On Mon, Jul 04, 2016 at 08:30:19AM +0200, Hilko Bengen wrote:
> index 38e049b..dcc9380 100644
> --- a/ncat/ncat_ssl.c
> +++ b/ncat/ncat_ssl.c
> @@ -293,7 +293,7 @@ static int cert_match_dnsname(X509 *cert, const char 
> *hostname,
>      X509_EXTENSION *ext;
>      STACK_OF(GENERAL_NAME) *gen_names;
>      const X509V3_EXT_METHOD *method;
> -    unsigned char *data;
> +    ASN1_OCTET_STRING *data;
>      int i;
>  
>      if (num_checked != NULL)
> @@ -315,26 +315,25 @@ static int cert_match_dnsname(X509 *cert, const char 
> *hostname,
>  
>      /* We must copy this address into a temporary variable because 
> ASN1_item_d2i
>         increments it. We don't want it to corrupt ext->value->data. */
> -    data = ext->value->data;
> +    data = X509_EXTENSION_get_data(ext);
>      /* Here we rely on the fact that the internal representation (the "i" in
>         "i2d") for NID_subject_alt_name is STACK_OF(GENERAL_NAME). Converting 
> it
>         to a stack of CONF_VALUE with a i2v method is not satisfactory, 
> because a
>         CONF_VALUE doesn't contain the length of the value so you can't know 
> the
>         presence of null bytes. */
> +    const unsigned char *der;
> +    int length = i2d_ASN1_INTEGER(data, (unsigned char**) &der);
>  #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
>      if (method->it != NULL) {
>          gen_names = (STACK_OF(GENERAL_NAME) *) ASN1_item_d2i(NULL,
> -            (const unsigned char **) &data,
> -            ext->value->length, ASN1_ITEM_ptr(method->it));
> +            &der, length, ASN1_ITEM_ptr(method->it));
>      } else {
>          gen_names = (STACK_OF(GENERAL_NAME) *) method->d2i(NULL,
> -            (const unsigned char **) &data,
> -            ext->value->length);
> +            &der, length);
>      }
>  #else
>      gen_names = (STACK_OF(GENERAL_NAME) *) method->d2i(NULL,
> -        (const unsigned char **) &data,
> -        ext->value->length);
> +        (const unsigned char*) der, length);
>  #endif
>      if (gen_names == NULL)
>          return 0;
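Review bot: The `int length = i2d_ASN1_INTEGER(data, (unsigned char**) &der);` line is the wrong call for what the hunk needs: `data` is an ASN1_OCTET_STRING rather than an ASN1_INTEGER, and because `der` is never initialised, the i2d routine writes its output through whatever pointer value `der` happens to hold instead of allocating a buffer; even with `der = NULL` it would produce a re-encoded INTEGER TLV (never freed) rather than the raw extension octets that the d2i calls below expect. The payload is available without re-encoding: `const unsigned char *der = ASN1_STRING_get0_data(data);` and `int length = ASN1_STRING_length(data);` (ASN1_STRING_data() on OpenSSL before 1.1.0). The `#else` branch also passes `(const unsigned char*) der` where `method->d2i` takes a `const unsigned char **`, so it should be `&der` like the two calls above it. The comment about copying the address is now stale, since it is `der`, not `data`, that the d2i call advances, and declaring `der` after statements is a mixed declaration the rest of this function avoids; cert_match_dnsname continues on both sides of the hunk.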

This seems to be more complicated than it should.  If you want to
go over all DNS names in the SAN you want something like:

GENERAL_NAMES *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)
for (int i = 0; i < sk_GENERAL_NAME_num(names); i++)
{
    GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
    int type;
    ASN1_STRING *asn1_name = GENERAL_NAME_get0_value(name, &type);

    if (type == GEN_DNS)
    {
        /* do something with asn1_name */
    }
}


> @@ -542,7 +542,7 @@ static int parse_ssl_cert(lua_State *L, X509 *cert)
>  
>    pubkey = X509_get_pubkey(cert);
>    lua_newtable(L);
> -  pkey_type = EVP_PKEY_type(pubkey->type);
> +  pkey_type = EVP_PKEY_type(EVP_PKEY_base_id(pubkey));
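Review bot: `EVP_PKEY_base_id(pubkey)` on the added line dereferences `pubkey` unconditionally, and X509_get_pubkey() returns NULL for a certificate whose key algorithm OpenSSL cannot decode, so the function should bail out before this call, e.g. `if (pubkey == NULL) { /* report/return per this function's error convention */ }`. The old `pubkey->type` had the same hole, but this is the line being rewritten, so it is the moment to close it. The start and end of parse_ssl_cert lie outside the hunk, so whether the EVP_PKEY returned by X509_get_pubkey() is released with EVP_PKEY_free() on every path cannot be checked here; any early return added for the NULL case should keep that accounting consistent.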

That should just be pkey_type = EVP_PKEY_base_id(pubkey);


Kurt
