Use explicit fetching in OpenSSL 3.x

curl · Apr 30, 2024 · 3d924fa · 3d924fa
1 parent 02c7711
commit 3d924fa
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
@@ -5150,23 +5150,39 @@ static CURLcode ossl_get_tls_server_end_point(struct Curl_easy *data,
 
   /* https://datatracker.ietf.org/doc/html/rfc5929#section-4.1 */
   if(algo_nid == NID_md5 || algo_nid == NID_sha1) {
-    algo_type = EVP_sha256();
+    algo_name = "SHA256";
   }
   else {
-    algo_type = EVP_get_digestbynid(algo_nid);
-    if(!algo_type) {
-      algo_name = OBJ_nid2sn(algo_nid);
-      failf(data, "Could not find digest algorithm %s (NID %d)",
-            algo_name ? algo_name : "(null)", algo_nid);
+    algo_name = OBJ_nid2sn(algo_nid);
+    if(!algo_name) {
+      failf(data, "Could not find digest algorithm name for NID %d",
+            algo_nid);
       return CURLE_SSL_INVALIDCERTSTATUS;
     }
   }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  algo_type = EVP_MD_fetch(NULL, algo_name, NULL);
+#else
+  /* OpenSSL 1.1.0 to 1.1.1 must use implicit fetching */
+  algo_type = EVP_get_digestbyname(algo_name);
+#endif
+  if(!algo_type) {
+    failf(data, "Could not find digest algorithm %s (NID %d)",
+          algo_name ? algo_name : "(null)", algo_nid);
+    return CURLE_SSL_INVALIDCERTSTATUS;
+  }
+
   if(!X509_digest(cert, algo_type, buf, &length)) {
     failf(data, "X509_digest() failed");
     return CURLE_SSL_INVALIDCERTSTATUS;
   }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  /* Free the explicitly fetched algorithm object */
+  EVP_MD_free((EVP_MD *)algo_type);
+#endif
+
   *binding = malloc(sizeof(prefix) - 1 + length);
   if(!*binding)
     return CURLE_OUT_OF_MEMORY;