aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--NEWS7
-rw-r--r--include/mod_gnutls.h.in6
-rw-r--r--src/gnutls_config.c32
3 files changed, 34 insertions, 11 deletions
diff --git a/NEWS b/NEWS
index 26fa82b..5dea61e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,9 @@
1** Verison 0.5.4 (2009-01-04) 1** Version 0.5.5 (unreleased)
2
3- Removed limits on CA certificate loading. Reported by
4 Sander Marechal and Jack Bates.
5
6** Version 0.5.4 (2009-01-04)
2 7
3- mod_gnutls.h: modified definition to extern to avoid compilation 8- mod_gnutls.h: modified definition to extern to avoid compilation
4 errors in darwin. 9 errors in darwin.
diff --git a/include/mod_gnutls.h.in b/include/mod_gnutls.h.in
index 9af95a0..ec28e07 100644
--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -79,10 +79,6 @@ typedef struct
79} mgs_dirconf_rec; 79} mgs_dirconf_rec;
80 80
81 81
82/* The maximum number of client CA certificates allowed.
83 */
84#define MAX_CA_CRTS 128
85
86/* The maximum number of certificates to send in a chain 82/* The maximum number of certificates to send in a chain
87 */ 83 */
88#define MAX_CHAIN_SIZE 8 84#define MAX_CHAIN_SIZE 8
@@ -111,7 +107,7 @@ typedef struct
111 const char* cache_config; 107 const char* cache_config;
112 const char* srp_tpasswd_file; 108 const char* srp_tpasswd_file;
113 const char* srp_tpasswd_conf_file; 109 const char* srp_tpasswd_conf_file;
114 gnutls_x509_crt_t ca_list[MAX_CA_CRTS]; 110 gnutls_x509_crt_t *ca_list;
115 gnutls_openpgp_keyring_t pgp_list; 111 gnutls_openpgp_keyring_t pgp_list;
116 unsigned int ca_list_size; 112 unsigned int ca_list_size;
117 int client_verify_mode; 113 int client_verify_mode;
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index e290d90..0a56b38 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -398,6 +398,7 @@ const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
398 return NULL; 398 return NULL;
399} 399}
400 400
401#define INIT_CA_SIZE 128
401const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, 402const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
402 const char *arg) 403 const char *arg)
403{ 404{
@@ -419,15 +420,36 @@ const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
419 "Client CA File '%s'", file); 420 "Client CA File '%s'", file);
420 } 421 }
421 422
422 sc->ca_list_size = MAX_CA_CRTS; 423 sc->ca_list_size = INIT_CA_SIZE;
424 sc->ca_list = malloc(sc->ca_list_size * sizeof(*sc->ca_list));
425 if (sc->ca_list == NULL) {
426 return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
427 }
428
423 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, 429 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
424 &data, GNUTLS_X509_FMT_PEM, 430 &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
425 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); 431 if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) {
426 if (rv < 0) { 432 return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
427 return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
428 "Client CA File '%s': (%d) %s", file, rv, 433 "Client CA File '%s': (%d) %s", file, rv,
429 gnutls_strerror(rv)); 434 gnutls_strerror(rv));
430 } 435 }
436
437 if (INIT_CA_SIZE < sc->ca_list_size) {
438 sc->ca_list = realloc(sc->ca_list, sc->ca_list_size*sizeof(*sc->ca_list));
439 if (sc->ca_list == NULL) {
440 return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
441 }
442
443 /* re-read */
444 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
445 &data, GNUTLS_X509_FMT_PEM, 0);
446
447 if (rv < 0) {
448 return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
449 "Client CA File '%s': (%d) %s", file, rv,
450 gnutls_strerror(rv));
451 }
452 }
431 453
432 apr_pool_destroy(spool); 454 apr_pool_destroy(spool);
433 return NULL; 455 return NULL;