Changeset 2aaf4f5 in mod_gnutls for src/gnutls_config.c


Timestamp:
Feb 23, 2014, 1:05:31 PM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
765cac2
Parents:
999cdec
Message:

implement GnuTLSExportCertificates control over max exported cert size

This patchset implements the proposed modification to
GnuTLSExportCertificates, allowing server administrators to choose the
maximum size of the exported certs.

Some advantages:

  • avoids large buffers on the stack
  • more configurable for server admins who expect to use larger certs
  • better visibility for users when a too-large cert is encountered

This also increases the default maximum exported size from 10KiB to
16KiB.

File:
1 edited

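--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -19,4 +19,5 @@
 
 #include "mod_gnutls.h"
+#include "apr_lib.h"
 
 #ifdef APLOG_USE_MODULE
@@ -554,13 +555,21 @@
 }
 
-const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) {
+const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, const char *arg) {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module);
     if (!strcasecmp(arg, "On")) {
-        sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
+        sc->export_certificates_size = 16 * 1024;
     } else if (!strcasecmp(arg, "Off")) {
-        sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
+        sc->export_certificates_size = 0;
     } else {
-        return
-        "GnuTLSExportCertificates must be set to 'On' or 'Off'";
+        char* endptr;
+        sc->export_certificates_size = strtol(arg, &endptr, 10);
+        while (apr_isspace(*endptr)) endptr++;
+        if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') {
+            ;
+        } else if (*endptr == 'k' || *endptr == 'K') {
+            sc->export_certificates_size *= 1024;
+        } else {
+            return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
+        }
     }
 
@@ -638,5 +647,5 @@
     sc->dh_params = NULL;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
-    sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET;
+    sc->export_certificates_size = -1;
     sc->client_verify_method = mgs_cvm_unset;
 
@@ -667,5 +676,5 @@
     gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
-    gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(export_certificates_size, -1);
     gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
     gnutls_srvconf_merge(client_verify_mode, -1);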
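Review bot: The strtol() result in the new else branch, `sc->export_certificates_size = strtol(arg, &endptr, 10);`, is stored without checking that any digits were consumed or that the value is in range, so an admin typo such as `GnuTLSExportCertificates k` or an empty value silently becomes 0 (export off), a literal `-1` silently becomes the unset sentinel that `gnutls_srvconf_merge(export_certificates_size, -1)` treats as "inherit from the parent", and a huge value with a `k` suffix makes `*= 1024` overflow signed long. The suffix check also looks at only one character, so `16kb` or `16 kilobytes` are accepted as 16 KiB because nothing after `*endptr` is inspected. I would parse into a local with errno cleared, reject `endptr == arg`, ERANGE and negative values, step past the unit and require only whitespace to the end of the string before assigning; this needs `<errno.h>` and `<limits.h>` unless the httpd/apr headers already pull them in. The declared type of export_certificates_size is not visible here; if it is narrower than long the assignment should be range-checked too. The directive handler's closing brace and its return are outside the hunk.
```c
    } else {
        char *endptr;
        long size;
        errno = 0;
        size = strtol(arg, &endptr, 10);
        /* reject "", a bare unit, out-of-range and negative values; -1 is the "unset" sentinel */
        if (endptr == arg || errno == ERANGE || size < 0) {
            return "GnuTLSExportCertificates must be set to a non-negative size (in bytes) or 'On' or 'Off'";
        }
        while (apr_isspace(*endptr)) endptr++;
        if (*endptr == 'k' || *endptr == 'K') {
            if (size > LONG_MAX / 1024) {
                return "GnuTLSExportCertificates: size is too large";
            }
            size *= 1024;
            endptr++;
        } else if (*endptr == 'b' || *endptr == 'B') {
            endptr++;
        }
        /* only trailing whitespace may follow the number and its optional unit */
        while (apr_isspace(*endptr)) endptr++;
        if (*endptr != '\0') {
            return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
        }
        sc->export_certificates_size = size;
    }
```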