
[gnutls-dev] Problem with gnutls_certificate_verify_peers2()


From: Victor Stinner
Subject: [gnutls-dev] Problem with gnutls_certificate_verify_peers2()
Date: Wed, 16 May 2007 01:06:19 +0200
User-agent: KMail/1.9.5

Hi,

I'm trying to understand how to use gnutls_certificate_verify_peers2() and how 
the function works. I think that there is a bug in the x509 certificate code:

[gnutls/lib/gnutls_x509.c, near line 181]

   ret = gnutls_x509_crt_list_verify(..., status);
   ...
   if (ret < 0) { ...; return ret; }
   return 0;

[gnutls/lib/x509/verify.c, near line 784]

   int gnutls_x509_crt_list_verify(...)
   {
      *verify = _gnutls_x509_verify_certificate(...);
      return 0;
   }


The _gnutls_x509_verify_certificate() return code (stored in *status) is never 
checked :-/

Problem: gnutls_certificate_verify_peers2() returns 0 even if the certificate 
is invalid :-/

Solutions:
 * Workaround: in application code: 
     * check status value: if (ret < 0 || status != 0) error!
     * NEVER use gnutls_certificate_verify_peers()
 * Fix gnutls: use status value, something like:
      if (status != 0) { gnutls_assert(); return -1; }

This bug looks to be a security bug :-/

Victor Stinner
http://www.inl.fr/
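As an added illustration (not from the post and not GnuTLS code), a self-contained C model of the behaviour reported above: a simulated gnutls_certificate_verify_peers2() that stores the verifier's result in status but always returns 0, beside a caller that checks only the return value and one that applies the post's workaround (ret < 0 || status != 0). The status bit names and the peer structure are constructed stand-ins, not GnuTLS' definitions.

```c
#include <stdio.h>
/* Constructed stand-ins for GnuTLS' verify-status bits (real names and values
 * live in gnutls.h and are not assumed here); the check only needs "status != 0". */
enum { CERT_INVALID = 1u << 0, CERT_REVOKED = 1u << 1,
       CERT_SIGNER_NOT_FOUND = 1u << 2, CERT_EXPIRED = 1u << 3 };
struct peer { const char *name; unsigned int chain_status; }; /* constructed peer model */
/* Simulated gnutls_certificate_verify_peers2() as the post describes it: the
 * verifier's result lands in *status but is never inspected, so the call
 * returns 0 ("success") even when the chain is invalid. */
static int verify_peers2_as_reported(const struct peer *p, unsigned int *status)
{
    *status = p->chain_status;  /* what _gnutls_x509_verify_certificate() found */
    return 0;                   /* bug: status is not consulted */
}

/* Caller that trusts the return value alone: accepts invalid peers. */
int peer_ok_return_only(const struct peer *p)
{
    unsigned int status;
    return verify_peers2_as_reported(p, &status) >= 0;
}

/* Caller following the post's workaround: the call must succeed (ret >= 0)
 * AND the status bitmask must be clear (status == 0). */
int peer_ok_with_status(const struct peer *p)
{
    unsigned int status;
    int ret = verify_peers2_as_reported(p, &status);
    return ret >= 0 && status == 0;
}

/* Log each reason carried by a non-zero status; returns how many were set. */
int log_status_reasons(unsigned int status)
{
    static const struct { unsigned int bit; const char *why; } reasons[] = {
        { CERT_INVALID, "chain invalid" }, { CERT_REVOKED, "certificate revoked" },
        { CERT_SIGNER_NOT_FOUND, "issuer not trusted" }, { CERT_EXPIRED, "certificate expired" } };
    int n = 0;
    for (size_t i = 0; i < sizeof reasons / sizeof reasons[0]; i++)
        if (status & reasons[i].bit) { fprintf(stderr, "verify: %s\n", reasons[i].why); n++; }
    return n;
}
const struct peer good_peer = { "good", 0 };                                   /* constructed */
const struct peer bad_peer  = { "bad", CERT_INVALID | CERT_SIGNER_NOT_FOUND }; /* constructed */
int main(void)
{
    printf("bad peer accepted? ret-only=%d ret+status=%d\n",
           peer_ok_return_only(&bad_peer), peer_ok_with_status(&bad_peer)); /* 1 0 */
    return log_status_reasons(bad_peer.chain_status) == 2 ? 0 : 1;
}
```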
