Good to hear that grid proxy and RFC3820 are still being used. I worked on both
before I retired a few years ago from Argonne Nat Lab.
I see you have commented on the OpenSC mailing list too. In a note earlier
today I said:
OpenSC has been looking at the approach - program to 1.1.0 and add a sc_ossl_compat.h that uses inline routines for older versions of openssl going back to 0.9.7 (not my choice, but someone asked
for 0.9.7). Only changes needed by OpenSC are defined, but it is a start.
Some #ifdefs are still needed, but only a handful, and could be isolated to the
sc_ossl_compat.h.
See
https://github.com/dengert/OpenSC/commit/8e00355cbcb42deefc2c44e910f23aa3d137f298
This does not address all your issues because OpenSC is not using X509_STORE_CTX,
but have a look at the BN_ and pkey->type == EVP_PKEY_RSA
type issues.
On 6/29/2016 9:35 AM, Jan Just Keijser wrote:
hi all,
I'm the maintainer of grid-proxy-verify, a grid-tool that uses "plain" openssl
to verify a grid proxy (either RFC3820 or legacy Globus proxy). This tool
http://www.nikhef.nl/~janjust/proxy-verify/
and
http://www.nikhef.nl/~janjust/proxy-verify/grid-proxy-verify.c
builds without any warnings with openssl 0.9.8 and 1.0.x, e.g. using
gcc -Wall -pedantic -c -o grid-proxy-verify.o grid-proxy-verify.c
but with 1.1.0 I run into all sorts of issues (see the bottom of this email). Most of these have to do with members of structs becoming opaque but especially the disappearance of the check_issued
callback is worrisome, as that callback is crucial for verifying proxy certificates. How should I modify my code so that it builds and links with openssl 1.1.0?
thx for any pointers,
JJK / Jan Just Keijser
$ gcc -I openssl-1.1.0-pre5/include -o grid-proxy-verify.o grid-proxy-verify.c
grid-proxy-verify.c: In function ‘grid_X509_check_issued_wrapper’:
grid-proxy-verify.c:337:14: error: dereferencing pointer to incomplete type
if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0;
^
grid-proxy-verify.c:341:8: error: dereferencing pointer to incomplete type
ctx->error = ret;
^
grid-proxy-verify.c:342:8: error: dereferencing pointer to incomplete type
ctx->current_cert = x;
^
grid-proxy-verify.c:343:8: error: dereferencing pointer to incomplete type
ctx->current_issuer = issuer;
^
grid-proxy-verify.c:344:15: error: dereferencing pointer to incomplete type
return ctx->verify_cb(0, ctx);
^
grid-proxy-verify.c: In function ‘grid_verifyProxy’:
grid-proxy-verify.c:529:25: error: dereferencing pointer to incomplete type
if (pkey->type == EVP_PKEY_RSA)
^
grid-proxy-verify.c:531:56: error: dereferencing pointer to incomplete type
int key_strength = BN_num_bits(pkey->pkey.rsa->n);
^
grid-proxy-verify.c: In function ‘grid_X509_verify_callback’:
grid-proxy-verify.c:593:16: error: dereferencing pointer to incomplete type
ctx->error = errnum;
^
grid-proxy-verify.c:620:21: warning: cast to pointer from integer of different
size [-Wint-to-pointer-cast]
certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain( ctx );
^
grid-proxy-verify.c:627:12: error: dereferencing pointer to incomplete type
ctx->error = errnum;
^
In file included from openssl-1.1.0-pre5/include/openssl/x509.h:363:0,
from grid-proxy-verify.c:38:
grid-proxy-verify.c: In function ‘grid_verifyCert’:
openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error: dereferencing
pointer to incomplete type
# define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
^
grid-proxy-verify.c:686:5: note: in expansion of macro
‘X509_STORE_set_verify_cb_func’
X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);
^
grid-proxy-verify.c:720:10: error: dereferencing pointer to incomplete type
store->check_issued = grid_X509_check_issued_wrapper;
^
grid-proxy-verify.c:783:9: error: dereferencing pointer to incomplete type
cert->ex_flags |= EXFLAG_PROXY;
^
grid-proxy-verify.c:785:16: error: dereferencing pointer to incomplete type
verify_ctx -> param -> depth = depth + 5;
^
grid-proxy-verify.c:794:25: error: dereferencing pointer to incomplete type
ret = verify_ctx->error;
^
grid-proxy-verify.c: In function ‘main’:
grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated (declared
at openssl-1.1.0-pre5/include/openssl/err.h:363) [-Wdeprecated-declarations]
ERR_remove_state(0);
^
--
Douglas E. Engert <deeng...@gmail.com>
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev