properly call gnutls_x509_crt_list_import

the [manpage][] says:

>  unsigned int * cert_max
>      Initially must hold the maximum number of certs. It will be updated
>      with the number of certs available.

ratbox doesn't actually initialize that variable, so gnutls naturally
fails. i would also recommend considering dynamically allocating the
cert list to deal with that error in other ways than failing to
configured SSL completely in GnuTLS. the apache gnutls module has a
similar problem and came up with a [patch][] to do exactly this which
you may want to consider.

but since our cert chain is only (!) 5 certs long, our itched is
scratch by this particular patch.

[manpage]: https://manpages.debian.org/jessie/gnutls-doc/gnutls_x509_crt_list_import.3.en.html
[patch]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573#35
This commit is contained in:
Antoine Beaupré 2017-02-28 17:36:56 -05:00
parent 9bd8c1c0dc
commit 9f21f1b353
No known key found for this signature in database
GPG key ID: 792152527B75921E

View file

@ -540,6 +540,7 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
rb_free_datum_t(d_key); rb_free_datum_t(d_key);
return 0; return 0;
} }
client_cert_count = MAX_CERTS;
if((ret = gnutls_x509_crt_list_import(client_cert, &client_cert_count, d_cert, GNUTLS_X509_FMT_PEM, if((ret = gnutls_x509_crt_list_import(client_cert, &client_cert_count, d_cert, GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 1) GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 1)
{ {