[openssl-commits] [openssl] master update

Mon, 08 Jan 2018 12:20:42 -0800 

The branch master has been updated
       via  3e41defe469831236ea25ab9bd7609877cf96c13 (commit)
      from  c81c38cb2786dd308256c55ce8d5337e6a3f14ce (commit)


- Log -----------------------------------------------------------------
commit 3e41defe469831236ea25ab9bd7609877cf96c13
Author: Tomas Mraz <[email protected]>
Date:   Mon Dec 11 13:09:13 2017 +0100

    Avoid only exact duplicates when creating the accepted CA names list
    
    This avoids situations where third party client is unable to recognize
    that the client certificate was issued by the same CA with name differring
    only by case or insignificant characters.
    
    Reviewed-by: Matt Caswell <[email protected]>
    Reviewed-by: Tim Hudson <[email protected]>
    Reviewed-by: Rich Salz <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/4731)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_cert.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c8b9eff..c2f0fda 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -566,14 +566,33 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
     return add_ca_name(&ctx->ca_names, x);
 }
 
-static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
+static int xname_cmp(const X509_NAME *a, const X509_NAME *b)
 {
-    return X509_NAME_cmp(*a, *b);
+    unsigned char *abuf = NULL, *bbuf = NULL;
+    int alen, blen, ret;
+
+    /* X509_NAME_cmp() itself casts away constness in this way, so
+     * assume it's safe:
+     */
+    alen = i2d_X509_NAME((X509_NAME *)a, &abuf);
+    blen = i2d_X509_NAME((X509_NAME *)b, &bbuf);
+
+    if (alen < 0 || blen < 0)
+        ret = -2;
+    else if (alen != blen)
+        ret = alen - blen;
+    else /* alen == blen */
+        ret = memcmp(abuf, bbuf, alen);
+
+    OPENSSL_free(abuf);
+    OPENSSL_free(bbuf);
+
+    return ret;
 }
 
-static int xname_cmp(const X509_NAME *a, const X509_NAME *b)
+static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
 {
-    return X509_NAME_cmp(a, b);
+    return xname_cmp(*a, *b);
 }
 
 static unsigned long xname_hash(const X509_NAME *a)
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to