From patchwork Wed Apr 1 12:31:40 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4864
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 1 Apr 2026 14:31:40 +0200
Message-ID: <20260401123147.32686-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v5] Do not access internals of ASN1_INTEGER to print hex of serial

From: Arne Schwabe

OpenSSL 4.0 does not allow internal access to these data structures
anymore. So use public methods to get the serial data and convert it
to hex.

Change-Id: I5158fbb0762443ea4954e5745f520e83e019ed30
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
---

This change was reviewed on Gerrit and approved by at least one
developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ef30620..1a0f5d4 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c
@@ -260,17 +260,19 @@ } else if (strcmp(LN_serialNumber, x509_username_field) == 0) { - ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); - struct gc_arena gc = gc_new(); - char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc); + const ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); + + BIGNUM *bn_serial = ASN1_INTEGER_to_BN(asn1_i, NULL); + char *serial = BN_bn2hex(bn_serial); + BN_free(bn_serial); if (!serial || cn_len <= strlen(serial) + 2) { - gc_free(&gc); + OPENSSL_free(serial); return FAILURE; } snprintf(common_name, cn_len, "0x%s", serial); - gc_free(&gc); + OPENSSL_free(serial); } else { @@ -315,8 +317,16 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc) { const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); + BIGNUM *bn_serial = ASN1_INTEGER_to_BN(asn1_i, NULL); + int len_serial = BN_num_bytes(bn_serial); + unsigned char *buf = malloc(len_serial); + BN_bn2binpad(bn_serial, buf, len_serial); - return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc); + char *ret = format_hex_ex(buf, len_serial, 0, 1, ":", gc); + free(buf); + BN_free(bn_serial); + + return ret; } result_t
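Review bot: In the first hunk (the `LN_serialNumber` branch at @@ -260), the result of `ASN1_INTEGER_to_BN(asn1_i, NULL)` is handed to `BN_bn2hex(bn_serial)` without a NULL check. `ASN1_INTEGER_to_BN()` returns NULL on error, and the existing `!serial` test only runs after `BN_bn2hex()` has already been called with that pointer. Suggest testing `bn_serial` directly after the conversion and returning FAILURE there, so that a certificate with an unparsable serial or an allocation failure ends in a clean rejection rather than undefined behaviour in the peer-verification path. Since the resulting string becomes the common name via `snprintf(common_name, cn_len, "0x%s", serial)`, it would also help to state in the commit message (or cover with a unit test) that the `BN_bn2hex()` output matches what the removed `format_hex_ex(..., 1 | FHE_CAPS, NULL, &gc)` call produced, because existing deployments may match on that exact string.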
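Review bot: In the second hunk (`backend_x509_get_serial_hex()` at @@ -315), neither `bn_serial` nor `buf` is checked before use: `BN_num_bytes(bn_serial)` and `BN_bn2binpad(bn_serial, buf, len_serial)` both run even when `ASN1_INTEGER_to_BN()` or `malloc(len_serial)` returned NULL, and the return value of `BN_bn2binpad()` is ignored. Suggest returning NULL early on either failure (after `BN_free(bn_serial)`), and checking that `BN_bn2binpad()` did not return -1 before formatting. A serial of zero gives `len_serial == 0`, so this path does `malloc(0)` followed by a zero-length `format_hex_ex()` call; that case deserves an explicit branch or at least a comment on the expected output. The function already receives a `gc` arena, so allocating the temporary buffer from it would remove the separate `malloc`/`free` pair and the leak risk on any future early return.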