
(-)macros/neon.m4 (-4 / +5 lines)
Lines 989-1000 Link Here
989
   # Check for functions in later releases
989
   # Check for functions in later releases
990
   NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
990
   NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
991
                  gnutls_sign_callback_set \
991
                  gnutls_sign_callback_set \
992
                  gnutls_certificate_get_issuer \
992
                  gnutls_certificate_get_x509_cas \
993
                  gnutls_certificate_get_x509_cas \
993
                  gnutls_certificate_verify_peers2])
994
                  gnutls_x509_crt_sign2])
994
995
995
   # fail if gnutls_certificate_verify_peers2 is not found
996
   # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)
996
   if test x${ac_cv_func_gnutls_certificate_verify_peers2} != xyes; then
997
   if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then
997
       AC_MSG_ERROR([GnuTLS version predates gnutls_certificate_verify_peers2, newer version required])
998
       AC_MSG_ERROR([GnuTLS version predates gnutls_x509_crt_sign2, newer version required (at least 1.2.0)])
998
   fi
999
   fi
999
                  
1000
                  
1000
   # Check for iconv support if using the new RDN access functions:
1001
   # Check for iconv support if using the new RDN access functions:
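Review bot: The new AC_MSG_ERROR at line 998 drops the explicit minimum-version hint that the replaced message carried ("at least 1.2.0"), so a user who hits the failure is told only that a "newer" GnuTLS is needed without knowing which release satisfies it. If the release that introduced gnutls_certificate_verify_peers2 is known to the maintainers, stating it in the message, e.g. `AC_MSG_ERROR([GnuTLS version predates gnutls_certificate_verify_peers2, newer version required (at least X.Y)])` with the real version in place of X.Y, restores that guidance. The comment at line 996 could carry the same version so it stays consistent with the line it replaces.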
(-)src/ne_gnutls.c (-7 / +16 lines)
Lines 83-89 Link Here
83
};
83
};
84
84
85
struct ne_ssl_client_cert_s {
85
struct ne_ssl_client_cert_s {
86
    gnutls_pkcs12 p12;
86
    gnutls_pkcs12_t p12;
87
    int decrypted; /* non-zero if successfully decrypted. */
87
    int decrypted; /* non-zero if successfully decrypted. */
88
    int keyless;
88
    int keyless;
89
    ne_ssl_certificate cert;
89
    ne_ssl_certificate cert;
Lines 697-703 Link Here
697
    ne_free(ctx);
697
    ne_free(ctx);
698
}
698
}
699
699
700
#ifdef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS
700
#if !defined(HAVE_GNUTLS_CERTIFICATE_GET_ISSUER) && defined(HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS)
701
/* Return the issuer of the given certificate, or NULL if none can be
701
/* Return the issuer of the given certificate, or NULL if none can be
702
 * found. */
702
 * found. */
703
static gnutls_x509_crt find_issuer(gnutls_x509_crt *ca_list,
703
static gnutls_x509_crt find_issuer(gnutls_x509_crt *ca_list,
Lines 752-771 Link Here
752
        }
752
        }
753
    }
753
    }
754
754
755
#ifdef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS
755
#if defined(HAVE_GNUTLS_CERTIFICATE_GET_ISSUER) || defined(HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS)
756
    /* GnuTLS only returns the peers which were *sent* by the server
756
    /* GnuTLS only returns the peers which were *sent* by the server
757
     * in the Certificate list during the handshake.  Fill in the
757
     * in the Certificate list during the handshake.  Fill in the
758
     * complete chain manually against the certs we trust: */
758
     * complete chain manually against the certs we trust: */
759
    if (current->issuer == NULL) {
759
    if (current->issuer == NULL) {
760
        gnutls_x509_crt issuer;
760
        gnutls_x509_crt issuer;
761
762
#ifndef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
761
        gnutls_x509_crt *ca_list;
763
        gnutls_x509_crt *ca_list;
762
        unsigned int num_cas;
764
        unsigned int num_cas;
763
        
765
        
764
        gnutls_certificate_get_x509_cas(crd, &ca_list, &num_cas);
766
        gnutls_certificate_get_x509_cas(crd, &ca_list, &num_cas);
767
#endif
765
768
766
        do { 
769
        do { 
767
            /* Look up the issuer. */
770
            /* Look up the issuer. */
771
#ifndef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
768
            issuer = find_issuer(ca_list, num_cas, current->subject);
772
            issuer = find_issuer(ca_list, num_cas, current->subject);
773
#else
774
            if (gnutls_certificate_get_issuer(crd, current->subject, &issuer, 0))
775
                issuer = NULL;
776
#endif
777
769
            if (issuer) {
778
            if (issuer) {
770
                issuer = x509_crt_copy(issuer);
779
                issuer = x509_crt_copy(issuer);
771
                cert = populate_cert(ne_calloc(sizeof *cert), issuer);
780
                cert = populate_cert(ne_calloc(sizeof *cert), issuer);
Lines 1037-1047 Link Here
1037
/* Parses a PKCS#12 structure and loads the certificate, private key
1046
/* Parses a PKCS#12 structure and loads the certificate, private key
1038
 * and friendly name if possible.  Returns zero on success, non-zero
1047
 * and friendly name if possible.  Returns zero on success, non-zero
1039
 * on error. */
1048
 * on error. */
1040
static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
1049
static int pkcs12_parse(gnutls_pkcs12_t p12, gnutls_x509_privkey *pkey,
1041
                        gnutls_x509_crt *x5, char **friendly_name,
1050
                        gnutls_x509_crt *x5, char **friendly_name,
1042
                        const char *password)
1051
                        const char *password)
1043
{
1052
{
1044
    gnutls_pkcs12_bag bag = NULL;
1053
    gnutls_pkcs12_bag_t bag = NULL;
1045
    int i, j, ret = 0;
1054
    int i, j, ret = 0;
1046
1055
1047
    for (i = 0; ret == 0; ++i) {
1056
    for (i = 0; ret == 0; ++i) {
Lines 1056-1062 Link Here
1056
        gnutls_pkcs12_bag_decrypt(bag, password);
1065
        gnutls_pkcs12_bag_decrypt(bag, password);
1057
1066
1058
        for (j = 0; ret == 0 && j < gnutls_pkcs12_bag_get_count(bag); ++j) {
1067
        for (j = 0; ret == 0 && j < gnutls_pkcs12_bag_get_count(bag); ++j) {
1059
            gnutls_pkcs12_bag_type type;
1068
            gnutls_pkcs12_bag_type_t type;
1060
            gnutls_datum data;
1069
            gnutls_datum data;
1061
1070
1062
            if (friendly_name && *friendly_name == NULL) {
1071
            if (friendly_name && *friendly_name == NULL) {
Lines 1141-1147 Link Here
1141
{
1150
{
1142
    int ret;
1151
    int ret;
1143
    gnutls_datum data;
1152
    gnutls_datum data;
1144
    gnutls_pkcs12 p12;
1153
    gnutls_pkcs12_t p12;
1145
    ne_ssl_client_cert *cc;
1154
    ne_ssl_client_cert *cc;
1146
    char *friendly_name = NULL;
1155
    char *friendly_name = NULL;
1147
    gnutls_x509_crt cert = NULL;
1156
    gnutls_x509_crt cert = NULL;
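Review bot: In the new `#else` branch at line 774, `issuer` appears to be left pointing at an object that gnutls_certificate_get_issuer() hands back from the credentials' own trust list rather than a fresh certificate, and the code silently relies on the pre-existing `issuer = x509_crt_copy(issuer);` at line 779 to obtain a copy the caller owns; that dependency is not stated anywhere, so a comment such as `/* Returned pointer is owned by crd's trust list; x509_crt_copy() below takes our own copy. */` above line 774 would keep a later refactor from deiniting it or dropping the copy. The branch also discards the return code, so a genuine lookup error is indistinguishable from "no issuer in the trust store" and the chain fill-in just stops; if that distinction matters, keep the value in a local and log it with `NE_DEBUG(NE_DBG_SSL, ...)` before setting `issuer = NULL`. The enclosing function begins and ends outside this hunk.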
(-)src/ne_socket.c (-3 / +7 lines)
Lines 724-732 Link Here
724
                    _("SSL alert received: %s"),
724
                    _("SSL alert received: %s"),
725
                    gnutls_alert_get_name(gnutls_alert_get(sock->ssl)));
725
                    gnutls_alert_get_name(gnutls_alert_get(sock->ssl)));
726
        break;
726
        break;
727
#if GNUTLS_VERSION_MAJOR > 2 || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR >= 99)
728
    case GNUTLS_E_PREMATURE_TERMINATION:
729
#else
727
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
730
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
728
        /* It's not exactly an API guarantee but this error will
731
#endif
729
         * always mean a premature EOF. */
730
        ret = NE_SOCK_TRUNC;
732
        ret = NE_SOCK_TRUNC;
731
        set_error(sock, _("Secure connection truncated"));
733
        set_error(sock, _("Secure connection truncated"));
732
        break;
734
        break;
Lines 1705-1710 Link Here
1705
        NE_DEBUG(NE_DBG_SSL, "ssl: Server reused session.\n");
1707
        NE_DEBUG(NE_DBG_SSL, "ssl: Server reused session.\n");
1706
    }
1708
    }
1707
#elif defined(HAVE_GNUTLS)
1709
#elif defined(HAVE_GNUTLS)
1710
    unsigned int verify_status;
1711
1708
    gnutls_init(&ssl, GNUTLS_SERVER);
1712
    gnutls_init(&ssl, GNUTLS_SERVER);
1709
    gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
1713
    gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
1710
    gnutls_set_default_priority(ssl);
1714
    gnutls_set_default_priority(ssl);
Lines 1724-1730 Link Here
1724
    if (ret < 0) {
1728
    if (ret < 0) {
1725
        return error_gnutls(sock, ret);
1729
        return error_gnutls(sock, ret);
1726
    }
1730
    }
1727
    if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
1731
    if (ctx->verify && (gnutls_certificate_verify_peers2(ssl, &verify_status) || verify_status)) {
1728
        set_error(sock, _("Client certificate verification failed"));
1732
        set_error(sock, _("Client certificate verification failed"));
1729
        return NE_SOCK_ERROR;
1733
        return NE_SOCK_ERROR;
1730
    }
1734
    }
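Review bot: `verify_status` at line 1710 is declared uninitialized and is never written when gnutls_certificate_verify_peers2() fails; the `||` in the new condition at line 1731 short-circuits so the read is avoided today, but the correctness depends on that evaluation order, and `unsigned int verify_status = 0;` removes the fragility at no cost. The combined condition also folds an API failure (non-zero return) and a real verification failure (non-zero status bits) into the same "Client certificate verification failed" message, so nobody debugging a rejected client can tell which happened; logging the bits, e.g. `NE_DEBUG(NE_DBG_SSL, "ssl: client cert verify status %u\n", verify_status);` before the `set_error` at line 1732, would help. The enclosing function starts before this hunk.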
