From 5634eb71ad12ceddb0f77173e4dcc8dcb1634ca7 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Wed, 5 Aug 2009 00:30:57 +0000 Subject: [PATCH] https://issues.shibboleth.net/jira/browse/SSPCPP-228 --- adfs/adfs.rc | 8 ++--- apache/mod_shib_13.rc | 8 ++--- apache/mod_shib_20.rc | 8 ++--- apache/mod_shib_22.rc | 8 ++--- config_win32.h | 6 ++-- configure.ac | 4 +-- fastcgi/shibauthorizer.rc | 8 ++--- fastcgi/shibresponder.rc | 8 ++--- isapi_shib/isapi_shib.rc | 8 ++--- nsapi_shib/nsapi_shib.rc | 8 ++--- shar/shar.rc | 8 ++--- shib-target/Makefile.am | 2 +- shib-target/shib-ini.cpp | 24 ++++++++++++-- shib-target/shib-target.rc | 8 ++--- shib-target/shibtarget.dsp | 4 +-- shib/Makefile.am | 2 +- shib/ShibbolethTrust.cpp | 75 ++++++++++++++++++++++++++++--------------- shib/shib.rc | 8 ++--- shibboleth.spec.in | 3 ++ xmlproviders/XMLTrust.cpp | 76 +++++++++++++++++++++++++++++--------------- xmlproviders/xmlproviders.rc | 8 ++--- 21 files changed, 181 insertions(+), 111 deletions(-) diff --git a/adfs/adfs.rc b/adfs/adfs.rc index b00d80a..f385eae 100644 --- a/adfs/adfs.rc +++ b/adfs/adfs.rc @@ -54,8 +54,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -73,14 +73,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth ADFS Plugins\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "adfs\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "adfs.so\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/apache/mod_shib_13.rc b/apache/mod_shib_13.rc index b45ef6b..5085be8 100644 --- a/apache/mod_shib_13.rc +++ b/apache/mod_shib_13.rc 
@@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth Apache 1.3 Module\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "mod_shib_13\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "mod_shib_13.so\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/apache/mod_shib_20.rc b/apache/mod_shib_20.rc index 28e11d2..f14bd37 100644 --- a/apache/mod_shib_20.rc +++ b/apache/mod_shib_20.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth Apache 2.0 Module\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "mod_shib_20\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "mod_shib_20.so\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/apache/mod_shib_22.rc b/apache/mod_shib_22.rc index c7f7654..ab8f4f8 100644 --- a/apache/mod_shib_22.rc +++ b/apache/mod_shib_22.rc 
@@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth Apache 2.2 Module\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "mod_shib_22\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "mod_shib_22.so\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/config_win32.h b/config_win32.h index f0caec3..64d1dfd 100644 --- a/config_win32.h +++ b/config_win32.h @@ -101,13 +101,13 @@ #define PACKAGE_NAME "shibboleth" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "shibboleth 1.3.2" +#define PACKAGE_STRING "shibboleth 1.3.3" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "shibboleth" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.3.2" +#define PACKAGE_VERSION "1.3.3" /* Define to the necessary symbol if this constant uses a non-standard name on your system. */ @@ -123,7 +123,7 @@ #define USE_OUR_ONCRPC 1 /* Version number of package */ -#define VERSION "1.3.2" +#define VERSION "1.3.3" /* Define to empty if `const' does not conform to ANSI C. */ /* #undef const */ diff --git a/configure.ac b/configure.ac index da003a6..f0bb29c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,7 +1,7 @@ AC_PREREQ([2.50]) -AC_INIT([shibboleth], [1.3.2], [shibboleth-users@internet2.edu], [shibboleth]) +AC_INIT([shibboleth], [1.3.3], [shibboleth-users@internet2.edu], [shibboleth]) AM_CONFIG_HEADER(config.h) -AM_INIT_AUTOMAKE([shibboleth],[1.3.2]) +AM_INIT_AUTOMAKE([shibboleth],[1.3.3]) sinclude(acx_pthread.m4) sinclude(acx_rpctest.m4) diff --git a/fastcgi/shibauthorizer.rc b/fastcgi/shibauthorizer.rc index b06ca81..6852320 100644 --- a/fastcgi/shibauthorizer.rc +++ b/fastcgi/shibauthorizer.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth FastCGI Authorizer\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "shibauthorizer\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "shibauthorizer.exe\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/fastcgi/shibresponder.rc b/fastcgi/shibresponder.rc index 538354c..3976351 100644 --- a/fastcgi/shibresponder.rc +++ b/fastcgi/shibresponder.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L 
@@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth FastCGI Responder\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "shibresponder\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "shibresponder.exe\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/isapi_shib/isapi_shib.rc b/isapi_shib/isapi_shib.rc index bef9a46..1f3b576 100644 --- a/isapi_shib/isapi_shib.rc +++ b/isapi_shib/isapi_shib.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth ISAPI Filter / Extension\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "isapi_shib\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "isapi_shib.dll\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/nsapi_shib/nsapi_shib.rc b/nsapi_shib/nsapi_shib.rc index f7bcf65..b3ec2d5 100644 --- a/nsapi_shib/nsapi_shib.rc +++ b/nsapi_shib/nsapi_shib.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L 
@@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth NSAPI Extension\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "nsapi_shib\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "nsapi_shib.dll\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/shar/shar.rc b/shar/shar.rc index 400de11..f9903e4 100644 --- a/shar/shar.rc +++ b/shar/shar.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth Daemon Service\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "shibd\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "shibd.exe\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/shib-target/Makefile.am b/shib-target/Makefile.am index 216fab3..551761d 100644 --- a/shib-target/Makefile.am +++ b/shib-target/Makefile.am @@ -35,7 +35,7 @@ libshib_target_la_SOURCES = \ # this is different from the project version # http://sources.redhat.com/autobook/autobook/autobook_91.html -libshib_target_la_LDFLAGS = -version-info 5:1:0 +libshib_target_la_LDFLAGS = -version-info 5:3:0 diff --git a/shib-target/shib-ini.cpp b/shib-target/shib-ini.cpp index 3d719de..a6f06bc 100644 --- a/shib-target/shib-ini.cpp 
+++ b/shib-target/shib-ini.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2005 Internet2
+ * Copyright 2001-2009 Internet2
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -165,6 +165,22 @@ namespace shibtarget {
 mutable IReplayCache* m_replayCache;
 mutable vector m_attrFactories;
 };
+
+#ifdef WIN32
+ BOOL LogEvent(
+ LPCSTR lpUNCServerName,
+ WORD wType,
+ DWORD dwEventID,
+ PSID lpUserSid,
+ LPCSTR message)
+ {
+ LPCSTR messages[] = {message, NULL};
+
+ HANDLE hElog = RegisterEventSource(lpUNCServerName, "Shibboleth SP Library");
+ BOOL res = ReportEvent(hElog, wType, 0, dwEventID, lpUserSid, 1, 0, messages, NULL);
+ return (DeregisterEventSource(hElog) && res);
+ }
+#endif
 }
 IConfig* STConfig::ShibTargetConfigFactory(const DOMElement* e)
@@ -868,7 +884,11 @@ void XMLConfigImpl::init(bool first)
 PropertyConfigurator::configure(logpath.get());
 }
 catch (ConfigureFailure& e) {
- log.error("Error reading logging configuration: %s",e.what());
+ string msg = string("Error loading logging configuration: ") + e.what();
+ log.crit(msg);
+ #ifdef WIN32
+ LogEvent(NULL, EVENTLOG_ERROR_TYPE, 2100, NULL, msg.c_str());
+ #endif
 }
 }
 }
diff --git a/shib-target/shib-target.rc b/shib-target/shib-target.rc
index 02bf52c..baadff0 100644
--- a/shib-target/shib-target.rc
+++ b/shib-target/shib-target.rc
@@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
 // VS_VERSION_INFO VERSIONINFO
- FILEVERSION 5,2,0,0
- PRODUCTVERSION 1,3,2,0
+ FILEVERSION 5,3,0,0
+ PRODUCTVERSION 1,3,3,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -47,7 +47,7 @@ BEGIN
 VALUE "Comments", "\0"
 VALUE "CompanyName", "Internet2\0"
 VALUE "FileDescription", "Shibboleth SP Library\0"
- VALUE "FileVersion", "5, 2, 0, 0\0"
+ VALUE "FileVersion", "5, 3, 0, 0\0"
 #ifdef _DEBUG
 VALUE "InternalName", "shibtarget_5D\0"
 #else
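Review bot: `LogEvent` hands the handle returned by `RegisterEventSource` straight to `ReportEvent` and `DeregisterEventSource` without checking it, and `RegisterEventSource` returns NULL when the source cannot be opened; add `if (!hElog) return FALSE;` directly after the `RegisterEventSource` call so the failure is reported through the return value rather than passed on to two further API calls. A short header comment would also help readers who only see the call site, e.g. `// Win32 only: writes message to the Application event log under source "Shibboleth SP Library"; FALSE if the source cannot be opened or the report fails.` The call in the `XMLConfigImpl::init` hunk below passes the bare event ID `2100`; a named constant declared next to `LogEvent` would make the ID discoverable and keep it in one place. The catch block appears to continue after logging, so a broken logging configuration is non-fatal to init, which is unchanged behaviour but worth a one-line comment at the `log.crit(msg)` line.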
@@ -62,7 +62,7 @@ BEGIN #endif VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/shib-target/shibtarget.dsp b/shib-target/shibtarget.dsp index 9f24c1a..e9fe53e 100644 --- a/shib-target/shibtarget.dsp +++ b/shib-target/shibtarget.dsp @@ -53,7 +53,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 -# ADD LINK32 wsock32.lib libeay32.lib ssleay32.lib xerces-c_2.lib log4shib1.lib saml_5.lib /nologo /dll /machine:I386 /out:"Release/shibtarget_5.dll" /libpath:"..\..\cpp-opensaml1\saml\Release" +# ADD LINK32 libeay32.lib ssleay32.lib xerces-c_2.lib log4shib1.lib saml_5.lib wsock32.lib advapi32.lib /nologo /dll /machine:I386 /out:"Release/shibtarget_5.dll" /libpath:"..\..\cpp-opensaml1\saml\Release" # SUBTRACT LINK32 /pdb:none !ELSEIF "$(CFG)" == "shibtarget - Win32 Debug" @@ -80,7 +80,7 @@ BSC32=bscmake.exe # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept -# ADD LINK32 wsock32.lib libeay32D.lib ssleay32D.lib xerces-c_2D.lib log4shib1D.lib saml_5D.lib /nologo /dll /debug /machine:I386 /out:"Debug/shibtarget_5D.dll" /pdbtype:sept /libpath:"..\..\cpp-opensaml1\saml\Debug" +# ADD LINK32 libeay32D.lib ssleay32D.lib xerces-c_2D.lib log4shib1D.lib saml_5D.lib wsock32.lib advapi32.lib /nologo /dll /debug /machine:I386 /out:"Debug/shibtarget_5D.dll" /pdbtype:sept /libpath:"..\..\cpp-opensaml1\saml\Debug" # SUBTRACT LINK32 /pdb:none !ENDIF diff --git a/shib/Makefile.am b/shib/Makefile.am index cd33b0e..bd2375f 100644 --- a/shib/Makefile.am +++ b/shib/Makefile.am 
@@ -22,7 +22,7 @@ libshib_la_SOURCES = \ # this is different from the project version # http://sources.redhat.com/autobook/autobook/autobook_91.html -libshib_la_LDFLAGS = -version-info 6:1:0 +libshib_la_LDFLAGS = -version-info 6:3:0 install-exec-hook: for la in $(lib_LTLIBRARIES) ; do rm -f $(DESTDIR)$(libdir)/$$la ; done diff --git a/shib/ShibbolethTrust.cpp b/shib/ShibbolethTrust.cpp index e6ad31e..fd63e3a 100644 --- a/shib/ShibbolethTrust.cpp +++ b/shib/ShibbolethTrust.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2005 Internet2 + * Copyright 2001-2009 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -295,7 +295,6 @@ bool ShibbolethTrust::validate(void* certEE, const Iterator& certChain, c auto_ptr kn(toUTF8(role->getEntityDescriptor()->getId())); keynames.push_back(kn.get()); - char buf[256]; X509* x=(X509*)certEE; X509_NAME* subject=X509_get_subject_name(x); if (subject) { 
@@ -303,32 +302,31 @@ bool ShibbolethTrust::validate(void* certEE, const Iterator& certChain, c
 // Seems that the way to do the compare is to write the X509_NAME into a BIO.
 BIO* b = BIO_new(BIO_s_mem());
 BIO* b2 = BIO_new(BIO_s_mem());
- BIO_set_mem_eof_return(b, 0);
- BIO_set_mem_eof_return(b2, 0);
 // The flags give us LDAP order instead of X.500, with a comma separator.
 int len=X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
- string subjectstr,subjectstr2;
 BIO_flush(b);
- while ((len = BIO_read(b, buf, 255)) > 0) {
- buf[len] = '\0';
- subjectstr+=buf;
- }
- if (log.isDebugEnabled())
- log.debugStream() << "certificate subject: " << subjectstr << logging::eol;
 // The flags give us LDAP order instead of X.500, with a comma plus space separator.
 len=X509_NAME_print_ex(b2,subject,0,XN_FLAG_RFC2253 + XN_FLAG_SEP_CPLUS_SPC - XN_FLAG_SEP_COMMA_PLUS);
 BIO_flush(b2);
- while ((len = BIO_read(b2, buf, 255)) > 0) {
- buf[len] = '\0';
- subjectstr2+=buf;
+
+ BUF_MEM* bptr=NULL;
+ BUF_MEM* bptr2=NULL;
+ BIO_get_mem_ptr(b, &bptr);
+ BIO_get_mem_ptr(b2, &bptr2);
+
+ if (bptr && bptr->length > 0 && log.isDebugEnabled()) {
+ string subjectstr(bptr->data, bptr->length);
+ log.debug("certificate subject: %s", subjectstr.c_str());
 }
 // Check each keyname.
for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
 #ifdef HAVE_STRCASECMP
- if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) {
+ if ((n->length() == bptr->length && !strncasecmp(n->c_str(), bptr->data, bptr->length)) ||
+ (n->length() == bptr2->length && !strncasecmp(n->c_str(), bptr2->data, bptr2->length))) {
 #else
- if (!stricmp(n->c_str(),subjectstr.c_str()) || !stricmp(n->c_str(),subjectstr2.c_str())) {
+ if ((n->length() == bptr->length && !strnicmp(n->c_str(), bptr->data, bptr->length)) ||
+ (n->length() == bptr2->length && !strnicmp(n->c_str(), bptr2->data, bptr2->length))) {
 #endif
 log.debug("matched full subject DN to a key name (%s)", n->c_str());
 checkName=false;
@@ -348,14 +346,13 @@ bool ShibbolethTrust::validate(void* certEE, const Iterator& certChain, c
 if (check->type==GEN_DNS || check->type==GEN_URI) {
 const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
 const int altlen = ASN1_STRING_length(check->d.ia5);
-
 for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
 #ifdef HAVE_STRCASECMP
- if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen))
+ if ((check->type==GEN_DNS && n->length()==altlen && !strncasecmp(altptr,n->c_str(),altlen))
 #else
- if ((check->type==GEN_DNS && !strnicmp(altptr,n->c_str(),altlen))
+ if ((check->type==GEN_DNS && n->length()==altlen && !strnicmp(altptr,n->c_str(),altlen))
 #endif
- || (check->type==GEN_URI && !strncmp(altptr,n->c_str(),altlen))) {
+ || (check->type==GEN_URI && n->length()==altlen && !strncmp(altptr,n->c_str(),altlen))) {
 log.debug("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
 checkName=false;
 break;
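Review bot: The key-name loop dereferences `bptr` and `bptr2` unconditionally (`n->length() == bptr->length`, `bptr->data`), while the debug block just above only trusts `bptr` after testing `bptr && bptr->length > 0`; if `BIO_new` fails the two `BUF_MEM*` stay NULL and the loop crashes instead of failing the match. Wrap the loop in `if (bptr && bptr2) { ... }` (or skip the DN comparison when either pointer is NULL) so the two paths are consistent. `len` is still assigned from both `X509_NAME_print_ex` calls but is never read now that the `BIO_read` loops are gone; either check it, since a negative return means the name was not written and the BUF_MEM length should not be trusted, or drop the variable. The same code is in the `@@ -466` hunk of xmlproviders/XMLTrust.cpp; validate's body continues outside this hunk, and whether `b` and `b2` are freed is not visible here.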
@@ -368,27 +365,53 @@ bool ShibbolethTrust::validate(void* certEE, const Iterator& certChain, c
 if (checkName) {
 log.debug("unable to match subjectAltName, trying TLS CN match");
- memset(buf,0,sizeof(buf));
- if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) {
+
+ // Fetch the last CN RDN.
+ char* peer_CN = NULL;
+ int j,i = -1;
+ while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
+ i = j;
+ if (i >= 0) {
+ ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+ // Copied in from libcurl.
+ /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
+ is already UTF-8 encoded. We check for this case and copy the raw
+ string manually to avoid the problem. */
+ if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+ j = ASN1_STRING_length(tmp);
+ if(j >= 0) {
+ peer_CN = (char*)OPENSSL_malloc(j + 1);
+ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ peer_CN[j] = '\0';
+ }
+ }
+ else /* not a UTF8 name */ {
+ j = ASN1_STRING_to_UTF8(reinterpret_cast(&peer_CN), tmp);
+ }
+
 for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
 #ifdef HAVE_STRCASECMP
- if (!strcasecmp(buf,n->c_str())) {
+ if (n->length() == j && !strncasecmp(peer_CN, n->c_str(), j)) {
 #else
- if (!stricmp(buf,n->c_str())) {
+ if (n->length() == j && !strnicmp(peer_CN, n->c_str(), j)) {
 #endif
 log.debug("matched subject CN to a key name (%s)", n->c_str());
 checkName=false;
 break;
 }
 }
+ if(peer_CN)
+ OPENSSL_free(peer_CN);
 }
- else
+ else {
 log.warn("no common name in certificate subject");
+ }
 }
 }
 }
- else
+ else {
 log.error("certificate has no subject?!");
+ }
 }
 if (checkName) {
diff --git a/shib/shib.rc b/shib/shib.rc
index 835c6fa..59a7e35 100644
--- a/shib/shib.rc
+++ b/shib/shib.rc
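Review bot: `OPENSSL_malloc(j + 1)` is not checked for NULL before `memcpy` writes through `peer_CN`, and the key-name loop still runs when `ASN1_STRING_to_UTF8` fails (`j` negative, `peer_CN` NULL); it only avoids dereferencing NULL because `n->length() == j` compares a size_t with a negative int, which converts to a huge unsigned value and also draws a signed/unsigned warning. Make the intent explicit: `if (peer_CN) { memcpy(peer_CN, ASN1_STRING_data(tmp), j); peer_CN[j] = '\0'; }` in the UTF-8 branch, and `if (peer_CN && j >= 0) {` around the loop, with `OPENSSL_free` still reached on every path. The length-equality test is what stops a CN with an embedded NUL from matching a shorter key name, so the `if (n->length() == j && ...)` lines deserve a comment such as `// compare the full ASN.1 length, not just up to the first NUL`, since it is the substance of the change. The same code appears in the `@@ -530` hunk of xmlproviders/XMLTrust.cpp; `validate` continues outside this hunk.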
@@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 6,2,0,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 6,3,0,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,7 +47,7 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth Core Library\0" - VALUE "FileVersion", "6, 2, 0, 0\0" + VALUE "FileVersion", "6, 3, 0, 0\0" #ifdef _DEBUG VALUE "InternalName", "shib_6D\0" #else @@ -62,7 +62,7 @@ BEGIN #endif VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END diff --git a/shibboleth.spec.in b/shibboleth.spec.in index 1225b87..c41d96c 100644 --- a/shibboleth.spec.in +++ b/shibboleth.spec.in @@ -182,6 +182,9 @@ fi %{_libdir}/libshib-target.so %changelog +* Tue Aug 4 2009 Scott Cantor - 1.3.3-1 +- 1.3.3 release + * Fri Jun 12 2009 Scott Cantor - 1.3.2-1 - 1.3.2 release diff --git a/xmlproviders/XMLTrust.cpp b/xmlproviders/XMLTrust.cpp index 2fa508a..c7687f2 100644 --- a/xmlproviders/XMLTrust.cpp +++ b/xmlproviders/XMLTrust.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2005 Internet2 + * Copyright 2001-2009 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -458,7 +458,6 @@ bool XMLTrust::validate(void* certEE, const Iterator& certChain, const IR auto_ptr kn(toUTF8(role->getEntityDescriptor()->getId())); keynames.push_back(kn.get()); - char buf[256]; X509* x=(X509*)certEE; X509_NAME* subject=X509_get_subject_name(x); if (subject) { 
@@ -466,32 +465,31 @@ bool XMLTrust::validate(void* certEE, const Iterator& certChain, const IR
 // Seems that the way to do the compare is to write the X509_NAME into a BIO.
 BIO* b = BIO_new(BIO_s_mem());
 BIO* b2 = BIO_new(BIO_s_mem());
- BIO_set_mem_eof_return(b, 0);
- BIO_set_mem_eof_return(b2, 0);
 // The flags give us LDAP order instead of X.500, with a comma separator.
 int len=X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
- string subjectstr,subjectstr2;
 BIO_flush(b);
- while ((len = BIO_read(b, buf, 255)) > 0) {
- buf[len] = '\0';
- subjectstr+=buf;
- }
- if (log.isDebugEnabled())
- log.debugStream() << "certificate subject: " << subjectstr << xmlproviders::logging::eol;
 // The flags give us LDAP order instead of X.500, with a comma plus space separator.
 len=X509_NAME_print_ex(b2,subject,0,XN_FLAG_RFC2253 + XN_FLAG_SEP_CPLUS_SPC - XN_FLAG_SEP_COMMA_PLUS);
 BIO_flush(b2);
- while ((len = BIO_read(b2, buf, 255)) > 0) {
- buf[len] = '\0';
- subjectstr2+=buf;
+
+ BUF_MEM* bptr=NULL;
+ BUF_MEM* bptr2=NULL;
+ BIO_get_mem_ptr(b, &bptr);
+ BIO_get_mem_ptr(b2, &bptr2);
+
+ if (bptr && bptr->length > 0 && log.isDebugEnabled()) {
+ string subjectstr(bptr->data, bptr->length);
+ log.debug("certificate subject: %s", subjectstr.c_str());
 }
 // Check each keyname.
for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { #ifdef HAVE_STRCASECMP - if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) { + if ((n->length() == bptr->length && !strncasecmp(n->c_str(), bptr->data, bptr->length)) || + (n->length() == bptr2->length && !strncasecmp(n->c_str(), bptr2->data, bptr2->length))) { #else - if (!stricmp(n->c_str(),subjectstr.c_str()) || !stricmp(n->c_str(),subjectstr2.c_str())) { + if ((n->length() == bptr->length && !strnicmp(n->c_str(), bptr->data, bptr->length)) || + (n->length() == bptr2->length && !strnicmp(n->c_str(), bptr2->data, bptr2->length))) { #endif log.debug("matched full subject DN to a key name (%s)", n->c_str()); checkName=false; @@ -506,18 +504,18 @@ bool XMLTrust::validate(void* certEE, const Iterator& certChain, const IR STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); if (altnames) { int numalts = sk_GENERAL_NAME_num(altnames); - for (int an=0; !checkName && antype==GEN_DNS || check->type==GEN_URI) { const char* altptr = (char*)ASN1_STRING_data(check->d.ia5); const int altlen = ASN1_STRING_length(check->d.ia5); - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { #ifdef HAVE_STRCASECMP - if (!strncasecmp(altptr,n->c_str(),altlen)) { + if ((check->type==GEN_DNS && n->length()==altlen && !strncasecmp(altptr,n->c_str(),altlen)) #else - if (!strnicmp(altptr,n->c_str(),altlen)) { + if ((check->type==GEN_DNS && n->length()==altlen && !strnicmp(altptr,n->c_str(),altlen)) #endif + || (check->type==GEN_URI && n->length()==altlen && !strncmp(altptr,n->c_str(),altlen))) { log.debug("matched DNS/URI subjectAltName to a key name (%s)", n->c_str()); checkName=false; break; 
@@ -530,27 +528,53 @@ bool XMLTrust::validate(void* certEE, const Iterator& certChain, const IR
 if (checkName) {
 log.debug("unable to match subjectAltName, trying TLS CN match");
- memset(buf,0,sizeof(buf));
- if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) {
+
+ // Fetch the last CN RDN.
+ char* peer_CN = NULL;
+ int j,i = -1;
+ while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
+ i = j;
+ if (i >= 0) {
+ ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+ // Copied in from libcurl.
+ /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
+ is already UTF-8 encoded. We check for this case and copy the raw
+ string manually to avoid the problem. */
+ if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+ j = ASN1_STRING_length(tmp);
+ if(j >= 0) {
+ peer_CN = (char*)OPENSSL_malloc(j + 1);
+ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ peer_CN[j] = '\0';
+ }
+ }
+ else /* not a UTF8 name */ {
+ j = ASN1_STRING_to_UTF8(reinterpret_cast(&peer_CN), tmp);
+ }
+
 for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
 #ifdef HAVE_STRCASECMP
- if (!strcasecmp(buf,n->c_str())) {
+ if (n->length() == j && !strncasecmp(peer_CN, n->c_str(), j)) {
 #else
- if (!stricmp(buf,n->c_str())) {
+ if (n->length() == j && !strnicmp(peer_CN, n->c_str(), j)) {
 #endif
 log.debug("matched subject CN to a key name (%s)", n->c_str());
 checkName=false;
 break;
 }
 }
+ if(peer_CN)
+ OPENSSL_free(peer_CN);
 }
- else
+ else {
 log.warn("no common name in certificate subject");
+ }
 }
 }
 }
- else
+ else {
 log.error("certificate has no subject?!");
+ }
 }
 if (checkName) {
diff --git a/xmlproviders/xmlproviders.rc b/xmlproviders/xmlproviders.rc
index dafc92e..99e77f1 100644
--- a/xmlproviders/xmlproviders.rc
+++ b/xmlproviders/xmlproviders.rc
@@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,2,0 - PRODUCTVERSION 1,3,2,0 + FILEVERSION 1,3,3,0 + PRODUCTVERSION 1,3,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -47,14 +47,14 @@ BEGIN VALUE "Comments", "\0" VALUE "CompanyName", "Internet2\0" VALUE "FileDescription", "Shibboleth Core Plugins\0" - VALUE "FileVersion", "1, 3, 2, 0\0" + VALUE "FileVersion", "1, 3, 3, 0\0" VALUE "InternalName", "xmlproviders\0" VALUE "LegalCopyright", "Copyright © 2009 Internet2\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "xmlproviders.so\0" VALUE "PrivateBuild", "\0" VALUE "ProductName", "Shibboleth\0" - VALUE "ProductVersion", "1, 3, 2, 0\0" + VALUE "ProductVersion", "1, 3, 3, 0\0" VALUE "SpecialBuild", "\0" END END -- 2.1.4