[glib-networking/support-openssl-1.0.1] Support again openssl 1.0.1



commit 3f9ab95517900037dfb3186febc8272425f9d4c1
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date:   Thu Oct 17 09:46:49 2019 +0200

    Support again openssl 1.0.1
    
    This version is provided by RHEL 6 so for now we want to keep
    supporting it.

 tls/openssl/gtlsserverconnection-openssl.c | 192 +++++++++++++++++++----------
 1 file changed, 129 insertions(+), 63 deletions(-)
---
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index c52b855..df451d4 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -73,68 +73,6 @@ g_tls_server_connection_openssl_finalize (GObject *object)
   G_OBJECT_CLASS (g_tls_server_connection_openssl_parent_class)->finalize (object);
 }
 
-static gboolean
-ssl_set_certificate (SSL              *ssl,
-                     GTlsCertificate  *cert,
-                     GError          **error)
-{
-  EVP_PKEY *key;
-  X509 *x;
-  GTlsCertificate *issuer;
-
-  key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
-
-  if (!key)
-    {
-      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                           _("Certificate has no private key"));
-      return FALSE;
-    }
-
-  /* Note, order is important. If a certificate has been set previously,
-   * OpenSSL requires that the new certificate is set _before_ the new
-   * private key is set. */
-  x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
-  if (SSL_use_certificate (ssl, x) <= 0)
-    {
-      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                   _("There is a problem with the certificate: %s"),
-                   ERR_error_string (ERR_get_error (), NULL));
-      return FALSE;
-    }
-
-  if (SSL_use_PrivateKey (ssl, key) <= 0)
-    {
-      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                   _("There is a problem with the certificate private key: %s"),
-                   ERR_error_string (ERR_get_error (), NULL));
-      return FALSE;
-    }
-
-  if (SSL_clear_chain_certs (ssl) == 0)
-    g_warning ("There was a problem clearing the chain certificates: %s",
-               ERR_error_string (ERR_get_error (), NULL));
-
-  /* Add all the issuers to create the full certificate chain */
-  for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
-       issuer;
-       issuer = g_tls_certificate_get_issuer (issuer))
-    {
-      X509 *issuer_x;
-
-      issuer_x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer));
-
-      /* Be careful here and duplicate the certificate since the ssl object
-       * will take the ownership
-       */
-      if (SSL_add1_chain_cert (ssl, issuer_x) == 0)
-        g_warning ("There was a problem adding the chain certificate: %s",
-                   ERR_error_string (ERR_get_error (), NULL));
-    }
-
-  return TRUE;
-}
-
 static void
 g_tls_server_connection_openssl_get_property (GObject    *object,
                                               guint       prop_id,
@@ -216,6 +154,123 @@ g_tls_server_connection_openssl_get_ssl (GTlsConnectionOpenssl *connection)
   return G_TLS_SERVER_CONNECTION_OPENSSL (connection)->ssl;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+static gboolean
+ssl_ctx_set_certificate (SSL_CTX          *ssl_ctx,
+                         GTlsCertificate  *cert,
+                         GError          **error)
+{
+  EVP_PKEY *key;
+  X509 *x;
+  GTlsCertificate *issuer;
+
+  key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
+
+  if (!key)
+    {
+      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+                           _("Certificate has no private key"));
+      return FALSE;
+    }
+
+  if (SSL_CTX_use_PrivateKey (ssl_ctx, key) <= 0)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+                   _("There is a problem with the certificate private key: %s"),
+                   ERR_error_string (ERR_get_error (), NULL));
+     return FALSE;
+    }
+
+  x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
+  if (SSL_CTX_use_certificate (ssl_ctx, x) <= 0)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+                   _("There is a problem with the certificate: %s"),
+                   ERR_error_string (ERR_get_error (), NULL));
+      return FALSE;
+    }
+
+  /* Add all the issuers to create the full certificate chain */
+  for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
+       issuer;
+       issuer = g_tls_certificate_get_issuer (issuer))
+    {
+      X509 *issuer_x;
+
+      /* Be careful here and duplicate the certificate since the context
+      * will take the ownership
+       */
+      issuer_x = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer)));
+      if (!SSL_CTX_add_extra_chain_cert (ssl_ctx, issuer_x))
+        g_warning ("There was a problem adding the extra chain certificate: %s",
+                   ERR_error_string (ERR_get_error (), NULL));
+    }
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
+static gboolean
+ssl_set_certificate (SSL              *ssl,
+                     GTlsCertificate  *cert,
+                     GError          **error)
+{
+  EVP_PKEY *key;
+  X509 *x;
+  GTlsCertificate *issuer;
+
+  key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
+
+  if (!key)
+    {
+      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+                           _("Certificate has no private key"));
+      return FALSE;
+    }
+
+  /* Note, order is important. If a certificate has been set previously,
+   * OpenSSL requires that the new certificate is set _before_ the new
+   * private key is set. */
+  x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
+  if (SSL_use_certificate (ssl, x) <= 0)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+                   _("There is a problem with the certificate: %s"),
+                   ERR_error_string (ERR_get_error (), NULL));
+      return FALSE;
+    }
+
+  if (SSL_use_PrivateKey (ssl, key) <= 0)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+                   _("There is a problem with the certificate private key: %s"),
+                   ERR_error_string (ERR_get_error (), NULL));
+      return FALSE;
+    }
+
+  if (SSL_clear_chain_certs (ssl) == 0)
+    g_warning ("There was a problem clearing the chain certificates: %s",
+               ERR_error_string (ERR_get_error (), NULL));
+
+  /* Add all the issuers to create the full certificate chain */
+  for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
+       issuer;
+       issuer = g_tls_certificate_get_issuer (issuer))
+    {
+      X509 *issuer_x;
+
+      issuer_x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer));
+
+      /* Be careful here and duplicate the certificate since the ssl object
+       * will take the ownership
+       */
+      if (SSL_add1_chain_cert (ssl, issuer_x) == 0)
+        g_warning ("There was a problem adding the chain certificate: %s",
+                   ERR_error_string (ERR_get_error (), NULL));
+    }
+
+  return TRUE;
+}
+
 static void
 on_certificate_changed (GObject    *object,
                         GParamSpec *spec,
@@ -230,6 +285,7 @@ on_certificate_changed (GObject    *object,
   if (ssl && cert)
     ssl_set_certificate (ssl, cert, NULL);
 }
+#endif
 
 static void
 g_tls_server_connection_openssl_class_init (GTlsServerConnectionOpensslClass *klass)
@@ -393,6 +449,13 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
   SSL_CTX_set_info_callback (server->ssl_ctx, ssl_info_callback);
 #endif
 
+  cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  if (cert && !ssl_ctx_set_certificate (server->ssl_ctx, cert, error))
+    return FALSE;
+#endif
+
   server->ssl = SSL_new (server->ssl_ctx);
   if (!server->ssl)
     {
@@ -402,9 +465,10 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
       return FALSE;
     }
 
-  cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
   if (cert && !ssl_set_certificate (server->ssl, cert, error))
     return FALSE;
+#endif
 
   SSL_set_accept_state (server->ssl);
 
@@ -412,7 +476,9 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
       init (initable, cancellable, error))
     return FALSE;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
   g_signal_connect (server, "notify::certificate", G_CALLBACK (on_certificate_changed), NULL);
+#endif
 
   return TRUE;
 }


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]