From b209dd0934295a0f84f006560da953f37e5a942b Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Fri, 5 Jun 2026 00:05:45 +0200
Subject: [PATCH v3 3/4] ssl: Replace deprecated API to get commonName

X509_NAME_get_text_by_NID was deprecated in OpenSSL 4.0.0, and could
be removed in a future version of OpenSSL.  The replacement APIs are
available in all versions of OpenSSL and LibreSSL that we support so
we can easily change to make the code future proof.

The reason for the deprecation is that X509_NAME_get_text_by_NID can
only grab the first entry in a list, and doesn't handle multibyte
strings well.  The fix is to get the index of the name entry with
X509_NAME_get_index_by_NID and use X509_NAME_get_entry to extract
the data.

Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Tristan Partin <tristan@partin.io>
Reviewed-by: Andreas Karlsson <andreas@proxel.se>
Discussion: https://postgr.es/m/68B9881D-DAA8-467D-A251-C96E98E57BA0@yesql.se
---
 src/backend/libpq/be-secure-openssl.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 9dfa7903ff5..00d7519957d 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1083,22 +1083,24 @@ aloop:
 		char	   *peer_dn;
 		BIO		   *bio = NULL;
 		BUF_MEM    *bio_buf = NULL;
+		int			index;
 
-		len = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, NULL, 0);
-		if (len != -1)
+		index = X509_NAME_get_index_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, -1);
+		if (index >= 0)
 		{
+			const X509_NAME_ENTRY *entry;
+			const ASN1_STRING *peer_cn_asn1;
+			const unsigned char *peer_cn_internal;
 			char	   *peer_cn;
 
+			entry = X509_NAME_get_entry(unconstify(X509_NAME *, x509name), index);
+			peer_cn_asn1 = X509_NAME_ENTRY_get_data(entry);
+			len = ASN1_STRING_length(peer_cn_asn1);
+			peer_cn_internal = ASN1_STRING_get0_data(peer_cn_asn1);
+
 			peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
-			r = X509_NAME_get_text_by_NID(unconstify(X509_NAME *, x509name), NID_commonName, peer_cn,
-										  len + 1);
+			memcpy(peer_cn, peer_cn_internal, len);
 			peer_cn[len] = '\0';
-			if (r != len)
-			{
-				/* shouldn't happen */
-				pfree(peer_cn);
-				return -1;
-			}
 
 			/*
 			 * Reject embedded NULLs in certificate common name to prevent
-- 
2.39.3 (Apple Git-146)

