diff options
author | Nokis Mavrogiannopoulos | 2007-12-01 09:12:01 +0000 |
---|---|---|
committer | Nokis Mavrogiannopoulos | 2007-12-01 09:12:01 +0000 |
commit | 94d92bd1b7b5696044c6293fc77292d3ad535148 (patch) | |
tree | 222abe5cf70397429dc90f48aa8d880943406b46 /src | |
parent | 30c3470aac7dc3553882b018e69cf1f1ce13d5ff (diff) |
Added support for subject alternative names. (untested)
Diffstat (limited to 'src')
-rw-r--r-- | src/gnutls_config.c | 2 | ||||
-rw-r--r-- | src/gnutls_hooks.c | 253 |
2 files changed, 155 insertions, 100 deletions
diff --git a/src/gnutls_config.c b/src/gnutls_config.c index cad078c..3771e04 100644 --- a/src/gnutls_config.c +++ b/src/gnutls_config.c | |||
@@ -332,7 +332,7 @@ const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, | |||
332 | const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) | 332 | const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) |
333 | { | 333 | { |
334 | int ret; | 334 | int ret; |
335 | char *err; | 335 | const char *err; |
336 | mgs_srvconf_rec *sc = | 336 | mgs_srvconf_rec *sc = |
337 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> | 337 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
338 | module_config, | 338 | module_config, |
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c index f776def..920eccc 100644 --- a/src/gnutls_hooks.c +++ b/src/gnutls_hooks.c | |||
@@ -37,7 +37,8 @@ static int mpm_is_threaded; | |||
37 | static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); | 37 | static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); |
38 | /* use side==0 for server and side==1 for client */ | 38 | /* use side==0 for server and side==1 for client */ |
39 | static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, | 39 | static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, |
40 | int side, int export_certificates_enabled); | 40 | int side, |
41 | int export_certificates_enabled); | ||
41 | 42 | ||
42 | static apr_status_t mgs_cleanup_pre_config(void *data) | 43 | static apr_status_t mgs_cleanup_pre_config(void *data) |
43 | { | 44 | { |
@@ -97,7 +98,8 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool) | |||
97 | pool); | 98 | pool); |
98 | if (rv != APR_SUCCESS) { | 99 | if (rv != APR_SUCCESS) { |
99 | ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, | 100 | ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, |
100 | "GnuTLS failed to load params file at: %s. Will use internal params.", file); | 101 | "GnuTLS failed to load params file at: %s. Will use internal params.", |
102 | file); | ||
101 | return ret; | 103 | return ret; |
102 | } | 104 | } |
103 | 105 | ||
@@ -127,7 +129,7 @@ load_params(const char *file, server_rec * s, apr_pool_t * pool) | |||
127 | /* We don't support openpgp certificates, yet */ | 129 | /* We don't support openpgp certificates, yet */ |
128 | const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; | 130 | const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; |
129 | 131 | ||
130 | static int mgs_select_virtual_server_cb( gnutls_session_t session) | 132 | static int mgs_select_virtual_server_cb(gnutls_session_t session) |
131 | { | 133 | { |
132 | mgs_handle_t *ctxt; | 134 | mgs_handle_t *ctxt; |
133 | mgs_srvconf_rec *tsc; | 135 | mgs_srvconf_rec *tsc; |
@@ -142,35 +144,36 @@ static int mgs_select_virtual_server_cb( gnutls_session_t session) | |||
142 | ctxt->sc = tsc; | 144 | ctxt->sc = tsc; |
143 | 145 | ||
144 | gnutls_certificate_server_set_request(session, | 146 | gnutls_certificate_server_set_request(session, |
145 | ctxt->sc->client_verify_mode); | 147 | ctxt->sc->client_verify_mode); |
146 | 148 | ||
147 | /* set the new server credentials | 149 | /* set the new server credentials |
148 | */ | 150 | */ |
