[gnutls-devel] GnuTLS | Increase the limit of TLS PSK usernames (!1581)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon May 30 22:58:24 CEST 2022



Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1581 was reviewed by Daiki Ueno

--
Daiki Ueno started a new discussion on NEWS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_965046526

> +
> +** libgnutls: Length limit for TLS PSK usernames has been increased
> +   from 128 to 65535 characters.
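Review bot: the NEWS entry states the limit in "characters", but the PSK identity on the wire is a length-prefixed octet string, so the new 65535 ceiling is a byte count and a multi-byte UTF-8 identity fits fewer characters than that. Suggest "from 128 to 65535 bytes", plus a reference to the issue or this merge request so readers can find the rationale.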

Let's reference the issue number (or this PR). Also expand the commit log.

--
Daiki Ueno started a new discussion on lib/auth/psk.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_965046533

> +	gnutls_free(info->username);
> +	info->username = gnutls_malloc(username->size + 1);
> +	assert(info->username);
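Review bot: `assert(info->username);` is the wrong way to check the `gnutls_malloc` result in library code: with `NDEBUG` the assert compiles away and the copy that follows dereferences NULL, and without it an allocation failure reached during a handshake aborts the whole process. Suggest giving the function an `int` return type, and on a NULL result returning `GNUTLS_E_MEMORY_ERROR` so the caller can fail the handshake cleanly.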

Can we change the return type of this function to `int` and propagate `GNUTLS_E_MEMORY_ERROR` to the caller?

--
Daiki Ueno started a new discussion on lib/gnutls_int.h: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_965046538

>  
> -#define MAX_USERNAME_SIZE 128
> +#define MAX_USERNAME_SIZE 65535
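Review bot: the bare constant hides why 65535 is the ceiling; add a comment that it is the 2^16-1 maximum of a two-byte length-prefixed identity (RFC 4279 section 2, RFC 8446 section 4.2.11). Also worth checking every use of `MAX_USERNAME_SIZE`: any array or stack buffer sized by this macro grows from 128 bytes to 64 KiB with this one-line change, which is fine for heap allocations but not for the stack.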

Maybe good to mention why we chose this limit e.g., RFC 4279 [section 2](https://datatracker.ietf.org/doc/html/rfc4279#section-2) and RFC 8446 [section 4.2.11](https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.11) ?

--
Daiki Ueno started a new discussion on lib/handshake-checks.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581#note_965046540

> -			    strncmp(session->internals.saved_username, username, username_length) != 0) {
> +		if (session->internals.saved_username) {
> +			int saved_username_length = strlen(session->internals.saved_username);
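Review bot: `strlen(session->internals.saved_username)` assumes a NUL-terminated string, but a PSK identity is an opaque octet string and may contain embedded NUL bytes, so the computed length can be short. If a length is stored next to `saved_username`, compare the two lengths first and then `memcmp` the bytes; that also fixes the removed `strncmp(..., username_length)` check, which only compared the first `username_length` bytes and let a saved username with a longer matching prefix pass. The length should be held in a `size_t` rather than an `int`.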

We have added support for non-NULL-terminated PSK usernames since https://gitlab.com/gnutls/gnutls/-/merge_requests/917. Is the usage of `strlen` safe with such usernames?


-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1581

