> On 14 Jul 2026, at 00:25, Andreas Karlsson <[email protected]> wrote:
> On 7/13/26 16:16, Daniel Gustafsson wrote:

>> * 0003: Replace deprecated API X509_NAME_get_text_by_NID with the recommended
>>   alternative X509_NAME_get_index_by_NID + X509_NAME_get_entry.  The API was
>>   deprecated in OpenSSL 4 and risk getting removed, with the alternatives 
>> being
>>   available in all supported versions.
> 
> You should declare entry in the inner scope, not in the function scope.

Ah, yes.  It was already in the inner scope, but it should've been in
inner-inner scope =)

> The comment should maybe also add that entry and peer_cn_asn1 too are OpenSSL 
> owned pointers. Just saying it for peer_cn_internal seems a bit odd to me.

The other pointers are of OpenSSL data types and those are rarely freed unless
a matching _new or _dup method has been called, whereas peer_cn_internal is a
char pointer extracted with _get0_data.  To me the latter seemed more
reasonable to believe it was caller owned, but I can remove the comment
altogether if it's deemed useless.

> Also this is subjective but I am not personally a fan of 
> MemoryContextAllocZero() + memcpy(). I prefer MemoryContextAlloc() + memcpy() 
> + peer_cn[len] = 0. I feel that explains better what is going on. I have also 
> seen us use strncpy() for this purpose which I guess works too.

We can't use strncpy or strlcpy here since OpenSSL had defined the string as
const unsigned char * so we'd get pointer-sign compiler warnings unless we do
trickery, which seems not worth it.  I don't have strong opinions on how to
zero the buffer so changed to your proposal.

The attached also contains the non-null guards from Tristans review upthread.

--
Daniel Gustafsson

Attachment: v2-0001-ssl-Remove-static-var-tracking-tls_init_hook-warn.patch
Description: Binary data

Attachment: v2-0002-ssl-Use-TLS_method-instead-of-deprecated-SSLv23_m.patch
Description: Binary data

Attachment: v2-0003-ssl-Replace-deprecated-API-to-get-commonName.patch
Description: Binary data

Attachment: v2-0004-ssl-Use-the-correct-feature-macros-for-TLS-protoc.patch
Description: Binary data



Reply via email to