From: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Date: Sun, 1 Aug 2021 21:04:42 +0000 (+0200)
Subject: Build with OpenSSL 3.0 beta 2 Release Candidate
X-Git-Tag: v8.20~71^2~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=1b3c4f2db409aba9b96e02798ee2ce2c9a52fc31;p=users%2Fdwmw2%2Fopenconnect.git

Build with OpenSSL 3.0 beta 2 Release Candidate

From the OpenSSL 3.0 Migration guide:
    The function code part of an OpenSSL error code is no longer relevant
    This code is now always set to zero. Related functions are deprecated.

In our case, removing calls to ERR_GET_FUNC() will not change anything:

PKCS12_F_PKCS12_PARSE / PKCS12_R_MAC_VERIFY_FAILURE

The reason code PKCS12_R_MAC_VERIFY_FAILURE is raised in two OpenSSL functions:
* PKCS12_newpass() in p12_npas.c,
* PKCS12_parse() in p12_kiss.c.
In our code, we check the reason code is PKCS12_R_MAC_VERIFY_FAILURE after calling PKCS12_parse(), so the incriminated function is necessarily PKCS12_parse(). Verifying the function code is PKCS12_F_PKCS12_PARSE is redundant.

EVP_F_EVP_DECRYPTFINAL_EX / EVP_R_BAD_DECRYPT

The reason code EVP_R_BAD_DECRYPT is raised in a single OpenSSL function:
* EVP_DecryptFinal_ex() in evp_enc.c
Therefore verifying the function code is EVP_F_EVP_DECRYPTFINAL_EX is useless, EVP_F_EVP_DECRYPTFINAL_EX is the only possible value.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
---
diff --git a/openssl.c b/openssl.c index 0d282fa6..52906819 100644 --- a/openssl.c +++ b/openssl.c @@ -612,7 +612,6 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo, struct cert unsigned long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 && - ERR_GET_FUNC(err) == PKCS12_F_PKCS12_PARSE && ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) { if (pass) vpn_progress(vpninfo, PRG_ERR, 
@@ -881,12 +880,8 @@ static int is_pem_password_error(struct openconnect_info *vpninfo, struct cert_i openconnect_report_ssl_errors(vpninfo); -#ifndef EVP_F_EVP_DECRYPTFINAL_EX -#define EVP_F_EVP_DECRYPTFINAL_EX EVP_F_EVP_DECRYPTFINAL -#endif /* If the user fat-fingered the passphrase, try again */ if (ERR_GET_LIB(err) == ERR_LIB_EVP && - ERR_GET_FUNC(err) == EVP_F_EVP_DECRYPTFINAL_EX && ERR_GET_REASON(err) == EVP_R_BAD_DECRYPT) { vpn_progress(vpninfo, PRG_ERR, certinfo_string(certinfo, _("Loading private key failed (wrong passphrase?)\n"), @@ -1060,7 +1055,6 @@ static int load_certificate(struct openconnect_info *vpninfo, struct cert_info * unsigned long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_EVP && - ERR_GET_FUNC(err) == EVP_F_EVP_DECRYPTFINAL_EX && ERR_GET_REASON(err) == EVP_R_BAD_DECRYPT) { ERR_clear_error();
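Review bot: in load_pkcs12_certificate() (hunk at -612), `err` is taken with ERR_peek_error(), which returns the oldest entry in the error queue, so the remaining test on ERR_LIB_PKCS12 and PKCS12_R_MAC_VERIFY_FAILURE is tied to the PKCS12_parse() call only if the queue was empty before that call. The visible context does not show a preceding ERR_clear_error(); please confirm there is one, or consider ERR_peek_last_error() here. The reasoning from the commit message (only PKCS12_parse() can have raised this reason code at this point) would also be worth a one-line comment above the condition, since the code no longer states which function it expects.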
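Review bot: in is_pem_password_error() (hunk at -881), removing the `#ifndef EVP_F_EVP_DECRYPTFINAL_EX` fallback is safe only if no other reference to EVP_F_EVP_DECRYPTFINAL_EX is left in openssl.c. This patch drops the uses at -881 and -1060; a grep for the macro over the tree before merging would confirm that nothing else still relies on the fallback when built against OpenSSL headers that only provide EVP_F_EVP_DECRYPTFINAL.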
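Review bot: in load_certificate() (hunk at -1060), the condition `ERR_GET_LIB(err) == ERR_LIB_EVP && ERR_GET_REASON(err) == EVP_R_BAD_DECRYPT` is now the same two-clause test as the one in is_pem_password_error() at -881. Consider one small static helper used at both sites (the name is up to you), carrying a short comment that ERR_GET_FUNC() is deliberately not checked because OpenSSL 3.0 always sets the function code to zero, so the check is not reintroduced later and the wrong-passphrase test cannot drift between the two call sites.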