From: Emmanuel Hocdet <manu@gandi.net>
Date: Fri, 28 Feb 2020 15:00:34 +0000 (+0100)
Subject: MINOR: ssl: rework add cert chain to CTX to be libssl independent
X-Git-Tag: v2.2-dev6~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4fed93eb725b513dd3b2029daa888311db110851;p=thirdparty%2Fhaproxy.git

MINOR: ssl: rework add cert chain to CTX to be libssl independent

SSL_CTX_set1_chain is used for openssl >= 1.0.2 and a loop with
SSL_CTX_add_extra_chain_cert for openssl < 1.0.2.
SSL_CTX_add_extra_chain_cert exist with openssl >= 1.0.2 and can be
used for all openssl version (is new name is SSL_CTX_add0_chain_cert).
This patch use SSL_CTX_add_extra_chain_cert to remove any #ifdef for
compatibilty. In addition sk_X509_num()/sk_X509_value() replace
sk_X509_shift() to extract CA from chain, as it is used in others part
of the code.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 86fa1a305e..46aae7f128 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3635,30 +3635,25 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 
 	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
-	if (find_chain)
-#ifdef SSL_CTX_set1_chain
-		if (!SSL_CTX_set1_chain(ctx, find_chain)) {
-			memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
-			          err && *err ? *err : "", path);
-			errcode |= ERR_ALERT | ERR_FATAL;
-			goto end;
-		}
-#else
-		{ /* legacy compat (< openssl 1.0.2) */
-			X509 *ca;
-			STACK_OF(X509) *chain;
-			chain = X509_chain_up_ref(find_chain);
-			while ((ca = sk_X509_shift(chain)))
-				if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
-					memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
-					          err && *err ? *err : "", path);
-					X509_free(ca);
-					sk_X509_pop_free(chain, X509_free);
-					errcode |= ERR_ALERT | ERR_FATAL;
-					goto end;
-				}
+	if (find_chain) {
+		int i;
+		X509 *ca;
+		for (i = 0; i < sk_X509_num(find_chain); i++) {
+			ca = sk_X509_value(find_chain, i);
+			/*
+			   SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
+			   Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)
+			*/
+			X509_up_ref(ca);
+			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
+				X509_free(ca);
+				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
+					  err && *err ? *err : "", path);
+				errcode |= ERR_ALERT | ERR_FATAL;
+				goto end;
+			}
 		}
-#endif
+	}
 
 #ifndef OPENSSL_NO_DH
 	/* store a NULL pointer to indicate we have not yet loaded