Package: svxlink
Followup-For: Bug #1138336
X-Debbugs-Cc: [email protected]
Control: tags -1 patch ftbfs

Dear Maintainer,

The previous patch is incorrect; I have attached an updated patch.

-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), 
(100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Description: Fix OpenSSL 4.0 compatibility in async SSL code
 Create mutable X509_NAME via X509_NAME_new(), populate it, and set it
 on the certificate/CSR via X509_set_*_name()/X509_REQ_set_subject_name()
 (which copy internally) instead of mutating the const pointer returned
 by X509_get_*_name()/X509_REQ_get_subject_name(). Use const for
 read-only X509_NAME_ENTRY/ASN1_STRING return values.
Forwarded: https://github.com/sm0svx/svxlink/pull/775
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2154883
Bug-Debian: https://bugs.debian.org/1138336
Last-Update: 2026-06-24

Index: svxlink/src/async/core/AsyncSslCertSigningReq.h
===================================================================
--- svxlink.orig/src/async/core/AsyncSslCertSigningReq.h        2026-06-25 
11:01:57.216607528 +0200
+++ svxlink/src/async/core/AsyncSslCertSigningReq.h     2026-06-25 
11:02:40.473688173 +0200
@@ -292,17 +292,17 @@
     bool addSubjectName(const std::string& field, const std::string& value)
     {
       assert(m_req != nullptr);
-      X509_NAME* name = X509_REQ_get_subject_name(m_req);
+      X509_NAME* name = X509_NAME_new();
       if (name == nullptr)
       {
-        name = X509_NAME_new();
+        return false;
       }
-      assert(name != nullptr);
       bool success = (X509_NAME_add_entry_by_txt(name, field.c_str(),
             MBSTRING_UTF8,
             reinterpret_cast<const unsigned char*>(value.c_str()),
             value.size(), -1, 0) == 1);
       success = success && (X509_REQ_set_subject_name(m_req, name) == 1);
+      X509_NAME_free(name);
       return success;
     }
 
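Review bot: Each call to addSubjectName now replaces the whole CSR subject with a single-entry name, because `name` starts from an empty `X509_NAME_new()` and `X509_REQ_set_subject_name()` overwrites whatever earlier calls stored; the removed code appended to the existing subject instead. If callers add several fields in turn (the method name suggests they do), only the last one survives. To keep the accumulating behaviour without mutating the const pointer, start from a copy, `X509_NAME* name = X509_NAME_dup(X509_REQ_get_subject_name(m_req));`, and fall back to `X509_NAME_new()` only when there is no existing subject to copy. The same applies to the `X509_NAME_new()` lines in the @@ -712 and @@ -735 hunks of AsyncSslX509.h (issuer and subject names). A CSR or certificate that silently loses subject fields changes the identity being requested or signed, so a test that adds two fields and reads both back would be worth having.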
@@ -404,8 +404,8 @@
       //int lastpos = X509_NAME_get_index_by_NID(subj, NID_commonName, -1);
       if (lastpos >= 0)
       {
-        X509_NAME_ENTRY *e = X509_NAME_get_entry(subj, lastpos);
-        ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
+        const X509_NAME_ENTRY *e = X509_NAME_get_entry(subj, lastpos);
+        const ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
         cn = reinterpret_cast<const char*>(ASN1_STRING_get0_data(d));
       }
       return cn;
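Review bot: The context line `cn = reinterpret_cast<const char*>(ASN1_STRING_get0_data(d));` still treats the entry data as a NUL-terminated C string, which OpenSSL does not guarantee for ASN1_STRING data; it may lack a terminator or contain embedded NULs, and a CN cut short at an embedded NUL is a well-known source of certificate name confusion. Assuming `cn` is a `std::string` (its declaration is outside the hunk), build it with the explicit length: `cn.assign(reinterpret_cast<const char*>(ASN1_STRING_get0_data(d)), ASN1_STRING_length(d));`. The same line appears in the @@ -354 hunk of AsyncSslX509.h, and the @@ -86 hunk of the demo streams the raw pointer to std::cout under the same assumption. The enclosing function starts and ends outside the hunk.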
Index: svxlink/src/async/core/AsyncSslX509.h
===================================================================
--- svxlink.orig/src/async/core/AsyncSslX509.h  2026-06-25 11:01:57.216607528 
+0200
+++ svxlink/src/async/core/AsyncSslX509.h       2026-06-25 11:03:30.050785788 
+0200
@@ -354,8 +354,8 @@
 #endif
       if (lastpos >= 0)
       {
-        X509_NAME_ENTRY *e = X509_NAME_get_entry(subj, lastpos);
-        ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
+        const X509_NAME_ENTRY *e = X509_NAME_get_entry(subj, lastpos);
+        const ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
         cn = reinterpret_cast<const char*>(ASN1_STRING_get0_data(d));
       }
       return cn;
@@ -712,11 +712,7 @@
     {
       // FIXME: Error handling
       assert(m_cert != nullptr);
-      X509_NAME* name = X509_get_issuer_name(m_cert);
-      if (name == nullptr)
-      {
-        name = X509_NAME_new();
-      }
+      X509_NAME* name = X509_NAME_new();
       assert(name != nullptr);
       int ret = X509_NAME_add_entry_by_txt(name, field.c_str(), MBSTRING_UTF8,
           reinterpret_cast<const unsigned char*>(value.c_str()),
@@ -724,6 +720,7 @@
       assert(ret == 1);
       ret = X509_set_issuer_name(m_cert, name);
       assert(ret == 1);
+      X509_NAME_free(name);
     }
 
     /**
@@ -735,11 +732,7 @@
     {
       // FIXME: Error handling
       assert(m_cert != nullptr);
-      X509_NAME* name = X509_get_subject_name(m_cert);
-      if (name == nullptr)
-      {
-        name = X509_NAME_new();
-      }
+      X509_NAME* name = X509_NAME_new();
       assert(name != nullptr);
       int ret = X509_NAME_add_entry_by_txt(name, field.c_str(), MBSTRING_UTF8,
           reinterpret_cast<const unsigned char*>(value.c_str()),
@@ -747,6 +740,7 @@
       assert(ret == 1);
       ret = X509_set_subject_name(m_cert, name);
       assert(ret == 1);
+      X509_NAME_free(name);
     }
 
     /**
Index: svxlink/src/async/demo/AsyncSslTcpServer_demo.cpp
===================================================================
--- svxlink.orig/src/async/demo/AsyncSslTcpServer_demo.cpp      2026-06-25 
11:01:57.216607528 +0200
+++ svxlink/src/async/demo/AsyncSslTcpServer_demo.cpp   2026-06-25 
11:01:57.211607519 +0200
@@ -86,8 +86,8 @@
               {
                   break;
               }
-              X509_NAME_ENTRY *e = X509_NAME_get_entry(subj, lastpos);
-              ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
+              const X509_NAME_ENTRY *e = X509_NAME_get_entry(subj, lastpos);
+              const ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
               const unsigned char* str = (ASN1_STRING_get0_data(d));
               std::cout << "### CN=" << str << std::endl;
           }