149 | 151 | ||
150 | gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, | 152 | gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, |
151 | ctxt->sc->certs); | 153 | ctxt->sc->certs); |
152 | 154 | ||
153 | gnutls_credentials_set(session, GNUTLS_CRD_ANON, | 155 | gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds); |
154 | ctxt->sc->anon_creds); | ||
155 | 156 | ||
156 | if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) { | 157 | if (ctxt->sc->srp_tpasswd_conf_file != NULL |
157 | gnutls_credentials_set(session, GNUTLS_CRD_SRP, | 158 | && ctxt->sc->srp_tpasswd_file != NULL) { |
158 | ctxt->sc->srp_creds); | 159 | gnutls_credentials_set(session, GNUTLS_CRD_SRP, |
160 | ctxt->sc->srp_creds); | ||
159 | } | 161 | } |
160 | 162 | ||
161 | /* update the priorities - to avoid negotiating a ciphersuite that is not | 163 | /* update the priorities - to avoid negotiating a ciphersuite that is not |
162 | * enabled on this virtual server. Note that here we ignore the version | 164 | * enabled on this virtual server. Note that here we ignore the version |
163 | * negotiation. | 165 | * negotiation. |
164 | */ | 166 | */ |
165 | ret = gnutls_priority_set( session, ctxt->sc->priorities); | 167 | ret = gnutls_priority_set(session, ctxt->sc->priorities); |
166 | gnutls_certificate_type_set_priority( session, cert_type_prio); | 168 | gnutls_certificate_type_set_priority(session, cert_type_prio); |
167 | 169 | ||
168 | 170 | ||
169 | /* actually it shouldn't fail since we have checked at startup */ | 171 | /* actually it shouldn't fail since we have checked at startup */ |
170 | if (ret < 0) return ret; | 172 | if (ret < 0) |
173 | return ret; | ||
171 | 174 | ||
172 | /* allow separate caches per virtual host. Actually allowing the same is not | 175 | /* allow separate caches per virtual host. Actually allowing the same is a |
173 | * a good idea, especially if they have different security requirements. | 176 | * bad idea, since they might have different security requirements. |
174 | */ | 177 | */ |
175 | mgs_cache_session_init(ctxt); | 178 | mgs_cache_session_init(ctxt); |
176 | 179 | ||
@@ -193,20 +196,63 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret) | |||
193 | } | 196 | } |
194 | 197 | ||
195 | const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" | 198 | const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" |
196 | "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" | 199 | "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" |
197 | "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" | 200 | "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" |
198 | "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" | 201 | "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" |
199 | "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" | 202 | "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" |
200 | "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" | 203 | "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" |
201 | "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" | 204 | "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" |
202 | "-----END DH PARAMETERS-----\n"; | 205 | "-----END DH PARAMETERS-----\n"; |
206 | |||
207 | /* Read the common name or the alternative name of the certificate. | ||
208 | * We only support a single name per certificate. | ||
209 | * | ||
210 | * Returns negative on error. | ||
211 | */ | ||
212 | static int read_crt_cn(apr_pool_t * p, gnutls_x509_crt cert, | ||
213 | char **cert_cn) | ||
214 | { | ||
215 | int rv = 0, i; | ||
216 | size_t data_len; | ||
217 | |||
218 | |||
219 | *cert_cn = NULL; | ||
220 | |||
221 | rv = gnutls_x509_crt_get_dn_by_oid(cert, | ||
222 | GNUTLS_OID_X520_COMMON_NAME, | ||
