Compile fixes for OpenSSL 4.0.0

syzop · syzop · commit bd0dea4a0ed0 · 2026-04-15T15:12:34.000+02:00
This does two things:
* We now only compile src/openssl_hostname_validation.c on
  really old OpenSSL's. This was already unused/dead code
  for most OpenSSL's but we always compiled it in until now.
* Added 'const' to please OpenSSL 4.0.0 while not breaking
  OpenSSL 1.0.x. And yeah i'm happy to drop OpenSSL 1.0.x
  support real soon... but not this month yet.
diff --git a/autoconf/m4/unreal.m4 b/autoconf/m4/unreal.m4
@@ -396,9 +396,12 @@ AC_LANG_POP(C)
 if test $has_function = 1; then
 	AC_MSG_RESULT([yes])
 	AC_DEFINE([HAS_X509_check_host], [], [Define if ssl library has X509_check_host])
+	OPENSSL_HOSTNAME_VALIDATION_OBJ=""
 else
 	AC_MSG_RESULT([no])
+	OPENSSL_HOSTNAME_VALIDATION_OBJ="openssl_hostname_validation.o"
 fi
+AC_SUBST(OPENSSL_HOSTNAME_VALIDATION_OBJ)
 ])
 
 dnl For geoip-api-c
diff --git a/configure b/configure
@@ -675,6 +675,7 @@ PCRE2_CFLAGS
 PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
+OPENSSL_HOSTNAME_VALIDATION_OBJ
 LDFLAGS_PRIVATELIBS
 CONTROLFILE
 PIDFILE
@@ -8251,11 +8252,14 @@ printf "%s\n" "yes" >&6; }
 
 printf "%s\n" "#define HAS_X509_check_host /**/" >>confdefs.h
 
+	OPENSSL_HOSTNAME_VALIDATION_OBJ=""
 else
 	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
 printf "%s\n" "no" >&6; }
+	OPENSSL_HOSTNAME_VALIDATION_OBJ="openssl_hostname_validation.o"
 fi
 
+
 # Check whether --enable-dynamic-linking was given.
 if test ${enable_dynamic_linking+y}
 then :
diff --git a/src/Makefile.in b/src/Makefile.in
@@ -33,7 +33,7 @@ OBJS=ircd_vars.o dns.o auth.o channel.o dbuf.o \
 	api-event.o api-rpc.o api-apicallback.o \
 	crypt_blowfish.o unrealdb.o crashreport.o modulemanager.o \
 	utf8.o json.o log.o \
-	openssl_hostname_validation.o $(URL)
+	@OPENSSL_HOSTNAME_VALIDATION_OBJ@ $(URL)
 
 SRC=$(OBJS:%.o=%.c)
 
diff --git a/src/openssl_hostname_validation.c b/src/openssl_hostname_validation.c
@@ -287,8 +287,8 @@ SOFTWARE.
 */
 static HostnameValidationResult matches_common_name(const char *hostname, const X509 *server_cert) {
         int common_name_loc = -1;
-        X509_NAME_ENTRY *common_name_entry = NULL;
-        ASN1_STRING *common_name_asn1 = NULL;
+        const X509_NAME_ENTRY *common_name_entry = NULL;
+        const ASN1_STRING *common_name_asn1 = NULL;
         const char *common_name_str = NULL;
 
         // Find the position of the CN field in the Subject field of the certificate
diff --git a/src/tls.c b/src/tls.c
@@ -25,6 +25,12 @@
 #include "unrealircd.h"
 #include "openssl_hostname_validation.h"
 
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#define OSSL_CONST const
+#else
+#define OSSL_CONST
+#endif
+
 #ifdef _WIN32
 #define IDC_PASS                        1166
 extern HINSTANCE hInst;
@@ -1342,7 +1348,7 @@ const char *certificate_name(SSL *ssl)
 {
 	static char buf[384];
 	X509 *cert;
-	X509_NAME *n;
+	OSSL_CONST X509_NAME *n;
 
 	if (!ssl)
 		return NULL;
