Submitted By: Pierre Labastie
Date: 2026-05-29
Initial Package Version: 2.11
Upstream Status: Applied
Origin: Upstream
Description: Fixes building with openssl-4
From 141abf49a432c9a0f4f38c47a477ab258ec9e239 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 6 Apr 2026 11:32:06 +0300
Subject: OpenSSL: Use ASN1_STRING_length/get0_data() more consistently
Some of the accesses to ASN1_IA5STRING were using direct references to the structure members. Replace those with helper functions to avoid the direct access. This is needed for OpenSSL 4.0.
Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index d6f254371..fc7b4d2f9 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2020,8 +2020,9 @@ static int tls_match_altsubject_component(X509 *cert, int type,
 gen = sk_GENERAL_NAME_value(ext, i);
 if (gen->type != type)
 continue;
- if (os_strlen((char *) gen->d.ia5->data) == len &&
- os_memcmp(value, gen->d.ia5->data, len) == 0)
+ if ((size_t) ASN1_STRING_length(gen->d.ia5) == len &&
+ os_memcmp(value, ASN1_STRING_get0_data(gen->d.ia5), len) ==
+ 0)
 found++;
 }
 
@@ -2344,10 +2345,10 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
 continue;
 dns_name++;
 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
- gen->d.dNSName->data,
- gen->d.dNSName->length);
- if (domain_suffix_match(gen->d.dNSName->data,
- gen->d.dNSName->length,
+ ASN1_STRING_get0_data(gen->d.dNSName),
+ ASN1_STRING_length(gen->d.dNSName));
+ if (domain_suffix_match(ASN1_STRING_get0_data(gen->d.dNSName),
+ ASN1_STRING_length(gen->d.dNSName),
 match, match_len, full) == 1) {
 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
 full ? "Match" : "Suffix match");
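Review bot: The rewritten comparison in tls_match_altsubject_component (first hunk, -2020) is not a pure accessor swap, and neither the code nor the commit message says so. The old test used os_strlen() on the IA5 data, which stops at the first NUL byte, while the new test uses the full ASN.1 length, so a subjectAltName value carrying an embedded NUL after the configured string could satisfy the old check and cannot satisfy the new one. That is the safer behaviour and worth recording next to the condition, e.g. `/* Compare the full ASN.1 length; a value with an embedded NUL must not match a shorter configured string */`. The loop this condition sits in starts outside the hunk.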
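Review bot: In tls_match_suffix_helper the dNSName hunk (-2344), and the commonName hunk (-2378) that follows it, call ASN1_STRING_get0_data() and ASN1_STRING_length() twice each on the same object and pass the int length unconverted, whereas the first hunk casts it with `(size_t)`. Reading both once into locals keeps the logged bytes and the matched bytes visibly identical and makes the conversion explicit: `const unsigned char *name = ASN1_STRING_get0_data(gen->d.dNSName);` and `size_t name_len = ASN1_STRING_length(gen->d.dNSName);`, then pass `name, name_len` to both calls. The length parameters of wpa_hexdump_ascii() and domain_suffix_match() are presumably size_t; their declarations are not in this diff. The function body begins and ends outside both hunks.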
@@ -2378,8 +2379,10 @@ static int tls_match_suffix_helper(X509 *cert, const char *match,
 if (cn == NULL)
 continue;
 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
- cn->data, cn->length);
- if (domain_suffix_match(cn->data, cn->length,
+ ASN1_STRING_get0_data(cn),
+ ASN1_STRING_length(cn));
+ if (domain_suffix_match(ASN1_STRING_get0_data(cn),
+ ASN1_STRING_length(cn),
 match, match_len, full) == 1) {
 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
 full ? "Match" : "Suffix match");
@@ -2588,7 +2591,7 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
 gen->type != GEN_URI)
 continue;
 
- pos = os_malloc(10 + gen->d.ia5->length + 1);
+ pos = os_malloc(10 + ASN1_STRING_length(gen->d.ia5) + 1);
 if (pos == NULL)
 break;
 altsubject[num_altsubject++] = pos;
@@ -2608,8 +2611,9 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
 break;
 }
 
- os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
- pos += gen->d.ia5->length;
+ os_memcpy(pos, ASN1_STRING_get0_data(gen->d.ia5),
+ ASN1_STRING_length(gen->d.ia5));
+ pos += ASN1_STRING_length(gen->d.ia5);
 *pos = '\0';
 }
 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
-- 
cgit v1.2.3
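Review bot: The buffer size in the os_malloc() call of openssl_tls_cert_event (hunk -2588) and the copy length in the os_memcpy() of the next hunk (-2608) now come from three separate ASN1_STRING_length() calls, and the sum `10 + ASN1_STRING_length(gen->d.ia5) + 1` is evaluated in int before it reaches the allocator. Taking the length once ties the allocation and the copy to the same value: `size_t ia5_len = ASN1_STRING_length(gen->d.ia5);`, then `pos = os_malloc(10 + ia5_len + 1);` and `os_memcpy(pos, ASN1_STRING_get0_data(gen->d.ia5), ia5_len);`. The loop body starts before the first of these hunks and the lines between them are not shown, so the local has to be declared where both statements can see it.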
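Review bot: In the last hunk (-2608) the bytes are copied for the full ASN.1 length and then terminated with `*pos = '\0'`, but nothing visible rejects or escapes a NUL byte inside the IA5 data. Any consumer that reads altsubject[] as a C string would presumably see the value cut at the first NUL, which differs from what the matcher in the first hunk now compares. A comment above the copy would flag this, e.g. `/* NOTE: IA5 data may contain NUL; the reported string is then truncated */`, unless a check already exists in the lines between this hunk and the previous one, which the diff does not show.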