Changeset a4839ae in mod_gnutls


Ignore:
Timestamp:
Jan 11, 2013, 12:55:44 AM (7 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, upstream
Children:
2a2272d, 9a9f943
Parents:
ec06980
Message:

Imported Upstream version 0.4.1

Files:
1 added
9 edited

Legend:

Unmodified
Added
Removed
  • Makefile.am

    rec06980 ra4839ae  
    55                m4/apache_test.m4 m4/lua.m4 \
    66                include/mod_gnutls.h.in \
    7                 README README.ENV \
     7                README README.ENV NEWS \
    88                NOTICE LICENSE autogen.sh
    99
  • Makefile.in

    rec06980 ra4839ae  
    3737        $(srcdir)/Makefile.in $(srcdir)/config.in \
    3838        $(top_srcdir)/configure $(top_srcdir)/include/mod_gnutls.h.in \
    39         config/config.guess config/config.sub config/depcomp \
     39        NEWS config/config.guess config/config.sub config/depcomp \
    4040        config/install-sh config/ltmain.sh config/missing
    4141ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
     
    221221                m4/apache_test.m4 m4/lua.m4 \
    222222                include/mod_gnutls.h.in \
    223                 README README.ENV \
     223                README README.ENV NEWS \
    224224                NOTICE LICENSE autogen.sh
    225225
  • README.ENV

    rec06980 ra4839ae  
    88SSL_COMPRESS_METHOD: The negotiated compression method (NULL or DEFLATE)
    99SSL_SRP_USER: The SRP username used for authentication.
    10 SSL_CLIENT_VERIFY:
    11   whether the client's certificate was verified. (NONE if none was sent, or SUCCESS or FAILED)
    1210SSL_CIPHER_USEKEYSIZE and SSL_CIPHER_ALGKEYSIZE: The number if bits used in the used cipher
    1311  algorithm. This does not fully reflect the security level since the size of
     
    1614SSL_SESSION_ID: The session ID negotiated in this session. Can be the same during
    1715  client reloads.
     16
    1817SSL_CLIENT_V_REMAIN: The number of days until the client's certificate is expired.
     18SSL_CLIENT_V_START: The activation time of client's certificate.
     19SSL_CLIENT_V_END: The expiration time of client's certificate.
     20SSL_CLIENT_S_DN: The distinguished name of client's certificate in RFC2253 format.
     21SSL_CLIENT_I_DN: The distinguished name of client's issuer certificate in RFC2253 format.
     22SSL_CLIENT_S_SAN%: These will contain the alternative names of the client certificate
     23  (% is a number starting from zero). The values will be prepended by "DNSNAME:",
     24  "RFC822NAME:" or "URI:" depending on the type. If it is not supported the value
     25  "UNSUPPORTED" will be set.
     26SSL_CLIENT_M_SERIAL: The serial number of the client's certificate.
     27SSL_CLIENT_M_VERSION: The version of the client's certificate.
     28SSL_CLIENT_A_SIG: The algorithm used for the signature in client's certificate.
     29SSL_CLIENT_A_KEY: The public key algorithm in client's certificate.
     30SSL_CLIENT_CERT: The PEM-encoded client certificate
     31SSL_CLIENT_VERIFY:
     32  whether the client's certificate was verified. (NONE if none was sent, or SUCCESS or FAILED)
     33SSL_CLIENT_S_TYPE: The certificate type can be X.509 or OPENPGP.
    1934
    20 SSL_CLIENT_CERT: The PEM-encoded client certificate
     35SSL_SERVER_V_START: The activation time of server's certificate.
     36SSL_SERVER_V_END: The expiration time of server's certificate.
     37SSL_SERVER_S_DN: The distinguished name of the server's certificate in RFC2253 format.
     38SSL_SERVER_I_DN: The distinguished name of the server's issuer certificate in RFC2253 format.
     39SSL_SERVER_S_SAN%: These will contain the alternative names of the server certificate
     40  (% is a number starting from zero). The values will be prepended by "DNSNAME:",
     41  "RFC822NAME:" or "URI:" depending on the type. If it is not supported the value
     42  "UNSUPPORTED" will be set.
     43SSL_SERVER_M_SERIAL: The serial number of the server's certificate.
     44SSL_SERVER_M_VERSION: The version of the server's certificate.
     45SSL_SERVER_A_SIG: The algorithm used for the signature in server's certificate.
     46SSL_SERVER_A_KEY: The public key algorithm in server's certificate.
    2147SSL_SERVER_CERT: The PEM-encoded server certificate
     48SSL_SERVER_S_TYPE: The certificate type can be X.509 or OPENPGP.
     49
  • configure

    rec06980 ra4839ae  
    11#! /bin/sh
    22# Guess values for system-dependent variables and create Makefiles.
    3 # Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.0.
     3# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.1.
    44#
    55# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
     
    727727PACKAGE_NAME='mod_gnutls'
    728728PACKAGE_TARNAME='mod_gnutls'
    729 PACKAGE_VERSION='0.4.0'
    730 PACKAGE_STRING='mod_gnutls 0.4.0'
     729PACKAGE_VERSION='0.4.1'
     730PACKAGE_STRING='mod_gnutls 0.4.1'
    731731PACKAGE_BUGREPORT=''
    732732
     
    14261426  # This message is too long to be a string in the A/UX 3.1 sh.
    14271427  cat <<_ACEOF
    1428 \`configure' configures mod_gnutls 0.4.0 to adapt to many kinds of systems.
     1428\`configure' configures mod_gnutls 0.4.1 to adapt to many kinds of systems.
    14291429
    14301430Usage: $0 [OPTION]... [VAR=VALUE]...
     
    14971497if test -n "$ac_init_help"; then
    14981498  case $ac_init_help in
    1499      short | recursive ) echo "Configuration of mod_gnutls 0.4.0:";;
     1499     short | recursive ) echo "Configuration of mod_gnutls 0.4.1:";;
    15001500   esac
    15011501  cat <<\_ACEOF
     
    16071607if $ac_init_version; then
    16081608  cat <<\_ACEOF
    1609 mod_gnutls configure 0.4.0
     1609mod_gnutls configure 0.4.1
    16101610generated by GNU Autoconf 2.61
    16111611
     
    16211621running configure, to aid debugging if configure makes a mistake.
    16221622
    1623 It was created by mod_gnutls $as_me 0.4.0, which was
     1623It was created by mod_gnutls $as_me 0.4.1, which was
    16241624generated by GNU Autoconf 2.61.  Invocation command line was
    16251625
     
    19921992  chmod +x config.nice
    19931993
    1994 MOD_GNUTLS_VERSION=0.4.0
     1994MOD_GNUTLS_VERSION=0.4.1
    19951995
    19961996
     
    24932493# Define the identity of the package.
    24942494 PACKAGE=mod_gnutls
    2495  VERSION=0.4.0
     2495 VERSION=0.4.1
    24962496
    24972497
     
    2139621396# values after options handling.
    2139721397ac_log="
    21398 This file was extended by mod_gnutls $as_me 0.4.0, which was
     21398This file was extended by mod_gnutls $as_me 0.4.1, which was
    2139921399generated by GNU Autoconf 2.61.  Invocation command line was
    2140021400
     
    2144921449cat >>$CONFIG_STATUS <<_ACEOF
    2145021450ac_cs_version="\\
    21451 mod_gnutls config.status 0.4.0
     21451mod_gnutls config.status 0.4.1
    2145221452configured by $0, generated by GNU Autoconf 2.61,
    2145321453  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
  • configure.ac

    rec06980 ra4839ae  
    11dnl
    2 AC_INIT(mod_gnutls, 0.4.0)
     2AC_INIT(mod_gnutls, 0.4.1)
    33OOO_CONFIG_NICE(config.nice)
    44MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
  • include/mod_gnutls.h.in

    rec06980 ra4839ae  
    9797    int export_certificates_enabled;
    9898    gnutls_priority_t priorities;
     99    gnutls_rsa_params_t rsa_params;
     100    gnutls_dh_params_t dh_params;
    99101    int cache_timeout;
    100102    mgs_cache_e cache_type;
    101103    const char* cache_config;
    102     const char* rsa_params_file;
    103     const char* dh_params_file;
    104104    const char* srp_tpasswd_file;
    105105    const char* srp_tpasswd_conf_file;
  • src/gnutls_config.c

