Module: kamailio Branch: 4.4 Commit: 0f2a129e4f1790f8d6502ac224b480d60126fb09 URL: https://github.com/kamailio/kamailio/commit/0f2a129e4f1790f8d6502ac224b480d6...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Victor Seva linuxmaniac@torreviejawireless.org Date: 2016-10-27T16:34:27+02:00
auth_identity: switched to use pointer of X509_STORE_CTX
- starting with libssl 1.1.0 the size of X509_STORE_CTX is not known at compile time, throwing error:
error: storage size of 'ca_ctx' isn't known X509_STORE_CTX ca_ctx;
- reported by Victor Seva, GH #685
(cherry picked from commit 46f0f1c0f492c45c1b1bbcfd4a0cc63eb56480ea)
---
Modified: modules/auth_identity/auth_crypt.c
---
Diff: https://github.com/kamailio/kamailio/commit/0f2a129e4f1790f8d6502ac224b480d6... Patch: https://github.com/kamailio/kamailio/commit/0f2a129e4f1790f8d6502ac224b480d6...
---
diff --git a/modules/auth_identity/auth_crypt.c b/modules/auth_identity/auth_crypt.c
index de5b03d..dbb0957 100644
--- a/modules/auth_identity/auth_crypt.c
+++ b/modules/auth_identity/auth_crypt.c
@@ -37,6 +37,7 @@
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/crypto.h>
 #include <openssl/x509_vfy.h>
 #include "../../mem/mem.h"
@@ -115,7 +116,7 @@ int check_x509_subj(X509 *pcert, str* sdom)
 if (actname->type == GEN_DNS || actname->type == GEN_URI) {
 /* we've found one */
- altptr = (char *)ASN1_STRING_data(actname->d.ia5);
+ altptr = (char *)ASN1_STRING_get0_data(actname->d.ia5);
 if (actname->type == GEN_URI) {
 if (parse_uri(altptr, strlen(altptr), &suri) != 0) {
 continue;
@@ -163,22 +164,30 @@ int check_x509_subj(X509 *pcert, str* sdom)
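Review bot: The subjectAltName value is still treated as a C string after the accessor swap: `altptr` goes to `strlen()` in the `parse_uri(altptr, strlen(altptr), &suri)` context line, but an ASN.1 IA5String carries its own length and may contain an embedded NUL, so the name that gets compared can be shorter than the one the CA actually signed. Take the length from `ASN1_STRING_length(actname->d.ia5)` and skip the entry when it differs from `strlen(altptr)`. Separately, `ASN1_STRING_get0_data()` exists only from OpenSSL 1.1.0 on, so if this branch still has to build against older libssl the call needs a guard such as `#if OPENSSL_VERSION_NUMBER < 0x10100000L`; it also returns `const unsigned char *`, which the `(char *)` cast discards. The loop body continues outside the hunk.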
 int verify_x509(X509 *pcert, X509_STORE *pcacerts)
 {
- X509_STORE_CTX ca_ctx;
+ X509_STORE_CTX *ca_ctx = NULL;
 char *strerr;
+ ca_ctx = X509_STORE_CTX_new();
+ if(ca_ctx==NULL) {
+ LM_ERR("cannot get a x509 context\n");
+ return -1;
+ }
- if (X509_STORE_CTX_init(&ca_ctx, pcacerts, pcert, NULL) != 1) { + if (X509_STORE_CTX_init(ca_ctx, pcacerts, pcert, NULL) != 1) { LOG(L_ERR, "AUTH_IDENTITY:verify_x509: Unable to init X509 store ctx\n"); + X509_STORE_CTX_free(ca_ctx); return -1; }
- if (X509_verify_cert(&ca_ctx) != 1) { - strerr = (char *) X509_verify_cert_error_string(ca_ctx.error); + if (X509_verify_cert(ca_ctx) != 1) { + strerr = (char *)X509_verify_cert_error_string(X509_STORE_CTX_get_error(ca_ctx)); LOG(L_ERR, "AUTH_IDENTITY VERIFIER: Certificate verification error: %s\n", strerr); - X509_STORE_CTX_cleanup(&ca_ctx); + X509_STORE_CTX_cleanup(ca_ctx); + X509_STORE_CTX_free(ca_ctx); return -2; } - X509_STORE_CTX_cleanup(&ca_ctx); + X509_STORE_CTX_cleanup(ca_ctx); + X509_STORE_CTX_free(ca_ctx);
LOG(AUTH_DBG_LEVEL, "AUTH_IDENTITY VERIFIER: Certificate is valid\n");
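Review bot: The verify-failure and success paths in verify_x509 now call `X509_STORE_CTX_cleanup(ca_ctx);` immediately before `X509_STORE_CTX_free(ca_ctx);`, which is redundant because the free routine already cleans the context up; keeping only the free call leaves one release per path to audit. `strerr` could be declared `const char *strerr;` so the cast on `X509_verify_cert_error_string()` can go. The new allocation-failure message also uses `LM_ERR` without the `AUTH_IDENTITY` prefix that the neighbouring `LOG(L_ERR, ...)` lines carry, which makes it harder to attribute in logs. The function's final return lies outside the hunk.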