1 | /** |
---|
2 | * Copyright 2004-2005 Paul Querna |
---|
3 | * Copyright 2008 Nikos Mavrogiannopoulos |
---|
4 | * Copyright 2011 Dash Shendy |
---|
5 | * |
---|
6 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
7 | * you may not use this file except in compliance with the License. |
---|
8 | * You may obtain a copy of the License at |
---|
9 | * |
---|
10 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
11 | * |
---|
12 | * Unless required by applicable law or agreed to in writing, software |
---|
13 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
15 | * See the License for the specific language governing permissions and |
---|
16 | * limitations under the License. |
---|
17 | * |
---|
18 | */ |
---|
19 | |
---|
20 | #include "mod_gnutls.h" |
---|
21 | |
---|
22 | static int load_datum_from_file(apr_pool_t * pool, |
---|
23 | const char *file, gnutls_datum_t * data) { |
---|
24 | apr_file_t *fp; |
---|
25 | apr_finfo_t finfo; |
---|
26 | apr_status_t rv; |
---|
27 | apr_size_t br = 0; |
---|
28 | |
---|
29 | rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, |
---|
30 | APR_OS_DEFAULT, pool); |
---|
31 | if (rv != APR_SUCCESS) { |
---|
32 | return rv; |
---|
33 | } |
---|
34 | |
---|
35 | rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp); |
---|
36 | |
---|
37 | if (rv != APR_SUCCESS) { |
---|
38 | return rv; |
---|
39 | } |
---|
40 | |
---|
41 | data->data = apr_palloc(pool, finfo.size + 1); |
---|
42 | rv = apr_file_read_full(fp, data->data, finfo.size, &br); |
---|
43 | |
---|
44 | if (rv != APR_SUCCESS) { |
---|
45 | return rv; |
---|
46 | } |
---|
47 | apr_file_close(fp); |
---|
48 | |
---|
49 | data->data[br] = '\0'; |
---|
50 | data->size = br; |
---|
51 | |
---|
52 | return 0; |
---|
53 | } |
---|
54 | |
---|
55 | const char *mgs_set_dh_file(cmd_parms * parms, void *dummy, |
---|
56 | const char *arg) { |
---|
57 | int ret; |
---|
58 | gnutls_datum_t data; |
---|
59 | const char *file; |
---|
60 | apr_pool_t *spool; |
---|
61 | mgs_srvconf_rec *sc = |
---|
62 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
63 | module_config, |
---|
64 | &gnutls_module); |
---|
65 | |
---|
66 | apr_pool_create(&spool, parms->pool); |
---|
67 | |
---|
68 | file = ap_server_root_relative(spool, arg); |
---|
69 | |
---|
70 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
71 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
72 | "DH params '%s'", file); |
---|
73 | } |
---|
74 | |
---|
75 | ret = gnutls_dh_params_init(&sc->dh_params); |
---|
76 | if (ret < 0) { |
---|
77 | return apr_psprintf(parms->pool, |
---|
78 | "GnuTLS: Failed to initialize" |
---|
79 | ": (%d) %s", ret, |
---|
80 | gnutls_strerror(ret)); |
---|
81 | } |
---|
82 | |
---|
83 | ret = |
---|
84 | gnutls_dh_params_import_pkcs3(sc->dh_params, &data, |
---|
85 | GNUTLS_X509_FMT_PEM); |
---|
86 | if (ret < 0) { |
---|
87 | return apr_psprintf(parms->pool, |
---|
88 | "GnuTLS: Failed to Import " |
---|
89 | "DH params '%s': (%d) %s", file, ret, |
---|
90 | gnutls_strerror(ret)); |
---|
91 | } |
---|
92 | |
---|
93 | apr_pool_destroy(spool); |
---|
94 | |
---|
95 | return NULL; |
---|
96 | } |
---|
97 | |
---|
98 | const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, const char *arg) { |
---|
99 | |
---|
100 | int ret; |
---|
101 | gnutls_datum_t data; |
---|
102 | const char *file; |
---|
103 | apr_pool_t *spool; |
---|
104 | |
---|
105 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
106 | apr_pool_create(&spool, parms->pool); |
---|
107 | |
---|
108 | file = ap_server_root_relative(spool, arg); |
