Changeset 2b3a248 in mod_gnutls
Timestamp:
Dec 16, 2007, 4:04:11 AM (12 years ago)
Author:
Nokis Mavrogiannopoulos <nmav@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
e6f648a
Parents:
8bd529f
git-author:
Nikos Mavrogiannopoulos <nmav@…> (12/16/07 04:04:11)
git-committer:
Nokis Mavrogiannopoulos <nmav@…> (12/16/07 04:04:11)
Message:

more changes for openpgp support. Seems to be at a workable state.

Files:
4 edited

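--- a/README
+++ b/README
@@ -55,8 +55,8 @@
 
     # This is the Private key for your server.
-    GnuTLSKeyFile conf/server.key
+    GnuTLSX509KeyFile conf/server.key
 
     # This is the Server Certificate. 
-    GnuTLSCertificateFile conf/server.cert
+    GnuTLSX509CertificateFile conf/server.cert
 </VirtualHost>
 
@@ -74,6 +74,6 @@
         GNUTLSExportCertificates on
 
-        GnuTLSCertificateFile /etc/apache2/server-cert.pem
-        GnuTLSKeyFile /etc/apache2/server-key.pem
+        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
+        GnuTLSX509KeyFile /etc/apache2/server-key.pem
 
 # To enable SRP you must have these files installed. Check the gnutls srptool.
@@ -85,5 +85,5 @@
 # contains the CAs to verify client certificates.
         GnuTLSClientVerify request
-        GnuTLSClientCAFile ca.pem
+        GnuTLSX509CAFile ca.pem
         ...
 </VirtualHost>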
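--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -1,4 +1,5 @@
 /**
  *  Copyright 2004-2005 Paul Querna
+ *  Copyright 2007 Nikos Mavrogiannopoulos
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -230,5 +231,4 @@
     }
      
-
     ret =
         gnutls_openpgp_crt_import(sc->cert_pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
@@ -451,4 +451,10 @@
     }
 
+    rv = gnutls_openpgp_keyring_init(&sc->pgp_list);
+    if (rv < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            "keyring: (%d) %s", rv, gnutls_strerror(rv));
+    }
+
     rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, GNUTLS_OPENPGP_FMT_BASE64);
     if (rv < 0) {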
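Review bot: The two adjacent string literals in the new `apr_psprintf` call produce the message `GnuTLS: Failed to initializekeyring: ...` because neither literal carries the separating space; change the first one to `"GnuTLS: Failed to initialize "`. The keyring created by `gnutls_openpgp_keyring_init` is also not released when the `gnutls_openpgp_keyring_import` call right below it fails — if that error branch only returns the error string (its body is outside the hunk), a `gnutls_openpgp_keyring_deinit(sc->pgp_list)` there, or in the config cleanup, would avoid leaking the keyring on every rejected configuration. The enclosing directive handler starts and ends outside this hunk.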
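--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -72,6 +72,12 @@
 #endif
 
+    if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
+        fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
+          LIBGNUTLS_VERSION, gnutls_check_version(NULL));
+        return -3;
+    }
+
     ret = gnutls_global_init();
-    if (ret < 0) /* FIXME: can we print here? */ {
+    if (ret < 0) {
         fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
         return -3;
@@ -79,5 +85,5 @@
 
     ret = gnutls_global_init_extra();
-    if (ret < 0) { /* FIXME: can we print here? */
+    if (ret < 0) {
         fprintf(stderr, "gnutls_global_init_extra: %s\n", gnutls_strerror(ret));
         return -3;
@@ -94,4 +100,5 @@
     gnutls_global_set_log_level(9);
     gnutls_global_set_log_function(gnutls_debug_log_all);
+    apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
 #endif
 
@@ -104,5 +111,5 @@
     mgs_srvconf_rec *tsc;
     int ret;
-    int cprio[3] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
+    int cprio[2];
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -136,14 +143,16 @@
      */
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
-
-    /* Do not allow the user to override certificate priorities. We know
-     * better if the certificate of certain type is enabled. */
-    if (ctxt->sc->cert_pgp != NULL && ctxt->sc->certs_x509[0] != NULL) {
-        gnutls_certificate_type_set_priority( session, cprio);
-    } else if (ctxt->sc->certs_x509[0] != NULL) {
+    /* actually it shouldn't fail since we have checked at startup */
+    if (ret < 0)
+        return ret;
+
+    /* If both certificate types are not present disallow them from
+     * being negotiated.
+     */
+    if (ctxt->sc->certs_x509[0] != NULL && ctxt->sc->cert_pgp == NULL) {
         cprio[0] = GNUTLS_CRT_X509;
         cprio[1] = 0;
         gnutls_certificate_type_set_priority( session, cprio);
-    } else if (ctxt->sc->cert_pgp != NULL) {
+    } else if (ctxt->sc->cert_pgp != NULL && ctxt->sc->certs_x509[0]==NULL) {
         cprio[0] = GNUTLS_CRT_OPENPGP;
         cprio[1] = 0;
@@ -151,7 +160,4 @@
     }
 
-    /* actually it shouldn't fail since we have checked at startup */
-    if (ret < 0)
-        return ret;
 
 
@@ -189,4 +195,5 @@
 }
 
+/* 2048-bit group parameters from SRP specification */
 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
     "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
@@ -412,5 +419,5 @@
             if (sc->enabled == GNUTLS_ENABLED_TRUE) {
                 rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
-                if (rv < 0)  /* try openpgp certificate */
+                if (rv < 0 && sc->cert_pgp != NULL)  /* try openpgp certificate */
                     rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
 
@@ -978,5 +985,5 @@
 }
 
-/* FIXME: Allow client sending a certificate chain */
+/* TODO: Allow client sending a X.509 certificate chain */
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 {
@@ -1047,12 +1054,19 @@
     }
 
-
     if (rv < 0) {
         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                       "GnuTLS: Failed to Verify Peer certificate: (%d) %s",
                       rv, gnutls_strerror(rv));
+        if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
+            ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
+                      "GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
         ret = HTTP_FORBIDDEN;
         goto exit;
     }
+
+    /* TODO: X509 CRL Verification. */
+    /* May add later if anyone needs it.
+     */
+    /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
 
     expired = 0;
@@ -1089,13 +1103,4 @@
                       "GnuTLS: Peer Certificate is revoked.");
     }
-
-    /* TODO: Further Verification. */
-    /* Revocation is X.509 non workable paradigm, I really doubt implementation
-     * is worth doing --nmav
-     */
-/// ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size);
-
-//    mgs_hook_fixups(r);
-//    rv = mgs_authz_lua(r);
 
     if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)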
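Review bot: The new `GNUTLS_E_NO_CERTIFICATE_FOUND` branch in mgs_cert_verify logs a per-request message at `APLOG_EMERG`, a level normally reserved for conditions that take the server down and one that typical syslog setups broadcast widely. If `rv` here comes from `gnutls_certificate_verify_peers2` (the call is outside the hunk), that error code is also what GnuTLS returns when the peer simply sent no certificate, so any remote client can make the server emit an EMERG line per connection, which is noise at best and a log-flooding vector at worst. Log it at `APLOG_WARNING` (or keep the existing `APLOG_INFO` line and add the configuration hint to it), and consider rate-limiting or logging the hint once at startup when neither `GnuTLSX509CAFile` nor `GnuTLSPGPKeyringFile` is set, since that is the only case in which the hint is accurate. The function body continues outside this hunk, as does the start of the `if (rv < 0)` block's surrounding code.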
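--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -65,4 +65,8 @@
                   RSRC_CONF,
                   "Set the CA File to verify Client Certificates"),
+    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
+                  NULL,
+                  RSRC_CONF,
+                  "Set the CA File to verify Client Certificates"),
     AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
                   NULL,
@@ -80,9 +84,17 @@
                   NULL,
                   RSRC_CONF,
-                  "SSL Server Certificate file"),
+                  "SSL Server X509 Certificate file"),
     AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
                   NULL,
                   RSRC_CONF,
-                  "SSL Server Private Key file"),
+                  "SSL Server X509 Private Key file"),
+    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
+                  NULL,
+                  RSRC_CONF,
+                  "SSL Server X509 Certificate file"),
+    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
+                  NULL,
+                  RSRC_CONF,
+                  "SSL Server X509 Private Key file"),
     AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
                   NULL,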
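Review bot: The legacy directives `GnuTLSKeyFile`, the certificate-file entry above it, and the client-CA entry ending at line 66 (presumably `GnuTLSClientCAFile`, given the README change in this commit) stay registered with the same handlers and now word-for-word the same help strings as the new `GnuTLSX509*` entries, so `httpd -L` output and the directive table give an operator no way to tell which name is current or that the README documents only the X509 names. Mark the old entries as aliases in their help strings, e.g. `"Deprecated alias for GnuTLSX509CertificateFile"` and `"Deprecated alias for GnuTLSX509KeyFile"`, and do the same for the CA-file entry, so the intended migration is visible in the code rather than only in the README. The command table starts and ends outside these hunks.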