diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b1f156f..1bce58e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,9 +31,9 @@ jobs: #sudo apt-get install -y >/dev/null cmake # build-essential git libssl-dev mkdir build cd build - SECUTILS_NO_TLS=1 cmake -S .. -B . + SECUTILS_NO_TLS=1 cmake -S .. -B . # Release by default cmake --build . - SECUTILS_USE_ICV=1 cmake -DCMAKE_BUILD_TYPE=Release -S .. -B . + SECUTILS_USE_ICV=1 cmake -DCMAKE_BUILD_TYPE=Debug -S .. -B . make clean build DESTDIR=tmp make install uninstall make deb diff --git a/CMakeLists.txt b/CMakeLists.txt index 9b5fa64..264deae 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,20 +1,23 @@ -cmake_minimum_required(VERSION 3.13) +cmake_minimum_required(VERSION 3.18) project( security-utilities - VERSION 2.0.0 # always 3 components for correct versioning + VERSION 2.1.0 # always 3 components for correct versioning LANGUAGES C) message(STATUS "SecurityUtilities version ${security-utilities_VERSION}") # set(CMAKE_VERBOSE_MAKEFILE on) -if(DEFINED ENV{NDEBUG}) - message(STATUS "Setting build type to 'Release' because NDEBUG was set.") +if(DEFINED ENV{NDEBUG} OR NOT CMAKE_BUILD_TYPE MATCHES Debug) + if(DEFINED ENV{NDEBUG}) + message(STATUS "Setting build type to 'Release' because NDEBUG was set.") + elseif(NOT CMAKE_BUILD_TYPE) + message(STATUS "Setting build type to 'Release' by default.") + endif() set(CMAKE_BUILD_TYPE Release # automatically leads to CFLAGS += -DNDEBUG -O3 CACHE STRING "Choose the type of build." FORCE) -elseif(NOT CMAKE_BUILD_TYPE) - message(STATUS "Setting build type to 'Debug' as none was specified.") +else() set(CMAKE_BUILD_TYPE Debug # automatically leads to CFLAGS += -g # -O0 not added by default CACHE STRING "Choose the type of build." FORCE) @@ -22,32 +25,61 @@ endif() message(STATUS "Build mode: ${CMAKE_BUILD_TYPE}") # improved from https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html -if(NOT DEFINED OPENSSL_ROOT_DIR AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "") +if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "") get_filename_component(OPENSSL_ROOT_DIR "$ENV{OPENSSL_DIR}" ABSOLUTE) - set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include") + if(NOT TARGET OpenSSL::Crypto) # not already handled by superordinate module + # invalidate defaults from CMakeCache.txt + set(OPENSSL_VERSION "") + set(OPENSSL_INCLUDE_DIR "") + set(OPENSSL_LIB_SET FALSE) + set(OPENSSL_CRYPTO_LIBRARY "") + set(OPENSSL_SSL_LIBRARY "") + endif() endif() -if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module - set(OPENSSL_VERSION "(unknown)") - set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) # TODO SSL should not be needed if SECUTILS_NO_TLS +if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "" OR + NOT TARGET OpenSSL::Crypto) # not already done by superordinate module + if(${SECUTILS_NO_TLS}) + set(OPENSSL_COMPONENTS COMPONENTS Crypto) + else() + set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) + endif() if(DEFINED OPENSSL_ROOT_DIR) - find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS}) + if(NOT APPLE) # on macOS, work around find_package() not respecting HINTS and NO_DEFAULT_PATH + find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS}) + endif() else() find_package(OpenSSL ${OPENSSL_COMPONENTS}) endif() - STRING(REGEX REPLACE "/?/libcrypto\..*" "" OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}") + STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}") + if(NOT OPENSSL_INCLUDE_DIR) + set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include") + endif() + if(NOT OPENSSL_VERSION) + file(READ "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSLV_CONTENT) + string(REGEX MATCH "OpenSSL ([0-9]+\\.[0-9]+\\.[0-9]+[^ ]*)" VERSION_MATCH "${OPENSSLV_CONTENT}") + if(VERSION_MATCH) + string(REGEX REPLACE "OpenSSL " "" OPENSSL_VERSION "${VERSION_MATCH}") + else() + set(OPENSSL_VERSION "(unknown)") + endif() + endif() endif() message(STATUS "using OpenSSL version ${OPENSSL_VERSION}") message(STATUS "using OpenSSL inc dir ${OPENSSL_INCLUDE_DIR}") -STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}") if(NOT EXISTS "${OPENSSL_INCLUDE_DIR}/openssl") message(FATAL_ERROR "OpenSSL include directory does not exist: ${OPENSSL_INCLUDE_DIR}/openssl") endif() -if("$ENV{OPENSSL_LIB}" STREQUAL "" AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "") - set(ENV{OPENSSL_LIB} $ENV{OPENSSL_DIR}) -endif() -if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "") - set(OPENSSL_LIB_SET 1) - get_filename_component(OPENSSL_LIB "$ENV{OPENSSL_LIB}" ABSOLUTE) +if(NOT TARGET OpenSSL::Crypto) # not already done by superordinate module + set(OPENSSL_LIB "$ENV{OPENSSL_LIB}") + if(NOT OPENSSL_LIB) + if (NOT "$ENV{OPENSSL_DIR}" STREQUAL "") + set(OPENSSL_LIB $ENV{OPENSSL_DIR}) + elseif(OPENSSL_CRYPTO_LIBRARY) + get_filename_component(OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}" DIRECTORY) + endif() + endif() + get_filename_component(OPENSSL_LIB "${OPENSSL_LIB}" ABSOLUTE) + message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}") if(NOT EXISTS "${OPENSSL_LIB}") message(FATAL_ERROR "directory OPENSSL_LIB does not exist: ${OPENSSL_LIB}") endif() @@ -67,7 +99,6 @@ if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "") set(OPENSSL_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY}) endif() endif() -message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}") message(STATUS "using OpenSSL library ${OPENSSL_CRYPTO_LIBRARY}, ${OPENSSL_SSL_LIBRARY}") if(NOT EXISTS "${OPENSSL_CRYPTO_LIBRARY}") message(FATAL_ERROR "OpenSSL crypto library file does not exist: ${OPENSSL_CRYPTO_LIBRARY}") diff --git a/Makefile_v1 b/Makefile_v1 index 2378281..511dc29 100644 --- a/Makefile_v1 +++ b/Makefile_v1 @@ -33,7 +33,7 @@ ifeq ($(OUT_DIR),) override OUT_DIR = . endif -VERSION=2.0 +VERSION=2.1 # must be kept in sync with debian/changelog and CMakeLists.txt # PACKAGENAME=libsecutils # DIRNAME=$(PACKAGENAME)-$(VERSION) diff --git a/README.md b/README.md index a30208c..5f21baa 100644 --- a/README.md +++ b/README.md @@ -48,10 +48,10 @@ also on a virtual machine or the Windows Subsystem for Linux ([WSL](https://docs and with MacOS. The following network and development tools are needed or recommended. -* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2, 2.47.0) -* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.26.3, 3.27.7, 3.30.5) +* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.34.1, 2.48.0) +* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.22.1, 3.27.7, 3.31.5) * GNU make (tested versions include 3.81, 4.1, 4.2.1, 4.3) -* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1, 12.2.0) +* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.2.1, 11.4.0, 12.2.0) or clang (tested versions include 14.0.3, 17.0.3, 19.1.1) The following OSS components are used. @@ -178,7 +178,7 @@ With that directory, artifacts are placed in the usual subdirectories. ### Building Debian packages -This repository can build the following Debian and source packages. +On Linux, this repository can build the following Debian and source packages. * `libsecutils` -- the shared library * `libsecutils-dev` -- development headers and documentation diff --git a/debian/changelog b/debian/changelog index 222c224..8b48bd2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libsecutils (2.1) stable; urgency=medium + + * Various fixes on build system, code, and OpenSSL version compatibility + + -- David von Oheimb Fri, 17 Oct 2025 08:53:10 +0200 + libsecutils (2.0) stable; urgency=medium * Improved build system; various small fixes diff --git a/debian/control b/debian/control index 871b3eb..7de033a 100644 --- a/debian/control +++ b/debian/control @@ -18,7 +18,7 @@ Description: OpenSSL enhancement wrapper library With extended support for certficate status checking using CRLs and/or OCSP Package: libsecutils-dev -Depends: libsecutils (>= 2.0), ${misc:Depends} +Depends: libsecutils (>= 2.1), ${misc:Depends} Suggests: libssl-dev, libuta-dev Section: devel Architecture: all diff --git a/src/libsecutils/include/secutils/connections/conn.h