    rec06980 ra4839ae  
    5555                            const char *arg)
    5656{
    57     mgs_srvconf_rec *sc =
    58         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    59                                                  module_config,
    60                                                  &gnutls_module);
    61 
    62     sc->dh_params_file = ap_server_root_relative(parms->pool, arg);
     57    int ret;
     58    gnutls_datum_t data;
     59    const char *file;
     60    apr_pool_t *spool;
     61    mgs_srvconf_rec *sc =
     62        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
     63                                                 module_config,
     64                                                 &gnutls_module);
     65
     66    apr_pool_create(&spool, parms->pool);
     67
     68    file = ap_server_root_relative(spool, arg);
     69
     70    if (load_datum_from_file(spool, file, &data) != 0) {
     71        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
     72                            "DH params '%s'", file);
     73    }
     74
     75    gnutls_dh_params_init(&sc->dh_params);
     76    ret =
     77        gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
     78    if (ret != 0) {
     79        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
     80                            "DH params '%s': (%d) %s", file, ret,
     81                            gnutls_strerror(ret));
     82    }
     83
     84    apr_pool_destroy(spool);
    6385
    6486    return NULL;
     
    6890                                    const char *arg)
    6991{
    70     mgs_srvconf_rec *sc =
    71         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
    72                                                  module_config,
    73                                                  &gnutls_module);
    74 
    75     sc->rsa_params_file = ap_server_root_relative(parms->pool, arg);
    76 
     92    int ret;
     93    gnutls_datum_t data;
     94    const char *file;
     95    apr_pool_t *spool;
     96    mgs_srvconf_rec *sc =
     97        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
     98                                                 module_config,
     99                                                 &gnutls_module);
     100
     101    apr_pool_create(&spool, parms->pool);
     102
     103    file = ap_server_root_relative(spool, arg);
     104
     105    if (load_datum_from_file(spool, file, &data) != 0) {
     106        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
     107                            "RSA params '%s'", file);
     108    }
     109
     110    gnutls_rsa_params_init(&sc->rsa_params);
     111    ret =
     112        gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
     113    if (ret != 0) {
     114        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
     115                            "RSA params '%s': (%d) %s", file, ret,
     116                            gnutls_strerror(ret));
     117    }
     118
     119    apr_pool_destroy(spool);
    77120    return NULL;
    78121}
     
    104147    if (ret != 0) {
    105148        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
    106                             "Certificate'%s': (%d) %s", file, ret,
     149                            "Certificate '%s': (%d) %s", file, ret,
    107150                            gnutls_strerror(ret));
    108151    }
     
    368411    sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
    369412
    370     sc->dh_params_file = ap_server_root_relative(p, "conf/dhfile");
    371     sc->rsa_params_file = ap_server_root_relative(p, "conf/rsafile");
    372 
    373413    sc->client_verify_mode = GNUTLS_CERT_IGNORE;
    374414
  • src/gnutls_hooks.c

    rec06980 ra4839ae  
    3838/* use side==0 for server and side==1 for client */
    3939static void mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert,
    40                                      int side, int export_certificates_enabled);
     40                                     int side,
     41                                     int export_certificates_enabled);
    4142
    4243static apr_status_t mgs_cleanup_pre_config(void *data)
     
    8485}
    8586
    86 
    87 static gnutls_datum
    88 load_params(const char *file, server_rec * s, apr_pool_t * pool)
    89 {
    90     gnutls_datum ret = { NULL, 0 };
    91     apr_file_t *fp;
    92     apr_finfo_t finfo;
    93     apr_status_t rv;
    94     apr_size_t br = 0;
    95 
    96     rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
    97                        pool);
    98     if (rv != APR_SUCCESS) {
    99         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
    100                      "GnuTLS failed to load params file at: %s. Will use internal params.", file);
    101         return ret;
    102     }
    103 
    104     rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
    105 
    106     if (rv != APR_SUCCESS) {
    107         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
    108                      "GnuTLS failed to stat params file at: %s", file);
    109         return ret;
    110     }
    111 
    112     ret.data = apr_palloc(pool, finfo.size + 1);
    113     rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
    114 
    115     if (rv != APR_SUCCESS) {
    116         ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
    117                      "GnuTLS failed to read params file at: %s", file);
    118         return ret;
    119     }
    120     apr_file_close(fp);
    121     ret.data[br] = '\0';
    122     ret.size = br;
    123 
    124     return ret;
    125 }
    126 
    12787/* We don't support openpgp certificates, yet */
    12888const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
    12989
    130 static int mgs_select_virtual_server_cb( gnutls_session_t session)
     90static int mgs_select_virtual_server_cb(gnutls_session_t session)
    13191{
    13292    mgs_handle_t *ctxt;
     
