(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Feb 15 21:16:24 CET 2008


On Friday 15 February 2008, Howard Chu wrote:
> Nikos Mavrogiannopoulos wrote:
> > Indeed I'll try to improve this patch to work only for formats known
> > to be text.
>
> The code was perfectly correct before this patch. Why do you want to change
> anything here at all? I looked in the gnutls-devel archives and couldn't
> find any discussion of this change. It would be nice to understand what
> you're trying to accomplish here, given that there are large bodies of code
> already written that expect the existing behavior of GnuTLS 2.1.7 and
> older.

Well, it depends on the definition of correct. It didn't null terminate 
printable strings, and this was so correct for me. Anyway, does the attached 
patch solve your problem?

regards,
Nikos
-------------- next part --------------
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index f1dd604..9713a97 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -888,6 +888,15 @@ gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits)
 
 }
 
+inline static int is_type_printable(int type)
+{
+      if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
+        type == GNUTLS_SAN_URI) 
+        return 1;
+      else
+        return 0;
+}
+
 #define XMPP_OID "1.3.6.1.5.5.7.8.5"
 
 /* returns the type and the name on success.
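Review bot: `is_type_printable` has no comment saying what "printable" means for its caller, namely that the name will be NUL-terminated and so needs one extra byte reserved; add that, and note why the XMPP otherName (XMPP_OID is defined immediately below) is not in the list, since the text-vs-binary distinction is exactly what the function exists to encode. Minor: `static inline` is the conventional order, the body can simply be `return (type == GNUTLS_SAN_DNSNAME || ... );`, and the `GNUTLS_SAN_URI)` line carries trailing whitespace.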
@@ -1030,18 +1039,29 @@ parse_general_name (ASN1_TYPE src, const char *src_name,
 
       len = *name_size;
       result = asn1_read_value (src, nptr, name, &len);
-      *name_size = len + 1;
 
-      if (result == ASN1_MEM_ERROR)
-	return GNUTLS_E_SHORT_MEMORY_BUFFER;
-      
+      if (is_type_printable(type))
+        len++;
+
+      if (result == ASN1_MEM_ERROR || len > *name_size) 
+        {
+          *name_size = len;
+  	  return GNUTLS_E_SHORT_MEMORY_BUFFER;
+        }
+    
+      *name_size = len;
+
       if (result != ASN1_SUCCESS)
 	{
 	  gnutls_assert ();
 	  return _gnutls_asn2err (result);
 	}
       
-      ((char*)name)[len] = 0;
+      if (is_type_printable(type))
+        { /* null terminate it */
+          ((char*)name)[*name_size] = 0; 
+        }
+
     }
 
   return type;
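Review bot: the NUL terminator is written one byte past the space the length check reserves for it. On success `asn1_read_value` leaves `len` as the data length L (bytes 0..L-1); `len++` makes it L+1, `len > *name_size` only guarantees the buffer holds L+1 bytes (indices 0..L), and then `*name_size = len` followed by `((char*)name)[*name_size] = 0` writes index L+1, i.e. one past the end. The terminator belongs at index L, so it should read `((char*)name)[*name_size - 1] = 0;` (or keep the unincremented length in a separate variable and use it for both the check and the store). Also, the `return GNUTLS_E_SHORT_MEMORY_BUFFER;` line mixes tabs and spaces for its indentation while the surrounding added lines use spaces.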
