Module Name:    src
Committed By:   tteras
Date:           Mon Dec 24 14:50:04 UTC 2012

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Götz Babin-Ebell <g.babin-eb...@novamedia.de>: Smarter X.509 subject
name compare.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 \
    src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23	Mon Dec 24 08:46:27 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 14:50:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.23 2012/12/24 08:46:27 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -280,145 +280,6 @@ out:
 }
 
 /*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include <ctype.h>
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	int i;
-
-	if (a->length != b->length)
-		return (a->length - b->length);
-
-	for (i=0; i<a->length; i++)
-	{
-		int ca, cb;
-
-		ca = tolower(a->data[i]);
-		cb = tolower(b->data[i]);
-
-		if (ca != cb)
-			return(ca-cb);
-	}
-	return 0;
-}
-
-/* Case insensitive string comparision with space normalization 
- * Space normalization - ignore leading, trailing spaces, 
- *       multiple spaces between characters are replaced by single space  
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	unsigned char *pa = NULL, *pb = NULL;
-	int la, lb;
-	
-	la = a->length;
-	lb = b->length;
-	pa = a->data;
-	pb = b->data;
-
-	/* skip leading spaces */
-	while (la > 0 && isspace(*pa))
-	{
-		la--;
-		pa++;
-	}
-	while (lb > 0 && isspace(*pb))
-	{
-		lb--;
-		pb++;
-	}
-
-	/* skip trailing spaces */
-	while (la > 0 && isspace(pa[la-1]))
-		la--;
-	while (lb > 0 && isspace(pb[lb-1]))
-		lb--;
-
-	/* compare strings with space normalization */
-	while (la > 0 && lb > 0)
-	{
-		int ca, cb;
-
-		/* compare character */
-		ca = tolower(*pa);
-		cb = tolower(*pb);
-		if (ca != cb)
-			return (ca - cb);
-
-		pa++; pb++;
-		la--; lb--;
-
-		if (la <= 0 || lb <= 0)
-			break;
-
-		/* is white space next character ? */
-		if (isspace(*pa) && isspace(*pb))
-		{
-			/* skip remaining white spaces */
-			while (la > 0 && isspace(*pa))
-			{
-				la--;
-				pa++;
-			}
-			while (lb > 0 && isspace(*pb))
-			{
-				lb--;
-				pb++;
-			}
-		}
-	}
-	if (la > 0 || lb > 0)
-		return la - lb;
-
-	return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
-    int i,j;
-    X509_NAME_ENTRY *na,*nb;
-
-    if (sk_X509_NAME_ENTRY_num(a->entries)
-	!= sk_X509_NAME_ENTRY_num(b->entries))
-	    return sk_X509_NAME_ENTRY_num(a->entries)
-	      -sk_X509_NAME_ENTRY_num(b->entries);
-    for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
-    {
-	    na=sk_X509_NAME_ENTRY_value(a->entries,i);
-	    nb=sk_X509_NAME_ENTRY_value(b->entries,i);
-	    j=OBJ_cmp(na->object,nb->object);
-	    if (j) return(j);
-	    if ((na->value->length == 1 && na->value->data[0] == '*')
-	     || (nb->value->length == 1 && nb->value->data[0] == '*'))
-		    continue;
-	    j=na->value->type-nb->value->type;
-	    if (j) return(j);
-	    if (na->value->type == V_ASN1_PRINTABLESTRING)
-		    j=nocase_spacenorm_cmp(na->value, nb->value);
-	    else if (na->value->type == V_ASN1_IA5STRING
-		    && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
-		    j=nocase_cmp(na->value, nb->value);
-	    else
-		    {
-		    j=na->value->length-nb->value->length;
-		    if (j) return(j);
-		    j=memcmp(na->value->data,nb->value->data,
-			    na->value->length);
-		    }
-	    if (j) return(j);
-	    j=na->set-nb->set;
-	    if (j) return(j);
-    }
-
-    return(0);
-}
-
-/*
  * compare two subjectNames.
  * OUT:        0: equal
  *	positive:
@@ -430,16 +291,49 @@ eay_cmp_asn1dn(n1, n2)
 {
 	X509_NAME *a = NULL, *b = NULL;
 	caddr_t p;
+	char oneLine[512];
 	int i = -1;
+	int idx;
 
 	p = n1->v;
-	if (!d2i_X509_NAME(&a, (void *)&p, n1->l))
+	if (!d2i_X509_NAME(&a, (void *)&p, n1->l)) {
+		plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: first dn not a dn");
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, "1st name: %s\n", X509_NAME_oneline(a, oneLine, sizeof(oneLine)));
 	p = n2->v;
-	if (!d2i_X509_NAME(&b, (void *)&p, n2->l))
+	if (!d2i_X509_NAME(&b, (void *)&p, n2->l)) {
+		plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: second dn not a dn");
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, "2nd name: %s\n", X509_NAME_oneline(b, oneLine, sizeof(oneLine)));
 
-	i = X509_NAME_wildcmp(a, b);
+	/* handle wildcard: do not compare entry content but only entry object type */
+	for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
+		X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
+		X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+		if (!eb) {	/* reached end of eb while still entries in ea, can not be equal... */
+			i = idx+1;
+			goto end;
+		}
+		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
+		    (eb->value->length == 1 && eb->value->data[0] == '*')) {
+	    		if (OBJ_cmp(ea->object,eb->object)) {
+				i = idx+1;
+				goto end;
+	    		}
+			/* OK: object type equals, we don't care for this entry anymore, so let's forget it... */
+			X509_NAME_delete_entry(a, idx);
+			X509_NAME_delete_entry(b, idx);
+			X509_NAME_ENTRY_free(ea);
+			X509_NAME_ENTRY_free(eb);
+			idx--;
+		}
+	}
+	if (X509_NAME_entry_count(a) == 0 && X509_NAME_entry_count(b) == 0)
+		i = 0;
+	else
+		i = X509_NAME_cmp(a, b);
 
     end:
 	if (a)
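Review bot: The two error messages added at `plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: first dn not a dn")` and the matching "second dn" line end without the `\n` that the neighbouring LLV_DEBUG messages in the same hunk carry; if plog does not append a newline itself (not visible here), these entries run into the following log line, so they should read `"eay_cmp_asn1dn: first dn not a dn\n"` and `"eay_cmp_asn1dn: second dn not a dn\n"`. The wildcard loop also deserves a comment on what replaced the deleted nocase_cmp/nocase_spacenorm_cmp: equality of non-wildcard entries now rests entirely on X509_NAME_cmp, so case and whitespace handling of PRINTABLESTRING and emailAddress values is whatever the linked OpenSSL version implements, e.g. `/* non-wildcard entries are left to OpenSSL's X509_NAME_cmp; case/space normalisation depends on the library version */` above the `for(idx = 0; ...)` line. Note that the loop walks only a's entries, so a `*` in a trailing entry of b that has no counterpart in a is never treated as a wildcard; X509_NAME_cmp then reports the count mismatch, which appears to be the intended non-match, but a one-line comment saying so would save the next reader the check. eay_cmp_asn1dn's cleanup at `end:` continues past the hunk.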
