From patchwork Mon Mar 23 12:19:00 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4849
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 23 Mar 2026 13:19:00 +0100
Message-ID: <20260323121908.730-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] ssl_verify_openssl: use official ASN1_STRING_ API
From: Rudi Heitbaum

ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0

The ASN1_STRING_length accessor is already in use, but not consistently applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data which allows for successful build of OpenSSL 4.x

Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81
Signed-off-by: Rudi Heitbaum
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 46401cd..d96879b 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -259,7 +259,7 @@ { ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); struct gc_arena gc = gc_new(); - char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc); + char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc); if (!serial || cn_len <= strlen(serial) + 2) { @@ -313,7 +313,7 @@ { const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); - return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); + return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc); } result_t
@@ -626,7 +626,7 @@ { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; + result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " @@ -654,7 +654,7 @@ { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; + result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
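Review bot: in the @@ -259,7 hunk, asn1_i is still declared as a non-const ASN1_INTEGER * even though the new line only reads it through ASN1_STRING_get0_data() and ASN1_STRING_length(). The @@ -313,7 hunk already declares it as const ASN1_INTEGER *, so making this one const as well would keep the two serial-number call sites consistent and document that the certificate's serial is not modified. The replacement line is also considerably longer than the one it replaces; taking the data pointer and the length into two locals before calling format_hex_ex() would read more easily.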
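Review bot: the @@ -313,7 hunk, like every other changed line, calls ASN1_STRING_get0_data() unconditionally, and the patch adds no fallback for builds where that accessor is missing. The commit message states the accessors exist since OpenSSL 1.1.0, so the commit message (or a comment) should say that 1.1.0 is the minimum this file is expected to build against, or a compat definition should accompany the change if older versions are still supported.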
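Review bot: the @@ -626,7 and @@ -654,7 hunks now carry the same long expression twice, differing only in the NS_SSL_CLIENT / NS_SSL_SERVER mask, and its safety depends on ASN1_STRING_length(ns) > 0 being evaluated before ASN1_STRING_get0_data(ns)[0]. A small static helper that takes ns and the mask would keep that length-before-index ordering in one place and shorten both lines. Since ns is an ASN1_BIT_STRING, ASN1_BIT_STRING_get_bit() is another option to consider, as it performs the bounds check itself.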