From 4a11812d9c47213fe1d06bb7b8136901a6b26674 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 29 Mar 2018 14:21:59 +0200
Subject: pkcs11 uris: the URI scheme is case insensitive

Makes the comparisons of the URI scheme to use c_strcasecmp
from gnulib. It also replaces various straw strcasecmp with
the gnulib variant. This ensures that comparison will be
reliable irrespective of the locale.

Resolves #590

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 configure.ac                             |  2 +-
 lib/priority.c                           | 25 +++++++++++++------------
 lib/urls.c                               | 21 +++++++++++----------
 lib/x509/common.c                        |  3 ++-
 lib/x509/verify-high2.c                  |  6 ++++--
 tests/Makefile.am                        | 10 +++++++++-
 tests/pkcs11/pkcs11-import-url-privkey.c | 10 ++++++++--
 7 files changed, 48 insertions(+), 29 deletions(-)

diff --git a/configure.ac b/configure.ac
index 73f2fca06d..95c756e8bd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -651,7 +651,7 @@ if test "$with_p11_kit" != "no"; then
 	fi
 fi
 
-AM_CONDITIONAL(P11KIT_0_23_10_API, ! $PKG_CONFIG --atleast-version=2.23.10 p11-kit)
+AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit-1)
 
 AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
 
diff --git a/lib/priority.c b/lib/priority.c
index afd4b1a680..fb9aba76c8 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -31,6 +31,7 @@
 #include <gnutls/x509.h>
 #include <c-ctype.h>
 #include <hello_ext.h>
+#include <c-strcase.h>
 #include "fips.h"
 #include "errno.h"
 #include "ext/srp.h"
@@ -1687,21 +1688,21 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 				 GNUTLS_KX_UNKNOWN) {
 				if (algo != GNUTLS_KX_INVALID)
 					fn(&(*priority_cache)->_kx, algo);
-			} else if (strncasecmp
+			} else if (c_strncasecmp
 				 (&broken_list[i][1], "VERS-", 5) == 0) {
-				if (strncasecmp
+				if (c_strncasecmp
 				    (&broken_list[i][1], "VERS-TLS-ALL",
 				     12) == 0) {
 					bulk_given_fn(&(*priority_cache)->
 						protocol,
 						stream_protocol_priority);
-				} else if (strncasecmp
+				} else if (c_strncasecmp
 					(&broken_list[i][1],
 					 "VERS-DTLS-ALL", 13) == 0) {
 					bulk_given_fn(&(*priority_cache)->
 						protocol,
 						(bulk_given_fn==_add_priority)?dtls_protocol_priority:dgram_protocol_priority);
-				} else if (strncasecmp
+				} else if (c_strncasecmp
 					(&broken_list[i][1],
 					 "VERS-ALL", 8) == 0) {
 					bulk_fn(&(*priority_cache)->
@@ -1719,14 +1720,14 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 
 				}
 			} /* now check if the element is something like -ALGO */
-			else if (strncasecmp
+			else if (c_strncasecmp
 				 (&broken_list[i][1], "COMP-", 5) == 0) {
 				/* ignore all compression methods */
 				continue;
 			} /* now check if the element is something like -ALGO */
-			else if (strncasecmp
+			else if (c_strncasecmp
 				 (&broken_list[i][1], "CURVE-", 6) == 0) {
-				if (strncasecmp
+				if (c_strncasecmp
 				    (&broken_list[i][1], "CURVE-ALL",
 				     9) == 0) {
 					bulk_fn(&(*priority_cache)->
@@ -1742,9 +1743,9 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 					else
 						goto error;
 				}
-			} else if (strncasecmp
+			} else if (c_strncasecmp
 				 (&broken_list[i][1], "GROUP-", 6) == 0) {
-				if (strncasecmp
+				if (c_strncasecmp
 				    (&broken_list[i][1], "GROUP-ALL",
 				     9) == 0) {
 					bulk_fn(&(*priority_cache)->
@@ -1824,16 +1825,16 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 					else
 						goto error;
 				}
-			} else if (strncasecmp
+			} else if (c_strncasecmp
 				(&broken_list[i][1], "MAC-ALL", 7) == 0) {
 				bulk_fn(&(*priority_cache)->_mac,
 					mac_priority_normal);
-			} else if (strncasecmp
+			} else if (c_strncasecmp
 				(&broken_list[i][1], "CIPHER-ALL",
 				 10) == 0) {
 				bulk_fn(&(*priority_cache)->_cipher,
 					cipher_priority_normal);
-			} else if (strncasecmp
+			} else if (c_strncasecmp
 				(&broken_list[i][1], "KX-ALL", 6) == 0) {
 				bulk_fn(&(*priority_cache)->_kx,
 					kx_priority_secure);
diff --git a/lib/urls.c b/lib/urls.c
index 69b6cfb2a2..bb47e835d7 100644
--- a/lib/urls.c
+++ b/lib/urls.c
@@ -23,6 +23,7 @@
 #include "str.h"
 #include "urls.h"
 #include "system-keys.h"
+#include <c-strcase.h>
 
 #define MAX_CUSTOM_URLS 8
 
@@ -46,19 +47,19 @@ unsigned gnutls_url_is_supported(const char *url)
 	unsigned i;
 
 	for (i=0;i<_gnutls_custom_urls_size;i++) {
-		if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
+		if (c_strncasecmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
 			return 1;
 	}
 
 #ifdef ENABLE_PKCS11
-	if (strncmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
+	if (c_strncasecmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
 		return 1;
 #endif
 #ifdef HAVE_TROUSERS
-	if (strncmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
+	if (c_strncasecmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
 		return 1;
 #endif
-	if (strncmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
+	if (c_strncasecmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
 		return _gnutls_system_url_is_supported(url);
 
 	return 0;
@@ -68,15 +69,15 @@ int _gnutls_url_is_known(const char *url)
 {
 	unsigned i;
 
-	if (strncmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
+	if (c_strncasecmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
 		return 1;
-	else if (strncmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
+	else if (c_strncasecmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
 		return 1;
-	else if (strncmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
+	else if (c_strncasecmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
 		return 1;
 	else {
 		for (i=0;i<_gnutls_custom_urls_size;i++) {
-			if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
+			if (c_strncasecmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
 				return 1;
 		}
 
@@ -147,12 +148,12 @@ int _gnutls_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
 	unsigned i;
 
 #ifdef ENABLE_PKCS11
-	if (strncmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
+	if (c_strncasecmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
 		return gnutls_pkcs11_get_raw_issuer(url, cert, issuer, GNUTLS_X509_FMT_DER, flags);
 	}
 #endif
 	for (i=0;i<_gnutls_custom_urls_size;i++) {
-		if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0) {
+		if (c_strncasecmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0) {
 			if (_gnutls_custom_urls[i].get_issuer) {
 				return _gnutls_custom_urls[i].get_issuer(url, cert, issuer, flags);
 			}
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 4a3e8376f7..b0ee8b80cc 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -30,6 +30,7 @@
 #include <x509.h>
 #include <num.h>
 #include <x509_b64.h>
+#include <c-strcase.h>
 #include "x509_int.h"
 #include "extras/hex.h"
 #include <common.h>
@@ -164,7 +165,7 @@ const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len)
 	do {
 		if ((_oid2str[i].ldap_desc != NULL) &&
 		    (str_len == _oid2str[i].ldap_desc_size) &&
-		    (strncasecmp(_oid2str[i].ldap_desc, str, str_len) ==
+		    (c_strncasecmp(_oid2str[i].ldap_desc, str, str_len) ==
 		     0))
 			return _oid2str[i].oid;
 		i++;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 8ba2f2a3ee..f4a580bb05 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -28,12 +28,14 @@
 #include <num.h>
 #include <tls-sig.h>
 #include <str.h>
+#include <c-strcase.h>
 #include <datum.h>
 #include "x509_int.h"
 #include <common.h>
 #include "verify-high.h"
 #include "read-file.h"
 #include <pkcs11_int.h>
+#include "urls.h"
 
