Changeset 7d1ab49 in mod_gnutls

Timestamp:

Jan 29, 2013, 8:05:42 PM (6 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream

Children:

3e800f9

Parents:

6ef3afc

git-author:

Daniel Kahn Gillmor <dkg@…> (01/29/13 18:52:52)

git-committer:

Daniel Kahn Gillmor <dkg@…> (01/29/13 20:05:42)

Message:

restore GnuTLSExportCertificate directive

It looks to me like this option was mistakenly removed when the the
RSA-EXPORT configuration parameters were ripped out, possibly due to
confusion over the term Export.

GnuTLSExportCertificate is a useful configuration directive, and some
users might be relying on it.

Files:

• docs/mod_gnutls_manual-0.1.html (modified) (1 diff)
• include/mod_gnutls.h.in (modified) (1 diff)
• src/gnutls_config.c (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (8 diffs)
• src/mod_gnutls.c (modified) (1 diff)

docs/mod_gnutls_manual-0.1.html

@@ -358 +358 @@
                 server config, virtual host<br />
             </div>
-            <p>This directive enables exporting the full PEM encoded certificates of the server and the client to CGIs.<br />
-            This makes mod_gnutls export exactly the same environment variables as mod_ssl.</p>
+            <p>This directive enables exporting the full certificates
+            of the server and the client to CGI scripts.  The exported
+            certificates will be PEM-encoded (if X.509) or
+            ASCII-armored (if OpenPGP).<br />With
+            GnuTLSExportCertificates enabled, mod_gnutls exports the
+            same environment variables as mod_ssl.</p>
         </div>
         <hr />

include/mod_gnutls.h.in

@@ -119 +119 @@
         /* Is the module enabled? */
     int enabled;
+    /* Export full certificates to CGI environment: */
+    int export_certificates_enabled;
         /* GnuTLS Priorities */
     gnutls_priority_t priorities;

src/gnutls_config.c

@@ -531 +531 @@
 }
 
+const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module);
+    if (!strcasecmp(arg, "On")) {
+        sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
+    } else if (!strcasecmp(arg, "Off")) {
+        sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
+    } else {
+        return
+        "GnuTLSExportCertificates must be set to 'On' or 'Off'";
+    }
+
+    return NULL;
+}
+
 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) {
 
@@ -601 +615 @@
     sc->dh_params = NULL;
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
+    sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET;
     
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -628 +643 @@
     gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(client_verify_mode, -1);
     gnutls_srvconf_merge(srp_tpasswd_file, NULL);

src/gnutls_hooks.c

@@ -35 +35 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side);
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert);
 
 /* Pool Cleanup Function */
@@ -347 +347 @@
         if (sc->enabled == GNUTLS_ENABLED_UNSET)
             sc->enabled = GNUTLS_ENABLED_FALSE;
-        if (sc->tickets ==  GNUTLS_ENABLED_UNSET)
+        if (sc->tickets == GNUTLS_ENABLED_UNSET)
             sc->tickets = GNUTLS_ENABLED_TRUE;
+        if (sc->export_certificates_enabled == GNUTLS_ENABLED_UNSET)
+            sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
         if (sc->client_verify_mode ==  -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
@@ -772 +774 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_enabled);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);
+        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_enabled);
         }
 
@@ -846 +848 @@
  */
 
-/* side is either 0 for SERVER or 1 for CLIENT
+/* @param side is either 0 for SERVER or 1 for CLIENT
+ * 
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
  */
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side) {
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert) {
     unsigned char sbuf[64]; /* buffer to hold serials */
     char buf[AP_IOBUFSIZE];
@@ -864 +869 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export X.509 certificate to environment");         
+    }
+ 
     len = sizeof (buf);
     gnutls_x509_crt_get_dn(cert, buf, &len);
@@ -974 +990 @@
 }
 
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side) {
+
+/* @param side 0: server, 1: client
+ * 
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
+ */
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert) {
 
         unsigned char sbuf[64]; /* buffer to hold serials */
@@ -987 +1009 @@
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
+
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export OpenPGP certificate to environment");         
+    }
 
     len = sizeof (buf);
@@ -1188 +1222 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1);
-    else if (gnutls_certificate_type_get(ctxt->session) ==
-            GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1);
+        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_enabled);
+    else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
+        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_enabled);
 
     {

src/mod_gnutls.c

@@ -176 +176 @@
     RSRC_CONF,
     "Whether this server has GnuTLS Enabled. Default: Off"),
-    { NULL }
+    AP_INIT_TAKE1("GnuTLSExportCertificates",
+    mgs_set_export_certificates_enabled,
+    NULL,
+    RSRC_CONF,
+    "Whether to export PEM encoded certificates to CGIs. Default: Off"),
+    { NULL },
 };