Re: (ITS#6460) SASL EXTERNAL fails with long certificate serial numbers

[masarati@aero.polimi.it]

> Full_Name: Sergio Gelato
> Version: 2.4.11 (problem also in HEAD)
> OS: Debian GNU/Linux
> URL:
> Submission from: (NULL) (85.225.123.197)
>
>
> Using (X.509 certificate-based) SASL EXTERNAL authentication fails when
> the
> serial number of the certificate is longer than 4 octets.
>
> I have traced the problem to the use, by
> libraries/libldap/tls.c:x509_cert_get_dn(),
> of ber_get_int() to consume the serial number. This fails when the value
> to be
> decoded
> doesn't fit in a ber_int_t.
>
> I discovered this bug with Debian's OpenLDAP 2.4.11-1+lenny1 but a look at
> the
> OpenLDAP CVS indicates that the problem is still present in the current
> HEAD
> (1.167).
>
> I've successfully tested the following patch:
> ====================================================================================
> RFC5280 §4.1.2.2 says "[c]ertificate users MUST be able to handle
> serialNumber
> values up to 20 octets". ber_get_int() fails beyond 4 octets. Since we
> don't
> actually care about the certificate serial number, let's just skip it.
>
> --- a/libraries/libldap/tls.c
> +++ b/libraries/libldap/tls.c
> @@ -1673,7 +1673,8 @@
>  	tag = ber_skip_tag( ber, &len );	/* Context + Constructed (version) */
>  	if ( tag == 0xa0 )	/* Version is optional */
>  		tag = ber_get_int( ber, &i );	/* Int: Version */
> -	tag = ber_get_int( ber, &i );	/* Int: Serial */
> +	tag = ber_skip_tag( ber, &len );		/* *Big* integer: Serial */
> +	ber_skip_data( ber, len );
>  	tag = ber_skip_tag( ber, &len );	/* Sequence: Signature */
>  	ber_skip_data( ber, len );
>  	if ( !get_subject ) {

Funny enough, the same thing is dealt with correctly in certificate
validation/normalization in slapd/schema_init.c

p.