Context Navigation

gnutls_config.c @ d036f96

Visit:

asynciodebian/mastermainproxy-ticket

Last change on this file since d036f96 was d036f96, checked in by Fiona Klute <fiona.klute@…>, 5 years ago

Add configuration directive GnuTLSOCSPCache (no-op for now)

First step to a separate cache for OCSP data.

Property mode set to 100644

File size: 33.0 KB

Line
1	/*
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
4	* Copyright 2011 Dash Shendy
5	* Copyright 2015-2018 Fiona Klute
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License");
8	* you may not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS,
15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*/
19
20	#include "gnutls_cache.h"
21	#include "gnutls_config.h"
22	#include "mod_gnutls.h"
23	#include "gnutls_ocsp.h"
24	#include "apr_lib.h"
25	#include <gnutls/abstract.h>
26
27	#define INIT_CA_SIZE 128
28
29	#ifdef APLOG_USE_MODULE
30	APLOG_USE_MODULE(gnutls);
31	#endif
32
33	static int pin_callback(void *user, int attempt __attribute__((unused)),
34	const char *token_url __attribute__((unused)),
35	const char *token_label, unsigned int flags,
36	char *pin, size_t pin_max)
37	{
38	mgs_srvconf_rec *sc = user;
39
40	if (sc->pin == NULL \|\| flags & GNUTLS_PIN_FINAL_TRY \|\|
41	flags & GNUTLS_PIN_WRONG) {
42	return -1;
43	}
44
45	if (token_label && strcmp(token_label, "SRK") == 0) {
46	snprintf(pin, pin_max, "%s", sc->srk_pin);
47	} else {
48	snprintf(pin, pin_max, "%s", sc->pin);
49	}
50	return 0;
51	}
52
53	static int load_datum_from_file(apr_pool_t * pool,
54	const char file, gnutls_datum_t data)
55	{
56	apr_file_t *fp;
57	apr_finfo_t finfo;
58	apr_status_t rv;
59	apr_size_t br = 0;
60
61	rv = apr_file_open(&fp, file, APR_READ \| APR_BINARY,
62	APR_OS_DEFAULT, pool);
63	if (rv != APR_SUCCESS) {
64	return rv;
65	}
66
67	rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
68
69	if (rv != APR_SUCCESS) {
70	return rv;
71	}
72
73	data->data = apr_palloc(pool, finfo.size + 1);
74	rv = apr_file_read_full(fp, data->data, finfo.size, &br);
75
76	if (rv != APR_SUCCESS) {
77	return rv;
78	}
79	apr_file_close(fp);
80
81	data->data[br] = '\0';
82	data->size = br;
83
84	return 0;
85	}
86
87
88
89	/**
90	* Clean up the various GnuTLS data structures allocated by
91	* mgs_load_files()
92	*/
93	static apr_status_t mgs_pool_free_credentials(void *arg)
94	{
95	mgs_srvconf_rec sc = (mgs_srvconf_rec ) arg;
96
97	if (sc->certs)
98	{
99	gnutls_certificate_free_credentials(sc->certs);
100	sc->certs = NULL;
101	}
102
103	if (sc->anon_creds)
104	{
105	gnutls_anon_free_server_credentials(sc->anon_creds);
106	sc->anon_creds = NULL;
107	}
108
109	#ifdef ENABLE_SRP
110	if (sc->srp_creds)
111	{
112	gnutls_srp_free_server_credentials(sc->srp_creds);
113	sc->srp_creds = NULL;
114	}
115	#endif
116
117	if (sc->dh_params)
118	{
119	gnutls_dh_params_deinit(sc->dh_params);
120	sc->dh_params = NULL;
121	}
122
123	for (unsigned int i = 0; i < sc->certs_x509_chain_num; i++)
124	{
125	gnutls_pcert_deinit(&sc->certs_x509_chain[i]);
126	gnutls_x509_crt_deinit(sc->certs_x509_crt_chain[i]);
127	}
128
129	if (sc->privkey_x509)
130	{
131	gnutls_privkey_deinit(sc->privkey_x509);
132	sc->privkey_x509 = NULL;
133	}
134
135	if (sc->ca_list)
136	{
137	for (unsigned int i = 0; i < sc->ca_list_size; i++)
138	{
139	gnutls_x509_crt_deinit(sc->ca_list[i]);
140	}
141	gnutls_free(sc->ca_list);
142	sc->ca_list = NULL;
143	}
144
145	if (sc->priorities)
146	{
147	gnutls_priority_deinit(sc->priorities);
148	sc->priorities = NULL;
149	}
150
151	return APR_SUCCESS;
152	}
153
154	int mgs_load_files(apr_pool_t pconf, apr_pool_t ptemp, server_rec *s)
155	{
156	apr_pool_t *spool;
157	const char *file;
158	gnutls_datum_t data;
159	int ret;
160	mgs_srvconf_rec *sc =
161	(mgs_srvconf_rec *) ap_get_module_config(s->module_config,
162	&gnutls_module);
163
164	apr_pool_create(&spool, ptemp);
165
166	/* Cleanup function for the GnuTLS structures allocated below */
167	apr_pool_cleanup_register(pconf, sc, mgs_pool_free_credentials,
168	apr_pool_cleanup_null);
169
170	if (sc->certs == NULL)
171	{
172	ret = gnutls_certificate_allocate_credentials(&sc->certs);
173	if (ret < 0) {
174	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
175	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
176	gnutls_strerror(ret));
177	ret = -1;
178	goto cleanup;
179	}
180	}
181
182	if (sc->anon_creds == NULL)
183	{
184	ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
185	if (ret < 0) {
186	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
187	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
188	gnutls_strerror(ret));
189	ret = -1;
190	goto cleanup;
191	}
192	}
193
194	/* Load SRP parameters */
195	#ifdef ENABLE_SRP
196	if (sc->srp_creds == NULL)
197	{
198	ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
199	if (ret < 0) {
200	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
201	"GnuTLS: Failed to initialize" ": (%d) %s", ret,
202	gnutls_strerror(ret));
203	ret = -1;
204	goto cleanup;
205	}
206	}
207
208	if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL)
209	{
210	ret = gnutls_srp_set_server_credentials_file
211	(sc->srp_creds, sc->srp_tpasswd_file,
212	sc->srp_tpasswd_conf_file);
213
214	if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
215	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
216	"GnuTLS: Host '%s:%d' is missing a "
217	"SRP password or conf File!",
218	s->server_hostname, s->port);
219	ret = -1;
220	goto cleanup;
221	}
222	}
223	#endif
224
225	/* Load user provided DH parameters, if any */
226	if (sc->dh_file)
227	{
228	if (sc->dh_params == NULL)
229	{
230	ret = gnutls_dh_params_init(&sc->dh_params);
231	if (ret < 0) {
232	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
233	"GnuTLS: Failed to initialize"
234	": (%d) %s", ret, gnutls_strerror(ret));
235	ret = -1;
236	goto cleanup;
237	}
238	}
239
240	if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
241	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
242	"GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
243	ret = -1;
244	goto cleanup;
245	}
246
247	ret =
248	gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
249	GNUTLS_X509_FMT_PEM);
250	if (ret < 0) {
251	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
252	"GnuTLS: Failed to Import "
253	"DH params '%s': (%d) %s", sc->dh_file, ret,
254	gnutls_strerror(ret));
255	ret = -1;
256	goto cleanup;
257	}
258	}
259
260	if (sc->x509_cert_file != NULL && sc->certs_x509_crt_chain == NULL)
261	{
262	sc->certs_x509_chain =
263	apr_pcalloc(pconf,
264	MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0]));
265	sc->certs_x509_crt_chain =
266	apr_pcalloc(pconf,
267	MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0]));
268	unsigned int chain_num = MAX_CHAIN_SIZE;
269	unsigned format = GNUTLS_X509_FMT_PEM;
270
271	/* Load X.509 certificate */
272	if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) {
273	gnutls_pkcs11_obj_t obj;
274
275	file = sc->x509_cert_file;
276
277	ret = gnutls_pkcs11_obj_init(&obj);
278	if (ret < 0) {
279	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
280	"GnuTLS: Error Initializing PKCS #11 object");
281	ret = -1;
282	goto cleanup;
283	}
284
285	gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc);
286
287	ret = gnutls_pkcs11_obj_import_url(obj, file,
288	GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
289	if (ret < 0) {
290	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
291	"GnuTLS: Error Importing PKCS #11 object: "
292	"'%s': %s",
293	file, gnutls_strerror(ret));
294	ret = -1;
295	goto cleanup;
296	}
297
298	format = GNUTLS_X509_FMT_DER;
299	ret = gnutls_pkcs11_obj_export2(obj, &data);
300	if (ret < 0) {
301	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
302	"GnuTLS: Error Exporting a PKCS #11 object: "
303	"'%s': %s",
304	file, gnutls_strerror(ret));
305	ret = -1;
306	goto cleanup;
307	}
308
309	gnutls_pkcs11_obj_deinit(obj);
310	} else {
311	file = ap_server_root_relative(spool, sc->x509_cert_file);
312
313	ret = gnutls_load_file(file, &data);
314	if (ret < 0) {
315	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
316	"GnuTLS: Error Reading Certificate '%s': %s",
317	file, gnutls_strerror(ret));
318	ret = -1;
319	goto cleanup;
320	}
321	}
322
323	ret = gnutls_x509_crt_list_import(sc->certs_x509_crt_chain,
324	&chain_num, &data, format,
325	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
326	gnutls_free(data.data);
327	sc->certs_x509_chain_num = chain_num;
328
329	if (ret < 0) {
330	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
331	"GnuTLS: Failed to Import Certificate Chain "
332	"'%s': (%d) %s",
333	file, ret, gnutls_strerror(ret));
334	ret = -1;
335	goto cleanup;
336	}
337
338	for (unsigned int i = 0; i < chain_num; i++)
339	{
340	ret =
341	gnutls_pcert_import_x509(&sc->certs_x509_chain[i],
342	sc->certs_x509_crt_chain[i], 0);
343	if (ret < 0) {
344	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
345	"GnuTLS: Failed to Import pCertificate "
346	"'%s': (%d) %s",
347	file, ret, gnutls_strerror(ret));
348	ret = -1;
349	goto cleanup;
350	}
351	}
352	sc->certs_x509_chain_num = chain_num;
353	}
354
355	if (sc->x509_key_file && sc->privkey_x509 == NULL)
356	{
357	ret = gnutls_privkey_init(&sc->privkey_x509);
358	if (ret < 0) {
359	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
360	"GnuTLS: Failed to initialize: (%d) %s", ret,
361	gnutls_strerror(ret));
362	ret = -1;
363	goto cleanup;
364	}
365
366	if (gnutls_url_is_supported(sc->x509_key_file) != 0) {
367	file = sc->x509_key_file;
368
369	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback,
370	sc);
371
372	ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0);
373
374	if (ret < 0) {
375	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
376	"GnuTLS: Failed to Import Private Key URL "
377	"'%s': (%d) %s",
378	file, ret, gnutls_strerror(ret));
379	ret = -1;
380	goto cleanup;
381	}
382	} else {
383	file = ap_server_root_relative(spool, sc->x509_key_file);
384
385	if (load_datum_from_file(spool, file, &data) != 0) {
386	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
387	"GnuTLS: Error Reading Private Key '%s'",
388	file);
389	ret = -1;
390	goto cleanup;
391	}
392
393	ret =
394	gnutls_privkey_import_x509_raw(sc->privkey_x509, &data,
395	GNUTLS_X509_FMT_PEM, sc->pin,
396	0);
397
398	if (ret < 0) {
399	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
400	"GnuTLS: Failed to Import Private Key "
401	"'%s': (%d) %s",
402	file, ret, gnutls_strerror(ret));
403	ret = -1;
404	goto cleanup;
405	}
406	}
407	}
408
409	/* Load the X.509 CA file */
410	if (sc->x509_ca_file)
411	{
412	if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) {
413	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
414	"GnuTLS: Error Reading " "Client CA File '%s'",
415	sc->x509_ca_file);
416	ret = -1;
417	goto cleanup;
418	}
419
420	ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size,
421	&data, GNUTLS_X509_FMT_PEM, 0);
422	if (ret < 0) {
423	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
424	"GnuTLS: Failed to load "
425	"Client CA File '%s': (%d) %s", sc->x509_ca_file,
426	ret, gnutls_strerror(ret));
427	ret = -1;
428	goto cleanup;
429	}
430	}
431
432	if (sc->priorities_str && sc->priorities == NULL)
433	{
434	const char *err;
435	ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err);
436
437	if (ret < 0) {
438	if (ret == GNUTLS_E_INVALID_REQUEST) {
439	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
440	"GnuTLS: Syntax error parsing priorities string at: %s",
441	err);
442	} else {
443	ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
444	"GnuTLS: error parsing priorities string");
445
446	}
447	ret = -1;
448	goto cleanup;
449	}
450	}
451
452	ret = 0;
453	cleanup:
454	apr_pool_destroy(spool);
455
456	return ret;
457	}
458
459	int mgs_pkcs11_reinit(server_rec * base_server)
460	{
461	int ret;
462	server_rec *s;
463	mgs_srvconf_rec *sc;
464
465	gnutls_pkcs11_reinit();
466
467	for (s = base_server; s; s = s->next) {
468	sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module);
469
470	/* gnutls caches the session in a private key, so we need to open
471	* a new one */
472	if (sc->x509_key_file && gnutls_url_is_supported(sc->x509_key_file) != 0) {
473	gnutls_privkey_deinit(sc->privkey_x509);
474
475	ret = gnutls_privkey_init(&sc->privkey_x509);
476	if (ret < 0) {
477	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
478	"GnuTLS: Failed to initialize: (%d) %s", ret,
479	gnutls_strerror(ret));
480	goto fail;
481	}
482
483	gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, sc);
484
485	ret = gnutls_privkey_import_url(sc->privkey_x509, sc->x509_key_file, 0);
486	if (ret < 0) {
487	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
488	"GnuTLS: Failed to Re-Import Private Key URL '%s': (%d) %s",
489	sc->x509_key_file, ret, gnutls_strerror(ret));
490	goto fail;
491	}
492	}
493	}
494
495	return 0;
496
497	fail:
498	gnutls_privkey_deinit(sc->privkey_x509);
499	return -1;
500	}
501
502	const char mgs_set_dh_file(cmd_parms parms, void *dummy __attribute__((unused)),
503	const char *arg) {
504	mgs_srvconf_rec *sc =
505	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
506	module_config,
507	&gnutls_module);
508
509	sc->dh_file = ap_server_root_relative(parms->pool, arg);
510
511	return NULL;
512	}
513
514	const char mgs_set_cert_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
515
516	mgs_srvconf_rec *sc =
517	(mgs_srvconf_rec *) ap_get_module_config(parms->
518	server->module_config,
519	&gnutls_module);
520
521	sc->x509_cert_file = apr_pstrdup(parms->pool, arg);
522
523	return NULL;
524
525	}
526
527	const char mgs_set_key_file(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
528
529	mgs_srvconf_rec *sc =
530	(mgs_srvconf_rec *) ap_get_module_config(parms->
531	server->module_config,
532	&gnutls_module);
533
534	sc->x509_key_file = apr_pstrdup(parms->pool, arg);
535
536	return NULL;
537	}
538
539	const char mgs_set_tickets(cmd_parms parms,
540	void *dummy __attribute__((unused)),
541	const int arg)
542	{
543	mgs_srvconf_rec sc = (mgs_srvconf_rec )
544	ap_get_module_config(parms->server->module_config, &gnutls_module);
545
546	if (arg)
547	sc->tickets = GNUTLS_ENABLED_TRUE;
548	else
549	sc->tickets = GNUTLS_ENABLED_FALSE;
550
551	return NULL;
552	}
553
554
555	#ifdef ENABLE_SRP
556
557	const char mgs_set_srp_tpasswd_file(cmd_parms parms, void *dummy __attribute__((unused)),
558	const char *arg) {
559	mgs_srvconf_rec *sc =
560	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
561	module_config,
562	&gnutls_module);
563
564	sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg);
565
566	return NULL;
567	}
568
569	const char mgs_set_srp_tpasswd_conf_file(cmd_parms parms, void *dummy __attribute__((unused)),
570	const char *arg) {
571	mgs_srvconf_rec *sc =
572	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
573	module_config,
574	&gnutls_module);
575
576	sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg);
577
578	return NULL;
579	}
580
581	#endif
582
583	const char mgs_set_cache(cmd_parms parms,
584	void *dummy __attribute__((unused)),
585	const char type, const char arg)
586	{
587	const char *err;
588	mgs_srvconf_rec *sc =
589	ap_get_module_config(parms->server->module_config,
590	&gnutls_module);
591	if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY)))
592	return err;
593
594	unsigned char enable = GNUTLS_ENABLED_TRUE;
595	/* none: disable cache */
596	if (strcasecmp("none", type) == 0)
597	enable = GNUTLS_ENABLED_FALSE;
598
599	/* Try to split socache "type:config" style configuration */
600	const char* sep = ap_strchr_c(type, ':');
601	if (sep)
602	{
603	type = apr_pstrmemdup(parms->temp_pool, type, sep - type);
604	if (arg != NULL)
605	{
606	/* No mixing of socache style and legacy config! */
607	return "GnuTLSCache appears to have a mod_socache style "
608	"type:config value, but there is a second parameter!";
609	}
610	arg = ++sep;
611	}
612
613	mgs_cache_t *cache = NULL;
614	/* parms->directive->directive contains the directive string */
615	if (!strcasecmp(parms->directive->directive, "GnuTLSCache"))
616	{
617	if (enable == GNUTLS_ENABLED_FALSE)
618	{
619	sc->cache_enable = GNUTLS_ENABLED_FALSE;
620	return NULL;
621	}
622	sc->cache_enable = GNUTLS_ENABLED_TRUE;
623	cache = &sc->cache;
624	}
625	else if (!strcasecmp(parms->directive->directive, "GnuTLSOCSPCache"))
626	{
627	// TODO
628	return NULL;
629	}
630	else
631	return apr_psprintf(parms->temp_pool, "Internal Error: %s "
632	"called for unknown directive %s",
633	__func__, parms->directive->directive);
634
635	return mgs_cache_inst_config(cache, parms->server,
636	type, arg,
637	parms->pool, parms->temp_pool);
638	}
639
640	const char mgs_set_timeout(cmd_parms parms,
641	void *dummy __attribute__((unused)),
642	const char *arg)
643	{
644	apr_int64_t argint = apr_atoi64(arg);
645	/* timeouts cannot be negative */
646	if (argint < 0)
647	return apr_psprintf(parms->pool, "%s: Invalid argument",
648	parms->directive->directive);
649
650	mgs_srvconf_rec sc = (mgs_srvconf_rec )
651	ap_get_module_config(parms->server->module_config, &gnutls_module);
652
653	if (!apr_strnatcasecmp(parms->directive->directive, "GnuTLSCacheTimeout"))
654	sc->cache_timeout = apr_time_from_sec(argint);
655	else if (!apr_strnatcasecmp(parms->directive->directive,
656	"GnuTLSOCSPCacheTimeout"))
657	sc->ocsp_cache_time = apr_time_from_sec(argint);
658	else if (!apr_strnatcasecmp(parms->directive->directive,
659	"GnuTLSOCSPFailureTimeout"))
660	sc->ocsp_failure_timeout = apr_time_from_sec(argint);
661	else if (!apr_strnatcasecmp(parms->directive->directive,
662	"GnuTLSOCSPFuzzTime"))
663	sc->ocsp_fuzz_time = apr_time_from_sec(argint);
664	else if (!apr_strnatcasecmp(parms->directive->directive,
665	"GnuTLSOCSPSocketTimeout"))
666	sc->ocsp_socket_timeout = apr_time_from_sec(argint);
667	else
668	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
669	return apr_psprintf(parms->pool,
670	"mod_gnutls: %s called for invalid option '%s'",
671	__func__, parms->directive->directive);
672
673	return NULL;
674	}
675
676	const char mgs_set_client_verify_method(cmd_parms parms, void *dummy __attribute__((unused)),
677	const char *arg) {
678	mgs_srvconf_rec sc = (mgs_srvconf_rec )ap_get_module_config(parms->server->module_config, &gnutls_module);
679
680	if (strcasecmp("cartel", arg) == 0) {
681	sc->client_verify_method = mgs_cvm_cartel;
682	} else if (strcasecmp("msva", arg) == 0) {
683	#ifdef ENABLE_MSVA
684	sc->client_verify_method = mgs_cvm_msva;
685	#else
686	return "GnuTLSClientVerifyMethod: msva is not supported";
687	#endif
688	} else {
689	return "GnuTLSClientVerifyMethod: Invalid argument";
690	}
691
692	return NULL;
693	}
694
695	const char mgs_set_client_verify(cmd_parms parms,
696	void *dirconf,
697	const char *arg) {
698	int mode;
699
700	if (strcasecmp("none", arg) == 0 \|\| strcasecmp("ignore", arg) == 0) {
701	mode = GNUTLS_CERT_IGNORE;
702	} else if (strcasecmp("optional", arg) == 0
703	\|\| strcasecmp("request", arg) == 0) {
704	mode = GNUTLS_CERT_REQUEST;
705	} else if (strcasecmp("require", arg) == 0) {
706	mode = GNUTLS_CERT_REQUIRE;
707	} else {
708	return "GnuTLSClientVerify: Invalid argument";
709	}
710
711	/* This was set from a directory context */
712	if (parms->path) {
713	mgs_dirconf_rec dc = (mgs_dirconf_rec ) dirconf;
714	dc->client_verify_mode = mode;
715	} else {
716	mgs_srvconf_rec sc = (mgs_srvconf_rec )
717	ap_get_module_config(parms->server->module_config,
718	&gnutls_module);
719	sc->client_verify_mode = mode;
720	}
721
722	return NULL;
723	}
724
725	const char mgs_set_client_ca_file(cmd_parms parms, void *dummy __attribute__((unused)),
726	const char *arg) {
727	mgs_srvconf_rec *sc =
728	(mgs_srvconf_rec *) ap_get_module_config(parms->server->
729	module_config,
730	&gnutls_module);
731
732	sc->x509_ca_file = ap_server_root_relative(parms->pool, arg);
733
734	return NULL;
735	}
736
737	/*
738	* Enable TLS proxy operation if arg is true, disable it otherwise.
739	*/
740	const char mgs_set_proxy_engine(cmd_parms parms,
741	void *dummy __attribute__((unused)),
742	const int arg)
743	{
744	mgs_srvconf_rec sc = (mgs_srvconf_rec )
745	ap_get_module_config(parms->server->module_config, &gnutls_module);
746
747	if (arg)
748	sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
749	else
750	sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
751
752	return NULL;
753	}
754
755	/*
756	* Enable TLS for the server/vhost if arg is true, disable it
757	* otherwise.
758	*/
759	const char mgs_set_enabled(cmd_parms parms,
760	void *dummy __attribute__((unused)),
761	const int arg)
762	{
763	mgs_srvconf_rec sc = (mgs_srvconf_rec )
764	ap_get_module_config(parms->server->module_config, &gnutls_module);
765
766	if (arg)
767	sc->enabled = GNUTLS_ENABLED_TRUE;
768	else
769	sc->enabled = GNUTLS_ENABLED_FALSE;
770
771	return NULL;
772	}
773
774	const char mgs_set_export_certificates_size(cmd_parms parms, void dummy __attribute__((unused)), const char arg) {
775	mgs_srvconf_rec sc = (mgs_srvconf_rec ) ap_get_module_config(parms->server->module_config, &gnutls_module);
776	if (!strcasecmp(arg, "On")) {
777	sc->export_certificates_size = 16 * 1024;
778	} else if (!strcasecmp(arg, "Off")) {
779	sc->export_certificates_size = 0;
780	} else {
781	char *endptr;
782	sc->export_certificates_size = strtol(arg, &endptr, 10);
783	while (apr_isspace(*endptr))
784	endptr++;
785	if (endptr == '\0' \|\| endptr == 'b' \|\| *endptr == 'B') {
786	;
787	} else if (endptr == 'k' \|\| endptr == 'K') {
788	sc->export_certificates_size *= 1024;
789	} else {
790	return
791	"GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'";
792	}
793	}
794
795	return NULL;
796	}
797
798
799
800	/*
801	* Store GnuTLS priority strings. Used for GnuTLSPriorities and
802	* GnuTLSProxyPriorities.
803	*/
804	const char mgs_set_priorities(cmd_parms parms,
805	void *dummy __attribute__((unused)),
806	const char *arg)
807	{
808	mgs_srvconf_rec sc = (mgs_srvconf_rec )
809	ap_get_module_config(parms->server->module_config, &gnutls_module);
810
811	if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities"))
812	sc->priorities_str = apr_pstrdup(parms->pool, arg);
813	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities"))
814	sc->proxy_priorities_str = apr_pstrdup(parms->pool, arg);
815	else
816	/* Can't happen unless there's a serious bug in mod_gnutls or Apache */
817	return apr_psprintf(parms->pool,
818	"mod_gnutls: %s called for invalid option '%s'",
819	__func__, parms->directive->directive);
820
821	return NULL;
822	}
823
824
825
826	const char mgs_set_pin(cmd_parms parms, void *dummy __attribute__((unused)),
827	const char *arg)
828	{
829
830	mgs_srvconf_rec sc = (mgs_srvconf_rec )
831	ap_get_module_config(parms->server->module_config, &gnutls_module);
832
833	sc->pin = apr_pstrdup(parms->pool, arg);
834
835	return NULL;
836	}
837
838	const char mgs_set_srk_pin(cmd_parms parms,
839	void *dummy __attribute__((unused)),
840	const char *arg)
841	{
842
843	mgs_srvconf_rec sc = (mgs_srvconf_rec )
844	ap_get_module_config(parms->server->module_config, &gnutls_module);
845
846	sc->srk_pin = apr_pstrdup(parms->pool, arg);
847
848	return NULL;
849	}
850
851
852
853	static mgs_srvconf_rec _mgs_config_server_create(apr_pool_t p,
854	char **err __attribute__((unused)))
855	{
856	mgs_srvconf_rec sc = apr_pcalloc(p, sizeof(sc));
857
858	sc->enabled = GNUTLS_ENABLED_UNSET;
859
860	sc->privkey_x509 = NULL;
861	sc->anon_creds = NULL;
862	#ifdef ENABLE_SRP
863	sc->srp_creds = NULL;
864	#endif
865	sc->certs = NULL;
866	sc->certs_x509_chain = NULL;
867	sc->certs_x509_crt_chain = NULL;
868	sc->certs_x509_chain_num = 0;
869	sc->p11_modules = NULL;
870	sc->pin = NULL;
871
872	sc->priorities_str = NULL;
873	sc->cache_timeout = MGS_TIMEOUT_UNSET;
874	sc->cache_enable = GNUTLS_ENABLED_UNSET;
875	sc->cache = NULL;
876	sc->tickets = GNUTLS_ENABLED_UNSET;
877	sc->priorities = NULL;
878	sc->dh_params = NULL;
879	sc->dh_file = NULL;
880	sc->ca_list = NULL;
881	sc->ca_list_size = 0;
882	sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
883	sc->export_certificates_size = -1;
884	sc->client_verify_method = mgs_cvm_unset;
885
886	sc->proxy_x509_key_file = NULL;
887	sc->proxy_x509_cert_file = NULL;
888	sc->proxy_x509_ca_file = NULL;
889	sc->proxy_x509_crl_file = NULL;
890	sc->proxy_priorities_str = NULL;
891	sc->proxy_x509_creds = NULL;
892	sc->anon_client_creds = NULL;
893	sc->proxy_priorities = NULL;
894	sc->proxy_x509_tl = NULL;
895
896	sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
897	sc->ocsp_auto_refresh = GNUTLS_ENABLED_UNSET;
898	sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
899	sc->ocsp_response_file = NULL;
900	sc->ocsp_mutex = NULL;
901	sc->ocsp_cache_time = MGS_TIMEOUT_UNSET;
902	sc->ocsp_failure_timeout = MGS_TIMEOUT_UNSET;
903	sc->ocsp_fuzz_time = MGS_TIMEOUT_UNSET;
904	sc->ocsp_socket_timeout = MGS_TIMEOUT_UNSET;
905
906	sc->singleton_wd = NULL;
907
908	/* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
909	sc->client_verify_mode = -1;
910
911	return sc;
912	}
913
914	void mgs_config_server_create(apr_pool_t p,
915	server_rec * s __attribute__((unused))) {
916	char *err = NULL;
917	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
918	if (sc)
919	return sc;
920	else
921	return err;
922	}
923
924	#define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t
925	#define gnutls_srvconf_assign(t) sc->t = add->t
926
927	void mgs_config_server_merge(apr_pool_t p, void BASE, void ADD)
928	{
929	int i;
930	char *err = NULL;
931	mgs_srvconf_rec base = (mgs_srvconf_rec ) BASE;
932	mgs_srvconf_rec add = (mgs_srvconf_rec ) ADD;
933	mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
934	if (NULL == sc)
935	return err;
936
937	gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET);
938	gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
939	gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
940	gnutls_srvconf_merge(export_certificates_size, -1);
941	gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset);
942	gnutls_srvconf_merge(client_verify_mode, -1);
943	gnutls_srvconf_merge(srp_tpasswd_file, NULL);
944	gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL);
945	gnutls_srvconf_merge(x509_cert_file, NULL);
946
947	gnutls_srvconf_merge(x509_key_file, NULL);
948	gnutls_srvconf_merge(x509_ca_file, NULL);
949	gnutls_srvconf_merge(p11_modules, NULL);
950	gnutls_srvconf_merge(pin, NULL);
951	gnutls_srvconf_merge(dh_file, NULL);
952	gnutls_srvconf_merge(priorities_str, NULL);
953	gnutls_srvconf_merge(cache_timeout, MGS_TIMEOUT_UNSET);
954
955	gnutls_srvconf_merge(proxy_x509_key_file, NULL);
956	gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
957	gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
958	gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
959	gnutls_srvconf_merge(proxy_priorities_str, NULL);
960	gnutls_srvconf_merge(proxy_priorities, NULL);
961
962	gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
963	gnutls_srvconf_merge(ocsp_auto_refresh, GNUTLS_ENABLED_UNSET);
964	gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
965	gnutls_srvconf_assign(ocsp_response_file);
966	gnutls_srvconf_merge(ocsp_cache_time, MGS_TIMEOUT_UNSET);
967	gnutls_srvconf_merge(ocsp_failure_timeout, MGS_TIMEOUT_UNSET);
968	gnutls_srvconf_merge(ocsp_fuzz_time, MGS_TIMEOUT_UNSET);
969	gnutls_srvconf_merge(ocsp_socket_timeout, MGS_TIMEOUT_UNSET);
970
971	gnutls_srvconf_assign(ca_list);
972	gnutls_srvconf_assign(ca_list_size);
973	gnutls_srvconf_assign(certs);
974	gnutls_srvconf_assign(anon_creds);
975	gnutls_srvconf_assign(srp_creds);
976	gnutls_srvconf_assign(certs_x509_chain);
977	gnutls_srvconf_assign(certs_x509_crt_chain);
978	gnutls_srvconf_assign(certs_x509_chain_num);
979
980	/* how do these get transferred cleanly before the data from ADD
981	* goes away? */
982	gnutls_srvconf_assign(cert_cn);
983	for (i = 0; i < MAX_CERT_SAN; i++)
984	gnutls_srvconf_assign(cert_san[i]);
985
986	return sc;
987	}
988
989	#undef gnutls_srvconf_merge
990	#undef gnutls_srvconf_assign
991
992	void mgs_config_dir_merge(apr_pool_t p,
993	void *basev __attribute__((unused)),
994	void *addv __attribute__((unused))) {
995	mgs_dirconf_rec *new;
996	/* mgs_dirconf_rec base = (mgs_dirconf_rec ) basev; */
997	mgs_dirconf_rec add = (mgs_dirconf_rec ) addv;
998
999	new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec));
1000	new->client_verify_mode = add->client_verify_mode;
1001	return new;
1002	}
1003
1004	void mgs_config_dir_create(apr_pool_t p,
1005	char *dir __attribute__((unused))) {
1006	mgs_dirconf_rec dc = apr_palloc(p, sizeof (dc));
1007	dc->client_verify_mode = -1;
1008	return dc;
1009	}
1010
1011
1012
1013	/*
1014	* Store paths to proxy credentials
1015	*
1016	* This function copies the paths provided in the configuration file
1017	* into the server configuration. The post configuration hook takes
1018	* care of actually loading the credentials, which means than invalid
1019	* paths or the like will be detected there.
1020	*/
1021	const char mgs_store_cred_path(cmd_parms parms,
1022	void *dummy __attribute__((unused)),
1023	const char *arg)
1024	{
1025	mgs_srvconf_rec sc = (mgs_srvconf_rec )
1026	ap_get_module_config(parms->server->module_config, &gnutls_module);
1027
1028	/* parms->directive->directive contains the directive string */
1029	if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
1030	sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
1031	else if (!strcasecmp(parms->directive->directive,
1032	"GnuTLSProxyCertificateFile"))
1033	sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
1034	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
1035	sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
1036	else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCRLFile"))
1037	sc->proxy_x509_crl_file = apr_pstrdup(parms->pool, arg);
1038	return NULL;
1039	}
1040
1041
1042
1043	/*
1044	* Record PKCS #11 module to load. Note that the value is only used in
1045	* the base config, settings in virtual hosts are ignored.
1046	*/
1047	const char mgs_set_p11_module(cmd_parms parms,
1048	void *dummy __attribute__((unused)),
1049	const char *arg)
1050	{
1051	mgs_srvconf_rec sc = (mgs_srvconf_rec )
1052	ap_get_module_config(parms->server->module_config, &gnutls_module);
1053	/* initialize PKCS #11 module list if necessary */
1054	if (sc->p11_modules == NULL)
1055	sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
1056
1057	(char *) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
1058
1059	return NULL;
1060	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_config.c @ d036f96

Download in other formats: