curl-library

Re: OpenSSL OCSP API breakage

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Fri, 20 Mar 2015 13:15:17 +0100

On Fri, Mar 20, 2015 at 11:21:42 +0100, Daniel Stenberg wrote:
> Hey
>
> Just a heads up here. And a chance for me to whine a little bit.
>
> Yesterday after the recent OpenSSL security announcement I updated to the
> latest OpenSSL git master in a local build of mine, only to realize that
> they've changed the API in HEAD and as a consequence libcurl no longer
> builds with the latest OpenSSL code.
>
> The OpenSSL commit 6ef869d7d0a9d is the offender, and it was made quite
> deliberately: "Make OCSP structures opaque."
>
> I figure we should replace the struct references with the proper function
> invokes but after having read our code and the latest OpenSSL headers it
> isn't really clear to me which ones to use.
>
> Here's a sample of how this tastes:
>
> vtls/openssl.c: In function 'verifystatus':
> vtls/openssl.c:1371:44: error: dereferencing pointer to incomplete type
> if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
> ^
> vtls/openssl.c:1372:39: error: dereferencing pointer to incomplete type
> X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);

These two are needed to work around the OpenSSL verification bug [0], and without
it the feature won't work with a pretty big number of servers. I still haven't
received any comment on my patch (see link), and I kind of gave up a while ago.

Unfortunately there doesn't seem to be any "getter" functions for the ->certs
field, so either the bug gets fixed or libcurl will be b0rked. Trying openssl
git master without the workaround may be worth a try, but looking at the code,
the issue doesn't seem to be fixed yet.

I don't know if there is anyone listening who can do anything about it, but it's
IMO a pretty important OpenSSL issue that really needs to be fixed, if you care
about OCSP.

> vtls/openssl.c:1399:36: error: dereferencing pointer to incomplete type
> if(!sk_OCSP_SINGLERESP_value(br->tbsResponseData->responses, i))
> ^

This and the other sk_OCSP_SINGLERESP_* calls can be replaced by the respective
OCSP_resp_* calls; I can write a patch for that.

Cheers

[0] https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3668


Received on 2015-03-20