Changeset 7921dc7 in mod_gnutls


Ignore:
Timestamp:
Apr 22, 2018, 1:04:41 PM (3 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
0470e44
Parents:
2246a84
git-author:
Fiona Klute <fiona.klute@…> (04/18/18 04:38:36)
git-committer:
Fiona Klute <fiona.klute@…> (04/22/18 13:04:41)
Message:

Remove OpenPGP authentication

OpenPGP authentication was removed from GnuTLS a while ago, follow suit.

Files:
5 deleted
7 edited

Legend:

Unmodified
Added
Removed
  • include/mod_gnutls.h.in

    r2246a84 r7921dc7  
    3333#include <gnutls/gnutls.h>
    3434#include <gnutls/abstract.h>
    35 #include <gnutls/openpgp.h>
    3635#include <gnutls/x509.h>
    3736
     
    123122    char *x509_key_file;
    124123    char *x509_ca_file;
    125 
    126     char *pgp_cert_file;
    127     char *pgp_key_file;
    128     char *pgp_ring_file;
    129124
    130125    char *dh_file;
     
    179174    gnutls_privkey_t privkey_x509;
    180175
    181         /* OpenPGP Certificate */
    182     gnutls_pcert_st *cert_pgp;
    183     gnutls_openpgp_crt_t *cert_crt_pgp;
    184 
    185         /* OpenPGP Certificate Private Key */
    186     gnutls_privkey_t privkey_pgp;
    187 #if GNUTLS_VERSION_NUMBER < 0x030312
    188     /* Internal structure for the OpenPGP private key, used in the
    189      * workaround for a bug in gnutls_privkey_import_openpgp_raw that
    190      * frees memory that is still needed. DO NOT USE for any other
    191      * purpose. */
    192     gnutls_openpgp_privkey_t privkey_pgp_internal;
    193 #endif
    194 
    195176    /* Export full certificates to CGI environment: */
    196177    int export_certificates_size;
     
    201182        /* A list of CA Certificates */
    202183    gnutls_x509_crt_t *ca_list;
    203         /* OpenPGP Key Ring */
    204     gnutls_openpgp_keyring_t pgp_list;
    205184        /* CA Certificate list size */
    206185    unsigned int ca_list_size;
     
    413392                             const char *arg);
    414393
    415 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
    416                                         const char *arg);
    417 
    418 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
    419                              const char *arg);
    420 
    421394const char *mgs_set_cache(cmd_parms * parms, void *dummy,
    422395                          const char *type, const char* arg);
     
    440413
    441414const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
    442                                    const char *arg);
    443 
    444 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
    445415                                   const char *arg);
    446416
  • src/gnutls_config.c

    r2246a84 r7921dc7  
    142142    }
    143143
    144     if (sc->cert_pgp)
    145     {
    146         gnutls_pcert_deinit(&sc->cert_pgp[0]);
    147         sc->cert_pgp = NULL;
    148         gnutls_openpgp_crt_deinit(sc->cert_crt_pgp[0]);
    149         sc->cert_crt_pgp = NULL;
    150     }
    151 
    152     if (sc->privkey_pgp)
    153     {
    154         gnutls_privkey_deinit(sc->privkey_pgp);
    155         sc->privkey_pgp = NULL;
    156 #if GNUTLS_VERSION_NUMBER < 0x030312
    157         gnutls_openpgp_privkey_deinit(sc->privkey_pgp_internal);
    158         sc->privkey_pgp_internal = NULL;
    159 #endif
    160     }
    161 
    162     if (sc->pgp_list)
    163     {
    164         gnutls_openpgp_keyring_deinit(sc->pgp_list);
    165         sc->pgp_list = NULL;
    166     }
    167 
    168144    if (sc->priorities)
    169145    {
     
