From dc4a9255f12840eb96a3a150332ccd26c4c41d7f Mon Sep 17 00:00:00 2001 From: Rudi Heitbaum Date: Mon, 23 Mar 2026 13:19:00 +0100 Subject: [PATCH] ssl_verify_openssl: use official ASN1_STRING_ API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0 The ASN1_STRING_length accessor is already in use, but not consistently applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data which allows for successful build of OpenSSL 4.x Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81 Signed-off-by: Rudi Heitbaum Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584 Message-Id: <20260323121908.730-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36254.html Signed-off-by: Gert Doering --- src/openvpn/ssl_verify_openssl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 46401cd3..d96879bd 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -259,7 +259,7 @@ backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_ { ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); struct gc_arena gc = gc_new(); - char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc); + char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc); if (!serial || cn_len <= strlen(serial) + 2) { @@ -313,7 +313,7 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc) { const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); - return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); + return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc); } result_t @@ -626,7 +626,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; + result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " @@ -654,7 +654,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; + result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "