Browse code
OpenSSL: don't use direct access to the internal of X509_STORE
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_STORE. We have to use the defined functions
to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <8e6d66e3a9a40abb3d7c99c48ba59bad1037d0ef.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Emmanuel Deloget authored on 2017/02/18 07:00:41Showing 4 changed files
- configure.ac
- src/openvpn/openssl_compat.h
- src/openvpn/ssl_openssl.c
- src/openvpn/ssl_verify_openssl.c
| ... | ... |
@@ -42,6 +42,7 @@ |
| 42 | 42 |
#endif |
| 43 | 43 |
|
| 44 | 44 |
#include <openssl/ssl.h> |
| 45 |
+#include <openssl/x509.h> |
|
| 45 | 46 |
|
| 46 | 47 |
#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA) |
| 47 | 48 |
/** |
| ... | ... |
@@ -71,4 +72,18 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) |
| 71 | 71 |
} |
| 72 | 72 |
#endif |
| 73 | 73 |
|
| 74 |
+#if !defined(HAVE_X509_STORE_GET0_OBJECTS) |
|
| 75 |
+/** |
|
| 76 |
+ * Fetch the X509 object stack from the X509 store |
|
| 77 |
+ * |
|
| 78 |
+ * @param store X509 object store |
|
| 79 |
+ * @return the X509 object stack |
|
| 80 |
+ */ |
|
| 81 |
+static inline STACK_OF(X509_OBJECT) * |
|
| 82 |
+X509_STORE_get0_objects(X509_STORE *store) |
|
| 83 |
+{
|
|
| 84 |
+ return store ? store->objs : NULL; |
|
| 85 |
+} |
|
| 86 |
+#endif |
|
| 87 |
+ |
|
| 74 | 88 |
#endif /* OPENSSL_COMPAT_H_ */ |
| ... | ... |
@@ -900,13 +900,14 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, |
| 900 | 900 |
/* Always start with a cleared CRL list, for that we |
| 901 | 901 |
* we need to manually find the CRL object from the stack |
| 902 | 902 |
* and remove it */ |
| 903 |
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) |
|
| 903 |
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); |
|
| 904 |
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) |
|
| 904 | 905 |
{
|
| 905 |
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); |
|
| 906 |
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); |
|
| 906 | 907 |
ASSERT(obj); |
| 907 | 908 |
if (obj->type == X509_LU_CRL) |
| 908 | 909 |
{
|
| 909 |
- sk_X509_OBJECT_delete(store->objs, i); |
|
| 910 |
+ sk_X509_OBJECT_delete(objs, i); |
|
| 910 | 911 |
X509_OBJECT_free_contents(obj); |
| 911 | 912 |
OPENSSL_free(obj); |
| 912 | 913 |
} |
| ... | ... |
@@ -43,6 +43,7 @@ |
| 43 | 43 |
#include "ssl_openssl.h" |
| 44 | 44 |
#include "ssl_verify.h" |
| 45 | 45 |
#include "ssl_verify_backend.h" |
| 46 |
+#include "openssl_compat.h" |
|
| 46 | 47 |
|
| 47 | 48 |
#include <openssl/x509v3.h> |
| 48 | 49 |
#include <openssl/err.h> |
| ... | ... |
@@ -716,9 +717,10 @@ tls_verify_crl_missing(const struct tls_options *opt) |
| 716 | 716 |
crypto_msg(M_FATAL, "Cannot get certificate store"); |
| 717 | 717 |
} |
| 718 | 718 |
|
| 719 |
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) |
|
| 719 |
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); |
|
| 720 |
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) |
|
| 720 | 721 |
{
|
| 721 |
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); |
|
| 722 |
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); |
|
| 722 | 723 |
ASSERT(obj); |
| 723 | 724 |
if (obj->type == X509_LU_CRL) |
| 724 | 725 |
{
|