Posted to commits@trafficserver.apache.org by zw...@apache.org on 2018/02/07 00:05:31 UTC
[trafficserver] branch 7.1.x updated: fix OCSP under OpenSSL 1.1.x
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/7.1.x by this push:
new fe41303 fix OCSP under OpenSSL 1.1.x
fe41303 is described below
commit fe413031a44abdbf87903414068ea9d215be2929
Author: Randall Meyer <ra...@yahoo.com>
AuthorDate: Thu Jan 11 07:35:03 2018 +0000
fix OCSP under OpenSSL 1.1.x
fixes issue #3004
(cherry picked from commit d2bfadf12d34979d43d9b1aeba93868004bc4cb0)
Conflicts:
iocore/net/OCSPStapling.cc
---
iocore/net/OCSPStapling.cc | 39 ++++++++++++++++++++++++++++-----------
iocore/net/P_OCSPStapling.h | 5 -----
2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 7291b5a..d764c75 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -22,6 +22,7 @@
#include "P_OCSPStapling.h"
#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#include <openssl/ssl.h>
#include <openssl/ocsp.h>
#include "P_Net.h"
#include "P_SSLConfig.h"
@@ -73,11 +74,17 @@ ssl_stapling_ex_init()
static X509 *
stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
{
- X509 *issuer = nullptr;
- int i;
- X509_STORE *st = SSL_CTX_get_cert_store(ssl_ctx);
- X509_STORE_CTX inctx;
+ X509 *issuer = nullptr;
+ X509_STORE *st = SSL_CTX_get_cert_store(ssl_ctx);
STACK_OF(X509) *extra_certs = nullptr;
+ X509_STORE_CTX *inctx = X509_STORE_CTX_new();
+
+ if (inctx == nullptr) {
+ return nullptr;
+ }
+ if (X509_STORE_CTX_init(inctx, st, nullptr, nullptr) == 0) {
+ goto end;
+ }
#ifdef SSL_CTX_get_extra_chain_certs
SSL_CTX_get_extra_chain_certs(ssl_ctx, &extra_certs);
@@ -85,22 +92,32 @@ stapling_get_issuer(SSL_CTX *ssl_ctx, X509 *x)
extra_certs = ssl_ctx->extra_certs;
#endif
- if (sk_X509_num(extra_certs) == 0)
- return nullptr;
+ if (sk_X509_num(extra_certs) == 0) {
+ goto end;
+ }
- for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
return issuer;
+#else
+ X509_up_ref(issuer);
+#endif
+ goto end;
}
}
- if (!X509_STORE_CTX_init(&inctx, st, nullptr, nullptr))
- return nullptr;
- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+ if (!X509_STORE_CTX_init(inctx, st, nullptr, nullptr)) {
+ goto end;
+ }
+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) {
issuer = nullptr;
- X509_STORE_CTX_cleanup(&inctx);
+ }
+
+end:
+ X509_STORE_CTX_free(inctx);
return issuer;
}
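Review bot: In the pre-1.1 branch, `CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); return issuer;` returns before the `end:` label, so the `X509_STORE_CTX` allocated with `X509_STORE_CTX_new()` in the previous hunk is leaked on every successful extra-chain lookup under older OpenSSL; drop the `return issuer;` so both `#if` branches fall through to the `goto end;` that follows. Separately, `X509_STORE_CTX_init(inctx, st, nullptr, nullptr)` is now called twice on the same context without an intervening cleanup, once right after allocation in the previous hunk and again before `X509_STORE_CTX_get1_issuer`; the second init appears to overwrite the state the first one set up (verify parameters, ex_data), which I would expect to leak, so keep only one of the two calls. Neither the commit message nor the diff mentions the older-OpenSSL path being exercised, so the leak there is inferred from the control flow rather than observed.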
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index e93516e..366c4a8 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -24,15 +24,10 @@
#include <openssl/ssl.h>
-// TODO: This should be moved to autoconf
-#ifdef sk_OPENSSL_STRING_pop
-#ifdef SSL_CTX_set_tlsext_status_cb
#define HAVE_OPENSSL_OCSP_STAPLING 1
void ssl_stapling_ex_init();
bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname);
void ocsp_update();
int ssl_callback_ocsp_stapling(SSL *);
-#endif /* SSL_CTX_set_tlsext_status_cb */
-#endif /* sk_OPENSSL_STRING_pop */
#endif /* __P_OCSPSTAPLING_H__ */
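Review bot: `#define HAVE_OPENSSL_OCSP_STAPLING 1` is now unconditional, so the `#ifdef HAVE_OPENSSL_OCSP_STAPLING` that used to keep OCSPStapling.cc out of builds whose OpenSSL lacks stapling support no longer guards anything; a build against a library configured with `OPENSSL_NO_OCSP` would presumably fail at `#include <openssl/ocsp.h>` instead of compiling with stapling disabled. If the removed `sk_OPENSSL_STRING_pop` / `SSL_CTX_set_tlsext_status_cb` probes are unreliable under 1.1.x, consider wrapping the define in `#ifndef OPENSSL_NO_OCSP` or adding the autoconf check the removed TODO asked for, and say in a comment why the feature test was dropped.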