Fix for previous commit with OpenSSL <1.1.0 (Debian 8, Ubuntu 16, ..)

Thank you BuildBot. This means on older OpenSSL's we are not going to have certificate expiry checks. Those OpenSSL versions were deprecated by the OpenSSL team itself, so yeah then you will miss out a few things.
2024-06-05 07:48:44 +01:00 · 2020-10-11 15:36:00 +02:00 · 2020-10-11 15:36:00 +02:00 · b3510c5da8
commit b3510c5da8
parent 6778b3e26d
5 changed files with 75 additions and 0 deletions
--- a/autoconf/m4/unreal.m4
+++ b/autoconf/m4/unreal.m4
@ -272,3 +272,23 @@ else
 	AC_MSG_RESULT([no])
 fi
 ])
+
+AC_DEFUN([CHECK_ASN1_TIME_diff],
+[
+AC_MSG_CHECKING([for ASN1_TIME_diff in SSL library])
+AC_LANG_PUSH(C)
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+AC_TRY_LINK([#include <openssl/ssl.h>],
+	[int one, two; ASN1_TIME_diff(&one, &two, NULL, NULL);],
+	has_function=1,
+	has_function=0)
+LIBS="$SAVE_LIBS"
+AC_LANG_POP(C)
+if test $has_function = 1; then
+	AC_MSG_RESULT([yes])
+	AC_DEFINE([HAS_ASN1_TIME_diff], [], [Define if ssl library has ASN1_TIME_diff])
+else
+	AC_MSG_RESULT([no])
+fi
+])
--- a/47
+++ b/47
@ -6528,6 +6528,53 @@ else
 $as_echo "no" >&6; }
 fi

+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ASN1_TIME_diff in SSL library" >&5
+$as_echo_n "checking for ASN1_TIME_diff in SSL library... " >&6; }
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+SAVE_LIBS="$LIBS"
+LIBS="$LIBS $CRYPTOLIB"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <openssl/ssl.h>
+int
+main ()
+{
+int one, two; ASN1_TIME_diff(&one, &two, NULL, NULL);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  has_function=1
+else
+  has_function=0
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS="$SAVE_LIBS"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+if test $has_function = 1; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+$as_echo "#define HAS_ASN1_TIME_diff /**/" >>confdefs.h
+
+else
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
 # Check whether --enable-dynamic-linking was given.
 if test "${enable_dynamic_linking+set}" = set; then :
  enableval=$enable_dynamic_linking; enable_dynamic_linking=$enableval
--- a/configure.ac
+++ b/configure.ac
@ -504,6 +504,7 @@ CHECK_SSL
 CHECK_SSL_CTX_SET1_CURVES_LIST
 CHECK_SSL_CTX_SET_MIN_PROTO_VERSION
 CHECK_SSL_CTX_SET_SECURITY_LEVEL
+CHECK_ASN1_TIME_diff
 AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
 	[enable_dynamic_linking=$enableval], [enable_dynamic_linking="yes"])
 AS_IF([test $enable_dynamic_linking = "yes"],
--- a/include/setup.h.in
+++ b/include/setup.h.in
@ -28,6 +28,9 @@
 /* Define if you have the <glob.h> header file. */
 #undef GLOBH

+/* Define if ssl library has ASN1_TIME_diff */
+#undef HAS_ASN1_TIME_diff
+
 /* Define if ssl library has SSL_CTX_set1_curves_list */
 #undef HAS_SSL_CTX_SET1_CURVES_LIST

--- a/src/tls.c
+++ b/src/tls.c
@ -1339,6 +1339,9 @@ char *outdated_tls_client_build_string(char *pattern, Client *client)

 int check_certificate_expiry_ctx(SSL_CTX *ctx, char **errstr)
 {
+#if !defined(HAS_ASN1_TIME_diff)
+	return 0;
+#else
 	static char errbuf[512];
 	SSL *ssl;
 	X509 *cert;
@ -1386,6 +1389,7 @@ int check_certificate_expiry_ctx(SSL_CTX *ctx, char **errstr)
 	/* All good */
 	SSL_free(ssl);
 	return 0;
+#endif
 }

 void check_certificate_expiry_tlsoptions_and_warn(TLSOptions *tlsoptions)