    143103
    144104    gnutls_certificate_server_set_request(session,
    145        ctxt->sc->client_verify_mode);
     105                                          ctxt->sc->client_verify_mode);
    146106
    147107    /* set the new server credentials
     
    149109
    150110    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
    151       ctxt->sc->certs);
    152 
    153     gnutls_credentials_set(session, GNUTLS_CRD_ANON,
    154       ctxt->sc->anon_creds);
    155 
    156     if ( ctxt->sc->srp_tpasswd_conf_file != NULL && ctxt->sc->srp_tpasswd_file != NULL) {
    157        gnutls_credentials_set(session, GNUTLS_CRD_SRP,
    158          ctxt->sc->srp_creds);
     111                           ctxt->sc->certs);
     112
     113    gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
     114
     115    if (ctxt->sc->srp_tpasswd_conf_file != NULL
     116        && ctxt->sc->srp_tpasswd_file != NULL) {
     117        gnutls_credentials_set(session, GNUTLS_CRD_SRP,
     118                               ctxt->sc->srp_creds);
    159119    }
    160120
     
    163123     * negotiation.
    164124     */
    165     ret = gnutls_priority_set( session, ctxt->sc->priorities);
    166     gnutls_certificate_type_set_priority( session, cert_type_prio);
    167    
    168    
     125    ret = gnutls_priority_set(session, ctxt->sc->priorities);
     126    gnutls_certificate_type_set_priority(session, cert_type_prio);
     127
     128
    169129    /* actually it shouldn't fail since we have checked at startup */
    170     if (ret < 0) return ret;
     130    if (ret < 0)
     131        return ret;
    171132
    172133    /* allow separate caches per virtual host. Actually allowing the same is a
     
    194155
    195156const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
    196 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
    197 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
    198 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
    199 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
    200 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
    201 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
    202 "-----END DH PARAMETERS-----\n";
     157    "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
     158    "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
     159    "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
     160    "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
     161    "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
     162    "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
     163    "-----END DH PARAMETERS-----\n";
     164
     165/* Read the common name or the alternative name of the certificate.
     166 * We only support a single name per certificate.
     167 *
     168 * Returns negative on error.
     169 */
     170static int read_crt_cn(server_rec * s, apr_pool_t * p,
     171                       gnutls_x509_crt cert, char **cert_cn)
     172{
     173    int rv = 0, i;
     174    size_t data_len;
     175
     176
     177    *cert_cn = NULL;
     178
     179    rv = gnutls_x509_crt_get_dn_by_oid(cert,
     180                                       GNUTLS_OID_X520_COMMON_NAME,
     181                                       0, 0, NULL, &data_len);
     182
     183    if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
     184        *cert_cn = apr_palloc(p, data_len);
     185        rv = gnutls_x509_crt_get_dn_by_oid(cert,
     186                                           GNUTLS_OID_X520_COMMON_NAME, 0,
     187                                           0, *cert_cn, &data_len);
     188    } else {                    /* No CN return subject alternative name */
     189        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
     190                     "No common name found in certificate for '%s:%d'. Looking for subject alternative name.",
     191                     s->server_hostname, s->port);
     192        rv = 0;
     193        /* read subject alternative name */
     194        for (i = 0; !(rv < 0); i++) {
     195            data_len = 0;
     196            rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
     197                                                      NULL, &data_len,
     198                                                      NULL);
     199
     200            if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && data_len > 1) {
     201                /* FIXME: not very efficient. What if we have several alt names
     202                 * before DNSName?
     203                 */
     204                *cert_cn = apr_palloc(p, data_len + 1);
     205
     206                rv = gnutls_x509_crt_get_subject_alt_name(cert, i,
     207                                                          *cert_cn,
     208                                                          &data_len, NULL);
     209                (*cert_cn)[data_len] = 0;
     210
     211                if (rv == GNUTLS_SAN_DNSNAME)
     212                    break;
     213            }
     214        }
     215    }
     216
     217    return rv;
     218
     219}
    203220
    204221int
     
