[mod_gnutls-devel] GnuTLSPGPKeyringFile?
Ramkumar Chinchani
ramkumar.chinchani at gmail.com
Fri Mar 14 08:04:14 CET 2014
mod_gnutls-side fix.
This can be consumed now but won't really be effective until a future
gnutls stable release containing the silent-failure fix.
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index 3300854..8bae9ec 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -508,12 +508,18 @@ const char *mgs_set_keyring_file(cmd_parms * parms,
void *dummy,
gnutls_strerror(rv));
}
+ /* first attempt loading in base64 format */
rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
GNUTLS_OPENPGP_FMT_BASE64);
if (rv < 0) {
- return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
- "Keyring File '%s': (%d) %s", file, rv,
- gnutls_strerror(rv));
+ /* next try raw format */
+ rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
+ GNUTLS_OPENPGP_FMT_RAW);
+ if (rv < 0) {
+ return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+ "Keyring File '%s': (%d) %s", file, rv,
+ gnutls_strerror(rv));
+ }
}
apr_pool_destroy(spool);
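Review bot: when both imports fail, the message built at the inner `if (rv < 0)` reports only the raw-format `rv`, so a user whose armored keyring is merely malformed is told about the raw attempt rather than the base64 one. Suggest saving the first result before the fallback and naming both in the error, e.g. `"GnuTLS: Failed to load Keyring File '%s': base64 (%d) %s, raw (%d) %s"`. It is also worth a comment (or a check against the GnuTLS documentation) that a failed `gnutls_openpgp_keyring_import()` leaves `sc->pgp_list` in a state where a second import into the same object is safe; as the cover note says, the fallback only ever runs once the base64 import stops succeeding silently.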
On Thu, Mar 6, 2014 at 11:34 PM, Ramkumar Chinchani <
ramkumar.chinchani at gmail.com> wrote:
> FYI.
>
> Suggested a patch upstream [1] which should make this happen.
>
> [1] http://lists.gnutls.org/pipermail/gnutls-devel/2014-March/006803.html
>
>
>
> On Sun, Mar 2, 2014 at 8:25 AM, Ramkumar Chinchani <
> ramkumar.chinchani at gmail.com> wrote:
>
>> Hi Benny,
>>
>> Thanks for the code review.
>>
>> The problem is that in the following code snippet in the function
>> gnutls_openpgp_keyring_import()
>>
>> do
>>   {
>>     err = cdk_stream_read (input, raw_data + written, raw_len - written);
>>
>>     if (err > 0)
>>       written += err;
>>   }
>> while (written < raw_len && err != EOF && err > 0);
>>
>>
>> "err" comes back as EOF in the very first iteration because of the incorrect
>> armor (base64 vs raw), and this failure appears to be silent, so there is no
>> way of detecting the failure in the caller and trying a different armor.
>>
>>
>>
>>
>> On Thu, Feb 27, 2014 at 8:11 AM, Benny Baumann <BenBE at geshi.org> wrote:
>>
>>> Hi,
>>>
>>> Am 27.02.2014 08:35, schrieb Ramkumar Chinchani:
>>> > Is there a way to export the entire keyring, in base64 format?
>>> gnupg exports all matching keys when given the --export option. Haven't
>>> checked yet, though, how to export the full keyring at once.
>>> >
>>> > If not, then I am likely pointing GnuTLSPGPKeyringFile to
>>> > ${HOME}/.gnupg/pubring.gpg which should be in RAW format?
>>> >
>>> >
>>> > diff --git a/src/gnutls_config.c b/src/gnutls_config.c
>>> > index 3300854..6b672f5 100644
>>> > --- a/src/gnutls_config.c
>>> > +++ b/src/gnutls_config.c
>>> > @@ -509,7 +509,7 @@ const char *mgs_set_keyring_file(cmd_parms *
>>> > parms, void *dummy,
>>> > }
>>> >
>>> > rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
>>> > - GNUTLS_OPENPGP_FMT_BASE64);
>>> > + GNUTLS_OPENPGP_FMT_RAW);
>>> > if (rv < 0) {
>>> > return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
>>> > "Keyring File '%s': (%d) %s", file, rv,
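Review bot: existing configurations that point GnuTLSPGPKeyringFile at an armored (base64) export stop loading once this lands, because the only import attempt now passes GNUTLS_OPENPGP_FMT_RAW. Suggest keeping the base64 attempt and trying GNUTLS_OPENPGP_FMT_RAW only when it fails, and extending the "Failed to load Keyring File" message to say which format was tried, so an operator can tell a wrong-armor file from a corrupt one.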
>>> >
>>> >
>>> I'd prefer if the old behaviour stays and it additionally allows for
>>> binary keyrings to be loaded. That way you won't offend existing users
>>> of this feature.
>>>
>>> Regards,
>>> BenBE.
>>>
>>>
>>
>
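The thread above describes two things at once: the read loop in gnutls_openpgp_keyring_import() that hits EOF on the first iteration for a wrongly armored keyring without signalling an error, and the mod_gnutls fallback that can only work once that error is surfaced. The following C program is an added example, not code from mod_gnutls or GnuTLS; the memory-backed stream, the two import variants and the sample keyring bytes are constructed stand-ins for the real cdk stream and import routine, and the stand-in's behaviour on a format mismatch (EOF at once) is a modelling assumption. It shows the silent loop settling on base64 for a binary keyring, so the fallback never runs, and the checked variant falling through to raw, with both error codes kept when neither format loads.

```c
/* Added example, not mod_gnutls or GnuTLS code. A memory-backed stand-in for
 * cdk_stream_read() models the thread's two points without GnuTLS: a read loop
 * that stops on EOF without reporting the byte count turns a wrong-format
 * keyring into a "successful" empty import, and the base64-then-raw fallback
 * only works once that failure is actually reported. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum keyring_fmt { FMT_BASE64, FMT_RAW };

/* Constructed stream (modelling assumption): yields its bytes only when read in
 * the format they are actually in, otherwise EOF on the very first read. */
struct mem_stream { const unsigned char *buf; size_t len, pos; enum keyring_fmt actual, requested; };

static int stream_read(struct mem_stream *s, unsigned char *out, size_t want)
{
    if (s->actual != s->requested || s->pos >= s->len)
        return EOF;
    size_t n = s->len - s->pos < want ? s->len - s->pos : want;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* The loop quoted from gnutls_openpgp_keyring_import(): leaves on EOF or error
 * and only hands back how much it accumulated. */
static size_t read_loop(struct mem_stream *s, unsigned char *raw, size_t raw_len)
{
    size_t written = 0;
    int err;
    do {
        err = stream_read(s, raw + written, raw_len - written);
        if (err > 0)
            written += (size_t)err;
    } while (written < raw_len && err != EOF && err > 0);
    return written;
}

/* Silent import: the byte count is ignored, so zero bytes read is "success". */
static int import_silent(struct mem_stream *s, enum keyring_fmt fmt,
                         unsigned char *raw, size_t raw_len)
{
    s->pos = 0; s->requested = fmt;
    (void)read_loop(s, raw, raw_len);
    return 0;
}

/* Checked import: an empty or short read is surfaced to the caller. */
static int import_checked(struct mem_stream *s, enum keyring_fmt fmt,
                          unsigned char *raw, size_t raw_len)
{
    s->pos = 0; s->requested = fmt;
    return (raw_len > 0 && read_loop(s, raw, raw_len) == raw_len) ? 0 : -1;
}

typedef int (*import_fn)(struct mem_stream *, enum keyring_fmt, unsigned char *, size_t);

/* The patch's strategy: base64 first, raw as fallback. Returns the format that
 * loaded, or -1 with both error codes in errbuf. */
static int load_keyring(import_fn import, struct mem_stream *s, unsigned char *raw,
                        size_t raw_len, char *errbuf, size_t errlen)
{
    int rv64 = import(s, FMT_BASE64, raw, raw_len);
    if (rv64 == 0)
        return FMT_BASE64;
    int rvraw = import(s, FMT_RAW, raw, raw_len);
    if (rvraw == 0)
        return FMT_RAW;
    snprintf(errbuf, errlen, "Failed to load keyring: base64 (%d), raw (%d)", rv64, rvraw);
    return -1;
}

/* Constructed bytes standing in for a binary keyring such as pubring.gpg. */
static const unsigned char sample_raw[] = { 0x99, 0x01, 0x0d, 0x04, 0x53, 0x20 };

/* Which format does each import variant settle on for the raw sample? */
static int detect_with(import_fn import)
{
    struct mem_stream s = { sample_raw, sizeof sample_raw, 0, FMT_RAW, FMT_RAW };
    unsigned char raw[sizeof sample_raw];
    char err[128] = "";
    return load_keyring(import, &s, raw, sizeof raw, err, sizeof err);
}

/* An empty file must fail both attempts and yield the combined message. */
static int empty_file_is_rejected(void)
{
    struct mem_stream s = { sample_raw, 0, 0, FMT_RAW, FMT_RAW };
    unsigned char raw[1];
    char err[128] = "";
    return load_keyring(import_checked, &s, raw, 0, err, sizeof err) == -1
           && strncmp(err, "Failed to load keyring", 22) == 0;
}

int main(void)
{
    printf("silent import settles on %d (0 = base64, wrong)\n", detect_with(import_silent));
    printf("checked import settles on %d (1 = raw)\n", detect_with(import_checked));
    printf("empty file rejected: %d\n", empty_file_is_rejected());
    return 0;
}
```

Compiled with any C99 compiler, the program prints the format each variant settles on for the binary sample: the silent loop reports base64 and the fallback is never reached, while the checked variant rejects base64 and loads the keyring as raw.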