--- /dev/null
+#ifndef _PROTO_OPENSSL_COMPAT_H
+#define _PROTO_OPENSSL_COMPAT_H
+#include <openssl/crypto.h>
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+#include <openssl/ocsp.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+/*
+ * Functions introduced in OpenSSL 1.0.1
+ */
+static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len)
+{
+ s->sid_ctx_length = sid_ctx_len;
+ memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
+ return 1;
+}
+
+static inline int EVP_PKEY_base_id(const EVP_PKEY *pkey)
+{
+ return EVP_PKEY_type(pkey->type);
+}
+
+static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
+{
+ *sid_length = sess->session_id_length;
+ return sess->session_id;
+}
+
+static inline X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc)
+{
+ return sk_X509_NAME_ENTRY_value(name->entries, loc);
+}
+
+static inline ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne)
+{
+ return ne->object;
+}
+
+static inline ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne)
+{
+ return ne->value;
+}
+
+static inline int ASN1_STRING_length(const ASN1_STRING *x)
+{
+ return x->length;
+}
+
+static inline int X509_NAME_entry_count(X509_NAME *name)
+{
+ return sk_X509_NAME_ENTRY_num(name->entries)
+}
+
+int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, X509_ALGOR **pa, X509_PUBKEY *pub)
+{
+ *ppkalg = pub->algor->algorithm;
+ return 1;
+}
+
+static inline void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, const void **ppval, const X509_ALGOR *algor)
+{
+ *paobj = algor->algorithm;
+}
+
+#ifndef X509_get_X509_PUBKEY
+#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key
+#endif
+
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
+/*
+ * Functions introduced in OpenSSL 1.1.0
+ */
+
+static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length)
+{
+ *sid_ctx_length = sess->sid_ctx_length;
+ return sess->sid_ctx;
+}
+
+static inline int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, unsigned int sid_len)
+{
+ s->session_id_length = sid_len;
+ memcpy(s->session_id, sid, sid_len);
+ return 1;
+}
+
+static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+{
+ return single->certId;
+}
+
+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback;
+}
+
+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback_userdata;
+}
+
+#ifndef OPENSSL_NO_DH
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* Implements only the bare necessities for HAProxy */
+ dh->p = p;
+ dh->g = g;
+ return 1;
+}
+#endif
+
+static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
+{
+ return x->data;
+}
+
+static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
+{
+ return x->cert_info->signature;
+}
+
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#define __OPENSSL_110_CONST__ const
+#else
+#define __OPENSSL_110_CONST__
+#endif
+
+#endif /* _PROTO_OPENSSL_COMPAT_H */
#include <ebmbtree.h>
#include <types/global.h>
#include "proto/shctx.h"
+#include <proto/openssl-compat.h>
struct shsess_packet_hdr {
unsigned int eol;
unsigned char encsess[sizeof(struct shsess_packet)+SHSESS_MAX_DATA_LEN];
struct shsess_packet *packet = (struct shsess_packet *)encsess;
unsigned char *p;
- int data_len, sid_length, sid_ctx_length;
-
+ int data_len;
+ unsigned int sid_length, sid_ctx_length;
+ const unsigned char *sid_data;
+ const unsigned char *sid_ctx_data;
/* Session id is already stored in to key and session id is known
* so we dont store it to keep size.
*/
- sid_length = sess->session_id_length;
- sess->session_id_length = 0;
- sid_ctx_length = sess->sid_ctx_length;
- sess->sid_ctx_length = 0;
+
+ sid_data = SSL_SESSION_get_id(sess, &sid_length);
+ sid_ctx_data = SSL_SESSION_get0_id_context(sess, &sid_ctx_length);
+ SSL_SESSION_set1_id(sess, sid_data, 0);
+ SSL_SESSION_set1_id_context(sess, sid_ctx_data, 0);
/* check if buffer is large enough for the ASN1 encoded session */
data_len = i2d_SSL_SESSION(sess, NULL);
p = packet->data;
i2d_SSL_SESSION(sess, &p);
- memcpy(packet->hdr.id, sess->session_id, sid_length);
+ memcpy(packet->hdr.id, sid_data, sid_length);
if (sid_length < SSL_MAX_SSL_SESSION_ID_LENGTH)
memset(&packet->hdr.id[sid_length], 0, SSL_MAX_SSL_SESSION_ID_LENGTH-sid_length);
err:
/* reset original length values */
- sess->session_id_length = sid_length;
- sess->sid_ctx_length = sid_ctx_length;
+ SSL_SESSION_set1_id(sess, sid_data, sid_length);
+ SSL_SESSION_set1_id_context(sess, sid_ctx_data, sid_ctx_length);
return 0; /* do not increment session reference count */
}
/* SSL callback used on lookup an existing session cause none found in internal cache */
-SSL_SESSION *shctx_get_cb(SSL *ssl, unsigned char *key, int key_len, int *do_copy)
+SSL_SESSION *shctx_get_cb(SSL *ssl, __OPENSSL_110_CONST__ unsigned char *key, int key_len, int *do_copy)
{
struct shared_session *shsess;
unsigned char data[SHSESS_MAX_DATA_LEN], *p;
sess = d2i_SSL_SESSION(NULL, (const unsigned char **)&p, data_len);
/* Reset session id and session id contenxt */
if (sess) {
- memcpy(sess->session_id, key, key_len);
- sess->session_id_length = key_len;
- memcpy(sess->sid_ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
- sess->sid_ctx_length = ssl->sid_ctx_length;
+ SSL_SESSION_set1_id(sess, key, key_len);
+ SSL_SESSION_set1_id_context(sess, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
}
return sess;
{
struct shared_session *shsess;
unsigned char tmpkey[SSL_MAX_SSL_SESSION_ID_LENGTH];
- unsigned char *key = sess->session_id;
+ unsigned int sid_length;
+ const unsigned char *sid_data;
(void)ctx;
+ sid_data = SSL_SESSION_get_id(sess, &sid_length);
/* tree key is zeros padded sessionid */
- if (sess->session_id_length < SSL_MAX_SSL_SESSION_ID_LENGTH) {
- memcpy(tmpkey, sess->session_id, sess->session_id_length);
- memset(tmpkey+sess->session_id_length, 0, SSL_MAX_SSL_SESSION_ID_LENGTH - sess->session_id_length);
- key = tmpkey;
+ if (sid_length < SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ memcpy(tmpkey, sid_data, sid_length);
+ memset(tmpkey+sid_length, 0, SSL_MAX_SSL_SESSION_ID_LENGTH - sid_length);
+ sid_data = tmpkey;
}
shared_context_lock();
/* lookup for session */
- shsess = shsess_tree_lookup(key);
+ shsess = shsess_tree_lookup(sid_data);
if (shsess) {
/* free session */
shsess_tree_delete(shsess);
#include <netdb.h>
#include <netinet/tcp.h>
+#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <proto/freq_ctr.h>
#include <proto/frontend.h>
#include <proto/listener.h>
+#include <proto/openssl-compat.h>
#include <proto/pattern.h>
#include <proto/proto_tcp.h>
#include <proto/server.h>
OCSP_RESPONSE *resp;
OCSP_BASICRESP *bs = NULL;
OCSP_SINGLERESP *sr;
+ OCSP_CERTID *id;
unsigned char *p = (unsigned char *)ocsp_response->str;
int rc , count_sr;
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
goto out;
}
+ id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
+
rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
if (rc != V_OCSP_CERTSTATUS_GOOD) {
memprintf(err, "OCSP single response: certificate status not good");
}
if (cid) {
- if (OCSP_id_cmp(sr->certId, cid)) {
+ if (OCSP_id_cmp(id, cid)) {
memprintf(err, "OCSP single response: Certificate ID does not match certificate and issuer");
goto out;
}
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH];
unsigned char *p;
