Browse code
OpenSSL: don't use direct access to the internal of X509_STORE_CTX
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_STORE_CTX. We have to use the defined
functions to do so.
Fortunately, these functions have existed since the dawn of time so
we don't have any compatibility issue here.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <11477a0a3cf636572c84e0110a6f1b726bc60c2c.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Emmanuel Deloget authored on 2017/02/18 07:00:48Showing 1 changed files
| ... | ... |
@@ -61,14 +61,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
| 61 | 61 |
session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); |
| 62 | 62 |
ASSERT(session); |
| 63 | 63 |
|
| 64 |
- struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc); |
|
| 65 |
- cert_hash_remember(session, ctx->error_depth, &cert_hash); |
|
| 64 |
+ X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); |
|
| 65 |
+ struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc); |
|
| 66 |
+ cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); |
|
| 66 | 67 |
|
| 67 | 68 |
/* did peer present cert which was signed by our root cert? */ |
| 68 | 69 |
if (!preverify_ok) |
| 69 | 70 |
{
|
| 70 | 71 |
/* get the X509 name */ |
| 71 |
- char *subject = x509_get_subject(ctx->current_cert, &gc); |
|
| 72 |
+ char *subject = x509_get_subject(current_cert, &gc); |
|
| 72 | 73 |
|
| 73 | 74 |
if (!subject) |
| 74 | 75 |
{
|
| ... | ... |
@@ -76,11 +77,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
| 76 | 76 |
} |
| 77 | 77 |
|
| 78 | 78 |
/* Log and ignore missing CRL errors */ |
| 79 |
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) |
|
| 79 |
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) |
|
| 80 | 80 |
{
|
| 81 | 81 |
msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", |
| 82 |
- ctx->error_depth, |
|
| 83 |
- X509_verify_cert_error_string(ctx->error), |
|
| 82 |
+ X509_STORE_CTX_get_error_depth(ctx), |
|
| 83 |
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), |
|
| 84 | 84 |
subject); |
| 85 | 85 |
ret = 1; |
| 86 | 86 |
goto cleanup; |
| ... | ... |
@@ -88,8 +89,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
| 88 | 88 |
|
| 89 | 89 |
/* Remote site specified a certificate, but it's not correct */ |
| 90 | 90 |
msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", |
| 91 |
- ctx->error_depth, |
|
| 92 |
- X509_verify_cert_error_string(ctx->error), |
|
| 91 |
+ X509_STORE_CTX_get_error_depth(ctx), |
|
| 92 |
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), |
|
| 93 | 93 |
subject); |
| 94 | 94 |
|
| 95 | 95 |
ERR_clear_error(); |
| ... | ... |
@@ -98,7 +99,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
| 98 | 98 |
goto cleanup; |
| 99 | 99 |
} |
| 100 | 100 |
|
| 101 |
- if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth)) |
|
| 101 |
+ if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx))) |
|
| 102 | 102 |
{
|
| 103 | 103 |
goto cleanup; |
| 104 | 104 |
} |