gamzinav/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2

Browse Source 
Commit 48a8332a introduce SSL_CTX_get0_privatekey in openssl-compat.h but
SSL_CTX_get0_privatekey access internal structure and can't be a candidate
to openssl-compat.h. The workaround with openssl < 1.0.2 is to use SSL_new
then SSL_get_privatekey.
This commit is contained in:
Emmanuel Hocdet 2017-08-11 10:56:00 +02:00 committed by Willy Tarreau
parent 286ec68f82
commit 15969297af
2 changed files with 10 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
include/proto/openssl-compat.h
View File

@ -89,19 +89,6 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
}
#endif
#if (OPENSSL_VERSION_NUMBER < 0x10002000L) || defined(LIBRESSL_VERSION_NUMBER)
/*
* Functions introduced in OpenSSL 1.0.2 and not yet present in LibreSSL
*/
EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
{
if (ctx->cert != NULL)
return ctx->cert->key->privatekey;
else
return NULL;
}
#endif
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
/*
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL

11
src/ssl_sock.c
View File

@ -1580,6 +1580,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
SSL_CTX *ssl_ctx = NULL;
X509 *newcrt = NULL;
EVP_PKEY *pkey = NULL;
SSL *tmp_ssl = NULL;
X509_NAME *name;
const EVP_MD *digest;
X509V3_CTX ctx;
@ -1587,7 +1588,14 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
int key_type;
/* Get the private key of the default certificate and use it */
if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined LIBRESSL_VERSION_NUMBER)
pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
#else
tmp_ssl = SSL_new(bind_conf->default_ctx);
if (tmp_ssl)
pkey = SSL_get_privatekey(tmp_ssl);
#endif
if (!pkey)
goto mkcert_error;
/* Create the certificate */
@ -1704,6 +1712,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
return ssl_ctx;
mkcert_error:
if (tmp_ssl) SSL_free(tmp_ssl);
if (ssl_ctx) SSL_CTX_free(ssl_ctx);
if (newcrt) X509_free(newcrt);
return NULL;