Changeset e376ed8 in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Nov 29, 2019, 4:30:08 PM (15 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, master, proxy-ticket
Children:
618ee14
Parents:
d4c9331 (diff), 556783e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Message:

Merge branch 'subca'

File:
1 edited

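--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -73,7 +73,5 @@
 {
     /* Free session ticket master key */
-#if GNUTLS_VERSION_NUMBER >= 0x030400
     gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size);
-#endif
     gnutls_free(session_ticket_key.data);
     session_ticket_key.data = NULL;
@@ -384,11 +382,11 @@
 
 static int cert_retrieve_fn(gnutls_session_t session,
-                            const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
-                            int nreqs __attribute__((unused)),
-                            const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)),
-                            int pk_algos_length __attribute__((unused)),
+                            const struct gnutls_cert_retr_st *info __attribute__((unused)),
                             gnutls_pcert_st **pcerts,
                             unsigned int *pcert_length,
-                            gnutls_privkey_t *privkey)
+                            gnutls_ocsp_data_st **ocsp,
+                            unsigned int *ocsp_length,
+                            gnutls_privkey_t *privkey,
+                            unsigned int *flags)
 {
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
@@ -407,5 +405,24 @@
         *pcerts = ctxt->sc->certs_x509_chain;
         *pcert_length = ctxt->sc->certs_x509_chain_num;
+        *ocsp = NULL;
+        *ocsp_length = 0;
         *privkey = ctxt->sc->privkey_x509;
+        *flags = 0;
+
+        if (ctxt->sc->ocsp_staple == GNUTLS_ENABLED_TRUE)
+        {
+            gnutls_ocsp_data_st *resp =
+                apr_palloc(ctxt->c->pool, sizeof(gnutls_ocsp_data_st));
+            resp->version = 0;
+            resp->exptime = 0;
+
+            int ret = mgs_get_ocsp_response(session, NULL, &resp->response);
+            if (ret == GNUTLS_E_SUCCESS)
+            {
+                *ocsp = resp;
+                *ocsp_length = 1;
+            }
+        }
+
         return 0;
     } else {
@@ -417,8 +434,4 @@
 
 
-#if GNUTLS_VERSION_NUMBER >= 0x030506
-#define HAVE_KNOWN_DH_GROUPS 1
-#endif
-#ifdef HAVE_KNOWN_DH_GROUPS
 /**
  * Try to estimate a GnuTLS security parameter based on the given
@@ -447,23 +460,4 @@
     return gnutls_pk_bits_to_sec_param(pk_algo, bits);
 }
-#else
-/** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
- * the default DH group if mod_gnutls is compiled agains a GnuTLS
- * version that does not provide known DH groups based on security
- * parameters (before 3.5.6). */
-static const char FFDHE2048_PKCS3[] =
-    "-----BEGIN DH PARAMETERS-----\n"
-    "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
-    "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
-    "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
-    "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
-    "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
-    "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
-    "-----END DH PARAMETERS-----\n";
-const gnutls_datum_t default_dh_params = {
-    (void *) FFDHE2048_PKCS3,
-    sizeof(FFDHE2048_PKCS3)
-};
-#endif
 
 
@@ -485,5 +479,4 @@
         ap_get_module_config(server->module_config, &gnutls_module);
 
-#ifdef HAVE_KNOWN_DH_GROUPS
     gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
     if (sc->privkey_x509)
@@ -519,26 +512,4 @@
         return HTTP_UNAUTHORIZED;
     }
-#else
-    int ret = gnutls_dh_params_init(&sc->dh_params);
-    if (ret < 0)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "%s: Failed to initialize DH params structure: "
-                     "%s (%d)", __func__, gnutls_strerror(ret), ret);
-        return HTTP_UNAUTHORIZED;
-    }
-    ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
-                                        GNUTLS_X509_FMT_PEM);
-    if (ret < 0)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "%s: Failed to import default DH params: %s (%d)",
-                     __func__, gnutls_strerror(ret), ret);
-        return HTTP_UNAUTHORIZED;
-    }
-
-    gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
-    gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
-#endif
 
     return OK;
@@ -731,18 +702,5 @@
         }
 
-        /* The call after this comment is a workaround for bug in
-         * gnutls_certificate_set_retrieve_function2 that ignores
-         * supported certificate types. Should be fixed in GnuTLS
-         * 3.3.12.
-         *
-         * Details:
-         * https://lists.gnupg.org/pipermail/gnutls-devel/2015-January/007377.html
-         * Workaround from:
-         * https://github.com/vanrein/tlspool/commit/4938102d3d1b086491d147e6c8e4e2a02825fc12 */
-#if GNUTLS_VERSION_NUMBER < 0x030312
-        gnutls_certificate_set_retrieve_function(sc->certs, (void *) exit);
-#endif
-
-        gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn);
+        gnutls_certificate_set_retrieve_function3(sc->certs, cert_retrieve_fn);
 
         if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
@@ -1372,11 +1330,6 @@
                                          gnutls_mac_get(ctxt->session)));
 
-#if GNUTLS_VERSION_NUMBER >= 0x030600
     /* Compression support has been removed since GnuTLS 3.6.0 */
     apr_table_setn(env, "SSL_COMPRESS_METHOD", "NULL");
-#else
-    apr_table_setn(env, "SSL_COMPRESS_METHOD",
-            gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));
-#endif
 
 #ifdef ENABLE_SRP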
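Review bot: In the new OCSP stapling block of cert_retrieve_fn, the buffer behind `resp->response` has no visible owner after the handshake: `*flags = 0` requests no GNUTLS_CERT_RETR_DEINIT_ALL-style cleanup from GnuTLS as far as I read that API, so if mgs_get_ocsp_response (not shown here) hands back a gnutls_malloc'd datum rather than pool memory, one response leaks per handshake — confirm which allocator it uses, or copy the datum into ctxt->c->pool. The apr_palloc result is dereferenced at `resp->version = 0;` with no NULL check; httpd pools normally carry an abort function, but if this pool does not, a bare `if (resp == NULL) return 0;` before it keeps the handshake alive without a staple instead of crashing. A failed mgs_get_ocsp_response silently yields no staple, so unless that helper logs on its own, an else branch with `_gnutls_log(debug_log_fp, "%s: no OCSP staple: %s (%d)\n", __func__, gnutls_strerror(ret), ret);` would make stapling outages (which must-staple clients turn into handshake failures) diagnosable. cert_retrieve_fn's signature is in the previous hunk and the rest of its body lies outside this one.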