aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorGravatar Nokis Mavrogiannopoulos 2007-12-01 09:12:01 +0000
committerGravatar Nokis Mavrogiannopoulos 2007-12-01 09:12:01 +0000
commit94d92bd1b7b5696044c6293fc77292d3ad535148 (patch)
tree222abe5cf70397429dc90f48aa8d880943406b46 /src
parent30c3470aac7dc3553882b018e69cf1f1ce13d5ff (diff)
Added support for subject alternative names. (untested)
Diffstat (limited to 'src')
-rw-r--r--src/gnutls_config.c2
-rw-r--r--src/gnutls_hooks.c253
2 files changed, 155 insertions, 100 deletions
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index cad078c..3771e04 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -332,7 +332,7 @@ const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy,
332const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) 332const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
333{ 333{
334 int ret; 334 int ret;
335 char *err; 335 const char *err;
336 mgs_srvconf_rec *sc = 336 mgs_srvconf_rec *sc =
337 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 337 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
338 module_config, 338 module_config,
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index f776def..920eccc 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -37,7 +37,8 @@ static int mpm_is_threaded;
37static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); 37static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
38/* use side==0 for server and side==1 for client */ 38/* use side==0 for server and side==1 for client */
39static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, 39static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,
40 int side, int export_certificates_enabled); 40 int side,
41 int export_certificates_enabled);
41 42
42static apr_status_t mgs_cleanup_pre_config(void *data) 43static apr_status_t mgs_cleanup_pre_config(void *data)
43{ 44{
@@ -97,7 +98,8 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
97 pool); 98 pool);
98 if (rv != APR_SUCCESS) { 99 if (rv != APR_SUCCESS) {
99 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 100 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
100 "GnuTLS failed to load params file at: %s. Will use internal params.", file); 101 "GnuTLS failed to load params file at: %s. Will use internal params.",
102 file);
101 return ret; 103 return ret;
102 } 104 }
103 105
@@ -127,7 +129,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool)
127/* We don't support openpgp certificates, yet */ 129/* We don't support openpgp certificates, yet */
128const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; 130const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
129 131
130static int mgs_select_virtual_server_cb( gnutls_session_t session) 132static int mgs_select_virtual_server_cb(gnutls_session_t session)
131{ 133{
132 mgs_handle_t *ctxt; 134 mgs_handle_t *ctxt;
133 mgs_srvconf_rec *tsc; 135 mgs_srvconf_rec *tsc;
@@ -142,35 +144,36 @@ static int mgs_select_virtual_server_cb( gnutls_session_t session)
142 ctxt->sc = tsc; 144 ctxt->sc = tsc;
143 145
144 gnutls_certificate_server_set_request(session, 146 gnutls_certificate_server_set_request(session,
145 ctxt->sc->client_verify_mode); 147 ctxt->sc->client_verify_mode);
146 148
147 /* set the new server credentials 149 /* set the new server credentials
148 */ 150 */
149 151
150 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, 152 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
151 ctxt->sc->certs); 153 ctxt->sc->certs);
152 154
153 gnutls_credentials_set(session, GNUTLS_CRD_ANON, 155 gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
154 ctxt->sc->anon_creds);
155 156
156 if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) { 157 if (ctxt->sc->srp_tpasswd_conf_file != NULL
157 gnutls_credentials_set(session, GNUTLS_CRD_SRP, 158 && ctxt->sc->srp_tpasswd_file != NULL) {
158 ctxt->sc->srp_creds); 159 gnutls_credentials_set(session, GNUTLS_CRD_SRP,
160 ctxt->sc->srp_creds);
159 } 161 }
160 162
161 /* update the priorities - to avoid negotiating a ciphersuite that is not 163 /* update the priorities - to avoid negotiating a ciphersuite that is not
162 * enabled on this virtual server. Note that here we ignore the version 164 * enabled on this virtual server. Note that here we ignore the version
163 * negotiation. 165 * negotiation.
164 */ 166 */
165 ret = gnutls_priority_set( session, ctxt->sc->priorities); 167 ret = gnutls_priority_set(session, ctxt->sc->priorities);
166 gnutls_certificate_type_set_priority( session, cert_type_prio); 168 gnutls_certificate_type_set_priority(session, cert_type_prio);
167 169
168 170
169 /* actually it shouldn't fail since we have checked at startup */ 171 /* actually it shouldn't fail since we have checked at startup */
170 if (ret < 0) return ret; 172 if (ret < 0)
173 return ret;
171 174
172 /* allow separate caches per virtual host. Actually allowing the same is not 175 /* allow separate caches per virtual host. Actually allowing the same is a
173 * a good idea, especially if they have different security requirements. 176 * bad idea, since they might have different security requirements.
174 */ 177 */
175 mgs_cache_session_init(ctxt); 178 mgs_cache_session_init(ctxt);
176 179
@@ -193,20 +196,63 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
193} 196}
194 197
195const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 198const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
196"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 199 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
197"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 200 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
198"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 201 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
199"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 202 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
200"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 203 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
201"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 204 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
202"-----END DH PARAMETERS-----\n"; 205 "-----END DH PARAMETERS-----\n";
206
207/* Read the common name or the alternative name of the certificate.
208 * We only support a single name per certificate.
209 *
210 * Returns negative on error.
211 */
212static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert,
213 char **cert_cn)
214{
215 int rv = 0, i;
216 size_t data_len;
217
218
219 *cert_cn = NULL;
220
221 rv = gnutls_x509_crt_get_dn_by_oid(cert,
222 GNUTLS_OID_X520_COMMON_NAME,
223 0, 0, NULL, &data_len);
224
225 if (rv >= 0 && data_len > 1) {
226 *cert_cn = apr_palloc(p, data_len);
227 rv = gnutls_x509_crt_get_dn_by_oid(cert,
228 GNUTLS_OID_X520_COMMON_NAME, 0,
229 0, *cert_cn, &data_len);
230 } else { /* No CN return subject alternative name */
231
232 /* read subject alternative name */
233 for (i = 0; !(rv < 0); i++) {
234 rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
235 NULL, &data_len, NULL);
236
237 if (rv == GNUTLS_SAN_DNSNAME) {
238 *cert_cn = apr_palloc(p, data_len);
239 rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
240 *cert_cn, &data_len, NULL);
241 break;
242
243 }
244 }
245 }
246
247 return rv;
248
249}
203 250
204int 251int
205mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, 252mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
206 apr_pool_t * ptemp, server_rec * base_server) 253 apr_pool_t * ptemp, server_rec * base_server)
207{ 254{
208 int rv; 255 int rv;
209 size_t data_len;
210 server_rec *s; 256 server_rec *s;
211 gnutls_dh_params_t dh_params; 257 gnutls_dh_params_t dh_params;
212 gnutls_rsa_params_t rsa_params; 258 gnutls_rsa_params_t rsa_params;
@@ -251,26 +297,26 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
251 } else { 297 } else {
252 /* If the file does not exist use internal parameters 298 /* If the file does not exist use internal parameters
253 */ 299 */
254 pdata.data = (void*)static_dh_params; 300 pdata.data = (void *) static_dh_params;
255 pdata.size = sizeof( static_dh_params); 301 pdata.size = sizeof(static_dh_params);
256 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 302 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
257 GNUTLS_X509_FMT_PEM); 303 GNUTLS_X509_FMT_PEM);
258 304
259 if (rv < 0) { 305 if (rv < 0) {
260 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 306 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
261 "GnuTLS: Unable to load internal DH Params." 307 "GnuTLS: Unable to load internal DH Params."
262 " Shutting down."); 308 " Shutting down.");
263 exit(-1); 309 exit(-1);
264 } 310 }
265 } 311 }
266 apr_pool_clear(tpool); 312 apr_pool_clear(tpool);
267 313
268 rsa_params = NULL; 314 rsa_params = NULL;
269 315
270 pdata = load_params(sc_base->rsa_params_file, s, tpool); 316 pdata = load_params(sc_base->rsa_params_file, s, tpool);
271 317
272 if (pdata.size != 0) { 318 if (pdata.size != 0) {
273 gnutls_rsa_params_init(&rsa_params); 319 gnutls_rsa_params_init(&rsa_params);
274 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, 320 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
275 GNUTLS_X509_FMT_PEM); 321 GNUTLS_X509_FMT_PEM);
276 if (rv != 0) { 322 if (rv != 0) {
@@ -279,9 +325,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
