summaryrefslogtreecommitdiffstatsabout
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/gnutls_hooks.c36
1 files changed, 13 insertions, 23 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 032e6f3..3ce8188 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1043,14 +1043,14 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side
1043static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) 1043static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1044{ 1044{
1045 const gnutls_datum_t *cert_list; 1045 const gnutls_datum_t *cert_list;
1046 unsigned int cert_list_size, status, expired; 1046 unsigned int cert_list_size, status;
1047 int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret; 1047 int rv = GNUTLS_E_NO_CERTIFICATE_FOUND, ret;
1048 unsigned int ch_size = 0; 1048 unsigned int ch_size = 0;
1049 union { 1049 union {
1050 gnutls_x509_crt_t x509[MAX_CHAIN_SIZE]; 1050 gnutls_x509_crt_t x509[MAX_CHAIN_SIZE];
1051 gnutls_openpgp_crt_t pgp; 1051 gnutls_openpgp_crt_t pgp;
1052 } cert; 1052 } cert;
1053 apr_time_t activation_time, expiration_time, cur_time; 1053 apr_time_t expiration_time, cur_time;
1054 1054
1055 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 1055 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
1056 cert_list = 1056 cert_list =
@@ -1116,8 +1116,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1116 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) { 1116 if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
1117 apr_time_ansi_put(&expiration_time, 1117 apr_time_ansi_put(&expiration_time,
1118 gnutls_x509_crt_get_expiration_time(cert.x509[0])); 1118 gnutls_x509_crt_get_expiration_time(cert.x509[0]));
1119 apr_time_ansi_put(&activation_time,
1120 gnutls_x509_crt_get_activation_time(cert.x509[0]));
1121 1119
1122 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 1120 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
1123 "GnuTLS: Verifying list of %d certificate(s)", ch_size); 1121 "GnuTLS: Verifying list of %d certificate(s)", ch_size);
@@ -1127,8 +1125,6 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1127 } else { 1125 } else {
1128 apr_time_ansi_put(&expiration_time, 1126 apr_time_ansi_put(&expiration_time,
1129 gnutls_openpgp_crt_get_expiration_time(cert.pgp)); 1127 gnutls_openpgp_crt_get_expiration_time(cert.pgp));
1130 apr_time_ansi_put(&activation_time,
1131 gnutls_openpgp_crt_get_creation_time(cert.pgp));
1132 1128
1133 rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list, 1129 rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list,
1134 0, &status); 1130 0, &status);
@@ -1150,23 +1146,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1150 */ 1146 */
1151 /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */ 1147 /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
1152 1148
1153 expired = 0;
1154 cur_time = apr_time_now(); 1149 cur_time = apr_time_now();
1155 if (activation_time > cur_time) {
1156 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1157 "GnuTLS: Failed to Verify Peer: "
1158 "Peer Certificate is not yet activated.");
1159 expired = 1;
1160 }
1161
1162 if (gnutls_certificate_type_get( ctxt->session) != GNUTLS_CRT_OPENPGP || expiration_time != 0) {
1163 if (expiration_time < cur_time) {
1164 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1165 "GnuTLS: Failed to Verify Peer: "
1166 "Peer Certificate is expired.");
1167 expired = 1;
1168 }
1169 }
1170 1150
1171 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { 1151 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
1172 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1152 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
@@ -1178,6 +1158,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1178 "GnuTLS: Peer's Certificate signer is not a CA"); 1158 "GnuTLS: Peer's Certificate signer is not a CA");
1179 } 1159 }
1180 1160
1161 if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
1162 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1163 "GnuTLS: Peer's Certificate is using insecure algorithms");
1164 }
1165
1166 if (status & GNUTLS_CERT_EXPIRED || status & GNUTLS_CERT_NOT_ACTIVATED) {
1167 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1168 "GnuTLS: Peer's Certificate signer is expired or not yet activated");
1169 }
1170
1181 if (status & GNUTLS_CERT_INVALID) { 1171 if (status & GNUTLS_CERT_INVALID) {
1182 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1172 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
1183 "GnuTLS: Peer Certificate is invalid."); 1173 "GnuTLS: Peer Certificate is invalid.");
@@ -1202,7 +1192,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
1202 apr_psprintf(r->pool, "%lu", remain)); 1192 apr_psprintf(r->pool, "%lu", remain));
1203 } 1193 }
1204 1194
1205 if (status == 0 && expired == 0) { 1195 if (status == 0) {
1206 apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS"); 1196 apr_table_setn(r->subprocess_env, "SSL_CLIENT_VERIFY", "SUCCESS");
1207 ret = OK; 1197 ret = OK;
1208 } else { 1198 } else {