Changeset 71e9a5c in mod_gnutls for src/gnutls_config.c
- Timestamp:
- Aug 22, 2015, 3:53:31 PM (6 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports
- Children:
- b837187
- Parents:
- 2db6923 (diff), 4addf74 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)links above to see all the changes relative to each parent. - File:
-
- 1 edited
-
src/gnutls_config.c (modified) (16 diffs)
Legend:
- Unmodified
- Added
- Removed
-
src/gnutls_config.c
r2db6923 r71e9a5c 1 1 /** 2 2 * Copyright 2004-2005 Paul Querna 3 * Copyright 2008 Nikos Mavrogiannopoulos3 * Copyright 2008, 2014 Nikos Mavrogiannopoulos 4 4 * Copyright 2011 Dash Shendy 5 * Copyright 2015 Thomas Klute 5 6 * 6 7 * Licensed under the Apache License, Version 2.0 (the "License"); … … 19 20 20 21 #include "mod_gnutls.h" 22 #include "apr_lib.h" 23 #include <gnutls/abstract.h> 24 25 #define INIT_CA_SIZE 128 26 27 #ifdef APLOG_USE_MODULE 28 APLOG_USE_MODULE(gnutls); 29 #endif 30 31 static int pin_callback(void *user, int attempt __attribute__((unused)), 32 const char *token_url __attribute__((unused)), 33 const char *token_label, unsigned int flags, 34 char *pin, size_t pin_max) 35 { 36 mgs_srvconf_rec *sc = user; 37 38 if (sc->pin == NULL || flags & GNUTLS_PIN_FINAL_TRY || 39 flags & GNUTLS_PIN_WRONG) { 40 return -1; 41 } 42 43 if (token_label && strcmp(token_label, "SRK") == 0) { 44 snprintf(pin, pin_max, "%s", sc->srk_pin); 45 } else { 46 snprintf(pin, pin_max, "%s", sc->pin); 47 } 48 return 0; 49 } 21 50 22 51 static int load_datum_from_file(apr_pool_t * pool, 23 const char *file, gnutls_datum_t * data) { 52 const char *file, gnutls_datum_t * data) 53 { 24 54 apr_file_t *fp; 25 55 apr_finfo_t finfo; … … 28 58 29 59 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, 30 60 APR_OS_DEFAULT, pool); 31 61 if (rv != APR_SUCCESS) { 32 62 return rv; 33 63 } 34 64 … … 36 66 37 67 if (rv != APR_SUCCESS) { 38 68 return rv; 39 69 } 40 70 … … 43 73 44 74 if (rv != APR_SUCCESS) { 45 75 return rv; 46 76 } 47 77 apr_file_close(fp); … … 53 83 } 54 84 55 const char *mgs_set_dh_file(cmd_parms * parms, void *dummy, 56 const char *arg) { 85 /* 2048-bit group parameters from SRP specification */ 86 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 87 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 88 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 89 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 90 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 91 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 92 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 93 "-----END DH PARAMETERS-----\n"; 94 95 int mgs_load_files(apr_pool_t * p, server_rec * s) 96 { 97 apr_pool_t *spool; 98 const char *file; 99 gnutls_datum_t data; 57 100 int ret; 58 gnutls_datum_t data; 59 const char *file; 60 apr_pool_t *spool; 61 mgs_srvconf_rec *sc = 62 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 63 module_config, 64 &gnutls_module); 65 66 apr_pool_create(&spool, parms->pool); 67 68 file = ap_server_root_relative(spool, arg); 69 70 if (load_datum_from_file(spool, file, &data) != 0) { 71 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 72 "DH params '%s'", file); 73 } 101 mgs_srvconf_rec *sc = 102 (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 103 &gnutls_module); 104 105 apr_pool_create(&spool, p); 106 107 sc->cert_pgp = apr_pcalloc(p, sizeof(sc->cert_pgp[0])); 108 sc->cert_crt_pgp = apr_pcalloc(p, sizeof(sc->cert_crt_pgp[0])); 109 sc->certs_x509_chain = 110 apr_pcalloc(p, MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0])); 111 sc->certs_x509_crt_chain = 112 apr_pcalloc(p, 113 MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0])); 114 115 ret = gnutls_certificate_allocate_credentials(&sc->certs); 116 if (ret < 0) { 117 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 118 "GnuTLS: Failed to initialize" ": (%d) %s", ret, 119 gnutls_strerror(ret)); 120 ret = -1; 121 goto cleanup; 122 } 123 124 ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds); 125 if (ret < 0) { 126 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 127 "GnuTLS: Failed to initialize" ": (%d) %s", ret, 128 gnutls_strerror(ret)); 129 ret = -1; 130 goto cleanup; 131 } 132 133 /* Load SRP parameters */ 134 #ifdef ENABLE_SRP 135 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); 136 if (ret < 0) { 137 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 138 "GnuTLS: Failed to initialize" ": (%d) %s", ret, 139 gnutls_strerror(ret)); 140 ret = -1; 141 goto cleanup; 142 } 143 144 if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) { 145 ret = gnutls_srp_set_server_credentials_file 146 (sc->srp_creds, sc->srp_tpasswd_file, 147 sc->srp_tpasswd_conf_file); 148 149 if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) { 150 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, 151 s, 152 "GnuTLS: Host '%s:%d' is missing a " 153 "SRP password or conf File!", 154 s->server_hostname, s->port); 155 ret = -1; 156 goto cleanup; 157 } 158 } 159 #endif 74 160 75 161 ret = gnutls_dh_params_init(&sc->dh_params); 76 162 if (ret < 0) { 77 return apr_psprintf(parms->pool, 78 "GnuTLS: Failed to initialize" 79 ": (%d) %s", ret, 80 gnutls_strerror(ret)); 81 } 82 83 ret = 84 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, 85 GNUTLS_X509_FMT_PEM); 86 if (ret < 0) { 87 return apr_psprintf(parms->pool, 88 "GnuTLS: Failed to Import " 89 "DH params '%s': (%d) %s", file, ret, 90 gnutls_strerror(ret)); 91 } 92 163 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 164 "GnuTLS: Failed to initialize" 165 ": (%d) %s", ret, gnutls_strerror(ret)); 166 ret = -1; 167 goto cleanup; 168 } 169 170 /* Load DH parameters */ 171 if (sc->dh_file) { 172 if (load_datum_from_file(spool, sc->dh_file, &data) != 