Remove OpenSSL 1.1.1 support

IB-8335

Signed-off-by: Raul Metsma <raul@metsma.ee>

.github/workflows/build.yml

@@ -131,7 +131,7 @@ jobs:
     container: ubuntu:${{ matrix.container }}
     strategy:
       matrix:
-        container: ['20.04', '22.04', '24.04', '24.10']
+        container: ['22.04', '24.04', '24.10']
     env:
       DEBIAN_FRONTEND: noninteractive
       DEBFULLNAME: github-actions

CMakeLists.txt

@@ -1,7 +1,4 @@
-cmake_minimum_required(VERSION 3.16)
-if(POLICY CMP0122)
-    cmake_policy(SET CMP0122 NEW)
-endif()
+cmake_minimum_required(VERSION 3.22)
 if(POLICY CMP0167)
     cmake_policy(SET CMP0167 NEW)
 endif()
@@ -55,29 +52,28 @@ if(APPLE)
     set(FRAMEWORK_DESTINATION /Library/Frameworks CACHE PATH "Mac OS X Framework install destination")
 endif()
 
-find_package(OpenSSL 1.1.1 REQUIRED)
+find_package(OpenSSL 3.0.0 REQUIRED)
 find_package(PKCS11)
 #find_package(PoDoFo)
 find_package(Threads)
 find_package(LibXml2 REQUIRED)
 find_package(ZLIB REQUIRED)
 find_package(MiniZip 1 QUIET)
-add_library(xmlsec INTERFACE)
 if(UNIX)
     find_package(PkgConfig)
     find_package(unofficial-xmlsec QUIET)
     if(TARGET unofficial::xmlsec::xmlsec1-openssl)
-        target_link_libraries(xmlsec INTERFACE unofficial::xmlsec::xmlsec1-openssl)
+        add_library(xmlsec ALIAS unofficial::xmlsec::xmlsec1-openssl)
     else()
         pkg_check_modules(XMLSEC1_OPENSSL xmlsec1-openssl REQUIRED IMPORTED_TARGET)
-        target_link_libraries(xmlsec INTERFACE PkgConfig::XMLSEC1_OPENSSL)
+        add_library(xmlsec ALIAS PkgConfig::XMLSEC1_OPENSSL)
     endif()
     if(NOT APPLE)
         pkg_check_modules(MINIZIP minizip IMPORTED_TARGET)
     endif()
 else()
     find_package(unofficial-xmlsec REQUIRED)
-    target_link_libraries(xmlsec INTERFACE unofficial::xmlsec::xmlsec1-openssl)
+    add_library(xmlsec ALIAS unofficial::xmlsec::xmlsec1-openssl)
 endif()
 find_package(SWIG)
 if(SWIG_FOUND)

debian/control

@@ -3,7 +3,7 @@ Section: libs
 Priority: optional
 Maintainer: RIA <info@ria.ee>
 Build-Depends:
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
  pkg-config,
  cmake,
  libxml2-dev,
@@ -13,7 +13,8 @@ Build-Depends:
  java11-sdk-headless,
  libpython3-dev,
  python3-setuptools
-Standards-Version: 4.5.1
+Standards-Version: 4.6.1
+Rules-Requires-Root: no
 Homepage: https://github.com/open-eid/libdigidocpp
 
 Package: libdigidocpp-common
@@ -65,10 +66,12 @@ Description: DigiDoc digital signature library tools
 
 Package: libdigidocpp-dev
 Architecture: any
+Multi-Arch: same
 Section: libdevel
 Depends:
  libdigidocpp1 (= ${binary:Version}),
  ${misc:Depends}
+Suggests: libdigidoc-doc
 Description: DigiDoc digital signature library development files
  This package contains files necessary for developing applications with the
  DigiDoc digital signature library.
@@ -109,6 +112,7 @@ Description: DigiDoc digital signature python bindings
 
