Changeset 7921dc7 in mod_gnutls
- Timestamp:
- Apr 22, 2018, 1:04:41 PM (3 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- 0470e44
- Parents:
- 2246a84
- git-author:
- Fiona Klute <fiona.klute@…> (04/18/18 04:38:36)
- git-committer:
- Fiona Klute <fiona.klute@…> (04/22/18 13:04:41)
- Files:
-
- 5 deleted
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
include/mod_gnutls.h.in
r2246a84 r7921dc7 33 33 #include <gnutls/gnutls.h> 34 34 #include <gnutls/abstract.h> 35 #include <gnutls/openpgp.h>36 35 #include <gnutls/x509.h> 37 36 … … 123 122 char *x509_key_file; 124 123 char *x509_ca_file; 125 126 char *pgp_cert_file;127 char *pgp_key_file;128 char *pgp_ring_file;129 124 130 125 char *dh_file; … … 179 174 gnutls_privkey_t privkey_x509; 180 175 181 /* OpenPGP Certificate */182 gnutls_pcert_st *cert_pgp;183 gnutls_openpgp_crt_t *cert_crt_pgp;184 185 /* OpenPGP Certificate Private Key */186 gnutls_privkey_t privkey_pgp;187 #if GNUTLS_VERSION_NUMBER < 0x030312188 /* Internal structure for the OpenPGP private key, used in the189 * workaround for a bug in gnutls_privkey_import_openpgp_raw that190 * frees memory that is still needed. DO NOT USE for any other191 * purpose. */192 gnutls_openpgp_privkey_t privkey_pgp_internal;193 #endif194 195 176 /* Export full certificates to CGI environment: */ 196 177 int export_certificates_size; … … 201 182 /* A list of CA Certificates */ 202 183 gnutls_x509_crt_t *ca_list; 203 /* OpenPGP Key Ring */204 gnutls_openpgp_keyring_t pgp_list;205 184 /* CA Certificate list size */ 206 185 unsigned int ca_list_size; … … 413 392 const char *arg); 414 393 415 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,416 const char *arg);417 418 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,419 const char *arg);420 421 394 const char *mgs_set_cache(cmd_parms * parms, void *dummy, 422 395 const char *type, const char* arg); … … 440 413 441 414 const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy, 442 const char *arg);443 444 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,445 415 const char *arg); 446 416 -
src/gnutls_config.c
r2246a84 r7921dc7 142 142 } 143 143 144 if (sc->cert_pgp)145 {146 gnutls_pcert_deinit(&sc->cert_pgp[0]);147 sc->cert_pgp = NULL;148 gnutls_openpgp_crt_deinit(sc->cert_crt_pgp[0]);149 sc->cert_crt_pgp = NULL;150 }151 152 if (sc->privkey_pgp)153 {154 gnutls_privkey_deinit(sc->privkey_pgp);155 sc->privkey_pgp = NULL;156 #if GNUTLS_VERSION_NUMBER < 0x030312157 gnutls_openpgp_privkey_deinit(sc->privkey_pgp_internal);158 sc->privkey_pgp_internal = NULL;159 #endif160 }161 162 if (sc->pgp_list)163 {164 gnutls_openpgp_keyring_deinit(sc->pgp_list);165 sc->pgp_list = NULL;166 }167 168 144 if (sc->priorities) 169 145 { … … 453 429 } 454 430 455 if (sc->pgp_cert_file && sc->cert_pgp == NULL)456 {457 sc->cert_pgp = apr_pcalloc(pconf, sizeof(sc->cert_pgp[0]));458 sc->cert_crt_pgp = apr_pcalloc(pconf, sizeof(sc->cert_crt_pgp[0]));459 460 if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {461 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,462 "GnuTLS: Error Reading " "Certificate '%s'",463 sc->pgp_cert_file);464 ret = -1;465 goto cleanup;466 }467 468 ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);469 if (ret < 0) {470 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,471 "GnuTLS: Failed to Init "472 "PGP Certificate: (%d) %s", ret,473 gnutls_strerror(ret));474 ret = -1;475 goto cleanup;476 }477 478 ret = gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,479 GNUTLS_OPENPGP_FMT_BASE64);480 if (ret < 0) {481 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,482 "GnuTLS: Failed to Import "483 "PGP Certificate: (%d) %s", ret,484 