[mod_gnutls-devel] msv_ctxt_init() cleanup
Ramkumar Chinchani
ramkumar.chinchani at gmail.com
Wed Mar 19 23:19:42 CET 2014
[removing Clint from this thread]
Here is the mod_gnutls-side patch to properly handle this.
Can be consumed now although will really take effect only after upstream
libmsv fix.
mod_gnutls no longer crashes on various related failures.
Added a "rv" fix also (feel free to change this), so that HTTP_FORBIDDEN is
returned in this case as well and the caller can decide what it needs to do
with it. Again [1] is relevant.
[1] http://lists.gnupg.org/pipermail/mod_gnutls-devel/2014-March/000054.html
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index d068ebb..dc5e98f 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1198,6 +1198,14 @@ static int mgs_cert_verify(request_rec * r,
mgs_handle_t * ctxt) {
size_t len = sizeof (cert_pem_buf);
rv = 0;
+ if (!ctx) {
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+ "MSV: Could not initialize context");
+ status = GNUTLS_CERT_INVALID;
+ rv = GNUTLS_E_MEMORY_ERROR;
+ break;
+ }
+
if (gnutls_x509_crt_export(cert.x509[0], GNUTLS_X509_FMT_PEM,
cert_pem_buf, &len) >= 0) {
/* FIXME : put together a name from the cert we received,
instead of hard-coding this value: */
q.peername = mgs_x509_construct_uid(r, cert.x509[0]);
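Review bot: In the new `if (!ctx)` branch, `rv = GNUTLS_E_MEMORY_ERROR` asserts that a NULL context always means an allocation failure, but nothing in this hunk shows why `ctx` is NULL, so the caller may be told "out of memory" for an unrelated initialization failure. Either pick an error code that does not imply a cause or add a comment stating that a NULL context can only result from a failed allocation. The message is also logged at APLOG_INFO with an "MSV:" prefix, while the neighbouring messages in this function use the "GnuTLS:" prefix. Since this path forces `status = GNUTLS_CERT_INVALID` and rejects the client, a consistent prefix and a level an administrator will see by default (for example APLOG_ERR) would make the failure easier to diagnose. It is also worth confirming that the `break` leaves through the same cleanup path as the other exits, since the check sits before the `gnutls_x509_crt_export` call and `cert.x509[0]` is already populated at this point.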
@@ -1209,6 +1217,7 @@ static int mgs_cert_verify(request_rec * r,
mgs_handle_t * ctxt) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"GnuTLS: Monkeysphere validation failed:
(message: %s)", resp->message);
status = GNUTLS_CERT_INVALID;
+ rv = GNUTLS_E_CERTIFICATE_ERROR;
} else {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"GnuTLS: Error communicating with the
Monkeysphere Validation Agent: (%d) %s", rv, msv_strerror(ctx, rv));
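Review bot: The added `rv = GNUTLS_E_CERTIFICATE_ERROR;` in the validation-failed branch stores a GnuTLS error code in the same variable that the `else` branch passes to `msv_strerror(ctx, rv)`, so `rv` now carries values from two different error-code namespaces depending on the path taken. Any later code that interprets `rv` has to know which branch ran. A separate variable for the msv return value, or a comment at the declaration of `rv` stating which codes it may hold on exit, would keep the authorization decision unambiguous. The visible part of the `else` branch only logs; if the goal is for every failure to reach the caller as a rejection, that branch needs a GnuTLS error code and `status = GNUTLS_CERT_INVALID` as well, unless the lines cut off after this hunk already set them.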
On Wed, Mar 19, 2014 at 8:41 AM, Clint Adams <clint at debian.org> wrote:
> On Tue, Mar 18, 2014 at 02:09:41PM -0700, Ramkumar Chinchani wrote:
> > Test code cleanup after recent code changes.
>
> On Tue, Mar 18, 2014 at 05:18:01PM -0400, Daniel Kahn Gillmor wrote:
> > I'm fine using this mailing list to discuss libmsv work (though if Clint
> > would prefer it happen somewhere else, i defer to his preference), but
>
> Works for me.
>
> On Tue, Mar 18, 2014 at 03:06:34PM -0700, Ramkumar Chinchani wrote:
> > The following is the final patch in the current series I am working on for
> > libmsv.
>
> Both patches applied and pushed. Thanks.
>