Control: tag -1 patch -fixed-upstream I don't see where the direct struct access issues have been fixed upstream, the source code snapshot available from http://www.kermitproject.org/ckdaily.html still has lots of those.
I have prepared a patch that fixes building with OpenSSL 1.1 and would appreciate a review. Cheers, -Hilko
Index: ckermit-302/ck_ssl.c =================================================================== --- ckermit-302.orig/ck_ssl.c +++ ckermit-302/ck_ssl.c @@ -301,7 +301,7 @@ X509_STORE_CTX *ctx; break; default: printf("Error %d while verifying certificate.\r\n", - ctx->error); + X509_STORE_CTX_get_error(ctx)); break; } } @@ -933,13 +933,15 @@ static DH * get_dh512() { DH *dh=NULL; + BIGNUM *p, *g; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); + g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + if ((p == NULL) || (g == NULL)) return(NULL); + DH_set0_pqg(dh, p, NULL, g); return(dh); } @@ -947,13 +949,15 @@ static DH * get_dh768() { DH *dh=NULL; + BIGNUM *p, *g; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL); - dh->g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL); + g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL); + if ((p == NULL) || (g == NULL)) return(NULL); + DH_set0_pqg(dh, p, NULL, g); return(dh); } @@ -961,13 +965,15 @@ static DH * get_dh1024() { DH *dh=NULL; + BIGNUM *p, *g; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); - dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); + g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); + if ((p == NULL) || (g == NULL)) return(NULL); + DH_set0_pqg(dh, p, NULL, g); return(dh); } @@ -975,13 +981,15 @@ static DH * get_dh1536() { DH *dh=NULL; + BIGNUM *p, *g; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL); - dh->g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL); + g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL); + if ((p == NULL) || (g == NULL)) return(NULL); + DH_set0_pqg(dh, p, NULL, g); return(dh); } @@ -989,13 +997,15 @@ static DH * get_dh2048() { DH *dh=NULL; + BIGNUM *p, *g; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); + g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); + if ((p == NULL) || (g == NULL)) return(NULL); + DH_set0_pqg(dh, p, NULL, g); return(dh); } #endif /* NO_DH */ @@ -1054,10 +1064,11 @@ ssl_display_comp(SSL * ssl) if (ssl == NULL) return; - if (ssl->expand == NULL || ssl->expand->meth == NULL) + COMP_METHOD *x = SSL_get_current_expansion(ssl); + if (x) printf("Compression: None\r\n"); else { - printf("Compression: %s\r\n",ssl->expand->meth->name); + printf("Compression: %s\r\n",SSL_COMP_get0_name(x)); } } @@ -1457,13 +1468,15 @@ the build.\r\n\r\n"); #ifdef ZLIB cm = COMP_zlib(); - if (cm != NULL && cm->type != NID_undef) { + if (cm != NULL && SSL_COMP_get_id(cm) != NID_undef) { SSL_COMP_add_compression_method(0xe0, cm); /* EAY's ZLIB ID */ } #endif /* ZLIB */ +#if 0 /* COMP_rle has apparently been removed in OpenSSL 1.1 */ cm = COMP_rle(); if (cm != NULL && cm->type != NID_undef) SSL_COMP_add_compression_method(0xe1, cm); /* EAY's RLE ID */ +#endif /* Ensure the Random number generator has enough entropy */ if ( !RAND_status() ) { @@ -1483,12 +1496,14 @@ the build.\r\n\r\n"); } debug(F110,"ssl_rnd_file",ssl_rnd_file,0); +#ifndef OPENSSL_NO_EGD rc1 = RAND_egd(ssl_rnd_file); debug(F111,"ssl_once_init","RAND_egd()",rc1); if ( rc1 <= 0 ) { rc2 = RAND_load_file(ssl_rnd_file, -1); debug(F111,"ssl_once_init","RAND_load_file()",rc1); } +#endif if ( rc1 <= 0 && !rc2 ) { @@ -2583,7 +2598,7 @@ ssl_anonymous_cipher(ssl) SSL * ssl; int ssl_verify_crl(int ok, X509_STORE_CTX *ctx) { - X509_OBJECT obj; + X509_OBJECT *obj = X509_OBJECT_new(); X509_NAME *subject = NULL; X509_NAME *issuer = NULL; X509 *xs = NULL; @@ -2649,11 +2664,10 @@ ssl_verify_crl(int ok, X509_STORE_CTX *c * Try to retrieve a CRL corresponding to the _subject_ of * the current certificate in order to verify it's integrity. */ - memset((char *)&obj, 0, sizeof(obj)); X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL); - rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj); + rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj); X509_STORE_CTX_cleanup(store_ctx); - crl = obj.data.crl; + crl = X509_OBJECT_get0_X509_CRL(obj); if (rc > 0 && crl != NULL) { /* * Verify the signature on this CRL @@ -2661,7 +2675,7 @@ ssl_verify_crl(int ok, X509_STORE_CTX *c if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) { fprintf(stderr, "Invalid signature on CRL!\n"); X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(obj); X509_STORE_CTX_free(store_ctx); return 0; } @@ -2674,7 +2688,7 @@ ssl_verify_crl(int ok, X509_STORE_CTX *c fprintf(stderr, "Found CRL has invalid nextUpdate field.\n"); X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(&obj); X509_STORE_CTX_free(store_ctx); return 0; } @@ -2683,11 +2697,11 @@ ssl_verify_crl(int ok, X509_STORE_CTX *c "Found CRL is expired - revoking all certificates until you get updated CRL.\n" ); X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED); - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(&obj); X509_STORE_CTX_free(store_ctx); return 0; } - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(&obj); } /* @@ -2698,7 +2712,7 @@ ssl_verify_crl(int ok, X509_STORE_CTX *c X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL); rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj); X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */ - crl = obj.data.crl; + crl = X509_OBJECT_get0_X509_CRL(obj); if (rc > 0 && crl != NULL) { /* * Check if the current certificate is revoked by this CRL @@ -2706,19 +2720,19 @@ ssl_verify_crl(int ok, X509_STORE_CTX *c n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); for (i = 0; i < n; i++) { revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); - if (ASN1_INTEGER_cmp(revoked->serialNumber, + if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), X509_get_serialNumber(xs)) == 0) { - serial = ASN1_INTEGER_get(revoked->serialNumber); + serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(revoked)); cp = X509_NAME_oneline(issuer, NULL, 0); free(cp); X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(&obj); return 0; } } - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(&obj); } return ok; } @@ -4338,9 +4352,11 @@ X509_userok(X509 * peer_cert, const char FILE *fp; struct passwd *pwd; X509 *file_cert; + const ASN1_BIT_STRING *peer_sig, *file_sig; if ( peer_cert == NULL ) return(0); + X509_get0_signature(&peer_sig, NULL, peer_cert); if (!(pwd = getpwnam(userid))) return 0; @@ -4351,7 +4367,8 @@ X509_userok(X509 * peer_cert, const char if (!(fp = fopen(buf, "r"))) return 0; while (!r && (file_cert = PEM_read_X509(fp, NULL, NULL, NULL))) { - if (!ASN1_STRING_cmp(peer_cert->signature, file_cert->signature)) + X509_get0_signature(&file_sig, NULL, file_cert); + if (!ASN1_STRING_cmp(peer_sig, file_sig)) r = 1; X509_free(file_cert); }