b/src/libsecutils/include/secutils/connections/conn.h index 068b03c..c6be0bc 100644 --- a/src/libsecutils/include/secutils/connections/conn.h +++ b/src/libsecutils/include/secutils/connections/conn.h @@ -24,7 +24,15 @@ static const char* const CONN_https_prefix = "https://"; #define CONN_IS_HTTP( uri) ((uri) != NULL && HAS_PREFIX(uri, OSSL_HTTP_PREFIX )) #define CONN_IS_HTTPS(uri) ((uri) != NULL && HAS_PREFIX(uri, OSSL_HTTPS_PREFIX)) -#define CONN_IS_IP_ADDR(host) ((host) != NULL && ((*(host) >= '0' && *(host) <= '9') || *(host) == '[')) +#define CONN_IS_IP_ADDR(host) CONN_is_IP_address(host) + +/*!***************************************************************************** + * @brief check if host string is an IP address (as opposed to domain name) + * @note an IPv6 address must be enclosed in '[' and ']'. + * @param host identifier string to be checked, or null. + * @return 1 if string is an IP address, 0 otherwise + ******************************************************************************/ +bool CONN_is_IP_address(OPTIONAL const char *host); /*!***************************************************************************** * @brief parse hostname or URI of the form "[http[s]://][@][:][/]" diff --git a/src/libsecutils/include/secutils/credentials/cert.h b/src/libsecutils/include/secutils/credentials/cert.h index c83a6f4..9422898 100644 --- a/src/libsecutils/include/secutils/credentials/cert.h +++ b/src/libsecutils/include/secutils/credentials/cert.h @@ -109,7 +109,7 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs); * @return ASN.1 representation of the DN, or null on error *******************************************************************************/ /* this function is used by the genCMPClient API implementation */ -X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn); +X509_NAME* UTIL_parse_name(const char* dn, int chtype, bool multirdn); /*!***************************************************************************** diff --git a/src/libsecutils/include/secutils/credentials/credentials.h b/src/libsecutils/include/secutils/credentials/credentials.h index 6b6d1f6..96994e2 100644 --- a/src/libsecutils/include/secutils/credentials/credentials.h +++ b/src/libsecutils/include/secutils/credentials/credentials.h @@ -40,9 +40,9 @@ typedef const char* component_creds_id; /**< component credentials identifier */ * @return pointer to a new CREDENTIALS structure, or null on error *******************************************************************************/ /* this function is part of the genCMPClient API */ -CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY* pkey, OPTIONAL const OPTIONAL X509* cert, - OPTIONAL const STACK_OF(X509) * chain, OPTIONAL const char* pwd, - OPTIONAL const char* pwdref); +CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY *pkey, OPTIONAL const X509 *cert, + OPTIONAL const STACK_OF(X509) *chain, OPTIONAL const char *pwd, + OPTIONAL const char *pwdref); /*!***************************************************************************** * @brief get private key component of the given credentials diff --git a/src/libsecutils/include/secutils/credentials/store.h b/src/libsecutils/include/secutils/credentials/store.h index 4e9967f..ba1cde7 100644 --- a/src/libsecutils/include/secutils/credentials/store.h +++ b/src/libsecutils/include/secutils/credentials/store.h @@ -62,7 +62,7 @@ bool STORE_set1_desc(X509_STORE* store, OPTIONAL const char* desc); * @param store the certificate trust store * @return description to use for diagnostics, or null on failure or if not set */ -const char* STORE_get0_desc(OPTIONAL X509_STORE* store); +const char *STORE_get0_desc(OPTIONAL const X509_STORE *store); /*!