Changeset 2cde026d in mod_gnutls for include


Timestamp:
Apr 21, 2015, 8:09:54 AM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, jessie-backports, upstream
Children:
4133f2d
Parents:
73f6f12 (diff), d04f7da (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
git-author:
Thomas Klute <thomas2.klute@…> (04/21/15 06:25:30)
git-committer:
Thomas Klute <thomas2.klute@…> (04/21/15 08:09:54)
Message:

Merge branch 'new-gnutls-api'

Merge my TLS proxy implementation with Nikos Mavrogiannopoulos' changes
to use the new GnuTLS key handling API. Some conflicts had to be
resolved.

In Nikos' branch, structures for credentials and priorities are
allocated in mgs_load_files (gnutls_config.c), rather than during server
config structure creation as before. This makes sense, but his patch
doesn't consider the proxy credentials because they didn't exist at the
time.

To minimize additional changes during the merge, proxy credentials are
now allocated in load_proxy_x509_credentials (gnutls_hooks.c), and
mgs_set_priorities (gnutls_config.c) treats proxy and front end
credentials differently (value of GnuTLSPriorities is stored for
mgs_load_files, GnuTLSProxyPriorities is parsed immediately).

Unified handling of priority strings in mgs_set_priorities should be
restored later (towards parsing in post config), handling front end and
proxy credentials separately makes sense because the latter need only be
loaded when TLS proxy operation is enabled and there are some
differences between client (proxy back end) and server (front end)
operation.

File:
1 edited

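--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -34,4 +34,5 @@
 #include <gnutls/extra.h>
 #endif
+#include <gnutls/abstract.h>
 #include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
@@ -104,4 +105,44 @@
 /* Server Configuration Record */
 typedef struct {
+    /* --- Configuration values --- */
+        /* Is the module enabled? */
+    int enabled;
+        /* Is mod_proxy enabled? */
+    int proxy_enabled;
+        /* A Plain HTTP request */
+    int non_ssl_request;
+
+    /* PIN used for PKCS #11 operations */
+    char *pin;
+
+    /* the SRK PIN used in TPM operations */
+    char *srk_pin;
+
+    char *x509_cert_file;
+    char *x509_key_file;
+    char *x509_ca_file;
+
+    char *pgp_cert_file;
+    char *pgp_key_file;
+    char *pgp_ring_file;
+
+    char *dh_file;
+
+    char *priorities_str;
+
+    const char* srp_tpasswd_file;
+    const char* srp_tpasswd_conf_file;
+
+        /* Cache timeout value */
+    int cache_timeout;
+        /* Chose Cache Type */
+    mgs_cache_e cache_type;
+    const char* cache_config;
+
+        /* GnuTLS uses Session Tickets */
+    int tickets;
+
+    /* --- Things initialized at _child_init --- */
+
     /* x509 Certificate Structure */
     gnutls_certificate_credentials_t certs;
@@ -126,17 +167,28 @@
     char* cert_cn;
         /* Current x509 Certificate SAN [Subject Alternate Name]s*/
-        char* cert_san[MAX_CERT_SAN];
-        /* A x509 Certificate Chain */
-    gnutls_x509_crt_t *certs_x509_chain;
-        /* Current x509 Certificate Private Key */
-    gnutls_x509_privkey_t privkey_x509;
-        /* OpenPGP Certificate */
-    gnutls_openpgp_crt_t cert_pgp;
-        /* OpenPGP Certificate Private Key */
-    gnutls_openpgp_privkey_t privkey_pgp;
+    char* cert_san[MAX_CERT_SAN];
+        /* An x509 Certificate Chain */
+    gnutls_pcert_st *certs_x509_chain;
+    gnutls_x509_crt_t *certs_x509_crt_chain;
         /* Number of Certificates in Chain */
     unsigned int certs_x509_chain_num;
-        /* Is the module enabled? */
-    int enabled;
+
+        /* Current x509 Certificate Private Key */
+    gnutls_privkey_t privkey_x509;
+
+        /* OpenPGP Certificate */
+    gnutls_pcert_st *cert_pgp;
+    gnutls_openpgp_crt_t *cert_crt_pgp;
+
+        /* OpenPGP Certificate Private Key */
+    gnutls_privkey_t privkey_pgp;
+#if GNUTLS_VERSION_NUMBER < 0x030312
+    /* Internal structure for the OpenPGP private key, used in the
+     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
+     * frees memory that is still needed. DO NOT USE for any other
+     * purpose. */
+    gnutls_openpgp_privkey_t privkey_pgp_internal;
+#endif
+
     /* Export full certificates to CGI environment: */
     int export_certificates_size;
@@ -145,11 +197,4 @@
         /* GnuTLS DH Parameters */
     gnutls_dh_params_t dh_params;
-        /* Cache timeout value */
-    int cache_timeout;
-        /* Chose Cache Type */
-    mgs_cache_e cache_type;
-    const char* cache_config;
-    const char* srp_tpasswd_file;
-    const char* srp_tpasswd_conf_file;
         /* A list of CA Certificates */
     gnutls_x509_crt_t *ca_list;
@@ -164,10 +209,4 @@
         /* Last Cache timestamp */
     apr_time_t last_cache_check;
-        /* GnuTLS uses Session Tickets */
-    int tickets;
-        /* Is mod_proxy enabled? */
-    int proxy_enabled;
-        /* A Plain HTTP request */
-    int non_ssl_request;
 } mgs_srvconf_rec;
 
@@ -319,4 +358,9 @@
 
 /**
+ * Perform any reinitialization required in PKCS #11
+ */
+int mgs_pkcs11_reinit(server_rec * s);
+
+/**
  * Convert a SSL Session ID into a Null Terminated Hex Encoded String
  * @param id raw SSL Session ID
@@ -338,4 +382,7 @@
 
 /* Configuration Functions */
+
+/* Loads all files set in the configuration */
+int mgs_load_files(apr_pool_t * p, server_rec * s);
 
 const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
@@ -371,4 +418,9 @@
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                    const char *arg);
+const char *mgs_set_pin(cmd_parms * parms, void *dummy,
+                                   const char *arg);
+
+const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
+                                   const char *arg);
 
 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,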
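Review bot: The new prototypes `int mgs_load_files(apr_pool_t * p, server_rec * s);` and `int mgs_pkcs11_reinit(server_rec * s);` say what each function does but not what the returned int means, so a caller reading only this header cannot tell whether to test for `!= 0`, `< 0`, or a GnuTLS/APR status code; both comments should gain a `@return` line stating the success value and the error convention (the surrounding header already uses Doxygen `@param`), with the actual convention confirmed against the definitions in gnutls_config.c and gnutls_hooks.c, which are outside this diff. The new `pin` and `srk_pin` members hold secrets for as long as the config record lives, and a one-line comment on each saying who owns the storage (presumably the config pool — to be confirmed) and that the value stays resident in the server process would help whoever later needs to reason about where these secrets end up. As a point of style, the added struct members mix `char *` and `char*` and indent comments at eight columns above four-column fields; aligning them with the neighbouring declarations would make the record easier to scan.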