[PATCH] ALPN validation fix

Hal Murray hmurray at megapathdsl.net
Sun Dec 8 12:58:37 UTC 2019

Thanks.  Interesting that you are the first to notice.  It's been there since 
mid September.

> The ALPN validation was broken and would always return "bad".  Why NTS works
> anyway I don't know
       bool bad = true;  /* Always return OK for now. */
Leftover from early ALPN debugging.

> so you can't use strcmp to check
       memcpy(buff, data, len);
       buff[len] = '\0';
The idea was to turn it into a string so it could be printed and we could use 
string routines.

The bug in the old code was that when this area was reworked back in 
September, I missed changing the compare to use the new copy.
-	if (0 != strcmp((const char*)data, "ntske/1")) {
+	if (0 != strcmp(buff, "ntske/1")) {
So it would work if the next byte in data was a 0 which seemed to happen on 
many of my systems.  (Interesting how long it took me to figure that out.)

+		strlcpy(buff, (const char *)data, sizeof(buff));
That can run off the end of data.

I think there are two approaches.  One is to convert data to a string, then 
use string routines.  The other is to use memcmp, then convert to a string if 
you want to print it.  The latter seemed cleaner to me since there is only one 
place where it gets printed.

I also got rid of "bad" and added a special case check for OK if no ALPN when 
using TLSv1.2.

The current code now requires ALPN if using TLSv1.3.  *******

These are my opinions.  I hate spam.

More information about the devel mailing list