From: Amos Jeffries
Date: Mon, 7 Nov 2016 10:49:37 +0000 (+1300)
Subject: Bug 4599 pt1: initial support for OpenSSL v1.1
X-Git-Tag: SQUID_4_0_17~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f2b870075b87f639fdf49e850ebedbc8a82c808;p=thirdparty%2Fsquid.git
Bug 4599 pt1: initial support for OpenSSL v1.1
Converts some CRYPTO_add(..., CRYPTO_LOCK_X509) calls with portability wrapper for X509_up_ref(). Just the calls which are in code not yet using Security::CertPointer.
---
diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index e684cc4219..359e835054 100644
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -204,7 +204,7 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
serverBump->attachServerSSL(serverSession.get());
// store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
if (X509 *peeked_cert = serverBump->serverCert.get()) {
- CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509);
+ X509_up_ref(peeked_cert);
SSL_set_ex_data(serverSession.get(), ssl_ex_index_ssl_peeked_cert, peeked_cert);
}
}
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 26eeb17d21..9c4e0fd3ef 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -975,7 +975,7 @@ Ssl::chainCertificatesToSSLContext(Security::ContextPointer &ctx, AnyP::PortCfg
X509 *signingCert = port.signingCert.get();
if (SSL_CTX_add_extra_chain_cert(ctx.get(), signingCert)) {
// increase the certificate lock
- CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509);
+ X509_up_ref(signingCert);
} else {
const int ssl_error = ERR_get_error();
debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
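Review bot: In the chainCertificatesToSSLContext hunk the comment `// increase the certificate lock` now describes the removed CRYPTO_LOCK_X509 mechanism rather than what X509_up_ref() does, and the same stale comment survives in the addChainToSslContext hunk below. A comment that states the reason, e.g. `// the context keeps this pointer; take our own reference so port.signingCert stays valid`, would outlive further OpenSSL API changes. The result of X509_up_ref() is dropped here and in the PeekingPeerConnector hunk; that is harmless with the 1.0 shim, which has no failure path, but OpenSSL 1.1's X509_up_ref() reports failure by returning 0, so a `(void)` cast or a check would make the intent explicit once the shim mirrors that contract. chainCertificatesToSSLContext's body continues outside the hunk.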
@@ -1089,7 +1089,7 @@ Ssl::addChainToSslContext(Security::ContextPointer &ctx, STACK_OF(X509) *chain)
X509 *cert = sk_X509_value(chain, i);
if (SSL_CTX_add_extra_chain_cert(ctx.get(), cert)) {
// increase the certificate lock
- CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+ X509_up_ref(cert);
} else {
const int ssl_error = ERR_get_error();
debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
diff --git a/src/ssl/support.h b/src/ssl/support.h
index 42c9815307..163d239581 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -91,6 +91,12 @@ bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
/// initialize a TLS client context with OpenSSL specific settings
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long options, long flags);
+#if defined(CRYPTO_LOCK_X509)
+// portability wrapper for OpenSSL 1.0 vs 1.1
+// use Security::CertPointer instead where possible
+inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;}
+#endif
+
} //namespace Ssl
/// \ingroup ServerProtocolSSLAPI
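Review bot: The OpenSSL 1.0 shim for X509_up_ref() in the support.h hunk always returns 0, whereas the OpenSSL 1.1 function it stands in for returns 1 on success and 0 on failure, so any caller that later starts checking the result (`if (!X509_up_ref(c)) ...`) would treat every 1.0 build as a failure. Returning 1 after the increment and keeping 0 for the null case matches the real contract: `inline int X509_up_ref(X509 *t) { if (!t) return 0; CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 1; }`. Because the wrapper is declared inside namespace Ssl, unqualified calls from Ssl code resolve to it on 1.0 and to the global OpenSSL function on 1.1, but a call written `::X509_up_ref(...)` would not compile on 1.0; a comment on the wrapper noting that callers must use the unqualified name would save the next reader that surprise. The three callers in this commit ignore the result, so the return-value fix is behaviour-neutral for them.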