Changeset 2cde8111 in mod_gnutls for include


Ignore:
Timestamp:
Apr 5, 2015, 6:20:59 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, jessie-backports, upstream
Children:
d04f7da
Parents:
351b51f
Message:

Workarounds for OpenPGP key handling

Commit 031acac9c6541034777f8917633164b51f6bd10a 'Use the new (3.1.3+)
GnuTLS APIs to obtain private keys' led to failed handshakes when using
OpenPGP keys for authentication. Debugging revealed two separate issues,
this commit adds workarounds for both.

The first problem was that the supported certificate types for the
session were not set correctly. This is a known bug in
gnutls_certificate_set_retrieve_function2 [1], the workaround comes from
[2]. The bug should be fixed in GnuTLS 3.3.12, hence the version guard.

After this problem was fixed, segfaults occurred during handshake. A
Valgrind trace showed attemts to access memory that had been free'd in
gnutls_privkey_import_openpgp_raw. I could work around the issue by
loading the key into a gnutls_openpgp_privkey_t structure first and then
importing it into the gnutls_privkey_t using
gnutls_privkey_import_openpgp afterwards.

Thank you to Nikos Mavrogiannopoulos for very fast help with debugging!

[1] https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
[2] https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12

File:
1 edited

Legend:

Unmodified
Added
Removed
  • include/mod_gnutls.h.in

    rc4a015b r2cde8111  
    170170        /* OpenPGP Certificate Private Key */
    171171    gnutls_privkey_t privkey_pgp;
     172    /* Internal structure for the OpenPGP private key. DO NOT USE
     173     * outside key loading. */
     174    gnutls_openpgp_privkey_t privkey_pgp_internal;
    172175
    173176    /* Export full certificates to CGI environment: */
Note: See TracChangeset for help on using the changeset viewer.