openssl: enable infof_certstack for 1.1 and LibreSSL 3.6

Lower the barrier to enable `infof_certstack()` from OpenSSL 3 to OpenSSL 1.1.x, and LibreSSL 3.6 or upper. With the caveat, that "group name" and "type name" are missing from the log output with these TLS backends. Follow-up to b6e6d4ff8f253c8b8055bab9d4d6a10f9be109f3 #12030 Reviewed-by: Daniel Stenberg Closes #12385
2025-03-19 15:40:42 +08:00 · 2023-11-23 01:14:37 +00:00 · 2023-11-23 01:14:37 +00:00 · 294194d689
commit 294194d689
parent fafefdf9dc
1 changed files with 22 additions and 6 deletions
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -4078,7 +4078,11 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
  return result;
 }

-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) &&  \
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) &&  \
+  !(defined(LIBRESSL_VERSION_NUMBER) && \
+    LIBRESSL_VERSION_NUMBER < 0x3060000fL) && \
+  !defined(OPENSSL_IS_BORINGSSL) && \
+  !defined(OPENSSL_IS_AWSLC) && \
  !defined(CURL_DISABLE_VERBOSE_STRINGS)
 static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
 {
@ -4096,7 +4100,6 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)

  for(cert_level = 0; cert_level < num_cert_levels; cert_level++) {
    char cert_algorithm[80] = "";
-    char group_name[80] = "";
    char group_name_final[80] = "";
    const X509_ALGOR *palg_cert = NULL;
    const ASN1_OBJECT *paobj_cert = NULL;
@ -4105,6 +4108,7 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
    int key_bits;
    int key_sec_bits;
    int get_group_name;
+    const char *type_name;

    current_cert = sk_X509_value(certstack, cert_level);

@ -4114,15 +4118,27 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)

    current_pkey = X509_get0_pubkey(current_cert);
    key_bits = EVP_PKEY_bits(current_pkey);
+#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
+#define EVP_PKEY_get_security_bits EVP_PKEY_security_bits
+#endif
    key_sec_bits = EVP_PKEY_get_security_bits(current_pkey);
-    get_group_name = EVP_PKEY_get_group_name(current_pkey, group_name,
-                                             sizeof(group_name), NULL);
-    msnprintf(group_name_final, sizeof(group_name_final), "/%s", group_name);
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+    {
+      char group_name[80] = "";
+      get_group_name = EVP_PKEY_get_group_name(current_pkey, group_name,
+                                               sizeof(group_name), NULL);
+      msnprintf(group_name_final, sizeof(group_name_final), "/%s", group_name);
+    }
+    type_name = EVP_PKEY_get0_type_name(current_pkey);
+#else
+    get_group_name = 0;
+    type_name = NULL;
+#endif

    infof(data,
          "  Certificate level %d: "
          "Public key type %s%s (%d/%d Bits/secBits), signed using %s",
-          cert_level, EVP_PKEY_get0_type_name(current_pkey),
+          cert_level, type_name ? type_name : "?",
          get_group_name == 0 ? "" : group_name_final,
          key_bits, key_sec_bits, cert_algorithm);
  }