1 | /** |
---|
2 | * Copyright 2004-2005 Paul Querna |
---|
3 | * Copyright 2008 Nikos Mavrogiannopoulos |
---|
4 | * Copyright 2011 Dash Shendy |
---|
5 | * |
---|
6 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
7 | * you may not use this file except in compliance with the License. |
---|
8 | * You may obtain a copy of the License at |
---|
9 | * |
---|
10 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
11 | * |
---|
12 | * Unless required by applicable law or agreed to in writing, software |
---|
13 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
15 | * See the License for the specific language governing permissions and |
---|
16 | * limitations under the License. |
---|
17 | * |
---|
18 | */ |
---|
19 | |
---|
20 | #include "mod_gnutls.h" |
---|
21 | |
---|
22 | #ifdef APLOG_USE_MODULE |
---|
23 | APLOG_USE_MODULE(gnutls); |
---|
24 | #endif |
---|
25 | |
---|
26 | static int load_datum_from_file(apr_pool_t * pool, |
---|
27 | const char *file, gnutls_datum_t * data) { |
---|
28 | apr_file_t *fp; |
---|
29 | apr_finfo_t finfo; |
---|
30 | apr_status_t rv; |
---|
31 | apr_size_t br = 0; |
---|
32 | |
---|
33 | rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, |
---|
34 | APR_OS_DEFAULT, pool); |
---|
35 | if (rv != APR_SUCCESS) { |
---|
36 | return rv; |
---|
37 | } |
---|
38 | |
---|
39 | rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp); |
---|
40 | |
---|
41 | if (rv != APR_SUCCESS) { |
---|
42 | return rv; |
---|
43 | } |
---|
44 | |
---|
45 | data->data = apr_palloc(pool, finfo.size + 1); |
---|
46 | rv = apr_file_read_full(fp, data->data, finfo.size, &br); |
---|
47 | |
---|
48 | if (rv != APR_SUCCESS) { |
---|
49 | return rv; |
---|
50 | } |
---|
51 | apr_file_close(fp); |
---|
52 | |
---|
53 | data->data[br] = '\0'; |
---|
54 | data->size = br; |
---|
55 | |
---|
56 | return 0; |
---|
57 | } |
---|
58 | |
---|
59 | const char *mgs_set_dh_file(cmd_parms * parms, void *dummy, |
---|
60 | const char *arg) { |
---|
61 | int ret; |
---|
62 | gnutls_datum_t data; |
---|
63 | const char *file; |
---|
64 | apr_pool_t *spool; |
---|
65 | mgs_srvconf_rec *sc = |
---|
66 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
67 | module_config, |
---|
68 | &gnutls_module); |
---|
69 | |
---|
70 | apr_pool_create(&spool, parms->pool); |
---|
71 | |
---|
72 | file = ap_server_root_relative(spool, arg); |
---|
73 | |
---|
74 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
75 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
76 | "DH params '%s'", file); |
---|
77 | } |
---|
78 | |
---|
79 | ret = gnutls_dh_params_init(&sc->dh_params); |
---|
80 | if (ret < 0) { |
---|
81 | return apr_psprintf(parms->pool, |
---|
82 | "GnuTLS: Failed to initialize" |
---|
83 | ": (%d) %s", ret, |
---|
84 | gnutls_strerror(ret)); |
---|
85 | } |
---|
86 | |
---|
87 | ret = |
---|
88 | gnutls_dh_params_import_pkcs3(sc->dh_params, &data, |
---|
89 | GNUTLS_X509_FMT_PEM); |
---|
90 | if (ret < 0) { |
---|
91 | return apr_psprintf(parms->pool, |
---|
92 | "GnuTLS: Failed to Import " |
---|
93 | "DH params '%s': (%d) %s", file, ret, |
---|
94 | gnutls_strerror(ret)); |
---|
95 | } |
---|
96 | |
---|
97 | apr_pool_destroy(spool); |
---|
98 | |
---|
99 | return NULL; |
---|
100 | } |
---|
101 | |
---|
102 | const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, const char *arg) { |
---|
103 | |
---|
104 | int ret; |
---|
105 | gnutls_datum_t data; |
---|
106 | const char *file; |
---|
107 | apr_pool_t *spool; |
---|
108 | |
---|
109 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
110 | apr_pool_create(&spool, parms->pool); |
---|
111 | |
---|
112 | file = ap_server_root_relative(spool, arg); |
---|
113 | |
---|
114 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
115 | apr_pool_destroy(spool); |
---|
116 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading Certificate '%s'", file); |
---|
117 | } |
---|
118 | |
---|
119 | sc->certs_x509_chain_num = MAX_CHAIN_SIZE; |
---|
120 | ret = gnutls_x509_crt_list_import(sc->certs_x509_chain, &sc->certs_x509_chain_num, &data, GNUTLS_X509_FMT_PEM, 0); |
---|
121 | if (ret < 0) { |
---|
122 | apr_pool_destroy(spool); |
---|
123 | return apr_psprintf(parms->pool, "GnuTLS: Failed to Import Certificate '%s': (%d) %s", file, ret, gnutls_strerror(ret)); |
---|
124 | } |
---|
125 | |
---|
126 | apr_pool_destroy(spool); |
---|
127 | return NULL; |
---|
128 | |
---|
129 | } |
---|
130 | |
---|
131 | const char *mgs_set_key_file(cmd_parms * parms, void *dummy, const char *arg) { |
---|
132 | |
---|
133 | int ret; |
---|
134 | gnutls_datum_t data; |
---|
135 | const char *file; |
---|
136 | apr_pool_t *spool; |
---|
137 | const char *out; |
---|
138 | |
---|
139 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
140 | |
---|
141 | apr_pool_create(&spool, parms->pool); |
---|
142 | |
---|
143 | file = ap_server_root_relative(spool, arg); |
---|
144 | |
---|
145 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
146 | out = apr_psprintf(parms->pool, "GnuTLS: Error Reading Private Key '%s'", file); |
---|
147 | apr_pool_destroy(spool); |
---|
148 | return out; |
---|
149 | } |
---|
150 | |
---|
151 | ret = gnutls_x509_privkey_init(&sc->privkey_x509); |
---|
152 | |
---|
153 | if (ret < 0) { |
---|
154 | apr_pool_destroy(spool); |
---|
155 | return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize: (%d) %s", ret, gnutls_strerror(ret)); |
---|
156 | } |
---|
157 | |
---|
158 | ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM); |
---|
159 | |
---|
160 | if (ret < 0) { |
---|
161 | ret = gnutls_x509_privkey_import_pkcs8(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM, NULL, GNUTLS_PKCS_PLAIN); |
---|
162 | } |
---|
163 | |
---|
164 | if (ret < 0) { |
---|
165 | out = apr_psprintf(parms->pool, "GnuTLS: Failed to Import Private Key '%s': (%d) %s", file, ret, gnutls_strerror(ret)); |
---|
166 | apr_pool_destroy(spool); |
---|
167 | return out; |
---|
168 | } |
---|
169 | |
---|
170 | apr_pool_destroy(spool); |
---|
171 | |
---|
172 | return NULL; |
---|
173 | } |
---|
174 | |
---|
175 | const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy, |
---|
176 | const char *arg) { |
---|
177 | int ret; |
---|
178 | gnutls_datum_t data; |
---|
179 | const char *file; |
---|
180 | apr_pool_t *spool; |
---|
181 | mgs_srvconf_rec *sc = |
---|
182 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
183 | module_config, |
---|
184 | &gnutls_module); |
---|
185 | apr_pool_create(&spool, parms->pool); |
---|
186 | |
---|
187 | file = ap_server_root_relative(spool, arg); |
---|
188 | |
---|
189 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
190 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
191 | "Certificate '%s'", file); |
---|
192 | } |
---|
193 | |
---|
194 | ret = gnutls_openpgp_crt_init(&sc->cert_pgp); |
---|
195 | if (ret < 0) { |
---|
196 | return apr_psprintf(parms->pool, "GnuTLS: Failed to Init " |
---|
197 | "PGP Certificate: (%d) %s", ret, |
---|
198 | gnutls_strerror(ret)); |
---|
199 | } |
---|
200 | |
---|
201 | ret = |
---|
202 | gnutls_openpgp_crt_import(sc->cert_pgp, &data, |
---|
203 | GNUTLS_OPENPGP_FMT_BASE64); |
---|
204 | if (ret < 0) { |
---|
205 | return apr_psprintf(parms->pool, |
---|
206 | "GnuTLS: Failed to Import " |
---|
207 | "PGP Certificate '%s': (%d) %s", file, |
---|
208 | ret, gnutls_strerror(ret)); |
---|
209 | } |
---|
210 | |
---|
211 | apr_pool_destroy(spool); |
---|
212 | return NULL; |
---|
213 | } |
---|
214 | |
---|
215 | const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy, |
---|
216 | const char *arg) { |
---|
217 | int ret; |
---|
218 | gnutls_datum_t data; |
---|
219 | const char *file; |
---|
220 | apr_pool_t *spool; |
---|
221 | mgs_srvconf_rec *sc = |
---|
222 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
223 | module_config, |
---|
224 | &gnutls_module); |
---|
225 | apr_pool_create(&spool, parms->pool); |
---|
226 | |
---|
227 | file = ap_server_root_relative(spool, arg); |
---|
228 | |
---|
229 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
230 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
231 | "Private Key '%s'", file); |
---|
232 | } |
---|
233 | |
---|
234 | ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp); |
---|
235 | if (ret < 0) { |
---|
236 | return apr_psprintf(parms->pool, |
---|
237 | "GnuTLS: Failed to initialize" |
---|
238 | ": (%d) %s", ret, |
---|
239 | gnutls_strerror(ret)); |
---|
240 | } |
---|
241 | |
---|
242 | ret = |
---|
243 | gnutls_openpgp_privkey_import(sc->privkey_pgp, &data, |
---|
244 | GNUTLS_OPENPGP_FMT_BASE64, NULL, |
---|
245 | 0); |
---|
246 | if (ret != 0) { |
---|
247 | return apr_psprintf(parms->pool, |
---|
248 | "GnuTLS: Failed to Import " |
---|
249 | "PGP Private Key '%s': (%d) %s", file, |
---|
250 | ret, gnutls_strerror(ret)); |
---|
251 | } |
---|
252 | apr_pool_destroy(spool); |
---|
253 | return NULL; |
---|
254 | } |
---|
255 | |
---|
256 | const char *mgs_set_tickets(cmd_parms * parms, void *dummy, |
---|
257 | const char *arg) { |
---|
258 | mgs_srvconf_rec *sc = |
---|
259 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
260 | module_config, |
---|
261 | &gnutls_module); |
---|
262 | |
---|
263 | sc->tickets = 0; |
---|
264 | if (strcasecmp("on", arg) == 0) { |
---|
265 | sc->tickets = 1; |
---|
266 | } |
---|
267 | |
---|
268 | return NULL; |
---|
269 | } |
---|
270 | |
---|
271 | |
---|
272 | #ifdef ENABLE_SRP |
---|
273 | |
---|
274 | const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy, |
---|
275 | const char *arg) { |
---|
276 | mgs_srvconf_rec *sc = |
---|
277 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
278 | module_config, |
---|
279 | &gnutls_module); |
---|
280 | |
---|
281 | sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg); |
---|
282 | |
---|
283 | return NULL; |
---|
284 | } |
---|
285 | |
---|
286 | const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy, |
---|
287 | const char *arg) { |
---|
288 | mgs_srvconf_rec *sc = |
---|
289 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
290 | module_config, |
---|
291 | &gnutls_module); |
---|
292 | |
---|
293 | sc->srp_tpasswd_conf_file = |
---|
294 | ap_server_root_relative(parms->pool, arg); |
---|
295 | |
---|
296 | return NULL; |
---|
297 | } |
---|
298 | |
---|
299 | #endif |
---|
300 | |
---|
301 | const char *mgs_set_cache(cmd_parms * parms, void *dummy, |
---|
302 | const char *type, const char *arg) { |
---|
303 | const char *err; |
---|
304 | mgs_srvconf_rec *sc = |
---|
305 | ap_get_module_config(parms->server->module_config, |
---|
306 | &gnutls_module); |
---|
307 | if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { |
---|
308 | return err; |
---|
309 | } |
---|
310 | |
---|
311 | if (strcasecmp("none", type) == 0) { |
---|
312 | sc->cache_type = mgs_cache_none; |
---|
313 | sc->cache_config = NULL; |
---|
314 | return NULL; |
---|
315 | } else if (strcasecmp("dbm", type) == 0) { |
---|
316 | sc->cache_type = mgs_cache_dbm; |
---|
317 | } else if (strcasecmp("gdbm", type) == 0) { |
---|
318 | sc->cache_type = mgs_cache_gdbm; |
---|
319 | } |
---|
320 | #if HAVE_APR_MEMCACHE |
---|
321 | else if (strcasecmp("memcache", type) == 0) { |
---|
322 | sc->cache_type = mgs_cache_memcache; |
---|
323 | } |
---|
324 | #endif |
---|
325 | else { |
---|
326 | return "Invalid Type for GnuTLSCache!"; |
---|
327 | } |
---|
328 | |
---|
329 | if (arg == NULL) |
---|
330 | return "Invalid argument 2 for GnuTLSCache!"; |
---|
331 | |
---|
332 | if (sc->cache_type == mgs_cache_dbm |
---|
333 | || sc->cache_type == mgs_cache_gdbm) { |
---|
334 | sc->cache_config = |
---|
335 | ap_server_root_relative(parms->pool, arg); |
---|
336 | } else { |
---|
337 | sc->cache_config = apr_pstrdup(parms->pool, arg); |
---|
338 | } |
---|
339 | |
---|
340 | return NULL; |
---|
341 | } |
---|
342 | |
---|
343 | const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy, |
---|
344 | const char *arg) { |
---|
345 | int argint; |
---|
346 | const char *err; |
---|
347 | mgs_srvconf_rec *sc = |
---|
348 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
349 | module_config, |
---|
350 | &gnutls_module); |
---|
351 | |
---|
352 | if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { |
---|
353 | return err; |
---|
354 | } |
---|
355 | |
---|
356 | argint = atoi(arg); |
---|
357 | |
---|
358 | if (argint < 0) { |
---|
359 | return "GnuTLSCacheTimeout: Invalid argument"; |
---|
360 | } else if (argint == 0) { |
---|
361 | sc->cache_timeout = 0; |
---|
362 | } else { |
---|
363 | sc->cache_timeout = apr_time_from_sec(argint); |
---|
364 | } |
---|
365 | |
---|
366 | return NULL; |
---|
367 | } |
---|
368 | |
---|
369 | const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy, |
---|
370 | const char *arg) { |
---|
371 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *)ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
372 | |
---|
373 | if (strcasecmp("cartel", arg) == 0) { |
---|
374 | sc->client_verify_method = mgs_cvm_cartel; |
---|
375 | } else if (strcasecmp("msva", arg) == 0) { |
---|
376 | #ifdef ENABLE_MSVA |
---|
377 | sc->client_verify_method = mgs_cvm_msva; |
---|
378 | #else |
---|
379 | return "GnuTLSClientVerifyMethod: msva is not supported"; |
---|
380 | #endif |
---|
381 | } else { |
---|
382 | return "GnuTLSClientVerifyMethod: Invalid argument"; |
---|
383 | } |