***************************************************************************** * @brief set various optional verification parameters in the given trust store @@ -127,8 +127,8 @@ bool STORE_set_crl_callback(X509_STORE* store, * @param desc description of the CRL to use for any error messages, or null * @return pointer to downloaded CRL, or null on error */ -X509_CRL* STORE_fetch_crl(X509_STORE* store, OPTIONAL const char* url, int timeout, - const X509* cert, OPTIONAL const char* desc); +X509_CRL *STORE_fetch_crl(const X509_STORE *store, OPTIONAL const char *url, int timeout, + const X509 *cert, OPTIONAL const char *desc); /*! * @brief create or extend cert store structure with any given cert(s) @@ -252,7 +252,8 @@ bool STORE_EX_check_index(void); * @param store the affected certificate store * @param host the host name to set, or null to clear it * @return true on success, false on failure - * @note since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available + * @note since OpenSSL 3.0, due to X509_VERIFY_PARAM_get0_host() being available, + * this function is no more needed and just returns true */ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host); @@ -262,7 +263,7 @@ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host); * @param store the certificate store to read from * @return the first host name that has been set, or null if unset or on failure */ -const char* STORE_get0_host(X509_STORE* store); +const char *STORE_get0_host(const X509_STORE *store); # ifndef SECUTILS_NO_TLS /*! diff --git a/src/libsecutils/src/connections/conn.c b/src/libsecutils/src/connections/conn.c index c8f6368..6499670 100644 --- a/src/libsecutils/src/connections/conn.c +++ b/src/libsecutils/src/connections/conn.c @@ -21,8 +21,40 @@ # include #endif +/* for getaddrinfo() and freeaddrinfo() */ +#include +#include +#include +#ifdef _WIN32 +# include +# include +#endif + #include +bool CONN_is_IP_address(OPTIONAL const char *host) +{ + size_t len; + struct addrinfo hints, *res; + int ret; + + if (host == NULL) + return false; + + /* presume IPv6 address literal if host has the form "[]" */ + len = strlen(host); + if (len > 2 && *host == '[' && strchr(host + 1, '[') == NULL + && strchr(host + 1, ']') == host + len - 1) + return true; + + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_NUMERICHOST; + ret = getaddrinfo(host, NULL, &hints, &res); + if (res != NULL) + freeaddrinfo(res); + return ret == 0; +} + static const char* skip_scheme(const char* str) { const char *scheme_end = strstr(str, CONN_scheme_postfix); diff --git a/src/libsecutils/src/connections/http.c b/src/libsecutils/src/connections/http.c index 3859e96..179a17a 100644 --- a/src/libsecutils/src/connections/http.c +++ b/src/libsecutils/src/connections/http.c @@ -29,6 +29,10 @@ # endif # include +# if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 +# define OSSL_HTTP_parse_url(url, s, u, h, p, n, path, q, f) OCSP_parse_url(url, h, p, path, s) +# endif + /* TODO replace this all by new API in http.h of OpenSSL 3.0 */ static int REQ_CTX_i2d(OCSP_REQ_CTX* rctx, const char* content_type, @@ -196,7 +200,7 @@ ASN1_VALUE* CONN_load_ASN1_http(const char* url, int req_timeout, LOG(FL_ERR, "null URL argument for downloading %s", desc); return 0; } - if(not OCSP_parse_url(url, &host, &port, &path, &use_ssl)) + if(not OSSL_HTTP_parse_url(url, &use_ssl, NULL, &host, &port, NULL, &path, NULL, NULL)) { LOG(FL_ERR, "cannot parse URL: '%s' for downloading %s", url, desc); goto err; diff --git a/src/libsecutils/src/credentials/cert.c b/src/libsecutils/src/credentials/cert.c index 9e34eb1..651478f 100644 --- a/src/libsecutils/src/credentials/cert.c +++ b/src/libsecutils/src/credentials/cert.c @@ -77,7 +77,7 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs) * The NULL-DN may be given as "/" or "". */ /* adapted from OpenSSL:apps/lib/apps.c */ -X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn) +X509_NAME* UTIL_parse_name(const char* dn, int chtype, bool multirdn) { size_t buflen = strlen(dn) + 1; /* to copy the types and values. * Due to escaping, the copy can only become shorter */ diff --git a/src/libsecutils/src/credentials/credentials.c b/src/libsecutils/src/credentials/credentials.c index e0009e6..e43c6ce 100644 --- a/src/libsecutils/src/credentials/credentials.c +++ b/src/libsecutils/src/credentials/credentials.c @@ -40,9 +40,9 @@ struct credentials } /* CREDENTIALS */; -CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY* pkey, const OPTIONAL X509* cert, - OPTIONAL const STACK_OF(X509) * chain, OPTIONAL const char* pwd, - OPTIONAL const char* pwdref) +CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY *pkey, OPTIONAL const X509 *cert, + OPTIONAL const STACK_OF(X509) *chain, OPTIONAL const char *pwd, + OPTIONAL const char *pwdref) { const char* pass = pwd; if (pwd not_eq 0 and strncmp(pwd, sec_PASS_STR, strlen(sec_PASS_STR)) is_eq 0) diff --git a/src/libsecutils/src/credentials/store.c b/src/libsecutils/src/credentials/store.c index ff02798..42034de 100644 --- a/src/libsecutils/src/credentials/store.c +++ b/src/libsecutils/src/credentials/store.c @@ -34,8 +34,9 @@ typedef struct STORE_ex_st BIO* tls_bio; /* indicates CMP_PKIMESSAGE_http_perform() with TLS is active */ #endif const char* desc; /* description to be used for diagnostic purposes */ +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 const char* host; /* expected host name in cert, for diagnostic purposes */ - /* Since OpenSSL 3.0, the host part could be replaced by using X509_VERIFY_PARAM_get0_host() */ +#endif CONN_load_crl_cb_t crl_cb; OPTIONAL void* crl_cb_arg; revstatus_access cdps; @@ -80,7 +81,9 @@ static void STORE_EX_free(ossl_unused X509_STORE* ts, STORE_EX* ex_data, ossl_un if(0 not_eq ex_data) { OPENSSL_free((char*)ex_data->desc); +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 OPENSSL_free((char*)ex_data->host); +#endif OPENSSL_free((char*)ex_data->cdps.urls); OPENSSL_free((char*)ex_data->ocsp.urls); OPENSSL_free(ex_data); @@ -120,7 +123,7 @@ static void STORE_EX_free_index(void) } } -static STORE_EX* STORE_get_ex_data(X509_STORE* store) +static STORE_EX *STORE_get_ex_data(const X509_STORE *store) { STORE_EX* res = 0; if(store is_eq 0) @@ -129,7 +132,7 @@ static STORE_EX* STORE_get_ex_data(X509_STORE* store) } else { - res = X509_STORE_get_ex_data(store, STORE_EX_data_idx); + res = X509_STORE_get_ex_data((/* needed for OpenSSL < 3.0: */ X509_STORE *)store, STORE_EX_data_idx); if(res is_eq 0) { LOG(FL_ERR, "STORE_EX not found"); @@ -478,7 +481,10 @@ bool STORE_set1_host_ip(X509_STORE* ts, OPTIONAL const char* name, OPTIONAL cons X509_VERIFY_PARAM* ts_vpm = X509_STORE_get0_param(ts); /* first clear any host names, IP addresses, and email addresses */ - if(not STORE_set1_host(ts, 0) or + if( +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 + not STORE_set1_host(ts, 0) or +#endif 0 is_eq X509_VERIFY_PARAM_set1_host(ts_vpm, 0, 0) or 0 is_eq X509_VERIFY_PARAM_set1_ip(ts_vpm, 0, 0) or 0 is_eq X509_VERIFY_PARAM_set1_email(ts_vpm, 0, 0)) @@ -515,15 +521,19 @@ bool STORE_set1_host_ip(X509_STORE* ts, OPTIONAL const char* name, OPTIONAL cons } if(name_str not_eq 0 and (ip_str is_eq 0 or (res is_eq false and strcmp(name, ip) is_eq 0))) { - /* Unfortunately, before OpenSSL 3.0, there was no API function for retrieving the - hostname/ip entries in X509_VERIFY_PARAM. So we store the host value - in ex_data for use in CREDENTIALS_print_cert_verify_cb(). */ res = X509_VERIFY_PARAM_set1_host(ts_vpm, name_str, 0) not_eq 0; +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 + /* + * Before OpenSSL 3.0, there was no API function for retrieving the + * hostname/ip entries in X509_VERIFY_PARAM. So we store the host value + * in ex_data for use in CREDENTIALS_print_cert_verify_cb(). + * Since OpenSSL 3.0, this is no more needed as X509_VERIFY_PARAM_get0_host() is available. + */ if(res not_eq false) { - /* Since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available */ res = STORE_set1_host(ts, name_str); } +#endif } if(res is_eq false) { @@ -617,7 +627,7 @@ bool STORE_set1_desc(X509_STORE* store, OPTIONAL const char *desc) return (ex_data->desc == NULL) == (desc == NULL); } -const char* STORE_get0_desc(OPTIONAL X509_STORE* store) +const char *STORE_get0_desc(OPTIONAL const X509_STORE *store) { if(0 is_eq store) { @@ -799,8 +809,8 @@ static X509_CRL *load_crl_http(OPTIONAL void *arg, OPTIONAL