Allow compilation with newer openssl version

[popovec]

from https://www.openssl.org/news/changelog.html#x4:
EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
EVP_MD_CTX_reset() should be called instead to reinitialise
an already created structure.

[frankmorgner]

please check for EVP_MD_CTX_cleanup() in configure.ac to distinguish both cases.

[frankmorgner]

The version check is not very robust, e.g. it may fail for libressl.

[popovec]

Hi Frank,

To get pam_p11 really portable (old/new openssl, libressl) there is necessary to fix more deprecated functions in code. For example from libressl 2.7.3 manual:

EVP_MD_CTX_create(), EVP_MD_CTX_cleanup(), and EVP_MD_CTX_destroy() are deprecated aliases for EVP_MD_CTX_new(), EVP_MD_CTX_reset(), and EVP_MD_CTX_free(), respectively.

Similar to this, documentation for Openssl 1.1.0:
EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed to EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1.

Even in OpenSC project some of deprecated functions are used:
src/tools/pkcs11-tool.c: md_ctx = EVP_MD_CTX_create();

I do not have elegant solution for this now, but I agree, testing only OPENSSL_VERSION_NUMBER is not enough.

[frankmorgner]

One typical approach would be to use the new API everywhere and replicate it with the old API if needed...

[popovec]

Hi,

I have created a new patch, draft can be found at https://github.com/popovec/pam_p11/tree/openssl-deprecated . This patch handles only part of deprecated functions. Probably it would be best to replace all old API functions by new API functions. But I have a problem, how to elegantly discard deprecated calls to functions:

OpenSSL_add_all_algorithms();
EVP_cleanup();
ERR_load_crypto_strings();
ERR_free_strings();

Any idea ? Or is it acceptable to leave these functions in code for now ?

[frankmorgner]

Yes, your alternative patch looks (almost) good. Just leave the deprecated initialization calls as is.

[frankmorgner]

closed with #12