string handling in hx509
Matthieu Patou
mat at samba.org
Sun Aug 8 03:33:14 MDT 2010
Hello Love,

I'm trying to use the Heimdal x509 implementation.
I have problems with decoding a certificate issued by a Windows 2008 R2
server (attached).
The problem I guess lies in the fact that the name in the certificate is
in UTF-16 and the code in der_get_general_string seems not to be ready
for this as it expects to have NULLs at the end of the string only (if any).
Gnutls and openssl have no problems dealing with it so it seems to be quite
valid.

int
der_get_general_string (const unsigned char *p, size_t len,
                        heim_general_string *str, size_t *size)
{
    const unsigned char *p1;
    char *s;

    p1 = memchr(p, 0, len);
    if (p1 != NULL) {
        /*
         * Allow trailing NULs. We allow this since MIT Kerberos sends
         * an strings in the NEED_PREAUTH case that includes a
         * trailing NUL.
         */
        while (p1 - p < len && *p1 == '\0')
            p1++;
        if (p1 - p != len)
            return ASN1_BAD_CHARACTER;
    }
    if (len > len + 1)
        return ASN1_BAD_LENGTH;

    s = malloc (len + 1);
    if (s == NULL)
        return ENOMEM;
    memcpy (s, p, len);
    s[len] = '\0';
    *str = s;
    if(size) *size = len;
    return 0;
}

I also attached a proposal for fixing this (it is basically checking
that the last two chars are nulls).
Let me know what you think of it (I'm pretty sure it's not sufficient
but I lack imagination in what can be tested).

Cheers
Matthieu
--
Matthieu Patou
Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proposal_for_der_utf16.patch
Type: text/x-patch
Size: 976 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100808/b3aab4ea/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert
Type: application/octet-stream
Size: 772 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100808/b3aab4ea/attachment.obj>
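
The rejection described in the message, as an added example (not code from the original post or from Heimdal): the NUL rule of the quoted function applied to a constructed name encoded as UTF-16BE, next to a hypothetical decoder for 16-bit units. Big-endian byte order (as ASN.1 BMPString uses), the sample name and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The NUL rule from the der_get_general_string excerpt in the post:
 * NUL bytes are accepted only as a trailing run. 1 = accepted, 0 = rejected. */
int nul_rule_accepts(const unsigned char *p, size_t len)
{
    const unsigned char *p1 = memchr(p, 0, len);
    if (p1 != NULL) {
        while ((size_t)(p1 - p) < len && *p1 == '\0')
            p1++;
        if ((size_t)(p1 - p) != len)
            return 0;
    }
    return 1;
}

/* Hypothetical helper (not a Heimdal function): decode big-endian 16-bit units
 * into a malloc'd array. Returns 0, or -1 on odd length or failed allocation. */
int decode_utf16be(const unsigned char *p, size_t len, uint16_t **out, size_t *n)
{
    uint16_t *u;
    size_t i;
    if (len % 2 != 0)
        return -1;
    u = malloc(len ? len : 1); /* len bytes hold len/2 16-bit units */
    if (u == NULL)
        return -1;
    for (i = 0; i < len / 2; i++)
        u[i] = (uint16_t)((p[2 * i] << 8) | p[2 * i + 1]);
    *out = u;
    *n = len / 2;
    return 0;
}

/* Constructed samples: "DC01" as UTF-16BE, and as ASCII with a trailing NUL. */
const unsigned char sample_utf16be[] = {0, 'D', 0, 'C', 0, '0', 0, '1'};
const unsigned char sample_ascii[] = {'D', 'C', '0', '1', 0};

int main(void)
{
    printf("ascii accepted: %d, utf16be accepted: %d\n",
           nul_rule_accepts(sample_ascii, sizeof(sample_ascii)),
           nul_rule_accepts(sample_utf16be, sizeof(sample_utf16be)));
    return 0;
}
```

Every ASCII-range character in UTF-16BE carries a 0x00 high byte, so the first NUL is never part of a trailing run and the rule rejects the string at its first character.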