Print this page
4853 illumos-gate is not lint-clean when built with openssl 1.0
Reviewed by Keith Wesolowski <keith.wesolowski@joyent.com>
Reviewed by Alexander Eremin <alexander.eremin@nexenta.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/libpkg/common/security.c
+++ new/usr/src/lib/libpkg/common/security.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
24 24 * Use is subject to license terms.
25 25 */
26 26
27 27
28 28 /*
29 29 * Module: security.c
30 30 * Description:
31 31 * Module for handling certificates and various
32 32 * utilities to access their data.
33 33 */
34 34
35 35 #include <stdio.h>
36 36 #include <string.h>
37 37 #include <errno.h>
38 38 #include <ctype.h>
39 39 #include <sys/types.h>
40 40 #include <sys/stat.h>
41 41 #include <limits.h>
42 42 #include <pkgstrct.h>
43 43 #include <pkginfo.h>
44 44 #include <locale.h>
45 45 #include <libintl.h>
46 46 #include <unistd.h>
47 47 #include <stdlib.h>
48 48
49 49 #include <openssl/bio.h>
50 50 #include <openssl/pkcs12.h>
51 51 #include <openssl/pkcs7.h>
52 52 #include <openssl/x509.h>
53 53 #include <openssl/err.h>
54 54 #include <openssl/ssl.h>
55 55 #include "pkgerr.h"
56 56 #include "pkglib.h"
57 57 #include "pkglibmsgs.h"
58 58 #include "pkglocale.h"
59 59 #include "p12lib.h"
60 60
61 61 /* length of allowable passwords */
62 62 #define MAX_PASSLEN 128
63 63
64 64 /*
65 65 * Name: init_security
66 66 * Description: Initializes structures, libraries, for security operations
67 67 * Arguments: none
68 68 * Returns: 0 if we couldn't initialize, non-zero otherwise
69 69 */
70 70 void
71 71 sec_init(void)
72 72 {
73 73 OpenSSL_add_all_algorithms();
74 74 SSL_load_error_strings();
75 75 ERR_load_SUNW_strings();
76 76 (void) SSL_library_init();
77 77 }
78 78
79 79 /*
80 80 * get_cert_chain - Builds a chain of certificates, from a given
81 81 * user certificate to a trusted certificate.
82 82 *
83 83 * Arguments:
84 84 * err - Error object to add errors to
85 85 * cert - User cert to start with
86 86 * cas - Trusted certs to use as trust anchors
87 87 * chain - The resulting chain of certs (in the form of an
88 88 * ordered set) is placed here.
89 89 *
90 90 * Returns:
91 91 * 0 - Success - chain is stored in 'chain'.
92 92 * non-zero - Failure, errors recorded in err
93 93 */
94 94 int
95 95 get_cert_chain(PKG_ERR *err, X509 *cert, STACK_OF(X509) *clcerts,
96 96 STACK_OF(X509) *cas, STACK_OF(X509) **chain)
97 97 {
98 98 X509_STORE_CTX *store_ctx = NULL;
99 99 X509_STORE *ca_store = NULL;
100 100 X509 *ca_cert = NULL;
101 101 int i;
102 102 int ret = 0;
|
↓ open down ↓ |
102 lines elided |
↑ open up ↑ |
103 103
104 104 if ((ca_store = X509_STORE_new()) == NULL) {
105 105 pkgerr_add(err, PKGERR_NOMEM,
106 106 gettext(ERR_MEM));
107 107 ret = 1;
108 108 goto cleanup;
109 109 }
110 110
111 111 /* add all ca certs into the store */
112 112 for (i = 0; i < sk_X509_num(cas); i++) {
113 - /* LINTED pointer cast may result in improper alignment */
114 113 ca_cert = sk_X509_value(cas, i);
115 114 if (X509_STORE_add_cert(ca_store, ca_cert) == 0) {
116 115 pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
117 116 ret = 1;
118 117 goto cleanup;
119 118 }
120 119 }
121 120
122 121 /* initialize context object used during the chain resolution */
123 122
124 123 if ((store_ctx = X509_STORE_CTX_new()) == NULL) {
125 124 pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
126 125 ret = 1;
127 126 goto cleanup;
128 127 }
129 128
130 129 (void) X509_STORE_CTX_init(store_ctx, ca_store, cert, clcerts);
131 130 /* attempt to verify the cert, which builds the cert chain */
132 131 if (X509_verify_cert(store_ctx) <= 0) {
133 132 pkgerr_add(err, PKGERR_CHAIN,
134 133 gettext(ERR_CERTCHAIN),
135 134 get_subject_display_name(cert),
136 135 X509_verify_cert_error_string(store_ctx->error));
137 136 ret = 1;
138 137 goto cleanup;
139 138 }
140 139 *chain = X509_STORE_CTX_get1_chain(store_ctx);
141 140
142 141 cleanup:
143 142 if (ca_store != NULL)
144 143 (void) X509_STORE_free(ca_store);
145 144 if (store_ctx != NULL) {
146 145 (void) X509_STORE_CTX_cleanup(store_ctx);
147 146 (void) X509_STORE_CTX_free(store_ctx);
148 147 }
149 148
150 149 return (ret);
151 150 }
152 151
153 152 /*
154 153 * Name: get_subject_name
155 154 * Description: Retrieves a name used for identifying a certificate's subject.
156 155 *
157 156 * Arguments: cert - The certificate to get the name from
158 157 *
159 158 * Returns : A static buffer containing the common name (CN) of the
160 159 * subject of the cert.
161 160 *
162 161 * if the CN is not available, returns a string with the entire
163 162 * X509 distinguished name.
164 163 */
165 164 char
166 165 *get_subject_display_name(X509 *cert)
|
↓ open down ↓ |
43 lines elided |
↑ open up ↑ |
167 166 {
168 167
169 168 X509_NAME *xname;
170 169 static char sname[ATTR_MAX];
171 170
172 171 xname = X509_get_subject_name(cert);
173 172 if (X509_NAME_get_text_by_NID(xname,
174 173 NID_commonName, sname,
175 174 ATTR_MAX) <= 0) {
176 175 (void) strncpy(sname,
177 - X509_NAME_oneline(xname,
178 - NULL, 0), ATTR_MAX);
176 + X509_NAME_oneline(xname, NULL, 0), ATTR_MAX);
179 177 sname[ATTR_MAX - 1] = '\0';
180 178 }
181 179 return (sname);
182 180 }
183 181
184 182 /*
185 183 * Name: get_display_name
186 184 * Description: Retrieves a name used for identifying a certificate's issuer.
187 185 *
188 186 * Arguments: cert - The certificate to get the name from
189 187 *
190 188 * Returns : A static buffer containing the common name (CN)
191 189 * of the issuer of the cert.
192 190 *
193 191 * if the CN is not available, returns a string with the entire
194 192 * X509 distinguished name.
195 193 */
196 194 char
197 195 *get_issuer_display_name(X509 *cert)
|
↓ open down ↓ |
9 lines elided |
↑ open up ↑ |
198 196 {
199 197
200 198 X509_NAME *xname;
201 199 static char sname[ATTR_MAX];
202 200
203 201 xname = X509_get_issuer_name(cert);
204 202 if (X509_NAME_get_text_by_NID(xname,
205 203 NID_commonName, sname,
206 204 ATTR_MAX) <= 0) {
207 205 (void) strncpy(sname,
208 - X509_NAME_oneline(xname,
209 - NULL, 0), ATTR_MAX);
206 + X509_NAME_oneline(xname, NULL, 0), ATTR_MAX);
210 207 sname[ATTR_MAX - 1] = '\0';
211 208 }
212 209 return (sname);
213 210 }
214 211
215 212
216 213 /*
217 214 * Name: get_serial_num
218 215 * Description: Retrieves the serial number of an X509 cert
219 216 *
220 217 * Arguments: cert - The certificate to get the data from
221 218 *
222 219 * Returns : A static buffer containing the serial number
223 220 * of the cert
224 221 *
225 222 * if the SN is not available, returns NULL
226 223 */
227 224 char
228 225 *get_serial_num(X509 *cert)
229 226 {
230 227 static char sn_str[ATTR_MAX];
231 228 ASN1_INTEGER *sn;
232 229
233 230 if ((sn = X509_get_serialNumber(cert)) != 0) {
234 231 return (NULL);
235 232 } else {
236 233 (void) snprintf(sn_str, ATTR_MAX, "%ld",
237 234 ASN1_INTEGER_get(sn));
238 235 }
239 236
240 237 return (sn_str);
241 238 }
242 239
243 240 /*
244 241 * Name: get_fingerprint
245 242 * Description: Generates a fingerprint string given
246 243 * a digest algorithm with which to calculate
247 244 * the fingerprint
248 245 *
249 246 * Arguments: cert - The certificate to get the data from
250 247 * Arguments: alg - The algorithm to use to calculate the fingerprint
251 248 *
252 249 * Returns : A static buffer containing the digest
253 250 * NULL if cert is NULL, or digest cannot be calculated
254 251 */
255 252 char
256 253 *get_fingerprint(X509 *cert, const EVP_MD *alg)
257 254 {
258 255 static char fp_str[ATTR_MAX];
259 256 char tmp[ATTR_MAX] = "";
260 257 unsigned int n;
261 258 unsigned char md[EVP_MAX_MD_SIZE];
262 259 int i;
263 260
264 261 if (!X509_digest(cert, alg, md, &n)) {
265 262 return (NULL);
266 263 }
267 264
268 265 /* start with empty string */
269 266 fp_str[0] = '\0';
270 267
271 268 for (i = 0; i < (int)n; i++) {
272 269 /* form a byte of the fingerprint */
273 270 (void) snprintf(tmp, ATTR_MAX, "%02X:", md[i]);
274 271 /* cat it onto the end of the result */
275 272 (void) strlcat(fp_str, tmp, ATTR_MAX);
276 273 }
277 274
278 275 /* nuke trailing ':' */
279 276 fp_str[strlen(fp_str) - 1] = '\0';
280 277
281 278 return (fp_str);
282 279 }
|
↓ open down ↓ |
63 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX