From patchwork Thu Apr 2 12:10:49 2026
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4867
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 2 Apr 2026 14:10:49 +0200
Message-ID: <20260402121049.41102-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v5] OpenSSL 4.0: Make X509 objects const
From: Arne Schwabe In OpenSSL 4.0 a lot of the APIs have changed to return const objects. Adjust our source code to use const objects as well. Change-Id: Iea1d13c160599f134587c6f1c2f4a90e7f5e3991 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1596 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1596 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a26663a..fd05f43 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1789,7 +1789,6 @@ STACK_OF(X509_NAME) *cert_names = NULL; X509_LOOKUP *lookup = NULL; X509_STORE *store = NULL; - X509_NAME *xn = NULL; BIO *in = NULL; int i, added = 0, prev = 0; @@ -1853,21 +1852,26 @@ } } - xn = X509_get_subject_name(info->x509); + /* OpenSSL 4.0 has made X509_get_subject_name return const + * but not adjusted the other functions to take const + * arguments, and other libraries do not have const + * arguments, so just ignore const here */ + X509_NAME *xn = (X509_NAME *)X509_get_subject_name(info->x509); if (!xn) { continue; } + /* Don't add duplicate CA names */ - if (sk_X509_NAME_find(cert_names, xn) == -1) + if (sk_X509_NAME_find(cert_names, (X509_NAME *)xn) == -1) { - xn = X509_NAME_dup(xn); - if (!xn) + X509_NAME *xn_dup = X509_NAME_dup(xn); + if (!xn_dup) { continue; } - sk_X509_NAME_push(cert_names, xn); + sk_X509_NAME_push(cert_names, xn_dup); } } diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 08946cd..c5c4acd 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c 
@@ -191,7 +191,7 @@ * to contain result is grounds for error). */ static result_t -extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, size_t size) +extract_x509_field_ssl(const X509_NAME *x509, const char *field_name, char *out, size_t size) { int lastpos = -1; int tmp = -1; @@ -209,7 +209,12 @@ do { lastpos = tmp; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos); +#else + /* OpenSSL 1.1.x has the argument as non-const */ + tmp = X509_NAME_get_index_by_OBJ((X509_NAME *)x509, field_name_obj, lastpos); +#endif } while (tmp > -1); ASN1_OBJECT_free(field_name_obj); @@ -269,7 +274,7 @@ } else { - X509_NAME *x509_subject_name = X509_get_subject_name(peer_cert); + const X509_NAME *x509_subject_name = X509_get_subject_name(peer_cert); if (x509_subject_name == NULL) { msg(D_TLS_ERRORS, "X509 subject name is NULL"); @@ -457,7 +462,12 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) { struct gc_arena gc = gc_new(); +#if OPENSSL_VERSION_NUMBER < 0x30000000L + /* OpenSSL 1.1.x APIs all take non-const arguments */ X509_NAME *x509_name = X509_get_subject_name(x509); +#else + const X509_NAME *x509_name = X509_get_subject_name(x509); +#endif const char nullc = '\0'; while (xt) @@ -491,10 +501,10 @@ int i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); if (i >= 0) { - X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); + const X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); if (ent) { - ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); + const ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); unsigned char *buf = NULL; if (ASN1_STRING_to_UTF8(&buf, val) >= 0) { 
@@ -508,7 +518,11 @@ i = X509_get_ext_by_NID(x509, xt->nid, -1); if (i >= 0) { +#if OPENSSL_VERSION_NUMBER < 0x40000000L X509_EXTENSION *ext = X509_get_ext(x509, i); +#else + const X509_EXTENSION *ext = X509_get_ext(x509, i); +#endif if (ext) { BIO *bio = BIO_new(BIO_s_mem()); @@ -544,51 +558,43 @@ void x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) { - int i, n; - int fn_nid; - ASN1_OBJECT *fn; - ASN1_STRING *val; - X509_NAME_ENTRY *ent; - const char *objbuf; - unsigned char *buf = NULL; - char *name_expand; - size_t name_expand_size; - X509_NAME *x509 = X509_get_subject_name(peer_cert); + const X509_NAME *x509 = X509_get_subject_name(peer_cert); - n = X509_NAME_entry_count(x509); - for (i = 0; i < n; ++i) + int n = X509_NAME_entry_count(x509); + for (int i = 0; i < n; ++i) { - ent = X509_NAME_get_entry(x509, i); + const X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509, i); if (!ent) { continue; } - fn = X509_NAME_ENTRY_get_object(ent); + const ASN1_OBJECT *fn = X509_NAME_ENTRY_get_object(ent); if (!fn) { continue; } - val = X509_NAME_ENTRY_get_data(ent); + const ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); if (!val) { continue; } - fn_nid = OBJ_obj2nid(fn); + int fn_nid = OBJ_obj2nid(fn); if (fn_nid == NID_undef) { continue; } - objbuf = OBJ_nid2sn(fn_nid); + const char *objbuf = OBJ_nid2sn(fn_nid); if (!objbuf) { continue; } + unsigned char *buf = NULL; if (ASN1_STRING_to_UTF8(&buf, val) < 0) { continue; } - name_expand_size = 64 + strlen(objbuf); - name_expand = (char *)malloc(name_expand_size); + size_t name_expand_size = 64 + strlen(objbuf); + char *name_expand = malloc(name_expand_size); check_malloc_return(name_expand); snprintf(name_expand, name_expand_size, "X509_%d_%s", cert_depth, objbuf); string_mod(name_expand, CC_PRINT, CC_CRLF, '_');
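Review bot: in the ssl_openssl.c hunk `@@ -1853,21 +1852,26 @@` the cast in `if (sk_X509_NAME_find(cert_names, (X509_NAME *)xn) == -1)` is redundant: `xn` is already declared as a non-const `X509_NAME *` two lines above, where the const returned by `X509_get_subject_name()` is stripped once with an explaining comment. Dropping the second cast keeps the deliberate const violation in one documented place. Splitting the lookup key `xn` from the pushed copy `xn_dup` is a good change, since the old code reused `xn` for both roles.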
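Review bot: in the ssl_verify_openssl.c hunk `@@ -209,7 +209,12 @@` the `#if`/`#else` repeats the whole `X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos)` call in both branches, differing only in the `(X509_NAME *)` cast on the first argument; confining the version test to that argument (for example a small cast helper that is a no-op from 3.0 on, named hypothetically here) would stop the two copies drifting apart. This is also the only guard in the patch written as `>= 0x30000000L` while the later ones use `< 0x30000000L` and `< 0x40000000L`; one direction throughout would read more easily.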
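Review bot: in the hunk `@@ -457,7 +462,12 @@` for `x509_setenv_track()` the guard `#if OPENSSL_VERSION_NUMBER < 0x30000000L` chooses the const qualifier on the 3.0 boundary, while the `X509_get_ext()` hunk below uses `0x40000000L` and the ssl_openssl.c comment attributes the const return of `X509_get_subject_name()` to 4.0. The following hunk passes `x509_name` to `X509_NAME_get_index_by_NID()` without a guard, so this branch is presumably what keeps that call compiling against 1.1.x where the argument is non-const; the comment should say which prototype each threshold tracks, so the branches can be deleted cleanly once 1.1.x support is dropped.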
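Review bot: in the hunk `@@ -544,51 +558,43 @@` `x509_setenv()` assigns `X509_get_subject_name(peer_cert)` to `const X509_NAME *x509` unconditionally, whereas `x509_setenv_track()` in the same file needs an `#if OPENSSL_VERSION_NUMBER < 0x30000000L` branch for the identical assignment. If the difference is that the consumers here (`X509_NAME_entry_count()`, `X509_NAME_get_entry()`) already accept `const` on 1.1.x while `X509_NAME_get_index_by_NID()` does not, a one-line comment would save the next reader from checking both headers. Separately, the hunk bundles an unrelated tidy-up (declarations moved to point of use, the `(char *)` cast on `malloc()` dropped) with the const change; that is fine, but the commit message should mention it so the size of this hunk is not mistaken for a behavioural change.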