On 29/06/16 15:35, Jan Just Keijser wrote:
> hi all,
> 
> I'm the maintainer of grid-proxy-verify, a grid-tool that uses "plain"
> openssl to verify a grid proxy (either RFC3820 or legacy Globus proxy).
> This tool
>   http://www.nikhef.nl/~janjust/proxy-verify/
> and
>   http://www.nikhef.nl/~janjust/proxy-verify/grid-proxy-verify.c
> builds without any warnings with openssl 0.9.8 and 1.0.x, e.g. using
>   gcc -Wall -pedantic -c -o grid-proxy-verify.o grid-proxy-verify.c
> but with 1.1.0 I run into all sorts of issues (see the bottom of this
> email). Most of these have to do with members of structs becoming opaque
> but especially the disappearance of the check_issued callback is
> worrisome, as that callback is crucial for verifying proxy certificates.
> How should I modify my code so that it builds and links with openssl 1.1.0?

There have been lots of structures made opaque.

Whereas before you might have done this:

    FOO x;

    FOO_init(&x);

    x.bar = 1;

    ...

    FOO_cleanup(&x);

Now you might have to do:

    FOO *x;

    x = FOO_new();
    if (x == NULL)
        goto err;

    FOO_set_bar(x, 1);

    ...

    FOO_free(x);


Making these changes will fix most of the "incomplete type" issues you
are seeing.

This issue:
> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error:
> dereferencing pointer to incomplete type
>  # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
>                                                         ^
> grid-proxy-verify.c:686:5: note: in expansion of macro
> ‘X509_STORE_set_verify_cb_func’
>      X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);

is actually a bug in pre5. Fixed in the latest master version.


> grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated
> (declared at openssl-1.1.0-pre5/include/openssl/err.h:363)
> [-Wdeprecated-declarations]
>      ERR_remove_state(0);

ERR_remove_state() was actually deprecated in OpenSSL 1.0.0. Its
successor ERR_remove_thread_state() has also now been deprecated. You
should not need to call this at all in OpenSSL 1.1.0 - it can be
removed. The library is auto-deinitialised (see
https://www.openssl.org/docs/manmaster/crypto/OPENSSL_init_crypto.html).

The "check_issued" thing looks like a possible missing accessor
function(s) (if so please raise a GitHub Issue).

Matt

> 
> 
> thx for any pointers,
> 
> JJK / Jan Just Keijser
> 
> $ gcc -I openssl-1.1.0-pre5/include -o grid-proxy-verify.o
> grid-proxy-verify.c
> grid-proxy-verify.c: In function ‘grid_X509_check_issued_wrapper’:
> grid-proxy-verify.c:337:14: error: dereferencing pointer to incomplete type
>      if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0;
>               ^
> grid-proxy-verify.c:341:8: error: dereferencing pointer to incomplete type
>      ctx->error = ret;
>         ^
> grid-proxy-verify.c:342:8: error: dereferencing pointer to incomplete type
>      ctx->current_cert = x;
>         ^
> grid-proxy-verify.c:343:8: error: dereferencing pointer to incomplete type
>      ctx->current_issuer = issuer;
>         ^
> grid-proxy-verify.c:344:15: error: dereferencing pointer to incomplete type
>      return ctx->verify_cb(0, ctx);
>                ^
> grid-proxy-verify.c: In function ‘grid_verifyProxy’:
> grid-proxy-verify.c:529:25: error: dereferencing pointer to incomplete type
>                  if (pkey->type == EVP_PKEY_RSA)
>                          ^
> grid-proxy-verify.c:531:56: error: dereferencing pointer to incomplete type
>                      int key_strength = BN_num_bits(pkey->pkey.rsa->n);
>                                                         ^
> grid-proxy-verify.c: In function ‘grid_X509_verify_callback’:
> grid-proxy-verify.c:593:16: error: dereferencing pointer to incomplete type
>              ctx->error = errnum;
>                 ^
> grid-proxy-verify.c:620:21: warning: cast to pointer from integer of
> different size [-Wint-to-pointer-cast]
>          certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain( ctx );
>                      ^
> grid-proxy-verify.c:627:12: error: dereferencing pointer to incomplete type
>          ctx->error = errnum;
>             ^
> In file included from openssl-1.1.0-pre5/include/openssl/x509.h:363:0,
>                  from grid-proxy-verify.c:38:
> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error:
> dereferencing pointer to incomplete type
>  # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
>                                                         ^
> grid-proxy-verify.c:686:5: note: in expansion of macro
> ‘X509_STORE_set_verify_cb_func’
>      X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);
>      ^
> grid-proxy-verify.c:720:10: error: dereferencing pointer to incomplete type
>      store->check_issued = grid_X509_check_issued_wrapper;
>           ^
> grid-proxy-verify.c:783:9: error: dereferencing pointer to incomplete type
>      cert->ex_flags |= EXFLAG_PROXY;
>          ^
> grid-proxy-verify.c:785:16: error: dereferencing pointer to incomplete type
>      verify_ctx -> param -> depth = depth + 5;
>                 ^
> grid-proxy-verify.c:794:25: error: dereferencing pointer to incomplete type
>          ret = verify_ctx->error;
>                          ^
> grid-proxy-verify.c: In function ‘main’:
> grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated
> (declared at openssl-1.1.0-pre5/include/openssl/err.h:363)
> [-Wdeprecated-declarations]
>      ERR_remove_state(0);
>      ^
> 