[xmltooling] 07/07: Unwind previous.
Ferenc Wágner
wferi at moszumanska.debian.org
Fri Sep 2 19:55:53 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi pushed a commit to branch master
in repository xmltooling.
commit bae0dd5307ac389c17901050bf6b0de6a66700f2
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date: Tue Jul 19 16:51:30 2016 +0100
Unwind previous.
Managed to get myself into a fankle: whilst I meant to create
a branch and then make changes, I pushed the changes and
then made the remote branch. Sigh.
This leaves mainline in a precarious position, so this backs
it all out.
I'll commit the inverse change to the new branch and from then on
changes should be as I wanted..
Maybe
---
Projects/vc10/xmltooling/xmltooling.vcxproj | 6 +--
.../vc10/xmltooling/xmltooling.vcxproj.filters | 13 +-----
xmltooling/Makefile.am | 2 -
xmltooling/XMLToolingConfig.cpp | 9 ----
.../security/impl/ExplicitKeyTrustEngine.cpp | 9 ++--
.../security/impl/FilesystemCredentialResolver.cpp | 1 -
xmltooling/security/impl/PKIXPathValidator.cpp | 54 +++++++++-------------
xmltooling/security/impl/SecurityHelper.cpp | 13 +++---
xmltooling/soap/impl/CURLSOAPTransport.cpp | 11 ++---
9 files changed, 39 insertions(+), 79 deletions(-)
diff --git a/Projects/vc10/xmltooling/xmltooling.vcxproj b/Projects/vc10/xmltooling/xmltooling.vcxproj
index 48e2cf3..2320132 100644
--- a/Projects/vc10/xmltooling/xmltooling.vcxproj
+++ b/Projects/vc10/xmltooling/xmltooling.vcxproj
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
@@ -194,7 +194,6 @@
<ClCompile Include="..\..\..\XMLTooling\Lockable.cpp" />
<ClCompile Include="..\..\..\XMLTooling\Namespace.cpp" />
<ClCompile Include="..\..\..\XMLTooling\QName.cpp" />
- <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.cpp" />
<ClCompile Include="..\..\..\XMLTooling\security\impl\PKIXPathValidator.cpp" />
<ClCompile Include="..\..\..\XMLTooling\unicode.cpp" />
<ClCompile Include="..\..\..\XMLTooling\util\CloneInputStream.cpp" />
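Review bot: Dropping `OpenSSLSupport.cpp` from the compile list while the diffstat at the top shows no deletion of `security/impl/OpenSSLSupport.cpp` or `.h` leaves those two files in the tree as unbuilt, untested code. The same removal is made in the `.vcxproj.filters` hunks and in both `Makefile.am` hunks (`implinclude_HEADERS` and `xmlsec_sources`). If the intent of the unwind is to restore the pre-series state, the orphaned files should be deleted in the same commit, or kept in the lists with their contents reverted, so that the tree and the build lists do not drift apart. As written, the next person to touch OpenSSL compatibility will find a compat shim that exists on disk but is silently not part of any build.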
@@ -271,7 +270,6 @@
<ClInclude Include="..\..\..\XMLTooling\Namespace.h" />
<ClInclude Include="..\..\..\XMLTooling\PluginManager.h" />
<ClInclude Include="..\..\..\XMLTooling\QName.h" />
- <ClInclude Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.h" />
<ClInclude Include="..\..\..\XMLTooling\security\OpenSSLPathValidator.h" />
<ClInclude Include="..\..\..\XMLTooling\security\PathValidator.h" />
<ClInclude Include="..\..\..\XMLTooling\security\PKIXPathValidatorParams.h" />
@@ -348,4 +346,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/Projects/vc10/xmltooling/xmltooling.vcxproj.filters b/Projects/vc10/xmltooling/xmltooling.vcxproj.filters
index a3e2882..bee07e2 100644
--- a/Projects/vc10/xmltooling/xmltooling.vcxproj.filters
+++ b/Projects/vc10/xmltooling/xmltooling.vcxproj.filters
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
@@ -73,9 +73,6 @@
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
</Filter>
- <Filter Include="Header Files\security\impl">
- <UniqueIdentifier>{8ce132be-735f-49f0-899a-cc0e7cb8e775}</UniqueIdentifier>
- </Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\..\XMLTooling\AbstractAttributeExtensibleXMLObject.cpp">
@@ -273,9 +270,6 @@
<ClCompile Include="..\..\..\XMLTooling\util\CloneInputStream.cpp">
<Filter>Source Files\util</Filter>
</ClCompile>
- <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.cpp">
- <Filter>Source Files\security\impl</Filter>
- </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\..\XMLTooling\AbstractAttributeExtensibleXMLObject.h">
@@ -527,9 +521,6 @@
<ClInclude Include="..\..\..\XMLTooling\util\CloneInputStream.h">
<Filter>Header Files\util</Filter>
</ClInclude>
- <ClInclude Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.h">
- <Filter>Header Files\security\impl</Filter>
- </ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="..\..\..\XMLTooling\xmltooling.rc">
@@ -540,4 +531,4 @@
<None Include="..\..\..\XMLTooling\config_pub.h.in" />
<None Include="..\..\..\XMLTooling\Makefile.am" />
</ItemGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am
index e2ced1a..f265007 100644
--- a/xmltooling/Makefile.am
+++ b/xmltooling/Makefile.am
@@ -57,7 +57,6 @@ encinclude_HEADERS = \
implinclude_HEADERS = \
impl/AnyElement.h \
- security/impl\OpenSSLSupport.h \
impl/UnknownElement.h
ioinclude_HEADERS = \
@@ -148,7 +147,6 @@ xmlsec_sources = \
security/impl/InlineKeyResolver.cpp \
security/impl/KeyInfoResolver.cpp \
security/impl/OpenSSLCryptoX509CRL.cpp \
- security/impl/OpenSSLSupport.cpp \
security/impl/PKIXPathValidator.cpp \
security/impl/SecurityHelper.cpp \
security/impl/StaticPKIXTrustEngine.cpp \
diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
index a8b4bb5..6925a23 100644
--- a/xmltooling/XMLToolingConfig.cpp
+++ b/xmltooling/XMLToolingConfig.cpp
@@ -111,15 +111,6 @@ using namespace xmlsignature;
namespace {
static XMLToolingInternalConfig g_config;
#ifndef XMLTOOLING_NO_XMLSEC
-// NOTE:
-// "The old locking functions have been removed completely without compatibility macros"
-// see:
-// https://www.openssl.org/docs/manmaster/crypto/CRYPTO_THREAD_lock_free.html
-//
-// For now we just make the callback compile. More work TBD
-#ifndef CRYPTO_LOCK
-#define CRYPTO_LOCK 1
-#endif
static ptr_vector<Mutex> g_openssl_locks;
extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
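Review bot: With the `#define CRYPTO_LOCK 1` shim removed, `g_openssl_locks` and `openssl_locking_callback` are back to depending on an OpenSSL lock API that 1.1.0 removed outright (the comment being deleted quotes the OpenSSL docs to that effect), so this will presumably fail to compile on that version once the callback body references `CRYPTO_LOCK`; the body is outside this hunk. Faking the constant, as the backed-out code did, only hides the problem: on 1.1.0 `CRYPTO_set_locking_callback` is a no-op and the library handles its own locking. The forward-compatible shape is to guard the lock table and the callback with `#if OPENSSL_VERSION_NUMBER < 0x10100000L` and register them only in that case, rather than to compile a callback that is never invoked. Worth a `// NOTE: pre-1.1.0 only; OpenSSL 1.1.0+ is thread-safe without a locking callback` on `g_openssl_locks` so the next reader does not re-add a shim.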
diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index a4a5dd2..6ad420f 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -34,20 +34,17 @@
#include "signature/Signature.h"
#include "signature/SignatureValidator.h"
#include "util/NDC.h"
-#include "security/impl/OpenSSLSupport.h"
#include <xercesc/util/XMLUniDefs.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
-
using namespace xmlsignature;
using namespace xmltooling::logging;
using namespace xmltooling;
using namespace std;
-
using xercesc::DOMElement;
namespace xmltooling {
@@ -263,8 +260,8 @@ bool ExplicitKeyTrustEngine::validate(
{
RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
- if (rsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA &&
- BN_cmp(RSA_get0_n(rsa),RSA_get0_n(EVP_PKEY_get0_RSA(evp))) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(EVP_PKEY_get0_RSA(evp))) == 0) {
+ if (rsa && evp && evp->type == EVP_PKEY_RSA &&
+ BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
if (evp)
EVP_PKEY_free(evp);
log.debug("end-entity certificate matches peer RSA key information");
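Review bot: The restored `evp->type`, `rsa->n`, `rsa->e` and `evp->pkey.rsa->n` accesses reach into `EVP_PKEY` and `RSA` directly, and those structs are opaque in OpenSSL 1.1.0, so this branch will not compile there; the accessor calls being removed were the forward-compatible form. The same pattern is reinstated in the DSA branch just below (`evp->pkey.dsa->pub_key`), in `PKIXPathValidator.cpp` (`ctx->error_depth`, `ctx->error`, `ctx.chain`), throughout `SecurityHelper.cpp` (`pkey->type`, `rsa1->n`, `rsa1->d`, `dsa1->pub_key`, `dsa1->priv_key`) and in `CURLSOAPTransport.cpp` (`x509_ctx->cert`, `x509_ctx->untrusted`, `x509_ctx->error`). Since the commit message presents this as a temporary unwind, that may be acceptable for now, but the follow-up should re-land the accessors under a version guard (direct member access only when `OPENSSL_VERSION_NUMBER < 0x10100000L`) rather than swap one form for the other wholesale, so the trust-engine key comparison keeps building against both. `validate` begins and ends outside this hunk.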
@@ -279,7 +276,7 @@ bool ExplicitKeyTrustEngine::validate(
{
DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
- if (dsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(EVP_PKEY_get0_DSA(evp))) == 0) {
+ if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
if (evp)
EVP_PKEY_free(evp);
log.debug("end-entity certificate matches peer DSA key information");
diff --git a/xmltooling/security/impl/FilesystemCredentialResolver.cpp b/xmltooling/security/impl/FilesystemCredentialResolver.cpp
index f9a337d..dfeccf7 100644
--- a/xmltooling/security/impl/FilesystemCredentialResolver.cpp
+++ b/xmltooling/security/impl/FilesystemCredentialResolver.cpp
@@ -34,7 +34,6 @@
#include "security/OpenSSLCredential.h"
#include "security/SecurityHelper.h"
#include "security/XSECCryptoX509CRL.h"
-#include "security/impl/OpenSSLSupport.h"
#include "util/NDC.h"
#include "util/PathResolver.h"
#include "util/Threads.h"
diff --git a/xmltooling/security/impl/PKIXPathValidator.cpp b/xmltooling/security/impl/PKIXPathValidator.cpp
index 90cee59..3ac8308 100644
--- a/xmltooling/security/impl/PKIXPathValidator.cpp
+++ b/xmltooling/security/impl/PKIXPathValidator.cpp
@@ -30,7 +30,6 @@
#include "security/OpenSSLCryptoX509CRL.h"
#include "security/PKIXPathValidatorParams.h"
#include "security/SecurityHelper.h"
-#include "security/impl/OpenSSLSupport.h"
#include "util/NDC.h"
#include "util/PathResolver.h"
#include "util/Threads.h"
@@ -55,9 +54,7 @@ namespace {
{
if (!ok) {
Category::getInstance("OpenSSL").error(
- "path validation failure at depth(%d): %s",
- X509_STORE_CTX_get_error_depth(ctx),
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
+ "path validation failure at depth(%d): %s", ctx->error_depth, X509_verify_cert_error_string(ctx->error)
);
}
return ok;
@@ -294,24 +291,18 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
// This contains the state of the validate operation.
int count=0;
- X509StoreCtxRAII ctxContainer;
-
- if (!ctxContainer.of()) {
- log_openssl();
- X509_STORE_free(store);
- return false;
- }
+ X509_STORE_CTX ctx;
// AFAICT, EE and untrusted are passed in but not owned by the ctx.
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- if (X509_STORE_CTX_init(ctxContainer.of(),store,EE,untrusted) != 1) {
+ if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
log_openssl();
m_log.error("unable to initialize X509_STORE_CTX");
X509_STORE_free(store);
return false;
}
#else
- X509_STORE_CTX_init(ctxContainer.of(),store,EE,untrusted);
+ X509_STORE_CTX_init(&ctx,store,EE,untrusted);
#endif
STACK_OF(X509)* CAstack = sk_X509_new_null();
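Review bot: Replacing the RAII `X509StoreCtxRAII` with a stack `X509_STORE_CTX ctx;` means every exit path after `X509_STORE_CTX_init` now has to call `X509_STORE_CTX_cleanup(&ctx)` by hand; the "certificate chain was too long" error path in the next hunk returns outside the visible lines, so I cannot confirm it does, and any missed path leaks the chain and store references the ctx holds. A stack object also requires the complete struct type, which 1.1.0 no longer exposes, whereas `X509_STORE_CTX_new()`/`X509_STORE_CTX_free()` exist in every version this file targets and avoid both problems: `X509_STORE_CTX* ctx = X509_STORE_CTX_new(); if (!ctx) { log_openssl(); X509_STORE_free(store); return false; }` with the existing `&ctx` uses becoming `ctx`. The `#else` branch for OpenSSL < 0.9.7 still ignores the `X509_STORE_CTX_init` result, which is pre-existing but worth a `// init failure not detectable on this version` comment. `validate` begins and ends outside this hunk.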
@@ -325,15 +316,15 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
m_log.debug("supplied (%d) CA certificate(s)", count);
// Seems to be most efficient to just pass in the CA stack.
- ctxContainer.set0TrustedStack(CAstack);
- X509_STORE_CTX_set_depth(ctxContainer.of(),100); // we check the depth down below
- X509_STORE_CTX_set_verify_cb(ctxContainer.of(),error_callback);
+ X509_STORE_CTX_trusted_stack(&ctx,CAstack);
+ X509_STORE_CTX_set_depth(&ctx,100); // we check the depth down below
+ X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
// Do a first pass verify. If CRLs aren't used, this is the only pass.
- int ret = X509_verify_cert(ctxContainer.of());
+ int ret = X509_verify_cert(&ctx);
if (ret == 1) {
// Now see if the depth was acceptable by counting the number of intermediates.
- int depth=sk_X509_num(ctxContainer.get0Chain())-2;
+ int depth=sk_X509_num(ctx.chain)-2;
if (pkixParams->getVerificationDepth() < depth) {
m_log.error(
"certificate chain was too long (%d intermediates, only %d allowed)",
@@ -349,7 +340,7 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
// After the first X509_verify_cert call, the ctx can no longer be used
// (subsequent calls will fail with OpenSSL 1.0.1p / 1.0.2d or later).
- X509_STORE_CTX_cleanup(ctxContainer.of());
+ X509_STORE_CTX_cleanup(&ctx);
// When we add CRLs, we have to be sure the nextUpdate hasn't passed, because OpenSSL won't accept
// the CRL in that case. If we end up not adding a CRL for a particular link in the chain, the
@@ -412,23 +403,23 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
// Do a second pass verify with CRLs in place. Reinitialize ctx, see
// https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=aae41f8c54257d9fa6904d3a9aa09c5db6cefd0d
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- if (X509_STORE_CTX_init(ctxContainer.of(),store,EE,untrusted) != 1) {
+ if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
log_openssl();
m_log.error("unable to initialize X509_STORE_CTX");
ret = 0;
}
#else
- X509_STORE_CTX_init(ctxContainer.of(),store,EE,untrusted);
+ X509_STORE_CTX_init(&ctx,store,EE,untrusted);
#endif
if (ret != 0) {
- ctxContainer.set0TrustedStack(CAstack);
- X509_STORE_CTX_set_depth(ctxContainer.of(),100); // already checked above
- X509_STORE_CTX_set_verify_cb(ctxContainer.of(),error_callback);
+ X509_STORE_CTX_trusted_stack(&ctx,CAstack);
+ X509_STORE_CTX_set_depth(&ctx,100); // already checked above
+ X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
- X509_STORE_CTX_set_flags(ctxContainer.of(), X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
else
- X509_STORE_CTX_set_flags(ctxContainer.of(), X509_V_FLAG_CRL_CHECK);
- ret = X509_verify_cert(ctxContainer.of());
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
+ ret = X509_verify_cert(&ctx);
}
#else
m_log.warn("CRL checking is enabled, but OpenSSL version is too old");
@@ -440,13 +431,13 @@ bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
m_log.debug("successfully validated certificate chain");
}
#if defined(X509_V_ERR_NO_EXPLICIT_POLICY) && (OPENSSL_VERSION_NUMBER < 0x10000000L)
- else if (X509_STORE_CTX_get_error(ctxContainer.of()) == X509_V_ERR_NO_EXPLICIT_POLICY && !pkixParams->isPolicyMappingInhibited()) {
+ else if (X509_STORE_CTX_get_error(&ctx) == X509_V_ERR_NO_EXPLICIT_POLICY && !pkixParams->isPolicyMappingInhibited()) {
m_log.warn("policy mapping requires OpenSSL 1.0.0 or later");
}
#endif
// Clean up...
- X509_STORE_CTX_cleanup(ctxContainer.of());
+ X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
sk_X509_free(CAstack);
@@ -555,10 +546,7 @@ XSECCryptoX509CRL* PKIXPathValidator::getRemoteCRLs(const char* cdpuri) const
bool PKIXPathValidator::isFreshCRL(XSECCryptoX509CRL *c, Category* log) const
{
if (c) {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- const
-#endif
- X509_CRL* crl = static_cast<OpenSSLCryptoX509CRL*>(c)->getOpenSSLX509CRL();
+ const X509_CRL* crl = static_cast<OpenSSLCryptoX509CRL*>(c)->getOpenSSLX509CRL();
time_t thisUpdate = getCRLTime(X509_CRL_get_lastUpdate(crl));
time_t nextUpdate = getCRLTime(X509_CRL_get_nextUpdate(crl));
time_t now = time(nullptr);
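Review bot: Making `crl` unconditionally `const X509_CRL*` presumably reintroduces the problem the backed-out `#if` was working around: on OpenSSL 1.1.0 `X509_CRL_get_lastUpdate`/`X509_CRL_get_nextUpdate` are deprecated functions taking a non-const `X509_CRL*`, so passing a const pointer will not compile there, while on older versions they are macros that accept it. The const-correct and version-stable form is the `X509_CRL_get0_lastUpdate`/`X509_CRL_get0_nextUpdate` pair, with a fallback macro mapping them to the old names when `OPENSSL_VERSION_NUMBER < 0x10100000L`, which keeps `crl` const without the conditional keyword. Freshness checking of a CRL is a revocation-security decision, so a short `// reject stale CRLs: OpenSSL will not accept one past nextUpdate` above the `nextUpdate` line would help the next reader see why both times are fetched. `isFreshCRL` continues outside this hunk.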
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index e53ed8d..0c15f05 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -30,7 +30,6 @@
#include "security/OpenSSLCryptoX509CRL.h"
#include "security/SecurityHelper.h"
#include "security/X509Credential.h"
-#include "security/impl/OpenSSLSupport.h"
#include "soap/HTTPSOAPTransport.h"
#include "util/NDC.h"
@@ -206,7 +205,7 @@ XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char*
// Now map it to an XSEC wrapper.
if (pkey) {
XSECCryptoKey* ret=nullptr;
- switch (EVP_PKEY_id(pkey)) {
+ switch (pkey->type) {
case EVP_PKEY_RSA:
ret=new OpenSSLCryptoKeyRSA(pkey);
break;
@@ -487,7 +486,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
return false;
const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
- return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_e(rsa1),RSA_get0_e(rsa2)) == 0);
+ return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
}
// For a private key, compare the private half.
@@ -496,7 +495,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
return false;
const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
- return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);
+ return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
}
// If one key is public or both, just compare the public key half.
@@ -505,7 +504,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
return false;
const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
- return (dsa1 && dsa2 && BN_cmp(DSA_get0_pubkey(dsa1),DSA_get0_pubkey(dsa2)) == 0);
+ return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
}
// For a private key, compare the private half.
@@ -514,7 +513,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
return false;
const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
- return (dsa1 && dsa2 && BN_cmp(DSA_get0_privkey(dsa1),DSA_get0_privkey(dsa2)) == 0);
+ return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
}
#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
@@ -790,7 +789,7 @@ XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long bu
// Now map it to an XSEC wrapper.
XSECCryptoKey* ret = nullptr;
try {
- switch (EVP_PKEY_id(pkey)) {
+ switch (pkey->type) {
case EVP_PKEY_RSA:
ret = new OpenSSLCryptoKeyRSA(pkey);
break;
diff --git a/xmltooling/soap/impl/CURLSOAPTransport.cpp b/xmltooling/soap/impl/CURLSOAPTransport.cpp
index b7ebe25..38e9271 100644
--- a/xmltooling/soap/impl/CURLSOAPTransport.cpp
+++ b/xmltooling/soap/impl/CURLSOAPTransport.cpp
@@ -30,7 +30,6 @@
#include "security/CredentialCriteria.h"
#include "security/OpenSSLTrustEngine.h"
#include "security/OpenSSLCredential.h"
-#include "security/impl/OpenSSLSupport.h"
#include "soap/HTTPSOAPTransport.h"
#include "soap/OpenSSLSOAPTransport.h"
#include "util/NDC.h"
@@ -712,20 +711,20 @@ int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
ctx->m_criteria->setUsage(Credential::TLS_CREDENTIAL);
// Bypass name check (handled for us by curl).
ctx->m_criteria->setPeerName(nullptr);
- success = ctx->m_trustEngine->validate(X509_STORE_CTX_get0_cert(x509_ctx),X509_STORE_CTX_get0_untrusted(x509_ctx),*(ctx->m_peerResolver),ctx->m_criteria);
+ success = ctx->m_trustEngine->validate(x509_ctx->cert,x509_ctx->untrusted,*(ctx->m_peerResolver),ctx->m_criteria);
}
else {
// Bypass name check (handled for us by curl).
CredentialCriteria cc;
cc.setUsage(Credential::TLS_CREDENTIAL);
- success = ctx->m_trustEngine->validate(X509_STORE_CTX_get0_cert(x509_ctx),X509_STORE_CTX_get0_untrusted(x509_ctx),*(ctx->m_peerResolver),&cc);
+ success = ctx->m_trustEngine->validate(x509_ctx->cert,x509_ctx->untrusted,*(ctx->m_peerResolver),&cc);
}
if (!success) {
log.error("supplied TrustEngine failed to validate SSL/TLS server certificate");
- if (X509_STORE_CTX_get0_cert(x509_ctx)) {
+ if (x509_ctx->cert) {
BIO* b = BIO_new(BIO_s_mem());
- X509_print(b, X509_STORE_CTX_get0_cert(x509_ctx));
+ X509_print(b, x509_ctx->cert);
BUF_MEM* bptr = nullptr;
BIO_get_mem_ptr(b, &bptr);
if (bptr && bptr->length > 0) {
@@ -737,7 +736,7 @@ int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
}
BIO_free(b);
}
- X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION); // generic error, check log for plugin specifics
+ x509_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION; // generic error, check log for plugin specifics
ctx->setAuthenticated(false);
return ctx->m_mandatory ? 0 : 1;
}