[rs-dev] Work-around for Open SSL 1.1.0 till Open SSL 1.1.1 bis

Dirk-Willem van Gulik dirkx at webweaving.org
Tue Dec 3 22:01:22 CET 2019


So OpenSSL 1.1.0 made the contents of the X509_REQ struct private, and only gave us a getter.

I've put in a PR for a setter (https://github.com/openssl/openssl/pull/10563)

But that will take a few months to work through - and 2-3 years for most distributions to pick this up.

How about below as a stopgap for us.

Or is this too naughty?

Dw.


Index: mod_csr.c
===================================================================
--- mod_csr.c	(revision 145)
+++ mod_csr.c	(working copy)
@@ -47,6 +47,8 @@
#define DEFAULT_FRESHNESS 2
#define DEFAULT_FRESHNESS_MAX 3600*24

+#include "openssl_setter_compat.h"
+
module AP_MODULE_DECLARE_DATA csr_module;

typedef struct
@@ -897,7 +899,13 @@
    X509_REQ_set_pubkey(creq, pktmp);

    /* duplicate the signature algorithm */
+#if OPENSSL_VERSION_NUMBER  > 0x010100000L
+    const X509_ALGOR *psigalg;
+    X509_REQ_get0_signature(req,NULL /* no need for signature */,&psigalg);
+    X509_REQ_set0_signature(creq, NULL, X509_ALGOR_dup((X509_ALGOR*)psigalg));
+#else
    creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
+#endif

    /* extract the param_challenge, if present */
    idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
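Review bot: The literal `0x010100000L` in the new `#if` has nine hex digits where OPENSSL_VERSION_NUMBER uses an eight-digit MNNFFPPS encoding, so it equals 0x101000000 and is above every 1.x version number; the new branch is therefore never compiled and the `#else` line (direct `creq->sig_alg` access) is kept even on 1.1.x, where it no longer builds. The 1.1.0 boundary is `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`; the same extra digit is present in both literals of the header guard in the following hunk. `X509_ALGOR_dup` can return NULL on allocation failure, and the compat setter treats a NULL algorithm as "leave unchanged", so the copy would fail silently; capture it first, `X509_ALGOR *alg = X509_ALGOR_dup((X509_ALGOR *)psigalg);`, bail out on NULL the way the surrounding function reports its other errors, and only then call `X509_REQ_set0_signature(creq, NULL, alg);`. The enclosing function starts and ends outside this hunk.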
Index: openssl_setter_compat.h
===================================================================
--- openssl_setter_compat.h	(nonexistent)
+++ openssl_setter_compat.h	(working copy)
@@ -0,0 +1,38 @@
+#if OPENSSL_VERSION_NUMBER  < 0x010101000L || OPENSSL_VERSION_NUMBER >= 0x010100000L
+#warning Including openssl private parts - as there is no setter yet (OpenSSL_1_1_0-pre1 .. post OpenSSL_1_1_1)
+
+#include "openssl/x509.h"
+
+// Yhese routines are coies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that.
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;          
+    ASN1_INTEGER *version;     
+    X509_NAME *subject;       
+    X509_PUBKEY *pubkey;     
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+    X509_REQ_INFO req_info; 
+    X509_ALGOR sig_alg;       
+    ASN1_BIT_STRING *signature; /* signature */
+    CRYPTO_REF_COUNT references;
+    CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+    ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+static void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psigOrNull,
+                             X509_ALGOR *palgOrNull)
+{
+    if (psigOrNull != NULL)
+        req->signature = psigOrNull;
+    if (palgOrNull != NULL)
+        req->sig_alg = *palgOrNull;
+}
+#endif
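Review bot: The guard on the first line admits every OpenSSL version, because any version number is either below the first literal or at or above the second; the `||` must be `&&`, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < <FIRST_VERSION_WITH_SETTER>L`, otherwise the private struct definitions are also compiled on 1.0.x, where X509_req_st is already defined by the public headers. The guard also reads OPENSSL_VERSION_NUMBER before this header's own `#include "openssl/x509.h"`, so unless the including file has already pulled in an OpenSSL header the macro is undefined and evaluates to 0; put `#include <openssl/opensslv.h>` above the `#if`. In the shim, `req->sig_alg = *palgOrNull;` copies the struct by value and then drops the caller's pointer, so a set0-style ownership transfer leaks the heap X509_ALGOR shell while its members are adopted; if the argument comes from `X509_ALGOR_dup` (OPENSSL_malloc-allocated via the ASN1 item routines), `OPENSSL_free(palgOrNull);` after the copy releases the shell without touching the adopted members. The struct layout is copied from 1.1.1 (`_Atomic` reference count, `sm2_id`) but the header claims to cover 1.1.0 as well; only `sig_alg` and `signature`, ahead of the differing tail, are written, which is probably benign but deserves a comment such as `/* layout from 1.1.1; only the leading sig_alg/signature members are relied on */`, and the copy comment should read `// These routines are copies of OpenSSL 1.1.1's crypto/x509/x509_req.c and its private headers.`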

