Changeset 2aaf4f5 in mod_gnutls for src

Timestamp:

Feb 23, 2014, 1:05:31 PM (8 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream

Children:

765cac2

Parents:

999cdec

Message:

implement GnuTLSExportCertificates control over max exported cert size

This patchset implements the proposed modification to
GnuTLSExportCertificates, allowing server administrators to choose the
maximum size of the exported certs.

Some advantages:

• avoids large buffers on the stack
• more configurable for server admins who expect to use larger certs
• better visibilty for users when a too-large-cert is encountered

This also increases the default maximum exported size from 10KiB to
16KiB.

Location:

src

Files:

• gnutls_config.c (modified) (4 diffs)
• gnutls_hooks.c (modified) (8 diffs)
• mod_gnutls.c (modified) (1 diff)

src/gnutls_config.c

@@ -19 +19 @@
 
 #include "mod_gnutls.h"
+#include "apr_lib.h"
 
 #ifdef APLOG_USE_MODULE
@@ -554 +555 @@
 }
 
-const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) {
+const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, const char *arg) {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module);
     if (!strcasecmp(arg, "On")) {
-        sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
+        sc->export_certificates_size = 16 * 1024;
     } else if (!strcasecmp(arg, "Off")) {
-        sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
+        sc->export_certificates_size = 0;
     } else {
-        return
-        "GnuTLSExportCertificates must be set to 'On' or 'Off'";
+        char* endptr;
+        sc->export_certificates_size = strtol(arg, &endptr, 10);
+        while (apr_isspace(*endptr)) endptr++;
+        if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') {
+            ;
+        } else if (*endptr == 'k' || *endptr == 'K') {
+            sc->export_certificates_size *= 1024;
+        } else {
+            return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
+        }
     }
 
@@ -638 +647 @@
     sc->dh_params = NULL;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
-    sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET;
+    sc->export_certificates_size = -1;
     sc->client_verify_method = mgs_cvm_unset;
 
@@ -667 +676 @@
     gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
-    gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(export_certificates_size, -1);
     gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
     gnutls_srvconf_merge(client_verify_mode, -1);

src/gnutls_hooks.c

@@ -43 +43 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert);
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_cert_size);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_cert_size);
 static const char* mgs_x509_construct_uid(request_rec * pool, gnutls_x509_crt_t cert);
 static int mgs_status_hook(request_rec *r, int flags);
@@ -373 +373 @@
         if (sc->tickets == GNUTLS_ENABLED_UNSET)
             sc->tickets = GNUTLS_ENABLED_TRUE;
-        if (sc->export_certificates_enabled == GNUTLS_ENABLED_UNSET)
-            sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
+        if (sc->export_certificates_size < 0)
+            sc->export_certificates_size = 0;
         if (sc->client_verify_mode ==  -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
@@ -818 +818 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_enabled);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_size);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_enabled);
+        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_size);
         }
 
@@ -894 +894 @@
 /* @param side is either 0 for SERVER or 1 for CLIENT
  *
- * @param export_full_cert (boolean) export the PEM-encoded
- * certificate in full as an environment variable.
+ * @param export_cert_size (int) maximum size for environment variable
+ * to use for the PEM-encoded certificate (0 means do not export)
  */
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert) {
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_cert_size) {
     unsigned char sbuf[64]; /* buffer to hold serials */
     char buf[AP_IOBUFSIZE];
@@ -913 +913 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    if (export_full_cert != 0) {
-        char cert_buf[10 * 1024];
-        len = sizeof (cert_buf);
-
-        if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
-            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
-                           apr_pstrmemdup(r->pool, cert_buf, len));
-        else
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS: Failed to export X.509 certificate to environment");
+    if (export_cert_size > 0) {
+        len = 0;
+        ret = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, NULL, &len);
+        if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+            if (len >= export_cert_size) {
+                apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                               "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                              "GnuTLS: Failed to export too-large X.509 certificate to environment");
+            } else {
+                char* cert_buf = apr_palloc(r->pool, len + 1);
+                if (cert_buf != NULL && gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) {
+                    cert_buf[len] = 0;
+                    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), cert_buf);
+                } else {
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                                  "GnuTLS: failed to export X.509 certificate");
+                }
+            }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                          "GnuTLS: dazed and confused about X.509 certificate size");
+        }
     }
 
@@ -1037 +1050 @@
 /* @param side 0: server, 1: client
  *
- * @param export_full_cert (boolean) export the PEM-encoded
- * certificate in full as an environment variable.
+ * @param export_cert_size (int) maximum size for environment variable
+ * to use for the PEM-encoded certificate (0 means do not export)
  */
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert) {
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_cert_size) {
 
         unsigned char sbuf[64]; /* buffer to hold serials */
@@ -1054 +1067 @@
     apr_table_t *env = r->subprocess_env;
 
-    if (export_full_cert != 0) {
-        char cert_buf[10 * 1024];
-        len = sizeof (cert_buf);
-
-        if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
-            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
-                           apr_pstrmemdup(r->pool, cert_buf, len));
-        else
-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                          "GnuTLS: Failed to export OpenPGP certificate to environment");
+    if (export_cert_size > 0) {
+        len = 0;
+        ret = gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, NULL, &len);
+        if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+            if (len >= export_cert_size) {
+                apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                               "GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED");
+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                              "GnuTLS: Failed to export too-large OpenPGP certificate to environment");
+            } else {
+                char* cert_buf = apr_palloc(r->pool, len + 1);
+                if (cert_buf != NULL && gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) {
+                    cert_buf[len] = 0;
+                    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), cert_buf);
+                } else {
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                                  "GnuTLS: failed to export OpenPGP certificate");
+                }
+            }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                          "GnuTLS: dazed and confused about OpenPGP certificate size");
+        }
     }
 
@@ -1328 +1354 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_enabled);
+        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_size);
     else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_enabled);
+        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_size);
 
     {

src/mod_gnutls.c

@@ -181 +181 @@
     "Whether this server has GnuTLS Enabled. Default: Off"),
     AP_INIT_TAKE1("GnuTLSExportCertificates",
-    mgs_set_export_certificates_enabled,
+    mgs_set_export_certificates_size,
     NULL,
     RSRC_CONF,
-    "Whether to export PEM encoded certificates to CGIs. Default: Off"),
+    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
     { NULL },
 };