Certificate Verification Issue - GnuTLS (gnutls.org)
71 points by d0ne on Mar 4, 2014 | hide | past | favorite | 13 comments

@0xabad1dea's excellent sketch analysis[0] explains the root cause of the problem better than the confusing gitorious UI with the diff[1].

[0] http://imgur.com/UqAkZS7

[1] https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150cc...

I like how, as part of the fix, they've renamed the "cleanup" label to "fail".

They haven't -- the cleanup label is still there. They added a `fail` label which explicitly sets the result variable to 0.

One of his complaints is that they aren't using bools, when bools don't exist in C.

Sure they do, since C99. Section 7.16

Even before then, C had the concept of a boolean expression, and ints were used idiomatically as bools.

Unfortunately, the type system can't save you, so it's up to you to keep your promise to return the correct thing. Not even C99 can save you:

    $ cat booltest.c
    #include <stdio.h>
    #include <stdbool.h>
    bool moo() {
        int rv = -1;      /* a negative "error code", not a truth value */
        return rv;        /* converted to bool: any nonzero value becomes true */
    }
    int main(int argc, char *argv[]) {
        printf("moo() returned %s\n", moo() ? "TRUE" : "FALSE");
        return 0;
    }
    $ clang -std=c99 -o booltest booltest.c -Wall

I'm usually not much of a Java fan, but making bool a stricter type was a good change. I always write my C code as if it had the same rules. For example, if you have:

    bool b;
    int i;
    unsigned u;
    void *p;
You could write code that looked like:

    if (b && i && u && p)
...and some people would even consider that idiomatic. I'd write the same test as:

    if (b && (i != 0) && (u > 0) && (p != NULL))
which is a little longer but, IMO, clearer. If the compiler enforced that style this family of bugs would happen a lot less.

In a similar vein, I wish enums had strict conversion rules. C++11 finally gives us that with "enum class", but I don't think anything similar exists in C.

I'm pretty sure that's just chars and a little pre-processor hand waving.

If by "he" you mean the person who drew the picture:

First, I absolutely LOVE it when people assume I'm a dude. Plot twist: no I don't. If you don't know someone's gender, getting it wrong with an assumption is a good way to hack them off.

Second: the function is explicitly prototyped as returning bool (I highlighted this in neon green) which means caller expects true or false. It returns a negative value that is not intended to represent either true or false but a detailed error code. THAT IS THE BUG.
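The bug described in this thread, as an added C example that is not from the GnuTLS code or the linked sketch: a hypothetical check routine that returns 1 for pass, 0 for fail, or a negative error code, wrapped once the buggy way (a bool-returning function that passes the int straight through) and once the fixed way. The function names and the error code are made up for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical error code, following the negative-error convention discussed above. */
#define ERR_BAD_SIG (-3)

/* Hypothetical inner check: 1 = signature OK, 0 = signature wrong,
   negative = could not even evaluate it (e.g. malformed certificate). */
static int check_signature(int cert_state) {
    if (cert_state < 0) return ERR_BAD_SIG;   /* an error, not a verdict */
    return cert_state == 1 ? 1 : 0;
}

/* Buggy pattern: prototyped as bool, but the negative error code is returned
   as-is. Converting -3 to bool yields true, so the caller's
   if (verify_cert_buggy(...)) treats "could not verify" as "verified". */
bool verify_cert_buggy(int cert_state) {
    int rv = check_signature(cert_state);
    return rv;
}

/* Fixed pattern: anything other than an explicit 1 is a failure,
   which covers 0 and every negative error code. */
bool verify_cert_fixed(int cert_state) {
    int rv = check_signature(cert_state);
    if (rv != 1) return false;
    return true;
}

int main(void) {
    int inputs[] = {1, 0, -1};
    for (int i = 0; i < 3; i++) {
        printf("state %2d: buggy=%s fixed=%s\n", inputs[i],
               verify_cert_buggy(inputs[i]) ? "TRUE" : "FALSE",
               verify_cert_fixed(inputs[i]) ? "TRUE" : "FALSE");
    }
    return 0;
}
```

For the malformed input (-1) the buggy wrapper reports TRUE while the fixed one reports FALSE; the two agree on the 1 and 0 cases.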

If bools don't exist in C then neither does strlen, gahh.

Is this really another problem with poorly written gotos?

No, see my link above. Goto is not the bug.

I find the language "how to mitigate the attack" completely offensive.

How about "how to verify a certificate?" Or better "how to write C code"

This is a scandal. Stop.

