[mod_gnutls-devel] Certificates not always exported to environment

Benny Baumann BenBE at geshi.org
Tue Feb 18 09:59:26 CET 2014


Hi,

while skimming through the code I noticed a minor bug (which I currently
could not yet trigger due to lack of a sufficiently large certificate,
although getting one shouldn't be too hard) which causes mod_gnutls to
fail to export the server and client certificate when the PEM encoding
of the certificate is more than 10 KiB.

The reason: mod_gnutls uses a static buffer to hold the encoded
certificate information and thus will fail to put the encoded
certificate into the buffer.

What happens: If you supply a certificate large enough to not fit into
the buffer (about 7 KiB, which should be possible to do with a well-crafted
16k RSA key with a non-standard exponent, or a 40k RSA key with the standard
exponent, OR a CA putting LOTS of extensions in) you can cause mod_gnutls to
skip exporting this certificate to a client process like fcgi. If the client
process relies on the certificate being present it will see that a
certificate was supplied (by means of the other variables in the
environment) but won't see the actual certificate and thus might fail
authentication or other functions relying on the presence of the
exported certificate.

What should happen: Use a dynamic buffer which is allocated using the
size returned by the function exporting the certificate so that the
buffer is always large enough.

Implications: The current buffer is allocated on stack and thus might be
an attack vector if the GnuTLS routine used was prone to a buffer overrun.

Regards,
BenBE.
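The static-buffer failure and the size-query fix described in the message above, as an added C example that is not from the mod_gnutls code base: `crt_export` is a stand-in that follows the size-in/size-out contract of `gnutls_x509_crt_export` (an assumption about that API, not GnuTLS code), and `make_fake_pem` builds a constructed PEM-shaped string rather than a real certificate, so the block runs without GnuTLS.

```c
#include <stdlib.h>
#include <string.h>
#define E_SHORT_BUFFER (-51)  /* stands in for GNUTLS_E_SHORT_MEMORY_BUFFER */

/* Stand-in for gnutls_x509_crt_export() (assumed contract, not GnuTLS code):
 * copy the PEM into out if it fits, else store the size needed in *out_size
 * and return E_SHORT_BUFFER. Here the "certificate" is just a C string. */
static int crt_export(const char *pem, void *out, size_t *out_size) {
    size_t need = strlen(pem) + 1;            /* PEM text plus NUL */
    if (out == NULL || *out_size < need) {
        *out_size = need;
        return E_SHORT_BUFFER;
    }
    memcpy(out, pem, need);
    *out_size = need;
    return 0;
}

/* Current behaviour described in the post: a 10 KiB buffer on the stack.
 * Returns 0 when exported, -1 when the export is silently skipped. */
int export_fixed(const char *pem) {
    char buf[10 * 1024];
    size_t len = sizeof(buf);
    return crt_export(pem, buf, &len) == 0 ? 0 : -1;
}

/* Proposed fix: ask for the required size, allocate exactly that, then
 * export for real. On success *out holds the PEM (caller frees it). */
int export_dynamic(const char *pem, char **out) {
    size_t len = 0;
    if (crt_export(pem, NULL, &len) != E_SHORT_BUFFER) return -1;
    char *buf = malloc(len);
    if (buf == NULL) return -1;
    if (crt_export(pem, buf, &len) != 0) { free(buf); return -1; }
    *out = buf;
    return 0;
}

/* Constructed PEM-shaped blob with body_len bytes of filler (not a real cert). */
char *make_fake_pem(size_t body_len) {
    const char *head = "-----BEGIN CERTIFICATE-----\n";
    const char *tail = "-----END CERTIFICATE-----\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *p = malloc(hl + body_len + tl + 1);
    if (p == NULL) return NULL;
    memcpy(p, head, hl);
    memset(p + hl, 'A', body_len);            /* base64-looking filler */
    memcpy(p + hl + body_len, tail, tl + 1);  /* copies the NUL too */
    return p;
}
```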

