From: Viktor Dukhovni
Date: Sun, 24 Apr 2016 13:40:13 +0000 (-0400)
Subject: Bitrot: X509_STORE_CTX opaque in OpenSSL 1.1.0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1047f92eedab6c2ea6ea7f02b754153e5ac15a1;p=thirdparty%2Fpostfix.git
Bitrot: X509_STORE_CTX opaque in OpenSSL 1.1.0
---
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index a335fc8ad..0079dc316 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -90,6 +90,10 @@ extern const NAME_CODE tls_level_table[];
 CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
 #define EVP_PKEY_up_ref(k) \
 CRYPTO_add(&((k)->references), 1, CRYPTO_LOCK_EVP_PKEY)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_CTX_get0_untrusted(ctx) ((ctx)->untrusted)
+#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain
+#define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack
 #endif
 /* SSL_CIPHER_get_name() got constified in 0.9.7g */
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 3f6060980..4038c70f7 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -1716,8 +1716,8 @@ static void set_trust(TLS_SESS_STATE *TLScontext, X509_STORE_CTX *ctx)
 int depth = 0;
 EVP_PKEY *takey;
 X509 *ca;
- X509 *cert = ctx->cert; /* XXX: Accessor? */
- x509_stack_t *in = ctx->untrusted; /* XXX: Accessor? */
+ X509 *cert = X509_STORE_CTX_get0_cert(ctx);
+ x509_stack_t *in = X509_STORE_CTX_get0_untrusted(ctx);
 /* shallow copy */
 if ((in = sk_X509_dup(in)) == 0)
@@ -1798,7 +1798,7 @@ static int dane_cb(X509_STORE_CTX *ctx, void *app_ctx)
 {
 const char *myname = "dane_cb";
 TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx;
- X509 *cert = ctx->cert; /* XXX: accessor? */
+ X509 *cert = X509_STORE_CTX_get0_cert(ctx);
 /*
 * Degenerate case: depth 0 self-signed cert.
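Review bot: The two getter shims added in the tls.h hunk expand to bare struct members (`((ctx)->cert)`, `((ctx)->untrusted)`), which are lvalues, so an accidental assignment through them would compile against older OpenSSL and fail only when built against 1.1.0. Casting the expansion, for example `#define X509_STORE_CTX_get0_cert(ctx) ((X509 *)(ctx)->cert)`, keeps the shim read-only like the real accessor. The enclosing `#if` is outside the hunk; because these names are identical to real OpenSSL 1.1.0 functions, a comment above the block such as `/* pre-1.1.0 only: X509_STORE_CTX is still a visible struct here */` would record the assumption that guard has to enforce.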
@@ -1828,9 +1828,9 @@ static int dane_cb(X509_STORE_CTX *ctx, void *app_ctx)
 * Check that setting the untrusted chain updates the expected structure
 * member at the expected offset.
 */
- X509_STORE_CTX_trusted_stack(ctx, TLScontext->trusted);
- X509_STORE_CTX_set_chain(ctx, TLScontext->untrusted);
- if (ctx->untrusted != TLScontext->untrusted)
+ X509_STORE_CTX_set0_trusted_stack(ctx, TLScontext->trusted);
+ X509_STORE_CTX_set0_untrusted(ctx, TLScontext->untrusted);
+ if (X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted)
 msg_panic("%s: OpenSSL ABI change", myname);
 return X509_verify_cert(ctx);
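Review bot: When built against OpenSSL 1.1.0 the `msg_panic` guard in this hunk compares the result of one library accessor with the pointer just handed to another, so it can no longer detect a header/library layout mismatch. The comment above it ("updates the expected structure member at the expected offset") describes only the pre-1.1.0 build, where `X509_STORE_CTX_get0_untrusted` is the macro that reads `ctx->untrusted` directly. I would reword the comment to say so, for example `/* Only meaningful before OpenSSL 1.1.0, where the getter reads the struct member directly. */`. Only the untrusted chain is read back in the visible lines; the trusted stack set on the line before has no equivalent check. The body of dane_cb starts and ends outside the hunk.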