upstream/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2026-05-28 04:12:47 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SSL: compatibility with OpenSSL 4.0.
Some checks are pending
buildbot / buildbot (push) Waiting to run
Details

Browse source 
X509_get_issuer_name() and X509_get_subject_name() were changed to return
a const value.  Since it is passed to functions with a non const argument
in older versions, the const modifier is conditionally compiled as needed.

ASN1_INTEGER was made opaque.  ASN1_STRING accessors are used to preserve
the behaviour.  ASN1_STRING_get0_data() compat shim is provided for OpenSSL
< 1.1.0 where it does not exist.
This commit is contained in:
Sergey Kandaurov 2026-03-10 16:28:04 +04:00 committed by Sergey Kandaurov
parent 390767e6ec
commit 0d025b4a94
3 changed files with 36 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
src/event/ngx_event_openssl.c
View file

@ -948,6 +948,10 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
char *err;
X509 *x509;
X509_NAME *name;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const
#endif
X509_NAME *sname;
X509_STORE *store;
STACK_OF(X509) *chain;
STACK_OF(X509_NAME) *list;
@ -1003,8 +1007,8 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
return NGX_ERROR;
}
name = X509_get_subject_name(x509);
if (name == NULL) {
sname = X509_get_subject_name(x509);
if (sname == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"X509_get_subject_name(\"%s\") failed", cert->data);
sk_X509_NAME_pop_free(list, X509_NAME_free);
@ -1012,7 +1016,7 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
return NGX_ERROR;
}
name = X509_NAME_dup(name);
name = X509_NAME_dup(sname);
if (name == NULL) {
sk_X509_NAME_pop_free(list, X509_NAME_free);
sk_X509_pop_free(chain, X509_free);
@ -1197,6 +1201,9 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
char *subject, *issuer;
int err, depth;
X509 *cert;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const
#endif
X509_NAME *sname, *iname;
ngx_connection_t *c;
ngx_ssl_conn_t *ssl_conn;
@ -6012,6 +6019,9 @@ ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
BIO *bio;
X509 *cert;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const
#endif
X509_NAME *name;
s->len = 0;
@ -6066,6 +6076,9 @@ ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
BIO *bio;
X509 *cert;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const
#endif
X509_NAME *name;
s->len = 0;
@ -6122,6 +6135,9 @@ ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
char *p;
size_t len;
X509 *cert;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const
#endif
X509_NAME *name;
s->len = 0;
@ -6170,6 +6186,9 @@ ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
char *p;
size_t len;
X509 *cert;
#if (OPENSSL_VERSION_NUMBER >= 0x40000000L)
const
#endif
X509_NAME *name;
s->len = 0;

5
src/event/ngx_event_openssl.h
View file

@ -67,6 +67,11 @@
#endif
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
#define ASN1_STRING_get0_data(x) (x)->data
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined SSL_get_peer_certificate)
#define SSL_get_peer_certificate(s) SSL_get1_peer_certificate(s)
#endif

15
src/event/ngx_event_openssl_stapling.c
View file

@ -2667,9 +2667,10 @@ ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx)
static ngx_int_t
ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
{
u_char *p;
X509_NAME *name;
ASN1_INTEGER *serial;
u_char *p;
ngx_int_t length;
ASN1_INTEGER *serial;
const X509_NAME *name;
p = ngx_pnalloc(ctx->pool, 60);
if (p == NULL) {
@ -2693,12 +2694,14 @@ ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
p += 20;
serial = X509_get_serialNumber(ctx->cert);
if (serial->length > 20) {
length = ASN1_STRING_length(serial);
if (length > 20) {
return NGX_ERROR;
}
p = ngx_cpymem(p, serial->data, serial->length);
ngx_memzero(p, 20 - serial->length);
p = ngx_cpymem(p, ASN1_STRING_get0_data(serial), length);
ngx_memzero(p, 20 - length);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
"ssl ocsp key %xV", &ctx->key);