Posted to commits@trafficserver.apache.org by jp...@apache.org on 2014/07/08 22:12:50 UTC
[1/2] git commit: TS-2893: fix casting bug while tokenizing SSL
certificate lists
Repository: trafficserver
Updated Branches:
refs/heads/master c9d443353 -> fa655be29
TS-2893: fix casting bug while tokenizing SSL certificate lists
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f1090b6f
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f1090b6f
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f1090b6f
Branch: refs/heads/master
Commit: f1090b6f05eaa88ea6bf9b7b3c42856b8766e4b0
Parents: c9d4433
Author: James Peach <jp...@apache.org>
Authored: Tue Jul 8 13:11:41 2014 -0700
Committer: James Peach <jp...@apache.org>
Committed: Tue Jul 8 13:12:44 2014 -0700
----------------------------------------------------------------------
iocore/net/SSLUtils.cc | 4 ++--
lib/ts/SimpleTokenizer.h | 11 ++++++-----
2 files changed, 8 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1090b6f/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 3546219..4afd562 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -972,8 +972,8 @@ SSLInitServerContext(
}
if (!params->serverCertChainFilename && !sslMultCertSettings.ca && sslMultCertSettings.cert) {
- SimpleTokenizer cert_tok(sslMultCertSettings.cert, SSL_CERT_SEPARATE_DELIM);
- SimpleTokenizer key_tok((char *)(sslMultCertSettings.key ? (const char *)sslMultCertSettings.key : ats_strdup("")), SSL_CERT_SEPARATE_DELIM);
+ SimpleTokenizer cert_tok((const char *)sslMultCertSettings.cert, SSL_CERT_SEPARATE_DELIM);
+ SimpleTokenizer key_tok((sslMultCertSettings.key ? (const char *)sslMultCertSettings.key : ""), SSL_CERT_SEPARATE_DELIM);
if (sslMultCertSettings.key && cert_tok.getNumTokensRemaining() != key_tok.getNumTokensRemaining()) {
Error("the number of certificates in ssl_cert_name and ssl_key_name doesn't match");
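Review bot: The two added `SimpleTokenizer` lines still use C-style casts, `(const char *)sslMultCertSettings.cert` and `(const char *)sslMultCertSettings.key`, the same construct that hid the const removal this commit fixes. A C-style cast silently falls back to a reinterpreting or const-dropping conversion if the member's type ever changes, whereas `static_cast<const char *>(...)` only compiles when a real conversion exists (presumably the member's conversion operator; its type is not visible here). I would write `SimpleTokenizer key_tok(sslMultCertSettings.key ? static_cast<const char *>(sslMultCertSettings.key) : "", SSL_CERT_SEPARATE_DELIM);` and do the same for `cert_tok`. The enclosing `if` block continues past the end of the hunk.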
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1090b6f/lib/ts/SimpleTokenizer.h
----------------------------------------------------------------------
diff --git a/lib/ts/SimpleTokenizer.h b/lib/ts/SimpleTokenizer.h
index 25e8f0f..929a606 100644
--- a/lib/ts/SimpleTokenizer.h
+++ b/lib/ts/SimpleTokenizer.h
@@ -125,11 +125,12 @@ public:
OVERWRITE_INPUT_STRING = 8
};
- SimpleTokenizer(char delimiter = ' ', int mode = 0, char escape = '\\')
+ SimpleTokenizer(char delimiter = ' ', unsigned mode = 0, char escape = '\\')
: _data(0), _delimiter(delimiter), _mode(mode), _escape(escape), _start(0), _length(0)
{ }
-SimpleTokenizer(char *s, char delimiter = ' ', int mode = 0, char escape = '\\')
+ // NOTE: The input strring 's' is overwritten for mode OVERWRITE_INPUT_STRING.
+ SimpleTokenizer(const char *s, char delimiter = ' ', unsigned mode = 0, char escape = '\\')
: _data(0), _delimiter(delimiter), _mode(mode), _escape(escape)
{
setString(s);
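Review bot: The new `const char *s` constructor still allows `OVERWRITE_INPUT_STRING`, and in that mode `setString` (next hunk) strips the qualifier with `const_cast<char *>(s)` and then writes into the buffer. A caller that passes a string literal or other read-only storage with that mode now compiles without a warning, and the write is undefined behaviour. Consider keeping a `char *` overload for the overwrite mode and making the `const char *` path always copy, i.e. `_data = ats_strdup(s);`. If the single signature stays, the added NOTE should state the contract (and lose the "strring" typo): `// NOTE: with OVERWRITE_INPUT_STRING, 's' is modified in place and must point to writable storage.` The constructor body closes outside this hunk.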
@@ -139,13 +140,13 @@ SimpleTokenizer(char *s, char delimiter = ' ', int mode = 0, char escape = '\\')
_clearData();
}
- void setString(char *s)
+ void setString(const char *s)
{
_clearData();
_start = 0;
_length = strlen(s);
- _data = (_mode & OVERWRITE_INPUT_STRING ? s : ats_strdup(s));
+ _data = (_mode & OVERWRITE_INPUT_STRING ? const_cast<char *>(s) : ats_strdup(s));
// to handle the case where there is a null field at the end of the
// input string, we replace the null character at the end of the
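Review bot: `setString` passes `s` straight to `strlen(s)`, so a NULL argument is dereferenced before anything else is checked. The SSLUtils.cc call site in this commit has to substitute `""` for a missing key to avoid that. Since this is now the public `const char *` entry point, either state the precondition on the method, `// 's' must be a non-NULL, NUL-terminated string`, or reject NULL before the `strlen` call. The body of `setString` continues outside this hunk.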
@@ -186,7 +187,7 @@ private:
char *_data; // a pointer to the input data itself,
// or to a copy of it
char _delimiter; // the token delimiter
- int _mode; // flags that determine the
+ unsigned _mode; // flags that determine the
// mode of operation
char _escape; // the escape character
size_t _start; // pointer to the start of the next
[2/2] git commit: tsqa: fix broken CN matching for certificate
handling tests
Posted by jp...@apache.org.
tsqa: fix broken CN matching for certificate handling tests
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/fa655be2
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/fa655be2
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/fa655be2
Branch: refs/heads/master
Commit: fa655be29b467525c5163028f67d6ba74f27ca68
Parents: f1090b6
Author: James Peach <jp...@apache.org>
Authored: Tue Jul 8 13:12:11 2014 -0700
Committer: James Peach <jp...@apache.org>
Committed: Tue Jul 8 13:12:45 2014 -0700
----------------------------------------------------------------------
ci/tsqa/test-ssl-certificates | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/fa655be2/ci/tsqa/test-ssl-certificates
----------------------------------------------------------------------
diff --git a/ci/tsqa/test-ssl-certificates b/ci/tsqa/test-ssl-certificates
index f45441a..ce56c0d 100755
--- a/ci/tsqa/test-ssl-certificates
+++ b/ci/tsqa/test-ssl-certificates
@@ -51,15 +51,33 @@ make_ssl_certificate() {
openssl_verify_certificate() {
local certname="$1" # Certificate CN to expect
+ local result="$TSQA_ROOT/${certname}.result"
+ local commonName=
local status=1 # default status is FAIL
shift
- msg "checking for the $certname certificate ..."
+ msg "checking for the $certname certificate ..." | tee -a "$TSQA_ROOT/$TSQA_TESTNAME.log"
# When s_client verifies the certificate, it will log a line that looks like:
# depth=0 C = US, ST = CA, L = Norm, O = TrafficServer, OU = Test, CN = address.tsqa.trafficserver.apache.org
- $OPENSSL s_client "$@" < /dev/null 2>&1 | tee -a "$TSQA_ROOT/$TSQA_TESTNAME.log" | \
- grep -q "depth=0.* CN = \Q$certname\E"
+ $OPENSSL s_client "$@" < /dev/null > "$result" 2>&1
+ if [ "$?" != 0 ]; then
+ fail "openssl check for $certname failed"
+ fi
+
+ # The output of this openssl formulation is:
+ # subject=
+ # countryName = US
+ # stateOrProvinceName = CA
+ # localityName = Norm
+ # organizationName = TrafficServer
+ # organizationalUnitName = Test
+ # commonName = *.tsqa.trafficserver.apache.org
+ commonName=$(openssl x509 -in "$result" -noout -subject -nameopt multiline | awk '/commonName/{print $3}')
+
+ if [ "$commonName" != "$certname" ]; then
+ fail "received certificate CN \"$commonName\", expected \"$certname\""
+ fi
if [ "$?" != 0 ]; then
fail "certificate name $certname did not match"
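Review bot: The context check `if [ "$?" != 0 ]` after the new CN comparison no longer tests anything from openssl, because `$?` there is the status of the preceding `if ... fi`. Depending on whether `fail` exits, the "did not match" branch is either dead or prints a second, redundant failure, so it could be removed. Separately, the added extraction line runs bare `openssl x509` while the s_client call uses `$OPENSSL`, so the result may be parsed by a different binary than the one under test. Writing `commonName=$($OPENSSL x509 -in "$result" -noout -subject -nameopt multiline | awk '/commonName/{print $3}')` keeps the two consistent. The function body continues past the end of the hunk.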