Context Navigation

gnutls_config.c @ ce5f776

Visit:

asynciodebian/mastermainproxy-ticket

Last change on this file since ce5f776 was ce5f776, checked in by Fiona Klute <fiona.klute@…>, 5 years ago

Move config and post_config of a cache instance to separate functions

This prepares the infrastructure for multiple caches and simplifies
the server configuration structure.

Property mode set to 100644

File size: 32.4 KB

Line
1	/*
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
4	* Copyright 2011 Dash Shendy
5	* Copyright 2015-2018 Fiona Klute
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License");
8	* you may not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS,
15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*/
19
20	#include "gnutls_cache.h"
21	#include "gnutls_config.h"
22	#include "mod_gnutls.h"
23	#include "gnutls_ocsp.h"
24	#include "apr_lib.h"
25	#include <gnutls/abstract.h>
26
27	#define INIT_CA_SIZE 128
28
29	#ifdef APLOG_USE_MODULE
30	APLOG_USE_MODULE(gnutls);
31	#endif
32
33	static int pin_callback(void *user, int attempt __attribute__((unused)),
34	const char *token_url __attribute__((unused)),
35	const char *token_label, unsigned int flags,
36	char *pin, size_t pin_max)
37	{
38	mgs_srvconf_rec *sc = user;
39
40	if (sc->pin == NULL \|\| flags & GNUTLS_PIN_FINAL_TRY \|\|
41	flags & GNUTLS_PIN_WRONG) {
42	return -1;
43	}
44
45	if (token_label && strcmp(token_label, "SRK") == 0) {
46	snprintf(pin, pin_max, "%s", sc->srk_pin);
47	} else {
48	snprintf(pin, pin_max, "%s", sc->pin);
49	}
50	return 0;
51	}
52
53	static int load_datum_from_file(apr_pool_t * pool,
54	const char file, gnutls_datum_t data)
55	{
56	apr_file_t *fp;
57	apr_finfo_t finfo;
58	apr_status_t rv;
59	apr_size_t br = 0;
60
61	rv = apr_file_open(&fp, file, APR_READ \| APR_BINARY,
62	APR_OS_DEFAULT, pool);
63	if (rv != APR_SUCCESS) {
64	return rv;
65	}
66
67	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
68
69	if (rv != APR_SUCCESS) {
70	return rv;
71	}
72
73	data->data = apr_palloc(pool, finfo.size + 1);
74	rv = apr_file_read_full(fp, data->data, finfo.size, &br);
75
76	if (rv != APR_SUCCESS) {
77	return rv;
78	}
79	apr_file_close(fp);
80
81	data->data[br] = '\0';
82	data->size = br;
83
84	return 0;
85	}
86
87
88
89	/**
90	* Clean up the various GnuTLS data structures allocated by
91	* mgs_load_files()
92	*/
93	static apr_status_t mgs_pool_free_credentials(void *arg)
94	{
95	mgs_srvconf_rec sc = (mgs_srvconf_rec ) arg;
96
97	if (sc->certs)
98	{
99	gnutls_certificate_free_credentials(sc->certs);
100	sc->certs = NULL;
101	}
102
103	if (sc->anon_creds)
104	{
105	gnutls_anon_free_server_credentials(sc->anon_creds);
106	sc->anon_creds = NULL;
107	}
108
109	#ifdef ENABLE_SRP
110	if (sc->srp_creds)
111	{
112	gnutls_srp_free_server_credentials(sc->srp_creds);
113	sc->srp_creds = NULL;
114	}
115	#endif
116
117	if (sc->dh_params)
118	{
119	gnutls_dh_params_deinit(sc->dh_params);
120	sc->dh_params = NULL;
121	}
122
123	for (unsigned int i = 0; i < sc->certs_x509_chain_num; i++)
124	{
125	gnutls_pcert_deinit(&sc->certs_x509_chain[i]);
126	gnutls_x509_crt_deinit(sc->certs_x509_crt_chain[i]);
127	}
128
129	if (sc->privkey_x509)
130	{
131	gnutls_privkey_deinit(sc->privkey_x509);
132	sc->privkey_x509 = NULL;
133	}
134
135	if (sc->ca_list)
136	{
137	for (unsigned int i = 0; i < sc->ca_list_size; i++)
138	{
139	gnutls_x509_crt_deinit(sc->ca_list[i]);
140	}
141	gnutls_free(sc->ca_list);
142	sc->ca_list = NULL;
143	}
144
145	if (sc->priorities)
146	{
147	gnutls_priority_deinit(sc->priorities);
148	sc->priorities = NULL;
149	}
150
151	return APR_SUCCESS;
152	}
153
154	int mgs_load_files(apr_pool_t pconf, apr_pool_t ptemp, server_rec *s)
155	{
156	apr_pool_t *spool;
157	const char *file;
158	gnutls_datum_t data;
159	int ret;
160	mgs_srvconf_rec *sc =
161	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
162	&gnutls_module);
163
164	apr_pool_create(&spool, ptemp);
165
166	/* Cleanup function for the GnuTLS structures allocated below */
167	apr_pool_cleanup_register(pconf, sc, mgs_pool_free_credentials,
168	apr_pool_cleanup_null);
169
170	if (sc->certs == NULL)
171	{
172	ret = gnutls_certificate_allocate_credentials(&sc->certs);
173	if (ret < 0) {
174	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
175	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
176	gnutls_strerror(ret));
177	ret = -1;
178	goto cleanup;
179	}
180	}
181
182	if (sc->anon_creds == NULL)
183	{
184	ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
185	if (ret < 0) {
186	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
187	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
188	gnutls_strerror(ret));
189	ret = -1;
190	goto cleanup;
191	}
192	}
193
194	/* Load SRP parameters */
195	#ifdef ENABLE_SRP
196	if (sc->srp_creds == NULL)
197	{
198	ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
199	if (ret < 0) {
200	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
201	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
202	gnutls_strerror(ret));
203	ret = -1;
204	goto cleanup;
205	}
206	}
207
208	if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL)
209	{
210	ret = gnutls_srp_set_server_credentials_file
211	(sc->srp_creds, sc->srp_tpasswd_file,
212	sc->srp_tpasswd_conf_file);
213
214	if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
215	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
216	"GnuTLS: Host '%s:%d' is missing a "
217	"SRP password or conf File!",
218	s->server_hostname, s->port);
219	ret = -1;
220	goto cleanup;
221	}
222	}
223	#endif
224
225	/* Load user provided DH parameters, if any */
226	if (sc->dh_file)
227	{
228	if (sc->dh_params == NULL)
229	{
230	ret = gnutls_dh_params_init(&sc->dh_params);
231	if (ret < 0) {
232	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
233	"GnuTLS: Failed to initialize"
234	": (%d) %s", ret, gnutls_strerror(ret));
235	ret = -1;
236	goto cleanup;
237	}
238	}
239
240	if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
241	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
242	"GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
243	ret = -1;
244	goto cleanup;
245	}
246
247	ret =
248	gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
249	GNUTLS_X509_FMT_PEM);
250	if (ret < 0) {
251	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
252	"GnuTLS: Failed to Import "
253	"DH params '%s': (%d) %s", sc->dh_file, ret,
254	gnutls_strerror(ret));
255	ret = -1;
256	goto cleanup;
257	}
258	}
259
260	if (sc->x509_cert_file != NULL && sc->certs_x509_crt_chain == NULL)
261	{
262	sc->certs_x509_chain =
263	apr_pcalloc(pconf,
264	MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
265	sc->certs_x509_crt_chain =
266	apr_pcalloc(pconf,
267	MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
268	unsigned int chain_num = MAX_CHAIN_SIZE;
269	unsigned format = GNUTLS_X509_FMT_PEM;
270
271	/* Load X.509 certificate */
272	if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
273	gnutls_pkcs11_obj_t obj;
274
275	file = sc->x509_cert_file;
276
277	ret = gnutls_pkcs11_obj_init(&obj);
278	if (ret < 0) {
279	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
280	"GnuTLS: Error Initializing PKCS #11 object");
281	ret = -1;
282	goto cleanup;
283	}
284
285	gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
286
287	ret = gnutls_pkcs11_obj_import_url(obj, file,
288	GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
289	if (ret < 0) {
290	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
291	"GnuTLS: Error Importing PKCS #11 object: "
292	"'%s': %s",
293	file, gnutls_strerror(ret));
294	ret = -1;
295	goto cleanup;
296	}
297
298	format = GNUTLS_X509_FMT_DER;
299	ret = gnutls_pkcs11_obj_export2(obj, &data);
300	if (ret < 0) {
