Bug 4599 pt1: initial support for OpenSSL v1.1
authorAmos Jeffries <squid3@treenet.co.nz>
Mon, 7 Nov 2016 10:49:37 +0000 (23:49 +1300)
committerAmos Jeffries <squid3@treenet.co.nz>
Mon, 7 Nov 2016 10:49:37 +0000 (23:49 +1300)
Replaces some CRYPTO_add(..., CRYPTO_LOCK_X509) calls with a portability
wrapper for X509_up_ref(). Only the calls in code that does not yet use
Security::CertPointer are converted.

src/ssl/PeekingPeerConnector.cc
src/ssl/support.cc
src/ssl/support.h

index e684cc42194e3d6b72807a963c3e9e10ccc382f5..359e835054c0c7ef7cf9c91fd2e93dad86873553 100644 (file)
@@ -204,7 +204,7 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
             serverBump->attachServerSSL(serverSession.get());
             // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
             if (X509 *peeked_cert = serverBump->serverCert.get()) {
-                CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509);
+                X509_up_ref(peeked_cert);
                 SSL_set_ex_data(serverSession.get(), ssl_ex_index_ssl_peeked_cert, peeked_cert);
             }
         }
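Review bot: The result of `SSL_set_ex_data()` is not checked after the extra reference has been taken on `peeked_cert`, so if storing the pointer fails, that reference is never released and the certificate leaks. A guard such as `if (!SSL_set_ex_data(serverSession.get(), ssl_ex_index_ssl_peeked_cert, peeked_cert)) X509_free(peeked_cert);` keeps the count balanced. The code that releases the stored pointer is not visible here (presumably a free callback registered for the ex_data index), and the body of initialize() starts and ends outside the hunk.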
index 26eeb17d21ce014f090c0dfda9ff1561f101ff51..9c4e0fd3ef021cf4b2246e83ad055dc598f1c31d 100644 (file)
@@ -975,7 +975,7 @@ Ssl::chainCertificatesToSSLContext(Security::ContextPointer &ctx, AnyP::PortCfg
     X509 *signingCert = port.signingCert.get();
     if (SSL_CTX_add_extra_chain_cert(ctx.get(), signingCert)) {
         // increase the certificate lock
-        CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509);
+        X509_up_ref(signingCert);
     } else {
         const int ssl_error = ERR_get_error();
         debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
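Review bot: The return value of `X509_up_ref(signingCert)` is discarded, and the reference is only taken after `SSL_CTX_add_extra_chain_cert()` has already handed the pointer to the context; the `X509_up_ref(cert)` call in the Ssl::addChainToSslContext hunk that follows has the same shape. Under OpenSSL 1.1 the function returns 1 on success and 0 on failure, and an unnoticed failure would leave the context holding a certificate it has no reference on, so the certificate would be released once too often. I would take the reference before the add call, treat a 0 result as an error, and put `X509_free(signingCert);` in the existing else branch so a failed add gives the reference back. Such a check only works on 1.0 builds if the wrapper added to support.h in this commit returns 1 on success; as written it always returns 0. Both functions start and end outside their hunks.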
@@ -1089,7 +1089,7 @@ Ssl::addChainToSslContext(Security::ContextPointer &ctx, STACK_OF(X509) *chain)
         X509 *cert = sk_X509_value(chain, i);
         if (SSL_CTX_add_extra_chain_cert(ctx.get(), cert)) {
             // increase the certificate lock
-            CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+            X509_up_ref(cert);
         } else {
             const int ssl_error = ERR_get_error();
             debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
index 42c981530715de1258c3760b7b7cb2c21f4bdce8..163d23958117d42fd5accee348a11f5da43ea253 100644 (file)
@@ -91,6 +91,12 @@ bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
 /// initialize a TLS client context with OpenSSL specific settings
 bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long options, long flags);
 
+#if defined(CRYPTO_LOCK_X509)
+// portability wrapper for OpenSSL 1.0 vs 1.1
+// use Security::CertPointer instead where possible
+inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;}
+#endif
+
 } //namespace Ssl
 
 /// \ingroup ServerProtocolSSLAPI
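Review bot: The wrapper always returns 0, while the OpenSSL 1.1 function it stands in for returns 1 on success and 0 on failure, so any caller that checks the result would behave differently depending on the library version. Returning the same values keeps the two builds interchangeable: `inline int X509_up_ref(X509 *t) {if (!t) return 0; CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 1;}`. The wrapper is also declared inside namespace Ssl, so on 1.0 builds an unqualified call resolves only from code in that namespace. A comment such as `// returns 1 on success, 0 for a nil pointer (as in OpenSSL 1.1); declared in namespace Ssl` would make both points explicit.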