[nginx] SSL: compatibility with opaque ASN1_NUMBER in OpenSSL 4.0.
Maxim Dounin
mdounin at mdounin.ru
Sun Mar 22 13:38:10 UTC 2026
details: http://freenginx.org/hg/nginx/rev/a3b7c937d940
branches:
changeset: 9483:a3b7c937d940
user: Maxim Dounin <mdounin at mdounin.ru>
date: Sun Mar 22 16:26:34 2026 +0300
description:
SSL: compatibility with opaque ASN1_NUMBER in OpenSSL 4.0.
Previously, ASN1_NUMBER was used directly in ngx_ssl_ocsp_create_key(),
which is no longer possible with OpenSSL 4.0 alpha 1. The fix is to
convert it to BIGNUM with the ASN1_INTEGER_to_BN() function, and then
copy to the buffer with BN_bn2bin().
This introduces an otherwise unneeded memory allocation for BIGNUM, but
seems to be the only valid way to access the data. Alternative approach
would be to use ASN1_STRING_length() and ASN1_STRING_get0_data(), but
ASN1_STRING_length(3) explicitly says that ASN1_STRING functions should
not be used for ASN1_INTEGER.
diffstat:
src/event/ngx_event_openssl_stapling.c | 21 +++++++++++++++++----
1 files changed, 17 insertions(+), 4 deletions(-)
diffs (41 lines):
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -2629,7 +2629,9 @@ ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ct
static ngx_int_t
ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
{
+ int n;
u_char *p;
+ BIGNUM *bn;
ASN1_INTEGER *serial;
const X509_NAME *name;
@@ -2655,12 +2657,23 @@ ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx
p += 20;
serial = X509_get_serialNumber(ctx->cert);
- if (serial->length > 20) {
- return NGX_ERROR;
+
+ bn = ASN1_INTEGER_to_BN(serial, NULL);
+ if (bn == NULL) {
+ return NGX_ERROR;
}
- p = ngx_cpymem(p, serial->data, serial->length);
- ngx_memzero(p, 20 - serial->length);
+ if (BN_num_bytes(bn) > 20) {
+ BN_free(bn);
+ return NGX_ERROR;
+ }
+
+ n = BN_bn2bin(bn, p);
+ p += n;
+
+ ngx_memzero(p, 20 - n);
+
+ BN_free(bn);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
"ssl ocsp key %xV", &ctx->key);
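Review bot: the replacement check `if (BN_num_bytes(bn) > 20)` measures the magnitude of the integer rather than the DER content length that the removed `if (serial->length > 20)` measured, and that difference is worth stating in the commit message. ASN1_INTEGER_to_BN() drops the leading 0x00 pad byte that DER adds to a positive integer whose high bit is set, so a 21-byte DER serial now fits into the 20-byte slot and the key bytes produced for such serials differ from the previous layout; BN_bn2bin() also writes only the magnitude, so a negative serial (not permitted by RFC 5280, but representable in ASN1_INTEGER) would yield the same key as its absolute value. If the intent is to keep the key derivation strict, an explicit `if (BN_is_negative(bn))` rejection beside the length check, with the same `BN_free(bn)` before `return NGX_ERROR`, would make that explicit. The `ngx_memzero(p, 20 - n)` padding and the `BN_free(bn)` on both the error and success paths look correct.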