[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt

From: Howard Chu
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Fri, 15 Feb 2008 11:05:50 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

Nikos Mavrogiannopoulos wrote:
Indeed I'll try to improve this patch to work only for formats known
to be text.

The code was perfectly correct before this patch. Why do you want to change anything here at all? I looked in the gnutls-devel archives and couldn't find any discussion of this change. It would be nice to understand what you're trying to accomplish here, given that there are large bodies of code already written that expect the existing behavior of GnuTLS 2.1.7 and older.

On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton<address@hidden>  wrote:
On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
  >  Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
  >  you're seeing. The change is here:
  >  and it is clearly a bug, since subjectAltName's are not necessarily
  >  strings. (E.g., they can also be IP addresses, which are just 4 or 16
  >  octets.) If you notice in the diff, they set
  >         *name_size = len + 1;
  >  and then later
  >        name[len] = 0;
  >  but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
  >  can cause a write past the end of the supplied buffer.
  >  This patch should be reverted, it is clearly wrong.

  FWIW, I agree.  neon's test cases for subjectAltName support are
  breaking with 2.3.0 as well.  Reverting the changeset Howard referenced
  fixes the issues.

  -- Howard Chu
  Chief Architect, Symas Corp.
  Director, Highland Sun
  Chief Architect, OpenLDAP

reply via email to

[Prev in Thread] Current Thread [Next in Thread]