Changeset 7d1ab49 in mod_gnutls
- Timestamp:
- Jan 29, 2013, 8:05:42 PM (10 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream
- Children:
- 3e800f9
- Parents:
- 6ef3afc
- git-author:
- Daniel Kahn Gillmor <dkg@…> (01/29/13 18:52:52)
- git-committer:
- Daniel Kahn Gillmor <dkg@…> (01/29/13 20:05:42)
- Files:
-
- 5 edited
docs/mod_gnutls_manual-0.1.html
r6ef3afc r7d1ab49 358 358 server config, virtual host<br /> 359 359 </div> 360 <p>This directive enables exporting the full PEM encoded certificates of the server and the client to CGIs.<br /> 361 This makes mod_gnutls export exactly the same environment variables as mod_ssl.</p> 360 <p>This directive enables exporting the full certificates 361 of the server and the client to CGI scripts. The exported 362 certificates will be PEM-encoded (if X.509) or 363 ASCII-armored (if OpenPGP).<br />With 364 GnuTLSExportCertificates enabled, mod_gnutls exports the 365 same environment variables as mod_ssl.</p> 362 366 </div> 363 367 <hr /> -
include/mod_gnutls.h.in
r6ef3afc r7d1ab49 119 119 /* Is the module enabled? */ 120 120 int enabled; 121 /* Export full certificates to CGI environment: */ 122 int export_certificates_enabled; 121 123 /* GnuTLS Priorities */ 122 124 gnutls_priority_t priorities; -
src/gnutls_config.c
r6ef3afc r7d1ab49 531 531 } 532 532 533 const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) { 534 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 535 if (!strcasecmp(arg, "On")) { 536 sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE; 537 } else if (!strcasecmp(arg, "Off")) { 538 sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE; 539 } else { 540 return 541 "GnuTLSExportCertificates must be set to 'On' or 'Off'"; 542 } 543 544 return NULL; 545 } 546 533 547 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) { 534 548 … … 601 615 sc->dh_params = NULL; 602 616 sc->proxy_enabled = GNUTLS_ENABLED_UNSET; 617 sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET; 603 618 604 619 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ … … 628 643 gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET); 629 644 gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET); 645 gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET); 630 646 gnutls_srvconf_merge(client_verify_mode, -1); 631 647 gnutls_srvconf_merge(srp_tpasswd_file, NULL); -
src/gnutls_hooks.c
r6ef3afc r7d1ab49 35 35 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); 36 36 /* use side==0 for server and side==1 for client */ 37 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side );38 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side );37 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert); 38 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert); 39 39 40 40 /* Pool Cleanup Function */ … … 347 347 if (sc->enabled == GNUTLS_ENABLED_UNSET) 348 348 sc->enabled = GNUTLS_ENABLED_FALSE; 349 if (sc->tickets == 349 if (sc->tickets == GNUTLS_ENABLED_UNSET) 350 350 sc->tickets = GNUTLS_ENABLED_TRUE; 351 if (sc->export_certificates_enabled == GNUTLS_ENABLED_UNSET) 352 sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE; 351 353 if (sc->client_verify_mode == -1) 352 354 sc->client_verify_mode = GNUTLS_CERT_IGNORE; … … 772 774 773 775 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) { 774 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0 );776 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_enabled); 775 777 } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) { 776 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0 );778 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_enabled); 777 779 } 778 780 … … 846 848 */ 847 849 848 /* side is either 0 for SERVER or 1 for CLIENT 850 /* @param side is either 0 for SERVER or 1 for CLIENT 851 * 852 * @param export_full_cert (boolean) export the PEM-encoded 853 * certificate in full as an environment variable. 
849 854 */ 850 855 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") 851 856 852 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side ) {857 static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert) { 853 858 unsigned char sbuf[64]; /* buffer to hold serials */ 854 859 char buf[AP_IOBUFSIZE]; … … 864 869 865 870 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 866 871 if (export_full_cert != 0) { 872 char cert_buf[10 * 1024]; 873 len = sizeof (cert_buf); 874 875 if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) 876 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 877 apr_pstrmemdup(r->pool, cert_buf, len)); 878 else 879 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 880 "GnuTLS: Failed to export X.509 certificate to environment"); 881 } 882 867 883 len = sizeof (buf); 868 884 gnutls_x509_crt_get_dn(cert, buf, &len); … … 974 990 } 975 991 976 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side) { 992 993 /* @param side 0: server, 1: client 994 * 995 * @param export_full_cert (boolean) export the PEM-encoded 996 * certificate in full as an environment variable. 
997 */ 998 static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert) { 977 999 978 1000 unsigned char sbuf[64]; /* buffer to hold serials */ … … 987 1009 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 988 1010 apr_table_t *env = r->subprocess_env; 1011 1012 if (export_full_cert != 0) { 1013 char cert_buf[10 * 1024]; 1014 len = sizeof (cert_buf); 1015 1016 if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0) 1017 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), 1018 apr_pstrmemdup(r->pool, cert_buf, len)); 1019 else 1020 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1021 "GnuTLS: Failed to export OpenPGP certificate to environment"); 1022 } 989 1023 990 1024 len = sizeof (buf); … … 1188 1222 1189 1223 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) 1190 mgs_add_common_cert_vars(r, cert.x509[0], 1); 1191 else if (gnutls_certificate_type_get(ctxt->session) == 1192 GNUTLS_CRT_OPENPGP) 1193 mgs_add_common_pgpcert_vars(r, cert.pgp, 1); 1224 mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_enabled); 1225 else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) 1226 mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_enabled); 1194 1227 1195 1228 { -
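Review bot: The new export block in mgs_add_common_cert_vars (new lines 871-881) and its OpenPGP twin in mgs_add_common_pgpcert_vars (1012-1022) write into a fixed 10 KiB stack buffer and, when the certificate does not fit, only log at APLOG_INFO and silently leave SSL_SERVER_CERT / SSL_CLIENT_CERT unset; X.509 certificates with many SANs and especially OpenPGP certificates carrying many signatures can exceed that size. On GNUTLS_E_SHORT_MEMORY_BUFFER GnuTLS updates `len` to the size it needs, so the export can be retried once into a request-pool buffer before giving up, as sketched below for the X.509 case (the OpenPGP block would mirror it with gnutls_openpgp_crt_export). Both functions continue outside the hunk. Separately, the new comment on mgs_add_common_pgpcert_vars (995-996) says "PEM-encoded", but the code exports GNUTLS_OPENPGP_FMT_BASE64, i.e. ASCII-armored as the manual text in this changeset says; suggest `* @param export_full_cert (boolean) export the ASCII-armored certificate in full as an environment variable.`
```c
    if (export_full_cert != 0) {
        char cert_buf[10 * 1024];
        char *out = cert_buf;
        int rv;
        len = sizeof (cert_buf);

        rv = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, out, &len);
        if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER) {
            /* len now holds the size GnuTLS needs; retry from the request pool */
            out = apr_palloc(r->pool, len);
            rv = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, out, &len);
        }
        if (rv >= 0)
            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
                           apr_pstrmemdup(r->pool, out, len));
        else
            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                          "GnuTLS: Failed to export X.509 certificate to environment");
    }
    /* … unchanged: len = sizeof (buf); DN and remaining SSL_* variables … */
```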
src/mod_gnutls.c
r6ef3afc r7d1ab49 176 176 RSRC_CONF, 177 177 "Whether this server has GnuTLS Enabled. Default: Off"), 178 { NULL } 178 AP_INIT_TAKE1("GnuTLSExportCertificates", 179 mgs_set_export_certificates_enabled, 180 NULL, 181 RSRC_CONF, 182 "Whether to export PEM encoded certificates to CGIs. Default: Off"), 183 { NULL }, 179 184 }; 180 185
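Review bot: The help string added at new line 182, `"Whether to export PEM encoded certificates to CGIs. Default: Off"`, contradicts the post-config default in src/gnutls_hooks.c (new lines 351-352), which turns an unset GnuTLSExportCertificates into GNUTLS_ENABLED_TRUE, so a server that never mentions the directive exports both full certificates to every CGI. One of the two should change; if exporting on by default is intended, the help string should read `"Whether to export PEM encoded certificates to CGIs. Default: On"` and the manual entry in docs/mod_gnutls_manual-0.1.html should state the default as well. The string also says "PEM encoded" while OpenPGP certificates are exported ASCII-armored, a distinction the manual text in this changeset already makes.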