Changeset 040387c in mod_gnutls


Ignore:
Timestamp:
Jan 29, 2013, 8:05:42 PM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
0367e02
Parents:
32538ff
git-author:
Daniel Kahn Gillmor <dkg@…> (01/27/13 03:53:01)
git-committer:
Daniel Kahn Gillmor <dkg@…> (01/29/13 20:05:42)
Message:

server-wide settings should be defaults unless overridden in a vhost

Previously, there was no merging possible; so if any directives were
set in a vhost, all other directives set from the server config would
be thrown away.

Files:
5 edited

Legend:

Unmodified
Added
Removed
  • include/mod_gnutls.h.in

    r32538ff r040387c  
    5050#define GNUTLS_ENABLED_FALSE 0
    5151#define GNUTLS_ENABLED_TRUE  1
     52#define GNUTLS_ENABLED_UNSET  2
    5253/* Current module version */
    5354#define MOD_GNUTLS_VERSION "0.5.10"
     
    7576#if HAVE_APR_MEMCACHE
    7677        /* Use Memcache */
    77     mgs_cache_memcache
     78    mgs_cache_memcache,
    7879#endif
     80    mgs_cache_unset
    7981} mgs_cache_e;
    8082
     
    355357                                    void *mconfig, const char *arg);
    356358void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
     359void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
    357360
    358361void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
  • src/gnutls_cache.c

    r32538ff r040387c  
    561561int mgs_cache_post_config(apr_pool_t * p, server_rec * s,
    562562        mgs_srvconf_rec * sc) {
     563
     564    /* if GnuTLSCache was never explicitly set: */
     565    if (sc->cache_type == mgs_cache_unset)
     566        sc->cache_type = mgs_cache_none;
     567    /* if GnuTLSCacheTimeout was never explicitly set: */
     568    if (sc->cache_timeout == -1)
     569        sc->cache_timeout = apr_time_from_sec(300);
     570
    563571    if (sc->cache_type == mgs_cache_dbm
    564572            || sc->cache_type == mgs_cache_gdbm) {
  • src/gnutls_config.c

    r32538ff r040387c  
    544544}
    545545
    546 void *mgs_config_server_create(apr_pool_t * p, server_rec * s) {
     546static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, char** err) {
    547547    mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof (*sc));
    548548    int ret;
    549549
    550     sc->enabled = GNUTLS_ENABLED_FALSE;
     550    sc->enabled = GNUTLS_ENABLED_UNSET;
    551551
    552552    ret = gnutls_certificate_allocate_credentials(&sc->certs);
    553553    if (ret < 0) {
    554         return apr_psprintf(p, "GnuTLS: Failed to initialize"
    555                 ": (%d) %s", ret,
    556                 gnutls_strerror(ret));
     554        *err = apr_psprintf(p, "GnuTLS: Failed to initialize"
     555                            ": (%d) %s", ret,
     556                            gnutls_strerror(ret));
     557        return NULL;
    557558    }
    558559
    559560    ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
    560561    if (ret < 0) {
    561         return apr_psprintf(p, "GnuTLS: Failed to initialize"
    562                 ": (%d) %s", ret,
    563                 gnutls_strerror(ret));
     562        *err = apr_psprintf(p, "GnuTLS: Failed to initialize"
     563                            ": (%d) %s", ret,
     564                            gnutls_strerror(ret));
     565        return NULL;
    564566    }
    565567#ifdef ENABLE_SRP
    566568    ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
    567569    if (ret < 0) {
    568         return apr_psprintf(p, "GnuTLS: Failed to initialize"
    569                 ": (%d) %s", ret,
    570                 gnutls_strerror(ret));
     570        *err =  apr_psprintf(p, "GnuTLS: Failed to initialize"
     571                             ": (%d) %s", ret,
     572                             gnutls_strerror(ret));
     573        return NULL;
    571574    }
    572575
     
    577580    sc->privkey_x509 = NULL;
    578581        /* Initialize all Certificate Chains */
     582    /* FIXME: how do we indicate that this is unset for a merge? (that
     583     * is, how can a subordinate server override the chain by setting
     584     * an empty one?  what would that even look like in the
     585     * configuration?) */
    579586        sc->certs_x509_chain = malloc(MAX_CHAIN_SIZE * sizeof (*sc->certs_x509_chain));
    580587    sc->certs_x509_chain_num = 0;
    581     sc->cache_timeout = apr_time_from_sec(300);
    582     sc->cache_type = mgs_cache_none;
     588    sc->cache_timeout = -1; /* -1 means "unset" */
     589    sc->cache_type = mgs_cache_unset;
    583590    sc->cache_config = NULL;
    584         /* By default enable session tickets */
    585     sc->tickets = GNUTLS_ENABLED_TRUE;
    586 
    587     sc->client_verify_mode = GNUTLS_CERT_IGNORE;
     591    sc->tickets = GNUTLS_ENABLED_UNSET;
     592    sc->priorities = NULL;
     593    sc->dh_params = NULL;
     594    sc->proxy_enabled = GNUTLS_ENABLED_UNSET;
     595   
     596/* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
     597    sc->client_verify_mode = -1;
    588598
    589599    return sc;
    590600}
     601
     602void *mgs_config_server_create(apr_pool_t * p, server_rec * s) {
     603    char *err = NULL;
     604    mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
     605    if (sc) return sc; else return err;
     606}
     607
     608#define gnutls_srvconf_merge(t, unset) sc->t = (add->t == unset) ? base->t : add->t
     609#define gnutls_srvconf_assign(t) sc->t = add->t
     610
     611void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD) {
     612    int i;
     613    char *err = NULL;
     614    mgs_srvconf_rec *base = (mgs_srvconf_rec *)BASE;
     615    mgs_srvconf_rec *add = (mgs_srvconf_rec *)ADD;
     616    mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err);
     617    if (NULL == sc) return err;
     618
     619    gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET);
     620    gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET);
     621    gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET);
     622    gnutls_srvconf_merge(client_verify_mode, -1);
     623    gnutls_srvconf_merge(srp_tpasswd_file, NULL);
     624    gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL);
     625    gnutls_srvconf_merge(privkey_x509, NULL);
     626    gnutls_srvconf_merge(priorities, NULL);
     627    gnutls_srvconf_merge(dh_params, NULL);
     628
     629    /* FIXME: the following items are pre-allocated, and should be
     630     * properly disposed of before assigning in order to avoid leaks;
     631     * so at the moment, we can't actually have them in the config.
     632     * what happens during de-allocation?
     633
     634     * This is probably leaky.
     635     */
     636    gnutls_srvconf_assign(certs);
     637    gnutls_srvconf_assign(anon_creds);
     638    gnutls_srvconf_assign(srp_creds);
     639    gnutls_srvconf_assign(certs_x509_chain);
     640    gnutls_srvconf_assign(certs_x509_chain_num);
     641
     642    /* how do these get transferred cleanly before the data from ADD
     643     * goes away? */
     644    gnutls_srvconf_assign(cert_cn);
     645    for (i = 0; i < MAX_CERT_SAN; i++)
     646        gnutls_srvconf_assign(cert_san[i]);
     647    gnutls_srvconf_assign(ca_list);
     648    gnutls_srvconf_assign(ca_list_size);
     649    gnutls_srvconf_assign(cert_pgp);
     650    gnutls_srvconf_assign(pgp_list);
     651    gnutls_srvconf_assign(privkey_pgp);
     652
     653    return sc;
     654}
     655
     656#undef gnutls_srvconf_merge
     657#undef gnutls_srvconf_assign
    591658
    592659void *mgs_config_dir_merge(apr_pool_t * p, void *basev, void *addv) {
     
    605672    return dc;
    606673}
     674
  • src/gnutls_hooks.c

    r32538ff r040387c  
    344344        sc->cache_type = sc_base->cache_type;
    345345        sc->cache_config = sc_base->cache_config;
     346        sc->cache_timeout = sc_base->cache_timeout;
     347
     348        /* defaults for unset values: */
     349        if (sc->enabled == GNUTLS_ENABLED_UNSET)
     350            sc->enabled = GNUTLS_ENABLED_FALSE;
     351        if (sc->tickets ==  GNUTLS_ENABLED_UNSET)
     352            sc->tickets = GNUTLS_ENABLED_TRUE;
     353        if (sc->client_verify_mode ==  -1)
     354            sc->client_verify_mode = GNUTLS_CERT_IGNORE;
     355
    346356
    347357        /* Check if the priorities have been set */
  • src/mod_gnutls.c

    r32538ff r040387c  
    184184    .merge_dir_config = mgs_config_dir_merge,
    185185    .create_server_config = mgs_config_server_create,
     186    .merge_server_config = mgs_config_server_merge,
    186187    .cmds = mgs_config_cmds,
    187188    .register_hooks = gnutls_hooks
Note: See TracChangeset for help on using the changeset viewer.