
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-10-g05d654f


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-10-g05d654f
Date: Thu, 05 May 2011 20:33:23 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=05d654f81bbab1dfd9b75a4375804cceb1808873

The branch, master has been updated
       via  05d654f81bbab1dfd9b75a4375804cceb1808873 (commit)
       via  12c03890ea08be56536c1c8ea70b19d8a8137564 (commit)
       via  810d77cf5530bcefd48030b2982b5c0393026c88 (commit)
      from  44cd78f93290902906aa6aa7416e03bc57dd5a47 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 05d654f81bbab1dfd9b75a4375804cceb1808873
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu May 5 22:31:05 2011 +0200

    _gnutls_hostname_compare() was incredibly slow when more than ten wildcards were 
present. Set a limit of 6 wildcards to avoid any denial of service attack. 
Reported by Kalle Olavi Niemitalo.

commit 12c03890ea08be56536c1c8ea70b19d8a8137564
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu May 5 22:17:28 2011 +0200

    Use c_toupper to avoid converting characters not in the English ASCII set. 
Reported by Kalle Olavi Niemitalo.

commit 810d77cf5530bcefd48030b2982b5c0393026c88
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu May 5 22:09:45 2011 +0200

    use > 0 instead of == 1.

-----------------------------------------------------------------------

Summary of changes:
 THANKS                      |    1 +
 lib/gnutls_str.c            |   15 +++++++++++----
 lib/gnutls_str.h            |    2 +-
 lib/opencdk/misc.c          |    5 +++--
 lib/openpgp/pgp.c           |    2 +-
 lib/x509/rfc2818_hostname.c |    4 ++--
 lib/x509/verify-high.c      |    2 +-
 7 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/THANKS b/THANKS
index 14eaca3..ef6cb28 100644
--- a/THANKS
+++ b/THANKS
@@ -112,6 +112,7 @@ Micah Anderson                      <micah [at] riseup.net>
 Michael Rommel                 <rommel [at] layer-7.net>
 Mark Brand                     <mabrand [at] mabrand.nl>
 Vitaly Kruglikov               <vitaly.kruglikov [at] palm.com>
+Kalle Olavi Niemitalo          <kon [at] iki.fi>
 
 ----------------------------------------------------------------------
 Copying and distribution of this file, with or without modification,
diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c
index c2d53e5..f599f9a 100644
--- a/lib/gnutls_str.c
+++ b/lib/gnutls_str.c
@@ -28,6 +28,7 @@
 #include <gnutls_num.h>
 #include <gnutls_str.h>
 #include <stdarg.h>
+#include <c-ctype.h>
 
 /* These function are like strcat, strcpy. They only
  * do bound checking (they shouldn't cause buffer overruns),
@@ -529,14 +530,20 @@ _gnutls_hex2bin (const opaque * hex_data, int hex_size, 
opaque * bin_data,
  * return 1 on success or 0 on error
  *
  * note: certnamesize is required as X509 certs can contain embedded NULs in
- * the strings such as CN or subjectAltName
+ * the strings such as CN or subjectAltName.
+ *
+ * @level: is used for recursion. Use 0 when you call this function.
  */
 int
 _gnutls_hostname_compare (const char *certname,
-                          size_t certnamesize, const char *hostname)
+                          size_t certnamesize, const char *hostname, int level)
 {
+
+  if (level > 5)
+    return 0;
+
   /* find the first different character */
-  for (; *certname && *hostname && toupper (*certname) == toupper (*hostname);
+  for (; *certname && *hostname && c_toupper (*certname) == c_toupper 
(*hostname);
        certname++, hostname++, certnamesize--)
     ;
 
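Review bot: The recursion cap `if (level > 5)` is a bare magic number, and the new `@level` comment does not say that exceeding it makes the comparison fail (return 0), so a caller cannot tell a depth-limited mismatch from a genuine one. Name the bound and state the failure mode, e.g. `#define MAX_WILDCARD_DEPTH 5 /* deeper wildcard recursion fails the match */` with `if (level > MAX_WILDCARD_DEPTH) return 0;`, and extend the comment to `@level: recursion depth; callers pass 0. Matching gives up (returns 0) once the depth exceeds the cap.` The same check is what bounds the `level+1` recursive call in the next hunk, so the cap should agree with the "6 wildcards" in the commit message; from the visible code a sixth nested wildcard appears to be rejected rather than accepted, which is worth confirming. _gnutls_hostname_compare's body continues past the end of this hunk.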
@@ -554,7 +561,7 @@ _gnutls_hostname_compare (const char *certname,
       while (1)
         {
           /* Use a recursive call to allow multiple wildcards */
-          if (_gnutls_hostname_compare (certname, certnamesize, hostname))
+          if (_gnutls_hostname_compare (certname, certnamesize, hostname, 
level+1))
             return 1;
 
           /* wildcards are only allowed to match a single domain
diff --git a/lib/gnutls_str.h b/lib/gnutls_str.h
index 39d9047..9217955 100644
--- a/lib/gnutls_str.h
+++ b/lib/gnutls_str.h
@@ -95,7 +95,7 @@ int _gnutls_hex2bin (const opaque * hex_data, int hex_size, 
opaque * bin_data,
                      size_t * bin_size);
 
 int _gnutls_hostname_compare (const char *certname, size_t certnamesize,
-                              const char *hostname);
+                              const char *hostname, int level);
 #define MAX_CN 256
 
 #define BUFFER_APPEND(b, x, s) { \
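Review bot: The prototype gains an `int level` parameter but the header carries no comment on what callers must pass, and every call site in this commit passes a literal 0. Document it at the declaration, e.g. `/* level: recursion depth used internally; external callers must pass 0 */` on the line above `int _gnutls_hostname_compare`. The explanation in lib/gnutls_str.c is fine, but callers read the header.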
diff --git a/lib/opencdk/misc.c b/lib/opencdk/misc.c
index d6a89ae..d00aa95 100644
--- a/lib/opencdk/misc.c
+++ b/lib/opencdk/misc.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <ctype.h>
 #include <sys/stat.h>
+#include <c-ctype.h>
 
 #include "opencdk.h"
 #include "main.h"
@@ -113,10 +114,10 @@ _cdk_memistr (const char *buf, size_t buflen, const char 
*sub)
 
   for (t = (byte *) buf, n = buflen, s = (byte *) sub; n; t++, n--)
     {
-      if (toupper (*t) == toupper (*s))
+      if (c_toupper (*t) == c_toupper (*s))
         {
           for (buf = t++, buflen = n--, s++;
-               n && toupper (*t) == toupper ((byte) * s); t++, s++, n--)
+               n && c_toupper (*t) == c_toupper ((byte) * s); t++, s++, n--)
             ;
           if (!*s)
             return buf;
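Review bot: The cast in `c_toupper ((byte) * s)` on the second comparison is redundant, since `s` is already assigned from `(byte *) sub` in the loop header and the first comparison uses plain `c_toupper (*s)`; `n && c_toupper (*t) == c_toupper (*s); t++, s++, n--)` would make the two lines consistent. With both toupper() uses in _cdk_memistr replaced, the existing `#include <ctype.h>` just above the new `#include <c-ctype.h>` may now be unused; drop it if no other <ctype.h> use remains in the file (only this hunk is visible). _cdk_memistr starts before this hunk.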
diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
index e3c24c7..9630448 100644
--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -595,7 +595,7 @@ gnutls_openpgp_crt_check_hostname (gnutls_openpgp_crt_t key,
              the terminating zero. */
           dnsnamesize--;
 
-          if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+          if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
             return 1;
         }
     }
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index 46606fd..092f9f5 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -75,7 +75,7 @@ gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const 
char *hostname)
       if (ret == GNUTLS_SAN_DNSNAME)
         {
           found_dnsname = 1;
-          if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+          if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
             {
               return 1;
             }
@@ -95,7 +95,7 @@ gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const 
char *hostname)
           return 0;
         }
 
-      if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+      if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
         {
           return 1;
         }
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index f911229..0b062df 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -349,7 +349,7 @@ uint32_t hash;
   for (i=0;i<list->node[hash].trusted_crt_size;i++)
     {
       ret = gnutls_x509_crt_check_issuer (cert, 
list->node[hash].trusted_crts[i]);
-      if (ret == 1)
+      if (ret > 0)
         {
           *issuer = list->node[hash].trusted_crts[i];
           return 0;
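Review bot: `if (ret > 0)` still treats a negative return from gnutls_x509_crt_check_issuer the same as "not the issuer" and moves on to the next trusted certificate, so an error from the check is silently folded into a lookup miss. If that function can return negative error codes (not visible here), testing them first, `if (ret < 0) return ret;` before the match test, keeps an error distinguishable from a plain no-match, assuming the enclosing function follows the library's negative-error return convention. The enclosing function starts and ends outside this hunk.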


hooks/post-receive
-- 
GNU gnutls


