(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
hyc at symas.com
Fri Feb 15 20:05:50 CET 2008
Nikos Mavrogiannopoulos wrote:
> Indeed I'll try to improve this patch to work only for formats known
> to be text.
The code was perfectly correct before this patch. Why do you want to change
anything here at all? I looked in the gnutls-devel archives and couldn't find
any discussion of this change. It would be nice to understand what you're
trying to accomplish here, given that there are large bodies of code already
written that expect the existing behavior of GnuTLS 2.1.7 and older.
> On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton <joe at manyfish.co.uk> wrote:
>> On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
>> > Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
>> > you're seeing. The change is here:
>> > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
>> > and it is clearly a bug, since subjectAltNames are not necessarily
>> > strings. (E.g., they can also be IP addresses, which are just 4 or 16
>> > octets.) If you notice in the diff, they set
>> > *name_size = len + 1;
>> > and then later
>> > name[len] = 0;
>> > but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
>> > can cause a write past the end of the supplied buffer.
>> > This patch should be reverted, it is clearly wrong.
>> FWIW, I agree. neon's test cases for subjectAltName support are
>> breaking with 2.3.0 as well. Reverting the changeset Howard referenced
>> fixes the issues.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
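The off-by-one described in the quoted message, reconstructed as an added example (this is not GnuTLS code and not code from the thread; the function names, the `probe_buf` type and the numeric return values are assumptions made here). Three copy policies for a subjectAltName value are run against an instrumented buffer that counts, rather than performs, any write past the size the caller advertised: the pre-patch raw-octet contract that the message says existing code relies on, the patched variant that checks `len` against the buffer but then writes `name[len] = 0`, and a terminated variant whose check reserves room for the terminator.

```c
#include <stddef.h>
#include <stdio.h>

/* Return codes named after the symbol quoted in the thread; the numeric
 * values are an assumption for this example, not GnuTLS's. */
#define SAN_OK                  0
#define SAN_SHORT_MEMORY_BUFFER (-1)

/* Instrumented output buffer: a write past the size the caller advertised
 * is counted instead of performed, so the overflow is observable without
 * undefined behaviour. */
typedef struct {
    unsigned char data[64];
    size_t        size;        /* buffer size the caller claims to pass */
    size_t        oob_writes;  /* writes that would have landed past `size` */
} probe_buf;

static void probe_write(probe_buf *b, size_t idx, unsigned char v)
{
    if (idx < b->size && idx < sizeof b->data)
        b->data[idx] = v;
    else
        b->oob_writes++;
}

typedef int (*san_copy_fn)(const unsigned char *value, size_t len,
                           probe_buf *out, size_t *name_size);

/* Pre-patch behaviour as the thread describes it: raw octets, *name_size
 * reports the length. Correct for dNSName and for 4/16-octet iPAddress. */
static int copy_san_raw(const unsigned char *value, size_t len,
                        probe_buf *out, size_t *name_size)
{
    if (len > *name_size) { *name_size = len; return SAN_SHORT_MEMORY_BUFFER; }
    for (size_t i = 0; i < len; i++) probe_write(out, i, value[i]);
    *name_size = len;
    return SAN_OK;
}

/* The pattern Howard Chu points at: the check covers len octets, but the
 * terminator goes to name[len], one past the checked range. */
static int copy_san_terminated_unsafe(const unsigned char *value, size_t len,
                                      probe_buf *out, size_t *name_size)
{
    if (len > *name_size) { *name_size = len + 1; return SAN_SHORT_MEMORY_BUFFER; }
    for (size_t i = 0; i < len; i++) probe_write(out, i, value[i]);
    probe_write(out, len, 0);   /* out of bounds whenever len == *name_size */
    *name_size = len + 1;
    return SAN_OK;
}

/* If a terminator is wanted, the check must reserve room for it;
 * `len >= *name_size` is the overflow-safe form of `len + 1 > *name_size`. */
static int copy_san_terminated_safe(const unsigned char *value, size_t len,
                                    probe_buf *out, size_t *name_size)
{
    if (len >= *name_size) { *name_size = len + 1; return SAN_SHORT_MEMORY_BUFFER; }
    for (size_t i = 0; i < len; i++) probe_write(out, i, value[i]);
    probe_write(out, len, 0);
    *name_size = len + 1;
    return SAN_OK;
}

/* Run one policy against a caller buffer of `bufsize` bytes. */
static int run_case(san_copy_fn fn, const unsigned char *value, size_t len,
                    size_t bufsize, size_t *oob_writes, size_t *reported)
{
    probe_buf buf = { {0}, bufsize, 0 };
    size_t name_size = bufsize;
    int rc = fn(value, len, &buf, &name_size);
    *oob_writes = buf.oob_writes;
    *reported = name_size;
    return rc;
}

/* Scalar views of run_case, convenient for checks. */
static int case_rc(san_copy_fn fn, const unsigned char *v, size_t len, size_t bufsize)
{ size_t o, r; return run_case(fn, v, len, bufsize, &o, &r); }
static size_t case_oob(san_copy_fn fn, const unsigned char *v, size_t len, size_t bufsize)
{ size_t o, r; run_case(fn, v, len, bufsize, &o, &r); return o; }
static size_t case_reported(san_copy_fn fn, const unsigned char *v, size_t len, size_t bufsize)
{ size_t o, r; run_case(fn, v, len, bufsize, &o, &r); return r; }

/* Constructed SAN values: an iPAddress (4 octets) and a dNSName (16 octets). */
static const unsigned char san_ipv4[4] = { 10, 0, 0, 1 };
static const unsigned char san_dns[]   = "ldap.example.com";

int main(void)
{
    size_t oob, rep;
    int rc;

    /* Exact-size buffers, as a caller relying on the 2.1.7 contract would pass. */
    rc = run_case(copy_san_terminated_unsafe, san_ipv4, 4, 4, &oob, &rep);
    printf("terminated, unchecked: rc=%d oob_writes=%zu reported=%zu\n", rc, oob, rep);
    rc = run_case(copy_san_terminated_safe, san_ipv4, 4, 4, &oob, &rep);
    printf("terminated, checked:   rc=%d oob_writes=%zu reported=%zu\n", rc, oob, rep);
    rc = run_case(copy_san_raw, san_dns, 16, 16, &oob, &rep);
    printf("raw octets, pre-patch: rc=%d oob_writes=%zu reported=%zu\n", rc, oob, rep);
    return 0;
}
```

The first case is the one the message describes: a four-octet iPAddress into a four-byte buffer passes the `len > *name_size` check, yet the terminator write counts as out of bounds. The checked variant turns the same call into a `SHORT_MEMORY_BUFFER` return with `*name_size` set to 5, and the raw policy fills the buffer exactly with no terminator, which is what callers written against 2.1.7 expect.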