Changeset 9ca1f21 in mod_gnutls


Ignore:
Timestamp:
Sep 18, 2015, 7:12:16 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
dff03fa
Parents:
88df24d
Message:

Allow loading more than one PKCS #11 module using GnuTLSP11Module

This commit allows multiple modules to be loaded using the
GnuTLSP11Module directive. Each occurrence of GnuTLSP11Module causes the
given module to be added to a list, and all modules on that list are
loaded.

Commit f21d2a6dba6378b18d015dde88193fcad70d8728 disabled modules
configured through the system-wide p11-kit configuration if
GnuTLSP11Module is set. After that change, using multiple PKCS #11
modules required the system configuration, since only one module
could be loaded using GnuTLSP11Module.

Files:
4 edited

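--- a/doc/mod_gnutls_manual.mdwn
+++ b/doc/mod_gnutls_manual.mdwn
@@ -382,5 +382,6 @@
 Context: server config
 
-Load this PKCS #11 provider module, instead of the system defaults.
+Load this PKCS #11 provider module, instead of the system
+defaults. May occur multiple times to load multiple modules.
 
 `GnuTLSPIN`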
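--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -115,7 +115,7 @@
     int non_ssl_request;
 
-    /* Additional PKCS #11 provider module to load, only valid in the
+    /* List of PKCS #11 provider modules to load, only valid in the
      * base config, ignored in virtual hosts */
-    char *p11_module;
+    apr_array_header_t *p11_modules;
 
     /* PIN used for PKCS #11 operations */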
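--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -952,5 +952,5 @@
     sc->privkey_pgp = NULL;
     sc->certs_x509_chain_num = 0;
-    sc->p11_module = NULL;
+    sc->p11_modules = NULL;
     sc->pin = NULL;
     sc->priorities_str = NULL;
@@ -1013,5 +1013,5 @@
     gnutls_srvconf_merge(x509_key_file, NULL);
     gnutls_srvconf_merge(x509_ca_file, NULL);
-    gnutls_srvconf_merge(p11_module, NULL);
+    gnutls_srvconf_merge(p11_modules, NULL);
     gnutls_srvconf_merge(pin, NULL);
     gnutls_srvconf_merge(pgp_cert_file, NULL);
@@ -1119,5 +1119,10 @@
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(parms->server->module_config, &gnutls_module);
-    sc->p11_module = apr_pstrdup(parms->pool, arg);
-    return NULL;
-}
+    /* initialize PKCS #11 module list if necessary */
+    if (sc->p11_modules == NULL)
+        sc->p11_modules = apr_array_make(parms->pool, 2, sizeof(char*));
+
+    *(char **) apr_array_push(sc->p11_modules) = apr_pstrdup(parms->pool, arg);
+
+    return NULL;
+}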
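Review bot: The handler appends to whichever server record parms->server resolves to, but gnutls_hooks.c reads only sc_base->p11_modules, so a GnuTLSP11Module placed inside a virtual host is appended to that vhost's own list and never loaded — the header comment says vhost use is ignored, yet nothing tells the administrator the module is missing. Consider rejecting the directive outside the main server config at the top of the handler, `const char *err = ap_check_cmd_context(parms, GLOBAL_ONLY); if (err != NULL) return err;`, so the misplacement fails at config-parse time rather than at runtime with the provider silently absent. The handler's signature and first lines lie above the hunk. Minor style: `sizeof(char*)` would read better as `sizeof(char *)`, matching the `char *` spelling used two lines below.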
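--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -323,7 +323,7 @@
     }
 
-    /* If GnuTLSP11Module is set, load that PKCS #11 module. Otherwise
-     * system defaults will be used. */
-    if (sc_base->p11_module != NULL)
+    /* If GnuTLSP11Module is set, load the listed PKCS #11
+     * modules. Otherwise system defaults will be used. */
+    if (sc_base->p11_modules != NULL)
     {
         rv = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
@@ -337,10 +337,16 @@
         else
         {
-            rv = gnutls_pkcs11_add_provider(sc_base->p11_module, NULL);
-            if (rv != GNUTLS_E_SUCCESS)
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Loading PKCS #11 provider module %s "
-                             "failed: %s (%d).",
-                             sc_base->p11_module, gnutls_strerror(rv), rv);
+            int i;
+            for (i = 0; i < sc_base->p11_modules->nelts; i++)
+            {
+                char *p11_module =
+                    APR_ARRAY_IDX(sc_base->p11_modules, i, char *);
+                rv = gnutls_pkcs11_add_provider(p11_module, NULL);
+                if (rv != GNUTLS_E_SUCCESS)
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                                 "GnuTLS: Loading PKCS #11 provider module %s "
+                                 "failed: %s (%d).",
+                                 p11_module, gnutls_strerror(rv), rv);
+            }
         }
     }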
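Review bot: Inside the new loop rv is overwritten on every iteration, so after the loop it reflects only the last module's gnutls_pkcs11_add_provider() result; a failure for an earlier module is logged but otherwise lost, and if rv is inspected after this block (the enclosing function continues past the hunk) that check would see success when the last module loaded fine. If a provider that fails to load should remain visible to the code after the loop, keep the first failure in its own variable, e.g. `int load_rv = gnutls_pkcs11_add_provider(p11_module, NULL);` followed by `if (load_rv != GNUTLS_E_SUCCESS && rv == GNUTLS_E_SUCCESS) rv = load_rv;` before the ap_log_error call, logging load_rv instead. If skipping a broken module is the intended best-effort behaviour, a one-line comment above the loop such as `/* a module that fails to load is logged and skipped; the remaining modules are still tried */` would make that explicit for the next reader.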