--- libs/libpkixipext/ver.c.orig	2019-02-27 16:25:45 UTC
+++ libs/libpkixipext/ver.c
@@ -101,11 +101,15 @@ static int
 in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1, ASN1_BIT_STRING *min2,
     ASN1_BIT_STRING *max2, int af)
 {
-	BIGNUM bpmin[1], bpmax[1], bmin[1], bmax[1];
-	int alen, len, bits;
+	BIGNUM *bpmin, *bpmax, *bmin, *bmax;
+	int alen, len, bits, ret;
 	uint8_t mask, buf[sizeof (struct in6_addr)];
 
-	BN_init(bpmin); BN_init(bpmax); BN_init(bmin); BN_init(bmax);
+	bpmin = BN_new();
+	bpmax = BN_new();
+	bmin = BN_new();
+	bmax = BN_new();
+	ret = 0;
 	switch (af) {
 	case AF_INET:
 		alen = sizeof (struct in_addr);
@@ -115,14 +119,14 @@ in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1,
 		break;
 	default:
 		DBG(&dbg_ver, "Unsupported AF");
-		return (0);
+		goto end;
 	}
 
 	len = min1->length < alen ? min1->length : alen;
 	memset(buf, 0, sizeof (buf));
 	memcpy(buf, min1->data, len);
 	if (!BN_bin2bn(buf, alen, bpmin)) {
-		return (0);
+		goto end;
 	}
 
 	len = max1->length < alen ? max1->length : alen;
@@ -135,14 +139,14 @@ in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1,
 		buf[len - 1] |= mask;
 	}
 	if (!BN_bin2bn(buf, alen, bpmax)) {
-		return (0);
+		goto end;
 	}
 
 	len = min2->length < alen ? min2->length : alen;
 	memset(buf, 0, sizeof (buf));
 	memcpy(buf, min2->data, len);
 	if (!BN_bin2bn(buf, alen, bmin)) {
-		return (0);
+		goto end;
 	}
 
 	len = max2->length < alen ? max2->length : alen;
@@ -155,18 +159,24 @@ in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1,
 		buf[len - 1] |= mask;
 	}
 	if (!BN_bin2bn(buf, alen, bmax)) {
-		return (0);
+		goto end;
 	}
 
 	/* bmin <= bpmin <= bpmax <= bmax. We already know bpmin <= bpmax */
 	if (BN_cmp(bmin, bpmin) == 1) {
-		return (0);
+		goto end;
 	}
 	if (BN_cmp(bpmax, bmax) == 1) {
-		return (0);
+		goto end;
 	}
+	ret = 1;
+end:
+	BN_free(bpmin);
+	BN_free(bpmax);
+	BN_free(bmin);
+	BN_free(bmax);
 
-	return (1);
+	return (ret);
 }
 
 static int
@@ -247,16 +257,14 @@ af_cmp(IPAddressFamily *ipf1, IPAddressFamily *ipf2)
 	}
 
 	DBG(&dbg_ver, "Pre-cmp ipc AOR count: %d",
-	    sk_num(ipc1->u.addressesOrRanges));
+	    sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges));
 
-	for (i = 0; i < sk_num(ipc1->u.addressesOrRanges); i++) {
-		aor1 =
-		    (IPAddressOrRange *)sk_value(ipc1->u.addressesOrRanges, i);
-		for (j = 0; j < sk_num(ipc2->u.addressesOrRanges); j++) {
-			aor2 = (IPAddressOrRange *)
-			    sk_value(ipc2->u.addressesOrRanges, j);
+	for (i = 0; i < sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges); i++) {
+		aor1 = sk_IPAddressOrRange_value(ipc1->u.addressesOrRanges, i);
+		for (j = 0; j < sk_IPAddressOrRange_num(ipc2->u.addressesOrRanges); j++) {
+			aor2 = sk_IPAddressOrRange_value(ipc2->u.addressesOrRanges, j);
 			if (aor_match(aor1, aor2, af) == 0) {
-				sk_delete(ipc1->u.addressesOrRanges, i--);
+				sk_IPAddressOrRange_delete(ipc1->u.addressesOrRanges, i--);
 				IPAddressOrRange_free(aor1);
 				break;
 			}
@@ -264,9 +272,9 @@ af_cmp(IPAddressFamily *ipf1, IPAddressFamily *ipf2)
 	}
 
 	DBG(&dbg_ver, "Post-cmp ipc AOR count: %d",
-	    sk_num(ipc1->u.addressesOrRanges));
+	    sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges));
 
-	if (sk_num(ipc1->u.addressesOrRanges) == 0) {
+	if (sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges) == 0) {
 		return (0);
 	}
 
@@ -307,7 +315,7 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
 	IPAddressFamily *ipf1, *ipf2;
 	int i, j, inherit = 0;
 
-	DBG(&dbg_ver, "vipb stack cnt: %d idx: %d", sk_num(vipb), idx);
+	DBG(&dbg_ver, "vipb stack cnt: %d idx: %d", sk_IPAddressFamily_num(vipb), idx);
 
 	ipb = X509_get_ext_d2i(x, pkix_ip_ext_method.ext_nid, NULL, NULL);
 	if (!ipb) {
@@ -315,18 +323,18 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
 		return (-1);
 	}
 
