<div dir="ltr">Hi all,<div><br></div><div>I found the bug that was preventing certificate validation for certs without sAN from working. I've corrected the patchset (attached). (The bug was that the extensions was incorrectly always being flagged as enabled even if the parse failed).</div>
<div><br></div><div>Please let me know if you find any further issues.</div><div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 1, 2013 at 4:33 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Can you reproduce against a public cert so that I can test with it? That code path should be getting called unless the extensions is being detected, and this seems to imply the cert claims its presence but does not have any values.<div>
<br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 1, 2013 at 4:31 PM, Jarrod Johnson <span dir="ltr"><<a href="mailto:jarrod.b.johnson@gmail.com" target="_blank">jarrod.b.johnson@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>So I found a bug, it's probably easy to fix but I've about burned out my brain making TLS work in EFI mode.<br>
<br>assert(((&cert->extensions.subject_alt_name.names))->prev != NULL) failed at net/tls.c line 2449<br>
assert(((&cert->extensions.subject_alt_name.names))->next != NULL) failed at net/tls.c line 2449<br>assert(((&cert->extensions.subject_alt_name.names))->next->prev == ((&cert->extensions.subject_alt_name.names))) failed at net/tls.c line 2449<br>
assert(((&cert->extensions.subject_alt_name.names))->prev->next == ((&cert->extensions.subject_alt_name.names))) failed at net/tls.c line 2449<br>assert((((&cert->extensions.subject_alt_name.names)->next)) != NULL) failed at net/tls.c line 2449<br>
<br></div>My cert has no alt names.<br></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 1, 2013 at 1:10 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I'm still interested in getting these patches merged, so I'd appreciate review comments.</div>
<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Oct 15, 2013 at 4:31 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Just finished testing the OCSP patch, it applies on top of the previous 3, hence the 4/4 in the subject.<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div><div><div>
<div class="gmail_extra"><br><br>
<div class="gmail_quote">On Tue, Oct 15, 2013 at 4:16 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Ken,<div><br></div><div>You're correct, looks like I typo'd something while preparing the patches. Here's an updated copy of the patchset. I've also found an issue in the OCSP code while doing this testing, a patch likely forthcoming.</div>
<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 15, 2013 at 2:13 PM, Ken Simon <span dir="ltr"><<a href="mailto:ninkendo@gmail.com" target="_blank">ninkendo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Alex,<br>
<br>
I think there's a typo in your implementation of dns_wildcard_matcher:<br>
<br>
+ const char* first_dot = strchr (dns, '*') ;<br>
<br>
you probably want:<br>
<br>
+ const char* first_dot = strchr (dns, '.') ;<br>
<br>
Fixing the patch in that way I was able to get wildcard certificates<br>
to work with iPXE.<br>
<br>
--<br>
Ken<br>
_______________________________________________<br>
ipxe-devel mailing list<br>
<a href="mailto:ipxe-devel@lists.ipxe.org" target="_blank">ipxe-devel@lists.ipxe.org</a><br>
<a href="https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel" target="_blank">https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
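Ken's correction above (cut the certificate name on its first '.', not on '*') is easy to see in a small stand-alone matcher. The C below is an added example written for this thread, not iPXE's dns_wildcard_matcher or any code from the attached patchset; the function name and the extra split parameter are assumptions, the latter present only so the typo's effect can be exercised next to the fix.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example (not iPXE's dns_wildcard_matcher): match a hostname
 * against a certificate DNS name whose leftmost label may be "*".
 * 'split' is the character the pattern is cut on: '.' is the fix Ken
 * describes; passing '*' reproduces the typo he reported.  Returns 1
 * on match, 0 otherwise. */
static int wildcard_match ( const char *dns, const char *host, char split ) {
	const char *first_dot;
	const char *host_dot;

	/* Exact (case-insensitive) match needs no wildcard handling */
	if ( strcasecmp ( dns, host ) == 0 )
		return 1;
	/* Only a leftmost label consisting solely of "*" may be a wildcard */
	if ( dns[0] != '*' )
		return 0;
	/* With split == '*' this points at dns[0], so every wildcard
	 * certificate is rejected: exactly the symptom Ken hit. */
	first_dot = strchr ( dns, split );
	if ( ( first_dot != &dns[1] ) || ( first_dot[1] == '\0' ) )
		return 0;
	/* The wildcard must stand in for exactly one non-empty host label */
	host_dot = strchr ( host, '.' );
	if ( ( host_dot == NULL ) || ( host_dot == host ) )
		return 0;
	/* Remaining labels must match exactly; no multi-level matches */
	return ( strcasecmp ( first_dot, host_dot ) == 0 );
}

int main ( void ) {
	/* Constructed sample values, not from any real certificate */
	const char *pattern = "*.example.com";
	const char *hosts[] = { "host.example.com", "a.b.example.com",
				"example.com" };
	unsigned int i;

	for ( i = 0 ; i < ( sizeof ( hosts ) / sizeof ( hosts[0] ) ) ; i++ ) {
		printf ( "%-18s fixed('.')=%d typo('*')=%d\n", hosts[i],
			 wildcard_match ( pattern, hosts[i], '.' ),
			 wildcard_match ( pattern, hosts[i], '*' ) );
	}
	return 0;
}
```

With the typo, no wildcard name ever matches, which is why Ken saw wildcard certificates start working only after the one-character change.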