[mod_gnutls-devel] mgs_hook_authz() handling of return values from mgs_cert_verify()?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 14 22:28:34 CET 2014


On 03/14/2014 02:58 AM, Ramkumar Chinchani wrote:
> When GnuTLSClientVerify method is set to cartel or msva, mgs_cert_verify()
> correctly returns HTTP_FORBIDDEN when verification fails.
> 
> However, when GnuTLSClientVerify is set to "require" at server-level and
> not at directory-level, mgs_hook_authz() doesn't seem to honor the return
> code properly for this case.
> 
> Kindly review the following patch.
> 
> diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
> index d068ebb..5bfc2b6 100644
> --- a/src/gnutls_hooks.c
> +++ b/src/gnutls_hooks.c
> @@ -878,7 +878,8 @@ int mgs_hook_authz(request_rec * r) {
>          rv = mgs_cert_verify(r, ctxt);
>          if (rv != DECLINED &&
>                  (rv != HTTP_FORBIDDEN ||
> -                dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
> +                dc->client_verify_mode == GNUTLS_CERT_REQUIRE ||
> +                ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
>              return rv;
>          }
>      }
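
Review bot: The added `ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE` clause in the `if` that follows `mgs_cert_verify()` makes a server-level "require" return HTTP_FORBIDDEN no matter what `dc->client_verify_mode` holds, so a directory-level setting can no longer relax the server-level one. If that precedence is intended, state it in a comment above the condition; if a directory-level value is meant to override, consult the server-level mode only when the directory-level mode has not been set. The condition now has three clauses and would also benefit from a one-line comment saying that a failed verification is fatal only when either level requires a client certificate.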


Thanks, Ramkumar!  It sounds like you've got a couple test cases in mind
for this.  Can you add new test cases to avoid this kind of breakage in
the future?  It seems funny to introduce two test cases to verify a
3-line patch, but they should help us avoid seeing this problem crop up
again in the future.

	--dkg
