Context Navigation

gnutls_config.c @ eee1432

Visit:

debian/masterdebian/stretch-backportsproxy-ticketupstream

Last change on this file since eee1432 was eee1432, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Bind temporary pool in mgs_load_files() to ptemp scope

Pool 'spool' is destroyed at the end of the function, so the temporary
scope is definitely appropriate. This ensures cleanup in case a bug
prevents explicit pool destruction.

Property mode set to 100644

File size: 39.9 KB

Rev	Line
[46b85d8]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[e021722]	3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
[e183628]	4	* Copyright 2011 Dash Shendy
[8913410]	5	* Copyright 2015-2016 Thomas Klute
[46b85d8]	6	*
	7	* Licensed under the Apache License, Version 2.0 (the "License");
	8	* you may not use this file except in compliance with the License.
	9	* You may obtain a copy of the License at
	10	*
	11	* http://www.apache.org/licenses/LICENSE-2.0
	12	*
	13	* Unless required by applicable law or agreed to in writing, software
	14	* distributed under the License is distributed on an "AS IS" BASIS,
	15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	16	* See the License for the specific language governing permissions and
	17	* limitations under the License.
	18	*
	19	*/
	20
	21	#include "mod_gnutls.h"
[2aaf4f5]	22	#include "apr_lib.h"
[031acac]	23	#include <gnutls/abstract.h>
	24
	25	#define INIT_CA_SIZE 128
[70a1e5a]	26	/* Default OCSP response grace time in seconds */
	27	#define MGS_GRACE_TIME 60
[46b85d8]	28
[55dc3f0]	29	#ifdef APLOG_USE_MODULE
	30	APLOG_USE_MODULE(gnutls);
	31	#endif
	32
[259e835]	33	static int pin_callback(void *user, int attempt __attribute__((unused)),
	34	const char *token_url __attribute__((unused)),
	35	const char *token_label, unsigned int flags,
	36	char *pin, size_t pin_max)
[031acac]	37	{
	38	mgs_srvconf_rec *sc = user;
	39
	40	if (sc->pin == NULL \|\| flags & GNUTLS_PIN_FINAL_TRY \|\|
	41	flags & GNUTLS_PIN_WRONG) {
	42	return -1;
	43	}
	44
	45	if (token_label && strcmp(token_label, "SRK") == 0) {
	46	snprintf(pin, pin_max, "%s", sc->srk_pin);
	47	} else {
	48	snprintf(pin, pin_max, "%s", sc->pin);
	49	}
	50	return 0;
	51	}
	52
[7bebb42]	53	static int load_datum_from_file(apr_pool_t * pool,
[031acac]	54	const char file, gnutls_datum_t data)
	55	{
[e183628]	56	apr_file_t *fp;
	57	apr_finfo_t finfo;
	58	apr_status_t rv;
	59	apr_size_t br = 0;
[7bebb42]	60
[e183628]	61	rv = apr_file_open(&fp, file, APR_READ \| APR_BINARY,
[031acac]	62	APR_OS_DEFAULT, pool);
[e183628]	63	if (rv != APR_SUCCESS) {
[031acac]	64	return rv;
[e183628]	65	}
[7bebb42]	66
[e183628]	67	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
[7bebb42]	68
[e183628]	69	if (rv != APR_SUCCESS) {
[031acac]	70	return rv;
[e183628]	71	}
[7bebb42]	72
[e183628]	73	data->data = apr_palloc(pool, finfo.size + 1);
	74	rv = apr_file_read_full(fp, data->data, finfo.size, &br);
[7bebb42]	75
[e183628]	76	if (rv != APR_SUCCESS) {
[031acac]	77	return rv;
[e183628]	78	}
	79	apr_file_close(fp);
[7bebb42]	80
[e183628]	81	data->data[br] = '\0';
	82	data->size = br;
[7bebb42]	83
[e183628]	84	return 0;
[46b85d8]	85	}
	86
[031acac]	87	/* 2048-bit group parameters from SRP specification */
	88	const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
	89	"MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
	90	"gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
	91	"KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
	92	"dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
	93	"YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
	94	"Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
	95	"-----END DH PARAMETERS-----\n";
	96
[e2ba939]	97	/*
	98	* Clean up the various GnuTLS data structures allocated from
	99	* mgs_load_files()
	100	*/
	101	static apr_status_t mgs_pool_free_credentials(void *arg)
	102	{
	103	mgs_srvconf_rec sc = (mgs_srvconf_rec ) arg;
	104
	105	if (sc->certs)
	106	{
	107	gnutls_certificate_free_credentials(sc->certs);
	108	sc->certs = NULL;
	109	}
	110
	111	if (sc->anon_creds)
	112	{
	113	gnutls_anon_free_server_credentials(sc->anon_creds);
	114	sc->anon_creds = NULL;
	115	}
	116
	117	#ifdef ENABLE_SRP
	118	if (sc->srp_creds)
	119	{
	120	gnutls_srp_free_server_credentials(sc->srp_creds);
	121	sc->srp_creds = NULL;
	122	}
	123	#endif
	124
	125	if (sc->dh_params)
	126	{
	127	gnutls_dh_params_deinit(sc->dh_params);
	128	sc->dh_params = NULL;
	129	}
	130
	131	for (unsigned int i = 0; i < sc->certs_x509_chain_num; i++)
	132	{
	133	gnutls_pcert_deinit(&sc->certs_x509_chain[i]);
	134	gnutls_x509_crt_deinit(sc->certs_x509_crt_chain[i]);
	135	}
	136
	137	if (sc->privkey_x509)
	138	{
	139	gnutls_privkey_deinit(sc->privkey_x509);
	140	sc->privkey_x509 = NULL;
	141	}
	142
[db9ef68]	143	if (sc->ca_list)
	144	{
	145	for (unsigned int i = 0; i < sc->ca_list_size; i++)
	146	{
	147	gnutls_x509_crt_deinit(sc->ca_list[i]);
	148	}
	149	gnutls_free(sc->ca_list);
	150	sc->ca_list = NULL;
	151	}
	152
[45b7b83]	153	if (sc->privkey_pgp)
	154	{
	155	gnutls_privkey_deinit(sc->privkey_pgp);
	156	sc->privkey_pgp = NULL;
	157	#if GNUTLS_VERSION_NUMBER < 0x030312
	158	gnutls_openpgp_privkey_deinit(sc->privkey_pgp_internal);
	159	sc->privkey_pgp_internal = NULL;
	160	#endif
	161	}
	162
	163	if (sc->pgp_list)
	164	{
