Context Navigation

← Previous Change
Next Change →

Changeset 5508683 in mod_gnutls for src

Timestamp:

Jan 11, 2013, 12:58:10 AM (9 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, upstream

Children:

17eb1a1, 9c4a7444

Parents:

Message:

Imported Upstream version 0.5.8

Location:

Files:

: 4 edited

Makefile.in (modified) (1 diff)
gnutls_config.c (modified) (1 diff)
gnutls_hooks.c (modified) (17 diffs)
gnutls_io.c (modified) (7 diffs)

Legend:

: Unmodified
: Added
: Removed

src/Makefile.in

rbbb9bb1	r5508683
1		# Makefile.in generated by automake 1.11 from Makefile.am.
	1	# Makefile.in generated by automake 1.11.1 from Makefile.am.
2	2	# @configure_input@
3	3

src/gnutls_config.c

rbbb9bb1	r5508683
607	607	sc->cache_type = mgs_cache_none;
608	608	sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
	609	sc->tickets = 1; /* by default enable session tickets */
609	610
610	611	sc->client_verify_mode = GNUTLS_CERT_IGNORE;

src/gnutls_hooks.c

-                      rbbb9bb1
+                      r5508683
 const char *mgs_hook_http_scheme(const request_rec * r)
+{
+    mgs_srvconf_rec *sc =
+    mgs_srvconf_rec *sc;
+    if (r == NULL)
+        return NULL;
+    sc =
         (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
                                                  &gnutls_module);
 …
 apr_port_t mgs_hook_default_port(const request_rec * r)
+{
+    mgs_srvconf_rec *sc =
+    mgs_srvconf_rec *sc;
+    if (r == NULL)
+        return 0;
+    sc =
         (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
                                                  &gnutls_module);
 …
 #endif
+    if (session == NULL)
+        return NULL;
     _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     ctxt = gnutls_transport_get_ptr(session);
 …
+{
     mgs_handle_t *ctxt;
+    mgs_srvconf_rec *sc =
+    mgs_srvconf_rec *sc;
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
+    if (c == NULL)
+        return DECLINED;
+    sc =
         (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
                                                  module_config,
                                                  &gnutls_module);
-    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
         return DECLINED;
 …
     int rv = OK;
+    if (r == NULL)
+        return DECLINED;
     _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
 …
         ap_get_module_config(r->connection->conn_config, &gnutls_module);
     if (!ctxt) {
+    if (!ctxt || ctxt->session == NULL) {
         return DECLINED;
+    }
 …
     int rv;
     mgs_handle_t *ctxt;
+    mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
+    mgs_dirconf_rec *dc;
+    if (r == NULL)
+        return DECLINED;
+    dc = ap_get_module_config(r->per_dir_config,
                                                &gnutls_module);
 …
         ap_get_module_config(r->connection->conn_config, &gnutls_module);
     if (!ctxt) {
+    if (!ctxt || ctxt->session == NULL) {
         return DECLINED;
+    }
 …
     size_t len;
     int ret, i;
+    if (r == NULL)
+        return;
     apr_table_t *env = r->subprocess_env;
 …
     size_t len;
     int ret;
+    if (r == NULL)
+        return;
     _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
 …
+{
     const gnutls_datum_t *cert_list;
     unsigned int cert_list_size, status, expired;
+    unsigned int cert_list_size, status;
     int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
 …
       gnutls_openpgp_crt_t pgp;
     } cert;
+    apr_time_t activation_time, expiration_time, cur_time;
+    apr_time_t expiration_time, cur_time;
+    if (r == NULL || ctxt == NULL || ctxt->session == NULL)
+        return HTTP_FORBIDDEN;
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 …
         apr_time_ansi_put(&expiration_time,
                       gnutls_x509_crt_get_expiration_time(cert.x509[0]));
-        apr_time_ansi_put(&activation_time,
-                      gnutls_x509_crt_get_activation_time(cert.x509[0]));
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 …
         apr_time_ansi_put(&expiration_time,
                       gnutls_openpgp_crt_get_expiration_time(cert.pgp));
-        apr_time_ansi_put(&activation_time,
-                      gnutls_openpgp_crt_get_creation_time(cert.pgp));
         rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list,
 …
     /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
-    expired = 0;
     cur_time = apr_time_now();
-    if (activation_time > cur_time) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                      "GnuTLS: Failed to Verify Peer: "
-                      "Peer Certificate is not yet activated.");
-        expired = 1;
+    }
-    if (gnutls_certificate_type_get( ctxt->session) != GNUTLS_CRT_OPENPGP || expiration_time != 0) {
-        if (expiration_time < cur_time) {
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                      "GnuTLS: Failed to Verify Peer: "
-                      "Peer Certificate is expired.");
-            expired = 1;
+        }
+    }
     if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
 …
         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                       "GnuTLS: Peer's Certificate signer is not a CA");
+    }
+    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                      "GnuTLS: Peer's Certificate is using insecure algorithms");
+    }
+    if (status & GNUTLS_CERT_EXPIRED || status & GNUTLS_CERT_NOT_ACTIVATED) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                      "GnuTLS: Peer's Certificate signer is expired or not yet activated");
+    }
 …
+    }
     if (status == 0 && expired == 0) {
+    if (status == 0) {
         apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS");
         ret = OK;

src/gnutls_io.c

-                      rbbb9bb1
+                      r5508683
+        }
+    }
+    if (ctxt->session == NULL) {
+        return APR_EGENERAL;
+    }
     while (1) {
 …
     int maxtries = HANDSHAKE_MAX_TRIES;
     if (ctxt->status != 0) {
+    if (ctxt->status != 0 || ctxt->session == NULL) {
         return -1;
+    }
 …
+{
     int rv;
+    if (ctxt->session == NULL)
+        return -1;
     rv = gnutls_rehandshake(ctxt->session);
 …
             apr_bucket_copy(bucket, &e);
             APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, e);
             if ((status = ap_pass_brigade(f->next, tmpb)) != APR_SUCCESS) {
                 apr_brigade_cleanup(ctxt->output_bb);
 …
             if (len > 0) {
+                do {
+                    ret = gnutls_record_send(ctxt->session, data, len);
+                }
+                while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
+                if (ctxt->session == NULL) {
+                    ret = GNUTLS_E_INVALID_REQUEST;
+                } else {
+                    do {
+                        ret = gnutls_record_send(ctxt->session, data, len);
+                    }
+                    while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
+                }
                 if (ret < 0) {
 …
                 return 0;
             } else {
+                gnutls_transport_set_errno(ctxt->session, EINTR);
+                if (ctxt->session)
+                    gnutls_transport_set_errno(ctxt->session, EINTR);
                 return -1;
+            }
 …
         || APR_STATUS_IS_EINTR(ctxt->input_rc)) {
         if (len == 0) {
+            gnutls_transport_set_errno(ctxt->session, EINTR);
+            if (ctxt->session)
+                gnutls_transport_set_errno(ctxt->session, EINTR);
             return -1;
+        }

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: