vtls: do not reach into ASN1_STRING

OpenSSL 4 has plans to make ASN1_STRING opaque, which will break the
build, so convert the code to use accessors. ASN1_STRING_length() and
ASN1_STRING_type() go way back to SSLeay and ASN1_STRING_get0_data() is
OpenSSL 1.1 API present in BoringSSL since foreer and also available
since LibreSSL 2.7, so this should not cause compat issues with any
libcrypto in a supported version of the fork family.

https://github.com/openssl/openssl/issues/29117

Closes #19831

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 67466e6e41d53308b1a5c25b1d0b3c4cedb99423..444fbc4e04530a5aaf6727d7af57875750bb193d 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -412,6 +412,7 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
 
   for(i = 0; !result && (i < (int)numcerts); i++) {
     ASN1_INTEGER *num;
+    const unsigned char *numdata;
     X509 *x = sk_X509_value(sk, (ossl_valsize_t)i);
     EVP_PKEY *pubkey = NULL;
     int j;
@@ -433,10 +434,11 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
       break;
 
     num = X509_get_serialNumber(x);
-    if(num->type == V_ASN1_NEG_INTEGER)
+    if(ASN1_STRING_type(num) == V_ASN1_NEG_INTEGER)
       BIO_puts(mem, "-");
-    for(j = 0; j < num->length; j++)
-      BIO_printf(mem, "%02x", num->data[j]);
+    numdata = ASN1_STRING_get0_data(num);
+    for(j = 0; j < ASN1_STRING_length(num); j++)
+      BIO_printf(mem, "%02x", numdata[j]);
     result = push_certinfo(data, mem, "Serial Number", i);
     if(result)
       break;
@@ -503,8 +505,9 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
     }
 
     if(!result && psig) {
-      for(j = 0; j < psig->length; j++)
-        BIO_printf(mem, "%02x:", psig->data[j]);
+      const unsigned char *psigdata = ASN1_STRING_get0_data(psig);
+      for(j = 0; j < ASN1_STRING_length(psig); j++)
+        BIO_printf(mem, "%02x:", psigdata[j]);
       result = push_certinfo(data, mem, "Signature", i);
     }