commit 2a7003df8f5513fec196bb92a1068c6be041c952
author Bill Blough <billblough@apache.org> Tue Dec 04 03:50:49 2018 +0000
committer Bill Blough <billblough@apache.org> Tue Dec 04 03:50:49 2018 +0000
tree d2712bdba3a9d734e1eccef2298ba1de41e52032
parent b78e587b0379d5d7d42f1029f1e067523700d419

Add support for openssl 1.1.x

Add support for openssl 1.1.x, while maintaining compatibility with
openssl 1.0.x.

src/core/transport/http/sender/ssl/ssl_utils.c

diff --git a/src/core/transport/http/sender/ssl/ssl_utils.c b/src/core/transport/http/sender/ssl/ssl_utils.c
index ad0ac3c..a904883 100644
--- a/src/core/transport/http/sender/ssl/ssl_utils.c
+++ b/src/core/transport/http/sender/ssl/ssl_utils.c
@@ -18,6 +18,48 @@
 
 #include "ssl_utils.h"
 #include <openssl/err.h>
+
+
+/* compatibility functions for openssl < 1.1.0 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+STACK_OF(X509_OBJECT) * X509_STORE_get0_objects(X509_STORE *st)
+{
+    if (st)
+    {
+        return st->objs;
+    }
+    return NULL;
+};
+
+X509 * X509_OBJECT_get0_X509(const X509_OBJECT *obj)
+{
+    if (obj)
+    {
+        return (obj->data).x509;
+    }
+    return NULL;
+};
+
+void X509_get0_signature(const ASN1_BIT_STRING **psig,
+                         const X509_ALGOR **palg,
+                         const X509 *x)
+{
+    if (x) {
+        *psig = x->signature;
+        *palg = x->sig_alg;
+    }
+}
+
+int ASN1_STRING_cmp(const ASN1_BIT_STRING *a, const ASN1_BIT_STRING *b)
+{
+    return M_ASN1_BIT_STRING_cmp(a, b);
+}
+
+#endif
+
+
+
 BIO *bio_err = 0;
 
 static int
@@ -170,32 +212,44 @@
         X509 *client_cert = NULL;
 
         peer_cert = SSL_get_peer_certificate(ssl);
-        if (peer_cert && peer_cert->cert_info)
+        if (peer_cert)
         {
-            peer_name = (peer_cert->cert_info)->subject;
+            peer_name = X509_get_subject_name(peer_cert);
         }
 
         cert_store = SSL_CTX_get_cert_store(ctx);
         if (peer_name && cert_store)
         {
-            client_object = X509_OBJECT_retrieve_by_subject(cert_store->objs,
-                X509_LU_X509,
-                peer_name);
+            client_object = X509_OBJECT_retrieve_by_subject(
+                    X509_STORE_get0_objects(cert_store),
+                    X509_LU_X509,
+                    peer_name);
         }
+
         if (client_object)
         {
-            client_cert = (client_object->data).x509;
-            if (client_cert &&
-                (M_ASN1_BIT_STRING_cmp(client_cert->signature,
-                        peer_cert->signature) == 0))
+            client_cert = X509_OBJECT_get0_X509(client_object);
+            if (client_cert)
             {
-                if (peer_cert)
+                const ASN1_BIT_STRING *peer_sig = NULL;
+                const X509_ALGOR *peer_alg = NULL;
+
+                const ASN1_BIT_STRING *client_sig = NULL;
+                const X509_ALGOR *client_alg = NULL;
+
+                X509_get0_signature(&peer_sig, &peer_alg, peer_cert);
+                X509_get0_signature(&client_sig, &client_alg, client_cert);
+
+                if (ASN1_STRING_cmp(peer_sig, client_sig) == 0)
                 {
-                    X509_free(peer_cert);
+                    if (peer_cert)
+                    {
+                        X509_free(peer_cert);
+                    }
+                    AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+                            "[ssl client] SSL certificate verified against peer");
+                    return ssl;
                 }
-                AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
-                    "[ssl client] SSL certificate verified against peer");
-                return ssl;
             }
         }
         if (peer_cert)