From f95c29546ca7a1ab0c64b6d0709bb54197806df8 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Fri, 20 Aug 2021 09:51:23 +0200
Subject: [PATCH] BUILD/MINOR: ssl: Fix compilation with OpenSSL 1.0.2

The X509_STORE_CTX_get0_cert did not exist yet on OpenSSL 1.0.2 and neither did X509_STORE_CTX_get0_chain, which was not actually needed since its get1 equivalent already existed.
---
 include/haproxy/openssl-compat.h | 5 +++++
 src/ssl_sock.c | 14 ++++++--------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 983ee03..eb96703 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -291,6 +291,11 @@ static inline const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOK
 {
 return x->revocationDate;
 }
+
+static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
 #endif

 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bc82783..83003d9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1592,14 +1592,12 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
 * chain, we might never call this verify callback on the client
 * certificate's depth (which is 0) so we try to store the
 * reference right now. */
- if (X509_STORE_CTX_get0_chain(x_store) != NULL) {
- certs = X509_STORE_CTX_get1_chain(x_store);
- if (certs) {
- client_crt = sk_X509_value(certs, 0);
- if (client_crt) {
- X509_up_ref(client_crt);
- SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
- }
+ certs = X509_STORE_CTX_get1_chain(x_store);
+ if (certs) {
+ client_crt = sk_X509_value(certs, 0);
+ if (client_crt) {
+ X509_up_ref(client_crt);
+ SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
 }
 sk_X509_pop_free(certs, X509_free);
 }
--
1.7.10.4
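Review bot: The new `X509_STORE_CTX_get0_cert()` shim in openssl-compat.h carries no comment saying that it returns a borrowed pointer: `ctx->cert` is handed back without taking a reference, so a caller that keeps the certificate beyond the verify callback has to call `X509_up_ref()` itself. A one-line comment above the function would make that contract explicit, for example `/* get0: pointer is owned by ctx, no reference taken; X509_up_ref() before storing it */`. The `#if` that guards this block opens outside the hunk, so it is worth confirming that it excludes every library version that already exports this symbol.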
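Review bot: The reference taken by `X509_up_ref(client_crt)` is handed to `SSL_set_ex_data()` without checking the result, and nothing in the visible lines releases a certificate already stored under `ssl_client_crt_ref_index`. If the store fails, or if this branch can run more than once for the same `ssl` (the start of the branch is outside the hunk, so this is not confirmed), one certificate reference leaks per failed client-certificate verification, which on a TLS listener is a slow memory-growth path that remote peers can drive. Consider `X509_free(SSL_get_ex_data(ssl, ssl_client_crt_ref_index));` before the store and `if (!SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt)) X509_free(client_crt);` for the store itself. `ssl_sock_bind_verifycbk` begins before and continues after this hunk.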