-rw-r--r-- | src/gnutls_hooks.c | 36 |
1 files changed, 13 insertions, 23 deletions
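diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 032e6f3..3ce8188 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1043,14 +1043,14 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 {
 const gnutls_datum_t *cert_list;
-unsigned int cert_list_size, status, expired;
+unsigned int cert_list_size, status;
 int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
 unsigned int ch_size = 0;
 union {
 gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
 gnutls_openpgp_crt_t pgp;
 } cert;
-apr_time_t activation_time, expiration_time, cur_time;
+apr_time_t expiration_time, cur_time;
 
 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 cert_list =
@@ -1116,8 +1116,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
 apr_time_ansi_put(&expiration_time,
 gnutls_x509_crt_get_expiration_time(cert.x509[0]));
-apr_time_ansi_put(&activation_time,
-gnutls_x509_crt_get_activation_time(cert.x509[0]));
 
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "GnuTLS: Verifying list of %d certificate(s)", ch_size);
@@ -1127,8 +1125,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 } else {
 apr_time_ansi_put(&expiration_time,
 gnutls_openpgp_crt_get_expiration_time(cert.pgp));
-apr_time_ansi_put(&activation_time,
-gnutls_openpgp_crt_get_creation_time(cert.pgp));
 
 rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list,
 0, &status);
@@ -1150,23 +1146,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 */
 /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
 
-expired = 0;
 cur_time = apr_time_now();
-if (activation_time > cur_time) {
-ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-"GnuTLS: Failed to Verify Peer: "
-"Peer Certificate is not yet activated.");
-expired = 1;
-}
-
-if (gnutls_certificate_type_get( ctxt->session) != GNUTLS_CRT_OPENPGP || expiration_time != 0) {
-if (expiration_time < cur_time) {
-ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-"GnuTLS: Failed to Verify Peer: "
-"Peer Certificate is expired.");
-expired = 1;
-}
-}
 
 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
@@ -1178,6 +1158,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 "GnuTLS: Peer's Certificate signer is not a CA");
 }
 
+if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+"GnuTLS: Peer's Certificate is using insecure algorithms");
+}
+
+if (status & GNUTLS_CERT_EXPIRED || status & GNUTLS_CERT_NOT_ACTIVATED) {
+ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+"GnuTLS: Peer's Certificate signer is expired or not yet activated");
+}
+
 if (status & GNUTLS_CERT_INVALID) {
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
 "GnuTLS: Peer Certificate is invalid.");
@@ -1202,7 +1192,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 apr_psprintf(r->pool, "%lu", remain));
 }
 
-if (status == 0 && expired == 0) {
+if (status == 0) {
 apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS");
 ret = OK;
 } else {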
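Review bot: With the explicit activation/expiration comparison removed in the -1150 hunk, enforcement of the peer certificate's validity period now rests entirely on the library setting GNUTLS_CERT_EXPIRED / GNUTLS_CERT_NOT_ACTIVATED in `status` during gnutls_openpgp_crt_verify_ring and the X.509 list verification (the latter call is outside the visible hunks); if the linked GnuTLS release does not perform time checks inside those calls, an expired client certificate would now reach `if (status == 0)` and be reported as SSL_CLIENT_VERIFY=SUCCESS, so the new check at +1166 should carry a comment pinning the dependency, e.g. `/* Validity period is checked by GnuTLS >= [MIN VERSION PLACEHOLDER]; older releases leave these bits unset. */`. The condition `status & GNUTLS_CERT_EXPIRED || status & GNUTLS_CERT_NOT_ACTIVATED` is correct under C precedence but reads more clearly as `if (status & (GNUTLS_CERT_EXPIRED | GNUTLS_CERT_NOT_ACTIVATED)) {`. The log text "Peer's Certificate signer is expired or not yet activated" is narrower than the flags it reports, which presumably can be raised for the peer's own certificate as well as an issuer; "Peer's Certificate or its signer is expired or not yet activated" would match the condition. mgs_cert_verify's body continues past the last hunk.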