From 6bb6d5e3c6269589f5e64805bd849174d62bd3ea Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sun, 31 Jan 2016 03:29:28 +0000
Subject: [PATCH] ITS#8353 more for OpenSSL 1.1 compat tmp_rsa callback has been removed from OpenSSL 1.1 Use new X509_NAME accessor function to retrieve DER bytes
---
 libraries/libldap/tls_o.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index d9b30f3c49..e1b7d48e32 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -57,7 +57,9 @@ static void tlso_report_error( void );
 static void tlso_info_cb( const SSL *ssl, int where, int ret );
 static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
 static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
+#endif
 static int tlso_seed_PRNG( const char *randfile );
@@ -374,7 +376,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 SSL_CTX_set_verify( ctx, i, lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? tlso_verify_ok : tlso_verify_cb );
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
+#endif
 #ifdef HAVE_OPENSSL_CRL
 if ( lo->ldo_tls_crlcheck ) {
 X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
@@ -469,8 +473,17 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
 if (!x) return LDAP_INVALID_CREDENTIALS;
 xn = X509_get_subject_name(x);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 der_dn->bv_len = i2d_X509_NAME( xn, NULL );
 der_dn->bv_val = xn->bytes->data;
+#else
+ {
+ size_t len = 0;
+ der_dn->bv_val = NULL;
+ X509_NAME_get0_der( (const unsigned char **)&der_dn->bv_val, &len, xn );
+ der_dn->bv_len = len;
+ }
+#endif
 /* Don't X509_free, the session is still using it */
 return 0;
 }
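Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x10100000` in tlso_ctx_init is a bare literal that this patch repeats at the prototype, in both DN accessors and around the callback definition, so the five sites can drift apart. A single named test near the top of the file, for example `#define TLSO_PRE_OPENSSL_110 (OPENSSL_VERSION_NUMBER < 0x10100000L)`, would keep them in step and give one place to document why the temporary-RSA callback is compiled out. A library that reports its version on a different numbering scheme would also silently take the other branch at every site, which is easier to audit behind one macro. tlso_ctx_init continues outside the hunk.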
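Review bot: The return value of `X509_NAME_get0_der()` is ignored in the new `#else` branch of tlso_session_my_dn, so if the DER encoding cannot be produced the function still returns 0 with `bv_val == NULL` and `bv_len == 0`, and the caller receives an empty DN as a success. The call should be checked, e.g. `if ( !X509_NAME_get0_der( (const unsigned char **)&der_dn->bv_val, &len, xn ) ) return LDAP_INVALID_CREDENTIALS;`. The identical block in tlso_session_peer_dn (next hunk) has the same gap, and there `x` has to be released before the early return. Separately, the argument order used here (output pointers first, name last) should be confirmed against the OpenSSL 1.1 headers actually targeted; as far as I know the released 1.1.0 prototype takes the `X509_NAME *` first. The start of tlso_session_my_dn is outside the hunk.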
@@ -496,8 +509,17 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
 return LDAP_INVALID_CREDENTIALS;
 xn = X509_get_subject_name(x);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 der_dn->bv_len = i2d_X509_NAME( xn, NULL );
 der_dn->bv_val = xn->bytes->data;
+#else
+ {
+ size_t len = 0;
+ der_dn->bv_val = NULL;
+ X509_NAME_get0_der( (const unsigned char **)&der_dn->bv_val, &len, xn );
+ der_dn->bv_len = len;
+ }
+#endif
 X509_free(x);
 return 0;
 }
@@ -1149,6 +1171,7 @@ tlso_report_error( void )
 }
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 static RSA *
 tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 {
@@ -1179,6 +1202,7 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 }
 return tmp_rsa;
 }
+#endif /* OPENSSL_VERSION_NUMBER < 1.1 */
 static int
 tlso_seed_PRNG( const char *randfile )
-- 
2.39.5
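Review bot: In tlso_session_peer_dn, `der_dn->bv_val` is left pointing into storage owned by the certificate's X509_NAME while `X509_free(x)` runs immediately after the new block, and nothing in the code documents that lifetime. The pointer presumably stays valid only because the session keeps its own reference to the peer certificate. A comment above `X509_free(x)` such as `/* bv_val is borrowed from the peer cert; valid only while the session holds it */` would warn callers not to keep the berval past session teardown. The start of tlso_session_peer_dn is outside the hunk.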