[Openvpn-devel,v5] Do not access internals of ASN1_INTEGER to print hex of serial

Message ID 20260404155726.7696-1-gert@greenie.muc.de
State New
Series [Openvpn-devel,v5] Do not access internals of ASN1_INTEGER to print hex of serial

Commit Message

Gert Doering April 4, 2026, 3:57 p.m. UTC
From: Arne Schwabe <arne@rfc2549.org>

OpenSSL 4.0 does not allow internal access to these data structures
anymore. So use public methods to get the serial data and convert it to
hex.

Change-Id: I5158fbb0762443ea4954e5745f520e83e019ed30
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>

Comments

Gert Doering April 4, 2026, 8:18 p.m. UTC | #1
There was a bit of confusion with the buildbot fails on freebsd 13 -
which got fixed by rebasing to current master, some const/non-const
openssl 4.0 work fallout.  I did not investigate further as the rebased
version is exactly identical to v5, just no build fails anymore.

The patch itself passes the corresponding unit test, so it won't
crash and won't change user-visible behaviour.  Plus, ACK from Frank.

Your patch has been applied to the master and release/2.7 branch.

commit bab0e32e6f9de8ee1433abcaafc4719f170b2f47 (master)
commit c3dd2ab23e7e11426d7eedbcdbd97b4fa05bee88 (release/2.7)
Author: Arne Schwabe
Date:   Sat Apr 4 17:57:19 2026 +0200

     Do not access internals of ASN1_INTEGER to print hex of serial

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
     Message-Id: <20260404155726.7696-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36459.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index ef30620..1a0f5d4 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -260,17 +260,19 @@ 
     }
     else if (strcmp(LN_serialNumber, x509_username_field) == 0)
     {
-        ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
-        struct gc_arena gc = gc_new();
-        char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
+        const ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
+
+        BIGNUM *bn_serial = ASN1_INTEGER_to_BN(asn1_i, NULL);
+        char *serial = BN_bn2hex(bn_serial);
+        BN_free(bn_serial);
 
         if (!serial || cn_len <= strlen(serial) + 2)
         {
-            gc_free(&gc);
+            OPENSSL_free(serial);
             return FAILURE;
         }
         snprintf(common_name, cn_len, "0x%s", serial);
-        gc_free(&gc);
+        OPENSSL_free(serial);
     }
     else
     {
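Review bot: `bn_serial` is not checked for NULL before `BN_bn2hex(bn_serial)`. `ASN1_INTEGER_to_BN` returns NULL on allocation failure and `BN_bn2hex` dereferences its argument, so the existing `if (!serial || ...)` check comes too late; add `if (!bn_serial) { return FAILURE; }` right after the `ASN1_INTEGER_to_BN` call (`BN_free(NULL)` is a no-op, so the cleanup ordering is otherwise fine). Separately, the username string is now derived from the BIGNUM value rather than from the raw DER content octets that `ASN1_STRING_get0_data` returned: the leading 0x00 octet DER adds to a positive serial whose top bit is set is dropped, a zero serial renders as "0" instead of "00", and `BN_bn2hex` prefixes "-" for a negative value. Anything keyed on the old `0x00...` form of `x509-username-field serialNumber` (per-client config files, access lists) will stop matching after upgrade, so this deserves a sentence in the commit message or release notes.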
@@ -315,8 +317,16 @@ 
 backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
 {
     const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
+    BIGNUM *bn_serial = ASN1_INTEGER_to_BN(asn1_i, NULL);
+    int len_serial = BN_num_bytes(bn_serial);
+    unsigned char *buf = malloc(len_serial);
+    BN_bn2binpad(bn_serial, buf, len_serial);
 
-    return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc);
+    char *ret = format_hex_ex(buf, len_serial, 0, 1, ":", gc);
+    free(buf);
+    BN_free(bn_serial);
+
+    return ret;
 }
 
 result_t
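Review bot: neither `bn_serial` nor `buf` is NULL-checked. `BN_num_bytes(bn_serial)` and `BN_bn2binpad(bn_serial, ...)` dereference a NULL `bn_serial`, and `BN_bn2binpad` writes into a NULL `buf` if `malloc` fails; return NULL after `ASN1_INTEGER_to_BN` and after `malloc` when they fail. Since the function already receives `struct gc_arena *gc`, allocating `buf` from the arena instead of bare `malloc`/`free` would also match the file's conventions and remove the manual `free(buf)` path. Note the same edge cases as in the first hunk: a serial of value 0 gives `len_serial == 0`, so `malloc(0)` and an empty string instead of "00", and `BN_bn2binpad` stores the magnitude only, so the sign of a (non-conforming) negative serial is silently dropped; worth a comment above the call so the next reader does not take it for a bug.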