From 3e14f0d8a529798163c7da11b77011337645cd95 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 25 Jun 2016 23:35:12 +0900
Subject: [PATCH] nghttpx: Fix compile error with openssl 1.0.1

openssl lacks SSL_CTX_get0_certificates().
---
 src/shrpx_ssl.cc | 46 ++++++++++++++++++++++++++++++++++++++-----
 src/shrpx_ssl.h | 4 ++++
 src/shrpx_ssl_test.cc | 26 ++----------------------
 3 files changed, 47 insertions(+), 29 deletions(-)

diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 1d835ec8..171e85b9 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -1318,6 +1318,26 @@ bool upstream_tls_enabled() {
 [](const UpstreamAddr &faddr) { return faddr.tls; });
 }
 
+X509 *load_certificate(const char *filename) {
+ auto bio = BIO_new(BIO_s_file());
+ if (!bio) {
+ fprintf(stderr, "BIO_new() failed\n");
+ return nullptr;
+ }
+ auto bio_deleter = defer(BIO_vfree, bio);
+ if (!BIO_read_filename(bio, filename)) {
+ fprintf(stderr, "Could not read certificate file '%s'\n", filename);
+ return nullptr;
+ }
+ auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
+ if (!cert) {
+ fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
+ return nullptr;
+ }
+
+ return cert;
+}
+
 SSL_CTX *setup_server_ssl_context(std::vector &all_ssl_ctx,
 CertLookupTree *cert_tree
 #ifdef HAVE_NEVERBLEED
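Review bot: The three failure paths in load_certificate report through fprintf(stderr, ...) although this function now lives in the server code, where the surrounding hunk reports through LOG(FATAL); the messages should go through the same logger so they land in the configured error log, e.g. `LOG(ERROR) << "Could not read certificate file '" << filename << "'";`. Each failure path also returns nullptr while the OpenSSL error queue still holds the underlying reason (permission denied, malformed PEM), which is neither logged nor cleared; appending `ERR_error_string(ERR_get_error(), nullptr)` to the message reports the cause and drains the queue in one step. This was acceptable for the test helper the function was moved from, but it is now startup diagnostics for an operator.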
@@ -1351,25 +1371,41 @@ SSL_CTX *setup_server_ssl_context(std::vector &all_ssl_ctx,
 return ssl_ctx;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ auto cert = SSL_CTX_get0_certificate(ssl_ctx);
+#else
+ auto cert = load_certificate(tlsconf.cert_file.c_str());
+ auto cert_deleter = defer(X509_free, cert);
+#endif
+
 if (ssl::cert_lookup_tree_add_cert_from_x509(
- cert_tree, all_ssl_ctx.size() - 1,
- SSL_CTX_get0_certificate(ssl_ctx)) == -1) {
+ cert_tree, all_ssl_ctx.size() - 1, cert) == -1) {
 LOG(FATAL) << "Failed to add default certificate.";
 DIE();
 }
 
 for (auto &keycert : tlsconf.subcerts) {
+ auto &priv_key_file = keycert.first;
+ auto &cert_file = keycert.second;
+
 auto ssl_ctx =
- ssl::create_ssl_context(keycert.first.c_str(), keycert.second.c_str()
+ ssl::create_ssl_context(priv_key_file.c_str(), cert_file.c_str()
 #ifdef HAVE_NEVERBLEED
 ,
 nb
 #endif // HAVE_NEVERBLEED
 );
 all_ssl_ctx.push_back(ssl_ctx);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ auto cert = SSL_CTX_get0_certificate(ssl_ctx);
+#else
+ auto cert = load_certificate(cert_file.c_str());
+ auto cert_deleter = defer(X509_free, cert);
+#endif
+
 if (ssl::cert_lookup_tree_add_cert_from_x509(
- cert_tree, all_ssl_ctx.size() - 1,
- SSL_CTX_get0_certificate(ssl_ctx)) == -1) {
+ cert_tree, all_ssl_ctx.size() - 1, cert) == -1) {
 LOG(FATAL) << "Failed to add sub certificate.";
 DIE();
 }
diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h
index 294b4efe..a6086a97 100644
--- a/src/shrpx_ssl.h
+++ b/src/shrpx_ssl.h
@@ -236,6 +236,10 @@ void try_cache_tls_session(TLSSessionCache &cache, const Address &addr,
 // found associated to |addr|, nullptr will be returned.
 SSL_SESSION *reuse_tls_session(const TLSSessionCache &addr);
 
+// Loads certificate form file |filename|. The caller should delete
+// the returned object using X509_free().
+X509 *load_certificate(const char *filename);
+
 } // namespace ssl
 
 } // namespace shrpx
diff --git a/src/shrpx_ssl_test.cc b/src/shrpx_ssl_test.cc
index 63062f4c..0161336a 100644
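Review bot: In the `#else` branch the value returned by load_certificate(tlsconf.cert_file.c_str()) is passed straight to cert_lookup_tree_add_cert_from_x509 without a null check, and the same pattern repeats for load_certificate(cert_file.c_str()) in the subcerts loop. The certificate file was already read by create_ssl_context a few lines earlier, but this branch reads it from disk a second time, so a file removed or replaced between the two reads yields nullptr here (and, on replacement, a lookup-tree entry that differs from the certificate actually loaded into ssl_ctx); cert_lookup_tree_add_cert_from_x509 is not visible in this hunk, and unless it tolerates a null certificate the result is a crash at startup rather than a diagnosed configuration error. Adding `if (!cert) { LOG(FATAL) << "Could not load certificate " << tlsconf.cert_file; DIE(); }` after the load in the first block, and the equivalent with `cert_file` in the loop, keeps the failure mode consistent with the surrounding LOG(FATAL)/DIE() handling. setup_server_ssl_context begins and ends outside this hunk.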
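Review bot: The new declaration comment in shrpx_ssl.h omits the one fact callers in shrpx_ssl.cc depend on: that the function returns nullptr on failure, and it also has a typo ("form" for "from"). I would write it as `// Loads certificate from file |filename|. Returns nullptr if the file cannot be read or does not contain a PEM X509 certificate. The caller should delete the returned object using X509_free().` so that every caller knows the result must be checked before use.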
--- a/src/shrpx_ssl_test.cc
+++ b/src/shrpx_ssl_test.cc
@@ -93,28 +93,6 @@ void test_shrpx_ssl_create_lookup_tree(void) {
 }
 }
 
-namespace {
-X509 *load_certificate(const char *filename) {
- auto bio = BIO_new(BIO_s_file());
- if (!bio) {
- fprintf(stderr, "BIO_new() failed\n");
- return nullptr;
- }
- auto bio_deleter = defer(BIO_vfree, bio);
- if (!BIO_read_filename(bio, filename)) {
- fprintf(stderr, "Could not read certificate file '%s'\n", filename);
- return nullptr;
- }
- auto cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
- if (!cert) {
- fprintf(stderr, "Could not read X509 structure from file '%s'\n", filename);
- return nullptr;
- }
-
- return cert;
-}
-} // namespace
-
 // We use cfssl to generate key pairs.
 //
 // CA self-signed key pairs generation:
@@ -141,11 +119,11 @@ void test_shrpx_ssl_cert_lookup_tree_add_cert_from_x509(void) {
 int rv;
 
 constexpr char nghttp2_certfile[] = NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
- auto nghttp2_cert = load_certificate(nghttp2_certfile);
+ auto nghttp2_cert = ssl::load_certificate(nghttp2_certfile);
 auto nghttp2_cert_deleter = defer(X509_free, nghttp2_cert);
 
 constexpr char examples_certfile[] = NGHTTP2_SRC_DIR "/test.example.com.pem";
- auto examples_cert = load_certificate(examples_certfile);
+ auto examples_cert = ssl::load_certificate(examples_certfile);
 auto examples_cert_deleter = defer(X509_free, examples_cert);
 
 ssl::CertLookupTree tree;