This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new d2bfadf fix OCSP under OpenSSL 1.1.x
d2bfadf is described below
commit d2bfadf12d34979d43d9b1aeba93868004bc4cb0
Author: Randall Meyer <[email protected]>
AuthorDate: Thu Jan 11 07:35:03 2018 +0000
fix OCSP under OpenSSL 1.1.x
fixes issue #3004
---
iocore/net/OCSPStapling.cc | 34 ++++++++++++++++++++++++----------
iocore/net/P_OCSPStapling.h | 5 -----
2 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index c5fdf35..c8dd275 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -22,6 +22,7 @@
#include "P_OCSPStapling.h"
#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#include <openssl/ssl.h>
#include <openssl/ocsp.h>
#include "P_Net.h"
#include "P_SSLConfig.h"
@@ -77,11 +78,17 @@ ssl_stapling_ex_init()
static X509 *
stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
{
- X509 *issuer = nullptr;
- int i;
- X509_STORE *st = SSL_CTX_get_cert_store(ssl_ctx);
- X509_STORE_CTX inctx;
+ X509 *issuer = nullptr;
+ X509_STORE *st = SSL_CTX_get_cert_store(ssl_ctx);
STACK_OF(X509) *extra_certs = nullptr;
+ X509_STORE_CTX *inctx = X509_STORE_CTX_new();
+
+ if (inctx == nullptr) {
+ return nullptr;
+ }
+ if (X509_STORE_CTX_init(inctx, st, nullptr, nullptr) == 0) {
+ goto end;
+ }
#ifdef SSL_CTX_get_extra_chain_certs
SSL_CTX_get_extra_chain_certs(ssl_ctx, &extra_certs);
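Review bot: The `X509_STORE_CTX_init(inctx, st, nullptr, nullptr)` added here runs on every call, yet the next hunk keeps the pre-existing init of the same context right before `X509_STORE_CTX_get1_issuer`, so whenever no extra-chain certificate matches the context is initialised twice with no `X509_STORE_CTX_cleanup` in between. Re-initialising a live `X509_STORE_CTX` is not a documented use and plausibly leaks whatever the first init allocated. Since the store lookup is only the fallback path, the simplest fix is to drop this early init (keeping `if (inctx == nullptr) { return nullptr; }`) and let the later one stand, or keep this one and delete the later one. Only the start of stapling_get_issuer is in this hunk; its body continues in the next.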
@@ -90,24 +97,31 @@ stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
#endif
if (sk_X509_num(extra_certs) == 0) {
- return nullptr;
+ goto end;
}
- for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
return issuer;
+#else
+ X509_up_ref(issuer);
+#endif
+ goto end;
}
}
- if (!X509_STORE_CTX_init(&inctx, st, nullptr, nullptr)) {
- return nullptr;
+ if (!X509_STORE_CTX_init(inctx, st, nullptr, nullptr)) {
+ goto end;
}
- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) {
+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) {
issuer = nullptr;
}
- X509_STORE_CTX_cleanup(&inctx);
+
+end:
+ X509_STORE_CTX_free(inctx);
return issuer;
}
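Review bot: The `return issuer;` kept under `#if OPENSSL_VERSION_NUMBER < 0x10100000` bypasses the new `end:` label, so on pre-1.1 builds the context obtained from `X509_STORE_CTX_new` leaks every time an extra-chain certificate matches; delete that line so both branches fall through to `goto end`. Separately, if the second `X509_STORE_CTX_init` fails, `goto end` now returns `issuer`, which after a loop with no match still points at the last `sk_X509_value` result — a borrowed pointer with no reference taken — whereas the old code returned nullptr, and the caller will presumably `X509_free` it. Either reset it before jumping (`issuer = nullptr; goto end;`) or remove this second init outright, since the context was already initialised in the previous hunk. A one-line comment above the function stating that the caller owns a reference on the returned X509 (the loop up-refs it, `X509_STORE_CTX_get1_issuer` returns a new reference) would make the contract explicit.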
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index e93516e..366c4a8 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -24,15 +24,10 @@
#include <openssl/ssl.h>
-// TODO: This should be moved to autoconf
-#ifdef sk_OPENSSL_STRING_pop
-#ifdef SSL_CTX_set_tlsext_status_cb
#define HAVE_OPENSSL_OCSP_STAPLING 1
void ssl_stapling_ex_init();
bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname);
void ocsp_update();
int ssl_callback_ocsp_stapling(SSL *);
-#endif /* SSL_CTX_set_tlsext_status_cb */
-#endif /* sk_OPENSSL_STRING_pop */
#endif /* __P_OCSPSTAPLING_H__ */