Changeset 7d1ab49 in mod_gnutls


Ignore:
Timestamp:
Jan 29, 2013, 8:05:42 PM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
3e800f9
Parents:
6ef3afc
git-author:
Daniel Kahn Gillmor <dkg@…> (01/29/13 18:52:52)
git-committer:
Daniel Kahn Gillmor <dkg@…> (01/29/13 20:05:42)
Message:

restore GnuTLSExportCertificate directive

It looks to me like this option was mistakenly removed when the
RSA-EXPORT configuration parameters were ripped out, possibly due to
confusion over the term Export.

GnuTLSExportCertificate is a useful configuration directive, and some
users might be relying on it.

Files:
5 edited

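--- a/docs/mod_gnutls_manual-0.1.html
+++ b/docs/mod_gnutls_manual-0.1.html
@@ -358,6 +358,10 @@
                 server config, virtual host<br />
             </div>
-            <p>This directive enables exporting the full PEM encoded certificates of the server and the client to CGIs.<br />
-            This makes mod_gnutls export exactly the same environment variables as mod_ssl.</p>
+            <p>This directive enables exporting the full certificates
+            of the server and the client to CGI scripts.  The exported
+            certificates will be PEM-encoded (if X.509) or
+            ASCII-armored (if OpenPGP).<br />With
+            GnuTLSExportCertificates enabled, mod_gnutls exports the
+            same environment variables as mod_ssl.</p>
         </div>
         <hr />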
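--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -119,4 +119,6 @@
         /* Is the module enabled? */
     int enabled;
+    /* Export full certificates to CGI environment: */
+    int export_certificates_enabled;
         /* GnuTLS Priorities */
     gnutls_priority_t priorities;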
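--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -531,4 +531,18 @@
 }
 
+const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module);
+    if (!strcasecmp(arg, "On")) {
+        sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
+    } else if (!strcasecmp(arg, "Off")) {
+        sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
+    } else {
+        return
+        "GnuTLSExportCertificates must be set to 'On' or 'Off'";
+    }
+
+    return NULL;
+}
+
 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) {
 
@@ -601,4 +615,5 @@
     sc->dh_params = NULL;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
+    sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET;
    
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -628,4 +643,5 @@
     gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(client_verify_mode, -1);
     gnutls_srvconf_merge(srp_tpasswd_file, NULL);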
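Review bot: `mgs_set_export_certificates_enabled` has no header comment, unlike the @param documentation the same changeset adds to the two helpers in src/gnutls_hooks.c; a one-liner above it would help, e.g. `/* GnuTLSExportCertificates On|Off: whether full server/client certificates are placed in the CGI environment (sc->export_certificates_enabled). */`. The `return` split across two lines before the error string reads like a dropped value at first glance; `return "GnuTLSExportCertificates must be set to 'On' or 'Off'";` on one line is clearer. The other two hunks (GNUTLS_ENABLED_UNSET in the create hook and the gnutls_srvconf_merge entry) mirror how proxy_enabled is handled on the adjacent lines; those enclosing functions start and end outside the hunks shown.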
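--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -35,6 +35,6 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side);
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert);
 
 /* Pool Cleanup Function */
@@ -347,6 +347,8 @@
         if (sc->enabled == GNUTLS_ENABLED_UNSET)
             sc->enabled = GNUTLS_ENABLED_FALSE;
-        if (sc->tickets ==  GNUTLS_ENABLED_UNSET)
+        if (sc->tickets == GNUTLS_ENABLED_UNSET)
             sc->tickets = GNUTLS_ENABLED_TRUE;
+        if (sc->export_certificates_enabled == GNUTLS_ENABLED_UNSET)
+            sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
         if (sc->client_verify_mode ==  -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
@@ -772,7 +774,7 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_enabled);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);
+        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_enabled);
         }
 
@@ -846,9 +848,12 @@
  */
 
-/* side is either 0 for SERVER or 1 for CLIENT
+/* @param side is either 0 for SERVER or 1 for CLIENT
+ *
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
  */
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side) {
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert) {
     unsigned char sbuf[64]; /* buffer to hold serials */
     char buf[AP_IOBUFSIZE];
@@ -864,5 +869,16 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export X.509 certificate to environment");         
+    }
+ 
     len = sizeof (buf);
     gnutls_x509_crt_get_dn(cert, buf, &len);
@@ -974,5 +990,11 @@
 }
 
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side) {
+
+/* @param side 0: server, 1: client
+ *
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
+ */
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert) {
 
         unsigned char sbuf[64]; /* buffer to hold serials */
@@ -987,4 +1009,16 @@
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
+
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export OpenPGP certificate to environment");         
+    }
 
     len = sizeof (buf);
@@ -1188,8 +1222,7 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1);
-    else if (gnutls_certificate_type_get(ctxt->session) ==
-            GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1);
+        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_enabled);
+    else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
+        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_enabled);
 
     {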
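Review bot: The post-config default `sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;` for a value still at GNUTLS_ENABLED_UNSET contradicts the help text this changeset adds in src/mod_gnutls.c ("Default: Off"), so a configuration that never mentions GnuTLSExportCertificates would place the full server and client certificates in every CGI environment; one of the two has to change, and if the help text is the intent this line should read `sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;`. The two new export blocks in mgs_add_common_cert_vars and mgs_add_common_pgpcert_vars each hard-code `char cert_buf[10 * 1024];`, and a certificate whose encoding does not fit is only reported at APLOG_INFO while the SSL_*_CERT variable is silently absent; the limit deserves a named constant defined once and a comment stating that consequence. The @param comment on the OpenPGP variant says "PEM-encoded" although the call uses GNUTLS_OPENPGP_FMT_BASE64 and the manual hunk in this changeset calls it ASCII-armored, so ` * @param export_full_cert (boolean) export the ASCII-armored certificate in full as an environment variable.` would match the code. Every function touched here starts or ends outside its hunk.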
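--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -176,5 +176,10 @@
     RSRC_CONF,
     "Whether this server has GnuTLS Enabled. Default: Off"),
-    { NULL }
+    AP_INIT_TAKE1("GnuTLSExportCertificates",
+    mgs_set_export_certificates_enabled,
+    NULL,
+    RSRC_CONF,
+    "Whether to export PEM encoded certificates to CGIs. Default: Off"),
+    { NULL },
 };
 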
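Review bot: The help string `"Whether to export PEM encoded certificates to CGIs. Default: Off"` describes only the X.509 case; the OpenPGP path in src/gnutls_hooks.c exports with GNUTLS_OPENPGP_FMT_BASE64, and the manual hunk in this same changeset calls that form ASCII-armored. `"Whether to export full certificates (PEM for X.509, ASCII-armored for OpenPGP) to the CGI environment. Default: Off"` would describe both and match the manual wording. The opening of the directive table is outside the hunk.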