
Bug #5159

ipsec_libssl_setup.c loads libcrypto

Added by Gary Mills almost 5 years ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date: 2014-09-12
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:

Description

In lib/libipsecutil/common/ipsec_libssl_setup.c, the function print_asn1_name() loads libcrypto.so in order to print a DER distinguished name. This function is called only by the print_ident() function in usr/src/lib/libipsecutil/common/ipsec_util.c, although it could be called by others in the future.
An example, part of the debugging output, is like this:


SID: Source identity, uid=802928, type ASN.1 DER Distinguished Name
SID: C=DE, O=Company, OU=Company CA, OU=PKI, CN=Client

The problem with this approach is that it makes openssl a dependency of the illumos product. A solution is to replace the function with one that uses new code or existing facilities to print the name.

Files

libipsecutil.c (1.5 KB), test program, Andy Fiddaman, 2018-03-17 12:10 PM

History

#1

Updated by Andy Fiddaman over 1 year ago

  • Status changed from New to Pending RTI
  • Assignee set to Andy Fiddaman
  • % Done changed from 0 to 90
  • Tags deleted (needs-triage)

Jason King has developed a change to remove this OpenSSL dependency from libipsecutil. I plan to send it out for review on his behalf in the next couple of weeks.

#2

Updated by Andy Fiddaman over 1 year ago

Using the attached test program, output is below. This tests:

  • printing a DN from DER form constructed using OpenSSL library calls, including a non-standard attribute and an attribute value containing a non-printable character;
  • printing a DN from DER form constructed via libkmf using \" for the value containing spaces;
  • printing a DN from DER form constructed via libkmf using '\ ' for the value containing spaces.

NB: unknown attributes are not supported by kmf_dn_parser() so the second two tests are simpler DNs.

Gate output today:

C=UK, O="illumos org, not-inc", OU=unk\C2\84nown, emailAddress=tester@illumos.org, 1.2.3=unknown, CN=Jo Tester
C=UK, O="illumos org, not-inc", emailAddress=tester@illumos.org, CN=Jo Tester
C=UK, O="illumos org, not-inc", emailAddress=tester@illumos.org, CN=Jo Tester

and with the proposed patch:

C=UK, O=illumos org\, not-inc, OU=unk\C2\84nown, emailAddress=tester@illumos.org, 1.2.3=#756e6b6e6f776e, CN=Jo Tester
C=UK, O=illumos org\, not-inc, emailAddress=tester@illumos.org, CN=Jo Tester
C=UK, O=illumos org\, not-inc, emailAddress=tester@illumos.org, CN=Jo Tester

So the differences in behaviour are:

  • OpenSSL always surrounded values containing spaces with quotes, the new version escapes each space;
  • Unknown attribute values are displayed in text by OpenSSL and hex by the new version.

Since print_asn1_name() is a diagnostic function, the difference in output likely does not matter to any consumer today (for example, the only non-closed gate consumer is 'ikeadm dump p1').
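To make the two rendering styles compared in the comment above concrete, here is an added example (not illumos, libkmf or OpenSSL code) that produces the escaped-string and hex forms seen in the patched output; the set of escaped characters follows RFC 4514, and the function names dn_escape_value and dn_hex_value are chosen for this example. Note that the hex form shown on this page covers only the value's content bytes, whereas strict RFC 4514 hex-encodes the full BER encoding of the value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Escaped-string rendering for an attribute value with a known string syntax:
 * RFC 4514 specials get a backslash, a leading ' ' or '#' and a trailing ' '
 * are escaped, and any byte outside printable ASCII becomes \XX (which is how
 * the C1 control byte ends up displayed as "unk\C2\84nown" above).
 * Returns a malloc'd string, or NULL if allocation fails.
 */
char *dn_escape_value(const unsigned char *val, size_t len)
{
	char *out = malloc(len * 3 + 1);	/* worst case: every byte -> \XX */
	size_t i, o = 0;

	if (out == NULL)
		return NULL;
	for (i = 0; i < len; i++) {
		unsigned char c = val[i];
		if (c < 0x20 || c > 0x7e) {
			o += sprintf(out + o, "\\%02X", c);
		} else if (strchr(",+\"\\<>;", c) != NULL ||
		    (i == 0 && (c == ' ' || c == '#')) ||
		    (i == len - 1 && c == ' ')) {
			out[o++] = '\\';
			out[o++] = (char)c;
		} else {
			out[o++] = (char)c;
		}
	}
	out[o] = '\0';
	return out;
}

/*
 * Hex rendering for a value whose attribute type (e.g. "1.2.3") has no known
 * string syntax: '#' followed by lowercase hex of the value's content bytes,
 * as in "1.2.3=#756e6b6e6f776e".  Returns a malloc'd string, or NULL on failure.
 */
char *dn_hex_value(const unsigned char *val, size_t len)
{
	char *out = malloc(len * 2 + 2);
	size_t i, o = 0;

	if (out == NULL)
		return NULL;
	out[o++] = '#';
	for (i = 0; i < len; i++)
		o += sprintf(out + o, "%02x", val[i]);
	out[o] = '\0';
	return out;
}
```

Feeding the three sample values from the test run above ("illumos org, not-inc", the OU with the stray 0xC2 0x84 bytes, and "unknown" under OID 1.2.3) reproduces the patched output's value fields.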

#3

Updated by Electric Monk 10 months ago

  • Status changed from Pending RTI to Closed
  • % Done changed from 90 to 100

git commit bdc560ab289d67ddebad9a2146fd36c2662d88b1

commit  bdc560ab289d67ddebad9a2146fd36c2662d88b1
Author: Jason King <jason.king@joyent.com>
Date:   2018-10-04T00:33:59.000Z

    5159 ipsec_libssl_setup.c loads libcrypto
    Reviewed by: Andy Fiddaman <andy@omniosce.org>
    Reviewed by: Igor Kozhukhov <igor@dilos.org>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Dan McDonald <danmcd@joyent.com>
