From: Andrew McNab <andrew.mcnab@manchester.ac.uk>
Date: Fri, 3 Sep 2010 15:20:32 +0000 (+0000)
Subject: SHA1 in VOMS AC support
X-Git-Tag: gridsite-core_R_1_5_10_6
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=762f07577fbe45492ae4c333487e78c0b070a493;p=jra1mw.git

SHA1 in VOMS AC support
---

diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index 911c797..c3e60cc 100644
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,3 +1,6 @@
+* Fri Sep 3 2010 Andrew McNab <Andrew.McNab@cern.ch>
+- Support hashes other than MD5 for VOMS ACs to
+  address Bug #72185
 * Fri Jun 27 2008 Andrew McNab <Andrew.McNab@cern.ch>
 - ==== GridSite version 1.5.10 ====
 * Mon Jun 23 2008 Andrew McNab <Andrew.McNab@man.ac.uk>
diff --git a/org.gridsite.core/VERSION b/org.gridsite.core/VERSION
index 6bc79df..fd71323 100644
--- a/org.gridsite.core/VERSION
+++ b/org.gridsite.core/VERSION
@@ -1,5 +1,5 @@
 MAJOR_VERSION=1
 MINOR_VERSION=1.5
-PATCH_VERSION=1.5.10.5
+PATCH_VERSION=1.5.10.6
 DEFVERSION=010510
 VERSION=$(PATCH_VERSION)
diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c
index 8208324..9f633f2 100644
--- a/org.gridsite.core/src/grst_x509.c
+++ b/org.gridsite.core/src/grst_x509.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2002-7, Andrew McNab, University of Manchester
+   Copyright (c) 2002-10, Andrew McNab, University of Manchester
    All rights reserved.
 
    Redistribution and use in source and binary forms, with or
@@ -62,6 +62,8 @@
 #include <openssl/bio.h>    
 #include <openssl/des.h>    
 #include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
 
 #include "gridsite.h"
 
@@ -189,7 +191,7 @@ int GRSTx509ChainFree(GRSTx509Chain *chain)
 static int GRSTx509VerifySig(time_t *time1_time, time_t *time2_time,
                              unsigned char *txt, int txt_len,
                              unsigned char *sig, int sig_len, 
-                             X509 *cert)
+                             X509 *cert, EVP_MD *md_type)
 ///
 /// Returns GRST_RET_OK if signature is ok, other values if not.
 {   
@@ -204,9 +206,9 @@ static int GRSTx509VerifySig(time_t *time1_time, time_t *time2_time,
    OpenSSL_add_all_digests();
 #if OPENSSL_VERSION_NUMBER >= 0x0090701fL
    EVP_MD_CTX_init(&ctx);
-   EVP_VerifyInit_ex(&ctx, EVP_md5(), NULL);
+   EVP_VerifyInit_ex(&ctx, md_type, NULL);
 #else
-   EVP_VerifyInit(&ctx, EVP_md5());
+   EVP_VerifyInit(&ctx, md_type);
 #endif
           
    EVP_VerifyUpdate(&ctx, txt, txt_len);
@@ -244,19 +246,22 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
 {   
 #define GRST_ASN1_COORDS_VOMS_DN   "-1-1-%d-1-3-1-1-1-%%d-1-%%d"
 #define GRST_ASN1_COORDS_VOMS_INFO "-1-1-%d-1"
+#define GRST_ASN1_COORDS_VOMS_HASH "-1-1-%d-2-1"
 #define GRST_ASN1_COORDS_VOMS_SIG  "-1-1-%d-3"
-   int            ret, isig, iinfo;
+   int            ret, isig, ihash, iinfo;
    char          *certpath, *certpath2, acvomsdn[200], dn_coords[200],
-                  info_coords[200], sig_coords[200];
-   unsigned char *q;
+                  info_coords[200], sig_coords[200], hash_coords[200];
+   unsigned char *q, *p;
    DIR           *vomsDIR, *vomsDIR2;
    struct dirent *vomsdirent, *vomsdirent2;
    X509          *cert;
    EVP_PKEY      *prvkey;
    FILE          *fp;
    EVP_MD_CTX     ctx;
+   EVP_MD	 *md_type = NULL;
    struct stat    statbuf;
    time_t         voms_service_time1, voms_service_time2;
+   ASN1_OBJECT   *hash_obj = NULL;
 
    if ((vomsdir == NULL) || (vomsdir[0] == '\0')) return GRST_RET_FAILED;
 
@@ -270,12 +275,30 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
             GRST_ASN1_COORDS_VOMS_INFO, acnumber);
    iinfo = GRSTasn1SearchTaglist(taglist, lasttag, info_coords);
 
+   snprintf(hash_coords, sizeof(hash_coords), 
+            GRST_ASN1_COORDS_VOMS_HASH, acnumber);
+   ihash  = GRSTasn1SearchTaglist(taglist, lasttag, hash_coords);
+   
    snprintf(sig_coords, sizeof(sig_coords), 
             GRST_ASN1_COORDS_VOMS_SIG, acnumber);
    isig  = GRSTasn1SearchTaglist(taglist, lasttag, sig_coords);
 
-   if ((iinfo < 0) || (isig < 0)) return GRST_RET_FAILED;
+   if ((iinfo < 0) || (ihash < 0) || (isig < 0)) return GRST_RET_FAILED;
+
+   /* determine hash algorithm's type */
+  
+   p = &asn1string[taglist[ihash].start];
+
+   d2i_ASN1_OBJECT(&hash_obj, (const unsigned char **) &p, 
+                   (long) (taglist[ihash].length+taglist[ihash].headerlength));
 
+   if (hash_obj == NULL) return GRST_RET_FAILED;
+
+   md_type = (EVP_MD *) EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(hash_obj)));
+
+   if (md_type == NULL) return GRST_RET_FAILED;
+    
+    
    vomsDIR = opendir(vomsdir);
    if (vomsDIR == NULL) return GRST_RET_FAILED;
    
@@ -319,7 +342,7 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
                             &asn1string[taglist[isig].start+
                                                 taglist[isig].headerlength+1],
                             taglist[isig].length - 1,
-                            cert) == GRST_RET_OK)
+                            cert, md_type) == GRST_RET_OK)
                     {
                       GRSTerrorLog(GRST_LOG_DEBUG, " VOMS cert signature match");
                       X509_free(cert);
@@ -350,7 +373,7 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
                             &asn1string[taglist[isig].start+
                                                 taglist[isig].headerlength+1],
                             taglist[isig].length - 1,
-                            cert) == GRST_RET_OK)
+                            cert, md_type) == GRST_RET_OK)
                 {
                   X509_free(cert);
                   closedir(vomsDIR);