
(ITS#7051) ldap_pvt_tls_get_peer_dn fails under gnutls



Full_Name: Giampaolo Tomassoni
Version: 2.4.24
OS: Linux 2.6.39-gentoo-r3
URL: 
Submission from: (NULL) (79.23.61.128)


A tricky mistake (is it a typo?) in libraries/libldap/tls_g.c:tlsg_x509_cert_dn
prevents a gnutls-enabled server from correctly obtaining the "subject" ASN.1 tree
from the client's certificate.

This is the needed patch:

--- libraries/libldap/tls_g.c.wrong     2011-09-25 14:58:30.000000000 +0200
+++ libraries/libldap/tls_g.c   2011-09-25 14:35:06.000000000 +0200
@@ -530,7 +530,7 @@
        ber_init2( ber, cert, LBER_USE_DER );
        tag = ber_skip_tag( ber, &len );        /* Sequence */
        tag = ber_skip_tag( ber, &len );        /* Sequence */
-       tag = ber_skip_tag( ber, &len );        /* Context + Constructed
(version) */
+       tag = ber_peek_tag( ber, &len );        /* Context + Constructed
(version) */
        if ( tag == 0xa0 )      /* Version is optional */
                tag = ber_get_int( ber, &i );   /* Int: Version */
        tag = ber_skip_tag( ber, &len );        /* Int: Serial (can be longer
than ber_int_t) */
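Review bot: with `ber_peek_tag` on the version line, the `[0]` wrapper's tag and length are no longer consumed when `tag == 0xa0`, so the following `tag = ber_get_int( ber, &i );   /* Int: Version */` now starts at the wrapper rather than at the INTEGER inside it. Consider consuming the wrapper explicitly inside the `if` (for example `tag = ber_skip_tag( ber, &len );` immediately before the `ber_get_int` call, which turns the one-line `if` into a braced block) so that the version INTEGER is read from the expected position and the walk does not rely on how `ber_get_int` treats an unexpected tag.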


Basically, the optional version field in the certificate wasn't peeked, but
rather skipped. This sent the walk through the certificate tree down the wrong
path, so libraries/libldap/tls2.c:ldap_pvt_tls_get_peer_dn could not produce a
correct result.

I'm not using sasl, so I can't be sure about this, but I guess this problem
could impair client authentication via certificate using the sasl external
method.
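To make the difference between skipping and peeking concrete, here is an added example that is not part of the report or of OpenLDAP: a minimal DER walker of my own (not liblber, but with `der_skip_tag`/`der_peek_tag` mirroring the ber_skip_tag/ber_peek_tag semantics) that locates the subject SEQUENCE in a TBSCertificate. The two certificate byte strings are constructed and trimmed to the fields the walk touches (empty SEQUENCEs stand in for the algorithm, issuer and validity fields, and the signature fields after the TBS are omitted). With `peek_version=0` the walk reproduces the pre-patch code path; with `peek_version=1` it peeks, and additionally consumes the `[0]` wrapper before reading the INTEGER. The point it shows is that the skip variant only works when the optional version field happens to be present: on a v1 certificate the skip consumes the serial number's header instead, and the walk derails.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal DER cursor standing in for a liblber BerElement (own code, not liblber). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } der_t;

/* Decode the tag and length at the cursor. With consume=1 the cursor moves past
 * the header (ber_skip_tag semantics); with consume=0 it stays put (ber_peek_tag). */
static int der_tag(der_t *c, size_t *len, int consume)
{
    size_t p = c->pos, l, n;
    int tag;
    if (p + 2 > c->len) return -1;
    tag = c->buf[p++];
    l = c->buf[p++];
    if (l & 0x80) {                          /* long-form length */
        n = l & 0x7f;
        if (n == 0 || n > sizeof l || p + n > c->len) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | c->buf[p++];
    }
    if (l > c->len - p) return -1;          /* contents must fit in the buffer */
    *len = l;
    if (consume) c->pos = p;
    return tag;
}
static int der_peek_tag(der_t *c, size_t *len) { return der_tag(c, len, 0); }
static int der_skip_tag(der_t *c, size_t *len) { return der_tag(c, len, 1); }

/* Skip one whole element, header and contents. */
static int der_skip_element(der_t *c)
{
    size_t l;
    int tag = der_skip_tag(c, &l);
    if (tag < 0) return -1;
    c->pos += l;
    return tag;
}

/* Read a small INTEGER, roughly what ber_get_int does. */
static int der_get_int(der_t *c, long *out)
{
    size_t l;
    long v = 0;
    if (der_skip_tag(c, &l) != 0x02 || l == 0 || l > sizeof v) return -1;
    while (l--) v = (v << 8) | c->buf[c->pos++];
    *out = v;
    return 0;
}

/* Walk Certificate -> TBSCertificate and return the byte offset of the subject
 * SEQUENCE, or -1 if the walk goes off the rails.
 * peek_version=0: the pre-patch walk (skip the tag of the optional version).
 * peek_version=1: the patched walk (peek first, consume only if it really is [0]). */
long subject_offset(const uint8_t *cert, size_t cert_len, int peek_version)
{
    der_t c = { cert, cert_len, 0 };
    size_t len;
    long version = 1;
    int tag;

    if (der_skip_tag(&c, &len) != 0x30) return -1;   /* Certificate */
    if (der_skip_tag(&c, &len) != 0x30) return -1;   /* TBSCertificate */

    /* Optional [0] EXPLICIT version. Skipping here commits the cursor past the
     * header of whatever element is actually there, version or not. */
    tag = peek_version ? der_peek_tag(&c, &len) : der_skip_tag(&c, &len);
    if (tag == 0xa0) {
        if (peek_version && der_skip_tag(&c, &len) < 0) return -1; /* enter the wrapper */
        if (der_get_int(&c, &version) < 0) return -1;              /* INTEGER version */
    }
    if (der_skip_element(&c) < 0) return -1;          /* serialNumber */
    if (der_skip_element(&c) < 0) return -1;          /* signature AlgorithmIdentifier */
    if (der_skip_element(&c) < 0) return -1;          /* issuer Name */
    if (der_skip_element(&c) < 0) return -1;          /* validity */
    if (der_peek_tag(&c, &len) != 0x30) return -1;    /* subject Name must be a SEQUENCE */
    return (long)c.pos;
}

/* Constructed samples (not real certificates): only the fields the walk touches. */
static const uint8_t CERT_V1[] = {
    0x30, 0x0d, 0x30, 0x0b,
    0x02, 0x01, 0x2a,                         /* serialNumber 42; no version field (v1) */
    0x30, 0x00, 0x30, 0x00, 0x30, 0x00,       /* signature, issuer, validity (empty) */
    0x30, 0x00                                /* subject, at offset 13 */
};
static const uint8_t CERT_V3[] = {
    0x30, 0x12, 0x30, 0x10,
    0xa0, 0x03, 0x02, 0x01, 0x02,             /* [0] { INTEGER 2 }: version v3 */
    0x02, 0x01, 0x2a,                         /* serialNumber 42 */
    0x30, 0x00, 0x30, 0x00, 0x30, 0x00,       /* signature, issuer, validity (empty) */
    0x30, 0x00                                /* subject, at offset 18 */
};

int main(void)
{
    printf("v3 cert: skip -> %ld, peek -> %ld\n",
           subject_offset(CERT_V3, sizeof CERT_V3, 0),
           subject_offset(CERT_V3, sizeof CERT_V3, 1));
    printf("v1 cert: skip -> %ld, peek -> %ld\n",
           subject_offset(CERT_V1, sizeof CERT_V1, 0),
           subject_offset(CERT_V1, sizeof CERT_V1, 1));
    return 0;
}
```

On the v3 sample both variants land on the subject at offset 18, which is why the pre-patch code can appear to work; on the v1 sample the skip variant returns -1 because it has already consumed the serial number's tag and length when it decides the version is absent, while the peek variant still finds the subject at offset 13.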