more fixes for subject alternative name.

author: Nokis Mavrogiannopoulos 2007-12-02 07:29:05 +0000
committer: Nokis Mavrogiannopoulos 2007-12-02 07:29:05 +0000
commit: 3ce85fd536b52f0e04e86451215cdf01ffa22f6b (patch)
tree: 8c3ab76a6cf0f52b103e34ca8d8c9240e58b7dee
parent: c30816fa5d336fac1b5e8f5c300a62a555f6882e (diff)
1 files changed, 31 insertions, 15 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index ce5efbb..e20592b 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -97,7 +97,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
    rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
                       pool);
    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
+        ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
                     "GnuTLS failed to load params file at: %s. Will use internal params.",
                     file);
        return ret;
@@ -106,7 +106,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
    rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
+        ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
                     "GnuTLS failed to stat params file at: %s", file);
        return ret;
    }
@@ -115,7 +115,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
    rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
+        ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
                     "GnuTLS failed to read params file at: %s", file);
        return ret;
    }
@@ -209,7 +209,7 @@ const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
 *
 * Returns negative on error.
 */
-static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
+static int read_crt_cn(server_rec *s, apr_pool_t * p, gnutls_x509_crt cert,
                       char **cert_cn)
 {
    int rv = 0, i;
@@ -227,19 +227,28 @@ static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
        rv = gnutls_x509_crt_get_dn_by_oid(cert,
                  GNUTLS_OID_X520_COMMON_NAME, 0, 0, *cert_cn, &data_len);
    } else {                    /* No CN return subject alternative name */
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "No common name found in certificate for '%s:%d'. Looking for subject alternative name.", 
+                     s->server_hostname, s->port);
+        rv = 0;
        /* read subject alternative name */
        for (i = 0; !(rv < 0); i++) {
            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
                    NULL, &data_len, NULL);
-                    
-            if (rv == GNUTLS_SAN_DNSNAME) {
-                *cert_cn = apr_palloc(p, data_len);
-                rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
-                    *cert_cn, &data_len, NULL);
-                break;
-            }
+            if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
+                /* FIXME: not very efficient. What if we have several alt names
+                 * before DNSName?
+                 */
+                *cert_cn = apr_palloc(p, data_len+1);
+               
+                rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
+                  *cert_cn, &data_len, NULL);
+                (*cert_cn)[data_len]=0;
+                if (rv == GNUTLS_SAN_DNSNAME)
+                  break;
+            }
        }
    }
    
@@ -386,12 +395,11 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
            }
            if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-                rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn);
+                rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
                if (rv < 0) {
                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
-                             "[GnuTLS] - Cannot find a certificate for host '%s:%d'! Disabling TLS.",
+                             "[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
                             s->server_hostname, s->port);
-                    sc->enabled = GNUTLS_ENABLED_FALSE;
                    sc->cert_cn = NULL;
                    continue;
                }
@@ -487,6 +495,14 @@ static int vhost_cb(void *baton, conn_rec * conn, server_rec * s)
         * acccckkkkkk. 
         */
        return 1;
+    } else {
+#if MOD_GNUTLS_DEBUG
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                     x->ctxt->c->base_server,
+                     "GnuTLS: Virtual Host CB: "
+                     "'%s' != '%s'", tsc->cert_cn, x->sni_name);
+#endif
+    
    }
    return 0;
 }
author	Nokis Mavrogiannopoulos	2007-12-02 07:29:05 +0000
committer	Nokis Mavrogiannopoulos	2007-12-02 07:29:05 +0000
commit	3ce85fd536b52f0e04e86451215cdf01ffa22f6b (patch)
tree	8c3ab76a6cf0f52b103e34ca8d8c9240e58b7dee
parent	c30816fa5d336fac1b5e8f5c300a62a555f6882e (diff)

diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c index ce5efbb..e20592b 100644 --- a/src/gnutls_hooks.c +++ b/src/gnutls_hooks.c
@@ -97,7 +97,7 @@ load_params(const char file, server_rec s, apr_pool_t * pool)
97	rv = apr_file_open(&fp, file, APR_READ \| APR_BINARY, APR_OS_DEFAULT,	97	rv = apr_file_open(&fp, file, APR_READ \| APR_BINARY, APR_OS_DEFAULT,
98	pool);	98	pool);
99	if (rv != APR_SUCCESS) {	99	if (rv != APR_SUCCESS) {
100	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,	100	ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
101	"GnuTLS failed to load params file at: %s. Will use internal params.",	101	"GnuTLS failed to load params file at: %s. Will use internal params.",
102	file);	102	file);
103	return ret;	103	return ret;
@@ -106,7 +106,7 @@ load_params(const char file, server_rec s, apr_pool_t * pool)
106	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);	106	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
107		107
108	if (rv != APR_SUCCESS) {	108	if (rv != APR_SUCCESS) {
109	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,	109	ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
110	"GnuTLS failed to stat params file at: %s", file);	110	"GnuTLS failed to stat params file at: %s", file);
111	return ret;	111	return ret;
112	}	112	}
@@ -115,7 +115,7 @@ load_params(const char file, server_rec s, apr_pool_t * pool)
115	rv = apr_file_read_full(fp, ret.data, finfo.size, &br);	115	rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
116		116
117	if (rv != APR_SUCCESS) {	117	if (rv != APR_SUCCESS) {
118	ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,	118	ap_log_error(APLOG_MARK, APLOG_INFO, rv, s,
119	"GnuTLS failed to read params file at: %s", file);	119	"GnuTLS failed to read params file at: %s", file);
120	return ret;	120	return ret;
121	}	121	}
@@ -209,7 +209,7 @@ const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
209	*	209	*
210	* Returns negative on error.	210	* Returns negative on error.
211	*/	211	*/
212	static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,	212	static int read_crt_cn(server_rec s, apr_pool_t p, gnutls_x509_crt cert,
213	char **cert_cn)	213	char **cert_cn)
214	{	214	{
215	int rv = 0, i;	215	int rv = 0, i;
@@ -227,19 +227,28 @@ static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
227	rv = gnutls_x509_crt_get_dn_by_oid(cert,	227	rv = gnutls_x509_crt_get_dn_by_oid(cert,
228	GNUTLS_OID_X520_COMMON_NAME, 0, 0, *cert_cn, &data_len);	228	GNUTLS_OID_X520_COMMON_NAME, 0, 0, *cert_cn, &data_len);
229	} else { /* No CN return subject alternative name */	229	} else { /* No CN return subject alternative name */
230		230	ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
		231	"No common name found in certificate for '%s:%d'. Looking for subject alternative name.",
		232	s->server_hostname, s->port);
		233	rv = 0;
231	/* read subject alternative name */	234	/* read subject alternative name */
232	for (i = 0; !(rv < 0); i++) {	235	for (i = 0; !(rv < 0); i++) {
233	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,	236	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
234	NULL, &data_len, NULL);	237	NULL, &data_len, NULL);
235
236	if (rv == GNUTLS_SAN_DNSNAME) {
237	*cert_cn = apr_palloc(p, data_len);
238	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
239	*cert_cn, &data_len, NULL);
240	break;
241		238
242	}	239	if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
		240	/* FIXME: not very efficient. What if we have several alt names
		241	* before DNSName?
		242	*/
		243	*cert_cn = apr_palloc(p, data_len+1);
		244
		245	rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
		246	*cert_cn, &data_len, NULL);
		247	(*cert_cn)[data_len]=0;
		248
		249	if (rv == GNUTLS_SAN_DNSNAME)
		250	break;
		251	}
243	}	252	}
244	}	253	}
245		254
@@ -386,12 +395,11 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
386	}	395	}
387		396
388	if (sc->enabled == GNUTLS_ENABLED_TRUE) {	397	if (sc->enabled == GNUTLS_ENABLED_TRUE) {
389	rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn);	398	rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
390	if (rv < 0) {	399	if (rv < 0) {
391	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,	400	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
392	"[GnuTLS] - Cannot find a certificate for host '%s:%d'! Disabling TLS.",	401	"[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
393	s->server_hostname, s->port);	402	s->server_hostname, s->port);
394	sc->enabled = GNUTLS_ENABLED_FALSE;
395	sc->cert_cn = NULL;	403	sc->cert_cn = NULL;
396	continue;	404	continue;
397	}	405	}
@@ -487,6 +495,14 @@ static int vhost_cb(void baton, conn_rec conn, server_rec * s)
487	* acccckkkkkk.	495	* acccckkkkkk.
488	*/	496	*/
489	return 1;	497	return 1;
		498	} else {
		499	#if MOD_GNUTLS_DEBUG
		500	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
		501	x->ctxt->c->base_server,
		502	"GnuTLS: Virtual Host CB: "
		503	"'%s' != '%s'", tsc->cert_cn, x->sni_name);
		504	#endif
		505
490	}	506	}
491	return 0;	507	return 0;
492	}	508	}