
_gnutls_hostname_compare() was incredibly slow when over ten wildcards were present. Set a limit on 6 wildcards to avoid any denial of service attack. Reported by Kalle Olavi Niemitalo.
1 parent 12c0389 commit 05d654f81bbab1dfd9b75a4375804cceb1808873 @nmav nmav committed May 5, 2011
Showing with 14 additions and 7 deletions.
  1. +1 −0 THANKS
  2. +9 −3 lib/gnutls_str.c
  3. +1 −1 lib/gnutls_str.h
  4. +1 −1 lib/openpgp/pgp.c
  5. +2 −2 lib/x509/rfc2818_hostname.c
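--- a/THANKS
+++ b/THANKS
@@ -112,6 +112,7 @@ Micah Anderson <micah [at] riseup.net>
 Michael Rommel <rommel [at] layer-7.net>
 Mark Brand <mabrand [at] mabrand.nl>
 Vitaly Kruglikov <vitaly.kruglikov [at] palm.com>
+Kalle Olavi Niemitalo <kon [at] iki.fi>
 ----------------------------------------------------------------------
 Copying and distribution of this file, with or without modification,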
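--- a/lib/gnutls_str.c
+++ b/lib/gnutls_str.c
@@ -530,12 +530,18 @@ _gnutls_hex2bin (const opaque * hex_data, int hex_size, opaque * bin_data,
 * return 1 on success or 0 on error
 *
 * note: certnamesize is required as X509 certs can contain embedded NULs in
- * the strings such as CN or subjectAltName
+ * the strings such as CN or subjectAltName.
+ *
+ * @level: is used for recursion. Use 0 when you call this function.
 */
 int
 _gnutls_hostname_compare (const char *certname,
- size_t certnamesize, const char *hostname)
+ size_t certnamesize, const char *hostname, int level)
 {
+
+ if (level > 5)
+ return 0;
+
 /* find the first different character */
 for (; *certname && *hostname && c_toupper (*certname) == c_toupper (*hostname);
 certname++, hostname++, certnamesize--)
@@ -555,7 +561,7 @@ _gnutls_hostname_compare (const char *certname,
 while (1)
 {
 /* Use a recursive call to allow multiple wildcards */
- if (_gnutls_hostname_compare (certname, certnamesize, hostname))
+ if (_gnutls_hostname_compare (certname, certnamesize, hostname, level+1))
 return 1;
 /* wildcards are only allowed to match a single domain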
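Review bot: The new guard `if (level > 5) return 0;` makes a certificate name with more than six wildcards fail closed with the same return value as an ordinary mismatch, and neither the guard nor the new `@level` doc line says so; a comment on the guard such as `/* Bound the wildcard recursion: deeper than 6 wildcards is treated as a mismatch rather than matched, to prevent the exponential-time DoS. */` and a mention of the limit in the header comment would make that visible. The literal 5 is a magic number that a reader of lib/gnutls_str.h cannot discover; a named constant (a constructed name like `MAX_WILDCARD_DEPTH`) placed next to `MAX_CN` in the header would keep the limit visible where the prototype is declared. The guard bounds recursion depth but not the per-position loop under `while (1)`, so whether the remaining worst case is acceptable depends on the loop body, which continues past the hunk; the end of _gnutls_hostname_compare is outside the hunk as well.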
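--- a/lib/gnutls_str.h
+++ b/lib/gnutls_str.h
@@ -95,7 +95,7 @@ int _gnutls_hex2bin (const opaque * hex_data, int hex_size, opaque * bin_data,
 size_t * bin_size);
 int _gnutls_hostname_compare (const char *certname, size_t certnamesize,
- const char *hostname);
+ const char *hostname, int level);
 #define MAX_CN 256
 #define BUFFER_APPEND(b, x, s) { \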
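Review bot: The new `level` parameter on the prototype carries no documentation, so a caller reading only the header cannot tell that 0 is the only value it should pass and that the function recurses with larger values itself; a comment on the declaration such as `/* level: pass 0; incremented internally to bound wildcard recursion */` would state the contract where it is declared. The only explanation of the parameter lives in the comment block in lib/gnutls_str.c.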
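--- a/lib/openpgp/pgp.c
+++ b/lib/openpgp/pgp.c
@@ -595,7 +595,7 @@ gnutls_openpgp_crt_check_hostname (gnutls_openpgp_crt_t key,
 the terminating zero. */
 dnsnamesize--;
- if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
 return 1;
 }
 }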
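--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -75,7 +75,7 @@ gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname)
 if (ret == GNUTLS_SAN_DNSNAME)
 {
 found_dnsname = 1;
- if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
 {
 return 1;
 }
@@ -95,7 +95,7 @@ gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname)
 return 0;
 }
- if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
 {
 return 1;
 }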
