From: Howard Chu
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Fri, 15 Feb 2008 12:38:27 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre
Nikos Mavrogiannopoulos wrote:
> On Friday 15 February 2008, Howard Chu wrote:
>> Nikos Mavrogiannopoulos wrote:
>>> Indeed I'll try to improve this patch to work only for formats known to be text.
>> The code was perfectly correct before this patch. Why do you want to change anything here at all? I looked in the gnutls-devel archives and couldn't find any discussion of this change. It would be nice to understand what you're trying to accomplish here, given that there are large bodies of code already written that expect the existing behavior of GnuTLS 2.1.7 and older.
> Well, it depends on the definition of correct. It didn't null terminate printable strings, and this was so correct for me.
Fair enough, that's your definition. Most people coding for X.509 understand that it's ASN.1/DER and as such, they're accustomed to the fact that strings use counted lengths, not NUL terminators. As such, the old behavior was normal and expected. Also, the behavior you introduce here makes this particular API behave differently from every other API that extracts strings from certificates. Note - this is not a suggestion to you to now go and change all those other APIs.
> Anyway, does the attached patch solve your problem?
Not really. It still returns a size one byte larger than expected for the strings. Even in languages where NUL-terminated strings are the norm, the terminating byte is not included in the length.
The point is, we expect this API to return exactly the data that was in the certificate. If the caller wants to treat the data as a string, they can NUL-terminate it themselves. The manpage only says that the data will be returned, it does not say that it will be altered in any way.
-- 
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
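As an added illustration of the length semantics Howard describes above (this is not code from the thread, from OpenLDAP or from GnuTLS): a hostname check written against a counted (data, size) subjectAltName value, which fails exactly when the reported size includes an appended NUL, beside a hypothetical tolerant variant that discards one trailing NUL before comparing. The sample byte arrays are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Strict check: the SAN value is a DER counted string, so it must match the
 * hostname byte-for-byte (ASCII case-insensitively) over exactly san_len bytes.
 * Hypothetical helper, not OpenLDAP or GnuTLS code. */
int san_dns_matches_strict(const unsigned char *san, size_t san_len, const char *host)
{
    size_t host_len = strlen(host);
    if (san_len != host_len)
        return 0;  /* a size that counts a terminating NUL fails right here */
    for (size_t i = 0; i < san_len; i++)
        if (tolower(san[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Tolerant variant: accepts one trailing NUL with a size one byte larger than
 * the name (the behaviour discussed in the thread), but still rejects any
 * other non-printable byte, so the name is never silently truncated. */
int san_dns_matches_tolerant(const unsigned char *san, size_t san_len, const char *host)
{
    if (san_len > 0 && san[san_len - 1] == '\0')
        san_len--;
    for (size_t i = 0; i < san_len; i++)
        if (!isprint(san[i]))
            return 0;
    return san_dns_matches_strict(san, san_len, host);
}

/* Constructed sample: the dNSName exactly as stored in the certificate. */
static const unsigned char SAN_OLD[] =
    { 'l','d','a','p','.','e','x','a','m','p','l','e','.','c','o','m' };
/* Constructed sample: the same name as returned with an appended NUL and size+1. */
static const unsigned char SAN_NEW[] =
    { 'l','d','a','p','.','e','x','a','m','p','l','e','.','c','o','m','\0' };
```

With the old behaviour both checks accept the name; with the size-plus-NUL behaviour only the tolerant variant does, which is the verification failure the thread is about.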