    207224{
    208225    int rv;
    209     size_t data_len;
    210226    server_rec *s;
    211     gnutls_dh_params_t dh_params;
    212     gnutls_rsa_params_t rsa_params;
     227    gnutls_dh_params_t dh_params = NULL;
     228    gnutls_rsa_params_t rsa_params = NULL;
    213229    mgs_srvconf_rec *sc;
    214230    mgs_srvconf_rec *sc_base;
     
    227243
    228244    {
    229         gnutls_datum pdata;
    230         apr_pool_t *tpool;
    231245        s = base_server;
    232246        sc_base =
     
    234248                                                     &gnutls_module);
    235249
    236         apr_pool_create(&tpool, p);
    237 
    238250        gnutls_dh_params_init(&dh_params);
    239251
    240         pdata = load_params(sc_base->dh_params_file, s, tpool);
    241 
    242         if (pdata.size != 0) {
    243             rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
     252        if (sc_base->dh_params == NULL) {
     253            gnutls_datum pdata = { (void *) static_dh_params, sizeof(static_dh_params) };
     254            /* loading defaults */
     255            rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
    244256                                               GNUTLS_X509_FMT_PEM);
    245             if (rv != 0) {
    246                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    247                              "GnuTLS: Unable to load DH Params: (%d) %s",
    248                              rv, gnutls_strerror(rv));
    249                 exit(rv);
    250             }
    251         } else {
    252             /* If the file does not exist use internal parameters
    253              */
    254             pdata.data = (void*)static_dh_params;
    255             pdata.size = sizeof( static_dh_params);
    256             rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
    257                                                GNUTLS_X509_FMT_PEM);
    258257
    259258            if (rv < 0) {
    260               ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    261                          "GnuTLS: Unable to load internal DH Params."
    262                          " Shutting down.");
    263               exit(-1);
     259                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     260                     "GnuTLS: Unable to load DH Params: (%d) %s",
     261                     rv, gnutls_strerror(rv));
     262                exit(rv);
    264263            }
    265         }
    266         apr_pool_clear(tpool);
    267 
    268         rsa_params = NULL;
    269        
    270         pdata = load_params(sc_base->rsa_params_file, s, tpool);
    271 
    272         if (pdata.size != 0) {
    273             gnutls_rsa_params_init(&rsa_params);
    274             rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
    275                                                 GNUTLS_X509_FMT_PEM);
    276             if (rv != 0) {
    277                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    278                              "GnuTLS: Unable to load RSA Params: (%d) %s",
    279                              rv, gnutls_strerror(rv));
    280                 exit(rv);
    281             }
    282         }
    283         /* not an error but RSA-EXPORT ciphersuites are not available
    284          */
    285 
    286         apr_pool_destroy(tpool);
     264        } else dh_params = sc_base->dh_params;
     265
     266        if (sc_base->rsa_params != NULL)
     267            rsa_params = sc_base->rsa_params;
     268
     269        /* else not an error but RSA-EXPORT ciphersuites are not available
     270         */
     271
    287272        rv = mgs_cache_post_config(p, s, sc_base);
    288273        if (rv != 0) {
     
    294279
    295280        for (s = base_server; s; s = s->next) {
     281            void *load = NULL;
    296282            sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
    297283                                                          &gnutls_module);
     
