giampaolo@tomassoni.biz wrote:
Full_Name: Giampaolo Tomassoni
Version: 2.4.24
OS: Linux 2.6.39-gentoo-r3
URL:
Submission from: (NULL) (79.23.61.128)
A tricky mistake (is it a typo?) in libraries/libldap/tls_g.c:tlsg_x509_cert_dn prevents a gnutls-enabled server from correctly obtaining the "subject" ASN.1 tree from the client's certificate.
Thanks for the report, now fixed in master, please test.
This is the needed patch:
This patch should not work either, you still need a skip_tag before the get_int.
--- libraries/libldap/tls_g.c.wrong 2011-09-25 14:58:30.000000000 +0200 +++ libraries/libldap/tls_g.c 2011-09-25 14:35:06.000000000 +0200 @@ -530,7 +530,7 @@ ber_init2( ber, cert, LBER_USE_DER ); tag = ber_skip_tag( ber,&len ); /* Sequence */ tag = ber_skip_tag( ber,&len ); /* Sequence */
tag = ber_skip_tag( ber,&len ); /* Context + Constructed
(version) */
tag = ber_peek_tag( ber,&len ); /* Context + Constructed
(version) */ if ( tag == 0xa0 ) /* Version is optional */ tag = ber_get_int( ber,&i ); /* Int: Version */ tag = ber_skip_tag( ber,&len ); /* Int: Serial (can be longer than ber_int_t) */
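Review bot: the `if ( tag == 0xa0 )` branch still calls `ber_get_int( ber,&i )` straight after `ber_peek_tag`, but a peek leaves the cursor on the `[0]` Context + Constructed wrapper, so `ber_get_int` is handed tag 0xa0 instead of the INTEGER inside it and fails precisely for the certificates that do carry a version field. Add `tag = ber_skip_tag( ber,&len );` inside the branch, before `ber_get_int`, so the wrapper is consumed only when it is present; the switch from an unconditional `ber_skip_tag` to `ber_peek_tag` is otherwise right, since the old code would eat the serial number's tag on a certificate with no version field.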
Basically, the optional version field in the certificate wasn't peeked, but rather skipped. This resulted in walking the certificate tree the wrong way, thereby impairing a correct result from libraries/libldap/tls2.c:ldap_pvt_tls_get_peer_dn.
I'm not using SASL, so I can't be sure about this, but I guess this problem could impair client authentication via certificate using the SASL EXTERNAL method.
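To make the three positions in this thread concrete (unconditional skip as in the original code, peek alone as in the posted patch, and peek followed by a skip of the wrapper), here is a small added example. It is my own C, not OpenLDAP's liblber: the der_peek_tag / der_skip_tag / der_get_int helpers only imitate the behaviour of ber_peek_tag, ber_skip_tag and ber_get_int on single-byte tags with short-form lengths, and the two certificate prefixes (a v3 one with [0]{INTEGER 2} and a v1 one with no version field) are constructed by hand, not taken from a real certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal DER cursor; a stand-in for liblber's BerElement in this example. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } der_t;

/* Decode the tag and short-form length at the cursor WITHOUT consuming them.
   Returns the tag byte or -1 on truncation. Single-byte tags and lengths below
   128 are all this example needs (assumption: no long-form lengths). */
static int der_peek_tag(const der_t *d, size_t *len, size_t *hdrlen)
{
    if (d->pos + 2 > d->len || (d->buf[d->pos + 1] & 0x80)) return -1;
    *len = d->buf[d->pos + 1];
    *hdrlen = 2;
    return d->buf[d->pos];
}

/* Consume only the tag+length header, like ber_skip_tag: the cursor lands on the
   element's first content byte, not past the element. */
static int der_skip_tag(der_t *d, size_t *len)
{
    size_t hdr;
    int tag = der_peek_tag(d, len, &hdr);
    if (tag >= 0) d->pos += hdr;
    return tag;
}

/* Consume a small INTEGER, like ber_get_int. Fails unless the element at the
   cursor really is an INTEGER that fits in a long. */
static int der_get_int(der_t *d, long *out)
{
    size_t len, hdr;
    int tag = der_peek_tag(d, &len, &hdr);
    if (tag != 0x02 || len == 0 || len > sizeof(long) || d->pos + hdr + len > d->len) return -1;
    d->pos += hdr;
    unsigned long u = (d->buf[d->pos] & 0x80) ? ~0UL : 0UL;   /* sign-extend */
    for (size_t i = 0; i < len; i++) u = (u << 8) | d->buf[d->pos + i];
    d->pos += len;
    *out = (long)u;
    return tag;
}

/* The three ways the thread handles the optional version field. */
enum { VERSION_SKIP = 0, VERSION_PEEK_ONLY = 1, VERSION_PEEK_THEN_SKIP = 2 };

/* Walk Certificate -> TBSCertificate -> [0] version (optional) -> serialNumber.
   Returns 0 on success, -1 when the walk lands on an unexpected tag. */
int walk_tbs_prefix(const uint8_t *cert, size_t n, int mode, long *version, long *serial)
{
    der_t d = { cert, n, 0 };
    size_t len, hdr;
    int tag;

    *version = 0;                                   /* X.509 default when absent: v1 */
    if (der_skip_tag(&d, &len) != 0x30) return -1;  /* Certificate SEQUENCE */
    if (der_skip_tag(&d, &len) != 0x30) return -1;  /* TBSCertificate SEQUENCE */

    if (mode == VERSION_SKIP)
        tag = der_skip_tag(&d, &len);               /* original code: consumes whatever is next */
    else
        tag = der_peek_tag(&d, &len, &hdr);         /* patched code: look, do not consume */
    if (tag < 0) return -1;

    if (tag == 0xa0) {                              /* [0] EXPLICIT wrapper is present */
        if (mode == VERSION_PEEK_THEN_SKIP && der_skip_tag(&d, &len) < 0) return -1;
        if (der_get_int(&d, version) < 0) return -1;   /* INTEGER inside the wrapper */
    }
    return der_get_int(&d, serial) < 0 ? -1 : 0;    /* serialNumber INTEGER */
}

/* Constructed sample inputs: just the leading bytes of a certificate, enough for
   the walk above. v3 carries [0]{INTEGER 2}; v1 has no version field at all. */
static const uint8_t SAMPLE_V3[] = { 0x30,0x0a, 0x30,0x08, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x2a };
static const uint8_t SAMPLE_V1[] = { 0x30,0x05, 0x30,0x03, 0x02,0x01,0x2a };

/* Returns -1 on a failed walk, otherwise version*1000 + serial (e.g. 2042). */
long walk_sample(int want_v3, int mode)
{
    long version, serial;
    const uint8_t *b = want_v3 ? SAMPLE_V3 : SAMPLE_V1;
    size_t n = want_v3 ? sizeof SAMPLE_V3 : sizeof SAMPLE_V1;
    if (walk_tbs_prefix(b, n, mode, &version, &serial) != 0) return -1;
    return version * 1000 + serial;
}

int main(void)
{
    const char *names[] = { "skip (original)", "peek only (patch as posted)", "peek then skip" };
    for (int m = 0; m < 3; m++)
        printf("%-28s v3: %5ld   v1: %5ld\n", names[m], walk_sample(1, m), walk_sample(0, m));
    return 0;
}
```

Running it shows the asymmetry the thread describes: the unconditional skip parses the v3 prefix but eats the serial number's tag on the v1 prefix; peeking without a skip keeps v1 working but hands the [0] wrapper to the integer reader on v3; only peek-then-skip walks both. The same pattern applies to any DER structure with an OPTIONAL tagged member: look at the tag first, and consume the wrapper only once you know it is there.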