---|
109 | |
---|
110 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
111 | apr_pool_destroy(spool); |
---|
112 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading Certificate '%s'", file); |
---|
113 | } |
---|
114 | |
---|
115 | sc->certs_x509_chain_num = MAX_CHAIN_SIZE; |
---|
116 | ret = gnutls_x509_crt_list_import(sc->certs_x509_chain, &sc->certs_x509_chain_num, &data, GNUTLS_X509_FMT_PEM, 0); |
---|
117 | if (ret < 0) { |
---|
118 | apr_pool_destroy(spool); |
---|
119 | return apr_psprintf(parms->pool, "GnuTLS: Failed to Import Certificate '%s': (%d) %s", file, ret, gnutls_strerror(ret)); |
---|
120 | } |
---|
121 | |
---|
122 | apr_pool_destroy(spool); |
---|
123 | return NULL; |
---|
124 | |
---|
125 | } |
---|
126 | |
---|
127 | const char *mgs_set_key_file(cmd_parms * parms, void *dummy, const char *arg) { |
---|
128 | |
---|
129 | int ret; |
---|
130 | gnutls_datum_t data; |
---|
131 | const char *file; |
---|
132 | apr_pool_t *spool; |
---|
133 | |
---|
134 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
135 | |
---|
136 | apr_pool_create(&spool, parms->pool); |
---|
137 | |
---|
138 | file = ap_server_root_relative(spool, arg); |
---|
139 | |
---|
140 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
141 | apr_pool_destroy(spool); |
---|
142 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading Private Key '%s'", file); |
---|
143 | } |
---|
144 | |
---|
145 | ret = gnutls_x509_privkey_init(&sc->privkey_x509); |
---|
146 | |
---|
147 | if (ret < 0) { |
---|
148 | apr_pool_destroy(spool); |
---|
149 | return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize: (%d) %s", ret, gnutls_strerror(ret)); |
---|
150 | } |
---|
151 | |
---|
152 | ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM); |
---|
153 | |
---|
154 | if (ret < 0) { |
---|
155 | ret = gnutls_x509_privkey_import_pkcs8(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM, NULL, GNUTLS_PKCS_PLAIN); |
---|
156 | } |
---|
157 | |
---|
158 | if (ret < 0) { |
---|
159 | apr_pool_destroy(spool); |
---|
160 | return apr_psprintf(parms->pool, "GnuTLS: Failed to Import Private Key '%s': (%d) %s", file, ret, gnutls_strerror(ret)); |
---|
161 | } |
---|
162 | |
---|
163 | apr_pool_destroy(spool); |
---|
164 | |
---|
165 | return NULL; |
---|
166 | } |
---|
167 | |
---|
168 | const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy, |
---|
169 | const char *arg) { |
---|
170 | int ret; |
---|
171 | gnutls_datum_t data; |
---|
172 | const char *file; |
---|
173 | apr_pool_t *spool; |
---|
174 | mgs_srvconf_rec *sc = |
---|
175 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
176 | module_config, |
---|
177 | &gnutls_module); |
---|
178 | apr_pool_create(&spool, parms->pool); |
---|
179 | |
---|
180 | file = ap_server_root_relative(spool, arg); |
---|
181 | |
---|
182 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
183 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
184 | "Certificate '%s'", file); |
---|
185 | } |
---|
186 | |
---|
187 | ret = gnutls_openpgp_crt_init(&sc->cert_pgp); |
---|
188 | if (ret < 0) { |
---|
189 | return apr_psprintf(parms->pool, "GnuTLS: Failed to Init " |
---|
190 | "PGP Certificate: (%d) %s", ret, |
---|
191 | gnutls_strerror(ret)); |
---|
192 | } |
---|
193 | |
---|
194 | ret = |
---|
195 | gnutls_openpgp_crt_import(sc->cert_pgp, &data, |
---|
196 | GNUTLS_OPENPGP_FMT_BASE64); |
---|
197 | if (ret < 0) { |
---|
198 | return apr_psprintf(parms->pool, |
---|
199 | "GnuTLS: Failed to Import " |
---|
