Changeset 2dd044f in mod_gnutls

Timestamp:

Jan 11, 2013, 12:56:51 AM (10 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports

Children:

54b3065

Parents:

15ffe0b (diff), 9d9b093 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge tag 'upstream/0.5.1'

Upstream version 0.5.1

Files:

• Makefile.in (modified) (1 diff)
• NEWS (modified) (2 diffs)
• NOTICE (modified) (1 diff)
• README (modified) (3 diffs)
• configure (modified) (45 diffs)
• configure.ac (modified) (4 diffs)
• include/mod_gnutls.h.in (modified) (5 diffs)
• m4/libgnutls.m4 (modified) (8 diffs)
• src/Makefile.in (modified) (1 diff)
• src/gnutls_config.c (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (20 diffs)
• src/mod_gnutls.c (modified) (2 diffs)

Makefile.in

@@ -138 +138 @@
 LIBGNUTLS_CERTTOOL = @LIBGNUTLS_CERTTOOL@
 LIBGNUTLS_CFLAGS = @LIBGNUTLS_CFLAGS@
-LIBGNUTLS_CONFIG = @LIBGNUTLS_CONFIG@
+LIBGNUTLS_EXTRA_CFLAGS = @LIBGNUTLS_EXTRA_CFLAGS@
+LIBGNUTLS_EXTRA_CONFIG = @LIBGNUTLS_EXTRA_CONFIG@
+LIBGNUTLS_EXTRA_LIBS = @LIBGNUTLS_EXTRA_LIBS@
 LIBGNUTLS_LIBS = @LIBGNUTLS_LIBS@
 LIBGNUTLS_PREFIX = @LIBGNUTLS_PREFIX@

NEWS

@@ -1 @@
-** Version 0.4.3 (2008-03-05)
+** Version 0.5.1 (2008-03-05)
 
 - Added --disable-srp configure option
@@ -5 +5 @@
 - Better check for memcache (patch by Guillaume Rousse)
 
-- Corrected possible memory leak in DBM support for resuming sessions. 
+- Corrected possible memory leak in DBM support for resuming sessions.
+
+** Version 0.5.0-alpha (2008-01-24)
+
+- Added support for OpenPGP keys. The new directives are:
+  GnuTLSPGPKeyringFile, GnuTLSPGPCertificateFile, GnuTLSPGPKeyFile
 
 ** Version 0.4.2 (2007-12-10)

NOTICE

@@ +1 @@
+This product includes software developed by
+Nikos Mavrogiannopoulos (http://www.gnutls.org/).
+
 This product includes software developed by
 Paul Querna (http://www.outoforder.cc/).

README

@@ -55 +55 @@
 
     # This is the Private key for your server.
-    GnuTLSKeyFile conf/server.key
+    GnuTLSX509KeyFile conf/server.key
 
     # This is the Server Certificate.  
-    GnuTLSCertificateFile conf/server.cert
+    GnuTLSX509CertificateFile conf/server.cert
 </VirtualHost>
-
 
 # a more advanced configuration
@@ -74 +73 @@
         GNUTLSExportCertificates on
 
-        GnuTLSCertificateFile /etc/apache2/server-cert.pem
-        GnuTLSKeyFile /etc/apache2/server-key.pem
+        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
+        GnuTLSX509KeyFile /etc/apache2/server-key.pem
 
 # To enable SRP you must have these files installed. Check the gnutls srptool.
@@ -85 +84 @@
 # contains the CAs to verify client certificates.
         GnuTLSClientVerify request
-        GnuTLSClientCAFile ca.pem
+        GnuTLSX509CAFile ca.pem
         ...
 </VirtualHost>
+
+# A setup for OpenPGP and X.509 authentication
+<VirtualHost 1.2.3.4:443>
+        Servername crystal.lan:443
+        GnuTLSEnable on
+        GnuTLSPriorities NORMAL:+COMP-NULL
+
+# setup the openpgp keys
+        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
+        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
+
+# and the X.509 keys
+        GnuTLSCertificateFile /etc/apache2/server-cert.pem
+        GnuTLSKeyFile /etc/apache2/server-key.pem
+        GnuTLSClientVerify ignore
+
+# To avoid using the default DH params
+        GnuTLSDHFile /etc/apache2/dh.pem
+
+# these are only needed if GnuTLSClientVerify != ignore
+        GnuTLSClientCAFile ca.pem
+        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
+</VirtualHost>

configure

@@ -1 +1 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.3.
+# Generated by GNU Autoconf 2.61 for mod_gnutls 0.5.1.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -727 +727 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.4.3'
-PACKAGE_STRING='mod_gnutls 0.4.3'
+PACKAGE_VERSION='0.5.1'
+PACKAGE_STRING='mod_gnutls 0.5.1'
 PACKAGE_BUGREPORT=''
 
@@ -903 +903 @@
 APXS_EXTENSION
 APXS_CFLAGS
-LIBGNUTLS_CONFIG
+LIBGNUTLS_EXTRA_CONFIG
+LIBGNUTLS_EXTRA_CFLAGS
+LIBGNUTLS_EXTRA_LIBS
 LIBGNUTLS_CFLAGS
 LIBGNUTLS_LIBS
@@ -1434 +1436 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.4.3 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.5.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1505 +1507 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.4.3:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.5.1:";;
    esac
   cat <<\_ACEOF
@@ -1534 +1536 @@
   --with-tags[=TAGS]      include additional configurations [automatic]
   --with-apxs=PATH        Path to apxs
-  --with-libgnutls-prefix=PFX   Prefix where libgnutls is installed (optional)
+  --with-libgnutls-extra-prefix=PFX   Prefix where libgnutls-extra is installed (optional)
   --with-apr-memcache-prefix=PATH
                           Install prefix for apr_memcache
@@ -1620 +1622 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.4.3
+mod_gnutls configure 0.5.1
 generated by GNU Autoconf 2.61
 
@@ -1634 +1636 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.4.3, which was
+It was created by mod_gnutls $as_me 0.5.1, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -2005 +2007 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.4.3
+MOD_GNUTLS_VERSION=0.5.1
 
 
@@ -2506 +2508 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.4.3
+ VERSION=0.5.1
 
 
@@ -4551 +4553 @@
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 4553 "configure"' > conftest.$ac_ext
+  echo '#line 4555 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
@@ -7288 +7290 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7290: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7292: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7294: \$? = $ac_status" >&5
+   echo "$as_me:7296: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
@@ -7578 +7580 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7580: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7582: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7584: \$? = $ac_status" >&5
+   echo "$as_me:7586: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
@@ -7682 +7684 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7684: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7686: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7688: \$? = $ac_status" >&5
+   echo "$as_me:7690: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
@@ -10044 +10046 @@
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10046 "configure"
+#line 10048 "configure"
 #include "confdefs.h"
 
@@ -10144 +10146 @@
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10146 "configure"
+#line 10148 "configure"
 #include "confdefs.h"
 
@@ -12564 +12566 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12566: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12568: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12570: \$? = $ac_status" >&5
+   echo "$as_me:12572: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
@@ -12668 +12670 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12670: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12672: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12674: \$? = $ac_status" >&5
+   echo "$as_me:12676: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
@@ -14245 +14247 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14247: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14249: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14251: \$? = $ac_status" >&5
+   echo "$as_me:14253: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
@@ -14349 +14351 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14351: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14353: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14355: \$? = $ac_status" >&5
+   echo "$as_me:14357: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
@@ -16549 +16551 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16551: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16553: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16555: \$? = $ac_status" >&5
+   echo "$as_me:16557: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
@@ -16839 +16841 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16841: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16843: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16845: \$? = $ac_status" >&5
+   echo "$as_me:16847: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
@@ -16943 +16945 @@
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16945: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16947: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16949: \$? = $ac_status" >&5
+   echo "$as_me:16951: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
@@ -20234 +20236 @@
 MIN_TLS_VERSION=2.2.1
 
-# Check whether --with-libgnutls-prefix was given.
-if test "${with_libgnutls_prefix+set}" = set; then
-  withval=$with_libgnutls_prefix; libgnutls_config_prefix="$withval"
-else
-  libgnutls_config_prefix=""
-fi
-
-
-  if test x$libgnutls_config_prefix != x ; then
-     if test x${LIBGNUTLS_CONFIG+set} != xset ; then
-        LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
+# Check whether --with-libgnutls-extra-prefix was given.
+if test "${with_libgnutls_extra_prefix+set}" = set; then
+  withval=$with_libgnutls_extra_prefix; libgnutls_extra_config_prefix="$withval"
+else
+  libgnutls_extra_config_prefix=""
+fi
+
+
+  if test x$libgnutls_extra_config_prefix != x ; then
+     if test x${LIBGNUTLS_EXTRA_CONFIG+set} != xset ; then
+        LIBGNUTLS_EXTRA_CONFIG=$libgnutls_extra_config_prefix/bin/libgnutls-extra-config
      fi
   fi
 
-  # Extract the first word of "libgnutls-config", so it can be a program name with args.
-set dummy libgnutls-config; ac_word=$2
+  # Extract the first word of "libgnutls-extra-config", so it can be a program name with args.
+set dummy libgnutls-extra-config; ac_word=$2
 { echo "$as_me:$LINENO: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
-if test "${ac_cv_path_LIBGNUTLS_CONFIG+set}" = set; then
+if test "${ac_cv_path_LIBGNUTLS_EXTRA_CONFIG+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  case $LIBGNUTLS_CONFIG in
+  case $LIBGNUTLS_EXTRA_CONFIG in
   [\\/]* | ?:[\\/]*)
-  ac_cv_path_LIBGNUTLS_CONFIG="$LIBGNUTLS_CONFIG" # Let the user override the test with a path.
+  ac_cv_path_LIBGNUTLS_EXTRA_CONFIG="$LIBGNUTLS_EXTRA_CONFIG" # Let the user override the test with a path.
   ;;
   *)
@@ -20267 +20269 @@
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
-    ac_cv_path_LIBGNUTLS_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    ac_cv_path_LIBGNUTLS_EXTRA_CONFIG="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
@@ -20275 +20277 @@
 IFS=$as_save_IFS
 
-  test -z "$ac_cv_path_LIBGNUTLS_CONFIG" && ac_cv_path_LIBGNUTLS_CONFIG="no"
+  test -z "$ac_cv_path_LIBGNUTLS_EXTRA_CONFIG" && ac_cv_path_LIBGNUTLS_EXTRA_CONFIG="no"
   ;;
 esac
 fi
-LIBGNUTLS_CONFIG=$ac_cv_path_LIBGNUTLS_CONFIG
-if test -n "$LIBGNUTLS_CONFIG"; then
-  { echo "$as_me:$LINENO: result: $LIBGNUTLS_CONFIG" >&5
-echo "${ECHO_T}$LIBGNUTLS_CONFIG" >&6; }
+LIBGNUTLS_EXTRA_CONFIG=$ac_cv_path_LIBGNUTLS_EXTRA_CONFIG
+if test -n "$LIBGNUTLS_EXTRA_CONFIG"; then
+  { echo "$as_me:$LINENO: result: $LIBGNUTLS_EXTRA_CONFIG" >&5
+echo "${ECHO_T}$LIBGNUTLS_EXTRA_CONFIG" >&6; }
 else
   { echo "$as_me:$LINENO: result: no" >&5
@@ -20293 +20295 @@
 echo $ECHO_N "checking for libgnutls - version >= $min_libgnutls_version... $ECHO_C" >&6; }
   no_libgnutls=""
-  if test "$LIBGNUTLS_CONFIG" = "no" ; then
+  if test "$LIBGNUTLS_EXTRA_CONFIG" = "no" ; then
     no_libgnutls=yes
   else
-    LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
-    LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
-    libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
+    LIBGNUTLS_EXTRA_CFLAGS=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --cflags`
+    LIBGNUTLS_EXTRA_LIBS=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --libs`
+    libgnutls_extra_config_version=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --version`
 
 
       ac_save_CFLAGS="$CFLAGS"
       ac_save_LIBS="$LIBS"
-      CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-      LIBS="$LIBS $LIBGNUTLS_LIBS"
+      CFLAGS="$CFLAGS $LIBGNUTLS_EXTRA_CFLAGS"
+      LIBS="$LIBS $LIBGNUTLS_EXTRA_LIBS"
       rm -f conf.libgnutlstest
       if test "$cross_compiling" = yes; then
@@ -20319 +20321 @@
 #include <stdlib.h>
 #include <string.h>
-#include <gnutls/gnutls.h>
+#include <gnutls/extra.h>
 
 int
@@ -20326 +20328 @@
     system ("touch conf.libgnutlstest");
 
-    if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
+    if( strcmp( gnutls_extra_check_version(NULL), "$libgnutls_extra_config_version" ) )
     {
-      printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
-             "$libgnutls_config_version", gnutls_check_version(NULL) );
-      printf("*** was found! If libgnutls-config was correct, then it is best\n");
-      printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
+      printf("\n*** 'libgnutls-extra-config --version' returned %s, but LIBGNUTLS_EXTRA (%s)\n",
+             "$libgnutls_extra_config_version", gnutls_extra_check_version(NULL) );
+      printf("*** was found! If libgnutls-extra-config was correct, then it is best\n");
+      printf("*** to remove the old version of LIBGNUTLS_EXTRA. You may also be able to fix the error\n");
       printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
       printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
       printf("*** required on your system.\n");
-      printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
-      printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
+      printf("*** If libgnutls-extra-config was wrong, set the environment variable LIBGNUTLS_EXTRA_CONFIG\n");
+      printf("*** to point to the correct copy of libgnutls-extra-config, and remove the file config.cache\n");
       printf("*** before re-running configure\n");
     }
-    else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
+    else if ( strcmp(gnutls_extra_check_version(NULL), LIBGNUTLS_EXTRA_VERSION ) )
     {
-      printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
-      printf("*** library (version %s)\n", gnutls_check_version(NULL) );
+      printf("\n*** LIBGNUTLS_EXTRA header file (version %s) does not match\n", LIBGNUTLS_EXTRA_VERSION);
+      printf("*** library (version %s). This is may be due to a different version of gnutls\n", gnutls_extra_check_version(NULL) );
+      printf("*** and gnutls-extra.\n");
     }
     else
     {
-      if ( gnutls_check_version( "$min_libgnutls_version" ) )
+      if ( gnutls_extra_check_version( "$min_libgnutls_version" ) )
       {
         return 0;
@@ -20352 +20355 @@
      else
       {
-        printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
-                gnutls_check_version(NULL) );
-        printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
+        printf("no\n*** An old version of LIBGNUTLS_EXTRA (%s) was found.\n",
+                gnutls_extra_check_version(NULL) );
+        printf("*** You need a version of LIBGNUTLS_EXTRA newer than %s. The latest version of\n",
                "$min_libgnutls_version" );
-        printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
+        printf("*** LIBGNUTLS_EXTRA is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
         printf("*** \n");
         printf("*** If you have already installed a sufficiently new version, this error\n");
-        printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
+        printf("*** probably means that the wrong copy of the libgnutls-extra-config shell script is\n");
         printf("*** being found. The easiest way to fix this is to remove the old version\n");
-        printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
-        printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
+        printf("*** of LIBGNUTLS_EXTRA, but you can also set the LIBGNUTLS_EXTRA_CONFIG environment to point to the\n");
+        printf("*** correct copy of libgnutls-extra-config. (In this case, you will have to\n");
         printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
         printf("*** so that the correct libraries are found at run-time))\n");
@@ -20419 +20422 @@
 echo "${ECHO_T}no" >&6; }
      fi
-     if test "$LIBGNUTLS_CONFIG" = "no" ; then
-       echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
-       echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
-       echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
-       echo "*** full path to libgnutls-config."
+     if test "$LIBGNUTLS_EXTRA_CONFIG" = "no" ; then
+       echo "*** The libgnutls-extra-config script installed by LIBGNUTLS_EXTRA could not be found"
+       echo "*** If LIBGNUTLS_EXTRA was installed in PREFIX, make sure PREFIX/bin is in"
+       echo "*** your path, or set the LIBGNUTLS_EXTRA_CONFIG environment variable to the"
+       echo "*** full path to libgnutls-extra-config."
      else
        if test -f conf.libgnutlstest ; then
@@ -20429 +20432 @@
        else
           echo "*** Could not run libgnutls test program, checking why..."
-          CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-          LIBS="$LIBS $LIBGNUTLS_LIBS"
+          CFLAGS="$CFLAGS $LIBGNUTLS_EXTRA_CFLAGS"
+          LIBS="$LIBS $LIBGNUTLS_EXTRA_LIBS"
           cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -20441 +20444 @@
 #include <stdlib.h>
 #include <string.h>
-#include <gnutls/gnutls.h>
+#include <gnutls/extra.h>
 
 int
 main ()
 {
- return !!gnutls_check_version(NULL);
+ return !!gnutls_extra_check_version(NULL);
   ;
   return 0;
@@ -20470 +20473 @@
        $as_test_x conftest$ac_exeext; then
    echo "*** The test program compiled, but did not run. This usually means"
-          echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
-          echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
+          echo "*** that the run-time linker is not finding LIBGNUTLS_EXTRA or finding the wrong"
+          echo "*** version of LIBGNUTLS_EXTRA. If it is not finding LIBGNUTLS_EXTRA, you'll need to set your"
           echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
           echo "*** to the installed location  Also, make sure you have run ldconfig if that"
@@ -20484 +20487 @@
 
          echo "*** The test program failed to compile or link. See the file config.log for the"
-          echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
-          echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
-          echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG"
+          echo "*** exact error that occured. This usually means LIBGNUTLS_EXTRA was incorrectly installed"
+          echo "*** or that you have moved LIBGNUTLS_EXTRA since it was installed. In the latter case, you"
+          echo "*** may want to edit the libgnutls-extra-config script: $LIBGNUTLS_EXTRA_CONFIG"
 fi
 
@@ -20495 +20498 @@
        fi
      fi
-     LIBGNUTLS_CFLAGS=""
-     LIBGNUTLS_LIBS=""
+     LIBGNUTLS_EXTRA_CFLAGS=""
+     LIBGNUTLS_EXTRA_LIBS=""
      { { echo "$as_me:$LINENO: error:
 ***
-*** libgnutls were not found. You may want to get it from
+*** libgnutls and libgnutls-extra were not found. You may want to get it from
 *** http://www.gnutls.org/
 ***
@@ -20505 +20508 @@
 echo "$as_me: error:
 ***
-*** libgnutls were not found. You may want to get it from
+*** libgnutls and libgnutls-extra were not found. You may want to get it from
 *** http://www.gnutls.org/
 ***
@@ -20515 +20518 @@
 
 
-  LIBGNUTLS_VERSION=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
-  LIBGNUTLS_PREFIX="`$LIBGNUTLS_CONFIG $libgnutls_config_args --prefix`"
+  LIBGNUTLS_LIBS=$LIBGNUTLS_EXTRA_LIBS
+  LIBGNUTLS_CFLAGS=$LIBGNUTLS_EXTRA_CFLAGS
+  LIBGNUTLS_VERSION=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --version`
+  LIBGNUTLS_PREFIX="`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --prefix`"
   GNUTLS_CERTTOOL="${LIBGNUTLS_PREFIX}/bin/certtool"
 
@@ -20526 +20531 @@
 
 
+
+# Check whether --enable-srp was given.
+if test "${enable_srp+set}" = set; then
+  enableval=$enable_srp; use_srp=$enableval
+else
+  use_srp=yes
+fi
+
+
+SRP_CFLAGS=""
+if test "$use_srp" != "no"; then
+        SRP_CFLAGS="-DENABLE_SRP=1"
+fi
+{ echo "$as_me:$LINENO: checking whether to enable SRP functionality" >&5
+echo $ECHO_N "checking whether to enable SRP functionality... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $use_srp" >&5
+echo "${ECHO_T}$use_srp" >&6; }
 
 
@@ -21273 +21295 @@
 
 
-# Check whether --enable-srp was given.
-if test "${enable_srp+set}" = set; then
-  enableval=$enable_srp; use_srp=$enableval
-else
-  use_srp=yes
-fi
-
-
-SRP_CFLAGS=""
-if test "$use_srp" != "no"; then
-        SRP_CFLAGS="-DENABLE_SRP=1"
-fi
-{ echo "$as_me:$LINENO: checking whether to enable SRP functionality" >&5
-echo $ECHO_N "checking whether to enable SRP functionality... $ECHO_C" >&6; }
-{ echo "$as_me:$LINENO: result: $use_srp" >&5
-echo "${ECHO_T}$use_srp" >&6; }
-
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_EXTRA_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_EXTRA_LIBS}"
 
 
@@ -21722 +21727 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.4.3, which was
+This file was extended by mod_gnutls $as_me 0.5.1, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -21775 +21780 @@
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-mod_gnutls config.status 0.4.3
+mod_gnutls config.status 0.5.1
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
@@ -22132 +22137 @@
 APXS_EXTENSION!$APXS_EXTENSION$ac_delim
 APXS_CFLAGS!$APXS_CFLAGS$ac_delim
-LIBGNUTLS_CONFIG!$LIBGNUTLS_CONFIG$ac_delim
+LIBGNUTLS_EXTRA_CONFIG!$LIBGNUTLS_EXTRA_CONFIG$ac_delim
+LIBGNUTLS_EXTRA_CFLAGS!$LIBGNUTLS_EXTRA_CFLAGS$ac_delim
+LIBGNUTLS_EXTRA_LIBS!$LIBGNUTLS_EXTRA_LIBS$ac_delim
 LIBGNUTLS_CFLAGS!$LIBGNUTLS_CFLAGS$ac_delim
 LIBGNUTLS_LIBS!$LIBGNUTLS_LIBS$ac_delim
@@ -22147 +22154 @@
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 51; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 53; then
     break
   elif $ac_last_try; then
@@ -22752 +22759 @@
 echo "   * Apache Modules directory:    ${AP_LIBEXECDIR}"
 echo "   * GnuTLS Library version:      ${LIBGNUTLS_VERSION}"
-echo "   * SRP authentication:          ${use_srp}"
+echo "   * SRP Authentication:          ${use_srp}"
 echo ""
 echo "---"

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.4.3)
+AC_INIT(mod_gnutls, 0.5.1)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -30 +30 @@
 
 MIN_TLS_VERSION=2.2.1
-AM_PATH_LIBGNUTLS($MIN_TLS_VERSION,,
+AM_PATH_LIBGNUTLS_EXTRA($MIN_TLS_VERSION,,
         AC_MSG_ERROR([[
 ***  
-*** libgnutls were not found. You may want to get it from
+*** libgnutls and libgnutls-extra were not found. You may want to get it from
 *** http://www.gnutls.org/
 ***
 ]]))
-
-dnl CHECK_LUA()
-
-have_apr_memcache=0
-CHECK_APR_MEMCACHE([have_apr_memcache=1], [have_apr_memcache=0])
-AC_SUBST(have_apr_memcache)
 
 AC_ARG_ENABLE(srp,
@@ -51 +45 @@
 SRP_CFLAGS=""
 if test "$use_srp" != "no"; then
-        SRP_CFLAGS="-DENABLE_SRP=1"
+        SRP_CFLAGS="-DENABLE_SRP=1"
 fi
 AC_MSG_CHECKING([whether to enable SRP functionality])
 AC_MSG_RESULT($use_srp)
 
-MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
+dnl CHECK_LUA()
+
+have_apr_memcache=0
+CHECK_APR_MEMCACHE([have_apr_memcache=1], [have_apr_memcache=0])
+AC_SUBST(have_apr_memcache)
+
+MODULE_CFLAGS="${LIBGNUTLS_EXTRA_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_EXTRA_LIBS}"
 
 AC_SUBST(MODULE_CFLAGS)
@@ -68 +68 @@
 echo "Configuration summary for mod_gnutls:"
 echo ""
-echo "   * mod_gnutls version:          ${MOD_GNUTLS_VERSION}"
-echo "   * Apache Modules directory:    ${AP_LIBEXECDIR}"
-echo "   * GnuTLS Library version:      ${LIBGNUTLS_VERSION}"
-echo "   * SRP authentication:          ${use_srp}"
+echo "   * mod_gnutls version:  ${MOD_GNUTLS_VERSION}"
+echo "   * Apache Modules directory:    ${AP_LIBEXECDIR}"
+echo "   * GnuTLS Library version:      ${LIBGNUTLS_VERSION}"
+echo "   * SRP Authentication:          ${use_srp}"
 echo ""
 echo "---"

include/mod_gnutls.h.in

@@ -30 +30 @@
 #include <gcrypt.h>
 #include <gnutls/gnutls.h>
+#include <gnutls/extra.h>
+#include <gnutls/openpgp.h>
 #include <gnutls/x509.h>
 
@@ -95 +97 @@
     unsigned int certs_x509_num;
     gnutls_x509_privkey_t privkey_x509;
+    gnutls_openpgp_crt_t cert_pgp; /* A certificate chain */
+    gnutls_openpgp_privkey_t privkey_pgp;
     int enabled;
     /* whether to send the PEM encoded certificates
@@ -109 +113 @@
     const char* srp_tpasswd_conf_file;
     gnutls_x509_crt_t ca_list[MAX_CA_CRTS];
+    gnutls_openpgp_keyring_t pgp_list;
     unsigned int ca_list_size;
     int client_verify_mode;
@@ -255 +260 @@
                              const char *arg);
 
+const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
+                                        const char *arg);
+
+const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
+                             const char *arg);
+
 const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                           const char *type, const char* arg);
@@ -265 +276 @@
 
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
+                                   const char *arg);
+
+const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                    const char *arg);
 

m4/libgnutls.m4

@@ -1 @@
-dnl Autoconf macros for libgnutls
+dnl Autoconf macros for libgnutls-extra
 dnl $id$
 
-# Modified for LIBGNUTLS -- nmav
+# Modified for LIBGNUTLS_EXTRA -- nmav
 # Configure paths for LIBGCRYPT
 # Shamelessly stolen from the one of XDELTA by Owen Taylor
 # Werner Koch   99-12-09
 
-dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
+dnl AM_PATH_LIBGNUTLS_EXTRA([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
+dnl Test for libgnutls-extra, and define LIBGNUTLS_EXTRA_CFLAGS and LIBGNUTLS_EXTRA_LIBS
 dnl
-AC_DEFUN([AM_PATH_LIBGNUTLS],
+AC_DEFUN([AM_PATH_LIBGNUTLS_EXTRA],
 [dnl
-dnl Get the cflags and libraries from the libgnutls-config script
+dnl Get the cflags and libraries from the libgnutls-extra-config script
 dnl
-AC_ARG_WITH(libgnutls-prefix,
-          [  --with-libgnutls-prefix=PFX   Prefix where libgnutls is installed (optional)],
-          libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
+AC_ARG_WITH(libgnutls-extra-prefix,
+          [  --with-libgnutls-extra-prefix=PFX   Prefix where libgnutls-extra is installed (optional)],
+          libgnutls_extra_config_prefix="$withval", libgnutls_extra_config_prefix="")
 
-  if test x$libgnutls_config_prefix != x ; then
-     if test x${LIBGNUTLS_CONFIG+set} != xset ; then
-        LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
+  if test x$libgnutls_extra_config_prefix != x ; then
+     if test x${LIBGNUTLS_EXTRA_CONFIG+set} != xset ; then
+        LIBGNUTLS_EXTRA_CONFIG=$libgnutls_extra_config_prefix/bin/libgnutls-extra-config
      fi
   fi
 
-  AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
+  AC_PATH_PROG(LIBGNUTLS_EXTRA_CONFIG, libgnutls-extra-config, no)
   min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
   AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
   no_libgnutls=""
-  if test "$LIBGNUTLS_CONFIG" = "no" ; then
+  if test "$LIBGNUTLS_EXTRA_CONFIG" = "no" ; then
     no_libgnutls=yes
   else
-    LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
-    LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
-    libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
+    LIBGNUTLS_EXTRA_CFLAGS=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --cflags`
+    LIBGNUTLS_EXTRA_LIBS=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --libs`
+    libgnutls_extra_config_version=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --version`
 
 
       ac_save_CFLAGS="$CFLAGS"
       ac_save_LIBS="$LIBS"
-      CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-      LIBS="$LIBS $LIBGNUTLS_LIBS"
+      CFLAGS="$CFLAGS $LIBGNUTLS_EXTRA_CFLAGS"
+      LIBS="$LIBS $LIBGNUTLS_EXTRA_LIBS"
 dnl
 dnl Now check if the installed libgnutls is sufficiently new. Also sanity
-dnl checks the results of libgnutls-config to some extent
+dnl checks the results of libgnutls-extra-config to some extent
 dnl
       rm -f conf.libgnutlstest
@@ -49 +49 @@
 #include <stdlib.h>
 #include <string.h>
-#include <gnutls/gnutls.h>
+#include <gnutls/extra.h>
 
 int
@@ -56 +56 @@
     system ("touch conf.libgnutlstest");
 
-    if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
+    if( strcmp( gnutls_extra_check_version(NULL), "$libgnutls_extra_config_version" ) )
     {
-      printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
-             "$libgnutls_config_version", gnutls_check_version(NULL) );
-      printf("*** was found! If libgnutls-config was correct, then it is best\n");
-      printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
+      printf("\n*** 'libgnutls-extra-config --version' returned %s, but LIBGNUTLS_EXTRA (%s)\n",
+             "$libgnutls_extra_config_version", gnutls_extra_check_version(NULL) );
+      printf("*** was found! If libgnutls-extra-config was correct, then it is best\n");
+      printf("*** to remove the old version of LIBGNUTLS_EXTRA. You may also be able to fix the error\n");
       printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
       printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
       printf("*** required on your system.\n");
-      printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
-      printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
+      printf("*** If libgnutls-extra-config was wrong, set the environment variable LIBGNUTLS_EXTRA_CONFIG\n");
+      printf("*** to point to the correct copy of libgnutls-extra-config, and remove the file config.cache\n");
       printf("*** before re-running configure\n");
     }
-    else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
+    else if ( strcmp(gnutls_extra_check_version(NULL), LIBGNUTLS_EXTRA_VERSION ) )
     {
-      printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
-      printf("*** library (version %s)\n", gnutls_check_version(NULL) );
+      printf("\n*** LIBGNUTLS_EXTRA header file (version %s) does not match\n", LIBGNUTLS_EXTRA_VERSION);
+      printf("*** library (version %s). This is may be due to a different version of gnutls\n", gnutls_extra_check_version(NULL) );
+      printf("*** and gnutls-extra.\n");
     }
     else
     {
-      if ( gnutls_check_version( "$min_libgnutls_version" ) )
+      if ( gnutls_extra_check_version( "$min_libgnutls_version" ) )
       {
         return 0;
@@ -82 +83 @@
      else
       {
-        printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
-                gnutls_check_version(NULL) );
-        printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
+        printf("no\n*** An old version of LIBGNUTLS_EXTRA (%s) was found.\n",
+                gnutls_extra_check_version(NULL) );
+        printf("*** You need a version of LIBGNUTLS_EXTRA newer than %s. The latest version of\n",
                "$min_libgnutls_version" );
-        printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
+        printf("*** LIBGNUTLS_EXTRA is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
         printf("*** \n");
         printf("*** If you have already installed a sufficiently new version, this error\n");
-        printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
+        printf("*** probably means that the wrong copy of the libgnutls-extra-config shell script is\n");
         printf("*** being found. The easiest way to fix this is to remove the old version\n");
-        printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
-        printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
+        printf("*** of LIBGNUTLS_EXTRA, but you can also set the LIBGNUTLS_EXTRA_CONFIG environment to point to the\n");
+        printf("*** correct copy of libgnutls-extra-config. (In this case, you will have to\n");
         printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
         printf("*** so that the correct libraries are found at run-time))\n");
@@ -113 +114 @@
         AC_MSG_RESULT(no)
      fi
-     if test "$LIBGNUTLS_CONFIG" = "no" ; then
-       echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
-       echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
-       echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
-       echo "*** full path to libgnutls-config."
+     if test "$LIBGNUTLS_EXTRA_CONFIG" = "no" ; then
+       echo "*** The libgnutls-extra-config script installed by LIBGNUTLS_EXTRA could not be found"
+       echo "*** If LIBGNUTLS_EXTRA was installed in PREFIX, make sure PREFIX/bin is in"
+       echo "*** your path, or set the LIBGNUTLS_EXTRA_CONFIG environment variable to the"
+       echo "*** full path to libgnutls-extra-config."
      else
        if test -f conf.libgnutlstest ; then
@@ -123 +124 @@
        else
           echo "*** Could not run libgnutls test program, checking why..."
-          CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
-          LIBS="$LIBS $LIBGNUTLS_LIBS"
+          CFLAGS="$CFLAGS $LIBGNUTLS_EXTRA_CFLAGS"
+          LIBS="$LIBS $LIBGNUTLS_EXTRA_LIBS"
           AC_TRY_LINK([
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <gnutls/gnutls.h>
-],      [ return !!gnutls_check_version(NULL); ],
+#include <gnutls/extra.h>
+],      [ return !!gnutls_extra_check_version(NULL); ],
         [ echo "*** The test program compiled, but did not run. This usually means"
-          echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
-          echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
+          echo "*** that the run-time linker is not finding LIBGNUTLS_EXTRA or finding the wrong"
+          echo "*** version of LIBGNUTLS_EXTRA. If it is not finding LIBGNUTLS_EXTRA, you'll need to set your"
           echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
           echo "*** to the installed location  Also, make sure you have run ldconfig if that"
@@ -142 +143 @@
           echo "***" ],
         [ echo "*** The test program failed to compile or link. See the file config.log for the"
-          echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
-          echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
-          echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
+          echo "*** exact error that occured. This usually means LIBGNUTLS_EXTRA was incorrectly installed"
+          echo "*** or that you have moved LIBGNUTLS_EXTRA since it was installed. In the latter case, you"
+          echo "*** may want to edit the libgnutls-extra-config script: $LIBGNUTLS_EXTRA_CONFIG" ])
           CFLAGS="$ac_save_CFLAGS"
           LIBS="$ac_save_LIBS"
        fi
      fi
-     LIBGNUTLS_CFLAGS=""
-     LIBGNUTLS_LIBS=""
+     LIBGNUTLS_EXTRA_CFLAGS=""
+     LIBGNUTLS_EXTRA_LIBS=""
      ifelse([$3], , :, [$3])
   fi
   rm -f conf.libgnutlstest
-  AC_SUBST(LIBGNUTLS_CFLAGS)
-  AC_SUBST(LIBGNUTLS_LIBS)
+  AC_SUBST(LIBGNUTLS_EXTRA_CFLAGS)
+  AC_SUBST(LIBGNUTLS_EXTRA_LIBS)
 
-  LIBGNUTLS_VERSION=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
-  LIBGNUTLS_PREFIX="`$LIBGNUTLS_CONFIG $libgnutls_config_args --prefix`"
+  LIBGNUTLS_LIBS=$LIBGNUTLS_EXTRA_LIBS
+  LIBGNUTLS_CFLAGS=$LIBGNUTLS_EXTRA_CFLAGS
+  LIBGNUTLS_VERSION=`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --version`
+  LIBGNUTLS_PREFIX="`$LIBGNUTLS_EXTRA_CONFIG $libgnutls_extra_config_args --prefix`"
   GNUTLS_CERTTOOL="${LIBGNUTLS_PREFIX}/bin/certtool"
 
@@ -166 +169 @@
   AC_SUBST(LIBGNUTLS_PREFIX)
   AC_SUBST(LIBGNUTLS_CERTTOOL)
-
+  
 ])
 

src/Makefile.in

@@ -143 +143 @@
 LIBGNUTLS_CERTTOOL = @LIBGNUTLS_CERTTOOL@
 LIBGNUTLS_CFLAGS = @LIBGNUTLS_CFLAGS@
-LIBGNUTLS_CONFIG = @LIBGNUTLS_CONFIG@
+LIBGNUTLS_EXTRA_CFLAGS = @LIBGNUTLS_EXTRA_CFLAGS@
+LIBGNUTLS_EXTRA_CONFIG = @LIBGNUTLS_EXTRA_CONFIG@
+LIBGNUTLS_EXTRA_LIBS = @LIBGNUTLS_EXTRA_LIBS@
 LIBGNUTLS_LIBS = @LIBGNUTLS_LIBS@
 LIBGNUTLS_PREFIX = @LIBGNUTLS_PREFIX@

src/gnutls_config.c

@@ -1 +1 @@
 /**
  *  Copyright 2004-2005 Paul Querna
+ *  Copyright 2007 Nikos Mavrogiannopoulos
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -203 +204 @@
 }
 
+const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
+                              const char *arg)
+{
+    int ret;
+    gnutls_datum_t data;
+    const char *file;
+    apr_pool_t *spool;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, parms->pool);
+
+    file = ap_server_root_relative(spool, arg);
+
+    if (load_datum_from_file(spool, file, &data) != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+                            "Certificate '%s'", file);
+    }
+
+    ret = gnutls_openpgp_crt_init( &sc->cert_pgp);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to Init "
+                            "PGP Certificate: (%d) %s", ret,
+                            gnutls_strerror(ret));
+    }
+      
+    ret =
+        gnutls_openpgp_crt_import(sc->cert_pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+                            "PGP Certificate '%s': (%d) %s", file, ret,
+                            gnutls_strerror(ret));
+    }
+
+    apr_pool_destroy(spool);
+    return NULL;
+}
+
+const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
+                             const char *arg)
+{
+    int ret;
+    gnutls_datum_t data;
+    const char *file;
+    apr_pool_t *spool;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, parms->pool);
+
+    file = ap_server_root_relative(spool, arg);
+
+    if (load_datum_from_file(spool, file, &data) != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+                            "Private Key '%s'", file);
+    }
+
+    ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp);
+    if (ret < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret, gnutls_strerror(ret));
+    }
+
+    ret =
+        gnutls_openpgp_privkey_import(sc->privkey_pgp, &data,
+                                   GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
+    if (ret != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+                            "PGP Private Key '%s': (%d) %s", file, ret,
+                            gnutls_strerror(ret));
+    }
+    apr_pool_destroy(spool);
+    return NULL;
+}
+
+
 #ifdef ENABLE_SRP
 
@@ -355 +434 @@
 }
 
+const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
+                                   const char *arg)
+{
+    int rv;
+    const char *file;
+    apr_pool_t *spool;
+    gnutls_datum_t data;
+
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+    apr_pool_create(&spool, parms->pool);
+
+    file = ap_server_root_relative(spool, arg);
+
+    if (load_datum_from_file(spool, file, &data) != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+                            "Keyring File '%s'", file);
+    }
+
+    rv = gnutls_openpgp_keyring_init(&sc->pgp_list);
+    if (rv < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
+                            "keyring: (%d) %s", rv, gnutls_strerror(rv));
+    }
+
+    rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, GNUTLS_OPENPGP_FMT_BASE64);
+    if (rv < 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+                            "Keyring File '%s': (%d) %s", file, rv,
+                            gnutls_strerror(rv));
+    }
+
+    apr_pool_destroy(spool);
+    return NULL;
+}
+
 const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                             const char *arg)

src/gnutls_hooks.c

@@ -37 +37 @@
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
-static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,
+static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert,
+                                     int side,
+                                     int export_certificates_enabled);
+static void mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert,
                                      int side,
                                      int export_certificates_enabled);
@@ -69 +72 @@
 #endif
 
+    if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
+        fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n", 
+          LIBGNUTLS_VERSION, gnutls_check_version(NULL));
+        return -3;
+    }
+
     ret = gnutls_global_init();
-    if (ret < 0) /* FIXME: can we print here? */
-        exit(ret);
+    if (ret < 0) {
+        fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
+        return -3;
+    }
+
+    ret = gnutls_global_init_extra();
+    if (ret < 0) {
+        fprintf(stderr, "gnutls_global_init_extra: %s\n", gnutls_strerror(ret));
+        return -3;
+    }
                                             
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
@@ -83 +100 @@
     gnutls_global_set_log_level(9);
     gnutls_global_set_log_function(gnutls_debug_log_all);
+    apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
 #endif
 
     return OK;
 }
-
-/* We don't support openpgp certificates, yet */
-const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
 
 static int mgs_select_virtual_server_cb(gnutls_session_t session)
@@ -96 +111 @@
     mgs_srvconf_rec *tsc;
     int ret;
+    int cprio[2];
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -129 +145 @@
      */
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
-    gnutls_certificate_type_set_priority(session, cert_type_prio);
-
-
     /* actually it shouldn't fail since we have checked at startup */
     if (ret < 0)
         return ret;
 
+    /* If both certificate types are not present disallow them from
+     * being negotiated.
+     */
+    if (ctxt->sc->certs_x509[0] != NULL && ctxt->sc->cert_pgp == NULL) {
+        cprio[0] = GNUTLS_CRT_X509;
+        cprio[1] = 0;
+        gnutls_certificate_type_set_priority( session, cprio);
+    } else if (ctxt->sc->cert_pgp != NULL && ctxt->sc->certs_x509[0]==NULL) {
+        cprio[0] = GNUTLS_CRT_OPENPGP;
+        cprio[1] = 0;
+        gnutls_certificate_type_set_priority( session, cprio);
+    }
 
     return 0;
@@ -146 +171 @@
     ctxt = gnutls_transport_get_ptr(session);
 
-    ret->type = GNUTLS_CRT_X509;
-    ret->ncerts = ctxt->sc->certs_x509_num;
-    ret->deinit_all = 0;
-
-    ret->cert.x509 = ctxt->sc->certs_x509;
-    ret->key.x509 = ctxt->sc->privkey_x509;
-    return 0;
-}
-
+    if (gnutls_certificate_type_get( session) == GNUTLS_CRT_X509) {
+        ret->type = GNUTLS_CRT_X509;
+        ret->ncerts = ctxt->sc->certs_x509_num;
+        ret->deinit_all = 0;
+
+        ret->cert.x509 = ctxt->sc->certs_x509;
+        ret->key.x509 = ctxt->sc->privkey_x509;
+        
+        return 0;
+    } else if (gnutls_certificate_type_get( session) == GNUTLS_CRT_OPENPGP) {
+        ret->type = GNUTLS_CRT_OPENPGP;
+        ret->ncerts = 1;
+        ret->deinit_all = 0;
+
+        ret->cert.pgp = ctxt->sc->cert_pgp;
+        ret->key.pgp = ctxt->sc->privkey_pgp;
+
+        return 0;
+    
+    }
+
+    return GNUTLS_E_INTERNAL_ERROR;
+}
+
+/* 2048-bit group parameters from SRP specification */
 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
     "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
@@ -170 +211 @@
  */
 static int read_crt_cn(server_rec * s, apr_pool_t * p,
-                       gnutls_x509_crt cert, char **cert_cn)
+                       gnutls_x509_crt_t cert, char **cert_cn)
 {
     int rv = 0, i;
@@ -178 +219 @@
     *cert_cn = NULL;
 
+    data_len = 0;
     rv = gnutls_x509_crt_get_dn_by_oid(cert,
                                        GNUTLS_OID_X520_COMMON_NAME,
@@ -188 +230 @@
                                            0, *cert_cn, &data_len);
     } else {                    /* No CN return subject alternative name */
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
-                     "No common name found in certificate for '%s:%d'. Looking for subject alternative name.",
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "No common name found in certificate for '%s:%d'. Looking for subject alternative name...",
                      s->server_hostname, s->port);
         rv = 0;
@@ -217 +259 @@
 
     return rv;
-
-}
+}
+
+static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
+                       gnutls_openpgp_crt_t cert, char **cert_cn)
+{
+    int rv = 0;
+    size_t data_len;
+
+
+    *cert_cn = NULL;
+
+    data_len = 0;
+    rv = gnutls_openpgp_crt_get_name(cert, 0, NULL, &data_len);
+
+    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
+        *cert_cn = apr_palloc(p, data_len);
+        rv = gnutls_openpgp_crt_get_name(cert, 0, *cert_cn, &data_len);
+    } else {                    /* No CN return subject alternative name */
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "No name found in PGP certificate for '%s:%d'.",
+                     s->server_hostname, s->port);
+    }
+
+    return rv;
+}
+
 
 int
@@ -355 +421 @@
             if (sc->enabled == GNUTLS_ENABLED_TRUE) {
                 rv = read_crt_cn(s, p, sc->certs_x509[0], &sc->cert_cn);
+                if (rv < 0 && sc->cert_pgp != NULL)  /* try openpgp certificate */
+                    rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
+
                 if (rv < 0) {
                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
@@ -483 +552 @@
     ctxt = gnutls_transport_get_ptr(session);
 
-    sni_type = gnutls_certificate_type_get(session);
-    if (sni_type != GNUTLS_CRT_X509) {
-        /* In theory, we could support OpenPGP Certificates. Theory != code. */
-        ap_log_error(APLOG_MARK, APLOG_CRIT, 0,
-                     ctxt->c->base_server,
-                     "GnuTLS: Only x509 Certificates are currently supported.");
-        return NULL;
-    }
-
     rv = gnutls_server_name_get(ctxt->session, sni_name,
                                 &data_len, &sni_type, 0);
@@ -691 +751 @@
     apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
 
-    mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
+    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
+        mgs_add_common_cert_vars(r, ctxt->sc->certs_x509[0], 0,
+                             ctxt->sc->export_certificates_enabled);
+    else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
+        mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
                              ctxt->sc->export_certificates_enabled);
 
@@ -753 +817 @@
 #define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
 static void
-mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side,
+mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
                          int export_certificates_enabled)
 {
@@ -859 +923 @@
         }
     }
-
-
-}
-
-
+}
+
+static void
+mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side,
+                         int export_certificates_enabled)
+{
+    unsigned char sbuf[64];     /* buffer to hold serials */
+    char buf[AP_IOBUFSIZE];
+    const char *tmp;
+    size_t len;
+    int ret;
+
+    apr_table_t *env = r->subprocess_env;
+
+    if (export_certificates_enabled != 0) {
+        char cert_buf[10 * 1024];
+        len = sizeof(cert_buf);
+
+        if (gnutls_openpgp_crt_export
+            (cert, GNUTLS_OPENPGP_FMT_BASE64, cert_buf, &len) >= 0)
+            apr_table_setn(env,
+                           apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
+                           apr_pstrmemdup(r->pool, cert_buf, len));
+
+    }
+
+    len = sizeof(buf);
+    gnutls_openpgp_crt_get_name(cert, 0, buf, &len);
+    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_NAME", NULL),
+                   apr_pstrmemdup(r->pool, buf, len));
+
+    len = sizeof(sbuf);
+    gnutls_openpgp_crt_get_fingerprint(cert, sbuf, &len);
+    tmp = mgs_session_id2sz(sbuf, len, buf, sizeof(buf));
+    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_FINGERPRINT", NULL),
+                   apr_pstrdup(r->pool, tmp));
+
+    ret = gnutls_openpgp_crt_get_version(cert);
+    if (ret > 0)
+        apr_table_setn(env,
+                       apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION", NULL),
+                       apr_psprintf(r->pool, "%u", ret));
+
+    apr_table_setn(env,
+       apr_pstrcat(r->pool, MGS_SIDE, "_CERT_TYPE", NULL), "OPENPGP");
+
+    tmp =
+        mgs_time2sz(gnutls_openpgp_crt_get_expiration_time
+                    (cert), buf, sizeof(buf));
+    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_END", NULL),
+                   apr_pstrdup(r->pool, tmp));
+
+    tmp =
+        mgs_time2sz(gnutls_openpgp_crt_get_creation_time
+                    (cert), buf, sizeof(buf));
+    apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_V_START", NULL),
+                   apr_pstrdup(r->pool, tmp));
+
+    ret = gnutls_openpgp_crt_get_pk_algorithm(cert, NULL);
+    if (ret >= 0) {
+        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
+                       gnutls_pk_algorithm_get_name(ret));
+    }
+
+}
+
+/* TODO: Allow client sending a X.509 certificate chain */
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
 {
@@ -869 +995 @@
     unsigned int cert_list_size, status, expired;
     int rv, ret;
-    gnutls_x509_crt_t cert;
+    union {
+      gnutls_x509_crt_t x509;
+      gnutls_openpgp_crt_t pgp;
+    } cert;
     apr_time_t activation_time, expiration_time, cur_time;
 
@@ -895 +1024 @@
     }
 
-    gnutls_x509_crt_init(&cert);
-    rv = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
+    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
+        gnutls_x509_crt_init(&cert.x509);
+        rv = gnutls_x509_crt_import(cert.x509, &cert_list[0], GNUTLS_X509_FMT_DER);
+    } else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP) {
+        gnutls_openpgp_crt_init(&cert.pgp);
+        rv = gnutls_openpgp_crt_import(cert.pgp, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW);
+    } else return HTTP_FORBIDDEN;
+ 
     if (rv < 0) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                       "GnuTLS: Failed to Verify Peer: "
                       "Failed to import peer certificates.");
-        ret = HTTP_FORBIDDEN;
-        goto exit;
-    }
-
-    apr_time_ansi_put(&expiration_time,
-                      gnutls_x509_crt_get_expiration_time(cert));
-    apr_time_ansi_put(&activation_time,
-                      gnutls_x509_crt_get_activation_time(cert));
-
-    rv = gnutls_x509_crt_verify(cert, ctxt->sc->ca_list,
+       ret = HTTP_FORBIDDEN;
+       goto exit;
+    }
+
+    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509) {
+        apr_time_ansi_put(&expiration_time,
+                      gnutls_x509_crt_get_expiration_time(cert.x509));
+        apr_time_ansi_put(&activation_time,
+                      gnutls_x509_crt_get_activation_time(cert.x509));
+
+        rv = gnutls_x509_crt_verify(cert.x509, ctxt->sc->ca_list,
                                 ctxt->sc->ca_list_size, 0, &status);
+    } else {
+        apr_time_ansi_put(&expiration_time,
+                      gnutls_openpgp_crt_get_expiration_time(cert.pgp));
+        apr_time_ansi_put(&activation_time,
+                      gnutls_openpgp_crt_get_creation_time(cert.pgp));
+
+        rv = gnutls_openpgp_crt_verify_ring(cert.pgp, ctxt->sc->pgp_list,
+                      0, &status);
+    }
 
     if (rv < 0) {
@@ -917 +1062 @@
                       "GnuTLS: Failed to Verify Peer certificate: (%d) %s",
                       rv, gnutls_strerror(rv));
+        if (rv == GNUTLS_E_NO_CERTIFICATE_FOUND)
+            ap_log_rerror(APLOG_MARK, APLOG_EMERG, 0, r,
+                      "GnuTLS: No certificate was found for verification. Did you set the GnuTLSX509CAFile or GnuTLSPGPKeyringFile directives?");
         ret = HTTP_FORBIDDEN;
         goto exit;
     }
+
+    /* TODO: X509 CRL Verification. */
+    /* May add later if anyone needs it.
+     */
+    /* ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size); */
 
     expired = 0;
@@ -955 +1108 @@
     }
 
-    /* TODO: Further Verification. */
-    /* Revocation is X.509 non workable paradigm, I really doubt implementation
-     * is worth doing --nmav
-     */
-/// ret = gnutls_x509_crt_check_revocation(crt, crl_list, crl_list_size);
-
-//    mgs_hook_fixups(r);
-//    rv = mgs_authz_lua(r);
-
-    mgs_add_common_cert_vars(r, cert, 1,
+    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
+        mgs_add_common_cert_vars(r, cert.x509, 1,
+                             ctxt->sc->export_certificates_enabled);
+    else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
+        mgs_add_common_pgpcert_vars(r, cert.pgp, 1,
                              ctxt->sc->export_certificates_enabled);
 
@@ -988 +1136 @@
 
   exit:
-    gnutls_x509_crt_deinit(cert);
+    if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_X509)
+        gnutls_x509_crt_deinit(cert.x509);
+    else if (gnutls_certificate_type_get( ctxt->session) == GNUTLS_CRT_OPENPGP)
+        gnutls_openpgp_crt_deinit(cert.pgp);
     return ret;
 

src/mod_gnutls.c

@@ -64 +64 @@
                   RSRC_CONF,
                   "Set the CA File to verify Client Certificates"),
+    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
+                  NULL,
+                  RSRC_CONF,
+                  "Set the CA File to verify Client Certificates"),
+    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
+                  NULL,
+                  RSRC_CONF,
+                  "Set the Keyring File to verify Client Certificates"),
     AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
                   NULL,
@@ -75 +83 @@
                   NULL,
                   RSRC_CONF,
-                  "SSL Server Key file"),
+                  "SSL Server X509 Certificate file"),
     AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
                   NULL,
                   RSRC_CONF,
-                  "SSL Server SRP Password file"),
+                  "SSL Server X509 Private Key file"),
+    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
+                  NULL,
+                  RSRC_CONF,
+                  "SSL Server X509 Certificate file"),
+    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
+                  NULL,
+                  RSRC_CONF,
+                  "SSL Server X509 Private Key file"),
+    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
+                  NULL,
+                  RSRC_CONF,
+                  "SSL Server PGP Certificate file"),
+    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
+                  NULL,
+                  RSRC_CONF,
+                  "SSL Server PGP Private key file"),
 #ifdef ENABLE_SRP
     AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,