Version: 0.9.6f and later
File: openssl-engine-0.9.6f/crypto/asn1/a_strex.c

The function "X509_NAME_oneline()" is deprecated:

"The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions
which produce a non standard output form, they don't handle multi character
fields and have various quirks and inconsistencies. Their use is strongly
discouraged in new applications."

But there's no new function that replaces "X509_NAME_oneline()".
This creates a problem.

"X509_NAME_oneline()" is used by both Perl and Python as the only
method for getting access to the "server" and "issuer" fields of
an SSL certificate. What that function produces is a string of
data fields delimited by "/". Unfortunately, "/" is a valid
character in certificate data fields, so parsing is ambiguous.
This isn't a theoretical problem; Verisign's root certificates
have "/" characters in fields, and so do some Comodo certs.

"X509_NAME_print_ex()" properly escapes delimiters, understands
UTF8, and in general does the right things. That's the formatter
to use. Unfortunately, the code that implements "X509_NAME_print_ex()"
won't output to a string, just to an I/O object.

In the code, it looks like someone tried to do this.
"do_name_ex" takes a function argument which determines where
the output goes. There are functions "send_fp_chars" (send
to a file descriptor), "send_bio_chars" (send to a BIO),
and "send_mem_chars" (send to a string in memory).

But "send_mem_chars" is never used. For good reason.
There's no length check, so it's a potential buffer overflow.
So that has to be fixed.

Proposed fix:

In "crypto/asn1/a_strex.c":

1. Provide a new API function which safely outputs
a string using the same mechanism as X509_NAME_print_ex()
and with the options of X509_NAME_print_ex():

char* X509_NAME_oneline_ex(char *buf, int size, X509_NAME *nm,
int indent, unsigned long flags);

This isn't hard; create a struct which contains a
pointer to the destination string and its length,
pass that as "arg" to "do_name_ex", and modify
"send_mem_chars" to use said struct. This lets
"send_mem_chars" check for buffer overflow.
Then X509_NAME_oneline_ex is about four lines of code.

2. Make X509_NAME_oneline() use the new function, instead
of the deprecated dump function it is using now.
The edit mode XN_FLAG_ONELINE should be used for
this function.

3. Remove debug code currently called by X509_NAME_oneline().

I'm tempted to write a fix myself, but really don't want to get
into the innards of OpenSSL; I might break something. But
I'd appreciate it if this gets fixed. If this is fixed,
I'll bug the Python people into adding full Unicode support
via the new API function. Thanks.

John Nagle

______________________________________________________________________
OpenSSL Project
Development Mailing List
Automated List Manager
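Added example, not part of the post above and not OpenSSL's own code: a plain-C sketch of the bounded memory sink the proposal describes (a struct holding the destination buffer and its length, passed as "arg", with a length-checked replacement for "send_mem_chars"), plus a function with the same contract as the proposed X509_NAME_oneline_ex(). The callback shape (void *arg, const void *buf, int len) is assumed to mirror the io_ch callback that do_name_ex() calls per chunk; the names mem_sink, send_mem_chars_checked, emit_pieces, oneline_into and the demo_* functions are hypothetical, and the sample name pieces are constructed, not real certificate data. It builds without OpenSSL so the overflow check can be exercised on its own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Destination for the memory-output path: the caller's buffer, its
 * capacity, how much has been written, and whether output was dropped.
 * This is the "struct passed as arg" that the proposal describes. */
typedef struct {
    char *buf;
    size_t size;      /* capacity including the terminating NUL */
    size_t used;
    int truncated;
} mem_sink;

/* Bounded replacement for send_mem_chars(). The parameter shape is assumed
 * to match the io_ch callback do_name_ex() invokes per chunk. Returns 1 to
 * keep going, 0 once the buffer is full; it never writes past buf[size-1].
 * (The original just did memcpy(*out, buf, len) with no capacity at all.) */
static int send_mem_chars_checked(void *arg, const void *buf, int len)
{
    mem_sink *s = arg;
    if (s == NULL)
        return 1;                 /* no destination: discard, as the original does */
    if (len < 0 || s->size == 0)
        return 0;
    size_t room = s->size - 1 - s->used;   /* one byte reserved for the NUL */
    size_t n = (size_t)len;
    if (n > room) {
        memcpy(s->buf + s->used, buf, room);
        s->used += room;
        s->buf[s->used] = '\0';
        s->truncated = 1;
        return 0;
    }
    memcpy(s->buf + s->used, buf, n);
    s->used += n;
    s->buf[s->used] = '\0';
    return 1;
}

/* Stand-in for do_name_ex(): pushes each piece through the callback and
 * stops at the first one the sink rejects. Returns 1 if all were emitted. */
static int emit_pieces(int (*io_ch)(void *, const void *, int), void *arg,
                       const char *const *pieces, size_t npieces)
{
    for (size_t i = 0; i < npieces; i++) {
        size_t n = strlen(pieces[i]);
        if (n > INT_MAX || !io_ch(arg, pieces[i], (int)n))
            return 0;
    }
    return 1;
}

/* Same contract as the proposed X509_NAME_oneline_ex(): fill the caller's
 * buffer and return it, or return NULL if the output did not fit. */
char *oneline_into(char *buf, int size, const char *const *pieces, size_t npieces)
{
    if (buf == NULL || size < 1)
        return NULL;
    buf[0] = '\0';
    mem_sink s = { buf, (size_t)size, 0, 0 };
    if (!emit_pieces(send_mem_chars_checked, &s, pieces, npieces) || s.truncated)
        return NULL;
    return buf;
}

/* Constructed sample pieces in the "name = value, ..." style of
 * XN_FLAG_ONELINE. The "/" inside the O field is the kind of value that
 * makes "/"-delimited X509_NAME_oneline() output ambiguous to parse. */
static const char *const sample_pieces[] = {
    "C = US", ", O = Example/Corp", ", CN = www.example.com"
};
static const size_t sample_count = sizeof sample_pieces / sizeof sample_pieces[0];

/* Buffer large enough: the whole name lands in it and the buffer is returned. */
int demo_fits(void)
{
    char buf[64];
    char *r = oneline_into(buf, (int)sizeof buf, sample_pieces, sample_count);
    return r == buf && strcmp(buf, "C = US, O = Example/Corp, CN = www.example.com") == 0;
}

/* Buffer too small: the checked sink stops at capacity, NUL-terminates and
 * the call reports failure. A canary byte right after the 8-byte buffer
 * shows that nothing was written out of bounds. */
int demo_truncates(void)
{
    char storage[9];
    storage[8] = 'X';                       /* canary just past the buffer */
    char *r = oneline_into(storage, 8, sample_pieces, sample_count);
    return r == NULL && storage[8] == 'X' && strlen(storage) == 7
        && strncmp(storage, "C = US,", 7) == 0;
}

int main(void)
{
    printf("fits: %d, truncates safely: %d\n", demo_fits(), demo_truncates());
    return 0;
}
```

Returning NULL on truncation rather than a silently shortened name matters for the Perl and Python callers the post mentions: a cut-off issuer or subject string that still parses would be worse than an explicit failure.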