* [rpms/voms] rawhide: Fix build with OpenSSL 4.0 (opaque ASN1_STRING, const X509, removed ERR_STATE)
@ 2026-06-12 20:00 Dmitry Belyavskiy
From: Dmitry Belyavskiy @ 2026-06-12 20:00 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/voms
Branch : rawhide
Commit : 0bd8b7964ee7907f070c3812cad609a2cd258aea
Author : Dmitry Belyavskiy <beldmit@gmail.com>
Date : 2026-04-29T16:14:45+02:00
Stats : +381/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/voms/c/0bd8b7964ee7907f070c3812cad609a2cd258aea?branch=rawhide
Log:
Fix build with OpenSSL 4.0 (opaque ASN1_STRING, const X509, removed ERR_STATE)
---
diff --git a/voms-openssl4.patch b/voms-openssl4.patch
new file mode 100644
index 0000000..5b96532
--- /dev/null
+++ b/voms-openssl4.patch
@@ -0,0 +1,374 @@
+diff -ruN a/src/ac/validate.cc b/src/ac/validate.cc
+--- a/src/ac/validate.cc 2025-12-18 13:39:27.000000000 +0100
++++ b/src/ac/validate.cc 2026-04-29 15:38:19.136425930 +0200
+@@ -205,8 +205,8 @@
+ }
+
+ v.version = 1;
+- v.siglen = ac->signature->length;
+- v.signature = std::string((char*)ac->signature->data, ac->signature->length);
++ v.siglen = ASN1_STRING_length(ac->signature);
++ v.signature = std::string((char*)ASN1_STRING_get0_data(ac->signature), ASN1_STRING_length(ac->signature));
+ bn = ASN1_INTEGER_to_BN(ac->acinfo->serial, NULL);
+ char *bnstring = BN_bn2hex(bn);
+ v.serial = std::string(bnstring);
+@@ -294,15 +294,15 @@
+ if (X509_NAME_cmp(name->d.dirn, X509_get_subject_name(issuer)))
+ ERROR(AC_ERR_ISSUER_NAME);
+
+- if (ac->acinfo->serial->length>20)
++ if (ASN1_STRING_length(ac->acinfo->serial)>20)
+ ERROR(AC_ERR_SERIAL);
+ }
+
+ b = ac->acinfo->validity->notBefore;
+ a = ac->acinfo->validity->notAfter;
+
+- v.date1 = std::string((char*)b->data, b->length);
+- v.date2 = std::string((char*)a->data, a->length);
++ v.date1 = std::string((char*)ASN1_STRING_get0_data(b), ASN1_STRING_length(b));
++ v.date2 = std::string((char*)ASN1_STRING_get0_data(a), ASN1_STRING_length(a));
+
+ if (valids & VERIFY_DATE) {
+ time_t ctime, dtime;
+@@ -315,8 +315,8 @@
+ ctime += 300;
+ dtime = ctime-600;
+
+- if ((a->type != V_ASN1_GENERALIZEDTIME) ||
+- (b->type != V_ASN1_GENERALIZEDTIME))
++ if ((ASN1_STRING_type(a) != V_ASN1_GENERALIZEDTIME) ||
++ (ASN1_STRING_type(b) != V_ASN1_GENERALIZEDTIME))
+ ERROR(AC_ERR_DATES);
+
+ if (((X509_cmp_time(b, &vertime) >= 0) &&
+@@ -379,7 +379,7 @@
+ /* put policyAuthority in voms struct */
+ data = sk_GENERAL_NAME_value(capattr->names, 0);
+ if (data->type == GEN_URI) {
+- v.voname = std::string((char*)data->d.ia5->data, data->d.ia5->length);
++ v.voname = std::string((char*)ASN1_STRING_get0_data(data->d.ia5), ASN1_STRING_length(data->d.ia5));
+ std::string::size_type point = v.voname.find("://");
+
+ if (point != std::string::npos) {
+@@ -398,10 +398,10 @@
+ for (int i=0; i<sk_AC_IETFATTRVAL_num(values); i++) {
+ capname = sk_AC_IETFATTRVAL_value(values, i);
+
+- if (!(capname->type == V_ASN1_OCTET_STRING))
++ if (!(ASN1_STRING_type(capname) == V_ASN1_OCTET_STRING))
+ return AC_ERR_ATTRIB_FQAN;
+
+- std::string str = std::string((char*)capname->data, capname->length);
++ std::string str = std::string((char*)ASN1_STRING_get0_data(capname), ASN1_STRING_length(capname));
+ std::string::size_type top_group_size = top_group.size();
+ std::string::size_type str_size = str.size();
+
+@@ -556,14 +556,14 @@
+ if (key->keyid) {
+ unsigned char hashed[SHA_DIGEST_LENGTH];
+
+- ASN1_BIT_STRING* pubkey = X509_get0_pubkey_bitstr(iss);
+- if (!SHA1(pubkey->data,
+- pubkey->length,
++ const ASN1_BIT_STRING* pubkey = X509_get0_pubkey_bitstr(iss);
++ if (!SHA1(ASN1_STRING_get0_data(pubkey),
++ ASN1_STRING_length(pubkey),
+ hashed))
+ ret = AC_ERR_EXT_KEY;
+
+- if ((memcmp(key->keyid->data, hashed, 20) != 0) &&
+- (key->keyid->length == 20))
++ if ((memcmp(ASN1_STRING_get0_data(key->keyid), hashed, 20) != 0) &&
++ (ASN1_STRING_length(key->keyid) == 20))
+ ret = AC_ERR_EXT_KEY;
+ }
+ else {
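Review bot: The key-identifier test calls `memcmp(..., hashed, 20)` before it looks at the length, so a `keyid` shorter than 20 bytes is read past its end, and a `keyid` of any other length is never rejected because the `== 20` term makes the whole condition false. Checking the length first closes both gaps: `if (ASN1_STRING_length(key->keyid) != SHA_DIGEST_LENGTH || memcmp(ASN1_STRING_get0_data(key->keyid), hashed, SHA_DIGEST_LENGTH) != 0) ret = AC_ERR_EXT_KEY;`. If identifiers of another length are meant to pass unverified, that needs a comment saying so, and the over-read still has to be guarded. The comparison also runs on an uninitialised `hashed` when `SHA1()` fails. The port carries this logic over from the old field accesses, and the enclosing function starts and ends outside the hunk.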
+@@ -574,7 +574,7 @@
+ (X509_get0_serialNumber(iss))))
+ ret = AC_ERR_EXT_KEY;
+
+- if (key->serial->type != GEN_DIRNAME)
++ if (ASN1_STRING_type(key->serial) != GEN_DIRNAME)
+ ret = AC_ERR_EXT_KEY;
+
+ if (X509_NAME_cmp(sk_GENERAL_NAME_value((key->issuer), 0)->d.dirn,
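Review bot: `ASN1_STRING_type(key->serial) != GEN_DIRNAME` compares the ASN.1 tag of the serial number with a GENERAL_NAME kind, two unrelated sets of constants, so it does not check what the following `->d.dirn` access needs. The test that appears to be intended is on the issuer name itself, `if (sk_GENERAL_NAME_value(key->issuer, 0)->type != GEN_DIRNAME) ret = AC_ERR_EXT_KEY;`, placed before the `X509_NAME_cmp` call so the union member is read only when it holds a directory name. The old `key->serial->type` expression had the same mismatch and the port preserves it. The surrounding branch begins and ends outside the hunk, so this is inferred from the visible lines only.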
+@@ -632,15 +632,15 @@
+ AC_ATTRIBUTE *at = sk_AC_ATTRIBUTE_value(atts, j);
+
+ struct attribute a;
+- a.name = std::string((char*)at->name->data, at->name->length);
+- a.value = std::string((char*)at->value->data, at->value->length);
+- a.qualifier = std::string((char*)at->qualifier->data, at->qualifier->length);
++ a.name = std::string((char*)ASN1_STRING_get0_data(at->name), ASN1_STRING_length(at->name));
++ a.value = std::string((char*)ASN1_STRING_get0_data(at->value), ASN1_STRING_length(at->value));
++ a.qualifier = std::string((char*)ASN1_STRING_get0_data(at->qualifier), ASN1_STRING_length(at->qualifier));
+
+ al.attributes.push_back(a);
+ }
+
+ gn = sk_GENERAL_NAME_value(holder->grantor, 0);
+- al.grantor = std::string((char*)gn->d.ia5->data, gn->d.ia5->length);
++ al.grantor = std::string((char*)ASN1_STRING_get0_data(gn->d.ia5), ASN1_STRING_length(gn->d.ia5));
+
+ rd->attributes->push_back(al);
+ }
+diff -ruN a/src/api/ccapi/api_util.cc b/src/api/ccapi/api_util.cc
+--- a/src/api/ccapi/api_util.cc 2025-12-18 13:39:27.000000000 +0100
++++ b/src/api/ccapi/api_util.cc 2026-04-29 16:05:24.239940677 +0200
+@@ -139,7 +139,7 @@
+ int index = X509_get_ext_by_NID(cert, nid, -1);
+
+ if (index >= 0)
+- return X509_get_ext(cert, index);
++ return const_cast<X509_EXTENSION*>(X509_get_ext(cert, index));
+ else
+ return NULL;
+ }
+@@ -157,17 +157,17 @@
+
+ ext = get_ext(cert, "incfile");
+ if (ext) {
+- ASN1_OCTET_STRING* value = X509_EXTENSION_get_data(ext);
++ const ASN1_OCTET_STRING* value = X509_EXTENSION_get_data(ext);
+ assert(value && "X509_EXTENSION_get_data failed");
+- extra_data = std::string(reinterpret_cast<char*>(value->data), value->length);
++ extra_data = std::string(reinterpret_cast<const char*>(ASN1_STRING_get0_data(value)), ASN1_STRING_length(value));
+ found = true;
+ }
+
+ ext = get_ext(cert, "vo");
+ if (ext) {
+- ASN1_OCTET_STRING* value = X509_EXTENSION_get_data(ext);
++ const ASN1_OCTET_STRING* value = X509_EXTENSION_get_data(ext);
+ assert(value && "X509_EXTENSION_get_data failed");
+- workvo = std::string(reinterpret_cast<char*>(value->data), value->length);
++ workvo = std::string(reinterpret_cast<const char*>(ASN1_STRING_get0_data(value)), ASN1_STRING_length(value));
+ }
+
+ return found;
+@@ -423,7 +423,7 @@
+ return NULL;
+ }
+
+- std::string voname((const char *)name->d.ia5->data, 0, name->d.ia5->length);
++ std::string voname((const char *)ASN1_STRING_get0_data(name->d.ia5), 0, ASN1_STRING_length(name->d.ia5));
+ std::string::size_type cpos = voname.find("://");
+ std::string hostname;
+
+diff -ruN a/src/api/ccapi/voms_api.cc b/src/api/ccapi/voms_api.cc
+--- a/src/api/ccapi/voms_api.cc 2025-12-18 13:39:27.000000000 +0100
++++ b/src/api/ccapi/voms_api.cc 2026-04-29 16:05:14.064784528 +0200
+@@ -1025,8 +1025,8 @@
+ AC_TARGET *name = NULL;
+ name = sk_AC_TARGET_value(target->targets, i);
+ if (name->name->type == GEN_URI)
+- targets.push_back(std::string((char*)(name->name->d.ia5->data),
+- name->name->d.ia5->length));
++ targets.push_back(std::string((char*)ASN1_STRING_get0_data(name->name->d.ia5),
++ ASN1_STRING_length(name->name->d.ia5)));
+ }
+ }
+ AC_TARGETS_free(target);
+diff -ruN a/src/include/sslutils.h b/src/include/sslutils.h
+--- a/src/include/sslutils.h 2025-12-18 13:39:27.000000000 +0100
++++ b/src/include/sslutils.h 2026-04-29 14:45:17.997509299 +0200
+@@ -403,8 +403,8 @@
+ int
+ proxy_check_issued(
+ X509_STORE_CTX * ctx,
+- X509 * x,
+- X509 * issuer);
++ const X509 * x,
++ const X509 * issuer);
+
+ int
+ proxy_verify_certchain(
+diff -ruN a/src/sslutils/proxy.c b/src/sslutils/proxy.c
+--- a/src/sslutils/proxy.c 2025-12-18 13:39:27.000000000 +0100
++++ b/src/sslutils/proxy.c 2026-04-29 15:21:22.859426069 +0200
+@@ -543,8 +543,9 @@
+ oct = ASN1_OCTET_STRING_new();
+ assert(oct != NULL && "ASN1_OCTET_STRING_new failed");
+
+- oct->data = der;
+- oct->length = len;
++ ASN1_STRING_set0(oct, der, len);
++
++
+ ex7 = X509_EXTENSION_create_by_NID(NULL, v3nid, 1 /*critical*/, oct);
+
+ ASN1_OCTET_STRING_free(oct);
+@@ -683,8 +684,7 @@
+ goto err;
+ }
+
+- ex_oct->data = (unsigned char*)data;
+- ex_oct->length = datalen;
++ ASN1_STRING_set0(ex_oct, (unsigned char*)data, datalen);
+
+ if (!(ex = X509_EXTENSION_create_by_OBJ(NULL, ex_obj, crit, ex_oct))) {
+ PRXYerr(PRXYERR_F_PROXY_SIGN,PRXYERR_R_CLASS_ADD_EXT);
+@@ -694,8 +694,7 @@
+
+ if (ex_oct) {
+ /* avoid spurious free of the contents. */
+- ex_oct->length = 0;
+- ex_oct->data = NULL;
++ ASN1_STRING_set0(ex_oct, NULL, 0);
+ ASN1_OCTET_STRING_free(ex_oct);
+ }
+
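Review bot: `ASN1_STRING_set0(ex_oct, NULL, 0)` does more than detach the buffer: in the OpenSSL releases I know, `ASN1_STRING_set0` frees the data the string currently holds before installing the new pointer, so this line frees the caller's `data` that the previous hunk attached, which is the free the comment above it says to avoid. The removed lines cleared the two fields without freeing anything. If the caller still owns `data` (not visible here), the result is a double free or a free of memory OpenSSL never allocated. Copying keeps ownership simple: replace the first call with `if (!ASN1_OCTET_STRING_set(ex_oct, (unsigned char*)data, datalen)) goto err;` and delete the reset line, so `ASN1_OCTET_STRING_free(ex_oct)` releases only the copy.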
+@@ -806,10 +805,10 @@
+ ASN1_BIT_STRING *usage = X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL);
+
+ if (usage) {
+- if (usage->length > 0)
+- keyusage = usage->data[0];
+- if (usage->length > 1)
+- keyusage |= usage->data[1] << 8;
++ if (ASN1_STRING_length(usage) > 0)
++ keyusage = ASN1_STRING_get0_data(usage)[0];
++ if (ASN1_STRING_length(usage) > 1)
++ keyusage |= ASN1_STRING_get0_data(usage)[1] << 8;
+
+ ASN1_BIT_STRING_free(usage);
+ }
+diff -ruN a/src/sslutils/proxycertinfo.c b/src/sslutils/proxycertinfo.c
+--- a/src/sslutils/proxycertinfo.c 2025-12-18 13:39:27.000000000 +0100
++++ b/src/sslutils/proxycertinfo.c 2026-04-29 14:44:27.158966391 +0200
+@@ -107,9 +107,9 @@
+ BIO_printf(out, "%*sPolicy Language: ", indent, "");
+ i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+ BIO_puts(out, "\n");
+- if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
++ if (pci->proxyPolicy->policy && ASN1_STRING_get0_data(pci->proxyPolicy->policy))
+ BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+- pci->proxyPolicy->policy->data);
++ ASN1_STRING_get0_data(pci->proxyPolicy->policy));
+ return 1;
+ }
+
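Review bot: The policy text is printed with `%s`, which reads up to the first NUL byte instead of the string's recorded length, so the output relies on a terminator the ASN1_STRING API does not promise and is cut short by an embedded NUL. Bounding the print by the length avoids both: `BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "", ASN1_STRING_length(pci->proxyPolicy->policy), ASN1_STRING_get0_data(pci->proxyPolicy->policy));`. The policy comes from a certificate extension, so its bytes should be treated as untrusted input. The function starts outside the hunk.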
+@@ -142,11 +142,11 @@
+ {
+ if(policy->policy)
+ {
+- (*length) = policy->policy->length;
+- if(*length > 0 && policy->policy->data)
++ (*length) = ASN1_STRING_length(policy->policy);
++ if(*length > 0 && ASN1_STRING_get0_data(policy->policy))
+ {
+ unsigned char * copy = malloc(*length);
+- memcpy(copy, policy->policy->data, *length);
++ memcpy(copy, ASN1_STRING_get0_data(policy->policy), *length);
+ return copy;
+ }
+ }
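Review bot: `copy` is handed to `memcpy` without checking the `malloc` result, so an allocation failure becomes a write through a NULL pointer. A guard such as `if (copy == NULL) return NULL;` directly after the allocation fixes it. How callers treat a NULL return when `*length` has already been set is outside the hunk and should be confirmed.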
+diff -ruN a/src/sslutils/sslutils.c b/src/sslutils/sslutils.c
+--- a/src/sslutils/sslutils.c 2025-12-18 13:39:27.000000000 +0100
++++ b/src/sslutils/sslutils.c 2026-04-29 14:45:33.014031670 +0200
+@@ -404,10 +404,12 @@
+ void PRIVATE
+ ERR_set_continue_needed(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x40000000L
+ ERR_STATE *es;
+ es = ERR_get_state();
+ es->err_data_flags[es->top] =
+ es->err_data_flags[es->top] | ERR_DISPLAY_CONTINUE_NEEDED;
++#endif
+ }
+
+
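Review bot: With the new guard, `ERR_set_continue_needed()` has an empty body on OpenSSL 4.0, and nothing in the code says so. A comment inside the function, for example `/* ERR_STATE is no longer exposed in OpenSSL 4.0; the continue-needed flag cannot be set there, so this is a no-op. */`, would tell maintainers that error output relying on `ERR_DISPLAY_CONTINUE_NEEDED` differs on the new library. Whether any caller depends on that flag is not visible in this hunk.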
+@@ -1669,8 +1671,8 @@
+
+ int PRIVATE
+ proxy_check_issued(UNUSED(X509_STORE_CTX * ctx),
+- X509 * x,
+- X509 * issuer)
++ const X509 * x,
++ const X509 * issuer)
+ {
+ int return_value;
+ int return_code = 1;
+@@ -3268,7 +3270,7 @@
+ struct tm tm;
+ int size = 0;
+
+- switch (ctm->type) {
++ switch (ASN1_STRING_type(ctm)) {
+ case V_ASN1_UTCTIME:
+ size=10;
+ break;
+@@ -3277,8 +3279,8 @@
+ break;
+ }
+ p = buff1;
+- i = ctm->length;
+- str = (char *)ctm->data;
++ i = ASN1_STRING_length(ctm);
++ str = (char *)ASN1_STRING_get0_data(ctm);
+ if ((i < 11) || (i > 17)) {
+ return 0;
+ }
+@@ -3311,7 +3313,7 @@
+
+ tm.tm_isdst = 0;
+ int index = 0;
+- if (ctm->type == V_ASN1_UTCTIME) {
++ if (ASN1_STRING_type(ctm) == V_ASN1_UTCTIME) {
+ tm.tm_year = (buff1[index++]-'0')*10;
+ tm.tm_year += (buff1[index++]-'0');
+ }
+diff -ruN a/src/sslutils/voms_cert_type.c b/src/sslutils/voms_cert_type.c
+--- a/src/sslutils/voms_cert_type.c 2025-12-18 13:39:27.000000000 +0100
++++ b/src/sslutils/voms_cert_type.c 2026-04-29 15:05:46.737365952 +0200
+@@ -256,11 +256,11 @@
+
+ ne_data = X509_NAME_ENTRY_get_data(ne);
+
+- if (ne_data->length == 5 && !memcmp(ne_data->data,"proxy",5))
++ if (ASN1_STRING_length(ne_data) == 5 && !memcmp(ASN1_STRING_get0_data(ne_data),"proxy",5))
+ {
+ *cert_type = VOMS_CERT_TYPE_GSI_2_PROXY;
+ }
+- else if (ne_data->length == 13 && !memcmp(ne_data->data,"limited proxy",13))
++ else if (ASN1_STRING_length(ne_data) == 13 && !memcmp(ASN1_STRING_get0_data(ne_data),"limited proxy",13))
+ {
+ *cert_type = VOMS_CERT_TYPE_GSI_2_LIMITED_PROXY;
+ }
+@@ -293,7 +293,7 @@
+ ne_data = X509_NAME_ENTRY_get_data(ne);
+
+ if ((new_ne = X509_NAME_ENTRY_create_by_NID( NULL, NID_commonName,
+- ne_data->type, ne_data->data, -1)) == NULL){
++ ASN1_STRING_type(ne_data), ASN1_STRING_get0_data(ne_data), -1)) == NULL){
+
+ result = voms_validation_error(
+ PRXYERR_R_ERROR_BUILDING_SUBJECT,
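Review bot: Passing `-1` as the length makes `X509_NAME_ENTRY_create_by_NID` measure the buffer with `strlen`, so the rebuilt common name is cut at the first NUL byte and depends on a terminator the ASN1_STRING API does not promise. The length is available, so pass it: `ASN1_STRING_type(ne_data), ASN1_STRING_get0_data(ne_data), ASN1_STRING_length(ne_data))) == NULL){`. That keeps the new entry byte-for-byte equal to the one taken from the certificate subject. The call sits in a function whose start and end are outside the hunk.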
+diff -ruN a/src/utils/voms_proxy_info.cc b/src/utils/voms_proxy_info.cc
+--- a/src/utils/voms_proxy_info.cc 2025-12-18 13:39:27.000000000 +0100
++++ b/src/utils/voms_proxy_info.cc 2026-04-29 16:06:20.035319031 +0200
+@@ -466,18 +466,10 @@
+ static ASN1_TIME *
+ convtime(std::string data)
+ {
+- ASN1_TIME *t= ASN1_TIME_new();
+-
+- t->data = (unsigned char*)strdup(data.data());
+- t->length = data.size();
+- switch(t->length) {
+- case 10:
+- t->type = V_ASN1_UTCTIME;
+- break;
+- case 15:
+- t->type = V_ASN1_GENERALIZEDTIME;
+- break;
+- default:
++ ASN1_TIME *t = ASN1_TIME_new();
++ if (!t)
++ return NULL;
++ if (!ASN1_TIME_set_string(t, data.c_str())) {
+ ASN1_TIME_free(t);
+ return NULL;
+ }
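Review bot: `ASN1_TIME_set_string` validates its input, and as far as I know it accepts only the full `YYMMDDHHMMSSZ` and `YYYYMMDDHHMMSSZ` forms, whereas the removed code tagged any 10-byte string as UTCTime without inspecting it. `convtime` therefore returns NULL for inputs the old version accepted, which is the safer behaviour but a change callers have to tolerate. A comment above the function such as `/* Returns NULL unless data is a well-formed ASN.1 UTCTime or GeneralizedTime string. */` would record the contract. The rest of the function and its callers are outside the hunk, so their NULL handling should be checked.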
diff --git a/voms.spec b/voms.spec
index c0cf071..de614d6 100644
--- a/voms.spec
+++ b/voms.spec
@@ -2,7 +2,7 @@
Name: voms
Version: 2.1.3
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Virtual Organization Membership Service
License: Apache-2.0
@@ -13,6 +13,8 @@ Source1: %{name}.INSTALL
# System user creation config
Source2: %{name}-sysusers.conf
+Patch0: voms-openssl4.patch
+
BuildRequires: make
BuildRequires: gcc-c++
BuildRequires: openssl-devel
@@ -104,6 +106,7 @@ This package provides the VOMS service.
%prep
%setup -q
+%patch 0 -p1 -b .openssl4
./autogen.sh
@@ -296,6 +299,9 @@ fi
%doc README.Fedora
%changelog
+* Wed Apr 29 2026 Dmitry Belyavskiy <beldmit@gmail.com> - 2.1.3-4
+- Fix build with OpenSSL 4.0 (opaque ASN1_STRING, const X509, removed ERR_STATE)
+
* Tue Jan 20 2026 Mattias Ellert <mattias.ellert@physics.uu.se> - 2.1.3-3
- Rebuild for gsoap 2.8.139 (Fedora 44)