Re: (ITS#7051) ldap_pvt_tls_get_peer_dn fails under gnutls
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7051) ldap_pvt_tls_get_peer_dn fails under gnutls
- From: hyc@symas.com
- Date: Fri, 30 Sep 2011 07:45:02 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
giampaolo@tomassoni.biz wrote:
> Full_Name: Giampaolo Tomassoni
> Version: 2.4.24
> OS: Linux 2.6.39-gentoo-r3
> URL:
> Submission from: (NULL) (79.23.61.128)
>
>
> A tricky mistake (is it a typo?) in libraries/libldap/tls_g.c:tlsg_x509_cert_dn
> prevents a gnutls-enabled server from correctly obtaining the "subject" ASN.1 tree
> from the client's certificate.
Thanks for the report, now fixed in master, please test.
>
> This is the needed patch:
This patch should not work either, you still need a skip_tag before the get_int.
> --- libraries/libldap/tls_g.c.wrong 2011-09-25 14:58:30.000000000 +0200
> +++ libraries/libldap/tls_g.c 2011-09-25 14:35:06.000000000 +0200
> @@ -530,7 +530,7 @@
> ber_init2( ber, cert, LBER_USE_DER );
> tag = ber_skip_tag( ber,&len ); /* Sequence */
> tag = ber_skip_tag( ber,&len ); /* Sequence */
> - tag = ber_skip_tag( ber,&len ); /* Context + Constructed
> (version) */
> + tag = ber_peek_tag( ber,&len ); /* Context + Constructed
> (version) */
> if ( tag == 0xa0 ) /* Version is optional */
> tag = ber_get_int( ber,&i ); /* Int: Version */
> tag = ber_skip_tag( ber,&len ); /* Int: Serial (can be longer
> than ber_int_t) */
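Review bot: with ber_peek_tag the cursor is still on the 0xa0 header, so the `tag = ber_get_int( ber,&i );` inside the `if ( tag == 0xa0 )` branch is applied to the constructed [0] wrapper rather than to the INTEGER it contains; add `tag = ber_skip_tag( ber,&len );` as the first statement of that branch so the explicit tag is consumed before the version INTEGER is read. The change from skip to peek is itself the right fix for the case the comment flags ("Version is optional"): with the unconditional ber_skip_tag, a certificate that omits the version field had its serial number's INTEGER tag consumed here, and every following read was off by one element. None of the tag values returned on these lines are checked for an error return, so a truncated or malformed certificate is walked as if it had parsed; at minimum the two SEQUENCE skips and the serial skip should bail out when the tag is not what the comment says it is.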
>
>
> Basically, the optional version field in the certificate wasn't peeked, but
> rather skipped. This resulted in walking the certificate tree the wrong way,
> thereby impairing a correct result from
> libraries/libldap/tls2.c:ldap_pvt_tls_get_peer_dn.
>
> I'm not using sasl, so I can't be sure about this, but I guess this problem
> could impair client authentication via certificate using the sasl external
> method.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
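The tag walk this thread is about, as an added example that is not OpenLDAP's code: the der_* helpers below are a small stand-in modelled on the liblber calls named in the patch (ber_peek_tag, ber_skip_tag, ber_get_int), find_subject walks Certificate -> TBSCertificate to the subject Name in both the pre-fix form (unconditional skip of the version tag) and the corrected form (peek, then skip the [0] wrapper only when present, then read the INTEGER inside it), and the two certificates are hand-built DER with placeholder OIDs and key, constructed for this example, one with a version field (v3) and one without (v1). Everything here, names included, is an assumption of the example, not the library's API.

```c
#include <stdio.h>
#include <string.h>
/* Constructed DER for this example, not a real certificate: subject Name CN=client and
 * the TBSCertificate fields that follow the optional version. OIDs and key are placeholders. */
#define SUBJECT "\x30\x11\x31\x0f\x30\x0d\x06\x03\x55\x04\x03\x0c\x06" "client"
#define TBS_TAIL \
    "\x02\x01\x2a"                                           /* serialNumber INTEGER 42 */ \
    "\x30\x03\x06\x01\x2a"                                   /* signature AlgorithmIdentifier */ \
    "\x30\x0d\x31\x0b\x30\x09\x06\x03\x55\x04\x03\x0c\x02" "CA"      /* issuer Name CN=CA */ \
    "\x30\x1e\x17\x0d" "230101000000Z" "\x17\x0d" "240101000000Z"  /* validity */ \
    SUBJECT                                                  /* subject Name */ \
    "\x30\x0a\x30\x03\x06\x01\x2a\x03\x03\x00\x01\x02"       /* subjectPublicKeyInfo */
#define CERT_TAIL "\x30\x03\x06\x01\x2a" "\x03\x02\x00\xff"  /* signatureAlgorithm, signatureValue */
static const unsigned char CERT_V3[] = "\x30\x66" "\x30\x5b" "\xa0\x03\x02\x01\x02" TBS_TAIL CERT_TAIL;
static const unsigned char CERT_V1[] = "\x30\x61" "\x30\x56" TBS_TAIL CERT_TAIL;  /* no [0] version */
#define DER_LEN(a) (sizeof(a) - 1)                           /* drop the string literal's NUL */
typedef struct { const unsigned char *buf; size_t len, pos; } der_t;

/* Like ber_peek_tag: tag and content length at the cursor, cursor unmoved. Single-byte tags,
 * lengths of at most 4 bytes; -1 when the header is malformed or the element overruns. */
static int der_peek_tag(const der_t *d, size_t *hdr, size_t *clen)
{
    size_t p = d->pos, h = 2, n;
    if (p + 2 > d->len || (d->buf[p] & 0x1f) == 0x1f) return -1;
    n = d->buf[p + 1];
    if (n & 0x80) {                                          /* long-form length */
        size_t nb = n & 0x7f;
        if (nb == 0 || nb > 4 || p + 2 + nb > d->len) return -1;
        for (n = 0; nb; nb--, h++) n = (n << 8) | d->buf[p + h];
    }
    if (p + h + n > d->len) return -1;
    *hdr = h; *clen = n;
    return d->buf[p];
}

static int der_skip_tag(der_t *d, size_t *clen)              /* like ber_skip_tag */
{
    size_t h;
    int tag = der_peek_tag(d, &h, clen);
    if (tag >= 0) d->pos += h;                               /* cursor now on the content */
    return tag;
}
static int der_skip_element(der_t *d)                        /* whole element: header + content */
{
    size_t n;
    int tag = der_skip_tag(d, &n);
    if (tag >= 0) d->pos += n;
    return tag;
}

static int der_get_int(der_t *d, long *out)                  /* like ber_get_int, non-negative only */
{
    size_t n, i;
    unsigned long v = 0;
    int tag = der_skip_tag(d, &n);
    if (tag < 0 || n == 0 || n > sizeof v) return -1;
    for (i = 0; i < n; i++) v = (v << 8) | d->buf[d->pos++];
    *out = (long)v;
    return tag;
}

/* Walk Certificate -> TBSCertificate to the subject Name. legacy = 1 replays the pre-fix walk
 * that skipped the version tag unconditionally; 0 peeks, skips the [0] wrapper only when it is
 * present, then reads the INTEGER inside it. Returns 0 on success, -1 on a parse error. */
static int find_subject(const unsigned char *cert, size_t len, int legacy,
                        long *version, const unsigned char **subj, size_t *subj_len)
{
    der_t d = { cert, len, 0 };
    size_t h, n; int tag;
    if (der_skip_tag(&d, &n) != 0x30) return -1;             /* Certificate SEQUENCE */
    if (der_skip_tag(&d, &n) != 0x30) return -1;             /* TBSCertificate SEQUENCE */
    *version = 0;                                            /* DEFAULT v1 */
    tag = legacy ? der_skip_tag(&d, &n) : der_peek_tag(&d, &h, &n);
    if (tag == 0xa0) {                                       /* [0] EXPLICIT Version present */
        if (!legacy && der_skip_tag(&d, &n) != 0xa0) return -1;   /* consume the wrapper */
        if (der_get_int(&d, version) != 0x02) return -1;          /* INTEGER inside it */
    }
    if (der_skip_element(&d) != 0x02) return -1;             /* serialNumber, kept opaque */
    if (der_skip_element(&d) != 0x30) return -1;             /* signature AlgorithmIdentifier */
    if (der_skip_element(&d) != 0x30) return -1;             /* issuer Name */
    if (der_skip_element(&d) != 0x30) return -1;             /* validity */
    if (der_peek_tag(&d, &h, &n) != 0x30) return -1;         /* subject Name: hand back its DER */
    *subj = d.buf + d.pos; *subj_len = h + n;
    return 0;
}

/* Version (0 = v1, 2 = v3) when the walk lands on the expected subject Name, else -1. */
static long walk_version(const unsigned char *cert, size_t len, int legacy)
{
    long ver; const unsigned char *s; size_t n;
    if (find_subject(cert, len, legacy, &ver, &s, &n) != 0) return -1;
    return n == DER_LEN(SUBJECT) && memcmp(s, SUBJECT, n) == 0 ? ver : -1;
}

int main(void)
{
    printf("v3: fixed %ld legacy %ld | v1: fixed %ld legacy %ld (-1 = misparsed)\n",
           walk_version(CERT_V3, DER_LEN(CERT_V3), 0), walk_version(CERT_V3, DER_LEN(CERT_V3), 1),
           walk_version(CERT_V1, DER_LEN(CERT_V1), 0), walk_version(CERT_V1, DER_LEN(CERT_V1), 1));
    return 0;
}
```

walk_version only reports the decoded version when the walk actually lands on the expected subject, so the legacy mode failing on the v1 certificate while passing on the v3 one is the symptom reported above: with no version field the unconditional skip consumes the serial number's INTEGER tag and the next read sees the serial's content byte as a tag. The helpers also refuse any element whose declared length runs past the buffer, a check the walk in the patch does not make; when parsing a peer certificate, every tag read should be compared against the error return before the next read is attempted.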