gnutls_strerror(ret));485 ret = -1;486 goto cleanup;487 }488 489 ret = gnutls_pcert_import_openpgp(sc->cert_pgp,490 sc->cert_crt_pgp[0], 0);491 if (ret < 0) {492 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,493 "GnuTLS: Failed to Import "494 "PGP pCertificate: (%d) %s", ret,495 gnutls_strerror(ret));496 ret = -1;497 goto cleanup;498 }499 }500 501 /* Load the PGP key file */502 if (sc->pgp_key_file && sc->privkey_pgp == NULL)503 {504 if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {505 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,506 "GnuTLS: Error Reading " "Private Key '%s'",507 sc->pgp_key_file);508 ret = -1;509 goto cleanup;510 }511 512 ret = gnutls_privkey_init(&sc->privkey_pgp);513 if (ret < 0) {514 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,515 "GnuTLS: Failed to initialize"516 ": (%d) %s", ret, gnutls_strerror(ret));517 ret = -1;518 goto cleanup;519 }520 521 #if GNUTLS_VERSION_NUMBER < 0x030312522 /* GnuTLS versions before 3.3.12 contain a bug in523 * gnutls_privkey_import_openpgp_raw which frees data that is524 * accessed when the key is used, leading to segfault. Loading525 * the key into a gnutls_openpgp_privkey_t and then assigning526 * it to the gnutls_privkey_t works around the bug, hence this527 * chain of gnutls_openpgp_privkey_init,528 * gnutls_openpgp_privkey_import and529 * gnutls_privkey_import_openpgp. */530 ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);531 if (ret != 0) {532 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,533 "GnuTLS: Failed to initialize "534 "PGP Private Key '%s': (%d) %s",535 sc->pgp_key_file, ret, gnutls_strerror(ret));536 ret = -1;537 goto cleanup;538 }539 540 ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,541 GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);542 if (ret != 0) {543 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,544 "GnuTLS: Failed to Import "545 "PGP Private Key '%s': (%d) %s",546 sc->pgp_key_file, ret, gnutls_strerror(ret));547 ret = -1;548 goto cleanup;549 }550 551 ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,552 sc->privkey_pgp_internal, 0);553 if (ret != 0)554 {555 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,556 "GnuTLS: Failed to assign PGP Private Key '%s' "557 "to gnutls_privkey_t structure: (%d) %s",558 sc->pgp_key_file, ret, gnutls_strerror(ret));559 ret = -1;560 goto cleanup;561 }562 #else563 ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,564 GNUTLS_OPENPGP_FMT_BASE64,565 NULL, NULL);566 if (ret != 0)567 {568 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,569 "GnuTLS: Failed to Import "570 "PGP Private Key '%s': (%d) %s",571 sc->pgp_key_file, ret, gnutls_strerror(ret));572 ret = -1;573 goto cleanup;574 }575 #endif576 }577 578 /* Load the keyring file */579 if (sc->pgp_ring_file && sc->pgp_list == NULL)580 {581 if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {582 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,583 "GnuTLS: Error Reading " "Keyring File '%s'",584 sc->pgp_ring_file);585 ret = -1;586 goto cleanup;587 }588 589 ret = gnutls_openpgp_keyring_init(&sc->pgp_list);590 if (ret < 0) {591 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,592 "GnuTLS: Failed to initialize"593 "keyring: (%d) %s", ret, gnutls_strerror(ret));594 ret = -1;595 goto cleanup;596 }597 598 ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,599 GNUTLS_OPENPGP_FMT_BASE64);600 if (ret < 0) {601 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,602 "GnuTLS: Failed to load "603 "Keyring File '%s': (%d) %s", sc->pgp_ring_file,604 ret, gnutls_strerror(ret));605 ret = -1;606 goto cleanup;607 }608 }609 610 431 if (sc->priorities_str && sc->priorities == NULL) 611 