Use newer certificate functions to work with OpenSSL 3.0
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 1 Oct 2021 17:35:03 +0000 (12:35 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Sat, 2 Oct 2021 18:26:46 +0000 (13:26 -0500)
src/lib/tls/verify.c

index 1c75414f3b11c7bb9e64641df115177749931cc3..d494cdb745a8fe23d0acc3764ef421d004e2f899 100644 (file)
@@ -129,9 +129,15 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
 
        if (RDEBUG_ENABLED3) {
                char            subject[2048];
-               STACK_OF(X509)  *our_chain = X509_STORE_CTX_get_chain(x509_ctx);
+               STACK_OF(X509)  *our_chain;
                int             i;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+               our_chain = X509_STORE_CTX_get0_chain(x509_ctx);
+#else
+               our_chain = X509_STORE_CTX_get_chain(x509_ctx);
+#endif
+
                RDEBUG3("Certificate chain - %i cert(s) untrusted", untrusted);
                for (i = sk_X509_num(our_chain); i > 0 ; i--) {
                        X509 *this_cert = sk_X509_value(our_chain, i - 1);
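Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` selects OpenSSL 1.1.1 and later, but as far as I know `X509_STORE_CTX_get0_chain()` has been available since 1.1.0, so `0x10100000L` would cover every release that provides it. A short comment above the assignment, such as `/* borrowed from x509_ctx in both branches, do not free */`, would make clear that neither call transfers ownership of `our_chain`. The enclosing `if (RDEBUG_ENABLED3)` block continues past the end of the hunk.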
@@ -284,7 +290,11 @@ int fr_tls_verify_client_cert_chain(request_t *request, SSL *ssl)
        /*
         *      If there's no client certificate, we just return OK.
         */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       cert = SSL_get0_peer_certificate(ssl);                  /* Does not increase ref count */
+#else
        cert = SSL_get_peer_certificate(ssl);                   /* Increases ref count */
+#endif
        if (!cert) return 1;
 
        store_ctx = X509_STORE_CTX_new();
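Review bot: Ownership of `cert` now depends on two separate `#if OPENSSL_VERSION_NUMBER` blocks, this one and the one around `X509_free(cert)` in the hunk at `@@ -305,7 +315,9 @@`. If the two conditions ever drift apart, the result is either a leaked reference or a free of a certificate the SSL object still owns. OpenSSL 3.0 also provides `SSL_get1_peer_certificate()`, which keeps the old reference-counting behaviour, so using `cert = SSL_get1_peer_certificate(ssl);` in the 3.0 branch would let `X509_free(cert);` stay unconditional. If the get0 variant is kept, a comment should say that `cert` is borrowed from `ssl` and must not be used once the SSL object is released. The function body between the two hunks is not visible here, so any early-return paths in it should be checked for the same pairing.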
@@ -305,7 +315,9 @@ int fr_tls_verify_client_cert_chain(request_t *request, SSL *ssl)
                }
        }
 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
        X509_free(cert);
+#endif
        X509_STORE_CTX_free(store_ctx);
 
        return ret;