    453429    }
    454430
    455     if (sc->pgp_cert_file && sc->cert_pgp == NULL)
    456     {
    457         sc->cert_pgp = apr_pcalloc(pconf, sizeof(sc->cert_pgp[0]));
    458         sc->cert_crt_pgp = apr_pcalloc(pconf, sizeof(sc->cert_crt_pgp[0]));
    459 
    460         if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
    461             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    462                          "GnuTLS: Error Reading " "Certificate '%s'",
    463                          sc->pgp_cert_file);
    464             ret = -1;
    465             goto cleanup;
    466         }
    467 
    468         ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
    469         if (ret < 0) {
    470             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    471                          "GnuTLS: Failed to Init "
    472                          "PGP Certificate: (%d) %s", ret,
    473                          gnutls_strerror(ret));
    474             ret = -1;
    475             goto cleanup;
    476         }
    477 
    478         ret = gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
    479                                         GNUTLS_OPENPGP_FMT_BASE64);
    480         if (ret < 0) {
    481             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    482                          "GnuTLS: Failed to Import "
    483                          "PGP Certificate: (%d) %s", ret,
    484                          gnutls_strerror(ret));
    485             ret = -1;
    486             goto cleanup;
    487         }
    488 
    489         ret = gnutls_pcert_import_openpgp(sc->cert_pgp,
    490                                           sc->cert_crt_pgp[0], 0);
    491         if (ret < 0) {
    492             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    493                          "GnuTLS: Failed to Import "
    494                          "PGP pCertificate: (%d) %s", ret,
    495                          gnutls_strerror(ret));
    496             ret = -1;
    497             goto cleanup;
    498         }
    499     }
    500 
    501     /* Load the PGP key file */
    502     if (sc->pgp_key_file && sc->privkey_pgp == NULL)
    503     {
    504         if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
    505             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    506                          "GnuTLS: Error Reading " "Private Key '%s'",
    507                          sc->pgp_key_file);
    508             ret = -1;
    509             goto cleanup;
    510         }
    511 
    512         ret = gnutls_privkey_init(&sc->privkey_pgp);
    513         if (ret < 0) {
    514             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    515                          "GnuTLS: Failed to initialize"
    516                          ": (%d) %s", ret, gnutls_strerror(ret));
    517             ret = -1;
    518             goto cleanup;
    519         }
    520 
    521 #if GNUTLS_VERSION_NUMBER < 0x030312
    522         /* GnuTLS versions before 3.3.12 contain a bug in
    523          * gnutls_privkey_import_openpgp_raw which frees data that is
    524          * accessed when the key is used, leading to segfault. Loading
    525          * the key into a gnutls_openpgp_privkey_t and then assigning
    526          * it to the gnutls_privkey_t works around the bug, hence this
    527          * chain of gnutls_openpgp_privkey_init,
    528          * gnutls_openpgp_privkey_import and
    529          * gnutls_privkey_import_openpgp. */
    530         ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
    531         if (ret != 0) {
    532             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    533                          "GnuTLS: Failed to initialize "
    534                          "PGP Private Key '%s': (%d) %s",
    535                          sc->pgp_key_file, ret, gnutls_strerror(ret));
    536             ret = -1;
    537             goto cleanup;
    538         }
    539 
    540         ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,
    541                                             GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
    542         if (ret != 0) {
    543             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    544                          "GnuTLS: Failed to Import "
    545                          "PGP Private Key '%s': (%d) %s",
    546                          sc->pgp_key_file, ret, gnutls_strerror(ret));
    547             ret = -1;
    548             goto cleanup;
    549         }
    550 
    551         ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,
    552                                             sc->privkey_pgp_internal, 0);
    553         if (ret != 0)
    554         {
    555             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    556                          "GnuTLS: Failed to assign PGP Private Key '%s' "
    557                          "to gnutls_privkey_t structure: (%d) %s",
    558                          sc->pgp_key_file, ret, gnutls_strerror(ret));
    559             ret = -1;
    560             goto cleanup;
    561         }
    562 #else
    563         ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
    564                                                 GNUTLS_OPENPGP_FMT_BASE64,
    565                                                 NULL, NULL);
    566         if (ret != 0)
    567         {
    568             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    569                          "GnuTLS: Failed to Import "
    570                          "PGP Private Key '%s': (%d) %s",
    571                          sc->pgp_key_file, ret, gnutls_strerror(ret));
    572             ret = -1;
    573             goto cleanup;
    574         }
    575 #endif
    576     }
    577 
    578     /* Load the keyring file */
    579     if (sc->pgp_ring_file && sc->pgp_list == NULL)
    580     {
    581         if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
    582             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    583                          "GnuTLS: Error Reading " "Keyring File '%s'",
    584                          sc->pgp_ring_file);
    585             ret = -1;
    586             goto cleanup;
    587         }
    588 
    589         ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
    590         if (ret < 0) {
    591             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    592                          "GnuTLS: Failed to initialize"
    593                          "keyring: (%d) %s", ret, gnutls_strerror(ret));
    594             ret = -1;
    595             goto cleanup;
    596         }
    597 
    598         ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
    599                                             GNUTLS_OPENPGP_FMT_BASE64);
    600         if (ret < 0) {
    601             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    602                          "GnuTLS: Failed to load "
    603                          "Keyring File '%s': (%d) %s", sc->pgp_ring_file,
    604                          ret, gnutls_strerror(ret));
    605             ret = -1;
    606             goto cleanup;
    607         }
    608     }
    609 
    610431    if (sc->priorities_str && sc->priorities == NULL)
    611432    {
     
    711532
    712533    sc->x509_key_file = apr_pstrdup(parms->pool, arg);
    713 
    714     return NULL;
    715 }
    716 
    717 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)),
    718         const char *arg)
    719 {
    720     mgs_srvconf_rec *sc =
    721         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    722                                                  module_config,
    723                                                  &gnutls_module);
    724 
    725     sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg);
    726 
    727     return NULL;
    728 }
    729 
    730 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)),
    731         const char *arg) {
    732     mgs_srvconf_rec *sc =
    733         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    734                                                  module_config,
    735                                                  &gnutls_module);
    736 
    737     sc->pgp_key_file = ap_server_root_relative(parms->pool, arg);
    738534
    739535    return NULL;
     
    923719
    924720    sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
    925 
    926     return NULL;
    927 }
    928 
    929 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)),
    930         const char *arg) {
    931     mgs_srvconf_rec *sc =
    932         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    933                                                  module_config,
    934                                                  &gnutls_module);
    935 
    936     sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg);
    937721
    938722    return NULL;
     
    1074858    sc->pin = NULL;
    1075859
    1076     sc->cert_pgp = NULL;
    1077     sc->cert_crt_pgp = NULL;
    1078     sc->privkey_pgp = NULL;
    1079 #if GNUTLS_VERSION_NUMBER < 0x030312
    1080     sc->privkey_pgp_internal = NULL;
    1081 #endif
    1082     sc->pgp_list = NULL;
    1083 
    1084860    sc->priorities_str = NULL;
    1085861    sc->cache_timeout = MGS_TIMEOUT_UNSET;
     
    1162938    gnutls_srvconf_merge(p11_modules, NULL);
    1163939    gnutls_srvconf_merge(pin, NULL);
    1164     gnutls_srvconf_merge(pgp_cert_file, NULL);
    1165     gnutls_srvconf_merge(pgp_key_file, NULL);
    1166     gnutls_srvconf_merge(pgp_ring_file, NULL);
    1167940    gnutls_srvconf_merge(dh_file, NULL);
    1168941    gnutls_srvconf_merge(priorities_str, NULL);
     
    1186959    gnutls_srvconf_assign(ca_list);
    1187960    gnutls_srvconf_assign(ca_list_size);
    1188     gnutls_srvconf_assign(cert_pgp);
    1189     gnutls_srvconf_assign(cert_crt_pgp);
    1190     gnutls_srvconf_assign(pgp_list);
    1191961    gnutls_srvconf_assign(certs);
    1192962    gnutls_srvconf_assign(anon_creds);
  • src/gnutls_hooks.c

    r2246a84 r7921dc7  
    5555/* use side==0 for server and side==1 for client */
    5656static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, size_t export_cert_size);
    57 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size);
    5857static int mgs_status_hook(request_rec *r, int flags);
    5958#ifdef ENABLE_MSVA
     
    352351        *privkey = ctxt->sc->privkey_x509;
    353352        return 0;
    354     } else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) {
    355                 // OPENPGP CERTIFICATE
    356         *pcerts = ctxt->sc->cert_pgp;
    357         *pcert_length = 1;
    358         *privkey = ctxt->sc->privkey_pgp;
    359         return 0;
    360353    } else {
    361354                // UNKNOWN CERTIFICATE
     
    416409            }
    417410        }
    418     }
    419 
    420     return rv;
    421 }
    422 
    423 static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
    424         gnutls_openpgp_crt_t cert, char **cert_cn) {
    425     int rv = 0;
    426     size_t data_len;
    427 
    428 
    429     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    430     *cert_cn = NULL;
    431 
    432     data_len = 0;
    433     rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
    434 
    435     if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
    436         *cert_cn = apr_palloc(p, data_len);
    437         rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn,
    438                 &data_len);
    439     } else { /* No CN return subject alternative name */
    440         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
    441                 "No name found in PGP certificate for '%s:%d'.",
    442                 s->server_hostname, s->port);
    443411    }
    444412
     
    732700
    733701        if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
    734             sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
     702            sc->enabled == GNUTLS_ENABLED_TRUE) {
    735703                        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    736704                                                "GnuTLS: Host '%s:%d' is missing a Certificate File!",
     
    739707        }
    740708        if (sc->enabled == GNUTLS_ENABLED_TRUE &&
    741             ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
    742              (sc->cert_crt_pgp != NULL && sc->privkey_pgp == NULL)))
     709            (sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL))
    743710        {
    744711                        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     
    748715        }
    749716
    750         /* If OpenPGP support is already disabled in the loaded GnuTLS
    751          * library startup will fail if the configuration tries to
    752          * load PGP credentials. Otherwise warn affected users about
    753          * deprecation. */
    754         if (sc->pgp_cert_file || sc->pgp_key_file || sc->pgp_ring_file)
    755             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
    756                          "Host '%s:%d' is configured to use OpenPGP auth. "
    757                          "OpenPGP support has been deprecated in GnuTLS "
    758                          "since version 3.5.9 and will be removed from "
    759                          "mod_gnutls in a future release.",
    760                          s->server_hostname, s->port);
    761 
    762717        if (sc->enabled == GNUTLS_ENABLED_TRUE) {
    763718            rv = -1;
     
    765720                rv = read_crt_cn(s, pconf, sc->certs_x509_crt_chain[0], &sc->cert_cn);
    766721            }
    767             if (rv < 0 && sc->cert_pgp != NULL) {
    768                 rv = read_pgpcrt_cn(s, pconf, sc->cert_crt_pgp[0], &sc->cert_cn);
    769                         }
    770722
    771723            if (rv < 0) {
     
    13351287
    13361288    if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
    1337         mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, ctxt->sc->export_certificates_size);
    1338     } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
    1339         mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_crt_pgp[0], 0, ctxt->sc->export_certificates_size);
     1289        mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0,
     1290                                 ctxt->sc->export_certificates_size);
    13401291    }
    13411292
     