    299285            sc->cache_config = sc_base->cache_config;
    300286
    301             if (rsa_params != NULL)
    302               gnutls_certificate_set_rsa_export_params(sc->certs,
    303                                                      rsa_params);
    304             gnutls_certificate_set_dh_params(sc->certs, dh_params);
    305 
    306             gnutls_anon_set_server_dh_params( sc->anon_creds, dh_params);
    307            
    308             gnutls_certificate_server_set_retrieve_function(sc->certs,
    309                                                     cert_retrieve_fn);
    310 
    311             if ( sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) {
    312                 gnutls_srp_set_server_credentials_file( sc->srp_creds,
    313                     sc->srp_tpasswd_file, sc->srp_tpasswd_conf_file);
     287            /* Check if the priorities have been set */
     288            if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
     289                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     290                     "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
     291                             s->server_hostname, s->port);
     292                exit(-1);
    314293            }
    315294           
     295            /* Check if DH or RSA params have been set per host */
     296            if (sc->rsa_params != NULL)
     297                load = sc->rsa_params;
     298            else if (rsa_params) load = rsa_params;
     299           
     300            if (load != NULL)
     301                gnutls_certificate_set_rsa_export_params(sc->certs, load);
     302
     303
     304            load = NULL;
     305            if (sc->dh_params != NULL)
     306                load = sc->dh_params;
     307            else if (dh_params) load = dh_params;
     308           
     309            if (load != NULL) { /* not needed but anyway */
     310                gnutls_certificate_set_dh_params(sc->certs, load);
     311                gnutls_anon_set_server_dh_params(sc->anon_creds, load);
     312            }
     313
     314            gnutls_certificate_server_set_retrieve_function(sc->certs,
     315                                                            cert_retrieve_fn);
     316
     317            if (sc->srp_tpasswd_conf_file != NULL
     318                && sc->srp_tpasswd_file != NULL) {
     319                rv = gnutls_srp_set_server_credentials_file(sc->srp_creds,
     320                                                            sc->
     321                                                            srp_tpasswd_file,
     322                                                            sc->
     323                                                            srp_tpasswd_conf_file);
     324
     325                if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) {
     326                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
     327                                 "[GnuTLS] - Host '%s:%d' is missing a "
     328                                 "SRP password or conf File!",
     329                                 s->server_hostname, s->port);
     330                    exit(-1);
     331                }
     332            }
     333
    316334            if (sc->cert_x509 == NULL
    317335                && sc->enabled == GNUTLS_ENABLED_TRUE) {
     
    333351
    334352            if (sc->enabled == GNUTLS_ENABLED_TRUE) {
    335             rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
    336                                                GNUTLS_OID_X520_COMMON_NAME,
    337                                                0, 0, NULL, &data_len);
    338 
    339             if (data_len < 1) {
    340                 sc->enabled = GNUTLS_ENABLED_FALSE;
    341                 sc->cert_cn = NULL;
    342                 continue;
     353                rv = read_crt_cn(s, p, sc->cert_x509, &sc->cert_cn);
     354                if (rv < 0) {
     355                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
     356                                 "[GnuTLS] - Cannot find a certificate for host '%s:%d'!",
     357                                 s->server_hostname, s->port);
     358                    sc->cert_cn = NULL;
     359                    continue;
     360                }
    343361            }
    344 
    345             sc->cert_cn = apr_palloc(p, data_len);
    346             rv = gnutls_x509_crt_get_dn_by_oid(sc->cert_x509,
    347                                                GNUTLS_OID_X520_COMMON_NAME,
    348                                                0, 0, sc->cert_cn,
    349                                                &data_len);
    350             }
    351362        }
    352363    }
     
    440451         */
    441452        return 1;
     453    } else {
     454#if MOD_GNUTLS_DEBUG
     455        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
     456                     x->ctxt->c->base_server,
     457                     "GnuTLS: Virtual Host CB: "
     458                     "'%s' != '%s'", tsc->cert_cn, x->sni_name);
     459#endif
     460
    442461    }
    443462    return 0;
     
    533552
    534553static const int protocol_priority[] = {
    535   GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
    536          
     554    GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
     555};
     556
    537557
    538558static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
     
    559579
    560580    gnutls_init(&ctxt->session, GNUTLS_SERVER);
    561    
    562     /* This is not very good as it trades security for compatibility,
    563      * but it is the only way to be ultra-portable.
    564      */
    565     gnutls_session_enable_compatibility_mode( ctxt->session);
    566    
     581
    567582    /* because we don't set any default priorities here (we set later at
    568583     * the user hello callback) we need to at least set this in order for
    569584     * gnutls to be able to read packets.
    570585     */
    571     gnutls_protocol_set_priority( ctxt->session, protocol_priority);
    572 
    573     gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);
     586    gnutls_protocol_set_priority(ctxt->session, protocol_priority);
     587
     588    gnutls_handshake_set_post_client_hello_function(ctxt->session,
     589                                                    mgs_select_virtual_server_cb);
    574590
    575591    return ctxt;
     
