[PATCH] ALPN validation fix
Hal Murray
hmurray at megapathdsl.net
Sun Dec 8 12:58:37 UTC 2019
Thanks. Interesting that you are the first to notice. It's been there since
mid September.
> The ALPN validation was broken and would always return "bad". Why NTS works
> anyway I don't know
bool bad = true; /* Always return OK for now. */
Leftover from early ALPN debugging.
> so you can't use strcmp to check
memcpy(buff, data, len);
buff[len] = '\0';
The idea was to turn it into a string so it could be printed and we could use
string routines.
The bug in the old code was that when this area was reworked back in
September, I missed changing the compare to use the new copy.
- if (0 != strcmp((const char*)data, "ntske/1")) {
+ if (0 != strcmp(buff, "ntske/1")) {
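Review bot: the `+` line is correct only because `buff` is NUL-terminated by the preceding `memcpy(buff, data, len); buff[len] = '\0';`, and that pair is itself safe only if `len < sizeof(buff)` is checked first; otherwise the `buff[len]` write lands past the buffer for an over-long ALPN value. Either keep that length guard next to the copy, or drop the string conversion from the compare path and use `len == strlen("ntske/1") && 0 == memcmp(data, "ntske/1", len)`, which needs no terminator at all.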
So it would work if the next byte in data was a 0 which seemed to happen on
many of my systems. (Interesting how long it took me to figure that out.)
+ strlcpy(buff, (const char *)data, sizeof(buff));
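Review bot: `strlcpy` bounds the destination but not the source: it reads `data` until it finds a NUL, and the ALPN selection is a length-delimited slice with no guarantee of one, so `sizeof(buff)` does not prevent a read past the end of `data`. Copy exactly `len` bytes with `memcpy` after checking `len < sizeof(buff)`, then terminate with `buff[len] = '\0'`.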
That can run off the end of data.
I think there are two approaches. One is to convert data to a string, then
use string routines. The other is to use memcmp, then convert to a string if
you want to print it. The latter seemed cleaner to me since there is only one
place where it gets printed.
I also got rid of "bad" and added a special case check for OK if no ALPN when
using TLSv1.2.
The current code now requires ALPN if using TLSv1.3. *******
--
These are my opinions. I hate spam.
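The checks discussed in the message (a length-bounded memcmp against "ntske/1", no-ALPN tolerated only for TLSv1.2, and conversion to a C string only at the one place it is printed), written out as an added example; this is not NTPsec's code. The TLS version constants are defined locally with the same values as OpenSSL's TLS1_2_VERSION and TLS1_3_VERSION so the file builds without OpenSSL headers, and the sample wire bytes are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NTPsec's code.  Same values as OpenSSL's
 * TLS1_2_VERSION / TLS1_3_VERSION, defined here to avoid the dependency. */
#define EX_TLS1_2_VERSION 0x0303
#define EX_TLS1_3_VERSION 0x0304

static const char NTSKE_ALPN[] = "ntske/1";

/* Compare the negotiated ALPN protocol (a length-delimited byte slice, NOT a
 * C string) against "ntske/1" without ever reading past data + len.  Any
 * length mismatch is a mismatch, so "ntske/10" and "ntske/" are both rejected. */
bool alpn_matches(const unsigned char *data, unsigned int len)
{
    size_t want = sizeof(NTSKE_ALPN) - 1;   /* 7 bytes, NUL excluded */
    if (data == NULL || len != want)
        return false;
    return memcmp(data, NTSKE_ALPN, want) == 0;
}

/* Policy from the message: a missing ALPN is accepted only under TLSv1.2;
 * TLSv1.3 must carry ALPN and it must be "ntske/1". */
bool alpn_ok(int tls_version, const unsigned char *data, unsigned int len)
{
    if (data == NULL || len == 0)
        return tls_version == EX_TLS1_2_VERSION;
    return alpn_matches(data, len);
}

/* Turn the slice into a NUL-terminated string only when it is to be printed.
 * The copy is bounded by len and by the destination size; on a slice that
 * would not fit, writes an empty string and returns false. */
bool alpn_to_string(const unsigned char *data, unsigned int len,
                    char *buff, size_t buffsize)
{
    if (buffsize == 0)
        return false;
    if (data == NULL || len >= buffsize) {
        buff[0] = '\0';
        return false;
    }
    memcpy(buff, data, len);
    buff[len] = '\0';
    return true;
}

int main(void)
{
    /* Constructed input: "ntske/1" followed by non-NUL bytes, the way a
     * length-delimited slice can sit in memory (no terminator after it). */
    const unsigned char wire[] = { 'n','t','s','k','e','/','1', 'X','Y','Z' };
    char buff[32];

    printf("exact match: %d\n", alpn_matches(wire, 7));
    printf("over-long:   %d\n", alpn_matches(wire, 8));
    printf("truncated:   %d\n", alpn_matches(wire, 6));
    printf("1.2 no ALPN: %d\n", alpn_ok(EX_TLS1_2_VERSION, NULL, 0));
    printf("1.3 no ALPN: %d\n", alpn_ok(EX_TLS1_3_VERSION, NULL, 0));
    if (alpn_to_string(wire, 7, buff, sizeof(buff)))
        printf("printable:   %s\n", buff);
    return 0;
}
```

The compare path never depends on a terminator, so the "works when the next byte happens to be 0" behaviour described above cannot occur; the string copy is isolated in `alpn_to_string`, where both the source length and the destination size are checked before any byte is written.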