	165	gnutls_openpgp_keyring_deinit(sc->pgp_list);
	166	sc->pgp_list = NULL;
	167	}
	168
[e2ba939]	169	if (sc->priorities)
	170	{
	171	gnutls_priority_deinit(sc->priorities);
	172	sc->priorities = NULL;
	173	}
	174
	175	return APR_SUCCESS;
	176	}
	177
[eee1432]	178	int mgs_load_files(apr_pool_t pconf, apr_pool_t ptemp, server_rec *s)
[031acac]	179	{
[e183628]	180	apr_pool_t *spool;
[031acac]	181	const char *file;
	182	gnutls_datum_t data;
	183	int ret;
[e183628]	184	mgs_srvconf_rec *sc =
[81433f1]	185	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
	186	&gnutls_module);
[e183628]	187
[eee1432]	188	apr_pool_create(&spool, ptemp);
[e183628]	189
[eee1432]	190	sc->cert_pgp = apr_pcalloc(pconf, sizeof(sc->cert_pgp[0]));
	191	sc->cert_crt_pgp = apr_pcalloc(pconf, sizeof(sc->cert_crt_pgp[0]));
[031acac]	192	sc->certs_x509_chain =
[eee1432]	193	apr_pcalloc(pconf, MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
[031acac]	194	sc->certs_x509_crt_chain =
[eee1432]	195	apr_pcalloc(pconf, MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
[e2ba939]	196
	197	/* Cleanup function for the GnuTLS structures allocated below */
[eee1432]	198	apr_pool_cleanup_register(pconf, sc, mgs_pool_free_credentials,
[e2ba939]	199	apr_pool_cleanup_null);
[e183628]	200
[e2ba939]	201	if (sc->certs == NULL)
	202	{
	203	ret = gnutls_certificate_allocate_credentials(&sc->certs);
	204	if (ret < 0) {
	205	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	206	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
	207	gnutls_strerror(ret));
	208	ret = -1;
	209	goto cleanup;
	210	}
[e183628]	211	}
	212
[e2ba939]	213	if (sc->anon_creds == NULL)
	214	{
	215	ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
	216	if (ret < 0) {
	217	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	218	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
	219	gnutls_strerror(ret));
	220	ret = -1;
	221	goto cleanup;
	222	}
[e183628]	223	}
	224
[031acac]	225	/* Load SRP parameters */
	226	#ifdef ENABLE_SRP
[e2ba939]	227	if (sc->srp_creds == NULL)
	228	{
	229	ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
	230	if (ret < 0) {
	231	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	232	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
	233	gnutls_strerror(ret));
	234	ret = -1;
	235	goto cleanup;
	236	}
[e183628]	237	}
	238
[81433f1]	239	if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL)
	240	{
	241	ret = gnutls_srp_set_server_credentials_file
	242	(sc->srp_creds, sc->srp_tpasswd_file,
	243	sc->srp_tpasswd_conf_file);
	244
	245	if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
	246	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	247	"GnuTLS: Host '%s:%d' is missing a "
	248	"SRP password or conf File!",
	249	s->server_hostname, s->port);
	250	ret = -1;
	251	goto cleanup;
	252	}
[e183628]	253	}
[031acac]	254	#endif
[e183628]	255
[e2ba939]	256	if (sc->dh_params == NULL)
	257	{
	258	ret = gnutls_dh_params_init(&sc->dh_params);
	259	if (ret < 0) {
	260	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	261	"GnuTLS: Failed to initialize"
	262	": (%d) %s", ret, gnutls_strerror(ret));
	263	ret = -1;
	264	goto cleanup;
	265	}
[7bebb42]	266
[81433f1]	267	/* Load DH parameters */
	268	if (sc->dh_file)
	269	{
	270	if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
	271	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	272	"GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
	273	ret = -1;
	274	goto cleanup;
	275	}
	276
	277	ret =
	278	gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
	279	GNUTLS_X509_FMT_PEM);
	280	if (ret < 0) {
	281	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	282	"GnuTLS: Failed to Import "
	283	"DH params '%s': (%d) %s", sc->dh_file, ret,
	284	gnutls_strerror(ret));
	285	ret = -1;
	286	goto cleanup;
	287	}
	288	} else {
	289	gnutls_datum_t pdata = {
	290	(void *) static_dh_params,
	291	sizeof(static_dh_params)
	292	};
	293
	294	ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
	295	if (ret < 0) {
	296	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	297	"GnuTLS: Unable to generate or load DH Params: (%d) %s",
	298	ret, gnutls_strerror(ret));
	299	ret = -1;
	300	goto cleanup;
	301	}
[031acac]	302	}
	303	}
[e183628]	304
[e2ba939]	305	if (sc->x509_cert_file != NULL && sc->certs_x509_crt_chain[0] == NULL)
	306	{
	307	unsigned int chain_num = MAX_CHAIN_SIZE;
	308	unsigned format = GNUTLS_X509_FMT_PEM;
[031acac]	309
[81433f1]	310	/* Load X.509 certificate */
	311	if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
	312	gnutls_pkcs11_obj_t obj;
	313
	314	file = sc->x509_cert_file;
	315
	316	ret = gnutls_pkcs11_obj_init(&obj);
	317	if (ret < 0) {
	318	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	319	"GnuTLS: Error Initializing PKCS #11 object");
	320	ret = -1;
	321	goto cleanup;
	322	}
	323
	324	gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
	325
	326	ret = gnutls_pkcs11_obj_import_url(obj, file,
	327	GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
	328	if (ret < 0) {
	329	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	330	"GnuTLS: Error Importing PKCS #11 object: "
	331	"'%s': %s",
	332	file, gnutls_strerror(ret));
	333	ret = -1;
	334	goto cleanup;
	335	}
	336
	337	format = GNUTLS_X509_FMT_DER;
	338	ret = gnutls_pkcs11_obj_export2(obj, &data);
	339	if (ret < 0) {
	340	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	341	"GnuTLS: Error Exporting a PKCS #11 object: "
	342	"'%s': %s",
	343	file, gnutls_strerror(ret));
	344	ret = -1;
	345	goto cleanup;
	346	}
	347
	348	gnutls_pkcs11_obj_deinit(obj);
	349	} else {
	350	file = ap_server_root_relative(spool, sc->x509_cert_file);
	351
	352	ret = gnutls_load_file(file, &data);
	353	if (ret < 0) {
	354	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	355	"GnuTLS: Error Reading Certificate '%s': %s",
	356	file, gnutls_strerror(ret));
	357	ret = -1;
	358	goto cleanup;
	359	}
	360	}
	361
	362	ret = gnutls_x509_crt_list_import(sc->certs_x509_crt_chain,
	363	&chain_num, &data, format,
	364	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
	365	gnutls_free(data.data);
	366	sc->certs_x509_chain_num = chain_num;
	367
	368	if (ret < 0) {
	369	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	370	"GnuTLS: Failed to Import Certificate Chain "
	371	"'%s': (%d) %s",
	372	file, ret, gnutls_strerror(ret));
	373	ret = -1;
	374	goto cleanup;
	375	}
	376
	377	for (unsigned int i = 0; i < chain_num; i++)
	378	{
	379	ret =
	380	gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
	381	sc->certs_x509_crt_chain[i], 0);
	382	if (ret < 0) {
	383	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	384	"GnuTLS: Failed to Import pCertificate "
	385	"'%s': (%d) %s",
	386	file, ret, gnutls_strerror(ret));
	387	ret = -1;
	388	goto cleanup;
	389	}
	390	}
	391	sc->certs_x509_chain_num = chain_num;
[e183628]	392	}
[671b64f]	393
[e2ba939]	394	if (sc->x509_key_file && sc->privkey_x509 == NULL)
	395	{
[81433f1]	396	ret = gnutls_privkey_init(&sc->privkey_x509);
	397	if (ret < 0) {
	398	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	399	"GnuTLS: Failed to initialize: (%d) %s", ret,
	400	gnutls_strerror(ret));
	401	ret = -1;
	402	goto cleanup;
	403	}
	404
	405	if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
	406	file = sc->x509_key_file;
	407
	408	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
	409	sc);
	410
	411	ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
	412
	413	if (ret < 0) {
	414	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	415	"GnuTLS: Failed to Import Private Key URL "
	416	"'%s': (%d) %s",
	417	file, ret, gnutls_strerror(ret));
	418	ret = -1;
	419	goto cleanup;
	420	}
	421	} else {
	422	file = ap_server_root_relative(spool, sc->x509_key_file);
	423
	424	if (load_datum_from_file(spool, file, &data) != 0) {
	425	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	426	"GnuTLS: Error Reading Private Key '%s'",
	427	file);
	428	ret = -1;
	429	goto cleanup;
	430	}
	431
	432	ret =
	433	gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
	434	GNUTLS_X509_FMT_PEM, sc->pin,
	435	0);
	436
	437	if (ret < 0) {
	438	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	439	"GnuTLS: Failed to Import Private Key "
	440	"'%s': (%d) %s",
	441	file, ret, gnutls_strerror(ret));
	442	ret = -1;
	443	goto cleanup;
	444	}
	445	}
[031acac]	446	}
[46b85d8]	447
[031acac]	448	/* Load the X.509 CA file */
[81433f1]	449	if (sc->x509_ca_file)
	450	{
	451	if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
	452	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	453	"GnuTLS: Error Reading " "Client CA File '%s'",
	454	sc->x509_ca_file);
	455	ret = -1;
	456	goto cleanup;
	457	}
	458
	459	ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
	460	&data, GNUTLS_X509_FMT_PEM, 0);
	461	if (ret < 0) {
	462	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	463	"GnuTLS: Failed to load "
	464	"Client CA File '%s': (%d) %s", sc->x509_ca_file,
	465	ret, gnutls_strerror(ret));
	466	ret = -1;
	467	goto cleanup;
	468	}
[031acac]	469	}
[3b4c0d0]	470
[81433f1]	471	if (sc->pgp_cert_file)
	472	{
	473	if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) {
	474	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	475	"GnuTLS: Error Reading " "Certificate '%s'",
	476	sc->pgp_cert_file);
	477	ret = -1;
	478	goto cleanup;
	479	}
	480
	481	ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]);
	482	if (ret < 0) {
	483	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	484	"GnuTLS: Failed to Init "
	485	"PGP Certificate: (%d) %s", ret,
	486	gnutls_strerror(ret));
	487	ret = -1;
	488	goto cleanup;
	489	}
	490
	491	ret = gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data,
	492	GNUTLS_OPENPGP_FMT_BASE64);
	493	if (ret < 0) {
	494	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	495	"GnuTLS: Failed to Import "
	496	"PGP Certificate: (%d) %s", ret,
	497	gnutls_strerror(ret));
	498	ret = -1;
	499	goto cleanup;
	500	}
	501
	502	ret = gnutls_pcert_import_openpgp(sc->cert_pgp,
	503	sc->cert_crt_pgp[0], 0);
	504	if (ret < 0) {
	505	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	506	"GnuTLS: Failed to Import "
	507	"PGP pCertificate: (%d) %s", ret,
	508	gnutls_strerror(ret));
	509	ret = -1;
	510	goto cleanup;
	511	}
[e183628]	512	}
	513
[031acac]	514	/* Load the PGP key file */
[45b7b83]	515	if (sc->pgp_key_file && sc->privkey_pgp == NULL)
	516	{
[81433f1]	517	if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) {
	518	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	519	"GnuTLS: Error Reading " "Private Key '%s'",
	520	sc->pgp_key_file);
	521	ret = -1;
	522	goto cleanup;
	523	}
	524
	525	ret = gnutls_privkey_init(&sc->privkey_pgp);
	526	if (ret < 0) {
	527	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	528	"GnuTLS: Failed to initialize"
	529	": (%d) %s", ret, gnutls_strerror(ret));
	530	ret = -1;
	531	goto cleanup;
	532	}
[031acac]	533
[d04f7da]	534	#if GNUTLS_VERSION_NUMBER < 0x030312
	535	/* GnuTLS versions before 3.3.12 contain a bug in
	536	* gnutls_privkey_import_openpgp_raw which frees data that is
	537	* accessed when the key is used, leading to segfault. Loading
	538	* the key into a gnutls_openpgp_privkey_t and then assigning
	539	* it to the gnutls_privkey_t works around the bug, hence this
	540	* chain of gnutls_openpgp_privkey_init,
[2cde8111]	541	* gnutls_openpgp_privkey_import and
[d04f7da]	542	* gnutls_privkey_import_openpgp. */
[2cde8111]	543	ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal);
[81433f1]	544	if (ret != 0) {
	545	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	546	"GnuTLS: Failed to initialize "
	547	"PGP Private Key '%s': (%d) %s",
	548	sc->pgp_key_file, ret, gnutls_strerror(ret));
	549	ret = -1;
	550	goto cleanup;
	551	}
[2cde8111]	552
	553	ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data,
	554	GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
[81433f1]	555	if (ret != 0) {
	556	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	557	"GnuTLS: Failed to Import "
	558	"PGP Private Key '%s': (%d) %s",
	559	sc->pgp_key_file, ret, gnutls_strerror(ret));
	560	ret = -1;
	561	goto cleanup;
	562	}
[2cde8111]	563
	564	ret = gnutls_privkey_import_openpgp(sc->privkey_pgp,
	565	sc->privkey_pgp_internal, 0);
	566	if (ret != 0)
	567	{
	568	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	569	"GnuTLS: Failed to assign PGP Private Key '%s' "
	570	"to gnutls_privkey_t structure: (%d) %s",
	571	sc->pgp_key_file, ret, gnutls_strerror(ret));
[81433f1]	572	ret = -1;
	573	goto cleanup;
	574	}
[d04f7da]	575	#else
	576	ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data,
	577	GNUTLS_OPENPGP_FMT_BASE64,
	578	NULL, NULL);
[81433f1]	579	if (ret != 0)
[d04f7da]	580	{
	581	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	582	"GnuTLS: Failed to Import "
	583	"PGP Private Key '%s': (%d) %s",
	584	sc->pgp_key_file, ret, gnutls_strerror(ret));
[81433f1]	585	ret = -1;
	586	goto cleanup;
	587	}
[d04f7da]	588	#endif
[e183628]	589	}
	590
[031acac]	591	/* Load the keyring file */
[45b7b83]	592	if (sc->pgp_ring_file && sc->pgp_list == NULL)
[81433f1]	593	{
	594	if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) {
	595	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	596	"GnuTLS: Error Reading " "Keyring File '%s'",
	597	sc->pgp_ring_file);
	598	ret = -1;
	599	goto cleanup;
	600	}
	601
	602	ret = gnutls_openpgp_keyring_init(&sc->pgp_list);
	603	if (ret < 0) {
	604	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	605	"GnuTLS: Failed to initialize"
	606	"keyring: (%d) %s", ret, gnutls_strerror(ret));
	607	ret = -1;
	608	goto cleanup;
	609	}
	610
	611	ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data,
	612	GNUTLS_OPENPGP_FMT_BASE64);
	613	if (ret < 0) {
	614	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	615	"GnuTLS: Failed to load "
	616	"Keyring File '%s': (%d) %s", sc->pgp_ring_file,
	617	ret, gnutls_strerror(ret));
	618	ret = -1;
	619	goto cleanup;
	620	}
[e183628]	621	}
[3b4c0d0]	622
[e2ba939]	623	if (sc->priorities_str && sc->priorities == NULL)
	624	{
[7314438]	625	const char *err;
	626	ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err);
[031acac]	627
[81433f1]	628	if (ret < 0) {
	629	if (ret == GNUTLS_E_INVALID_REQUEST) {
	630	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	631	"GnuTLS: Syntax error parsing priorities string at: %s",
	632	err);
	633	} else {
	634	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
	635	"GnuTLS: error parsing priorities string");
	636
	637	}
	638	ret = -1;
	639	goto cleanup;
	640	}
[031acac]	641	}
	642
	643	ret = 0;
[81433f1]	644	cleanup:
[e183628]	645	apr_pool_destroy(spool);
[3b4c0d0]	646
[031acac]	647	return ret;
[46b85d8]	648	}
	649
[031acac]	650	int mgs_pkcs11_reinit(server_rec * base_server)
	651	{
[e183628]	652	int ret;
[031acac]	653	server_rec *s;
	654	mgs_srvconf_rec *sc;
[e183628]	655
[031acac]	656	gnutls_pkcs11_reinit();
[e183628]	657
[031acac]	658	for (s = base_server; s; s = s->next) {
	659	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
[e183628]	660
[031acac]	661	/* gnutls caches the session in a private key, so we need to open
	662	* a new one */
	663	if (sc->x509_key_file && gnutls_url_is_supported(sc->x509_key_file) != 0) {
	664	gnutls_privkey_deinit(sc->privkey_x509);
[e183628]	665
[031acac]	666	ret = gnutls_privkey_init(&sc->privkey_x509);
	667	if (ret < 0) {
	668	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
	669	"GnuTLS: Failed to initialize: (%d) %s", ret,
	670	gnutls_strerror(ret));
	671	goto fail;
	672	}
	673
	674	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, sc);
	675
	676	ret = gnutls_privkey_import_url(sc->privkey_x509, sc->x509_key_file, 0);
	677	if (ret < 0) {
	678	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
	679	"GnuTLS: Failed to Re-Import Private Key URL '%s': (%d) %s",
	680	sc->x509_key_file, ret, gnutls_strerror(ret));
	681	goto fail;
	682	}
	683	}
[e183628]	684	}
	685
[031acac]	686	return 0;
	687
	688	fail:
	689	gnutls_privkey_deinit(sc->privkey_x509);
	690	return -1;
