Changeset d04f7da in mod_gnutls

Timestamp:

Apr 7, 2015, 12:28:40 PM (4 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

2cde026d

Parents:

2cde8111

Message:

Version guards for gnutls_privkey_import_openpgp_raw workaround

The invalid free bug in gnutls_privkey_import_openpgp_raw should be
fixed in GnuTLS 3.3.12 [1], so add appropriate version guards and use
the workaround only with older versions.

[1] ​https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a#commitcomment-10581365

Files:

• include/mod_gnutls.h.in (modified) (1 diff)
• src/gnutls_config.c (modified) (2 diffs)
• src/gnutls_hooks.c (modified) (1 diff)

include/mod_gnutls.h.in

@@ -170 +170 @@
         /* OpenPGP Certificate Private Key */
     gnutls_privkey_t privkey_pgp;
-    /* Internal structure for the OpenPGP private key. DO NOT USE
-     * outside key loading. */
+#if GNUTLS_VERSION_NUMBER < 0x030312
+    /* Internal structure for the OpenPGP private key, used in the
+     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
+     * frees memory that is still needed. DO NOT USE for any other
+     * purpose. */
     gnutls_openpgp_privkey_t privkey_pgp_internal;
+#endif
 
     /* Export full certificates to CGI environment: */

src/gnutls_config.c

@@ -422 +422 @@
         }
 
-        /* Theoretically, this chain of gnutls_openpgp_privkey_init,
+#if GNUTLS_VERSION_NUMBER < 0x030312
+        /* GnuTLS versions before 3.3.12 contain a bug in
+         * gnutls_privkey_import_openpgp_raw which frees data that is
+         * accessed when the key is used, leading to segfault. Loading
+         * the key into a gnutls_openpgp_privkey_t and then assigning
+         * it to the gnutls_privkey_t works around the bug, hence this
+         * chain of gnutls_openpgp_privkey_init,
          * gnutls_openpgp_privkey_import and
-         * gnutls_privkey_import_openpgp could be replaced with one
-         * call to gnutls_privkey_import_openpgp_raw as shown
-         * below. However, that led to a segfault during handshake
-         * which disappeared with the three step method.
-         *
-         * ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
-         *                                         GNUTLS_OPENPGP_FMT_BASE64,
-         *                                         NULL, NULL); */
+         * gnutls_privkey_import_openpgp. */
         ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
         if (ret != 0) {
@@ -464 +463 @@
             goto cleanup;
         }
+#else
+        ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
+                                                GNUTLS_OPENPGP_FMT_BASE64,
+                                                NULL, NULL);
+        if (ret != 0)
+        {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "GnuTLS: Failed to Import "
+                         "PGP Private Key '%s': (%d) %s",
+                         sc->pgp_key_file, ret, gnutls_strerror(ret));
+            ret = -1;
+            goto cleanup;
+        }
+#endif
     }
 

src/gnutls_hooks.c

@@ -369 +369 @@
          * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
          * Workaround from:
-         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12
-         *
-         * TODO: add appropriate version guards */
+         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
 #if GNUTLS_VERSION_NUMBER < 0x030312
         gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);