OpenSSL 1.1 does not allow us to directly access the internals of
any data type, including X509_STORE_CTX. We have to use the defined
accessor functions instead.
Fortunately, these functions have existed since the dawn of time so
we don't have any compatibility issue here.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <11477a0a3cf636572c84e0110a6f1b726bc60c2c.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -61,14 +61,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
61 | 61 |
session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); |
62 | 62 |
ASSERT(session); |
63 | 63 |
|
64 |
- struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc); |
|
65 |
- cert_hash_remember(session, ctx->error_depth, &cert_hash); |
|
64 |
+ X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); |
|
65 |
+ struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc); |
|
66 |
+ cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); |
|
66 | 67 |
|
67 | 68 |
/* did peer present cert which was signed by our root cert? */ |
68 | 69 |
if (!preverify_ok) |
69 | 70 |
{ |
70 | 71 |
/* get the X509 name */ |
71 |
- char *subject = x509_get_subject(ctx->current_cert, &gc); |
|
72 |
+ char *subject = x509_get_subject(current_cert, &gc); |
|
72 | 73 |
|
73 | 74 |
if (!subject) |
74 | 75 |
{ |
... | ... |
@@ -76,11 +77,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
76 | 76 |
} |
77 | 77 |
|
78 | 78 |
/* Log and ignore missing CRL errors */ |
79 |
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) |
|
79 |
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) |
|
80 | 80 |
{ |
81 | 81 |
msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", |
82 |
- ctx->error_depth, |
|
83 |
- X509_verify_cert_error_string(ctx->error), |
|
82 |
+ X509_STORE_CTX_get_error_depth(ctx), |
|
83 |
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), |
|
84 | 84 |
subject); |
85 | 85 |
ret = 1; |
86 | 86 |
goto cleanup; |
... | ... |
@@ -88,8 +89,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
88 | 88 |
|
89 | 89 |
/* Remote site specified a certificate, but it's not correct */ |
90 | 90 |
msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", |
91 |
- ctx->error_depth, |
|
92 |
- X509_verify_cert_error_string(ctx->error), |
|
91 |
+ X509_STORE_CTX_get_error_depth(ctx), |
|
92 |
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), |
|
93 | 93 |
subject); |
94 | 94 |
|
95 | 95 |
ERR_clear_error(); |
... | ... |
@@ -98,7 +99,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
98 | 98 |
goto cleanup; |
99 | 99 |
} |
100 | 100 |
|
101 |
- if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth)) |
|
101 |
+ if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx))) |
|
102 | 102 |
{ |
103 | 103 |
goto cleanup; |
104 | 104 |
} |
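Review bot: X509_STORE_CTX_get_error_depth(ctx) and X509_STORE_CTX_get_error(ctx) are re-queried at every use site across all four hunks (the cert_hash_remember() call, both msg() calls and the verify_cert() call), while current_cert is fetched once at the top of the first hunk; for consistency and readability cache them next to it, `const int error_depth = X509_STORE_CTX_get_error_depth(ctx);` and `const int err = X509_STORE_CTX_get_error(ctx);`, and use those locals below. A short ownership comment above the new declaration, `/* current_cert is owned by ctx; do not free it */`, would also help, since the accessor hands back an internal pointer just as the old struct field did. X509_STORE_CTX_get_current_cert() can return NULL when no certificate is under examination; the removed code dereferenced ctx->current_cert in the same way, so this is not a regression, but a guard before x509_get_sha256_fingerprint() would make the callback robust to that case. verify_callback begins and ends outside these hunks, so the initial value of ret and the cleanup label are not visible here.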