	691	}
	692
[1d9cfaf]	693	const char mgs_set_dh_file(cmd_parms parms, void *dummy __attribute__((unused)),
	694	const char *arg) {
[e183628]	695	mgs_srvconf_rec *sc =
[031acac]	696	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	697	module_config,
	698	&gnutls_module);
[e183628]	699
[031acac]	700	sc->dh_file = ap_server_root_relative(parms->pool, arg);
[e183628]	701
	702	return NULL;
[e5bbda4]	703	}
[e183628]	704
[1d9cfaf]	705	const char mgs_set_cert_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
[e183628]	706
	707	mgs_srvconf_rec *sc =
[031acac]	708	(mgs_srvconf_rec *) ap_get_module_config(parms->
	709	server->module_config,
	710	&gnutls_module);
[e183628]	711
[031acac]	712	sc->x509_cert_file = apr_pstrdup(parms->pool, arg);
[e183628]	713
	714	return NULL;
[031acac]	715
[e5bbda4]	716	}
	717
[1d9cfaf]	718	const char mgs_set_key_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
[031acac]	719
[e183628]	720	mgs_srvconf_rec *sc =
[031acac]	721	(mgs_srvconf_rec *) ap_get_module_config(parms->
	722	server->module_config,
	723	&gnutls_module);
[e183628]	724
[031acac]	725	sc->x509_key_file = apr_pstrdup(parms->pool, arg);
[e183628]	726
[031acac]	727	return NULL;
	728	}
[e183628]	729
[1d9cfaf]	730	const char mgs_set_pgpcert_file(cmd_parms parms, void *dummy __attribute__((unused)),
[259e835]	731	const char *arg)
	732	{
[031acac]	733	mgs_srvconf_rec *sc =
	734	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	735	module_config,
	736	&gnutls_module);
	737
	738	sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg);
	739
	740	return NULL;
	741	}
	742
[1d9cfaf]	743	const char mgs_set_pgpkey_file(cmd_parms parms, void *dummy __attribute__((unused)),
	744	const char *arg) {
[031acac]	745	mgs_srvconf_rec *sc =
	746	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	747	module_config,
	748	&gnutls_module);
	749
	750	sc->pgp_key_file = ap_server_root_relative(parms->pool, arg);
[e183628]	751
	752	return NULL;
[e5bbda4]	753	}
	754
[176047e]	755	const char mgs_set_tickets(cmd_parms parms,
	756	void *dummy __attribute__((unused)),
	757	const int arg)
	758	{
	759	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	760	ap_get_module_config(parms->server->module_config, &gnutls_module);
[e183628]	761
[176047e]	762	if (arg)
	763	sc->tickets = GNUTLS_ENABLED_TRUE;
	764	else
	765	sc->tickets = GNUTLS_ENABLED_FALSE;
[e183628]	766
	767	return NULL;
[ae233c2]	768	}
	769
[e5bbda4]	770
[787dab7]	771	#ifdef ENABLE_SRP
	772
[fd82e59]	773	const char mgs_set_srp_tpasswd_file(cmd_parms parms, void *dummy __attribute__((unused)),
[e183628]	774	const char *arg) {
	775	mgs_srvconf_rec *sc =
[031acac]	776	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	777	module_config,
	778	&gnutls_module);
[7bebb42]	779
[e183628]	780	sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg);
[7bebb42]	781
[e183628]	782	return NULL;
[7bebb42]	783	}
	784
[fd82e59]	785	const char mgs_set_srp_tpasswd_conf_file(cmd_parms parms, void *dummy __attribute__((unused)),
[e183628]	786	const char *arg) {
	787	mgs_srvconf_rec *sc =
[031acac]	788	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	789	module_config,
	790	&gnutls_module);
[7bebb42]	791
[031acac]	792	sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg);
[7bebb42]	793
[e183628]	794	return NULL;
[7bebb42]	795	}
	796
[787dab7]	797	#endif
	798
[fd82e59]	799	const char mgs_set_cache(cmd_parms parms, void *dummy __attribute__((unused)),
[e183628]	800	const char type, const char arg) {
	801	const char *err;
	802	mgs_srvconf_rec *sc =
[031acac]	803	ap_get_module_config(parms->server->module_config,
	804	&gnutls_module);
[e183628]	805	if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
[031acac]	806	return err;
[e183628]	807	}
	808
	809	if (strcasecmp("none", type) == 0) {
[031acac]	810	sc->cache_type = mgs_cache_none;
	811	sc->cache_config = NULL;
	812	return NULL;
[e183628]	813	} else if (strcasecmp("dbm", type) == 0) {
[031acac]	814	sc->cache_type = mgs_cache_dbm;
[e183628]	815	} else if (strcasecmp("gdbm", type) == 0) {
[031acac]	816	sc->cache_type = mgs_cache_gdbm;
[e183628]	817	}
[46b85d8]	818	#if HAVE_APR_MEMCACHE
[e183628]	819	else if (strcasecmp("memcache", type) == 0) {
[031acac]	820	sc->cache_type = mgs_cache_memcache;
[e183628]	821	}
[46b85d8]	822	#endif
[e183628]	823	else {
[031acac]	824	return "Invalid Type for GnuTLSCache!";
[e183628]	825	}
	826
	827	if (arg == NULL)
[031acac]	828	return "Invalid argument 2 for GnuTLSCache!";
[e183628]	829
	830	if (sc->cache_type == mgs_cache_dbm
[031acac]	831	\|\| sc->cache_type == mgs_cache_gdbm) {
	832	sc->cache_config = ap_server_root_relative(parms->pool, arg);
[e183628]	833	} else {
[031acac]	834	sc->cache_config = apr_pstrdup(parms->pool, arg);
[e183628]	835	}
	836
	837	return NULL;
[46b85d8]	838	}
	839
[70a1e5a]	840	const char mgs_set_timeout(cmd_parms parms,
	841	void *dummy __attribute__((unused)),
	842	const char *arg)
	843	{
[480aba1]	844	const char *err;
[70a1e5a]	845	if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
	846	return err;
[e183628]	847
[70a1e5a]	848	apr_int64_t argint = apr_atoi64(arg);
	849	if (argint < 0)
	850	return apr_psprintf(parms->pool, "%s: Invalid argument",
	851	parms->directive->directive);
[480aba1]	852
[70a1e5a]	853	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	854	ap_get_module_config(parms->server->module_config, &gnutls_module);
[e183628]	855
[70a1e5a]	856	if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
	857	sc->cache_timeout = apr_time_from_sec(argint);
	858	else if (!apr_strnatcasecmp(parms->directive->directive,
	859	"GnuTLSOCSPGraceTime"))
	860	sc->ocsp_grace_time = apr_time_from_sec(argint);
	861	else
	862	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
	863	return apr_psprintf(parms->pool,
	864	"mod_gnutls: %s called for invalid option '%s'",
	865	__func__, parms->directive->directive);
[e183628]	866
	867	return NULL;
[e02dd8c]	868	}
	869
[fd82e59]	870	const char mgs_set_client_verify_method(cmd_parms parms, void *dummy __attribute__((unused)),
[cf2b905]	871	const char *arg) {
	872	mgs_srvconf_rec sc = (mgs_srvconf_rec )ap_get_module_config(parms->server->module_config, &gnutls_module);
	873
	874	if (strcasecmp("cartel", arg) == 0) {
[031acac]	875	sc->client_verify_method = mgs_cvm_cartel;
[cf2b905]	876	} else if (strcasecmp("msva", arg) == 0) {
	877	#ifdef ENABLE_MSVA
[031acac]	878	sc->client_verify_method = mgs_cvm_msva;
[cf2b905]	879	#else
[031acac]	880	return "GnuTLSClientVerifyMethod: msva is not supported";
[cf2b905]	881	#endif
	882	} else {
[031acac]	883	return "GnuTLSClientVerifyMethod: Invalid argument";
[cf2b905]	884	}
	885
	886	return NULL;
	887	}
	888
[fd82e59]	889	const char mgs_set_client_verify(cmd_parms parms,
	890	void *dirconf,
	891	const char *arg) {
[e183628]	892	int mode;
	893
	894	if (strcasecmp("none", arg) == 0 \|\| strcasecmp("ignore", arg) == 0) {
[031acac]	895	mode = GNUTLS_CERT_IGNORE;
[e183628]	896	} else if (strcasecmp("optional", arg) == 0
[031acac]	897	\|\| strcasecmp("request", arg) == 0) {
	898	mode = GNUTLS_CERT_REQUEST;
[e183628]	899	} else if (strcasecmp("require", arg) == 0) {
[031acac]	900	mode = GNUTLS_CERT_REQUIRE;
[e183628]	901	} else {
[031acac]	902	return "GnuTLSClientVerify: Invalid argument";
[e183628]	903	}
	904
	905	/* This was set from a directory context */
	906	if (parms->path) {
[fd82e59]	907	mgs_dirconf_rec dc = (mgs_dirconf_rec ) dirconf;
[e183628]	908	dc->client_verify_mode = mode;
	909	} else {
[031acac]	910	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	911	ap_get_module_config(parms->server->module_config,
	912	&gnutls_module);
	913	sc->client_verify_mode = mode;
[e183628]	914	}
	915
	916	return NULL;
[46b85d8]	917	}
	918
[fd82e59]	919	const char mgs_set_client_ca_file(cmd_parms parms, void *dummy __attribute__((unused)),
[e183628]	920	const char *arg) {
	921	mgs_srvconf_rec *sc =
[031acac]	922	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	923	module_config,
	924	&gnutls_module);
[e183628]	925
[031acac]	926	sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
[e183628]	927
	928	return NULL;
[46b85d8]	929	}
	930
[fd82e59]	931	const char mgs_set_keyring_file(cmd_parms parms, void *dummy __attribute__((unused)),
[e183628]	932	const char *arg) {
	933	mgs_srvconf_rec *sc =
[031acac]	934	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
	935	module_config,
	936	&gnutls_module);
[e183628]	937
[031acac]	938	sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg);
[e183628]	939
	940	return NULL;
[e5bbda4]	941	}
	942
[176047e]	943	/*
	944	* Enable TLS proxy operation if arg is true, disable it otherwise.
	945	*/
	946	const char mgs_set_proxy_engine(cmd_parms parms,
	947	void *dummy __attribute__((unused)),
	948	const int arg)
	949	{
[031acac]	950	mgs_srvconf_rec sc = (mgs_srvconf_rec )
[176047e]	951	ap_get_module_config(parms->server->module_config, &gnutls_module);
[671b64f]	952
[176047e]	953	if (arg)
	954	sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
	955	else
	956	sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
[33826c5]	957
	958	return NULL;
	959	}
	960
[176047e]	961	/*
	962	* Enable TLS for the server/vhost if arg is true, disable it
	963	* otherwise.
	964	*/
	965	const char mgs_set_enabled(cmd_parms parms,
	966	void *dummy __attribute__((unused)),
	967	const int arg)
	968	{
	969	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	970	ap_get_module_config(parms->server->module_config, &gnutls_module);
	971
	972	if (arg)
	973	sc->enabled = GNUTLS_ENABLED_TRUE;
	974	else
	975	sc->enabled = GNUTLS_ENABLED_FALSE;
[e183628]	976
	977	return NULL;
[7bebb42]	978	}
	979
[fd82e59]	980	const char mgs_set_export_certificates_size(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
[7d1ab49]	981	mgs_srvconf_rec sc = (mgs_srvconf_rec ) ap_get_module_config(parms->server->module_config, &gnutls_module);
	982	if (!strcasecmp(arg, "On")) {
[031acac]	983	sc->export_certificates_size = 16 * 1024;
[7d1ab49]	984	} else if (!strcasecmp(arg, "Off")) {
[031acac]	985	sc->export_certificates_size = 0;
[7d1ab49]	986	} else {
[031acac]	987	char *endptr;
	988	sc->export_certificates_size = strtol(arg, &endptr, 10);
	989	while (apr_isspace(*endptr))
	990	endptr++;
	991	if (endptr == '\0' \|\| endptr == 'b' \|\| *endptr == 'B') {
	992	;
	993	} else if (endptr == 'k' \|\| endptr == 'K') {
	994	sc->export_certificates_size *= 1024;
	995	} else {
	996	return
	997	"GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
	998	}
[7d1ab49]	999	}
	1000
	1001	return NULL;
	1002	}
	1003
[e183628]	1004
[f030883]	1005
	1006	/*
[4133f2d]	1007	* Store GnuTLS priority strings. Used for GnuTLSPriorities and
	1008	* GnuTLSProxyPriorities.
