[Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
From: Sebastian Andrzej Siewior

The latter is deprecated, so might be removed at some point in the future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.

Signed-off-by: Sebastian Andrzej Siewior
---
 common/ssl_verify.c | 20 ++--
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 601252e..b6a96a7 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -33,6 +33,14 @@
 #include
 #include
 
+#if OPENSSL_VERSION_NUMBER < 0x1010
+
+static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
+{
+return M_ASN1_STRING_data(asn1);
+}
+#endif
+
 static int verify_pubkey(X509* cert, const char *key, size_t key_size)
 {
 EVP_PKEY* cert_pubkey = NULL;
@@ -182,10 +190,10 @@ static int verify_hostname(X509* cert, const char *hostname)
 const GENERAL_NAME* name = sk_GENERAL_NAME_value(subject_alt_names, i);
 if (name->type == GEN_DNS) {
 found_dns_name = 1;
-if (_gnutls_hostname_compare((char *)ASN1_STRING_data(name->d.dNSName),
+if (_gnutls_hostname_compare((const char *)ASN1_STRING_get0_data(name->d.dNSName),
 ASN1_STRING_length(name->d.dNSName),
 hostname)) {
-spice_debug("alt name match=%s", ASN1_STRING_data(name->d.dNSName));
+spice_debug("alt name match=%s", ASN1_STRING_get0_data(name->d.dNSName));
 GENERAL_NAMES_free(subject_alt_names);
 return 1;
 }
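Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x1010` in the first hunk can never be true as printed here, because OPENSSL_VERSION_NUMBER is a packed value (1.1.0 is `0x10100000L`) and every real OpenSSL release compares greater than `0x1010`. With that constant the wrapper is never compiled, so a build against OpenSSL older than 1.1.0 would fail on the undeclared `ASN1_STRING_get0_data`. Unless the list archive truncated the constant, the line should read `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. The resent patch later in the thread shows the same line.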
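Review bot: The new `spice_debug("alt name match=%s", ...)` line in the verify_hostname hunk prints certificate-supplied bytes with `%s`, which assumes a NUL-terminated string. An ASN1_STRING is length-delimited, and OpenSSL documents that its data may lack a terminator or contain embedded NULs. The comparison above it already passes `ASN1_STRING_length()`, so the log call should be bounded the same way: `spice_debug("alt name match=%.*s", ASN1_STRING_length(name->d.dNSName), (const char *)ASN1_STRING_get0_data(name->d.dNSName));`. That also avoids passing a `const unsigned char *` to `%s`. The common-name `spice_debug` in the last hunk and both calls in the resent patch follow the same pattern; verify_hostname's body extends beyond these hunks.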
@@ -208,11 +216,11 @@ static int verify_hostname(X509* cert, const char *hostname)
 alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 
 if ((ip_len == alt_ip_len) &&
- (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
+ (memcmp(ASN1_STRING_get0_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
 GInetAddress * alt_ip = NULL;
 gchar * alt_ip_string = NULL;
 
-alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
+alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress),
 g_inet_address_get_family(ip));
 alt_ip_string = g_inet_address_to_string(alt_ip);
 spice_debug("alt name IP match=%s", alt_ip_string);
@@ -253,10 +261,10 @@ static int verify_hostname(X509* cert, const char *hostname)
 continue;
 }
 
-if (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
+if (_gnutls_hostname_compare((const char*)ASN1_STRING_get0_data(cn_asn1),
 ASN1_STRING_length(cn_asn1),
 hostname)) {
-spice_debug("common name match=%s", (char*)ASN1_STRING_data(cn_asn1));
+spice_debug("common name match=%s", (char*)ASN1_STRING_get0_data(cn_asn1));
 cn_match = 1;
 break;
 }
--
2.9.3

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/spice-devel
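Review bot: In the last hunk the new `spice_debug("common name match=%s", (char*)ASN1_STRING_get0_data(cn_asn1));` casts away the `const` that the switch to ASN1_STRING_get0_data has just introduced, while the compare call two lines above it uses `(const char*)`. Keeping the qualifier, `(const char*)ASN1_STRING_get0_data(cn_asn1)`, makes the two calls consistent and keeps the read-only intent of the `get0` accessor visible. The dNSName debug line in the earlier hunk passes the pointer with no cast at all, so the three call sites currently use three different spellings. The resent patch carries the same lines.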
[Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
From: Sebastian Andrzej Siewior

The latter is deprecated, so might be removed at some point in the future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.

Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Christophe Fergeau
---

Here is the patch with a FIXME, I have a slight preference for the version without it, but this version is fine with me too.

 common/ssl_verify.c | 22 --
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 601252e..1c41e21 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -33,6 +33,16 @@
 #include
 #include
 
+#if OPENSSL_VERSION_NUMBER < 0x1010
+
+/* FIXME: Remove this compatibility block when OpenSSL < 1.1.0 support is
+ * dropped */
+static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
+{
+return M_ASN1_STRING_data(asn1);
+}
+#endif
+
 static int verify_pubkey(X509* cert, const char *key, size_t key_size)
 {
 EVP_PKEY* cert_pubkey = NULL;
@@ -182,10 +192,10 @@ static int verify_hostname(X509* cert, const char *hostname)
 const GENERAL_NAME* name = sk_GENERAL_NAME_value(subject_alt_names, i);
 if (name->type == GEN_DNS) {
 found_dns_name = 1;
-if (_gnutls_hostname_compare((char *)ASN1_STRING_data(name->d.dNSName),
+if (_gnutls_hostname_compare((const char *)ASN1_STRING_get0_data(name->d.dNSName),
 ASN1_STRING_length(name->d.dNSName),
 hostname)) {
-spice_debug("alt name match=%s", ASN1_STRING_data(name->d.dNSName));
+spice_debug("alt name match=%s", ASN1_STRING_get0_data(name->d.dNSName));
 GENERAL_NAMES_free(subject_alt_names);
 return 1;
 }
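Review bot: The version-only guard around the compatibility wrapper in the first hunk does not cover LibreSSL, which reports `OPENSSL_VERSION_NUMBER` as `0x20000000L` and so skips this block whether or not the library provides `ASN1_STRING_get0_data`. If LibreSSL builds are meant to keep working, the condition needs an additional `defined(LIBRESSL_VERSION_NUMBER)` test or a configure-time check for the function, so the wrapper is selected by what the library actually exports. A one-line comment on the wrapper would also help, stating that it returns the string's internal buffer, which the caller must neither free nor modify and which is not guaranteed to be NUL-terminated.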
@@ -208,11 +218,11 @@ static int verify_hostname(X509* cert, const char *hostname)
 alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 
 if ((ip_len == alt_ip_len) &&
- (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
+ (memcmp(ASN1_STRING_get0_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
 GInetAddress * alt_ip = NULL;
 gchar * alt_ip_string = NULL;
 
-alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
+alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress),
 g_inet_address_get_family(ip));
 alt_ip_string = g_inet_address_to_string(alt_ip);
 spice_debug("alt name IP match=%s", alt_ip_string);
@@ -253,10 +263,10 @@ static int verify_hostname(X509* cert, const char *hostname)
 continue;
 }
 
-if (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1),
+if (_gnutls_hostname_compare((const char*)ASN1_STRING_get0_data(cn_asn1),
 ASN1_STRING_length(cn_asn1),
 hostname)) {
-spice_debug("common name match=%s", (char*)ASN1_STRING_data(cn_asn1));
+spice_debug("common name match=%s", (char*)ASN1_STRING_get0_data(cn_asn1));
 cn_match = 1;
 break;
 }
--
2.9.3

___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
Hi, On Fri, Jan 13, 2017 at 12:12:50PM +0100, Christophe Fergeau wrote: > From: Sebastian Andrzej Siewior > > The latter is deprecated, so might be removed at some point in the > future. This also adds a compatibility wrapper for OpenSSL < 1.1.0. > > Signed-off-by: Sebastian Andrzej Siewior > --- > common/ssl_verify.c | 20 ++-- > 1 file changed, 14 insertions(+), 6 deletions(-) > > diff --git a/common/ssl_verify.c b/common/ssl_verify.c > index 601252e..b6a96a7 100644 > --- a/common/ssl_verify.c > +++ b/common/ssl_verify.c > @@ -33,6 +33,14 @@ > #include > #include > I would include a FIXME here, to require >= 1.1.0 in the future, just make it easier to track this. I don't have 1.1.0 here to test, but this matches the description at [0], so Acked-by: Victor Toso [0] https://github.com/openssl/openssl/commit/17ebf85abda18c3875b1ba6670fe7b393bc1f297 > +#if OPENSSL_VERSION_NUMBER < 0x1010 > + > +static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1) > +{ > +return M_ASN1_STRING_data(asn1); > +} > +#endif > + > static int verify_pubkey(X509* cert, const char *key, size_t key_size) > { > EVP_PKEY* cert_pubkey = NULL; > @@ -182,10 +190,10 @@ static int verify_hostname(X509* cert, const char > *hostname) > const GENERAL_NAME* name = > sk_GENERAL_NAME_value(subject_alt_names, i); > if (name->type == GEN_DNS) { > found_dns_name = 1; > -if (_gnutls_hostname_compare((char > *)ASN1_STRING_data(name->d.dNSName), > +if (_gnutls_hostname_compare((const char > *)ASN1_STRING_get0_data(name->d.dNSName), > > ASN1_STRING_length(name->d.dNSName), > hostname)) { > -spice_debug("alt name match=%s", > ASN1_STRING_data(name->d.dNSName)); > +spice_debug("alt name match=%s", > ASN1_STRING_get0_data(name->d.dNSName)); > GENERAL_NAMES_free(subject_alt_names); > return 1; > } 
> @@ -208,11 +216,11 @@ static int verify_hostname(X509* cert, const char > *hostname) > alt_ip_len = ASN1_STRING_length(name->d.iPAddress); > > if ((ip_len == alt_ip_len) && > - (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, > ip_len)) == 0) { > + (memcmp(ASN1_STRING_get0_data(name->d.iPAddress), > ip_binary, ip_len)) == 0) { > GInetAddress * alt_ip = NULL; > gchar * alt_ip_string = NULL; > > -alt_ip = > g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress), > +alt_ip = > g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name->d.iPAddress), > > g_inet_address_get_family(ip)); > alt_ip_string = g_inet_address_to_string(alt_ip); > spice_debug("alt name IP match=%s", alt_ip_string); > @@ -253,10 +261,10 @@ static int verify_hostname(X509* cert, const char > *hostname) > continue; > } > > -if (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1), > +if (_gnutls_hostname_compare((const > char*)ASN1_STRING_get0_data(cn_asn1), > ASN1_STRING_length(cn_asn1), > hostname)) { > -spice_debug("common name match=%s", > (char*)ASN1_STRING_data(cn_asn1)); > +spice_debug("common name match=%s", > (char*)ASN1_STRING_get0_data(cn_asn1)); > cn_match = 1; > break; > } > -- > 2.9.3 > > ___ > Spice-devel mailing list > Spice-devel@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/spice-devel signature.asc Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
On Tue, Jan 17, 2017 at 03:19:00PM +0100, Victor Toso wrote: > Hi, > > On Fri, Jan 13, 2017 at 12:12:50PM +0100, Christophe Fergeau wrote: > > From: Sebastian Andrzej Siewior > > > > The latter is deprecated, so might be removed at some point in the > > future. This also adds a compatibility wrapper for OpenSSL < 1.1.0. > > > > Signed-off-by: Sebastian Andrzej Siewior > > --- > > common/ssl_verify.c | 20 ++-- > > 1 file changed, 14 insertions(+), 6 deletions(-) > > > > diff --git a/common/ssl_verify.c b/common/ssl_verify.c > > index 601252e..b6a96a7 100644 > > --- a/common/ssl_verify.c > > +++ b/common/ssl_verify.c > > @@ -33,6 +33,14 @@ > > #include > > #include > > > > I would include a FIXME here, to require >= 1.1.0 in the future, just > make it easier to track this. I can add one, but I haven't done so in the spice-gtk patch. I expect openssl 1.0 support to stay there for quite some time fwiw (I'd bet that this code will be replaced by 'something else' before we decide we can drop openssl 1.0 support ;) Christophe signature.asc Description: PGP signature ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/spice-devel
Re: [Spice-devel] [spice-common] ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
On Tue, 2017-01-24 at 10:21 +0100, Christophe Fergeau wrote: > From: Sebastian Andrzej Siewior > > The latter is deprecated, so might be removed at some point in the > future. This also adds a compatibility wrapper for OpenSSL < 1.1.0. > > Signed-off-by: Sebastian Andrzej Siewior > Signed-off-by: Christophe Fergeau > --- > > Here is the patch with a FIXME, I have a slight preference for the > version > without it, but this version is fine with me too. Imho it is more clear without the FIXME. I guess Victor was suggesting: FIXME: Require OpenSSL >= 1.1 Pavel > > common/ssl_verify.c | 22 -- > 1 file changed, 16 insertions(+), 6 deletions(-) > > diff --git a/common/ssl_verify.c b/common/ssl_verify.c > index 601252e..1c41e21 100644 > --- a/common/ssl_verify.c > +++ b/common/ssl_verify.c > @@ -33,6 +33,16 @@ > #include > #include > > +#if OPENSSL_VERSION_NUMBER < 0x1010 > + > +/* FIXME: Remove this compatibility block when OpenSSL < 1.1.0 > support is > + * dropped */ > +static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING > *asn1) > +{ > +return M_ASN1_STRING_data(asn1); > +} > +#endif > + > static int verify_pubkey(X509* cert, const char *key, size_t > key_size) > { > EVP_PKEY* cert_pubkey = NULL; > @@ -182,10 +192,10 @@ static int verify_hostname(X509* cert, const > char *hostname) > const GENERAL_NAME* name = > sk_GENERAL_NAME_value(subject_alt_names, i); > if (name->type == GEN_DNS) { > found_dns_name = 1; > -if (_gnutls_hostname_compare((char > *)ASN1_STRING_data(name->d.dNSName), > +if (_gnutls_hostname_compare((const char > *)ASN1_STRING_get0_data(name->d.dNSName), > ASN1_STRING_length(nam > e->d.dNSName), > hostname)) { > -spice_debug("alt name match=%s", > ASN1_STRING_data(name->d.dNSName)); > +spice_debug("alt name match=%s", > ASN1_STRING_get0_data(name->d.dNSName)); > GENERAL_NAMES_free(subject_alt_names); > return 1; > } 
> @@ -208,11 +218,11 @@ static int verify_hostname(X509* cert, const > char *hostname) > alt_ip_len = ASN1_STRING_length(name->d.iPAddress); > > if ((ip_len == alt_ip_len) && > - (memcmp(ASN1_STRING_data(name->d.iPAddress), > ip_binary, ip_len)) == 0) { > + (memcmp(ASN1_STRING_get0_data(name- > >d.iPAddress), ip_binary, ip_len)) == 0) { > GInetAddress * alt_ip = NULL; > gchar * alt_ip_string = NULL; > > -alt_ip = > g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress), > +alt_ip = > g_inet_address_new_from_bytes(ASN1_STRING_get0_data(name- > >d.iPAddress), > g_inet_a > ddress_get_family(ip)); > alt_ip_string = > g_inet_address_to_string(alt_ip); > spice_debug("alt name IP match=%s", > alt_ip_string); > @@ -253,10 +263,10 @@ static int verify_hostname(X509* cert, const > char *hostname) > continue; > } > > -if > (_gnutls_hostname_compare((char*)ASN1_STRING_data(cn_asn1), > +if (_gnutls_hostname_compare((const > char*)ASN1_STRING_get0_data(cn_asn1), > ASN1_STRING_length(cn_asn1 > ), > hostname)) { > -spice_debug("common name match=%s", > (char*)ASN1_STRING_data(cn_asn1)); > +spice_debug("common name match=%s", > (char*)ASN1_STRING_get0_data(cn_asn1)); > cn_match = 1; > break; > } ___ Spice-devel mailing list Spice-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/spice-devel