Package: qca2
Followup-For: Bug #1138313
X-Debbugs-Cc: [email protected]
Control: tags -1 patch ftbfs

Dear Maintainer,

The patch fixes the build issue.

-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), 
(100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
>From 6a7ddd76aa54ecc14d13151cca008137b0aa25d8 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <[email protected]>
Date: Sun, 21 Jun 2026 12:44:08 +0000
Subject: [PATCH] Compile with openssl4

Origin: upstream, 
https://github.com/KDE/qca/commit/6a7ddd76aa54ecc14d13151cca008137b0aa25d8
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2154860
Bug-Debian: https://bugs.debian.org/1138313
Last-Update: 2026-07-02

---
 plugins/qca-ossl/qca-ossl.cpp | 158 +++++++++++++++++++++-------------
 1 file changed, 96 insertions(+), 62 deletions(-)

diff --git a/plugins/qca-ossl/qca-ossl.cpp b/plugins/qca-ossl/qca-ossl.cpp
index f41fcbb5..7ab1b47d 100644
--- a/plugins/qca-ossl/qca-ossl.cpp
+++ b/plugins/qca-ossl/qca-ossl.cpp
@@ -281,6 +281,30 @@ static Constraints ext_only(const Constraints &list)
     return constraints;
 }*/
 
+// We need this to support openssl3 (could be removed once we only support >= 
4 if that ever happens)
+template<typename T> static void *our_X509V3_EXT_d2i(T *ext)
+{
+    using NonConstType = std::remove_const_t<T>;
+
+    return X509V3_EXT_d2i(const_cast<NonConstType *>(ext));
+}
+
+// We need this to support openssl1 (could be removed once we only support >= 
3 if that ever happens)
+template<typename T> static int our_X509_NAME_get_index_by_NID(T *name, int 
nid, int lastpos)
+{
+    using NonConstType = std::remove_const_t<T>;
+
+    return X509_NAME_get_index_by_NID(const_cast<NonConstType *>(name), nid, 
lastpos);
+}
+
+// We need this to support openssl1 (could be removed once we only support >= 
3 if that ever happens)
+template<typename T> static int our_X509_NAME_get_index_by_OBJ(T *name, const 
ASN1_OBJECT *obj, int lastpos)
+{
+    using NonConstType = std::remove_const_t<T>;
+
+    return X509_NAME_get_index_by_OBJ(const_cast<NonConstType *>(name), obj, 
lastpos);
+}
+
 static void try_add_name_item(X509_NAME **name, int nid, const QString &val)
 {
     if (val.isEmpty())
@@ -304,20 +328,22 @@ static X509_NAME *new_cert_name(const CertificateInfo 
&info)
     return name;
 }
 
-static void try_get_name_item(X509_NAME *name, int nid, const 
CertificateInfoType &t, CertificateInfo *info)
+static void try_get_name_item(const X509_NAME *name, int nid, const 
CertificateInfoType &t, CertificateInfo *info)
 {
     int loc;
     loc = -1;
-    while ((loc = X509_NAME_get_index_by_NID(name, nid, loc)) != -1) {
-        X509_NAME_ENTRY *ne   = X509_NAME_get_entry(name, loc);
-        ASN1_STRING     *data = X509_NAME_ENTRY_get_data(ne);
-        QByteArray       cs((const char *)data->data, data->length);
+    while ((loc = our_X509_NAME_get_index_by_NID(name, nid, loc)) != -1) {
+        const X509_NAME_ENTRY *ne   = X509_NAME_get_entry(name, loc);
+        const ASN1_STRING     *data = X509_NAME_ENTRY_get_data(ne);
+        QByteArray             cs((const char *)ASN1_STRING_get0_data(data), 
ASN1_STRING_length(data));
         info->insert(t, QString::fromLatin1(cs));
     }
 }
 
-static void
-try_get_name_item_by_oid(X509_NAME *name, const QString &oidText, const 
CertificateInfoType &t, CertificateInfo *info)
+static void try_get_name_item_by_oid(const X509_NAME           *name,
+                                     const QString             &oidText,
+                                     const CertificateInfoType &t,
+                                     CertificateInfo           *info)
 {
     ASN1_OBJECT *oid = OBJ_txt2obj(oidText.toLatin1().data(), 1); // 1 = only 
accept dotted input
     if (!oid)
@@ -325,17 +351,17 @@ try_get_name_item_by_oid(X509_NAME *name, const QString 
&oidText, const Certific
 
     int loc;
     loc = -1;
-    while ((loc = X509_NAME_get_index_by_OBJ(name, oid, loc)) != -1) {
-        X509_NAME_ENTRY *ne   = X509_NAME_get_entry(name, loc);
-        ASN1_STRING     *data = X509_NAME_ENTRY_get_data(ne);
-        QByteArray       cs((const char *)data->data, data->length);
+    while ((loc = our_X509_NAME_get_index_by_OBJ(name, oid, loc)) != -1) {
+        const X509_NAME_ENTRY *ne   = X509_NAME_get_entry(name, loc);
+        const ASN1_STRING     *data = X509_NAME_ENTRY_get_data(ne);
+        QByteArray             cs((const char *)ASN1_STRING_get0_data(data), 
ASN1_STRING_length(data));
         info->insert(t, QString::fromLatin1(cs));
         qDebug() << "oid: " << oidText << ",  result: " << cs;
     }
     ASN1_OBJECT_free(oid);
 }
 