432 { … … 711 532 712 533 sc->x509_key_file = apr_pstrdup(parms->pool, arg); 713 714 return NULL;715 }716 717 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)),718 const char *arg)719 {720 mgs_srvconf_rec *sc =721 (mgs_srvconf_rec *) ap_get_module_config(parms->server->722 module_config,723 &gnutls_module);724 725 sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg);726 727 return NULL;728 }729 730 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)),731 const char *arg) {732 mgs_srvconf_rec *sc =733 (mgs_srvconf_rec *) ap_get_module_config(parms->server->734 module_config,735 &gnutls_module);736 737 sc->pgp_key_file = ap_server_root_relative(parms->pool, arg);738 534 739 535 return NULL; … … 923 719 924 720 sc->x509_ca_file = ap_server_root_relative(parms->pool, arg); 925 926 return NULL;927 }928 929 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)),930 const char *arg) {931 mgs_srvconf_rec *sc =932 (mgs_srvconf_rec *) ap_get_module_config(parms->server->933 module_config,934 &gnutls_module);935 936 sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg);937 721 938 722 return NULL; … … 1074 858 sc->pin = NULL; 1075 859 1076 sc->cert_pgp = NULL;1077 sc->cert_crt_pgp = NULL;1078 sc->privkey_pgp = NULL;1079 #if GNUTLS_VERSION_NUMBER < 0x0303121080 sc->privkey_pgp_internal = NULL;1081 #endif1082 sc->pgp_list = NULL;1083 1084 860 sc->priorities_str = NULL; 1085 861 sc->cache_timeout = MGS_TIMEOUT_UNSET; … … 1162 938 gnutls_srvconf_merge(p11_modules, NULL); 1163 939 gnutls_srvconf_merge(pin, NULL); 1164 gnutls_srvconf_merge(pgp_cert_file, NULL);1165 gnutls_srvconf_merge(pgp_key_file, NULL);1166 gnutls_srvconf_merge(pgp_ring_file, NULL);1167 940 gnutls_srvconf_merge(dh_file, NULL); 1168 941 gnutls_srvconf_merge(priorities_str, NULL); … … 1186 959 gnutls_srvconf_assign(ca_list); 1187 960 gnutls_srvconf_assign(ca_list_size); 1188 gnutls_srvconf_assign(cert_pgp);1189 gnutls_srvconf_assign(cert_crt_pgp);1190 gnutls_srvconf_assign(pgp_list);1191 961 gnutls_srvconf_assign(certs); 1192 962 gnutls_srvconf_assign(anon_creds); -
src/gnutls_hooks.c
r2246a84 r7921dc7 55 55 /* use side==0 for server and side==1 for client */ 56 56 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size); 57 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);58 57 static int mgs_status_hook(request_rec *r, int flags); 59 58 #ifdef ENABLE_MSVA … … 352 351 *privkey = ctxt->sc->privkey_x509; 353 352 return 0; 354 } else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {355 // OPENPGP CERTIFICATE356 *pcerts = ctxt->sc->cert_pgp;357 *pcert_length = 1;358 *privkey = ctxt->sc->privkey_pgp;359 return 0;360 353 } else { 361 354 // UNKNOWN CERTIFICATE … … 416 409 } 417 410 } 418 }419 420 return rv;421 }422 423 static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,424 gnutls_openpgp_crt_t cert, char **cert_cn) {425 int rv = 0;426 size_t data_len;427 428 429 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);430 *cert_cn = NULL;431 432 data_len = 0;433 rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);434 435 if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {436 *cert_cn = apr_palloc(p, data_len);437 rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,438 &data_len);439 } else { /* No CN return subject alternative name */440 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,441 "No name found in PGP certificate for '%s:%d'.",442 s->server_hostname, s->port);443 411 } 444 412 … … 732 700 733 701 if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) && 734 sc-> cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {702 sc->enabled == GNUTLS_ENABLED_TRUE) { 735 703 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 