Bug 6331 – CAMPAIGN: Improve server identity processing in GSI C

Bug 6331 - CAMPAIGN: Improve server identity processing in GSI C

Summary:

CAMPAIGN: Improve server identity processing in GSI C

Status:	RESOLVED FIXED

Product:	GSI C
Component:	Campaign
Version:	4.2.0
Platform:	Macintosh All

Importance:	P3 normal
Target Milestone:	4.2.1
Assigned To:	Joe Bester

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-08-20 16:07 by Joe Bester
Modified:	2008-09-18 15:31 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Joe Bester 2008-08-20 16:07:22

The goal of this campaign is to improve the GSI C code to use some of the
techniques described in Section 3 of "HTTP Over TLS" [RFC 2818] to determine
the host name to use for mutual authentication with a service to avoid the
issues described above, with a backward-compatibility mode which support the
old method of comparing host names using the name returned from an address
lookup of the IP address. 

More details about the design and tasks is available at
http://dev.globus.org/wiki/C_Security:_Server_Identity_Processing_In_GSI_C

------- Comment #1 From Joe Bester 2008-08-28 11:38:14 -------

I committed a big chunk of code to the campaign_6311_branch which implements
the new name types and name comparison algorithms described on the wiki page
and added a pretty thorough set of name comparison test cases.

The name comparison behavior uses the GLOBUS_GSSAPI_NAME_COMPATIBILITY
environment variable to fine tune the name comparison algorithm. Values can be
- HYBRID (default)
    Accept all name comparisons that GT2 would accept (including 
    foo-1.example.org == foo.example.org wildcard matching), with added support 
    for
    + DNS Names (with wildcards, optionally) from a subjectAltName in a x.509 
      cert
    + IP Addresses from a subjectAltName in an X.509 certificate
- STRICT_GT2
    Accept all name comparisons that GT2 would accept (including 
    foo-1.example.org == foo.example.org wildcard matching). subjectAltName 
    values are ignored.
- STRICT_RFC2818
    Ignore SubjectName if a DNSName is present in a certificate, and  comparing 
    to a host name. Do not resolve IP addresses to names for comparisons. 
    Ignore GT2 (foo-1.example.org) wildcards. Comparing two
    anonymous names returns FALSE.

------- Comment #2 From Joe Bester 2008-09-09 09:49:40 -------

Tested with GRAM4 and gridftp, and as a result fixed a memory leak and a memory
corruption issue (if a gss_name_t is copied and then the original was freed). 

Added test cases for gss_duplicate_nam.

------- Comment #3 From Joe Bester 2008-09-09 11:54:43 -------

Committed new code to trunk and updated OID list on the dev.globus.org wiki.
After next cycle of automated toolkit tests complete, I'll merge this to the
4.2 branch.

A patch containing the new code is available from
http://www.mcs.anl.gov/~bester/patches/campaign_6331.diff

------- Comment #4 From Joe Bester 2008-09-18 15:30:57 -------

Trunk toolkit tests passed as well as they had before the merge.

Fixed some compile problems with Solaris and AIX this morning, then merged it
all to 4.2 branch.