Started by upstream project "gerrit-osmo-pcap" build number 261261gerrit-osmo-pcapjob/gerrit-osmo-pcap/COMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42849GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER4GERRIT_PATCHSET_REVISION603c1e44f9e751f6949fa43bc9ac9580235427c2GERRIT_PATCHSET_UPLOADER_NAMEfixeriaGERRIT_PORT29418GERRIT_PROJECTosmo-pcapGERRIT_REFSPECrefs/changes/49/42849/4GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/osmo-pcapPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap/261/PROJECT_NAMEosmo-pcapBRANCH_CImaster00001011631011631.066376637010780064966496261603c1e44f9e751f6949fa43bc9ac9580235427c2603c1e44f9e751f6949fa43bc9ac9580235427c2master603c1e44f9e751f6949fa43bc9ac9580235427c2603c1e44f9e751f6949fa43bc9ac9580235427c2master603c1e44f9e751f6949fa43bc9ac9580235427c2603c1e44f9e751f6949fa43bc9ac9580235427c2masterssh://jenkins@gerrit.osmocom.org:29418/osmo-pcaphttps://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap-build/lastStableBuild/artifacthttps://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap-build/changeshttps://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap-build/lastStableBuild/https://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap-build/lastStableBuild/testReportfalse#261101163101162gerrit-osmo-pcap-build #261261falsefalse261150491SUCCESS1782202718386https://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap-build/261/- src/osmo_tls.cinclude/osmo-pcap/osmo_tls.h603c1e44f9e751f6949fa43bc9ac9580235427c21782202687000https://jenkins.osmocom.org/jenkins/user/fixeriaVadim Yanitskiyvyanitskiy@sysmocom.detls: fix broken certificate hostname verification
verify_cert_cb() retrieved the gnutls session pointer and passed it to
gnutls_certificate_verify_peers3() as the expected hostname. But the
session pointer is set to the osmo_tls_session struct (it is needed by
cert_callback()), not a hostname string. Hostname matching was
therefore performed against raw struct bytes, rendering verification
meaningless and potentially reading out of bounds, even when
"tls verify-cert" was enabled.
Store the configured hostname in struct osmo_tls_session and have
verify_cert_cb() read it from there. Also drop the stray
gnutls_certificate_verify_peers3() call in the client setup: it ran
before any handshake (so there were no peer certificates yet) and its
result was ignored; the real verification happens via the registered
callback during the handshake.
Change-Id: If64950a698bfcfbf556a37ef1be3e68abc124384
AI-Assisted: yes (Claude)
2026-06-23 08:18:07 +0000603c1e44f9e751f6949fa43bc9ac9580235427c2tls: fix broken certificate hostname verificationeditsrc/osmo_tls.ceditinclude/osmo-pcap/osmo_tls.h
githttps://jenkins.osmocom.org/jenkins/user/fixeriaVadim YanitskiyfixeriaCOMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42849GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER4GERRIT_PATCHSET_REVISION603c1e44f9e751f6949fa43bc9ac9580235427c2GERRIT_PATCHSET_UPLOADER_NAMEfixeriaGERRIT_PORT29418GERRIT_PROJECTosmo-pcapGERRIT_REFSPECrefs/changes/49/42849/4GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/osmo-pcapPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap/261/PROJECT_NAMEosmo-pcapBRANCH_CImasterStarted by upstream project "gerrit-osmo-pcap-build" build number 261261gerrit-osmo-pcap-buildjob/gerrit-osmo-pcap-build/00392383923860577605771.0000261603c1e44f9e751f6949fa43bc9ac9580235427c2603c1e44f9e751f6949fa43bc9ac9580235427c2master603c1e44f9e751f6949fa43bc9ac9580235427c2603c1e44f9e751f6949fa43bc9ac9580235427c2master603c1e44f9e751f6949fa43bc9ac9580235427c2603c1e44f9e751f6949fa43bc9ac9580235427c2masterssh://jenkins@gerrit.osmocom.org:29418/osmo-pcapfalse#2616057761255gerrit-osmo-pcap-build ยป a1=default,a2=default,a3=default,a4=default,osmocom-gerrit #261261falsefalse261150492SUCCESS1782202718386https://jenkins.osmocom.org/jenkins/job/gerrit-osmo-pcap-build/a1=default,a2=default,a3=default,a4=default,label=osmocom-gerrit/261/build4-deb12build-ansible- src/osmo_tls.cinclude/osmo-pcap/osmo_tls.h603c1e44f9e751f6949fa43bc9ac9580235427c21782202687000https://jenkins.osmocom.org/jenkins/user/fixeriaVadim Yanitskiyvyanitskiy@sysmocom.detls: fix broken certificate hostname verification
verify_cert_cb() retrieved the gnutls session pointer and passed it to
gnutls_certificate_verify_peers3() as the expected hostname. But the
session pointer is set to the osmo_tls_session struct (it is needed by
cert_callback()), not a hostname string. Hostname matching was
therefore performed against raw struct bytes, rendering verification
meaningless and potentially reading out of bounds, even when
"tls verify-cert" was enabled.
Store the configured hostname in struct osmo_tls_session and have
verify_cert_cb() read it from there. Also drop the stray
gnutls_certificate_verify_peers3() call in the client setup: it ran
before any handshake (so there were no peer certificates yet) and its
result was ignored; the real verification happens via the registered
callback during the handshake.
Change-Id: If64950a698bfcfbf556a37ef1be3e68abc124384
AI-Assisted: yes (Claude)
2026-06-23 08:18:07 +0000603c1e44f9e751f6949fa43bc9ac9580235427c2tls: fix broken certificate hostname verificationeditsrc/osmo_tls.ceditinclude/osmo-pcap/osmo_tls.h
githttps://jenkins.osmocom.org/jenkins/user/fixeriaVadim Yanitskiy