223 | 0, 0, NULL, &data_len); | ||
224 | |||
225 | if (rv >= 0 && data_len > 1) { | ||
226 | *cert_cn = apr_palloc(p, data_len); | ||
227 | rv = gnutls_x509_crt_get_dn_by_oid(cert, | ||
228 | GNUTLS_OID_X520_COMMON_NAME, 0, | ||
229 | 0, *cert_cn, &data_len); | ||
230 | } else { /* No CN return subject alternative name */ | ||
231 | |||
232 | /* read subject alternative name */ | ||
233 | for (i = 0; !(rv < 0); i++) { | ||
234 | rv = gnutls_x509_crt_get_subject_alt_name(cert, i, | ||
235 | NULL, &data_len, NULL); | ||
236 | |||
237 | if (rv == GNUTLS_SAN_DNSNAME) { | ||
238 | *cert_cn = apr_palloc(p, data_len); | ||
239 | rv = gnutls_x509_crt_get_subject_alt_name(cert, i, | ||
240 | *cert_cn, &data_len, NULL); | ||
241 | break; | ||
242 | |||
243 | } | ||
244 | } | ||
245 | } | ||
246 | |||
247 | return rv; | ||
248 | |||
249 | } | ||
203 | 250 | ||
204 | int | 251 | int |
205 | mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | 252 | mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, |
206 | apr_pool_t * ptemp, server_rec * base_server) | 253 | apr_pool_t * ptemp, server_rec * base_server) |
207 | { | 254 | { |
208 | int rv; | 255 | int rv; |
209 | size_t data_len; | ||
210 | server_rec *s; | 256 | server_rec *s; |
211 | gnutls_dh_params_t dh_params; | 257 | gnutls_dh_params_t dh_params; |
212 | gnutls_rsa_params_t rsa_params; | 258 | gnutls_rsa_params_t rsa_params; |
@@ -251,26 +297,26 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | |||
251 | } else { | 297 | } else { |
252 | /* If the file does not exist use internal parameters | 298 | /* If the file does not exist use internal parameters |
253 | */ | 299 | */ |
254 | pdata.data = (void*)static_dh_params; | 300 | pdata.data = (void *) static_dh_params; |
255 | pdata.size = sizeof( static_dh_params); | 301 | pdata.size = sizeof(static_dh_params); |
256 | rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, | 302 | rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, |
257 | GNUTLS_X509_FMT_PEM); | 303 | GNUTLS_X509_FMT_PEM); |
258 | 304 | ||
259 | if (rv < 0) { | 305 | if (rv < 0) { |
260 | ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, | 306 | ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, |
261 | "GnuTLS: Unable to load internal DH Params." | 307 | "GnuTLS: Unable to load internal DH Params." |
262 | " Shutting down."); | 308 | " Shutting down."); |
263 | exit(-1); | 309 | exit(-1); |
264 | } | 310 | } |
265 | } | 311 | } |
266 | apr_pool_clear(tpool); | 312 | apr_pool_clear(tpool); |
267 | 313 | ||
268 | rsa_params = NULL; | 314 | rsa_params = NULL; |
269 | 315 | ||
270 | pdata = load_params(sc_base->rsa_params_file, s, tpool); | 316 | pdata = load_params(sc_base->rsa_params_file, s, tpool); |
271 | 317 | ||
272 | if (pdata.size != 0) { | 318 | if (pdata.size != 0) { |
273 | gnutls_rsa_params_init(&rsa_params); | 319 | gnutls_rsa_params_init(&rsa_params); |
274 | rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, | 320 | rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata, |
275 | GNUTLS_X509_FMT_PEM); | 321 | GNUTLS_X509_FMT_PEM); |
276 | if (rv != 0) { | 322 | if (rv != 0) { |
@@ -279,9 +325,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | |||
279 | rv, gnutls_strerror(rv)); | 325 | rv, gnutls_strerror(rv)); |
280 | exit(rv); | 326 | exit(rv); |
281 | } | 327 | } |
282 | } | 328 | } |
283 | /* not an error but RSA-EXPORT ciphersuites are not available | 329 | /* not an error but RSA-EXPORT ciphersuites are not available |
284 | */ | 330 | */ |
285 | 331 | ||
286 | apr_pool_destroy(tpool); | 332 | apr_pool_destroy(tpool); |
287 | rv = mgs_cache_post_config(p, s, sc_base); | 333 | rv = mgs_cache_post_config(p, s, sc_base); |
@@ -299,20 +345,24 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | |||
299 | sc->cache_config = sc_base->cache_config; | 345 | sc->cache_config = sc_base->cache_config; |
300 | 346 | ||
301 | if (rsa_params != NULL) | 347 | if (rsa_params != NULL) |
302 | gnutls_certificate_set_rsa_export_params(sc->certs, | 348 | gnutls_certificate_set_rsa_export_params(sc->certs, |
303 | rsa_params); | 349 | rsa_params); |
304 | gnutls_certificate_set_dh_params(sc->certs, dh_params); | 350 | gnutls_certificate_set_dh_params(sc->certs, dh_params); |
305 | 351 | ||
306 | gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params); | 352 | gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); |
307 | 353 | ||
308 | gnutls_certificate_server_set_retrieve_function(sc->certs, | 354 | gnutls_certificate_server_set_retrieve_function(sc->certs, |
309 | cert_retrieve_fn); | 355 | cert_retrieve_fn); |
356 | |||
357 | if (sc->srp_tpasswd_conf_file != NULL | ||
358 | && sc->srp_tpasswd_file != NULL) { | ||
359 | gnutls_srp_set_server_credentials_file(sc->srp_creds, | ||
360 | sc-> | ||
361 | srp_tpasswd_file, | ||
362 | sc-> | ||
363 | srp_tpasswd_conf_file); | ||
364 | } | ||
310 | 365 | ||
311 | if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) { | ||
312 | gnutls_srp_set_server_credentials_file( sc->srp_creds, | ||
313 | sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file); | ||
314 | } | ||
315 | |||
316 | if (sc->cert_x509 == NULL | 366 | if (sc->cert_x509 == NULL |
317 | && sc->enabled == GNUTLS_ENABLED_TRUE) { | 367 | && sc->enabled == GNUTLS_ENABLED_TRUE) { |
318 | ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, | 368 | ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, |
@@ -332,22 +382,13 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | |||
332 | } | 382 | } |
333 | 383 | ||
334 | if (sc->enabled == GNUTLS_ENABLED_TRUE) { | 384 | if (sc->enabled == GNUTLS_ENABLED_TRUE) { |
335 | rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, | 385 | rv = read_crt_cn(p, sc->cert_x509, &sc->cert_cn); |
336 | GNUTLS_OID_X520_COMMON_NAME, | 386 | if (rv < 0) { |
337 | 0, 0, NULL, &data_len); | 387 | sc->enabled = GNUTLS_ENABLED_FALSE; |
338 | 388 | sc->cert_cn = NULL; | |
339 | if (data_len < 1) { | 389 | continue; |
340 | sc->enabled = GNUTLS_ENABLED_FALSE; | 390 | } |
341 | sc->cert_cn = NULL; | ||
342 | continue; | ||
343 | } | 391 | } |
344 | |||
345 | sc->cert_cn = apr_palloc(p, data_len); | ||
346 | rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509, | ||
347 | GNUTLS_OID_X520_COMMON_NAME, | ||
348 | 0, 0, sc->cert_cn, | ||
349 | &data_len); | ||
350 | } | ||
351 | } | 392 | } |
352 | } | 393 | } |
353 | 394 | ||
@@ -532,8 +573,9 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) | |||
532 | 573 | ||
533 | 574 | ||
534 | static const int protocol_priority[] = { | 575 | static const int protocol_priority[] = { |
535 | GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; | 576 | GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 |
536 | 577 | }; | |
578 | |||
537 | 579 | ||
538 | static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) | 580 | static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) |
539 | { | 581 | { |
@@ -558,19 +600,20 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) | |||
558 | ctxt->output_length = 0; | 600 | ctxt->output_length = 0; |
559 | 601 | ||
560 | gnutls_init(&ctxt->session, GNUTLS_SERVER); | 602 | gnutls_init(&ctxt->session, GNUTLS_SERVER); |
561 | 603 | ||
562 | /* This is not very good as it trades security for compatibility, | 604 | /* This is not very good as it trades security for compatibility, |
563 | * but it is the only way to be ultra-portable. | 605 | * but it is the only way to be ultra-portable. |
564 | */ | 606 | */ |
