diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index fc788aa76..fb859263e 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -394,6 +394,12 @@ static inline unsigned long ERR_peek_error_func(const char **func) #define __OPENSSL_110_CONST__ #endif +#if (HA_OPENSSL_VERSION_NUMBER >= 0x40000000L) && (!defined(USE_OPENSSL_WOLFSSL)) +#define __X509_NAME_CONST__ const +#else +#define __X509_NAME_CONST__ +#endif + /* ERR_remove_state() was deprecated in 1.0.0 in favor of * ERR_remove_thread_state(), which was in turn deprecated in * 1.1.0 and does nothing anymore. Let's simply silently kill diff --git a/include/haproxy/ssl_utils.h b/include/haproxy/ssl_utils.h index d6649fa9b..1d1b16966 100644 --- a/include/haproxy/ssl_utils.h +++ b/include/haproxy/ssl_utils.h @@ -34,10 +34,10 @@ int cert_get_pkey_algo(X509 *crt, struct buffer *out); int ssl_sock_get_serial(X509 *crt, struct buffer *out); int ssl_sock_crt2der(X509 *crt, struct buffer *out); int ssl_sock_get_time(ASN1_TIME *tm, struct buffer *out); -int ssl_sock_get_dn_entry(X509_NAME *a, const struct buffer *entry, int pos, +int ssl_sock_get_dn_entry(__X509_NAME_CONST__ X509_NAME *a, const struct buffer *entry, int pos, struct buffer *out); -int ssl_sock_get_dn_formatted(X509_NAME *a, const struct buffer *format, struct buffer *out); -int ssl_sock_get_dn_oneline(X509_NAME *a, struct buffer *out); +int ssl_sock_get_dn_formatted(__X509_NAME_CONST__ X509_NAME *a, const struct buffer *format, struct buffer *out); +int ssl_sock_get_dn_oneline(__X509_NAME_CONST__ X509_NAME *a, struct buffer *out); X509* ssl_sock_get_peer_certificate(SSL *ssl); X509* ssl_sock_get_verified_chain_root(SSL *ssl); unsigned int openssl_version_parser(const char *version); diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 787e289d9..c03e95d36 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -2126,7 +2126,7 @@ static int show_cert_detail(X509 *cert, STACK_OF(X509) *chain, struct issuer_cha int i; int write = -1; unsigned int len = 0; - X509_NAME *name = NULL; + __X509_NAME_CONST__ X509_NAME *name = NULL; if (!tmp) return -1; @@ -4412,7 +4412,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out) BIO *bio = NULL; struct buffer *tmp = alloc_trash_chunk(); long version; - X509_NAME *issuer; + __X509_NAME_CONST__ X509_NAME *issuer; int write = -1; #ifndef USE_OPENSSL_WOLFSSL STACK_OF(X509_REVOKED) *rev = NULL; diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c index ef6922d35..d5d710daa 100644 --- a/src/ssl_gencert.c +++ b/src/ssl_gencert.c @@ -92,7 +92,8 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf EVP_PKEY *pkey = NULL; SSL *tmp_ssl = NULL; CONF *ctmp = NULL; - X509_NAME *name; + __X509_NAME_CONST__ X509_NAME *name; + X509_NAME *subject = NULL; const EVP_MD *digest; X509V3_CTX ctx; unsigned int i; @@ -140,21 +141,21 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf goto mkcert_error; /* Set the subject name using the same, but the CN */ - name = X509_NAME_dup(name); + subject = X509_NAME_dup(name); if (strlen(servername) <= 64) { - if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, + if (X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC, (const unsigned char *)servername, -1, -1, 0) != 1) { - X509_NAME_free(name); + X509_NAME_free(subject); goto mkcert_error; } } - if (X509_set_subject_name(newcrt, name) != 1) { - X509_NAME_free(name); + if (X509_set_subject_name(newcrt, subject) != 1) { + X509_NAME_free(subject); goto mkcert_error; } - X509_NAME_free(name); + X509_NAME_free(subject); /* Add x509v3 extensions as specified */ ctmp = NCONF_new(NULL); diff --git a/src/ssl_sample.c b/src/ssl_sample.c index b2740f309..fdbbdd3e8 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c @@ -779,7 +779,7 @@ static int smp_fetch_ssl_r_dn(const struct arg *args, struct sample *smp, const char *kw, void *private) { X509 *crt = NULL; - X509_NAME *name; + __X509_NAME_CONST__ X509_NAME *name; int ret = 0; struct buffer *smp_trash; struct connection *conn; @@ -1113,7 +1113,7 @@ smp_fetch_ssl_x_i_dn(const struct arg *args, struct sample *smp, const char *kw, int cert_peer = (kw[4] == 'c' || kw[4] == 's') ? 1 : 0; int conn_server = (kw[4] == 's') ? 1 : 0; X509 *crt = NULL; - X509_NAME *name; + __X509_NAME_CONST__ X509_NAME *name; int ret = 0; struct buffer *smp_trash; struct connection *conn; @@ -1309,7 +1309,7 @@ smp_fetch_ssl_x_s_dn(const struct arg *args, struct sample *smp, const char *kw, int cert_peer = (kw[4] == 'c' || kw[4] == 's') ? 1 : 0; int conn_server = (kw[4] == 's') ? 1 : 0; X509 *crt = NULL; - X509_NAME *name; + __X509_NAME_CONST__ X509_NAME *name; int ret = 0; struct buffer *smp_trash; struct connection *conn; diff --git a/src/ssl_sock.c b/src/ssl_sock.c index aeb408ffa..2e38dc064 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -691,7 +691,8 @@ static STACK_OF(X509_NAME)* ssl_get_client_ca_file(char *path) STACK_OF(X509_OBJECT) *objs; STACK_OF(X509_NAME) *skn; X509 *x; - X509_NAME *xn; + __X509_NAME_CONST__ X509_NAME *xn; + X509_NAME *xn_dup; skn = sk_X509_NAME_new_null(); /* take x509 from cafile_tree */ @@ -716,19 +717,19 @@ static STACK_OF(X509_NAME)* ssl_get_client_ca_file(char *path) if (ca_name) continue; ca_name = calloc(1, sizeof *ca_name); - xn = X509_NAME_dup(xn); + xn_dup = X509_NAME_dup(xn); if (!ca_name || - !xn || - !sk_X509_NAME_push(skn, xn)) { + !xn_dup || + !sk_X509_NAME_push(skn, xn_dup)) { free(ca_name); - X509_NAME_free(xn); + X509_NAME_free(xn_dup); sk_X509_NAME_pop_free(skn, X509_NAME_free); sk_X509_NAME_free(skn); skn = NULL; break; } ca_name->node.key = key; - ca_name->xname = xn; + ca_name->xname = xn_dup; eb64_insert(&ca_name_tree, &ca_name->node); } sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free); @@ -3151,7 +3152,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct SSL_CTX *ctx; int i; int order = 0; - X509_NAME *xname; + __X509_NAME_CONST__ X509_NAME *xname; char *str; EVP_PKEY *pkey; struct pkey_info kinfo = { .sig = TLSEXT_signature_anonymous, .bits = 0 }; @@ -3243,8 +3244,8 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct xname = X509_get_subject_name(data->cert); i = -1; while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) { - X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i); - ASN1_STRING *value; + __X509_NAME_CONST__ X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i); + __X509_NAME_CONST__ ASN1_STRING *value; value = X509_NAME_ENTRY_get_data(entry); if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) { @@ -4897,7 +4898,7 @@ static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx) X509 *cert; STACK_OF(GENERAL_NAME) *alt_names; int i; - X509_NAME *cert_subject; + __X509_NAME_CONST__ X509_NAME *cert_subject; char *str; if (ok == 0) @@ -4963,8 +4964,8 @@ static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx) cert_subject = X509_get_subject_name(cert); i = -1; while (!ok && (i = X509_NAME_get_index_by_NID(cert_subject, NID_commonName, i)) != -1) { - X509_NAME_ENTRY *entry = X509_NAME_get_entry(cert_subject, i); - ASN1_STRING *value; + __X509_NAME_CONST__ X509_NAME_ENTRY *entry = X509_NAME_get_entry(cert_subject, i); + __X509_NAME_CONST__ ASN1_STRING *value; value = X509_NAME_ENTRY_get_data(entry); if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) { ok = ssl_sock_srv_hostcheck(str, servername); @@ -7637,7 +7638,7 @@ int ssl_sock_get_remote_common_name(struct connection *conn, { struct ssl_sock_ctx *ctx = conn_get_ssl_sock_ctx(conn); X509 *crt = NULL; - X509_NAME *name; + __X509_NAME_CONST__ X509_NAME *name; const char find_cn[] = "CN"; const struct buffer find_cn_chunk = { .area = (char *)&find_cn, @@ -7737,7 +7738,7 @@ int ssl_sock_get_alpn(const struct connection *conn, void *xprt_ctx, const char int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err) { X509 *ca; - X509_NAME *name = NULL; + __X509_NAME_CONST__ X509_NAME *name = NULL; ASN1_OCTET_STRING *skid = NULL; STACK_OF(X509) *chain = NULL; struct issuer_chain *issuer; diff --git a/src/ssl_trace.c b/src/ssl_trace.c index ae5a07233..96cb8a2a7 100644 --- a/src/ssl_trace.c +++ b/src/ssl_trace.c @@ -140,7 +140,7 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ X509 *crt = SSL_get_certificate(ssl); if (crt) { - X509_NAME *name = X509_get_subject_name(crt); + __X509_NAME_CONST__ X509_NAME *name = X509_get_subject_name(crt); if (name) chunk_appendf(&trace_buf, " subject=\"%s\"", X509_NAME_oneline(name, 0, 0)); diff --git a/src/ssl_utils.c b/src/ssl_utils.c index 6ecd03039..836e44cc2 100644 --- a/src/ssl_utils.c +++ b/src/ssl_utils.c @@ -187,12 +187,12 @@ int ssl_sock_get_time(ASN1_TIME *tm, struct buffer *out) /* Extract an entry from a X509_NAME and copy its value to an output chunk. * Returns 1 if entry found, 0 if entry not found, or -1 if output not large enough. */ -int ssl_sock_get_dn_entry(X509_NAME *a, const struct buffer *entry, int pos, +int ssl_sock_get_dn_entry(__X509_NAME_CONST__ X509_NAME *a, const struct buffer *entry, int pos, struct buffer *out) { - X509_NAME_ENTRY *ne; - ASN1_OBJECT *obj; - ASN1_STRING *data; + __X509_NAME_CONST__ X509_NAME_ENTRY *ne; + __X509_NAME_CONST__ ASN1_OBJECT *obj; + __X509_NAME_CONST__ ASN1_STRING *data; const unsigned char *data_ptr; int data_len; int i, j, n; @@ -249,7 +249,7 @@ int ssl_sock_get_dn_entry(X509_NAME *a, const struct buffer *entry, int pos, * Currently supports rfc2253 for returning LDAP V3 DNs. * Returns 1 if dn entries exist, 0 if no dn entry was found. */ -int ssl_sock_get_dn_formatted(X509_NAME *a, const struct buffer *format, struct buffer *out) +int ssl_sock_get_dn_formatted(__X509_NAME_CONST__ X509_NAME *a, const struct buffer *format, struct buffer *out) { BIO *bio = NULL; int ret = 0; @@ -279,11 +279,11 @@ out: /* Extract and format full DN from a X509_NAME and copy result into a chunk * Returns 1 if dn entries exits, 0 if no dn entry found or -1 if output is not large enough. */ -int ssl_sock_get_dn_oneline(X509_NAME *a, struct buffer *out) +int ssl_sock_get_dn_oneline(__X509_NAME_CONST__ X509_NAME *a, struct buffer *out) { - X509_NAME_ENTRY *ne; - ASN1_OBJECT *obj; - ASN1_STRING *data; + __X509_NAME_CONST__ X509_NAME_ENTRY *ne; + __X509_NAME_CONST__ ASN1_OBJECT *obj; + __X509_NAME_CONST__ ASN1_STRING *data; const unsigned char *data_ptr; int data_len; int i, n, ln;