From: Joris Vink <joris@coders.se>
Date: Wed, 28 Dec 2022 11:09:15 +0100
Subject: Disable deprecated warnings for OpenSSL 3.

Until the replacement is done, make sure Kore builds against OpenSSL 3
so it can be used as most distros made the move towards it.
---
 src/cli.c            | 18 +++++++++++++
 src/keymgr_openssl.c | 60 +++++++++++++++++------------------------
 src/tls_openssl.c    | 75 +++++++---------------------------------------------
 3 files changed, 52 insertions(+), 101 deletions(-)

diff --git a/src/cli.c b/src/cli.c
index 5ea164e..7e437fe 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -43,6 +43,24 @@
 #include <unistd.h>
 #include <utime.h>
 
+/*
+ * Turn off deprecated function warnings when building against OpenSSL 3.
+ *
+ * The OpenSSL 3 library deprecated most low-level functions in favour
+ * for their higher level APIs.
+ *
+ * I am planning a replacement, but for now we can still make it build
+ * and function by ignoring these warnings completely.
+ *
+ * The functions in question are:
+ *	- SHA256_Init, SHA256_Update, SHA256_Final
+ *	- RSA_new, RSA_generate_key_ex
+ *	- EVP_PKEY_assign
+ */
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
 #define errno_s			strerror(errno)
 #define ssl_errno_s		ERR_error_string(ERR_get_error(), NULL)
 
diff --git a/src/keymgr_openssl.c b/src/keymgr_openssl.c
index 98ffbbc..ffc892b 100644
--- a/src/keymgr_openssl.c
+++ b/src/keymgr_openssl.c
@@ -63,6 +63,16 @@
 #include "acme.h"
 #endif
 
+/*
+ * Disable deprecated declaration warnings if we're building against
+ * OpenSSL 3 as they marked all low-level APIs as deprecated.
+ *
+ * Work is being done to replace these, but for now let things build.
+ */
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
 #define RAND_TMP_FILE		"rnd.tmp"
 #define RAND_POLL_INTERVAL	(1800 * 1000)
 #define RAND_FILE_SIZE		1024
@@ -168,10 +178,11 @@ struct key {
 	TAILQ_ENTRY(key)	list;
 };
 
-char				*kore_rand_file = NULL;
-
-static TAILQ_HEAD(, key)	keys;
-static int			initialized = 0;
+/* Helper for weird API designs (looking at you OpenSSL). */
+union deconst {
+	void		*p;
+	const void	*cp;
+};
 
 #if defined(KORE_USE_ACME)
 
@@ -251,8 +262,6 @@ static void	keymgr_x509_msg(const char *, const void *, size_t, int, int);
 
 static void	keymgr_rsa_encrypt(struct kore_msg *, const void *,
 		    struct key *);
-static void	keymgr_ecdsa_sign(struct kore_msg *, const void *,
-		    struct key *);
 
 #if defined(__OpenBSD__)
 #if defined(KORE_USE_ACME)
@@ -262,6 +271,11 @@ static const char *keymgr_pledges = "stdio rpath";
 #endif
 #endif
 
+static TAILQ_HEAD(, key)	keys;
+static int			initialized = 0;
+
+char				*kore_rand_file = NULL;
+
 void
 kore_keymgr_run(void)
 {
@@ -658,9 +672,6 @@ keymgr_msg_recv(struct kore_msg *msg, const void *data)
 		case EVP_PKEY_RSA:
 			keymgr_rsa_encrypt(msg, data, key);
 			break;
-		case EVP_PKEY_EC:
-			keymgr_ecdsa_sign(msg, data, key);
-			break;
 		default:
 			break;
 		}
@@ -685,6 +696,7 @@ keymgr_msg_recv(struct kore_msg *msg, const void *data)
 static void
 keymgr_rsa_encrypt(struct kore_msg *msg, const void *data, struct key *key)
 {
+	union deconst			cp;
 	int				ret;
 	RSA				*rsa;
 	const struct kore_keyreq	*req;
@@ -692,7 +704,9 @@ keymgr_rsa_encrypt(struct kore_msg *msg, const void *data, struct key *key)
 	u_int8_t			buf[1024];
 
 	req = (const struct kore_keyreq *)data;
-	rsa = EVP_PKEY_get0_RSA(key->pkey);
+	cp.cp = EVP_PKEY_get0_RSA(key->pkey);
+
+	rsa = cp.p;
 
 	keylen = RSA_size(rsa);
 	if (req->data_len > keylen || keylen > sizeof(buf))
@@ -706,32 +720,6 @@ keymgr_rsa_encrypt(struct kore_msg *msg, const void *data, struct key *key)
 	kore_msg_send(msg->src, KORE_MSG_KEYMGR_RESP, buf, ret);
 }
 
-static void
-keymgr_ecdsa_sign(struct kore_msg *msg, const void *data, struct key *key)
-{
-	size_t				len;
-	EC_KEY				*ec;
-	const struct kore_keyreq	*req;
-	unsigned int			siglen;
-	u_int8_t			sig[1024];
-
-	req = (const struct kore_keyreq *)data;
-	ec = EVP_PKEY_get0_EC_KEY(key->pkey);
-
-	len = ECDSA_size(ec);
-	if (req->data_len > len || len > sizeof(sig))
-		return;
-
-	if (ECDSA_sign(EVP_PKEY_NONE, req->data, req->data_len,
-	    sig, &siglen, ec) == 0)
-		return;
-
-	if (siglen > sizeof(sig))
-		return;
-
-	kore_msg_send(msg->src, KORE_MSG_KEYMGR_RESP, sig, siglen);
-}
-
 static void
 keymgr_x509_msg(const char *domain, const void *data, size_t len,
     int target, int msg)
diff --git a/src/tls_openssl.c b/src/tls_openssl.c
index c2fffbb..af14f75 100644
--- a/src/tls_openssl.c
+++ b/src/tls_openssl.c
@@ -36,6 +36,16 @@
 #include "kore.h"
 #include "http.h"
 
+/*
+ * Disable deprecated declaration warnings if we're building against
+ * OpenSSL 3 as they marked all low-level APIs as deprecated.
+ *
+ * Work is being done to replace these, but for now let things build.
+ */
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
 #define TLS_SESSION_ID		"kore_tls_sessionid"
 
 static int	tls_domain_x509_verify(int, X509_STORE_CTX *);
@@ -59,11 +69,7 @@ static int	tls_keymgr_rsa_finish(RSA *);
 static int	tls_keymgr_rsa_privenc(int, const unsigned char *,
 		    unsigned char *, RSA *, int);
 
-static ECDSA_SIG *tls_keymgr_ecdsa_sign(const unsigned char *, int,
-		    const BIGNUM *, const BIGNUM *, EC_KEY *);
-
 static RSA_METHOD	*keymgr_rsa_meth = NULL;
-static EC_KEY_METHOD	*keymgr_ec_meth = NULL;
 
 static DH		*dh_params = NULL;
 static int		tls_version = KORE_TLS_VERSION_BOTH;
@@ -102,12 +108,6 @@ kore_tls_init(void)
 	RSA_meth_set_finish(keymgr_rsa_meth, tls_keymgr_rsa_finish);
 	RSA_meth_set_priv_enc(keymgr_rsa_meth, tls_keymgr_rsa_privenc);
 
-	if ((keymgr_ec_meth = EC_KEY_METHOD_new(NULL)) == NULL)
-		fatal("failed to allocate EC KEY method");
-
-	EC_KEY_METHOD_set_sign(keymgr_ec_meth,
-	    NULL, NULL, tls_keymgr_ecdsa_sign);
-
 	kore_log(LOG_NOTICE, "TLS backend %s", OPENSSL_VERSION_TEXT);
 #if !defined(TLS1_3_VERSION)
 	if (!kore_quiet) {
@@ -122,7 +122,6 @@ void
 kore_tls_cleanup(void)
 {
 	RSA_meth_free(keymgr_rsa_meth);
-	EC_KEY_METHOD_free(keymgr_ec_meth);
 }
 
 void
@@ -204,7 +203,6 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
 	X509			*x509;
 	EVP_PKEY		*pkey;
 	STACK_OF(X509_NAME)	*certs;
-	EC_KEY			*eckey;
 	const SSL_METHOD	*method;
 
 	if (dom->tls_ctx != NULL)
@@ -285,12 +283,6 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
 		RSA_set_app_data(rsa, dom);
 		RSA_set_method(rsa, keymgr_rsa_meth);
 		break;
-	case EVP_PKEY_EC:
-		if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
-			fatalx("no EC public key present");
-		EC_KEY_set_ex_data(eckey, 0, dom);
-		EC_KEY_set_method(eckey, keymgr_ec_meth);
-		break;
 	default:
 		fatalx("unknown public key in certificate");
 	}
@@ -894,53 +886,6 @@ tls_keymgr_rsa_finish(RSA *rsa)
 	return (1);
 }
 
-static ECDSA_SIG *
-tls_keymgr_ecdsa_sign(const unsigned char *dgst, int dgst_len,
-    const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
-{
-	size_t				len;
-	ECDSA_SIG			*sig;
-	const u_int8_t			*ptr;
-	struct kore_domain		*dom;
-	struct kore_keyreq		*req;
-
-	if (in_kinv != NULL || in_r != NULL)
-		return (NULL);
-
-	len = sizeof(*req) + dgst_len;
-	if (len > sizeof(keymgr_buf))
-		fatal("keymgr_buf too small");
-
-	if ((dom = EC_KEY_get_ex_data(eckey, 0)) == NULL)
-		fatal("EC_KEY has no domain");
-
-	memset(keymgr_buf, 0, sizeof(keymgr_buf));
-	req = (struct kore_keyreq *)keymgr_buf;
-
-	if (kore_strlcpy(req->domain, dom->domain, sizeof(req->domain)) >=
-	    sizeof(req->domain))
-		fatal("%s: domain truncated", __func__);
-
-	req->data_len = dgst_len;
-	memcpy(&req->data[0], dgst, req->data_len);
-
-	kore_msg_send(KORE_WORKER_KEYMGR, KORE_MSG_KEYMGR_REQ, keymgr_buf, len);
-	tls_keymgr_await_data();
-
-	if (keymgr_response) {
-		ptr = keymgr_buf;
-		sig = d2i_ECDSA_SIG(NULL, &ptr, keymgr_buflen);
-	} else {
-		sig = NULL;
-	}
-
-	keymgr_buflen = 0;
-	keymgr_response = 0;
-	kore_platform_event_all(worker->msg[1]->fd, worker->msg[1]);
-
-	return (sig);
-}
-
 static void
 tls_keymgr_await_data(void)
 {