 Package: libdigidocpp-doc
 Architecture: all
+Multi-Arch: foreign
 Section: doc
 Depends:
  ${misc:Depends}

src/CMakeLists.txt

@@ -1,6 +1,5 @@
 if(TARGET PkgConfig::MINIZIP)
-    add_library(minizip INTERFACE)
-    target_link_libraries(minizip INTERFACE PkgConfig::MINIZIP)
+    add_library(minizip ALIAS PkgConfig::MINIZIP)
 else()
     message(STATUS "MiniZip not found; using bundled copy.")
     add_library(minizip STATIC minizip/zip.c minizip/unzip.c minizip/ioapi.c $<$<C_COMPILER_ID:MSVC>:minizip/iowin32.c>)

src/SignatureXAdES_B.cpp

@@ -23,7 +23,6 @@
 #include "Conf.h"
 #include "DataFile_p.h"
 #include "crypto/Digest.h"
-#include "crypto/OpenSSLHelpers.h"
 #include "crypto/Signer.h"
 #include "crypto/X509CertStore.h"
 #include "crypto/X509Crypto.h"
@@ -117,11 +116,7 @@ int initXmlSecCallback()
             {
                 Exception e(orUnknown(file), line, Log::format("%s:obj=%s:subj=%s:reason=%d - %s",
                     func, orUnknown(errorObject), orUnknown(errorSubject), reason, error_msg));
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-                while(unsigned long error = ERR_get_error_line(&ofile, &oline))
-#else
                 while(unsigned long error = ERR_get_error_all(&ofile, &oline, &ofunc, nullptr, nullptr))
-#endif
                 {
                     Exception err(ofile, oline, ERR_error_string(error, nullptr));
 #ifndef LIBRESSL_VERSION_NUMBER
@@ -142,11 +137,7 @@ int initXmlSecCallback()
                 func, orUnknown(errorObject), orUnknown(errorSubject), reason, error_msg, msg);
             if(reason == XMLSEC_ERRORS_R_CRYPTO_FAILED)
             {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-                while(unsigned long error = ERR_get_error_line(&ofile, &oline))
-#else
                 while(unsigned long error = ERR_get_error_all(&ofile, &oline, &ofunc, nullptr, nullptr))
-#endif
                     Log::out(Log::WarnType, ofile, unsigned(oline), "%s: %s",
                         ofunc, ERR_error_string(error, nullptr));
             }

src/crypto/Connect.cpp

@@ -101,24 +101,10 @@ Connect::Connect(const string &_url, string _method, int _timeout, const vector<
 
     BIO_set_nbio(d, _timeout > 0);
     auto start = chrono::high_resolution_clock::now();
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    while(BIO_do_connect(d) != 1)
-    {
-        if(_timeout == 0)
-            THROW_NETWORKEXCEPTION("Failed to connect to host: '%s'", hostname.c_str())
-        if(!BIO_should_retry(d))
-            THROW_NETWORKEXCEPTION("Failed to connect to host: '%s'", hostname.c_str())
-        auto end = chrono::high_resolution_clock::now();
-        if(chrono::duration_cast<chrono::seconds>(end - start).count() >= _timeout)
-            THROW_NETWORKEXCEPTION("Failed to create connection with host timeout: '%s'", hostname.c_str())
-        this_thread::sleep_for(chrono::milliseconds(50));
-    }
-#else
     if(timeout > 0 && BIO_do_connect_retry(d, timeout, -1) < 1)
         THROW_NETWORKEXCEPTION("Failed to create connection with host timeout: '%s'", hostname.c_str())
     if(timeout == 0 && BIO_do_connect(d) < 1)
         THROW_NETWORKEXCEPTION("Failed to create connection with host: '%s'", hostname.c_str())
-#endif
 
     if(usessl > 0)
     {
@@ -176,20 +162,6 @@ Connect::Connect(const string &_url, string _method, int _timeout, const vector<
         }
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    if(_timeout > 0)
-    {
-        int fd = BIO_get_fd(d, nullptr);
-        fd_set confds;
-        FD_ZERO(&confds);
-        FD_SET(fd, &confds);
-        timeval tv { timeout, 0 };
-        int read = BIO_should_read(d);
-        if(select(fd + 1, read ? &confds : nullptr, read ? nullptr : &confds, nullptr, &tv) == -1)
-            DEBUG("select failed");
-    }
-#endif
-
     BIO_printf(d, "%s %s HTTP/1.1\r\n", method.c_str(), path.c_str());
     addHeader("Connection", "close");
     if(port == "80" || port == "443")

