- Timestamp:
- Feb 23, 2014, 1:05:31 PM (8 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream
- Children:
- 765cac2
- Parents:
- 999cdec
- Location:
- src
- Files:
-
- 3 edited
src/gnutls_config.c
r999cdec r2aaf4f5 19 19 20 20 #include "mod_gnutls.h" 21 #include "apr_lib.h" 21 22 22 23 #ifdef APLOG_USE_MODULE … … 554 555 } 555 556 556 const char *mgs_set_export_certificates_ enabled(cmd_parms * parms, void *dummy, const char *arg) {557 const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, const char *arg) { 557 558 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 558 559 if (!strcasecmp(arg, "On")) { 559 sc->export_certificates_ enabled = GNUTLS_ENABLED_TRUE;560 sc->export_certificates_size = 16 * 1024; 560 561 } else if (!strcasecmp(arg, "Off")) { 561 sc->export_certificates_ enabled = GNUTLS_ENABLED_FALSE;562 sc->export_certificates_size = 0; 562 563 } else { 563 return 564 "GnuTLSExportCertificates must be set to 'On' or 'Off'"; 564 char* endptr; 565 sc->export_certificates_size = strtol(arg, &endptr, 10); 566 while (apr_isspace(*endptr)) endptr++; 567 if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') { 568 ; 569 } else if (*endptr == 'k' || *endptr == 'K') { 570 sc->export_certificates_size *= 1024; 571 } else { 572 return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'"; 573 } 565 574 } 566 575 … … 638 647 sc->dh_params = NULL; 639 648 sc->proxy_enabled = GNUTLS_ENABLED_UNSET; 640 sc->export_certificates_ enabled = GNUTLS_ENABLED_UNSET;649 sc->export_certificates_size = -1; 641 650 sc->client_verify_method = mgs_cvm_unset; 642 651 … … 667 676 gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET); 668 677 gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET); 669 gnutls_srvconf_merge(export_certificates_ enabled, GNUTLS_ENABLED_UNSET);678 gnutls_srvconf_merge(export_certificates_size, -1); 670 679 gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset); 671 680 gnutls_srvconf_merge(client_verify_mode, -1); -
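Review bot: The numeric branch of mgs_set_export_certificates_size never tests strtol's no-conversion result (endptr == arg), so a value of `k` or `b` parses as 0 and silently disables export, and a negative value such as `-1` is stored unchanged and then collides with the -1 "unset" sentinel used by gnutls_srvconf_merge(export_certificates_size, -1) here and by the `< 0` default in gnutls_hooks.c, making a per-vhost `-1` mean "inherit" instead of being rejected. Add directly after the strtol call `if (endptr == arg || sc->export_certificates_size < 0) return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";`. strtol returns a long and the `k` branch multiplies by 1024 afterwards, so if the struct field is narrower than long (its declaration is not in this changeset) an oversized value can wrap; an explicit upper bound on the parsed value would close that. The function's final return is outside the hunk.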
src/gnutls_hooks.c
r999cdec r2aaf4f5 43 43 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); 44 44 /* use side==0 for server and side==1 for client */ 45 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_ full_cert);46 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_ full_cert);45 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_cert_size); 46 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_cert_size); 47 47 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert); 48 48 static int mgs_status_hook(request_rec *r, int flags); … … 373 373 if (sc->tickets == GNUTLS_ENABLED_UNSET) 374 374 sc->tickets = GNUTLS_ENABLED_TRUE; 375 if (sc->export_certificates_ enabled == GNUTLS_ENABLED_UNSET)376 sc->export_certificates_ enabled = GNUTLS_ENABLED_FALSE;375 if (sc->export_certificates_size < 0) 376 sc->export_certificates_size = 0; 377 377 if (sc->client_verify_mode == -1) 378 378 sc->client_verify_mode = GNUTLS_CERT_IGNORE; … … 818 818 819 819 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) { 820 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_ enabled);820 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_size); 821 821 } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) { 822 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_ enabled);822 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_size); 823 823 } 824 824 … … 894 894 /* @param side is either 0 for SERVER or 1 for CLIENT 895 895 * 896 * @param export_ full_cert (boolean) export the PEM-encoded897 * certificate in full as an environment variable.896 * @param export_cert_size (int) maximum 
size for environment variable 897 * to use for the PEM-encoded certificate (0 means do not export) 898 898 */ 899 899 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") 900 900 901 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_ full_cert) {901 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_cert_size) { 902 902 unsigned char sbuf[64]; /* buffer to hold serials */ 903 903 char buf[AP_IOBUFSIZE]; … … 913 913 914 914 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 915 if (export_full_cert != 0) { 916 char cert_buf[10 * 1024]; 917 len = sizeof (cert_buf); 918 919 if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) 920 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 921 apr_pstrmemdup(r->pool, cert_buf, len)); 922 else 923 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 924 "GnuTLS: Failed to export X.509 certificate to environment"); 915 if (export_cert_size > 0) { 916 len = 0; 917 ret = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, NULL, &len); 918 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { 919 if (len >= export_cert_size) { 920 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 921 "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"); 922 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 923 "GnuTLS: Failed to export too-large X.509 certificate to environment"); 924 } else { 925 char* cert_buf = apr_palloc(r->pool, len + 1); 926 if (cert_buf != NULL && gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) { 927 cert_buf[len] = 0; 928 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), cert_buf); 929 } else { 930 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 931 "GnuTLS: failed to export X.509 certificate"); 932 } 933 } 934 } else { 935 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 936 "GnuTLS: dazed and confused about X.509 certificate size"); 937 } 925 938 } 926 939 … … 
1037 1050 /* @param side 0: server, 1: client 1038 1051 * 1039 * @param export_ full_cert (boolean) export the PEM-encoded1040 * certificate in full as an environment variable.1052 * @param export_cert_size (int) maximum size for environment variable 1053 * to use for the PEM-encoded certificate (0 means do not export) 1041 1054 */ 1042 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_ full_cert) {1055 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_cert_size) { 1043 1056 1044 1057 unsigned char sbuf[64]; /* buffer to hold serials */ … … 1054 1067 apr_table_t *env = r->subprocess_env; 1055 1068 1056 if (export_full_cert != 0) { 1057 char cert_buf[10 * 1024]; 1058 len = sizeof (cert_buf); 1059 1060 if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) 1061 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 1062 apr_pstrmemdup(r->pool, cert_buf, len)); 1063 else 1064 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1065 "GnuTLS: Failed to export OpenPGP certificate to environment"); 1069 if (export_cert_size > 0) { 1070 len = 0; 1071 ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len); 1072 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { 1073 if (len >= export_cert_size) { 1074 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 1075 "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED"); 1076 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1077 "GnuTLS: Failed to export too-large OpenPGP certificate to environment"); 1078 } else { 1079 char* cert_buf = apr_palloc(r->pool, len + 1); 1080 if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) { 1081 cert_buf[len] = 0; 1082 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), cert_buf); 1083 } else { 1084 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 1085 "GnuTLS: failed to export 
OpenPGP certificate"); 1086 } 1087 } 1088 } else { 1089 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 1090 "GnuTLS: dazed and confused about OpenPGP certificate size"); 1091 } 1066 1092 } 1067 1093 … … 1328 1354 1329 1355 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) 1330 mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_ enabled);1356 mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size); 1331 1357 else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) 1332 mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_ enabled);1358 mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size); 1333 1359 1334 1360 { -
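Review bot: In mgs_add_common_cert_vars the limit check `if (len >= export_cert_size)` rejects a certificate whose PEM encoding is exactly export_cert_size bytes although the buffer is allocated as len + 1, while the new @param comment only says "maximum size"; either use `>` or make the bound explicit in the comment, e.g. `* to use for the PEM-encoded certificate (0 means do not export; encodings of export_cert_size bytes or more are replaced by the string GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED)`. The same applies to mgs_add_common_pgpcert_vars, and documenting the sentinel matters because it is written into the same SSL_SERVER_CERT/SSL_CLIENT_CERT variable a CGI would otherwise parse as PEM. The probe-size/allocate/export sequence is duplicated verbatim between the X.509 and OpenPGP functions apart from the export call and format constant, so a small static helper taking the export function as a callback would keep the two limits and log messages in step. `ret` is assigned in both new blocks but its declaration sits in the elided part of each function, so confirm it is declared in both.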
src/mod_gnutls.c
r999cdec r2aaf4f5 181 181 "Whether this server has GnuTLS Enabled. Default: Off"), 182 182 AP_INIT_TAKE1("GnuTLSExportCertificates", 183 mgs_set_export_certificates_ enabled,183 mgs_set_export_certificates_size, 184 184 NULL, 185 185 RSRC_CONF, 186 " Whether to export PEM encoded certificates to CGIs. Default: Off"),186 "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"), 187 187 { NULL }, 188 188 };
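Review bot: The new help string does not describe what the directive actually accepts: the parser in gnutls_config.c also takes `On` (which means 16 KiB) and a `k`/`K` suffix for kibibytes or `b`/`B` for bytes, none of which a reader of this string would know. Suggest `"Max size (in bytes, or with a 'k' suffix) for exporting PEM encoded certificates to CGIs; 'On' means 16k, 'Off' disables. Default: Off"`.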