Tuesday, May 10, 2011

is really gnutls considered harmful?

A comment made few years ago by Howard Chu, the developer of openldap, seems to be being repeated by people, ignorant of the issue, as an argument against GnuTLS. It is the sad truth however that this comment is and was wrong back then. I had commented back then stating the facts and why I thought Howard came up to that conclusion.

So what is the issue? Howard claims that GnuTLS makes liberal use of strcpy(), strcat() and strlen(). Those functions are known to be responsible for several attacks via buffer overflows in current programs. In GnuTLS however we had few vulnerabilities (discussed in our security advisories page) but none of them was a buffer overflow. Why is that? Because we don't use strcpy() and strcat() liberally. We don't use them with data originated from the network or the user or without checking boundaries. GnuTLS includes a custom string library, the gnutls_buffer_st interface in gnutls_str, which is used in most of the cases.

So why was Howard concerned about our liberal use of strcpy() and strcat()? We do use those functions, but for static string copying and for strings originating within the library. E.g. our ASN.1 library requires to identify objects a string of the form "PKIX1.CRLDistributionPoints.?1.distributionPoint.fullName" or "PKIX1.CRLDistributionPoints.?5.distributionPoint.fullName". Thus in several occasions we do something like
char str[256];

gnutls_str_cpy(str, sizeof(str), "PKIX1.CRLDistributionPoints.");
gnutls_str_cat(str, sizeof(str), "?1.distributionPoint.fullName");
Our version of strcpy() and strcat() provide a safer wrapper function over the libc function, that will never overflow the destination string. Other cases include strings that are locally generated and controlled. Thus seeing strcpy() or strcat() in a program does not mean that it is vulnerable to buffer overflow attacks. Two things are also required, user or network input to be involved and bound checking not to be done. As far as we know neither is or was true for GnuTLS.

Of course noone is claiming that GnuTLS is perfect and bug-free. No software is bug-free and don't believe anyone claiming it. My claim is that the specific critique is invalid.


No comments:

Post a Comment