control: tag -1 patch Dear maintainer,
here's a patch that fixes the build with OpenSSL 4 by using ASN1_STRING_* accessor functions. Cheers, -Hilko
From: Hilko Bengen <[email protected]> Date: Mon, 1 Jun 2026 22:56:00 +0200 Subject: Use ASN1_STRING accessor functions instead of direct field access --- appx.c | 8 ++++---- cab.c | 4 ++-- cat.c | 10 +++++----- helpers.c | 7 +++---- msi.c | 4 ++-- osslsigncode.c | 29 +++++++++++++---------------- pe.c | 26 +++++++++++++------------- script.c | 4 ++-- 8 files changed, 44 insertions(+), 48 deletions(-) diff --git a/appx.c b/appx.c index 71a0ba4..d441810 100644 --- a/appx.c +++ b/appx.c @@ -472,8 +472,8 @@ static int appx_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + const u_char *p = ASN1_STRING_get0_data(content_val); + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, ASN1_STRING_length(content_val)); if (idc) { BIO *hashes; @@ -1077,8 +1077,8 @@ static int appx_extract_hashes(FILE_FORMAT_CTX *ctx, SpcIndirectDataContent *con AppxSpcSipInfo_free(si); BIO_free_all(stdbio); #endif - int length = content->messageDigest->digest->length; - uint8_t *data = content->messageDigest->digest->data; + int length = ASN1_STRING_length(content->messageDigest->digest); + uint8_t *data = ASN1_STRING_get0_data(content->messageDigest->digest); int mdlen = EVP_MD_size(ctx->appx_ctx->md); int pos = 4; diff --git a/cab.c b/cab.c index 257c2f0..8b48bd3 100644 --- a/cab.c +++ b/cab.c 
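Review bot: In the appx.c hunk at -1077 (appx_extract_hashes), `uint8_t *data = ASN1_STRING_get0_data(...)` drops the const qualifier, because the accessor returns `const unsigned char *`; a build that treats discarded qualifiers as errors will still fail on this line. Declare it as `const uint8_t *data = ASN1_STRING_get0_data(content->messageDigest->digest);`. The rest of the function lies outside the hunk, so confirm that nothing writes through `data` before changing the type.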
@@ -339,8 +339,8 @@ static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + const u_char *p = ASN1_STRING_get0_data(content_val); + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, ASN1_STRING_length(content_val)); if (idc) { if (spc_indirect_data_content_get_digest(idc, mdbuf, &mdtype) < 0) { fprintf(stderr, "Failed to extract message digest from signature\n\n"); diff --git a/cat.c b/cat.c index 8967d77..7430aed 100644 --- a/cat.c +++ b/cat.c @@ -301,14 +301,14 @@ static int cat_sign_content(PKCS7 *p7, PKCS7 *contents) int seqhdrlen, content_length; if (!contents->d.other || !contents->d.other->value.sequence - || !contents->d.other->value.sequence->data) { + || !ASN1_STRING_get0_data(contents->d.other->value.sequence)) { fprintf(stderr, "Failed to get content value\n"); return 0; /* FAILED */ } - seqhdrlen = asn1_simple_hdr_len(contents->d.other->value.sequence->data, - contents->d.other->value.sequence->length); - content = contents->d.other->value.sequence->data + seqhdrlen; - content_length = contents->d.other->value.sequence->length - seqhdrlen; + seqhdrlen = asn1_simple_hdr_len(ASN1_STRING_get0_data(contents->d.other->value.sequence), + ASN1_STRING_length(contents->d.other->value.sequence)); + content = ASN1_STRING_get0_data(contents->d.other->value.sequence) + seqhdrlen; + content_length = ASN1_STRING_length(contents->d.other->value.sequence) - seqhdrlen; if (!pkcs7_sign_content(p7, content, content_length)) { fprintf(stderr, "Failed to sign content\n"); diff --git a/helpers.c b/helpers.c index cbcbc38..cced3ea 100644 --- a/helpers.c +++ b/helpers.c 
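Review bot: In cat_sign_content (cat.c, -301), `content_length` is the string length minus `seqhdrlen` with no check that the header length fits inside the string, so a short or malformed sequence could hand pkcs7_sign_content() a zero or negative length. asn1_simple_hdr_len() is defined outside this diff, so whether it can return more than the remaining length is not visible here; a guard such as `if (content_length <= 0) return 0; /* FAILED */` after the subtraction would make the assumption explicit. The same unchecked subtraction appears in the pe_page_hash_get hunks at -871 and -896 in pe.c. Reading `contents->d.other->value.sequence` into a local `const ASN1_STRING *` once would also shorten the four accessor calls.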
@@ -581,7 +581,7 @@ int spc_indirect_data_content_get_digest(SpcIndirectDataContent *idc, u_char *md !idc->messageDigest->digestAlgorithm) { return -1; /* FAILED */ } - digest_len = idc->messageDigest->digest->length; + digest_len = ASN1_STRING_length(idc->messageDigest->digest); /* Validate digest length to prevent buffer overflow */ if (digest_len <= 0 || digest_len > EVP_MAX_MD_SIZE) { @@ -590,7 +590,7 @@ int spc_indirect_data_content_get_digest(SpcIndirectDataContent *idc, u_char *md return -1; /* FAILED */ } *mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); - memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)digest_len); + memcpy(mdbuf, ASN1_STRING_get0_data(idc->messageDigest->digest), (size_t)digest_len); return digest_len; /* OK */ } @@ -653,8 +653,7 @@ static int spc_indirect_data_content_create(u_char **blob, int *len, FILE_FORMAT SpcIndirectDataContent_free(idc); return 0; /* FAILED */ } - idc->data->value->value.sequence->data = p; - idc->data->value->value.sequence->length = l; + ASN1_STRING_set(idc->data->value->value.sequence, p, l); idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(mdtype); idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new(); idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL; diff --git a/msi.c b/msi.c index affa65c..0ae3e32 100644 --- a/msi.c +++ b/msi.c 
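Review bot: In spc_indirect_data_content_create (helpers.c, -653), `ASN1_STRING_set()` copies the buffer, whereas the two removed assignments handed `p` itself to the ASN1_STRING, so ownership of `p` changes with this line. If `p` is heap-allocated earlier in the function (not visible in the hunk) and is not freed afterwards, it now leaks on every call. The return value of the copy is also ignored, so an allocation failure would go unnoticed and the function would carry on building the blob. `ASN1_STRING_set0(idc->data->value->value.sequence, p, l);` keeps the original transfer-of-ownership semantics without a copy.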
@@ -416,8 +416,8 @@ static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + const u_char *p = ASN1_STRING_get0_data(content_val); + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, ASN1_STRING_length(content_val)); if (idc) { if (spc_indirect_data_content_get_digest(idc, mdbuf, &mdtype) < 0) { fprintf(stderr, "Failed to extract message digest from signature\n\n"); diff --git a/osslsigncode.c b/osslsigncode.c index b83c285..6bd26aa 100644 --- a/osslsigncode.c +++ b/osslsigncode.c @@ -316,7 +316,7 @@ static BIO *bio_encode_rfc3161_request(PKCS7 *p7, const EVP_MD *md) #pragma GCC diagnostic pop #endif BIO_push(bhash, BIO_new(BIO_s_null())); - BIO_write(bhash, si->enc_digest->data, si->enc_digest->length); + BIO_write(bhash, ASN1_STRING_get0_data(si->enc_digest), ASN1_STRING_length(si->enc_digest)); BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); req = TS_REQ_new(); @@ -393,10 +393,7 @@ static ASN1_INTEGER *create_nonce(int bits) fprintf(stderr, "Could not create nonce\n"); return NULL; } - OPENSSL_free(nonce->data); - nonce->length = len - i; - nonce->data = OPENSSL_malloc((size_t)nonce->length + 1); - memcpy(nonce->data, buf + i, (size_t)nonce->length); + ASN1_STRING_set(nonce, buf + i, len - i); return nonce; } @@ -2196,8 +2193,8 @@ static int verify_timestamp_token(PKCS7 *p7, CMS_ContentInfo *timestamp) /* get the embedded content */ pos = CMS_get0_content(timestamp); if (pos != NULL && *pos != NULL) { - const u_char *p = (*pos)->data; - TS_TST_INFO *token = d2i_TS_TST_INFO(NULL, &p, (*pos)->length); + const u_char *p = ASN1_STRING_get0_data(*pos); + TS_TST_INFO *token = d2i_TS_TST_INFO(NULL, &p, ASN1_STRING_length(*pos)); if (token) { BIO *bhash; 
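Review bot: In create_nonce (osslsigncode.c, -393), the result of `ASN1_STRING_set()` is not checked, so on allocation failure the function returns a nonce that does not hold the random bytes. The nonce is what ties the timestamp response to this request, so fail instead: `if (!ASN1_STRING_set(nonce, buf + i, len - i)) { ASN1_INTEGER_free(nonce); return NULL; }`, assuming `nonce` was allocated as an ASN1_INTEGER above the hunk. The removed code had the same gap with an unchecked OPENSSL_malloc(), so this is not a regression.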
@@ -2229,17 +2226,17 @@ static int verify_timestamp_token(PKCS7 *p7, CMS_ContentInfo *timestamp) #pragma GCC diagnostic pop #endif BIO_push(bhash, BIO_new(BIO_s_null())); - BIO_write(bhash, si->enc_digest->data, si->enc_digest->length); + BIO_write(bhash, ASN1_STRING_get0_data(si->enc_digest), ASN1_STRING_length(si->enc_digest)); BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md)); BIO_free_all(bhash); /* compare the provided hash against the computed hash */ hash =TS_MSG_IMPRINT_get_msg(msg_imprint); - if (memcmp(mdbuf, hash->data, (size_t)hash->length)) { + if (memcmp(mdbuf, ASN1_STRING_get0_data(hash), (size_t)ASN1_STRING_length(hash))) { printf("Hash value mismatch:\n\tMessage digest algorithm: %s\n", (md_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(md_nid)); print_hash("\tComputed message digest", "", mdbuf, EVP_MD_size(md)); - print_hash("\tReceived message digest", "", hash->data, hash->length); + print_hash("\tReceived message digest", "", ASN1_STRING_get0_data(hash), ASN1_STRING_length(hash)); printf("\nFile's message digest verification: failed\n"); TS_TST_INFO_free(token); return 0; /* FAILED */ @@ -2742,7 +2739,7 @@ static time_t time_t_timestamp_get_attributes(CMS_ContentInfo **timestamp, PKCS7 if (opus == NULL) continue; if (opus->moreInfo && opus->moreInfo->type == 0) { - char *url = OPENSSL_strdup((char *)opus->moreInfo->value.url->data); + char *url = OPENSSL_strdup((char *)ASN1_STRING_get0_data(opus->moreInfo->value.url)); printf("\tURL description: %s\n", url); OPENSSL_free(url); } @@ -2756,7 +2753,7 @@ static time_t time_t_timestamp_get_attributes(CMS_ContentInfo **timestamp, PKCS7 OPENSSL_free(opusdata); } } else { - desc = OPENSSL_strdup((char *)opus->programName->value.ascii->data); + desc = OPENSSL_strdup((char *)ASN1_STRING_get0_data(opus->programName->value.ascii)); } if (desc) { printf("\tText description: %s\n", desc); 
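Review bot: In verify_timestamp_token (osslsigncode.c, -2229), `memcmp()` compares only `ASN1_STRING_length(hash)` bytes, and that length comes from the timestamp token rather than from the digest that was just computed. Unless the imprint length is validated outside the hunk, an imprint shorter than `EVP_MD_size(md)` is compared on a prefix only (an empty one compares equal), and a longer one reads past the computed digest in `mdbuf`. Require the lengths to match first: `if (ASN1_STRING_length(hash) != EVP_MD_size(md) || memcmp(mdbuf, ASN1_STRING_get0_data(hash), (size_t)EVP_MD_size(md))) {`.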
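Review bot: In the -2742 and -2756 hunks of osslsigncode.c, `OPENSSL_strdup()` treats the ASN1_STRING payload as a NUL-terminated C string, which the accessor does not promise, and the `(char *)` cast drops the const it returns. These strings come from the signature being inspected, so bound the copy by the stored length: `char *url = OPENSSL_strndup((const char *)ASN1_STRING_get0_data(opus->moreInfo->value.url), (size_t)ASN1_STRING_length(opus->moreInfo->value.url));`, and do the same for `opus->programName->value.ascii`. In the URL branch the result is also passed to `printf("%s")` without a NULL check.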
@@ -2875,11 +2872,11 @@ static time_t time_t_timestamp_get_attributes(CMS_ContentInfo **timestamp, PKCS7 continue; } if (verbose) { - char *data_blob = OPENSSL_buf2hexstr(blob->data, blob->length); + char *data_blob = OPENSSL_buf2hexstr(ASN1_STRING_get0_data(blob), ASN1_STRING_length(blob)); printf("\nUnauthenticated Data Blob:\n%s\n", data_blob); OPENSSL_free(data_blob); } else { - printf("\nUnauthenticated Data Blob length: %d bytes\n", blob->length); + printf("\nUnauthenticated Data Blob length: %d bytes\n", ASN1_STRING_length(blob)); } } } @@ -2987,8 +2984,8 @@ static time_t time_t_get_cms_time(CMS_ContentInfo *cms) ASN1_OCTET_STRING **pos = CMS_get0_content(cms); if (pos != NULL && *pos != NULL) { - const u_char *p = (*pos)->data; - TS_TST_INFO *token = d2i_TS_TST_INFO(NULL, &p, (*pos)->length); + const u_char *p = ASN1_STRING_get0_data(*pos); + TS_TST_INFO *token = d2i_TS_TST_INFO(NULL, &p, ASN1_STRING_length(*pos)); if (token) { const ASN1_GENERALIZEDTIME *asn1_time = TS_TST_INFO_get_time(token); posix_time = time_t_get_asn1_time(asn1_time); diff --git a/pe.c b/pe.c index b188395..c0224df 100644 --- a/pe.c +++ b/pe.c @@ -249,8 +249,8 @@ static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + const u_char *p = ASN1_STRING_get0_data(content_val); + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, ASN1_STRING_length(content_val)); if (idc) { if (!pe_page_hash_get(&ph, &phlen, &phtype, idc->data)) { fprintf(stderr, "Failed to extract a page hash\n\n"); 
@@ -857,8 +857,8 @@ static int pe_page_hash_get(u_char **ph, int *phlen, int *phtype, SpcAttributeTy if (!obj || !obj->value) return 0; /* FAILED */ - blob = obj->value->value.sequence->data; - id = d2i_SpcPeImageData(NULL, &blob, obj->value->value.sequence->length); + blob = ASN1_STRING_get0_data(obj->value->value.sequence); + id = d2i_SpcPeImageData(NULL, &blob, ASN1_STRING_length(obj->value->value.sequence)); if (!id) { return 0; /* FAILED */ } @@ -871,15 +871,15 @@ static int pe_page_hash_get(u_char **ph, int *phlen, int *phtype, SpcAttributeTy return 1; /* OK - This is not SpcSerializedObject structure that contains page hashes */ } so = id->file->value.moniker; - if (so->classId->length != sizeof classid_page_hash || - memcmp(so->classId->data, classid_page_hash, sizeof classid_page_hash)) { + if (ASN1_STRING_length(so->classId) != sizeof classid_page_hash || + memcmp(ASN1_STRING_get0_data(so->classId), classid_page_hash, sizeof classid_page_hash)) { SpcPeImageData_free(id); return 0; /* FAILED */ } /* skip ASN.1 SET hdr */ - l = asn1_simple_hdr_len(so->serializedData->data, so->serializedData->length); - blob = so->serializedData->data + l; - obj = d2i_SpcAttributeTypeAndOptionalValue(NULL, &blob, so->serializedData->length - l); + l = asn1_simple_hdr_len(ASN1_STRING_get0_data(so->serializedData), ASN1_STRING_length(so->serializedData)); + blob = ASN1_STRING_get0_data(so->serializedData) + l; + obj = d2i_SpcAttributeTypeAndOptionalValue(NULL, &blob, ASN1_STRING_length(so->serializedData) - l); SpcPeImageData_free(id); if (!obj) return 0; /* FAILED */ 
@@ -896,13 +896,13 @@ static int pe_page_hash_get(u_char **ph, int *phlen, int *phtype, SpcAttributeTy return 0; /* FAILED */ } /* Skip ASN.1 SET hdr */ - l2 = asn1_simple_hdr_len(obj->value->value.sequence->data, obj->value->value.sequence->length); + l2 = asn1_simple_hdr_len(ASN1_STRING_get0_data(obj->value->value.sequence), ASN1_STRING_length(obj->value->value.sequence)); /* Skip ASN.1 OCTET STRING hdr */ - l = asn1_simple_hdr_len(obj->value->value.sequence->data + l2, obj->value->value.sequence->length - l2); + l = asn1_simple_hdr_len(ASN1_STRING_get0_data(obj->value->value.sequence) + l2, ASN1_STRING_length(obj->value->value.sequence) - l2); l += l2; - *phlen = obj->value->value.sequence->length - l; + *phlen = ASN1_STRING_length(obj->value->value.sequence) - l; *ph = OPENSSL_malloc((size_t)*phlen); - memcpy(*ph, obj->value->value.sequence->data + l, (size_t)*phlen); + memcpy(*ph, ASN1_STRING_get0_data(obj->value->value.sequence) + l, (size_t)*phlen); SpcAttributeTypeAndOptionalValue_free(obj); return 1; /* OK */ } diff --git a/script.c b/script.c index 457791b..009c0ae 100644 --- a/script.c +++ b/script.c @@ -291,8 +291,8 @@ static int script_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7) /* FIXME: this shared code most likely belongs in osslsigncode.c */ if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) { ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence; - const u_char *p = content_val->data; - SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length); + const u_char *p = ASN1_STRING_get0_data(content_val); + SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, ASN1_STRING_length(content_val)); if (idc) { if (spc_indirect_data_content_get_digest(idc, mdbuf, &mdtype) < 0) { fprintf(stderr, "Failed to extract message digest from signature\n\n");
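Review bot: In pe_page_hash_get (pe.c, -896), the buffer returned by `OPENSSL_malloc()` goes straight into `memcpy()` without a NULL check, and its size is an int difference cast to `size_t`, so a non-positive `*phlen` turns into a very large request. The page-hash blob is parsed from the signature, so both values should be validated before the copy, freeing `obj` on the failure path as the surrounding code does. The function starts outside the hunk.

```c
/* … unchanged: l2 and l header-length computation … */
    *phlen = ASN1_STRING_length(obj->value->value.sequence) - l;
    if (*phlen <= 0) {
        SpcAttributeTypeAndOptionalValue_free(obj);
        return 0; /* FAILED */
    }
    *ph = OPENSSL_malloc((size_t)*phlen);
    if (!*ph) {
        SpcAttributeTypeAndOptionalValue_free(obj);
        return 0; /* FAILED */
    }
/* … unchanged: memcpy of the page hash, free of obj, return 1 … */
```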

