openssl-1.1.1.patch

   1 diff -ur ckermit-9.0.302/ck_crp.c ckermit-9.0.302.openssl111/ck_crp.c
   2 --- ckermit-9.0.302/ck_crp.c    2011-08-20 23:02:21.000000000 +0200
   3 +++ ckermit-9.0.302.openssl111/ck_crp.c 2018-10-21 13:18:30.581182834 +0200
   4 @@ -295,7 +295,7 @@
   5  #define des_new_random_key            des_random_key
   6  #define des_set_random_generator_seed des_random_seed
   7  #endif /* UNIX */
   8 -#define des_fixup_key_parity          des_set_odd_parity
   9 +#define des_fixup_key_parity          DES_set_odd_parity
  10  #ifdef OPENSSL_097
  11  #define OPENSSL_ENABLE_OLD_DES_SUPPORT
  12  #include <openssl/des.h>
  13 @@ -394,7 +394,7 @@
  14  void
  15  des_set_random_generator_seed(Block B)
  16  {
  17 -    des_random_seed(B);
  18 +//    DES_random_seed(B);
  19      return;
  20  }
  21
  22 @@ -403,7 +403,7 @@
  23  void
  24  des_fixup_key_parity(Block B)
  25  {
  26 -    des_set_odd_parity(B);
  27 +    DES_set_odd_parity(B);
  28      return;
  29  }
  30  #endif /* COMMENT */
  31 @@ -415,7 +415,7 @@
  32         This might need to have the "rc = " removed because this
  33         is VOID in later, and maybe even all, versions.
  34      */
  35 -    rc = des_random_key(B);
  36 +    rc = DES_random_key(B);
  37      return(rc);
  38  }
  39
  40 @@ -2138,8 +2138,9 @@
  41          }
  42
  43  #else /* MIT_CURRENT */
  44 -        des_new_random_key(fbp->temp_feed);
  45 -        des_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
  46 +        DES_random_key(fbp->temp_feed);
  47 +       int DES_random_key(DES_cblock *ret);
  48 +        DES_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
  49                           fbp->krbdes_sched, 1);
  50  #endif /* MIT_CURRENT */
  51          p = fbp->fb_feed + 3;
  52 @@ -2457,14 +2458,14 @@
  53      fb64_stream_key(fbp->krbdes_key, c_stream);
  54
  55      if (fbp->once == 0) {
  56 -        des_set_random_generator_seed(fbp->krbdes_key);
  57 +//        DES_set_random_generator_seed(fbp->krbdes_key);
  58          fbp->once = 1;
  59      }
  60
  61      memset(fbp->krbdes_sched,0,sizeof(Schedule));
  62      ckhexdump("fb64_session_key",fbp->krbdes_key,8);
  63
  64 -    rc = des_key_sched(fbp->krbdes_key, fbp->krbdes_sched);
  65 +    rc = DES_key_sched(fbp->krbdes_key, fbp->krbdes_sched);
  66      if ( rc == -1 ) {
  67          printf("?Invalid DES key specified for encryption\n");
  68          debug(F110,"fb64_session_key",
  69 @@ -2620,7 +2621,7 @@
  70      ckhexdump("fb64_stream_iv",stp->str_ikey,8);
  71
  72  #ifndef MIT_CURRENT
  73 -    rc = des_key_sched(stp->str_ikey, stp->str_sched);
  74 +    rc = DES_key_sched(stp->str_ikey, stp->str_sched);
  75      if ( rc == -1 ) {
  76          printf("?Invalid DES key specified for encryption\r\n");
  77          debug(F110,"fb64_stream_iv",
  78 @@ -2662,7 +2663,7 @@
  79
  80      ckhexdump("fb64_stream_key",key,8);
  81
  82 -    rc = des_key_sched(key, stp->str_sched);
  83 +    rc = DES_key_sched(key, stp->str_sched);
  84      if ( rc == -1 ) {
  85          printf("?Invalid DES key specified for encryption\r\n");
  86          debug(F110,"fb64_stream_key",
  87 @@ -2721,7 +2722,7 @@
  88  #ifdef MIT_CURRENT
  89              ecb_encrypt(stp, stp->str_output, b);
  90  #else /* MIT_CURRENT */
  91 -            des_ecb_encrypt(stp->str_output, b, stp->str_sched, 1);
  92 +            DES_ecb_encrypt(stp->str_output, b, stp->str_sched, 1);
  93  #endif /* MIT_CURRENT */
