GnuTLS certificates can be bigger than MAX_X509_CERT #14352

Closed
sergiodj opened this issue Aug 2, 2024 · 3 comments
sergiodj commented Aug 2, 2024

I did this

We've received the following bug in Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076800

We are linking curl against GnuTLS, and the following error started happening:

```
# curl -w '%{size_header}' https://feeds2.feedburner.com/OreillyConferencesOSCON
curl: (100) Failed extracting certificate chain
```

I expected the following

When using curl linked against OpenSSL, I see:

```
$ curl -w '%{size_header}' https://feeds2.feedburner.com/OreillyConferencesOSCON
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:georss="http://www.georss.org/georss" xmlns:twitter="http://api.twitter.com" version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Twitter / oscon</title>
    <link>http://twitter.com/oscon</link>
    <atom:link rel="self" href="http://api.twitter.com/1/statuses/user_timeline.rss?screen_name=oscon" type="application/rss+xml"/>
    <description>Twitter updates from O'Reilly OSCON / oscon.</description>
    <language>en-us</language>
    <ttl>40</ttl>
  <item>
    <title>oscon: Easily Invoke Common Protocols with Twisted - Spin up Python-friendly services with 0 lines of code http://t.co/29oTkk0isW</title>
...
  </channel>
</rss>
1494
```

The output above has been truncated for readability.

curl/libcurl version

curl 8.9.1

operating system

Debian unstable

@icing icing self-assigned this Aug 2, 2024
sergiodj commented Aug 2, 2024

After some investigation, I noticed that the problem is happening on Curl_extract_certinfo. Specifically, the following excerpts:

```c
Curl_dyn_init(&out, MAX_X509_STR);
```

curl/lib/vtls/x509asn1.c

Lines 1235 to 1252 in 45246eb

```c
result = Curl_dyn_add(&out, "-----BEGIN CERTIFICATE-----\n");
if(!result) {
  size_t j = 0;
  while(!result && (j < clen)) {
    size_t chunksize = (clen - j) > 64 ? 64 : (clen - j);
    result = Curl_dyn_addn(&out, &certptr[j], chunksize);
    if(!result)
      result = Curl_dyn_addn(&out, "\n", 1);
    j += chunksize;
  }
  if(!result)
    result = Curl_dyn_add(&out, "-----END CERTIFICATE-----\n");
}
free(certptr);
if(!result)
  if(data->set.ssl.certinfo)
    result = ssl_push_certinfo_dyn(data, certnum, "Cert", &out);
```

The certificate we get from the website has a size that's much bigger than MAX_X509_STR.
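To make the failure mode concrete, here is an added example (not curl's own code) that re-implements the 64-column PEM wrapping from the excerpt above over a minimal capped buffer standing in for dynbuf; the 10000 and 100000 limits are assumed from this thread, and the base64 body is a constructed string of 'A' bytes rather than a real certificate.

```c
/* Added illustration, not curl's own code: a minimal capped buffer in the
 * spirit of curl's dynbuf, showing why the PEM wrapping excerpted from
 * Curl_extract_certinfo fails once the wrapped certificate exceeds the cap.
 * The two limits below are assumed from the issue discussion. */
#include <stdlib.h>
#include <string.h>

#define MAX_X509_STR   10000   /* cap in use when the bug appeared */
#define MAX_X509_CERT 100000   /* cap proposed by the fix */

struct capbuf { char *p; size_t len, max; };

/* Append n bytes; fail (non-zero) if the cap would be exceeded. */
static int capbuf_addn(struct capbuf *b, const char *s, size_t n) {
    if (b->len + n + 1 > b->max) return 1;
    char *np = realloc(b->p, b->len + n + 1);
    if (!np) return 1;
    memcpy(np + b->len, s, n);
    b->p = np; b->len += n; b->p[b->len] = '\0';
    return 0;
}

/* PEM-wrap base64 text into 64-column lines, as the issue's excerpt does.
 * Returns the wrapped length, or (size_t)-1 if the cap was hit. */
static size_t pem_wrap(const char *b64, size_t clen, size_t cap, char **out) {
    struct capbuf b = { NULL, 0, cap };
    size_t j = 0;
    int result = capbuf_addn(&b, "-----BEGIN CERTIFICATE-----\n", 28);
    while (!result && j < clen) {
        size_t chunk = (clen - j) > 64 ? 64 : (clen - j);
        result = capbuf_addn(&b, b64 + j, chunk);
        if (!result) result = capbuf_addn(&b, "\n", 1);
        j += chunk;
    }
    if (!result) result = capbuf_addn(&b, "-----END CERTIFICATE-----\n", 26);
    if (result) { free(b.p); *out = NULL; return (size_t)-1; }
    *out = b.p;
    return b.len;
}

/* Wrap a constructed body of clen 'A' bytes (stand-in for real base64 data)
 * under the given cap; returns the wrapped length or -1 on failure. */
static long wrap_len(size_t clen, size_t cap) {
    char *b64 = malloc(clen + 1), *out = NULL;
    memset(b64, 'A', clen); b64[clen] = '\0';
    size_t n = pem_wrap(b64, clen, cap, &out);
    free(b64); free(out);
    return n == (size_t)-1 ? -1 : (long)n;
}
```

A 12800-byte base64 body wraps to 13054 bytes, which exceeds the 10000 cap and fails exactly as the chunking loop in the excerpt does, while the same input fits under the 100000 cap.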

sergiodj pushed a commit to sergiodj/curl that referenced this issue Aug 2, 2024
When using GnuTLS we may see certificates whose sizes are bigger than
10000, so use MAX_X509_CERT as the maximum dynbuf size (instead of
MAX_X509_STR).

Closes: curl#14352

Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net>
icing commented Aug 2, 2024

Can reproduce. Analyzing the cause.

icing added a commit to icing/curl that referenced this issue Aug 2, 2024
Raise the limit for certification information from 10 thousand to
100 thousand bytes. Certificates can be larger than 10k.

Change the infof() debug output to add '...' at the end when the
max limit it can handle is exceeded.

Refs curl#14352
icing commented Aug 2, 2024

I propose #14354 as fix for this. Could you verify?
