From 3b7dcc4c089faf956414a52971730adff2b9be9f Mon Sep 17 00:00:00 2001 From: Avery Pennarun Date: Wed, 3 Sep 2008 20:47:35 +0000 Subject: [PATCH] Restore support for openssl 0.9.7 (Debian Sarge). This adds a HAVE_OPENSSL_POLICY_MAPPING autoconf setting, which is false on 0.9.7 but true on 0.9.8. A few WvX509-related methods are #ifdef'd out when this define is false, which is okay because wvstreams itself doesn't depend on them anyway. --- configure.ac | 6 ++++++ crypto/t/wvx509.t.cc | 4 +++- crypto/tests/printcert.cc | 5 ++++- crypto/wvx509.cc | 9 +++++++++ crypto/wvx509mgr.cc | 5 +++++ 5 files changed, 27 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 1cf45b9f..7e8ed4a0 100644 --- a/configure.ac +++ b/configure.ac @@ -388,6 +388,11 @@ if test "$with_openssl" != "no"; then LIBS_save="$LIBS" AC_CHECK_LIB(crypto, X509_free) AC_CHECK_LIB(ssl, SSL_has_matching_session_id,, [with_openssl=no]) + AC_CHECK_LIB(ssl, POLICY_MAPPING_new,, [with_openssl_policy_mapping=no]) + if test "$with_openssl_policy_mapping" != "no"; then + AC_DEFINE([HAVE_OPENSSL_POLICY_MAPPING], [1], + [Whether libssl has the POLICY_MAPPING features (0.9.8 and up)]) + fi LIBS="$LIBS_save" if test "$with_openssl" != "no"; then LIBS_SSL="-lcrypto -lssl" @@ -608,6 +613,7 @@ AC_SUBST(enable_testgui) AC_SUBST(with_dbus) AC_SUBST(with_openssl) +AC_SUBST(with_openssl_policy_mapping) AC_SUBST(with_pam) AC_SUBST(with_readline) AC_SUBST(with_qt) diff --git a/crypto/t/wvx509.t.cc b/crypto/t/wvx509.t.cc index 3ee68e2d..8de7c32d 100644 --- a/crypto/t/wvx509.t.cc +++ b/crypto/t/wvx509.t.cc @@ -4,6 +4,7 @@ #include "wvtest.h" #include "wvx509.h" #include "wvx509mgr.h" +#include "wvautoconf.h" // default keylen for where we're not using pre-existing certs const static int DEFAULT_KEYLEN = 512; @@ -420,6 +421,7 @@ WVTEST_MAIN("basic constraints") } +#ifdef HAVE_OPENSSL_POLICY_MAPPING WVTEST_MAIN("get/set certificate policy extensions") { WvRSAKey rsakey(DEFAULT_KEYLEN); 
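Review bot: The new probe `AC_CHECK_LIB(ssl, POLICY_MAPPING_new,, [with_openssl_policy_mapping=no])` looks in libssl for an X509v3 symbol that, as far as I know, is provided by libcrypto; it presumably links only because the preceding `AC_CHECK_LIB(crypto, X509_free)` has already added `-lcrypto` to `LIBS`. Probing the owning library, `AC_CHECK_LIB(crypto, POLICY_MAPPING_new,, [with_openssl_policy_mapping=no])`, would remove that ordering dependency, and the AC_DEFINE description should then name libcrypto. The probe also runs when the libssl check just above has already set `with_openssl=no`; moving it under the existing `with_openssl` test would avoid defining the macro for a build that has OpenSSL disabled.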
@@ -481,7 +483,7 @@ WVTEST_MAIN("ski / aki") WVFAIL(!!cacert.get_aki()); WVPASSEQ(cert.get_aki(), cacert.get_ski()); } - +#endif // HAVE_OPENSSL_POLICY_MAPPING bool test_encode_decode_str(WvX509::DumpMode mode) { diff --git a/crypto/tests/printcert.cc b/crypto/tests/printcert.cc index 20af4acd..7080ace7 100644 --- a/crypto/tests/printcert.cc +++ b/crypto/tests/printcert.cc @@ -3,7 +3,8 @@ #include "wvfile.h" #include "wvlog.h" #include "wvstrutils.h" -#include "wvx509.h" +#include "wvx509.h" +#include "wvautoconf.h" void print_details(WvX509 *x509) { @@ -31,6 +32,7 @@ void print_details(WvX509 *x509) x509->get_policies(list); wvcon->print("Certificate Policy OIDs:\n%s\n", list.join("\n")); +#ifdef HAVE_OPENSSL_POLICY_MAPPING int requireExplicitPolicy, inhibitPolicyMapping; x509->get_policy_constraints(requireExplicitPolicy, inhibitPolicyMapping); wvcon->print("Certificate Policy Constraints: requireExplicitPolicy: %s " @@ -43,6 +45,7 @@ void print_details(WvX509 *x509) WvX509::PolicyMapList::Iter i(maplist); for (i.rewind(); i.next();) wvcon->print("%s -> %s\n", i().issuer_domain, i().subject_domain); +#endif } diff --git a/crypto/wvx509.cc b/crypto/wvx509.cc index d95cb029..53ffee25 100644 --- a/crypto/wvx509.cc +++ b/crypto/wvx509.cc @@ -11,6 +11,7 @@ #include "wvstringlist.h" #include "wvbase64.h" #include "wvstrutils.h" +#include "wvautoconf.h" #include #include @@ -808,6 +809,12 @@ void WvX509::set_basic_constraints(bool ca, int pathlen) } +/* + * These functions are optional to the API. If OpenSSL doesn't support them, + * we simply won't include them here, and apps that need them won't compile. + */ +#ifdef HAVE_OPENSSL_POLICY_MAPPING + bool WvX509::get_policy_constraints(int &require_explicit_policy, int &inhibit_policy_mapping) const { 
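Review bot: The `#endif // HAVE_OPENSSL_POLICY_MAPPING` lands after the "ski / aki" test, so on OpenSSL 0.9.7 every test from "get/set certificate policy extensions" through "ski / aki" is compiled out, not only the ones that call the policy methods. The tests between the two hunks are not visible here, but the key-identifier test does not obviously depend on POLICY_MAPPING. Closing the guard directly after the last policy test would keep that coverage on the older library, and the blank line before `test_encode_decode_str` that this hunk replaces could then stay.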
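Review bot: In `print_details` a build without HAVE_OPENSSL_POLICY_MAPPING now skips the policy-constraint and policy-mapping output without any trace, so someone inspecting a certificate with this tool gets no hint that those fields were never examined. An `#else` branch with one line such as `wvcon->print("Certificate Policy Constraints/Mappings: not supported by this OpenSSL build\n");` would make the omission explicit. The guarded region is closed by the `#endif` in the following hunk, and print_details itself starts and ends outside both.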
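Review bot: The added comment in wvx509.cc says apps that need these functions "won't compile", but the diffstat shows wvx509.h is untouched, so the declarations presumably remain visible and the failure would surface at link time as undefined references to e.g. `WvX509::get_policy_constraints`. Suggest rewording the last clause to `and apps that need them will fail to link.`, or guarding the declarations too if a compile-time error is what is intended. The guarded region extends past this hunk and is closed by the `#endif` in the next hunk of the same file.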
@@ -915,6 +922,8 @@ void WvX509::set_policy_mapping(PolicyMapList &list) sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); } +#endif // HAVE_OPENSSL_POLICY_MAPPING + static void add_aia(WvStringParm type, WvString identifier, AUTHORITY_INFO_ACCESS *ainfo) { diff --git a/crypto/wvx509mgr.cc b/crypto/wvx509mgr.cc index bcb52474..d974ecfe 100644 --- a/crypto/wvx509mgr.cc +++ b/crypto/wvx509mgr.cc @@ -1,6 +1,7 @@ #include "wvbase64.h" #include "wvsslhacks.h" #include "wvx509mgr.h" +#include "wvautoconf.h" #include #include @@ -348,12 +349,14 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const { debug("Self Signing!\n"); } +#ifdef HAVE_OPENSSL_POLICY_MAPPING else if (!X509_check_ca(cert)) { debug("This certificate is not a CA, and is thus not allowed to sign " "certificates!\n"); return false; } +#endif else if (!((cert->ex_flags & EXFLAG_KUSAGE) && (cert->ex_kusage & KU_KEY_CERT_SIGN))) { @@ -388,12 +391,14 @@ bool WvX509Mgr::signcrl(WvCRL &crl) const "both) not ok! Aborting.\n"); return false; } +#ifdef HAVE_OPENSSL_POLICY_MAPPING else if (!X509_check_ca(cert)) { debug("This certificate is not a CA, and is thus not allowed to sign " "CRLs!\n"); return false; } +#endif else if (!((cert->ex_flags & EXFLAG_KUSAGE) && (cert->ex_kusage & KU_CRL_SIGN))) { -- 2.11.4.GIT
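Review bot: Wrapping the `X509_check_ca(cert)` branch of `signcert` in `#ifdef HAVE_OPENSSL_POLICY_MAPPING` drops the CA check entirely on OpenSSL 0.9.7 builds, leaving only the key-usage test to decide whether a certificate may sign; the identical guard in `signcrl` in the next hunk has the same effect for CRLs. That silently weakens an authorization check, and it is keyed on a macro that configure derives from `POLICY_MAPPING_new` rather than from `X509_check_ca` itself. Consider probing `X509_check_ca` with its own configure check and giving the old library an `#else` branch that still rejects non-CA certificates, for example `else if (!(cert->ex_flags & EXFLAG_CA))` if that flag is populated at this point on 0.9.7 (to be confirmed), or failing closed. Both functions start and end outside their hunks.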