    624640    apr_table_setn(env, "HTTPS", "on");
    625641
    626     apr_table_setn(env, "SSL_VERSION_LIBRARY", "GnuTLS/"LIBGNUTLS_VERSION);
    627     apr_table_setn(env, "SSL_VERSION_INTERFACE", "mod_gnutls/"MOD_GNUTLS_VERSION);
     642    apr_table_setn(env, "SSL_VERSION_LIBRARY",
     643                   "GnuTLS/" LIBGNUTLS_VERSION);
     644    apr_table_setn(env, "SSL_VERSION_INTERFACE",
     645                   "mod_gnutls/" MOD_GNUTLS_VERSION);
    628646
    629647    apr_table_setn(env, "SSL_PROTOCOL",
     
    631649                                            (ctxt->session)));
    632650
    633     /* should have been called SSL_CIPHERSUITE instead */                                         
     651    /* should have been called SSL_CIPHERSUITE instead */
    634652    apr_table_setn(env, "SSL_CIPHER",
    635           gnutls_cipher_suite_get_name(
    636             gnutls_kx_get(ctxt->session), gnutls_cipher_get(ctxt->session),
    637                     gnutls_mac_get(ctxt->session)));
     653                   gnutls_cipher_suite_get_name(gnutls_kx_get
     654                                                (ctxt->session),
     655                                                gnutls_cipher_get(ctxt->
     656                                                                  session),
     657                                                gnutls_mac_get(ctxt->
     658                                                               session)));
    638659
    639660    apr_table_setn(env, "SSL_COMPRESS_METHOD",
    640661                   gnutls_compression_get_name(gnutls_compression_get
    641                                           (ctxt->session)));
     662                                               (ctxt->session)));
    642663
    643664    apr_table_setn(env, "SSL_SRP_USER",
    644                    gnutls_srp_server_get_username( ctxt->session));
     665                   gnutls_srp_server_get_username(ctxt->session));
    645666
    646667    if (apr_table_get(env, "SSL_CLIENT_VERIFY") == NULL)
     
    663684    apr_table_setn(env, "SSL_SESSION_ID", apr_pstrdup(r->pool, tmp));
    664685
    665     mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0, ctxt->sc->export_certificates_enabled);
     686    mgs_add_common_cert_vars(r, ctxt->sc->cert_x509, 0,
     687                             ctxt->sc->export_certificates_enabled);
    666688
    667689    return rv;
     
    724746#define MGS_SIDE ((side==0)?"SSL_SERVER":"SSL_CLIENT")
    725747static void
    726 mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side, int export_certificates_enabled)
     748mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt cert, int side,
     749                         int export_certificates_enabled)
    727750{
    728751    unsigned char sbuf[64];     /* buffer to hold serials */
    729752    char buf[AP_IOBUFSIZE];
    730753    const char *tmp;
     754    char *tmp2;
    731755    size_t len;
    732     int alg;
     756    int ret, i;
    733757
    734758    apr_table_t *env = r->subprocess_env;
    735759
    736760    if (export_certificates_enabled != 0) {
    737       char cert_buf[10*1024];
    738       len = sizeof(cert_buf);
    739 
    740       if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
    741         apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
    742                    apr_pstrmemdup(r->pool, cert_buf, len));
    743      
     761        char cert_buf[10 * 1024];
     762        len = sizeof(cert_buf);
     763
     764        if (gnutls_x509_crt_export
     765            (cert, GNUTLS_X509_FMT_PEM, cert_buf, &len) >= 0)
     766            apr_table_setn(env,
     767                           apr_pstrcat(r->pool, MGS_SIDE, "_CERT", NULL),
     768                           apr_pstrmemdup(r->pool, cert_buf, len));
     769
    744770    }
    745771
     
