[gnutls-help] Can a malicious/malformed DNS name pass gnutls_certificate_verify_peers function?
Thomas Deutschmann
whissi at gentoo.org
Mon Mar 26 16:06:25 CEST 2018
Hi,
I am currently auditing a program which was, while looking for a valid
peer name, looping through alternative names list like:
> char szAltName[1024];
> int iAltName;
> char allNames[32*1024];
> int iAllNames;
> size_t szAltNameLen;
>
> [...]
>
> while(!bFoundName) {
>     szAltNameLen = sizeof(szAltName);
>     gnuRet = gnutls_x509_crt_get_subject_alt_name(cert, iAltName,
>                                                   szAltName, &szAltNameLen, NULL);
>     if(gnuRet < 0)
>         break;
>     else if(gnuRet == GNUTLS_SAN_DNSNAME) {
>         iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,
>                               "DNSname: %s; ", szAltName);
>         myCustomPeerNameValidator(szAltName, &bFoundName);
>     }
>     ++iAltName;
> }
>
> [...]
Like you probably already noticed, "snprintf" usage is invalid and can be
exploited using a crafted certificate with a lot of large SANs.
However, I am wondering if an attack would be very limited because before
this code runs, the program calls the "gnutls_certificate_verify_peers2"
function on that certificate. I.e. does GnuTLS guarantee at this stage
that any certificate validated using this function only contains
valid dnsNames (i.e. IA5String values) or not?
Thanks.
--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
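As an added example (not code from the mail above, from GnuTLS, or from the audited program): the quoted loop accumulates snprintf's return value, which is the length the call *wanted* to write, not what fit; once iAllNames overshoots the buffer, the int is converted to size_t in sizeof(allNames)-iAllNames and the "remaining" size wraps to a huge value, so the next snprintf is unbounded. The block below shows that wrap in isolation and a bounded append that clamps instead. It does not link GnuTLS; san_list[] is a constructed stand-in for the names gnutls_x509_crt_get_subject_alt_name() would return, and ALL_NAMES_CAP is deliberately tiny so the overflow path is exercised.

```c
/* Added example: bounded accumulation of SAN strings (stand-in names, no GnuTLS). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ALL_NAMES_CAP 64   /* small on purpose; the mail's buffer was 32*1024 */

struct namebuf {
    char buf[ALL_NAMES_CAP];
    size_t used;       /* bytes written so far, excluding the terminating NUL */
    int truncated;     /* set once an append no longer fits */
};

/* What the quoted code hands snprintf as its size once iAllNames has passed
 * the end of the buffer: int converted to size_t, so the subtraction wraps. */
static size_t quoted_size_expr(int iAllNames)
{
    return sizeof(char[ALL_NAMES_CAP]) - iAllNames;
}

/* Append one formatted name without ever advancing `used` past the buffer.
 * Returns 1 if the whole text fit, 0 if it was truncated or the buffer was full. */
static int nb_appendf(struct namebuf *nb, const char *fmt, const char *arg)
{
    if (nb->used >= sizeof nb->buf - 1) { nb->truncated = 1; return 0; }
    size_t room = sizeof nb->buf - nb->used;          /* cannot wrap: used < cap */
    int n = snprintf(nb->buf + nb->used, room, fmt, arg);
    if (n < 0) { nb->truncated = 1; return 0; }
    if ((size_t)n >= room) {
        /* snprintf reports the length it wanted; clamp instead of adding it */
        nb->used = sizeof nb->buf - 1;
        nb->truncated = 1;
        return 0;
    }
    nb->used += (size_t)n;
    return 1;
}

/* Mirror of the quoted loop over a constructed name list instead of a cert.
 * Returns how many names were fully recorded; stops at the first one that
 * does not fit rather than formatting into a full buffer. */
static int collect_dns_names(struct namebuf *nb, const char *const *names, int count)
{
    int recorded = 0;
    nb->used = 0; nb->truncated = 0; nb->buf[0] = '\0';
    for (int i = 0; i < count; i++) {
        if (!nb_appendf(nb, "DNSname: %s; ", names[i]))
            break;
        recorded++;
    }
    return recorded;
}

/* Constructed sample: two ordinary names, one oversized label, one more after it. */
static const char *const san_list[] = {
    "example.test",
    "www.example.test",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.test",
    "after.test",
};
#define SAN_COUNT (sizeof san_list / sizeof san_list[0])

int main(void)
{
    struct namebuf nb;
    int n = collect_dns_names(&nb, san_list, (int)SAN_COUNT);
    printf("recorded %d of %d names, used %zu/%d bytes, truncated=%d\n%s\n",
           n, (int)SAN_COUNT, nb.used, ALL_NAMES_CAP, nb.truncated, nb.buf);
    printf("size the quoted expression yields after overshooting by 6: %zu\n",
           quoted_size_expr(ALL_NAMES_CAP + 6));
    return 0;
}
```

With the 64-byte buffer the first two names (23 and 27 bytes) fit, the third is clamped and the loop stops, so `used` stays at 63 and equals strlen(buf). The separate size check also illustrates why the fix belongs in the append helper: the original expression produces a value near SIZE_MAX as soon as the int counter exceeds the buffer, regardless of how large the buffer is.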