200 | "PGP Certificate '%s': (%d) %s", file, |
---|
201 | ret, gnutls_strerror(ret)); |
---|
202 | } |
---|
203 | |
---|
204 | apr_pool_destroy(spool); |
---|
205 | return NULL; |
---|
206 | } |
---|
207 | |
---|
208 | const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy, |
---|
209 | const char *arg) { |
---|
210 | int ret; |
---|
211 | gnutls_datum_t data; |
---|
212 | const char *file; |
---|
213 | apr_pool_t *spool; |
---|
214 | mgs_srvconf_rec *sc = |
---|
215 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
216 | module_config, |
---|
217 | &gnutls_module); |
---|
218 | apr_pool_create(&spool, parms->pool); |
---|
219 | |
---|
220 | file = ap_server_root_relative(spool, arg); |
---|
221 | |
---|
222 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
223 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
224 | "Private Key '%s'", file); |
---|
225 | } |
---|
226 | |
---|
227 | ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp); |
---|
228 | if (ret < 0) { |
---|
229 | return apr_psprintf(parms->pool, |
---|
230 | "GnuTLS: Failed to initialize" |
---|
231 | ": (%d) %s", ret, |
---|
232 | gnutls_strerror(ret)); |
---|
233 | } |
---|
234 | |
---|
235 | ret = |
---|
236 | gnutls_openpgp_privkey_import(sc->privkey_pgp, &data, |
---|
237 | GNUTLS_OPENPGP_FMT_BASE64, NULL, |
---|
238 | 0); |
---|
239 | if (ret != 0) { |
---|
240 | return apr_psprintf(parms->pool, |
---|
241 | "GnuTLS: Failed to Import " |
---|
242 | "PGP Private Key '%s': (%d) %s", file, |
---|
243 | ret, gnutls_strerror(ret)); |
---|
244 | } |
---|
245 | apr_pool_destroy(spool); |
---|
246 | return NULL; |
---|
247 | } |
---|
248 | |
---|
249 | const char *mgs_set_tickets(cmd_parms * parms, void *dummy, |
---|
250 | const char *arg) { |
---|
251 | mgs_srvconf_rec *sc = |
---|
252 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
253 | module_config, |
---|
254 | &gnutls_module); |
---|
255 | |
---|
256 | sc->tickets = 0; |
---|
257 | if (strcasecmp("on", arg) == 0) { |
---|
258 | sc->tickets = 1; |
---|
259 | } |
---|
260 | |
---|
261 | return NULL; |
---|
262 | } |
---|
263 | |
---|
264 | |
---|
265 | #ifdef ENABLE_SRP |
---|
266 | |
---|
267 | const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy, |
---|
268 | const char *arg) { |
---|
269 | mgs_srvconf_rec *sc = |
---|
270 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
271 | module_config, |
---|
272 | &gnutls_module); |
---|
273 | |
---|
274 | sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg); |
---|
275 | |
---|
276 | return NULL; |
---|
277 | } |
---|
278 | |
---|
279 | const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy, |
---|
280 | const char *arg) { |
---|
281 | mgs_srvconf_rec *sc = |
---|
282 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
283 | module_config, |
---|
284 | &gnutls_module); |
---|
285 | |
---|
286 | sc->srp_tpasswd_conf_file = |
---|
287 | ap_server_root_relative(parms->pool, arg); |
---|
288 | |
---|
289 | return NULL; |
---|
290 | } |
---|
291 | |
---|
292 | #endif |
---|
293 | |
---|
294 | const char *mgs_set_cache(cmd_parms * parms, void *dummy, |
---|
295 | const char *type, const char *arg) { |
---|
296 | const char *err; |
---|
297 | mgs_srvconf_rec *sc = |
---|
298 | ap_get_module_config(parms->server->module_config, |
---|
299 | &gnutls_module); |
---|
300 | if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { |
---|
301 | return err; |
---|
302 | } |
---|
303 | |
---|
304 | if (strcasecmp("none", type) == 0) { |
---|
305 | sc->cache_type = mgs_cache_none; |
---|
306 | sc->cache_config = NULL; |
