Changeset cf2b905 in mod_gnutls

Timestamp:

Nov 16, 2013, 2:46:50 AM (6 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

e3cbda4

Parents:

fa45dcb

git-author:

Daniel Kahn Gillmor <dkg@…> (01/30/13 01:40:35)

git-committer:

Daniel Kahn Gillmor <dkg@…> (11/16/13 02:46:50)

Message:

MSVA: document and parse GnuTLSClientVerifyMethod directive

The directive currently doesn't do anything, but this commit makes it
a legal and parseable directive.

Files:

• docs/manual.mdwn (added)
• include/mod_gnutls.h.in (modified) (3 diffs)
• src/gnutls_config.c (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (1 diff)
• src/mod_gnutls.c (modified) (1 diff)

include/mod_gnutls.h.in

@@ -81 +81 @@
     mgs_cache_unset
 } mgs_cache_e;
+
+typedef enum {
+    mgs_cvm_unset,
+    mgs_cvm_cartel,
+    mgs_cvm_msva
+} mgs_client_verification_method_e;
+
 
 /* Directory Configuration Record */
@@ -140 +147 @@
         /* Client Certificate Verification Mode */
     int client_verify_mode;
+        /* Client Certificate Verification Method */
+    mgs_client_verification_method_e client_verify_method;
         /* Last Cache timestamp */
     apr_time_t last_cache_check;
@@ -340 +349 @@
                                   const char *arg);
 
+const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
+                                         const char *arg);
+
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                    const char *arg);

src/gnutls_config.c

@@ -363 +363 @@
 }
 
+const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
+        const char *arg) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (strcasecmp("cartel", arg) == 0) {
+        sc->client_verify_method = mgs_cvm_cartel;
+    } else if (strcasecmp("msva", arg) == 0) {
+#ifdef ENABLE_MSVA
+        sc->client_verify_method = mgs_cvm_msva;
+#else
+        return "GnuTLSClientVerifyMethod: msva is not supported";
+#endif
+    } else {
+        return "GnuTLSClientVerifyMethod: Invalid argument";
+    }
+
+    return NULL;
+}
+
 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
         const char *arg) {
@@ -616 +635 @@
     sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
     sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET;
+    sc->client_verify_method = mgs_cvm_unset; 
     
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
@@ -644 +664 @@
     gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET);
+    gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
     gnutls_srvconf_merge(client_verify_mode, -1);
     gnutls_srvconf_merge(srp_tpasswd_file, NULL);

src/gnutls_hooks.c

@@ -353 +353 @@
         if (sc->client_verify_mode ==  -1)
             sc->client_verify_mode = GNUTLS_CERT_IGNORE;
+        if (sc->client_verify_method ==  mgs_cvm_unset)
+            sc->client_verify_method = mgs_cvm_cartel;
 
 

src/mod_gnutls.c

@@ -105 +105 @@
     RSRC_CONF | OR_AUTHCFG,
     "Set Verification Requirements of the Client Certificate"),
+    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
+    NULL,
+    RSRC_CONF,
+    "Set Verification Method of the Client Certificate"),
     AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
     NULL,