---|
384 | |
---|
385 | return NULL; |
---|
386 | } |
---|
387 | |
---|
388 | const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, |
---|
389 | const char *arg) { |
---|
390 | int mode; |
---|
391 | |
---|
392 | if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) { |
---|
393 | mode = GNUTLS_CERT_IGNORE; |
---|
394 | } else if (strcasecmp("optional", arg) == 0 |
---|
395 | || strcasecmp("request", arg) == 0) { |
---|
396 | mode = GNUTLS_CERT_REQUEST; |
---|
397 | } else if (strcasecmp("require", arg) == 0) { |
---|
398 | mode = GNUTLS_CERT_REQUIRE; |
---|
399 | } else { |
---|
400 | return "GnuTLSClientVerify: Invalid argument"; |
---|
401 | } |
---|
402 | |
---|
403 | /* This was set from a directory context */ |
---|
404 | if (parms->path) { |
---|
405 | mgs_dirconf_rec *dc = (mgs_dirconf_rec *) dummy; |
---|
406 | dc->client_verify_mode = mode; |
---|
407 | } else { |
---|
408 | mgs_srvconf_rec *sc = |
---|
409 | (mgs_srvconf_rec *) |
---|
410 | ap_get_module_config(parms->server->module_config, |
---|
411 | &gnutls_module); |
---|
412 | sc->client_verify_mode = mode; |
---|
413 | } |
---|
414 | |
---|
415 | return NULL; |
---|
416 | } |
---|
417 | |
---|
418 | #define INIT_CA_SIZE 128 |
---|
419 | |
---|
420 | const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, |
---|
421 | const char *arg) { |
---|
422 | int rv; |
---|
423 | const char *file; |
---|
424 | apr_pool_t *spool; |
---|
425 | gnutls_datum_t data; |
---|
426 | |
---|
427 | mgs_srvconf_rec *sc = |
---|
428 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
429 | module_config, |
---|
430 | &gnutls_module); |
---|
431 | apr_pool_create(&spool, parms->pool); |
---|
432 | |
---|
433 | file = ap_server_root_relative(spool, arg); |
---|
434 | |
---|
435 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
436 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
437 | "Client CA File '%s'", file); |
---|
438 | } |
---|
439 | |
---|
440 | sc->ca_list_size = INIT_CA_SIZE; |
---|
441 | sc->ca_list = malloc(sc->ca_list_size * sizeof (*sc->ca_list)); |
---|
442 | if (sc->ca_list == NULL) { |
---|
443 | return apr_psprintf(parms->pool, |
---|
444 | "mod_gnutls: Memory allocation error"); |
---|
445 | } |
---|
446 | |
---|
447 | rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, |
---|
448 | &data, GNUTLS_X509_FMT_PEM, |
---|
449 | GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); |
---|
450 | if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) { |
---|
451 | return apr_psprintf(parms->pool, "GnuTLS: Failed to load " |
---|
452 | "Client CA File '%s': (%d) %s", file, |
---|
453 | rv, gnutls_strerror(rv)); |
---|
454 | } |
---|
455 | |
---|
456 | if (INIT_CA_SIZE < sc->ca_list_size) { |
---|
457 | sc->ca_list = |
---|
458 | realloc(sc->ca_list, |
---|
459 | sc->ca_list_size * sizeof (*sc->ca_list)); |
---|
460 | if (sc->ca_list == NULL) { |
---|
461 | return apr_psprintf(parms->pool, |
---|
462 | "mod_gnutls: Memory allocation error"); |
---|
463 | } |
---|
464 | |
---|
465 | /* re-read */ |
---|
466 | rv = gnutls_x509_crt_list_import(sc->ca_list, |
---|
467 | &sc->ca_list_size, &data, |
---|
468 | GNUTLS_X509_FMT_PEM, 0); |
---|
469 | |
---|
470 | if (rv < 0) { |
---|
471 | return apr_psprintf(parms->pool, |
---|
472 | "GnuTLS: Failed to load " |
---|
473 | "Client CA File '%s': (%d) %s", |
