From: Andrew McNab Date: Thu, 16 Sep 2010 09:42:58 +0000 (+0000) Subject: support SHA1 VOMS ACs X-Git-Tag: gridsite-core_R_1_5_19 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=c204b21928bc2cc2fa99cc7f772ba852fcb1a106;p=jra1mw.git support SHA1 VOMS ACs --- diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index fcc1a60..c301bb8 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,8 @@ +* Thu Sep 16 2010 Andrew McNab +- Support hashes other than MD5 for VOMS ACs to + address Bug #72185 +* Thu Sep 16 2010 Andrew McNab +- ==== GridSite version 1.5.19 ==== * Thu Apr 7 2010 Andrew McNab - Introduce SSLSrvConfigRec_server macro to take into account change to SSLSrvConfigRec etc in diff --git a/org.gridsite.core/VERSION b/org.gridsite.core/VERSION index c220964..ab1d21f 100644 --- a/org.gridsite.core/VERSION +++ b/org.gridsite.core/VERSION @@ -1,5 +1,5 @@ MAJOR_VERSION=1 MINOR_VERSION=1.5 -PATCH_VERSION=1.5.18 -DEFVERSION=010518 +PATCH_VERSION=1.5.19 +DEFVERSION=010519 VERSION=$(PATCH_VERSION) diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 351cd23..97ead66 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2002-7, Andrew McNab, University of Manchester + Copyright (c) 2002-10, Andrew McNab, University of Manchester All rights reserved. Redistribution and use in source and binary forms, with or @@ -63,6 +63,8 @@ #include #include #include +#include +#include #endif #include "gridsite.h" @@ -193,7 +195,7 @@ int GRSTx509ChainFree(GRSTx509Chain *chain) static int GRSTx509VerifySig(time_t *time1_time, time_t *time2_time, unsigned char *txt, int txt_len, unsigned char *sig, int sig_len, - X509 *cert) + X509 *cert, EVP_MD *md_type) /// /// Returns GRST_RET_OK if signature is ok, other values if not. { 
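Review bot: The new `md_type` parameter of GRSTx509VerifySig is declared `EVP_MD *`, but OpenSSL's digest lookups return `const EVP_MD *`, which is why the call site in this commit has to cast the lookup result; declaring it `const EVP_MD *md_type` removes the cast and documents that the function never modifies the digest. The `///` doc comment should also describe the new argument, e.g. `/// md_type selects the digest used to verify sig; it must not be NULL`, because further down the hunk series it is handed straight to EVP_VerifyInit(_ex) and the return value of that call is not inspected. The function body continues outside this hunk.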
@@ -208,9 +210,9 @@ static int GRSTx509VerifySig(time_t *time1_time, time_t *time2_time, OpenSSL_add_all_digests(); #if OPENSSL_VERSION_NUMBER >= 0x0090701fL EVP_MD_CTX_init(&ctx); - EVP_VerifyInit_ex(&ctx, EVP_md5(), NULL); + EVP_VerifyInit_ex(&ctx, md_type, NULL); #else - EVP_VerifyInit(&ctx, EVP_md5()); + EVP_VerifyInit(&ctx, md_type); #endif EVP_VerifyUpdate(&ctx, txt, txt_len); @@ -248,20 +250,23 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, { #define GRST_ASN1_COORDS_VOMS_DN "-1-1-%d-1-3-1-1-1-%%d-1-%%d" #define GRST_ASN1_COORDS_VOMS_INFO "-1-1-%d-1" +#define GRST_ASN1_COORDS_VOMS_HASH "-1-1-%d-2-1" #define GRST_ASN1_COORDS_VOMS_SIG "-1-1-%d-3" - int ret, isig, iinfo; + int ret, isig, ihash, iinfo; char *certpath, *certpath2, acvomsdn[200], dn_coords[200], - info_coords[200], sig_coords[200]; - unsigned char *q; + info_coords[200], sig_coords[200], hash_coords[200]; + unsigned char *q, *p; DIR *vomsDIR, *vomsDIR2; struct dirent *vomsdirent, *vomsdirent2; X509 *cert; EVP_PKEY *prvkey; FILE *fp; EVP_MD_CTX ctx; + EVP_MD *md_type = NULL; struct stat statbuf; time_t voms_service_time1 = GRST_MAX_TIME_T, voms_service_time2 = 0, tmp_time1, tmp_time2; + ASN1_OBJECT *hash_obj = NULL; if ((vomsdir == NULL) || (vomsdir[0] == '\0')) return GRST_RET_FAILED; 
@@ -275,12 +280,30 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, GRST_ASN1_COORDS_VOMS_INFO, acnumber); iinfo = GRSTasn1SearchTaglist(taglist, lasttag, info_coords); + snprintf(hash_coords, sizeof(hash_coords), + GRST_ASN1_COORDS_VOMS_HASH, acnumber); + ihash = GRSTasn1SearchTaglist(taglist, lasttag, hash_coords); + snprintf(sig_coords, sizeof(sig_coords), GRST_ASN1_COORDS_VOMS_SIG, acnumber); isig = GRSTasn1SearchTaglist(taglist, lasttag, sig_coords); - if ((iinfo < 0) || (isig < 0)) return GRST_RET_FAILED; + if ((iinfo < 0) || (ihash < 0) || (isig < 0)) return GRST_RET_FAILED; + + /* determine hash algorithm's type */ + + p = &asn1string[taglist[ihash].start]; + + d2i_ASN1_OBJECT(&hash_obj, (const unsigned char **) &p, + (long) (taglist[ihash].length+taglist[ihash].headerlength)); + if (hash_obj == NULL) return GRST_RET_FAILED; + + md_type = (EVP_MD *) EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(hash_obj))); + + if (md_type == NULL) return GRST_RET_FAILED; + + vomsDIR = opendir(vomsdir); if (vomsDIR == NULL) return GRST_RET_FAILED; @@ -326,7 +349,7 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, &asn1string[taglist[isig].start+ taglist[isig].headerlength+1], taglist[isig].length - 1, - cert) == GRST_RET_OK) + cert, md_type) == GRST_RET_OK) { GRSTerrorLog(GRST_LOG_DEBUG, "Matched VOMS cert file %s", vomsdirent2->d_name); @@ -364,7 +387,7 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, &asn1string[taglist[isig].start+ taglist[isig].headerlength+1], taglist[isig].length - 1, - cert) == GRST_RET_OK) + cert, md_type) == GRST_RET_OK) { GRSTerrorLog(GRST_LOG_DEBUG, "Matched VOMS cert file %s", vomsdirent->d_name);
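Review bot: In the @@ -275 hunk the digest is resolved with `EVP_get_digestbyname()`, which only finds digests that have already been registered, yet the only `OpenSSL_add_all_digests()` visible in this diff runs later inside GRSTx509VerifySig; unless the embedding program (mod_ssl, for instance) has registered them earlier, the first lookup returns NULL and the AC is rejected, so call `OpenSSL_add_all_digests();` before the lookup. The `hash_obj` allocated by `d2i_ASN1_OBJECT()` is never released on any path in the hunk, including the early `md_type == NULL` return, so add `ASN1_OBJECT_free(hash_obj);` immediately after the digest has been resolved. Note also that the algorithm appears to be read from the AC's outer, unsigned signatureAlgorithm element and that any digest OpenSSL knows by name (MD2/MD4/MD5 included) is accepted; if MD5 must stay accepted for existing ACs, consider restricting `EVP_MD_type(md_type)` to an explicit allow-list and, as RFC 3281 requires, checking it against the algorithm carried inside acinfo. GRSTx509VerifyVomsSig continues past this hunk.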