736 704 "GnuTLS: Host '%s:%d' is missing a Certificate File!", … … 739 707 } 740 708 if (sc->enabled == GNUTLS_ENABLED_TRUE && 741 ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) || 742 (sc->cert_crt_pgp != NULL && sc->privkey_pgp == NULL))) 709 (sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL)) 743 710 { 744 711 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, … … 748 715 } 749 716 750 /* If OpenPGP support is already disabled in the loaded GnuTLS751 * library startup will fail if the configuration tries to752 * load PGP credentials. Otherwise warn affected users about753 * deprecation. */754 if (sc->pgp_cert_file || sc->pgp_key_file || sc->pgp_ring_file)755 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,756 "Host '%s:%d' is configured to use OpenPGP auth. "757 "OpenPGP support has been deprecated in GnuTLS "758 "since version 3.5.9 and will be removed from "759 "mod_gnutls in a future release.",760 s->server_hostname, s->port);761 762 717 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 763 718 rv = -1; … … 765 720 rv = read_crt_cn(s, pconf, sc->certs_x509_crt_chain[0], &sc->cert_cn); 766 721 } 767 if (rv < 0 && sc->cert_pgp != NULL) {768 rv = read_pgpcrt_cn(s, pconf, sc->cert_crt_pgp[0], &sc->cert_cn);769 }770 722 771 723 if (rv < 0) { … … 1335 1287 1336 1288 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) { 1337 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, ctxt->sc->export_certificates_size); 1338 } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) { 1339 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_crt_pgp[0], 0, ctxt->sc->export_certificates_size); 1289 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, 1290 ctxt->sc->export_certificates_size); 1340 1291 } 1341 1292 … … 1532 1483 1533 1484 1534 /* @param side 0: server, 1: client1535 *1536 * @param export_cert_size (int) maximum size for environment variable1537 * to use for the PEM-encoded certificate (0 means do not export)1538 */1539 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size) {1540 1541 unsigned char sbuf[64]; /* buffer to hold serials */1542 char buf[AP_IOBUFSIZE];1543 const char *tmp;1544 size_t len;1545 int ret;1546 1547 if (r == NULL)1548 return;1549 1550 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);1551 apr_table_t *env = r->subprocess_env;1552 1553 if (export_cert_size > 0) {1554 len = 0;1555 ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len);1556 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {1557 if (len >= export_cert_size) {1558 apr_table_setn(env, MGS_SIDE("_CERT"),1559 "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");1560 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,1561 "GnuTLS: Failed to export too-large OpenPGP certificate to environment");1562 } else {1563 char* cert_buf = apr_palloc(r->pool, len + 1);1564 if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) {1565 cert_buf[len] = 0;1566 apr_table_setn(env, MGS_SIDE("_CERT"), cert_buf);1567 } else {1568 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,1569 "GnuTLS: failed to export OpenPGP certificate");1570 }1571 }1572 } else {1573 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,1574 "GnuTLS: dazed and confused about OpenPGP certificate size");1575 }1576 }1577 1578 len = sizeof (buf);1579 gnutls_openpgp_crt_get_name(cert, 0, buf, &len);1580 apr_table_setn(env, MGS_SIDE("_NAME"), apr_pstrmemdup(r->pool, buf, len));1581 1582 len = sizeof (sbuf);1583 gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);1584 apr_table_setn(env, MGS_SIDE("_FINGERPRINT"),1585 apr_pescape_hex(r->pool, sbuf, len, 0));1586 1587 ret = gnutls_openpgp_crt_get_version(cert);1588 if (ret > 0)1589 apr_table_setn(env, MGS_SIDE("_M_VERSION"),1590 apr_psprintf(r->pool, "%u", ret));1591 1592 apr_table_setn(env, MGS_SIDE("_CERT_TYPE"), "OPENPGP");1593 1594 tmp =1595 mgs_time2sz(gnutls_openpgp_crt_get_expiration_time1596 (cert), buf, sizeof (buf));1597 apr_table_setn(env, MGS_SIDE("_V_END"), apr_pstrdup(r->pool, tmp));1598 1599 tmp =1600 mgs_time2sz(gnutls_openpgp_crt_get_creation_time1601 (cert), buf, sizeof (buf));1602 apr_table_setn(env, MGS_SIDE("_V_START"), apr_pstrdup(r->pool, tmp));1603 1604 ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);1605 if (ret >= 0) {1606 apr_table_setn(env, MGS_SIDE("_A_KEY"), gnutls_pk_algorithm_get_name(ret));1607 }1608 1609 }1610 1485 1611 1486 /* TODO: Allow client sending a X.509 certificate chain */ … … 1619 1494 unsigned int ch_size = 0; 1620 1495 1496 // TODO: union no longer needed here after removing its "pgp" component. 1621 1497 union { 1622 1498 gnutls_x509_crt_t x509[MAX_CHAIN_SIZE]; 1623 gnutls_openpgp_crt_t pgp;1624 1499 } cert; 1625 1500 apr_time_t expiration_time, cur_time; … … 1672 1547 } 1673 1548 } 1674 } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {1675 if (cert_list_size > 1) {1676 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,1677 "GnuTLS: Failed to Verify Peer: "1678 "Chained Client Certificates are not supported.");1679 return HTTP_FORBIDDEN;1680 }1681 1682 gnutls_openpgp_crt_init(&cert.pgp);1683 rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],1684 GNUTLS_OPENPGP_FMT_RAW);1685 1686 1549 } else 1687 1550 return HTTP_FORBIDDEN; … … 1759 1622 1760 1623 } else { 1761 apr_time_ansi_put(&expiration_time, 1762 gnutls_openpgp_crt_get_expiration_time 1763 (cert.pgp)); 1764 1765 switch(ctxt->sc->client_verify_method) { 1766 case mgs_cvm_cartel: 1767 rv = gnutls_openpgp_crt_verify_ring(cert.pgp, 1768 ctxt->sc->pgp_list, 0, 1769 &status); 1770 break; 1771 #ifdef ENABLE_MSVA 1772 case mgs_cvm_msva: 1773 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1774 "GnuTLS: OpenPGP verification via MSVA is not yet implemented"); 1775 rv = GNUTLS_E_UNIMPLEMENTED_FEATURE; 1776 break; 1777 #endif 1778 default: 1779 /* If this block is reached, that indicates a 1780 * configuration error or bug in mod_gnutls (invalid value 1781 * of ctxt->sc->client_verify_method). */ 1782 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1783 "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported", 1784 mgs_readable_cvm(ctxt->sc->client_verify_method)); 1785 rv = GNUTLS_E_UNIMPLEMENTED_FEATURE; 1786 } 1624 /* Unknown certificate type */ 1625 rv = GNUTLS_E_UNIMPLEMENTED_FEATURE; 1787 1626 } 1788 1627 … … 1795 1634 if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND) 1796 1635 ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r, 1797 "GnuTLS: No certificate was found for verification. Did you set the GnuTLS X509CAFile or GnuTLSPGPKeyringFile directives?");1636 "GnuTLS: No certificate was found for verification. Did you set the GnuTLSClientCAFile directive?"); 1798 1637 ret = HTTP_FORBIDDEN; 1799 1638 goto exit; … … 1836 1675 } 1837 1676 1838 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) 1839 mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size); 1840 else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) 1841 mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size); 1677 mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size); 1842 1678 1843 1679 { … … 1867 1703 for (unsigned int i = 0; i < ch_size; i++) 1868 1704 gnutls_x509_crt_deinit(cert.x509[i]); 1869 else if (gnutls_certificate_type_get(ctxt->session) == 1870 GNUTLS_CRT_OPENPGP) 1871 gnutls_openpgp_crt_deinit(cert.pgp); 1705 1872 1706 return ret; 1873 1707 } … … 1928 1762 * certificate, but doesn't tell us (in any other way) who they are 1929 1763 * trying to authenticate as. 1930 1931 * TODO: we might need another parallel for OpenPGP, but for that it's1932 * much simpler: we can just assume that the first User ID marked as1933 * "primary" (or the first User ID, period) is the identity the user1934 * is trying to present as.1935 1764 1936 1765 * one complaint might be "but the user wanted to be another identity, -
src/mod_gnutls.c
r2246a84 r7921dc7 245 245 } 246 246 247 #define OPENPGP_REMOVED "OpenPGP support has been removed." 248 247 249 static const command_rec mgs_config_cmds[] = { 248 250 AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine, … … 278 280 RSRC_CONF, 279 281 "Set the CA File to verify Client Certificates"), 280 AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,281 NULL,282 RSRC_CONF,283 "Set the Keyring File to verify Client Certificates"),284 282 AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file, 285 283 NULL, … … 302 300 RSRC_CONF, 303 301 "TLS Server X509 Private Key file"), 304 AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,305 NULL,306 RSRC_CONF,307 "TLS Server PGP Certificate file"),308 AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,309 NULL,310 RSRC_CONF,311 "TLS Server PGP Private key file"),312 302 #ifdef ENABLE_SRP 313 303 AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, … … 396 386 NULL, RSRC_CONF, 397 387 "Socket timeout for OCSP requests"), 388 AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile", 389 ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED), 390 AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile", 391 ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED), 392 AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile", 393 ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED), 398 394 #ifdef __clang__ 399 395 /* Workaround for this clang bug: -
test/Makefile.am
r2246a84 r7921dc7 36 36 TESTS = $(dist_check_SCRIPTS) 37 37 38 check_PROGRAMS = pgpcrc gnutls_openpgp_support38 check_PROGRAMS = pgpcrc 39 39 pgpcrc_SOURCES = pgpcrc.c 40 gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c41 gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)42 gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)43 40 44 41 # build OCSP database tool … … 53 50 # Identities in the miniature CA, server, and client environment for 54 51 # the test suite 55 shared_identities = server authority client imposter rogueca52 shared_identities = authority client 56 53 pgp_identities = $(shared_identities) 57 x509_only_identities = rogueclient54 x509_only_identities = server rogueca imposter rogueclient 58 55 if ENABLE_OCSP_TEST 59 56 x509_only_identities += ocsp-responder -
test/test-14_basic_openpgp.bash
r2246a84 r7921dc7 1 1 #!/bin/bash 2 ./gnutls_openpgp_support || exit $? 3 ${srcdir}/runtests t-14 2 echo "OpenPGP support has been removed, skipping." 2>&1 3 exit 77 -
test/tests/Makefile.am
r2246a84 r7921dc7 14 14 12_cgi_variables/apache.conf 12_cgi_variables/gnutls-cli.args 12_cgi_variables/input 12_cgi_variables/output \ 15 15 13_cgi_variables_no_client_cert/apache.conf 13_cgi_variables_no_client_cert/gnutls-cli.args 13_cgi_variables_no_client_cert/input 13_cgi_variables_no_client_cert/output \ 16 14_basic_openpgp/apache.conf 14_basic_openpgp/gnutls-cli.args 14_basic_openpgp/input 14_basic_openpgp/output \17 16 15_basic_msva/apache.conf 15_basic_msva/gnutls-cli.args 15_basic_msva/input 15_basic_msva/output \ 18 17 16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input 16_view-status/output \
Note: See TracChangeset
for help on using the changeset viewer.