Drop support for OpenSSL < 3

All supported versions of Fedora and CentOS Stream provide OpenSSL 3
now, and only Ubuntu 20.04 was still lacking it (which we will drop
support for).

Updates to C23 for the compiler language standard.

Signed-off-by: Stephen Gallagher <[email protected]>

.github/workflows/ci.yaml

@@ -19,7 +19,6 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - ubuntu-20.04
           - ubuntu-22.04
           - ubuntu-24.04
         compiler:

meson.build

@@ -31,8 +31,8 @@
 project(
   'sscg',
   'c',
-version : '3.0.5',
-default_options : ['buildtype=debugoptimized', 'c_std=gnu99', 'warning_level=1', 'b_asneeded=true'],
+version : '3.0.90',
+default_options : ['buildtype=debugoptimized', 'c_std=c23', 'warning_level=1', 'b_asneeded=true'],
 license : 'GPL-3.0-or-later WITH OpenSSL-exception',
 meson_version : '>=0.44.0'
 )
@@ -62,17 +62,9 @@ endforeach
 
 pkg = import('pkgconfig')
 
-crypto = dependency('libcrypto11', version: '>= 1.1.0', required: false)
-if crypto.found()
-else
-    crypto = dependency('libcrypto', version: '>= 1.1.0')
-endif
+crypto = dependency('libcrypto', version: '>= 3.0.0')
 
-ssl = dependency('libssl11', version: '>= 1.1.0', required: false)
-if ssl.found()
-else
-    ssl = dependency('libssl', version: '>= 1.1.0')
-endif
+ssl = dependency('libssl', version: '>= 3.0.0')
 
 path_utils = dependency('path_utils')
 talloc = dependency('talloc')
@@ -82,15 +74,6 @@ popt = dependency(
     version : '>=1.14',
     required : true)
 
-has_evp_rsa_gen = cc.has_header_symbol(
-    'openssl/rsa.h',
-    'EVP_RSA_gen',
-    dependencies: [ crypto ])
-
-has_ossl_param = cc.has_header_symbol(
-    'openssl/core.h',
-    'OSSL_PARAM')
-
 sscg_bin_srcs = [
     'src/arguments.c',
     'src/sscg.c',
@@ -144,16 +127,6 @@ sscg = executable(
     install : true,
 )
 
-# Fake test to ensure that all sources and headers are formatted properly
-test_clang_format = find_program('clang-format', required: false)
-if not test_clang_format.found()
-    test_clang_format = disabler()
-endif
-
-clang_args = [ '-i' ]
-test('test_clang_format', test_clang_format,
-     args : clang_args + files(sscg_lib_srcs + sscg_lib_hdrs + sscg_bin_srcs))
-
 create_ca_test = executable(
     'create_ca_test',
     'test/create_ca_test.c',
@@ -289,8 +262,6 @@ endforeach
 
 cdata = configuration_data()
 cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
-cdata.set('HAVE_SSL_EVP_RSA_GEN', has_evp_rsa_gen)
-cdata.set('HAVE_OSSL_PARAM', has_ossl_param)
 configure_file(
     output : 'config.h',
     configuration : cdata)