---|
474 | file, rv, gnutls_strerror(rv)); |
---|
475 | } |
---|
476 | } |
---|
477 | |
---|
478 | apr_pool_destroy(spool); |
---|
479 | return NULL; |
---|
480 | } |
---|
481 | |
---|
482 | const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy, |
---|
483 | const char *arg) { |
---|
484 | int rv; |
---|
485 | const char *file; |
---|
486 | apr_pool_t *spool; |
---|
487 | gnutls_datum_t data; |
---|
488 | |
---|
489 | mgs_srvconf_rec *sc = |
---|
490 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
491 | module_config, |
---|
492 | &gnutls_module); |
---|
493 | apr_pool_create(&spool, parms->pool); |
---|
494 | |
---|
495 | file = ap_server_root_relative(spool, arg); |
---|
496 | |
---|
497 | if (load_datum_from_file(spool, file, &data) != 0) { |
---|
498 | return apr_psprintf(parms->pool, "GnuTLS: Error Reading " |
---|
499 | "Keyring File '%s'", file); |
---|
500 | } |
---|
501 | |
---|
502 | rv = gnutls_openpgp_keyring_init(&sc->pgp_list); |
---|
503 | if (rv < 0) { |
---|
504 | return apr_psprintf(parms->pool, |
---|
505 | "GnuTLS: Failed to initialize" |
---|
506 | "keyring: (%d) %s", rv, |
---|
507 | gnutls_strerror(rv)); |
---|
508 | } |
---|
509 | |
---|
510 | rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, |
---|
511 | GNUTLS_OPENPGP_FMT_BASE64); |
---|
512 | if (rv < 0) { |
---|
513 | return apr_psprintf(parms->pool, "GnuTLS: Failed to load " |
---|
514 | "Keyring File '%s': (%d) %s", file, rv, |
---|
515 | gnutls_strerror(rv)); |
---|
516 | } |
---|
517 | |
---|
518 | apr_pool_destroy(spool); |
---|
519 | return NULL; |
---|
520 | } |
---|
521 | |
---|
522 | const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, |
---|
523 | const char *arg) { |
---|
524 | |
---|
525 | mgs_srvconf_rec *sc =(mgs_srvconf_rec *) |
---|
526 | ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
527 | |
---|
528 | if (!strcasecmp(arg, "On")) { |
---|
529 | sc->proxy_enabled = GNUTLS_ENABLED_TRUE; |
---|
530 | } else if (!strcasecmp(arg, "Off")) { |
---|
531 | sc->proxy_enabled = GNUTLS_ENABLED_FALSE; |
---|
532 | } else { |
---|
533 | return "SSLProxyEngine must be set to 'On' or 'Off'"; |
---|
534 | } |
---|
535 | |
---|
536 | return NULL; |
---|
537 | } |
---|
538 | |
---|
539 | const char *mgs_set_enabled(cmd_parms * parms, void *dummy, |
---|
540 | const char *arg) { |
---|
541 | mgs_srvconf_rec *sc = |
---|
542 | (mgs_srvconf_rec *) ap_get_module_config(parms->server-> |
---|
543 | module_config, |
---|
544 | &gnutls_module); |
---|
545 | if (!strcasecmp(arg, "On")) { |
---|
546 | sc->enabled = GNUTLS_ENABLED_TRUE; |
---|
547 | } else if (!strcasecmp(arg, "Off")) { |
---|
548 | sc->enabled = GNUTLS_ENABLED_FALSE; |
---|
549 | } else { |
---|
550 | return "GnuTLSEnable must be set to 'On' or 'Off'"; |
---|
551 | } |
---|
552 | |
---|
553 | return NULL; |
---|
554 | } |
---|
555 | |
---|
556 | const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg) { |
---|
557 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
558 | if (!strcasecmp(arg, "On")) { |
---|
559 | sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE; |
---|
560 | } else if (!strcasecmp(arg, "Off")) { |
---|
561 | sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE; |
---|
562 | } else { |
---|
563 | return |
---|
564 | "GnuTLSExportCertificates must be set to 'On' or 'Off'"; |
---|
565 | } |
---|
566 | |
---|
567 | return NULL; |
---|
568 | } |
---|
569 | |
---|
570 | const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) { |
---|
571 | |
---|
572 | int ret; |
---|
573 | const char *err; |
---|
574 | |
---|
575 | mgs_srvconf_rec *sc = (mgs_srvconf_rec *) |
---|
576 | ap_get_module_config(parms->server->module_config, &gnutls_module); |
---|
577 | |
---|
578 | ret = gnutls_priority_init(&sc->priorities, arg, &err); |
---|
579 | |
---|
580 | if (ret < 0) { |
---|
581 | if (ret == GNUTLS_E_INVALID_REQUEST) { |
---|
582 | return apr_psprintf(parms->pool, |
---|
583 | "GnuTLS: Syntax error parsing priorities string at: %s", err); |
---|
584 | } |
---|
585 | return "Error setting priorities"; |
---|
586 | } |
---|
587 | |
---|
588 | return NULL; |
---|
589 | } |
---|
590 | |
---|
591 | static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, char** err) { |
---|
592 | mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof (*sc)); |
---|
593 | int ret; |
---|
594 | |
---|
595 | sc->enabled = GNUTLS_ENABLED_UNSET; |
---|
596 | |
---|
597 | ret = gnutls_certificate_allocate_credentials(&sc->certs); |
---|
598 | if (ret < 0) { |
---|
599 | *err = apr_psprintf(p, "GnuTLS: Failed to initialize" |
---|
600 | ": (%d) %s", ret, |
---|
601 | gnutls_strerror(ret)); |
---|
602 | return NULL; |
---|
603 | } |
---|
604 | |
---|
605 | ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds); |
---|
606 | if (ret < 0) { |
---|
607 | *err = apr_psprintf(p, "GnuTLS: Failed to initialize" |
---|
608 | ": (%d) %s", ret, |
---|
609 | gnutls_strerror(ret)); |
---|
610 | return NULL; |
---|
611 | } |
---|
612 | #ifdef ENABLE_SRP |
---|
613 | ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); |
---|
614 | if (ret < 0) { |
---|
615 | *err = apr_psprintf(p, "GnuTLS: Failed to initialize" |
---|
616 | ": (%d) %s", ret, |
---|
617 | gnutls_strerror(ret)); |
---|
618 | return NULL; |
---|
619 | } |
---|
620 | |
---|
621 | sc->srp_tpasswd_conf_file = NULL; |
---|
622 | sc->srp_tpasswd_file = NULL; |
---|
623 | #endif |
---|
624 | |
---|
625 | sc->privkey_x509 = NULL; |
---|
626 | /* Initialize all Certificate Chains */ |
---|
627 | /* FIXME: how do we indicate that this is unset for a merge? (that |
---|
628 | * is, how can a subordinate server override the chain by setting |
---|
629 | * an empty one? what would that even look like in the |
---|
630 | * configuration?) */ |
---|
631 | sc->certs_x509_chain = malloc(MAX_CHAIN_SIZE * sizeof (*sc->certs_x509_chain)); |
---|
632 | sc->certs_x509_chain_num = 0; |
---|
633 | sc->cache_timeout = -1; /* -1 means "unset" */ |
---|
634 | sc->cache_type = mgs_cache_unset; |
---|
635 | sc->cache_config = NULL; |
---|
636 | sc->tickets = GNUTLS_ENABLED_UNSET; |
---|
637 | sc->priorities = NULL; |
---|
638 | sc->dh_params = NULL; |
---|
639 | sc->proxy_enabled = GNUTLS_ENABLED_UNSET; |
---|
640 | sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET; |
---|
641 | sc->client_verify_method = mgs_cvm_unset; |
---|
642 | |
---|
643 | /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ |
---|
644 | sc->client_verify_mode = -1; |
---|
645 | |
---|
646 | return sc; |
---|
647 | } |
---|
648 | |
---|
649 | void *mgs_config_server_create(apr_pool_t * p, server_rec * s) { |
---|
650 | char *err = NULL; |
---|
