From 5726c18abb06574af02a8d4ddb3b248f08d600f9 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Thu, 29 Jan 2026 16:08:02 +0100
Subject: [PATCH] fixup implement getX and popX

---
 include/haproxy/openssl-compat.h | 11 ++++++++++-
 src/ssl_ckch.c | 30 +++++++++++++++---------------
 src/ssl_sock.c | 8 ++++----
 3 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index c54e2f4a0..7575e2b19 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -380,7 +380,16 @@ static inline unsigned long ERR_peek_error_func(const char **func)
 
 #endif
 
-#if (HA_OPENSSL_VERSION_NUMBER < 0x30300000L)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_OPENSSL_WOLFSSL)
+# define X509_STORE_getX_objects(x) X509_STORE_get1_objects(x)
+# define sk_X509_OBJECT_popX_free(x, y) sk_X509_OBJECT_pop_free(x,y)
+#else
+# define X509_STORE_getX_objects(x) X509_STORE_get0_objects(x)
+# define sk_X509_OBJECT_popX_free(x, y) ({})
+#endif
+
+#if (HA_OPENSSL_VERSION_NUMBER < 0x30300000L) && !defined(OPENSSL_IS_AWSLC) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(USE_OPENSSL_WOLFSSL)
+
 /* Previous OpenSSL versions does not implement X509_STORE_get1_objects()
 * but X509_STORE_get0_objects were added in OpenSSL 1.1.0.
 */
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 48d8b4d7b..7753fb718 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1357,7 +1357,7 @@ struct cafile_entry *ssl_store_dup_cafile_entry(struct cafile_entry *src)
 if (!store)
 goto err;
 
- objs = X509_STORE_get1_objects(src->ca_store);
+ objs = X509_STORE_getX_objects(src->ca_store);
 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
 X509 *cert;
 X509_CRL *crl;
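Review bot: The fallback branch of the new `#if` in openssl-compat.h gives the two spellings of `X509_STORE_getX_objects()` different ownership and thread-safety contracts without saying so: the `get1` branch hands callers a private copy taken under the store lock, while the `get0` branch returns the store's live internal stack and `sk_X509_OBJECT_popX_free()` becomes a GNU statement expression `({})`, which is not portable C and also hides that nothing is released. I would make the no-op an ordinary statement, `# define sk_X509_OBJECT_popX_free(x, y) do { (void)(x); (void)(y); } while (0)`, and put a comment above the `#else` branch stating that the returned stack is owned by the store and must not be held across anything that can modify it (ca-file updates from another thread, for instance), since every call site in ssl_ckch.c and ssl_sock.c now iterates it unlocked on that path. The second `#if` keeps the compat `X509_STORE_get1_objects()` shim for every version below 3.3.0 even though only the `>= 0x10101000L` range uses it; if that is intentional a one-line comment would avoid the question, but its `#endif` is outside the hunk so I cannot tell.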
@@ -1385,11 +1385,11 @@ struct cafile_entry *ssl_store_dup_cafile_entry(struct cafile_entry *src)
 }
 }
 dst = ssl_store_create_cafile_entry(src->path, store, src->type);
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 return dst;
 
 err:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 X509_STORE_free(store);
 ha_free(&dst);
 
@@ -1608,7 +1608,7 @@ scandir_err:
 }
 }
 
- objs = X509_STORE_get1_objects(store);
+ objs = X509_STORE_getX_objects(store);
 cert_count = sk_X509_OBJECT_num(objs);
 if (cert_count == 0) {
 if (!shuterror)
@@ -1622,11 +1622,11 @@ scandir_err:
 }
 ebst_insert(&cafile_tree, &ca_e->node);
 }
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 return (store != NULL);
 
 err:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 X509_STORE_free(store);
 store = NULL;
 return 0;
@@ -3823,7 +3823,7 @@ static int cli_io_handler_show_cafile_detail(struct appctx *appctx)
 if (!cafile_entry->ca_store)
 goto end;
 
- objs = X509_STORE_get1_objects(cafile_entry->ca_store);
+ objs = X509_STORE_getX_objects(cafile_entry->ca_store);
 for (i = ca_index; i < sk_X509_OBJECT_num(objs); i++) {
 cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
 
@@ -3846,16 +3846,16 @@ static int cli_io_handler_show_cafile_detail(struct appctx *appctx)
 }
 
 end:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 free_trash_chunk(out);
 return 1; /* end, don't come back */
 
 end_no_putchk:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 free_trash_chunk(out);
 return 1;
 yield:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 /* save the current state */
 ctx->ca_index = i;
 free_trash_chunk(out);
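Review bot: In the hunk at ssl_ckch.c:1608 a NULL `objs` is not detected: on the `get1` path the copy can fail, `sk_X509_OBJECT_num(NULL)` then yields a non-positive value rather than 0, so `cert_count == 0` is false and the entry is inserted into `cafile_tree` with nothing reported, whereas `get_certificate_count()` in the later hunk at 3958 guards the same call with `if (objs)`. I would fail explicitly before the count check, `if (!objs) goto err;`, so the existing error path frees the store and returns 0. On the `get0` fallback `objs` aliases the store's internal stack, and the `err:` path at ssl_ckch.c:1622 frees that store right after the now no-op `sk_X509_OBJECT_popX_free()`; nothing in the hunk touches `objs` afterwards, but a comment such as `/* objs may alias store on the get0 path: do not use after X509_STORE_free() */` would keep it that way. The enclosing function starts outside the hunk.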
@@ -3958,10 +3958,10 @@ static int get_certificate_count(struct cafile_entry *cafile_entry)
 STACK_OF(X509_OBJECT) *objs;
 
 if (cafile_entry && cafile_entry->ca_store) {
- objs = X509_STORE_get1_objects(cafile_entry->ca_store);
+ objs = X509_STORE_getX_objects(cafile_entry->ca_store);
 if (objs)
 cert_count = sk_X509_OBJECT_num(objs);
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 }
 return cert_count;
 }
@@ -4516,7 +4516,7 @@ static int cli_io_handler_show_crlfile_detail(struct appctx *appctx)
 if (!cafile_entry->ca_store)
 goto end;
 
- objs = X509_STORE_get1_objects(cafile_entry->ca_store);
+ objs = X509_STORE_getX_objects(cafile_entry->ca_store);
 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
 crl = X509_OBJECT_get0_X509_CRL(sk_X509_OBJECT_value(objs, i));
 if (!crl)
@@ -4539,11 +4539,11 @@ end:
 goto yield;
 
 end_no_putchk:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 free_trash_chunk(out);
 return 1;
 yield:
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 free_trash_chunk(out);
 return 0; /* should come back */
 }
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 03c499575..3540038a2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -630,7 +630,7 @@ static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)
 if (store_ctx && store) {
 int i;
 X509_OBJECT *obj;
- STACK_OF(X509_OBJECT) *objs = X509_STORE_get1_objects(store);
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_getX_objects(store);
 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
 obj = sk_X509_OBJECT_value(objs, i);
 switch (X509_OBJECT_get_type(obj)) {
@@ -644,7 +644,7 @@ static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)
 break;
 }
 }
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 return 1;
 }
 return 0;
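Review bot: In the ssl_sock.c hunk at line 630, `ssl_set_cert_crl_file()` still returns 1 when `objs` is NULL: `sk_X509_OBJECT_num(NULL)` is non-positive, the `for` loop body never runs, and the hunk at 644 then reaches `return 1;`, so the caller sees success although no certificate or CRL was copied into `store_ctx`. Add a guard right after the declaration, `if (!objs) return 0;`, so a failed copy is reported the same way as a missing ca-file instead of configuring a verify store silently. The `get0` fallback cannot return NULL for a valid `store`, but the `get1` path (native or the compat shim) can fail on allocation. The same gap exists in `ssl_get_client_ca_file()` at the hunk at line 688, where an empty `ca_list` would be installed on `ca_e`.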
@@ -688,7 +688,7 @@ static STACK_OF(X509_NAME)* ssl_get_client_ca_file(char *path)
 skn = sk_X509_NAME_new_null();
 
 /* take x509 from cafile_tree */
- objs = X509_STORE_get1_objects(ca_e->ca_store);
+ objs = X509_STORE_getX_objects(ca_e->ca_store);
 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
 x = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
 if (!x)
@@ -724,7 +724,7 @@ static STACK_OF(X509_NAME)* ssl_get_client_ca_file(char *path)
 ca_name->xname = xn;
 eb64_insert(&ca_name_tree, &ca_name->node);
 }
- sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
+ sk_X509_OBJECT_popX_free(objs, X509_OBJECT_free);
 ca_e->ca_list = skn;
 /* remove temporary ca_name tree */
 node = eb64_first(&ca_name_tree);