0) { 173 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 174 "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file); 175 ret = -1; 176 goto cleanup; 177 } 178 179 ret = 180 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, 181 GNUTLS_X509_FMT_PEM); 182 if (ret < 0) { 183 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 184 "GnuTLS: Failed to Import " 185 "DH params '%s': (%d) %s", sc->dh_file, ret, 186 gnutls_strerror(ret)); 187 ret = -1; 188 goto cleanup; 189 } 190 } else { 191 gnutls_datum_t pdata = { 192 (void *) static_dh_params, 193 sizeof(static_dh_params) 194 }; 195 196 ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM); 197 if (ret < 0) { 198 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 199 "GnuTLS: Unable to generate or load DH Params: (%d) %s", 200 ret, gnutls_strerror(ret)); 201 ret = -1; 202 goto cleanup; 203 } 204 } 205 206 if (sc->x509_cert_file != NULL) { 207 unsigned int chain_num, i; 208 unsigned format = GNUTLS_X509_FMT_PEM; 209 210 /* Load X.509 certificate */ 211 if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) { 212 gnutls_pkcs11_obj_t obj; 213 214 file = sc->x509_cert_file; 215 216 ret = gnutls_pkcs11_obj_init(&obj); 217 if (ret < 0) { 218 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 219 "GnuTLS: Error Initializing PKCS #11 object"); 220 ret = -1; 221 goto cleanup; 222 } 223 224 gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc); 225 226 ret = gnutls_pkcs11_obj_import_url(obj, file, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); 227 if (ret < 0) { 228 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 229 "GnuTLS: Error Importing PKCS #11 object: '%s': %s", 230 file, gnutls_strerror(ret)); 231 ret = -1; 232 goto cleanup; 233 } 234 235 format = GNUTLS_X509_FMT_DER; 236 ret = gnutls_pkcs11_obj_export2(obj, &data); 237 if (ret < 0) { 238 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 239 "GnuTLS: Error Exporting a PKCS #11 object: '%s': %s", 240 file, gnutls_strerror(ret)); 241 ret = -1; 242 goto cleanup; 243 } 244 245 gnutls_pkcs11_obj_deinit(obj); 246 } else { 247 file = ap_server_root_relative(spool, sc->x509_cert_file); 248 249 ret = gnutls_load_file(file, &data); 250 if (ret < 0) { 251 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 252 "GnuTLS: Error Reading Certificate '%s': %s", 253 file, gnutls_strerror(ret)); 254 ret = -1; 255 goto cleanup; 256 } 257 } 258 259 ret = 260 gnutls_x509_crt_list_import2(&sc->certs_x509_crt_chain, 261 &chain_num, &data, format, 262 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); 263 gnutls_free(data.data); 264 sc->certs_x509_chain_num = chain_num; 265 266 if (ret < 0) { 267 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 268 "GnuTLS: Failed to Import Certificate Chain '%s': (%d) %s", 269 file, ret, gnutls_strerror(ret)); 270 ret = -1; 271 goto cleanup; 272 } 273 274 for (i = 0; i < chain_num; i++) { 275 ret = 276 gnutls_pcert_import_x509(&sc->certs_x509_chain[i], 277 sc->certs_x509_crt_chain[i], 0); 278 if (ret < 0) { 279 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 280 "GnuTLS: Failed to Import pCertificate '%s': (%d) %s", 281 file, ret, gnutls_strerror(ret)); 282 ret = -1; 283 goto cleanup; 284 } 285 } 286 sc->certs_x509_chain_num = chain_num; 287 } 288 289 if (sc->x509_key_file) { 290 ret = gnutls_privkey_init(&sc->privkey_x509); 291 if (ret < 0) { 292 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 293 "GnuTLS: Failed to initialize: (%d) %s", ret, 294 gnutls_strerror(ret)); 295 ret = -1; 296 goto cleanup; 297 } 298 299 if (gnutls_url_is_supported(sc->x509_key_file) != 0) { 300 file = sc->x509_key_file; 301 302 gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, 303 sc); 304 305 ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0); 306 307 if (ret < 0) { 308 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 309 "GnuTLS: Failed to Import Private Key URL '%s': (%d) %s", 310 file, ret, gnutls_strerror(ret)); 311 ret = -1; 312 goto cleanup; 313 } 314 } else { 315 file = ap_server_root_relative(spool, sc->x509_key_file); 316 317 if (load_datum_from_file(spool, file, &data) != 0) { 318 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 319 "GnuTLS: Error Reading Private Key '%s'", 320 file); 321 ret = -1; 322 goto cleanup; 323 } 324 325 ret = 326 gnutls_privkey_import_x509_raw(sc->privkey_x509, &data, 327 GNUTLS_X509_FMT_PEM, sc->pin, 328 0); 329 330 if (ret < 0) { 331 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 332 "GnuTLS: Failed to Import Private Key '%s': (%d) %s", 333 file, ret, gnutls_strerror(ret)); 334 ret = -1; 335 goto cleanup; 336 } 337 } 338 } 339 340 /* Load the X.509 CA file */ 341 if (sc->x509_ca_file) { 342 if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) { 343 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 344 "GnuTLS: Error Reading " "Client CA File '%s'", 345 sc->x509_ca_file); 346 ret = -1; 347 goto cleanup; 348 } 349 350 ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size, 351 &data, GNUTLS_X509_FMT_PEM, 0); 352 if (ret < 0) { 353 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 354 "GnuTLS: Failed to load " 355 "Client CA File '%s': (%d) %s", sc->x509_ca_file, 356 ret, gnutls_strerror(ret)); 357 ret = -1; 358 goto cleanup; 359 } 360 } 361 362 if (sc->pgp_cert_file) { 363 if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) { 364 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 365 "GnuTLS: Error Reading " "Certificate '%s'", 366 sc->pgp_cert_file); 367 ret = -1; 368 goto cleanup; 369 } 370 371 ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]); 372 if (ret < 0) { 373 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 374 "GnuTLS: Failed to Init " 375 "PGP Certificate: (%d) %s", ret, 376 gnutls_strerror(ret)); 377 ret = -1; 378 goto cleanup; 379 } 380 381 ret = 382 gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data, 383 GNUTLS_OPENPGP_FMT_BASE64); 384 if (ret < 0) { 385 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 386 "GnuTLS: Failed to Import " 387 "PGP Certificate: (%d) %s", ret, 388 gnutls_strerror(ret)); 389 ret = -1; 390 goto cleanup; 391 } 392 393 ret = 394 gnutls_pcert_import_openpgp(sc->cert_pgp, sc->cert_crt_pgp[0], 395 0); 396 if (ret < 0) { 397 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 398 "GnuTLS: Failed to Import " 399 "PGP pCertificate: (%d) %s", ret, 400 gnutls_strerror(ret)); 401 ret = -1; 402 goto cleanup; 403 } 404 } 405 406 /* Load the PGP key file */ 407 if (sc->pgp_key_file) { 408 if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) { 409 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 410 "GnuTLS: Error Reading " "Private Key '%s'", 411 sc->pgp_key_file); 412 ret = -1; 413 goto cleanup; 414 } 415 416 ret = gnutls_privkey_init(&sc->privkey_pgp); 417 if (ret < 0) { 418 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 419 "GnuTLS: Failed to initialize" 420 ": (%d) %s", ret, gnutls_strerror(ret)); 421 ret = -1; 422 goto cleanup; 423 } 424 425 #if GNUTLS_VERSION_NUMBER < 0x030312 426 /* GnuTLS versions before 3.3.12 contain a bug in 427 * gnutls_privkey_import_openpgp_raw which frees data that is 428 * accessed when the key is used, leading to segfault. Loading 429 * the key into a gnutls_openpgp_privkey_t and then assigning 430 * it to the gnutls_privkey_t works around the bug, hence this 431 * chain of gnutls_openpgp_privkey_init, 432 * gnutls_openpgp_privkey_import and 433 * gnutls_privkey_import_openpgp. */ 434 ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp_internal); 435 if (ret != 0) { 436 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 437 "GnuTLS: Failed to initialize " 438 "PGP Private Key '%s': (%d) %s", 439 sc->pgp_key_file, ret, gnutls_strerror(ret)); 440 ret = -1; 441 goto cleanup; 442 } 443 444 ret = gnutls_openpgp_privkey_import(sc->privkey_pgp_internal, &data, 445 GNUTLS_OPENPGP_FMT_BASE64, NULL, 0); 446 if (ret != 0) { 447 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 448 "GnuTLS: Failed to Import " 449 "PGP Private Key '%s': (%d) %s", 450 sc->pgp_key_file, ret, gnutls_strerror(ret)); 451 ret = -1; 452 goto cleanup; 453 } 454 455 ret = gnutls_privkey_import_openpgp(sc->privkey_pgp, 456 sc->privkey_pgp_internal, 0); 457 if (ret != 0) 458 { 459 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 460 "GnuTLS: Failed to assign PGP Private Key '%s' " 461 "to gnutls_privkey_t structure: (%d) %s", 462 sc->pgp_key_file, ret, gnutls_strerror(ret)); 463 ret = -1; 464 goto cleanup; 465 } 466 #else 467 ret = gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data, 468 GNUTLS_OPENPGP_FMT_BASE64, 469 NULL, NULL); 470 if (ret != 0) 471 { 472 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 473 "GnuTLS: Failed to Import " 474 "PGP Private Key '%s': (%d) %s", 475 sc->pgp_key_file, ret, gnutls_strerror(ret)); 476 ret = -1; 477 goto cleanup; 478 } 479 #endif 480 } 481 482 /* Load the keyring file */ 483 if (sc->pgp_ring_file) { 484 if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) { 485 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 486 "GnuTLS: Error Reading " "Keyring File '%s'", 487 sc->pgp_ring_file); 488 ret = -1; 489 goto cleanup; 490 } 491 492 ret = gnutls_openpgp_keyring_init(&sc->pgp_list); 493 if (ret < 0) { 494 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 495 "GnuTLS: Failed to initialize" 496 "keyring: (%d) %s", ret, gnutls_strerror(ret)); 497 ret = -1; 498 goto cleanup; 499 } 500 501 ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data, 502 GNUTLS_OPENPGP_FMT_BASE64); 503 if (ret < 0) { 504 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 505 "GnuTLS: Failed to load " 506 "Keyring File '%s': (%d) %s", sc->pgp_ring_file, 507 ret, gnutls_strerror(ret)); 508 ret = -1; 509 goto cleanup; 510 } 511 } 512 513 if (sc->priorities_str) { 514 const char *err; 515 ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err); 516 517 if (ret < 0) { 518 if (ret == GNUTLS_E_INVALID_REQUEST) { 519 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 520 "GnuTLS: Syntax error parsing priorities string at: %s", 521 err); 522 } else { 523 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 524 "GnuTLS: error parsing priorities string"); 525 526 } 527 ret = -1; 528 goto cleanup; 529 } 530 } 531 532 ret = 0; 533 cleanup: 93 534 apr_pool_destroy(spool); 94 535 95 return NULL;96 } 97 98 const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, const char *arg) { 99 536 return ret; 537 } 538 539 int mgs_pkcs11_reinit(server_rec * base_server) 540 { 100 541 int ret; 101 gnutls_datum_t data; 102 const char *file; 103 apr_pool_t *spool; 104 105 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 106 apr_pool_create(&spool, parms->pool); 107 108 file = ap_server_root_relative(spool, arg); 109 110 if (load_datum_from_file(spool, file, &data) != 0) { 111 apr_pool_destroy(spool); 112 return apr_psprintf(parms->pool, "GnuTLS: Error Reading Certificate '%s'", file); 113 } 114 115 sc->certs_x509_chain_num = MAX_CHAIN_SIZE; 116 ret = gnutls_x509_crt_list_import(sc->certs_x509_chain, &sc->certs_x509_chain_num, &data, GNUTLS_X509_FMT_PEM, 0); 117 if (ret < 0) { 118 apr_pool_destroy(spool); 119 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import Certificate '%s': (%d) %s", file, ret, gnutls_strerror(ret)); 120 } 121 122 apr_pool_destroy(spool); 123 return NULL; 124 125 } 126 127 const char *mgs_set_key_file(cmd_parms * parms, void *dummy, const char *arg) { 128 129 int ret; 130 gnutls_datum_t data; 131 const char *file; 132 apr_pool_t *spool; 133 const char *out; 134 135 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 136 137 apr_pool_create(&spool, parms->pool); 138 139 file = ap_server_root_relative(spool, arg); 140 141 if (load_datum_from_file(spool, file, &data) != 0) { 142 out = apr_psprintf(parms->pool, "GnuTLS: Error Reading Private Key '%s'", file); 143 apr_pool_destroy(spool); 144 return out; 145 } 146 147 ret = gnutls_x509_privkey_init(&sc->privkey_x509); 148 149 if (ret < 0) { 150 apr_pool_destroy(spool); 151 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize: (%d) %s", ret, gnutls_strerror(ret)); 152 } 153 154 ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM); 155 156 if (ret < 0) { 157 ret = gnutls_x509_privkey_import_pkcs8(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM, NULL, GNUTLS_PKCS_PLAIN); 158 } 159 160 if (ret < 0) { 161 out = apr_psprintf(parms->pool, "GnuTLS: Failed to Import Private Key '%s': (%d) %s", file, ret, gnutls_strerror(ret)); 162 apr_pool_destroy(spool); 163 return out; 164 } 165 166 apr_pool_destroy(spool); 167 168 return NULL; 169 } 170 171 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy, 542 server_rec *s; 543 mgs_srvconf_rec *sc; 544 545 gnutls_pkcs11_reinit(); 546 547 for (s = base_server; s; s = s->next) { 548 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module); 549 550 /* gnutls caches the session in a private key, so we need to open 551 * a new one */ 552 if (sc->x509_key_file && gnutls_url_is_supported(sc->x509_key_file) != 0) { 553 gnutls_privkey_deinit(sc->privkey_x509); 554 555 ret = gnutls_privkey_init(&sc->privkey_x509); 556 if (ret < 0) { 557 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 558 "GnuTLS: Failed to initialize: (%d) %s", ret, 559 gnutls_strerror(ret)); 560 goto fail; 561 } 562 563 gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, sc); 564 565 ret = gnutls_privkey_import_url(sc->privkey_x509, sc->x509_key_file, 0); 566 if (ret < 0) { 567 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 568 "GnuTLS: Failed to Re-Import Private Key URL '%s': (%d) %s", 569 sc->x509_key_file, ret, gnutls_strerror(ret)); 570 goto fail; 571 } 572 } 573 } 574 575 return 0; 576 577 fail: 578 gnutls_privkey_deinit(sc->privkey_x509); 579 return -1; 580 } 581 582 const char *mgs_set_dh_file(cmd_parms * parms, void *dummy __attribute__((unused)), 172 583 const char *arg) { 173 int ret; 174 gnutls_datum_t data; 175 const char *file; 176 apr_pool_t *spool; 177 mgs_srvconf_rec *sc = 178 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 179 module_config, 180 &gnutls_module); 181 apr_pool_create(&spool, parms->pool); 182 183 file = ap_server_root_relative(spool, arg); 184 185 if (load_datum_from_file(spool, file, &data) != 0) { 186 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 187 "Certificate '%s'", file); 188 } 189 190 ret = gnutls_openpgp_crt_init(&sc->cert_pgp); 191 if (ret < 0) { 192 return apr_psprintf(parms->pool, "GnuTLS: Failed to Init " 193 "PGP Certificate: (%d) %s", ret, 194 gnutls_strerror(ret)); 195 } 196 197 ret = 198 gnutls_openpgp_crt_import(sc->cert_pgp, &data, 199 GNUTLS_OPENPGP_FMT_BASE64); 200 if (ret < 0) { 201 return apr_psprintf(parms->pool, 202 "GnuTLS: Failed to Import " 203 "PGP Certificate '%s': (%d) %s", file, 204 ret, gnutls_strerror(ret)); 205 } 206 207 apr_pool_destroy(spool); 208 return NULL; 209 } 210 211 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy, 584 mgs_srvconf_rec *sc = 585 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 586 module_config, 587 &gnutls_module); 588 589 sc->dh_file = ap_server_root_relative(parms->pool, arg); 590 591 return NULL; 592 } 593 594 const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 595 596 mgs_srvconf_rec *sc = 597 (mgs_srvconf_rec *) ap_get_module_config(parms-> 598 server->module_config, 599 &gnutls_module); 600 601 sc->x509_cert_file = apr_pstrdup(parms->pool, arg); 602 603 return NULL; 604 605 } 606 607 const char *mgs_set_key_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 608 609 mgs_srvconf_rec *sc = 610 (mgs_srvconf_rec *) ap_get_module_config(parms-> 611 server->module_config, 612 &gnutls_module); 613 614 sc->x509_key_file = apr_pstrdup(parms->pool, arg); 615 616 return NULL; 617 } 618 619 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)), 620 const char *arg) 621 { 622 mgs_srvconf_rec *sc = 623 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 624 module_config, 625 &gnutls_module); 626 627 sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg); 628 629 return NULL; 630 } 631 632 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)), 212 633 const char *arg) { 213 int ret; 214 gnutls_datum_t data; 215 const char *file; 216 apr_pool_t *spool; 217 mgs_srvconf_rec *sc = 218 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 219 module_config, 220 &gnutls_module); 221 apr_pool_create(&spool, parms->pool); 222 223 file = ap_server_root_relative(spool, arg); 224 225 if (load_datum_from_file(spool, file, &data) != 0) { 226 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 227 "Private Key '%s'", file); 228 } 229 230 ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp); 231 if (ret < 0) { 232 return apr_psprintf(parms->pool, 233 "GnuTLS: Failed to initialize" 234 ": (%d) %s", ret, 235 gnutls_strerror(ret)); 236 } 237 238 ret = 239 gnutls_openpgp_privkey_import(sc->privkey_pgp, &data, 240 GNUTLS_OPENPGP_FMT_BASE64, NULL, 241 0); 242 if (ret != 0) { 243 return apr_psprintf(parms->pool, 244 "GnuTLS: Failed to Import " 245 "PGP Private Key '%s': (%d) %s", file, 246 ret, gnutls_strerror(ret)); 247 } 248 apr_pool_destroy(spool); 249 return NULL; 250 } 251 252 const char *mgs_set_tickets(cmd_parms * parms, void *dummy, 634 mgs_srvconf_rec *sc = 635 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 636 module_config, 637 &gnutls_module); 638 639 sc->pgp_key_file = ap_server_root_relative(parms->pool, arg); 640 641 return NULL; 642 } 643 644 const char *mgs_set_tickets(cmd_parms * parms, void *dummy __attribute__((unused)), 253 645 const char *arg) { 254 646 mgs_srvconf_rec *sc = 255 256 257 647 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 648 module_config, 649 &gnutls_module); 258 650 259 651 sc->tickets = 0; 260 652 if (strcasecmp("on", arg) == 0) { 261 653 sc->tickets = 1; 262 654 } 263 655 … … 268 660 #ifdef ENABLE_SRP 269 661 270 const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy ,662 const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy __attribute__((unused)), 271 663 const char *arg) { 272 664 mgs_srvconf_rec *sc = 273 274 275 665 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 666 module_config, 667 &gnutls_module); 276 668 277 669 sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg); … … 280 672 } 281 673 282 const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy ,674 const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy __attribute__((unused)), 283 675 const char *arg) { 284 676 mgs_srvconf_rec *sc = 285 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 286 module_config, 287 &gnutls_module); 288 289 sc->srp_tpasswd_conf_file = 290 ap_server_root_relative(parms->pool, arg); 677 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 678 module_config, 679 &gnutls_module); 680 681 sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg); 291 682 292 683 return NULL; … … 295 686 #endif 296 687 297 const char *mgs_set_cache(cmd_parms * parms, void *dummy ,688 const char *mgs_set_cache(cmd_parms * parms, void *dummy __attribute__((unused)), 298 689 const char *type, const char *arg) { 299 690 const char *err; 300 691 mgs_srvconf_rec *sc = 301 302 692 ap_get_module_config(parms->server->module_config, 693 &gnutls_module); 303 694 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { 304 695 return err; 305 696 } 306 697 307 698 if (strcasecmp("none", type) == 0) { 308 309 310 699 sc->cache_type = mgs_cache_none; 700 sc->cache_config = NULL; 701 return NULL; 311 702 } else if (strcasecmp("dbm", type) == 0) { 312 703 sc->cache_type = mgs_cache_dbm; 313 704 } else if (strcasecmp("gdbm", type) == 0) { 314 705 sc->cache_type = mgs_cache_gdbm; 315 706 } 316 707 #if HAVE_APR_MEMCACHE 317 708 else if (strcasecmp("memcache", type) == 0) { 318 709 sc->cache_type = mgs_cache_memcache; 319 710 } 320 711 #endif 321 712 else { 322 713 return "Invalid Type for GnuTLSCache!"; 323 714 } 324 715 325 716 if (arg == NULL) 326 717 return "Invalid argument 2 for GnuTLSCache!"; 327 718 328 719 if (sc->cache_type == mgs_cache_dbm 329 || sc->cache_type == mgs_cache_gdbm) { 330 sc->cache_config = 331 ap_server_root_relative(parms->pool, arg); 720 || sc->cache_type == mgs_cache_gdbm) { 721 sc->cache_config = ap_server_root_relative(parms->pool, arg); 332 722 } else { 333 334 } 335 336 return NULL; 337 } 338 339 const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy ,723 sc->cache_config = apr_pstrdup(parms->pool, arg); 724 } 725 726 return NULL; 727 } 728 729 const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy __attribute__((unused)), 340 730 const char *arg) { 341 731 int argint; 342 732 const char *err; 343 733 mgs_srvconf_rec *sc = 344 345 346 734 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 735 module_config, 736 &gnutls_module); 347 737 348 738 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { 349 739 return err; 350 740 } 351 741 … … 353 743 354 744 if (argint < 0) { 355 745 return "GnuTLSCacheTimeout: Invalid argument"; 356 746 } else if (argint == 0) { 357 747 sc->cache_timeout = 0; 358 748 } else { 359 360 } 361 362 return NULL; 363 } 364 365 const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy ,749 sc->cache_timeout = apr_time_from_sec(argint); 750 } 751 752 return NULL; 753 } 754 755 const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy __attribute__((unused)), 366 756 const char *arg) { 367 757 mgs_srvconf_rec *sc = (mgs_srvconf_rec *)ap_get_module_config(parms->server->module_config, &gnutls_module); 368 758 369 759 if (strcasecmp("cartel", arg) == 0) { 370 760 sc->client_verify_method = mgs_cvm_cartel; 371 761 } else if (strcasecmp("msva", arg) == 0) { 372 762 #ifdef ENABLE_MSVA 373 763 sc->client_verify_method = mgs_cvm_msva; 374 764 #else 375 765 return "GnuTLSClientVerifyMethod: msva is not supported"; 376 766 #endif 377 767 } else { 378 return "GnuTLSClientVerifyMethod: Invalid argument"; 379 } 380 381 return NULL; 382 } 383 384 const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, 385 const char *arg) { 768 return "GnuTLSClientVerifyMethod: Invalid argument"; 769 } 770 771 return NULL; 772 } 773 774 const char *mgs_set_client_verify(cmd_parms * parms, 775 void *dirconf, 776 const char *arg) { 386 777 int mode; 387 778 388 779 if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) { 389 780 mode = GNUTLS_CERT_IGNORE; 390 781 } else if (strcasecmp("optional", arg) == 0 391 392 782 || strcasecmp("request", arg) == 0) { 783 mode = GNUTLS_CERT_REQUEST; 393 784 } else if (strcasecmp("require", arg) == 0) { 394 785 mode = GNUTLS_CERT_REQUIRE; 395 786 } else { 396 787 return "GnuTLSClientVerify: Invalid argument"; 397 788 } 398 789 399 790 /* This was set from a directory context */ 400 791 if (parms->path) { 401 mgs_dirconf_rec *dc = (mgs_dirconf_rec *) d ummy;792 mgs_dirconf_rec *dc = (mgs_dirconf_rec *) dirconf; 402 793 dc->client_verify_mode = mode; 403 794 } else { 404 mgs_srvconf_rec *sc = 405 (mgs_srvconf_rec *) 406 ap_get_module_config(parms->server->module_config, 