-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | include/mod_gnutls.h.in | 6 | ||||
-rw-r--r-- | src/gnutls_config.c | 32 |
3 files changed, 34 insertions, 11 deletions
@@ -1,4 +1,9 @@ | |||
1 | ** Verison 0.5.4 (2009-01-04) | 1 | ** Version 0.5.5 (unreleased) |
2 | |||
3 | - Removed limits on CA certificate loading. Reported by | ||
4 | Sander Marechal and Jack Bates. | ||
5 | |||
6 | ** Version 0.5.4 (2009-01-04) | ||
2 | 7 | ||
3 | - mod_gnutls.h: modified definition to extern to avoid compilation | 8 | - mod_gnutls.h: modified definition to extern to avoid compilation |
4 | errors in darwin. | 9 | errors in darwin. |
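--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -79,10 +79,6 @@ typedef struct
 } mgs_dirconf_rec;
 
 
-/* The maximum number of client CA certificates allowed.
- */
-#define MAX_CA_CRTS 128
-
 /* The maximum number of certificates to send in a chain
  */
 #define MAX_CHAIN_SIZE 8
@@ -111,7 +107,7 @@ typedef struct
 const char* cache_config;
 const char* srp_tpasswd_file;
 const char* srp_tpasswd_conf_file;
-gnutls_x509_crt_t ca_list[MAX_CA_CRTS];
+gnutls_x509_crt_t *ca_list;
 gnutls_openpgp_keyring_t pgp_list;
 unsigned int ca_list_size;
 int client_verify_mode;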
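Review bot: `gnutls_x509_crt_t *ca_list;` at new line 110 turns a fixed in-struct array into a bare pointer, but nothing in the header says who allocates it, that its length is the `ca_list_size` member two lines below, or that it is a C-heap block (the matching change in src/gnutls_config.c obtains it with malloc/realloc) rather than pool memory — a maintainer copying or merging this record, or looking for where to free it, gets no warning. A one-line comment above the member would carry that: `/* heap array of ca_list_size client CA certs; allocated in mgs_set_client_ca_file() */`. The enclosing struct definition begins before this hunk.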
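--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -398,6 +398,7 @@ const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
 return NULL;
 }
 
+#define INIT_CA_SIZE 128
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
 const char *arg)
 {
@@ -419,15 +420,36 @@ const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
 "Client CA File '%s'", file);
 }
 
-sc->ca_list_size = MAX_CA_CRTS;
+sc->ca_list_size = INIT_CA_SIZE;
+sc->ca_list = malloc(sc->ca_list_size * sizeof(*sc->ca_list));
+if (sc->ca_list == NULL) {
+return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
+}
+
 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
-&data, GNUTLS_X509_FMT_PEM,
-GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
-if (rv < 0) {
-return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+&data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
 "Client CA File '%s': (%d) %s", file, rv,
 gnutls_strerror(rv));
 }
+
+if (INIT_CA_SIZE < sc->ca_list_size) {
+sc->ca_list = realloc(sc->ca_list, sc->ca_list_size*sizeof(*sc->ca_list));
+if (sc->ca_list == NULL) {
+return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
+}
+
+/* re-read */
+rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
+&data, GNUTLS_X509_FMT_PEM, 0);
+
+if (rv < 0) {
+return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+"Client CA File '%s': (%d) %s", file, rv,
+gnutls_strerror(rv));
+}
+}
 
 apr_pool_destroy(spool);
 return NULL;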
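Review bot: `sc->ca_list = realloc(sc->ca_list, ...)` at new line 438 overwrites the only reference to the block malloc'd on line 424, so when realloc fails the 128-slot array leaks (together with any certificates gnutls already placed in it) and `sc->ca_list` is left NULL while `ca_list_size` still reports the larger count; assign through a temporary and release the old block on that path. The error returns on lines 432 and 448 likewise return with the heap array still attached to `sc->ca_list`, which the rest of this function avoids by taking its memory from `parms->pool` (see the apr_psprintf calls); either free it there or allocate the array from the pool instead. Whether the first, GNUTLS_E_SHORT_MEMORY_BUFFER call leaves initialized `gnutls_x509_crt_t` objects in the first INIT_CA_SIZE slots that the re-read then silently overwrites depends on gnutls's behaviour in that case — worth confirming, and deinitializing them before the re-read if so. mgs_set_client_ca_file's body begins before this hunk.
```c
if (INIT_CA_SIZE < sc->ca_list_size) {
    gnutls_x509_crt_t *grown =
        realloc(sc->ca_list, sc->ca_list_size * sizeof(*sc->ca_list));
    if (grown == NULL) {
        free(sc->ca_list);      /* realloc left the old block alive */
        sc->ca_list = NULL;
        sc->ca_list_size = 0;
        return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
    }
    sc->ca_list = grown;

    /* … unchanged: re-read with gnutls_x509_crt_list_import(..., 0) … */

    if (rv < 0) {
        free(sc->ca_list);
        sc->ca_list = NULL;
        sc->ca_list_size = 0;
        /* … unchanged: "GnuTLS: Failed to load Client CA File" return … */
    }
}
```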