After further thought, this is a simpler solution:

diff -ur openssl-engine-0.9.6d/apps/apps.c 
openssl-engine-0.9.6d-patch/apps/apps.c
--- openssl-engine-0.9.6d/apps/apps.c    Sun Sep 17 23:37:16 2000
+++ openssl-engine-0.9.6d-patch/apps/apps.c    Mon Jul 15 12:18:48 2002
@@ -757,22 +757,34 @@
 
 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 {
-    char buf[256];
-    char mline = 0;
-    int indent = 0;
-    if(title) BIO_puts(out, title);
-    if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
-        mline = 1;
-        indent = 4;
-    }
-    if(lflags == XN_FLAG_COMPAT) {
-        X509_NAME_oneline(nm,buf,256);
-        BIO_puts(out,buf);
-        BIO_puts(out, "\n");
-    } else {
-        if(mline) BIO_puts(out, "\n");
-        X509_NAME_print_ex(out, nm, indent, lflags);
-        BIO_puts(out, "\n");
-    }
+  int half_buf_size = 256;
+  char* buf = (char*) OPENSSL_malloc(half_buf_size * 2);
+  int len1, len2;
+  char mline = 0;
+  int indent = 0;
+
+  if(title) BIO_puts(out, title);
+  if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+    mline = 1;
+    indent = 4;
+  }
+  if(lflags == XN_FLAG_COMPAT) {   
+    while(1) {
+      X509_NAME_oneline(nm, buf, half_buf_size);
+      len1 = strlen(buf);
+      X509_NAME_oneline(nm, buf, half_buf_size*2);
+      len2 = strlen(buf);
+      if(len1 == len2)
+    break;
+      half_buf_size *= 2;
+      buf = OPENSSL_realloc(buf, half_buf_size * 2);
+    }
+    BIO_puts(out,buf);
+    BIO_puts(out, "\n");
+  } else {
+    if(mline) BIO_puts(out, "\n");
+    X509_NAME_print_ex(out, nm, indent, lflags);
+    BIO_puts(out, "\n");
+  }
 }
 
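Review bot: Nothing releases `buf`: there is no `OPENSSL_free(buf)` before the closing brace, so every call to print_name leaks the allocation, including the `else` branch that never touches the buffer. Neither the `OPENSSL_malloc` result nor the `OPENSSL_realloc` result in the loop is checked, so an allocation failure leads to `strlen(buf)` on a NULL pointer, and assigning the realloc result straight back to `buf` loses the old block on failure. The return value of `X509_NAME_oneline` is ignored and the buffer is no longer initialised, so if that call ever returns without writing, `strlen` reads uninitialised heap memory; the quoted earlier patch set `*buf = '\0'` first. That earlier patch has the same leak and unchecked allocations, for both `buf` and `buf2`. The sketch below allocates only in the compat branch, checks each allocation and frees the buffer on every path; the silent `return` on failure is a placeholder for whatever error reporting apps.c prefers.

```c
  if(lflags == XN_FLAG_COMPAT) {
    int half_buf_size = 256;
    char *buf = OPENSSL_malloc(half_buf_size * 2);
    char *tmp;

    if(buf == NULL) return;
    buf[0] = '\0';
    while(1) {
      /* … unchanged: both X509_NAME_oneline calls, len1/len2 comparison and break … */
      half_buf_size *= 2;
      tmp = OPENSSL_realloc(buf, half_buf_size * 2);
      if(tmp == NULL) {
        OPENSSL_free(buf);
        return;
      }
      buf = tmp;
    }
    /* … unchanged: BIO_puts of buf and the trailing newline … */
    OPENSSL_free(buf);
  } else {
```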

The fix isn't foolproof, though. I noticed that X509_NAME_oneline never 
returns truncated attribute values. So, if the X509_NAME contains an 
attribute value longer than 256 characters, the wrong name may be 
printed out. There may be a completely different solution to this issue, 
but since I'm not that familiar with the OpenSSL code, I'm unaware of it.

Yuval Pemper
Development Team Leader
Application Servers Group
Radware Ltd.

http://www.radware.com



Yuval Pemper via RT wrote:

>Hi,
>
>I tried posting this message before, but it seems not to have gotten through. If it 
>already has, my apologies.
>
>I came across a shortcoming in the "openssl x509" command, which caused
>the subjects of certificates with subjects longer than 255 characters to
>be truncated when printed out. The reason is that the print_name
>function in apps/apps.c uses a buffer of size 256, instead of allocating
>a dynamic buffer.
>
>The patch to this problem is given below. Please note that because I didn't want 
>to change the interface to the X509_NAME_oneline function, I had to resort to a 
>non optimal method of determining the appropriate buffer size.
>
>Yuval Pemper
>Development Team Leader
>Application Servers Group
>Radware Ltd.
>
>http://www.radware.com
>
>
>
>diff -ur openssl-engine-0.9.6d/apps/apps.c openssl-engine-0.9.6d-patch/apps/apps.c
>--- openssl-engine-0.9.6d/apps/apps.c  Sun Sep 17 23:37:16 2000
>+++ openssl-engine-0.9.6d-patch/apps/apps.c    Thu Jul 11 19:58:09 2002
>@@ -757,22 +757,37 @@
>
>  void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
>  {
>- 
>char buf[256];
>- 
>char mline = 0;
>- 
>int indent = 0;
>- 
>if(title) BIO_puts(out, title);
>- 
>if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
>- 
>       mline = 1;
>- 
>       indent = 4;
>- 
>}
>- 
>if(lflags == XN_FLAG_COMPAT) {
>- 
>       X509_NAME_oneline(nm,buf,256);
>- 
>       BIO_puts(out,buf);
>- 
>       BIO_puts(out, "\n");
>- 
>} else {
>- 
>       if(mline) BIO_puts(out, "\n");
>- 
>       X509_NAME_print_ex(out, nm, indent, lflags);
>- 
>       BIO_puts(out, "\n");
>- 
>}
>+  int buf_size = 256;
>+  char* buf = (char*) OPENSSL_malloc(buf_size);
>+  char* buf2 = (char*) OPENSSL_malloc(buf_size*2);
>+  char mline = 0;
>+  int indent = 0;
>+
>+  *buf = '\0';
>+  *buf2 = '\0';
>+  if(title) BIO_puts(out, title);
>+  if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
>+    mline = 1;
>+    indent = 4;
>+  }
>+  if(lflags == XN_FLAG_COMPAT) {
>+    while(1) {
>+      X509_NAME_oneline(nm,buf,buf_size);
>+      X509_NAME_oneline(nm,buf2,buf_size*2);
>+      if(strlen(buf) == strlen(buf2))
>+ 
>break;
>+      buf_size *= 2;
>+      buf = OPENSSL_realloc(buf, buf_size);
>+      buf2 = OPENSSL_realloc(buf2, buf_size*2);
>+      *buf = '\0';
>+      *buf2 = '\0';
>+    }
>+    BIO_puts(out,buf);
>+    BIO_puts(out, "\n");
>+  } else {
>+    if(mline) BIO_puts(out, "\n");
>+    X509_NAME_print_ex(out, nm, indent, lflags);
>+    BIO_puts(out, "\n");
>+  }
>  }

