Theo Buehler([email protected]) on 2021.10.21 13:05:18 +0200:
> This is the first of two diffs to prepare isakmpd for upcoming libcrypto
> changes.  X509_EXTENSION will become opaque so we need to use an accessor.
> I decided to leave accesses into ASN1_OCTET_STRING as they are for
> readability (asn1_string_st is still exposed in OpenSSL's asn1.h).

reads ok
 
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/sbin/isakmpd/x509.c,v
> retrieving revision 1.120
> diff -u -p -r1.120 x509.c
> --- x509.c    13 Oct 2021 16:57:43 -0000      1.120
> +++ x509.c    21 Oct 2021 10:14:03 -0000
> @@ -1064,9 +1064,10 @@ x509_cert_obtain(u_int8_t *id, size_t id
>  int
>  x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
>  {
> -     X509_EXTENSION  *subjectaltname;
> -     u_int8_t        *sandata;
> -     int             extpos, santype, sanlen;
> +     X509_EXTENSION          *subjectaltname;
> +     ASN1_OCTET_STRING       *sanasn1data;
> +     u_int8_t                *sandata;
> +     int                      extpos, santype, sanlen;
>  
>       extpos = X509_get_ext_by_NID(scert, NID_subject_alt_name, -1);
>       if (extpos == -1) {
> @@ -1075,16 +1076,16 @@ x509_cert_subjectaltname(X509 *scert, u_
>               return 0;
>       }
>       subjectaltname = X509_get_ext(scert, extpos);
> +     sanasn1data = X509_EXTENSION_get_data(subjectaltname);
>  
> -     if (!subjectaltname || !subjectaltname->value ||
> -         !subjectaltname->value->data ||
> -         subjectaltname->value->length < 4) {
> +     if (!subjectaltname || !sanasn1data || !sanasn1data->data ||
> +         sanasn1data->length < 4) {
>               log_print("x509_cert_subjectaltname: invalid "
>                   "subjectaltname extension");
>               return 0;
>       }
>       /* SSL does not handle unknown ASN stuff well, do it by hand.  */
> -     sandata = subjectaltname->value->data;
> +     sandata = sanasn1data->data;
>       santype = sandata[2] & 0x3f;
>       sanlen = sandata[3];
>       sandata += 4;
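Review bot: `X509_EXTENSION_get_data(subjectaltname)` is now called before the `!subjectaltname` test, so the NULL case is safe only if the accessor itself tolerates a NULL extension; the old code tested the pointer before touching `->value`. Current libcrypto implementations appear to return NULL for a NULL argument, which would also make the `!subjectaltname` clause redundant, but that is an implementation detail and not something visible in this diff. Either move the accessor call below a separate `if (!subjectaltname)` check, or record the reliance with a comment such as `/* X509_EXTENSION_get_data() returns NULL for a NULL extension */`. The body of x509_cert_subjectaltname starts and continues outside this hunk.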
> @@ -1094,7 +1095,7 @@ x509_cert_subjectaltname(X509 *scert, u_
>        * extra stuff in subjectAltName, so we will just take the first
>        * salen bytes, and not worry about what follows.
>        */
> -     if (sanlen + 4 > subjectaltname->value->length) {
> +     if (sanlen + 4 > sanasn1data->length) {
>               log_print("x509_cert_subjectaltname: subjectaltname invalid "
>                   "length");
>               return 0;
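Review bot: The bound `sanlen + 4 > sanasn1data->length` keeps the hand-parsed name inside the extension buffer, but nothing near it says what the 4 stands for or that the length is read as a single byte (`sanlen = sandata[3]` in the previous hunk). That reading presumably assumes short-form DER lengths for both the outer SEQUENCE and the first GeneralName, so an extension encoded with a long-form length would be misinterpreted instead of being rejected; the check still prevents reading past the buffer. A comment above the check, e.g. `/* 4 = SEQUENCE tag+len, GeneralName tag+len; short-form lengths only */`, would record that limit, and the existing comment's `salen` should read `sanlen`. The function continues outside this hunk.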
> 
