
Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
On Sat, Feb 09, 2008 at 11:04:18PM -0800, Howard Chu wrote:
> I cannot duplicate this error with GnuTLS 1.7.8 or 1.7.9. The altname 
> length that is returned just includes the non-NUL characters. Note that 
> all of libldap's TLS functionality was tested and working with GnuTLS 
> 1.7. What version are you using?

Reproduced with GnuTLS 2.0.4 and GnuTLS 2.2.1.

> It seems to me that if your version of GnuTLS is indeed behaving this way,
> then it's a GnuTLS bug, since in C, the length of a string never includes
> the trailing NUL.

It's true that the /length/ of a string doesn't include the trailing NUL,
but it does have to be included in the storage /size/ of a C string, and
it's debatable which is intended here.  Given that one of the errors
returned by gnutls_x509_crt_get_subject_alt_name() is
GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use
semantics for storage size rather than string length, and the only question
in my mind is whether the trailing NUL is included as part of the internal
representation of the string.

If this is a behavior change as you say, then I guess we need clarification
from GnuTLS upstream about whether this is intentional.
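An added illustration of the length ambiguity discussed in this thread (my own example, not code from libldap or GnuTLS): a dNSName comparison that assumes the reported length excludes the NUL rejects a valid certificate as soon as the library counts the NUL, whereas trimming a trailing NUL before comparing works under either convention. The hostname is a constructed sample.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Number of meaningful characters in an altName buffer of `len` bytes.
   If the library counted the trailing NUL in `len`, it is not part of
   the name and is dropped here. */
size_t altname_effective_len(const char *name, size_t len)
{
    while (len > 0 && name[len - 1] == '\0')
        len--;
    return len;
}

/* Comparison that assumes `len` is the C string length: fails when the
   reported length includes the NUL, which is the failure in this report. */
int naive_match(const char *name, size_t len, const char *host)
{
    return len == strlen(host) && memcmp(name, host, len) == 0;
}

/* Comparison tolerant of both conventions: trim a trailing NUL, reject
   embedded NULs, and compare case-insensitively as DNS names require. */
int robust_match(const char *name, size_t len, const char *host)
{
    size_t n = altname_effective_len(name, len);
    size_t i;
    if (n != strlen(host))
        return 0;
    for (i = 0; i < n; i++) {
        if (name[i] == '\0')            /* embedded NUL: never a valid name */
            return 0;
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *host = "ldap.example.com";   /* constructed sample */
    /* Simulate a library that reports 17 (storage size incl. NUL). */
    printf("naive : %d\n", naive_match(host, 17, host));   /* 0: rejected */
    printf("robust: %d\n", robust_match(host, 17, host));  /* 1: accepted */
    return 0;
}
```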