565 | gnutls_session_enable_compatibility_mode( ctxt->session); | 607 | gnutls_session_enable_compatibility_mode(ctxt->session); |
566 | 608 | ||
567 | /* because we don't set any default priorities here (we set later at | 609 | /* because we don't set any default priorities here (we set later at |
568 | * the user hello callback) we need to at least set this in order for | 610 | * the user hello callback) we need to at least set this in order for |
569 | * gnutls to be able to read packets. | 611 | * gnutls to be able to read packets. |
570 | */ | 612 | */ |
571 | gnutls_protocol_set_priority( ctxt->session, protocol_priority); | 613 | gnutls_protocol_set_priority(ctxt->session, protocol_priority); |
572 | 614 | ||
573 | gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb); | 615 | gnutls_handshake_set_post_client_hello_function(ctxt->session, |
616 | mgs_select_virtual_server_cb); | ||
574 | 617 | ||
575 | return ctxt; | 618 | return ctxt; |
576 | } | 619 | } |
@@ -623,25 +666,30 @@ int mgs_hook_fixups(request_rec * r) | |||
623 | 666 | ||
624 | apr_table_setn(env, "HTTPS", "on"); | 667 | apr_table_setn(env, "HTTPS", "on"); |
625 | 668 | ||
626 | apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION); | 669 | apr_table_setn(env, "SSL_VERSION_LIBRARY", |
627 | apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION); | 670 | "GnuTLS/" LIBGNUTLS_VERSION); |
671 | apr_table_setn(env, "SSL_VERSION_INTERFACE", | ||
672 | "mod_gnutls/" MOD_GNUTLS_VERSION); | ||
628 | 673 | ||
629 | apr_table_setn(env, "SSL_PROTOCOL", | 674 | apr_table_setn(env, "SSL_PROTOCOL", |
630 | gnutls_protocol_get_name(gnutls_protocol_get_version | 675 | gnutls_protocol_get_name(gnutls_protocol_get_version |
631 | (ctxt->session))); | 676 | (ctxt->session))); |
632 | 677 | ||
633 | /* should have been called SSL_CIPHERSUITE instead */ | 678 | /* should have been called SSL_CIPHERSUITE instead */ |
634 | apr_table_setn(env, "SSL_CIPHER", | 679 | apr_table_setn(env, "SSL_CIPHER", |
635 | gnutls_cipher_suite_get_name( | 680 | gnutls_cipher_suite_get_name(gnutls_kx_get |
636 | gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session), | 681 | (ctxt->session), |
637 | gnutls_mac_get(ctxt->session))); | 682 | gnutls_cipher_get(ctxt-> |
683 | session), | ||
684 | gnutls_mac_get(ctxt-> | ||
685 | session))); | ||
638 | 686 | ||
639 | apr_table_setn(env, "SSL_COMPRESS_METHOD", | 687 | apr_table_setn(env, "SSL_COMPRESS_METHOD", |
640 | gnutls_compression_get_name(gnutls_compression_get | 688 | gnutls_compression_get_name(gnutls_compression_get |
641 | (ctxt->session))); | 689 | (ctxt->session))); |
642 | 690 | ||
643 | apr_table_setn(env, "SSL_SRP_USER", | 691 | apr_table_setn(env, "SSL_SRP_USER", |
644 | gnutls_srp_server_get_username( ctxt->session)); | 692 | gnutls_srp_server_get_username(ctxt->session)); |
645 | 693 | ||
646 | if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL) | 694 | if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL) |
647 | apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE"); | 695 | apr_table_setn(env, "SSL_CLIENT_VERIFY", "NONE"); |
@@ -662,7 +710,8 @@ int mgs_hook_fixups(request_rec * r) | |||
662 | tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf)); | 710 | tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf)); |
663 | apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp)); | 711 | apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp)); |
664 | 712 | ||
665 | mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled); | 713 | mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, |
714 | ctxt->sc->export_certificates_enabled); | ||
666 | 715 | ||
667 | return rv; | 716 | return rv; |
668 | } | 717 | } |
@@ -723,7 +772,8 @@ int mgs_hook_authz(request_rec * r) | |||
