
RE: (ITS#7051) ldap_pvt_tls_get_peer_dn fails under gnutls



> > This is the needed patch:
> 
> This patch should not work either, you still need a skip_tag before the
> get_int.
>
> > -       tag = ber_skip_tag( ber,&len );        /* Context +
> Constructed
> > (version) */
> > +       tag = ber_peek_tag( ber,&len );        /* Context +
> Constructed
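Review bot: changing ber_skip_tag to ber_peek_tag on the "Context + Constructed (version)" line leaves the [0] wrapper's tag and length octets in the stream, so the get_int that follows will consume those as though they belonged to the INTEGER it is reading; after the peek returns 0xa0, add a ber_skip_tag( ber, &len ) to step inside the wrapper and only then call ber_get_int for the version, which is the "skip_tag before the get_int" the quoted reply asks for.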

I confirm this patch worked for me, at least it did on an amd64 I'm working
on.

It worked both with openssl-generated v1 (no version tag present) and v3
certificates (version tag present).

I don't know if this is a CPU-architecture-dependent issue (I don't think
so), nor do I know how the ber_* library works, but FWICU the Context +
Constructed stuff is handled as a tag prefix by ber_get_int(), which
then discards it when found and fetches the encapsulated value.

Instead, ber_peek_tag() is probably more simple-minded in that it peeks the
first word at the buffer pointer, which is the Context + Constructed prefix,
not really the tag.

I can of course be wrong, but with this patch I got i==2 from v3
certificates, which is the correct value.

Giampaolo
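The tag handling discussed in this thread, as an added example that is not OpenLDAP's code and not the code the patch touches: a self-contained DER reader whose der_peek_tag, der_skip_tag and der_get_int are hypothetical stand-ins for the liblber ber_peek_tag, ber_skip_tag and ber_get_int calls named above. It runs over two constructed, truncated Certificate prefixes, one in v1 form (no version field, serialNumber comes first) and one in v3 form ([0] EXPLICIT wrapper around INTEGER 2), returns the version using the peek, skip, get_int order, and also shows the value a get_int applied straight at the [0] position decodes from those same bytes.

```c
/* Added example, not OpenLDAP code: a minimal DER reader mirroring the
 * peek/skip/get_int sequence used to read the optional [0] EXPLICIT version
 * at the start of an X.509 TBSCertificate.  der_peek_tag, der_skip_tag and
 * der_get_int are hypothetical stand-ins for liblber's ber_peek_tag,
 * ber_skip_tag and ber_get_int; only one-octet tags and short-form lengths
 * are handled, which is all the samples below need. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} der_t;

#define DER_ERR (-1)

/* Identifier octet of the current element and its content length,
 * without moving the read position. */
static int der_peek_tag(const der_t *d, size_t *len)
{
    if (d->pos + 2 > d->len) return DER_ERR;
    uint8_t tag = d->buf[d->pos];
    uint8_t l = d->buf[d->pos + 1];
    if ((tag & 0x1f) == 0x1f || (l & 0x80)) return DER_ERR; /* unsupported forms */
    if (d->pos + 2 + l > d->len) return DER_ERR;
    *len = l;
    return tag;
}

/* Like der_peek_tag, but also consume the tag and length octets. */
static int der_skip_tag(der_t *d, size_t *len)
{
    int tag = der_peek_tag(d, len);
    if (tag != DER_ERR) d->pos += 2;
    return tag;
}

/* Consume the current element and decode its content as a two's-complement
 * INTEGER.  Like ber_get_int, it does not insist that the tag is 0x02: it
 * returns whatever tag it found and leaves that check to the caller. */
static int der_get_int(der_t *d, long *out)
{
    size_t len;
    int tag = der_skip_tag(d, &len);
    if (tag == DER_ERR || len == 0 || len > sizeof(long)) return DER_ERR;
    unsigned long acc = (d->buf[d->pos] & 0x80) ? ~0UL : 0UL; /* sign-extend */
    for (size_t i = 0; i < len; i++) acc = (acc << 8) | d->buf[d->pos + i];
    d->pos += len;
    *out = (long)acc;
    return tag;
}

/* Constructed samples (not real certificates): the leading bytes of a
 * Certificate, cut off right after serialNumber.
 *   v3: Certificate SEQ { TBS SEQ { [0] { INTEGER 2 }, INTEGER 0x012345 } }
 *   v1: Certificate SEQ { TBS SEQ {                    INTEGER 0x012345 } } */
const uint8_t cert_v3[] = { 0x30, 0x0c, 0x30, 0x0a, 0xa0, 0x03, 0x02, 0x01, 0x02,
                            0x02, 0x03, 0x01, 0x23, 0x45 };
const uint8_t cert_v1[] = { 0x30, 0x07, 0x30, 0x05,
                            0x02, 0x03, 0x01, 0x23, 0x45 };

/* Position the reader just inside TBSCertificate, i.e. at the version slot. */
static int enter_tbs(der_t *d)
{
    size_t len;
    if (der_skip_tag(d, &len) != 0x30) return DER_ERR; /* Certificate SEQUENCE */
    if (der_skip_tag(d, &len) != 0x30) return DER_ERR; /* TBSCertificate SEQUENCE */
    return 0;
}

/* Peek for the [0] wrapper, step inside it, then read the INTEGER.
 * Returns 0 for v1 (field absent), 2 for v3, -1 on a malformed prefix. */
long x509_version(const uint8_t *cert, size_t cert_len)
{
    der_t d = { cert, cert_len, 0 };
    size_t len;
    long v = 0;
    if (enter_tbs(&d) != 0) return -1;
    if (der_peek_tag(&d, &len) == 0xa0) {              /* Context + Constructed (version) */
        if (der_skip_tag(&d, &len) != 0xa0) return -1; /* consume the wrapper itself */
        if (der_get_int(&d, &v) != 0x02) return -1;    /* INTEGER version inside it */
    }
    if (der_skip_tag(&d, &len) != 0x02) return -1;     /* serialNumber must follow */
    return v;
}

/* What der_get_int decodes when called directly at the version slot with
 * no skip of the wrapper first.  For the v3 sample the wrapper's content
 * octets 02 01 02 are taken as the integer.  Returns -1 on error. */
long int_read_without_skip(const uint8_t *cert, size_t cert_len)
{
    der_t d = { cert, cert_len, 0 };
    long v = 0;
    if (enter_tbs(&d) != 0) return -1;
    if (der_get_int(&d, &v) == DER_ERR) return -1;
    return v;
}

int main(void)
{
    printf("v3 sample: version %ld\n", x509_version(cert_v3, sizeof cert_v3));
    printf("v1 sample: version %ld\n", x509_version(cert_v1, sizeof cert_v1));
    printf("get_int at the [0] slot of v3: 0x%lx\n",
           int_read_without_skip(cert_v3, sizeof cert_v3));
    return 0;
}
```

The v1 path works because the peek finds INTEGER (0x02) rather than 0xa0 at the version slot and leaves the stream untouched for the serialNumber read; the v3 path only yields the INTEGER's own content once the wrapper's two header octets have been consumed separately.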