    760786                   apr_pstrdup(r->pool, tmp));
    761787
     788    ret = gnutls_x509_crt_get_version(cert);
     789    if (ret > 0)
     790        apr_table_setn(env,
     791                       apr_pstrcat(r->pool, MGS_SIDE, "_M_VERSION", NULL),
     792                       apr_psprintf(r->pool, "%u", ret));
     793
     794    apr_table_setn(env,
     795       apr_pstrcat(r->pool, MGS_SIDE, "_S_TYPE", NULL), "X.509");
     796
    762797    tmp =
    763798        mgs_time2sz(gnutls_x509_crt_get_expiration_time
     
    772807                   apr_pstrdup(r->pool, tmp));
    773808
    774     alg = gnutls_x509_crt_get_signature_algorithm( cert);
    775     if (alg >= 0) {
    776       apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
    777           gnutls_sign_algorithm_get_name( alg));
    778     }
    779 
    780     alg = gnutls_x509_crt_get_pk_algorithm( cert, NULL);
    781     if (alg >= 0) {
    782       apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
    783           gnutls_pk_algorithm_get_name( alg));
     809    ret = gnutls_x509_crt_get_signature_algorithm(cert);
     810    if (ret >= 0) {
     811        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_SIG", NULL),
     812                       gnutls_sign_algorithm_get_name(ret));
     813    }
     814
     815    ret = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
     816    if (ret >= 0) {
     817        apr_table_setn(env, apr_pstrcat(r->pool, MGS_SIDE, "_A_KEY", NULL),
     818                       gnutls_pk_algorithm_get_name(ret));
     819    }
     820
     821    /* export all the alternative names (DNS, RFC822 and URI) */
     822    for (i = 0; !(ret < 0); i++) {
     823        len = 0;
     824        ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
     825                                                   NULL, &len, NULL);
     826
     827        if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
     828            tmp2 = apr_palloc(r->pool, len + 1);
     829
     830            ret =
     831                gnutls_x509_crt_get_subject_alt_name(cert, i, tmp2, &len,
     832                                                     NULL);
     833            tmp2[len] = 0;
     834
     835            if (ret == GNUTLS_SAN_DNSNAME) {
     836                apr_table_setn(env,
     837                       apr_psprintf(r->pool, "%s_S_SAN%u", MGS_SIDE, i),
     838                       apr_psprintf(r->pool, "DNSNAME:%s", tmp2));
     839            } else if (ret == GNUTLS_SAN_RFC822NAME) {
     840                apr_table_setn(env,
     841                       apr_psprintf(r->pool, "%s_S_SAN%u", MGS_SIDE, i),
     842                       apr_psprintf(r->pool, "RFC822NAME:%s", tmp2));
     843            } else if (ret == GNUTLS_SAN_URI) {
     844                apr_table_setn(env,
     845                       apr_psprintf(r->pool, "%s_S_SAN%u", MGS_SIDE, i),
     846                       apr_psprintf(r->pool, "URI:%s", tmp2));
     847            } else {
     848                apr_table_setn(env,
     849                       apr_psprintf(r->pool, "%s_S_SAN%u", MGS_SIDE, i),
     850                       "UNSUPPORTED");
     851            }
     852        }
    784853    }
    785854
     
    888957//    rv = mgs_authz_lua(r);
    889958
    890     mgs_add_common_cert_vars(r, cert, 1, ctxt->sc->export_certificates_enabled);
     959    mgs_add_common_cert_vars(r, cert, 1,
     960                             ctxt->sc->export_certificates_enabled);
    891961
    892962    {
    893       /* days remaining */
    894       unsigned long remain = (apr_time_sec(expiration_time) - apr_time_sec(cur_time))/86400;
    895       apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
    896           apr_psprintf(r->pool, "%lu", remain));
     963        /* days remaining */
     964        unsigned long remain =
     965            (apr_time_sec(expiration_time) -
     966             apr_time_sec(cur_time)) / 86400;
     967        apr_table_setn(r->subprocess_env, "SSL_CLIENT_V_REMAIN",
     968                       apr_psprintf(r->pool, "%lu", remain));
    897969    }
    898970
  • src/mod_gnutls.c

    rec06980 ra4839ae  
    100100                  NULL,
    101101                  RSRC_CONF,
    102                   "The priorities to enable (ciphers, Key exchange, macs, compression)"),
     102                  "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    103103    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
    104104                  NULL,
Note: See TracChangeset for help on using the changeset viewer.