nghttpx: Fix compile error with openssl 1.0.1

openssl lacks SSL_CTX_get0_certificates().
2016-06-25 23:35:12 +09:00 · 2016-06-25 23:35:12 +09:00 · 3e14f0d8a5
parent f7c0d48152
commit 3e14f0d8a5
3 changed files with 47 additions and 29 deletions
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -1318,6 +1318,26 @@ bool upstream_tls_enabled() {
                     [](const UpstreamAddr &faddr) { return faddr.tls; });
 }

+X509 *load_certificate(const char *filename) {
+  auto bio = BIO_new(BIO_s_file());
+  if (!bio) {
+    fprintf(stderr, "BIO_new() failed\n");
+    return nullptr;
+  }
+  auto bio_deleter = defer(BIO_vfree, bio);
+  if (!BIO_read_filename(bio, filename)) {
+    fprintf(stderr, "Could not read certificate file '%s'\n", filename);
+    return nullptr;
+  }
+  auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
+  if (!cert) {
+    fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
+    return nullptr;
+  }
+
+  return cert;
+}
+
 SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
                                  CertLookupTree *cert_tree
 #ifdef HAVE_NEVERBLEED
@ -1351,25 +1371,41 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
    return ssl_ctx;
  }

+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+  auto cert = SSL_CTX_get0_certificate(ssl_ctx);
+#else
+  auto cert = load_certificate(tlsconf.cert_file.c_str());
+  auto cert_deleter = defer(X509_free, cert);
+#endif
+
  if (ssl::cert_lookup_tree_add_cert_from_x509(
-          cert_tree, all_ssl_ctx.size() - 1,
-          SSL_CTX_get0_certificate(ssl_ctx)) == -1) {
+          cert_tree, all_ssl_ctx.size() - 1, cert) == -1) {
    LOG(FATAL) << "Failed to add default certificate.";
    DIE();
  }

  for (auto &keycert : tlsconf.subcerts) {
+    auto &priv_key_file = keycert.first;
+    auto &cert_file = keycert.second;
+
    auto ssl_ctx =
-        ssl::create_ssl_context(keycert.first.c_str(), keycert.second.c_str()
+        ssl::create_ssl_context(priv_key_file.c_str(), cert_file.c_str()
 #ifdef HAVE_NEVERBLEED
                                                           ,
                                nb
 #endif // HAVE_NEVERBLEED
                                );
    all_ssl_ctx.push_back(ssl_ctx);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+    auto cert = SSL_CTX_get0_certificate(ssl_ctx);
+#else
+    auto cert = load_certificate(cert_file.c_str());
+    auto cert_deleter = defer(X509_free, cert);
+#endif
+
    if (ssl::cert_lookup_tree_add_cert_from_x509(
-            cert_tree, all_ssl_ctx.size() - 1,
-            SSL_CTX_get0_certificate(ssl_ctx)) == -1) {
+            cert_tree, all_ssl_ctx.size() - 1, cert) == -1) {
      LOG(FATAL) << "Failed to add sub certificate.";
      DIE();
    }
--- a/src/shrpx_ssl.h
+++ b/src/shrpx_ssl.h
@ -236,6 +236,10 @@ void try_cache_tls_session(TLSSessionCache &cache, const Address &addr,
 // found associated to |addr|, nullptr will be returned.
 SSL_SESSION *reuse_tls_session(const TLSSessionCache &addr);

+// Loads certificate form file |filename|.  The caller should delete
+// the returned object using X509_free().
+X509 *load_certificate(const char *filename);
+
 } // namespace ssl

 } // namespace shrpx
--- a/src/shrpx_ssl_test.cc
+++ b/src/shrpx_ssl_test.cc
@ -93,28 +93,6 @@ void test_shrpx_ssl_create_lookup_tree(void) {
  }
 }

-namespace {
-X509 *load_certificate(const char *filename) {
-  auto bio = BIO_new(BIO_s_file());
-  if (!bio) {
-    fprintf(stderr, "BIO_new() failed\n");
-    return nullptr;
-  }
-  auto bio_deleter = defer(BIO_vfree, bio);
-  if (!BIO_read_filename(bio, filename)) {
-    fprintf(stderr, "Could not read certificate file '%s'\n", filename);
-    return nullptr;
-  }
-  auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
-  if (!cert) {
-    fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
-    return nullptr;
-  }
-
-  return cert;
-}
-} // namespace
-
 // We use cfssl to generate key pairs.
 //
 // CA self-signed key pairs generation:
@ -141,11 +119,11 @@ void test_shrpx_ssl_cert_lookup_tree_add_cert_from_x509(void) {
  int rv;

  constexpr char nghttp2_certfile[] = NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
-  auto nghttp2_cert = load_certificate(nghttp2_certfile);
+  auto nghttp2_cert = ssl::load_certificate(nghttp2_certfile);
  auto nghttp2_cert_deleter = defer(X509_free, nghttp2_cert);

  constexpr char examples_certfile[] = NGHTTP2_SRC_DIR "/test.example.com.pem";
-  auto examples_cert = load_certificate(examples_certfile);
+  auto examples_cert = ssl::load_certificate(examples_certfile);
  auto examples_cert_deleter = defer(X509_free, examples_cert);

  ssl::CertLookupTree tree;