This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
     new d2bfadf  fix OCSP under OpenSSL 1.1.x
d2bfadf is described below

commit d2bfadf12d34979d43d9b1aeba93868004bc4cb0
Author: Randall Meyer <randallme...@yahoo.com>
AuthorDate: Thu Jan 11 07:35:03 2018 +0000

    fix OCSP under OpenSSL 1.1.x

    fixes issue #3004
---
 iocore/net/OCSPStapling.cc  | 34 ++++++++++++++++++++++++----------
 iocore/net/P_OCSPStapling.h |  5 -----
 2 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index c5fdf35..c8dd275 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -22,6 +22,7 @@
 #include "P_OCSPStapling.h"
 #ifdef HAVE_OPENSSL_OCSP_STAPLING
+#include <openssl/ssl.h>
 #include <openssl/ocsp.h>
 #include "P_Net.h"
 #include "P_SSLConfig.h"
@@ -77,11 +78,17 @@ ssl_stapling_ex_init()
 static X509 *
 stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
 {
- X509 *issuer = nullptr;
- int i;
- X509_STORE *st = SSL_CTX_get_cert_store(ssl_ctx);
- X509_STORE_CTX inctx;
+ X509 *issuer = nullptr;
+ X509_STORE *st = SSL_CTX_get_cert_store(ssl_ctx);
  STACK_OF(X509) *extra_certs = nullptr;
+ X509_STORE_CTX *inctx = X509_STORE_CTX_new();
+
+ if (inctx == nullptr) {
+ return nullptr;
+ }
+ if (X509_STORE_CTX_init(inctx, st, nullptr, nullptr) == 0) {
+ goto end;
+ }
 #ifdef SSL_CTX_get_extra_chain_certs
  SSL_CTX_get_extra_chain_certs(ssl_ctx, &extra_certs);
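Review bot: The new `X509_STORE_CTX_init(inctx, st, nullptr, nullptr)` placed right after `X509_STORE_CTX_new()` duplicates the existing init call that the next hunk keeps (rewritten to pass `inctx`) just before `X509_STORE_CTX_get1_issuer`, so on the store-lookup path the same context is initialised twice without an intervening cleanup. In the OpenSSL versions I am aware of, `X509_STORE_CTX_init` allocates a fresh verify-parameter set without releasing a previous one, so the second init is at best wasted work and at worst a per-call leak; please confirm against the OpenSSL version in use. Keeping only one of the two is enough, for example delete the later `if (!X509_STORE_CTX_init(inctx, st, nullptr, nullptr)) { goto end; }` and rely on the early one, which already routes failure to `end:`. The two checks also use different forms (`== 0` here, `!` below); whichever survives should match the file's convention. stapling_get_issuer continues past this hunk.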
@@ -90,24 +97,31 @@ stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
 #endif
  if (sk_X509_num(extra_certs) == 0) {
- return nullptr;
+ goto end;
  }
- for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
  issuer = sk_X509_value(extra_certs, i);
  if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
  CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
  return issuer;
+#else
+ X509_up_ref(issuer);
+#endif
+ goto end;
  }
  }
- if (!X509_STORE_CTX_init(&inctx, st, nullptr, nullptr)) {
- return nullptr;
+ if (!X509_STORE_CTX_init(inctx, st, nullptr, nullptr)) {
+ goto end;
  }
- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) {
+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) {
  issuer = nullptr;
  }
- X509_STORE_CTX_cleanup(&inctx);
+
+end:
+ X509_STORE_CTX_free(inctx);
  return issuer;
 }
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index e93516e..366c4a8 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -24,15 +24,10 @@
 #include <openssl/ssl.h>
-// TODO: This should be moved to autoconf
-#ifdef sk_OPENSSL_STRING_pop
-#ifdef SSL_CTX_set_tlsext_status_cb
 #define HAVE_OPENSSL_OCSP_STAPLING 1
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname);
 void ocsp_update();
 int ssl_callback_ocsp_stapling(SSL *);
-#endif /* SSL_CTX_set_tlsext_status_cb */
-#endif /* sk_OPENSSL_STRING_pop */
 #endif /* __P_OCSPSTAPLING_H__ */
--
To stop receiving notification emails like this one, please contact zw...@apache.org.
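Review bot: The `OPENSSL_VERSION_NUMBER < 0x10100000` branch keeps the context line `return issuer;` after `CRYPTO_add`, so on pre-1.1 builds a match found in `extra_certs` returns directly and never reaches `end:`; since `inctx` is now heap-allocated by `X509_STORE_CTX_new()` at the top of the function (previous hunk), that path leaks the store context on every call, and the `goto end;` added after `#endif` is unreachable there. Deleting the `return issuer;` line lets both version branches fall through to `goto end;`, which already returns `issuer` after `X509_STORE_CTX_free(inctx)`. The `X509_STORE_CTX_init` kept in this hunk repeats the one the previous hunk adds right after `X509_STORE_CTX_new()`, so one of the two should go. stapling_get_issuer starts in the previous hunk.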
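Review bot: `HAVE_OPENSSL_OCSP_STAPLING` is now defined unconditionally, so the removed `#ifdef sk_OPENSSL_STRING_pop` / `#ifdef SSL_CTX_set_tlsext_status_cb` pair stops acting as a compile-time feature probe and becomes an assumption that every supported OpenSSL provides OCSP status-request support. If a build against a library configured without OCSP (OpenSSL's `OPENSSL_NO_OCSP`) or a compatibility library lacking the status callback is still meant to work, the stapling code in OCSPStapling.cc would now be compiled regardless and fail there instead of being skipped; whether such builds matter to the project is not visible from this diff. The deleted TODO asked for the probe to move to autoconf rather than disappear, so either add that configure-time check or at minimum guard the define, `#ifndef OPENSSL_NO_OCSP` / `#define HAVE_OPENSSL_OCSP_STAPLING 1` / `#endif`.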