Posted to commits@trafficserver.apache.org by jp...@apache.org on 2014/07/08 22:12:50 UTC

[1/2] git commit: TS-2893: fix casting bug while tokenizing SSL certificate lists

Repository: trafficserver
Updated Branches:
  refs/heads/master c9d443353 -> fa655be29


TS-2893: fix casting bug while tokenizing SSL certificate lists


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f1090b6f
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f1090b6f
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f1090b6f

Branch: refs/heads/master
Commit: f1090b6f05eaa88ea6bf9b7b3c42856b8766e4b0
Parents: c9d4433
Author: James Peach <jp...@apache.org>
Authored: Tue Jul 8 13:11:41 2014 -0700
Committer: James Peach <jp...@apache.org>
Committed: Tue Jul 8 13:12:44 2014 -0700

----------------------------------------------------------------------
 iocore/net/SSLUtils.cc   |  4 ++--
 lib/ts/SimpleTokenizer.h | 11 ++++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1090b6f/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 3546219..4afd562 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -972,8 +972,8 @@ SSLInitServerContext(
   }
 
   if (!params->serverCertChainFilename && !sslMultCertSettings.ca && sslMultCertSettings.cert) {
-    SimpleTokenizer cert_tok(sslMultCertSettings.cert, SSL_CERT_SEPARATE_DELIM);
-    SimpleTokenizer key_tok((char *)(sslMultCertSettings.key ? (const char *)sslMultCertSettings.key : ats_strdup("")), SSL_CERT_SEPARATE_DELIM);
+    SimpleTokenizer cert_tok((const char *)sslMultCertSettings.cert, SSL_CERT_SEPARATE_DELIM);
+    SimpleTokenizer key_tok((sslMultCertSettings.key ? (const char *)sslMultCertSettings.key : ""), SSL_CERT_SEPARATE_DELIM);
 
     if (sslMultCertSettings.key && cert_tok.getNumTokensRemaining() != key_tok.getNumTokensRemaining()) {
         Error("the number of certificates in ssl_cert_name and ssl_key_name doesn't match");
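Review bot: The `""` fallback on the new `key_tok` line is only safe because both tokenizers are built with the default mode, under which `SimpleTokenizer::setString` copies its input with `ats_strdup` instead of keeping (and later writing through) the caller's pointer; that dependency is invisible at this call site and deserves a comment such as `// default tokenizer mode copies the input, so the "" literal is never modified`. The explicit `(const char *)` cast on `sslMultCertSettings.cert` suggests the field is a wrapper type rather than a plain pointer; if it already converts implicitly, the cast is redundant and can be dropped. `SSLInitServerContext` begins and ends outside this hunk.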

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1090b6f/lib/ts/SimpleTokenizer.h
----------------------------------------------------------------------
diff --git a/lib/ts/SimpleTokenizer.h b/lib/ts/SimpleTokenizer.h
index 25e8f0f..929a606 100644
--- a/lib/ts/SimpleTokenizer.h
+++ b/lib/ts/SimpleTokenizer.h
@@ -125,11 +125,12 @@ public:
     OVERWRITE_INPUT_STRING = 8
   };
 
-  SimpleTokenizer(char delimiter = ' ', int mode = 0, char escape = '\\')
+  SimpleTokenizer(char delimiter = ' ', unsigned mode = 0, char escape = '\\')
     : _data(0), _delimiter(delimiter), _mode(mode), _escape(escape), _start(0), _length(0)
   {  }
 
-SimpleTokenizer(char *s, char delimiter = ' ', int mode = 0, char escape = '\\')
+  // NOTE: The input strring 's' is overwritten for mode OVERWRITE_INPUT_STRING.
+  SimpleTokenizer(const char *s, char delimiter = ' ', unsigned mode = 0, char escape = '\\')
   : _data(0), _delimiter(delimiter), _mode(mode), _escape(escape)
   {
     setString(s);
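Review bot: Accepting `const char *s` here while `OVERWRITE_INPUT_STRING` still modifies the pointed-to buffer (via the `const_cast<char *>(s)` that the next hunk adds to `setString`) means a string literal or a genuinely const object can now be passed and then written, which is undefined behaviour; the old `char *` signature at least rejected literals at compile time. The new comment should state the precondition rather than only the effect, e.g. `// NOTE: with OVERWRITE_INPUT_STRING, 's' must point to writable storage; it is modified in place and (presumably) must stay valid while the tokenizer is used.` — this also fixes the `strring` typo. The same caveat applies to `setString` in the following hunk, where the `const_cast` lives. The constructor body continues past the end of this hunk.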
@@ -139,13 +140,13 @@ SimpleTokenizer(char *s, char delimiter = ' ', int mode = 0, char escape = '\\')
     _clearData();
   }
 
-  void setString(char *s)
+  void setString(const char *s)
   {
     _clearData();
 
     _start = 0;
     _length = strlen(s);
-    _data = (_mode & OVERWRITE_INPUT_STRING ? s : ats_strdup(s));
+    _data = (_mode & OVERWRITE_INPUT_STRING ? const_cast<char *>(s) : ats_strdup(s));
 
     // to handle the case where there is a null field at the end of the
     // input string, we replace the null character at the end of the
@@ -186,7 +187,7 @@ private:
   char *_data;                  // a pointer to the input data itself,
   // or to a copy of it
   char _delimiter;              // the token delimiter
-  int _mode;                    // flags that determine the
+  unsigned _mode;                    // flags that determine the
   // mode of operation
   char _escape;                 // the escape character
   size_t _start;                // pointer to the start of the next
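Review bot: The trailing comment on the `unsigned _mode;` line is no longer aligned with the comment column used by the neighbouring members (`_data`, `_delimiter`, `_escape`, `_start`), because the padding from the old `int` declaration was kept. Trim it to `unsigned _mode;               // flags that determine the` so the member list stays column-aligned. Purely cosmetic, but the rest of this block is visibly aligned.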


[2/2] git commit: tsqa: fix broken CN matching for certificate handling tests

Posted by jp...@apache.org.
tsqa: fix broken CN matching for certificate handling tests


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/fa655be2
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/fa655be2
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/fa655be2

Branch: refs/heads/master
Commit: fa655be29b467525c5163028f67d6ba74f27ca68
Parents: f1090b6
Author: James Peach <jp...@apache.org>
Authored: Tue Jul 8 13:12:11 2014 -0700
Committer: James Peach <jp...@apache.org>
Committed: Tue Jul 8 13:12:45 2014 -0700

----------------------------------------------------------------------
 ci/tsqa/test-ssl-certificates | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/fa655be2/ci/tsqa/test-ssl-certificates
----------------------------------------------------------------------
diff --git a/ci/tsqa/test-ssl-certificates b/ci/tsqa/test-ssl-certificates
index f45441a..ce56c0d 100755
--- a/ci/tsqa/test-ssl-certificates
+++ b/ci/tsqa/test-ssl-certificates
@@ -51,15 +51,33 @@ make_ssl_certificate() {
 
 openssl_verify_certificate() {
   local certname="$1" # Certificate CN to expect
+  local result="$TSQA_ROOT/${certname}.result"
+  local commonName=
   local status=1  # default status is FAIL
 
   shift
-  msg "checking for the $certname certificate ..."
+  msg "checking for the $certname certificate ..." | tee -a "$TSQA_ROOT/$TSQA_TESTNAME.log"
 
   # When s_client verifies the certificate, it will log a line that looks like:
   # depth=0 C = US, ST = CA, L = Norm, O = TrafficServer, OU = Test, CN = address.tsqa.trafficserver.apache.org
-  $OPENSSL s_client "$@" < /dev/null 2>&1 | tee -a "$TSQA_ROOT/$TSQA_TESTNAME.log" | \
-    grep -q "depth=0.* CN = \Q$certname\E"
+  $OPENSSL s_client "$@" < /dev/null > "$result" 2>&1
+  if [ "$?" != 0 ]; then
+    fail "openssl check for $certname failed"
+  fi
+
+  # The output of this openssl formulation is:
+  # subject=
+  #     countryName               = US
+  #     stateOrProvinceName       = CA
+  #     localityName              = Norm
+  #     organizationName          = TrafficServer
+  #     organizationalUnitName    = Test
+  #     commonName                = *.tsqa.trafficserver.apache.org
+  commonName=$(openssl x509 -in "$result" -noout -subject -nameopt multiline | awk '/commonName/{print $3}')
+
+  if [ "$commonName" != "$certname" ]; then
+    fail "received certificate CN \"$commonName\", expected \"$certname\""
+  fi
 
   if [ "$?" != 0 ]; then
     fail "certificate name $certname did not match"
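Review bot: The `if [ "$?" != 0 ]` test at the end of the hunk no longer checks the CN comparison: the old `$?` was the status of `grep -q`, but now it holds the exit status of the preceding `if` compound command, which is 0 whenever the CN matched, so the `certificate name $certname did not match` branch can only fire if `fail` itself returns non-zero. Either drop that trailing block or make the comparison the single point of failure: `if [ "$commonName" != "$certname" ]; then fail "received certificate CN \"$commonName\", expected \"$certname\""; fi`. Separately, the `commonName=$(openssl x509 ...)` line runs a bare `openssl` while the s_client call uses `$OPENSSL`; use `$OPENSSL x509` so both steps exercise the same binary. If `fail` does not return from the function (its definition is outside this hunk), the s_client failure branch also continues on to parse an empty or error-only `$result`, which would then report a misleading CN mismatch.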