- rc = i2d_OCSP_CERTID(sr->certId, NULL);
+ rc = i2d_OCSP_CERTID(id, NULL);
if (!rc) {
memprintf(err, "OCSP single response: Unable to encode Certificate ID");
goto out;
p = key;
memset(key, 0, OCSP_MAX_CERTID_ASN1_LENGTH);
- i2d_OCSP_CERTID(sr->certId, &p);
+ i2d_OCSP_CERTID(id, &p);
ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, key, OCSP_MAX_CERTID_ASN1_LENGTH);
if (!ocsp) {
memprintf(err, "OCSP single response: Certificate ID does not match any certificate or issuer");
if (!ssl_pkey)
return SSL_TLSEXT_ERR_NOACK;
- key_type = EVP_PKEY_type(ssl_pkey->type);
+ key_type = EVP_PKEY_base_id(ssl_pkey);
if (ocsp_arg->is_single && ocsp_arg->single_kt == key_type)
ocsp = ocsp_arg->s_ocsp;
struct certificate_ocsp *ocsp = NULL, *iocsp;
char *warn = NULL;
unsigned char *p;
+ pem_password_cb *passwd_cb;
+ void *passwd_cb_userdata;
+ void (*callback) (void);
snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
if (BIO_read_filename(in, issuer_path) <= 0)
goto out;
- xi = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
+ passwd_cb = SSL_CTX_get_default_passwd_cb(ctx);
+ passwd_cb_userdata = SSL_CTX_get_default_passwd_cb_userdata(ctx);
+
+ xi = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_cb_userdata);
if (!xi)
goto out;
if (iocsp == ocsp)
ocsp = NULL;
- if (!ctx->tlsext_status_cb) {
+#ifndef SSL_CTX_get_tlsext_status_cb
+# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+ *cb = (void (*) (void))ctx->tlsext_status_cb;
+#endif
+ SSL_CTX_get_tlsext_status_cb(ctx, &callback);
+
+ if (!callback) {
struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
cb_arg->is_single = 1;
cb_arg->s_ocsp = iocsp;
- cb_arg->single_kt = EVP_PKEY_type(X509_get_pubkey(x)->type);
+
+ cb_arg->single_kt = EVP_PKEY_base_id(X509_get_pubkey(x));
SSL_CTX_set_tlsext_status_cb(ctx, ssl_sock_ocsp_stapling_cbk);
SSL_CTX_set_tlsext_status_arg(ctx, cb_arg);
* If the ctx has a status CB, then we have previously set an OCSP staple for this ctx
* Update that cb_arg with the new cert's staple
*/
- struct ocsp_cbk_arg *cb_arg = ctx->tlsext_status_arg;
+ struct ocsp_cbk_arg *cb_arg;
struct certificate_ocsp *tmp_ocsp;
int index;
+ int key_type;
+
+#ifdef SSL_CTX_get_tlsext_status_arg
+ SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+#else
+ cb_arg = ctx->tlsext_status_arg;
+#endif
/*
* The following few lines will convert cb_arg from a single ocsp to multi ocsp
cb_arg->is_single = 0;
cb_arg->single_kt = 0;
- index = ssl_sock_get_ocsp_arg_kt_index(EVP_PKEY_type(X509_get_pubkey(x)->type));
+ key_type = EVP_PKEY_base_id(X509_get_pubkey(x));
+ index = ssl_sock_get_ocsp_arg_kt_index(key_type);
if (index >= 0 && !cb_arg->m_ocsp[index])
cb_arg->m_ocsp[index] = iocsp;
const EVP_MD *digest;
X509V3_CTX ctx;
unsigned int i;
+ int key_type;
/* Get the private key of the defautl certificate and use it */
if (!(pkey = SSL_get_privatekey(ssl)))
}
/* Sign the certificate with the CA private key */
- if (EVP_PKEY_type(capkey->type) == EVP_PKEY_DSA)
- digest = EVP_dss1();
- else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_RSA)
+
+ key_type = EVP_PKEY_base_id(capkey);
+
+ if (key_type == EVP_PKEY_DSA)
+ digest = EVP_sha1();
+ else if (key_type == EVP_PKEY_RSA)
digest = EVP_sha256();
- else if (EVP_PKEY_type (capkey->type) == EVP_PKEY_EC)
+ else if (key_type == EVP_PKEY_EC)
digest = EVP_sha256();
else {
#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
0x02,
};
+ BIGNUM *p;
+ BIGNUM *g;
DH *dh = DH_new();
if (dh) {
- dh->p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL);
- dh->g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL);
+ p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL);
+ g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL);
- if (!dh->p || !dh->g) {
+ if (!p || !g) {
DH_free(dh);
dh = NULL;
+ } else {
+ DH_set0_pqg(dh, p, NULL, g);
}
}
return dh;
0x02,
};
+ BIGNUM *p;
+ BIGNUM *g;
DH *dh = DH_new();
if (dh) {
- dh->p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
- dh->g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
+ p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
+ g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
- if (!dh->p || !dh->g) {
+ if (!p || !g) {
DH_free(dh);
dh = NULL;
+ } else {
+ DH_set0_pqg(dh, p, NULL, g);
}
}
return dh;
0x02,
};
+ BIGNUM *p;
+ BIGNUM *g;
DH *dh = DH_new();
if (dh) {
- dh->p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL);
- dh->g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL);
+ p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL);
+ g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL);
- if (!dh->p || !dh->g) {
+ if (!p || !g) {
DH_free(dh);
dh = NULL;
+ } else {
+ DH_set0_pqg(dh, p, NULL, g);
}
}
return dh;
{
DH *dh = NULL;
EVP_PKEY *pkey = SSL_get_privatekey(ssl);
- int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+ int type;
+
+ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
/* The keylen supplied by OpenSSL can only be 512 or 1024.
See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
i = -1;
while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
-
- if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
+ ASN1_STRING *value;
+ value = X509_NAME_ENTRY_get_data(entry);
+ if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
/* Important line is here */
ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
int order = 0;
X509_NAME *xname;
char *str;
+ pem_password_cb *passwd_cb;
+ void *passwd_cb_userdata;
+
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
STACK_OF(GENERAL_NAME) *names;
#endif
if (BIO_read_filename(in, file) <= 0)
goto end;
- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
+
+ passwd_cb = SSL_CTX_get_default_passwd_cb(ctx);
+ passwd_cb_userdata = SSL_CTX_get_default_passwd_cb_userdata(ctx);
+
+ x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_cb_userdata);
if (x == NULL)
goto end;
i = -1;
while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
- if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
+ ASN1_STRING *value;
+
+ value = X509_NAME_ENTRY_get_data(entry);
+ if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
order = ssl_sock_add_cert_sni(ctx, s, str, order);
OPENSSL_free(str);
}
if (!SSL_CTX_use_certificate(ctx, x))
goto end;
+#ifdef SSL_CTX_clear_extra_chain_certs
+ SSL_CTX_clear_extra_chain_certs(ctx);
+#else
if (ctx->extra_certs != NULL) {
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
}
+#endif
- while ((ca = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata))) {
+ while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_cb_userdata))) {
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
X509_free(ca);
goto end;
i = -1;
while (!ok && (i = X509_NAME_get_index_by_NID(cert_subject, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(cert_subject, i);
- if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
+ ASN1_STRING *value;
+ value = X509_NAME_ENTRY_get_data(entry);
+ if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
ok = ssl_sock_srv_hostcheck(str, servername);
OPENSSL_free(str);
}
if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
conn->flags &= ~CO_FL_WAIT_L4_CONN;
if (!conn->err_code) {
- if (!((SSL *)conn->xprt_ctx)->packet_length) {
+ int empty_handshake;
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+ OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
+ empty_handshake = state == TLS_ST_BEFORE;
+#else
+ empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+#endif
+
+ if (empty_handshake) {
if (!errno) {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
return 0;
}
else if (ret == SSL_ERROR_SYSCALL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+ OSSL_HANDSHAKE_STATE state;
