From 21473d211cab7d1a3e600154166f714752ea22a1 Mon Sep 17 00:00:00 2001
From: Andrew McNab
Date: Fri, 3 Sep 2010 15:11:26 +0000
Subject: [PATCH] SHA1 VOMS AC support

---
 org.gridsite.core/CHANGES | 5 +++++
 org.gridsite.core/VERSION | 2 +-
 org.gridsite.core/src/grst_x509.c | 37 ++++++++++++++++++++++++++++++-------
 3 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index 4bff845..b77bbc7 100644
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,3 +1,8 @@
+* Fri Sep 3 2010 Andrew McNab
+- Support hashes other than MD5 for VOMS ACs to
+ address Bug #72185
+* Fri Sep 3 2010 Andrew McNab
+- ==== GridSite version 1.1.21 ====
 * Tue Mar 30 2010 Andrew McNab
 - Apply patch to mod_gridsite.c from Jan Just Keijser to detect change to
diff --git a/org.gridsite.core/VERSION b/org.gridsite.core/VERSION
index 846aa54..f06ed85 100644
--- a/org.gridsite.core/VERSION
+++ b/org.gridsite.core/VERSION
@@ -1,4 +1,4 @@
 MAJOR_VERSION=1
 MINOR_VERSION=1.1
-PATCH_VERSION=1.1.20
+PATCH_VERSION=1.1.21
 VERSION=$(PATCH_VERSION)
diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c
index 71ab3fd..0c17616 100644
--- a/org.gridsite.core/src/grst_x509.c
+++ b/org.gridsite.core/src/grst_x509.c
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2002-5, Andrew McNab, University of Manchester
+ Copyright (c) 2002-10, Andrew McNab, University of Manchester
 All rights reserved.
 Redistribution and use in source and binary forms, with or
@@ -61,6 +61,8 @@
 #include
 #include
 #include
+#include
+#include
 #include "gridsite.h"
@@ -378,18 +380,21 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
 {
 #define GRST_ASN1_COORDS_VOMS_DN "-1-1-%d-1-3-1-1-1-%%d-1-%%d"
 #define GRST_ASN1_COORDS_VOMS_INFO "-1-1-%d-1"
+#define GRST_ASN1_COORDS_VOMS_HASH "-1-1-%d-2-1"
 #define GRST_ASN1_COORDS_VOMS_SIG "-1-1-%d-3"
- int ret, isig, iinfo;
+ int ret, isig, ihash, iinfo;
 char *certpath, acvomsdn[200], dn_coords[200],
- info_coords[200], sig_coords[200];
- unsigned char *q;
+ info_coords[200], sig_coords[200], hash_coords[200];
+ unsigned char *q, *p;
 DIR *vomsDIR;
 struct dirent *vomsdirent;
 X509 *cert;
 EVP_PKEY *prvkey;
 FILE *fp;
 EVP_MD_CTX ctx;
+ EVP_MD *md_type = NULL;
 time_t voms_service_time1, voms_service_time2;
+ ASN1_OBJECT *hash_obj = NULL;
 if ((vomsdir == NULL) || (vomsdir[0] == '\0')) return GRST_RET_FAILED;
@@ -403,11 +408,29 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
 GRST_ASN1_COORDS_VOMS_INFO, acnumber);
 iinfo = GRSTasn1SearchTaglist(taglist, lasttag, info_coords);
+ snprintf(hash_coords, sizeof(hash_coords),
+ GRST_ASN1_COORDS_VOMS_HASH, acnumber);
+ ihash = GRSTasn1SearchTaglist(taglist, lasttag, hash_coords);
+
 snprintf(sig_coords, sizeof(sig_coords),
 GRST_ASN1_COORDS_VOMS_SIG, acnumber);
 isig = GRSTasn1SearchTaglist(taglist, lasttag, sig_coords);
- if ((iinfo < 0) || (isig < 0)) return GRST_RET_FAILED;
+ if ((iinfo < 0) || (ihash < 0) || (isig < 0)) return GRST_RET_FAILED;
+
+ /* determine hash algorithm's type */
+
+ p = &asn1string[taglist[ihash].start];
+
+ d2i_ASN1_OBJECT(&hash_obj, (const unsigned char **) &p,
+ (long) (taglist[ihash].length+taglist[ihash].headerlength));
+
+ if (hash_obj == NULL) return GRST_RET_FAILED;
+
+ md_type = (EVP_MD *) EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(hash_obj)));
+
+ if (md_type == NULL) return GRST_RET_FAILED;
+
 vomsDIR = opendir(vomsdir);
 if (vomsDIR == NULL) return GRST_RET_FAILED;
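Review bot: `EVP_get_digestbyname()` resolves `md_type` before any digest has been registered in this function: the `OpenSSL_add_all_digests()` call sits later, inside the per-certificate loop of the next hunk, so on the first verification in a process that has not registered digests elsewhere the lookup returns NULL and the AC is rejected with GRST_RET_FAILED; moving `OpenSSL_add_all_digests();` to just before the `md_type =` line removes the ordering dependency. The `hash_obj` produced by `d2i_ASN1_OBJECT` is never released on any path in this hunk; adding `ASN1_OBJECT_free(hash_obj);` directly after the `md_type =` assignment, before its NULL check, frees it on both the success and the failure path. Because the digest identifier is read from the AC under verification, any digest OpenSSL knows is accepted, including MD2/MD4/MD5; an explicit allow-list on `EVP_MD_type(md_type)` would let the verifier enforce a minimum digest strength instead of honouring whatever the AC names. The `(EVP_MD *)` cast only discards the const that `EVP_get_digestbyname` returns; `const EVP_MD *md_type = NULL;` matches the parameter type of `EVP_VerifyInit_ex` and drops the cast. GRSTx509VerifyVomsSig starts before and continues after this hunk.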
@@ -440,9 +463,9 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
 OpenSSL_add_all_digests();
 #if OPENSSL_VERSION_NUMBER >= 0x0090701fL
 EVP_MD_CTX_init(&ctx);
- EVP_VerifyInit_ex(&ctx, EVP_md5(), NULL);
+ EVP_VerifyInit_ex(&ctx, md_type, NULL);
 #else
- EVP_VerifyInit(&ctx, EVP_md5());
+ EVP_VerifyInit(&ctx, md_type);
 #endif
 EVP_VerifyUpdate(&ctx,
--
1.8.2.3
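Review bot: The return value of `EVP_VerifyInit_ex(&ctx, md_type, NULL)` is still ignored, and now that the digest is chosen at runtime from the AC rather than fixed to MD5 a failed initialisation (a digest unusable with this key or engine) leaves `ctx` unset while the `EVP_VerifyUpdate` that follows proceeds on it; `if (!EVP_VerifyInit_ex(&ctx, md_type, NULL)) { EVP_MD_CTX_cleanup(&ctx); /* treat this certificate as not verifying */ }` is the shape the check should take, with the same treatment on the `EVP_VerifyInit` branch where that OpenSSL version returns int. How a non-verifying certificate is skipped or reported is decided by loop code outside the hunk, so the exact recovery has to follow that. The loop body and the rest of GRSTx509VerifyVomsSig continue outside the hunk.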