From: Arran Cudbard-Bell
Date: Fri, 1 Oct 2021 17:35:03 +0000 (-0500)
Subject: Use newer certificate functions to work with OpenSSL 3.0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e25eff9a40aa1440b43bb512264e406eb039a157;p=thirdparty%2Ffreeradius-server.git
Use newer certificate functions to work with OpenSSL 3.0
---
diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index 1c75414f3b..d494cdb745 100644
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -129,9 +129,15 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
 if (RDEBUG_ENABLED3) {
 char subject[2048];
- STACK_OF(X509) *our_chain = X509_STORE_CTX_get_chain(x509_ctx);
+ STACK_OF(X509) *our_chain;
 int i;
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ our_chain = X509_STORE_CTX_get0_chain(x509_ctx);
+#else
+ our_chain = X509_STORE_CTX_get_chain(x509_ctx);
+#endif
+
 RDEBUG3("Certificate chain - %i cert(s) untrusted", untrusted);
 for (i = sk_X509_num(our_chain); i > 0 ; i--) {
 X509 *this_cert = sk_X509_value(our_chain, i - 1);
@@ -284,7 +290,11 @@ int fr_tls_verify_client_cert_chain(request_t *request, SSL *ssl)
 /*
 * If there's no client certificate, we just return OK.
 */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ cert = SSL_get0_peer_certificate(ssl); /* Does not increase ref count */
+#else
 cert = SSL_get_peer_certificate(ssl); /* Increases ref count */
+#endif
 if (!cert) return 1;
 store_ctx = X509_STORE_CTX_new();
@@ -305,7 +315,9 @@ int fr_tls_verify_client_cert_chain(request_t *request, SSL *ssl)
 }
 }
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 X509_free(cert);
+#endif
 X509_STORE_CTX_free(store_ctx);
 return ret;
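Review bot: The version guard on the chain lookup in fr_tls_verify_cert_cb, `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`, is stricter than the API requires: X509_STORE_CTX_get0_chain() has been available since OpenSSL 1.1.0, the release that deprecated X509_STORE_CTX_get_chain(), so a 1.1.0 build still compiles the deprecated call. Unless 1.1.1 is the project's minimum (in which case the `#else` branch is dead code), `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` would match the API's introduction. The returned stack is borrowed from `x509_ctx`, and a short comment such as `/* get0: owned by x509_ctx, must not be freed */` next to the assignment would keep a later edit from adding a free. The function body continues outside this hunk.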
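Review bot: Ownership of `cert` in fr_tls_verify_client_cert_chain now depends on the build: with OpenSSL 3.0 it is a borrowed pointer from SSL_get0_peer_certificate(), on older builds an owned reference, and the matching release is a separate guard in the last hunk (`#if OPENSSL_VERSION_NUMBER < 0x30000000L` around `X509_free(cert)`). If the two conditions ever drift apart, the result is either a leaked certificate or a free of the reference the SSL object still holds, which leaves the peer certificate dangling. Using `cert = SSL_get1_peer_certificate(ssl);` on 3.0 would keep an owned reference on every build, so `X509_free(cert)` can stay unconditional and the second `#if` goes away. The lines between the two hunks are not visible here, so any early return on that path should be checked against the same ownership rule.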