Posted to dev@serf.apache.org by br...@apache.org on 2018/05/01 14:27:19 UTC
svn commit: r1830684 - in /serf/trunk: SConstruct buckets/ssl_buckets.c
Author: brane
Date: Tue May 1 14:27:19 2018
New Revision: 1830684
URL: http://svn.apache.org/viewvc?rev=1830684&view=rev
Log:
Fix issue SERF-188: Do not use deprecated functions with OpenSSL 1.1.x.
* SConstruct: Check for several functions that are new in OpenSSL 1.1.
* buckets/ssl_buckets.c
(X509_get0_notBefore, X509_get0_notAfter, X509_STORE_CTX_get0_chain):
Add fallback macros for the new functions, used on builds whose OpenSSL lacks them.
(validate_server_certificate,
init_ssl_libraries,
serf_ssl_cert_certificate): Update implementations.
Patch by: Quentin Minster
Modified:
serf/trunk/SConstruct
serf/trunk/buckets/ssl_buckets.c
Modified: serf/trunk/SConstruct
URL: http://svn.apache.org/viewvc/serf/trunk/SConstruct?rev=1830684&r1=1830683&r2=1830684&view=diff
==============================================================================
--- serf/trunk/SConstruct (original)
+++ serf/trunk/SConstruct Tue May 1 14:27:19 2018
@@ -460,10 +460,20 @@ if not conf.CheckFunc('BIO_set_init'):
env.Append(CPPDEFINES=['SERF_NO_SSL_BIO_WRAPPERS'])
if not conf.CheckFunc('X509_STORE_get0_param'):
env.Append(CPPDEFINES=['SERF_NO_SSL_X509_STORE_WRAPPERS'])
+if not conf.CheckFunc('X509_get0_notBefore'):
+ env.Append(CPPDEFINES=['SERF_NO_SSL_X509_GET0_NOTBEFORE'])
+if not conf.CheckFunc('X509_get0_notAfter'):
+ env.Append(CPPDEFINES=['SERF_NO_SSL_X509_GET0_NOTAFTER'])
+if not conf.CheckFunc('X509_STORE_CTX_get0_chain'):
+ env.Append(CPPDEFINES=['SERF_NO_SSL_X509_GET0_CHAIN'])
if conf.CheckFunc('CRYPTO_set_locking_callback'):
env.Append(CPPDEFINES=['SERF_HAVE_SSL_LOCKING_CALLBACKS'])
if conf.CheckFunc('OPENSSL_malloc_init', '#include <openssl/crypto.h>'):
env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_MALLOC_INIT'])
+if conf.CheckFunc('SSL_library_init', '#include <openssl/crypto.h>'):
+ env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT'])
+if conf.CheckFunc('OpenSSL_version_num', '#include <openssl/crypto.h>'):
+ env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_VERSION_NUM'])
if conf.CheckFunc('SSL_set_alpn_protos'):
env.Append(CPPDEFINES=['SERF_HAVE_OPENSSL_ALPN'])
if conf.CheckType('OSSL_HANDSHAKE_STATE', '#include <openssl/ssl.h>'):
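Review bot: The new `SSL_library_init` probe passes `#include <openssl/crypto.h>`, but `SSL_library_init` is declared in `<openssl/ssl.h>`, so as far as I can tell from how SCons's CheckFunc builds its test program, the probe calls an undeclared function and succeeds only where the compiler tolerates the implicit declaration and libssl exports the symbol. That makes `SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT` depend on compiler defaults: a toolchain that rejects implicit function declarations would leave it undefined even against a pre-1.1 OpenSSL, and ssl_buckets.c (changed in this same commit) would then skip `SSL_library_init()` entirely. If crypto.h was chosen deliberately because ssl.h turns `SSL_library_init` into a macro on 1.1 and would make the probe succeed everywhere, that reasoning belongs in a comment, e.g. `# crypto.h on purpose: on 1.1 ssl.h makes SSL_library_init a macro; we want to detect the real pre-1.1 symbol`. A more robust form that matches the `X509_*` probes a few lines above is to give no header at all, `if conf.CheckFunc('SSL_library_init'):`, so SCons emits its own `char SSL_library_init();` declaration and the result depends only on the link step.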
Modified: serf/trunk/buckets/ssl_buckets.c
URL: http://svn.apache.org/viewvc/serf/trunk/buckets/ssl_buckets.c?rev=1830684&r1=1830683&r2=1830684&view=diff
==============================================================================
--- serf/trunk/buckets/ssl_buckets.c (original)
+++ serf/trunk/buckets/ssl_buckets.c Tue May 1 14:27:19 2018
@@ -53,6 +53,18 @@
#define X509_STORE_get0_param(store) ((store)->param)
#endif
+#ifdef SERF_NO_SSL_X509_GET0_NOTBEFORE
+#define X509_get0_notBefore(cert) (X509_get_notBefore(cert))
+#endif
+
+#ifdef SERF_NO_SSL_X509_GET0_NOTAFTER
+#define X509_get0_notAfter(cert) (X509_get_notAfter(cert))
+#endif
+
+#ifdef SERF_NO_SSL_X509_GET0_CHAIN
+#define X509_STORE_CTX_get0_chain(store) (X509_STORE_CTX_get_chain(store))
+#endif
+
/*
* Here's an overview of the SSL bucket's relationship to OpenSSL and serf.
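Review bot: The new compatibility block has no comment saying what it is for, and the third guard's name, `SERF_NO_SSL_X509_GET0_CHAIN`, does not mention `X509_STORE_CTX`, unlike the function it stands in for and unlike the neighbouring `SERF_NO_SSL_X509_STORE_WRAPPERS`. I would add above the three `#ifdef`s: `/* Fallbacks for the OpenSSL 1.1 get0 accessors (probed in SConstruct): map them onto the older accessor names, which like the get0 variants return pointers owned by the certificate or store context and must not be freed. */`. It is also worth a line that the older accessors return non-const pointers where the 1.1 ones return `const`, so code that compiles against the fallback may not compile against real 1.1 headers; the callers changed in this commit already store the result in `const` variables, which keeps that risk low.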
@@ -821,10 +833,10 @@ validate_server_certificate(int cert_val
failures |= SERF_SSL_CERT_INVALID_HOST;
/* Check certificate expiry dates. */
- if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) {
+ if (X509_cmp_current_time(X509_get0_notBefore(server_cert)) >= 0) {
failures |= SERF_SSL_CERT_NOTYETVALID;
}
- else if (X509_cmp_current_time(X509_get_notAfter(server_cert)) <= 0) {
+ else if (X509_cmp_current_time(X509_get0_notAfter(server_cert)) <= 0) {
failures |= SERF_SSL_CERT_EXPIRED;
}
@@ -864,7 +876,7 @@ validate_server_certificate(int cert_val
apr_pool_create(&subpool, ctx->pool);
/* Borrow the chain to pass to the callback. */
- chain = X509_STORE_CTX_get_chain(store_ctx);
+ chain = X509_STORE_CTX_get0_chain(store_ctx);
/* If the chain can't be retrieved, just pass the current
certificate. */
@@ -1410,7 +1422,11 @@ static void init_ssl_libraries(void)
#ifdef SERF_LOGGING_ENABLED
/* Warn when compile-time and run-time version of OpenSSL differ in
major/minor version number. */
+#ifdef SERF_HAVE_OPENSSL_VERSION_NUM
+ unsigned long libver = OpenSSL_version_num();
+#else
long libver = SSLeay();
+#endif
if ((libver ^ OPENSSL_VERSION_NUMBER) & 0xFFF00000) {
serf__log(LOGLVL_WARNING, LOGCOMP_SSL, __FILE__, NULL,
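Review bot: The two branches declare `libver` with different types, `unsigned long` from `OpenSSL_version_num()` and `long` from `SSLeay()`, so the XOR against `OPENSSL_VERSION_NUMBER` on the next line is evaluated with different signedness depending on the build; it is harmless for the bits masked here, but declaring `unsigned long libver;` once before the `#ifdef` and assigning in each branch keeps the expression identical across configurations. The mask also merits a comment, e.g. `/* 0xFFF00000 selects the major and minor fields of the MNNFFPPS version word (see opensslv.h). */`, since the prose above says "major/minor" but not how the mask encodes it. Note that this check is compiled only under `SERF_LOGGING_ENABLED`, so a compile-time/run-time mismatch goes unreported in non-logging builds. `init_ssl_libraries` begins and ends outside this hunk.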
@@ -1425,10 +1441,12 @@ static void init_ssl_libraries(void)
#else
CRYPTO_malloc_init();
#endif
+#ifdef SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
+#endif
#if APR_HAS_THREADS && defined(SERF_HAVE_SSL_LOCKING_CALLBACKS)
numlocks = CRYPTO_num_locks();
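Review bot: Wrapping the four initialization calls in `#ifdef SERF_HAVE_OPENSSL_SSL_LIBRARY_INIT` makes library initialization depend entirely on the SConstruct probe, and a probe that fails against a pre-1.1 OpenSSL is silent: the build succeeds and `SSL_library_init()` is simply never called. A compile-time sanity check in the else branch would turn that into a build error, for example `#elif !defined(OPENSSL_INIT_LOAD_SSL_STRINGS)` followed by `#error "SSL_library_init() not detected but this OpenSSL predates OPENSSL_init_ssl(); check the SConstruct probe"`; to my knowledge `OPENSSL_INIT_LOAD_SSL_STRINGS` is only defined by headers that also provide automatic initialization, but please confirm against every libssl implementation serf supports. A one-line comment on the `#ifdef` stating that OpenSSL 1.1 initializes itself (including error strings) on first use would also tell the next reader why nothing replaces these calls. `init_ssl_libraries` begins and ends outside this hunk.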
@@ -2304,18 +2322,18 @@ apr_hash_t *serf_ssl_cert_certificate(
/* set expiry dates */
bio = BIO_new(BIO_s_mem());
if (bio) {
- ASN1_TIME *notBefore, *notAfter;
+ const ASN1_TIME *notBefore, *notAfter;
char buf[256];
memset (buf, 0, sizeof (buf));
- notBefore = X509_get_notBefore(cert->ssl_cert);
+ notBefore = X509_get0_notBefore(cert->ssl_cert);
if (ASN1_TIME_print(bio, notBefore)) {
BIO_read(bio, buf, 255);
apr_hash_set(tgt, "notBefore", APR_HASH_KEY_STRING,
apr_pstrdup(pool, buf));
}
memset (buf, 0, sizeof (buf));
- notAfter = X509_get_notAfter(cert->ssl_cert);
+ notAfter = X509_get0_notAfter(cert->ssl_cert);
if (ASN1_TIME_print(bio, notAfter)) {
BIO_read(bio, buf, 255);
apr_hash_set(tgt, "notAfter", APR_HASH_KEY_STRING,