On Sat, 2013-11-09 at 23:10 +0100, Nikos Mavrogiannopoulos wrote:
> Ok, it seems I've managed to implement it. If you're using
> gnutls_certificate_set_x509_key_file() ...
We're not. I think this ought to work though... ?
diff --git a/configure.ac b/configure.ac
index 357b001..72012b2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -254,6 +254,8 @@ if test "$with_gnutls" = "yes"; then
CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
AC_CHECK_FUNC(gnutls_dtls_set_data_mtu,
[AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1)], [])
+ AC_CHECK_FUNC(gnutls_pkcs11_get_raw_issuer,
+ [AC_DEFINE(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER, 1)], [])
AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
[AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], [])
if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" != "yes"; then
diff --git a/gnutls.c b/gnutls.c
index 2b3b45f..e57fbd6 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -397,7 +397,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
}
/* Older versions of GnuTLS didn't actually bother to check this, so we'll
- do it for them. */
+ do it for them. Is there a bug reference for this? Or just the git commit
+ reference (c1ef7efb in master, 5196786c in gnutls_3_0_x-2)? */
static int check_issuer_sanity(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
{
#if GNUTLS_VERSION_NUMBER > 0x300014
@@ -1460,21 +1461,37 @@ static int load_certificate(struct openconnect_info *vpninfo)
/* Look for it in the system trust cafile too. */
err = gnutls_certificate_get_issuer(vpninfo->https_cred,
last_cert, &issuer, 0);
- if (err)
- break;
-
/* The check_issuer_sanity() function works fine as a workaround where
it was used above, but when gnutls_certificate_get_issuer() returns
a bogus cert, there's nothing we can do to fix it up. We don't get
to iterate over all the available certs like we can over our own
list. */
- if (check_issuer_sanity(last_cert, issuer)) {
- /* Hm, is there a bug reference for this? Or just the git commit
- reference (c1ef7efb in master, 5196786c in gnutls_3_0_x-2)? */
+ if (!err && check_issuer_sanity(last_cert, issuer)) {
+ gnutls_x509_crt_deinit(issuer);
vpn_progress(vpninfo, PRG_ERR,
_("WARNING: GnuTLS returned incorrect issuer certs; authentication may fail!\n"));
- break;
+ err = GNUTLS_E_INTERNAL_ERROR;
}
+
+#if defined(HAVE_P11KIT) && defined(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER)
+ if (err && cert_is_p11) {
+ gnutls_datum_t t;
+
+ err = gnutls_pkcs11_get_raw_issuer(cert_url, &t, GNUTLS_X509_FMT_DER, 0);
+ if (!err) {
+ err = gnutls_x509_crt_init(&issuer);
+ if (!err) {
+ err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+ if (err)
+ gnutls_x509_crt_deinit(issuer);
+ }
+ }
+ gnutls_free(t.data);
+ }
+#endif
+ if (err)
+ break;
+
}
if (issuer == last_cert) {
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131115/c4099292/attachment-0001.bin>
