🔐 Make it possible to build with OpenSSL 1.0.1 (#199)

alexeyserbin · prince-chrismc · web-flow · commit 97c878260557 · 2022-01-24T23:09:48.000-08:00
* Make it possible to build with OpenSSL 1.0.1 This patch updates the code in the jwt-cpp/jwt.h header and relaxes the requirement for OpenSSL's version in the top-level CMakeLists.txt to allow for compiling with OpenSSL 1.0.1. The patch works around the non-constantness of the 'sig' parameter in the signature of the EVP_DigestVerifyFinal() function in versions of OpenSSL prior to 1.0.2. I verfied it's now possible to compile with OpenSSL 1.0.1, but I guess it might be possible to compile even with OpenSSL 1.0.0 after tweaking the version requirement in CMakeLists.txt. The new EVP_DigestVerifyFinal() signature was introduced in [1] and then cherry-picked into the main branch as [2]. The update [1] doesn't contain any functional change per se: even prior to the update, EVP_DigestVerifyFinal() implementation was de facto treating the 'sig' parameter as if it were immutable [3]. [1] openssl/openssl@1abfa78 [2] openssl/openssl@0f7fa1b [3] https://github.com/openssl/openssl/blob/27007233db5d6f8b91ed474c4e09dd7014871cc6/crypto/evp/m_sigver.c#L163-L187 * Fix formatting in jwt-cpp/jwt.h This patch doesn't contain any functional modifications. This is a follow-up to d74c832. * Test against OpenSSL 1.0.1u Co-authored-by: Chris Mc <prince.chrismc@gmail.com>
diff --git a/.github/workflows/ssl.yml b/.github/workflows/ssl.yml
@@ -16,6 +16,7 @@ jobs:
           - { tag: "OpenSSL_1_1_1l", name: "1.1.1l" }
           - { tag: "OpenSSL_1_1_0i", name: "1.1.0i" }
           - { tag: "OpenSSL_1_0_2u", name: "1.0.2u" }
+          - { tag: "OpenSSL_1_0_1u", name: "1.0.1u" }
     name: OpenSSL ${{ matrix.openssl.name }}
     steps:
       - uses: actions/checkout@v2
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -49,7 +49,7 @@ endif()
 
 # Lookup dependencies
 if(${JWT_SSL_LIBRARY} MATCHES "OpenSSL")
-  find_package(OpenSSL 1.0.2 REQUIRED)
+  find_package(OpenSSL 1.0.1 REQUIRED)
 elseif(${JWT_SSL_LIBRARY} MATCHES "LibreSSL")
   find_package(LibreSSL 3.0.0 REQUIRED)
 elseif(${JWT_SSL_LIBRARY} MATCHES "wolfSSL")
diff --git a/include/jwt-cpp/jwt.h b/include/jwt-cpp/jwt.h
@@ -1088,9 +1088,13 @@ namespace jwt {
 					return;
 				}
 
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+				unsigned char* der_sig_data = reinterpret_cast<unsigned char*>(const_cast<char*>(der_signature.data()));
+#else
+				const unsigned char* der_sig_data = reinterpret_cast<const unsigned char*>(der_signature.data());
+#endif
 				auto res =
-					EVP_DigestVerifyFinal(ctx.get(), reinterpret_cast<const unsigned char*>(der_signature.data()),
-										  static_cast<unsigned int>(der_signature.length()));
+					EVP_DigestVerifyFinal(ctx.get(), der_sig_data, static_cast<unsigned int>(der_signature.length()));
 				if (res == 0) {
 					ec = error::signature_verification_error::invalid_signature;
 					return;
