From 0d3a8119ce17f41a1e9b67380e6291c3c6399a62 Mon Sep 17 00:00:00 2001 From: maya Date: Tue, 24 Oct 2017 15:54:31 +0000 Subject: pkg_install: Fix OpenSSL 1.1.0 build OpenSSL 1.1.0 makes xkusage and ex_flags opaque. Use X509_check_ca rather than a custom and nearly identical implementation. This is available since OpenSSL 0.9.8 (even in RHEL5). This is also done because we cannot implement it identically under OpenSSL 1.1.0 due to missing getters. Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl 1.1.0 getter returning a different code on this case. Use getter for xkusage in the non-zero test case. Provide fallback definitions for getters. PR pkg/52298, PR pkg/52648 --- pkgtools/pkg_install/files/lib/pkcs7.c | 37 +++++++++++----------------------- 1 file changed, 12 insertions(+), 25 deletions(-) (limited to 'pkgtools') diff --git a/pkgtools/pkg_install/files/lib/pkcs7.c b/pkgtools/pkg_install/files/lib/pkcs7.c index 0fd4f245c1e..41cab190faf 100644 --- a/pkgtools/pkg_install/files/lib/pkcs7.c +++ b/pkgtools/pkg_install/files/lib/pkcs7.c @@ -1,4 +1,4 @@ -/* $NetBSD: pkcs7.c,v 1.5 2009/08/02 17:56:45 joerg Exp $ */ +/* $NetBSD: pkcs7.c,v 1.6 2017/10/24 15:54:31 maya Exp $ */ #if HAVE_CONFIG_H #include "config.h" #endif @@ -7,7 +7,7 @@ #include #endif -__RCSID("$NetBSD: pkcs7.c,v 1.5 2009/08/02 17:56:45 joerg Exp $"); +__RCSID("$NetBSD: pkcs7.c,v 1.6 2017/10/24 15:54:31 maya Exp $"); /*- * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc. @@ -55,25 +55,12 @@ __RCSID("$NetBSD: pkcs7.c,v 1.5 2009/08/02 17:56:45 joerg Exp $"); #define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA) #endif -static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME; +#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L) +#define X509_get_extended_key_usage(x) x->ex_xkusage +#define X509_get_extension_flags(x) x->ex_flags +#endif -static int -check_ca(X509 *cert) -{ - if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 && - (cert->ex_kusage & KU_KEY_CERT_SIGN) != KU_KEY_CERT_SIGN) - return 0; - if ((cert->ex_flags & EXFLAG_BCONS) != 0) - return (cert->ex_flags & EXFLAG_CA) == EXFLAG_CA; - if ((cert->ex_flags & (EXFLAG_V1|EXFLAG_SS)) == (EXFLAG_V1|EXFLAG_SS)) - return 1; - if ((cert->ex_flags & EXFLAG_KUSAGE) != 0) - return 1; - if ((cert->ex_flags & EXFLAG_NSCERT) != 0 && - (cert->ex_nscert & NS_ANY_CA) != 0) - return 1; - return 0; -} +static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME; static STACK_OF(X509) * file_to_certs(const char *file) @@ -180,18 +167,18 @@ easy_pkcs7_verify(const char *content, size_t len, /* Compute ex_xkusage */ X509_check_purpose(sk_X509_value(signers, i), -1, -1); - if (check_ca(sk_X509_value(signers, i))) { + if (X509_check_ca(sk_X509_value(signers, i))) { warnx("CA keys are not valid for signatures"); goto cleanup; } if (is_pkg) { - if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) { + if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != pkg_key_usage) { warnx("Certificate must have CODE SIGNING " "and EMAIL PROTECTION property"); goto cleanup; } } else { - if (sk_X509_value(signers, i)->ex_xkusage != 0) { + if (X509_get_extension_flags(sk_X509_value(signers, i)) & EXFLAG_XKUSAGE) { warnx("Certificate must not have any property"); goto cleanup; } @@ -271,12 +258,12 @@ easy_pkcs7_sign(const char *content, size_t len, /* Compute ex_kusage */ X509_check_purpose(certificate, -1, 0); - if (check_ca(certificate)) { + if (X509_check_ca(certificate)) { warnx("CA keys are not valid for signatures"); goto cleanup; } - if (certificate->ex_xkusage != pkg_key_usage) { + if (X509_get_extended_key_usage(certificate) != pkg_key_usage) { warnx("Certificate must have CODE SIGNING " "and EMAIL PROTECTION property"); goto cleanup; -- cgit v1.2.3