Re: [Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data

2017-02-06 Thread Pavel Grunt
On Tue, 2017-01-24 at 10:21 +0100, Christophe Fergeau wrote:
> From: Sebastian Andrzej Siewior 
> 
> The latter is deprecated, so might be removed at  some point in the
> future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.
> 
> Signed-off-by: Sebastian Andrzej Siewior 
> Signed-off-by: Christophe Fergeau 
> ---
> 
> Here is the patch with a FIXME, I have a slight preference for the
> version
> without it, but this version is fine with me too.

Imho it is more clear without the FIXME. I guess Victor was
suggesting:
FIXME: Require OpenSSL >= 1.1


Pavel
> 
>  common/ssl_verify.c | 22 --
>  1 file changed, 16 insertions(+), 6 deletions(-)
> 
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 601252e..1c41e21 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -33,6 +33,16 @@
>  #include 
>  #include 
>  
> +#if OPENSSL_VERSION_NUMBER < 0x1010
> +
> +/* FIXME: Remove this compatibility block when OpenSSL < 1.1.0
> support is
> + * dropped */
> +static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING
> *asn1)
> +{
> +return M_ASN1_STRING_data(asn1);
> +}
> +#endif
> +
>  static int verify_pubkey(X509* cert, const char *key, size_t
> key_size)
>  {
>  EVP_PKEY* cert_pubkey = NULL;
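Review bot: The version guard on the compatibility block reads `#if OPENSSL_VERSION_NUMBER < 0x1010` as shown here, and no released OpenSSL has a version number that small, so on 1.0.x the wrapper would be compiled out and ASN1_STRING_get0_data would be undeclared. The threshold for 1.1.0 is `0x10100000L`, i.e. `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. This archive has dropped characters elsewhere in the patch (the `#include` lines are empty), so the constant may simply be truncated in rendering; it is worth checking against the committed file. The same guard appears in every posting of the patch in this thread.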
> @@ -182,10 +192,10 @@ static int verify_hostname(X509* cert, const
> char *hostname)
>  const GENERAL_NAME* name =
> sk_GENERAL_NAME_value(subject_alt_names, i);
>  if (name->type == GEN_DNS) {
>  found_dns_name = 1;
> -if (_gnutls_hostname_compare((char
> *)ASN1_STRING_data(name->d.dNSName),
> +if (_gnutls_hostname_compare((const char
> *)ASN1_STRING_get0_data(name->d.dNSName),
>   ASN1_STRING_length(nam
> e->d.dNSName),
>   hostname)) {
> -spice_debug("alt name match=%s",
> ASN1_STRING_data(name->d.dNSName));
> +spice_debug("alt name match=%s",
> ASN1_STRING_get0_data(name->d.dNSName));
>  GENERAL_NAMES_free(subject_alt_names);
>  return 1;
>  }
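Review bot: Both changed `spice_debug` calls print certificate-supplied bytes with `%s`, here for the dNSName and again for the common name in the last hunk, while the comparison next to each one passes `ASN1_STRING_length` explicitly. OpenSSL documents that ASN1_STRING data cannot be assumed NUL-terminated or free of embedded NULs, so the logged name can be cut short and differ from the bytes that were actually compared. A length-bounded form keeps the log faithful: `spice_debug("alt name match=%.*s", ASN1_STRING_length(name->d.dNSName), (const char *)ASN1_STRING_get0_data(name->d.dNSName));`. How `_gnutls_hostname_compare` treats an embedded NUL is not visible in this hunk and should be confirmed, since verify_hostname's body extends beyond it.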
> @@ -208,11 +218,11 @@ static int verify_hostname(X509* cert, const
> char *hostname)
>  alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
>  
>  if ((ip_len == alt_ip_len) &&
> -   (memcmp(ASN1_STRING_data(name->d.iPAddress),
> ip_binary, ip_len)) == 0) {
> +   (memcmp(ASN1_STRING_get0_data(name-
> >d.iPAddress), ip_binary, ip_len)) == 0) {
>  GInetAddress * alt_ip = NULL;
>  gchar * alt_ip_string = NULL;
>  
> -alt_ip =
> g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
> +alt_ip =
> g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name-
> >d.iPAddress),
> g_inet_a
> ddress_get_family(ip));
>  alt_ip_string =
> g_inet_address_to_string(alt_ip);
>  spice_debug("alt name IP match=%s",
> alt_ip_string);
> @@ -253,10 +263,10 @@ static int verify_hostname(X509* cert, const
> char *hostname)
>  continue;
>  }
>  
> -if
> (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
> +if (_gnutls_hostname_compare((const
> char*)ASN1_STRING_get0_data(cn_asn1),
>   ASN1_STRING_length(cn_asn1
> ),
>   hostname)) {
> -spice_debug("common name match=%s",
> (char*)ASN1_STRING_data(cn_asn1));
> +spice_debug("common name match=%s",
> (char*)ASN1_STRING_get0_data(cn_asn1));
>  cn_match = 1;
>  break;
>  }
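Review bot: The `(char*)` cast in `spice_debug("common name match=%s", (char*)ASN1_STRING_get0_data(cn_asn1))` discards the const qualifier that the new accessor returns, while the comparison just above it was updated to `(const char*)`. Use `(const char *)ASN1_STRING_get0_data(cn_asn1)` here too so the code builds cleanly with -Wcast-qual and matches the rest of the patch. The dNSName debug call in the second hunk passes the `const unsigned char *` with no cast at all, so the two log lines are also inconsistent with each other.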


[Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data

2017-01-24 Thread Christophe Fergeau
From: Sebastian Andrzej Siewior 

The latter is deprecated, so might be removed at  some point in the
future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.

Signed-off-by: Sebastian Andrzej Siewior 
Signed-off-by: Christophe Fergeau 
---

Here is the patch with a FIXME, I have a slight preference for the version
without it, but this version is fine with me too.

 common/ssl_verify.c | 22 --
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 601252e..1c41e21 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -33,6 +33,16 @@
 #include 
 #include 
 
+#if OPENSSL_VERSION_NUMBER < 0x1010
+
+/* FIXME: Remove this compatibility block when OpenSSL < 1.1.0 support is
+ * dropped */
+static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
+{
+return M_ASN1_STRING_data(asn1);
+}
+#endif
+
 static int verify_pubkey(X509* cert, const char *key, size_t key_size)
 {
 EVP_PKEY* cert_pubkey = NULL;
@@ -182,10 +192,10 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 const GENERAL_NAME* name = 
sk_GENERAL_NAME_value(subject_alt_names, i);
 if (name->type == GEN_DNS) {
 found_dns_name = 1;
-if (_gnutls_hostname_compare((char 
*)ASN1_STRING_data(name->d.dNSName),
+if (_gnutls_hostname_compare((const char 
*)ASN1_STRING_get0_data(name->d.dNSName),
  
ASN1_STRING_length(name->d.dNSName),
  hostname)) {
-spice_debug("alt name match=%s", 
ASN1_STRING_data(name->d.dNSName));
+spice_debug("alt name match=%s", 
ASN1_STRING_get0_data(name->d.dNSName));
 GENERAL_NAMES_free(subject_alt_names);
 return 1;
 }
@@ -208,11 +218,11 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 
 if ((ip_len == alt_ip_len) &&
-   (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, 
ip_len)) == 0) {
+   (memcmp(ASN1_STRING_get0_data(name->d.iPAddress), 
ip_binary, ip_len)) == 0) {
 GInetAddress * alt_ip = NULL;
 gchar * alt_ip_string = NULL;
 
-alt_ip = 
g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
+alt_ip = 
g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress),

g_inet_address_get_family(ip));
 alt_ip_string = g_inet_address_to_string(alt_ip);
 spice_debug("alt name IP match=%s", alt_ip_string);
@@ -253,10 +263,10 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 continue;
 }
 
-if (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
+if (_gnutls_hostname_compare((const 
char*)ASN1_STRING_get0_data(cn_asn1),
  ASN1_STRING_length(cn_asn1),
  hostname)) {
-spice_debug("common name match=%s", 
(char*)ASN1_STRING_data(cn_asn1));
+spice_debug("common name match=%s", 
(char*)ASN1_STRING_get0_data(cn_asn1));
 cn_match = 1;
 break;
 }
-- 
2.9.3



Re: [Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data

2017-01-19 Thread Christophe Fergeau
On Tue, Jan 17, 2017 at 03:19:00PM +0100, Victor Toso wrote:
> Hi,
> 
> On Fri, Jan 13, 2017 at 12:12:50PM +0100, Christophe Fergeau wrote:
> > From: Sebastian Andrzej Siewior 
> >
> > The latter is deprecated, so might be removed at  some point in the
> > future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.
> >
> > Signed-off-by: Sebastian Andrzej Siewior 
> > ---
> >  common/ssl_verify.c | 20 ++--
> >  1 file changed, 14 insertions(+), 6 deletions(-)
> >
> > diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> > index 601252e..b6a96a7 100644
> > --- a/common/ssl_verify.c
> > +++ b/common/ssl_verify.c
> > @@ -33,6 +33,14 @@
> >  #include 
> >  #include 
> >
> 
> I would include a FIXME here, to require >= 1.1.0 in the future, just
> make it easier to track this.

I can add one, but I haven't done so in the spice-gtk patch. I expect
openssl 1.0 support to stay there for quite some time fwiw (I'd bet that
this code will be replaced by 'something else' before we decide we can
drop openssl 1.0 support ;)

Christophe




Re: [Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data

2017-01-17 Thread Victor Toso
Hi,

On Fri, Jan 13, 2017 at 12:12:50PM +0100, Christophe Fergeau wrote:
> From: Sebastian Andrzej Siewior 
>
> The latter is deprecated, so might be removed at  some point in the
> future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.
>
> Signed-off-by: Sebastian Andrzej Siewior 
> ---
>  common/ssl_verify.c | 20 ++--
>  1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 601252e..b6a96a7 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -33,6 +33,14 @@
>  #include 
>  #include 
>

I would include a FIXME here, to require >= 1.1.0 in the future, just
make it easier to track this.

I don't have 1.1.0 here to test, but this matches the description at
[0], so

Acked-by: Victor Toso 

[0] 
https://github.com/openssl/openssl/commit/17ebf85abda18c3875b1ba6670fe7b393bc1f297

> +#if OPENSSL_VERSION_NUMBER < 0x1010
> +
> +static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
> +{
> +return M_ASN1_STRING_data(asn1);
> +}
> +#endif
> +
>  static int verify_pubkey(X509* cert, const char *key, size_t key_size)
>  {
>  EVP_PKEY* cert_pubkey = NULL;
> @@ -182,10 +190,10 @@ static int verify_hostname(X509* cert, const char 
> *hostname)
>  const GENERAL_NAME* name = 
> sk_GENERAL_NAME_value(subject_alt_names, i);
>  if (name->type == GEN_DNS) {
>  found_dns_name = 1;
> -if (_gnutls_hostname_compare((char 
> *)ASN1_STRING_data(name->d.dNSName),
> +if (_gnutls_hostname_compare((const char 
> *)ASN1_STRING_get0_data(name->d.dNSName),
>   
> ASN1_STRING_length(name->d.dNSName),
>   hostname)) {
> -spice_debug("alt name match=%s", 
> ASN1_STRING_data(name->d.dNSName));
> +spice_debug("alt name match=%s", 
> ASN1_STRING_get0_data(name->d.dNSName));
>  GENERAL_NAMES_free(subject_alt_names);
>  return 1;
>  }
> @@ -208,11 +216,11 @@ static int verify_hostname(X509* cert, const char 
> *hostname)
>  alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
>  
>  if ((ip_len == alt_ip_len) &&
> -   (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, 
> ip_len)) == 0) {
> +   (memcmp(ASN1_STRING_get0_data(name->d.iPAddress), 
> ip_binary, ip_len)) == 0) {
>  GInetAddress * alt_ip = NULL;
>  gchar * alt_ip_string = NULL;
>  
> -alt_ip = 
> g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
> +alt_ip = 
> g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress),
> 
> g_inet_address_get_family(ip));
>  alt_ip_string = g_inet_address_to_string(alt_ip);
>  spice_debug("alt name IP match=%s", alt_ip_string);
> @@ -253,10 +261,10 @@ static int verify_hostname(X509* cert, const char 
> *hostname)
>  continue;
>  }
>  
> -if (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
> +if (_gnutls_hostname_compare((const 
> char*)ASN1_STRING_get0_data(cn_asn1),
>   ASN1_STRING_length(cn_asn1),
>   hostname)) {
> -spice_debug("common name match=%s", 
> (char*)ASN1_STRING_data(cn_asn1));
> +spice_debug("common name match=%s", 
> (char*)ASN1_STRING_get0_data(cn_asn1));
>  cn_match = 1;
>  break;
>  }
> -- 
> 2.9.3
> 




[Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data

2017-01-13 Thread Christophe Fergeau
From: Sebastian Andrzej Siewior 

The latter is deprecated, so might be removed at  some point in the
future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.

Signed-off-by: Sebastian Andrzej Siewior 
---
 common/ssl_verify.c | 20 ++--
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 601252e..b6a96a7 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -33,6 +33,14 @@
 #include 
 #include 
 
+#if OPENSSL_VERSION_NUMBER < 0x1010
+
+static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
+{
+return M_ASN1_STRING_data(asn1);
+}
+#endif
+
 static int verify_pubkey(X509* cert, const char *key, size_t key_size)
 {
 EVP_PKEY* cert_pubkey = NULL;
@@ -182,10 +190,10 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 const GENERAL_NAME* name = 
sk_GENERAL_NAME_value(subject_alt_names, i);
 if (name->type == GEN_DNS) {
 found_dns_name = 1;
-if (_gnutls_hostname_compare((char 
*)ASN1_STRING_data(name->d.dNSName),
+if (_gnutls_hostname_compare((const char 
*)ASN1_STRING_get0_data(name->d.dNSName),
  
ASN1_STRING_length(name->d.dNSName),
  hostname)) {
-spice_debug("alt name match=%s", 
ASN1_STRING_data(name->d.dNSName));
+spice_debug("alt name match=%s", 
ASN1_STRING_get0_data(name->d.dNSName));
 GENERAL_NAMES_free(subject_alt_names);
 return 1;
 }
@@ -208,11 +216,11 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 
 if ((ip_len == alt_ip_len) &&
-   (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, 
ip_len)) == 0) {
+   (memcmp(ASN1_STRING_get0_data(name->d.iPAddress), 
ip_binary, ip_len)) == 0) {
 GInetAddress * alt_ip = NULL;
 gchar * alt_ip_string = NULL;
 
-alt_ip = 
g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
+alt_ip = 
g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress),

g_inet_address_get_family(ip));
 alt_ip_string = g_inet_address_to_string(alt_ip);
 spice_debug("alt name IP match=%s", alt_ip_string);
@@ -253,10 +261,10 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 continue;
 }
 
-if (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
+if (_gnutls_hostname_compare((const 
char*)ASN1_STRING_get0_data(cn_asn1),
  ASN1_STRING_length(cn_asn1),
  hostname)) {
-spice_debug("common name match=%s", 
(char*)ASN1_STRING_data(cn_asn1));
+spice_debug("common name match=%s", 
(char*)ASN1_STRING_get0_data(cn_asn1));
 cn_match = 1;
 break;
 }
-- 
2.9.3
