CVSROOT: /cvs
Module name: src
Changes by: b...@cvs.openbsd.org 2023/05/02 08:13:05
Modified files:
lib/libcrypto/man: X509_NAME_get_index_by_NID.3
lib/libcrypto/x509: x509name.c
regress/lib/libcrypto/x509: x509_asn1.c
Log message:
Change X509_NAME_get_index_by[NID|OBJ] to be safer.
Currently these functions return raw ASN1_STRING bytes as
a C string and ignore the encoding in a "hold my beer I am
a toolkit not a functioning API surely it's just for testing
and you'd never send nasty bytes" kind of way.
Sadly some callers seem to use them to fetch things liks
subject name components for comparisons, and often just
use the result as a C string.
Instead, encode the resulting bytes as UTF-8 so it is
something like "text",
Add a failure case if the length provided is inadequate
or if the resulting text would contain an nul byte.
based on boringssl.
nits by dlg@
ok tb@