651 | mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); |
---|
652 | if (sc) return sc; else return err; |
---|
653 | } |
---|
654 | |
---|
655 | #define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t |
---|
656 | #define gnutls_srvconf_assign(t) sc->t = add->t |
---|
657 | |
---|
658 | void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD) { |
---|
659 | int i; |
---|
660 | char *err = NULL; |
---|
661 | mgs_srvconf_rec *base = (mgs_srvconf_rec *)BASE; |
---|
662 | mgs_srvconf_rec *add = (mgs_srvconf_rec *)ADD; |
---|
663 | mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); |
---|
664 | if (NULL == sc) return err; |
---|
665 | |
---|
666 | gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET); |
---|
667 | gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET); |
---|
668 | gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET); |
---|
669 | gnutls_srvconf_merge(export_certificates_enabled, GNUTLS_ENABLED_UNSET); |
---|
670 | gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset); |
---|
671 | gnutls_srvconf_merge(client_verify_mode, -1); |
---|
672 | gnutls_srvconf_merge(srp_tpasswd_file, NULL); |
---|
673 | gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL); |
---|
674 | gnutls_srvconf_merge(privkey_x509, NULL); |
---|
675 | gnutls_srvconf_merge(priorities, NULL); |
---|
676 | gnutls_srvconf_merge(dh_params, NULL); |
---|
677 | |
---|
678 | /* FIXME: the following items are pre-allocated, and should be |
---|
679 | * properly disposed of before assigning in order to avoid leaks; |
---|
680 | * so at the moment, we can't actually have them in the config. |
---|
681 | * what happens during de-allocation? |
---|
682 | |
---|
683 | * This is probably leaky. |
---|
684 | */ |
---|
685 | gnutls_srvconf_assign(certs); |
---|
686 | gnutls_srvconf_assign(anon_creds); |
---|
687 | gnutls_srvconf_assign(srp_creds); |
---|
688 | gnutls_srvconf_assign(certs_x509_chain); |
---|
689 | gnutls_srvconf_assign(certs_x509_chain_num); |
---|
690 | |
---|
691 | /* how do these get transferred cleanly before the data from ADD |
---|
692 | * goes away? */ |
---|
693 | gnutls_srvconf_assign(cert_cn); |
---|
694 | for (i = 0; i < MAX_CERT_SAN; i++) |
---|
695 | gnutls_srvconf_assign(cert_san[i]); |
---|
696 | gnutls_srvconf_assign(ca_list); |
---|
697 | gnutls_srvconf_assign(ca_list_size); |
---|
698 | gnutls_srvconf_assign(cert_pgp); |
---|
699 | gnutls_srvconf_assign(pgp_list); |
---|
700 | gnutls_srvconf_assign(privkey_pgp); |
---|
701 | |
---|
702 | return sc; |
---|
703 | } |
---|
704 | |
---|
705 | #undef gnutls_srvconf_merge |
---|
706 | #undef gnutls_srvconf_assign |
---|
707 | |
---|
708 | void *mgs_config_dir_merge(apr_pool_t * p, void *basev, void *addv) { |
---|
709 | mgs_dirconf_rec *new; |
---|
710 | /* mgs_dirconf_rec *base = (mgs_dirconf_rec *) basev; */ |
---|
711 | mgs_dirconf_rec *add = (mgs_dirconf_rec *) addv; |
---|
712 | |
---|
713 | new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof (mgs_dirconf_rec)); |
---|
714 | new->client_verify_mode = add->client_verify_mode; |
---|
715 | return new; |
---|
716 | } |
---|
717 | |
---|
718 | void *mgs_config_dir_create(apr_pool_t * p, char *dir) { |
---|
719 | mgs_dirconf_rec *dc = apr_palloc(p, sizeof (*dc)); |
---|
720 | dc->client_verify_mode = -1; |
---|
721 | return dc; |
---|
722 | } |
---|
723 | |
---|