---|
307 | return NULL; |
---|
308 | } else if (strcasecmp("dbm", type) == 0) { |
---|
309 | sc->cache_type = mgs_cache_dbm; |
---|
310 | } else if (strcasecmp("gdbm", type) == 0) { |
---|
311 | sc->cache_type = mgs_cache_gdbm; |
---|
312 | } |
---|
313 | #if HAVE_APR_MEMCACHE |
---|
314 | else if (strcasecmp("memcache", type) == 0) { |
---|
315 | sc->cache_type = mgs_cache_memcache; |
---|
316 | } |
---|
317 | #endif |
---|
318 | else { |
---|
319 | return "Invalid Type for GnuTLSCache!"; |
---|
320 | } |
---|
321 | |
---|
322 | if (arg == NULL) |
---|
323 | return "Invalid argument 2 for GnuTLSCache!"; |
---|
324 | |
---|
325 | if (sc->cache_type == mgs_cache_dbm |
---|
326 | || sc->cache_type == mgs_cache_gdbm) { |
---|
327 | sc->cache_config = |
---|
328 | ap_server_root_relative(parms->pool, arg); |
---|
329 | } else { |
---|
330 | sc->cache_config = apr_pstrdup(parms->pool, arg); |
---|
331 | } |
---|
332 | |
---|
333 | return NULL; |
---|
334 | } |
---|
335 | |
---|
336 | const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy, |
---|
337 | const char *arg) { |
---|
338 | int argint; |
---|
339 | const char *err; |
---|
340 | mgs_srvconf_rec *sc = |
---|
341 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
342 | module_config, |
---|
343 | &gnutls_module); |
---|
344 | |
---|
345 | if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { |
---|
346 | return err; |
---|
347 | } |
---|
348 | |
---|
349 | argint = atoi(arg); |
---|
350 | |
---|
351 | if (argint < 0) { |
---|
352 | return "GnuTLSCacheTimeout: Invalid argument"; |
---|
353 | } else if (argint == 0) { |
---|
354 | sc->cache_timeout = 0; |
---|
355 | } else { |
---|
356 | sc->cache_timeout = apr_time_from_sec(argint); |
---|
357 | } |
---|
358 | |
---|
359 | return NULL; |
---|
360 | } |
---|
361 | |
---|
362 | const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, |
---|
363 | const char *arg) { |
---|
364 | int mode; |
---|
365 | |
---|
366 | if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) { |
---|
367 | mode = GNUTLS_CERT_IGNORE; |
---|
368 | } else if (strcasecmp("optional", arg) == 0 |
---|
369 | || strcasecmp("request", arg) == 0) { |
---|
370 | mode = GNUTLS_CERT_REQUEST; |
---|
371 | } else if (strcasecmp("require", arg) == 0) { |
---|
372 | mode = GNUTLS_CERT_REQUIRE; |
---|
373 | } else { |
---|
374 | return "GnuTLSClientVerify: Invalid argument"; |
---|
375 | } |
---|
376 | |
---|
377 | /* This was set from a directory context */ |
---|
378 | if (parms->path) { |
---|
379 | mgs_dirconf_rec *dc = (mgs_dirconf_rec *) dummy; |
---|
380 | dc->client_verify_mode = mode; |
---|
381 | } else { |
---|
382 | mgs_srvconf_rec *sc = |
---|
383 | (mgs_srvconf_rec *) |
---|
384 | ap_get_module_config(parms->server->module_config, |
---|
385 | &gnutls_module); |
---|
386 | sc->client_verify_mode = mode; |
---|
387 | } |
---|
388 | |
---|
389 | return NULL; |
---|
390 | } |
---|
391 | |
---|
392 | #define INIT_CA_SIZE 128 |
---|
393 | |
---|
394 | const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, |
---|
395 | const char *arg) { |
---|
396 | int rv; |
---|
397 | const char *file; |
---|
398 | apr_pool_t *spool; |
---|
399 | gnutls_datum_t data; |
---|
400 | |
---|
401 | mgs_srvconf_rec *sc = |
---|
402 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
403 | module_config, |
---|
404 | &gnutls_module); |
---|
405 | apr_pool_create(&spool, parms->pool); |
---|
406 | |
---|
407 | file = ap_server_root_relative(spool, arg); |
---|
408 | |
---|
409 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
