From: Rainer Jung <rjung@apache.org>
Date: Sat, 23 Apr 2016 13:17:52 +0000 (+0000)
Subject: Support for OpenSSL 1.1.0:
X-Git-Tag: 2.5.0-alpha~1719
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e387d3e9c77033de56dec79c5cc9871981c61a29;p=apache

Support for OpenSSL 1.1.0:
- X509_STORE_CTX is now opaque.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1740653 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index ffa78dff7b..a8f9ebeb64 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r)
     X509 *cert;
     X509 *peercert;
     X509_STORE *cert_store = NULL;
-    X509_STORE_CTX cert_store_ctx;
+    X509_STORE_CTX *cert_store_ctx;
     STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
     const SSL_CIPHER *cipher = NULL;
     int depth, verify_old, verify, n, is_slave = 0;
@@ -913,25 +913,27 @@ int ssl_hook_Access(request_rec *r)
                 cert = sk_X509_value(cert_stack, 0);
             }
 
-            X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
+            cert_store_ctx = X509_STORE_CTX_new();
+            X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
             depth = SSL_get_verify_depth(ssl);
 
             if (depth >= 0) {
-                X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
+                X509_STORE_CTX_set_depth(cert_store_ctx, depth);
             }
 
-            X509_STORE_CTX_set_ex_data(&cert_store_ctx,
+            X509_STORE_CTX_set_ex_data(cert_store_ctx,
                                        SSL_get_ex_data_X509_STORE_CTX_idx(),
                                        (char *)ssl);
 
-            if (!X509_verify_cert(&cert_store_ctx)) {
+            if (!X509_verify_cert(cert_store_ctx)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
                               "Re-negotiation verification step failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
             }
 
-            SSL_set_verify_result(ssl, cert_store_ctx.error);
-            X509_STORE_CTX_cleanup(&cert_store_ctx);
+            SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx));
+            X509_STORE_CTX_cleanup(cert_store_ctx);
+            X509_STORE_CTX_free(cert_store_ctx);
 
             if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
                 /* we created this ourselves, so free it */
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index ddaebb3e8d..3600600a68 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
 {
     OCSP_REQUEST *req = OCSP_REQUEST_new();
 
-    *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
+    *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx));
     if (!*certid || !OCSP_request_add0_id(req, *certid)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
                      "could not retrieve certificate id");
@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
 
     if (rc == V_OCSP_CERTSTATUS_GOOD) {
         /* TODO: allow flags configuration. */
-        if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
+        if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
                         "failed to verify the OCSP response");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 616d7cbcb5..be2a402f4d 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -219,6 +219,16 @@ void init_bio_methods(void);
 void free_bio_methods(void);
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#define X509_STORE_CTX_get0_store(x) (x->ctx)
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#ifndef X509_STORE_CTX_get0_current_issuer
+#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
+#endif
+#endif
+
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
 
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 63be9b2ced..718a291793 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
     X509 *issuer = NULL;
     int i;
     X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
-    X509_STORE_CTX inctx;
+    X509_STORE_CTX *inctx;
     STACK_OF(X509) *extra_certs = NULL;
 
 #ifdef OPENSSL_NO_SSL_INTERN
@@ -100,13 +100,14 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
         }
     }
 
-    if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
+    inctx = X509_STORE_CTX_new();
+    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
         return 0;
-    if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+    if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
         issuer = NULL;
-    X509_STORE_CTX_cleanup(&inctx);
+    X509_STORE_CTX_cleanup(inctx);
+    X509_STORE_CTX_free(inctx);
     return issuer;
-
 }
 
 int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,