From cbc684498751d383edbc37e5a63cb812f8f0b9f9 Mon Sep 17 00:00:00 2001
From: deepend
Date: Thu, 19 Feb 2026 11:17:17 -0700
Subject: [PATCH] Fixed _SSL_get_cert_info() to stop dereferencing OpenSSL-internal struct fields, which is what caused the macOS/OpenSSL opaque-struct build failure (peer_cert->sig_alg->algorithm). It now uses X509_ALGOR_get0() for the public key algorithm OID and OBJ_obj2nid() from that accessor output. Reworked signature algorithm detection to use X509_get_signature_nid() when available, and a compatibility fallback (X509_get0_signature() + X509_ALGOR_get0() + OBJ_obj2nid()) when HAVE_X509_GET_SIGNATURE_NID is not defined.
---
 src/common/ssl.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/common/ssl.c b/src/common/ssl.c
index e7f7e0a8..2d073306 100644
--- a/src/common/ssl.c
+++ b/src/common/ssl.c
@@ -154,6 +154,7 @@ _SSL_get_cert_info (struct cert_info *cert_info, SSL * ssl)
 X509 *peer_cert;
 X509_PUBKEY *key;
 X509_ALGOR *algor = NULL;
+ const ASN1_OBJECT *algor_obj = NULL;
 EVP_PKEY *peer_pkey;
 char notBefore[64];
 char notAfter[64];
@@ -175,11 +176,19 @@ _SSL_get_cert_info (struct cert_info *cert_info, SSL * ssl)
 if (!X509_PUBKEY_get0_param(NULL, NULL, 0, &algor, key))
 return 1;
 
- alg = OBJ_obj2nid (algor->algorithm);
-#ifndef HAVE_X509_GET_SIGNATURE_NID
- sign_alg = OBJ_obj2nid (peer_cert->sig_alg->algorithm);
-#else
+ X509_ALGOR_get0 (&algor_obj, NULL, NULL, algor);
+ alg = OBJ_obj2nid (algor_obj);
+#ifdef HAVE_X509_GET_SIGNATURE_NID
 sign_alg = X509_get_signature_nid (peer_cert);
+#else
+ {
+ const X509_ALGOR *signature_algor = NULL;
+ const ASN1_OBJECT *signature_algor_obj = NULL;
+
+ X509_get0_signature (NULL, &signature_algor, peer_cert);
+ X509_ALGOR_get0 (&signature_algor_obj, NULL, NULL, signature_algor);
+ sign_alg = OBJ_obj2nid (signature_algor_obj);
+ }
 #endif
 ASN1_TIME_snprintf (notBefore, sizeof (notBefore),
 X509_get_notBefore (peer_cert));
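Review bot: The `#else` fallback in the second hunk calls `X509_get0_signature()`, which per the OpenSSL manual was introduced in the same release (1.0.2) as `X509_get_signature_nid()`, so a library that really lacks the latter would also lack the former and this branch would fail to build exactly where it is meant to be used. The branch can therefore only compile when `HAVE_X509_GET_SIGNATURE_NID` is undefined because the build system never probed for it, which may be the real cause of the macOS failure (inferred; the build-system check is not part of this patch). I would drop the fallback and call `sign_alg = X509_get_signature_nid (peer_cert);` unconditionally, or fix the feature check, so that the signature algorithm reported for the peer certificate comes from a single tested code path. Separately, `X509_ALGOR_get0()` takes `const ASN1_OBJECT **` only from OpenSSL 1.1.0 on, so the new `const` locals will draw incompatible-pointer diagnostics against older headers. The body of `_SSL_get_cert_info` starts and ends outside both hunks.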