-	for (i = 0; i < sk_num(vipb); i++) {
-		ipf1 = (IPAddressFamily *)sk_value(vipb, i);
+	for (i = 0; i < sk_IPAddressFamily_num(vipb); i++) {
+		ipf1 = sk_IPAddressFamily_value(vipb, i);
 
 		/* Ignore inherits in vipb */
 		if (is_inherit(ipf1)) {
-			sk_delete(vipb, i--);
+			sk_IPAddressFamily_delete(vipb, i--);
 			IPAddressFamily_free(ipf1);
 			continue;
 		}
 
-		for (j = 0; j < sk_num(ipb); j++) {
-			ipf2 = (IPAddressFamily *)sk_value(ipb, j);
+		for (j = 0; j < sk_IPAddressFamily_num(ipb); j++) {
+			ipf2 = sk_IPAddressFamily_value(ipb, j);
 			if (af_match(ipf1, ipf2)) {
 				/*
 				 * Inherits in ipb need to be checked
@@ -338,7 +346,7 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
 				}
 
 				if (af_cmp(ipf1, ipf2) == 0) {
-					sk_delete(vipb, i--);
+					sk_IPAddressFamily_delete(vipb, i--);
 					IPAddressFamily_free(ipf1);
 					break;
 				}
@@ -346,18 +354,18 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
 		}
 	}
 
-	if (!inherit || (++idx) == sk_num(ctx->chain)) {
+	if (!inherit || (++idx) == sk_num(X509_STORE_CTX_get_chain(ctx))) {
 		/* end of the line */
 		goto done;
 	}
-	x = (X509 *)sk_value(ctx->chain, idx);
+	x = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), idx);
 	verify_ipext_cert(ctx, idx, x, vipb);
 
 done:
 	IPAddrBlocks_free(ipb);
 
 	/* If the vipb stack is now empty all ipf's matched */
-	if (sk_num(vipb) != 0) {
+	if (sk_IPAddressFamily_num(vipb) != 0) {
 		return (-1);
 	}
 
@@ -376,13 +384,13 @@ verify_ipext(X509_STORE_CTX *ctx, IPAddrBlocks *vipb)
 			   i2v_IPAddrBlocks(NULL, vipb, NULL), 8, 1);
 #endif
 
-	if (sk_num(vipb) == 0) {
+	if (sk_IPAddressFamily_num(vipb) == 0) {
 		DBG(&dbg_ver, "IPAddrBlock empty; rejecting");
 		return (-1);
 	}
 
-	for (i = 0; i < sk_num(ctx->chain); i++) {
-		x = (X509 *)sk_value(ctx->chain, i);
+	for (i = 0; i < sk_num(X509_STORE_CTX_get_chain(ctx)); i++) {
+		x = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), i);
 
 		DBG(&dbg_ver, "%s",
 		    X509_NAME_oneline(X509_get_subject_name(x), nbuf,
@@ -391,7 +399,7 @@ verify_ipext(X509_STORE_CTX *ctx, IPAddrBlocks *vipb)
 		if (verify_ipext_cert(ctx, i, x, vipb) < 0) {
 			return (-1);
 		}
-		if (sk_num(vipb) == 0) {
+		if (sk_IPAddressFamily_num(vipb) == 0) {
 			break;
 		}
 	}
@@ -408,9 +416,9 @@ verify_ipext_chain(X509_STORE_CTX *ctx)
 
 	DBG(&dbg_ver, "Verifying IP Exts in the certificate chain");
 
-	for (i = 1; i < sk_num(ctx->chain); i++) {
-		vx = (X509 *)sk_value(ctx->chain, i - 1);
-		x = (X509 *)sk_value(ctx->chain, i);
+	for (i = 1; i < sk_num(X509_STORE_CTX_get_chain(ctx)); i++) {
+		vx = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), i - 1);
+		x = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), i);
 
 		DBG(&dbg_ver, "%s",
 		    X509_NAME_oneline(X509_get_subject_name(vx), nbuf,
@@ -446,7 +454,7 @@ pkixip_verify_cb(int ok, X509_STORE_CTX *ctx)
 	X509_NAME_oneline(X509_get_subject_name(x), nbuf, sizeof (nbuf));
 #endif
 	if (!ok) {
-		if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) {
+		if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) {
 			/*
 			 * OpenSSL doesn't explicitly support PKIX IP Ext,
 			 * so it throws this error when it encounters the
@@ -458,7 +466,7 @@ pkixip_verify_cb(int ok, X509_STORE_CTX *ctx)
 		} else {
 			DBG(&dbg_ver, "Not OK at %s", nbuf);
 			DBG(&dbg_ver, "%s",
-			    X509_verify_cert_error_string(ctx->error));
+			    X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
 		}
 	} else {
 		DBG(&dbg_ver, "OK at %s", nbuf);