[openssl-dev] build issue with openssl 1.1.0-pre5

Douglas E Engert deengert at gmail.com
Wed Jun 29 15:47:26 UTC 2016 

Good to hear that grid proxy and RFC3820 are still being used. I worked on both before I retired a few years ago from Argonne Nat Lab.

I see you have commented on the OpenSC mailinig list too. In a note earlier today I said:
OpenSC has  been looking at the approach - program to 1.1.0  and add a  sc_ossl_compat.h that uses inline routines for older version of openssl  going back to 0.9.7 (not my choice, but someone asked 
for 0.9.7)  Only changes needed by OpenSC are defined, but it is a start.
Some #ifdefs are still needed, but only a handful, and could be isolated to the sc_ossl_compat.h.

See https://github.com/dengert/OpenSC/commit/8e00355cbcb42deefc2c44e910f23aa3d137f298

This does not address all your issues because OpenSC is not using X509_STORE_CTX but have a look at the BN_ and  pkey->type == EVP_PKEY_RSA
type issues.

On 6/29/2016 9:35 AM, Jan Just Keijser wrote:
> hi all,
>
> I'm the maintainer of grid-proxy-verify, a grid-tool that uses "plain" openssl to verify a grid proxy (either RFC3820 or legacy Globus proxy). This tool
>   http://www.nikhef.nl/~janjust/proxy-verify/
> and
>   http://www.nikhef.nl/~janjust/proxy-verify/grid-proxy-verify.c
> builds without any warnings with openssl 0.9.8 and 1.0.x, e.g. using
>   gcc -Wall -pedantic -c -o grid-proxy-verify.o grid-proxy-verify.c
> but with 1.1.0 I run into all sorts of issues (see the bottom of this email). Most of these have to do with members of structs becoming opaque but especially the disappearance of the check_issued 
> callback is worrisome, as that callback is crucial for verifying proxy certificates. How should I modify my code so that it builds and links with openssl 1.1.0?
>
>
> thx for any pointers,
>
> JJK / Jan Just Keijser
>
> $ gcc -I openssl-1.1.0-pre5/include -o grid-proxy-verify.o grid-proxy-verify.c
> grid-proxy-verify.c: In function ‘grid_X509_check_issued_wrapper’:
> grid-proxy-verify.c:337:14: error: dereferencing pointer to incomplete type
>      if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0;
>               ^
> grid-proxy-verify.c:341:8: error: dereferencing pointer to incomplete type
>      ctx->error = ret;
>         ^
> grid-proxy-verify.c:342:8: error: dereferencing pointer to incomplete type
>      ctx->current_cert = x;
>         ^
> grid-proxy-verify.c:343:8: error: dereferencing pointer to incomplete type
>      ctx->current_issuer = issuer;
>         ^
> grid-proxy-verify.c:344:15: error: dereferencing pointer to incomplete type
>      return ctx->verify_cb(0, ctx);
>                ^
> grid-proxy-verify.c: In function ‘grid_verifyProxy’:
> grid-proxy-verify.c:529:25: error: dereferencing pointer to incomplete type
>                  if (pkey->type == EVP_PKEY_RSA)
>                          ^
> grid-proxy-verify.c:531:56: error: dereferencing pointer to incomplete type
>                      int key_strength = BN_num_bits(pkey->pkey.rsa->n);
>                                                         ^
> grid-proxy-verify.c: In function ‘grid_X509_verify_callback’:
> grid-proxy-verify.c:593:16: error: dereferencing pointer to incomplete type
>              ctx->error = errnum;
>                 ^
> grid-proxy-verify.c:620:21: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
>          certstack = (STACK_OF(X509) *) X509_STORE_CTX_get_chain( ctx );
>                      ^
> grid-proxy-verify.c:627:12: error: dereferencing pointer to incomplete type
>          ctx->error = errnum;
>             ^
> In file included from openssl-1.1.0-pre5/include/openssl/x509.h:363:0,
>                  from grid-proxy-verify.c:38:
> grid-proxy-verify.c: In function ‘grid_verifyCert’:
> openssl-1.1.0-pre5/include/openssl/x509_vfy.h:107:56: error: dereferencing pointer to incomplete type
>  # define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func))
>                                                         ^
> grid-proxy-verify.c:686:5: note: in expansion of macro ‘X509_STORE_set_verify_cb_func’
>      X509_STORE_set_verify_cb_func (store, grid_X509_verify_callback);
>      ^
> grid-proxy-verify.c:720:10: error: dereferencing pointer to incomplete type
>      store->check_issued = grid_X509_check_issued_wrapper;
>           ^
> grid-proxy-verify.c:783:9: error: dereferencing pointer to incomplete type
>      cert->ex_flags |= EXFLAG_PROXY;
>          ^
> grid-proxy-verify.c:785:16: error: dereferencing pointer to incomplete type
>      verify_ctx -> param -> depth = depth + 5;
>                 ^
> grid-proxy-verify.c:794:25: error: dereferencing pointer to incomplete type
>          ret = verify_ctx->error;
>                          ^
> grid-proxy-verify.c: In function ‘main’:
> grid-proxy-verify.c:965:5: warning: ‘ERR_remove_state’ is deprecated (declared at openssl-1.1.0-pre5/include/openssl/err.h:363) [-Wdeprecated-declarations]
>      ERR_remove_state(0);
>      ^
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>

More information about the openssl-dev mailing list