pkgsrc-Bugs archive
Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
The following reply was made to PR pkg/52298; it has been noted by GNATS.
From: coypu%sdf.org@localhost
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL
1.1.0 due to incomplete type in check_ca()
Date: Tue, 4 Jul 2017 09:06:00 +0000
===================================================================
RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c,v
retrieving revision 1.5
diff -u -r1.5 pkcs7.c
--- lib/pkcs7.c 2 Aug 2009 17:56:45 -0000 1.5
+++ lib/pkcs7.c 2 Jul 2017 17:27:34 -0000
@@ -55,25 +55,11 @@
#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
#endif
-static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
+#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define X509_get_extended_key_usage(x) x->ex_xkusage
+#endif
-static int
-check_ca(X509 *cert)
-{
- if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
- (cert->ex_kusage & KU_KEY_CERT_SIGN) != KU_KEY_CERT_SIGN)
- return 0;
- if ((cert->ex_flags & EXFLAG_BCONS) != 0)
- return (cert->ex_flags & EXFLAG_CA) == EXFLAG_CA;
- if ((cert->ex_flags & (EXFLAG_V1|EXFLAG_SS)) == (EXFLAG_V1|EXFLAG_SS))
- return 1;
- if ((cert->ex_flags & EXFLAG_KUSAGE) != 0)
- return 1;
- if ((cert->ex_flags & EXFLAG_NSCERT) != 0 &&
- (cert->ex_nscert & NS_ANY_CA) != 0)
- return 1;
- return 0;
-}
+static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
static STACK_OF(X509) *
file_to_certs(const char *file)
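Review bot: The compatibility macro added near the top of this hunk expands its argument unparenthesised; `#define X509_get_extended_key_usage(x) ((x)->ex_xkusage)` is the safer form, even though the current call sites pass expressions that happen to expand correctly. The version guard also deserves a second look: LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, so a build against a LibreSSL release that lacks the accessor would skip the shim and fail to compile. If such builds are supported, the guard should also test LIBRESSL_VERSION_NUMBER. A one-line comment above the shim, such as `/* X509 is opaque from OpenSSL 1.1.0; older libraries need direct field access */`, would explain why it exists.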
@@ -180,18 +166,18 @@
/* Compute ex_xkusage */
X509_check_purpose(sk_X509_value(signers, i), -1, -1);
- if (check_ca(sk_X509_value(signers, i))) {
+ if (X509_check_ca(sk_X509_value(signers, i))) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
if (is_pkg) {
- if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
+ if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;
}
} else {
- if (sk_X509_value(signers, i)->ex_xkusage != 0) {
+ if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != 0) {
warnx("Certificate must not have any property");
goto cleanup;
}
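Review bot: The `!= 0` comparison in the non-package branch probably changes meaning on OpenSSL 1.1.0. As far as I know, the real X509_get_extended_key_usage() returns UINT32_MAX when the certificate has no extended key usage extension, whereas the old `ex_xkusage` field, and the pre-1.1.0 shim, yield 0. A signer certificate with no EKU would then be rejected with "Certificate must not have any property" on 1.1.0 but accepted on older libraries, so the two build configurations enforce different policy. Reading the value once and testing `if (xku != 0 && xku != UINT32_MAX)` would keep the original behaviour on both; the `!= pkg_key_usage` comparisons are unaffected. The enclosing function starts and ends outside this hunk, so confirm against the full verification path.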
@@ -271,12 +257,12 @@
/* Compute ex_kusage */
X509_check_purpose(certificate, -1, 0);
- if (check_ca(certificate)) {
+ if (X509_check_ca(certificate)) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
- if (certificate->ex_xkusage != pkg_key_usage) {
+ if (X509_get_extended_key_usage(certificate) != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;