407 &gnutls_module); 408 sc->client_verify_mode = mode; 409 } 410 411 return NULL; 412 } 413 414 #define INIT_CA_SIZE 128 415 416 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, 795 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 796 ap_get_module_config(parms->server->module_config, 797 &gnutls_module); 798 sc->client_verify_mode = mode; 799 } 800 801 return NULL; 802 } 803 804 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy __attribute__((unused)), 417 805 const char *arg) { 418 int rv; 419 const char *file; 420 apr_pool_t *spool; 421 gnutls_datum_t data; 422 423 mgs_srvconf_rec *sc = 424 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 425 module_config, 426 &gnutls_module); 427 apr_pool_create(&spool, parms->pool); 428 429 file = ap_server_root_relative(spool, arg); 430 431 if (load_datum_from_file(spool, file, &data) != 0) { 432 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 433 "Client CA File '%s'", file); 434 } 435 436 sc->ca_list_size = INIT_CA_SIZE; 437 sc->ca_list = malloc(sc->ca_list_size * sizeof (*sc->ca_list)); 438 if (sc->ca_list == NULL) { 439 return apr_psprintf(parms->pool, 440 "mod_gnutls: Memory allocation error"); 441 } 442 443 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, 444 &data, GNUTLS_X509_FMT_PEM, 445 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); 446 if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) { 447 return apr_psprintf(parms->pool, "GnuTLS: Failed to load " 448 "Client CA File '%s': (%d) %s", file, 449 rv, gnutls_strerror(rv)); 450 } 451 452 if (INIT_CA_SIZE < sc->ca_list_size) { 453 sc->ca_list = 454 realloc(sc->ca_list, 455 sc->ca_list_size * sizeof (*sc->ca_list)); 456 if (sc->ca_list == NULL) { 457 return apr_psprintf(parms->pool, 458 "mod_gnutls: Memory allocation error"); 459 } 460 461 /* re-read */ 462 rv = gnutls_x509_crt_list_import(sc->ca_list, 463 &sc->ca_list_size, &data, 464 GNUTLS_X509_FMT_PEM, 0); 465 466 if (rv < 0) { 467 return apr_psprintf(parms->pool, 468 "GnuTLS: Failed to load " 469 "Client CA File '%s': (%d) %s", 470 file, rv, gnutls_strerror(rv)); 471 } 472 } 473 474 apr_pool_destroy(spool); 475 return NULL; 476 } 477 478 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy, 806 mgs_srvconf_rec *sc = 807 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 808 module_config, 809 &gnutls_module); 810 811 sc->x509_ca_file = ap_server_root_relative(parms->pool, arg); 812 813 return NULL; 814 } 815 816 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)), 479 817 const char *arg) { 480 int rv; 481 const char *file; 482 apr_pool_t *spool; 483 gnutls_datum_t data; 484 485 mgs_srvconf_rec *sc = 486 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 487 module_config, 488 &gnutls_module); 489 apr_pool_create(&spool, parms->pool); 490 491 file = ap_server_root_relative(spool, arg); 492 493 if (load_datum_from_file(spool, file, &data) != 0) { 494 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 495 "Keyring File '%s'", file); 496 } 497 498 rv = gnutls_openpgp_keyring_init(&sc->pgp_list); 499 if (rv < 0) { 500 return apr_psprintf(parms->pool, 501 "GnuTLS: Failed to initialize" 502 "keyring: (%d) %s", rv, 503 gnutls_strerror(rv)); 504 } 505 506 rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, 507 GNUTLS_OPENPGP_FMT_BASE64); 508 if (rv < 0) { 509 return apr_psprintf(parms->pool, "GnuTLS: Failed to load " 510 "Keyring File '%s': (%d) %s", file, rv, 511 gnutls_strerror(rv)); 512 } 513 514 apr_pool_destroy(spool); 515 return NULL; 516 } 517 518 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, 818 mgs_srvconf_rec *sc = 819 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 820 module_config, 821 &gnutls_module); 822 823 sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg); 824 825 return NULL; 826 } 827 828 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy __attribute__((unused)), 519 829 const char *arg) { 520 830 521 mgs_srvconf_rec *sc = (mgs_srvconf_rec *)522 831 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 832 ap_get_module_config(parms->server->module_config, &gnutls_module); 523 833 524 834 if (!strcasecmp(arg, "On")) { 525 835 sc->proxy_enabled = GNUTLS_ENABLED_TRUE; 526 836 } else if (!strcasecmp(arg, "Off")) { 527 837 sc->proxy_enabled = GNUTLS_ENABLED_FALSE; 528 838 } else { 529 return "SSLProxyEngine must be set to 'On' or 'Off'";530 } 531 532 return NULL; 533 } 534 535 const char *mgs_set_enabled(cmd_parms * parms, void *dummy ,839 return "GnuTLSProxyEngine must be set to 'On' or 'Off'"; 840 } 841 842 return NULL; 843 } 844 845 const char *mgs_set_enabled(cmd_parms * parms, void *dummy __attribute__((unused)), 536 846 const char *arg) { 537 847 mgs_srvconf_rec *sc = 538 539 540 848 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 849 module_config, 850 &gnutls_module); 541 851 if (!strcasecmp(arg, "On")) { 542 852 sc->enabled = GNUTLS_ENABLED_TRUE; 543 853 } else if (!strcasecmp(arg, "Off")) { 544 854 sc->enabled = GNUTLS_ENABLED_FALSE; 545 855 } else { 546 547 } 548 549 return NULL; 550 } 551 552 const char *mgs_set_export_certificates_ enabled(cmd_parms * parms, void *dummy, const char *arg) {856 return "GnuTLSEnable must be set to 'On' or 'Off'"; 857 } 858 859 return NULL; 860 } 861 862 const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 553 863 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 554 864 if (!strcasecmp(arg, "On")) { 555 sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;865 sc->export_certificates_size = 16 * 1024; 556 866 } else if (!strcasecmp(arg, "Off")) { 557 sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;867 sc->export_certificates_size = 0; 558 868 } else { 559 return 560 "GnuTLSExportCertificates must be set to 'On' or 'Off'"; 561 } 562 563 return NULL; 564 } 565 566 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) { 567 568 int ret; 569 const char *err; 570 869 char *endptr; 870 sc->export_certificates_size = strtol(arg, &endptr, 10); 871 while (apr_isspace(*endptr)) 872 endptr++; 873 if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') { 874 ; 875 } else if (*endptr == 'k' || *endptr == 'K') { 876 sc->export_certificates_size *= 1024; 877 } else { 878 return 879 "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'"; 880 } 881 } 882 883 return NULL; 884 } 885 886 887 888 /* 889 * Store GnuTLS priority strings. Used for GnuTLSPriorities and 890 * GnuTLSProxyPriorities. 