[gnutls-dev] [PATCH] error handling large CA files

Nikos Mavroyanopoulos nmav at gnutls.org
Wed Mar 12 11:58:02 CET 2003

On Tue, Mar 11, 2003 at 04:41:39PM -0500, Ian Peters wrote:

> In lib/gnutls_x509.c, the functions read_cert_file, read_ca_file, and
> read_key_file all read into a stack-allocated buffer of MAX_FILE_SIZE,
> which is defined as 1024*100.  The default CA file that comes with most
> web browsers exceeds this (it is closer to 245k).  This means that the
> file is truncated, and parse_pem_cert_mem only sees part of the file,
> resulting in only some of the trusted certificates being loaded. 
> Because of the pem file format, this is not a fatal error, and program
> execution continues, but some certificates that should be trusted are
> not.
> The attached patch fixes these three functions to read the passed file into
> a heap-allocated buffer, parse the memory, and then free the buffer.
> You'll probably want to tweak things to fit into gnutls better
> stylistically.

It is already solved in the 0.9.0 release, but this has the problem of loading
the whole file into memory. 

I'm now working on something that will allow reading mmapped file regions. That
will need a strnstr implementation which is not available in gnu libc (thus
I'll have to implement it or get it from somewhere).

> Ian

Nikos Mavroyanopoulos
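The silent truncation the report describes, and the whole-file read the patch proposes, as an added illustration that is not code from this thread or from gnutls: it assumes a constructed PEM-style bundle of filler blocks written to a tmpfile(), and uses a length-bounded search in place of the strnstr the reply says glibc lacks.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILE_SIZE (1024 * 100)   /* the fixed cap named in the report */
#define BEGIN_MARK "-----BEGIN CERTIFICATE-----"
#define END_MARK   "-----END CERTIFICATE-----"

/* Bounded search: file data is not NUL-terminated, so strstr would over-read (the strnstr gap the reply mentions). */
static const char *bounded_find(const char *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0) return hay + i;
    return NULL;
}
/* Count complete BEGIN/END blocks; a block cut off by truncation is silently dropped, the quiet failure the report describes. */
int count_pem_certs(const char *buf, size_t len)
{
    int count = 0;
    const char *p = buf, *end = buf + len, *b, *e;
    while ((b = bounded_find(p, (size_t)(end - p), BEGIN_MARK)) &&
           (e = bounded_find(b, (size_t)(end - b), END_MARK)))
        count++, p = e + strlen(END_MARK);
    return count;
}
/* Constructed bundle in a temp file: ncerts blocks of 394 bytes each (20 filler lines, not real base64). */
FILE *make_bundle(int ncerts)
{
    FILE *fp = tmpfile();
    for (int i = 0; fp && i < ncerts; i++) {
        fputs(BEGIN_MARK "\n", fp);
        for (int l = 0; l < 20; l++) fputs("AAAAAAAA" "AAAAAAAA" "\n", fp);
        fputs(END_MARK "\n", fp);
    }
    return fp;
}
/* Read at most `limit` bytes into a heap buffer and count what the parser sees:
 * limit = MAX_FILE_SIZE mirrors the truncating read_* functions, limit = 0 reads the whole file. */
int certs_seen(FILE *fp, size_t limit)
{
    fseek(fp, 0, SEEK_END);
    long size = ftell(fp);
    size_t want = limit && limit < (size_t)size ? limit : (size_t)size;
    char *buf = malloc(want);
    rewind(fp);
    int n = buf ? count_pem_certs(buf, fread(buf, 1, want, fp)) : -1;
    free(buf);
    return n;
}
```

With 300 constructed blocks (118,200 bytes) the capped read sees only 259 of them and reports no error.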
