Context Navigation

gnutls_config.c @ b94aee2

Visit:

debian/masterproxy-ticket

Last change on this file since b94aee2 was b94aee2, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Remove internal cache type enum

The cache type is now transparently passed to ap_lookup_provider(), so
mod_gnutls does not need to manage available cache types. The new
server variable sc->cache_enable exists to track whether the cache
should be used at all.

Property mode set to 100644

File size: 32.5 KB

Line
1	/*
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
4	* Copyright 2011 Dash Shendy
5	* Copyright 2015-2018 Fiona Klute
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License");
8	* you may not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS,
15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*/
19
20	#include "gnutls_config.h"
21	#include "mod_gnutls.h"
22	#include "gnutls_ocsp.h"
23	#include "apr_lib.h"
24	#include <gnutls/abstract.h>
25
26	#define INIT_CA_SIZE 128
27
28	#ifdef APLOG_USE_MODULE
29	APLOG_USE_MODULE(gnutls);
30	#endif
31
32	static int pin_callback(void *user, int attempt __attribute__((unused)),
33	const char *token_url __attribute__((unused)),
34	const char *token_label, unsigned int flags,
35	char *pin, size_t pin_max)
36	{
37	mgs_srvconf_rec *sc = user;
38
39	if (sc->pin == NULL \|\| flags & GNUTLS_PIN_FINAL_TRY \|\|
40	flags & GNUTLS_PIN_WRONG) {
41	return -1;
42	}
43
44	if (token_label && strcmp(token_label, "SRK") == 0) {
45	snprintf(pin, pin_max, "%s", sc->srk_pin);
46	} else {
47	snprintf(pin, pin_max, "%s", sc->pin);
48	}
49	return 0;
50	}
51
52	static int load_datum_from_file(apr_pool_t * pool,
53	const char file, gnutls_datum_t data)
54	{
55	apr_file_t *fp;
56	apr_finfo_t finfo;
57	apr_status_t rv;
58	apr_size_t br = 0;
59
60	rv = apr_file_open(&fp, file, APR_READ \| APR_BINARY,
61	APR_OS_DEFAULT, pool);
62	if (rv != APR_SUCCESS) {
63	return rv;
64	}
65
66	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
67
68	if (rv != APR_SUCCESS) {
69	return rv;
70	}
71
72	data->data = apr_palloc(pool, finfo.size + 1);
73	rv = apr_file_read_full(fp, data->data, finfo.size, &br);
74
75	if (rv != APR_SUCCESS) {
76	return rv;
77	}
78	apr_file_close(fp);
79
80	data->data[br] = '\0';
81	data->size = br;
82
83	return 0;
84	}
85
86
87
88	/**
89	* Clean up the various GnuTLS data structures allocated by
90	* mgs_load_files()
91	*/
92	static apr_status_t mgs_pool_free_credentials(void *arg)
93	{
94	mgs_srvconf_rec sc = (mgs_srvconf_rec ) arg;
95
96	if (sc->certs)
97	{
98	gnutls_certificate_free_credentials(sc->certs);
99	sc->certs = NULL;
100	}
101
102	if (sc->anon_creds)
103	{
104	gnutls_anon_free_server_credentials(sc->anon_creds);
105	sc->anon_creds = NULL;
106	}
107
108	#ifdef ENABLE_SRP
109	if (sc->srp_creds)
110	{
111	gnutls_srp_free_server_credentials(sc->srp_creds);
112	sc->srp_creds = NULL;
113	}
114	#endif
115
116	if (sc->dh_params)
117	{
118	gnutls_dh_params_deinit(sc->dh_params);
119	sc->dh_params = NULL;
120	}
121
122	for (unsigned int i = 0; i < sc->certs_x509_chain_num; i++)
123	{
124	gnutls_pcert_deinit(&sc->certs_x509_chain[i]);
125	gnutls_x509_crt_deinit(sc->certs_x509_crt_chain[i]);
126	}
127
128	if (sc->privkey_x509)
129	{
130	gnutls_privkey_deinit(sc->privkey_x509);
131	sc->privkey_x509 = NULL;
132	}
133
134	if (sc->ca_list)
135	{
136	for (unsigned int i = 0; i < sc->ca_list_size; i++)
137	{
138	gnutls_x509_crt_deinit(sc->ca_list[i]);
139	}
140	gnutls_free(sc->ca_list);
141	sc->ca_list = NULL;
142	}
143
144	if (sc->priorities)
145	{
146	gnutls_priority_deinit(sc->priorities);
147	sc->priorities = NULL;
148	}
149
150	return APR_SUCCESS;
151	}
152
153	int mgs_load_files(apr_pool_t pconf, apr_pool_t ptemp, server_rec *s)
154	{
155	apr_pool_t *spool;
156	const char *file;
157	gnutls_datum_t data;
158	int ret;
159	mgs_srvconf_rec *sc =
160	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
161	&gnutls_module);
162
163	apr_pool_create(&spool, ptemp);
164
165	/* Cleanup function for the GnuTLS structures allocated below */
166	apr_pool_cleanup_register(pconf, sc, mgs_pool_free_credentials,
167	apr_pool_cleanup_null);
168
169	if (sc->certs == NULL)
170	{
171	ret = gnutls_certificate_allocate_credentials(&sc->certs);
172	if (ret < 0) {
173	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
174	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
175	gnutls_strerror(ret));
176	ret = -1;
177	goto cleanup;
178	}
179	}
180
181	if (sc->anon_creds == NULL)
182	{
183	ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
184	if (ret < 0) {
185	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
186	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
187	gnutls_strerror(ret));
188	ret = -1;
189	goto cleanup;
190	}
191	}
192
193	/* Load SRP parameters */
194	#ifdef ENABLE_SRP
195	if (sc->srp_creds == NULL)
196	{
197	ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
198	if (ret < 0) {
199	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
200	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
201	gnutls_strerror(ret));
202	ret = -1;
203	goto cleanup;
204	}
205	}
206
207	if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL)
208	{
209	ret = gnutls_srp_set_server_credentials_file
210	(sc->srp_creds, sc->srp_tpasswd_file,
211	sc->srp_tpasswd_conf_file);
212
213	if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
214	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
215	"GnuTLS: Host '%s:%d' is missing a "
216	"SRP password or conf File!",
217	s->server_hostname, s->port);
218	ret = -1;
219	goto cleanup;
220	}
221	}
222	#endif
223
224	/* Load user provided DH parameters, if any */
225	if (sc->dh_file)
226	{
227	if (sc->dh_params == NULL)
228	{
229	ret = gnutls_dh_params_init(&sc->dh_params);
230	if (ret < 0) {
231	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
232	"GnuTLS: Failed to initialize"
233	": (%d) %s", ret, gnutls_strerror(ret));
234	ret = -1;
235	goto cleanup;
236	}
237	}
238
239	if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
240	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
241	"GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
242	ret = -1;
243	goto cleanup;
244	}
245
246	ret =
247	gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
248	GNUTLS_X509_FMT_PEM);
249	if (ret < 0) {
250	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
251	"GnuTLS: Failed to Import "
252	"DH params '%s': (%d) %s", sc->dh_file, ret,
253	gnutls_strerror(ret));
254	ret = -1;
255	goto cleanup;
256	}
257	}
258
259	if (sc->x509_cert_file != NULL && sc->certs_x509_crt_chain == NULL)
260	{
261	sc->certs_x509_chain =
262	apr_pcalloc(pconf,
263	MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
264	sc->certs_x509_crt_chain =
265	apr_pcalloc(pconf,
266	MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
267	unsigned int chain_num = MAX_CHAIN_SIZE;
268	unsigned format = GNUTLS_X509_FMT_PEM;
269
270	/* Load X.509 certificate */
271	if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
272	gnutls_pkcs11_obj_t obj;
273
274	file = sc->x509_cert_file;
275
276	ret = gnutls_pkcs11_obj_init(&obj);
277	if (ret < 0) {
278	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
279	"GnuTLS: Error Initializing PKCS #11 object");
280	ret = -1;
281	goto cleanup;
282	}
283
284	gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
285
286	ret = gnutls_pkcs11_obj_import_url(obj, file,
287	GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
288	if (ret < 0) {
289	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
290	"GnuTLS: Error Importing PKCS #11 object: "
291	"'%s': %s",
292	file, gnutls_strerror(ret));
293	ret = -1;
294	goto cleanup;
295	}
296
297	format = GNUTLS_X509_FMT_DER;
298	ret = gnutls_pkcs11_obj_export2(obj, &data);
299	if (ret < 0) {
300	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
301	"GnuTLS: Error Exporting a PKCS #11 object: "
302	"'%s': %s",
303	file, gnutls_strerror(ret));
304	ret = -1;
305	goto cleanup;
306	}
307
308	gnutls_pkcs11_obj_deinit(obj);
309	} else {
310	file = ap_server_root_relative(spool, sc->x509_cert_file);
311
312	ret = gnutls_load_file(file, &data);
313	if (ret < 0) {
314	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
315	"GnuTLS: Error Reading Certificate '%s': %s",
316	file, gnutls_strerror(ret));
317	ret = -1;
318	goto cleanup;
319	}
320	}
321
322	ret = gnutls_x509_crt_list_import(sc->certs_x509_crt_chain,
323	&chain_num, &data, format,
324	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
325	gnutls_free(data.data);
326	sc->certs_x509_chain_num = chain_num;
327
328	if (ret < 0) {
329	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
330	"GnuTLS: Failed to Import Certificate Chain "
331	"'%s': (%d) %s",
332	file, ret, gnutls_strerror(ret));
333	ret = -1;
334	goto cleanup;
335	}
336
337	for (unsigned int i = 0; i < chain_num; i++)
338	{
339	ret =
340	gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
341	sc->certs_x509_crt_chain[i], 0);
342	if (ret < 0) {
343	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
344	"GnuTLS: Failed to Import pCertificate "
345	"'%s': (%d) %s",
346	file, ret, gnutls_strerror(ret));
347	ret = -1;
348	goto cleanup;
349	}
350	}
351	sc->certs_x509_chain_num = chain_num;
352	}
353
354	if (sc->x509_key_file && sc->privkey_x509 == NULL)
355	{
356	ret = gnutls_privkey_init(&sc->privkey_x509);
357	if (ret < 0) {
358	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
359	"GnuTLS: Failed to initialize: (%d) %s", ret,
360	gnutls_strerror(ret));
361	ret = -1;
362	goto cleanup;
363	}
364
365	if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
366	file = sc->x509_key_file;
367
368	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
369	sc);
370
371	ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
372
373	if (ret < 0) {
374	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
375	"GnuTLS: Failed to Import Private Key URL "
376	"'%s': (%d) %s",
377	file, ret, gnutls_strerror(ret));
378	ret = -1;
379	goto cleanup;
380	}
381	} else {
382	file = ap_server_root_relative(spool, sc->x509_key_file);
383
384	if (load_datum_from_file(spool, file, &data) != 0) {
385	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
386	"GnuTLS: Error Reading Private Key '%s'",
387	file);
388	ret = -1;
389	goto cleanup;
390	}
391
392	ret =
393	gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
394	GNUTLS_X509_FMT_PEM, sc->pin,
395	0);
396
397	if (ret < 0) {
398	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
399	"GnuTLS: Failed to Import Private Key "
400	"'%s': (%d) %s",
401	file, ret, gnutls_strerror(ret));
402	ret = -1;
403	goto cleanup;
404	}
405	}
406	}
407
408	/* Load the X.509 CA file */
409	if (sc->x509_ca_file)
410	{
411	if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
412	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
413	"GnuTLS: Error Reading " "Client CA File '%s'",
414	sc->x509_ca_file);
415	ret = -1;
416	goto cleanup;
417	}
418
419	ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
420	&data, GNUTLS_X509_FMT_PEM, 0);
421	if (ret < 0) {
422	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
423	"GnuTLS: Failed to load "
424	"Client CA File '%s': (%d) %s", sc->x509_ca_file,
425	ret, gnutls_strerror(ret));
426	ret = -1;
427	goto cleanup;
428	}
429	}
430
431	if (sc->priorities_str && sc->priorities == NULL)
432	{
433	const char *err;
434	ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err);
435
436	if (ret < 0) {
437	if (ret == GNUTLS_E_INVALID_REQUEST) {
438	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
439	"GnuTLS: Syntax error parsing priorities string at: %s",
440	err);
441	} else {
442	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
443	"GnuTLS: error parsing priorities string");
444
445	}
446	ret = -1;
447	goto cleanup;
448	}
449	}
450
451	ret = 0;
452	cleanup:
453	apr_pool_destroy(spool);
454
455	return ret;
456	}
457
458	int mgs_pkcs11_reinit(server_rec * base_server)
459	{
460	int ret;
461	server_rec *s;
462	mgs_srvconf_rec *sc;
463
464	gnutls_pkcs11_reinit();
465
466	for (s = base_server; s; s = s->next) {
467	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
468
469	/* gnutls caches the session in a private key, so we need to open
470	* a new one */
471	if (sc->x509_key_file && gnutls_url_is_supported(sc->x509_key_file) != 0) {
472	gnutls_privkey_deinit(sc->privkey_x509);
473
474	ret = gnutls_privkey_init(&sc->privkey_x509);
475	if (ret < 0) {
476	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
477	"GnuTLS: Failed to initialize: (%d) %s", ret,
478	gnutls_strerror(ret));
479	goto fail;
480	}
481
482	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, sc);
483
484	ret = gnutls_privkey_import_url(sc->privkey_x509, sc->x509_key_file, 0);
485	if (ret < 0) {
486	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
487	"GnuTLS: Failed to Re-Import Private Key URL '%s': (%d) %s",
488	sc->x509_key_file, ret, gnutls_strerror(ret));
489	goto fail;
490	}
491	}
492	}
493
494	return 0;
495
496	fail:
497	gnutls_privkey_deinit(sc->privkey_x509);
498	return -1;
499	}
500
501	const char mgs_set_dh_file(cmd_parms parms, void *dummy __attribute__((unused)),
502	const char *arg) {
503	mgs_srvconf_rec *sc =
504	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
505	module_config,
506	&gnutls_module);
507
508	sc->dh_file = ap_server_root_relative(parms->pool, arg);
509
510	return NULL;
511	}
512
513	const char mgs_set_cert_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
514
515	mgs_srvconf_rec *sc =
516	(mgs_srvconf_rec *) ap_get_module_config(parms->
517	server->module_config,
518	&gnutls_module);
519
520	sc->x509_cert_file = apr_pstrdup(parms->pool, arg);
521
522	return NULL;
523
524	}
525
526	const char mgs_set_key_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
527
528	mgs_srvconf_rec *sc =
529	(mgs_srvconf_rec *) ap_get_module_config(parms->
530	server->module_config,
531	&gnutls_module);
532
533	sc->x509_key_file = apr_pstrdup(parms->pool, arg);
534
535	return NULL;
536	}
537
538	const char mgs_set_tickets(cmd_parms parms,
539	void *dummy __attribute__((unused)),
540	const int arg)
541	{
542	mgs_srvconf_rec sc = (mgs_srvconf_rec )
543	ap_get_module_config(parms->server->module_config, &gnutls_module);
544
545	if (arg)
546	sc->tickets = GNUTLS_ENABLED_TRUE;
547	else
548	sc->tickets = GNUTLS_ENABLED_FALSE;
549
550	return NULL;
551	}
552
553
554	#ifdef ENABLE_SRP
555
556	const char mgs_set_srp_tpasswd_file(cmd_parms parms, void *dummy __attribute__((unused)),
557	const char *arg) {
558	mgs_srvconf_rec *sc =
559	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
560	module_config,
561	&gnutls_module);
562
563	sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg);
564
565	return NULL;
566	}
567
568	const char mgs_set_srp_tpasswd_conf_file(cmd_parms parms, void *dummy __attribute__((unused)),
569	const char *arg) {
570	mgs_srvconf_rec *sc =
571	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
572	module_config,
573	&gnutls_module);
574
575	sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg);
576
577	return NULL;
578	}
579
580	#endif
581
582	const char mgs_set_cache(cmd_parms parms,
583	void *dummy __attribute__((unused)),
584	const char type, const char arg)
585	{
586	const char *err;
587	mgs_srvconf_rec *sc =
588	ap_get_module_config(parms->server->module_config,
589	&gnutls_module);
590	if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
591	return err;
592
593	/* none: disable cache */
594	if (strcasecmp("none", type) == 0)
595	{
596	sc->cache_enable = GNUTLS_ENABLED_FALSE;
597	sc->cache_type = NULL;
598	sc->cache_config = NULL;
599	return NULL;
600	}
601
602	sc->cache_enable = GNUTLS_ENABLED_TRUE;
603
604	/* Try to split socache "type:config" style configuration */
605	const char* sep = ap_strchr_c(type, ':');
606	if (sep)
607	{
608	sc->cache_type = apr_pstrmemdup(parms->pool, type, sep - type);
609	if (arg != NULL)
610	{
611	/* No mixing of socache style and legacy config! */
612	return "GnuTLSCache appears to have a mod_socache style "
613	"type:config value, but there is a second parameter!";
614	}
615	arg = ++sep;
616	}
617	else
618	sc->cache_type = apr_pstrdup(parms->pool, type);
619
620	if (arg == NULL)
621	sc->cache_config = "";
622	else
623	sc->cache_config = apr_pstrdup(parms->pool, arg);
624
625	return NULL;
626	}
627
628	const char mgs_set_timeout(cmd_parms parms,
629	void *dummy __attribute__((unused)),
630	const char *arg)
631	{
632	apr_int64_t argint = apr_atoi64(arg);
633	/* timeouts cannot be negative */
634	if (argint < 0)
635	return apr_psprintf(parms->pool, "%s: Invalid argument",
636	parms->directive->directive);
637
638	mgs_srvconf_rec sc = (mgs_srvconf_rec )
639	ap_get_module_config(parms->server->module_config, &gnutls_module);
640
641	if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
642	{
643	const char *err;
644	if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
645	return err;
646	sc->cache_timeout = apr_time_from_sec(argint);
647	}
648	else if (!apr_strnatcasecmp(parms->directive->directive,
649	"GnuTLSOCSPCacheTimeout"))
650	sc->ocsp_cache_time = apr_time_from_sec(argint);
651	else if (!apr_strnatcasecmp(parms->directive->directive,
652	"GnuTLSOCSPFailureTimeout"))
653	sc->ocsp_failure_timeout = apr_time_from_sec(argint);
654	else if (!apr_strnatcasecmp(parms->directive->directive,
655	"GnuTLSOCSPFuzzTime"))
656	sc->ocsp_fuzz_time = apr_time_from_sec(argint);
657	else if (!apr_strnatcasecmp(parms->directive->directive,
658	"GnuTLSOCSPSocketTimeout"))
659	sc->ocsp_socket_timeout = apr_time_from_sec(argint);
660	else
661	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
662	return apr_psprintf(parms->pool,
663	"mod_gnutls: %s called for invalid option '%s'",
664	__func__, parms->directive->directive);
665
666	return NULL;
667	}
668
669	const char mgs_set_client_verify_method(cmd_parms parms, void *dummy __attribute__((unused)),
670	const char *arg) {
671	mgs_srvconf_rec sc = (mgs_srvconf_rec )ap_get_module_config(parms->server->module_config, &gnutls_module);
672
673	if (strcasecmp("cartel", arg) == 0) {
674	sc->client_verify_method = mgs_cvm_cartel;
675	} else if (strcasecmp("msva", arg) == 0) {
676	#ifdef ENABLE_MSVA
677	sc->client_verify_method = mgs_cvm_msva;
678	#else
679	return "GnuTLSClientVerifyMethod: msva is not supported";
680	#endif
681	} else {
682	return "GnuTLSClientVerifyMethod: Invalid argument";
683	}
684
685	return NULL;
686	}
687
688	const char mgs_set_client_verify(cmd_parms parms,
689	void *dirconf,
690	const char *arg) {
691	int mode;
692
693	if (strcasecmp("none", arg) == 0 \|\| strcasecmp("ignore", arg) == 0) {
694	mode = GNUTLS_CERT_IGNORE;
695	} else if (strcasecmp("optional", arg) == 0
696	\|\| strcasecmp("request", arg) == 0) {
697	mode = GNUTLS_CERT_REQUEST;
698	} else if (strcasecmp("require", arg) == 0) {
699	mode = GNUTLS_CERT_REQUIRE;
700	} else {
701	return "GnuTLSClientVerify: Invalid argument";
702	}
703
704	/* This was set from a directory context */
705	if (parms->path) {
706	mgs_dirconf_rec dc = (mgs_dirconf_rec ) dirconf;
707	dc->client_verify_mode = mode;
708	} else {
709	mgs_srvconf_rec sc = (mgs_srvconf_rec )
710	ap_get_module_config(parms->server->module_config,
711	&gnutls_module);
712	sc->client_verify_mode = mode;
713	}
714
715	return NULL;
716	}
717
718	const char mgs_set_client_ca_file(cmd_parms parms, void *dummy __attribute__((unused)),
719	const char *arg) {
720	mgs_srvconf_rec *sc =
721	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
722	module_config,
723	&gnutls_module);
724
725	sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
726
727	return NULL;
728	}
729
730	/*
731	* Enable TLS proxy operation if arg is true, disable it otherwise.
732	*/
733	const char mgs_set_proxy_engine(cmd_parms parms,
734	void *dummy __attribute__((unused)),
735	const int arg)
736	{
737	mgs_srvconf_rec sc = (mgs_srvconf_rec )
738	ap_get_module_config(parms->server->module_config, &gnutls_module);
739
740	if (arg)
741	sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
742	else
743	sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
744
745	return NULL;
746	}
747
748	/*
749	* Enable TLS for the server/vhost if arg is true, disable it
750	* otherwise.
751	*/
752	const char mgs_set_enabled(cmd_parms parms,
753	void *dummy __attribute__((unused)),
754	const int arg)
755	{
756	mgs_srvconf_rec sc = (mgs_srvconf_rec )
757	ap_get_module_config(parms->server->module_config, &gnutls_module);
758
759	if (arg)
760	sc->enabled = GNUTLS_ENABLED_TRUE;
761	else
762	sc->enabled = GNUTLS_ENABLED_FALSE;
763
764	return NULL;
765	}
766
767	const char mgs_set_export_certificates_size(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
768	mgs_srvconf_rec sc = (mgs_srvconf_rec ) ap_get_module_config(parms->server->module_config, &gnutls_module);
769	if (!strcasecmp(arg, "On")) {
770	sc->export_certificates_size = 16 * 1024;
771	} else if (!strcasecmp(arg, "Off")) {
772	sc->export_certificates_size = 0;
773	} else {
774	char *endptr;
775	sc->export_certificates_size = strtol(arg, &endptr, 10);
776	while (apr_isspace(*endptr))
777	endptr++;
778	if (endptr == '\0' \|\| endptr == 'b' \|\| *endptr == 'B') {
779	;
780	} else if (endptr == 'k' \|\| endptr == 'K') {
781	sc->export_certificates_size *= 1024;
782	} else {
783	return
784	"GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
785	}
786	}
787
788	return NULL;
789	}
790
791
792
793	/*
794	* Store GnuTLS priority strings. Used for GnuTLSPriorities and
795	* GnuTLSProxyPriorities.
796	*/
797	const char mgs_set_priorities(cmd_parms parms,
798	void *dummy __attribute__((unused)),
799	const char *arg)
800	{
801	mgs_srvconf_rec sc = (mgs_srvconf_rec )
802	ap_get_module_config(parms->server->module_config, &gnutls_module);
803
804	if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities"))
805	sc->priorities_str = apr_pstrdup(parms->pool, arg);
806	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities"))
807	sc->proxy_priorities_str = apr_pstrdup(parms->pool, arg);
808	else
809	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
810	return apr_psprintf(parms->pool,
811	"mod_gnutls: %s called for invalid option '%s'",
812	__func__, parms->directive->directive);
813
814	return NULL;
815	}
816
817
818
819	const char mgs_set_pin(cmd_parms parms, void *dummy __attribute__((unused)),
820	const char *arg)
821	{
822
823	mgs_srvconf_rec sc = (mgs_srvconf_rec )
824	ap_get_module_config(parms->server->module_config, &gnutls_module);
825
826	sc->pin = apr_pstrdup(parms->pool, arg);
827
828	return NULL;
829	}
830
831	const char mgs_set_srk_pin(cmd_parms parms,
832	void *dummy __attribute__((unused)),
833	const char *arg)
834	{
835
836	mgs_srvconf_rec sc = (mgs_srvconf_rec )
837	ap_get_module_config(parms->server->module_config, &gnutls_module);
838
839	sc->srk_pin = apr_pstrdup(parms->pool, arg);
840
841	return NULL;
842	}
843
844
845
846	static mgs_srvconf_rec _mgs_config_server_create(apr_pool_t p,
847	char **err __attribute__((unused)))
848	{
849	mgs_srvconf_rec sc = apr_pcalloc(p, sizeof(sc));
850
851	sc->enabled = GNUTLS_ENABLED_UNSET;
852
853	sc->privkey_x509 = NULL;
854	sc->anon_creds = NULL;
855	#ifdef ENABLE_SRP
856	sc->srp_creds = NULL;
857	#endif
858	sc->certs = NULL;
859	sc->certs_x509_chain = NULL;
860	sc->certs_x509_crt_chain = NULL;
861	sc->certs_x509_chain_num = 0;
862	sc->p11_modules = NULL;
863	sc->pin = NULL;
864
865	sc->priorities_str = NULL;
866	sc->cache_timeout = MGS_TIMEOUT_UNSET;
867	sc->cache_type = NULL;
868	sc->cache_enable = GNUTLS_ENABLED_UNSET;
869	sc->cache_config = NULL;
870	sc->cache = NULL;
871	sc->tickets = GNUTLS_ENABLED_UNSET;
872	sc->priorities = NULL;
873	sc->dh_params = NULL;
874	sc->dh_file = NULL;
875	sc->ca_list = NULL;
876	sc->ca_list_size = 0;
877	sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
878	sc->export_certificates_size = -1;
879	sc->client_verify_method = mgs_cvm_unset;
880
881	sc->proxy_x509_key_file = NULL;
882	sc->proxy_x509_cert_file = NULL;
883	sc->proxy_x509_ca_file = NULL;
884	sc->proxy_x509_crl_file = NULL;
885	sc->proxy_priorities_str = NULL;
886	sc->proxy_x509_creds = NULL;
887	sc->anon_client_creds = NULL;
888	sc->proxy_priorities = NULL;
889	sc->proxy_x509_tl = NULL;
890
891	sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
892	sc->ocsp_auto_refresh = GNUTLS_ENABLED_UNSET;
893	sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
894	sc->ocsp_response_file = NULL;
895	sc->ocsp_mutex = NULL;
896	sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
897	sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
898	sc->ocsp_fuzz_time = MGS_TIMEOUT_UNSET;
899	sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
900
901	sc->singleton_wd = NULL;
902
903	/* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
904	sc->client_verify_mode = -1;
905
906	return sc;
907	}
908
909	void mgs_config_server_create(apr_pool_t p,
910	server_rec * s __attribute__((unused))) {
911	char *err = NULL;
912	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
913	if (sc)
914	return sc;
915	else
916	return err;
917	}
918
919	#define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t
920	#define gnutls_srvconf_assign(t) sc->t = add->t
921
922	void mgs_config_server_merge(apr_pool_t p, void BASE, void ADD)
923	{
924	int i;
925	char *err = NULL;
926	mgs_srvconf_rec base = (mgs_srvconf_rec ) BASE;
927	mgs_srvconf_rec add = (mgs_srvconf_rec ) ADD;
928	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
929	if (NULL == sc)
930	return err;
931
932	gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET);
933	gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
934	gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
935	gnutls_srvconf_merge(export_certificates_size, -1);
936	gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
937	gnutls_srvconf_merge(client_verify_mode, -1);
938	gnutls_srvconf_merge(srp_tpasswd_file, NULL);
939	gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL);
940	gnutls_srvconf_merge(x509_cert_file, NULL);
941
942	gnutls_srvconf_merge(x509_key_file, NULL);
943	gnutls_srvconf_merge(x509_ca_file, NULL);
944	gnutls_srvconf_merge(p11_modules, NULL);
945	gnutls_srvconf_merge(pin, NULL);
946	gnutls_srvconf_merge(dh_file, NULL);
947	gnutls_srvconf_merge(priorities_str, NULL);
948
949	gnutls_srvconf_merge(proxy_x509_key_file, NULL);
950	gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
951	gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
952	gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
953	gnutls_srvconf_merge(proxy_priorities_str, NULL);
954	gnutls_srvconf_merge(proxy_priorities, NULL);
955
956	gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
957	gnutls_srvconf_merge(ocsp_auto_refresh, GNUTLS_ENABLED_UNSET);
958	gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
959	gnutls_srvconf_assign(ocsp_response_file);
960	gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
961	gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
962	gnutls_srvconf_merge(ocsp_fuzz_time, MGS_TIMEOUT_UNSET);
963	gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
964
965	gnutls_srvconf_assign(ca_list);
966	gnutls_srvconf_assign(ca_list_size);
967	gnutls_srvconf_assign(certs);
968	gnutls_srvconf_assign(anon_creds);
969	gnutls_srvconf_assign(srp_creds);
970	gnutls_srvconf_assign(certs_x509_chain);
971	gnutls_srvconf_assign(certs_x509_crt_chain);
972	gnutls_srvconf_assign(certs_x509_chain_num);
973
974	/* how do these get transferred cleanly before the data from ADD
975	* goes away? */
976	gnutls_srvconf_assign(cert_cn);
977	for (i = 0; i < MAX_CERT_SAN; i++)
978	gnutls_srvconf_assign(cert_san[i]);
979
980	return sc;
981	}
982
983	#undef gnutls_srvconf_merge
984	#undef gnutls_srvconf_assign
985
986	void mgs_config_dir_merge(apr_pool_t p,
987	void *basev __attribute__((unused)),
988	void *addv __attribute__((unused))) {
989	mgs_dirconf_rec *new;
990	/* mgs_dirconf_rec base = (mgs_dirconf_rec ) basev; */
991	mgs_dirconf_rec add = (mgs_dirconf_rec ) addv;
992
993	new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec));
994	new->client_verify_mode = add->client_verify_mode;
995	return new;
996	}
997
998	void mgs_config_dir_create(apr_pool_t p,
999	char *dir __attribute__((unused))) {
1000	mgs_dirconf_rec dc = apr_palloc(p, sizeof (dc));
1001	dc->client_verify_mode = -1;
1002	return dc;
1003	}
1004
1005
1006
1007	/*
1008	* Store paths to proxy credentials
1009	*
1010	* This function copies the paths provided in the configuration file
1011	* into the server configuration. The post configuration hook takes
1012	* care of actually loading the credentials, which means than invalid
1013	* paths or the like will be detected there.
1014	*/
1015	const char mgs_store_cred_path(cmd_parms parms,
1016	void *dummy __attribute__((unused)),
1017	const char *arg)
1018	{
1019	mgs_srvconf_rec sc = (mgs_srvconf_rec )
1020	ap_get_module_config(parms->server->module_config, &gnutls_module);
1021
1022	/* parms->directive->directive contains the directive string */
1023	if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
1024	sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
1025	else if (!strcasecmp(parms->directive->directive,
1026	"GnuTLSProxyCertificateFile"))
1027	sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
1028	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
1029	sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
1030	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCRLFile"))
1031	sc->proxy_x509_crl_file = apr_pstrdup(parms->pool, arg);
1032	return NULL;
1033	}
1034
1035
1036
1037	/*
1038	* Record PKCS #11 module to load. Note that the value is only used in
1039	* the base config, settings in virtual hosts are ignored.
1040	*/
1041	const char mgs_set_p11_module(cmd_parms parms,
1042	void *dummy __attribute__((unused)),
1043	const char *arg)
1044	{
1045	mgs_srvconf_rec sc = (mgs_srvconf_rec )
1046	ap_get_module_config(parms->server->module_config, &gnutls_module);
1047	/* initialize PKCS #11 module list if necessary */
1048	if (sc->p11_modules == NULL)
1049	sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
1050
1051	(char *) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
1052
1053	return NULL;
1054	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_config.c @ b94aee2

Download in other formats: