Changeset 7d1ab49 in mod_gnutls for src/gnutls_hooks.c

Timestamp:

Jan 29, 2013, 8:05:42 PM (7 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream

Children:

3e800f9

Parents:

6ef3afc

git-author:

Daniel Kahn Gillmor <dkg@…> (01/29/13 18:52:52)

git-committer:

Daniel Kahn Gillmor <dkg@…> (01/29/13 20:05:42)

Message:

restore GnuTLSExportCertificate directive

It looks to me like this option was mistakenly removed when the the
RSA-EXPORT configuration parameters were ripped out, possibly due to
confusion over the term Export.

GnuTLSExportCertificate is a useful configuration directive, and some
users might be relying on it.

File:

• src/gnutls_hooks.c (modified) (8 diffs)

src/gnutls_hooks.c

@@ -35 +35 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side);
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side);
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert);
 
 /* Pool Cleanup Function */
@@ -347 +347 @@
         if (sc->enabled == GNUTLS_ENABLED_UNSET)
             sc->enabled = GNUTLS_ENABLED_FALSE;
-        if (sc->tickets ==  GNUTLS_ENABLED_UNSET)
+        if (sc->tickets == GNUTLS_ENABLED_UNSET)
             sc->tickets = GNUTLS_ENABLED_TRUE;
+        if (sc->export_certificates_enabled == GNUTLS_ENABLED_UNSET)
+            sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
         if (sc->client_verify_mode ==  -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
@@ -772 +774 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_enabled);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
-        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);
+        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0, ctxt->sc->export_certificates_enabled);
         }
 
@@ -846 +848 @@
  */
 
-/* side is either 0 for SERVER or 1 for CLIENT
+/* @param side is either 0 for SERVER or 1 for CLIENT
+ * 
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
  */
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side) {
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, int export_full_cert) {
     unsigned char sbuf[64]; /* buffer to hold serials */
     char buf[AP_IOBUFSIZE];
@@ -864 +869 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export X.509 certificate to environment");         
+    }
+ 
     len = sizeof (buf);
     gnutls_x509_crt_get_dn(cert, buf, &len);
@@ -974 +990 @@
 }
 
-static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side) {
+
+/* @param side 0: server, 1: client
+ * 
+ * @param export_full_cert (boolean) export the PEM-encoded
+ * certificate in full as an environment variable.
+ */
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side, int export_full_cert) {
 
         unsigned char sbuf[64]; /* buffer to hold serials */
@@ -987 +1009 @@
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
+
+    if (export_full_cert != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof (cert_buf);
+
+        if (gnutls_openpgp_crt_export(cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
+            apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+        else
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                          "GnuTLS: Failed to export OpenPGP certificate to environment");         
+    }
 
     len = sizeof (buf);
@@ -1188 +1222 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509)
-        mgs_add_common_cert_vars(r, cert.x509[0], 1);
-    else if (gnutls_certificate_type_get(ctxt->session) ==
-            GNUTLS_CRT_OPENPGP)
-        mgs_add_common_pgpcert_vars(r, cert.pgp, 1);
+        mgs_add_common_cert_vars(r, cert.x509[0], 1, ctxt->sc->export_certificates_enabled);
+    else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP)
+        mgs_add_common_pgpcert_vars(r, cert.pgp, 1, ctxt->sc->export_certificates_enabled);
 
     {