From: Viktor Szakats Date: Thu, 23 Nov 2023 01:14:37 +0000 (+0000) Subject: openssl: enable `infof_certstack` for 1.1 and LibreSSL 3.6 X-Git-Tag: curl-8_5_0~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=294194d689ad9e72110d6c983d3959506f9884d3;p=thirdparty%2Fcurl.git openssl: enable `infof_certstack` for 1.1 and LibreSSL 3.6 Lower the barrier to enable `infof_certstack()` from OpenSSL 3 to OpenSSL 1.1.x, and LibreSSL 3.6 or upper. With the caveat, that "group name" and "type name" are missing from the log output with these TLS backends. Follow-up to b6e6d4ff8f253c8b8055bab9d4d6a10f9be109f3 #12030 Reviewed-by: Daniel Stenberg Closes #12385
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 80d0eca224..f788c50cf7 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4078,7 +4078,11 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
   return result;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) && \
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+  !(defined(LIBRESSL_VERSION_NUMBER) && \
+    LIBRESSL_VERSION_NUMBER < 0x3060000fL) && \
+  !defined(OPENSSL_IS_BORINGSSL) && \
+  !defined(OPENSSL_IS_AWSLC) && \
   !defined(CURL_DISABLE_VERBOSE_STRINGS)
 static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
 {
@@ -4096,7 +4100,6 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
   for(cert_level = 0; cert_level < num_cert_levels; cert_level++) {
     char cert_algorithm[80] = "";
-    char group_name[80] = "";
     char group_name_final[80] = "";
     const X509_ALGOR *palg_cert = NULL;
     const ASN1_OBJECT *paobj_cert = NULL;
@@ -4105,6 +4108,7 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
     int key_bits;
     int key_sec_bits;
     int get_group_name;
+    const char *type_name;
     current_cert = sk_X509_value(certstack, cert_level);
@@ -4114,15 +4118,27 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
     current_pkey = X509_get0_pubkey(current_cert);
     key_bits = EVP_PKEY_bits(current_pkey);
+#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
+#define EVP_PKEY_get_security_bits EVP_PKEY_security_bits
+#endif
     key_sec_bits = EVP_PKEY_get_security_bits(current_pkey);
-    get_group_name = EVP_PKEY_get_group_name(current_pkey, group_name,
-                                             sizeof(group_name), NULL);
-    msnprintf(group_name_final, sizeof(group_name_final), "/%s", group_name);
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+    {
+      char group_name[80] = "";
+      get_group_name = EVP_PKEY_get_group_name(current_pkey, group_name,
+                                               sizeof(group_name), NULL);
+      msnprintf(group_name_final, sizeof(group_name_final), "/%s", group_name);
+    }
+    type_name = EVP_PKEY_get0_type_name(current_pkey);
+#else
+    get_group_name = 0;
+    type_name = NULL;
+#endif
     infof(data,
           " Certificate level %d: "
           "Public key type %s%s (%d/%d Bits/secBits), signed using %s",
-          cert_level, EVP_PKEY_get0_type_name(current_pkey),
+          cert_level, type_name ? type_name : "?",
           get_group_name == 0 ? "" : group_name_final,
           key_bits, key_sec_bits, cert_algorithm);
   }
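Review bot: `current_pkey`, obtained from `X509_get0_pubkey(current_cert)` on the first line of the hunk, is handed to `EVP_PKEY_bits()`, `EVP_PKEY_get_security_bits()` and, on 3.x, `EVP_PKEY_get_group_name()`/`EVP_PKEY_get0_type_name()` with no NULL check, yet that lookup returns NULL for a peer-supplied certificate whose key algorithm the library cannot decode, and I have not confirmed that every one of those accessors tolerates NULL on all three of OpenSSL 1.1, LibreSSL and 3.x that this commit now enables; a guard right after the lookup, `if(!current_pkey) { infof(data, "  Certificate level %d: Public key type ? (unsupported)", cert_level); continue; }`, is cheaper than relying on it. The `#else` branch could still report the key type on 1.1 and LibreSSL with `type_name = OBJ_nid2sn(EVP_PKEY_base_id(current_pkey));` rather than hard-wiring "?", since both functions exist there, which would narrow the commit message's "missing from the log output" caveat to the group name only. The `#define EVP_PKEY_get_security_bits EVP_PKEY_security_bits` placed inside the loop body stays defined for the rest of the translation unit; keeping it with the other version shims next to the function's `#if` guard would make that scope obvious. The function's closing brace and `#endif` lie outside the hunk.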