From patchwork Sat Apr 4 15:57:19 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4870
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Apr 2026 17:57:19 +0200
Message-ID: <20260404155726.7696-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v5] Do not access internals of ASN1_INTEGER to print hex of serial

From: Arne Schwabe

OpenSSL 4.0 does not allow internal access to these data structures
anymore. So use public methods to get the serial data and convert it to
hex.

Change-Id: I5158fbb0762443ea4954e5745f520e83e019ed30
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ef30620..1a0f5d4 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c
@@ -260,17 +260,19 @@ } else if (strcmp(LN_serialNumber, x509_username_field) == 0) { - ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); - struct gc_arena gc = gc_new(); - char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc); + const ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); + + BIGNUM *bn_serial = ASN1_INTEGER_to_BN(asn1_i, NULL); + char *serial = BN_bn2hex(bn_serial); + BN_free(bn_serial); if (!serial || cn_len <= strlen(serial) + 2) { - gc_free(&gc); + OPENSSL_free(serial); return FAILURE; } snprintf(common_name, cn_len, "0x%s", serial); - gc_free(&gc); + OPENSSL_free(serial); } else { @@ -315,8 +317,16 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc) { const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); + BIGNUM *bn_serial = ASN1_INTEGER_to_BN(asn1_i, NULL); + int len_serial = BN_num_bytes(bn_serial); + unsigned char *buf = malloc(len_serial); + BN_bn2binpad(bn_serial, buf, len_serial); - return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc); + char *ret = format_hex_ex(buf, len_serial, 0, 1, ":", gc); + free(buf); + BN_free(bn_serial); + + return ret; } result_t
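
Review bot: In the first hunk (@@ -260,17 +260,19 @@, the LN_serialNumber branch), the result of ASN1_INTEGER_to_BN(asn1_i, NULL) is passed straight to BN_bn2hex() without a NULL check; the conversion returns NULL on failure, and the existing `!serial` test only runs after bn_serial has already been used. Suggest `if (!bn_serial) { return FAILURE; }` directly after the conversion. It would also help to state in the commit message whether the resulting username is expected to match the old format_hex_ex(..., 1 | FHE_CAPS, ...) output exactly, since BN_bn2hex() prefixes a '-' for negative values, which would give "0x-..." here.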
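
Review bot: In the second hunk (@@ -315,8 +317,16 @@, backend_x509_get_serial_hex), neither bn_serial nor buf is checked before `BN_bn2binpad(bn_serial, buf, len_serial);` writes into the buffer, so a failed ASN1_INTEGER_to_BN() or malloc() is dereferenced. Suggest returning NULL early when bn_serial is NULL and checking the allocation, or taking the buffer from the gc arena that is already a parameter so the explicit free(buf) is not needed. BN_num_bytes() is 0 for a serial of zero, so len_serial can be 0 and malloc(0) may legitimately return NULL; the check needs to distinguish that case from an allocation failure.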