[gnutls-devel] GnuTLS | Fix removal of duplicate certs during verification (!1653)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Oct 17 11:53:19 CEST 2022




Daiki Ueno commented on a discussion on lib/x509/verify-high.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1653#note_1137720424

> -		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
> -			sorted_size = _gnutls_sort_clist(&cert_list[i],
> -							 cert_list_size - i);
> -		}
> -
> -		/* Remove duplicates. Start with index 1, as the first element
> -		 * may be re-checked after issuer retrieval. */
> -		for (j = 1; j < sorted_size; j++) {
> -			if (cert_set_contains(&cert_set, cert_list[i + j])) {
> -				if (i + j < cert_list_size - 1) {
> -					memmove(&cert_list[i + j],
> -						&cert_list[i + j + 1],
> -						sizeof(cert_list[i]));
> +	/* Remove duplicates */
> +	for (i = 0; i < cert_list_size - 1 && cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ++i) {
> +		for (j = i + 1; j < cert_list_size && cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ++j) {
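
Review bot: In both added `for` headers, `cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH` is re-tested on every iteration, and the one-line comment does not say that a list longer than that limit skips duplicate removal entirely. If the loop body only ever shrinks `cert_list_size`, a single `if` guard before the outer loop, with a comment stating that intent, would read more clearly. The outer bound `i < cert_list_size - 1` also relies on the list being non-empty if `cert_list_size` is an unsigned type; `i + 1 < cert_list_size` does not.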

@ZoltanFridrich the code is:
```c
			memmove(set->node[hash].certs[i],
				set->node[hash].certs[i + 1],
				(set->node[hash].size - i - 1) *
				sizeof(cert));
```
which is trying to remove the gap by moving the following memory areas by one entry ahead, so there is an overlap I think.

But the code is a little sketchy; I guess we could better use a hash table provided by gnulib instead.

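The gap-closing `memmove()` discussed in the comment above, as an added example that is not part of the original message or of GnuTLS: it shows the overlapping move with the length computed as "trailing entries times entry size", used to drop duplicates from a list in place. The helper names `remove_at` and `dedup_list`, and the strings standing in for certificates, are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: close the gap at list[idx] by shifting the tail
 * left by one entry. Source and destination overlap, so this must be
 * memmove(), and the length is the number of trailing entries times
 * the entry size, not the size of a single entry. */
static void remove_at(const char **list, size_t *size, size_t idx)
{
	if (idx + 1 < *size)
		memmove(&list[idx], &list[idx + 1],
			(*size - idx - 1) * sizeof(list[0]));
	(*size)--;
}

/* Hypothetical helper: drop later duplicates, keeping first occurrences
 * in order. Entries are compared by string value here; a real caller
 * would compare certificates. Returns the new length. */
static size_t dedup_list(const char **list, size_t size)
{
	size_t i, j;

	for (i = 0; i + 1 < size; i++) {
		for (j = i + 1; j < size;) {
			if (strcmp(list[i], list[j]) == 0)
				remove_at(list, &size, j); /* re-check new list[j] */
			else
				j++;
		}
	}
	return size;
}

/* Constructed sample chain with a repeated leaf and a CA repeated twice. */
static size_t dedup_sample(const char **out)
{
	const char *chain[] = { "leaf", "ca", "leaf", "root", "ca", "ca" };
	size_t n = dedup_list(chain, sizeof(chain) / sizeof(chain[0]));

	memcpy(out, chain, n * sizeof(chain[0]));
	return n;
}
```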

