Changeset 67101aa in mod_gnutls for src


Ignore:
Timestamp:
Jul 20, 2009, 5:08:39 PM (11 years ago)
Author:
Nokis Mavrogiannopoulos <nmav@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
1d48b0a
Parents:
c05a8bb
git-author:
Nikos Mavrogiannopoulos <nmav@…> (07/20/09 17:08:39)
git-committer:
Nokis Mavrogiannopoulos <nmav@…> (07/20/09 17:08:39)
Message:

Applied patch of jmdesp that allows certificate lists by client.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_hooks.c

    rc05a8bb r67101aa  
    10291029    unsigned int cert_list_size, status, expired;
    10301030    int rv, ret;
     1031    unsigned int ch_size = 0;
    10311032    union {
    1032       gnutls_x509_crt_t x509;
     1033      gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
    10331034      gnutls_openpgp_crt_t pgp;
    10341035    } cert;
     
    10521053    }
    10531054
    1054     if (cert_list_size > 1) {
    1055         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     1055    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
     1056        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
     1057            "GnuTLS: A Chain of %d certificate(s) was provided for validation", cert_list_size);
     1058
     1059        for (ch_size =0; ch_size<cert_list_size; ch_size++) {
     1060            gnutls_x509_crt_init(&cert.x509[ch_size]);
     1061            rv = gnutls_x509_crt_import(cert.x509[ch_size], &cert_list[ch_size], GNUTLS_X509_FMT_DER);
     1062            // When failure to import, leave the loop
     1063            if ( rv != GNUTLS_E_SUCCESS ) {
     1064                if (ch_size < 1) {
     1065                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     1066                            "GnuTLS: Failed to Verify Peer: "
     1067                            "Failed to import peer certificates.");
     1068                    ret = HTTP_FORBIDDEN;
     1069                    goto exit;
     1070                }
     1071                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     1072                        "GnuTLS: Failed to import some peer certificates. Using %d certificates",
     1073                        ch_size);
     1074                rv = GNUTLS_E_SUCCESS;
     1075                break;
     1076            }
     1077        }
     1078    } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) {
     1079        if (cert_list_size > 1) {
     1080            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    10561081                      "GnuTLS: Failed to Verify Peer: "
    10571082                      "Chained Client Certificates are not supported.");
    1058         return HTTP_FORBIDDEN;
    1059     }
    1060 
    1061     if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
    1062         gnutls_x509_crt_init(&cert.x509);
    1063         rv = gnutls_x509_crt_import(cert.x509, &cert_list[0], GNUTLS_X509_FMT_DER);
    1064     } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) {
     1083            return HTTP_FORBIDDEN;
     1084        }
     1085
    10651086        gnutls_openpgp_crt_init(&cert.pgp);
    10661087        rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
     1088
    10671089    } else return HTTP_FORBIDDEN;
    10681090 
     
    10771099    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
    10781100        apr_time_ansi_put(&expiration_time,
    1079                       gnutls_x509_crt_get_expiration_time(cert.x509));
     1101                      gnutls_x509_crt_get_expiration_time(cert.x509[0]));
    10801102        apr_time_ansi_put(&activation_time,
    1081                       gnutls_x509_crt_get_activation_time(cert.x509));
    1082 
    1083         rv = gnutls_x509_crt_verify(cert.x509, ctxt->sc->ca_list,
    1084                                 ctxt->sc->ca_list_size, 0, &status);
     1103                      gnutls_x509_crt_get_activation_time(cert.x509[0]));
     1104
     1105        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
     1106            "GnuTLS: Verifying list of  %d certificate(s)", ch_size);
     1107        rv = gnutls_x509_crt_list_verify(cert.x509, ch_size,
     1108                ctxt->sc->ca_list, ctxt->sc->ca_list_size,
     1109                NULL, 0, 0, &status);
    10851110    } else {
    10861111        apr_time_ansi_put(&expiration_time,
     
    11461171
    11471172    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
    1148         mgs_add_common_cert_vars(r, cert.x509, 1,
     1173        mgs_add_common_cert_vars(r, cert.x509[0], 1,
    11491174                             ctxt->sc->export_certificates_enabled);
    11501175    else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
     
    11731198
    11741199  exit:
    1175     if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
    1176         gnutls_x509_crt_deinit(cert.x509);
    1177     else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
     1200    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
     1201        int i;
     1202        for (i=0; i<ch_size; i++) {
     1203            gnutls_x509_crt_deinit(cert.x509[i]);
     1204        }
     1205    } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
    11781206        gnutls_openpgp_crt_deinit(cert.pgp);
    11791207    return ret;
Note: See TracChangeset for help on using the changeset viewer.