410 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
411 | "Client CA File '%s'", file); |
---|
412 | } |
---|
413 | |
---|
414 | sc->ca_list_size = INIT_CA_SIZE; |
---|
415 | sc->ca_list = malloc(sc->ca_list_size * sizeof (*sc->ca_list)); |
---|
416 | if (sc->ca_list == NULL) { |
---|
417 | return apr_psprintf(parms->pool, |
---|
418 | "mod_gnutls: Memory allocation error"); |
---|
419 | } |
---|
420 | |
---|
421 | rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, |
---|
422 | &data, GNUTLS_X509_FMT_PEM, |
---|
423 | GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); |
---|
424 | if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) { |
---|
425 | return apr_psprintf(parms->pool, "GnuTLS: Failed to load " |
---|
426 | "Client CA File '%s': (%d) %s", file, |
---|
427 | rv, gnutls_strerror(rv)); |
---|
428 | } |
---|
429 | |
---|
430 | if (INIT_CA_SIZE < sc->ca_list_size) { |
---|
431 | sc->ca_list = |
---|
432 | realloc(sc->ca_list, |
---|
433 | sc->ca_list_size * sizeof (*sc->ca_list)); |
---|
434 | if (sc->ca_list == NULL) { |
---|
435 | return apr_psprintf(parms->pool, |
---|
436 | "mod_gnutls: Memory allocation error"); |
---|
437 | } |
---|
438 | |
---|
439 | /* re-read */ |
---|
440 | rv = gnutls_x509_crt_list_import(sc->ca_list, |
---|
441 | &sc->ca_list_size, &data, |
---|
442 | GNUTLS_X509_FMT_PEM, 0); |
---|
443 | |
---|
444 | if (rv < 0) { |
---|
445 | return apr_psprintf(parms->pool, |
---|
446 | "GnuTLS: Failed to load " |
---|
447 | "Client CA File '%s': (%d) %s", |
---|
448 | file, rv, gnutls_strerror(rv)); |
---|
449 | } |
---|
450 | } |
---|
451 | |
---|
452 | apr_pool_destroy(spool); |
---|
453 | return NULL; |
---|
454 | } |
---|
455 | |
---|
456 | const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy, |
---|
457 | const char *arg) { |
---|
458 | int rv; |
---|
459 | const char *file; |
---|
460 | apr_pool_t *spool; |
---|
461 | gnutls_datum_t data; |
---|
462 | |
---|
463 | mgs_srvconf_rec *sc = |
---|
464 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
465 | module_config, |
---|
466 | &gnutls_module); |
---|
467 | apr_pool_create(&spool, parms->pool); |
---|
468 | |
---|
469 | file = ap_server_root_relative(spool, arg); |
---|
470 | |
---|
471 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
472 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
473 | "Keyring File '%s'", file); |
---|
474 | } |
---|
475 | |
---|
476 | rv = gnutls_openpgp_keyring_init(&sc->pgp_list); |
---|
477 | if (rv < 0) { |
---|
478 | return apr_psprintf(parms->pool, |
---|
479 | "GnuTLS: Failed to initialize" |
---|
480 | "keyring: (%d) %s", rv, |
---|
481 | gnutls_strerror(rv)); |
---|
482 | } |
---|
483 | |
---|
484 | rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, |
---|
485 | GNUTLS_OPENPGP_FMT_BASE64); |
---|
486 | if (rv < 0) { |
---|
487 | return apr_psprintf(parms->pool, "GnuTLS: Failed to load " |
---|
488 | "Keyring File '%s': (%d) %s", file, rv, |
---|
489 | gnutls_strerror(rv)); |
---|
490 | } |
---|
491 | |
---|
492 | apr_pool_destroy(spool); |
---|
493 | return NULL; |
---|
494 | } |
---|
495 | |
---|
496 | const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, |
---|
497 | const char *arg) { |
---|
498 | |
---|
499 | mgs_srvconf_rec *sc =(mgs_srvconf_rec *) |
---|
500 | ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
501 | |
---|
502 | if (!strcasecmp(arg, "On")) { |
---|
503 | sc->proxy_enabled = GNUTLS_ENABLED_TRUE; |
---|
504 | } else if (!strcasecmp(arg, "Off")) { |
---|
505 | sc->proxy_enabled = GNUTLS_ENABLED_FALSE; |
