[gnutls-dev] Problem with gnutls_certificate_verify_peers2()

Victor Stinner victor at inl.fr
Wed May 16 01:06:19 CEST 2007


Hi,

I'm trying to understand how to use gnutls_certificate_verify_peers2() and how 
the function works. I think that there is a bug in x509 certificate code:

[gnutls/lib/gnutls_x509.c, near line 181]

   ret = gnutls_x509_crt_list_verify(..., status);
   ...
   if (ret < 0) { ...; return ret; }
   return 0;

[gnutls/lib/x509/verify.c, near line 784]

   int gnutls_x509_crt_list_verify(...)
   {
      *verify = _gnutls_x509_verify_certificate(...);
      return 0;
   }


The return code of _gnutls_x509_verify_certificate() (stored in *status) is never 
checked :-/

Problem: gnutls_certificate_verify_peers2() returns 0 even if the certificate 
is invalid :-/

Solutions:
 * Workaround: in application code: 
     * check status value: if (ret < 0 || status != 0) error!
     * NEVER use gnutls_certificate_verify_peers()
 * Fix gnutls: use status value, something like:
      if (status != 0) { gnutls_assert(); return -1; }

This bug looks to be a security bug :-/

Victor Stinner
http://www.inl.fr/
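An added example, not code from the post above or from GnuTLS, of the workaround it recommends: judge the result of gnutls_certificate_verify_peers2() by both the return code and the status bitmask, never by the return code alone. The CERT_* values are assumed to mirror the GNUTLS_CERT_* bits of gnutls_certificate_status_t in <gnutls/gnutls.h> and are repeated so the file builds without the library; the call site shown in the comment is the assumed usage.

```c
/* Assumed call site with GnuTLS present:
 *     unsigned int status; char why[128];
 *     int ret = gnutls_certificate_verify_peers2(session, &status);
 *     if (!trusted_fixed(ret, status, why, sizeof why)) abort_handshake(why);
 */
#include <stdio.h>
#include <string.h>

/* Bit values assumed to match GNUTLS_CERT_* in <gnutls/gnutls.h>. */
#define CERT_INVALID              2   /* GNUTLS_CERT_INVALID */
#define CERT_REVOKED             32   /* GNUTLS_CERT_REVOKED */
#define CERT_SIGNER_NOT_FOUND    64   /* GNUTLS_CERT_SIGNER_NOT_FOUND */
#define CERT_SIGNER_NOT_CA      128   /* GNUTLS_CERT_SIGNER_NOT_CA */
#define CERT_INSECURE_ALGORITHM 256   /* GNUTLS_CERT_INSECURE_ALGORITHM */

/* The pattern the post warns about: only the return code is consulted,
 * so an invalid chain (ret == 0, status != 0) is accepted. */
int trusted_buggy(int ret, unsigned int status)
{
    (void)status;
    return ret == 0;
}

/* Correct pattern: ret < 0 is a hard error (no peer certificate, wrong
 * credential type, ...), and ANY non-zero status bit means "do not trust".
 * Returns 1 if the peer may be trusted, else 0 with a reason in `reason`. */
int trusted_fixed(int ret, unsigned int status, char *reason, size_t len)
{
    static const struct { unsigned int bit; const char *text; } flags[] = {
        { CERT_INVALID,            "certificate invalid" },
        { CERT_REVOKED,            "certificate revoked" },
        { CERT_SIGNER_NOT_FOUND,   "issuer not in trust store" },
        { CERT_SIGNER_NOT_CA,      "issuer is not a CA" },
        { CERT_INSECURE_ALGORITHM, "insecure signature algorithm" },
    };
    size_t i;

    reason[0] = '\0';
    if (ret < 0) {
        snprintf(reason, len, "verification call failed (%d)", ret);
        return 0;
    }
    if (status == 0)
        return 1;                          /* chain verified, no flags */
    for (i = 0; i < sizeof flags / sizeof flags[0]; i++)
        if (status & flags[i].bit) {
            if (reason[0]) strncat(reason, "; ", len - strlen(reason) - 1);
            strncat(reason, flags[i].text, len - strlen(reason) - 1);
        }
    if (reason[0] == '\0')                 /* bit we do not know: still reject */
        snprintf(reason, len, "unknown status bits 0x%x", status);
    return 0;
}
```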