-static CertificateInfo get_cert_name(X509_NAME *name)
+static CertificateInfo get_cert_name(const X509_NAME *name)
 {
     CertificateInfo info;
     try_get_name_item(name, NID_commonName, CommonName, &info);
@@ -389,9 +415,9 @@ static X509_EXTENSION *new_basic_constraints(bool ca, int 
pathlen)
     return ex;
 }
 
-static void get_basic_constraints(X509_EXTENSION *ex, bool *ca, int *pathlen)
+static void get_basic_constraints(const X509_EXTENSION *ex, bool *ca, int 
*pathlen)
 {
-    BASIC_CONSTRAINTS *bs = (BASIC_CONSTRAINTS *)X509V3_EXT_d2i(ex);
+    BASIC_CONSTRAINTS *bs = (BASIC_CONSTRAINTS *)our_X509V3_EXT_d2i(ex);
     *ca                   = (bs->ca ? true : false);
     if (bs->pathlen)
         *pathlen = ASN1_INTEGER_get(bs->pathlen);
@@ -641,10 +667,10 @@ static void try_get_general_name(GENERAL_NAMES *names, 
const CertificateInfoType
     }
 }
 
-static CertificateInfo get_cert_alt_name(X509_EXTENSION *ex)
+static CertificateInfo get_cert_alt_name(const X509_EXTENSION *ex)
 {
     CertificateInfo info;
-    GENERAL_NAMES  *gn = (GENERAL_NAMES *)X509V3_EXT_d2i(ex);
+    GENERAL_NAMES  *gn = (GENERAL_NAMES *)our_X509V3_EXT_d2i(ex);
     try_get_general_name(gn, Email, &info);
     try_get_general_name(gn, URI, &info);
     try_get_general_name(gn, DNS, &info);
@@ -704,7 +730,7 @@ static X509_EXTENSION *new_cert_key_usage(const Constraints 
&constraints)
     return ex;
 }
 
-static Constraints get_cert_key_usage(X509_EXTENSION *ex)
+static Constraints get_cert_key_usage(const X509_EXTENSION *ex)
 {
     Constraints constraints;
     int         bit_table[9] = {DigitalSignature,
@@ -717,7 +743,7 @@ static Constraints get_cert_key_usage(X509_EXTENSION *ex)
                                 EncipherOnly,
                                 DecipherOnly};
 
-    ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ex);
+    ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)our_X509V3_EXT_d2i(ex);
     for (int n = 0; n < 9; ++n) {
         if (ASN1_BIT_STRING_get_bit(keyusage, n))
             constraints += ConstraintType((ConstraintTypeKnown)bit_table[n]);
@@ -778,11 +804,11 @@ static X509_EXTENSION *new_cert_ext_key_usage(const 
Constraints &constraints)
     return ex;
 }
 
-static Constraints get_cert_ext_key_usage(X509_EXTENSION *ex)
+static Constraints get_cert_ext_key_usage(const X509_EXTENSION *ex)
 {
     Constraints constraints;
 
-    EXTENDED_KEY_USAGE *extkeyusage = (EXTENDED_KEY_USAGE *)X509V3_EXT_d2i(ex);
+    EXTENDED_KEY_USAGE *extkeyusage = (EXTENDED_KEY_USAGE 
*)our_X509V3_EXT_d2i(ex);
     for (int n = 0; n < sk_ASN1_OBJECT_num(extkeyusage); ++n) {
         ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extkeyusage, n);
         int          nid = OBJ_obj2nid(obj);
@@ -852,10 +878,10 @@ static X509_EXTENSION *new_cert_policies(const 
QStringList &policies)
     return ex;
 }
 
-static QStringList get_cert_policies(X509_EXTENSION *ex)
+static QStringList get_cert_policies(const X509_EXTENSION *ex)
 {
     QStringList out;
-    STACK_OF(POLICYINFO) *pols = (STACK_OF(POLICYINFO) *)X509V3_EXT_d2i(ex);
+    STACK_OF(POLICYINFO) *pols = (STACK_OF(POLICYINFO) 
*)our_X509V3_EXT_d2i(ex);
     for (int n = 0; n < sk_POLICYINFO_num(pols); ++n) {
         POLICYINFO *pol = sk_POLICYINFO_value(pols, n);
         QByteArray  buf(128, 0);
@@ -867,9 +893,9 @@ static QStringList get_cert_policies(X509_EXTENSION *ex)
     return out;
 }
 
