From simon.tls at a-oben.org Thu Mar 8 12:54:32 2018
From: simon.tls at a-oben.org (Simon Friedberger)
Date: Thu, 8 Mar 2018 12:54:32 +0100
Subject: [gnutls-help] GIT build failing
Message-ID: <97c12e74-daa4-aa67-fd6d-947cbd12e1b9@a-oben.org>

I am getting the following error when trying to build the master branch:

./parse-datetime.y: In function 'yylex':
./parse-datetime.y:1413:20: error: dereferencing pointer to incomplete type 'union YYSTYPE'
               lvalp->timespec.tv_sec = s;
                    ^

What might be causing this?

Best Regards,
Simon

From nmav at gnutls.org Sat Mar 10 16:49:42 2018
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 10 Mar 2018 16:49:42 +0100
Subject: [gnutls-help] GIT build failing
In-Reply-To: <97c12e74-daa4-aa67-fd6d-947cbd12e1b9@a-oben.org>
References: <97c12e74-daa4-aa67-fd6d-947cbd12e1b9@a-oben.org>
Message-ID:

On Thu, Mar 8, 2018 at 12:54 PM, Simon Friedberger wrote:
> I am getting the following error when trying to build the master branch:
>
> ./parse-datetime.y: In function 'yylex':
> ./parse-datetime.y:1413:20: error: dereferencing pointer to incomplete
> type 'union YYSTYPE'
>                lvalp->timespec.tv_sec = s;
>                     ^
> What might be causing this?

This is a file processed with bison/yacc. Which version do you use? Did
you follow the instructions in README.md?

regards,
Nikos

From whissi at gentoo.org Mon Mar 26 16:06:25 2018
From: whissi at gentoo.org (Thomas Deutschmann)
Date: Mon, 26 Mar 2018 16:06:25 +0200
Subject: [gnutls-help] Can a malicious/malformed DNS name pass gnutls_certificate_verify_peers function?
Message-ID: <9394daec-6d91-50f0-5cc8-5e861cb924b2@gentoo.org>

Hi,

I am currently auditing a program which was, while looking for a valid
peer name, looping through the alternative names list like:

> char szAltName[1024];
> int iAltName;
> char allNames[32*1024];
> int iAllNames;
> size_t szAltNameLen;
>
> [...]
>
> while(!bFoundName) {
>     szAltNameLen = sizeof(szAltName);
>     gnuRet = gnutls_x509_crt_get_subject_alt_name(cert, iAltName,
>                                                   szAltName, &szAltNameLen, NULL);
>     if(gnuRet < 0)
>         break;
>     else if(gnuRet == GNUTLS_SAN_DNSNAME) {
>         iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,
>                               "DNSname: %s; ", szAltName);
>         myCustomPeerNameValidator(szAltName, &bFoundName);
>     }
>     ++iAltName;
> }
>
> [...]

Like you probably already noticed, the "snprintf" usage is invalid and can be
exploited using a crafted certificate with a lot of large SANs.

However, I am wondering if an attack would be very limited because, before
this code runs, the program calls the "gnutls_certificate_verify_peers2"
function on that certificate. I.e. does GnuTLS guarantee at this stage
that any certificate validated using this function only contains valid
dnsNames (i.e. IA5String values) or not?

Thanks.

-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: OpenPGP digital signature
URL:

From petr.spacek at nic.cz Thu Mar 29 11:41:44 2018
From: petr.spacek at nic.cz (Petr Špaček)
Date: Thu, 29 Mar 2018 11:41:44 +0200
Subject: [gnutls-help] gnutls_certificate_status_t to text
Message-ID: <19f0a2be-ba3a-02ac-e6d6-88f88ba47dab@nic.cz>

Hello GnuTLSers,

is there a recommended way to transform a non-zero gnutls_certificate_status_t
value returned by gnutls-certificate-verify-peers3 to text, which can be
displayed to the user?

I did not find any, but maybe I'm looking in the wrong direction.

(Bonus points for a solution which can work on RHEL 7! :-))

Thank you for your time.
-- 
Petr Špaček @ CZ.NIC

From jgh at wizmail.org Thu Mar 29 12:17:40 2018
From: jgh at wizmail.org (Jeremy Harris)
Date: Thu, 29 Mar 2018 11:17:40 +0100
Subject: [gnutls-help] gnutls_certificate_status_t to text
In-Reply-To: <19f0a2be-ba3a-02ac-e6d6-88f88ba47dab@nic.cz>
References: <19f0a2be-ba3a-02ac-e6d6-88f88ba47dab@nic.cz>
Message-ID:

On 29/03/18 10:41, Petr Špaček wrote:
> is there a recommended way to transform non-zero
> gnutls_certificate_status_t value returned by
> gnutls-certificate-verify-peers3 to text, which can be displayed to user?

[guile/src/enum-map.i.c]

static const char *
scm_gnutls_certificate_status_to_c_string (gnutls_certificate_status_t c_obj)
{
  static const struct { gnutls_certificate_status_t value; const char *name; } table[] =
    {
      { GNUTLS_CERT_INVALID, "invalid" },
      { GNUTLS_CERT_REVOKED, "revoked" },
      { GNUTLS_CERT_SIGNER_NOT_FOUND, "signer-not-found" },
      { GNUTLS_CERT_SIGNER_NOT_CA, "signer-not-ca" },
      { GNUTLS_CERT_INSECURE_ALGORITHM, "insecure-algorithm" },
    };
  unsigned i;
  const char *name = NULL;

  for (i = 0; i < 5; i++)
    {
      if (table[i].value == c_obj)
        {
          name = table[i].name;
          break;
        }
    }

  return (name);
}

From petr.spacek at nic.cz Thu Mar 29 13:02:15 2018
From: petr.spacek at nic.cz (Petr Špaček)
Date: Thu, 29 Mar 2018 13:02:15 +0200
Subject: [gnutls-help] gnutls_certificate_status_t to text
In-Reply-To:
References: <19f0a2be-ba3a-02ac-e6d6-88f88ba47dab@nic.cz>
Message-ID:

On 29.3.2018 12:17, Jeremy Harris wrote:
> On 29/03/18 10:41, Petr Špaček wrote:
>> is there a recommended way to transform non-zero
>> gnutls_certificate_status_t value returned by
>> gnutls-certificate-verify-peers3 to text, which can be displayed to user?
>
>
> [guile/src/enum-map.i.c]
>
> static const char *
> scm_gnutls_certificate_status_to_c_string (gnutls_certificate_status_t
> c_obj)
> {
>   static const struct { gnutls_certificate_status_t value; const char
> *name; } table[] =
>     {
>       { GNUTLS_CERT_INVALID, "invalid" },
>       { GNUTLS_CERT_REVOKED, "revoked" },
>       { GNUTLS_CERT_SIGNER_NOT_FOUND, "signer-not-found" },
>       { GNUTLS_CERT_SIGNER_NOT_CA, "signer-not-ca" },
>       { GNUTLS_CERT_INSECURE_ALGORITHM, "insecure-algorithm" },
>     };

Hmm, I was hoping for something more developer-friendly than custom code.

Nikos, could you please add an API for this to one of the future versions?

Thank you!

-- 
Petr Špaček @ CZ.NIC

From n.mavrogiannopoulos at gmail.com Fri Mar 30 07:17:18 2018
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Fri, 30 Mar 2018 05:17:18 +0000
Subject: [gnutls-help] gnutls_certificate_status_t to text
In-Reply-To:
References: <19f0a2be-ba3a-02ac-e6d6-88f88ba47dab@nic.cz>
Message-ID:

Hi,

The client example in the manual uses such printing:
https://www.gnutls.org/manual/gnutls.html#Legacy-client-example-with-X_002e509-certificate-support

On March 29, 2018 11:02:15 AM UTC, "Petr Špaček" wrote:
>
>
>On 29.3.2018 12:17, Jeremy Harris wrote:
>> On 29/03/18 10:41, Petr Špaček wrote:
>>> is there a recommended way to transform non-zero
>>> gnutls_certificate_status_t value returned by
>>> gnutls-certificate-verify-peers3 to text, which can be displayed to
>user?
>>
>>
>> [guile/src/enum-map.i.c]
>>
>> static const char *
>> scm_gnutls_certificate_status_to_c_string
>(gnutls_certificate_status_t
>> c_obj)
>> {
>>   static const struct { gnutls_certificate_status_t value; const char
>> *name; } table[] =
>>     {
>>       { GNUTLS_CERT_INVALID, "invalid" },
>>       { GNUTLS_CERT_REVOKED, "revoked" },
>>       { GNUTLS_CERT_SIGNER_NOT_FOUND, "signer-not-found" },
>>       { GNUTLS_CERT_SIGNER_NOT_CA, "signer-not-ca" },
>>       { GNUTLS_CERT_INSECURE_ALGORITHM, "insecure-algorithm" },
>>     };
>
>
>Hmm, I was hoping for something more developer-friendly than custom
>code.
>
>Nikos, could you please add an API for this to one of the future versions?
>
>Thank you!
>
>--
>Petr Špaček @ CZ.NIC
>
>_______________________________________________
>Gnutls-help mailing list
>Gnutls-help at lists.gnutls.org
>http://lists.gnupg.org/mailman/listinfo/gnutls-help

-- 
Sent from my mobile. Please excuse my brevity.

From n.mavrogiannopoulos at gmail.com Fri Mar 30 07:19:06 2018
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Fri, 30 Mar 2018 05:19:06 +0000
Subject: [gnutls-help] Can a malicious/malformed DNS name pass gnutls_certificate_verify_peers function?
In-Reply-To: <9394daec-6d91-50f0-5cc8-5e861cb924b2@gentoo.org>
References: <9394daec-6d91-50f0-5cc8-5e861cb924b2@gentoo.org>
Message-ID: <0146B53B-F2C0-4AC1-B012-791B9AF9E927@gmail.com>

The verify function only verifies the certificate signature. Any checks
on data would be done by the get function.

On March 26, 2018 2:06:25 PM UTC, Thomas Deutschmann wrote:
>Hi,
>
>I am currently auditing a program which was, while looking for a valid
>peer name, looping through the alternative names list like:
>
>> char szAltName[1024];
>> int iAltName;
>> char allNames[32*1024];
>> int iAllNames;
>> size_t szAltNameLen;
>>
>> [...]
>>
>> while(!bFoundName) {
>>     szAltNameLen = sizeof(szAltName);
>>     gnuRet = gnutls_x509_crt_get_subject_alt_name(cert, iAltName,
>>                                                   szAltName, &szAltNameLen, NULL);
>>     if(gnuRet < 0)
>>         break;
>>     else if(gnuRet == GNUTLS_SAN_DNSNAME) {
>>         iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,
>>                               "DNSname: %s; ", szAltName);
>>         myCustomPeerNameValidator(szAltName, &bFoundName);
>>     }
>>     ++iAltName;
>> }
>>
>> [...]
>
>Like you probably already noticed, the "snprintf" usage is invalid and can
>be exploited using a crafted certificate with a lot of large SANs.
>
>However, I am wondering if an attack would be very limited because, before
>this code runs, the program calls the "gnutls_certificate_verify_peers2"
>function on that certificate. I.e. does GnuTLS guarantee at this stage
>that any certificate validated using this function only contains valid
>dnsNames (i.e. IA5String values) or not?
>
>Thanks.

-- 
Sent from my mobile. Please excuse my brevity.
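Added example for the SAN thread above; it is not code from the thread, from the audited program or from GnuTLS. It rewrites the quoted loop to show both halves of Nikos's answer in working C: append_dns_name() accumulates the summary without the iAllNames += snprintf(...) defect (snprintf returns the length the entry would have had, not what it wrote, so once the buffer is full the offset passes sizeof(allNames) and sizeof(allNames)-iAllNames wraps to a huge size_t), and is_valid_dns_san() applies the dNSName checks that gnutls_certificate_verify_peers2 does not perform, including an embedded-NUL check that matters because "%s" stops at the first NUL while the library reports the full length. The san_entry struct, the SAN_* tags and the sample list are constructed stand-ins for what gnutls_x509_crt_get_subject_alt_name() returns, so the block runs without GnuTLS installed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in (hypothetical struct) for one subjectAltName entry:
 * the type tag, the raw bytes and the length the library reports.  The
 * audited loop obtains these from gnutls_x509_crt_get_subject_alt_name();
 * they are embedded here so the example runs without GnuTLS. */
#define SAN_DNSNAME 1
#define SAN_OTHER   0

struct san_entry {
    int type;
    const char *data;   /* raw bytes, not trusted to be NUL-terminated */
    size_t len;         /* length as the library would report it */
};

/* dNSName syntax check the verify call does not perform: the whole value
 * must be a printable hostname.  An embedded NUL is rejected because "%s"
 * would silently truncate it, so the validator would see a different name
 * from the one the certificate actually carries. */
static int is_valid_dns_san(const char *data, size_t len)
{
    size_t i, label = 0;

    if (len == 0 || len > 253) return 0;
    if (memchr(data, '\0', len) != NULL) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)data[i];
        if (c == '.') {
            if (label == 0) return 0;            /* empty label: ".", "a..b" */
            label = 0;
            continue;
        }
        if (c == '*' && i == 0 && len > 2 && data[1] == '.') {
            label = 1;                           /* leading wildcard label only */
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;   /* letters, digits, hyphen */
        if (++label > 63) return 0;              /* label too long */
    }
    return label > 0;                            /* no trailing dot */
}

/* Bounded replacement for  iAllNames += snprintf(...) .  The entry is kept
 * only if it fits in full; otherwise the buffer stays NUL-terminated, the
 * offset is left untouched and the caller is told. */
static int append_dns_name(char *out, size_t outsize, size_t *used, const char *name)
{
    int n;

    if (*used >= outsize) return -1;
    n = snprintf(out + *used, outsize - *used, "DNSname: %s; ", name);
    if (n < 0 || (size_t)n >= outsize - *used) {
        out[*used] = '\0';
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* The audited loop, rewritten: validate each dNSName before it is logged or
 * passed on, and stop with -1 instead of overrunning the summary buffer.
 * Returns the number of names accepted. */
static int collect_dns_names(const struct san_entry *sans, size_t count,
                             char *out, size_t outsize)
{
    char name[254];          /* a valid name is at most 253 bytes + NUL */
    size_t used = 0, i;
    int accepted = 0;

    if (outsize == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < count; i++) {
        if (sans[i].type != SAN_DNSNAME) continue;
        if (!is_valid_dns_san(sans[i].data, sans[i].len)) continue;  /* skip malformed */
        memcpy(name, sans[i].data, sans[i].len);
        name[sans[i].len] = '\0';
        if (append_dns_name(out, outsize, &used, name) < 0) return -1;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample SAN list: one good name, one non-DNS entry, one
     * name with an embedded NUL, one with a space, one wildcard. */
    static const struct san_entry sans[] = {
        { SAN_DNSNAME, "www.example.test", 16 },
        { SAN_OTHER,   "ignored",          7  },
        { SAN_DNSNAME, "evil\0host",       9  },
        { SAN_DNSNAME, "bad host",         8  },
        { SAN_DNSNAME, "*.example.test",   14 },
    };
    char summary[128];
    int n = collect_dns_names(sans, sizeof sans / sizeof sans[0], summary, sizeof summary);

    printf("%d valid dNSName entries: %s\n", n, summary);
    return n < 0;
}
```

In a real loop the len field is szAltNameLen as filled in by the get call, and a -1 from collect_dns_names() should be treated as "too many names to summarise", not silently ignored.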
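Added example for the gnutls_certificate_status_t thread above; it is not from the thread, from the manual or from GnuTLS. The point it demonstrates: a verify status is a bitmask of reasons, and the Guile table in Jeremy's reply looks the value up with ==, so a combined status such as invalid plus expired matches no row. The decoder below reports every set reason. The STATUS_* values are constructed placeholders for this example; real code uses the GNUTLS_CERT_* enum from <gnutls/x509.h>, or, on GnuTLS 3.1.4 and later (which includes the 3.3 series in RHEL 7), calls gnutls_certificate_verification_status_print() to obtain the text directly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholders for this example only.  They copy the layout of
 * the real enum (distinct single bits, ORed together by the verify call);
 * real code uses GNUTLS_CERT_* from <gnutls/x509.h>. */
enum cert_status_bits {
    STATUS_INVALID            = 1u << 1,    /* generic "not trusted" bit */
    STATUS_REVOKED            = 1u << 5,
    STATUS_SIGNER_NOT_FOUND   = 1u << 6,
    STATUS_SIGNER_NOT_CA      = 1u << 7,
    STATUS_INSECURE_ALGORITHM = 1u << 8,
    STATUS_NOT_ACTIVATED      = 1u << 9,
    STATUS_EXPIRED            = 1u << 10
};

/* Specific reasons, in the order they are reported.  STATUS_INVALID is
 * deliberately absent: it accompanies every failure and carries no detail. */
static const struct { unsigned flag; const char *text; } status_reasons[] = {
    { STATUS_REVOKED,            "certificate has been revoked" },
    { STATUS_SIGNER_NOT_FOUND,   "issuer is not in the trust store" },
    { STATUS_SIGNER_NOT_CA,      "issuer is not a CA" },
    { STATUS_INSECURE_ALGORITHM, "certificate uses an insecure algorithm" },
    { STATUS_NOT_ACTIVATED,      "certificate is not yet valid" },
    { STATUS_EXPIRED,            "certificate has expired" },
};
#define N_REASONS (sizeof status_reasons / sizeof status_reasons[0])

/* Append s to out if it fits together with the terminating NUL. */
static int put(char *out, size_t outsize, size_t *used, const char *s)
{
    size_t n = strlen(s);

    if (n >= outsize - *used) return -1;
    memcpy(out + *used, s, n + 1);
    *used += n;
    return 0;
}

/* Render a verify status for display.  Walks every flag instead of looking
 * the whole value up with ==, so combined statuses are fully described.
 * Returns the number of specific reasons rendered (0 for a trusted
 * certificate or for a failure this table does not know), or -1 if out is
 * too small; out is always NUL-terminated.  Trust decisions must still be
 * taken from status != 0, never from the text. */
static int status_to_text(unsigned status, char *out, size_t outsize)
{
    size_t i, used = 0;
    int reasons = 0;

    if (outsize == 0) return -1;
    out[0] = '\0';
    if (status == 0)
        return put(out, outsize, &used, "certificate is trusted");
    for (i = 0; i < N_REASONS; i++) {
        if (!(status & status_reasons[i].flag)) continue;
        if (reasons > 0 && put(out, outsize, &used, "; ") < 0) return -1;
        if (put(out, outsize, &used, status_reasons[i].text) < 0) return -1;
        reasons++;
    }
    if (reasons == 0)   /* only the generic bit, or bits not in the table */
        return put(out, outsize, &used, "certificate is not trusted (unspecified reason)");
    return reasons;
}

int main(void)
{
    /* Constructed sample: the combination an equality lookup would miss. */
    unsigned status = STATUS_INVALID | STATUS_SIGNER_NOT_FOUND | STATUS_EXPIRED;
    char text[128];
    int n = status_to_text(status, text, sizeof text);

    printf("status 0x%x: %s (%d reasons)\n", status, text, n);
    return n < 0;
}
```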