On 29/06/16 15:35, Jan Just Keijser wrote:
> hi all,
>
> I'm the maintainer of grid-proxy-verify, a grid-tool that uses "plain"
> openssl to verify a grid proxy (either RFC3820 or legacy Globus proxy).
> This tool
>    http://www.nikhef.nl/~janjust/proxy-verify/
> and
>    http://www.nikhef.nl/~janjust/proxy-verify/grid-proxy-verify.c
> builds without any warnings with openssl 0.9.8 and 1.0.x, e.g. using
>    gcc -Wall -pedantic -c -o grid-proxy-verify.o grid-proxy-verify.c
> but with 1.1.0 I run into all sorts of issues (see the bottom of this
> email). Most of these have to do with members of structs becoming opaque
> but especially the disappearance of the check_issued callback is
> worrisome, as that callback is crucial for verifying proxy certificates.
> How should I modify my code so that it builds and links with openssl 1.1.0?

There have been lots of structures made opaque. Whereas before you might
have done this:

    FOO x;

    FOO_init(&x);
    x.bar = 1;
    ...
    FOO_cleanup(&x);

Now you might have to do:

    FOO *x;

    x = FOO_new();
    if (x == NULL)
        goto err;
    FOO_set_bar(x, 1);
    ...
    FOO_free(x);

Making these changes will fix most of the "incomplete type" issues you
are seeing.

This issue:

> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error:
> dereferencing pointer to incomplete type
>    # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
>    ^
> grid-proxy-verify.c:686:5: note: in expansion of macro
> ‘X509_STORE_set_verify_cb_func’
>    X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);

is actually a bug in pre5. Fixed in the latest master version.

> grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated
> (declared at openssl-1.1.0-pre5/include/openssl/err.h:363)
> [-Wdeprecated-declarations]
>    ERR_remove_state(0);

ERR_remove_state() was actually deprecated in OpenSSL 1.0.0. Its
successor ERR_remove_thread_state() has also now been deprecated. You
should not need to call this at all in OpenSSL 1.1.0 - it can be removed.
The library is auto-deinitialised (see
https://www.openssl.org/docs/manmaster/crypto/OPENSSL_init_crypto.html)

The "check_issued" thing looks like a possible missing accessor
function(s) (if so please raise a GitHub Issue).

Matt

>
>
> thx for any pointers,
>
> JJK / Jan Just Keijser
>
> $ gcc -I openssl-1.1.0-pre5/include -o grid-proxy-verify.o
> grid-proxy-verify.c
> grid-proxy-verify.c: In function ‘grid_X509_check_issued_wrapper’:
> grid-proxy-verify.c:337:14: error: dereferencing pointer to incomplete type
>    if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0;
>    ^
> grid-proxy-verify.c:341:8: error: dereferencing pointer to incomplete type
>    ctx->error = ret;
>    ^
> grid-proxy-verify.c:342:8: error: dereferencing pointer to incomplete type
>    ctx->current_cert = x;
>    ^
> grid-proxy-verify.c:343:8: error: dereferencing pointer to incomplete type
>    ctx->current_issuer = issuer;
>    ^
> grid-proxy-verify.c:344:15: error: dereferencing pointer to incomplete type
>    return ctx->verify_cb(0, ctx);
>    ^
> grid-proxy-verify.c: In function ‘grid_verifyProxy’:
> grid-proxy-verify.c:529:25: error: dereferencing pointer to incomplete type
>    if (pkey->type == EVP_PKEY_RSA)
>    ^
> grid-proxy-verify.c:531:56: error: dereferencing pointer to incomplete type
>    int key_strength = BN_num_bits(pkey->pkey.rsa->n);
>    ^
> grid-proxy-verify.c: In function ‘grid_X509_verify_callback’:
> grid-proxy-verify.c:593:16: error: dereferencing pointer to incomplete type
>    ctx->error = errnum;
>    ^
> grid-proxy-verify.c:620:21: warning: cast to pointer from integer of
> different size [-Wint-to-pointer-cast]
>    certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain( ctx );
>    ^
> grid-proxy-verify.c:627:12: error: dereferencing pointer to incomplete type
>    ctx->error = errnum;
>    ^
> In file included from openssl-1.1.0-pre5/include/openssl/x509.h:363:0,
> from grid-proxy-verify.c:38:
> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error:
> dereferencing pointer to incomplete type
>    # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
>    ^
> grid-proxy-verify.c:686:5: note: in expansion of macro
> ‘X509_STORE_set_verify_cb_func’
>    X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);
>    ^
> grid-proxy-verify.c:720:10: error: dereferencing pointer to incomplete type
>    store->check_issued = grid_X509_check_issued_wrapper;
>    ^
> grid-proxy-verify.c:783:9: error: dereferencing pointer to incomplete type
>    cert->ex_flags |= EXFLAG_PROXY;
>    ^
> grid-proxy-verify.c:785:16: error: dereferencing pointer to incomplete type
>    verify_ctx -> param -> depth = depth + 5;
>    ^
> grid-proxy-verify.c:794:25: error: dereferencing pointer to incomplete type
>    ret = verify_ctx->error;
>    ^
> grid-proxy-verify.c: In function ‘main’:
> grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated
> (declared at openssl-1.1.0-pre5/include/openssl/err.h:363)
> [-Wdeprecated-declarations]
>    ERR_remove_state(0);
>    ^
>
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
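
The opaque-structure pattern from the reply above, applied to the shape of the check_issued wrapper lines in the compiler output, as an added example that is not part of the original thread or of grid-proxy-verify.c. VCTX, the VCTX_* accessors, the integer certificate ids, the error codes and the issuance rule are constructed stand-ins so the file builds without OpenSSL; the "cf." comments name the OpenSSL 1.1.0 accessors that play the same role.

```c
/* Constructed model: VCTX and the VCTX_* names are hypothetical, not OpenSSL symbols. */
#include <stdlib.h>
/* Header part: callers get a type name and accessors, never the struct layout. */
typedef struct vctx_st VCTX;
typedef int (*vctx_verify_cb)(int ok, VCTX *ctx);
typedef int (*vctx_check_issued_fn)(VCTX *ctx, int cert, int issuer);
VCTX *VCTX_new(void);
void VCTX_free(VCTX *ctx);
void VCTX_set_error(VCTX *ctx, int err);          /* cf. X509_STORE_CTX_set_error */
int VCTX_get_error(VCTX *ctx);                    /* cf. X509_STORE_CTX_get_error */
void VCTX_set_verify_cb(VCTX *ctx, vctx_verify_cb cb);
vctx_verify_cb VCTX_get_verify_cb(VCTX *ctx);     /* cf. X509_STORE_CTX_get_verify_cb */
void VCTX_set_check_issued(VCTX *ctx, vctx_check_issued_fn fn); /* cf. X509_STORE_set_check_issued */
int VCTX_verify(VCTX *ctx, int cert, int issuer);

/* Application part: compiled against the incomplete type only. */
enum { ERR_NOT_ISSUER = 1, ERR_PROXY_NOT_ISSUER = 2, PROXY_BASE = 100 }; /* constructed values */
static int app_verify_cb(int ok, VCTX *ctx)
{   /* constructed policy: only the proxy-specific issuer mismatch is tolerated */
    return ok || VCTX_get_error(ctx) == ERR_PROXY_NOT_ISSUER;
}
static int app_check_issued(VCTX *ctx, int cert, int issuer)
{
    if (cert / 10 == issuer) return 1;            /* constructed issuance rule */
    VCTX_set_error(ctx, cert >= PROXY_BASE ? ERR_PROXY_NOT_ISSUER : ERR_NOT_ISSUER); /* was: ctx->error = ret; */
    return VCTX_get_verify_cb(ctx)(0, ctx);       /* was: return ctx->verify_cb(0, ctx); */
}
int demo_verify(int cert, int issuer)
{
    VCTX *ctx = VCTX_new();                       /* heap object from the library, NULL-checked */
    if (ctx == NULL) return -1;
    VCTX_set_verify_cb(ctx, app_verify_cb);
    VCTX_set_check_issued(ctx, app_check_issued); /* was: store->check_issued = ...; */
    int ret = VCTX_verify(ctx, cert, issuer);
    VCTX_free(ctx);
    return ret;
}

/* Library part: the only code that knows the struct layout. */
struct vctx_st { int error; vctx_verify_cb cb; vctx_check_issued_fn ci; };
VCTX *VCTX_new(void) { return calloc(1, sizeof(VCTX)); }
void VCTX_free(VCTX *c) { free(c); }
void VCTX_set_error(VCTX *c, int e) { c->error = e; }
int VCTX_get_error(VCTX *c) { return c->error; }
void VCTX_set_verify_cb(VCTX *c, vctx_verify_cb cb) { c->cb = cb; }
vctx_verify_cb VCTX_get_verify_cb(VCTX *c) { return c->cb; }
void VCTX_set_check_issued(VCTX *c, vctx_check_issued_fn f) { c->ci = f; }
int VCTX_verify(VCTX *c, int cert, int issuer) { return c->ci ? c->ci(c, cert, issuer) : 0; }
int main(void) { return demo_verify(105, 7) == 1 ? 0 : 1; }
```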