Changeset 99f8375 in mod_gnutls


Timestamp:
Aug 9, 2015, 5:49:12 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
efd3cfe
Parents:
dbec528
Message:

Ensure safe defaults during client verification

Initialize the validation status to "invalid". Two error codepaths do
not set status, though it might be read later. They should never be hit
(invalid verification modes should be rejected during server config),
but this adds another line of defense.

Also, the error paths now set the "rv" variable to an error code, which
means client verification fails without checking of the status variable.

File:
1 edited

  • src/gnutls_hooks.c

    rdbec528 r99f8375  
    12041204static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) {
    12051205    const gnutls_datum_t *cert_list;
    1206     unsigned int cert_list_size, status;
     1206    unsigned int cert_list_size;
     1207    /* assume the certificate is invalid unless explicitly set
     1208     * otherwise */
     1209    unsigned int status = GNUTLS_CERT_INVALID;
    12071210    int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
    12081211    unsigned int ch_size = 0;
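
Review bot: the comment at new lines 1207-1208 should say why the initializer matters, because nothing in this hunk shows which paths read status without writing it. The commit message mentions two error code paths that leave it unset; naming them in the comment would keep a later cleanup from dropping "= GNUTLS_CERT_INVALID" as a redundant initializer.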
     
    13381341#endif
    13391342        default:
     1343            /* If this block is reached, that indicates a
     1344             * configuration error or bug in mod_gnutls (invalid value
     1345             * of ctxt->sc->client_verify_method). */
    13401346            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13411347                          "GnuTLS: Failed to Verify X.509 Peer: method '%s' is not supported",
    13421348                          mgs_readable_cvm(ctxt->sc->client_verify_method));
     1349            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
    13431350        }
    13441351
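
Review bot: the log call in this default: branch (new lines 1346-1348) still uses APLOG_INFO, although the new comment says that reaching it indicates a configuration error or a bug in mod_gnutls. APLOG_ERR, or at least APLOG_WARNING, would make the condition visible under Apache's default LogLevel of warn. The added "rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;" is a negative GnuTLS error code, so it does take the rv < 0 path as intended.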
     
    13561363#ifdef ENABLE_MSVA
    13571364        case mgs_cvm_msva:
    1358             /* need to set status and rv */
    13591365            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13601366                          "GnuTLS:  OpenPGP verification via MSVA is not yet implemented");
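
Review bot: the mgs_cvm_msva case loses its "need to set status and rv" reminder (old line 1358), but the visible lines add no rv assignment here the way both default: branches get one. If this case is meant to fail through the initial values (status = GNUTLS_CERT_INVALID, rv = GNUTLS_E_NO_CERTIFICATE_FOUND), replace the removed comment with one that says so; otherwise set rv explicitly next to the log call.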
     
    13631369#endif
    13641370        default:
     1371            /* If this block is reached, that indicates a
     1372             * configuration error or bug in mod_gnutls (invalid value
     1373             * of ctxt->sc->client_verify_method). */
    13651374            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    13661375                          "GnuTLS: Failed to Verify OpenPGP Peer: method '%s' is not supported",
    13671376                          mgs_readable_cvm(ctxt->sc->client_verify_method));
    1368         }
    1369     }
    1370 
     1377            rv = GNUTLS_E_UNIMPLEMENTED_FEATURE;
     1378        }
     1379    }
     1380
     1381    /* "goto exit" at the end of this block skips evaluation of the
     1382     * "status" variable */
    13711383    if (rv < 0) {
    13721384        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
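
Review bot: this default: branch (new lines 1370-1377) is a near copy of the X.509 one, differing only in the word "OpenPGP" in the log message; a small helper that takes the peer type would keep the two fail-closed paths from drifting apart. The comment at new lines 1381-1382 describes the control flow but not the intent: it could state that the rv < 0 check is the primary gate and the status initializer is the fallback, which is what the commit message describes.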