On Mon, Sep 05, 2016 at 10:02:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote:
> > If you have problems making things work, feel free to contact us.
> 
> The patch attached fixes most of it.
> There are a few des → DES conversions like des_cblock → DES_cblock or
> des_key_schedule → DES_key_schedule or des_ede3_cbc_encrypt →
> DESede3_cbc_encrypt which I hope are okay.

des_old.h has been removed.  Replacing des_ by DES_ will probably
work in most cases.  It used to contain:

* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* The function names in here are deprecated and are only present to
* provide an interface compatible with openssl 0.9.6 and older as
* well as libdes.  OpenSSL now provides functions where "des_" has
* been replaced with "DES_" in the names, to make it possible to
* make incompatible changes that are needed for C type security and
* other stuff.
*
* This include files has two compatibility modes:
*
*   - If OPENSSL_DES_LIBDES_COMPATIBILITY is defined, you get an API
*     that is compatible with libdes and SSLeay.
*   - If OPENSSL_DES_LIBDES_COMPATIBILITY isn't defined, you get an
*     API that is compatible with OpenSSL 0.9.5x to 0.9.6x.
*
* Note that these modes break earlier snapshots of OpenSSL, where
* libdes compatibility was the only available mode or (later on) the
* prefered compatibility mode.  However, after much consideration
* (and more or less violent discussions with external parties), it
* was concluded that OpenSSL should be compatible with earlier versions
* of itself before anything else.  Also, in all honesty, libdes is
* an old beast that shouldn't really be used any more.
*
* Please consider starting to use the DES_ functions rather than the
* des_ ones.  The des_ functions will disappear completely before
* OpenSSL 1.0!
*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
[...]
#  define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
        DES_ede3_cbc_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(e))

You already had to include that file to get it working, and that seems to be
a message from 2001.  So you really can't say they haven't been warned.

> There are M_ASN1_INTEGER_free → ASN1_STRING_free which I also hope that
> those are okay.

# define M_ASN1_INTEGER_free(a)          ASN1_STRING_free((ASN1_STRING *)a)

So that looks fine.

> That part where I replaced d2i_ASN1_BOOLEAN() looks like
> they copied it from old openssl code.

I'm not sure whether the code you replaced it with is correct or not.


> @@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, 
> state_slot_t ** args)
>      }
>  
>    certs = sk_X509_new_null ();
> +#if HALP
>    if (store && store->objs)
>      {
>        for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
>       {
>         X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
> -       if (obj->type == X509_LU_X509)
> +       if (X509_OBJECT_get_type(obj) == X509_LU_X509)
>           sk_X509_push (certs, X509_dup (obj->data.x509));
>       }
>  
>      }
> +#endif
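
Review bot: wrapping the whole certificate-collection loop in #if HALP means that, unless HALP is defined to a non-zero value, certs stays the empty stack created by sk_X509_new_null () and nothing from the store is pushed into it, so the loop should be ported rather than compiled out. Inside the guard only the type check was converted; store->objs and obj->data.x509 still reach into the structures directly and could go through X509_STORE_get0_objects(store) and X509_OBJECT_get0_X509(obj) instead. The result of X509_dup is also pushed onto the stack without a NULL check.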

Are you looking for X509_STORE_get0_objects(store) instead of
store->objs?

> @@ -1488,6 +1496,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * 
> err_ret, state_slot_t ** args
>       int n, i, len;
>       char *s, *data_ptr;
>       BIO *mem = BIO_new (BIO_s_mem ());
> +#if HALP
>       for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); 
> i++)
>         {
>           ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
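
Review bot: the #if HALP added just before the loop guards the walk over the subject name, so unless HALP is defined to a non-zero value the entries are never read here, and no matching #endif is visible in the quoted context. Both the loop bound and the sk_X509_NAME_ENTRY_value call dereference subj->entries directly; X509_NAME_entry_count(subj) and X509_NAME_get_entry(subj, i) give the same iteration through accessors, which would let the guard be dropped.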

I think you're looking for:
        for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
        {
                X509_NAME_ENTRY *ne = X509_NAME_get_entry(subj, i);



Kurt
