about summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2020-07-28 15:12:49 -0400
committerJune McEnroe <june@causal.agency>2020-07-31 12:12:53 -0400
commit7dc5c64f767f10e5b466e9d44c6e2439f40ef15c (patch)
tree4b6f73cd00287a683efee695ab00d14ef6575556
parenttls: Implement use_certificate_chain_mem (diff)
downloadlibretls-7dc5c64f767f10e5b466e9d44c6e2439f40ef15c.tar.gz
libretls-7dc5c64f767f10e5b466e9d44c6e2439f40ef15c.zip
tls: Implement load_verify_mem
Based on crypto/x509/by_mem.c
Diffstat
-rw-r--r--tls.c44
1 files changed, 43 insertions, 1 deletions
diff --git a/tls.c b/tls.c
index 9e5a58d..90458c4 100644
--- a/tls.c
+++ b/tls.c
@@ -543,6 +543,48 @@ tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
 	return (0);
 }
 
+static int
+load_verify_mem(SSL_CTX *ctx, void *buf, int len)
+{
+	X509_STORE *store;
+	BIO *in = NULL;
+	STACK_OF(X509_INFO) *inf = NULL;
+	X509_INFO *itmp;
+	int i, count = 0, ok = 0;
+
+	store = SSL_CTX_get_cert_store(ctx);
+
+	if ((in = BIO_new_mem_buf(buf, len)) == NULL)
+		goto done;
+
+	if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
+		goto done;
+
+	for (i = 0; i < sk_X509_INFO_num(inf); i++) {
+		itmp = sk_X509_INFO_value(inf, i);
+		if (itmp->x509) {
+			if ((ok = X509_STORE_add_cert(store, itmp->x509)) == 0)
+				goto done;
+			count++;
+		}
+		if (itmp->crl) {
+			if ((ok = X509_STORE_add_crl(store, itmp->crl)) == 0)
+				goto done;
+			count++;
+		}
+	}
+
+	ok = count != 0;
+ done:
+	if (count == 0)
+		X509err(0xfff, ERR_R_PEM_LIB);
+	if (inf != NULL)
+		sk_X509_INFO_pop_free(inf, X509_INFO_free);
+	if (in != NULL)
+		BIO_free(in);
+	return (ok);
+}
+
 int
 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
@@ -580,7 +622,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 			tls_set_errorx(ctx, "ca too long");
 			goto err;
 		}
-		if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
+		if (load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
 			tls_set_errorx(ctx, "ssl verify memory setup failure");
 			goto err;
 		}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-20 11:47:58 +0000
nput_id.c?id=bcfce235> you'll see that if you reload the page a few times, a bunch of times the diffstat comes out with no lines being shown or changed. I'm not currently sure what the cause of this is, but I suspect it might have to do with this uninitialized data. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-02-05gen-version.sh: check if git is available before trying to call itFabien C Some people may clone the cgit repository and compile within a sandbox or on another machine where git is not necessarily installed. When it happens, cgit is getting compiled with an empty version number. This commit fixes this. 2014-01-23simple-authentication: styleJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-22makefile: use LUA_PKGCONFIG to set Lua implementationNatanael Copa This breaks compat with the previous LUA_IMPLEMENTATION but gives more flexibility in that user can specify the pkg-config package name directly. Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> 2014-01-20tests: only do lua tests if lua is compiled-inJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-20cgit: add --version argument for printing infoJason A. Donenfeld We need this to do runtime tests for make test. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-19cache: use sendfile() instead of a pair of read() + write()Sebastian Andrzej Siewior sendfile() does the same job and avoids to copy the content into userland and back. One has to define NO_SENDFILE in case the OS (kernel / libc) does not supported. It is disabled by default on non-linux environemnts. According to the glibc, sendfile64() was added in Linux 2.4 (so it has been there for a while) but after browsing over the mapage of FreeBSD's I noticed that the prototype is little different. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> 2014-01-19README: document pkg-config for luajitJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17makefile: bump versionJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17mailmap: source before lighttpdJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17ui-shared: do not allow negative minutesJason A. Donenfeld Do to timestamp differences, sometimes cgit would should "-0 min", which doesn't make any sense. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17auth: document tweakables in lua scriptJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17repolist: make owner clickable to searchJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17ui-shared: move about tab all the way to the leftJason A. Donenfeld There were no objections (at the time of committing this): http://lists.zx2c4.com/pipermail/cgit/2013-May/001393.html http://lists.zx2c4.com/pipermail/cgit/2014-January/001904.html Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17filter: don't forget to reap the auth filterJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17cgit.c: free tmp variableJason A. Donenfeld Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-17Switch to exclusively using global ctxLukas Fleischer Drop the context parameter from the following functions (and all static helpers used by them) and use the global context instead: * cgit_print_http_headers() * cgit_print_docstart() * cgit_print_pageheader() Remove context parameter from all commands Drop the context parameter from the following functions (and all static helpers used by them) and use the global context instead: * cgit_get_cmd() * All cgit command functions. * cgit_clone_info() * cgit_clone_objects() * cgit_clone_head() * cgit_print_plain() * cgit_show_stats() In initialization routines, use the global context variable instead of passing a pointer around locally. Remove callback data parameter for cache slots This is no longer needed since the context is always read from the global context variable. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de> 2014-01-16auth: have cgit calculate login addressJason A. Donenfeld This way we're sure to use virtual root, or any other strangeness encountered. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-16auth: lua string comparisons are time invariantJason A. Donenfeld By default, strings are compared by hash, so we can remove this comment. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-16authentication: use hidden form instead of refererJason A. Donenfeld This also gives us some CSRF protection. Note that we make use of the hmac to protect the redirect value. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-16auth: add basic authentication filter frameworkJason A. Donenfeld This leverages the new lua support. See filters/simple-authentication.lua for explaination of how this works. There is also additional documentation in cgitrc.5.txt. Though this is a cookie-based approach, cgit's caching mechanism is preserved for authenticated pages. Very plugable and extendable depending on user needs. The sample script uses an HMAC-SHA1 based cookie to store the currently logged in user, with an expiration date. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2014-01-16t0111: Additions and fixesLukas Fleischer * Rename the capitalize-* filters to dump.* since they also dump the arguments. * Add full argument validation to the email filters. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de> 2014-01-16parsing.c: Remove leading space from committerLukas Fleischer