From f5d41cc68407f77f8fab41e242fa1d651c55c257 Mon Sep 17 00:00:00 2001
From: Hristo Venev
Date: Thu, 4 May 2017 00:10:48 +0100
Subject: [PATCH] Fix extract_x509_field_ssl for external objects, v2

Only fields known to OpenSSL have a NID. OBJ_txt2obj allows specifying fields by numeric OID.

Signed-off-by: Hristo Venev
Acked-by: Steffan Karger
Message-Id: <1493853048.30207.1.camel@venev.name>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14535.html
Signed-off-by: David Sommerseth
(cherry picked from commit 69311687da55b8c0e6966b25c94c72494ea44e57)
---
 src/openvpn/ssl_verify_openssl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 5624daac5..de4b5da4b 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -191,16 +191,24 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
 X509_NAME_ENTRY *x509ne = 0;
 ASN1_STRING *asn1 = 0;
 unsigned char *buf = NULL;
- int nid = OBJ_txt2nid(field_name);
+ ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
+
+ if (field_name_obj == NULL)
+ {
+ msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name);
+ return FAILURE;
+ }

 ASSERT(size > 0);
 *out = '\0';
 do
 {
 lastpos = tmp;
- tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
+ tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos);
 } while (tmp > -1);

+ ASN1_OBJECT_free(field_name_obj);
+
 /* Nothing found */
 if (lastpos == -1)
 {
-- 
2.47.2
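Review bot: The new early return for `field_name_obj == NULL` sits above `ASSERT(size > 0);` and `*out = '\0';`, so when the attribute name is not recognised the function returns FAILURE without ever writing to `out`, whereas the "Nothing found" branch that begins at the end of the hunk is reached only after the buffer has been emptied. Callers are outside the hunk, so whether any of them reads `out` after a failure cannot be confirmed here, but a certificate-field extractor is safer when every failure path leaves an empty string instead of whatever the caller's buffer held before. Moving `ASSERT(size > 0);` and `*out = '\0';` above the `if (field_name_obj == NULL)` check would restore that property. The function body starts before and continues past this hunk.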