src/crypto/OCSP.cpp

@@ -86,7 +86,7 @@ OCSP::OCSP(const X509Cert &cert, const X509Cert &issuer, const std::string &user
         {"Accept", "application/ocsp-response"},
         {"Connection", "Close"},
         {"Cache-Control", "no-cache"}
-    }, i2d(req, i2d_OCSP_REQUEST));
+    }, i2d<i2d_OCSP_REQUEST>(req));
 
     if(result.isForbidden())
         THROW("OCSP service responded - Forbidden");
@@ -179,7 +179,7 @@ X509Cert OCSP::responderCert() const
 
 OCSP::operator vector<unsigned char>() const
 {
-    return i2d(resp, i2d_OCSP_RESPONSE);
+    return i2d<i2d_OCSP_RESPONSE>(resp);
 }
 
 /**
@@ -199,11 +199,7 @@ void OCSP::verifyResponse(const X509Cert &cert) const
             sk_X509_push(stack.get(), i.handle());
     }
     auto store = X509CertStore::createStore(X509CertStore::OCSP, tm);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    if(OCSP_basic_verify(basic.get(), stack.get(), store.get(), OCSP_NOCHECKS) != 1)
-#else
     if(OCSP_basic_verify(basic.get(), stack.get(), store.get(), OCSP_NOCHECKS | OCSP_PARTIAL_CHAIN) != 1)
-#endif
     {
         unsigned long err = ERR_get_error();
         if(ERR_GET_LIB(err) == ERR_LIB_OCSP &&

src/crypto/OpenSSLHelpers.h

@@ -25,38 +25,33 @@
 
 #include <openssl/err.h>
 
-#ifndef RSA_PSS_SALTLEN_DIGEST
-#define RSA_PSS_SALTLEN_DIGEST -1
-#endif
-
 namespace digidoc
 {
 
-#define SCOPE_PTR_FREE(TYPE, DATA, FREE) make_unique_ptr(DATA, FREE)
-#define SCOPE_PTR(TYPE, DATA) SCOPE_PTR_FREE(TYPE, DATA, TYPE##_free)
-#define SCOPE(TYPE, VAR, DATA) auto VAR = SCOPE_PTR_FREE(TYPE, DATA, TYPE##_free)
+#define SCOPE_PTR(TYPE, DATA) make_unique_ptr<TYPE>(DATA, TYPE##_free)
+#define SCOPE(TYPE, VAR, DATA) auto VAR = make_unique_ptr<TYPE>(DATA, TYPE##_free)
 
-template<class T, typename Func>
+template<auto F, class T>
 [[nodiscard]]
-inline std::vector<unsigned char> i2d(T *obj, Func func)
+inline std::vector<unsigned char> i2d(T *obj)
 {
     std::vector<unsigned char> result;
     if(!obj)
         return result;
-    int size = func(obj, nullptr);
+    int size = F(obj, nullptr);
     if(size <= 0)
         return result;
     result.resize(size_t(size), 0);
-    if(unsigned char *p = result.data(); func(obj, &p) != size)
+    if(unsigned char *p = result.data(); F(obj, &p) != size)
         result.clear();
     return result;
 }
 
-template<class T, typename Func>
+template<auto F, class T>
 [[nodiscard]]
-inline std::vector<unsigned char> i2d(const T &obj, Func func)
+inline std::vector<unsigned char> i2d(const T &obj)
 {
-    return i2d(obj.get(), std::forward<Func>(func));
+    return i2d<F>(obj.get());
 }
 
