On Thu, Oct 21, 2021 at 01:05:18PM +0200, Theo Buehler wrote:
> This is the first of two diffs to prepare isakmpd for upcoming libcrypto
> changes. X509_EXTENSION will become opaque so we need to use an accessor.
> I decided to leave accesses into ASN1_OCTET_STRING as they are for
> readability (asn1_string_st is still exposed in OpenSSL's asn1.h).
Here's a second diff that deals with opaque X509_STORE_CTX.
There is a minor piece left that needs X509_OBJECT_{new,free}() to land
in libcrypto.
Index: x509.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/x509.c,v
retrieving revision 1.120
diff -u -p -r1.120 x509.c
--- x509.c 13 Oct 2021 16:57:43 -0000 1.120
+++ x509.c 21 Oct 2021 11:19:14 -0000
@@ -109,7 +109,7 @@ x509_generate_kn(int id, X509 *cert)
"Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
X509_NAME *issuer, *subject;
struct keynote_deckey dc;
- X509_STORE_CTX csc;
+ X509_STORE_CTX *csc = NULL;
X509_OBJECT obj;
X509 *icert;
RSA *key = NULL;
@@ -154,24 +154,32 @@ x509_generate_kn(int id, X509 *cert)
RSA_free(key);
key = NULL;
+ csc = X509_STORE_CTX_new();
+ if (csc == NULL) {
+ log_print("x509_generate_kn: failed to get memory for "
+ "certificate store");
+ goto fail;
+ }
+
/* Now find issuer's certificate so we can get the public key. */
- X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
- if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) !=
+ X509_STORE_CTX_init(csc, x509_cas, cert, NULL);
+ if (X509_STORE_get_by_subject(csc, X509_LU_X509, issuer, &obj) !=
X509_LU_X509) {
- X509_STORE_CTX_cleanup(&csc);
- X509_STORE_CTX_init(&csc, x509_certs, cert, NULL);
- if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj)
+ X509_STORE_CTX_cleanup(csc);
+ X509_STORE_CTX_init(csc, x509_certs, cert, NULL);
+ if (X509_STORE_get_by_subject(csc, X509_LU_X509, issuer, &obj)
!= X509_LU_X509) {
- X509_STORE_CTX_cleanup(&csc);
+ X509_STORE_CTX_cleanup(csc);
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: no certificate found for "
"issuer"));
goto fail;
}
}
- X509_STORE_CTX_cleanup(&csc);
- icert = obj.data.x509;
+ X509_STORE_CTX_free(csc);
+ csc = NULL;
+ icert = X509_OBJECT_get0_X509(&obj);
if (icert == NULL) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: "
"missing certificates, cannot construct X509 chain"));
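Review bot: X509_STORE_CTX_init() is still called without checking its result at both of the new call sites (the two lines that replaced the `&csc` forms); it returns 0 on failure, for example when the context's verify parameters cannot be allocated, and X509_STORE_get_by_subject() then runs on a context that was never set up. Now that the function has a `fail:` label that frees csc, the check costs one line per site: `if (X509_STORE_CTX_init(csc, x509_cas, cert, NULL) != 1) goto fail;` and, after the cleanup, `if (X509_STORE_CTX_init(csc, x509_certs, cert, NULL) != 1) goto fail;`. Separately, the new log message says "failed to get memory for certificate store", but what failed is the X509_STORE_CTX allocation; `"failed to allocate certificate store context"` would point a reader at the right object. x509_generate_kn begins before this hunk and continues past it.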
@@ -435,6 +443,7 @@ x509_generate_kn(int id, X509 *cert)
return 1;
fail:
+ X509_STORE_CTX_free(csc);
free(buf);
free(skey);
free(ikey);
@@ -812,25 +821,31 @@ x509_cert_get(u_int8_t *asn, u_int32_t l
int
x509_cert_validate(void *scert)
{
- X509_STORE_CTX csc;
+ X509_STORE_CTX *csc;
X509_NAME *issuer, *subject;
X509 *cert = (X509 *) scert;
EVP_PKEY *key;
- int res, err;
+ int res, err, flags;
/*
* Validate the peer certificate by checking with the CA certificates
* we trust.
*/
- X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
+ csc = X509_STORE_CTX_new();
+ if (csc == NULL) {
+ log_print("x509_cert_validate: failed to get memory for "
+ "certificate store");
+ }
+ X509_STORE_CTX_init(csc, x509_cas, cert, NULL);
/* XXX See comment in x509_read_crls_from_dir. */
- if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
- X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
- X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
- }
- res = X509_verify_cert(&csc);
- err = csc.error;
- X509_STORE_CTX_cleanup(&csc);
+ flags = X509_VERIFY_PARAM_get_flags(X509_STORE_get0_param(x509_cas));
+ if (flags & X509_V_FLAG_CRL_CHECK) {
+ X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK_ALL);
+ }
+ res = X509_verify_cert(csc);
+ err = X509_STORE_CTX_get_error(csc);
+ X509_STORE_CTX_free(csc);
/*
* Return if validation succeeded or self-signed certs are not