Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX
On 22 February 2017 at 15:47, Christian Hesse wrote:
> Steffan Karger on Tue, 2017/02/21 22:30:
>> ACK. Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1
>> and 1.0.2.
>
> You replied to a patch in the middle of a series. Does this ACK apply to the
> complete series or just this patch?

Just this one. Not much brains left last night, so I only reviewed this rather simple and independent patch out of the series :)

-Steffan

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX
Steffan Karger on Tue, 2017/02/21 22:30:
> ACK. Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1
> and 1.0.2.

You replied to a patch in the middle of a series. Does this ACK apply to the complete series or just this patch?

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget> > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509_STORE_CTX. We have to use the defined > functions to do so. > > Fortunately, these functions have existed since the dawn of time so > we don't have any compatibility issue here. > > Signed-off-by: Emmanuel Deloget > --- > src/openvpn/ssl_verify_openssl.c | 19 ++- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/src/openvpn/ssl_verify_openssl.c > b/src/openvpn/ssl_verify_openssl.c > index > edc709b89eb05bca895639dde606b29f8e1f7024..5bdd1e3609c4a2693e16c0835a9e5c39babd5ff8 > 100644 > --- a/src/openvpn/ssl_verify_openssl.c > +++ b/src/openvpn/ssl_verify_openssl.c > @@ -62,14 +62,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) > session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); > ASSERT(session); > > -struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, > ); > -cert_hash_remember(session, ctx->error_depth, _hash); > +X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); > +struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, ); > +cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), > _hash); > > /* did peer present cert which was signed by our root cert? */ > if (!preverify_ok) > { > /* get the X509 name */ > -char *subject = x509_get_subject(ctx->current_cert, ); > +char *subject = x509_get_subject(current_cert, ); > > if (!subject) > { 
> @@ -77,11 +78,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) > } > > /* Log and ignore missing CRL errors */ > -if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) > +if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) > { > msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", > -ctx->error_depth, > -X509_verify_cert_error_string(ctx->error), > +X509_STORE_CTX_get_error_depth(ctx), > +X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), > subject); > ret = 1; > goto cleanup; > @@ -89,8 +90,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) > > /* Remote site specified a certificate, but it's not correct */ > msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", > -ctx->error_depth, > -X509_verify_cert_error_string(ctx->error), > +X509_STORE_CTX_get_error_depth(ctx), > +X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), > subject); > > ERR_clear_error(); > @@ -99,7 +100,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) > goto cleanup; > } > > -if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth)) > +if (SUCCESS != verify_cert(session, current_cert, > X509_STORE_CTX_get_error_depth(ctx))) > { > goto cleanup; > } >

ACK. Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2.

-Steffan
[Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX
From: Emmanuel Deloget

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509_STORE_CTX. We have to use the defined functions to do so.

Fortunately, these functions have existed since the dawn of time so we don't have any compatibility issue here.

Signed-off-by: Emmanuel Deloget
---
 src/openvpn/ssl_verify_openssl.c | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index edc709b89eb05bca895639dde606b29f8e1f7024..5bdd1e3609c4a2693e16c0835a9e5c39babd5ff8 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -62,14 +62,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); ASSERT(session); -struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, ); -cert_hash_remember(session, ctx->error_depth, _hash); +X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); +struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, ); +cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), _hash); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) { /* get the X509 name */ -char *subject = x509_get_subject(ctx->current_cert, ); +char *subject = x509_get_subject(current_cert, ); if (!subject) { @@ -77,11 +78,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) } /* Log and ignore missing CRL errors */ -if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) +if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) { msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", -ctx->error_depth, -X509_verify_cert_error_string(ctx->error), +X509_STORE_CTX_get_error_depth(ctx), +X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject); ret = 1; goto cleanup; 
@@ -89,8 +90,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* Remote site specified a certificate, but it's not correct */ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", -ctx->error_depth, -X509_verify_cert_error_string(ctx->error), +X509_STORE_CTX_get_error_depth(ctx), +X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), subject); ERR_clear_error(); @@ -99,7 +100,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) goto cleanup; } -if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth)) +if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx))) { goto cleanup; } -- 2.7.4
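Review bot: in the first hunk (@@ -62,14 +62,15 @@), `X509_STORE_CTX_get_current_cert(ctx)` may return NULL, and the new `current_cert` local goes straight into `x509_get_sha256_fingerprint()` and, on the error path, `x509_get_subject()` without a check. The old `ctx->current_cert` reads had the same exposure, but since this hunk introduces the local anyway, adding `ASSERT(current_cert);` right after the existing `ASSERT(session);` costs one line and makes the callback's precondition explicit. Note also that the local is fetched once here and reused some forty lines later in the `verify_cert()` call, so the change now relies on nothing in between altering the context's current certificate; that holds in this callback, but it is a new invariant the previous per-use reads did not depend on. The commit message's point that these accessors predate 1.1 is what lets this land without an `#ifdef`, and the ACK in this thread reports testing back to 0.9.8.

Review bot: in the CRL hunk (@@ -77,11 +78,11 @@), `X509_STORE_CTX_get_error(ctx)` is now evaluated twice, once in the `if` and again inside `X509_verify_cert_error_string(...)`, with `X509_STORE_CTX_get_error_depth(ctx)` beside it. Style only, but given that the first hunk already hoists `current_cert`, fetching `int err = X509_STORE_CTX_get_error(ctx);` and `int depth = X509_STORE_CTX_get_error_depth(ctx);` next to it would keep the `msg()` argument list as short as it was with `ctx->error` and `ctx->error_depth`.

Review bot: the `VERIFY ERROR` hunk (@@ -89,8 +90,8 @@) repeats the same pair of accessor calls for the `msg(D_TLS_ERRORS, ...)` arguments; with the locals suggested for the CRL hunk, both log calls would read `depth, X509_verify_cert_error_string(err), subject` and the error value would be read from the context in exactly one place. There is no behavioural change in this hunk: the accessors return the same fields the struct members held.

Review bot: in the last hunk (@@ -99,7 +100,7 @@), the replacement `if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx)))` is considerably longer than the `ctx->current_cert, ctx->error_depth` line it replaces; either wrap the argument list or pass a `depth` local set alongside `current_cert`. The call is otherwise equivalent to the old one, since `X509_STORE_CTX_get_error_depth()` yields the same depth value the callback previously read directly, and `verify_cert()` still receives it for the certificate currently under verification.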