Changeset 2aaf4f5 in mod_gnutls for src/gnutls_config.c

Timestamp:

Feb 23, 2014, 1:05:31 PM (6 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

765cac2

Parents:

999cdec

Message:

implement GnuTLSExportCertificates control over max exported cert size

This patchset implements the proposed modification to
GnuTLSExportCertificates, allowing server administrators to choose the
maximum size of the exported certs.

Some advantages:

• avoids large buffers on the stack
• more configurable for server admins who expect to use larger certs
• better visibilty for users when a too-large-cert is encountered

This also increases the default maximum exported size from 10KiB to
16KiB.

File:

• src/gnutls_config.c (modified) (4 diffs)

src/gnutls_config.c

@@ -19 +19 @@
 
 #include "mod_gnutls.h"
+#include "apr_lib.h"
 
 #ifdef APLOG_USE_MODULE
@@ -554 +555 @@
 }
 
-const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) {
+const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, const char *arg) {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module);
     if (!strcasecmp(arg, "On")) {
-        sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
+        sc->export_certificates_size = 16 * 1024;
     } else if (!strcasecmp(arg, "Off")) {
-        sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
+        sc->export_certificates_size = 0;
     } else {
-        return
-        "GnuTLSExportCertificates must be set to 'On' or 'Off'";
+        char* endptr;
+        sc->export_certificates_size = strtol(arg, &endptr, 10);
+        while (apr_isspace(*endptr)) endptr++;
+        if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') {
+            ;
+        } else if (*endptr == 'k' || *endptr == 'K') {
+            sc->export_certificates_size *= 1024;
+        } else {
+            return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
+        }
     }
 
@@ -638 +647 @@
     sc->dh_params = NULL;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
-    sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET;
+    sc->export_certificates_size = -1;
     sc->client_verify_method = mgs_cvm_unset;
 
@@ -667 +676 @@
     gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
-    gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(export_certificates_size, -1);
     gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
     gnutls_srvconf_merge(client_verify_mode, -1);