Changeset 7d1ab49 in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jan 29, 2013, 8:05:42 PM (7 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
3e800f9
Parents:
6ef3afc
git-author:
Daniel Kahn Gillmor <dkg@…> (01/29/13 18:52:52)
git-committer:
Daniel Kahn Gillmor <dkg@…> (01/29/13 20:05:42)
Message:

restore GnuTLSExportCertificate directive

It looks to me like this option was mistakenly removed when the
RSA-EXPORT configuration parameters were ripped out, possibly due to
confusion over the term Export.

GnuTLSExportCertificate is a useful configuration directive, and some
users might be relying on it.

File:
1 edited

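--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -35,6 +35,6 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side);
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert);
 
 /* Pool Cleanup Function */
@@ -347,6 +347,8 @@
         if (sc->enabled == GNUTLS_ENABLED_UNSET)
             sc->enabled = GNUTLS_ENABLED_FALSE;
-        if (sc->tickets ==  GNUTLS_ENABLED_UNSET)
+        if (sc->tickets == GNUTLS_ENABLED_UNSET)
             sc->tickets = GNUTLS_ENABLED_TRUE;
+        if (sc->export_certificates_enabled == GNUTLS_ENABLED_UNSET)
+            sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
         if (sc->client_verify_mode ==  -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
@@ -772,7 +774,7 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_enabled);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);
+        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_enabled);
         }
 
@@ -846,9 +848,12 @@
  */
 
-/* side is either 0 for SERVER or 1 for CLIENT
+/* @param side is either 0 for SERVER or 1 for CLIENT
+ *
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
  */
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side) {
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert) {
     unsigned char sbuf[64]; /* buffer to hold serials */
     char buf[AP_IOBUFSIZE];
@@ -864,5 +869,16 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export X.509 certificate to environment");         
+    }
+ 
     len = sizeof (buf);
     gnutls_x509_crt_get_dn(cert, buf, &len);
@@ -974,5 +990,11 @@
 }
 
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side) {
+
+/* @param side 0: server, 1: client
+ *
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
+ */
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert) {
 
         unsigned char sbuf[64]; /* buffer to hold serials */
@@ -987,4 +1009,16 @@
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
+
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export OpenPGP certificate to environment");         
+    }
 
     len = sizeof (buf);
@@ -1188,8 +1222,7 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1);
-    else if (gnutls_certificate_type_get(ctxt->session) ==
-            GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1);
+        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_enabled);
+    else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
+        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_enabled);
 
     {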
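Review bot: The new export block in mgs_add_common_cert_vars writes into a fixed local buffer (`char cert_buf[10 * 1024]`) and, when `gnutls_x509_crt_export` reports a short buffer, drops the required size that GnuTLS writes back into `len`, so a certificate with a long SAN list or large key silently gets no SSL_*_CERT variable and only an APLOG_INFO line records it. Sizing the buffer from a first call with `len = 0` and allocating from `r->pool` would make the export independent of certificate size; failing that, the log line should at least print `len` so an operator can tell why the variable is missing. The same pattern is repeated in the OpenPGP hunk of mgs_add_common_pgpcert_vars, and the two blocks differ only in the export call and message, so a small static helper would keep them from drifting. `len` is declared outside the hunk and both export calls need it to be a `size_t`; the function body also continues past the hunk. Whether GnuTLS accepts a NULL output pointer on the sizing call should be confirmed against the minimum GnuTLS version the project builds with.
```c
    if (export_full_cert != 0) {
        /* a first call with len == 0 only reports the size needed */
        len = 0;
        int ret = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, NULL, &len);
        if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
            char *cert_buf = apr_palloc(r->pool, len);
            ret = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len);
            if (ret >= 0)
                apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
                               apr_pstrmemdup(r->pool, cert_buf, len));
        }
        if (ret < 0)
            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                          "GnuTLS: Failed to export X.509 certificate to environment (len=%d)", (int) len);
    }
    /* … unchanged: DN, serial and remaining SSL_* variables … */
```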