plaisthos has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/1587?usp=email )
Change subject: Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage ...................................................................... Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage The ASN1_BIT_STRING object has become opaque in OpenSSL 4.0. So instead of accessing the internals, we have to use a method now to check these attributes. The bit counting in ASN.1 and of this method is a bit strange and it will count bits from the left instead of the right, so the previous mask of 0x80 for clients is now 0 and 0x40 for server is now 1. Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2 Signed-off-by: Arne Schwabe <[email protected]> --- M src/openvpn/ssl_verify_openssl.c 1 file changed, 5 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/1587/1 diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 46401cd..fc14789 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -626,7 +626,8 @@ { ASN1_BIT_STRING *ns; ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; + // bit 0 is to check if certificate is the client certificate + result = ASN1_BIT_STRING_get_bit(ns, 0) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " 
@@ -652,9 +653,9 @@ */ if (result == FAILURE) { - ASN1_BIT_STRING *ns; - ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; + ASN1_BIT_STRING *ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); + // Server bit is 1 for ASN1_BIT_STRING_get_bit + result = ASN1_BIT_STRING_get_bit(ns, 1) ? SUCCESS : FAILURE; if (result == SUCCESS) { msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose " -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1587?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2 Gerrit-Change-Number: 1587 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
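Review bot: in the first hunk (@@ -626), the new line `result = ASN1_BIT_STRING_get_bit(ns, 0) ? SUCCESS : FAILURE;` silently drops the `ns && ns->length > 0` guard that the removed line had; ASN1_BIT_STRING_get_bit returns 0 for a NULL or too-short bit string, so the behaviour is preserved, but the comment should say that the NULL handling is deliberately delegated to the getter, because the missing guard is the first thing a reader comparing old and new will flag. The hardcoded index 0 also replaces the named mask NS_SSL_CLIENT (0x80, the most significant bit of the first octet, which is ASN.1 bit 0); a named constant, or at least a comment tying bit 0 to NS_SSL_CLIENT, keeps that mapping auditable. Finally, the surrounding code uses `/* */` comments (the `*/` closing a block comment is visible just before the second hunk's `if`), so the new `//` comment should follow the existing style.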
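Review bot: the second hunk (@@ -652) has the same two issues as the first: `ASN1_BIT_STRING_get_bit(ns, 1)` hardcodes the server bit where the removed line used the named mask NS_SSL_SERVER (0x40, ASN.1 bit 1), so a named constant or an explicit "bit 1 == NS_SSL_SERVER" comment is preferable to the bare `1`, and the comment `// Server bit is 1 for ASN1_BIT_STRING_get_bit` should be a `/* */` comment to match the block comment that ends right above the `if (result == FAILURE)`. Folding the declaration and the X509_get_ext_d2i call into `ASN1_BIT_STRING *ns = X509_get_ext_d2i(...)` is fine, but X509_get_ext_d2i still returns a newly allocated object and the corresponding free of `ns` is outside the visible context, so please confirm the lifetime handling is unchanged by this restructuring.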
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
