Re: [gnutls-devel] GnuTLS | Read Certificate Transparency (RFC 6962) SCT extension (!1367)


Read-only notification of GnuTLS library development activities
GitLab

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c:

3957
+
3958
+int gnutls_x509_ct_sct_get_version(gnutls_x509_ct_scts_t scts, unsigned idx,
3959
+				   unsigned int *version_out)
3960
+{
3961
+	int version;
3962
+
3963
+	if (idx >= scts->size)
3964
+		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
3965
+
3966
+	/*
3967
+	 * Currently, only version 1 SCTs are defined (RFC 6962).
3968
+	 * A version 1 SCT has actually the value 0 in the 'version' field.
3969
+	 */
3970
+	version = scts->scts[idx].version;
3971
+	if (version != 0 || version_out == NULL)
3972
+		return -1;
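Review bot: the `return -1` after `if (version != 0 || version_out == NULL)` collapses two different situations, a caller bug (NULL output pointer) and an SCT version the library does not support, into one raw value, while the `idx >= scts->size` check just above already returns a proper GnuTLS constant. Split them so callers can tell the cases apart: validate `version_out` first and return GNUTLS_E_INVALID_REQUEST, then reject `version != 0` with a distinct library code (GNUTLS_E_UNIMPLEMENTED_FEATURE fits the comment's statement that only version 1 SCTs are defined). Whichever constant is chosen, use the same one in the sibling accessors so the API reports an unsupported version consistently.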

@dueno I've looked at them, but I don't know which one would be the most appropriate. Any suggestions?


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Read-only notification of GnuTLS library development activities
GitLab

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c:

3977
+
3978
+int gnutls_x509_ct_sct_v1_get(const gnutls_x509_ct_scts_t scts, unsigned idx,
3979
+			      time_t *timestamp,
3980
+			      gnutls_datum_t *logid,
3981
+			      gnutls_sign_algorithm_t *sigalg,
3982
+			      gnutls_datum_t *signature)
3983
+{
3984
+	int retval = 0;
3985
+	struct ct_sct_st *sct;
3986
+
3987
+	if (idx >= scts->size)
3988
+		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
3989
+
3990
+	sct = &scts->scts[idx];
3991
+	if (sct->version != 0)
3992
+		return -1;
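Review bot: same problem as in gnutls_x509_ct_sct_get_version: `return -1` after `if (sct->version != 0)` is a raw value rather than a GnuTLS error code, and it should be the same constant chosen there so both entry points report an unsupported version identically. The output pointers `timestamp`, `logid`, `sigalg` and `signature` are not NULL-checked in the visible lines; either document that NULL is accepted for fields the caller does not want, or reject it with GNUTLS_E_INVALID_REQUEST before anything is written through them. `retval` is initialised to 0 but not used in the shown part of the hunk; drop the initialiser if it is only assigned later.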

Same here. Any suggestions?



Read-only notification of GnuTLS library development activities
GitLab

Ander Juaristi commented on a discussion on lib/x509/x509_ext.c:

3883
+		_gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING,
3884
+					   ext->data, ext->size, &scts_content,
3885
+					   0);
3886
+	if (retval < 0)
3887
+		return gnutls_assert_val(retval);
3888
+
3889
+	length = _gnutls_read_uint16(scts_content.data);
3890
+	if (length < 4) {
3891
+		gnutls_free(scts_content.data);
3892
+		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
3893
+	}
3894
+
3895
+	ptr = &scts_content.data[2];
3896
+	while (length > 0) {
3897
+		sct_length = _gnutls_read_uint16(ptr);
3898
+		if (sct_length == 0 || sct_length > length)
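Review bot: the outer length field is never reconciled with the decoded buffer. `length = _gnutls_read_uint16(scts_content.data)` is executed before anything confirms `scts_content.size >= 2`, and the `while (length > 0)` loop then trusts `length` (and each `sct_length`) instead of the bytes actually present, so an extension that declares more data than it carries would make `_gnutls_read_uint16(ptr)` read past the end of `scts_content.data`. Add a check along the lines of `if (scts_content.size < 2 || length != scts_content.size - 2)` before the loop, freeing `scts_content.data` on failure exactly as the `length < 4` branch does; the `sct_length > length` guard is correct but only protects anything once `length` itself is bounded by the buffer. Rejecting `sct_length == 0` is right: RFC 6962 section 3.3 declares `SerializedSCT` as `opaque <1..2^16-1>`, so a zero-length entry is malformed rather than an end marker.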

AFAIK sct_length == 0 doesn't indicate end of data. You know you've reached EOD when you've read all the bytes that the length field said there are. While you're reading the SCTs, each SCT has its own length field, which is what we're reading here. And all of these should be greater than zero. AFAIK it is an error to have a zero-length SCT.


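The layout discussed in this thread (a 2-byte list length followed by SCTs that each carry their own 2-byte length, with version 1 encoded as 0 in the first byte of each SCT) can be parsed with every length checked against the bytes actually present. The following is an added example written for this page, not GnuTLS code from the merge request: the function names, the `sct_view` type, the error codes and the sample byte strings are all constructed here, and the only specifics taken from RFC 6962 are the field order of a v1 SCT (version, 32-byte log id, 8-byte timestamp, extensions, signature) and the rule that an SCT length of zero is invalid.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed error codes for this example (not GnuTLS constants). */
#define SCT_OK              0
#define SCT_E_TRUNCATED    -1  /* a declared length exceeds the bytes present   */
#define SCT_E_ZERO_LENGTH  -2  /* an SCT with length 0 (invalid per RFC 6962)  */
#define SCT_E_TRAILING     -3  /* list length field is shorter than the buffer */
#define SCT_E_VERSION      -4  /* version byte is not 0 (the v1 encoding)      */
#define SCT_E_TOO_MANY     -5  /* more entries than the caller's array holds   */

#define MAX_SCTS 16

/* Borrowed view into the caller's buffer: one serialized SCT. */
struct sct_view {
    const uint8_t *data;
    size_t len;
};

static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Parses the contents of the SCT list extension (after the OCTET STRING has
 * been unwrapped) into out[]. Returns the number of SCTs, or a negative code.
 * Every length field is bounded by buflen before it is used to advance. */
int parse_sct_list(const uint8_t *buf, size_t buflen,
                   struct sct_view *out, size_t max_out)
{
    size_t total, pos = 2;
    int count = 0;

    if (buflen < 2)
        return SCT_E_TRUNCATED;
    total = read_u16(buf);
    /* The list length must account for exactly the remaining bytes. */
    if (total > buflen - 2)
        return SCT_E_TRUNCATED;
    if (total < buflen - 2)
        return SCT_E_TRAILING;

    while (pos < buflen) {
        size_t sct_len;

        if (buflen - pos < 2)
            return SCT_E_TRUNCATED;        /* no room for the entry's length */
        sct_len = read_u16(buf + pos);
        if (sct_len == 0)
            return SCT_E_ZERO_LENGTH;      /* not an end marker: malformed   */
        if (sct_len > buflen - pos - 2)
            return SCT_E_TRUNCATED;        /* entry runs past the buffer     */
        if ((size_t)count >= max_out)
            return SCT_E_TOO_MANY;
        out[count].data = buf + pos + 2;
        out[count].len = sct_len;
        count++;
        pos += 2 + sct_len;
    }
    return count;
}

/* Reads the timestamp of a v1 SCT after checking the version byte is 0 and
 * that the fixed-size prefix (version + log id + timestamp) is present. */
int sct_v1_timestamp(const struct sct_view *sct, uint64_t *timestamp_out)
{
    uint64_t ts = 0;
    size_t i;

    if (sct->len < 1 + 32 + 8)
        return SCT_E_TRUNCATED;
    if (sct->data[0] != 0)
        return SCT_E_VERSION;
    for (i = 0; i < 8; i++)
        ts = (ts << 8) | sct->data[1 + 32 + i];
    *timestamp_out = ts;
    return SCT_OK;
}

/* Constructed sample: a list of two SCTs. The first is a well-formed v1 SCT
 * with an all-zero log id; the second is deliberately too short to be v1. */
#define ZERO32 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
static const uint8_t sample_list[] = {
    0x00, 0x38,                 /* list length: 56 bytes follow           */
    0x00, 0x31,                 /* SCT #1 length: 49                      */
    0x00,                       /* version: v1 is encoded as 0            */
    ZERO32,                     /* log id (32 bytes)                      */
    0, 0, 0, 0, 0, 0, 0x04, 0xD2, /* timestamp: 1234 ms since the epoch   */
    0x00, 0x00,                 /* extensions length: 0                   */
    0x04, 0x03,                 /* signature algorithm: sha256 + ecdsa    */
    0x00, 0x02, 0xAA, 0xBB,     /* signature length 2 and sample bytes    */
    0x00, 0x03,                 /* SCT #2 length: 3                       */
    0x00, 0x01, 0x02
};
/* Constructed malformed inputs: a zero-length SCT, and a list that declares
 * 16 bytes but carries only 3. */
static const uint8_t zero_len_list[] = { 0x00, 0x02, 0x00, 0x00 };
static const uint8_t truncated_list[] = { 0x00, 0x10, 0x00, 0x05, 0x01 };

int main(void)
{
    struct sct_view v[MAX_SCTS];
    uint64_t ts;
    int n = parse_sct_list(sample_list, sizeof(sample_list), v, MAX_SCTS);

    printf("sample: %d SCTs\n", n);
    if (n > 0 && sct_v1_timestamp(&v[0], &ts) == SCT_OK)
        printf("SCT #1 timestamp: %llu\n", (unsigned long long)ts);
    printf("zero-length list: %d\n",
           parse_sct_list(zero_len_list, sizeof(zero_len_list), v, MAX_SCTS));
    printf("truncated list: %d\n",
           parse_sct_list(truncated_list, sizeof(truncated_list), v, MAX_SCTS));
    return 0;
}
```

The design point is the one raised in the thread: the parser never advances on a length field it has not first compared against the number of bytes left, and a zero-length entry is reported as an error rather than treated as the end of the list; the end of the list is reached only when the outer length has been consumed exactly.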