diff -ruN openssh-3.5p1+x509f/ssh.0 openssh-3.5p1+x509g/ssh.0
--- openssh-3.5p1+x509f/ssh.0 2003-01-30 09:06:00.000000000 +0200
+++ openssh-3.5p1+x509g/ssh.0 2003-02-03 04:08:04.000000000 +0200
@@ -543,8 +543,8 @@
 /etc/ssh/ssh_host_rsa_key
 These three files contain the private parts of the host keys and
 are used for RhostsRSAAuthentication and HostbasedAuthentication.
- It is possible file to contain private part plus x509 certificate
- for protocol version 2 keys. If the protocol version 1
+ It is possible files to contain private part plus x509 certifi-
+ cate for protocol version 2 keys. If the protocol version 1
 RhostsRSAAuthentication method is used, ssh must be setuid root,
 since the host key is readable only by root. For protocol ver-
 sion 2, ssh uses ssh-keysign(8) to access the host keys for
diff -ruN openssh-3.5p1+x509f/ssh-x509.c openssh-3.5p1+x509g/ssh-x509.c
--- openssh-3.5p1+x509f/ssh-x509.c 2003-01-30 09:06:01.000000000 +0200
+++ openssh-3.5p1+x509g/ssh-x509.c 2003-02-01 09:06:01.000000000 +0200
@@ -594,58 +594,84 @@
 i.e. X509_NAME{"/C=XX/O=YY"} is not equal to X509_NAME{"/O=YY/C=XX"}
 */
 static int
-ssh_X509_NAME_cmp(X509_NAME *a, X509_NAME *b) {
+ssh_X509_NAME_cmp(X509_NAME *_a, X509_NAME *_b) {
 int k, n;
+ X509_NAME *b;
+
- k = sk_X509_NAME_ENTRY_num(a->entries);
- n = sk_X509_NAME_ENTRY_num(b->entries);
+ k = sk_X509_NAME_ENTRY_num(_a->entries);
+ n = sk_X509_NAME_ENTRY_num(_b->entries);
 if (k != n) return (n - k);
+ b = X509_NAME_dup(_b);
+ n = 0;
 for (--k; k >= 0; k--) {
 X509_NAME_ENTRY *neA;
 ASN1_STRING *nvA;
 int nid;
 X509_NAME_ENTRY *neB;
 ASN1_STRING *nvB;
+ int loc;
- neA = sk_X509_NAME_ENTRY_value(a->entries, k);
+ neA = sk_X509_NAME_ENTRY_value(_a->entries, k);
+ nvA = neA->value;
 nid = OBJ_obj2nid(neA->object);
- n = X509_NAME_get_index_by_NID(b, nid, -1);
- if (n < 0) {
+ loc = X509_NAME_get_index_by_NID(b, nid, -1);
+ if (loc < 0) {
 char buf1[X509KEY_SUBJECT_MAXLEN];
 char buf2[X509KEY_SUBJECT_MAXLEN];
- X509_NAME_oneline(a, buf1, sizeof(buf1));
- X509_NAME_oneline(b, buf2, sizeof(buf2));
- debug3("ssh_X509_NAME_cmp: missing nid=%d(%.40s) in second name."
+ X509_NAME_oneline(_a, buf1, sizeof(buf1));
+ X509_NAME_oneline(_b, buf2, sizeof(buf2));
+ debug3("ssh_X509_NAME_cmp: insufficient entries with nid=%d(%.40s) in second name."
 " na=%.*s, nb=%.*s", nid, OBJ_nid2ln(nid), (int) sizeof(buf1), buf1, (int) sizeof(buf1), buf2);
- return -1;
+ n = -1;
+ break;
 }
- neB = sk_X509_NAME_ENTRY_value(b->entries, n);
-
- nvA = neA->value;
+trynextentry:
+ neB = sk_X509_NAME_ENTRY_value(b->entries, loc);
 nvB = neB->value;
+#ifdef SSHX509TEST
+{
+ int la = M_ASN1_STRING_length(nvA);
+ u_char *pa = M_ASN1_STRING_data (nvA);
+ int lb = M_ASN1_STRING_length(nvB);
+ u_char *pb = M_ASN1_STRING_data (nvB);
+
+ log("nvA='%*s', nvB='%*s'", la, pa, lb, pb);
+}
+#endif
 if (nid == NID_pkcs9_emailAddress) {
 int tag;
 tag = M_ASN1_STRING_type(nvA);
- if (tag != V_ASN1_IA5STRING)
+ if (tag != V_ASN1_IA5STRING) {
+ /* to be strict and return nonzero or ... ? XXX
+ n = -1;
+ break;
+ */
 error("ssh_X509_NAME_cmp: incorrect type for emailAddress(a) %d(%.30s)",
 tag, ASN1_tag2str(tag));
-
+ }
+
 tag = M_ASN1_STRING_type(nvB);
- if (tag != V_ASN1_IA5STRING)
+ if (tag != V_ASN1_IA5STRING) {
+ /* to be strict and return nonzero or ... ? XXX
+ n = 1;
+ break;
+ */
 error("ssh_X509_NAME_cmp: incorrect type for emailAddress(b) %d(%.30s)",
 tag, ASN1_tag2str(tag));
+ }
 n = ssh_ASN1_STRING_casecmp(nvA, nvB);
- if (n == 0) continue;
+ if (n == 0) goto entryisok;
- return n;
+ goto getnextentry;
 }
 if ((M_ASN1_STRING_type(nvA) == V_ASN1_PRINTABLESTRING) ||
 (M_ASN1_STRING_type(nvB) == V_ASN1_PRINTABLESTRING) ) {
@@ -660,24 +686,38 @@
 debug("ssh_X509_NAME_cmp: X509_NAME_ENTRY(b)->type=%d(%.30s) is not PrintableString",
 tag, ASN1_tag2str(tag));
 n = ssh_ASN1_PRINTABLESTRING_casecmp(nvA, nvB);
- if (n == 0) continue;
+ if (n == 0) goto entryisok;
- return n;
+ goto getnextentry;
 }
 n = M_ASN1_STRING_length(nvA) - M_ASN1_STRING_length(nvB);
- if (n != 0) return n;
+ if (n != 0) goto getnextentry;
 n = M_ASN1_STRING_length(nvA);
 n = memcmp(nvA->data, nvB->data, n);
- if (n != 0) return n;
+ if (n != 0) goto getnextentry;
 /* openssl check object too */
 n = ssh_ASN1_OBJECT_cmp(neA->object, neB->object);
- if (n != 0) return n;
+ if (n != 0) goto getnextentry;
+
+entryisok:
+ {
+ X509_NAME_ENTRY *ne = X509_NAME_delete_entry(b, loc);
+ X509_NAME_ENTRY_free(ne);
+ }
+ continue;
+getnextentry:
+ loc = X509_NAME_get_index_by_NID(b, nid, loc);
+ if (loc < 0) {
+ break;
+ }
+ goto trynextentry;
 }
- return 0;
+ X509_NAME_free(b);
+ return n;
 }
 /* we can check only by Subject (Distinguished Name):
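Review bot: `b = X509_NAME_dup(_b);` is never checked, so on allocation failure the loop runs with `b == NULL`; as far as I can tell OpenSSL's `X509_NAME_get_index_by_NID` then returns -1 and the names come out unequal, which fails closed, but that rests on a library internal rather than on this code, so make it explicit with `if (b == NULL) return -1;` before `n = 0;`. In the `SSHX509TEST` block `%*s` treats `la`/`lb` as a minimum field width and still reads `pa`/`pb` up to a NUL terminator, which ASN1 string data is not obliged to carry; the bound intended is a precision, `log("nvA='%.*s', nvB='%.*s'", la, pa, lb, pb);`. The `/* to be strict ... XXX */` left in both emailAddress branches should be resolved toward strict: an entry whose tag is not IA5String is not the same value, and a name comparison used to decide whether a certificate matches a configured identity should not be more lenient than the encoding. ssh_X509_NAME_cmp continues into the next hunk.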
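Review bot: The value handed back by `return n;` is not an ordering: it is whatever comparison the last candidate entry for the last NID produced (or -1 from the earlier break), so with multi-valued RDNs the sign depends on which same-NID entry was tried last and swapping `_a` and `_b` need not negate it. That is fine for the equality use this rewrite targets, but nothing says so; add above the function a comment along the lines of `/* Returns 0 iff the names hold the same entries, matched one-to-one regardless of order; a non-zero result only means "different" and is not a total order, so do not sort on it. */`. The start of ssh_X509_NAME_cmp is in the previous hunk.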
@@ -920,38 +960,38 @@
 X509_NAME* name;
 __progname = get_progname(argv[0]);
- log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 1);
+ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 1);
 name = X509_NAME_new();
 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, DATA, -1, -1, 0);
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "CN", V_ASN1_PRINTABLESTRING, DATA, -1, -1, 0);
- fprintf(stderr, "A1:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A1.1:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "CN", V_ASN1_PRINTABLESTRING, " " DATA " ", -1, -1, 0);
- fprintf(stderr, "A2:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A1.2:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "CN", V_ASN1_PRINTABLESTRING, " " DATA2 " ", -1, -1, 0);
- fprintf(stderr, "A3:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A1.3:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "OU", V_ASN1_PRINTABLESTRING, " " DATA2 " ", -1, -1, 0);
- fprintf(stderr, "A4:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A1.4:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "CN", MBSTRING_ASC, " " DATA2 " ", -1, -1, 0);
- fprintf(stderr, "A5:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A1.5:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 X509_NAME_free(name);
@@ -962,35 +1002,59 @@
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "emailAddress", V_ASN1_TELETEXSTRING, DATA2, -1, -1, 0);
- fprintf(stderr, "A1:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A2.1:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 {
 X509_NAME* x = X509_NAME_new();
 X509_NAME_add_entry_by_txt(x, "emailAddress", V_ASN1_IA5STRING, DATA2, -1, -1, 0);
- fprintf(stderr, "A2:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ fprintf(stderr, "A2.2:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
 X509_NAME_free(name);
 name = X509_NAME_new();
- X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_ASC, DATA, -1, -1, 0);
- X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, DATA, -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_ASC, DATA "-e", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, DATA "-cn", -1, -1, 0);
 {
 X509_NAME* x = X509_NAME_new();
- X509_NAME_add_entry_by_txt(x, "CN", V_ASN1_PRINTABLESTRING, " " DATA2 " ", -1, -1, 0);
- X509_NAME_add_entry_by_txt(x, "emailAddress", V_ASN1_IA5STRING, DATA2, -1, -1, 0);
- fprintf(stderr, "A3:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ X509_NAME_add_entry_by_txt(x, "CN", V_ASN1_PRINTABLESTRING, " " DATA2 "-cn ", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "emailAddress", V_ASN1_IA5STRING, DATA2 "-e", -1, -1, 0);
+ fprintf(stderr, "A3 :ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
 X509_NAME_free(x);
 }
+ X509_NAME_free(name);
+
+ name = X509_NAME_new();
+ X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_ASC, DATA "1", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_ASC, DATA "2", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_ASC, DATA "3", -1, -1, 0);
 {
- int flag = X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, DATA, -1, -1, 0);
- if (flag <= 0)
- fprintf(stderr, "OK:add_entry fail. return code is %d\n", flag);
- else
- fprintf(stderr, "add duplicate entry might fail, but return code is OK %d\n", flag);
+ X509_NAME* x = X509_NAME_new();
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "1", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "3", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "2", -1, -1, 0);
+ fprintf(stderr, "A4.1:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ X509_NAME_free(x);
+ }
+ {
+ X509_NAME* x = X509_NAME_new();
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "2", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "1", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "2", -1, -1, 0);
+ fprintf(stderr, "A4.2:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ X509_NAME_free(x);
+ }
+ {
+ X509_NAME* x = X509_NAME_new();
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "2", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "O" , MBSTRING_ASC, DATA "2", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(x, "OU", MBSTRING_ASC, DATA "3", -1, -1, 0);
+ fprintf(stderr, "A4.3:ssh_X509_NAME_cmp return %d\n", ssh_X509_NAME_cmp(name, x));
+ X509_NAME_free(x);
 }
 X509_NAME_free(name);
+ exit(0);
 return 0;
 }
diff -ruN openssh-3.5p1+x509f/tests/CA/1-cre_cadb.sh openssh-3.5p1+x509g/tests/CA/1-cre_cadb.sh
--- openssh-3.5p1+x509f/tests/CA/1-cre_cadb.sh 2003-01-30 09:06:00.000000000 +0200
+++ openssh-3.5p1+x509g/tests/CA/1-cre_cadb.sh 2003-02-01 09:06:00.000000000 +0200
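Review bot: The new A4.1–A4.3 cases only print the result of ssh_X509_NAME_cmp and main then reaches the added `exit(0);`, so the test binary succeeds no matter what the comparison returns and the multi-valued OU behaviour these cases were written for is never actually checked. Capture the result and fail on the wrong outcome, for A4.1 `if (ssh_X509_NAME_cmp(name, x) != 0) { fprintf(stderr, "A4.1 FAILED: reordered OU entries must compare equal\n"); exit(1); }`, and the inverse condition `== 0` for A4.2 and A4.3 (presumably the duplicated OU in A4.2 and the O in place of an OU in A4.3 are meant to differ; confirm that intent). The `return 0;` after `exit(0);` is now unreachable, so keep one of the two. The enclosing main starts before this hunk.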
@@ -91,8 +91,14 @@
 0.organizationName = Organization Name (eg, company)
 0.organizationName_default = $SSH_DN_O
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = $SSH_DN_OU
+0.organizationalUnitName = Organizational Unit1 Name (eg, section1)
+0.organizationalUnitName_default = ${SSH_DN_OU}-1
+
+1.organizationalUnitName = Organizational Unit2 Name (eg, section2)
+1.organizationalUnitName_default = ${SSH_DN_OU}-2
+
+2.organizationalUnitName = Organizational Unit3 Name (eg, section3)
+2.organizationalUnitName_default = ${SSH_DN_OU}-3
 commonName = Common Name (eg, YOUR name)
 commonName_min = 2
diff -ruN openssh-3.5p1+x509f/tests/CA/3-cre_certs.sh openssh-3.5p1+x509g/tests/CA/3-cre_certs.sh
--- openssh-3.5p1+x509f/tests/CA/3-cre_certs.sh 2003-01-30 09:06:00.000000000 +0200
+++ openssh-3.5p1+x509g/tests/CA/3-cre_certs.sh 2003-02-01 09:06:00.000000000 +0200
@@ -121,7 +121,9 @@
 $SSH_DN_ST
 .
 $SSH_DN_O
-$SSH_DN_OU
+${SSH_DN_OU}-2
+${SSH_DN_OU}-1
+${SSH_DN_OU}-3
 $SSH_BASE_DN_CN(${type}${subtype})
 .
 .