Changeset 46b85d8 in mod_gnutls
- Timestamp:
- Apr 24, 2005, 6:01:46 PM (18 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, msva, proxy-ticket, upstream
- Children:
- c301152
- Parents:
- 316bd8c
- Files:
-
- 1 added
- 5 edited
-
include/mod_gnutls.h.in (modified) (1 diff)
-
mod_gnutls.xcode/project.pbxproj (modified) (1 diff)
-
src/Makefile.am (modified) (1 diff)
-
src/gnutls_cache.c (modified) (1 diff)
-
src/gnutls_config.c (added)
-
src/mod_gnutls.c (modified) (7 diffs)
Legend:
- Unmodified
- Added
- Removed
-
include/mod_gnutls.h.in
r316bd8c r46b85d8 213 213 char *str, int strsize); 214 214 215 /* Configuration Functions */ 216 217 const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, 218 const char *arg); 219 220 const char *mgs_set_key_file(cmd_parms * parms, void *dummy, 221 const char *arg); 222 223 const char *mgs_set_cache(cmd_parms * parms, void *dummy, 224 const char *type, const char* arg); 225 226 const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy, 227 const char *arg); 228 229 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, 230 const char *arg); 231 232 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, 233 const char *arg); 234 235 const char *mgs_set_enabled(cmd_parms * parms, void *dummy, 236 const char *arg); 237 238 void *mgs_config_server_create(apr_pool_t * p, server_rec * s); 239 240 void *mgs_config_dir_create(apr_pool_t *p, char *dir); 241 215 242 #endif /* __mod_gnutls_h_inc */ -
mod_gnutls.xcode/project.pbxproj
r316bd8c r46b85d8 6 6 objectVersion = 39; 7 7 objects = { 8 4541F3BA081C4B1A007457C1 = { 9 fileEncoding = 30; 10 isa = PBXFileReference; 11 lastKnownFileType = sourcecode.c.c; 12 name = gnutls_config.c; 13 path = src/gnutls_config.c; 14 refType = 2; 15 sourceTree = SOURCE_ROOT; 16 }; 8 17 45B624630802F1E200CBFD9A = { 9 18 children = ( 19 4541F3BA081C4B1A007457C1, 10 20 45B6246D0802F20D00CBFD9A, 11 21 45B6247D0802F85B00CBFD9A, -
src/Makefile.am
r316bd8c r46b85d8 1 1 CLEANFILES = .libs/libmod_gnutls *~ 2 2 3 libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c 3 libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c 4 4 libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS} 5 5 libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR} -module -avoid-version ${MODULE_LIBS} -
src/gnutls_cache.c
r316bd8c r46b85d8 80 80 static apr_memcache_t* mc; 81 81 82 int mc_cache_child_init(apr_pool_t *p, server_rec *s,82 static int mc_cache_child_init(apr_pool_t *p, server_rec *s, 83 83 mod_gnutls_srvconf_rec *sc) 84 84 { -
src/mod_gnutls.c
r316bd8c r46b85d8 293 293 } 294 294 295 static void mod_gnutls_changed_servers(mod_gnutls_handle_t *ctxt)296 {297 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);298 }299 300 295 #define MAX_HOST_LEN 255 301 296 … … 335 330 */ 336 331 x->ctxt->sc = tsc; 337 mod_gnutls_changed_servers(x->ctxt); 332 /* Shit. Crap. Dammit. We *really* should rehandshake here, as our 333 * certificate structure *should* change when the server changes. 334 * acccckkkkkk. 335 */ 336 gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode); 338 337 return 1; 339 338 } … … 426 425 #endif 427 426 ctxt->sc = tsc; 428 mod_gnutls_changed_servers(ctxt);427 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); 429 428 return 0; 430 429 } … … 483 482 484 483 gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn); 485 486 mod_gnutls_changed_servers(ctxt); 484 gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); 487 485 return ctxt; 488 486 } … … 561 559 } 562 560 563 static int load_datum_from_file(apr_pool_t* pool,564 const char* file,565 gnutls_datum_t* data)566 {567 apr_file_t* fp;568 apr_finfo_t finfo;569 apr_status_t rv;570 apr_size_t br = 0;571 572 rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT,573 pool);574 if (rv != APR_SUCCESS) {575 return rv;576 }577 578 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);579 580 if (rv != APR_SUCCESS) {581 return rv;582 }583 584 data->data = apr_palloc(pool, finfo.size+1);585 rv = apr_file_read_full(fp, data->data, finfo.size, &br);586 587 if (rv != APR_SUCCESS) {588 return rv;589 }590 apr_file_close(fp);591 592 data->data[br] = '\0';593 data->size = br;594 595 return 0;596 }597 598 static const char *gnutls_set_cert_file(cmd_parms * parms, void *dummy,599 const char *arg)600 {601 int ret;602 gnutls_datum_t data;603 const char* file;604 apr_pool_t* spool;605 mod_gnutls_srvconf_rec *sc =606 (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->607 module_config,608 &gnutls_module);609 apr_pool_create(&spool, parms->pool);610 611 file = ap_server_root_relative(spool, arg);612 613 if (load_datum_from_file(spool, file, &data) != 0) {614 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "615 "Certificate '%s'", file);616 }617 618 gnutls_x509_crt_init(&sc->cert_x509);619 ret = gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);620 if (ret != 0) {621 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "622 "Certificate'%s': (%d) %s", file, ret,623 gnutls_strerror(ret));624 }625 626 apr_pool_destroy(spool);627 return NULL;628 }629 630 static const char *gnutls_set_key_file(cmd_parms * parms, void *dummy,631 const char *arg)632 {633 int ret;634 gnutls_datum_t data;635 const char* file;636 apr_pool_t* spool;637 mod_gnutls_srvconf_rec *sc =638 (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->639 module_config,640 &gnutls_module);641 apr_pool_create(&spool, parms->pool);642 643 file = ap_server_root_relative(spool, arg);644 645 if (load_datum_from_file(spool, file, &data) != 0) {646 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "647 "Private Key '%s'", file);648 }649 650 gnutls_x509_privkey_init(&sc->privkey_x509);651 ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM);652 if (ret != 0) {653 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "654 "Private Key '%s': (%d) %s", file, ret,655 gnutls_strerror(ret));656 }657 apr_pool_destroy(spool);658 return NULL;659 }660 661 static const char *gnutls_set_cache(cmd_parms * parms, void *dummy,662 const char *type, const char* arg)663 {664 const char* err;665 mod_gnutls_srvconf_rec *sc = ap_get_module_config(parms->server->666 module_config,667 &gnutls_module);668 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {669 return err;670 }671 672 if (strcasecmp("none", type) == 0) {673 sc->cache_type = mod_gnutls_cache_none;674 }675 else if (strcasecmp("dbm", type) == 0) {676 sc->cache_type = mod_gnutls_cache_dbm;677 }678 #if HAVE_APR_MEMCACHE679 else if (strcasecmp("memcache", type) == 0) {680 sc->cache_type = mod_gnutls_cache_memcache;681 }682 #endif683 else {684 return "Invalid Type for GnuTLSCache!";685 }686 687 if (sc->cache_type == mod_gnutls_cache_dbm) {688 sc->cache_config = ap_server_root_relative(parms->pool, arg);689 }690 else {691 sc->cache_config = apr_pstrdup(parms->pool, arg);692 }693 694 return NULL;695 }696 697 static const char *gnutls_set_cache_timeout(cmd_parms * parms, void *dummy,698 const char *arg)699 {700 int argint;701 mod_gnutls_srvconf_rec *sc =702 (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->703 module_config,704 &gnutls_module);705 706 argint = atoi(arg);707 708 if (argint < 0) {709 return "GnuTLSCacheTimeout: Invalid argument";710 }711 else if (argint == 0) {712 sc->cache_timeout = 0;713 }714 else {715 sc->cache_timeout = apr_time_from_sec(argint);716 }717 718 return NULL;719 }720 721 722 static const char *gnutls_set_client_verify(cmd_parms * parms, void *dummy,723 const char *arg)724 {725 int mode;726 727 if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) {728 mode = GNUTLS_CERT_IGNORE;729 }730 else if (strcasecmp("optional", arg) == 0 || strcasecmp("request", arg) == 0) {731 mode = GNUTLS_CERT_REQUEST;732 }733 else if (strcasecmp("require", arg) == 0) {734 mode = GNUTLS_CERT_REQUIRE;735 }736 else {737 return "GnuTLSClientVerify: Invalid argument";738 }739 740 /* This was set from a directory context */741 if (parms->path) {742 mod_gnutls_dirconf_rec *dc = (mod_gnutls_dirconf_rec *)dummy;743 dc->client_verify_mode = mode;744 }745 else {746 mod_gnutls_srvconf_rec *sc =747 (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->748 module_config,749 &gnutls_module);750 sc->client_verify_mode = mode;751 }752 753 return NULL;754 }755 756 static const char *gnutls_set_client_ca_file(cmd_parms * parms, void *dummy,757 const char *arg)758 {759 int rv;760 const char* file;761 mod_gnutls_srvconf_rec *sc =762 (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->763 module_config,764 &gnutls_module);765 file = ap_server_root_relative(parms->pool, arg);766 rv = gnutls_certificate_set_x509_trust_file(sc->certs,767 file, GNUTLS_X509_FMT_PEM);768 769 if (rv < 0) {770 return apr_psprintf(parms->pool, "GnuTLS: Failed to load "771 "Client CA File '%s': (%d) %s", file, rv,772 gnutls_strerror(rv));773 }774 return NULL;775 }776 777 778 static const char *gnutls_set_enabled(cmd_parms * parms, void *dummy,779 const char *arg)780 {781 mod_gnutls_srvconf_rec *sc =782 (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->783 module_config,784 &gnutls_module);785 if (!strcasecmp(arg, "On")) {786 sc->enabled = GNUTLS_ENABLED_TRUE;787 }788 else if (!strcasecmp(arg, "Off")) {789 sc->enabled = GNUTLS_ENABLED_FALSE;790 }791 else {792 return "GnuTLSEnable must be set to 'On' or 'Off'";793 }794 795 return NULL;796 }797 798 static const command_rec gnutls_cmds[] = {799 AP_INIT_TAKE1("GnuTLSClientVerify", gnutls_set_client_verify,800 NULL,801 RSRC_CONF|OR_AUTHCFG,802 "Set Verification Requirements of the Client Certificate"),803 AP_INIT_TAKE1("GnuTLSClientCAFile", gnutls_set_client_ca_file,804 NULL,805 RSRC_CONF,806 "Set the CA File for Client Certificates"),807 AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file,808 NULL,809 RSRC_CONF,810 "SSL Server Key file"),811 AP_INIT_TAKE1("GnuTLSKeyFile", gnutls_set_key_file,812 NULL,813 RSRC_CONF,814 "SSL Server Certificate file"),815 AP_INIT_TAKE1("GnuTLSCacheTimeout", gnutls_set_cache_timeout,816 NULL,817 RSRC_CONF,818 "Cache Timeout"),819 AP_INIT_TAKE2("GnuTLSCache", gnutls_set_cache,820 NULL,821 RSRC_CONF,822 "Cache Configuration"),823 AP_INIT_TAKE1("GnuTLSEnable", gnutls_set_enabled,824 NULL, RSRC_CONF,825 "Whether this server has GnuTLS Enabled. Default: Off"),826 827 {NULL}828 };829 830 561 int mod_gnutls_hook_authz(request_rec *r) 831 562 { … … 837 568 838 569 ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module); 570 571 if (!ctxt) { 572 return DECLINED; 573 } 574 575 if (!dc) { 576 dc = mgs_config_dir_create(r->pool, NULL); 577 } 839 578 840 579 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) { … … 948 687 } 949 688 950 static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s) 951 { 952 int i; 953 mod_gnutls_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 954 955 sc->enabled = GNUTLS_ENABLED_FALSE; 956 957 gnutls_certificate_allocate_credentials(&sc->certs); 958 sc->privkey_x509 = NULL; 959 sc->cert_x509 = NULL; 960 sc->cache_timeout = apr_time_from_sec(300); 961 sc->cache_type = mod_gnutls_cache_dbm; 962 sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache"); 963 964 /* TODO: Make this Configurable. But it isn't configurable in mod_ssl? */ 965 sc->dh_params_file = ap_server_root_relative(p, "conf/dhfile"); 966 sc->rsa_params_file = ap_server_root_relative(p, "conf/rsafile"); 967 968 /* Finish SSL Client Certificate Support */ 969 sc->client_verify_mode = GNUTLS_CERT_IGNORE; 970 971 /* TODO: Make this Configurable ! */ 972 /* mod_ssl uses a flex based parser for this part.. sigh */ 973 i = 0; 974 sc->ciphers[i++] = GNUTLS_CIPHER_AES_256_CBC; 975 sc->ciphers[i++] = GNUTLS_CIPHER_AES_128_CBC; 976 sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128; 977 sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC; 978 sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40; 979 sc->ciphers[i] = 0; 980 981 i = 0; 982 sc->key_exchange[i++] = GNUTLS_KX_RSA; 983 sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT; 984 sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS; 985 sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA; 986 sc->key_exchange[i++] = GNUTLS_KX_ANON_DH; 987 sc->key_exchange[i++] = GNUTLS_KX_SRP; 988 sc->key_exchange[i++] = GNUTLS_KX_SRP_RSA; 989 sc->key_exchange[i++] = GNUTLS_KX_SRP_DSS; 990 sc->key_exchange[i] = 0; 991 992 i = 0; 993 sc->macs[i++] = GNUTLS_MAC_SHA; 994 sc->macs[i++] = GNUTLS_MAC_MD5; 995 sc->macs[i++] = GNUTLS_MAC_RMD160; 996 sc->macs[i] = 0; 997 998 i = 0; 999 sc->protocol[i++] = GNUTLS_TLS1_1; 1000 sc->protocol[i++] = GNUTLS_TLS1; 1001 sc->protocol[i++] = GNUTLS_SSL3; 1002 sc->protocol[i] = 0; 1003 1004 i = 0; 1005 sc->compression[i++] = GNUTLS_COMP_NULL; 1006 sc->compression[i++] = GNUTLS_COMP_ZLIB; 1007 sc->compression[i++] = GNUTLS_COMP_LZO; 1008 sc->compression[i] = 0; 1009 1010 i = 0; 1011 sc->cert_types[i++] = GNUTLS_CRT_X509; 1012 sc->cert_types[i] = 0; 1013 1014 return sc; 1015 } 1016 1017 void *gnutls_config_dir_create(apr_pool_t *p, char *dir) 1018 { 1019 mod_gnutls_dirconf_rec *dc = apr_palloc(p, sizeof(*dc)); 1020 1021 dc->client_verify_mode = -1; 1022 1023 return dc; 1024 } 689 static const command_rec mgs_config_cmds[] = { 690 AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, 691 NULL, 692 RSRC_CONF|OR_AUTHCFG, 693 "Set Verification Requirements of the Client Certificate"), 694 AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file, 695 NULL, 696 RSRC_CONF, 697 "Set the CA File for Client Certificates"), 698 AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, 699 NULL, 700 RSRC_CONF, 701 "SSL Server Key file"), 702 AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, 703 NULL, 704 RSRC_CONF, 705 "SSL Server Certificate file"), 706 AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout, 707 NULL, 708 RSRC_CONF, 709 "Cache Timeout"), 710 AP_INIT_TAKE2("GnuTLSCache", mgs_set_cache, 711 NULL, 712 RSRC_CONF, 713 "Cache Configuration"), 714 AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled, 715 NULL, RSRC_CONF, 716 "Whether this server has GnuTLS Enabled. Default: Off"), 717 718 {NULL} 719 }; 1025 720 1026 721 module AP_MODULE_DECLARE_DATA gnutls_module = { 1027 722 STANDARD20_MODULE_STUFF, 1028 gnutls_config_dir_create,723 mgs_config_dir_create, 1029 724 NULL, 1030 gnutls_config_server_create,725 mgs_config_server_create, 1031 726 NULL, 1032 /* gnutls_config_server_merge, */ 1033 gnutls_cmds, 727 mgs_config_cmds, 1034 728 gnutls_hooks 1035 729 };
Note: See TracChangeset
for help on using the changeset viewer.