-static QByteArray get_cert_subject_key_id(X509_EXTENSION *ex)
+static QByteArray get_cert_subject_key_id(const X509_EXTENSION *ex)
 {
-    ASN1_OCTET_STRING *skid = (ASN1_OCTET_STRING *)X509V3_EXT_d2i(ex);
+    ASN1_OCTET_STRING *skid = (ASN1_OCTET_STRING *)our_X509V3_EXT_d2i(ex);
     const QByteArray   out  = qca_ASN1_STRING_toByteArray(skid);
     ASN1_OCTET_STRING_free(skid);
     return out;
@@ -877,9 +903,9 @@ static QByteArray get_cert_subject_key_id(X509_EXTENSION 
*ex)
 
 // If you get any more crashes in this code, please provide a copy
 // of the cert to bradh AT frogmouth.net
-static QByteArray get_cert_issuer_key_id(X509_EXTENSION *ex)
+static QByteArray get_cert_issuer_key_id(const X509_EXTENSION *ex)
 {
-    AUTHORITY_KEYID *akid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ex);
+    AUTHORITY_KEYID *akid = (AUTHORITY_KEYID *)our_X509V3_EXT_d2i(ex);
     QByteArray       out;
     if (akid->keyid)
         out = qca_ASN1_STRING_toByteArray(akid->keyid);
@@ -3334,16 +3360,16 @@ class X509Item
 // by Eric Young
 QDateTime ASN1_UTCTIME_QDateTime(const ASN1_UTCTIME *tm, int *isGmt)
 {
-    QDateTime qdt;
-    char     *v;
-    int       gmt = 0;
-    int       i;
-    int       y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
-    QDate     qdate;
-    QTime     qtime;
+    QDateTime   qdt;
+    const char *v;
+    int         gmt = 0;
+    int         i;
+    int         y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
+    QDate       qdate;
+    QTime       qtime;
 
-    i = tm->length;
-    v = (char *)tm->data;
+    i = ASN1_STRING_length((const ASN1_STRING *)tm);
+    v = (const char *)ASN1_STRING_get0_data((const ASN1_STRING *)tm);
 
     if (i < 10)
         goto auq_err;
@@ -3672,42 +3698,42 @@ class MyCertContext : public CertContext
         p.pathLimit = 0;
         int pos     = X509_get_ext_by_NID(x, NID_basic_constraints, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 get_basic_constraints(ex, &p.isCA, &p.pathLimit);
         }
 
         pos = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 subject.unite(get_cert_alt_name(ex));
         }
 
         pos = X509_get_ext_by_NID(x, NID_issuer_alt_name, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 issuer.unite(get_cert_alt_name(ex));
         }
 
         pos = X509_get_ext_by_NID(x, NID_key_usage, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 p.constraints = get_cert_key_usage(ex);
         }
 
         pos = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 p.constraints += get_cert_ext_key_usage(ex);
         }
 
         pos = X509_get_ext_by_NID(x, NID_certificate_policies, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 p.policies = get_cert_policies(ex);
         }
@@ -3716,9 +3742,10 @@ class MyCertContext : public CertContext
 
         X509_get0_signature(&signature, nullptr, x);
         if (signature) {
-            p.sig = QByteArray(signature->length, 0);
-            for (int i = 0; i < signature->length; i++)
-                p.sig[i] = signature->data[i];
+            const int byte_len = ASN1_STRING_length((const ASN1_STRING 
*)signature);
+            p.sig              = QByteArray(byte_len, 0);
+            for (int i = 0; i < byte_len; i++)
+                p.sig[i] = ASN1_BIT_STRING_get_bit(signature, i);
         }
 
         switch (X509_get_signature_nid(x)) {
@@ -3758,14 +3785,14 @@ class MyCertContext : public CertContext
 
         pos = X509_get_ext_by_NID(x, NID_subject_key_identifier, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 p.subjectId += get_cert_subject_key_id(ex);
         }
 
         pos = X509_get_ext_by_NID(x, NID_authority_key_identifier, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_get_ext(x, pos);
             if (ex)
                 p.issuerId += get_cert_issuer_key_id(ex);
         }
@@ -4175,35 +4202,35 @@ class MyCSRContext : public CSRContext
         p.pathLimit = 0;
         int pos     = X509v3_get_ext_by_NID(exts, NID_basic_constraints, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
+            const X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
             if (ex)
                 get_basic_constraints(ex, &p.isCA, &p.pathLimit);
         }
 
