upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ssl_verify_openssl: use official ASN1_STRING_ API

Browse source 
ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and
length fields are no longer directly accessible. Use the accessor API
instead. Accessors have been available since OpenSSL 1.1.0

The ASN1_STRING_length accessor is already in use, but not consistently
applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data
which allows for successful build of OpenSSL 4.x

Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584
Message-Id: <20260323121908.730-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36254.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Rudi Heitbaum 2026-03-23 13:19:00 +01:00 committed by Gert Doering
parent ee2af6655d
commit dc4a9255f1
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/openvpn/ssl_verify_openssl.c
View file

@ -259,7 +259,7 @@ backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_
{
ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
struct gc_arena gc = gc_new();
char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
if (!serial || cn_len <= strlen(serial) + 2)
{
@ -313,7 +313,7 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
{
const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc);
return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc);
}
result_t
@ -626,7 +626,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
{
ASN1_BIT_STRING *ns;
ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
if (result == SUCCESS)
{
msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
@ -654,7 +654,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
{
ASN1_BIT_STRING *ns;
ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
if (result == SUCCESS)
{
msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "