From 4e353ba53dbb88335437aac37e3270e0857f2c04 Mon Sep 17 00:00:00 2001
From: Tony Lambiris
Date: Tue, 21 Nov 2017 13:48:15 -0500
Subject: [PATCH] Latest revision to support multiple SSL versions
---
 evhtp.c | 74 ++++++++++++++-----------------------
 include/evhtp/evhtp.h | 12 +++++--
 2 files changed, 32 insertions(+), 54 deletions(-)
diff --git a/evhtp.c b/evhtp.c
index 843050d..fbce474 100644
--- a/evhtp.c
+++ b/evhtp.c
@@ -2754,10 +2754,6 @@ htp__connection_new_(evhtp_t * htp, evutil_socket_t sock, evhtp_type type)
 htparser_init(connection->parser, ptype);
 htparser_set_userdata(connection->parser, connection);
-#ifdef EVHTP_FUTURE_USE
- TAILQ_INIT(&connection->pending);
-#endif
-
 return connection;
 } /* htp__connection_new_ */
@@ -2904,16 +2900,14 @@ htp__ssl_thread_lock_(int mode, int type, const char * file, int line)
 static void
 htp__ssl_delete_scache_ent_(evhtp_ssl_ctx_t * ctx, evhtp_ssl_sess_t * sess)
 {
- evhtp_t * htp;
- evhtp_ssl_cfg_t * cfg;
- unsigned char * sid;
- unsigned int slen;
-
- htp = (evhtp_t *)SSL_CTX_get_app_data(ctx);
- cfg = htp->ssl_cfg;
+ evhtp_t * htp;
+ evhtp_ssl_cfg_t * cfg;
+ evhtp_ssl_data_t * sid;
+ unsigned int slen;
- sid = sess->session_id;
- slen = sess->session_id_length;
+ htp = (evhtp_t *)SSL_CTX_get_app_data(ctx);
+ cfg = htp->ssl_cfg;
+ sid = (evhtp_ssl_data_t *)SSL_SESSION_get_id(sess, &slen);
 if (cfg->scache_del) {
@@ -2926,7 +2920,7 @@ htp__ssl_add_scache_ent_(evhtp_ssl_t * ssl, evhtp_ssl_sess_t * sess)
 {
 evhtp_connection_t * connection;
 evhtp_ssl_cfg_t * cfg;
- unsigned char * sid;
+ evhtp_ssl_data_t * sid;
 int slen;
 connection = (evhtp_connection_t *)SSL_get_app_data(ssl);
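Review bot: `cfg = htp->ssl_cfg;` in the rewritten htp__ssl_delete_scache_ent_ dereferences the pointer returned by `SSL_CTX_get_app_data(ctx)` without a NULL check, whereas the sibling htp__ssl_add_scache_ent_ bails out with `return 0; /* We cannot get the ssl_cfg */` when its app data is missing, so the remove callback has a crash path the add callback guards against. Mirror the add path before the assignment: `if (htp == NULL || htp->ssl_cfg == NULL) { return; }`. Whether app data can actually be unset when this callback fires depends on registration order in evhtp_ssl_init, which is not visible here, so treat this as defensive rather than a confirmed crash. The function body continues past the end of the hunk.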
@@ -2934,10 +2928,9 @@ htp__ssl_add_scache_ent_(evhtp_ssl_t * ssl, evhtp_ssl_sess_t * sess)
 {
 return 0; /* We cannot get the ssl_cfg */
 }
- cfg = connection->htp->ssl_cfg;
- sid = sess->session_id;
- slen = sess->session_id_length;
+ cfg = connection->htp->ssl_cfg;
+ sid = (evhtp_ssl_data_t *)SSL_SESSION_get_id(sess, &slen);
 SSL_set_timeout(sess, cfg->scache_timeout);
@@ -2950,7 +2943,7 @@ htp__ssl_add_scache_ent_(evhtp_ssl_t * ssl, evhtp_ssl_sess_t * sess)
 }
 static evhtp_ssl_sess_t *
-htp__ssl_get_scache_ent_(evhtp_ssl_t * ssl, unsigned char * sid, int sid_len, int * copy)
+htp__ssl_get_scache_ent_(evhtp_ssl_t * ssl, evhtp_ssl_data_t * sid, int sid_len, int * copy)
 {
 evhtp_connection_t * connection;
 evhtp_ssl_cfg_t * cfg;
@@ -3004,18 +2997,20 @@ htp__ssl_servername_(evhtp_ssl_t * ssl, int * unused, void * arg)
 if ((evhtp_vhost = htp__request_find_vhost_(evhtp, sname))) {
+ SSL_CTX * ctx = SSL_get_SSL_CTX(ssl);
+
 connection->htp = evhtp_vhost;
 HTP_FLAG_ON(connection, EVHTP_CONN_FLAG_VHOST_VIA_SNI);
 SSL_set_SSL_CTX(ssl, evhtp_vhost->ssl_ctx);
- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
 if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || (SSL_num_renegotiations(ssl) == 0)) {
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+ SSL_CTX_get_verify_callback(ctx));
 }
 return SSL_TLSEXT_ERR_OK;
@@ -4763,13 +4758,8 @@ evhtp_ssl_use_threads(void)
 int
 evhtp_ssl_init(evhtp_t * htp, evhtp_ssl_cfg_t * cfg)
 {
-#ifdef EVHTP_ENABLE_FUTURE_STUFF
- evhtp_ssl_scache_init init_cb = NULL;
- evhtp_ssl_scache_add add_cb = NULL;
- evhtp_ssl_scache_get get_cb = NULL;
- evhtp_ssl_scache_del del_cb = NULL;
-#endif
- long cache_mode;
+ long cache_mode;
+ unsigned char c;
 if (cfg == NULL || htp == NULL || cfg->pemfile == NULL) {
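Review bot: `SSL_SESSION_get_id(sess, &slen)` in htp__ssl_add_scache_ent_ writes its length through an `unsigned int *`, but `slen` in this function is still declared `int slen;` (that declaration sits in the preceding hunk, unchanged), so `&slen` is an `int *` and this is an incompatible-pointer-type conversion that -Werror builds reject; the delete-side rewrite avoided exactly this by switching to `unsigned int slen;`. Change the declaration here to `unsigned int slen;` as well. The evhtp_ssl_scache_add typedef takes `int sid_len`, so the value converts implicitly if it is handed on to the callback later in the function, and session ids are short enough that no truncation is possible. The function body continues outside the hunk.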
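Review bot: `SSL_CTX * ctx = SSL_get_SSL_CTX(ssl);` in htp__ssl_servername_ is evaluated at the top of the block, before `SSL_set_SSL_CTX(ssl, evhtp_vhost->ssl_ctx);`, so `ctx` still names the pre-SNI default context when `SSL_set_options(ssl, SSL_CTX_get_options(ctx))` and `SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), SSL_CTX_get_verify_callback(ctx))` run. The removed lines read `ssl->ctx` after the switch, i.e. the selected vhost's context, so this rewrite silently applies the default context's option bits and client-certificate verification mode and callback to every connection that picked a different vhost through SNI — a vhost configured with SSL_VERIFY_PEER would inherit the default's policy instead. Take the context after the switch, or simply use the vhost's: `SSL_CTX * ctx = evhtp_vhost->ssl_ctx;`. Separately, `SSL_set_SSL_CTX` returns NULL on failure and neither the old nor the new code checks it. The enclosing function starts before the hunk.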
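Review bot: `unsigned char c;` is added to evhtp_ssl_init without an initializer and nothing in this hunk reads or writes it; if it serves a statement later in the function (the body continues past the hunk) it belongs next to that use, initialized, and if nothing uses it the line is an unused-variable warning in every build. A one-letter name at function scope also tells a reader nothing about what it holds; name it after its use or drop it.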
@@ -4853,7 +4843,12 @@ evhtp_ssl_init(evhtp_t * htp, evhtp_ssl_cfg_t * cfg)
 if (cfg->x509_chk_issued_cb != NULL) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 htp->ssl_ctx->cert_store->check_issued = cfg->x509_chk_issued_cb;
+#else
+ X509_STORE_set_check_issued(SSL_CTX_get_cert_store(htp->ssl_ctx), cfg->x509_chk_issued_cb);
+#endif
+ /*SSL_CTX_set_cert_store(htp->ssl_ctx, cfg->x509_chk_issued_cb); */
 }
 if (cfg->verify_depth)
@@ -4865,29 +4860,6 @@ evhtp_ssl_init(evhtp_t * htp, evhtp_ssl_cfg_t * cfg)
 case evhtp_ssl_scache_type_disabled:
 cache_mode = SSL_SESS_CACHE_OFF;
 break;
-#ifdef EVHTP_ENABLE_FUTURE_STUFF
- case evhtp_ssl_scache_type_user:
- cache_mode = SSL_SESS_CACHE_SERVER |
- SSL_SESS_CACHE_NO_INTERNAL |
- SSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
-
- init_cb = cfg->scache_init;
- add_cb = cfg->scache_add;
- get_cb = cfg->scache_get;
- del_cb = cfg->scache_del;
- break;
- case evhtp_ssl_scache_type_builtin:
- cache_mode = SSL_SESS_CACHE_SERVER |
- SSL_SESS_CACHE_NO_INTERNAL |
- SSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
-
- init_cb = htp__ssl_builtin_init_;
- add_cb = htp__ssl_builtin_add_;
- get_cb = htp__ssl_builtin_get_;
- del_cb = htp__ssl_builtin_del_;
- break;
-#endif
-
 case evhtp_ssl_scache_type_internal:
 default:
 cache_mode = SSL_SESS_CACHE_SERVER;
 break;
diff --git a/include/evhtp/evhtp.h b/include/evhtp/evhtp.h
index ae89238..e9ebde1 100644
--- a/include/evhtp/evhtp.h
+++ b/include/evhtp/evhtp.h
@@ -44,6 +44,11 @@ typedef SSL evhtp_ssl_t;
 typedef SSL_CTX evhtp_ssl_ctx_t;
 typedef X509 evhtp_x509_t;
 typedef X509_STORE_CTX evhtp_x509_store_ctx_t;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+typedef unsigned char evhtp_ssl_data_t;
+#else
+typedef const unsigned char evhtp_ssl_data_t;
+#endif
 #else
 typedef void evhtp_ssl_sess_t;
 typedef void evhtp_ssl_t;
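Review bot: the commented-out `/*SSL_CTX_set_cert_store(htp->ssl_ctx, cfg->x509_chk_issued_cb); */` added after the `#endif` is dead code and a misleading hint, since SSL_CTX_set_cert_store takes an `X509_STORE *` as its second argument, not a check-issued callback; delete the line rather than ship it. One caveat on the version gate: LibreSSL reports OPENSSL_VERSION_NUMBER as 0x2xxxxxxxL and therefore lands in the `X509_STORE_set_check_issued` branch, so if LibreSSL is a supported target, confirm that setter exists in the releases you build against or key the gate on LIBRESSL_VERSION_NUMBER as well. The rest of evhtp_ssl_init lies outside the hunk.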
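Review bot: the version split keeps evhtp_ssl_data_t non-const on OpenSSL before 1.1.0, yet `SSL_SESSION_get_id` already returns `const unsigned char *` on 1.0.x, so the `(evhtp_ssl_data_t *)` casts in evhtp.c strip const there and hand user scache callbacks a writable pointer into the SSL_SESSION's id buffer. If the non-const variant is kept deliberately so existing callback prototypes keep compiling, say so next to the `#if`, e.g. `/* non-const on < 1.1.0 only to keep existing scache callback signatures building; the id bytes are still read-only */`. Otherwise a single `typedef const unsigned char evhtp_ssl_data_t;` is correct for every version and lets the casts go away.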
@@ -180,9 +185,10 @@ typedef int (* evhtp_ssl_verify_cb)(int pre_verify, evhtp_x509_store_ctx_t * ctx
 typedef int (* evhtp_ssl_chk_issued_cb)(evhtp_x509_store_ctx_t * ctx, evhtp_x509_t * x, evhtp_x509_t * issuer);
 typedef EVP_PKEY * (* evhtp_ssl_decrypt_cb)(char * privfile);
-typedef int (* evhtp_ssl_scache_add)(evhtp_connection_t * connection, unsigned char * sid, int sid_len, evhtp_ssl_sess_t * sess);
-typedef void (* evhtp_ssl_scache_del)(evhtp_t * htp, unsigned char * sid, int sid_len);
-typedef evhtp_ssl_sess_t * (* evhtp_ssl_scache_get)(evhtp_connection_t * connection, unsigned char * sid, int sid_len);
+typedef int (* evhtp_ssl_scache_add)(evhtp_connection_t * connection, evhtp_ssl_data_t * sid, int sid_len, evhtp_ssl_sess_t * sess);
+typedef void (* evhtp_ssl_scache_del)(evhtp_t * htp, evhtp_ssl_data_t * sid, int sid_len);
+typedef evhtp_ssl_sess_t * (* evhtp_ssl_scache_get)(evhtp_connection_t * connection, evhtp_ssl_data_t * sid, int sid_len);
+
 typedef void * (* evhtp_ssl_scache_init)(evhtp_t *);
 #endif
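Review bot: the three scache callback typedefs change their public signature here but still carry no documentation of the contract a user implementation must meet, and a signature change is the moment to add it. A comment above them should state that `sid`/`sid_len` are the session id bytes and length as returned by `SSL_SESSION_get_id` (read-only; const on OpenSSL >= 1.1.0 via evhtp_ssl_data_t), that the pointer belongs to the SSL_SESSION and presumably must be copied if the cache keeps it beyond the call, and what the `int` result of evhtp_ssl_scache_add and the session returned by evhtp_ssl_scache_get mean to the caller. That `sid_len` is an `int` while OpenSSL reports the length as `unsigned int` deserves a word as well. The callback semantics are not visible in this hunk, so write them from the implementations in evhtp.c.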