[gnutls-dev] [PATCH] error handling large CA files

Ian Peters itp at ximian.com
Tue Mar 11 22:51:01 CET 2003


In lib/gnutls_x509.c, the functions read_cert_file, read_ca_file, and
read_key_file all read into a stack-allocated buffer of MAX_FILE_SIZE,
which is defined as 1024*100.  The default CA file that comes with most
web browsers exceeds this (it is closer to 245k).  This means that the
file is truncated, and parse_pem_cert_mem only sees part of the file,
resulting in only some of the trusted certificates being loaded.
Because of the PEM file format, this is not a fatal error, and program
execution continues, but some certificates that should be trusted are
not.

The attached patch fixes these three functions to read the passed file into
a heap-allocated buffer, parse the memory, and then free the buffer.
You'll probably want to tweak things to fit into gnutls better
stylistically.

Ian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls-0.8.4-large-ca-file.patch
Type: text/x-patch
Size: 2804 bytes
Desc: not available
URL: </pipermail/attachments/20030311/8dfb42b6/attachment.bin>
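To make the failure mode concrete, here is an added example (not the attached patch and not gnutls code): a file reader that grows a heap buffer instead of stopping at a fixed size, plus a PEM block counter run on a constructed fake bundle with and without a simulated 100 KB cap. The function names, the 119-byte fake block layout and the file path are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----\n"
#define PEM_END   "-----END CERTIFICATE-----\n"
/* Read a whole file into a heap buffer that grows as needed (hypothetical helper,
 * not gnutls code). Returns a NUL-terminated buffer the caller frees; NULL on error. */
char *read_whole_file(const char *path) {
    FILE *fp = fopen(path, "rb");
    size_t cap = 4096, n = 0;
    char *buf = fp ? malloc(cap + 1) : NULL;
    while (buf) {
        n += fread(buf + n, 1, cap - n, fp);
        if (n < cap) break;                       /* short read: EOF or error */
        char *tmp = realloc(buf, 2 * cap + 1);
        if (!tmp) { free(buf); buf = NULL; } else { buf = tmp; cap *= 2; }
    }
    if (buf && ferror(fp)) { free(buf); buf = NULL; }   /* never return partial data */
    if (fp) fclose(fp);
    if (buf) buf[n] = '\0';
    return buf;
}

/* Count BEGIN markers; every block past a truncation point is silently lost. */
int count_pem_certs(const char *buf) {
    int n = 0;
    for (const char *p = buf; (p = strstr(p, PEM_BEGIN)) != NULL; n++)
        p += strlen(PEM_BEGIN);
    return n;
}

/* Non-zero `limit` keeps only the first `limit` bytes, mimicking the old fixed
 * MAX_FILE_SIZE stack buffer; 0 parses the whole file. Returns -1 on read error. */
int count_certs_in_file(const char *path, size_t limit) {
    char *buf = read_whole_file(path);
    if (!buf) return -1;
    if (limit && strlen(buf) > limit) buf[limit] = '\0';
    int count = count_pem_certs(buf);
    free(buf);
    return count;
}

/* Write `nblocks` constructed fake PEM blocks (not real certificates), 119 bytes each. */
int write_fake_ca_file(const char *path, int nblocks) {
    FILE *fp = fopen(path, "wb");
    if (!fp) return -1;
    for (int i = 0; i < nblocks; i++)   /* 64 hex digits stand in for the base64 body */
        fprintf(fp, "%s%064x\n%s", PEM_BEGIN, (unsigned)i, PEM_END);
    return fclose(fp);
}
```

With 2100 fake blocks (about 250 KB, the size of a browser CA bundle) the 100 KB cap yields only the first 861 blocks, while the growing buffer yields all 2100.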