Blob Blame History Raw
--- neon-0.30.0/macros/neon.m4.pkcs11
+++ neon-0.30.0/macros/neon.m4
@@ -982,10 +982,11 @@
 
    # Check for functions in later releases
    NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
-                  gnutls_sign_callback_set \
                   gnutls_certificate_get_issuer \
                   gnutls_certificate_get_x509_cas \
-                  gnutls_x509_crt_sign2])
+                  gnutls_x509_crt_sign2 \
+                  gnutls_certificate_set_retrieve_function2 \
+                  gnutls_privkey_import_ext])
 
    # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)
    if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then
@@ -1039,7 +1040,7 @@
   ;;
 esac
 
-case ${with_pakchois}X${ac_cv_func_gnutls_sign_callback_set}Y${ne_cv_lib_ssl097} in
+case ${with_pakchois}X${ac_cv_func_gnutls_privkey_import_ext}Y${ne_cv_lib_ssl097} in
 noX*Y*) ;;
 *X*Yyes|*XyesY*)
     # PKCS#11... ho!
--- neon-0.30.0/src/ne_gnutls.c.pkcs11
+++ neon-0.30.0/src/ne_gnutls.c
@@ -89,6 +89,13 @@
     ne_ssl_certificate cert;
     gnutls_x509_privkey_t pkey;
     char *friendly_name;
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
+    /* Signing callback & userdata provided by ne_pkcs11.c.  It would
+     * be better to rewrite the whole module to use gnutls_privkey_t
+     * directly, but it seems impossible to dup such an object. */
+    gnutls_privkey_sign_func sign_func;
+    void *sign_ud;
+#endif
 };
 
 /* Returns the highest used index in subject (or issuer) DN of
@@ -189,7 +196,7 @@
 char *ne_ssl_readable_dname(const ne_ssl_dname *name)
 {
     gnutls_x509_dn_t dn;
-    int ret, rdn = 0, flag = 0;
+    int ret, rdn = 0;
     ne_buffer *buf;
     gnutls_x509_ava_st val;
 
@@ -227,7 +234,6 @@
                 && ((!CMPOID(&val, OID_emailAddress)
                      && !CMPOID(&val, OID_commonName))
                     || (buf->used == 1 && rdn == 0))) {
-                flag = 1;
                 if (buf->used > 1) ne_buffer_append(buf, ", ", 2);
 
                 append_dirstring(buf, &val.value, val.value_tag);
@@ -526,6 +532,10 @@
     
     if (cc->keyless) {
         newcc->keyless = 1;
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
+        newcc->sign_func = cc->sign_func;
+        newcc->sign_ud = cc->sign_ud;
+#endif
     }
     else {
         ret = gnutls_x509_privkey_init(&newcc->pkey);
@@ -554,7 +564,15 @@
 static int provide_client_cert(gnutls_session_t session,
                                const gnutls_datum_t *req_ca_rdn, int nreqs,
                                const gnutls_pk_algorithm_t *sign_algos,
-                               int sign_algos_length, gnutls_retr_st *st)
+                               int sign_algos_length, 
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
+                               gnutls_pcert_st **pcert, 
+                               unsigned int *pcert_length, 
+                               gnutls_privkey_t *pkey
+#else
+                               gnutls_retr2_st *st
+#endif
+    )
 {
     ne_session *sess = gnutls_session_get_ptr(session);
     
@@ -612,27 +630,58 @@
     if (sess->client_cert) {
         gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
         if (type == GNUTLS_CRT_X509
-#if LIBGNUTLS_VERSION_NUMBER > 0x030000
-            /* Ugly hack; prevent segfaults w/GnuTLS 3.0. */
-            && sess->client_cert->pkey != NULL
+            && (sess->client_cert->pkey || sess->client_cert->keyless)) {
+            int ret;
+
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
+            gnutls_privkey_init(pkey);
+
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
+            if (sess->client_cert->sign_func) {
+                int algo = gnutls_x509_crt_get_pk_algorithm(sess->client_cert->cert.subject, NULL);
+                NE_DEBUG(NE_DBG_SSL, "ssl: Signing for %s.\n", gnutls_pk_algorithm_get_name(algo));
+                         
+                ret = gnutls_privkey_import_ext(*pkey, algo, sess->client_cert->sign_ud,
+                                                sess->client_cert->sign_func, NULL, 0);
+            }
+            else
 #endif
-            ) {
-            NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n");
+            if (sess->client_cert->keyless) {
+                ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
+            }
+            else {
+                ret = gnutls_privkey_import_x509(*pkey, sess->client_cert->pkey, 0);
+            }
 
-            st->type = type;
+            if (ret) {
+                NE_DEBUG(NE_DBG_SSL, "ssl: Failed to import private key: %s.\n", gnutls_strerror(ret));
+                ne_set_error(sess, _("Failed to import private key: %s"), gnutls_strerror(ret));
+                return ret;
+            }
+            
+            *pcert = gnutls_calloc(1, sizeof **pcert);
+            gnutls_pcert_import_x509(*pcert, sess->client_cert->cert.subject, 0);
+            *pcert_length = 1;
+#else /* !HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 */
+            st->cert_type = type;
             st->ncerts = 1;
             st->cert.x509 = &sess->client_cert->cert.subject;
             st->key.x509 = sess->client_cert->pkey;
             
