From 4a11812d9c47213fe1d06bb7b8136901a6b26674 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 29 Mar 2018 14:21:59 +0200
Subject: pkcs11 uris: the URI scheme is case insensitive

Makes the comparisons of the URI scheme to use c_strcasecmp from gnulib. It also replaces various straw strcasecmp with the gnulib variant. This ensures that comparison will be reliable irrespective of the locale.

Resolves #590

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/priority.c | 25 +++++++++++++------------
 lib/urls.c | 21 +++++++++++----------
 lib/x509/common.c | 3 ++-
 lib/x509/verify-high2.c | 6 ++++--
 4 files changed, 30 insertions(+), 25 deletions(-)
(limited to 'lib')
diff --git a/lib/priority.c b/lib/priority.c
index afd4b1a680..fb9aba76c8 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #include "fips.h"
 #include "errno.h"
 #include "ext/srp.h"
@@ -1687,21 +1688,21 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 GNUTLS_KX_UNKNOWN) { if (algo != GNUTLS_KX_INVALID) fn(&(*priority_cache)->_kx, algo);
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "VERS-", 5) == 0) {
- if (strncasecmp
+ if (c_strncasecmp
 (&broken_list[i][1], "VERS-TLS-ALL", 12) == 0) { bulk_given_fn(&(*priority_cache)-> protocol, stream_protocol_priority);
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "VERS-DTLS-ALL", 13) == 0) { bulk_given_fn(&(*priority_cache)-> protocol, (bulk_given_fn==_add_priority)?dtls_protocol_priority:dgram_protocol_priority);
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "VERS-ALL", 8) == 0) { bulk_fn(&(*priority_cache)->
@@ -1719,14 +1720,14 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 } } /* now check if the element is something like -ALGO */
- else if (strncasecmp
+ else if (c_strncasecmp
 (&broken_list[i][1], "COMP-", 5) == 0) { /* ignore all compression methods */ continue; } /* now check if the element is something like -ALGO */
- else if (strncasecmp
+ else if (c_strncasecmp
 (&broken_list[i][1], "CURVE-", 6) == 0) {
- if (strncasecmp
+ if (c_strncasecmp
 (&broken_list[i][1], "CURVE-ALL", 9) == 0) { bulk_fn(&(*priority_cache)->
@@ -1742,9 +1743,9 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 else goto error; }
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "GROUP-", 6) == 0) {
- if (strncasecmp
+ if (c_strncasecmp
 (&broken_list[i][1], "GROUP-ALL", 9) == 0) { bulk_fn(&(*priority_cache)->
@@ -1824,16 +1825,16 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 else goto error; }
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "MAC-ALL", 7) == 0) { bulk_fn(&(*priority_cache)->_mac, mac_priority_normal);
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "CIPHER-ALL", 10) == 0) { bulk_fn(&(*priority_cache)->_cipher, cipher_priority_normal);
- } else if (strncasecmp
+ } else if (c_strncasecmp
 (&broken_list[i][1], "KX-ALL", 6) == 0) { bulk_fn(&(*priority_cache)->_kx, kx_priority_secure);
diff --git a/lib/urls.c b/lib/urls.c
index 69b6cfb2a2..bb47e835d7 100644
--- a/lib/urls.c
+++ b/lib/urls.c
@@ -23,6 +23,7 @@
 #include "str.h"
 #include "urls.h"
 #include "system-keys.h"
+#include
 #define MAX_CUSTOM_URLS 8
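Review bot: The prefix lengths in the new c_strncasecmp calls of the COMP-/CURVE- branch are still hand-counted literals (`"COMP-", 5`, `"CURVE-", 6`, `"CURVE-ALL", 9`), whereas lib/urls.c in this same commit derives its lengths with `sizeof(PKCS11_URL)-1`; a miscounted literal here silently turns the test into a different prefix match. A one-line helper would make the two files consistent and remove the counting: `#define STARTS_WITH_CI(s, lit) (c_strncasecmp((s), (lit), sizeof(lit) - 1) == 0)`, used as `else if (STARTS_WITH_CI(&broken_list[i][1], "COMP-")) {`. Note also that `"CURVE-ALL", 9` remains a prefix test, so a keyword with trailing characters after CURVE-ALL would still be accepted; that is existing behaviour, but a short comment stating that keywords are deliberately matched by prefix would stop readers from reporting it as a bug. gnutls_priority_init starts and ends outside the hunk.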
@@ -46,19 +47,19 @@ unsigned gnutls_url_is_supported(const char *url)
 unsigned i; for (i=0;i<_gnutls_custom_urls_size;i++) {
- if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
+ if (c_strncasecmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
 return 1; }
 #ifdef ENABLE_PKCS11
- if (strncmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
+ if (c_strncasecmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
 return 1;
 #endif
 #ifdef HAVE_TROUSERS
- if (strncmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
+ if (c_strncasecmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
 return 1;
 #endif
- if (strncmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
+ if (c_strncasecmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
 return _gnutls_system_url_is_supported(url); return 0;
@@ -68,15 +69,15 @@ int _gnutls_url_is_known(const char *url)
 { unsigned i;
- if (strncmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
+ if (c_strncasecmp(url, PKCS11_URL, sizeof(PKCS11_URL)-1) == 0)
 return 1;
- else if (strncmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
+ else if (c_strncasecmp(url, TPMKEY_URL, sizeof(TPMKEY_URL)-1) == 0)
 return 1;
- else if (strncmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
+ else if (c_strncasecmp(url, SYSTEM_URL, sizeof(SYSTEM_URL)-1) == 0)
 return 1; else { for (i=0;i<_gnutls_custom_urls_size;i++) {
- if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
+ if (c_strncasecmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0)
 return 1; }
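Review bot: The scheme prefix in gnutls_url_is_supported is now matched case-insensitively, but the URL is passed on unchanged to `_gnutls_system_url_is_supported(url)` and, elsewhere, to the pkcs11/tpmkey importers, so a URL spelled `PKCS11:...` is only really supported if those parsers (p11-kit's URI parser in particular) accept an upper-case scheme too — otherwise this function answers yes and the import then fails; that deserves a test with a mixed-case scheme. The reason for the `c_` variant should be recorded next to the first compare, since it is easy to "simplify" back to strncasecmp: `/* URI schemes are case-insensitive (RFC 3986 §3.1); use gnulib's c_strncasecmp so the match does not depend on the process locale */`. The same change also makes the names in `_gnutls_custom_urls` match regardless of case, which the API that registers them should document. The function's closing brace is outside the hunk.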
@@ -147,12 +148,12 @@ int _gnutls_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
 unsigned i;
 #ifdef ENABLE_PKCS11
- if (strncmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
+ if (c_strncasecmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
 return gnutls_pkcs11_get_raw_issuer(url, cert, issuer, GNUTLS_X509_FMT_DER, flags); }
 #endif
 for (i=0;i<_gnutls_custom_urls_size;i++) {
- if (strncmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0) {
+ if (c_strncasecmp(url, _gnutls_custom_urls[i].name, _gnutls_custom_urls[i].name_size) == 0) {
 if (_gnutls_custom_urls[i].get_issuer) { return _gnutls_custom_urls[i].get_issuer(url, cert, issuer, flags); }
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 4a3e8376f7..b0ee8b80cc 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #include "x509_int.h"
 #include "extras/hex.h"
 #include
@@ -164,7 +165,7 @@ const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len)
 do { if ((_oid2str[i].ldap_desc != NULL) && (str_len == _oid2str[i].ldap_desc_size) &&
- (strncasecmp(_oid2str[i].ldap_desc, str, str_len) ==
+ (c_strncasecmp(_oid2str[i].ldap_desc, str, str_len) ==
 0)) return _oid2str[i].oid; i++;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 8ba2f2a3ee..f4a580bb05 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -28,12 +28,14 @@
 #include
 #include
 #include
+#include
 #include
 #include "x509_int.h"
 #include
 #include "verify-high.h"
 #include "read-file.h"
 #include
+#include "urls.h"
 #include
@@ -325,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
 if (ca_file != NULL) {
 #ifdef ENABLE_PKCS11
- if (strncmp(ca_file, "pkcs11:", 7) == 0) {
+ if (c_strncasecmp(ca_file, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
 unsigned pcrt_list_size = 0; /* in case of a token URL import it as a PKCS #11 token,
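Review bot: The switch to c_strncasecmp in `_gnutls_ldap_string_to_oid` is right but undocumented: LDAP attribute descriptors such as those held in `_oid2str[].ldap_desc` are case-insensitive ASCII (RFC 4512 §1.4), and the locale-dependent strncasecmp could fail to fold `i`/`I` under a Turkish locale, so a comment above the `do {` loop would explain the choice: `/* LDAP attribute descriptors are case-insensitive ASCII (RFC 4512); compare locale-independently so DN parsing is not affected by setlocale() */`. The `str_len == _oid2str[i].ldap_desc_size` guard on the preceding line is what turns this bounded compare into a whole-token match rather than a prefix match, so it must stay paired with the compare if the loop is ever refactored. The loop's exit condition and the function's final return are outside the hunk.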
@@ -497,7 +499,7 @@ gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t list,
 int ret;
 #ifdef ENABLE_PKCS11
- if (strncmp(ca_file, "pkcs11:", 7) == 0) {
+ if (c_strncasecmp(ca_file, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
 if (is_pkcs11_url_object(ca_file) != 0) { return remove_pkcs11_object_url(list, ca_file); } else { /* token */
-- cgit v1.2.1
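Review bot: After the new prefix match, `ca_file` is forwarded unchanged to `is_pkcs11_url_object` and `remove_pkcs11_object_url`, so an upper- or mixed-case `PKCS11:` URL now takes the PKCS#11 path instead of being treated as a file name; whether it is then parsed correctly depends on the PKCS#11 URL parser also accepting the scheme case-insensitively, which this commit does not show — a test that adds and then removes a `PKCS11:`-spelled URL would settle it. The same three-argument compare is now written out in both verify-high2.c call sites and in lib/urls.c; since urls.h is included here by this commit, one helper there, `static inline int _gnutls_is_pkcs11_url(const char *s) { return c_strncasecmp(s, PKCS11_URL, PKCS11_URL_SIZE) == 0; }`, would keep the sites from drifting apart. gnutls_x509_trust_list_remove_trust_file starts and ends outside the hunk.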