(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName

Howard Chu hyc at symas.com
Fri Feb 15 20:05:50 CET 2008

Nikos Mavrogiannopoulos wrote:
> Indeed I'll try to improve this patch to work only for formats known
> to be text.

The code was perfectly correct before this patch. Why do you want to change 
anything here at all? I looked in the gnutls-devel archives and couldn't find 
any discussion of this change. It would be nice to understand what you're 
trying to accomplish here, given that there are large bodies of code already 
written that expect the existing behavior of GnuTLS 2.1.7 and older.

> On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton<joe at manyfish.co.uk>  wrote:
>> On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
>>   >  Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
>>   >  you're seeing. The change is here:
>>   >  http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
>>   >
>>   >  and it is clearly a bug, since subjectAltName's are not necessarily
>>   >  strings. (E.g., they can also be IP addresses, which are just 4 or 16
>>   >  octets.) If you notice in the diff, they set
>>   >         *name_size = len + 1;
>>   >  and then later
>>   >        name[len] = 0;
>>   >  but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
>>   >  can cause a write past the end of the supplied buffer.
>>   >
>>   >  This patch should be reverted, it is clearly wrong.
>>   FWIW, I agree.  neon's test cases for subjectAltName support are
>>   breaking with 2.3.0 as well.  Reverting the changeset Howard referenced
>>   fixes the issues.

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/

More information about the Gnutls-devel mailing list