891 */ 892 const char *mgs_set_priorities(cmd_parms * parms, 893 void *dummy __attribute__((unused)), 894 const char *arg) 895 { 571 896 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 572 ap_get_module_config(parms->server->module_config, &gnutls_module); 573 574 ret = gnutls_priority_init(&sc->priorities, arg, &err); 575 576 if (ret < 0) { 577 if (ret == GNUTLS_E_INVALID_REQUEST) { 578 return apr_psprintf(parms->pool, 579 "GnuTLS: Syntax error parsing priorities string at: %s", err); 580 } 581 return "Error setting priorities"; 582 } 583 584 return NULL; 585 } 586 587 static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, char** err) { 588 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof (*sc)); 589 int ret; 897 ap_get_module_config(parms->server->module_config, &gnutls_module); 898 899 if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities")) 900 sc->priorities_str = apr_pstrdup(parms->pool, arg); 901 else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities")) 902 sc->proxy_priorities_str = apr_pstrdup(parms->pool, arg); 903 else 904 /* Can't happen unless there's a serious bug in mod_gnutls or Apache */ 905 return apr_psprintf(parms->pool, 906 "mod_gnutls: %s called for invalid option '%s'", 907 __func__, parms->directive->directive); 908 909 return NULL; 910 } 911 912 913 914 const char *mgs_set_pin(cmd_parms * parms, void *dummy __attribute__((unused)), 915 const char *arg) 916 { 917 918 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 919 ap_get_module_config(parms->server->module_config, &gnutls_module); 920 921 sc->pin = apr_pstrdup(parms->pool, arg); 922 923 return NULL; 924 } 925 926 const char *mgs_set_srk_pin(cmd_parms * parms, 927 void *dummy __attribute__((unused)), 928 const char *arg) 929 { 930 931 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 932 ap_get_module_config(parms->server->module_config, &gnutls_module); 933 934 sc->srk_pin = apr_pstrdup(parms->pool, arg); 935 936 return NULL; 937 } 938 939 940 941 static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, 942 char **err __attribute__((unused))) 943 { 944 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 590 945 591 946 sc->enabled = GNUTLS_ENABLED_UNSET; 592 947 593 ret = gnutls_certificate_allocate_credentials(&sc->certs);594 if (ret < 0) {595 *err = apr_psprintf(p, "GnuTLS: Failed to initialize"596 ": (%d) %s", ret,597 gnutls_strerror(ret));598 return NULL;599 }600 601 ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);602 if (ret < 0) {603 *err = apr_psprintf(p, "GnuTLS: Failed to initialize"604 ": (%d) %s", ret,605 gnutls_strerror(ret));606 return NULL;607 }608 #ifdef ENABLE_SRP609 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);610 if (ret < 0) {611 *err = apr_psprintf(p, "GnuTLS: Failed to initialize"612 ": (%d) %s", ret,613 gnutls_strerror(ret));614 return NULL;615 }616 617 sc->srp_tpasswd_conf_file = NULL;618 sc->srp_tpasswd_file = NULL;619 #endif620 621 948 sc->privkey_x509 = NULL; 622 /* Initialize all Certificate Chains */ 623 /* FIXME: how do we indicate that this is unset for a merge? (that 624 * is, how can a subordinate server override the chain by setting 625 * an empty one? what would that even look like in the 626 * configuration?) */ 627 sc->certs_x509_chain = malloc(MAX_CHAIN_SIZE * sizeof (*sc->certs_x509_chain)); 949 sc->privkey_pgp = NULL; 628 950 sc->certs_x509_chain_num = 0; 629 sc->cache_timeout = -1; /* -1 means "unset" */ 951 sc->p11_module = NULL; 952 sc->pin = NULL; 953 sc->priorities_str = NULL; 954 sc->cache_timeout = -1; /* -1 means "unset" */ 630 955 sc->cache_type = mgs_cache_unset; 631 956 sc->cache_config = NULL; … … 634 959 sc->dh_params = NULL; 635 960 sc->proxy_enabled = GNUTLS_ENABLED_UNSET; 636 sc->export_certificates_ enabled = GNUTLS_ENABLED_UNSET;961 sc->export_certificates_size = -1; 637 962 sc->client_verify_method = mgs_cvm_unset; 963 964 sc->proxy_x509_key_file = NULL; 965 sc->proxy_x509_cert_file = NULL; 966 sc->proxy_x509_ca_file = NULL; 967 sc->proxy_x509_crl_file = NULL; 968 sc->proxy_priorities_str = NULL; 969 sc->proxy_priorities = NULL; 638 970 639 971 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ … … 643 975 } 644 976 645 void *mgs_config_server_create(apr_pool_t * p, server_rec * s) { 977 void *mgs_config_server_create(apr_pool_t * p, 978 server_rec * s __attribute__((unused))) { 646 979 char *err = NULL; 647 980 mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); 648 if (sc) return sc; else return err; 981 if (sc) 982 return sc; 983 else 984 return err; 649 985 } 650 986 … … 652 988 #define gnutls_srvconf_assign(t) sc->t = add->t 653 989 654 void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD) { 990 void *mgs_config_server_merge(apr_pool_t * p, void *BASE, void *ADD) 991 { 655 992 int i; 656 993 char *err = NULL; 657 mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE;658 mgs_srvconf_rec *add = (mgs_srvconf_rec *) ADD;994 mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE; 995 mgs_srvconf_rec *add = (mgs_srvconf_rec *) ADD; 659 996 mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); 660 if (NULL == sc) return err; 997 if (NULL == sc) 998 return err; 661 999 662 1000 gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET); 663 1001 gnutls_srvconf_merge(tickets, GNUTLS_ENABLED_UNSET); 664 1002 gnutls_srvconf_merge(proxy_enabled, GNUTLS_ENABLED_UNSET); 665 gnutls_srvconf_merge(export_certificates_ enabled, GNUTLS_ENABLED_UNSET);1003 gnutls_srvconf_merge(export_certificates_size, -1); 666 1004 gnutls_srvconf_merge(client_verify_method, mgs_cvm_unset); 667 1005 gnutls_srvconf_merge(client_verify_mode, -1); 668 1006 gnutls_srvconf_merge(srp_tpasswd_file, NULL); 669 1007 gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL); 670 gnutls_srvconf_merge(privkey_x509, NULL); 671 gnutls_srvconf_merge(priorities, NULL); 672 gnutls_srvconf_merge(dh_params, NULL); 1008 gnutls_srvconf_merge(x509_cert_file, NULL); 1009 1010 gnutls_srvconf_merge(x509_key_file, NULL); 1011 gnutls_srvconf_merge(x509_ca_file, NULL); 1012 gnutls_srvconf_merge(p11_module, NULL); 1013 gnutls_srvconf_merge(pin, NULL); 1014 gnutls_srvconf_merge(pgp_cert_file, NULL); 1015 gnutls_srvconf_merge(pgp_key_file, NULL); 1016 gnutls_srvconf_merge(pgp_ring_file, NULL); 1017 gnutls_srvconf_merge(dh_file, NULL); 1018 gnutls_srvconf_merge(priorities_str, NULL); 1019 1020 gnutls_srvconf_merge(proxy_x509_key_file, NULL); 1021 gnutls_srvconf_merge(proxy_x509_cert_file, NULL); 1022 gnutls_srvconf_merge(proxy_x509_ca_file, NULL); 1023 gnutls_srvconf_merge(proxy_x509_crl_file, NULL); 1024 gnutls_srvconf_merge(proxy_priorities_str, NULL); 1025 gnutls_srvconf_merge(proxy_priorities, NULL); 673 1026 674 1027 /* FIXME: the following items are pre-allocated, and should be 675 1028 * properly disposed of before assigning in order to avoid leaks; 676 1029 * so at the moment, we can't actually have them in the config. 677 * what happens during de-allocation? 678 679 * This is probably leaky. 680 */ 1030 * what happens during de-allocation? */ 1031 /* TODO: mgs_load_files takes care of most of these now, verify 1032 * and clean up the following lines */ 1033 gnutls_srvconf_assign(ca_list); 1034 gnutls_srvconf_assign(ca_list_size); 1035 gnutls_srvconf_assign(cert_pgp); 1036 gnutls_srvconf_assign(cert_crt_pgp); 1037 gnutls_srvconf_assign(pgp_list); 681 1038 gnutls_srvconf_assign(certs); 682 1039 gnutls_srvconf_assign(anon_creds); 683 1040 gnutls_srvconf_assign(srp_creds); 684 1041 gnutls_srvconf_assign(certs_x509_chain); 1042 gnutls_srvconf_assign(certs_x509_crt_chain); 685 1043 gnutls_srvconf_assign(certs_x509_chain_num); 686 1044 … … 689 1047 gnutls_srvconf_assign(cert_cn); 690 1048 for (i = 0; i < MAX_CERT_SAN; i++) 691 gnutls_srvconf_assign(cert_san[i]); 692 gnutls_srvconf_assign(ca_list); 693 gnutls_srvconf_assign(ca_list_size); 694 gnutls_srvconf_assign(cert_pgp); 695 gnutls_srvconf_assign(pgp_list); 696 gnutls_srvconf_assign(privkey_pgp); 1049 gnutls_srvconf_assign(cert_san[i]); 697 1050 698 1051 return sc; … … 702 1055 #undef gnutls_srvconf_assign 703 1056 704 void *mgs_config_dir_merge(apr_pool_t * p, void *basev, void *addv) { 1057 void *mgs_config_dir_merge(apr_pool_t * p, 1058 void *basev __attribute__((unused)), 1059 void *addv __attribute__((unused))) { 705 1060 mgs_dirconf_rec *new; 706 1061 /* mgs_dirconf_rec *base = (mgs_dirconf_rec *) basev; */ 707 1062 mgs_dirconf_rec *add = (mgs_dirconf_rec *) addv; 708 1063 709 new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof 1064 new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec)); 710 1065 new->client_verify_mode = add->client_verify_mode; 711 1066 return new; 712 1067 } 713 1068 714 void *mgs_config_dir_create(apr_pool_t * p, char *dir) { 1069 void *mgs_config_dir_create(apr_pool_t * p, 1070 char *dir __attribute__((unused))) { 715 1071 mgs_dirconf_rec *dc = apr_palloc(p, sizeof (*dc)); 716 1072 dc->client_verify_mode = -1; … … 718 1074 } 719 1075 1076 1077 1078 /* 1079 * Store paths to proxy credentials 1080 * 1081 * This function copies the paths provided in the configuration file 1082 * into the server configuration. The post configuration hook takes 1083 * care of actually loading the credentials, which means than invalid 1084 * paths or the like will be detected there. 1085 */ 1086 const char *mgs_store_cred_path(cmd_parms * parms, 1087 void *dummy __attribute__((unused)), 1088 const char *arg) 1089 { 1090 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 1091 ap_get_module_config(parms->server->module_config, &gnutls_module); 1092 1093 /* parms->directive->directive contains the directive string */ 1094 if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile")) 1095 sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg); 1096 else if (!strcasecmp(parms->directive->directive, 1097 "GnuTLSProxyCertificateFile")) 1098 sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg); 1099 else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile")) 1100 sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg); 1101 else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCRLFile")) 1102 sc->proxy_x509_crl_file = apr_pstrdup(parms->pool, arg); 1103 return NULL; 1104 } 1105 1106 1107 1108 /* 1109 * Record additional PKCS #11 module to load. Note that the value is 1110 * only used in the base config, settings in virtual hosts are 1111 * ignored. 1112 */ 1113 const char *mgs_set_p11_module(cmd_parms * parms, 1114 void *dummy __attribute__((unused)), 1115 const char *arg) 1116 { 1117 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 1118 ap_get_module_config(parms->server->module_config, &gnutls_module); 1119 sc->p11_module = apr_pstrdup(parms->pool, arg); 1120 return NULL; 1121 }
Note: See TracChangeset
for help on using the changeset viewer.
