[omniORB] patch for sslConnection.cc, v2
Wei Jiang
2009-04-28 12:07:37 UTC
fixed three bugs:
1. memory leak when SSL_get_verify_result(pd_ssl) != X509_V_OK
2. Cope with NO COMMON NAME cert
3. convert common name to native code set string.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl.patch
Type: text/x-patch
Size: 2313 bytes
Desc: not available
Url : http://www.omniorb-support.com/pipermail/omniorb-list/attachments/20090428/923c375f/ssl.bin
Duncan Grisby
2009-04-30 21:12:35 UTC
Post by Wei Jiang
1. memory leak when SSL_get_verify_result(pd_ssl) != X509_V_OK
2. Cope with NO COMMON NAME cert
3. convert common name to native code set string.
Thanks. The memory leak is obviously a bug and should be fixed.

Can you explain the other things? I'm not convinced it's right to try
to translate the common name to the native code set. What if it can't be
represented in the native code set?

Cheers,

Duncan.
--
-- Duncan Grisby --
-- ***@grisby.org --
-- http://www.grisby.org --
Wei Jiang
2009-05-01 18:45:16 UTC
Can you explain the other things? I'm not convinced it's right to try
to translate the common name to the native code set. What if it can't be
represented in the native code set?
  char buf[1024];

  X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
                            NID_commonName, buf, sizeof(buf));

  pd_peeridentity = CORBA::string_dup(buf);
  X509_free(peer_cert);

We can sign a cert without commonName using OpenSSL.
X509_NAME_get_text_by_NID will return -1 if there is no commonName in
peer_cert; CORBA::string_dup(buf) then copies junk from buf to
pd_peeridentity, which may result in an Access Violation.


Copied from the manual pages:
"
NOTES
X509_NAME_get_text_by_NID() and X509_NAME_get_text_by_OBJ() are legacy
functions which have various limitations which make them of minimal use
in practice. They can only find the first matching entry and will copy
the contents of the field verbatim: this can be highly confusing if the
target is a multicharacter string type like a BMPString or a UTF8String.
"
NID_commonName in peer_cert may be encoded with any codeset that
OpenSSL supports. I think we should convert it to the native codeset
here.
Wei Jiang
2009-05-02 08:33:43 UTC
Can you explain the other things? I'm not convinced it's right to try
to translate the common name to the native code set. What if it can't be
represented in the native code set?
If sslConnection doesn't translate the common name to the native code
set, the application cannot find out which code set peeridentity uses.
If it can't be represented in the native code set, peeridentity()
should return 0.

static CORBA::Boolean
serverReceiveRequestInterceptor(omni::omniInterceptors::
                                serverReceiveRequest_T::info_T& iinfo)
{
  omni::giopStrand&     strand     = (omni::giopStrand&)iinfo.giop_s;
  omni::giopConnection* connection = strand.connection;
  const char* id = connection->peeridentity();
  if (id == 0) { // peeridentity does not exist or can't be
                 // represented in the native code set
    // do something
  }
  ... ...
}
