From 7c7bb855e133b6c998385171b2ec86247b86933e Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Fri, 2 Aug 2024 11:53:44 +0200 Subject: [PATCH] use pkcs11 provider for OPENSSL MAJOR >= 3 --- diff --git a/cmake/modules/tests/test_openssl_gost.c b/cmake/modules/tests/test_openssl_gost.c index 33487e1..b2df4df 100644 --- a/modules/tests/test_openssl_gost.c +++ b/modules/tests/test_openssl_gost.c @@ -1,3 +1,4 @@ +#ifndef OPENSSL_NO_ENGINE #include #include #include @@ -39,3 +40,4 @@ int main() return 0; } +#endif diff --git a/src/lib/crypto/OSSLCryptoFactory.h b/src/lib/crypto/OSSLCryptoFactory.h index d718b69..18028c4 100644 --- a/src/lib/crypto/OSSLCryptoFactory.h +++ b/src/lib/crypto/OSSLCryptoFactory.h @@ -42,7 +42,16 @@ #include "RNG.h" #include #include -#include +#if OPENSSL_VERSION_MAJOR >= 3 +# define USE_PKCS11_PROVIDER +# include +# include +#else +# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) +# define USE_PKCS11_ENGINE +# include +# endif +#endif class OSSLCryptoFactory : public CryptoFactory { diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp index 32f8dc8..a719778 100644 --- a/src/lib/crypto/OSSLCryptoFactory.cpp +++ b/src/lib/crypto/OSSLCryptoFactory.cpp @@ -141,6 +141,11 @@ OSSLCryptoFactory::OSSLCryptoFactory() // Initialise OpenSSL OpenSSL_add_all_algorithms(); + // Initialise the one-and-only RNG + rng = new OSSLRNG(); + +#ifndef OPENSSL_NO_ENGINE + #if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) // Make sure RDRAND is loaded first ENGINE_load_rdrand(); @@ -221,13 +223,13 @@ err: eg = NULL; return; #endif +#endif // OPENSSL_NO_ENGINE } // Destructor OSSLCryptoFactory::~OSSLCryptoFactory() { bool ossl_shutdown = false; - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) // OpenSSL 1.1.0+ will register an atexit() handler to run // OPENSSL_cleanup(). If that has already happened we must 
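Review bot: The added `#ifndef OPENSSL_NO_ENGINE` in the first hunk of test_openssl_gost.c sits above every `#include`, so at that point the macro is set only if the build passes it on the command line; OpenSSL normally defines it in its own configuration header. If the probe is meant to follow the installed library's configuration, put `#include <openssl/opensslconf.h>` before the guard. With the guard active the file also has no `main()` (the matching `#endif` is in the second hunk), so the probe fails at link time without saying why. A comment such as `/* no ENGINE API: GOST probe intentionally fails to build */` would make that deliberate.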
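Review bot: The OSSLCryptoFactory.h hunk selects the backend from `OPENSSL_VERSION_MAJOR` and defines `USE_PKCS11_PROVIDER` / `USE_PKCS11_ENGINE`, but the OSSLCryptoFactory.cpp hunks gate the `ENGINE_*` calls on `OPENSSL_NO_ENGINE`, and neither new macro is used in any hunk shown. On OpenSSL 3 built with engine support, the header no longer takes the engine include branch while the constructor and destructor still compile `ENGINE_load_rdrand()`, `ENGINE_finish()` and `ENGINE_free()`, so whether the engine code is built depends on two unrelated switches. Consider gating the .cpp blocks with `#ifdef USE_PKCS11_ENGINE` so header and implementation agree. `OPENSSL_VERSION_MAJOR` is also undefined (and evaluates to 0) unless an OpenSSL header precedes the `#if`; the include names are not visible on this page, so confirm one does.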
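Review bot: `rng = new OSSLRNG();` is now created before `ENGINE_load_rdrand()` runs, and no hunk on this page removes an existing assignment elsewhere in the constructor; if one remains, the first object leaks. Please confirm exactly one assignment survives, and add a why-comment such as `// Created ahead of the engine block so the RNG exists when OPENSSL_NO_ENGINE compiles that block out`. The new guard also appears to compile out the `eg` engine setup whose `err:` path is visible in the next hunk, and the destructor treats `eg` as the GOST engine. A `WITH_GOST` build without ENGINE support should therefore fail loudly, for example with `#error "WITH_GOST requires OpenSSL ENGINE support"`. The constructor body starts and ends outside this hunk.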
@@ -243,6 +245,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() #endif if (!ossl_shutdown) { +#ifndef OPENSSL_NO_ENGINE #ifdef WITH_GOST // Finish the GOST engine if (eg != NULL) @@ -257,7 +260,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() ENGINE_finish(rdrand_engine); ENGINE_free(rdrand_engine); rdrand_engine = NULL; - +#endif //OPENSSL_NO_ENGINE // Recycle locks #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) if (setLockingCallback) -- 2.45.2
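Review bot: `#endif //OPENSSL_NO_ENGINE` in the last hunk replaces the blank line that separated the engine teardown from `// Recycle locks`, and it is spelled differently from the constructor's `#endif // OPENSSL_NO_ENGINE`. Keep a blank line after the `#endif` and use the same comment spacing in both places so the two guards are easy to grep and pair. The destructor body starts and ends outside these hunks.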