summaryrefslogtreecommitdiffstatsabout
diff options
context:
space:
mode:
authorNokis Mavrogiannopoulos <nmav@gnutls.org>2007-12-02 07:29:05 (GMT)
committer Nokis Mavrogiannopoulos <nmav@gnutls.org>2007-12-02 07:29:05 (GMT)
commit3ce85fd536b52f0e04e86451215cdf01ffa22f6b (patch)
tree8c3ab76a6cf0f52b103e34ca8d8c9240e58b7dee
parentc30816fa5d336fac1b5e8f5c300a62a555f6882e (diff)
more fixes for subject alternative name.
-rw-r--r--src/gnutls_hooks.c46
1 files changed, 31 insertions, 15 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index ce5efbb..e20592b 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -97,7 +97,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
97 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT, 97 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
98 pool); 98 pool);
99 if (rv != APR_SUCCESS) { 99 if (rv != APR_SUCCESS) {
100 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 100 ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
101 "GnuTLS failed to load params file at: %s. Will use internal params.", 101 "GnuTLS failed to load params file at: %s. Will use internal params.",
102 file); 102 file);
103 return ret; 103 return ret;
@@ -106,7 +106,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
106 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp); 106 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
107 107
108 if (rv != APR_SUCCESS) { 108 if (rv != APR_SUCCESS) {
109 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 109 ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
110 "GnuTLS failed to stat params file at: %s", file); 110 "GnuTLS failed to stat params file at: %s", file);
111 return ret; 111 return ret;
112 } 112 }
@@ -115,7 +115,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
115 rv = apr_file_read_full(fp, ret.data, finfo.size, &br); 115 rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
116 116
117 if (rv != APR_SUCCESS) { 117 if (rv != APR_SUCCESS) {
118 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 118 ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
119 "GnuTLS failed to read params file at: %s", file); 119 "GnuTLS failed to read params file at: %s", file);
120 return ret; 120 return ret;
121 } 121 }
@@ -209,7 +209,7 @@ const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
209 * 209 *
210 * Returns negative on error. 210 * Returns negative on error.
211 */ 211 */
212static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert, 212static int read_crt_cn(server_rec *s, apr_pool_t * p, gnutls_x509_crt cert,
213 char **cert_cn) 213 char **cert_cn)
214{ 214{
215 int rv = 0, i; 215 int rv = 0, i;
@@ -227,19 +227,28 @@ static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
227 rv = gnutls_x509_crt_get_dn_by_oid(cert, 227 rv = gnutls_x509_crt_get_dn_by_oid(cert,
228 GNUTLS_OID_X520_COMMON_NAME, 0, 0, *cert_cn, &data_len); 228 GNUTLS_OID_X520_COMMON_NAME, 0, 0, *cert_cn, &data_len);
229 } else { /* No CN return subject alternative name */ 229 } else { /* No CN return subject alternative name */
230 230 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
231 "No common name found in certificate for '%s:%d'. Looking for subject alternative name.",
232 s->server_hostname, s->port);
233 rv = 0;
231 /* read subject alternative name */ 234 /* read subject alternative name */
232 for (i = 0; !(rv < 0); i++) { 235 for (i = 0; !(rv < 0); i++) {
233 rv = gnutls_x509_crt_get_subject_alt_name(cert, i, 236 rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
234 NULL, &data_len, NULL); 237 NULL, &data_len, NULL);
235
236 if (rv == GNUTLS_SAN_DNSNAME) {
237 *cert_cn = apr_palloc(p, data_len);
238 rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
239 *cert_cn, &data_len, NULL);
240 break;
241 238
242 } 239 if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
240 /* FIXME: not very efficient. What if we have several alt names
241 * before DNSName?
242 */
243 *cert_cn = apr_palloc(p, data_len+1);
244
245 rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
246 *cert_cn, &data_len, NULL);
247 (*cert_cn)[data_len]=0;
248
249 if (rv == GNUTLS_SAN_DNSNAME)
250 break;
251 }
243 } 252 }
244 } 253 }
245 254
@@ -386,12 +395,11 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
386 } 395 }
387 396
388 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 397 if (sc->enabled == GNUTLS_ENABLED_TRUE) {
389 rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn); 398 rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
390 if (rv < 0) { 399 if (rv < 0) {
391 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 400 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
392 "[GnuTLS] - Cannot find a certificate for host '%s:%d'! Disabling TLS.", 401 "[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
393 s->server_hostname, s->port); 402 s->server_hostname, s->port);
394 sc->enabled = GNUTLS_ENABLED_FALSE;
395 sc->cert_cn = NULL; 403 sc->cert_cn = NULL;
396 continue; 404 continue;
397 } 405 }
@@ -487,6 +495,14 @@ static int vhost_cb(void *baton, conn_rec * conn, server_rec * s)
487 * acccckkkkkk. 495 * acccckkkkkk.
488 */ 496 */
489 return 1; 497 return 1;
498 } else {
499#if MOD_GNUTLS_DEBUG
500 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
501 x->ctxt->c->base_server,
502 "GnuTLS: Virtual Host CB: "
503 "'%s' != '%s'", tsc->cert_cn, x->sni_name);
504#endif
505
490 } 506 }
491 return 0; 507 return 0;
492} 508}