             /* tell GNU TLS not to deallocate the certs. */
             st->deinit_all = 0;
+#endif
         } else {
             return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
         }
     } 
     else {
-        NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n");
+        NE_DEBUG(NE_DBG_SSL, "ssl: No client certificate supplied.\n");
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
+        *pcert_length = 0;
+#else        
         st->ncerts = 0;
+#endif
         sess->ssl_cc_requested = 1;
         return 0;
     }
@@ -650,8 +699,12 @@
     ne_ssl_context *ctx = ne_calloc(sizeof *ctx);
     gnutls_certificate_allocate_credentials(&ctx->cred);
     if (flags == NE_SSL_CTX_CLIENT) {
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
+        gnutls_certificate_set_retrieve_function2(ctx->cred, provide_client_cert);
+#else
         gnutls_certificate_client_set_retrieve_function(ctx->cred,
                                                         provide_client_cert);
+#endif
     }
     gnutls_certificate_set_verify_flags(ctx->cred, 
                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
@@ -694,7 +747,11 @@
 {
     gnutls_certificate_free_credentials(ctx->cred);
     if (ctx->cache.client.data) {
+#if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
+        gnutls_free(ctx->cache.client.data);
+#else
         ne_free(ctx->cache.client.data);
+#endif
     } else if (ctx->cache.server.key.data) {
         gnutls_free(ctx->cache.server.key.data);
         gnutls_free(ctx->cache.server.data.data);
@@ -1164,7 +1221,9 @@
     gnutls_x509_crt_t cert = NULL;
     gnutls_x509_privkey_t pkey = NULL;
 
-    data.data = buffer;
+    /* The datum structure is not modified by gnutls_pkcs12_import,
+     * cast safely: */
+    data.data = (unsigned char *)buffer;
     data.size = buflen;
 
     if (gnutls_pkcs12_init(&p12) != 0) {
@@ -1201,8 +1260,10 @@
     }
 }
 
-ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der,
-                                                 size_t der_len)
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
+ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len,
+                                                 gnutls_privkey_sign_func sign_func,
+                                                 void *userdata)
 {
     ne_ssl_client_cert *cc;
     gnutls_x509_crt_t x5;
@@ -1221,9 +1282,12 @@
     cc->keyless = 1;
     cc->decrypted = 1;
     populate_cert(&cc->cert, x5);
+    cc->sign_func = sign_func;
+    cc->sign_ud = userdata;
 
-    return cc;    
+    return cc;
 }
+#endif
 
 int ne_ssl_clicert_encrypted(const ne_ssl_client_cert *cc)
 {
--- neon-0.30.0/src/ne_pkcs11.c.pkcs11
+++ neon-0.30.0/src/ne_pkcs11.c
@@ -160,6 +160,13 @@
 }
 #endif
 
+#ifdef HAVE_GNUTLS
+static int pk11_sign_callback(gnutls_privkey_t pkey,
+                              void *userdata,
+                              const gnutls_datum_t *raw_data,
+                              gnutls_datum_t *signature);
+#endif
+
 static int pk11_find_x509(ne_ssl_pkcs11_provider *prov,
                           pakchois_session_t *pks, 
                           unsigned char *certid, unsigned long *cid_len)
@@ -207,9 +214,9 @@
             ne_ssl_client_cert *cc;
             
 #ifdef HAVE_GNUTLS
-            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len);
+            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_sign_callback, prov);
 #else
-            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_rsa_method(prov));
+            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, prov->method);
 #endif
             if (cc) {
                 NE_DEBUG(NE_DBG_SSL, "pk11: Imported X.509 cert.\n");
@@ -302,10 +309,8 @@
 #ifdef HAVE_GNUTLS
 /* Callback invoked by GnuTLS to provide the signature.  The signature
  * operation is handled here by the PKCS#11 provider.  */
-static int pk11_sign_callback(gnutls_session_t session,
+static int pk11_sign_callback(gnutls_privkey_t pkey,
                               void *userdata,
-                              gnutls_certificate_type_t cert_type,
-                              const gnutls_datum_t *cert,
                               const gnutls_datum_t *hash,
                               gnutls_datum_t *signature)
 {
@@ -575,11 +580,6 @@
 void ne_ssl_set_pkcs11_provider(ne_session *sess, 
                                 ne_ssl_pkcs11_provider *provider)
 {
-#ifdef HAVE_GNUTLS
-    sess->ssl_context->sign_func = pk11_sign_callback;
-    sess->ssl_context->sign_data = provider;
-#endif
-
     ne_ssl_provide_clicert(sess, pk11_provide, provider);
 }
 
--- neon-0.30.0/src/ne_privssl.h.pkcs11
+++ neon-0.30.0/src/ne_privssl.h
@@ -58,6 +58,10 @@
 
 #include <gnutls/gnutls.h>
 
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
+#include <gnutls/abstract.h>
+#endif
+
 struct ne_ssl_context_s {
     gnutls_certificate_credentials_t cred;
     int verify; /* non-zero if client cert verification required */
@@ -78,17 +82,13 @@
         } client;
 #endif
     } cache;
-
-#ifdef HAVE_GNUTLS_SIGN_CALLBACK_SET
-    gnutls_sign_func sign_func;
-    void *sign_data;
-#endif
 };
 
 typedef gnutls_session_t ne_ssl_socket;
 
 NE_PRIVATE ne_ssl_client_cert *
-ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len);
+ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len,
+                             gnutls_privkey_sign_func sign_func, void *userdata);
 
 #endif /* HAVE_GNUTLS */