---|
506 | } else { |
---|
507 | return "SSLProxyEngine must be set to 'On' or 'Off'"; |
---|
508 | } |
---|
509 | |
---|
510 | return NULL; |
---|
511 | } |
---|
512 | |
---|
513 | const char *mgs_set_enabled(cmd_parms * parms, void *dummy, |
---|
514 | const char *arg) { |
---|
515 | mgs_srvconf_rec *sc = |
---|
516 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
517 | module_config, |
---|
518 | &gnutls_module); |
---|
519 | if (!strcasecmp(arg, "On")) { |
---|
520 | sc->enabled = GNUTLS_ENABLED_TRUE; |
---|
521 | } else if (!strcasecmp(arg, "Off")) { |
---|
522 | sc->enabled = GNUTLS_ENABLED_FALSE; |
---|
523 | } else { |
---|
524 | return "GnuTLSEnable must be set to 'On' or 'Off'"; |
---|
525 | } |
---|
526 | |
---|
527 | return NULL; |
---|
528 | } |
---|
529 | |
---|
530 | const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) { |
---|
531 | |
---|
532 | int ret; |
---|
533 | const char *err; |
---|
534 | |
---|
535 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) |
---|
536 | ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
537 | |
---|
538 | ret = gnutls_priority_init(&sc->priorities, arg, &err); |
---|
539 | |
---|
540 | if (ret < 0) { |
---|
541 | if (ret == GNUTLS_E_INVALID_REQUEST) { |
---|
542 | return apr_psprintf(parms->pool, |
---|
543 | "GnuTLS: Syntax error parsing priorities string at: %s", err); |
---|
544 | } |
---|
545 | return "Error setting priorities"; |
---|
546 | } |
---|
547 | |
---|
548 | return NULL; |
---|
549 | } |
---|
550 | |
---|
551 | static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, char** err) { |
---|
552 | mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof (*sc)); |
---|
553 | int ret; |
---|
554 | |
---|
555 | sc->enabled = GNUTLS_ENABLED_UNSET; |
---|
556 | |
---|
557 | ret = gnutls_certificate_allocate_credentials(&sc->certs); |
---|
558 | if (ret < 0) { |
---|
559 | *err = apr_psprintf(p, "GnuTLS: Failed to initialize" |
---|
560 | ": (%d) %s", ret, |
---|
561 | gnutls_strerror(ret)); |
---|
562 | return NULL; |
---|
563 | } |
---|
564 | |
---|
565 | ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds); |
---|
566 | if (ret < 0) { |
---|
567 | *err = apr_psprintf(p, "GnuTLS: Failed to initialize" |
---|
568 | ": (%d) %s", ret, |
---|
569 | gnutls_strerror(ret)); |
---|
570 | return NULL; |
---|
571 | } |
---|
572 | #ifdef ENABLE_SRP |
---|
573 | ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); |
---|
574 | if (ret < 0) { |
---|
575 | *err = apr_psprintf(p, "GnuTLS: Failed to initialize" |
---|
576 | ": (%d) %s", ret, |
---|
577 | gnutls_strerror(ret)); |
---|
578 | return NULL; |
---|
579 | } |
---|
580 | |
---|
581 | sc->srp_tpasswd_conf_file = NULL; |
---|
582 | sc->srp_tpasswd_file = NULL; |
---|
583 | #endif |
---|
584 | |
---|
585 | sc->privkey_x509 = NULL; |
---|
586 | /* Initialize all Certificate Chains */ |
---|
587 | /* FIXME: how do we indicate that this is unset for a merge? (that |
---|
588 | * is, how can a subordinate server override the chain by setting |
---|
589 | * an empty one? what would that even look like in the |
---|
590 | * configuration?) */ |
---|
591 | sc->certs_x509_chain = malloc(MAX_CHAIN_SIZE * sizeof (*sc->certs_x509_chain)); |
---|
592 | sc->certs_x509_chain_num = 0; |
---|
593 | sc->cache_timeout = -1; /* -1 means "unset" */ |
---|
594 | sc->cache_type = mgs_cache_unset; |
---|
595 | sc->cache_config = NULL; |
---|
596 | sc->tickets = GNUTLS_ENABLED_UNSET; |
---|
597 | sc->priorities = NULL; |
---|
598 | sc->dh_params = NULL; |
---|
