Fix ABI problem when marshalling X509VerifyStatusCode on s390x

uweigand · web-flow · commit 4fd2aa9e0baf · 2021-05-18T08:22:06.000-07:00
The X509VerifyStatusCode type is defined as an enum in C code, but as
a struct (with a single member) in C# code.  This means that marshalling
this type only works correctly on platforms where the ABI treats these
two types as equivalent.  This fails e.g. on Linux on s390x.

Fixed by changing all native functions that take X509VerifyStatusCode
as argument or return type to use a plain "int" instead.
diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OCSP.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OCSP.cs
@@ -35,14 +35,14 @@ ref MemoryMarshal.GetReference(buf),
         internal static extern void OcspResponseDestroy(IntPtr ocspReq);
 
         [DllImport(Libraries.CryptoNative)]
-        private static extern X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(
+        private static extern int CryptoNative_X509ChainGetCachedOcspStatus(
             SafeX509StoreCtxHandle ctx,
             string cachePath,
             int chainDepth);
 
         internal static X509VerifyStatusCode X509ChainGetCachedOcspStatus(SafeX509StoreCtxHandle ctx, string cachePath, int chainDepth)
         {
-            X509VerifyStatusCode response = CryptoNative_X509ChainGetCachedOcspStatus(ctx, cachePath, chainDepth);
+            X509VerifyStatusCode response = (X509VerifyStatusCode)CryptoNative_X509ChainGetCachedOcspStatus(ctx, cachePath, chainDepth);
 
             if (response.Code < 0)
             {
@@ -54,7 +54,7 @@ internal static X509VerifyStatusCode X509ChainGetCachedOcspStatus(SafeX509StoreC
         }
 
         [DllImport(Libraries.CryptoNative)]
-        private static extern X509VerifyStatusCode CryptoNative_X509ChainVerifyOcsp(
+        private static extern int CryptoNative_X509ChainVerifyOcsp(
             SafeX509StoreCtxHandle ctx,
             SafeOcspRequestHandle req,
             SafeOcspResponseHandle resp,
@@ -68,7 +68,7 @@ internal static X509VerifyStatusCode X509ChainVerifyOcsp(
             string cachePath,
             int chainDepth)
         {
-            X509VerifyStatusCode response = CryptoNative_X509ChainVerifyOcsp(ctx, req, resp, cachePath, chainDepth);
+            X509VerifyStatusCode response = (X509VerifyStatusCode)CryptoNative_X509ChainVerifyOcsp(ctx, req, resp, cachePath, chainDepth);
 
             if (response.Code < 0)
             {
diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs
@@ -195,8 +195,13 @@ internal static bool X509VerifyCert(SafeX509StoreCtxHandle ctx)
             return result != 0;
         }
 
-        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_X509StoreCtxGetError")]
-        internal static extern X509VerifyStatusCode X509StoreCtxGetError(SafeX509StoreCtxHandle ctx);
+        [DllImport(Libraries.CryptoNative)]
+        internal static extern int CryptoNative_X509StoreCtxGetError(SafeX509StoreCtxHandle ctx);
+
+        internal static X509VerifyStatusCode X509StoreCtxGetError(SafeX509StoreCtxHandle ctx)
+        {
+            return (X509VerifyStatusCode)CryptoNative_X509StoreCtxGetError(ctx);
+        }
 
         [DllImport(Libraries.CryptoNative)]
         private static extern int CryptoNative_X509StoreCtxReset(SafeX509StoreCtxHandle ctx);
diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
@@ -302,9 +302,9 @@ X509* CryptoNative_X509StoreCtxGetTargetCert(X509_STORE_CTX* ctx)
     return NULL;
 }
 
-X509VerifyStatusCode CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx)
+int32_t CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx)
 {
-    return (unsigned int)X509_STORE_CTX_get_error(ctx);
+    return (int32_t)X509_STORE_CTX_get_error(ctx);
 }
 
 int32_t CryptoNative_X509StoreCtxReset(X509_STORE_CTX* ctx)
@@ -337,7 +337,7 @@ int32_t CryptoNative_X509StoreCtxGetErrorDepth(X509_STORE_CTX* ctx)
     return X509_STORE_CTX_get_error_depth(ctx);
 }
 
-const char* CryptoNative_X509VerifyCertErrorString(X509VerifyStatusCode n)
+const char* CryptoNative_X509VerifyCertErrorString(int32_t n)
 {
     return X509_verify_cert_error_string((long)n);
 }
@@ -949,27 +949,27 @@ static time_t GetIssuanceWindowStart()
     return t;
 }
 
-X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* storeCtx, char* cachePath, int chainDepth)
+int32_t CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* storeCtx, char* cachePath, int chainDepth)
 {
     if (storeCtx == NULL || cachePath == NULL)
     {
-        return (X509VerifyStatusCode)-1;
+        return -1;
     }
 
     X509* subject;
     X509* issuer;
 
     if (!Get0CertAndIssuer(storeCtx, chainDepth, &subject, &issuer))
     {
-        return (X509VerifyStatusCode)-2;
+        return -2;
     }
 
     X509VerifyStatusCode ret = PAL_X509_V_ERR_UNABLE_TO_GET_CRL;
     char* fullPath = BuildOcspCacheFilename(cachePath, subject);
 
     if (fullPath == NULL)
     {
-        return ret;
+        return (int32_t)ret;
     }
 
     BIO* bio = BIO_new_file(fullPath, "rb");
@@ -1031,7 +1031,7 @@ X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* s
         OCSP_RESPONSE_free(resp);
     }
 
-    return ret;
+    return (int32_t)ret;
 }
 
 OCSP_REQUEST* CryptoNative_X509ChainBuildOcspRequest(X509_STORE_CTX* storeCtx, int chainDepth)
@@ -1079,28 +1079,28 @@ OCSP_REQUEST* CryptoNative_X509ChainBuildOcspRequest(X509_STORE_CTX* storeCtx, i
     return req;
 }
 
-X509VerifyStatusCode
+int32_t
 CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx, OCSP_REQUEST* req, OCSP_RESPONSE* resp, char* cachePath, int chainDepth)
 {
     if (storeCtx == NULL || req == NULL || resp == NULL)
     {
-        return (X509VerifyStatusCode)-1;
+        return -1;
     }
 
     X509* subject;
     X509* issuer;
 
     if (!Get0CertAndIssuer(storeCtx, chainDepth, &subject, &issuer))
     {
-        return (X509VerifyStatusCode)-2;
+        return -2;
     }
 
     X509VerifyStatusCode ret = PAL_X509_V_ERR_UNABLE_TO_GET_CRL;
     OCSP_CERTID* certId = MakeCertId(subject, issuer);
 
     if (certId == NULL)
     {
-        return (X509VerifyStatusCode)-3;
+        return -3;
     }
 
     ASN1_GENERALIZEDTIME* thisUpdate = NULL;
@@ -1167,5 +1167,5 @@ CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx, OCSP_REQUEST* req, OC
         ASN1_GENERALIZEDTIME_free(thisUpdate);
     }
 
-    return ret;
+    return (int32_t)ret;
 }
diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.h
@@ -273,7 +273,7 @@ PALEXPORT X509* CryptoNative_X509StoreCtxGetTargetCert(X509_STORE_CTX* ctx);
 /*
 Shims the X509_STORE_CTX_get_error method.
 */
-PALEXPORT X509VerifyStatusCode CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx);
+PALEXPORT int32_t CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx);
 
 /*
 Resets ctx to before the chain was built, preserving the target cert, trust store, extra cert context,
@@ -301,7 +301,7 @@ PALEXPORT void CryptoNative_X509StoreCtxSetVerifyCallback(X509_STORE_CTX* ctx, X
 /*
 Shims the X509_verify_cert_error_string method.
 */
-PALEXPORT const char* CryptoNative_X509VerifyCertErrorString(X509VerifyStatusCode n);
+PALEXPORT const char* CryptoNative_X509VerifyCertErrorString(int32_t n);
 
 /*
 Shims the X509_CRL_free method.
@@ -378,7 +378,7 @@ PALEXPORT int32_t CryptoNative_X509StoreCtxResetForSignatureError(X509_STORE_CTX
 Look for a cached OCSP response appropriate to the end-entity certificate using the issuer as
 determined by the chain in storeCtx.
 */
-PALEXPORT X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* storeCtx, char* cachePath, int chainDepth);
+PALEXPORT int32_t CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* storeCtx, char* cachePath, int chainDepth);
 
 /*
 Build an OCSP request appropriate for the end-entity certificate using the issuer (and trust) as
@@ -390,8 +390,8 @@ PALEXPORT OCSP_REQUEST* CryptoNative_X509ChainBuildOcspRequest(X509_STORE_CTX* s
 Determine if the OCSP response is acceptable, and if acceptable report the status and
 cache the result (if appropriate)
 */
-PALEXPORT X509VerifyStatusCode CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx,
-                                                                OCSP_REQUEST* req,
-                                                                OCSP_RESPONSE* resp,
-                                                                char* cachePath,
-                                                                int chainDepth);
+PALEXPORT int32_t CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx,
+                                                   OCSP_REQUEST* req,
+                                                   OCSP_RESPONSE* resp,
+                                                   char* cachePath,
+                                                   int chainDepth);

