[Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
Pavel Grunt
pgrunt at redhat.com
Mon Feb 6 10:37:39 UTC 2017
On Tue, 2017-01-24 at 10:21 +0100, Christophe Fergeau wrote:
> From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
>
> The latter is deprecated, so might be removed at some point in the
> future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.
>
> Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
> Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
> ---
>
> Here is the patch with a FIXME, I have a slight preference for the
> version
> without it, but this version is fine with me too.
IMHO it is clearer without the FIXME. I guess Victor was
suggesting:
FIXME: Require OpenSSL >= 1.1
Pavel
>
> common/ssl_verify.c | 22 ++++++++++++++++------
> 1 file changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 601252e..1c41e21 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -33,6 +33,16 @@
> #include <string.h>
> #include <gio/gio.h>
>
> +#if OPENSSL_VERSION_NUMBER < 0x10100000
> +
> +/* FIXME: Remove this compatibility block when OpenSSL < 1.1.0
> support is
> + * dropped */
> +static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING
> *asn1)
> +{
> + return M_ASN1_STRING_data(asn1);
> +}
> +#endif
> +
> static int verify_pubkey(X509* cert, const char *key, size_t
> key_size)
> {
> EVP_PKEY* cert_pubkey = NULL;
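Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x10100000` only selects the wrapper by OpenSSL's own numbering, so it may skip the wrapper on forks that report a higher number. LibreSSL, as far as I know, reports `0x20000000L` there, so the wrapper would be skipped and the build would depend on that library shipping `ASN1_STRING_get0_data` itself. Whether spice-common is meant to build against LibreSSL is not visible from this patch. If it is, the guard should also test `LIBRESSL_VERSION_NUMBER`, with the cut-off version confirmed against LibreSSL's release notes. At minimum the block comment could say `/* Note: keyed on OpenSSL's version number only; forks that report a higher number must provide ASN1_STRING_get0_data themselves */`.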
> @@ -182,10 +192,10 @@ static int verify_hostname(X509* cert, const
> char *hostname)
> const GENERAL_NAME* name =
> sk_GENERAL_NAME_value(subject_alt_names, i);
> if (name->type == GEN_DNS) {
> found_dns_name = 1;
> - if (_gnutls_hostname_compare((char
> *)ASN1_STRING_data(name->d.dNSName),
> + if (_gnutls_hostname_compare((const char
> *)ASN1_STRING_get0_data(name->d.dNSName),
> ASN1_STRING_length(nam
> e->d.dNSName),
> hostname)) {
> - spice_debug("alt name match=%s",
> ASN1_STRING_data(name->d.dNSName));
> + spice_debug("alt name match=%s",
> ASN1_STRING_get0_data(name->d.dNSName));
> GENERAL_NAMES_free(subject_alt_names);
> return 1;
> }
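Review bot: The new `spice_debug("alt name match=%s", ASN1_STRING_get0_data(name->d.dNSName))` line prints a length-delimited ASN1_STRING with `%s`. OpenSSL documents that this data may contain embedded NUL bytes and should not be assumed NUL-terminated, so the logged name can be truncated and differ from what `_gnutls_hostname_compare` matched using the explicit length. That matters when the log is used to audit which certificate name was accepted. The accessor also returns `const unsigned char *`, which is passed to `%s` here without the cast used on the compare line. Bounding the print fixes both: `spice_debug("alt name match=%.*s", ASN1_STRING_length(name->d.dNSName), (const char *)ASN1_STRING_get0_data(name->d.dNSName));`. The common-name `spice_debug` in the last hunk has the same pattern, and verify_hostname starts and ends outside this hunk.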
> @@ -208,11 +218,11 @@ static int verify_hostname(X509* cert, const
> char *hostname)
> alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
>
> if ((ip_len == alt_ip_len) &&
> - (memcmp(ASN1_STRING_data(name->d.iPAddress),
> ip_binary, ip_len)) == 0) {
> + (memcmp(ASN1_STRING_get0_data(name-
> >d.iPAddress), ip_binary, ip_len)) == 0) {
> GInetAddress * alt_ip = NULL;
> gchar * alt_ip_string = NULL;
>
> - alt_ip =
> g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
> + alt_ip =
> g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name-
> >d.iPAddress),
> g_inet_a
> ddress_get_family(ip));
> alt_ip_string =
> g_inet_address_to_string(alt_ip);
> spice_debug("alt name IP match=%s",
> alt_ip_string);
> @@ -253,10 +263,10 @@ static int verify_hostname(X509* cert, const
> char *hostname)
> continue;
> }
>
> - if
> (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
> + if (_gnutls_hostname_compare((const
> char*)ASN1_STRING_get0_data(cn_asn1),
> ASN1_STRING_length(cn_asn1
> ),
> hostname)) {
> - spice_debug("common name match=%s",
> (char*)ASN1_STRING_data(cn_asn1));
> + spice_debug("common name match=%s",
> (char*)ASN1_STRING_get0_data(cn_asn1));
> cn_match = 1;
> break;
> }
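Review bot: The cast in the new debug line, `(char*)ASN1_STRING_get0_data(cn_asn1)`, discards the `const` that the new accessor was introduced to provide. The compare call just above it already uses `(const char*)`. Writing `(const char *)ASN1_STRING_get0_data(cn_asn1)` keeps the two lines consistent and avoids a cast-qualifier warning on builds that enable one. verify_hostname starts and ends outside this hunk.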