Re: [openssl-dev] build issue with openssl 1.1.0-pre5

2016-06-29 Thread Matt Caswell


On 29/06/16 15:35, Jan Just Keijser wrote:
> hi all,
> 
> I'm the maintainer of grid-proxy-verify, a grid-tool that uses "plain"
> openssl to verify a grid proxy (either RFC3820 or legacy Globus proxy).
> This tool
>   http://www.nikhef.nl/~janjust/proxy-verify/
> and
>   http://www.nikhef.nl/~janjust/proxy-verify/grid-proxy-verify.c
> builds without any warnings with openssl 0.9.8 and 1.0.x, e.g. using
>   gcc -Wall -pedantic -c -o grid-proxy-verify.o grid-proxy-verify.c
> but with 1.1.0 I run into all sorts of issues (see the bottom of this
> email). Most of these have to do with members of structs becoming opaque
> but especially the disappearance of the check_issued callback is
> worrisome, as that callback is crucial for verifying proxy certificates.
> How should I modify my code so that it builds and links with openssl 1.1.0?

There have been lots of structures made opaque.

Whereas before you might have done this:

    FOO x;

    FOO_init(&x);

    x.bar = 1;

    ...

    FOO_cleanup(&x);

Now you might have to do:

    FOO *x;

    x = FOO_new();
    if (x == NULL)
        goto err;

    FOO_set_bar(x, 1);

    ...

    FOO_free(x);


Making these changes will fix most of the "incomplete type" issues you
are seeing.

This issue:
> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error:
> dereferencing pointer to incomplete type
>  # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
> ^
> grid-proxy-verify.c:686:5: note: in expansion of macro
> ‘X509_STORE_set_verify_cb_func’
>  X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);

is actually a bug in pre5. Fixed in the latest master version.


> grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated
> (declared at openssl-1.1.0-pre5/include/openssl/err.h:363)
> [-Wdeprecated-declarations]
>  ERR_remove_state(0);

ERR_remove_state() was actually deprecated in OpenSSL 1.0.0. Its
successor ERR_remove_thread_state() has also now been deprecated. You
should not need to call this at all in OpenSSL 1.1.0 - it can be
removed. The library is auto-deinitialised (see
https://www.openssl.org/docs/manmaster/crypto/OPENSSL_init_crypto.html)

The "check_issued" thing looks like a possible missing accessor
function(s) (if so please raise a GitHub Issue).

Matt

> 
> 
> thx for any pointers,
> 
> JJK / Jan Just Keijser
> 
> $ gcc -I openssl-1.1.0-pre5/include -o grid-proxy-verify.o
> grid-proxy-verify.c
> grid-proxy-verify.c: In function ‘grid_X509_check_issued_wrapper’:
> grid-proxy-verify.c:337:14: error: dereferencing pointer to incomplete type
>  if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0;
>   ^
> grid-proxy-verify.c:341:8: error: dereferencing pointer to incomplete type
>  ctx->error = ret;
> ^
> grid-proxy-verify.c:342:8: error: dereferencing pointer to incomplete type
>  ctx->current_cert = x;
> ^
> grid-proxy-verify.c:343:8: error: dereferencing pointer to incomplete type
>  ctx->current_issuer = issuer;
> ^
> grid-proxy-verify.c:344:15: error: dereferencing pointer to incomplete type
>  return ctx->verify_cb(0, ctx);
>^
> grid-proxy-verify.c: In function ‘grid_verifyProxy’:
> grid-proxy-verify.c:529:25: error: dereferencing pointer to incomplete type
>  if (pkey->type == EVP_PKEY_RSA)
>  ^
> grid-proxy-verify.c:531:56: error: dereferencing pointer to incomplete type
>  int key_strength = BN_num_bits(pkey->pkey.rsa->n);
> ^
> grid-proxy-verify.c: In function ‘grid_X509_verify_callback’:
> grid-proxy-verify.c:593:16: error: dereferencing pointer to incomplete type
>  ctx->error = errnum;
> ^
> grid-proxy-verify.c:620:21: warning: cast to pointer from integer of
> different size [-Wint-to-pointer-cast]
>  certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain( ctx );
>  ^
> grid-proxy-verify.c:627:12: error: dereferencing pointer to incomplete type
>  ctx->error = errnum;
> ^
> In file included from openssl-1.1.0-pre5/include/openssl/x509.h:363:0,
>  from grid-proxy-verify.c:38:
> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error:
> dereferencing pointer to incomplete type
>  # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
> ^
> grid-proxy-verify.c:686:5: note: in expansion of macro
> ‘X509_STORE_set_verify_cb_func’
>  X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);
>  ^
> grid-proxy-verify.c:720:10: error: dereferencing pointer to incomplete type
>  store->check_issued = grid_X509_check_issued_wrapper;
> 

