From 53b731b290a1c625c79b5e6463916b4ea719c9a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A5l=20Hermunn=20Johansen?=
<hermunn@varnish-software.com>
Date: Tue, 15 Nov 2016 16:25:54 +0100
Subject: [PATCH] Make Hitch compatible with OpenSSL 1.1.0
This should address #100. Most of the work is thanks to #sesse.
Advice on https://wiki.openssl.org/index.php/1.1_API_Changes was
helpful when doing this work.
---
src/hitch.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/hitch.c b/src/hitch.c
index 81acb2b..e5e432a 100644
--- a/src/hitch.c
+++ b/src/hitch.c
@@ -683,9 +683,13 @@ load_privatekey(SSL_CTX *ctx, const char *file)
return NULL;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define SSL_CTX_get_default_passwd_cb(ctx) (ctx->default_passwd_callback)
+#define SSL_CTX_get_default_passwd_cb_userdata(ctx) (ctx->default_passwd_callback_userdata)
+#endif
pkey = PEM_read_bio_PrivateKey(bio, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
BIO_free(bio);
return (pkey);
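Review bot: The two compatibility macros at the top of this hunk do not parenthesize their argument, so any argument more complex than a plain identifier binds wrongly; write them as `#define SSL_CTX_get_default_passwd_cb(ctx) ((ctx)->default_passwd_callback)` and `#define SSL_CTX_get_default_passwd_cb_userdata(ctx) ((ctx)->default_passwd_callback_userdata)`. They are also defined in the middle of load_privatekey's body, which the preprocessor accepts but which hides them from the rest of the file; one compat block next to the OpenSSL includes would serve both this hunk and the X509_NAME_ENTRY_get_data shim in the load_cert_ctx hunk. The guard keys on OPENSSL_VERSION_NUMBER alone, so a library that reports a 1.1-or-later number without providing these accessors (LibreSSL did for a while, if I recall correctly) would fail at link time; if that target matters, a LIBRESSL_VERSION_NUMBER check belongs in the condition. load_privatekey begins before the hunk.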
@@ -1091,8 +1095,11 @@ load_cert_ctx(sslctx *so)
return (1);
}
x509_entry = X509_NAME_get_entry(x509_name, i);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_NAME_ENTRY_get_data(e) (e->value)
+#endif
AN(x509_entry);
- PUSH_CTX(x509_entry->value, ctx);
+ PUSH_CTX(X509_NAME_ENTRY_get_data(x509_entry), ctx);
return (0);
}
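Review bot: `X509_NAME_ENTRY_get_data()` is a long-standing public function, declared in `<openssl/x509.h>` in the 1.0.x and 0.9.8 series, so the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` shim in this hunk redefines an existing library name as a macro rather than filling a gap; calling the function unconditionally and dropping the three preprocessor lines keeps the change smaller and avoids shadowing a prototype. If the macro is kept for some reason, its argument should be parenthesized: `#define X509_NAME_ENTRY_get_data(e) ((e)->value)`. The `AN(x509_entry)` check staying ahead of the accessor call is correct as written. load_cert_ctx begins before the hunk.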
@@ -1883,9 +1890,15 @@ static void end_handshake(proxystate *ps) {
#endif
LOGPROXY(ps,"ssl end handshake\n");
/* Disable renegotiation (CVE-2009-3555) */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* For OpenSSL 1.1, setting the following flag does not seem
+ * to be possible. This is OK, since SSLv3 negotiation will
+ * not happen in OpenSSL 0.9.8m or later unless
+ * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set. */
if (ps->ssl->s3) {
ps->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
+#endif
ps->handshaked = 1;
/* Check if clear side is connected */