From 178e691dbb3e314858e94c369e5d6e7cbee7da4b Mon Sep 17 00:00:00 2001
From: Karen Arutyunov <karen@codesynthesis.com>
Date: Thu, 18 Nov 2021 20:20:41 +0300
Subject: Use pkeyutl command instead of rsautl starting openssl version 3.0.0

---
 mod/mod-build-result.cxx | 30 +++++++++++++++++++++++++++---
 mod/mod-build-result.hxx |  7 +++++++
 2 files changed, 34 insertions(+), 3 deletions(-)

(limited to 'mod')

diff --git a/mod/mod-build-result.cxx b/mod/mod-build-result.cxx
index 1c46fc1..1445a1d 100644
--- a/mod/mod-build-result.cxx
+++ b/mod/mod-build-result.cxx
@@ -12,6 +12,7 @@
 #include <libbutl/process-io.hxx>
 #include <libbutl/manifest-parser.hxx>
 #include <libbutl/manifest-serializer.hxx>
+#include <libbutl/semantic-version.hxx>
 
 #include <libbbot/manifest.hxx>
 
@@ -39,7 +40,8 @@ brep::build_result::
 build_result (const build_result& r)
     : database_module (r),
       build_config_module (r),
-      options_ (r.initialized_ ? r.options_ : nullptr)
+      options_ (r.initialized_ ? r.options_  : nullptr),
+      use_openssl_pkeyutl_ (r.initialized_ ? r.use_openssl_pkeyutl_ : false)
 {
 }
 
@@ -62,6 +64,25 @@ init (scanner& s)
     build_config_module::init (*options_);
   }
 
+  try
+  {
+    optional<openssl_info> oi (
+      openssl::info ([&trace, this] (const char* args[], size_t n)
+                     {
+                       l2 ([&]{trace << process_args {args, n};});
+                     },
+                     2,
+                     options_->openssl ()));
+
+    use_openssl_pkeyutl_ = oi                    &&
+                           oi->name == "OpenSSL" &&
+                           oi->version >= semantic_version {3, 0, 0};
+  }
+  catch (const system_error& e)
+  {
+    fail << "unable to obtain openssl version: " << e;
+  }
+
   if (options_->root ().empty ())
     options_->root (dir_path ("/"));
 }
@@ -347,9 +368,12 @@ handle (request& rq, response&)
                         path ("-"), fdstream_mode::text, 2,
                         process_env (options_->openssl (),
                                      options_->openssl_envvar ()),
-                        "rsautl",
+                        use_openssl_pkeyutl_ ? "pkeyutl" : "rsautl",
                         options_->openssl_option (),
-                        "-verify", "-pubin", "-inkey", i->second);
+                        use_openssl_pkeyutl_ ? "-verifyrecover" : "-verify",
+                        "-pubin",
+                        "-inkey",
+                        i->second);
 
             for (const auto& c: *rqm.challenge)
               os.out.put (c); // Sets badbit on failure.
diff --git a/mod/mod-build-result.hxx b/mod/mod-build-result.hxx
index 71a60f9..1b32ad4 100644
--- a/mod/mod-build-result.hxx
+++ b/mod/mod-build-result.hxx
@@ -36,6 +36,13 @@ namespace brep
 
   private:
     shared_ptr<options::build_result> options_;
+
+    // True if the openssl version is greater or equal to 3.0.0 and so pkeyutl
+    // needs to be used instead of rsautl.
+    //
+    // Note that openssl 3.0.0 deprecates rsautl in favor of pkeyutl.
+    //
+    bool use_openssl_pkeyutl_;
   };
 }
 
-- 
cgit v1.1