OpenSSL 1.1 does not allow us to directly access the internals of
any data type, including X509_STORE; such types are opaque and must be
accessed through the accessor functions the library defines.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <8e6d66e3a9a40abb3d7c99c48ba59bad1037d0ef.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -42,6 +42,7 @@ |
42 | 42 |
#endif |
43 | 43 |
|
44 | 44 |
#include <openssl/ssl.h> |
45 |
+#include <openssl/x509.h> |
|
45 | 46 |
|
46 | 47 |
#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA) |
47 | 48 |
/** |
... | ... |
@@ -71,4 +72,18 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) |
71 | 71 |
} |
72 | 72 |
#endif |
73 | 73 |
|
74 |
+#if !defined(HAVE_X509_STORE_GET0_OBJECTS) |
|
75 |
+/** |
|
76 |
+ * Fetch the X509 object stack from the X509 store |
|
77 |
+ * |
|
78 |
+ * @param store X509 object store |
|
79 |
+ * @return the X509 object stack |
|
80 |
+ */ |
|
81 |
+static inline STACK_OF(X509_OBJECT) * |
|
82 |
+X509_STORE_get0_objects(X509_STORE *store) |
|
83 |
+{ |
|
84 |
+ return store ? store->objs : NULL; |
|
85 |
+} |
|
86 |
+#endif |
|
87 |
+ |
|
74 | 88 |
#endif /* OPENSSL_COMPAT_H_ */ |
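Review bot: The docblock on the new X509_STORE_get0_objects() shim does not state the ownership or locking contract, yet callers introduced by this same change both read and delete from the returned stack. The "get0" convention means the stack is borrowed from the store (not a copy, never to be freed by the caller), and nothing in the shim takes the store's lock, so concurrent use of the store while the stack is walked or modified is the caller's problem; the docblock should say so. I would replace the @return line with `@return the store's own X509 object stack (borrowed, do not free), or NULL if @p store is NULL` and add `@note no locking is performed; the caller must ensure the store is not used concurrently`. Whether HAVE_X509_STORE_GET0_OBJECTS is detected correctly is decided by configure, which is outside this hunk.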
... | ... |
@@ -900,13 +900,14 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, |
900 | 900 |
/* Always start with a cleared CRL list, for that we |
901 | 901 |
* we need to manually find the CRL object from the stack |
902 | 902 |
* and remove it */ |
903 |
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) |
|
903 |
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); |
|
904 |
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) |
|
904 | 905 |
{ |
905 |
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); |
|
906 |
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); |
|
906 | 907 |
ASSERT(obj); |
907 | 908 |
if (obj->type == X509_LU_CRL) |
908 | 909 |
{ |
909 |
- sk_X509_OBJECT_delete(store->objs, i); |
|
910 |
+ sk_X509_OBJECT_delete(objs, i); |
|
910 | 911 |
X509_OBJECT_free_contents(obj); |
911 | 912 |
OPENSSL_free(obj); |
912 | 913 |
} |
... | ... |
@@ -43,6 +43,7 @@ |
43 | 43 |
#include "ssl_openssl.h" |
44 | 44 |
#include "ssl_verify.h" |
45 | 45 |
#include "ssl_verify_backend.h" |
46 |
+#include "openssl_compat.h" |
|
46 | 47 |
|
47 | 48 |
#include <openssl/x509v3.h> |
48 | 49 |
#include <openssl/err.h> |
... | ... |
@@ -716,9 +717,10 @@ tls_verify_crl_missing(const struct tls_options *opt) |
716 | 716 |
crypto_msg(M_FATAL, "Cannot get certificate store"); |
717 | 717 |
} |
718 | 718 |
|
719 |
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) |
|
719 |
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); |
|
720 |
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) |
|
720 | 721 |
{ |
721 |
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); |
|
722 |
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); |
|
722 | 723 |
ASSERT(obj); |
723 | 724 |
if (obj->type == X509_LU_CRL) |
724 | 725 |
{ |