CVSROOT: /cvs Module name: src Changes by: b...@cvs.openbsd.org 2023/05/02 08:13:05
Modified files: lib/libcrypto/man: X509_NAME_get_index_by_NID.3 lib/libcrypto/x509: x509name.c regress/lib/libcrypto/x509: x509_asn1.c Log message: Change X509_NAME_get_index_by[NID|OBJ] to be safer. Currently these functions return raw ASN1_STRING bytes as a C string and ignore the encoding in a "hold my beer I am a toolkit not a functioning API surely it's just for testing and you'd never send nasty bytes" kind of way. Sadly some callers seem to use them to fetch things liks subject name components for comparisons, and often just use the result as a C string. Instead, encode the resulting bytes as UTF-8 so it is something like "text", Add a failure case if the length provided is inadequate or if the resulting text would contain an nul byte. based on boringssl. nits by dlg@ ok tb@