  94              memcpy(stp->str_feed,b,sizeof(Block));
  95              index = 0;
  96 @@ -2759,7 +2760,7 @@
  97  #ifdef MIT_CURRENT
  98          ecb_encrypt(stp, stp->str_output, b);
  99  #else /* MIT_CURRENT */
 100 -        des_ecb_encrypt(stp->str_output, b, stp->str_sched, 1);
 101 +        DES_ecb_encrypt(stp->str_output, b, stp->str_sched, 1);
 102  #endif /* MIT_CURRENT */
 103          memcpy(stp->str_feed, b, sizeof(Block));
 104          stp->str_index = 1;     /* Next time will be 1 */
 105 @@ -2805,7 +2806,7 @@
 106  #ifdef MIT_CURRENT
 107              ecb_encrypt(stp, stp->str_feed, b);
 108  #else /* MIT_CURRENT */
 109 -            des_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1);
 110 +            DES_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1);
 111  #endif /* MIT_CURRENT */
 112              memcpy(stp->str_feed,b,sizeof(Block));
 113              index = 0;
 114 @@ -2840,7 +2841,7 @@
 115  #ifdef MIT_CURRENT
 116          ecb_encrypt(stp, stp->str_feed, b);
 117  #else /* MIT_CURRENT */
 118 -        des_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1);
 119 +        DES_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1);
 120  #endif /* MIT_CURRENT */
 121          memcpy(stp->str_feed, b, sizeof(Block));
 122          stp->str_index = 1;     /* Next time will be 1 */
 123 @@ -2955,19 +2956,19 @@
 124          /*
 125          * Create a random feed and send it over.
 126          */
 127 -        des_new_random_key(fbp->temp_feed);
 128 +        DES_random_key(fbp->temp_feed);
 129  #ifdef LIBDES
 130 -        des_ecb3_encrypt(fbp->temp_feed, fbp->temp_feed,
 131 +        DES_ecb3_encrypt(fbp->temp_feed, fbp->temp_feed,
 132                           fbp->krbdes_sched[0],
 133                           fbp->krbdes_sched[1],
 134                           fbp->krbdes_sched[2],
 135                           1);
 136  #else /* LIBDES */
 137 -        des_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
 138 +        DES_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
 139                           fbp->krbdes_sched[0], 1);
 140 -        des_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
 141 +        DES_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
 142                           fbp->krbdes_sched[1], 0);
 143 -        des_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
 144 +        DES_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
 145                           fbp->krbdes_sched[2], 1);
 146  #endif /* LIBDES */
 147
 148 @@ -3274,7 +3275,7 @@
 149              sizeof(Block)
 150              );
 151      if (fbp->once == 0) {
 152 -        des_set_random_generator_seed(fbp->krbdes_key[0]);
 153 +//        DES_set_random_generator_seed(fbp->krbdes_key[0]);
 154          fbp->once = 1;
 155      }
 156
 157 @@ -3333,7 +3334,7 @@
 158      for ( i=0;i<3;i++ ) {
 159          memset(fbp->krbdes_sched[i],0,sizeof(Schedule));
 160
 161 -        rc = des_key_sched(fbp->krbdes_key[i], fbp->krbdes_sched[i]);
 162 +        rc = DES_key_sched(fbp->krbdes_key[i], fbp->krbdes_sched[i]);
 163          if ( rc == -1 ) {
 164              printf("?Invalid DES key specified for encryption [DES3,%s]\r\n",
 165                      server?"server":"client");
 166 @@ -3488,7 +3489,7 @@
 167
 168          ckhexdump("des3_fb64_stream_iv",stp->str_ikey[i],8);
 169
 170 -        rc = des_key_sched(stp->str_ikey[i], stp->str_sched[i]);
