[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: solutions
From: |
Simon Josefsson |
Subject: |
Re: solutions |
Date: |
Fri, 07 Aug 2009 00:22:10 +0200 |
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.1.50 (gnu/linux) |
Nikos Mavrogiannopoulos <address@hidden> writes:
> Simon Josefsson wrote:
>> Having had some time to read the code, here are some observations:
>>
>> * The old _gnutls_x509_oid_data2string in lib/x509/common.c is buggy
>> since it truncates the string after a NUL (it copies the string using
>> strcpy instead of memcpy). The RES_SIZE length output variable is
>> correct though, but output data beyond the NUL will be garbage.
>>
>> * I can see a few ways to solve the problem:
>>
>> 1) Make _gnutls_x509_oid_data2string escape NULs as \00 following RFC
>> 2253.
>>
>> 2) Use memcpy instead of strcpy and change the documentation of the
>> function to say that the returned string may contain embedded NULs,
>> and fix the callers of that function.
>>
>> 3) Return a RFC 2253 #-style string for these strings.
>>
>> 4) Return an error when a NUL is encountered.
>
> 4 is just ok. One could do 1 if he really bothers, but there is no
> reason for that. Even though IA5 string allows for null character there
> is no reason for us to allow it. It is the null terminator for C strings
> thus allowing it can cause only problems and complicated code.
I agree. I have applied the patch. It is not sufficient alone: NUL in
SAN is not covered by that code path, but RedHat supplied a fix for the
hostname comparison functions. What remains is to make sure printing a
certificate with NUL in SAN comes out OK.
/Simon
- Re: solutions, Simon Josefsson, 2009/08/03
- Re: solutions, Simon Josefsson, 2009/08/03
- Re: solutions, Nikos Mavrogiannopoulos, 2009/08/04
- Re: solutions, Simon Josefsson, 2009/08/04
- Re: solutions, Nikos Mavrogiannopoulos, 2009/08/04
- Re: solutions, Simon Josefsson, 2009/08/05
- Re: solutions, Nikos Mavrogiannopoulos, 2009/08/05
- Re: solutions,
Simon Josefsson <=
- please test imminent 2.8.x release, Simon Josefsson, 2009/08/06
- Re: please test imminent 2.8.x release, Tim Kosse, 2009/08/07
- Re: please test imminent 2.8.x release, Simon Josefsson, 2009/08/10
- Re: please test imminent 2.8.x release, Tomas Hoger, 2009/08/10
- Re: please test imminent 2.8.x release, Simon Josefsson, 2009/08/10
- Re: please test imminent 2.8.x release, Tomas Mraz, 2009/08/10
Re: solutions, Werner Koch, 2009/08/04