         pos = X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
+            const X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
             if (ex)
                 subject.unite(get_cert_alt_name(ex));
         }
 
         pos = X509v3_get_ext_by_NID(exts, NID_key_usage, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
+            const X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
             if (ex)
                 p.constraints = get_cert_key_usage(ex);
         }
 
         pos = X509v3_get_ext_by_NID(exts, NID_ext_key_usage, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
+            const X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
             if (ex)
                 p.constraints += get_cert_ext_key_usage(ex);
         }
 
         pos = X509v3_get_ext_by_NID(exts, NID_certificate_policies, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
+            const X509_EXTENSION *ex = X509v3_get_ext(exts, pos);
             if (ex)
                 p.policies = get_cert_policies(ex);
         }
@@ -4214,9 +4241,10 @@ class MyCSRContext : public CSRContext
 
         X509_REQ_get0_signature(x, &signature, nullptr);
         if (signature) {
-            p.sig = QByteArray(signature->length, 0);
-            for (int i = 0; i < signature->length; i++)
-                p.sig[i] = signature->data[i];
+            const int byte_len = ASN1_STRING_length((const ASN1_STRING 
*)signature);
+            p.sig              = QByteArray(byte_len, 0);
+            for (int i = 0; i < byte_len; i++)
+                p.sig[i] = ASN1_BIT_STRING_get_bit(signature, i);
         }
 
         switch (X509_REQ_get_signature_nid(x)) {
@@ -4363,9 +4391,9 @@ class MyCRLContext : public CRLContext
             QCA::CRLEntry::Reason reason = QCA::CRLEntry::Unspecified;
             int                   pos    = X509_REVOKED_get_ext_by_NID(rev, 
NID_crl_reason, -1);
             if (pos != -1) {
-                X509_EXTENSION *ex = X509_REVOKED_get_ext(rev, pos);
+                const X509_EXTENSION *ex = X509_REVOKED_get_ext(rev, pos);
                 if (ex) {
-                    ASN1_ENUMERATED *result = (ASN1_ENUMERATED 
*)X509V3_EXT_d2i(ex);
+                    ASN1_ENUMERATED *result = (ASN1_ENUMERATED 
*)our_X509V3_EXT_d2i(ex);
                     switch (ASN1_ENUMERATED_get(result)) {
                     case CRL_REASON_UNSPECIFIED:
                         reason = QCA::CRLEntry::Unspecified;
@@ -4412,9 +4440,10 @@ class MyCRLContext : public CRLContext
 
         X509_CRL_get0_signature(x, &signature, nullptr);
         if (signature) {
-            p.sig = QByteArray(signature->length, 0);
-            for (int i = 0; i < signature->length; i++)
-                p.sig[i] = signature->data[i];
+            const int byte_len = ASN1_STRING_length((const ASN1_STRING 
*)signature);
+            p.sig              = QByteArray(byte_len, 0);
+            for (int i = 0; i < byte_len; i++)
+                p.sig[i] = ASN1_BIT_STRING_get_bit(signature, i);
         }
 
         switch (X509_CRL_get_signature_nid(x)) {
@@ -4454,7 +4483,7 @@ class MyCRLContext : public CRLContext
 
         int pos = X509_CRL_get_ext_by_NID(x, NID_authority_key_identifier, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_CRL_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_CRL_get_ext(x, pos);
             if (ex)
                 p.issuerId += get_cert_issuer_key_id(ex);
         }
@@ -4462,9 +4491,9 @@ class MyCRLContext : public CRLContext
         p.number = -1;
         pos      = X509_CRL_get_ext_by_NID(x, NID_crl_number, -1);
         if (pos != -1) {
-            X509_EXTENSION *ex = X509_CRL_get_ext(x, pos);
+            const X509_EXTENSION *ex = X509_CRL_get_ext(x, pos);
             if (ex) {
-                ASN1_INTEGER *result = (ASN1_INTEGER *)X509V3_EXT_d2i(ex);
+                ASN1_INTEGER *result = (ASN1_INTEGER *)our_X509V3_EXT_d2i(ex);
                 p.number             = ASN1_INTEGER_get(result);
                 ASN1_INTEGER_free(result);
             }
@@ -4994,12 +5023,17 @@ class MyTLSContext : public TLSContext
         switch (version) {
 #ifndef OPENSSL_NO_SSL3_METHOD
         case TLS::SSL_v3:
+#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
+            // There is no ssl3 in openssl4
+            return {};
+#else
             // Here should be used TLS_client_method() but on Fedora
             // it doesn't return any SSL ciphers.
             ctx = SSL_CTX_new(SSLv3_client_method());
             SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
             SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
             break;
+#endif
 #endif
         case TLS::TLS_v1:
             ctx = SSL_CTX_new(TLS_client_method());

Reply via email to