src/dhparams.c

@@ -283,7 +283,6 @@ is_valid_named_group (const char *group_name)
 }
 
 
-#ifdef HAVE_OSSL_PARAM
 int
 get_params_by_named_group (const char *group_name, EVP_PKEY **dhparams)
 {
@@ -340,78 +339,3 @@ get_params_by_named_group (const char *group_name, EVP_PKEY **dhparams)
   talloc_free (tmp_ctx);
   return ret;
 }
-
-#else //HAVE_OSSL_PARAM
-
-static int
-get_group_nid (const char *group_name)
-{
-  if (strcmp ("ffdhe2048", group_name) == 0)
-    {
-      return NID_ffdhe2048;
-    }
-  else if (strcmp ("ffdhe3072", group_name) == 0)
-    {
-      return NID_ffdhe3072;
-    }
-  else if (strcmp ("ffdhe4096", group_name) == 0)
-    {
-      return NID_ffdhe4096;
-    }
-  else if (strcmp ("ffdhe6144", group_name) == 0)
-    {
-      return NID_ffdhe6144;
-    }
-  else if (strcmp ("ffdhe8192", group_name) == 0)
-    {
-      return NID_ffdhe8192;
-    }
-  return NID_undef;
-}
-
-int
-get_params_by_named_group (const char *group_name, EVP_PKEY **dhparams)
-{
-  int ret, sslret;
-  DH *dh = NULL;
-  EVP_PKEY *pkey = NULL;
-  TALLOC_CTX *tmp_ctx = talloc_new (NULL);
-
-  if (!is_valid_named_group (group_name))
-    {
-      fprintf (stderr, "Unknown Diffie Hellman finite field group.\n");
-      fprintf (
-        stderr, "Valid groups are: %s.\n", valid_dh_group_names (tmp_ctx));
-      ret = EINVAL;
-      goto done;
-    }
-
-  dh = DH_new_by_nid (get_group_nid (group_name));
-  if (!dh)
-    {
-      fprintf (
-        stderr, "Unknown Diffie Hellman finite field group %s.\n", group_name);
-      ret = EINVAL;
-      goto done;
-    }
-
-  pkey = EVP_PKEY_new ();
-  sslret = EVP_PKEY_assign_DH (pkey, dh);
-  CHECK_SSL (sslret, "EVP_PKEY_ASSIGN_DH");
-
-  /* The dhparams are owned by the pkey now */
-  dh = NULL;
-
-  *dhparams = pkey;
-  pkey = NULL;
-
-  ret = EOK;
-
-done:
-  DH_free (dh);
-  EVP_PKEY_free (pkey);
-  talloc_free (tmp_ctx);
-  return ret;
-}
-
-#endif //HAVE_OSSL_PARAM

src/key.c

@@ -56,40 +56,9 @@ sscg_generate_rsa_key (TALLOC_CTX *mem_ctx,
   EVP_PKEY *pkey = NULL;
   TALLOC_CTX *tmp_ctx = NULL;
 
-#ifdef HAVE_SSL_EVP_RSA_GEN
-
   pkey = EVP_RSA_gen (bits);
   CHECK_MEM (pkey);
 
-#else // HAVE_SSL_EVP_RSA_GEN
-  int sslret;
-  RSA *rsa = NULL;
-  struct sscg_bignum *e;
-
-  tmp_ctx = talloc_new (NULL);
-
-  /* Create memory for the actual key */
-  rsa = RSA_new ();
-  CHECK_MEM (rsa);
-
-  /* Use an exponent value of RSA F4 aka 0x10001 (65537) */
-  ret = sscg_init_bignum (tmp_ctx, RSA_F4, &e);
-  CHECK_OK (ret);
-
-  /* Generate a random RSA keypair */
-  sslret = RSA_generate_key_ex (rsa, bits, e->bn, NULL);
-  CHECK_SSL (sslret, RSA_generate_key_ex);
-
-  pkey = EVP_PKEY_new ();
-  CHECK_MEM (pkey);
-
-  sslret = EVP_PKEY_assign_RSA (pkey, rsa);
-  CHECK_SSL (sslret, EVP_PKEY_assign_RSA);
-
-  /* The memory for the RSA key is now maintained by the EVP_PKEY.
-       Mark this variable as NULL so we don't free() it below */
-  rsa = NULL;
-#endif // HAVE_SSL_EVP_RSA_GEN
 
   /* Create the talloc container to hold the memory */
   (*_key) = talloc_zero (mem_ctx, struct sscg_evp_pkey);
@@ -105,10 +74,6 @@ sscg_generate_rsa_key (TALLOC_CTX *mem_ctx,
   ret = EOK;
 
 done:
-#ifndef HAVE_SSL_EVP_RSA_GEN
-  RSA_free (rsa);
-#endif //HAVE_SSL_EVP_RSA_GEN
-
   talloc_free (tmp_ctx);
   return ret;
 }