Changeset 5c0d491 in mod_gnutls for src/gnutls_hooks.c
- Timestamp:
- Nov 16, 2013, 2:46:50 AM (9 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream
- Children:
- 140d237
- Parents:
- 07889ab
- git-author:
- Daniel Kahn Gillmor <dkg@…> (01/30/13 06:33:35)
- git-committer:
- Daniel Kahn Gillmor <dkg@…> (11/16/13 02:46:50)
- File:
-
- 1 edited
src/gnutls_hooks.c
r07889ab r5c0d491 1182 1182 1183 1183 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 1184 "GnuTLS: Verifying list of %d certificate(s)", 1185 ch_size); 1186 rv = gnutls_x509_crt_list_verify(cert.x509, ch_size, 1187 ctxt->sc->ca_list, 1188 ctxt->sc->ca_list_size, 1189 NULL, 0, 0, &status); 1184 "GnuTLS: Verifying list of %d certificate(s) via method '%s'", 1185 ch_size, mgs_readable_cvm(ctxt->sc->client_verify_method)); 1186 switch(ctxt->sc->client_verify_method) { 1187 case mgs_cvm_cartel: 1188 rv = gnutls_x509_crt_list_verify(cert.x509, ch_size, 1189 ctxt->sc->ca_list, 1190 ctxt->sc->ca_list_size, 1191 NULL, 0, 0, &status); 1192 break; 1193 #ifdef ENABLE_MSVA 1194 case mgs_cvm_msva: 1195 { 1196 struct msv_response resp; 1197 char cert_pem_buf[10 * 1024]; 1198 size_t len = sizeof (cert_pem_buf); 1199 1200 rv = 0; 1201 if (gnutls_x509_crt_export(cert.x509[0], GNUTLS_X509_FMT_PEM, cert_pem_buf, &len) >= 0) { 1202 char cert_pem_buf2[10*1024]; 1203 char* tokstate; 1204 char* ptr = cert_pem_buf; 1205 char* outptr = cert_pem_buf2; 1206 /* convert PEM to JSON-friendly string by escaping all newlines 1207 (this should really be done within libmsv) */ 1208 ptr = apr_strtok(ptr, "\n", &tokstate); 1209 do { 1210 outptr = apr_cpystrn(outptr, ptr, (cert_pem_buf2 + sizeof(cert_pem_buf2) - outptr)); 1211 outptr = apr_cpystrn(outptr, "\\n", (cert_pem_buf2 + sizeof(cert_pem_buf2) - outptr)); 1212 ptr = apr_strtok(NULL, "\n", &tokstate); 1213 } while (ptr); 1214 1215 /* FIXME : put together a name from the cert we received, instead of hard-coding this value: */ 1216 rv = msv_query_agent(NULL, "https", "client", "Test User <test0@modgnutls.test>", "x509pem", cert_pem_buf2, &resp); 1217 if (rv == LIBMSV_ERROR_SUCCESS) { 1218 status = 0; 1219 } else if (rv == LIBMSV_ERROR_INVALID) { 1220 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 1221 "GnuTLS: Monkeysphere validation failed: (message: %s)", resp.message); 1222 status = GNUTLS_CERT_INVALID; 1223 } else { 1224 ap_log_rerror(APLOG_MARK, 
APLOG_DEBUG, 0, r, 1225 "GnuTLS: Error communicating with the Monkeysphere Validation Agent: (%d) %s", rv, msv_strerror(rv)); 1226 status = GNUTLS_CERT_INVALID; 1227 rv = -1; 1228 } 1229 } else { 1230 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1231 "GnuTLS: Could not convert the client certificate to PEM format"); 1232 status = GNUTLS_CERT_INVALID; 1233 rv = GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; 1234 } 1235 } 1236 break; 1237 #endif 1238 default: 1239 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1240 "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported", 1241 mgs_readable_cvm(ctxt->sc->client_verify_method)); 1242 } 1243 1190 1244 } else { 1191 1245 apr_time_ansi_put(&expiration_time, … … 1193 1247 (cert.pgp)); 1194 1248 1195 rv = gnutls_openpgp_crt_verify_ring(cert.pgp, 1196 ctxt->sc->pgp_list, 0, 1197 &status); 1249 switch(ctxt->sc->client_verify_method) { 1250 case mgs_cvm_cartel: 1251 rv = gnutls_openpgp_crt_verify_ring(cert.pgp, 1252 ctxt->sc->pgp_list, 0, 1253 &status); 1254 break; 1255 #ifdef ENABLE_MSVA 1256 case mgs_cvm_msva: 1257 /* need to set status and rv */ 1258 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1259 "GnuTLS: OpenPGP verification via MSVA is not yet implemented"); 1260 rv = GNUTLS_E_UNIMPLEMENTED_FEATURE; 1261 break; 1262 #endif 1263 default: 1264 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1265 "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported", 1266 mgs_readable_cvm(ctxt->sc->client_verify_method)); 1267 } 1198 1268 } 1199 1269
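Review bot: Both new `default:` arms (X.509 and OpenPGP) only log at INFO and leave `rv` and `status` untouched, so whether an unsupported `client_verify_method` rejects the peer depends on whatever those two variables held before the switch, which is outside this hunk; a verification path should fail closed explicitly rather than rely on earlier initialisation. Add `rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;` and `status = GNUTLS_CERT_INVALID;` to each default arm, and set `status = GNUTLS_CERT_INVALID;` in the OpenPGP `mgs_cvm_msva` arm as well, whose own comment says status still needs setting. Separately, the newline-escaping loop into `cert_pem_buf2` grows the text by one byte per PEM line and `apr_cpystrn` truncates silently once the 10 KiB buffer fills, so a truncated certificate would be handed to the agent with no log line; checking that `outptr` never reached `cert_pem_buf2 + sizeof(cert_pem_buf2) - 1` and logging otherwise would make that failure visible. The hard-coded `"Test User <test0@modgnutls.test>"` identity is already marked FIXME, but until it is replaced any certificate the agent deems valid for that test identity is accepted as the client. The enclosing function begins and ends outside the hunk.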