Re: CVS commit: src/external/bsd/pkg_install/dist/lib

[maya%netbsd.org@localhost]

I'm intentionally verbose in the hopes that someone has a second look at
it, it's important to get right.

On Sun, Feb 04, 2018 at 09:00:51AM +0000, Maya Rashish wrote:
> Fix OpenSSL 1.1.0 build
> OpenSSL 1.1.0 makes xkusage and ex_flags opaque.
> Use X509_check_ca rather than a custom and nearly identical implementation.
> This is available since OpenSSL 0.9.8 (even in RHEL5).
> This is also done because we cannot implement it identically under
> OpenSSL 1.1.0 due to missing getters.
> Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
> 1.1.0 getter returning a different code on this case.
> Use getter for xkusage in the non-zero test case.
> Provide fallback definitions for getters.
> 
> PR pkg/52298, PR pkg/52648
> 


> @@ -55,25 +55,12 @@ __RCSID("$NetBSD: pkcs7.c,v 1.2 2017/04/
>  #define NS_ANY_CA		(NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
>  #endif
>  
> -static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
> +#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
> +#define X509_get_extended_key_usage(x) x->ex_xkusage
> +#define X509_get_extension_flags(x) x->ex_flags
> +#endif
>  
> -static int
> -check_ca(X509 *cert)
> -{
> -	if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
> -	    (cert->ex_kusage & KU_KEY_CERT_SIGN) != KU_KEY_CERT_SIGN)
> -		return 0;
> -	if ((cert->ex_flags & EXFLAG_BCONS) != 0)
> -		return (cert->ex_flags & EXFLAG_CA) == EXFLAG_CA;
> -	if ((cert->ex_flags & (EXFLAG_V1|EXFLAG_SS)) == (EXFLAG_V1|EXFLAG_SS))
> -		return 1;
> -	if ((cert->ex_flags & EXFLAG_KUSAGE) != 0)
> -		return 1;
> -	if ((cert->ex_flags & EXFLAG_NSCERT) != 0 &&
> -	    (cert->ex_nscert & NS_ANY_CA) != 0)
> -		return 1;
> -	return 0;
> -}
> +static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
>  
>  static STACK_OF(X509) *
>  file_to_certs(const char *file)
> @@ -180,18 +167,18 @@ easy_pkcs7_verify(const char *content, s
>  		/* Compute ex_xkusage */
>  		X509_check_purpose(sk_X509_value(signers, i), -1, -1);
>  
> -		if (check_ca(sk_X509_value(signers, i))) {
> +		if (X509_check_ca(sk_X509_value(signers, i))) {
>  			warnx("CA keys are not valid for signatures");
>  			goto cleanup;
>  		}
>  		if (is_pkg) {
> -			if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
> +			if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != pkg_key_usage) {
>  				warnx("Certificate must have CODE SIGNING "
>  				    "and EMAIL PROTECTION property");
>  				goto cleanup;
>  			}
>  		} else {
> -			if (sk_X509_value(signers, i)->ex_xkusage != 0) {
> +			if (X509_get_extension_flags(sk_X509_value(signers, i)) & EXFLAG_XKUSAGE) {
>  				warnx("Certificate must not have any property");
>  				goto cleanup;
>  			}
> @@ -271,12 +258,12 @@ easy_pkcs7_sign(const char *content, siz
>  	/* Compute ex_kusage */
>  	X509_check_purpose(certificate, -1, 0);
>  
> -	if (check_ca(certificate)) {
> +	if (X509_check_ca(certificate)) {
>  		warnx("CA keys are not valid for signatures");
>  		goto cleanup;
>  	}
>  
> -	if (certificate->ex_xkusage != pkg_key_usage) {
> +	if (X509_get_extended_key_usage(certificate) != pkg_key_usage) {
>  		warnx("Certificate must have CODE SIGNING "
>  		    "and EMAIL PROTECTION property");
>  		goto cleanup;