 /**
@@ -72,11 +67,7 @@ class OpenSSLException : public Exception
             {
                 Exception e(ERR_lib_error_string(error), 0, ERR_error_string(error, nullptr));
 #ifndef LIBRESSL_VERSION_NUMBER
-                if(ERR_GET_LIB(error) == ERR_R_BIO_LIB &&
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-                    ERR_GET_FUNC(error) == BIO_F_BIO_LOOKUP_EX &&
-#endif
-                    ERR_GET_REASON(error) == ERR_R_SYS_LIB)
+                if(ERR_GET_LIB(error) == ERR_R_BIO_LIB && ERR_GET_REASON(error) == ERR_R_SYS_LIB)
                     e.setCode(ExceptionCode::HostNotFound);
 #endif
                 addCause(e);

src/crypto/TS.cpp

@@ -92,7 +92,7 @@ TS::TS(const Digest &digest, const std::string &userAgent)
         {"Accept", "application/timestamp-reply"},
         {"Connection", "Close"},
         {"Cache-Control", "no-cache"}
-    }, i2d(req, i2d_TS_REQ));
+    }, i2d<i2d_TS_REQ>(req));
 
     if(result.isForbidden())
     {
@@ -195,14 +195,14 @@ string TS::digestMethod() const
 vector<unsigned char> TS::digestValue() const
 {
     if(auto info = tstInfo())
-        return i2d(TS_MSG_IMPRINT_get_msg(TS_TST_INFO_get_msg_imprint(info.get())), i2d_ASN1_OCTET_STRING);
+        return i2d<i2d_ASN1_OCTET_STRING>(TS_MSG_IMPRINT_get_msg(TS_TST_INFO_get_msg_imprint(info.get())));
     return {};
 }
 
 vector<unsigned char> TS::messageImprint() const
 {
     if(auto info = tstInfo())
-        return i2d(TS_TST_INFO_get_msg_imprint(info.get()), i2d_TS_MSG_IMPRINT);
+        return i2d<i2d_TS_MSG_IMPRINT>(TS_TST_INFO_get_msg_imprint(info.get()));
     return {};
 }
 
@@ -212,7 +212,7 @@ string TS::serial() const
     if(!info)
         return {};
 
-    if(auto bn = SCOPE_PTR_FREE(BIGNUM, ASN1_INTEGER_to_BN(TS_TST_INFO_get_serial(info.get()), nullptr), BN_free))
+    if(auto bn = make_unique_ptr(ASN1_INTEGER_to_BN(TS_TST_INFO_get_serial(info.get()), nullptr), BN_free))
     {
         if(auto str = make_unique_ptr(BN_bn2dec(bn.get()), [](char *data) { OPENSSL_free(data); }))
             return str.get();
@@ -281,7 +281,7 @@ TS::operator vector<unsigned char>() const
 {
 #ifndef OPENSSL_NO_CMS
     if(cms)
-        return i2d(cms, i2d_CMS_ContentInfo);
+        return i2d<i2d_CMS_ContentInfo>(cms);
 #endif
-    return i2d(d, i2d_PKCS7);
+    return i2d<i2d_PKCS7>(d);
 }

src/crypto/X509Cert.cpp

@@ -279,7 +279,7 @@ X509Cert::~X509Cert() = default;
  */
 X509Cert::operator std::vector<unsigned char>() const
 {
-    return i2d(cert, i2d_X509);
+    return i2d<i2d_X509>(cert);
 }
 
 /**
@@ -299,7 +299,7 @@ string X509Cert::serial() const
 {
     if(!cert)
         return {};
-    if(auto bn = SCOPE_PTR_FREE(BIGNUM, ASN1_INTEGER_to_BN(X509_get_serialNumber(cert.get()), nullptr), BN_free))
+    if(auto bn = make_unique_ptr(ASN1_INTEGER_to_BN(X509_get_serialNumber(cert.get()), nullptr), BN_free))
     {
         auto openssl_free = [](char *data) { OPENSSL_free(data); };
         if(auto str = unique_ptr<char,decltype(openssl_free)>(BN_bn2dec(bn.get()), openssl_free))