 #include <dirent.h>
 
@@ -325,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
 
 	if (ca_file != NULL) {
 #ifdef ENABLE_PKCS11
-		if (strncmp(ca_file, "pkcs11:", 7) == 0) {
+		if (c_strncasecmp(ca_file, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
 			unsigned pcrt_list_size = 0;
 
 			/* in case of a token URL import it as a PKCS #11 token,
@@ -497,7 +499,7 @@ gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t list,
 	int ret;
 
 #ifdef ENABLE_PKCS11
-	if (strncmp(ca_file, "pkcs11:", 7) == 0) {
+	if (c_strncasecmp(ca_file, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
 		if (is_pkcs11_url_object(ca_file) != 0) {
 			return remove_pkcs11_object_url(list, ca_file);
 		} else { /* token */
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 71d00bcd32..536171995d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -324,6 +324,11 @@ pkcs11_obj_raw_SOURCES = pkcs11/pkcs11-obj-raw.c
 pkcs11_obj_raw_DEPENDENCIES = libpkcs11mock1.la libutils.la
 pkcs11_obj_raw_LDADD = $(LDADD) $(LIBDL)
 
+pkcs11_import_url_privkey_caps_SOURCES = pkcs11/pkcs11-import-url-privkey.c
+pkcs11_import_url_privkey_caps_DEPENDENCIES = libpkcs11mock1.la libutils.la
+pkcs11_import_url_privkey_caps_LDADD = $(LDADD) $(LIBDL)
+pkcs11_import_url_privkey_caps_CFLAGS = -DALL_CAPS_URI
+
 pkcs11_privkey_fork_SOURCES = pkcs11/pkcs11-privkey-fork.c
 pkcs11_privkey_fork_DEPENDENCIES = libpkcs11mock1.la libutils.la
 pkcs11_privkey_fork_LDADD = $(LDADD) $(LIBDL)
@@ -361,6 +366,9 @@ ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts
 	pkcs11/gnutls_x509_crt_list_import_url pkcs11/gnutls_pcert_list_import_x509_file \
 	pkcs11-token-raw pkcs11-obj-raw
 
+if P11KIT_0_23_11_API
+ctests += pkcs11-import-url-privkey-caps
+endif
 
 endif
 endif
@@ -443,7 +451,7 @@ if ENABLE_PKCS11
 dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh
 
 if HAVE_PKCS11_TRUST_STORE
-if P11KIT_0_23_10_API
+if P11KIT_0_23_11_API
 dist_check_SCRIPTS += p11-kit-load.sh
 indirect_tests += pkcs11/list-tokens
 endif
diff --git a/tests/pkcs11/pkcs11-import-url-privkey.c b/tests/pkcs11/pkcs11-import-url-privkey.c
index cb44fb1e53..38d40b666d 100644
--- a/tests/pkcs11/pkcs11-import-url-privkey.c
+++ b/tests/pkcs11/pkcs11-import-url-privkey.c
@@ -39,6 +39,12 @@
 /* Tests the private key import for sensitive keys in the common case and in
  * some problematic cases. */
 
+#ifdef ALL_CAPS_URI
+#define PURI "PKCS11:"
+#else
+#define PURI "pkcs11:"
+#endif
+
 #ifdef _WIN32
 # define P11LIB "libpkcs11mock1.dll"
 #else
@@ -76,7 +82,7 @@ void doit(void)
 		exit(1);
 	}
 
-	ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size, "pkcs11:", GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY);
+	ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size, PURI, GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY);
 	if (ret < 0) {
 		fail("%d: %s\n", ret, gnutls_strerror(ret));
 		exit(1);
@@ -107,7 +113,7 @@ void doit(void)
 
 		*pflags = MOCK_FLAG_BROKEN_GET_ATTRIBUTES;
 
-		ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size, "pkcs11:", GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY);
+		ret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size, PURI, GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY);
 		if (ret < 0) {
 			fail("%d: %s\n", ret, gnutls_strerror(ret));
 			exit(1);
-- 
cgit v1.2.1