[gnurl] 237/264: GnuTLS: Don't skip really long certificate fields
From: gnunet
Subject: [gnurl] 237/264: GnuTLS: Don't skip really long certificate fields
Date: Thu, 30 Apr 2020 16:09:00 +0200
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit 2d137dedb3fa266500d5b33f5cca7846e123e6a5
Author: Emil Engler <address@hidden>
AuthorDate: Mon Apr 20 12:11:54 2020 +0200
GnuTLS: Don't skip really long certificate fields
Closes #5271
---
docs/KNOWN_BUGS | 7 -------
lib/vtls/gtls.c | 27 +++++++++++++++------------
2 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
index 1cbc76514..93cb36902 100644
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -25,7 +25,6 @@ problems may have been fixed or changed somewhat since this
was written!
2. TLS
2.1 CURLINFO_SSL_VERIFYRESULT has limited support
2.2 DER in keychain
- 2.3 GnuTLS backend skips really long certificate fields
2.4 DarwinSSL won't import PKCS#12 client certificates without a password
2.5 Client cert handling with Issuer DN differs between backends
2.6 CURL_GLOBAL_SSL
@@ -209,12 +208,6 @@ problems may have been fixed or changed somewhat since
this was written!
Curl doesn't recognize certificates in DER format in keychain, but it works
with PEM. https://curl.haxx.se/bug/view.cgi?id=1065
-2.3 GnuTLS backend skips really long certificate fields
-
- libcurl calls gnutls_x509_crt_get_dn() with a fixed buffer size and if the
- field is too long in the cert, it'll just return an error and the field will
- be displayed blank.
-
2.4 DarwinSSL won't import PKCS#12 client certificates without a password
libcurl calls SecPKCS12Import with the PKCS#12 client certificate, but that
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 01dbf850a..4ed3ea5cf 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -802,7 +802,8 @@ gtls_connect_step3(struct connectdata *conn,
unsigned int verify_status = 0;
gnutls_x509_crt_t x509_cert, x509_issuer;
gnutls_datum_t issuerp;
- char certbuf[256] = ""; /* big enough? */
+ gnutls_datum_t certfields;
+ char certname[65] = ""; /* limited to 64 chars by ASN.1 */
size_t size;
time_t certclock;
const char *ptr;
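Review bot: the new certname[65] buffer keeps a fixed size for the common name, so the CN path can still fail on a long field even though the commit title says long fields are no longer skipped. RFC 5280's ub-common-name is 64, but not every issuer enforces that bound, and a longer CN makes gnutls_x509_crt_get_dn_by_oid() return GNUTLS_E_SHORT_MEMORY_BUFFER with the required length left in size; consider sizing the buffer from that first call, the way the later hunks let gnutls_x509_crt_get_dn2() allocate. The comment on certfields should also say that its .data member is allocated by GnuTLS and must be released with gnutls_free().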
@@ -1036,11 +1037,11 @@ gtls_connect_step3(struct connectdata *conn,
SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
}
- size = sizeof(certbuf);
+ size = sizeof(certname);
rc = gnutls_x509_crt_get_dn_by_oid(x509_cert, GNUTLS_OID_X520_COMMON_NAME,
0, /* the first and only one */
FALSE,
- certbuf,
+ certname,
&size);
if(rc) {
infof(data, "error fetching CN from cert:%s\n",
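Review bot: the `if(rc)` check treats GNUTLS_E_SHORT_MEMORY_BUFFER like any other failure, so a CN longer than the 64-character buffer is logged as "error fetching CN" and certname stays empty, which is the truncation this commit set out to remove. Suggest checking for the short-buffer code separately and logging that the CN was too long, so an operator can tell a long field from a malformed one.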
@@ -1101,16 +1102,16 @@ gtls_connect_step3(struct connectdata *conn,
if(SSL_CONN_CONFIG(verifyhost)) {
failf(data, "SSL: certificate subject name (%s) does not match "
- "target host name '%s'", certbuf, dispname);
+ "target host name '%s'", certname, dispname);
gnutls_x509_crt_deinit(x509_cert);
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
- certbuf, dispname);
+ certname, dispname);
}
else
- infof(data, "\t common name: %s (matched)\n", certbuf);
+ infof(data, "\t common name: %s (matched)\n", certname);
/* Check for time-based validity */
certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
@@ -1195,9 +1196,10 @@ gtls_connect_step3(struct connectdata *conn,
gnutls_x509_crt_get_version(x509_cert));
- size = sizeof(certbuf);
- gnutls_x509_crt_get_dn(x509_cert, certbuf, &size);
- infof(data, "\t subject: %s\n", certbuf);
+ rc = gnutls_x509_crt_get_dn2(x509_cert, &certfields);
+ if(rc != 0)
+ return CURLE_OUT_OF_MEMORY;
+ infof(data, "\t subject: %s\n", certfields.data);
certclock = gnutls_x509_crt_get_activation_time(x509_cert);
showtime(data, "start date", certclock);
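Review bot: the datum filled by gnutls_x509_crt_get_dn2() is allocated by GnuTLS and nothing in this hunk frees it; add gnutls_free(certfields.data) after the infof(). The early `return CURLE_OUT_OF_MEMORY` also skips the gnutls_x509_crt_deinit(x509_cert) that the other error path in this function performs before returning, and it maps every failure to out-of-memory although the call can also fail on a DN it cannot decode; since this is verbose-only output, logging gnutls_strerror(rc) and continuing, or routing through the existing deinit, would be safer than aborting the connection.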
@@ -1205,9 +1207,10 @@ gtls_connect_step3(struct connectdata *conn,
certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
showtime(data, "expire date", certclock);
- size = sizeof(certbuf);
- gnutls_x509_crt_get_issuer_dn(x509_cert, certbuf, &size);
- infof(data, "\t issuer: %s\n", certbuf);
+ rc = gnutls_x509_crt_get_issuer_dn2(x509_cert, &certfields);
+ if(rc != 0)
+ return CURLE_OUT_OF_MEMORY;
+ infof(data, "\t issuer: %s\n", certfields.data);
#endif
gnutls_x509_crt_deinit(x509_cert);
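Review bot: same leak as the subject hunk: certfields is reused for the issuer DN, so the subject allocation from the previous hunk is overwritten without gnutls_free() and the issuer allocation is never released either, and the early return on `rc != 0` again bypasses the gnutls_x509_crt_deinit(x509_cert) that follows the #endif. Suggest freeing certfields.data after each infof() and sending the failure through the existing cleanup path.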