Original file line number	Diff line number	Diff line change
`@@ -35,14 +35,14 @@ ref MemoryMarshal.GetReference(buf),`
`35`	`35`	`internal static extern void OcspResponseDestroy(IntPtr ocspReq);`
`36`	`36`
`37`	`37`	`[DllImport(Libraries.CryptoNative)]`
`38`		`- private static extern X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(`
	`38`	`+ private static extern int CryptoNative_X509ChainGetCachedOcspStatus(`
`39`	`39`	`SafeX509StoreCtxHandle ctx,`
`40`	`40`	`string cachePath,`
`41`	`41`	`int chainDepth);`
`42`	`42`
`43`	`43`	`internal static X509VerifyStatusCode X509ChainGetCachedOcspStatus(SafeX509StoreCtxHandle ctx, string cachePath, int chainDepth)`
`44`	`44`	`{`
`45`		`- X509VerifyStatusCode response = CryptoNative_X509ChainGetCachedOcspStatus(ctx, cachePath, chainDepth);`
	`45`	`+ X509VerifyStatusCode response = (X509VerifyStatusCode)CryptoNative_X509ChainGetCachedOcspStatus(ctx, cachePath, chainDepth);`
`46`	`46`
`47`	`47`	`if (response.Code < 0)`
`48`	`48`	`{`
`@@ -54,7 +54,7 @@ internal static X509VerifyStatusCode X509ChainGetCachedOcspStatus(SafeX509StoreC`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`[DllImport(Libraries.CryptoNative)]`
`57`		`- private static extern X509VerifyStatusCode CryptoNative_X509ChainVerifyOcsp(`
	`57`	`+ private static extern int CryptoNative_X509ChainVerifyOcsp(`
`58`	`58`	`SafeX509StoreCtxHandle ctx,`
`59`	`59`	`SafeOcspRequestHandle req,`
`60`	`60`	`SafeOcspResponseHandle resp,`
`@@ -68,7 +68,7 @@ internal static X509VerifyStatusCode X509ChainVerifyOcsp(`
`68`	`68`	`string cachePath,`
`69`	`69`	`int chainDepth)`
`70`	`70`	`{`
`71`		`- X509VerifyStatusCode response = CryptoNative_X509ChainVerifyOcsp(ctx, req, resp, cachePath, chainDepth);`
	`71`	`+ X509VerifyStatusCode response = (X509VerifyStatusCode)CryptoNative_X509ChainVerifyOcsp(ctx, req, resp, cachePath, chainDepth);`
`72`	`72`
`73`	`73`	`if (response.Code < 0)`
`74`	`74`	`{`
Original file line number	Diff line number	Diff line change
`@@ -302,9 +302,9 @@ X509* CryptoNative_X509StoreCtxGetTargetCert(X509_STORE_CTX* ctx)`
`302`	`302`	`return NULL;`
`303`	`303`	`}`
`304`	`304`
`305`		`-X509VerifyStatusCode CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx)`
	`305`	`+int32_t CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx)`
`306`	`306`	`{`
`307`		`- return (unsigned int)X509_STORE_CTX_get_error(ctx);`
	`307`	`+ return (int32_t)X509_STORE_CTX_get_error(ctx);`
`308`	`308`	`}`
`309`	`309`
`310`	`310`	`int32_t CryptoNative_X509StoreCtxReset(X509_STORE_CTX* ctx)`
`@@ -337,7 +337,7 @@ int32_t CryptoNative_X509StoreCtxGetErrorDepth(X509_STORE_CTX* ctx)`
`337`	`337`	`return X509_STORE_CTX_get_error_depth(ctx);`
`338`	`338`	`}`
`339`	`339`
`340`		`-const char* CryptoNative_X509VerifyCertErrorString(X509VerifyStatusCode n)`
	`340`	`+const char* CryptoNative_X509VerifyCertErrorString(int32_t n)`
`341`	`341`	`{`
`342`	`342`	`return X509_verify_cert_error_string((long)n);`
`343`	`343`	`}`
`@@ -949,27 +949,27 @@ static time_t GetIssuanceWindowStart()`
`949`	`949`	`return t;`
`950`	`950`	`}`
`951`	`951`
`952`		`-X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* storeCtx, char* cachePath, int chainDepth)`
	`952`	`+int32_t CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* storeCtx, char* cachePath, int chainDepth)`
`953`	`953`	`{`
`954`	`954`	`if (storeCtx == NULL \|\| cachePath == NULL)`
`955`	`955`	`{`
`956`		`- return (X509VerifyStatusCode)-1;`
	`956`	`+ return -1;`
`957`	`957`	`}`
`958`	`958`
`959`	`959`	`X509* subject;`
`960`	`960`	`X509* issuer;`
`961`	`961`
`962`	`962`	`if (!Get0CertAndIssuer(storeCtx, chainDepth, &subject, &issuer))`
`963`	`963`	`{`
`964`		`- return (X509VerifyStatusCode)-2;`
	`964`	`+ return -2;`
`965`	`965`	`}`
`966`	`966`
`967`	`967`	`X509VerifyStatusCode ret = PAL_X509_V_ERR_UNABLE_TO_GET_CRL;`
`968`	`968`	`char* fullPath = BuildOcspCacheFilename(cachePath, subject);`
`969`	`969`
`970`	`970`	`if (fullPath == NULL)`
`971`	`971`	`{`
`972`		`- return ret;`
	`972`	`+ return (int32_t)ret;`
`973`	`973`	`}`
`974`	`974`
`975`	`975`	`BIO* bio = BIO_new_file(fullPath, "rb");`
`@@ -1031,7 +1031,7 @@ X509VerifyStatusCode CryptoNative_X509ChainGetCachedOcspStatus(X509_STORE_CTX* s`
`1031`	`1031`	`OCSP_RESPONSE_free(resp);`
`1032`	`1032`	`}`
`1033`	`1033`
`1034`		`- return ret;`
	`1034`	`+ return (int32_t)ret;`
`1035`	`1035`	`}`
`1036`	`1036`
`1037`	`1037`	`OCSP_REQUEST* CryptoNative_X509ChainBuildOcspRequest(X509_STORE_CTX* storeCtx, int chainDepth)`
`@@ -1079,28 +1079,28 @@ OCSP_REQUEST* CryptoNative_X509ChainBuildOcspRequest(X509_STORE_CTX* storeCtx, i`
`1079`	`1079`	`return req;`
`1080`	`1080`	`}`
`1081`	`1081`
`1082`		`-X509VerifyStatusCode`
	`1082`	`+int32_t`
`1083`	`1083`	`CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx, OCSP_REQUEST* req, OCSP_RESPONSE* resp, char* cachePath, int chainDepth)`
`1084`	`1084`	`{`
`1085`	`1085`	`if (storeCtx == NULL \|\| req == NULL \|\| resp == NULL)`
`1086`	`1086`	`{`
`1087`		`- return (X509VerifyStatusCode)-1;`
	`1087`	`+ return -1;`
`1088`	`1088`	`}`
`1089`	`1089`
`1090`	`1090`	`X509* subject;`
`1091`	`1091`	`X509* issuer;`
`1092`	`1092`
`1093`	`1093`	`if (!Get0CertAndIssuer(storeCtx, chainDepth, &subject, &issuer))`
`1094`	`1094`	`{`
`1095`		`- return (X509VerifyStatusCode)-2;`
	`1095`	`+ return -2;`
`1096`	`1096`	`}`
`1097`	`1097`
`1098`	`1098`	`X509VerifyStatusCode ret = PAL_X509_V_ERR_UNABLE_TO_GET_CRL;`
`1099`	`1099`	`OCSP_CERTID* certId = MakeCertId(subject, issuer);`
`1100`	`1100`
`1101`	`1101`	`if (certId == NULL)`
`1102`	`1102`	`{`
`1103`		`- return (X509VerifyStatusCode)-3;`
	`1103`	`+ return -3;`
`1104`	`1104`	`}`
`1105`	`1105`
`1106`	`1106`	`ASN1_GENERALIZEDTIME* thisUpdate = NULL;`
`@@ -1167,5 +1167,5 @@ CryptoNative_X509ChainVerifyOcsp(X509_STORE_CTX* storeCtx, OCSP_REQUEST* req, OC`
`1167`	`1167`	`ASN1_GENERALIZEDTIME_free(thisUpdate);`
`1168`	`1168`	`}`
`1169`	`1169`
`1170`		`- return ret;`
	`1170`	`+ return (int32_t)ret;`
`1171`	`1171`	`}`