Skip to content

Commit c02434e

Browse files
committed
Use const X509_NAME*, not X509_NAME*, on newer OpenSSL
to fix a build error against OpenSSL 4.0. OpenSSL 4.0 made `X509_NAME*` pointers returned by `X509_get_subject_name()`, `X509_REQ_get_subject_name()` and related getters const. In contrast, under OpenSSL 1.x, setters expect non-const pointers, hence our new typedef `X509NameConstPtr`. - Use `X509NameConstPtr` parameters in `GetX509NameCN()`, `CreateCert()` and, `CreateCertIcingaCA()` to match the const expectations per OpenSSL version - Replace `X509_REQ_get_subject_name()` with `X509_NAME_new()` + `X509_REQ_set_subject_name()` for CSR subject modification, since the returned data can't be directly modified now
1 parent 09dd2cc commit c02434e

2 files changed

Lines changed: 31 additions & 9 deletions

File tree

lib/base/tlsutility.cpp

Lines changed: 23 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -403,7 +403,7 @@ void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath)
403403
X509_VERIFY_PARAM_free(param);
404404
}
405405

406-
static String GetX509NameCN(X509_NAME *name)
406+
static String GetX509NameCN(X509NameConstPtr name)
407407
{
408408
char errbuf[256];
409409
char buffer[256];
@@ -598,8 +598,25 @@ int MakeX509CSR(
598598
X509_REQ_set_version(req, 0);
599599
X509_REQ_set_pubkey(req, key);
600600

601-
X509_NAME *name = X509_REQ_get_subject_name(req);
602-
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
601+
std::unique_ptr<X509_NAME, decltype(&X509_NAME_free)> name{X509_NAME_new(), &X509_NAME_free};
602+
if (!name) {
603+
unsigned long err = ERR_peek_error();
604+
BOOST_THROW_EXCEPTION(openssl_error()
605+
<< boost::errinfo_api_function("X509_NAME_new")
606+
<< errinfo_openssl_error(err));
607+
}
608+
609+
X509_NAME_add_entry_by_txt(name.get(), "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
610+
611+
if (!X509_REQ_set_subject_name(req, name.get())) {
612+
unsigned long err = ERR_peek_error();
613+
ERR_error_string_n(err, errbuf, sizeof errbuf);
614+
Log(LogCritical, "SSL")
615+
<< "Error while setting CSR subject name: " << err << ", \"" << errbuf << "\"";
616+
BOOST_THROW_EXCEPTION(openssl_error()
617+
<< boost::errinfo_api_function("X509_REQ_set_subject_name")
618+
<< errinfo_openssl_error(err));
619+
}
603620

604621
if (!ca) {
605622
String san = "DNS:" + cn;
@@ -652,8 +669,8 @@ int MakeX509CSR(
652669

653670
std::shared_ptr<X509> CreateCert(
654671
EVP_PKEY* pubkey,
655-
X509_NAME* subject,
656-
X509_NAME* issuer,
672+
X509NameConstPtr subject,
673+
X509NameConstPtr issuer,
657674
EVP_PKEY* cakey,
658675
long validFrom,
659676
long validFor,
@@ -746,7 +763,7 @@ String GetIcingaCADir()
746763
return Configuration::DataDir + "/ca";
747764
}
748765

749-
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, long validFrom, long validFor, bool ca)
766+
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509NameConstPtr subject, long validFrom, long validFor, bool ca)
750767
{
751768
char errbuf[256];
752769

lib/base/tlsutility.hpp

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,11 @@ const auto LEAF_VALID_FOR = 60 * 60 * 24 * 397;
3939
const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30;
4040
const auto RENEW_INTERVAL = 60 * 60 * 24;
4141

42+
// Tracks the constness of X509_NAME* across OpenSSL versions: on 1.x getters return X509_NAME* and
43+
// setters expect X509_NAME*; on 4.x both sides became const X509_NAME*. Using decltype on the getter
44+
// gives us the right type automatically, so we can accept getter results and pass to setters cast-free.
45+
using X509NameConstPtr = decltype(X509_get_subject_name(nullptr));
46+
4247
void InitializeOpenSSL();
4348

4449
String GetOpenSSLVersion();
@@ -66,8 +71,8 @@ int MakeX509CSR(
6671
);
6772
std::shared_ptr<X509> CreateCert(
6873
EVP_PKEY* pubkey,
69-
X509_NAME* subject,
70-
X509_NAME* issuer,
74+
X509NameConstPtr subject,
75+
X509NameConstPtr issuer,
7176
EVP_PKEY* cakey,
7277
long validFrom,
7378
long validFor,
@@ -83,7 +88,7 @@ inline String CertificateToString(const std::shared_ptr<X509>& cert)
8388
}
8489

8590
std::shared_ptr<X509> StringToCertificate(const String& cert);
86-
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, long validFrom, long validFor, bool ca = false);
91+
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509NameConstPtr subject, long validFrom, long validFor, bool ca = false);
8792
std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert, long validFrom = 0, long validFor = LEAF_VALID_FOR);
8893
bool IsCertUptodate(const std::shared_ptr<X509>& cert);
8994
bool IsCaUptodate(X509* cert);

0 commit comments

Comments
 (0)