source: mod_gnutls/debian/patches/fix-tls-client-auth.patch @ 2db6923

Last change on this file since 2db6923 was 2db6923, checked in by Daniel Kahn Gillmor <dkg@…>, 8 years ago

refresh patches with gbp pq

  • Property mode set to 100644
File size: 2.0 KB
  • src/gnutls_hooks.c

    From: Thomas Klute <thomas2.klute@uni-dortmund.de>
    Date: Thu, 5 Feb 2015 14:48:45 +0100
    Subject: TLS Client auth: Check server verify mode if unset for dir
    
    The authentication hook (mgs_hook_authz) failed to consider the server's
    client verify mode, even if the verify mode was unset in the directory
    configuration. As a result, invalid certificates were ignored and
    clients could connect and receive data as long as they presented any
    certificate whatsoever. Logs showed that authorization was granted
    despite the certificate being invalid (timestamps removed for
    readability):
    
    [:debug] [pid 10806:tid 140242057148160] gnutls_hooks.c(1198): [client ::1:40992] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
    [:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Could not find Signer for Peer Certificate
    [:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Peer Certificate is invalid.
    [authz_core:debug] [pid 10806:tid 140242057148160] mod_authz_core.c(835): [client ::1:40992] AH01628: authorization result: granted (no directives)
    
    This commit adds a check for undefined verify mode in the directory
    configuration and applies the server wide configuration in that case.
    ---
     src/gnutls_hooks.c | 9 ++++++---
     1 file changed, 6 insertions(+), 3 deletions(-)
    
    diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
    index 1c2e094..e6e7a67 100644
    a b int mgs_hook_authz(request_rec * r) { 
    871871            return DECLINED;
    872872        }
    873873        rv = mgs_cert_verify(r, ctxt);
    874         if (rv != DECLINED &&
    875                 (rv != HTTP_FORBIDDEN ||
    876                 dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
     874        if (rv != DECLINED
     875            && (rv != HTTP_FORBIDDEN
     876                || dc->client_verify_mode == GNUTLS_CERT_REQUIRE
     877                || (dc->client_verify_mode == -1
     878                    && ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)))
     879        {
    877880            return rv;
    878881        }
    879882    }
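Review bot: the directory-to-server fallback is spelled out inline as `dc->client_verify_mode == -1 && ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE`, which buries both the "unset" sentinel (a bare -1) and the precedence rule inside a four-clause condition. Consider resolving the effective mode once before the test, e.g. `int verify_mode = (dc->client_verify_mode == -1) ? ctxt->sc->client_verify_mode : dc->client_verify_mode;` and then checking `rv != HTTP_FORBIDDEN || verify_mode == GNUTLS_CERT_REQUIRE`; that is equivalent to the new condition, keeps the sentinel in one place (preferably behind a named constant), and gives any other comparison against `dc->client_verify_mode` an obvious helper to reuse so the same unset-mode gap is not reintroduced elsewhere. One behavioural note worth a comment or a line in the message: with the directory mode unset and the server mode GNUTLS_CERT_REQUEST, HTTP_FORBIDDEN from mgs_cert_verify() is still swallowed, which matches how a directory-level GNUTLS_CERT_REQUEST was already treated but is now what an administrator will infer from the server-wide setting.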
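The authorization decision the commit message describes, modelled as an added example that is not mod_gnutls code: it puts the pre-patch condition beside the patched one so the failure in the quoted logs (verification fails with HTTP_FORBIDDEN, the directory has no verify mode set, the server requires a certificate, and the request is still not denied) can be checked directly. The numeric values of the Apache and GnuTLS constants, the -1 "unset" sentinel, and the assumption that falling out of the `if` leaves the hook returning DECLINED are all assumptions of this stand-alone model; the patched function resolves the effective mode once, which is equivalent to the hunk's four-clause condition.

```c
#include <stdio.h>

/* Assumed values mirroring Apache httpd.h return codes (model only). */
#define DECLINED        (-1)
#define OK              0
#define HTTP_FORBIDDEN  403

/* Assumed values mirroring gnutls_certificate_request_t (model only). */
#define GNUTLS_CERT_IGNORE   0
#define GNUTLS_CERT_REQUEST  1
#define GNUTLS_CERT_REQUIRE  2

/* The patch uses a bare -1 for "verify mode not set in this directory". */
#define VERIFY_MODE_UNSET    (-1)

/* Pre-patch logic: only the directory-level mode decides whether a failed
 * verification (HTTP_FORBIDDEN from mgs_cert_verify) is propagated.
 * Falling through is modelled as DECLINED, i.e. this hook does not deny. */
int authz_before(int rv, int dir_mode, int srv_mode)
{
    (void)srv_mode; /* never consulted before the fix */
    if (rv != DECLINED &&
        (rv != HTTP_FORBIDDEN || dir_mode == GNUTLS_CERT_REQUIRE))
        return rv;
    return DECLINED;
}

/* Resolve the mode that actually applies: directory setting if present,
 * otherwise the server-wide setting. */
int effective_verify_mode(int dir_mode, int srv_mode)
{
    return dir_mode == VERIFY_MODE_UNSET ? srv_mode : dir_mode;
}

/* Patched logic, written with the effective mode hoisted out of the
 * condition. Equivalent to the hunk's
 *   dir == REQUIRE || (dir == -1 && srv == REQUIRE)
 * because GNUTLS_CERT_REQUIRE can never equal the -1 sentinel. */
int authz_after(int rv, int dir_mode, int srv_mode)
{
    int verify_mode = effective_verify_mode(dir_mode, srv_mode);
    if (rv != DECLINED &&
        (rv != HTTP_FORBIDDEN || verify_mode == GNUTLS_CERT_REQUIRE))
        return rv;
    return DECLINED;
}

static const char *name(int rv)
{
    return rv == HTTP_FORBIDDEN ? "HTTP_FORBIDDEN"
         : rv == OK             ? "OK"
         :                        "DECLINED";
}

int main(void)
{
    /* Constructed scenario from the commit message's logs: the peer
     * certificate is invalid, the directory leaves the verify mode unset,
     * and the server-wide mode is GNUTLS_CERT_REQUIRE. */
    int rv = HTTP_FORBIDDEN;
    printf("before fix: %s\n", name(authz_before(rv, VERIFY_MODE_UNSET, GNUTLS_CERT_REQUIRE)));
    printf("after fix:  %s\n", name(authz_after(rv, VERIFY_MODE_UNSET, GNUTLS_CERT_REQUIRE)));
    return 0;
}
```

Running the model prints `DECLINED` for the pre-patch condition (the failed verification is swallowed and authz_core goes on to grant with no directives) and `HTTP_FORBIDDEN` for the patched one; a server-wide GNUTLS_CERT_REQUEST still tolerates a failed verification in both versions, which is the case the review note above calls out.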