Dev news

Commit 374b17fe88 for strongswan.org

commit 374b17fe886ad1d031f429a1063e0a58847b31f3
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Mon May 4 12:11:47 2026 +0200

    openssl: Fix 'const' issues that came up with OpenSSL 4

diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
index d9abcf8c0f..656813cf68 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -283,7 +283,8 @@ static auth_cfg_t *verify_signature(CMS_SignerInfo *si,
  */
 static bool verify_digest(CMS_ContentInfo *cms, CMS_SignerInfo *si, int hash_oid)
 {
-	ASN1_OCTET_STRING *os, **osp;
+	const ASN1_OCTET_STRING *os;
+	ASN1_OCTET_STRING **osp;
 	hash_algorithm_t hash_alg;
 	chunk_t digest, content, hash;
 	hasher_t *hasher;
@@ -448,7 +449,7 @@ METHOD(pkcs7_t, get_attribute, bool,
 	signature_enumerator_t *e;
 	CMS_SignerInfo *si;
 	X509_ATTRIBUTE *attr;
-	ASN1_TYPE *type;
+	const ASN1_TYPE *type;
 	chunk_t chunk, wrapped;
 	int i;

@@ -468,7 +469,11 @@ METHOD(pkcs7_t, get_attribute, bool,
 		{
 			/* get first value in SET */
 			type = X509_ATTRIBUTE_get0_type(attr, 0);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+			chunk = wrapped = openssl_i2chunk(ASN1_TYPE, (ASN1_TYPE*)type);
+#else
 			chunk = wrapped = openssl_i2chunk(ASN1_TYPE, type);
+#endif
 			if (asn1_unwrap(&chunk, &chunk) != 0x100 /* ASN1_INVALID */)
 			{
 				*value = chunk_clone(chunk);
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index 67d3de00fd..ae72710fb3 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -287,14 +287,18 @@ chunk_t openssl_asn1_int2chunk(const ASN1_INTEGER *asn1)
 /**
  * Convert a X509 name to a ID_DER_ASN1_DN identification_t
  */
-identification_t *openssl_x509_name2id(X509_NAME *name)
+identification_t *openssl_x509_name2id(const X509_NAME *name)
 {
 	if (name)
 	{
 		identification_t *id;
 		chunk_t chunk;

+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		chunk = openssl_i2chunk(X509_NAME, (X509_NAME*)name);
+#else
 		chunk = openssl_i2chunk(X509_NAME, name);
+#endif
 		if (chunk.len)
 		{
 			id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk);
@@ -326,15 +330,21 @@ int openssl_asn1_known_oid(const ASN1_OBJECT *obj)
 time_t openssl_asn1_to_time(const ASN1_TIME *time)
 {
 	chunk_t chunk;
+	int type;

 	if (time)
 	{
 		chunk = openssl_asn1_str2chunk(time);
-		switch (ASN1_STRING_type(time))
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		type = ASN1_STRING_type((ASN1_TIME*)time);
+#else
+		type = ASN1_STRING_type(time);
+#endif
+		switch (type)
 		{
 			case V_ASN1_UTCTIME:
 			case V_ASN1_GENERALIZEDTIME:
-				return asn1_to_time(&chunk, ASN1_STRING_type(time));
+				return asn1_to_time(&chunk, type);
 			default:
 				break;
 		}
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index 8e6f001993..7c72db2cce 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -148,7 +148,7 @@ chunk_t openssl_asn1_int2chunk(const ASN1_INTEGER *asn1);
  * @param name		name to convert
  * @return			identification_t, NULL on error
  */
-identification_t *openssl_x509_name2id(X509_NAME *name);
+identification_t *openssl_x509_name2id(const X509_NAME *name);

 /**
  * Check if an ASN1 oid is a an OID known by libstrongswan.