Changeset 7fec961 in mod_gnutls


Timestamp:
Jul 2, 2010, 9:15:52 AM (9 years ago)
Author:
Nikos Mavrogiannopoulos <nmav@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
368b574
Parents:
bca274d
Message:

Depend on libgnutls for the activation and expiration time checks.

File:
1 edited

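--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1044,5 +1044,5 @@
 {
     const gnutls_datum_t *cert_list;
-    unsigned int cert_list_size, status, expired;
+    unsigned int cert_list_size, status;
     int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
     unsigned int ch_size = 0;
@@ -1051,5 +1051,5 @@
       gnutls_openpgp_crt_t pgp;
     } cert;
-    apr_time_t activation_time, expiration_time, cur_time;
+    apr_time_t expiration_time, cur_time;
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
@@ -1117,6 +1117,4 @@
         apr_time_ansi_put(&expiration_time,
                       gnutls_x509_crt_get_expiration_time(cert.x509[0]));
-        apr_time_ansi_put(&activation_time,
-                      gnutls_x509_crt_get_activation_time(cert.x509[0]));
 
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1128,6 +1126,4 @@
         apr_time_ansi_put(&expiration_time,
                       gnutls_openpgp_crt_get_expiration_time(cert.pgp));
-        apr_time_ansi_put(&activation_time,
-                      gnutls_openpgp_crt_get_creation_time(cert.pgp));
 
         rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list,
@@ -1151,21 +1147,5 @@
     /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
 
-    expired = 0;
     cur_time = apr_time_now();
-    if (activation_time > cur_time) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                      "GnuTLS: Failed to Verify Peer: "
-                      "Peer Certificate is not yet activated.");
-        expired = 1;
-    }
-
-    if (gnutls_certificate_type_get( ctxt->session) != GNUTLS_CRT_OPENPGP || expiration_time != 0) {
-        if (expiration_time < cur_time) {
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                      "GnuTLS: Failed to Verify Peer: "
-                      "Peer Certificate is expired.");
-            expired = 1;
-        }
-    }
 
     if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
@@ -1177,4 +1157,14 @@
         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                       "GnuTLS: Peer's Certificate signer is not a CA");
+    }
+
+    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                      "GnuTLS: Peer's Certificate is using insecure algorithms");
+    }
+
+    if (status & GNUTLS_CERT_EXPIRED || status & GNUTLS_CERT_NOT_ACTIVATED) {
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                      "GnuTLS: Peer's Certificate signer is expired or not yet activated");
     }
 
@@ -1203,5 +1193,5 @@
     }
 
-    if (status == 0 && expired == 0) {
+    if (status == 0) {
         apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS");
         ret = OK;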
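Review bot: With the local time checks removed, the SUCCESS branch at new line 1195 trusts `status == 0` alone, so activation and expiration are only enforced if the linked libgnutls actually sets GNUTLS_CERT_EXPIRED / GNUTLS_CERT_NOT_ACTIVATED in the status it returns; on a library that does not report these flags, an expired or not-yet-valid peer certificate would now be accepted. A build-time guard makes that dependency explicit, e.g. `#if GNUTLS_VERSION_NUMBER < <MIN_GNUTLS_VERSION>` / `#error "mod_gnutls needs a libgnutls that reports GNUTLS_CERT_EXPIRED/GNUTLS_CERT_NOT_ACTIVATED"` / `#endif` near the includes (the exact minimum version is not visible here). The message at new line 1168 says "signer is expired or not yet activated", but these flags presumably cover the peer certificate itself as well as its signers, so `"GnuTLS: Peer's Certificate or its signer is expired or not yet activated"` would be less misleading, and `status & (GNUTLS_CERT_EXPIRED | GNUTLS_CERT_NOT_ACTIVATED)` reads more clearly than two `&` terms joined by `||`. `expiration_time` is still filled at new lines 1117 and 1126 but no longer affects the verdict, so a comment such as `/* expiration_time is informational only; libgnutls enforces validity via status */` would stop a reader from looking for the missing check. The enclosing function begins and ends outside this section.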