723 | */ | 772 | */ |
724 | #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") | 773 | #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT") |
725 | static void | 774 | static void |
726 | mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled) | 775 | mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, |
776 | int export_certificates_enabled) | ||
727 | { | 777 | { |
728 | unsigned char sbuf[64]; /* buffer to hold serials */ | 778 | unsigned char sbuf[64]; /* buffer to hold serials */ |
729 | char buf[AP_IOBUFSIZE]; | 779 | char buf[AP_IOBUFSIZE]; |
@@ -734,13 +784,15 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex | |||
734 | apr_table_t *env = r->subprocess_env; | 784 | apr_table_t *env = r->subprocess_env; |
735 | 785 | ||
736 | if (export_certificates_enabled != 0) { | 786 | if (export_certificates_enabled != 0) { |
737 | char cert_buf[10*1024]; | 787 | char cert_buf[10 * 1024]; |
738 | len = sizeof(cert_buf); | 788 | len = sizeof(cert_buf); |
789 | |||
790 | if (gnutls_x509_crt_export | ||
791 | (cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) | ||
792 | apr_table_setn(env, | ||
793 | apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), | ||
794 | apr_pstrmemdup(r->pool, cert_buf, len)); | ||
739 | 795 | ||
740 | if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0) | ||
741 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL), | ||
742 | apr_pstrmemdup(r->pool, cert_buf, len)); | ||
743 | |||
744 | } | 796 | } |
745 | 797 | ||
746 | len = sizeof(buf); | 798 | len = sizeof(buf); |
@@ -771,16 +823,16 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int ex | |||
771 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL), | 823 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL), |
772 | apr_pstrdup(r->pool, tmp)); | 824 | apr_pstrdup(r->pool, tmp)); |
773 | 825 | ||
774 | alg = gnutls_x509_crt_get_signature_algorithm( cert); | 826 | alg = gnutls_x509_crt_get_signature_algorithm(cert); |
775 | if (alg >= 0) { | 827 | if (alg >= 0) { |
776 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL), | 828 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL), |
777 | gnutls_sign_algorithm_get_name( alg)); | 829 | gnutls_sign_algorithm_get_name(alg)); |
778 | } | 830 | } |
779 | 831 | ||
780 | alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL); | 832 | alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); |
781 | if (alg >= 0) { | 833 | if (alg >= 0) { |
782 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL), | 834 | apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL), |
783 | gnutls_pk_algorithm_get_name( alg)); | 835 | gnutls_pk_algorithm_get_name(alg)); |
784 | } | 836 | } |
785 | 837 | ||
786 | 838 | ||
@@ -887,13 +939,16 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) | |||
887 | // mgs_hook_fixups(r); | 939 | // mgs_hook_fixups(r); |
888 | // rv = mgs_authz_lua(r); | 940 | // rv = mgs_authz_lua(r); |
889 | 941 | ||
890 | mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled); | 942 | mgs_add_common_cert_vars(r, cert, 1, |
943 | ctxt->sc->export_certificates_enabled); | ||
891 | 944 | ||
892 | { | 945 | { |
893 | /* days remaining */ | 946 | /* days remaining */ |
894 | unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400; | 947 | unsigned long remain = |
895 | apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", | 948 | (apr_time_sec(expiration_time) - |
896 | apr_psprintf(r->pool, "%lu", remain)); | 949 | apr_time_sec(cur_time)) / 86400; |
950 | apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN", | ||
951 | apr_psprintf(r->pool, "%lu", remain)); | ||
897 | } | 952 | } |
898 | 953 | ||
899 | if (status == 0 && expired == 0) { | 954 | if (status == 0 && expired == 0) { |