
Re: (ITS#7051) ldap_pvt_tls_get_peer_dn fails under gnutls



giampaolo@tomassoni.biz wrote:
> Full_Name: Giampaolo Tomassoni
> Version: 2.4.24
> OS: Linux 2.6.39-gentoo-r3
> URL:
> Submission from: (NULL) (79.23.61.128)
>
>
> A tricky mistake (is it a typo?) in libraries/libldap/tls_g.c:tlsg_x509_cert_dn
> prevents a gnutls-enabled server from correctly obtaining the "subject" ASN.1 tree
> from the client's certificate.

Thanks for the report, now fixed in master, please test.
>
> This is the needed patch:

This patch should not work either; you still need a skip_tag before the get_int.

> --- libraries/libldap/tls_g.c.wrong     2011-09-25 14:58:30.000000000 +0200
> +++ libraries/libldap/tls_g.c   2011-09-25 14:35:06.000000000 +0200
> @@ -530,7 +530,7 @@
>          ber_init2( ber, cert, LBER_USE_DER );
>          tag = ber_skip_tag( ber,&len );        /* Sequence */
>          tag = ber_skip_tag( ber,&len );        /* Sequence */
> -       tag = ber_skip_tag( ber,&len );        /* Context + Constructed
> (version) */
> +       tag = ber_peek_tag( ber,&len );        /* Context + Constructed
> (version) */
>          if ( tag == 0xa0 )      /* Version is optional */
>                  tag = ber_get_int( ber,&i );   /* Int: Version */
>          tag = ber_skip_tag( ber,&len );        /* Int: Serial (can be longer
> than ber_int_t) */
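Review bot: the `+` line switches to `ber_peek_tag`, which leaves the cursor on the 0xa0 tag, so the `ber_get_int( ber,&i )` inside `if ( tag == 0xa0 )` then consumes the [0] wrapper's own tag and length and decodes the wrapper's contents (the inner INTEGER's tag and length bytes included) as the version, rather than the INTEGER itself. Add `tag = ber_skip_tag( ber,&len );` inside the `if`, before the `ber_get_int`, so the cursor enters the wrapper first; the peek alone only makes the `if` test correct for certificates that omit the optional version field.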
>
>
> Basically, the optional version field in the certificate wasn't peeked, but
> rather skipped. This resulted in walking the certificate tree the wrong
> way, thereby impairing a correct result from
> libraries/libldap/tls2.c:ldap_pvt_tls_get_peer_dn.
>
> I'm not using sasl, so I can't be sure about this, but I guess this problem
> could impair client authentication via certificate using the sasl external
> method.
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
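As an added illustration (not code from the OpenLDAP tree or from this thread): a self-contained walk over constructed TBSCertificate prefixes, using liblber-style peek/skip/get helpers, showing why the optional [0] version must be peeked rather than skipped. The skip-only walk still reads a prefix that carries the version, but misaligns on one that omits it. The helper names, `read_serial` and the sample byte strings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal DER cursor with liblber-like primitives (short-form lengths only). */
typedef struct { const uint8_t *p, *end; } der_t;

static int der_peek_tag(der_t *b, size_t *len) {   /* like ber_peek_tag: no advance */
    if (b->end - b->p < 2 || (b->p[1] & 0x80)) return -1;
    *len = b->p[1];
    return b->p[0];
}
static int der_skip_tag(der_t *b, size_t *len) {   /* like ber_skip_tag: past tag+len */
    int tag = der_peek_tag(b, len);
    if (tag >= 0) b->p += 2;
    return tag;
}
static int der_get_int(der_t *b, long *out) {      /* like ber_get_int: tag,len,value */
    size_t len; int tag = der_skip_tag(b, &len);
    if (tag < 0 || len == 0 || len > sizeof(long) || (size_t)(b->end - b->p) < len) return -1;
    unsigned long v = 0;                           /* non-negative values only */
    for (size_t i = 0; i < len; i++) v = (v << 8) | b->p[i];
    b->p += len; *out = (long)v;
    return tag;
}

/* Walk Certificate -> TBSCertificate -> optional [0] version -> serial.
 * peek_version=1 is the corrected walk (peek, then skip into the wrapper);
 * peek_version=0 reproduces the original skip-only walk.
 * Returns the serial, or -1 when the cursor ends up misaligned. */
static long read_serial(const uint8_t *der, size_t n, int peek_version) {
    der_t b = { der, der + n };
    size_t len; long version = 0, serial;
    if (der_skip_tag(&b, &len) != 0x30) return -1;       /* Certificate SEQUENCE */
    if (der_skip_tag(&b, &len) != 0x30) return -1;       /* TBSCertificate SEQUENCE */
    int tag = peek_version ? der_peek_tag(&b, &len) : der_skip_tag(&b, &len);
    if (tag == 0xa0) {                                   /* version is present */
        if (peek_version) der_skip_tag(&b, &len);        /* enter the [0] wrapper */
        if (der_get_int(&b, &version) != 0x02) return -1;/* INTEGER version */
    }
    if (der_get_int(&b, &serial) != 0x02) return -1;     /* INTEGER serial */
    return serial;
}

/* Constructed sample prefixes (not real certificates): with and without version. */
static const uint8_t CERT_V3[] = { 0x30,0x0a, 0x30,0x08, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x05 };
static const uint8_t CERT_V1[] = { 0x30,0x05, 0x30,0x03, 0x02,0x01,0x05 };
```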