[f030883]	1009	*/
	1010	const char mgs_set_priorities(cmd_parms parms,
	1011	void *dummy __attribute__((unused)),
	1012	const char *arg)
	1013	{
[671b64f]	1014	mgs_srvconf_rec sc = (mgs_srvconf_rec )
[f030883]	1015	ap_get_module_config(parms->server->module_config, &gnutls_module);
	1016
	1017	if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities"))
[2cde026d]	1018	sc->priorities_str = apr_pstrdup(parms->pool, arg);
[f030883]	1019	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities"))
[4133f2d]	1020	sc->proxy_priorities_str = apr_pstrdup(parms->pool, arg);
[f030883]	1021	else
	1022	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
	1023	return apr_psprintf(parms->pool,
	1024	"mod_gnutls: %s called for invalid option '%s'",
	1025	__func__, parms->directive->directive);
[3b4c0d0]	1026
[e183628]	1027	return NULL;
[46b85d8]	1028	}
	1029
[e183628]	1030
	1031
[259e835]	1032	const char mgs_set_pin(cmd_parms parms, void *dummy __attribute__((unused)),
	1033	const char *arg)
[031acac]	1034	{
[e183628]	1035
[031acac]	1036	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	1037	ap_get_module_config(parms->server->module_config, &gnutls_module);
[beb14d9]	1038
[031acac]	1039	sc->pin = apr_pstrdup(parms->pool, arg);
[0de1839]	1040
[e183628]	1041	return NULL;
[46b85d8]	1042	}
[0de1839]	1043
[259e835]	1044	const char mgs_set_srk_pin(cmd_parms parms,
	1045	void *dummy __attribute__((unused)),
	1046	const char *arg)
[031acac]	1047	{
[e183628]	1048
[031acac]	1049	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	1050	ap_get_module_config(parms->server->module_config, &gnutls_module);
[e183628]	1051
[031acac]	1052	sc->srk_pin = apr_pstrdup(parms->pool, arg);
[e183628]	1053
[031acac]	1054	return NULL;
	1055	}
	1056
[2cde026d]	1057
	1058
[031acac]	1059	static mgs_srvconf_rec _mgs_config_server_create(apr_pool_t p,
[259e835]	1060	char **err __attribute__((unused)))
[031acac]	1061	{
	1062	mgs_srvconf_rec sc = apr_pcalloc(p, sizeof(sc));
	1063
	1064	sc->enabled = GNUTLS_ENABLED_UNSET;
[787dab7]	1065
[e183628]	1066	sc->privkey_x509 = NULL;
[e2ba939]	1067	sc->anon_creds = NULL;
	1068	#ifdef ENABLE_SRP
	1069	sc->srp_creds = NULL;
	1070	#endif
	1071	sc->certs = NULL;
[3b4c0d0]	1072	sc->certs_x509_chain_num = 0;
[9ca1f21]	1073	sc->p11_modules = NULL;
[2cde026d]	1074	sc->pin = NULL;
[45b7b83]	1075
	1076	sc->privkey_pgp = NULL;
	1077	#if GNUTLS_VERSION_NUMBER < 0x030312
	1078	sc->privkey_pgp_internal = NULL;
	1079	#endif
	1080	sc->pgp_list = NULL;
	1081
[2cde026d]	1082	sc->priorities_str = NULL;
[031acac]	1083	sc->cache_timeout = -1; /* -1 means "unset" */
[040387c]	1084	sc->cache_type = mgs_cache_unset;
[8400c2e]	1085	sc->cache_config = NULL;
[e809fb3]	1086	sc->cache = NULL;
[040387c]	1087	sc->tickets = GNUTLS_ENABLED_UNSET;
	1088	sc->priorities = NULL;
	1089	sc->dh_params = NULL;
[db9ef68]	1090	sc->ca_list = NULL;
	1091	sc->ca_list_size = 0;
[040387c]	1092	sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
[2aaf4f5]	1093	sc->export_certificates_size = -1;
[671b64f]	1094	sc->client_verify_method = mgs_cvm_unset;
	1095
[2cde026d]	1096	sc->proxy_x509_key_file = NULL;
	1097	sc->proxy_x509_cert_file = NULL;
	1098	sc->proxy_x509_ca_file = NULL;
	1099	sc->proxy_x509_crl_file = NULL;
[4133f2d]	1100	sc->proxy_priorities_str = NULL;
[2cde026d]	1101	sc->proxy_priorities = NULL;
	1102
[94cb972]	1103	sc->ocsp_response_file = NULL;
[d6834e0]	1104	sc->ocsp_mutex = NULL;
[70a1e5a]	1105	sc->ocsp_grace_time = apr_time_from_sec(MGS_GRACE_TIME);
[94cb972]	1106
[040387c]	1107	/* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
[671b64f]	1108	sc->client_verify_mode = -1;
[7bebb42]	1109
[040387c]	1110	return sc;
	1111	}
	1112
[fd82e59]	1113	void mgs_config_server_create(apr_pool_t p,
	1114	server_rec * s __attribute__((unused))) {
[040387c]	1115	char *err = NULL;
	1116	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
[031acac]	1117	if (sc)
	1118	return sc;
	1119	else
	1120	return err;
[040387c]	1121	}
	1122
	1123	#define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t
	1124	#define gnutls_srvconf_assign(t) sc->t = add->t
	1125
[031acac]	1126	void mgs_config_server_merge(apr_pool_t p, void BASE, void ADD)
	1127	{
[040387c]	1128	int i;
	1129	char *err = NULL;
[031acac]	1130	mgs_srvconf_rec base = (mgs_srvconf_rec ) BASE;
	1131	mgs_srvconf_rec add = (mgs_srvconf_rec ) ADD;
[040387c]	1132	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
[031acac]	1133	if (NULL == sc)
	1134	return err;
[040387c]	1135
	1136	gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET);
	1137	gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
	1138	gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
[2aaf4f5]	1139	gnutls_srvconf_merge(export_certificates_size, -1);
[cf2b905]	1140	gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
[040387c]	1141	gnutls_srvconf_merge(client_verify_mode, -1);
	1142	gnutls_srvconf_merge(srp_tpasswd_file, NULL);
	1143	gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL);
[031acac]	1144	gnutls_srvconf_merge(x509_cert_file, NULL);
	1145
	1146	gnutls_srvconf_merge(x509_key_file, NULL);
	1147	gnutls_srvconf_merge(x509_ca_file, NULL);
[9ca1f21]	1148	gnutls_srvconf_merge(p11_modules, NULL);
[031acac]	1149	gnutls_srvconf_merge(pin, NULL);
	1150	gnutls_srvconf_merge(pgp_cert_file, NULL);
	1151	gnutls_srvconf_merge(pgp_key_file, NULL);
	1152	gnutls_srvconf_merge(pgp_ring_file, NULL);
	1153	gnutls_srvconf_merge(dh_file, NULL);
	1154	gnutls_srvconf_merge(priorities_str, NULL);
[040387c]	1155
[0de1839]	1156	gnutls_srvconf_merge(proxy_x509_key_file, NULL);
	1157	gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
	1158	gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
[809c422]	1159	gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
[4133f2d]	1160	gnutls_srvconf_merge(proxy_priorities_str, NULL);
[f030883]	1161	gnutls_srvconf_merge(proxy_priorities, NULL);
[0de1839]	1162
[fad7695]	1163	gnutls_srvconf_assign(ocsp_response_file);
[70a1e5a]	1164	gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));
[94cb972]	1165
[040387c]	1166	/* FIXME: the following items are pre-allocated, and should be
	1167	* properly disposed of before assigning in order to avoid leaks;
	1168	* so at the moment, we can't actually have them in the config.
[031acac]	1169	* what happens during de-allocation? */
[2cde026d]	1170	/* TODO: mgs_load_files takes care of most of these now, verify
	1171	* and clean up the following lines */
[031acac]	1172	gnutls_srvconf_assign(ca_list);
	1173	gnutls_srvconf_assign(ca_list_size);
	1174	gnutls_srvconf_assign(cert_pgp);
	1175	gnutls_srvconf_assign(cert_crt_pgp);
	1176	gnutls_srvconf_assign(pgp_list);
[040387c]	1177	gnutls_srvconf_assign(certs);
	1178	gnutls_srvconf_assign(anon_creds);
	1179	gnutls_srvconf_assign(srp_creds);
	1180	gnutls_srvconf_assign(certs_x509_chain);
[031acac]	1181	gnutls_srvconf_assign(certs_x509_crt_chain);
[040387c]	1182	gnutls_srvconf_assign(certs_x509_chain_num);
	1183
	1184	/* how do these get transferred cleanly before the data from ADD
	1185	* goes away? */
	1186	gnutls_srvconf_assign(cert_cn);
	1187	for (i = 0; i < MAX_CERT_SAN; i++)
[031acac]	1188	gnutls_srvconf_assign(cert_san[i]);
[7bebb42]	1189
[e183628]	1190	return sc;
[46b85d8]	1191	}
	1192
[040387c]	1193	#undef gnutls_srvconf_merge
	1194	#undef gnutls_srvconf_assign
	1195
[fd82e59]	1196	void mgs_config_dir_merge(apr_pool_t p,
	1197	void *basev __attribute__((unused)),
	1198	void *addv __attribute__((unused))) {
[e183628]	1199	mgs_dirconf_rec *new;
	1200	/* mgs_dirconf_rec base = (mgs_dirconf_rec ) basev; */
	1201	mgs_dirconf_rec add = (mgs_dirconf_rec ) addv;
[e02dd8c]	1202
[031acac]	1203	new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec));
[e183628]	1204	new->client_verify_mode = add->client_verify_mode;
	1205	return new;
[84cb5b2]	1206	}
	1207
[fd82e59]	1208	void mgs_config_dir_create(apr_pool_t p,
	1209	char *dir __attribute__((unused))) {
[e183628]	1210	mgs_dirconf_rec dc = apr_palloc(p, sizeof (dc));
	1211	dc->client_verify_mode = -1;
	1212	return dc;
[46b85d8]	1213	}
[040387c]	1214
[2cde026d]	1215
	1216
[0de1839]	1217	/*
	1218	* Store paths to proxy credentials
	1219	*
	1220	* This function copies the paths provided in the configuration file
	1221	* into the server configuration. The post configuration hook takes
	1222	* care of actually loading the credentials, which means than invalid
	1223	* paths or the like will be detected there.
	1224	*/
	1225	const char mgs_store_cred_path(cmd_parms parms,
	1226	void *dummy __attribute__((unused)),
	1227	const char *arg)
	1228	{
	1229	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	1230	ap_get_module_config(parms->server->module_config, &gnutls_module);
	1231
	1232	/* parms->directive->directive contains the directive string */
	1233	if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
	1234	sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
	1235	else if (!strcasecmp(parms->directive->directive,
	1236	"GnuTLSProxyCertificateFile"))
	1237	sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
	1238	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
	1239	sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
[809c422]	1240	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCRLFile"))
	1241	sc->proxy_x509_crl_file = apr_pstrdup(parms->pool, arg);
[0de1839]	1242	return NULL;
	1243	}
[87f1ed2]	1244
	1245
	1246
	1247	/*
[7764015]	1248	* Record PKCS #11 module to load. Note that the value is only used in
	1249	* the base config, settings in virtual hosts are ignored.
[87f1ed2]	1250	*/
	1251	const char mgs_set_p11_module(cmd_parms parms,
	1252	void *dummy __attribute__((unused)),
	1253	const char *arg)
	1254	{
	1255	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	1256	ap_get_module_config(parms->server->module_config, &gnutls_module);
[9ca1f21]	1257	/* initialize PKCS #11 module list if necessary */
	1258	if (sc->p11_modules == NULL)
	1259	sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
	1260
	1261	(char *) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
	1262
[87f1ed2]	1263	return NULL;
	1264	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_config.c @ eee1432

Download in other formats: