[136958] trunk/dports/security/certsync/files/certsync.m

cal at macports.org cal at macports.org
Sun May 31 10:38:47 PDT 2015


Revision: 136958
          https://trac.macports.org/changeset/136958
Author:   cal at macports.org
Date:     2015-05-31 10:38:47 -0700 (Sun, 31 May 2015)
Log Message:
-----------
certsync: Avoid segfault in absence of kSecTrustSettingsResult, closes #47906

Root certificates apparently sometimes do not have a kSecTrustSettingsResult,
and the absence should be treated as kSecTrustSettingsResultTrustRoot. This
change implements that.

Additionally, this silences a few warnings emitted by clang about functions
that are never NULL (at least not on the platform you're compiling for). Since
these checks are required for other platforms, employ the address-of operator
as suggested by clang to turn off the warning.

Modified Paths:
--------------
    trunk/dports/security/certsync/files/certsync.m

Modified: trunk/dports/security/certsync/files/certsync.m
===================================================================
--- trunk/dports/security/certsync/files/certsync.m	2015-05-31 15:03:29 UTC (rev 136957)
+++ trunk/dports/security/certsync/files/certsync.m	2015-05-31 17:38:47 UTC (rev 136958)
@@ -107,17 +107,17 @@
  * @return BOOL indicating whether this system supports retrieving CNs from certificates
  */
 static BOOL GetCertSubject(SecCertificateRef cert, CFStringRef *subject, NSError **subjectError) {
-    if (SecCertificateCopyShortDescription != NULL /* 10.7 */) {
+    if (&SecCertificateCopyShortDescription != NULL /* 10.7 */) {
         *subject = PLCFAutorelease(SecCertificateCopyShortDescription(NULL, cert, (CFErrorRef *) subjectError));
         return YES;
     }
 
-    if (SecCertificateCopySubjectSummary   != NULL /* 10.6 */) {
+    if (&SecCertificateCopySubjectSummary   != NULL /* 10.6 */) {
         *subject = PLCFAutorelease(SecCertificateCopySubjectSummary(cert));
         return YES;
     }
 
-    if (SecCertificateCopyCommonName       != NULL /* 10.5 */) {
+    if (&SecCertificateCopyCommonName       != NULL /* 10.5 */) {
         OSStatus err;
         if ((err = SecCertificateCopyCommonName(cert, subject)) == errSecSuccess && *subject != NULL) {
             PLCFAutorelease(*subject);
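Review bot: The SecCertificateCopyShortDescription and SecCertificateCopySubjectSummary branches return YES without checking that `*subject` is non-NULL, while the SecCertificateCopyCommonName branch does test `*subject != NULL`. Both Copy calls can return NULL on failure, and that NULL goes straight into PLCFAutorelease, whose NULL handling is not visible here. Taking the result into a local first, `CFStringRef s = SecCertificateCopyShortDescription(NULL, cert, (CFErrorRef *) subjectError);` then `*subject = (s != NULL) ? PLCFAutorelease(s) : NULL;`, makes the NULL case explicit, and the doc comment should say that `*subject` may be NULL on a YES return. The `(CFErrorRef *) subjectError` cast also hands back a CFError that nothing visible releases or autoreleases, which is worth confirming against the file's memory-management mode. GetCertSubject continues past the end of the hunk.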
@@ -158,7 +158,7 @@
     SecTrustRef trust;
 	{
 		SecPolicyRef policy;
-		if (SecPolicyCreateBasicX509 != NULL) /* >= 10.6 */ {
+		if (&SecPolicyCreateBasicX509 != NULL) /* >= 10.6 */ {
 			policy = SecPolicyCreateBasicX509();
 		} else /* < 10.6 */ {
 			SecPolicySearchRef searchRef = NULL;
@@ -265,7 +265,7 @@
     OSStatus err;
 
     /* Mac OS X >= 10.5 provides SecTrustSettingsCopyCertificates() */
-    if (SecTrustSettingsCopyCertificates != NULL) {
+    if (&SecTrustSettingsCopyCertificates != NULL) {
         /* Fetch all certificates in the given domain */
         err = SecTrustSettingsCopyCertificates(domain, &certs);
         if (err == errSecSuccess) {
@@ -316,7 +316,12 @@
                     SInt32 settingsResult;
 
                     settingsResultNum = (CFNumberRef) [trustProps objectForKey: (id) kSecTrustSettingsResult];
-                    CFNumberGetValue(settingsResultNum, kCFNumberSInt32Type, &settingsResult);
+                    if (settingsResultNum == nil) {
+                        /* "If this key is not present, a default value of kSecTrustSettingsResultTrustRoot is assumed." */
+                        settingsResult = kSecTrustSettingsResultTrustRoot;
+                    } else {
+                        CFNumberGetValue(settingsResultNum, kCFNumberSInt32Type, &settingsResult);
+                    }
 
                     /* If a root, add to the result set */
                     if (settingsResult == kSecTrustSettingsResultTrustRoot || settingsResult == kSecTrustSettingsResultTrustAsRoot) {
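Review bot: The new `settingsResultNum == nil` branch promotes every usage-constraints dictionary that lacks kSecTrustSettingsResult to kSecTrustSettingsResultTrustRoot, and nothing in the hunk shows that the certificate is self-signed or that the dictionary has no other constraints (policy, key usage) narrowing that trust. As far as I recall, the documentation passage quoted in the comment applies that default to root certificates only, so any other entry should be skipped rather than added to the result set. That check may already exist in the enclosing loop, which starts and ends outside the hunk. In the else branch the value is cast to CFNumberRef with no type check and CFNumberGetValue's return is ignored. Guarding with `CFGetTypeID(settingsResultNum) == CFNumberGetTypeID()` and initialising `SInt32 settingsResult = kSecTrustSettingsResultInvalid;` would keep a malformed entry from being read as trusted.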
@@ -403,7 +408,7 @@
         /* Set the keychain preference domain to user, this causes
          * ValidateSystemTrust to use the user's keychain */
         if ((err = SecKeychainSetPreferenceDomain(kSecPreferencesDomainUser)) != errSecSuccess) {
-            if (SecCopyErrorMessageString != NULL) {
+            if (&SecCopyErrorMessageString != NULL) {
                 /* >= 10.5 */
                 CFStringRef errMsg = PLCFAutorelease(SecCopyErrorMessageString(err, NULL));
                 nsfprintf(stderr, @"Failed to set keychain preference domain: %@\n", errMsg);
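Review bot: The failure message in this branch prints only `errMsg`, and SecCopyErrorMessageString may return NULL for a status it has no text for, so the log can read "(null)" with the OSStatus lost. The same applies to the identical branch in the next hunk (system domain). Appending the code, e.g. `nsfprintf(stderr, @"Failed to set keychain preference domain: %@ (OSStatus %d)\n", errMsg, (int) err);`, keeps a failed keychain-domain switch diagnosable. The fallback branch for older systems is outside the hunk and may already print the code.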
@@ -429,7 +434,7 @@
     /* Admin & System */
     /* Causes ValidateSystemTrust to ignore the user's keychain */
     if ((err = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem)) != errSecSuccess) {
-        if (SecCopyErrorMessageString != NULL) {
+        if (&SecCopyErrorMessageString != NULL) {
             /* >= 10.5 */
             CFStringRef errMsg = PLCFAutorelease(SecCopyErrorMessageString(err, NULL));
             nsfprintf(stderr, @"Failed to set keychain preference domain: %@\n", errMsg);
@@ -484,7 +489,7 @@
 
     /* Prefer the non-deprecated SecItemExport on Mac OS X >= 10.7. We use an ifdef to keep the code buildable with earlier SDKs, too. */
     nsfprintf(stderr, @"Exporting certificates from the keychain\n");
-    if (SecItemExport != NULL) {
+    if (&SecItemExport != NULL) {
         err = SecItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
     } else {
         err = SecKeychainItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
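Review bot: The comment above the export says "We use an ifdef to keep the code buildable with earlier SDKs", but the code under it selects the function with a runtime address test, not a preprocessor conditional, so the comment misdescribes the mechanism. I would reword it to `/* Prefer the non-deprecated SecItemExport on Mac OS X >= 10.7; it is weak-linked, so test its address at run time and fall back to SecKeychainItemExport. */`. The check of `err` and the handling of `pemData` are outside the hunk.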