279 rv, gnutls_strerror(rv)); 325 rv, gnutls_strerror(rv));
280 exit(rv); 326 exit(rv);
281 } 327 }
282 } 328 }
283 /* not an error but RSA-EXPORT ciphersuites are not available 329 /* not an error but RSA-EXPORT ciphersuites are not available
284 */ 330 */
285 331
286 apr_pool_destroy(tpool); 332 apr_pool_destroy(tpool);
287 rv = mgs_cache_post_config(p, s, sc_base); 333 rv = mgs_cache_post_config(p, s, sc_base);
@@ -299,20 +345,24 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
299 sc->cache_config = sc_base->cache_config; 345 sc->cache_config = sc_base->cache_config;
300 346
301 if (rsa_params != NULL) 347 if (rsa_params != NULL)
302 gnutls_certificate_set_rsa_export_params(sc->certs, 348 gnutls_certificate_set_rsa_export_params(sc->certs,
303 rsa_params); 349 rsa_params);
304 gnutls_certificate_set_dh_params(sc->certs, dh_params); 350 gnutls_certificate_set_dh_params(sc->certs, dh_params);
305 351
306 gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params); 352 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
307 353
308 gnutls_certificate_server_set_retrieve_function(sc->certs, 354 gnutls_certificate_server_set_retrieve_function(sc->certs,
309 cert_retrieve_fn); 355 cert_retrieve_fn);
356
357 if (sc->srp_tpasswd_conf_file != NULL
358 && sc->srp_tpasswd_file != NULL) {
359 gnutls_srp_set_server_credentials_file(sc->srp_creds,
360 sc->
361 srp_tpasswd_file,
362 sc->
363 srp_tpasswd_conf_file);
364 }
310 365
311 if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
312 gnutls_srp_set_server_credentials_file( sc->srp_creds,
313 sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file);
314 }
315
316 if (sc->cert_x509 == NULL 366 if (sc->cert_x509 == NULL
317 && sc->enabled == GNUTLS_ENABLED_TRUE) { 367 && sc->enabled == GNUTLS_ENABLED_TRUE) {
318 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 368 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -332,22 +382,13 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
332 } 382 }
333 383
334 if (sc->enabled == GNUTLS_ENABLED_TRUE) { 384 if (sc->enabled == GNUTLS_ENABLED_TRUE) {
335 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, 385 rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn);
336 GNUTLS_OID_X520_COMMON_NAME, 386 if (rv < 0) {
337 0, 0, NULL, &data_len); 387 sc->enabled = GNUTLS_ENABLED_FALSE;
338 388 sc->cert_cn = NULL;
339 if (data_len < 1) { 389 continue;
340 sc->enabled = GNUTLS_ENABLED_FALSE; 390 }
341 sc->cert_cn = NULL;
342 continue;
343 } 391 }
344
345 sc->cert_cn = apr_palloc(p, data_len);
346 rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
347 GNUTLS_OID_X520_COMMON_NAME,
348 0, 0, sc->cert_cn,
349 &data_len);
350 }
351 } 392 }
352 } 393 }
353 394
@@ -532,8 +573,9 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
532 573
533 574
534static const int protocol_priority[] = { 575static const int protocol_priority[] = {
535 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; 576 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
536 577};
578
537 579
538static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) 580static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
539{ 581{
@@ -558,19 +600,20 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
558 ctxt->output_length = 0; 600 ctxt->output_length = 0;
559 601
560 gnutls_init(&ctxt->session, GNUTLS_SERVER); 602 gnutls_init(&ctxt->session, GNUTLS_SERVER);
561 603
562 /* This is not very good as it trades security for compatibility, 604 /* This is not very good as it trades security for compatibility,
563 * but it is the only way to be ultra-portable. 605 * but it is the only way to be ultra-portable.
564 */ 606 */
565 gnutls_session_enable_compatibility_mode( ctxt->session); 607 gnutls_session_enable_compatibility_mode(ctxt->session);
566 608
567 /* because we don't set any default priorities here (we set later at 609 /* because we don't set any default priorities here (we set later at
568 * the user hello callback) we need to at least set this in order for 610 * the user hello callback) we need to at least set this in order for
569 * gnutls to be able to read packets. 611 * gnutls to be able to read packets.