[openssl-dev] build issue with openssl 1.1.0-pre5

2016-06-29 Thread Jan Just Keijser

hi all,

I'm the maintainer of grid-proxy-verify, a grid-tool that uses "plain" 
openssl to verify a grid proxy (either RFC3820 or legacy Globus proxy). 
This tool

  http://www.nikhef.nl/~janjust/proxy-verify/
and
  http://www.nikhef.nl/~janjust/proxy-verify/grid-proxy-verify.c
builds without any warnings with openssl 0.9.8 and 1.0.x, e.g. using
  gcc -Wall -pedantic -c -o grid-proxy-verify.o grid-proxy-verify.c
but with 1.1.0 I run into all sorts of issues (see the bottom of this 
email). Most of these have to do with members of structs becoming opaque 
but especially the disappearance of the check_issued callback is 
worrisome, as that callback is crucial for verifying proxy certificates. 
How should I modify my code so that it builds and links with openssl 1.1.0?



thx for any pointers,

JJK / Jan Just Keijser

$ gcc -I openssl-1.1.0-pre5/include -o grid-proxy-verify.o grid-proxy-verify.c
grid-proxy-verify.c: In function ‘grid_X509_check_issued_wrapper’:
grid-proxy-verify.c:337:14: error: dereferencing pointer to incomplete type
 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0;
  ^
grid-proxy-verify.c:341:8: error: dereferencing pointer to incomplete type
 ctx->error = ret;
^
grid-proxy-verify.c:342:8: error: dereferencing pointer to incomplete type
 ctx->current_cert = x;
^
grid-proxy-verify.c:343:8: error: dereferencing pointer to incomplete type
 ctx->current_issuer = issuer;
^
grid-proxy-verify.c:344:15: error: dereferencing pointer to incomplete type
 return ctx->verify_cb(0, ctx);
   ^
grid-proxy-verify.c: In function ‘grid_verifyProxy’:
grid-proxy-verify.c:529:25: error: dereferencing pointer to incomplete type
 if (pkey->type == EVP_PKEY_RSA)
 ^
grid-proxy-verify.c:531:56: error: dereferencing pointer to incomplete type
 int key_strength = BN_num_bits(pkey->pkey.rsa->n);
^
grid-proxy-verify.c: In function ‘grid_X509_verify_callback’:
grid-proxy-verify.c:593:16: error: dereferencing pointer to incomplete type
 ctx->error = errnum;
^
grid-proxy-verify.c:620:21: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
 certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain( ctx );
 ^
grid-proxy-verify.c:627:12: error: dereferencing pointer to incomplete type
 ctx->error = errnum;
^
In file included from openssl-1.1.0-pre5/include/openssl/x509.h:363:0,
 from grid-proxy-verify.c:38:
grid-proxy-verify.c: In function ‘grid_verifyCert’:
openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error: dereferencing pointer to incomplete type
 # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
^
grid-proxy-verify.c:686:5: note: in expansion of macro ‘X509_STORE_set_verify_cb_func’
 X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);
 ^
grid-proxy-verify.c:720:10: error: dereferencing pointer to incomplete type
 store->check_issued = grid_X509_check_issued_wrapper;
  ^
grid-proxy-verify.c:783:9: error: dereferencing pointer to incomplete type
 cert->ex_flags |= EXFLAG_PROXY;
 ^
grid-proxy-verify.c:785:16: error: dereferencing pointer to incomplete type
 verify_ctx -> param -> depth = depth + 5;
^
grid-proxy-verify.c:794:25: error: dereferencing pointer to incomplete type
 ret = verify_ctx->error;
 ^
grid-proxy-verify.c: In function ‘main’:
grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated (declared at openssl-1.1.0-pre5/include/openssl/err.h:363) [-Wdeprecated-declarations]
 ERR_remove_state(0);
 ^
