From: Howard Chu
Date: Tue, 14 May 2024 15:13:15 +0000 (+0100)
Subject: ITS#10216 libldap: fix OpenSSL channel binding digest
X-Git-Tag: OPENLDAP_REL_ENG_2_5_18~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8bb35fd878d4100876441bba010c15c348fe6543;p=thirdparty%2Fopenldap.git
ITS#10216 libldap: fix OpenSSL channel binding digest
The OBJ_find_ API is undocumented but this is what OpenSSL libcrypto does itself.
---
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 028d1cbfe3..1af87694ff 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -54,8 +54,10 @@
 #if OPENSSL_VERSION_MAJOR >= 3
 #define ERR_get_error_line( a, b ) ERR_get_error_all( a, b, NULL, NULL, NULL )
+#ifndef SSL_get_peer_certificate
 #define SSL_get_peer_certificate( s ) SSL_get1_peer_certificate( s )
 #endif
+#endif
 typedef SSL_CTX tlso_ctx;
 typedef SSL tlso_session;
@@ -1044,7 +1046,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 return 0;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
- md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
+ {
+ int mdnid;
+ if ( !OBJ_find_sigid_algs( X509_get_signature_nid( cert ), &mdnid, NULL ))
+ return 0;
+ md = EVP_get_digestbynid( mdnid );
+ }
 #else
 md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
 #endif
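Review bot: In the second hunk `mdnid` is passed to `EVP_get_digestbynid()` after checking only that `OBJ_find_sigid_algs()` did not fail. To my knowledge the lookup can succeed and still report `NID_undef` for signature algorithms that have no separate digest (Ed25519, for example), in which case `md` is NULL. Whether a NULL `md` is handled is decided after the `#endif`, outside this hunk, so that path is worth confirming. I would declare `int mdnid = NID_undef;` and put the reasoning next to the call, e.g. `/* signature NID is not a digest NID; map it via OBJ_find_sigid_algs (undocumented, ITS#10216). md may still be NULL. */`, since the rationale is currently only in the commit message. The new `return 0` also means no tls-server-end-point data is produced for an unrecognised signature algorithm, so callers that require channel binding should treat the empty result as a failure rather than proceeding unbound.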