Changeset d04f7da in mod_gnutls for src/gnutls_config.c


Ignore:
Timestamp:
Apr 7, 2015, 12:28:40 PM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
2cde026d
Parents:
2cde8111
Message:

Version guards for gnutls_privkey_import_openpgp_raw workaround

The invalid free bug in gnutls_privkey_import_openpgp_raw should be
fixed in GnuTLS 3.3.12 [1], so add appropriate version guards and use
the workaround only with older versions.

[1] https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a#commitcomment-10581365

File:
1 edited

Legend:

Unmodified
Added
Removed
  • src/gnutls_config.c

    r2cde8111 rd04f7da  
    422422        }
    423423
    424         /* Theoretically, this chain of gnutls_openpgp_privkey_init,
     424#if GNUTLS_VERSION_NUMBER < 0x030312
     425        /* GnuTLS versions before 3.3.12 contain a bug in
     426         * gnutls_privkey_import_openpgp_raw which frees data that is
     427         * accessed when the key is used, leading to segfault. Loading
     428         * the key into a gnutls_openpgp_privkey_t and then assigning
     429         * it to the gnutls_privkey_t works around the bug, hence this
     430         * chain of gnutls_openpgp_privkey_init,
    425431         * gnutls_openpgp_privkey_import and
    426          * gnutls_privkey_import_openpgp could be replaced with one
    427          * call to gnutls_privkey_import_openpgp_raw as shown
    428          * below. However, that led to a segfault during handshake
    429          * which disappeared with the three step method.
    430          *
    431          * ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
    432          *                                         GNUTLS_OPENPGP_FMT_BASE64,
    433          *                                         NULL, NULL); */
     432         * gnutls_privkey_import_openpgp. */
    434433        ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
    435434        if (ret != 0) {
     
    464463            goto cleanup;
    465464        }
     465#else
     466        ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
     467                                                GNUTLS_OPENPGP_FMT_BASE64,
     468                                                NULL, NULL);
     469        if (ret != 0)
     470        {
     471            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     472                         "GnuTLS: Failed to Import "
     473                         "PGP Private Key '%s': (%d) %s",
     474                         sc->pgp_key_file, ret, gnutls_strerror(ret));
     475            ret = -1;
     476            goto cleanup;
     477        }
     478#endif
    466479    }
    467480
Note: See TracChangeset for help on using the changeset viewer.