- Timestamp:
- Jul 20, 2009, 5:08:39 PM (14 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream
- Children:
- 1d48b0a
- Parents:
- c05a8bb
- git-author:
- Nikos Mavrogiannopoulos <nmav@…> (07/20/09 17:08:39)
- git-committer:
- Nokis Mavrogiannopoulos <nmav@…> (07/20/09 17:08:39)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
src/gnutls_hooks.c
rc05a8bb r67101aa 1029 1029 unsigned int cert_list_size, status, expired; 1030 1030 int rv, ret; 1031 unsigned int ch_size = 0; 1031 1032 union { 1032 gnutls_x509_crt_t x509 ;1033 gnutls_x509_crt_t x509[MAX_CHAIN_SIZE]; 1033 1034 gnutls_openpgp_crt_t pgp; 1034 1035 } cert; … … 1052 1053 } 1053 1054 1054 if (cert_list_size > 1) { 1055 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1055 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) { 1056 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 1057 "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size); 1058 1059 for (ch_size =0; ch_size<cert_list_size; ch_size++) { 1060 gnutls_x509_crt_init(&cert.x509[ch_size]); 1061 rv = gnutls_x509_crt_import(cert.x509[ch_size], &cert_list[ch_size], GNUTLS_X509_FMT_DER); 1062 // When failure to import, leave the loop 1063 if ( rv != GNUTLS_E_SUCCESS ) { 1064 if (ch_size < 1) { 1065 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1066 "GnuTLS: Failed to Verify Peer: " 1067 "Failed to import peer certificates."); 1068 ret = HTTP_FORBIDDEN; 1069 goto exit; 1070 } 1071 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1072 "GnuTLS: Failed to import some peer certificates. Using %d certificates", 1073 ch_size); 1074 rv = GNUTLS_E_SUCCESS; 1075 break; 1076 } 1077 } 1078 } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) { 1079 if (cert_list_size > 1) { 1080 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1056 1081 "GnuTLS: Failed to Verify Peer: " 1057 1082 "Chained Client Certificates are not supported."); 1058 return HTTP_FORBIDDEN; 1059 } 1060 1061 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) { 1062 gnutls_x509_crt_init(&cert.x509); 1063 rv = gnutls_x509_crt_import(cert.x509, &cert_list[0], GNUTLS_X509_FMT_DER); 1064 } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) { 1083 return HTTP_FORBIDDEN; 1084 } 1085 1065 1086 gnutls_openpgp_crt_init(&cert.pgp); 1066 1087 rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); 1088 1067 1089 } else return HTTP_FORBIDDEN; 1068 1090 … … 1077 1099 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) { 1078 1100 apr_time_ansi_put(&expiration_time, 1079 gnutls_x509_crt_get_expiration_time(cert.x509 ));1101 gnutls_x509_crt_get_expiration_time(cert.x509[0])); 1080 1102 apr_time_ansi_put(&activation_time, 1081 gnutls_x509_crt_get_activation_time(cert.x509)); 1082 1083 rv = gnutls_x509_crt_verify(cert.x509, ctxt->sc->ca_list, 1084 ctxt->sc->ca_list_size, 0, &status); 1103 gnutls_x509_crt_get_activation_time(cert.x509[0])); 1104 1105 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 1106 "GnuTLS: Verifying list of %d certificate(s)", ch_size); 1107 rv = gnutls_x509_crt_list_verify(cert.x509, ch_size, 1108 ctxt->sc->ca_list, ctxt->sc->ca_list_size, 1109 NULL, 0, 0, &status); 1085 1110 } else { 1086 1111 apr_time_ansi_put(&expiration_time, … … 1146 1171 1147 1172 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) 1148 mgs_add_common_cert_vars(r, cert.x509 , 1,1173 mgs_add_common_cert_vars(r, cert.x509[0], 1, 1149 1174 ctxt->sc->export_certificates_enabled); 1150 1175 else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) … … 1173 1198 1174 1199 exit: 1175 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) 1176 gnutls_x509_crt_deinit(cert.x509); 1177 else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) 1200 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) { 1201 int i; 1202 for (i=0; i<ch_size; i++) { 1203 gnutls_x509_crt_deinit(cert.x509[i]); 1204 } 1205 } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) 1178 1206 gnutls_openpgp_crt_deinit(cert.pgp); 1179 1207 return ret;
Note: See TracChangeset
for help on using the changeset viewer.