[gnutls-dev] Re: [Fwd: crash in GNUTLS-1.4.0]

Simon Josefsson jas at extundo.com
Sat Aug 12 01:21:57 CEST 2006


With some guess-work, I was able to reproduce the problem, and the
patch is below.  I'm not yet sure what it is that trigger the problem.
If I replace the server key/certificate with another pair, it doesn't
crash, and if I instead replace the CA certificate with another CA
certificate, it doesn't crash either.  So it seems it is a combination
with the particular CA certificate and server key/certificate that you
sent.

I'm going away over the weekend, so if anybody here wants to analyze
this further, that would be appreciated.  Here is the recipe to
reproduce the crash:

$ gnutls-serv --x509keyfile key.pem --x509certfile newcert.pem
...
$ gnutls-cli --x509cafile cacert.pem --port 5556 localhost

I'm labeling this problem as GNUTLS-SA-2006-02 because, under some
unclear situations, it is a remotely triggered crash of clients.

/Simon

Index: gnutls_algorithms.c
===================================================================
RCS file: /cvs/gnutls/gnutls/lib/gnutls_algorithms.c,v
retrieving revision 2.156
retrieving revision 2.157
diff -u -p -r2.156 -r2.157
--- gnutls_algorithms.c	15 Dec 2005 13:24:29 -0000	2.156
+++ gnutls_algorithms.c	11 Aug 2006 22:40:36 -0000	2.157
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
  *
  * Author: Nikos Mavroyanopoulos
  *
@@ -563,7 +563,7 @@ _gnutls_x509_oid2mac_algorithm (const ch
 {
   gnutls_mac_algorithm_t ret = 0;
 
-  GNUTLS_HASH_LOOP (if (strcmp (oid, p->oid) == 0)
+  GNUTLS_HASH_LOOP (if (p->oid && strcmp (oid, p->oid) == 0)
 		    {
 		    ret = p->id; break;}
   );
-------------- next part --------------
A non-text attachment was scrubbed...
Name: newcert.pem
Type: application/octet-stream
Size: 3181 bytes
Desc: not available
Url : /pipermail/attachments/20060812/e6b26304/newcert.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: key.pem
Type: application/octet-stream
Size: 887 bytes
Desc: not available
Url : /pipermail/attachments/20060812/e6b26304/key.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.pem
Type: application/octet-stream
Size: 1009 bytes
Desc: not available
Url : /pipermail/attachments/20060812/e6b26304/cacert.obj


More information about the Gnutls-dev mailing list