+#endif
+ int empty_handshake;
/* if errno is null, then connection was successfully established */
if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
conn->flags &= ~CO_FL_WAIT_L4_CONN;
- if (!((SSL *)conn->xprt_ctx)->packet_length) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+ state = SSL_get_state((SSL *)conn->xprt_ctx);
+ empty_handshake = state == TLS_ST_BEFORE;
+#else
+ empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
+#endif
+ if (empty_handshake) {
if (!errno) {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
ssl_sock_get_dn_entry(X509_NAME *a, const struct chunk *entry, int pos, struct chunk *out)
{
X509_NAME_ENTRY *ne;
+ ASN1_OBJECT *obj;
+ ASN1_STRING *data;
+ const unsigned char *data_ptr;
+ int data_len;
int i, j, n;
int cur = 0;
const char *s;
char tmp[128];
+ int name_count;
+
+ name_count = X509_NAME_entry_count(a);
out->len = 0;
- for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
+ for (i = 0; i < name_count; i++) {
if (pos < 0)
- j = (sk_X509_NAME_ENTRY_num(a->entries)-1) - i;
+ j = (name_count-1) - i;
else
j = i;
- ne = sk_X509_NAME_ENTRY_value(a->entries, j);
- n = OBJ_obj2nid(ne->object);
+ ne = X509_NAME_get_entry(a, j);
+ obj = X509_NAME_ENTRY_get_object(ne);
+ data = X509_NAME_ENTRY_get_data(ne);
+ data_ptr = ASN1_STRING_get0_data(data);
+ data_len = ASN1_STRING_length(data);
+ n = OBJ_obj2nid(obj);
if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
- i2t_ASN1_OBJECT(tmp, sizeof(tmp), ne->object);
+ i2t_ASN1_OBJECT(tmp, sizeof(tmp), obj);
s = tmp;
}
if (cur != pos)
continue;
- if (ne->value->length > out->size)
+ if (data_len > out->size)
return -1;
- memcpy(out->str, ne->value->data, ne->value->length);
- out->len = ne->value->length;
+ memcpy(out->str, data_ptr, data_len);
+ out->len = data_len;
return 1;
}
ssl_sock_get_dn_oneline(X509_NAME *a, struct chunk *out)
{
X509_NAME_ENTRY *ne;
+ ASN1_OBJECT *obj;
+ ASN1_STRING *data;
+ const unsigned char *data_ptr;
+ int data_len;
int i, n, ln;
int l = 0;
const char *s;
char *p;
char tmp[128];
+ int name_count;
+
+
+ name_count = X509_NAME_entry_count(a);
out->len = 0;
p = out->str;
- for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
- ne = sk_X509_NAME_ENTRY_value(a->entries, i);
- n = OBJ_obj2nid(ne->object);
+ for (i = 0; i < name_count; i++) {
+ ne = X509_NAME_get_entry(a, i);
+ obj = X509_NAME_ENTRY_get_object(ne);
+ data = X509_NAME_ENTRY_get_data(ne);
+ data_ptr = ASN1_STRING_get0_data(data);
+ data_len = ASN1_STRING_length(data);
+ n = OBJ_obj2nid(obj);
if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
- i2t_ASN1_OBJECT(tmp, sizeof(tmp), ne->object);
+ i2t_ASN1_OBJECT(tmp, sizeof(tmp), obj);
s = tmp;
}
ln = strlen(s);
- l += 1 + ln + 1 + ne->value->length;
+ l += 1 + ln + 1 + data_len;
if (l > out->size)
return -1;
out->len = l;
memcpy(p, s, ln);
p += ln;
*(p++)='=';
- memcpy(p, ne->value->data, ne->value->length);
- p += ne->value->length;
+ memcpy(p, data_ptr, data_len);
+ p += data_len;
}
if (!out->len)
{
int cert_peer = (kw[4] == 'c') ? 1 : 0;
X509 *crt;
+ __OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
int nid;
struct connection *conn;
if (!crt)
return 0;
- nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
+ X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
+ nid = OBJ_obj2nid(algorithm);
smp->data.u.str.str = (char *)OBJ_nid2sn(nid);
if (!smp->data.u.str.str) {
{
int cert_peer = (kw[4] == 'c') ? 1 : 0;
X509 *crt;
+ ASN1_OBJECT *algorithm;
int nid;
struct connection *conn;
if (!crt)
return 0;
- nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->key->algor->algorithm));
+ X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(crt));
+ nid = OBJ_obj2nid(algorithm);
smp->data.u.str.str = (char *)OBJ_nid2sn(nid);
if (!smp->data.u.str.str) {
projects / thirdparty / haproxy.git / commitdiff