599 | sc->proxy_enabled = GNUTLS_ENABLED_UNSET; |
---|
600 | |
---|
601 | /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ |
---|
602 | sc->client_verify_mode = -1; |
---|
603 | |
---|
604 | return sc; |
---|
605 | } |
---|
606 | |
---|
607 | void *mgs_config_server_create(apr_pool_t * p, server_rec * s) { |
---|
608 | char *err = NULL; |
---|
609 | mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); |
---|
610 | if (sc) return sc; else return err; |
---|
611 | } |
---|
612 | |
---|
613 | #define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t |
---|
614 | #define gnutls_srvconf_assign(t) sc->t = add->t |
---|
615 | |
---|
616 | void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD) { |
---|
617 | int i; |
---|
618 | char *err = NULL; |
---|
619 | mgs_srvconf_rec *base = (mgs_srvconf_rec *)BASE; |
---|
620 | mgs_srvconf_rec *add = (mgs_srvconf_rec *)ADD; |
---|
621 | mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); |
---|
622 | if (NULL == sc) return err; |
---|
623 | |
---|
624 | gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET); |
---|
625 | gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET); |
---|
626 | gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET); |
---|
627 | gnutls_srvconf_merge(client_verify_mode, -1); |
---|
628 | gnutls_srvconf_merge(srp_tpasswd_file, NULL); |
---|
629 | gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL); |
---|
630 | gnutls_srvconf_merge(privkey_x509, NULL); |
---|
631 | gnutls_srvconf_merge(priorities, NULL); |
---|
632 | gnutls_srvconf_merge(dh_params, NULL); |
---|
633 | |
---|
634 | /* FIXME: the following items are pre-allocated, and should be |
---|
635 | * properly disposed of before assigning in order to avoid leaks; |
---|
636 | * so at the moment, we can't actually have them in the config. |
---|
637 | * what happens during de-allocation? |
---|
638 | |
---|
639 | * This is probably leaky. |
---|
640 | */ |
---|
641 | gnutls_srvconf_assign(certs); |
---|
642 | gnutls_srvconf_assign(anon_creds); |
---|
643 | gnutls_srvconf_assign(srp_creds); |
---|
644 | gnutls_srvconf_assign(certs_x509_chain); |
---|
645 | gnutls_srvconf_assign(certs_x509_chain_num); |
---|
646 | |
---|
647 | /* how do these get transferred cleanly before the data from ADD |
---|
648 | * goes away? */ |
---|
649 | gnutls_srvconf_assign(cert_cn); |
---|
650 | for (i = 0; i < MAX_CERT_SAN; i++) |
---|
651 | gnutls_srvconf_assign(cert_san[i]); |
---|
652 | gnutls_srvconf_assign(ca_list); |
---|
653 | gnutls_srvconf_assign(ca_list_size); |
---|
654 | gnutls_srvconf_assign(cert_pgp); |
---|
655 | gnutls_srvconf_assign(pgp_list); |
---|
656 | gnutls_srvconf_assign(privkey_pgp); |
---|
657 | |
---|
658 | return sc; |
---|
659 | } |
---|
660 | |
---|
661 | #undef gnutls_srvconf_merge |
---|
662 | #undef gnutls_srvconf_assign |
---|
663 | |
---|
664 | void *mgs_config_dir_merge(apr_pool_t * p, void *basev, void *addv) { |
---|
665 | mgs_dirconf_rec *new; |
---|
666 | /* mgs_dirconf_rec *base = (mgs_dirconf_rec *) basev; */ |
---|
667 | mgs_dirconf_rec *add = (mgs_dirconf_rec *) addv; |
---|
668 | |
---|
669 | new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof (mgs_dirconf_rec)); |
---|
670 | new->client_verify_mode = add->client_verify_mode; |
---|
671 | return new; |
---|
672 | } |
---|
673 | |
---|
674 | void *mgs_config_dir_create(apr_pool_t * p, char *dir) { |
---|
675 | mgs_dirconf_rec *dc = apr_palloc(p, sizeof (*dc)); |
---|
676 | dc->client_verify_mode = -1; |
---|
677 | return dc; |
---|
678 | } |
---|
679 | |
---|