From: Emmanuel Deloget <log...@free.fr> OpenSSL 1.1 does not allow us to directly access the internals of any data type, including X509_OBJECT. We have to use the functions OpenSSL defines for that purpose.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
---
 configure.ac | 2 ++
 src/openvpn/openssl_compat.h | 31 +++++++++++++++++++++++++++++++
 src/openvpn/ssl_openssl.c | 5 ++---
 src/openvpn/ssl_verify_openssl.c | 2 +-
 4 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 415128c9f8687a53e4a73419f3048d07f66b70cc..789ad08fbaa3b3fc4c95d2b7a22332c0a93aeab4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -903,6 +903,8 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 SSL_CTX_get_default_passwd_cb \
 SSL_CTX_get_default_passwd_cb_userdata \
 X509_STORE_get0_objects \
+ X509_OBJECT_free \
+ X509_OBJECT_get_type \
 ],
 ,
 []
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 016008bc1705a41ee0ee09fecfc0b16b282cede3..458a6adbe2b3fcd5ea63dcea6596cc24315d463c 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -86,4 +86,35 @@ X509_STORE_get0_objects(X509_STORE *store)
 }
 #endif
 
+#if !defined(HAVE_X509_OBJECT_FREE)
+/**
+ * Destroy a X509 object
+ *
+ * @param obj X509 object
+ */
+static inline void
+X509_OBJECT_free(X509_OBJECT *obj)
+{
+ if (obj)
+ {
+ X509_OBJECT_free_contents(obj);
+ OPENSSL_free(obj);
+ }
+}
+#endif
+
+#if !defined(HAVE_X509_OBJECT_GET_TYPE)
+/**
+ * Get the type of an X509 object
+ *
+ * @param obj X509 object
+ * @return The underlying object type
+ */
+static inline int
+X509_OBJECT_get_type(const X509_OBJECT *obj)
+{
+ return obj ? obj->type : X509_LU_FAIL;
+}
+#endif
+
 #endif /* OPENSSL_COMPAT_H_ */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index e57de43a748c89ff58ea00abade0b1c317013258..bf0f643f25439f71cbfe71bf5a7e8eb834b0f012 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
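Review bot: The `X509_OBJECT_get_type` fallback in src/openvpn/openssl_compat.h quietly returns `X509_LU_FAIL` for a NULL argument, and the doc comment does not mention it. As far as I recall the OpenSSL 1.1 function dereferences its argument without any check, so code that relies on the shim's tolerance would pass on 1.0 builds and crash on 1.1. Both callers in this patch `ASSERT(obj)` first, so nothing here is affected, but the comment should pin the contract, e.g. `@return The underlying object type, or X509_LU_FAIL if obj is NULL (compat-only; callers must not rely on it)`. The `X509_OBJECT_free` comment would also benefit from stating that it releases the contained certificate or CRL as well as the object itself, and that the caller must already have removed `obj` from any stack that still points to it.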
@@ -905,11 +905,10 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
 {
 X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
 ASSERT(obj);
- if (obj->type == X509_LU_CRL)
+ if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
 {
 sk_X509_OBJECT_delete(objs, i);
- X509_OBJECT_free_contents(obj);
- OPENSSL_free(obj);
+ X509_OBJECT_free(obj);
 }
 }
 
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index fabbb0c370b123f54ce4a1eaf5f9650b440f47f8..07975248035b48121d1383b47f40a56042bc7380 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -721,7 +721,7 @@ tls_verify_crl_missing(const struct tls_options *opt)
 {
 X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
 ASSERT(obj);
- if (obj->type == X509_LU_CRL)
+ if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
 {
 return false;
 }
-- 
2.7.4
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
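Review bot: In the `backend_tls_ctx_reload_crl` hunk of src/openvpn/ssl_openssl.c, `sk_X509_OBJECT_delete(objs, i)` shifts the remaining entries down by one, so if the enclosing loop (its header is outside the hunk) advances `i` unconditionally, the entry that moved into slot `i` is never examined. Two adjacent CRL objects would then leave the second one in the store, and the reload would not start from a cleared CRL list. Adding `i--;` after `X509_OBJECT_free(obj);`, or walking the stack from the last index down, avoids the skip. This behaviour predates the commit, which only swaps in the accessor functions, but the lines it touches are the natural place to fix it.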