Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 411103

Summary: net-libs/polarssl: cannot load the ca-certificates.crt
Product: Gentoo Linux Reporter: Anthony Basile <blueness>
Component: [OLD] LibraryAssignee: Thomas Sachau <tommy>
Status: RESOLVED TEST-REQUEST    
Severity: normal CC: gregkh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://polarssl.org/trac/ticket/57
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 503610    

Description Anthony Basile gentoo-dev 2012-04-07 05:00:38 UTC 
While I didn't dive into the code, it looks like polarssl does not have a big enough buffer to read in ca-certificates.crt.  This causes a problem with applications like curl that can link to polarssl as an ssl provider, but giving the option  --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt to curl means you hit the same problem.  You can produce this problem using one of the bundled examples:

polarssl_ssl_client2 server_name=bugs.gentoo.org server_port=443 ca_file=/etc/ssl/certs/ca-certificates.crt 

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... failed
  !  x509parse_crt returned 8

Last error was: 8 - BIGNUM - The buffer is too small to write to


However, if you change ca_file to some other smaller pem, it works.

I know polarssl aims to have a small footprint for embedded systems, but this buffer size should be a configurable option as it is in, say axTLS, which also aims at embedded systems.

Reproducible: Always
Comment 1 Anthony Basile gentoo-dev 2012-04-09 13:28:50 UTC 
Issue pursued upstream.  A bit of background as to why this is useful: curl allows multiple backend ssl providers.  If one configures curl to use polarssl and feeds it --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt, then you hit the problem.
Comment 2 Anthony Basile gentoo-dev 2012-05-17 13:49:26 UTC 
@Tommy[D], take a look at upstream.  This was not an enhencement, but an actual bug. I mistakingly thought that the buffer was not large enough as the error message suggested, but in fact the buffer is dynamically allocated as one would expect.  Its the return value that is not handled properly.  I never had time to jump into the C to look at it and just assumed that they'd set a limit to the buffer because of memory tight embedded systems.
Comment 3 Anthony Basile gentoo-dev 2012-05-25 14:55:22 UTC 
Upstream has pushed the change: http://polarssl.org/trac/changeset/1281
Comment 4 Julian Ospald 2014-03-06 02:08:52 UTC 
is this still an issue?