diff options
author | Emmanuel Deloget | 2017-02-17 23:00:48 +0100 |
---|---|---|
committer | Gert Doering | 2017-02-22 16:53:45 +0100 |
commit | 88046ad9e8e333259ae6fb4a295a9931a1a0e47f (patch) | |
tree | aadb5af4c0869b56b8a834fad64569f4efb9f8d5 /src/openvpn/ssl_verify_openssl.c | |
parent | 40d6d471ff72e6a5e46911a3205f8e4401f506a3 (diff) | |
download | openvpn-88046ad9e8e333259ae6fb4a295a9931a1a0e47f.zip openvpn-88046ad9e8e333259ae6fb4a295a9931a1a0e47f.tar.gz |
OpenSSL: don't use direct access to the internal of X509_STORE_CTX
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including X509_STORE_CTX. We have to use the defined
functions to do so.
Fortunately, these functions have existed since the dawn of time so
we don't have any compatibility issue here.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <11477a0a3cf636572c84e0110a6f1b726bc60c2c.1487368114.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14085.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_verify_openssl.c')
-rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 274e2bb..0dca099 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -61,14 +61,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); ASSERT(session); - struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc); - cert_hash_remember(session, ctx->error_depth, &cert_hash); + X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); + struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc); + cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) { /* get the X509 name */ - char *subject = x509_get_subject(ctx->current_cert, &gc); + char *subject = x509_get_subject(current_cert, &gc); if (!subject) { @@ -76,11 +77,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) } /* Log and ignore missing CRL errors */ - if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) + if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) { msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", - ctx->error_depth, - X509_verify_cert_error_string(ctx->error), + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject); ret = 1; goto cleanup; @@ -88,8 +89,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* Remote site specified a certificate, but it's not correct */ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", - ctx->error_depth, - X509_verify_cert_error_string(ctx->error), + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject); ERR_clear_error(); @@ -98,7 +99,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) goto cleanup; } - if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth)) + if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx))) { goto cleanup; } |