    15321483
    15331484
    1534 /* @param side 0: server, 1: client
    1535  *
    1536  * @param export_cert_size (int) maximum size for environment variable
    1537  * to use for the PEM-encoded certificate (0 means do not export)
    1538  */
    1539 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, size_t export_cert_size) {
    1540 
    1541         unsigned char sbuf[64]; /* buffer to hold serials */
    1542     char buf[AP_IOBUFSIZE];
    1543     const char *tmp;
    1544     size_t len;
    1545     int ret;
    1546 
    1547     if (r == NULL)
    1548         return;
    1549 
    1550     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    1551     apr_table_t *env = r->subprocess_env;
    1552 
    1553     if (export_cert_size > 0) {
    1554         len = 0;
    1555         ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len);
    1556         if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
    1557             if (len >= export_cert_size) {
    1558                 apr_table_setn(env, MGS_SIDE("_CERT"),
    1559                                "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
    1560                 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    1561                               "GnuTLS: Failed to export too-large OpenPGP certificate to environment");
    1562             } else {
    1563                 char* cert_buf = apr_palloc(r->pool, len + 1);
    1564                 if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) {
    1565                     cert_buf[len] = 0;
    1566                     apr_table_setn(env, MGS_SIDE("_CERT"), cert_buf);
    1567                 } else {
    1568                     ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
    1569                                   "GnuTLS: failed to export OpenPGP certificate");
    1570                 }
    1571             }
    1572         } else {
    1573             ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
    1574                           "GnuTLS: dazed and confused about OpenPGP certificate size");
    1575         }
    1576     }
    1577 
    1578     len = sizeof (buf);
    1579     gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
    1580     apr_table_setn(env, MGS_SIDE("_NAME"), apr_pstrmemdup(r->pool, buf, len));
    1581 
    1582     len = sizeof (sbuf);
    1583     gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
    1584     apr_table_setn(env, MGS_SIDE("_FINGERPRINT"),
    1585                    apr_pescape_hex(r->pool, sbuf, len, 0));
    1586 
    1587     ret = gnutls_openpgp_crt_get_version(cert);
    1588     if (ret > 0)
    1589         apr_table_setn(env, MGS_SIDE("_M_VERSION"),
    1590                        apr_psprintf(r->pool, "%u", ret));
    1591 
    1592     apr_table_setn(env, MGS_SIDE("_CERT_TYPE"), "OPENPGP");
    1593 
    1594     tmp =
    1595             mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
    1596             (cert), buf, sizeof (buf));
    1597     apr_table_setn(env, MGS_SIDE("_V_END"), apr_pstrdup(r->pool, tmp));
    1598 
    1599     tmp =
    1600             mgs_time2sz(gnutls_openpgp_crt_get_creation_time
    1601             (cert), buf, sizeof (buf));
    1602     apr_table_setn(env, MGS_SIDE("_V_START"), apr_pstrdup(r->pool, tmp));
    1603 
    1604     ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
    1605     if (ret >= 0) {
    1606         apr_table_setn(env, MGS_SIDE("_A_KEY"), gnutls_pk_algorithm_get_name(ret));
    1607     }
    1608 
    1609 }
    16101485
    16111486/* TODO: Allow client sending a X.509 certificate chain */
     
    16191494    unsigned int ch_size = 0;
    16201495
     1496    // TODO: union no longer needed here after removing its "pgp" component.
    16211497    union {
    16221498        gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
    1623         gnutls_openpgp_crt_t pgp;
    16241499    } cert;
    16251500    apr_time_t expiration_time, cur_time;
     
    16721547            }
    16731548        }
    1674     } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
    1675         if (cert_list_size > 1) {
    1676             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    1677                     "GnuTLS: Failed to Verify Peer: "
    1678                     "Chained Client Certificates are not supported.");
    1679             return HTTP_FORBIDDEN;
    1680         }
    1681 
    1682         gnutls_openpgp_crt_init(&cert.pgp);
    1683         rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0],
    1684                 GNUTLS_OPENPGP_FMT_RAW);
    1685 
    16861549    } else
    16871550        return HTTP_FORBIDDEN;
     
    17591622
    17601623    } else {
    1761         apr_time_ansi_put(&expiration_time,
    1762                 gnutls_openpgp_crt_get_expiration_time
    1763                 (cert.pgp));
    1764 
    1765         switch(ctxt->sc->client_verify_method) {
    1766         case mgs_cvm_cartel:
    1767             rv = gnutls_openpgp_crt_verify_ring(cert.pgp,
    1768                                                 ctxt->sc->pgp_list, 0,
    1769                                                 &status);
    1770             break;
    1771 #ifdef ENABLE_MSVA
    1772         case mgs_cvm_msva:
    1773             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    1774                           "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
    1775             rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    1776             break;
    1777 #endif
    1778         default:
    1779             /* If this block is reached, that indicates a
    1780              * configuration error or bug in mod_gnutls (invalid value
    1781              * of ctxt->sc->client_verify_method). */
    1782             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    1783                           "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
    1784                           mgs_readable_cvm(ctxt->sc->client_verify_method));
    1785             rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    1786         }
     1624        /* Unknown certificate type */
     1625        rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    17871626    }
    17881627
     
    17951634        if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
    17961635            ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
    1797                 "GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
     1636                "GnuTLS: No certificate was found for verification. Did you set the GnuTLSClientCAFile directive?");
    17981637        ret = HTTP_FORBIDDEN;
    17991638        goto exit;
     
    18361675    }
    18371676
    1838     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
    1839         mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
    1840     else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
    1841         mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size);
     1677    mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
    18421678
    18431679    {
     
    18671703        for (unsigned int i = 0; i < ch_size; i++)
    18681704            gnutls_x509_crt_deinit(cert.x509[i]);
    1869     else if (gnutls_certificate_type_get(ctxt->session) ==
    1870              GNUTLS_CRT_OPENPGP)
    1871         gnutls_openpgp_crt_deinit(cert.pgp);
     1705
    18721706    return ret;
    18731707}
     
    19281762 * certificate, but doesn't tell us (in any other way) who they are
    19291763 * trying to authenticate as.
    1930 
    1931  * TODO: we might need another parallel for OpenPGP, but for that it's
    1932  * much simpler: we can just assume that the first User ID marked as
    1933  * "primary" (or the first User ID, period) is the identity the user
    1934  * is trying to present as.
    19351764
    19361765 * one complaint might be "but the user wanted to be another identity,
  • src/mod_gnutls.c

    r2246a84 r7921dc7  
    245245}
    246246
     247#define OPENPGP_REMOVED "OpenPGP support has been removed."
     248
    247249static const command_rec mgs_config_cmds[] = {
    248250    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
     
    278280    RSRC_CONF,
    279281    "Set the CA File to verify Client Certificates"),
    280     AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
    281     NULL,
    282     RSRC_CONF,
    283     "Set the Keyring File to verify Client Certificates"),
    284282    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
    285283    NULL,
     
    302300    RSRC_CONF,
    303301    "TLS Server X509 Private Key file"),
    304     AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
    305     NULL,
    306     RSRC_CONF,
    307     "TLS Server PGP Certificate file"),
    308     AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
    309     NULL,
    310     RSRC_CONF,
    311     "TLS Server PGP Private key file"),
    312302#ifdef ENABLE_SRP
    313303    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
     
    396386                  NULL, RSRC_CONF,
    397387                  "Socket timeout for OCSP requests"),
     388    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
     389                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
     390    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
     391                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
     392    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
     393                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
    398394#ifdef __clang__
    399395    /* Workaround for this clang bug:
  • test/Makefile.am

    r2246a84 r7921dc7  
    3636TESTS = $(dist_check_SCRIPTS)
    3737
    38 check_PROGRAMS = pgpcrc gnutls_openpgp_support
     38check_PROGRAMS = pgpcrc
    3939pgpcrc_SOURCES = pgpcrc.c
    40 gnutls_openpgp_support_SOURCES = gnutls_openpgp_support.c
    41 gnutls_openpgp_support_CFLAGS = $(LIBGNUTLS_CFLAGS)
    42 gnutls_openpgp_support_LDFLAGS = $(LIBGNUTLS_LIBS)
    4340
    4441# build OCSP database tool
     
    5350# Identities in the miniature CA, server, and client environment for
    5451# the test suite
    55 shared_identities = server authority client imposter rogueca
     52shared_identities = authority client
    5653pgp_identities = $(shared_identities)
    57 x509_only_identities = rogueclient
     54x509_only_identities = server rogueca imposter rogueclient
    5855if ENABLE_OCSP_TEST
    5956x509_only_identities += ocsp-responder
  • test/test-14_basic_openpgp.bash

    r2246a84 r7921dc7  
    11#!/bin/bash
    2 ./gnutls_openpgp_support || exit $?
    3 ${srcdir}/runtests t-14
     2echo "OpenPGP support has been removed, skipping." 2>&1
     3exit 77
  • test/tests/Makefile.am

    r2246a84 r7921dc7  
    1414        12_cgi_variables/apache.conf 12_cgi_variables/gnutls-cli.args 12_cgi_variables/input 12_cgi_variables/output \
    1515        13_cgi_variables_no_client_cert/apache.conf 13_cgi_variables_no_client_cert/gnutls-cli.args 13_cgi_variables_no_client_cert/input 13_cgi_variables_no_client_cert/output \
    16         14_basic_openpgp/apache.conf 14_basic_openpgp/gnutls-cli.args 14_basic_openpgp/input 14_basic_openpgp/output \
    1716        15_basic_msva/apache.conf 15_basic_msva/gnutls-cli.args 15_basic_msva/input 15_basic_msva/output \
    1817        16_view-status/apache.conf 16_view-status/gnutls-cli.args 16_view-status/input 16_view-status/output \
Note: See TracChangeset for help on using the changeset viewer.