Diffstat (limited to 'modules/ssl/mod_ssl_ct.c')
-rw-r--r--modules/ssl/mod_ssl_ct.c64
1 files changed, 46 insertions, 18 deletions
diff --git a/modules/ssl/mod_ssl_ct.c b/modules/ssl/mod_ssl_ct.c
index 17b673a8e5..769adba795 100644
--- a/modules/ssl/mod_ssl_ct.c
+++ b/modules/ssl/mod_ssl_ct.c
@@ -70,14 +70,13 @@
#endif
#include "mod_proxy.h"
-#include "mod_ssl.h"
-#include "mod_ssl_openssl.h"
+#include "mod_ssl_openssl.h"
#include "ssl_ct_util.h"
#include "ssl_ct_sct.h"
-#include "openssl/x509v3.h"
-#include "openssl/ocsp.h"
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
#if OPENSSL_VERSION_NUMBER < 0x10002003L
#error "mod_ssl_ct requires OpenSSL 1.0.2-beta3 or later"
@@ -1592,26 +1591,55 @@ static const char *gen_key(conn_rec *c, cert_chain *cc,
ct_conn_config *conncfg)
{
const char *fp;
- SHA256_CTX sha256ctx;
unsigned char digest[SHA256_DIGEST_LENGTH];
fp = get_cert_fingerprint(c->pool, cc->leaf);
- SHA256_Init(&sha256ctx); /* UNDOC */
- SHA256_Update(&sha256ctx, (unsigned char *)fp, strlen(fp)); /* UNDOC */
- if (conncfg->cert_sct_list) {
- SHA256_Update(&sha256ctx, conncfg->cert_sct_list,
- conncfg->cert_sct_list_size);
- }
- if (conncfg->serverhello_sct_list) {
- SHA256_Update(&sha256ctx, conncfg->serverhello_sct_list,
- conncfg->serverhello_sct_list_size);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ {
+ SHA256_CTX sha256ctx;
+ SHA256_Init(&sha256ctx); /* UNDOC */
+ SHA256_Update(&sha256ctx, (unsigned char *)fp, strlen(fp)); /* UNDOC */
+ if (conncfg->cert_sct_list) {
+ SHA256_Update(&sha256ctx, conncfg->cert_sct_list,
+ conncfg->cert_sct_list_size);
+ }
+ if (conncfg->serverhello_sct_list) {
+ SHA256_Update(&sha256ctx, conncfg->serverhello_sct_list,
+ conncfg->serverhello_sct_list_size);
+ }
+ if (conncfg->ocsp_sct_list) {
+ SHA256_Update(&sha256ctx, conncfg->ocsp_sct_list,
+ conncfg->ocsp_sct_list_size);
+ }
+ SHA256_Final(digest, &sha256ctx); /* UNDOC */
}
- if (conncfg->ocsp_sct_list) {
- SHA256_Update(&sha256ctx, conncfg->ocsp_sct_list,
- conncfg->ocsp_sct_list_size);
+#else
+ {
+ EVP_MD_CTX *md_ctx;
+ unsigned int dlen = 0;
+ md_ctx = EVP_MD_CTX_create();
+ ap_assert(md_ctx != NULL);
+ ap_assert(EVP_DigestInit_ex(md_ctx, EVP_sha256(), NULL));
+ ap_assert(EVP_DigestUpdate(md_ctx, (unsigned char *)fp, strlen(fp)));
+ if (conncfg->cert_sct_list) {
+ ap_assert(EVP_DigestUpdate(md_ctx, conncfg->cert_sct_list,
+ conncfg->cert_sct_list_size));
+ }
+ if (conncfg->serverhello_sct_list) {
+ ap_assert(EVP_DigestUpdate(md_ctx, conncfg->serverhello_sct_list,
+ conncfg->serverhello_sct_list_size));
+ }
+ if (conncfg->ocsp_sct_list) {
+ ap_assert(EVP_DigestUpdate(md_ctx, conncfg->ocsp_sct_list,
+ conncfg->ocsp_sct_list_size));
+ }
+ ap_assert(EVP_DigestFinal_ex(md_ctx, digest, &dlen));
+ ap_assert(dlen == SHA256_DIGEST_LENGTH);
+ EVP_MD_CTX_destroy(md_ctx);
}
- SHA256_Final(digest, &sha256ctx); /* UNDOC */
+#endif
+
return apr_pescape_hex(c->pool, digest, sizeof digest, 0);
}
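Review bot: In the OpenSSL 3 branch every EVP call is wrapped in `ap_assert`, so a runtime digest failure aborts the whole child process instead of failing the one connection that triggered it. That covers `EVP_MD_CTX_create` returning NULL and `EVP_DigestInit_ex` failing because no loaded provider supplies SHA-256. A per-connection error path would be safer, e.g. `if (!md_ctx || !EVP_DigestInit_ex(md_ctx, EVP_sha256(), NULL)) { EVP_MD_CTX_destroy(md_ctx); return NULL; }`, with the same treatment for the update and final calls. The callers of `gen_key` are outside this hunk, so whether they tolerate a NULL key needs checking first. Separately, the EVP calls used here also exist in OpenSSL 1.0.2, so a single EVP path could replace both `#if` branches and drop the duplicated SCT-list hashing.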