[sr-dev] git:master:46f0f1c0: auth_identity: switched to use pointer of X509_STORE_CTX

Daniel-Constantin Mierla miconda at gmail.com
Thu Sep 15 16:33:19 CEST 2016


Module: kamailio
Branch: master
Commit: 46f0f1c0f492c45c1b1bbcfd4a0cc63eb56480ea
URL: https://github.com/kamailio/kamailio/commit/46f0f1c0f492c45c1b1bbcfd4a0cc63eb56480ea

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2016-09-15T16:32:43+02:00

auth_identity: switched to use pointer of X509_STORE_CTX

- starting with libssl 1.1.0 the size of X509_STORE_CTX is not known at
  compile time, throwing error:

error: storage size of 'ca_ctx' isn't known
   X509_STORE_CTX ca_ctx;

- reported by Victor Seva, GH #685

---

Modified: modules/auth_identity/auth_crypt.c

---

Diff:  https://github.com/kamailio/kamailio/commit/46f0f1c0f492c45c1b1bbcfd4a0cc63eb56480ea.diff
Patch: https://github.com/kamailio/kamailio/commit/46f0f1c0f492c45c1b1bbcfd4a0cc63eb56480ea.patch

---

diff --git a/modules/auth_identity/auth_crypt.c b/modules/auth_identity/auth_crypt.c
index 2aa6a0a..c6a0fd1 100644
--- a/modules/auth_identity/auth_crypt.c
+++ b/modules/auth_identity/auth_crypt.c
@@ -35,6 +35,7 @@
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/crypto.h>
 #include <openssl/x509_vfy.h>
 
 #include "../../mem/mem.h"
@@ -113,7 +114,7 @@ int check_x509_subj(X509 *pcert, str* sdom)
 
 			if (actname->type == GEN_DNS || actname->type == GEN_URI) {
 				/* we've found one */
-				altptr = (char *)ASN1_STRING_data(actname->d.ia5);
+				altptr = (char *)ASN1_STRING_get0_data(actname->d.ia5);
 				if (actname->type == GEN_URI) {
 					if (parse_uri(altptr, strlen(altptr), &suri) != 0) {
 						continue;
@@ -161,22 +162,30 @@ int check_x509_subj(X509 *pcert, str* sdom)
 
 int verify_x509(X509 *pcert, X509_STORE *pcacerts)
 {
-	X509_STORE_CTX ca_ctx;
+	X509_STORE_CTX *ca_ctx = NULL;
 	char *strerr;
 
+	ca_ctx = X509_STORE_CTX_new();
+	if(ca_ctx==NULL) {
+		LM_ERR("cannot get a x509 context\n");
+		return -1;
+	}
 
-	if (X509_STORE_CTX_init(&ca_ctx, pcacerts, pcert, NULL) != 1) {
+	if (X509_STORE_CTX_init(ca_ctx, pcacerts, pcert, NULL) != 1) {
 		LOG(L_ERR, "AUTH_IDENTITY:verify_x509: Unable to init X509 store ctx\n");
+		X509_STORE_CTX_free(ca_ctx);
 		return -1;
 	}
 
-	if (X509_verify_cert(&ca_ctx) != 1) {
-		strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
+	if (X509_verify_cert(ca_ctx) != 1) {
+		strerr = (char *)X509_verify_cert_error_string(X509_STORE_CTX_get_error(ca_ctx));
 		LOG(L_ERR, "AUTH_IDENTITY VERIFIER: Certificate verification error: %s\n", strerr);
-		X509_STORE_CTX_cleanup(&ca_ctx);
+		X509_STORE_CTX_cleanup(ca_ctx);
+		X509_STORE_CTX_free(ca_ctx);
 		return -2;
 	}
-	X509_STORE_CTX_cleanup(&ca_ctx);
+	X509_STORE_CTX_cleanup(ca_ctx);
+	X509_STORE_CTX_free(ca_ctx);
 
 	LOG(AUTH_DBG_LEVEL, "AUTH_IDENTITY VERIFIER: Certificate is valid\n");
 




More information about the sr-dev mailing list