pkgsrc-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()

The following reply was made to PR pkg/52298; it has been noted by GNATS.

From: coypu%sdf.org@localhost
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL
 1.1.0 due to incomplete type in check_ca()
Date: Tue, 4 Jul 2017 09:06:00 +0000

 ===================================================================
 RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c,v
 retrieving revision 1.5
 diff -u -r1.5 pkcs7.c
 --- lib/pkcs7.c	2 Aug 2009 17:56:45 -0000	1.5
 +++ lib/pkcs7.c	2 Jul 2017 17:27:34 -0000
 @@ -55,25 +55,11 @@
  #define NS_ANY_CA		(NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
  #endif
  
 -static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
 +#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
 +#define X509_get_extended_key_usage(x) x->ex_xkusage
 +#endif
  
 -static int
 -check_ca(X509 *cert)
 -{
 -	if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
 -	    (cert->ex_kusage & KU_KEY_CERT_SIGN) != KU_KEY_CERT_SIGN)
 -		return 0;
 -	if ((cert->ex_flags & EXFLAG_BCONS) != 0)
 -		return (cert->ex_flags & EXFLAG_CA) == EXFLAG_CA;
 -	if ((cert->ex_flags & (EXFLAG_V1|EXFLAG_SS)) == (EXFLAG_V1|EXFLAG_SS))
 -		return 1;
 -	if ((cert->ex_flags & EXFLAG_KUSAGE) != 0)
 -		return 1;
 -	if ((cert->ex_flags & EXFLAG_NSCERT) != 0 &&
 -	    (cert->ex_nscert & NS_ANY_CA) != 0)
 -		return 1;
 -	return 0;
 -}
 +static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
  
  static STACK_OF(X509) *
  file_to_certs(const char *file)
 @@ -180,18 +166,18 @@
  		/* Compute ex_xkusage */
  		X509_check_purpose(sk_X509_value(signers, i), -1, -1);
  
 -		if (check_ca(sk_X509_value(signers, i))) {
 +		if (X509_check_ca(sk_X509_value(signers, i))) {
  			warnx("CA keys are not valid for signatures");
  			goto cleanup;
  		}
  		if (is_pkg) {
 -			if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
 +			if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != pkg_key_usage) {
  				warnx("Certificate must have CODE SIGNING "
  				    "and EMAIL PROTECTION property");
  				goto cleanup;
  			}
  		} else {
 -			if (sk_X509_value(signers, i)->ex_xkusage != 0) {
 +			if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != 0) {
  				warnx("Certificate must not have any property");
  				goto cleanup;
  			}
 @@ -271,12 +257,12 @@
  	/* Compute ex_kusage */
  	X509_check_purpose(certificate, -1, 0);
  
 -	if (check_ca(certificate)) {
 +	if (X509_check_ca(certificate)) {
  		warnx("CA keys are not valid for signatures");
  		goto cleanup;
  	}
  
 -	if (certificate->ex_xkusage != pkg_key_usage) {
 +	if (X509_get_extended_key_usage(certificate) != pkg_key_usage) {
  		warnx("Certificate must have CODE SIGNING "
  		    "and EMAIL PROTECTION property");
  		goto cleanup;
Home | Main Index | Thread Index | Old Index