301	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
302	"GnuTLS: Error Exporting a PKCS #11 object: "
303	"'%s': %s",
304	file, gnutls_strerror(ret));
305	ret = -1;
306	goto cleanup;
307	}
308
309	gnutls_pkcs11_obj_deinit(obj);
310	} else {
311	file = ap_server_root_relative(spool, sc->x509_cert_file);
312
313	ret = gnutls_load_file(file, &data);
314	if (ret < 0) {
315	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
316	"GnuTLS: Error Reading Certificate '%s': %s",
317	file, gnutls_strerror(ret));
318	ret = -1;
319	goto cleanup;
320	}
321	}
322
323	ret = gnutls_x509_crt_list_import(sc->certs_x509_crt_chain,
324	&chain_num, &data, format,
325	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
326	gnutls_free(data.data);
327	sc->certs_x509_chain_num = chain_num;
328
329	if (ret < 0) {
330	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
331	"GnuTLS: Failed to Import Certificate Chain "
332	"'%s': (%d) %s",
333	file, ret, gnutls_strerror(ret));
334	ret = -1;
335	goto cleanup;
336	}
337
338	for (unsigned int i = 0; i < chain_num; i++)
339	{
340	ret =
341	gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
342	sc->certs_x509_crt_chain[i], 0);
343	if (ret < 0) {
344	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
345	"GnuTLS: Failed to Import pCertificate "
346	"'%s': (%d) %s",
347	file, ret, gnutls_strerror(ret));
348	ret = -1;
349	goto cleanup;
350	}
351	}
352	sc->certs_x509_chain_num = chain_num;
353	}
354
355	if (sc->x509_key_file && sc->privkey_x509 == NULL)
356	{
357	ret = gnutls_privkey_init(&sc->privkey_x509);
358	if (ret < 0) {
359	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
360	"GnuTLS: Failed to initialize: (%d) %s", ret,
361	gnutls_strerror(ret));
362	ret = -1;
363	goto cleanup;
364	}
365
366	if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
367	file = sc->x509_key_file;
368
369	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
370	sc);
371
372	ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
373
374	if (ret < 0) {
375	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
376	"GnuTLS: Failed to Import Private Key URL "
377	"'%s': (%d) %s",
378	file, ret, gnutls_strerror(ret));
379	ret = -1;
380	goto cleanup;
381	}
382	} else {
383	file = ap_server_root_relative(spool, sc->x509_key_file);
384
385	if (load_datum_from_file(spool, file, &data) != 0) {
386	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
387	"GnuTLS: Error Reading Private Key '%s'",
388	file);
389	ret = -1;
390	goto cleanup;
391	}
392
393	ret =
394	gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
395	GNUTLS_X509_FMT_PEM, sc->pin,
396	0);
397
398	if (ret < 0) {
399	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
400	"GnuTLS: Failed to Import Private Key "
401	"'%s': (%d) %s",
402	file, ret, gnutls_strerror(ret));
403	ret = -1;
404	goto cleanup;
405	}
406	}
407	}
408
409	/* Load the X.509 CA file */
410	if (sc->x509_ca_file)
411	{
412	if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
413	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
414	"GnuTLS: Error Reading " "Client CA File '%s'",
415	sc->x509_ca_file);
416	ret = -1;
417	goto cleanup;
418	}
419
420	ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
421	&data, GNUTLS_X509_FMT_PEM, 0);
422	if (ret < 0) {
423	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
424	"GnuTLS: Failed to load "
425	"Client CA File '%s': (%d) %s", sc->x509_ca_file,
426	ret, gnutls_strerror(ret));
427	ret = -1;
428	goto cleanup;
429	}
430	}
431
432	if (sc->priorities_str && sc->priorities == NULL)
433	{
434	const char *err;
435	ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err);
436
437	if (ret < 0) {
438	if (ret == GNUTLS_E_INVALID_REQUEST) {
439	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
440	"GnuTLS: Syntax error parsing priorities string at: %s",
441	err);
442	} else {
443	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
444	"GnuTLS: error parsing priorities string");
445
446	}
447	ret = -1;
448	goto cleanup;
449	}
450	}
451
452	ret = 0;
453	cleanup:
454	apr_pool_destroy(spool);
455
456	return ret;
457	}
458
459	int mgs_pkcs11_reinit(server_rec * base_server)
460	{
461	int ret;
462	server_rec *s;
463	mgs_srvconf_rec *sc;
464
465	gnutls_pkcs11_reinit();
466
467	for (s = base_server; s; s = s->next) {
468	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
469
470	/* gnutls caches the session in a private key, so we need to open
471	* a new one */
472	if (sc->x509_key_file && gnutls_url_is_supported(sc->x509_key_file) != 0) {
473	gnutls_privkey_deinit(sc->privkey_x509);
474
475	ret = gnutls_privkey_init(&sc->privkey_x509);
476	if (ret < 0) {
477	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
478	"GnuTLS: Failed to initialize: (%d) %s", ret,
479	gnutls_strerror(ret));
480	goto fail;
481	}
482
483	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, sc);
484
485	ret = gnutls_privkey_import_url(sc->privkey_x509, sc->x509_key_file, 0);
486	if (ret < 0) {
487	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
488	"GnuTLS: Failed to Re-Import Private Key URL '%s': (%d) %s",
489	sc->x509_key_file, ret, gnutls_strerror(ret));
490	goto fail;
491	}
492	}
493	}
494
495	return 0;
496
497	fail:
498	gnutls_privkey_deinit(sc->privkey_x509);
499	return -1;
500	}
501
502	const char mgs_set_dh_file(cmd_parms parms, void *dummy __attribute__((unused)),
503	const char *arg) {
504	mgs_srvconf_rec *sc =
505	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
506	module_config,
507	&gnutls_module);
508
509	sc->dh_file = ap_server_root_relative(parms->pool, arg);
510
511	return NULL;
512	}
513
514	const char mgs_set_cert_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
515
516	mgs_srvconf_rec *sc =
517	(mgs_srvconf_rec *) ap_get_module_config(parms->
518	server->module_config,
519	&gnutls_module);
520
521	sc->x509_cert_file = apr_pstrdup(parms->pool, arg);
522
523	return NULL;
524
525	}
526
527	const char mgs_set_key_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
528
529	mgs_srvconf_rec *sc =
530	(mgs_srvconf_rec *) ap_get_module_config(parms->
531	server->module_config,
532	&gnutls_module);
533
534	sc->x509_key_file = apr_pstrdup(parms->pool, arg);
535
536	return NULL;
537	}
538
539	const char mgs_set_tickets(cmd_parms parms,
540	void *dummy __attribute__((unused)),
541	const int arg)
542	{
543	mgs_srvconf_rec sc = (mgs_srvconf_rec )
544	ap_get_module_config(parms->server->module_config, &gnutls_module);
545
546	if (arg)
547	sc->tickets = GNUTLS_ENABLED_TRUE;
548	else
549	sc->tickets = GNUTLS_ENABLED_FALSE;
550
551	return NULL;
552	}
553
554
555	#ifdef ENABLE_SRP
556
557	const char mgs_set_srp_tpasswd_file(cmd_parms parms, void *dummy __attribute__((unused)),
558	const char *arg) {
559	mgs_srvconf_rec *sc =
560	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
561	module_config,
562	&gnutls_module);
563
564	sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg);
565
566	return NULL;
567	}
568
569	const char mgs_set_srp_tpasswd_conf_file(cmd_parms parms, void *dummy __attribute__((unused)),
570	const char *arg) {
571	mgs_srvconf_rec *sc =
572	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
573	module_config,
574	&gnutls_module);
575
576	sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg);
577
578	return NULL;
579	}
580
581	#endif
582
583	const char mgs_set_cache(cmd_parms parms,
584	void *dummy __attribute__((unused)),
585	const char type, const char arg)
586	{
587	const char *err;
588	mgs_srvconf_rec *sc =
589	ap_get_module_config(parms->server->module_config,
590	&gnutls_module);
591	if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
592	return err;
593
594	/* none: disable cache */
595	if (strcasecmp("none", type) == 0)
596	{
597	sc->cache_enable = GNUTLS_ENABLED_FALSE;
598	return NULL;
599	}
600
601	sc->cache_enable = GNUTLS_ENABLED_TRUE;
602
603	/* Try to split socache "type:config" style configuration */
604	const char* sep = ap_strchr_c(type, ':');
605	if (sep)
606	{
607	type = apr_pstrmemdup(parms->temp_pool, type, sep - type);
608	if (arg != NULL)
609	{
610	/* No mixing of socache style and legacy config! */
611	return "GnuTLSCache appears to have a mod_socache style "
612	"type:config value, but there is a second parameter!";
613	}
614	arg = ++sep;
615	}
616
617	return mgs_cache_inst_config(&sc->cache, parms->server,
618	type, arg,
619	parms->pool, parms->temp_pool);
620	}
621
622	const char mgs_set_timeout(cmd_parms parms,
623	void *dummy __attribute__((unused)),
624	const char *arg)
625	{
626	apr_int64_t argint = apr_atoi64(arg);
627	/* timeouts cannot be negative */
628	if (argint < 0)
629	return apr_psprintf(parms->pool, "%s: Invalid argument",
630	parms->directive->directive);
631
632	mgs_srvconf_rec sc = (mgs_srvconf_rec )
633	ap_get_module_config(parms->server->module_config, &gnutls_module);
634
635	if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
636	sc->cache_timeout = apr_time_from_sec(argint);
637	else if (!apr_strnatcasecmp(parms->directive->directive,
638	"GnuTLSOCSPCacheTimeout"))
639	sc->ocsp_cache_time = apr_time_from_sec(argint);
640	else if (!apr_strnatcasecmp(parms->directive->directive,
641	"GnuTLSOCSPFailureTimeout"))
642	sc->ocsp_failure_timeout = apr_time_from_sec(argint);
643	else if (!apr_strnatcasecmp(parms->directive->directive,
644	"GnuTLSOCSPFuzzTime"))
645	sc->ocsp_fuzz_time = apr_time_from_sec(argint);
646	else if (!apr_strnatcasecmp(parms->directive->directive,
647	"GnuTLSOCSPSocketTimeout"))
648	sc->ocsp_socket_timeout = apr_time_from_sec(argint);
649	else
650	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
651	return apr_psprintf(parms->pool,
652	"mod_gnutls: %s called for invalid option '%s'",
653	__func__, parms->directive->directive);
654
655	return NULL;
656	}
657
658	const char mgs_set_client_verify_method(cmd_parms parms, void *dummy __attribute__((unused)),
659	const char *arg) {
660	mgs_srvconf_rec sc = (mgs_srvconf_rec )ap_get_module_config(parms->server->module_config, &gnutls_module);
661
662	if (strcasecmp("cartel", arg) == 0) {
663	sc->client_verify_method = mgs_cvm_cartel;
664	} else if (strcasecmp("msva", arg) == 0) {
665	#ifdef ENABLE_MSVA
666	sc->client_verify_method = mgs_cvm_msva;
667	#else
668	return "GnuTLSClientVerifyMethod: msva is not supported";
669	#endif
670	} else {
671	return "GnuTLSClientVerifyMethod: Invalid argument";
672	}
673
674	return NULL;
675	}
676
677	const char mgs_set_client_verify(cmd_parms parms,
678	void *dirconf,
679	const char *arg) {
680	int mode;
681
682	if (strcasecmp("none", arg) == 0 \|\| strcasecmp("ignore", arg) == 0) {
683	mode = GNUTLS_CERT_IGNORE;
684	} else if (strcasecmp("optional", arg) == 0
685	\|\| strcasecmp("request", arg) == 0) {
686	mode = GNUTLS_CERT_REQUEST;
687	} else if (strcasecmp("require", arg) == 0) {
688	mode = GNUTLS_CERT_REQUIRE;
689	} else {
690	return "GnuTLSClientVerify: Invalid argument";
691	}
692
693	/* This was set from a directory context */
694	if (parms->path) {
695	mgs_dirconf_rec dc = (mgs_dirconf_rec ) dirconf;
696	dc->client_verify_mode = mode;
697	} else {
698	mgs_srvconf_rec sc = (mgs_srvconf_rec )
699	ap_get_module_config(parms->server->module_config,
700	&gnutls_module);
701	sc->client_verify_mode = mode;
702	}
703
704	return NULL;
705	}
706
707	const char mgs_set_client_ca_file(cmd_parms parms, void *dummy __attribute__((unused)),
708	const char *arg) {
709	mgs_srvconf_rec *sc =
710	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
711	module_config,
712	&gnutls_module);
713
714	sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
715
716	return NULL;
717	}
718
719	/*
720	* Enable TLS proxy operation if arg is true, disable it otherwise.
721	*/
722	const char mgs_set_proxy_engine(cmd_parms parms,
723	void *dummy __attribute__((unused)),
724	const int arg)
725	{
726	mgs_srvconf_rec sc = (mgs_srvconf_rec )
727	ap_get_module_config(parms->server->module_config, &gnutls_module);
728
729	if (arg)
730	sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
731	else
732	sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
733
734	return NULL;
735	}
736
737	/*
738	* Enable TLS for the server/vhost if arg is true, disable it
739	* otherwise.
740	*/
741	const char mgs_set_enabled(cmd_parms parms,
742	void *dummy __attribute__((unused)),
743	const int arg)
744	{
745	mgs_srvconf_rec sc = (mgs_srvconf_rec )
746	ap_get_module_config(parms->server->module_config, &gnutls_module);
747
748	if (arg)
749	sc->enabled = GNUTLS_ENABLED_TRUE;
750	else
751	sc->enabled = GNUTLS_ENABLED_FALSE;
752
753	return NULL;
754	}
755
756	const char mgs_set_export_certificates_size(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
757	mgs_srvconf_rec sc = (mgs_srvconf_rec ) ap_get_module_config(parms->server->module_config, &gnutls_module);
758	if (!strcasecmp(arg, "On")) {
759	sc->export_certificates_size = 16 * 1024;
760	} else if (!strcasecmp(arg, "Off")) {
761	sc->export_certificates_size = 0;
762	} else {
763	char *endptr;
764	sc->export_certificates_size = strtol(arg, &endptr, 10);
765	while (apr_isspace(*endptr))
766	endptr++;
767	if (endptr == '\0' \|\| endptr == 'b' \|\| *endptr == 'B') {
768	;
769	} else if (endptr == 'k' \|\| endptr == 'K') {
770	sc->export_certificates_size *= 1024;
771	} else {
772	return
773	"GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
774	}
775	}
776
777	return NULL;
778	}
779
780
781
782	/*
783	* Store GnuTLS priority strings. Used for GnuTLSPriorities and
784	* GnuTLSProxyPriorities.
785	*/
786	const char mgs_set_priorities(cmd_parms parms,
787	void *dummy __attribute__((unused)),
788	const char *arg)
789	{
790	mgs_srvconf_rec sc = (mgs_srvconf_rec )
791	ap_get_module_config(parms->server->module_config, &gnutls_module);
792
793	if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities"))
794	sc->priorities_str = apr_pstrdup(parms->pool, arg);
795	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities"))
796	sc->proxy_priorities_str = apr_pstrdup(parms->pool, arg);
797	else
798	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
799	return apr_psprintf(parms->pool,
800	"mod_gnutls: %s called for invalid option '%s'",
801	__func__, parms->directive->directive);
802
803	return NULL;
804	}
805
806
807
808	const char mgs_set_pin(cmd_parms parms, void *dummy __attribute__((unused)),
809	const char *arg)
810	{
811
812	mgs_srvconf_rec sc = (mgs_srvconf_rec )
813	ap_get_module_config(parms->server->module_config, &gnutls_module);
814
815	sc->pin = apr_pstrdup(parms->pool, arg);
816
817	return NULL;
818	}
819
820	const char mgs_set_srk_pin(cmd_parms parms,
821	void *dummy __attribute__((unused)),
822	const char *arg)
823	{
824
825	mgs_srvconf_rec sc = (mgs_srvconf_rec )
826	ap_get_module_config(parms->server->module_config, &gnutls_module);
827
828	sc->srk_pin = apr_pstrdup(parms->pool, arg);
829
830	return NULL;
831	}
832
833
834
835	static mgs_srvconf_rec _mgs_config_server_create(apr_pool_t p,
836	char **err __attribute__((unused)))
837	{
838	mgs_srvconf_rec sc = apr_pcalloc(p, sizeof(sc));
839
840	sc->enabled = GNUTLS_ENABLED_UNSET;
841
842	sc->privkey_x509 = NULL;
843	sc->anon_creds = NULL;
844	#ifdef ENABLE_SRP
845	sc->srp_creds = NULL;
846	#endif
847	sc->certs = NULL;
848	sc->certs_x509_chain = NULL;
849	sc->certs_x509_crt_chain = NULL;
850	sc->certs_x509_chain_num = 0;
851	sc->p11_modules = NULL;
852	sc->pin = NULL;
853
854	sc->priorities_str = NULL;
855	sc->cache_timeout = MGS_TIMEOUT_UNSET;
856	sc->cache_enable = GNUTLS_ENABLED_UNSET;
857	sc->cache = NULL;
858	sc->tickets = GNUTLS_ENABLED_UNSET;
859	sc->priorities = NULL;
860	sc->dh_params = NULL;
861	sc->dh_file = NULL;
862	sc->ca_list = NULL;
863	sc->ca_list_size = 0;
864	sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
865	sc->export_certificates_size = -1;
866	sc->client_verify_method = mgs_cvm_unset;
867
868	sc->proxy_x509_key_file = NULL;
869	sc->proxy_x509_cert_file = NULL;
870	sc->proxy_x509_ca_file = NULL;
871	sc->proxy_x509_crl_file = NULL;
872	sc->proxy_priorities_str = NULL;
873	sc->proxy_x509_creds = NULL;
874	sc->anon_client_creds = NULL;
875	sc->proxy_priorities = NULL;
876	sc->proxy_x509_tl = NULL;
877
878	sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
879	sc->ocsp_auto_refresh = GNUTLS_ENABLED_UNSET;
880	sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
881	sc->ocsp_response_file = NULL;
882	sc->ocsp_mutex = NULL;
883	sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
884	sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
885	sc->ocsp_fuzz_time = MGS_TIMEOUT_UNSET;
886	sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
887
888	sc->singleton_wd = NULL;
889
890	/* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
891	sc->client_verify_mode = -1;
892
893	return sc;
894	}
895
896	void mgs_config_server_create(apr_pool_t p,
897	server_rec * s __attribute__((unused))) {
898	char *err = NULL;
899	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
900	if (sc)
901	return sc;
902	else
903	return err;
904	}
905
906	#define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t
907	#define gnutls_srvconf_assign(t) sc->t = add->t
908
909	void mgs_config_server_merge(apr_pool_t p, void BASE, void ADD)
910	{
911	int i;
912	char *err = NULL;
913	mgs_srvconf_rec base = (mgs_srvconf_rec ) BASE;
914	mgs_srvconf_rec add = (mgs_srvconf_rec ) ADD;
915	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
916	if (NULL == sc)
917	return err;
918
919	gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET);
920	gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
921	gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
922	gnutls_srvconf_merge(export_certificates_size, -1);
923	gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
924	gnutls_srvconf_merge(client_verify_mode, -1);
925	gnutls_srvconf_merge(srp_tpasswd_file, NULL);
926	gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL);
927	gnutls_srvconf_merge(x509_cert_file, NULL);
928
929	gnutls_srvconf_merge(x509_key_file, NULL);
930	gnutls_srvconf_merge(x509_ca_file, NULL);
931	gnutls_srvconf_merge(p11_modules, NULL);
932	gnutls_srvconf_merge(pin, NULL);
933	gnutls_srvconf_merge(dh_file, NULL);
934	gnutls_srvconf_merge(priorities_str, NULL);
935	gnutls_srvconf_merge(cache_timeout, MGS_TIMEOUT_UNSET);
936
937	gnutls_srvconf_merge(proxy_x509_key_file, NULL);
938	gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
939	gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
940	gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
941	gnutls_srvconf_merge(proxy_priorities_str, NULL);
942	gnutls_srvconf_merge(proxy_priorities, NULL);
943
944	gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
945	gnutls_srvconf_merge(ocsp_auto_refresh, GNUTLS_ENABLED_UNSET);
946	gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
947	gnutls_srvconf_assign(ocsp_response_file);
948	gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
949	gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
950	gnutls_srvconf_merge(ocsp_fuzz_time, MGS_TIMEOUT_UNSET);
951	gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
952
953	gnutls_srvconf_assign(ca_list);
954	gnutls_srvconf_assign(ca_list_size);
955	gnutls_srvconf_assign(certs);
956	gnutls_srvconf_assign(anon_creds);
957	gnutls_srvconf_assign(srp_creds);
958	gnutls_srvconf_assign(certs_x509_chain);
959	gnutls_srvconf_assign(certs_x509_crt_chain);
960	gnutls_srvconf_assign(certs_x509_chain_num);
961
962	/* how do these get transferred cleanly before the data from ADD
963	* goes away? */
964	gnutls_srvconf_assign(cert_cn);
965	for (i = 0; i < MAX_CERT_SAN; i++)
966	gnutls_srvconf_assign(cert_san[i]);
967
968	return sc;
969	}
970
971	#undef gnutls_srvconf_merge
972	#undef gnutls_srvconf_assign
973
974	void mgs_config_dir_merge(apr_pool_t p,
975	void *basev __attribute__((unused)),
976	void *addv __attribute__((unused))) {
977	mgs_dirconf_rec *new;
978	/* mgs_dirconf_rec base = (mgs_dirconf_rec ) basev; */
979	mgs_dirconf_rec add = (mgs_dirconf_rec ) addv;
980
981	new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec));
982	new->client_verify_mode = add->client_verify_mode;
983	return new;
984	}
985
986	void mgs_config_dir_create(apr_pool_t p,
987	char *dir __attribute__((unused))) {
988	mgs_dirconf_rec dc = apr_palloc(p, sizeof (dc));
989	dc->client_verify_mode = -1;
990	return dc;
991	}
992
993
994
995	/*
996	* Store paths to proxy credentials
997	*
998	* This function copies the paths provided in the configuration file
999	* into the server configuration. The post configuration hook takes
1000	* care of actually loading the credentials, which means than invalid
1001	* paths or the like will be detected there.
1002	*/
1003	const char mgs_store_cred_path(cmd_parms parms,
1004	void *dummy __attribute__((unused)),
1005	const char *arg)
1006	{
1007	mgs_srvconf_rec sc = (mgs_srvconf_rec )
1008	ap_get_module_config(parms->server->module_config, &gnutls_module);
1009
1010	/* parms->directive->directive contains the directive string */
1011	if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
1012	sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
1013	else if (!strcasecmp(parms->directive->directive,
1014	"GnuTLSProxyCertificateFile"))
1015	sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
1016	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
1017	sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
1018	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCRLFile"))
1019	sc->proxy_x509_crl_file = apr_pstrdup(parms->pool, arg);
1020	return NULL;
1021	}
1022
1023
1024
1025	/*
1026	* Record PKCS #11 module to load. Note that the value is only used in
1027	* the base config, settings in virtual hosts are ignored.
1028	*/
1029	const char mgs_set_p11_module(cmd_parms parms,
1030	void *dummy __attribute__((unused)),
1031	const char *arg)
1032	{
1033	mgs_srvconf_rec sc = (mgs_srvconf_rec )
1034	ap_get_module_config(parms->server->module_config, &gnutls_module);
1035	/* initialize PKCS #11 module list if necessary */
1036	if (sc->p11_modules == NULL)
1037	sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
1038
1039	(char *) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
1040
1041	return NULL;
1042	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_config.c @ ce5f776

Download in other formats: