Changeset 65c84e5 in mod_gnutls


Timestamp:
Jul 23, 2019, 2:25:59 AM (16 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
81018a4
Parents:
7cfc02b
Message:

Set certificates via gnutls_certificate_set_retrieve_function3()

The new API allows stapling multiple OCSP responses (to be implemented
later). Requires GnuTLS 3.6.3 or newer.

Files:
3 edited

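--- a/README
+++ b/README
@@ -22,5 +22,5 @@
 -------------
 
- * GnuTLS          >= 3.3 <https://www.gnutls.org/> (3.4 or newer recommended)
+ * GnuTLS          >= 3.6.3 <https://www.gnutls.org/>
  * Apache HTTPD    >= 2.4.17 <https://httpd.apache.org/>
  * autotools, GNU make, & GCC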
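--- a/configure.ac
+++ b/configure.ac
@@ -46,5 +46,5 @@
         ], [])
 
-PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
+PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.6.3])
 
 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls`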
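--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -384,11 +384,11 @@
 
 static int cert_retrieve_fn(gnutls_session_t session,
-                            const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
-                            int nreqs __attribute__((unused)),
-                            const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)),
-                            int pk_algos_length __attribute__((unused)),
+                            const struct gnutls_cert_retr_st *info __attribute__((unused)),
                             gnutls_pcert_st **pcerts,
                             unsigned int *pcert_length,
-                            gnutls_privkey_t *privkey)
+                            gnutls_ocsp_data_st **ocsp,
+                            unsigned int *ocsp_length,
+                            gnutls_privkey_t *privkey,
+                            unsigned int *flags)
 {
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
@@ -407,5 +407,8 @@
         *pcerts = ctxt->sc->certs_x509_chain;
         *pcert_length = ctxt->sc->certs_x509_chain_num;
+        *ocsp = NULL;
+        *ocsp_length = 0;
         *privkey = ctxt->sc->privkey_x509;
+        *flags = 0;
         return 0;
     } else {
@@ -731,18 +734,5 @@
         }
 
-        /* The call after this comment is a workaround for bug in
-         * gnutls_certificate_set_retrieve_function2 that ignores
-         * supported certificate types. Should be fixed in GnuTLS
-         * 3.3.12.
-         *
-         * Details:
-         * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
-         * Workaround from:
-         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
-#if GNUTLS_VERSION_NUMBER < 0x030312
-        gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);
-#endif
-
-        gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
+        gnutls_certificate_set_retrieve_function3(sc->certs, cert_retrieve_fn);
 
         if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&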
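Review bot: The new out-parameters `*ocsp`, `*ocsp_length` and `*flags` are assigned only in the X.509 branch of cert_retrieve_fn; the `else` branch that follows continues outside the hunk, and if any path there returns 0 without setting them, GnuTLS is left with whatever the caller had in those variables, which this hunk cannot confirm is zeroed. The safer shape is to assign defaults once before the branch, `*ocsp = NULL; *ocsp_length = 0; *flags = 0;`, so every success path hands GnuTLS a well-defined "no OCSP, nothing to deinit" answer. A why-comment on `*flags = 0;` would also help the next maintainer, e.g. `/* no GNUTLS_CERT_RETR_DEINIT_ALL: chain, key and OCSP data stay owned by sc */` — presumably that is the intent, since the chain and key are returned straight from `ctxt->sc`. The body of cert_retrieve_fn and the function around the set_retrieve_function3 call both extend beyond the hunk.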