Changeset 2cde8111 in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Apr 5, 2015, 6:20:59 PM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
d04f7da
Parents:
351b51f
Message:

Workarounds for OpenPGP key handling

Commit 031acac9c6541034777f8917633164b51f6bd10a 'Use the new (3.1.3+)
GnuTLS APIs to obtain private keys' led to failed handshakes when using
OpenPGP keys for authentication. Debugging revealed two separate issues;
this commit adds workarounds for both.

The first problem was that the supported certificate types for the
session were not set correctly. This is a known bug in
gnutls_certificate_set_retrieve_function2 [1]; the workaround comes from
[2]. The bug should be fixed in GnuTLS 3.3.12, hence the version guard.

After this problem was fixed, segfaults occurred during handshake. A
Valgrind trace showed attempts to access memory that had been free'd in
gnutls_privkey_import_openpgp_raw. I could work around the issue by
loading the key into a gnutls_openpgp_privkey_t structure first and then
importing it into the gnutls_privkey_t using
gnutls_privkey_import_openpgp afterwards.

Thank you to Nikos Mavrogiannopoulos for very fast help with debugging!

[1] https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
[2] https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12

File:
1 edited

  • src/gnutls_hooks.c

    r351b51f r2cde8111  
    360360            gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
    361361        }
     362
     363        /* The call after this comment is a workaround for bug in
     364         * gnutls_certificate_set_retrieve_function2 that ignores
     365         * supported certificate types. Should be fixed in GnuTLS
     366         * 3.3.12.
     367         *
     368         * Details:
     369         * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
     370         * Workaround from:
     371         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12
     372         *
     373         * TODO: add appropriate version guards */
     374#if GNUTLS_VERSION_NUMBER < 0x030312
     375        gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);
     376#endif
    362377
    363378        gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
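Review bot: the "TODO: add appropriate version guards" line at the end of the new comment block is stale, because the `#if GNUTLS_VERSION_NUMBER < 0x030312` guard it asks for is already in place directly below it; drop the TODO so the comment matches the code (the guard value 0x030312 is consistent with the "3.3.12" the comment names as the fixed release). Separately, `gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);` deserves a one-line comment stating that `exit` is only a placeholder callback which must never actually be invoked, since the `gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);` call that follows is expected to supersede it; if a GnuTLS version within the guarded range ever did dispatch to the legacy callback, the server process would exit instead of failing the handshake, so the intent should be stated where a future reader will see it.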