 171 +        rc = DES_key_sched(stp->str_ikey[i], stp->str_sched[i]);
 172          if ( rc == -1 ) {
 173              printf("?Invalid DES key specified for encryption [DES3 iv]\r\n");
 174              debug(F110,"des3_fb64_stream_iv",
 175 @@ -3521,7 +3522,7 @@
 176
 177          ckhexdump("des3_fb64_stream_key",key[i],8);
 178
 179 -        rc = des_key_sched(key[i], stp->str_sched[i]);
 180 +        rc = DES_key_sched(key[i], stp->str_sched[i]);
 181          if ( rc == -1 ) {
 182              printf("?Invalid DES key specified for encryption [DES3 key]\r\n");
 183              debug(F110,"des3_fb64_stream_key",
 184 @@ -3580,14 +3581,14 @@
 185          if (index == sizeof(Block)) {
 186              Block b;
 187  #ifdef LIBDES
 188 -            des_ecb3_encrypt(stp->str_output, b, stp->str_sched[0],
 189 +            DES_ecb3_encrypt(stp->str_output, b, stp->str_sched[0],
 190                                stp->str_sched[1], stp->str_sched[2], 1);
 191  #else /* LIBDES */
 192 -            des_ecb_encrypt(stp->str_output, b,
 193 +            DES_ecb_encrypt(stp->str_output, b,
 194                               stp->str_sched[0], 1);
 195 -            des_ecb_encrypt(stp->str_output, b,
 196 +            DES_ecb_encrypt(stp->str_output, b,
 197                               stp->str_sched[1], 0);
 198 -            des_ecb_encrypt(stp->str_output, b,
 199 +            DES_ecb_encrypt(stp->str_output, b,
 200                               stp->str_sched[2], 1);
 201  #endif /* LIBDES */
 202              memcpy(stp->str_feed,b,sizeof(Block));
 203 @@ -3624,14 +3625,14 @@
 204      if (index == sizeof(Block)) {
 205          Block b;
 206  #ifdef LIBDES
 207 -        des_ecb3_encrypt(stp->str_output, b, stp->str_sched[0],
 208 +        DES_ecb3_encrypt(stp->str_output, b, stp->str_sched[0],
 209                            stp->str_sched[1], stp->str_sched[2], 1);
 210  #else /* LIBDES */
 211 -            des_ecb_encrypt(stp->str_output, b,
 212 +            DES_ecb_encrypt(stp->str_output, b,
 213                               stp->str_sched[0], 1);
 214 -            des_ecb_encrypt(stp->str_output, b,
 215 +            DES_ecb_encrypt(stp->str_output, b,
 216                               stp->str_sched[1], 0);
 217 -            des_ecb_encrypt(stp->str_output, b,
 218 +            DES_ecb_encrypt(stp->str_output, b,
 219                               stp->str_sched[2], 1);
 220  #endif /* LIBDES */
 221          memcpy(stp->str_feed, b, sizeof(Block));
 222 @@ -3680,14 +3681,14 @@
 223          if (index == sizeof(Block)) {
 224              Block b;
 225  #ifdef LIBDES
 226 -            des_ecb3_encrypt(stp->str_feed, b, stp->str_sched[0],
 227 +            DES_ecb3_encrypt(stp->str_feed, b, stp->str_sched[0],
 228                               stp->str_sched[1], stp->str_sched[2], 1);
 229  #else /* LIBDES */
 230 -            des_ecb_encrypt(stp->str_output, b,
 231 +            DES_ecb_encrypt(stp->str_output, b,
 232                               stp->str_sched[0], 1);
 233 -            des_ecb_encrypt(stp->str_output, b,
 234 +            DES_ecb_encrypt(stp->str_output, b,
 235                               stp->str_sched[1], 0);
 236 -            des_ecb_encrypt(stp->str_output, b,
 237 +            DES_ecb_encrypt(stp->str_output, b,
 238                               stp->str_sched[2], 1);
 239  #endif /* LIBDES */
 240              memcpy(stp->str_feed,b,sizeof(Block));
 241 @@ -3721,14 +3722,14 @@
 242      if (index == sizeof(Block)) {
