Commit e7061f7e authored by Yashwant Sahu's avatar Yashwant Sahu

Bug #22738607: YASSL FUNCTION X509_NAME_GET_INDEX_BY_NID IS NOT WORKING AS EXPECTED.

parent 29cc2c28
...@@ -12,6 +12,12 @@ before calling SSL_new(); ...@@ -12,6 +12,12 @@ before calling SSL_new();
*** end Note *** *** end Note ***
yaSSL Release notes, version 2.3.9b (2/03/2016)
This release of yaSSL fixes the OpenSSL compatibility function
X509_NAME_get_index_by_NID() to use the actual index of the common name
instead of searching on the format prefix. Thanks for the report from
yashwant.sahu@oracle.com . Anyone using this function should update.
yaSSL Release notes, version 2.3.9 (12/01/2015) yaSSL Release notes, version 2.3.9 (12/01/2015)
This release of yaSSL fixes two client side Diffie-Hellman problems. This release of yaSSL fixes two client side Diffie-Hellman problems.
yaSSL was only handling the cases of zero or one leading zeros for the key yaSSL was only handling the cases of zero or one leading zeros for the key
......
...@@ -35,7 +35,7 @@ ...@@ -35,7 +35,7 @@
#include "rsa.h" #include "rsa.h"
#define YASSL_VERSION "2.3.9" #define YASSL_VERSION "2.3.9b"
#if defined(__cplusplus) #if defined(__cplusplus)
......
...@@ -191,14 +191,18 @@ private: ...@@ -191,14 +191,18 @@ private:
class X509_NAME { class X509_NAME {
char* name_; char* name_;
size_t sz_; size_t sz_;
int cnPosition_; // start of common name, -1 is none
int cnLen_; // length of above
ASN1_STRING entry_; ASN1_STRING entry_;
public: public:
X509_NAME(const char*, size_t sz); X509_NAME(const char*, size_t sz, int pos, int len);
~X509_NAME(); ~X509_NAME();
const char* GetName() const; const char* GetName() const;
ASN1_STRING* GetEntry(int i); ASN1_STRING* GetEntry(int i);
size_t GetLength() const; size_t GetLength() const;
int GetCnPosition() const { return cnPosition_; }
int GetCnLength() const { return cnLen_; }
private: private:
X509_NAME(const X509_NAME&); // hide copy X509_NAME(const X509_NAME&); // hide copy
X509_NAME& operator=(const X509_NAME&); // and assign X509_NAME& operator=(const X509_NAME&); // and assign
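Review bot: The new cnPosition_/cnLen_ members narrow what GetEntry(int) will serve, but the declaration still reads like a general entry accessor, so a caller of X509_NAME cannot tell from this header that only the common-name entry is returned. I would annotate it: `ASN1_STRING* GetEntry(int i); // only i == GetCnPosition() is served; returns 0 for anything else`. The getters would also benefit from stating that GetCnPosition() is a byte offset into GetName() (-1 when the name carries no CN), since OpenSSL's X509_NAME_get_index_by_NID contract talks about entry indices rather than offsets and the difference is easy to miss.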
...@@ -226,7 +230,7 @@ class X509 { ...@@ -226,7 +230,7 @@ class X509 {
StringHolder afterDate_; // not valid after StringHolder afterDate_; // not valid after
public: public:
X509(const char* i, size_t, const char* s, size_t, X509(const char* i, size_t, const char* s, size_t,
const char* b, int, const char* a, int); const char* b, int, const char* a, int, int, int, int, int);
~X509() {} ~X509() {}
X509_NAME* GetIssuer(); X509_NAME* GetIssuer();
......
...@@ -293,7 +293,10 @@ int CertManager::Validate() ...@@ -293,7 +293,10 @@ int CertManager::Validate()
int aSz = (int)strlen(cert.GetAfterDate()) + 1; int aSz = (int)strlen(cert.GetAfterDate()) + 1;
peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(),
sSz, cert.GetBeforeDate(), bSz, sSz, cert.GetBeforeDate(), bSz,
cert.GetAfterDate(), aSz); cert.GetAfterDate(), aSz,
cert.GetIssuerCnStart(), cert.GetIssuerCnLength(),
cert.GetSubjectCnStart(), cert.GetSubjectCnLength()
);
if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) { if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) {
X509_STORE_CTX store; X509_STORE_CTX store;
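Review bot: The CN offsets passed to the X509 constructor are byte positions computed by the certificate decoder, while iSz/sSz appear to be strlen-based like aSz two lines above (their computation is outside the hunk), so a name with an embedded NUL before its CN would give a position beyond the copied size. X509_NAME::GetEntry's range check then returns 0, which fails closed, but the dependency between the two is implicit; a comment here would save the next reader a trip through three files: `// CN offsets index into the same buffers copied by iSz/sSz; GetEntry bounds-checks them`. The four trailing ints are now spelled out in three call sites (here, setPeerX509 and SSL_SESSION::CopyX509), so a small helper that builds the X509 from a decoder would also remove the risk of transposing them.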
...@@ -345,7 +348,9 @@ void CertManager::setPeerX509(X509* x) ...@@ -345,7 +348,9 @@ void CertManager::setPeerX509(X509* x)
peerX509_ = NEW_YS X509(issuer->GetName(), issuer->GetLength(), peerX509_ = NEW_YS X509(issuer->GetName(), issuer->GetLength(),
subject->GetName(), subject->GetLength(), (const char*) before->data, subject->GetName(), subject->GetLength(), (const char*) before->data,
before->length, (const char*) after->data, after->length); before->length, (const char*) after->data, after->length,
issuer->GetCnPosition(), issuer->GetCnLength(),
subject->GetCnPosition(), subject->GetCnLength());
} }
......
...@@ -1351,15 +1351,13 @@ int ASN1_STRING_type(ASN1_STRING *x) ...@@ -1351,15 +1351,13 @@ int ASN1_STRING_type(ASN1_STRING *x)
int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos) int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos)
{ {
int idx = -1; // not found int idx = -1; // not found
const char* start = &name->GetName()[lastpos + 1]; int cnPos = -1;
switch (nid) { switch (nid) {
case NID_commonName: case NID_commonName:
const char* found = strstr(start, "/CN="); cnPos = name->GetCnPosition();
if (found) { if (lastpos < cnPos)
found += 4; // advance to str idx = cnPos;
idx = found - start + lastpos + 1;
}
break; break;
} }
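Review bot: The switch still handles only NID_commonName and silently returns -1 for every other nid, and nothing says that the value returned is the byte offset of the single tracked CN rather than an OpenSSL entry index; a caller iterating with lastpos as the OpenSSL API suggests gets the CN once and then -1, which is right for the one-CN case but should be stated. I would add above the switch `// yaSSL tracks one CN per name; idx is its byte offset into the one-line name and is only meaningful to X509_NAME_get_entry()` and a `default: break;` arm so the omission is visibly intentional. The function's return lies below the hunk.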
......
...@@ -1555,7 +1555,9 @@ void SSL_SESSION::CopyX509(X509* x) ...@@ -1555,7 +1555,9 @@ void SSL_SESSION::CopyX509(X509* x)
peerX509_ = NEW_YS X509(issuer->GetName(), issuer->GetLength(), peerX509_ = NEW_YS X509(issuer->GetName(), issuer->GetLength(),
subject->GetName(), subject->GetLength(), (const char*) before->data, subject->GetName(), subject->GetLength(), (const char*) before->data,
before->length, (const char*) after->data, after->length); before->length, (const char*) after->data, after->length,
issuer->GetCnPosition(), issuer->GetCnLength(),
subject->GetCnPosition(), subject->GetCnLength());
} }
...@@ -2472,8 +2474,8 @@ void Security::set_resuming(bool b) ...@@ -2472,8 +2474,8 @@ void Security::set_resuming(bool b)
} }
X509_NAME::X509_NAME(const char* n, size_t sz) X509_NAME::X509_NAME(const char* n, size_t sz, int pos, int len)
: name_(0), sz_(sz) : name_(0), sz_(sz), cnPosition_(pos), cnLen_(len)
{ {
if (sz) { if (sz) {
name_ = NEW_YS char[sz]; name_ = NEW_YS char[sz];
...@@ -2503,8 +2505,9 @@ size_t X509_NAME::GetLength() const ...@@ -2503,8 +2505,9 @@ size_t X509_NAME::GetLength() const
X509::X509(const char* i, size_t iSz, const char* s, size_t sSz, X509::X509(const char* i, size_t iSz, const char* s, size_t sSz,
const char* b, int bSz, const char* a, int aSz) const char* b, int bSz, const char* a, int aSz, int issPos,
: issuer_(i, iSz), subject_(s, sSz), int issLen, int subPos, int subLen)
: issuer_(i, iSz, issPos, issLen), subject_(s, sSz, subPos, subLen),
beforeDate_(b, bSz), afterDate_(a, aSz) beforeDate_(b, bSz), afterDate_(a, aSz)
{} {}
...@@ -2538,17 +2541,19 @@ ASN1_STRING* X509_NAME::GetEntry(int i) ...@@ -2538,17 +2541,19 @@ ASN1_STRING* X509_NAME::GetEntry(int i)
if (i < 0 || i >= int(sz_)) if (i < 0 || i >= int(sz_))
return 0; return 0;
if (i != cnPosition_ || cnLen_ <= 0) // only entry currently supported
return 0;
if (cnLen_ > int(sz_-i)) // make sure there's room in read buffer
return 0;
if (entry_.data) if (entry_.data)
ysArrayDelete(entry_.data); ysArrayDelete(entry_.data);
entry_.data = NEW_YS byte[sz_]; // max size; entry_.data = NEW_YS byte[cnLen_+1]; // max size;
memcpy(entry_.data, &name_[i], sz_ - i); memcpy(entry_.data, &name_[i], cnLen_);
if (entry_.data[sz_ -i - 1]) { entry_.data[cnLen_] = 0;
entry_.data[sz_ - i] = 0; entry_.length = cnLen_;
entry_.length = int(sz_) - i;
}
else
entry_.length = int(sz_) - i - 1;
entry_.type = 0; entry_.type = 0;
return &entry_; return &entry_;
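Review bot: The entry bytes are now copied verbatim with length cnLen_, so a CN carrying an embedded NUL (assuming the decoder copies the attribute bytes unchanged) yields an ASN1_STRING whose length is correct but whose data looks shorter to strlen()-based consumers — the classic NUL-prefix CN hazard — and the `// max size;` comment on the allocation is stale now that the buffer is exactly cnLen_+1. I would replace it with `// exact CN length plus terminator; length may differ from strlen(data) if the CN contains NUL bytes`. The new checks also mean GetEntry is no longer a generic offset reader but only answers for i == cnPosition_, which deserves a sentence at the top of the function, outside the hunk.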
......
...@@ -283,6 +283,10 @@ public: ...@@ -283,6 +283,10 @@ public:
const byte* GetHash() const { return subjectHash_; } const byte* GetHash() const { return subjectHash_; }
const char* GetBeforeDate() const { return beforeDate_; } const char* GetBeforeDate() const { return beforeDate_; }
const char* GetAfterDate() const { return afterDate_; } const char* GetAfterDate() const { return afterDate_; }
int GetSubjectCnStart() const { return subCnPos_; }
int GetIssuerCnStart() const { return issCnPos_; }
int GetSubjectCnLength() const { return subCnLen_; }
int GetIssuerCnLength() const { return issCnLen_; }
void DecodeToKey(); void DecodeToKey();
private: private:
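Review bot: The four new accessors expose raw offsets and lengths without saying what they index into or what -1 means; the private declarations in the next hunk carry that information, but public callers only see this block. I would document them in place: `// byte offset of the CN within GetSubject()/GetIssuer(), -1 if the name has no CN; the length is presumably the raw attribute byte count, not NUL-delimited`. Saying explicitly that the length must not be fed to C string functions would forestall the most likely misuse.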
...@@ -292,6 +296,10 @@ private: ...@@ -292,6 +296,10 @@ private:
word32 sigLength_; // length of signature word32 sigLength_; // length of signature
word32 signatureOID_; // sum of algorithm object id word32 signatureOID_; // sum of algorithm object id
word32 keyOID_; // sum of key algo object id word32 keyOID_; // sum of key algo object id
int subCnPos_; // subject common name start, -1 is none
int subCnLen_; // length of above
int issCnPos_; // issuer common name start, -1 is none
int issCnLen_; // length of above
byte subjectHash_[SHA_SIZE]; // hash of all Names byte subjectHash_[SHA_SIZE]; // hash of all Names
byte issuerHash_[SHA_SIZE]; // hash of all Names byte issuerHash_[SHA_SIZE]; // hash of all Names
byte* signature_; byte* signature_;
......
...@@ -474,8 +474,9 @@ void DH_Decoder::Decode(DH& key) ...@@ -474,8 +474,9 @@ void DH_Decoder::Decode(DH& key)
CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers, CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers,
bool noVerify, CertType ct) bool noVerify, CertType ct)
: BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0), : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0), subCnPos_(-1),
signature_(0), verify_(!noVerify) subCnLen_(0), issCnPos_(-1), issCnLen_(0), signature_(0),
verify_(!noVerify)
{ {
issuer_[0] = 0; issuer_[0] = 0;
subject_[0] = 0; subject_[0] = 0;
...@@ -796,6 +797,13 @@ void CertDecoder::GetName(NameType nt) ...@@ -796,6 +797,13 @@ void CertDecoder::GetName(NameType nt)
case COMMON_NAME: case COMMON_NAME:
if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen))) if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
return; return;
if (nt == ISSUER) {
issCnPos_ = (int)(ptr - strLen - issuer_);
issCnLen_ = (int)strLen;
} else {
subCnPos_ = (int)(ptr - strLen - subject_);
subCnLen_ = (int)strLen;
}
break; break;
case SUR_NAME: case SUR_NAME:
if (!(ptr = AddTag(ptr, buf_end, "/SN=", 4, strLen))) if (!(ptr = AddTag(ptr, buf_end, "/SN=", 4, strLen)))
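Review bot: Every COMMON_NAME occurrence overwrites issCnPos_/subCnPos_, so a name with several CN attributes exposes only the last one through X509_NAME_get_index_by_NID, and the earlier ones become unreachable even though OpenSSL callers iterate with lastpos to see all of them. If that simplification is intended, record it: `// only the last CN is tracked; earlier CNs are not reachable via X509_NAME_get_index_by_NID`; if the first CN is wanted instead, guard the assignment with `if (issCnPos_ < 0)` and the subject equivalent. Whether any hostname check elsewhere depends on which CN wins I cannot tell from this hunk; GetName starts and ends outside it.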
......
...@@ -470,10 +470,28 @@ inline void showPeer(SSL* ssl) ...@@ -470,10 +470,28 @@ inline void showPeer(SSL* ssl)
char* issuer = X509_NAME_oneline(X509_get_issuer_name(peer), 0, 0); char* issuer = X509_NAME_oneline(X509_get_issuer_name(peer), 0, 0);
char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0); char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0);
printf("peer's cert info:\n issuer : %s\n subject: %s\n", issuer, X509_NAME_ENTRY* se = NULL;
subject); ASN1_STRING* sd = NULL;
char* subCN = NULL;
X509_NAME* sub = X509_get_subject_name(peer);
int lastpos = -1;
if (sub)
lastpos = X509_NAME_get_index_by_NID(sub, NID_commonName, lastpos);
if (lastpos >= 0) {
se = X509_NAME_get_entry(sub, lastpos);
if (se)
sd = X509_NAME_ENTRY_get_data(se);
if (sd)
subCN = (char*)ASN1_STRING_data(sd);
}
printf("peer's cert info:\n issuer : %s\n subject: %s\n"
" subject cn: %s\n", issuer, subject, subCN);
free(subject); free(subject);
free(issuer); free(issuer);
} }
else else
printf("peer has no cert!\n"); printf("peer has no cert!\n");
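Review bot: subCN is printed with %s but stays NULL whenever the subject has no CN (lastpos remains -1) or ASN1_STRING_data returns nothing, and passing NULL for %s is undefined behaviour rather than a guaranteed "(null)"; change the argument to `subCN ? subCN : "(none)"`. Since the entry data is a byte-for-byte copy of the certificate's CN, a CN with an embedded NUL also prints truncated here, so sample code that compares hostnames should consult ASN1_STRING_length instead of relying on the terminator — a one-line comment is worth it because this example tends to be copied.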
......