570 */ 612 */
571 gnutls_protocol_set_priority( ctxt->session, protocol_priority); 613 gnutls_protocol_set_priority(ctxt->session, protocol_priority);
572 614
573 gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb); 615 gnutls_handshake_set_post_client_hello_function(ctxt->session,
616 mgs_select_virtual_server_cb);
574 617
575 return ctxt; 618 return ctxt;
576} 619}
@@ -623,25 +666,30 @@ int mgs_hook_fixups(request_rec * r)
623 666
624 apr_table_setn(env, "HTTPS", "on"); 667 apr_table_setn(env, "HTTPS", "on");
625 668
626 apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION); 669 apr_table_setn(env, "SSL_VERSION_LIBRARY",
627 apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION); 670 "GnuTLS/" LIBGNUTLS_VERSION);
671 apr_table_setn(env, "SSL_VERSION_INTERFACE",
672 "mod_gnutls/" MOD_GNUTLS_VERSION);
628 673
629 apr_table_setn(env, "SSL_PROTOCOL", 674 apr_table_setn(env, "SSL_PROTOCOL",
630 gnutls_protocol_get_name(gnutls_protocol_get_version 675 gnutls_protocol_get_name(gnutls_protocol_get_version
631 (ctxt->session))); 676 (ctxt->session)));
632 677
633 /* should have been called SSL_CIPHERSUITE instead */ 678 /* should have been called SSL_CIPHERSUITE instead */
634 apr_table_setn(env, "SSL_CIPHER", 679 apr_table_setn(env, "SSL_CIPHER",
635 gnutls_cipher_suite_get_name( 680 gnutls_cipher_suite_get_name(gnutls_kx_get
636 gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session), 681 (ctxt->session),
637 gnutls_mac_get(ctxt->session))); 682 gnutls_cipher_get(ctxt->
683 session),
684 gnutls_mac_get(ctxt->
685 session)));
638 686
639 apr_table_setn(env, "SSL_COMPRESS_METHOD", 687 apr_table_setn(env, "SSL_COMPRESS_METHOD",
640 gnutls_compression_get_name(gnutls_compression_get 688 gnutls_compression_get_name(gnutls_compression_get
641 (ctxt->session))); 689 (ctxt->session)));
642 690
643 apr_table_setn(env, "SSL_SRP_USER", 691 apr_table_setn(env, "SSL_SRP_USER",
644 gnutls_srp_server_get_username( ctxt->session)); 692 gnutls_srp_server_get_username(ctxt->session));
645 693
646 if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL) 694 if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
647 apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE"); 695 apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE");
@@ -662,7 +710,8 @@ int mgs_hook_fixups(request_rec * r)
662 tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf)); 710 tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
663 apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp)); 711 apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
664 712
665 mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled); 713 mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
714 ctxt->sc->export_certificates_enabled);
666 715
667 return rv; 716 return rv;
668} 717}
@@ -723,7 +772,8 @@ int mgs_hook_authz(request_rec * r)
723 */ 772 */
724#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") 773#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
725static void 774static void
726mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled) 775mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side,
776 int export_certificates_enabled)
727{ 777{
728 unsigned char sbuf[64]; /* buffer to hold serials */ 778 unsigned char sbuf[64]; /* buffer to hold serials */
729 char buf[AP_IOBUFSIZE]; 779 char buf[AP_IOBUFSIZE];
@@ -734,13 +784,15 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex
734 apr_table_t *env = r->subprocess_env; 784 apr_table_t *env = r->subprocess_env;
735 785
736 if (export_certificates_enabled != 0) { 786 if (export_certificates_enabled != 0) {
737 char cert_buf[10*1024]; 787 char cert_buf[10 * 1024];
738 len = sizeof(cert_buf); 788 len = sizeof(cert_buf);
789
790 if (gnutls_x509_crt_export
791 (cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
792 apr_table_setn(env,
793 apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
794 apr_pstrmemdup(r->pool, cert_buf, len));
739 795
740 if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
741 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
742 apr_pstrmemdup(r->pool, cert_buf, len));
743
744 } 796 }
745 797
746 len = sizeof(buf); 798 len = sizeof(buf);
@@ -771,16 +823,16 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex
771 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL), 823 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
772 apr_pstrdup(r->pool, tmp)); 824 apr_pstrdup(r->pool, tmp));
773 825
774 alg = gnutls_x509_crt_get_signature_algorithm( cert); 826 alg = gnutls_x509_crt_get_signature_algorithm(cert);
775 if (alg >= 0) { 827 if (alg >= 0) {
776 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL), 828 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
777 gnutls_sign_algorithm_get_name( alg)); 829 gnutls_sign_algorithm_get_name(alg));
778 } 830 }
779 831
780 alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL); 832 alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
781 if (alg >= 0) { 833 if (alg >= 0) {
782 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL), 834 apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
783 gnutls_pk_algorithm_get_name( alg)); 835 gnutls_pk_algorithm_get_name(alg));
784 } 836 }
785 837
786 838
@@ -887,13 +939,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
887// mgs_hook_fixups(r); 939// mgs_hook_fixups(r);
888// rv = mgs_authz_lua(r); 940// rv = mgs_authz_lua(r);
889 941
890 mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled); 942 mgs_add_common_cert_vars(r, cert, 1,
943 ctxt->sc->export_certificates_enabled);
891 944
892 { 945 {
893 /* days remaining */ 946 /* days remaining */
894 unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400; 947 unsigned long remain =
895 apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", 948 (apr_time_sec(expiration_time) -
896 apr_psprintf(r->pool, "%lu", remain)); 949 apr_time_sec(cur_time)) / 86400;
950 apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
951 apr_psprintf(r->pool, "%lu", remain));
897 } 952 }
898 953
899 if (status == 0 && expired == 0) { 954 if (status == 0 && expired == 0) {