tags 1138374 + patch thanks Hello,
I've opened a Merge Request on Salsa that fixes this issue [1]. I've also attached the same patch to this mail. [1]: https://salsa.debian.org/debian/freeradius/-/merge_requests/16 Cheers, -- Guilherme Puida Moreira
From: Antonio Torres <[email protected]> Date: Tue, 5 May 2026 14:42:27 +0200 Subject: Use ASN1_STRING functions for OpenSSL 4.0 compat Use ASN1_STRING accessor functions instead of direct field access for ASN1_IA5STRING, ASN1_INTEGER, and ASN1_TIME structures. This fixes compatibility with OpenSSL 4.0. Signed-off-by: Antonio Torres <[email protected]> Origin: upstream, https://github.com/FreeRADIUS/freeradius-server/commit/6658c9e375637ce0bd14bed733270d863224431e Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138374 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2154922 --- src/main/tls.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/src/main/tls.c b/src/main/tls.c index ac85e88..23bd236 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -2537,7 +2537,7 @@ static int ocsp_parse_cert_url(X509 *cert, char **host_out, char **port_out, if (OBJ_obj2nid(ad->method) != NID_ad_OCSP) continue; if (ad->location->type != GEN_URI) continue; - if (OCSP_parse_url((char *) ad->location->d.ia5->data, host_out, + if (OCSP_parse_url((const char *) ASN1_STRING_get0_data(ad->location->d.ia5), host_out, port_out, path_out, is_https)) { ret = 1; break; @@ -3019,12 +3019,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) * we're at the client or issuing certificate. */ if (certs && - (lookup <= 1) && sn && ((size_t) sn->length < (sizeof(buf) / 2))) { + (lookup <= 1) && sn && ((size_t) ASN1_STRING_length(sn) < (sizeof(buf) / 2))) { char *p = buf; int i; + int sn_len = ASN1_STRING_length(sn); + const unsigned char *sn_data = ASN1_STRING_get0_data(sn); - for (i = 0; i < sn->length; i++) { - sprintf(p, "%02x", (unsigned int)sn->data[i]); + for (i = 0; i < sn_len; i++) { + sprintf(p, "%02x", (unsigned int)sn_data[i]); p += 2; } vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SERIAL][lookup], buf, T_OP_SET); @@ -3037,9 +3039,11 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) buf[0] = '\0'; asn_time = X509_get_notAfter(client_cert); if (certs && (lookup <= 1) && asn_time && - (asn_time->length < (int) sizeof(buf))) { - memcpy(buf, (char*) asn_time->data, asn_time->length); - buf[asn_time->length] = '\0'; + (ASN1_STRING_length(asn_time) < (int) sizeof(buf))) { + int time_len = ASN1_STRING_length(asn_time); + const unsigned char *time_data = ASN1_STRING_get0_data(asn_time); + memcpy(buf, time_data, time_len); + buf[time_len] = '\0'; vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_EXPIRATION][lookup], buf, T_OP_SET); rdebug_pair(L_DBG_LVL_2, request, vp, NULL); } @@ -3050,9 +3054,11 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) buf[0] = '\0'; asn_time = X509_get_notBefore(client_cert); if (certs && (lookup <= 1) && asn_time && - (asn_time->length < (int) sizeof(buf))) { - memcpy(buf, (char*) asn_time->data, asn_time->length); - buf[asn_time->length] = '\0'; + (ASN1_STRING_length(asn_time) < (int) sizeof(buf))) { + int time_len = ASN1_STRING_length(asn_time); + const unsigned char *time_data = ASN1_STRING_get0_data(asn_time); + memcpy(buf, time_data, time_len); + buf[time_len] = '\0'; vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_VALID_SINCE][lookup], buf, T_OP_SET); rdebug_pair(L_DBG_LVL_2, request, vp, NULL); }