const char *url, int return 0; } -X509_CRL* STORE_fetch_crl(X509_STORE* ts, OPTIONAL const char* url, int timeout, - const X509* cert, OPTIONAL const char* desc) +X509_CRL *STORE_fetch_crl(const X509_STORE *ts, OPTIONAL const char *url, int timeout, + const X509 *cert, OPTIONAL const char *desc) { if (url not_eq 0 and strncmp(url, "file:", 5) is_eq 0) { @@ -833,6 +843,7 @@ X509_CRL* STORE_fetch_crl(X509_STORE* ts, OPTIONAL const char* url, int timeout, /* Since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available */ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host) { +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 STORE_EX* ex_data = STORE_get_ex_data(store); if(ex_data is_eq 0) { @@ -841,20 +852,29 @@ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host) OPENSSL_free((char*)ex_data->host); ex_data->host = OPENSSL_strdup(host); return true; +#else + /* prevent warnings on unused parameters: */ + (void)store; + (void)host; + return true; +#endif } -const char* STORE_get0_host(X509_STORE* store) +const char *STORE_get0_host(const X509_STORE *store) { +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 + /* + * Before OpenSSL 3.0, there is no OpenSSL API function for retrieving the + * hostname/ip entries in X509_VERIFY_PARAM. So we use ts->ex_data. + * This works for names we set ourselves but not verify_hostname. + */ const STORE_EX* ex_data = STORE_get_ex_data(store); - const char* host = ex_data not_eq 0 ? ex_data->host : 0; -#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_3_0_0 - if (host is_eq 0) - { - X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(store); - host = X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname set in store vpm */); - } + + return ex_data != NULL ? ex_data->host : NULL; +#else + /* first hostname set in store vpm: */ + return X509_VERIFY_PARAM_get0_host(X509_STORE_get0_param(store), 0); #endif - return host; } #ifndef SECUTILS_NO_TLS diff --git a/src/libsecutils/src/credentials/verify.c b/src/libsecutils/src/credentials/verify.c index 7fd8f83..0ffaaa7 100644 --- a/src/libsecutils/src/credentials/verify.c +++ b/src/libsecutils/src/credentials/verify.c @@ -93,9 +93,6 @@ int CREDENTIALS_print_cert_verify_cb(int ok, X509_STORE_CTX* store_ctx) break; case X509_V_ERR_HOSTNAME_MISMATCH: case X509_V_ERR_IP_ADDRESS_MISMATCH: - /* Unfortunately there is no OpenSSL API function for retrieving the - hostname/ip entries in X509_VERIFY_PARAM. So we use ts->ex_data. - This works for names we set ourselves but not verify_hostname. */ expected = STORE_get0_host(ts); break; case X509_V_ERR_INVALID_PURPOSE: diff --git a/src/libsecutils/src/util/log.c b/src/libsecutils/src/util/log.c index 7739037..3181ea3 100644 --- a/src/libsecutils/src/util/log.c +++ b/src/libsecutils/src/util/log.c @@ -180,10 +180,13 @@ bool LOG_generic(OPTIONAL const char* func, OPTIONAL const char* file, int linen char loc[loc_len]; memset(loc, 0x00, loc_len); - int len = snprintf(loc, sizeof(loc), "%s", app_name); #ifndef NDEBUG + int len = snprintf(loc, sizeof(loc), "%s", app_name); + if (len < 0) + len = 0; /* on error, cannot assume any string written to loc buffer */ /* print function name, source file name, and line number only if debugging is enabled at build time */ - (void)snprintf(loc + len, sizeof(loc) - len, ":%s():%s:%d:", func, file, lineno); + if (snprintf(loc + len, sizeof(loc) - (size_t)len, ":%s():%s:%d:", func, file, lineno) < 0) + loc[0] = '\0'; /* on error, resort to empty string */ #endif /* print string corresponding to level */ @@ -223,8 +226,8 @@ bool LOG_generic(OPTIONAL const char* func, OPTIONAL const char* file, int linen } /* print message, making sure that newline is printed */ - len = strlen(msg); - const int msg_nl = len > 0 and msg[len - 1] is_eq '\n'; + size_t msg_len = strlen(msg); + const int msg_nl = msg_len > 0 and msg[msg_len - 1] is_eq '\n'; const int ret = fprintf(fd, "%s %s: %s%s", loc, lvl, msg, msg_nl ? "" : "\n"); /* make sure that printing is done right away, return info on success */