Print this page
4853 illumos-gate is not lint-clean when built with openssl 1.0

Split Close
Expand all
Collapse all
          --- old/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
          +++ new/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
↓ open down ↓ 2491 lines elided ↑ open up ↑
2492 2492  
2493 2493          /* Lookup by key hash */
2494 2494  
2495 2495          /* If key hash isn't SHA1 length then forget it */
2496 2496          if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2497 2497                  return (NULL);
2498 2498  
2499 2499          keyhash = id->value.byKey->data;
2500 2500          /* Calculate hash of each key and compare */
2501 2501          for (i = 0; i < sk_X509_num(certs); i++) {
2502      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
2503 2502                  X509 *x = sk_X509_value(certs, i);
2504 2503                  /* Use pubkey_digest to get the key ID value */
2505 2504                  (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2506 2505                  if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2507 2506                          return (x);
2508 2507          }
2509 2508          return (NULL);
2510 2509  }
2511 2510  
2512 2511  /* ocsp_find_signer() is copied from openssl source */
↓ open down ↓ 1119 lines elided ↑ open up ↑
3632 3631          }
3633 3632          cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
3634 3633              sizeof (X509_INFO *));
3635 3634          if (cert_infos == NULL) {
3636 3635                  (void) fclose(fp);
3637 3636                  rv = KMF_ERR_MEMORY;
3638 3637                  goto err;
3639 3638          }
3640 3639  
3641 3640          for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3642      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
3643 3641                  cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
3644 3642                  ncerts++;
3645 3643          }
3646 3644  
3647 3645          if (ncerts == 0) {
3648 3646                  (void) fclose(fp);
3649 3647                  rv = KMF_ERR_CERT_NOT_FOUND;
3650 3648                  goto err;
3651 3649          }
3652 3650  
↓ open down ↓ 61 lines elided ↑ open up ↑
3714 3712          }
3715 3713  
3716 3714          if (priv_key == NULL && pkey != NULL)
3717 3715                  EVP_PKEY_free(pkey);
3718 3716          else if (priv_key != NULL && pkey != NULL)
3719 3717                  *priv_key = pkey;
3720 3718  
3721 3719  err:
3722 3720          /* Cleanup the stack of X509 info records */
3723 3721          for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3724      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
3725 3722                  info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
3726 3723                  X509_INFO_free(info);
3727 3724          }
3728 3725          if (x509_info_stack)
3729 3726                  sk_X509_INFO_free(x509_info_stack);
3730 3727  
3731 3728          if (cert_infos != NULL)
3732 3729                  free(cert_infos);
3733 3730  
3734 3731          return (rv);
3735 3732  }
3736 3733  
3737 3734  static KMF_RETURN
3738 3735  openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3739 3736          STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
3740 3737  {
3741 3738          KMF_RETURN ret;
3742 3739          int i;
3743 3740  
3744 3741          for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
3745      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
3746 3742                  PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
3747 3743                  ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
3748 3744                      keys, certs);
3749 3745  
3750 3746                  if (ret != KMF_OK)
3751 3747                          return (ret);
3752 3748          }
3753 3749  
3754 3750          return (ret);
3755 3751  }
↓ open down ↓ 10 lines elided ↑ open up ↑
3766 3762                  pkey->attributes = sk_X509_ATTRIBUTE_new_null();
3767 3763                  if (pkey->attributes == NULL)
3768 3764                          return (KMF_ERR_MEMORY);
3769 3765          }
3770 3766          attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
3771 3767          if (attr != NULL) {
3772 3768                  int i;
3773 3769                  X509_ATTRIBUTE *a;
3774 3770                  for (i = 0;
3775 3771                      i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
3776      -                        /* LINTED E_BAD_PTR_CASE_ALIGN */
3777 3772                          a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
3778 3773                          if (OBJ_obj2nid(a->object) == nid) {
3779 3774                                  X509_ATTRIBUTE_free(a);
3780      -                                /* LINTED E_BAD_PTR_CAST_ALIGN */
3781 3775                                  sk_X509_ATTRIBUTE_set(pkey->attributes,
3782 3776                                      i, attr);
3783 3777                                  return (KMF_OK);
3784 3778                          }
3785 3779                  }
3786 3780                  if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
3787 3781                          X509_ATTRIBUTE_free(attr);
3788 3782                          return (KMF_ERR_MEMORY);
3789 3783                  }
3790 3784          } else {
↓ open down ↓ 157 lines elided ↑ open up ↑
3948 3942                  }
3949 3943          } else if (!PKCS12_verify_mac(p12, pin, -1)) {
3950 3944                  return (KMF_ERR_AUTH_FAILED);
3951 3945          }
3952 3946  
3953 3947          if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
3954 3948                  return (KMF_ERR_PKCS12_FORMAT);
3955 3949  
3956 3950          for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
3957 3951                  bags = NULL;
3958      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
3959 3952                  p7 = sk_PKCS7_value(asafes, i);
3960 3953                  bagnid = OBJ_obj2nid(p7->type);
3961 3954  
3962 3955                  if (bagnid == NID_pkcs7_data) {
3963 3956                          bags = PKCS12_unpack_p7data(p7);
3964 3957                  } else if (bagnid == NID_pkcs7_encrypted) {
3965 3958                          bags = PKCS12_unpack_p7encdata(p7, pin,
3966 3959                              (pin ? strlen(pin) : 0));
3967 3960                  } else {
3968 3961                          continue;
↓ open down ↓ 257 lines elided ↑ open up ↑
4226 4219  static X509_ATTRIBUTE *
4227 4220  find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
4228 4221  {
4229 4222          X509_ATTRIBUTE *a;
4230 4223          int i;
4231 4224  
4232 4225          if (attrs == NULL)
4233 4226                  return (NULL);
4234 4227  
4235 4228          for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
4236      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
4237 4229                  a = sk_X509_ATTRIBUTE_value(attrs, i);
4238 4230                  if (OBJ_obj2nid(a->object) == nid)
4239 4231                          return (a);
4240 4232          }
4241 4233          return (NULL);
4242 4234  }
4243 4235  
4244 4236  static KMF_RETURN
4245 4237  convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
4246 4238  {
↓ open down ↓ 20 lines elided ↑ open up ↑
4267 4259                          return (KMF_ERR_BAD_PARAMETER);
4268 4260          }
4269 4261          /*
4270 4262           * If friendlyName, add it to record.
4271 4263           */
4272 4264          attr = find_attr(pkey->attributes, NID_friendlyName);
4273 4265          if (attr != NULL) {
4274 4266                  ASN1_TYPE *ty = NULL;
4275 4267                  int numattr = sk_ASN1_TYPE_num(attr->value.set);
4276 4268                  if (attr->single == 0 && numattr > 0) {
4277      -                        /* LINTED E_BAD_PTR_CAST_ALIGN */
4278 4269                          ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4279 4270                  }
4280 4271                  if (ty != NULL) {
4281 4272  #if OPENSSL_VERSION_NUMBER < 0x10000000L
4282 4273                          key->label = uni2asc(ty->value.bmpstring->data,
4283 4274                              ty->value.bmpstring->length);
4284 4275  #else
4285 4276                          key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
4286 4277                              ty->value.bmpstring->length);
4287 4278  #endif
↓ open down ↓ 3 lines elided ↑ open up ↑
4291 4282          }
4292 4283  
4293 4284          /*
4294 4285           * If KeyID, add it to record as a KMF_DATA object.
4295 4286           */
4296 4287          attr = find_attr(pkey->attributes, NID_localKeyID);
4297 4288          if (attr != NULL) {
4298 4289                  ASN1_TYPE *ty = NULL;
4299 4290                  int numattr = sk_ASN1_TYPE_num(attr->value.set);
4300 4291                  if (attr->single == 0 && numattr > 0) {
4301      -                        /* LINTED E_BAD_PTR_CAST_ALIGN */
4302 4292                          ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4303 4293                  }
4304 4294                  key->id.Data = (uchar_t *)malloc(
4305 4295                      ty->value.octet_string->length);
4306 4296                  if (key->id.Data == NULL)
4307 4297                          return (KMF_ERR_MEMORY);
4308 4298                  (void) memcpy(key->id.Data, ty->value.octet_string->data,
4309 4299                      ty->value.octet_string->length);
4310 4300                  key->id.Length = ty->value.octet_string->length;
4311 4301          } else {
↓ open down ↓ 10 lines elided ↑ open up ↑
4322 4312          STACK_OF(X509) *sslcert,
4323 4313          STACK_OF(X509) *sslcacerts,
4324 4314          KMF_RAW_KEY_DATA **keylist, int *nkeys,
4325 4315          KMF_X509_DER_CERT **certlist, int *ncerts)
4326 4316  {
4327 4317          KMF_RETURN rv = KMF_OK;
4328 4318          KMF_RAW_KEY_DATA key;
4329 4319          int i;
4330 4320  
4331 4321          for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
4332      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
4333 4322                  EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
4334 4323                  rv = convertToRawKey(pkey, &key);
4335 4324                  if (rv == KMF_OK)
4336 4325                          rv = add_key_to_list(keylist, &key, nkeys);
4337 4326  
4338 4327                  if (rv != KMF_OK)
4339 4328                          return (rv);
4340 4329          }
4341 4330  
4342 4331          /* Now add the certificate to the certlist */
4343 4332          for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
4344      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
4345 4333                  X509 *cert = sk_X509_value(sslcert, i);
4346 4334                  rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
4347 4335                  if (rv != KMF_OK)
4348 4336                          return (rv);
4349 4337          }
4350 4338  
4351 4339          /* Also add any included CA certs to the list */
4352 4340          for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
4353 4341                  X509 *c;
4354 4342                  /*
4355 4343                   * sk_X509_value() is macro that embeds a cast to (X509 *).
4356 4344                   * Here it translates into ((X509 *)sk_value((ca), (i))).
4357 4345                   * Lint is complaining about the embedded casting, and
4358 4346                   * to fix it, you need to fix openssl header files.
4359 4347                   */
4360      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
4361 4348                  c = sk_X509_value(sslcacerts, i);
4362 4349  
4363 4350                  /* Now add the ca cert to the certlist */
4364 4351                  rv = add_cert_to_list(kmfh, c, certlist, ncerts);
4365 4352                  if (rv != KMF_OK)
4366 4353                          return (rv);
4367 4354          }
4368 4355          return (rv);
4369 4356  }
4370 4357  
↓ open down ↓ 1046 lines elided ↑ open up ↑
5417 5404          /* Check to see if the certificate serial number is revoked */
5418 5405          revoke_stack = X509_CRL_get_REVOKED(xcrl);
5419 5406          if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
5420 5407                  /* No revoked certificates in the CRL file */
5421 5408                  SET_ERROR(kmfh, ERR_get_error());
5422 5409                  ret = KMF_ERR_EMPTY_CRL;
5423 5410                  goto end;
5424 5411          }
5425 5412  
5426 5413          for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
5427      -                /* LINTED E_BAD_PTR_CAST_ALIGN */
5428 5414                  revoke = sk_X509_REVOKED_value(revoke_stack, i);
5429 5415                  if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
5430 5416                      revoke->serialNumber) == 0) {
5431 5417                          break;
5432 5418                  }
5433 5419          }
5434 5420  
5435 5421          if (i < sk_X509_REVOKED_num(revoke_stack)) {
5436 5422                  ret = KMF_OK;
5437 5423          } else {
↓ open down ↓ 160 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX