-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Broken code in lib/vtls/x509asn1.c Curl_verifyhost #10163
Comments
Meh, I was twiddling with codeformattting and ended up with the wrong patch =( This codepath only compiles and runs for GSKit which makes it quite rare. Thanks for spotting it.
Is there valid input which can produce an empty string be returned from
I think the easiest solution is to fix the issue by apply the following:
|
That's beside the point. The original fix was for scenario that didn't happen anyway, so fixing it with another actually buggy version (even if rarely if ever occurring) is suboptimal.
There is no need for it. I'd just make the code call The premise:
...is faulty in a way that it does return NULL on failures. There is no chance of double free. I do agree that there was an obviously unnecessary free call in the 2nd part of the patch and I see no problem with removing that. |
Maybe this is a hint that we should drop support for this platform as it clearly is not tested much. Not even a single user has reported this problem nine days after the release... |
On 30 Dec 2022, at 16:02, Daniel Stenberg ***@***.***> wrote:
Maybe this is a hint that we should drop support for this platform as it clearly is not tested much. Not even a single users has reported this problem nine days after the release...
That’s my thinking as well, fix it for next and deprecate by 8 or just rip it for next?
|
As per our deprecation procedure, we add a mention to the |
Ref: #10163 - This is a niche TLS library, only running on some IBM systems - no regular curl contributors use this backend - no CI builds use or verify this backend - gskit, or the curl adaption for it, lacks many modern TLS features making it an inferior solution - build breakages in this code take weeks or more to get detected - fixing gskit code is mostly done "flying blind" Closes #10201
For the last 5 years I have been building and testing new Curl releases on OS400 and usually raise and fix issues usually within a day (or two) of a release, unfortunately 7.87 dropped a couple of days after I'd already turned my work laptop off for the duration of the 2022 Christmas holidays. I missed this and I am only just picking up this new release today, I do appreciate that this issue has already been found/closed already so I can apply the patch :-) The IBM GSKit runtime is available on many other non-IBM platforms other than OS400/AIX & z/OS, including various flavours of Linux, Windows, Mac, etc and it does provide support all modern TLS features - even if the lib/vtls/gskit.c code has not yet implemented them. I do however acknowledge that the GSKit developer kit and header files that would be necessary for anyone to build with GSKit backend on other platforms are not made publicly available (only on OS400) and so that raises issues with maintaining GSKit on just the OS400 platform in this project. I will need to plan to mitigate the impact of this deprecation. Would it be a safe assumption that CURLSSLBACKEND_GSKIT will continue be defined/reserved? This seems to have been true for previous deprecations of POLARSSL, AXTLS and MESALINK. |
First: nothing has changed yet and nothing will change until earliest the date mentioned in The concerns I express about the gskit support are real. If they would be addressed in suitable ways, I think we can discuss how the future should look like.
Yes, we cannot change that without breaking the ABI so it is there to stay. |
This reverts commit 6b19247. Fixes curl#10163 Closes curl#10207
Ref: curl#10163 - This is a niche TLS library, only running on some IBM systems - no regular curl contributors use this backend - no CI builds use or verify this backend - gskit, or the curl adaption for it, lacks many modern TLS features making it an inferior solution - build breakages in this code take weeks or more to get detected - fixing gskit code is mostly done "flying blind" Closes curl#10201
Description
Curl_verifyhost
has some broken code due to recent code shuffling. The issue is visible here:https://github.com/curl/curl/blob/curl-7_87_0/lib/vtls/x509asn1.c#L1355
The code doesn't compile and it also leaks some memory for empty ("") strings if parenthesis are added. The issue was introduced by commit 6b19247
The easiest solution is to revert the first section of the patch. Note how
utf8asn1str
always sets the pointer to NULL on error.curl/libcurl version
curl-7_87_0 tag
The text was updated successfully, but these errors were encountered: