This commit ports VOMS to OpenSSL 1.1.
More details in openssl11.md.

Porting to OpenSSL 1.1

Fix issue #60

…lifre-wsdl2h-detect

* 'wsdl2h-detect' of https://github.com/olifre/voms:
  wsdl2h.m4: Fix detection of modern wsdl2h versions.
  Fixes for README.md

Based on italiangrid/pkg.base:centos6

Fix https://issues.infn.it/jira/browse/VOMS-875
(for the part about incompatible AC)

Add a class static function to allow clients to skip OpenSSL
initialization. This makes sense only for versions up to 1.0.2; above
that the initialization is done automatically. There is no check on
this though, to minimize changes.

Moreover OpenSSL (if not skipped) and AC- and Proxy-related
functionality are initialized atomically.

The flag that tells if OpenSSL needs to be initialized is not atomic
because it is checked inside the critical section of pthread_once.

Fixes: #89

Fix AC incompatibilty introduced with the migration to OpenSSL 1.1

Align develop-2.1.x with develop

Allow to skip OpenSSL initialization

During the merge of branch issue-89 into develop, a previous
change introduced by the merge of develop-2.1.x into develop was
undone. This commit reintroduces that change: the call to
SSLeay_add_all_algorithms is replaced by a call to
OpenSSL_add_all_algorithms.

Fixes: issue https://issues.infn.it/jira/browse/VOMS-915

Initialize OpenSSL only below version 1.1

Don't use macros in AC_CHECK_LIB

Change default proxy cert key length to 2048 bits

Assign default value before reading sysconfig

Fix compilation error with gcc7 and beyond

voms-proxy-init was already changed to work this way.

Remove obsolete (and buggy) globus() function that detemines the
globus version. No longer used to define the default proxy version.

Only test for gSOAP and WSDL2H when building server. This allows building the
non-server components on platforms without gSOAP.

GSOAP checks are only needed for server.

- several functions now have 'constified' their parameters
- defining AC_dup using &(AC_it) causes a SEGV in OpenSSL 3.0. The proper way
  seems to always have been to use ASN1_ITEM_rptr(), see for example
  https://github.com/openssl/openssl/blob/OpenSSL_1_1_1/crypto/rsa/rsa_asn1.c#L113_L116

Remove globus version detection

Minimal fixes to build with OpenSSL 3

The checks define preprocessor macros causing many compilation
warnings. Moreover the autoconf macros seem incorrect, for they
swap the two branches of an if; the result was sort-of-ok by chance.

A literal string cannot be bound to a non-const char pointer. Minimally
adjust the const-ness of parameters passed to the parse_ga_value
function.

RSA_generate_key was deprecated a long time ago. Unfortunately
RSA_generate_key_ex is also deprecated by OpenSSL 3, but we'll
manage it together with the other OpenSSL 3 deprecations.

In the process, clean up the callbacks, to make them respect the
required signature.

C did not allow unnamed function parameters. For uniformity, do
the same in similar contexts in C++ code (where it would be allowed).

Note that recent versions of gcc allow unnamed parameters. This is
probably due to an upgrade of the C standard (to be checked).

The two functions have been introduced only in OpenSSL 1.1.
Add include guard to the header file.

Do not use -ansi, which can be too strict.

Only one of name, group and cert is allowed.
According to RFC 3281, the AC target should be a choice between the
three fields, but apparently VOMS traditionally implements it as three
optional fields.
The change fixes the parsing on the client side. How the server behaves
needs to be checked.

Fix #102

…not-parse-correctly-the-target-information-extension

Declare fields of AC_TARGET as optional

Otherwise OPENSSL_COMPAT_API is defined by OpenSSL before we
have the chance to do it.

Corresponding to the various supported OpenSSL versions: 1.0, 1.1, 3.0.

Port to CentOS 9 Stream (OpenSSL 3)

Catch exception by reference

Fix also a warning about an unused variable. This piece of code can probably
go away, but let's just fix the warning for the time being.

About a documented return type for a function that does not return anything.

This is a false positive, since the source is an 8-byte hash and
is copied into an 8-byte substring. memcpy is a better fit anyway.

This reverts 5c022c1

This is an alternative (and not wrong) solution to commit 5c022c1
to define the macro OPENSSL_COMPAT_API before OpenSSL does it.

They are reported from the runtime checks on EL9

When verification of ACs fails, the prior behavior is to always have
this message:

```
Cannot verify AC signature!
```

This can be difficult to debug as there's no indication of whether
its a problem with the proxy itself or with the host configuration.

This patch appends the underlying error message if one was provided.
For example,

```
Cannot verify AC signature!  Underlying error: Certificate verification \
  failed for certificate '/CN=voms.example.com': certificate has expired.
```

(newlines added for readability)

And include them in a few strategic places.  This avoids build
failures with future compilers that do not support implicit function
declarations by default.

(NB: This commit does not regenerate the lexers/parsers, so the
line numbers are slightly off.)

)

The depth of some fields was not correct for the response obtained
through the REST API, which is the first one tried and the only one that
will survive in the future with VOMS-AA.

In addition, VOMS-AA returns a numeric code for an error condition, not
a string like VOMS server.

* Always process the errors, not only in case an AC has been returned
* For certain errors (user doesn't exist, is suspended, is inactive) do
  not try the legacy endpoint, which doesn't even exist for VOMS AA
* Leave some commented-out debug messages, to be possibly included in
  the output in debug mode (requires some work to propagate the debug
  flag)

Fixes build error if all targets are made.

voms-server: chown-with-dot root.voms [usr/share/voms/voms_install_db:276]

chown-with-dot

  The named script uses a dot to separate owner and group in a call like
  chown user.group but that usage is deprecated.

  Please use a colon instead, as in:

  chown user:group.

* Regenerate lexers/parsers

Regenerate lexers/parsers after PR #112, which has changed the *.y and
*.l files.

The regeneration is done on CentOS 9 Stream, with bison 3.7.4-5 and
flex 2.6.4-9.

Resolves issue #118

* Prepend srcdir path for out-of-source builds