 243          Block b;
 244  #ifdef LIBDES
 245 -        des_ecb3_encrypt(stp->str_feed, b, stp->str_sched[0],
 246 +        DES_ecb3_encrypt(stp->str_feed, b, stp->str_sched[0],
 247                            stp->str_sched[1], stp->str_sched[2], 1);
 248  #else /* LIBDES */
 249 -            des_ecb_encrypt(stp->str_output, b,
 250 +            DES_ecb_encrypt(stp->str_output, b,
 251                               stp->str_sched[0], 1);
 252 -            des_ecb_encrypt(stp->str_output, b,
 253 +            DES_ecb_encrypt(stp->str_output, b,
 254                               stp->str_sched[1], 0);
 255 -            des_ecb_encrypt(stp->str_output, b,
 256 +            DES_ecb_encrypt(stp->str_output, b,
 257                               stp->str_sched[2], 1);
 258  #endif /* LIBDES */
 259          memcpy(stp->str_feed, b, sizeof(Block));
 260 diff -ur ckermit-9.0.302/ck_ssl.c ckermit-9.0.302.openssl111/ck_ssl.c
 261 --- ckermit-9.0.302/ck_ssl.c    2018-10-21 13:19:06.894962175 +0200
 262 +++ ckermit-9.0.302.openssl111/ck_ssl.c 2018-10-21 13:05:08.874620118 +0200
 263 @@ -301,7 +301,7 @@
 264                  break;
 265              default:
 266                  printf("Error %d while verifying certificate.\r\n",
 267 -                       ctx->error);
 268 +                       X509_STORE_CTX_get_error(ctx));
 269                  break;
 270              }
 271          }
 272 @@ -936,10 +936,12 @@
 273
 274      if ((dh=DH_new()) == NULL)
 275          return(NULL);
 276 -    dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
 277 -    dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
 278 -    if ((dh->p == NULL) || (dh->g == NULL))
 279 +    BIGNUM *p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
 280 +    BIGNUM *g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
 281 +    if (DH_set0_pqg(dh, p, NULL, g) == 0) {
 282 +        DH_free(dh);
 283          return(NULL);
 284 +    }
 285      return(dh);
 286  }
 287
 288 @@ -950,10 +952,12 @@
 289
 290      if ((dh=DH_new()) == NULL)
 291          return(NULL);
 292 -    dh->p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL);
 293 -    dh->g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL);
 294 -    if ((dh->p == NULL) || (dh->g == NULL))
 295 +    BIGNUM *p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL);
 296 +    BIGNUM *g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL);
 297 +    if (DH_set0_pqg(dh, p, NULL, g) == 0) {
 298 +        DH_free(dh);
 299          return(NULL);
 300 +    }
 301      return(dh);
 302  }
 303
 304 @@ -964,10 +968,12 @@
 305
 306      if ((dh=DH_new()) == NULL)
 307          return(NULL);
 308 -    dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
 309 -    dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
 310 -    if ((dh->p == NULL) || (dh->g == NULL))
 311 +    BIGNUM *p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
 312 +    BIGNUM *g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
 313 +    if (DH_set0_pqg(dh, p, NULL, g) == 0) {
 314 +        DH_free(dh);
 315          return(NULL);
 316 +    }
 317      return(dh);
 318  }
 319
 320 @@ -978,10 +984,12 @@
 321
 322      if ((dh=DH_new()) == NULL)
 323          return(NULL);
 324 -    dh->p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL);
 325 -    dh->g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL);
 326 -    if ((dh->p == NULL) || (dh->g == NULL))
 327 +    BIGNUM *p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL);
 328 +    BIGNUM *g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL);
 329 +    if (DH_set0_pqg(dh, p, NULL, g) == 0) {
 330 +        DH_free(dh);
 331          return(NULL);
 332 +    }
 333      return(dh);
 334  }
 335
 336 @@ -992,10 +1000,12 @@
 337
 338      if ((dh=DH_new()) == NULL)
 339          return(NULL);
 340 -    dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
 341 -    dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
 342 -    if ((dh->p == NULL) || (dh->g == NULL))
 343 +    BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
 344 +    BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
 345 +    if (DH_set0_pqg(dh, p, NULL, g) == 0) {
 346 +        DH_free(dh);
 347          return(NULL);
 348 +    }
 349      return(dh);
 350  }
 351  #endif /* NO_DH */
 352 @@ -1054,11 +1064,15 @@
 353      if (ssl == NULL)
 354          return;
 355
 356 +#if 0
 357      if (ssl->expand == NULL || ssl->expand->meth == NULL)
 358 +#endif
 359          printf("Compression: None\r\n");
 360 +#if 0
 361      else {
 362          printf("Compression: %s\r\n",ssl->expand->meth->name);
 363      }
 364 +#endif
 365  }
 366
 367  int
 368 @@ -1457,13 +1471,15 @@
 369
 370  #ifdef ZLIB
 371      cm = COMP_zlib();
 372 -    if (cm != NULL && cm->type != NID_undef) {
 373 +    if (cm != NULL && COMP_get_type(cm) != NID_undef) {
 374          SSL_COMP_add_compression_method(0xe0, cm); /* EAY's ZLIB ID */
 375      }
 376  #endif /* ZLIB */
 377 +#ifdef COMP_RLE
 378      cm = COMP_rle();
 379 -    if (cm != NULL && cm->type != NID_undef)
 380 +    if (cm != NULL && COMP_get_type(cm) != NID_undef)
 381          SSL_COMP_add_compression_method(0xe1, cm); /* EAY's RLE ID */
 382 +#endif
 383
 384      /* Ensure the Random number generator has enough entropy */
 385      if ( !RAND_status() ) {
 386 @@ -1483,14 +1499,10 @@
 387          }
 388          debug(F110,"ssl_rnd_file",ssl_rnd_file,0);
 389
 390 -        rc1 = RAND_egd(ssl_rnd_file);
 391 -        debug(F111,"ssl_once_init","RAND_egd()",rc1);
 392 -        if ( rc1 <= 0 ) {
 393 -            rc2 = RAND_load_file(ssl_rnd_file, -1);
 394 -            debug(F111,"ssl_once_init","RAND_load_file()",rc1);
 395 -        }
 396 +        rc2 = RAND_load_file(ssl_rnd_file, -1);
 397 +        debug(F111,"ssl_once_init","RAND_load_file()",rc2);
 398
 399 -        if ( rc1 <= 0 && !rc2 )
 400 +        if ( !rc2 )
 401          {
 402              time_t t = time(NULL);
 403              int tlen = sizeof(time_t);
 404 @@ -2583,14 +2595,13 @@
 405  int
 406  ssl_verify_crl(int ok, X509_STORE_CTX *ctx)
 407  {
 408 -    X509_OBJECT obj;
 409 +    X509_OBJECT *obj;
 410      X509_NAME *subject = NULL;
 411      X509_NAME *issuer = NULL;
 412      X509 *xs = NULL;
 413      X509_CRL *crl = NULL;
 414      X509_REVOKED *revoked = NULL;
 415      X509_STORE_CTX * store_ctx = NULL;
 416 -    long serial;
 417      BIO *bio = NULL;
 418      int i, n, rc;
 419      char *cp;
 420 @@ -2607,6 +2618,11 @@
 421      if ( !store_ctx )
 422          return(ok);
 423
 424 +    obj = X509_OBJECT_new();
 425 +    if ( !obj ) {
 426 +        X509_STORE_CTX_free(store_ctx);
 427 +        return(ok);
 428 +    }
 429      /*
 430       * Determine certificate ingredients in advance
 431       */
 432 @@ -2649,11 +2665,10 @@
 433       * Try to retrieve a CRL corresponding to the _subject_ of
 434       * the current certificate in order to verify it's integrity.
 435       */
 436 -    memset((char *)&obj, 0, sizeof(obj));
 437      X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
 438 -    rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj);
 439 +    rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
 440      X509_STORE_CTX_cleanup(store_ctx);
 441 -    crl = obj.data.crl;
 442 +    crl = X509_OBJECT_get0_X509_CRL(obj);
 443      if (rc > 0 && crl != NULL) {
 444          /*
 445           * Verify the signature on this CRL
 446 @@ -2661,7 +2676,7 @@
 447          if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
 448              fprintf(stderr, "Invalid signature on CRL!\n");
 449              X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
 450 -            X509_OBJECT_free_contents(&obj);
 451 +            X509_OBJECT_free(obj);
 452              X509_STORE_CTX_free(store_ctx);
 453              return 0;
 454          }
 455 @@ -2674,7 +2689,7 @@
 456              fprintf(stderr, "Found CRL has invalid nextUpdate field.\n");
 457              X509_STORE_CTX_set_error(ctx,
 458                                      X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
 459 -            X509_OBJECT_free_contents(&obj);
 460 +            X509_OBJECT_free(obj);
 461              X509_STORE_CTX_free(store_ctx);
 462              return 0;
 463          }
 464 @@ -2683,22 +2698,20 @@
 465  "Found CRL is expired - revoking all certificates until you get updated CRL.\n"
 466                      );
 467              X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
 468 -            X509_OBJECT_free_contents(&obj);
 469 +            X509_OBJECT_free(obj);
 470              X509_STORE_CTX_free(store_ctx);
 471              return 0;
 472          }
 473 -        X509_OBJECT_free_contents(&obj);
 474      }
 475
 476      /*
 477       * Try to retrieve a CRL corresponding to the _issuer_ of
 478       * the current certificate in order to check for revocation.
 479       */
 480 -    memset((char *)&obj, 0, sizeof(obj));
 481      X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
 482 -    rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj);
 483 +    rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
 484      X509_STORE_CTX_free(store_ctx);            /* calls X509_STORE_CTX_cleanup() */
 485 -    crl = obj.data.crl;
 486 +    crl = X509_OBJECT_get0_X509_CRL(obj);
 487      if (rc > 0 && crl != NULL) {
 488          /*
 489           * Check if the current certificate is revoked by this CRL
 490 @@ -2706,20 +2719,17 @@
 491          n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
 492          for (i = 0; i < n; i++) {
 493              revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
 494 -            if (ASN1_INTEGER_cmp(revoked->serialNumber,
 495 +            if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked),
 496                                   X509_get_serialNumber(xs)) == 0) {
 497
 498 -                serial = ASN1_INTEGER_get(revoked->serialNumber);
 499 -                cp = X509_NAME_oneline(issuer, NULL, 0);
 500 -                free(cp);
 501 -
 502                  X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
 503 -                X509_OBJECT_free_contents(&obj);
 504 +                X509_OBJECT_free(obj);
 505                  return 0;
 506              }
 507          }
 508 -        X509_OBJECT_free_contents(&obj);
 509      }
 510 +    X509_OBJECT_free(obj);
 511 +    X509_STORE_CTX_free(store_ctx);
 512      return ok;
 513  }
 514
 515 @@ -4338,6 +4348,8 @@
 516      FILE *fp;
 517      struct passwd *pwd;
 518      X509 *file_cert;
 519 +    const ASN1_BIT_STRING *peer_sig, *file_sig;
 520 +    const X509_ALGOR *peer_alg, *file_alg;
 521
 522      if ( peer_cert == NULL )
 523          return(0);
 524 @@ -4350,8 +4362,10 @@
 525
 526      if (!(fp = fopen(buf, "r")))
 527          return 0;
 528 +    X509_get0_signature(&peer_sig, &peer_alg, peer_cert);
 529      while (!r && (file_cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
 530 -        if (!ASN1_STRING_cmp(peer_cert->signature, file_cert->signature))
 531 +        X509_get0_signature(&file_sig, &file_alg, file_cert);
 532 +        if (!ASN1_STRING_cmp(peer_sig, file_sig))
 533              r = 1;
 534          X509_free(file_cert);
 535      }