Changes in / [9a06bbd:c4a015b] in mod_gnutls
- Files:
-
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
README
r9a06bbd rc4a015b 22 22 ------------- 23 23 24 * GnuTLS >= 2.12.6 <http://www.gnutls.org/> (3.* preferred)24 * GnuTLS >= 3.1.3 <http://www.gnutls.org/> (3.2.* preferred) 25 25 * Apache HTTPD >= 2.2 <http://httpd.apache.org/> (2.4.* preferred) 26 26 * autotools & gcc -
configure.ac
r9a06bbd rc4a015b 28 28 ) 29 29 30 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 2.12.6])30 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.1.3]) 31 31 32 32 LIBGNUTLS_VERSION=`pkg-config --modversion gnutls` -
docs/mod_gnutls_manual.mdwn
r9a06bbd rc4a015b 367 367 as protection against statistical attacks to ciphertext data in order to 368 368 achieve maximum compatibility (some broken mobile clients need this). 369 370 `GnuTLSPIN` 371 ------------------ 372 373 Set the PIN to be used to access encrypted key files or PKCS #11 objects. 374 375 GnuTLSPIN XXXXXX 376 377 Default: *none*\ 378 Context: server config, virtual host 379 380 Takes a string to be used as a PIN for the protected objects in 381 a security module, or as a key to be used to decrypt PKCS #8, PKCS #12, 382 or openssl encrypted keys. 383 384 `GnuTLSSRKPIN` 385 ------------------ 386 387 Set the SRK PIN to be used to unlaccess the TPM. 388 389 GnuTLSSRKPIN XXXXXX 390 391 Default: *none*\ 392 Context: server config, virtual host 393 394 Takes a string to be used as a PIN for the protected objects in 395 the TPM module. 369 396 370 397 `GnuTLSExportCertificates` -
include/mod_gnutls.h.in
r9a06bbd rc4a015b 34 34 #include <gnutls/extra.h> 35 35 #endif 36 #include <gnutls/abstract.h> 36 37 #include <gnutls/openpgp.h> 37 38 #include <gnutls/x509.h> … … 104 105 /* Server Configuration Record */ 105 106 typedef struct { 107 /* --- Configuration values --- */ 108 /* Is the module enabled? */ 109 int enabled; 110 /* Is mod_proxy enabled? */ 111 int proxy_enabled; 112 /* A Plain HTTP request */ 113 int non_ssl_request; 114 115 /* PIN used for PKCS #11 operations */ 116 char *pin; 117 118 /* the SRK PIN used in TPM operations */ 119 char *srk_pin; 120 121 char *x509_cert_file; 122 char *x509_key_file; 123 char *x509_ca_file; 124 125 char *pgp_cert_file; 126 char *pgp_key_file; 127 char *pgp_ring_file; 128 129 char *dh_file; 130 131 char *priorities_str; 132 133 const char* srp_tpasswd_file; 134 const char* srp_tpasswd_conf_file; 135 136 /* Cache timeout value */ 137 int cache_timeout; 138 /* Chose Cache Type */ 139 mgs_cache_e cache_type; 140 const char* cache_config; 141 142 /* GnuTLS uses Session Tickets */ 143 int tickets; 144 145 /* --- Things initialized at _child_init --- */ 146 106 147 /* x509 Certificate Structure */ 107 148 gnutls_certificate_credentials_t certs; … … 113 154 char* cert_cn; 114 155 /* Current x509 Certificate SAN [Subject Alternate Name]s*/ 115 char* cert_san[MAX_CERT_SAN]; 116 /* A x509 Certificate Chain */ 117 gnutls_x509_crt_t *certs_x509_chain; 118 /* Current x509 Certificate Private Key */ 119 gnutls_x509_privkey_t privkey_x509; 120 /* OpenPGP Certificate */ 121 gnutls_openpgp_crt_t cert_pgp; 122 /* OpenPGP Certificate Private Key */ 123 gnutls_openpgp_privkey_t privkey_pgp; 156 char* cert_san[MAX_CERT_SAN]; 157 /* An x509 Certificate Chain */ 158 gnutls_pcert_st *certs_x509_chain; 159 gnutls_x509_crt_t *certs_x509_crt_chain; 124 160 /* Number of Certificates in Chain */ 125 161 unsigned int certs_x509_chain_num; 126 /* Is the module enabled? */ 127 int enabled; 162 163 /* Current x509 Certificate Private Key */ 164 gnutls_privkey_t privkey_x509; 165 166 /* OpenPGP Certificate */ 167 gnutls_pcert_st *cert_pgp; 168 gnutls_openpgp_crt_t *cert_crt_pgp; 169 170 /* OpenPGP Certificate Private Key */ 171 gnutls_privkey_t privkey_pgp; 172 128 173 /* Export full certificates to CGI environment: */ 129 174 int export_certificates_size; … … 132 177 /* GnuTLS DH Parameters */ 133 178 gnutls_dh_params_t dh_params; 134 /* Cache timeout value */135 int cache_timeout;136 /* Chose Cache Type */137 mgs_cache_e cache_type;138 const char* cache_config;139 const char* srp_tpasswd_file;140 const char* srp_tpasswd_conf_file;141 179 /* A list of CA Certificates */ 142 180 gnutls_x509_crt_t *ca_list; … … 151 189 /* Last Cache timestamp */ 152 190 apr_time_t last_cache_check; 153 /* GnuTLS uses Session Tickets */154 int tickets;155 /* Is mod_proxy enabled? */156 int proxy_enabled;157 /* A Plain HTTP request */158 int non_ssl_request;159 191 } mgs_srvconf_rec; 160 192 … … 304 336 305 337 /** 338 * Perform any reinitialization required in PKCS #11 339 */ 340 int mgs_pkcs11_reinit(server_rec * s); 341 342 /** 306 343 * Convert a SSL Session ID into a Null Terminated Hex Encoded String 307 344 * @param id raw SSL Session ID … … 323 360 324 361 /* Configuration Functions */ 362 363 /* Loads all files set in the configuration */ 364 int mgs_load_files(apr_pool_t * p, server_rec * s); 325 365 326 366 const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy, … … 356 396 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, 357 397 const char *arg); 398 const char *mgs_set_pin(cmd_parms * parms, void *dummy, 399 const char *arg); 400 401 const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy, 402 const char *arg); 358 403 359 404 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy, -
src/gnutls_config.c
r9a06bbd rc4a015b 20 20 #include "mod_gnutls.h" 21 21 #include "apr_lib.h" 22 #include <gnutls/abstract.h> 23 24 #define INIT_CA_SIZE 128 22 25 23 26 #ifdef APLOG_USE_MODULE … … 25 28 #endif 26 29 30 static int pin_callback(void *user, int attempt __attribute__((unused)), 31 const char *token_url __attribute__((unused)), 32 const char *token_label, unsigned int flags, 33 char *pin, size_t pin_max) 34 { 35 mgs_srvconf_rec *sc = user; 36 37 if (sc->pin == NULL || flags & GNUTLS_PIN_FINAL_TRY || 38 flags & GNUTLS_PIN_WRONG) { 39 return -1; 40 } 41 42 if (token_label && strcmp(token_label, "SRK") == 0) { 43 snprintf(pin, pin_max, "%s", sc->srk_pin); 44 } else { 45 snprintf(pin, pin_max, "%s", sc->pin); 46 } 47 return 0; 48 } 49 27 50 static int load_datum_from_file(apr_pool_t * pool, 28 const char *file, gnutls_datum_t * data) { 51 const char *file, gnutls_datum_t * data) 52 { 29 53 apr_file_t *fp; 30 54 apr_finfo_t finfo; … … 33 57 34 58 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, 35 59 APR_OS_DEFAULT, pool); 36 60 if (rv != APR_SUCCESS) { 37 61 return rv; 38 62 } 39 63 … … 41 65 42 66 if (rv != APR_SUCCESS) { 43 67 return rv; 44 68 } 45 69 … … 48 72 49 73 if (rv != APR_SUCCESS) { 50 74 return rv; 51 75 } 52 76 apr_file_close(fp); … … 58 82 } 59 83 60 const char *mgs_set_dh_file(cmd_parms * parms, void *dummy __attribute__((unused)), 61 const char *arg) { 84 /* 2048-bit group parameters from SRP specification */ 85 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 86 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" 87 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n" 88 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n" 89 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n" 90 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n" 91 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 92 "-----END DH PARAMETERS-----\n"; 93 94 int mgs_load_files(apr_pool_t * p, server_rec * s) 95 { 96 apr_pool_t *spool; 97 const char *file; 98 gnutls_datum_t data; 62 99 int ret; 63 gnutls_datum_t data; 64 const char *file; 65 apr_pool_t *spool; 66 mgs_srvconf_rec *sc = 67 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 68 module_config, 69 &gnutls_module); 70 71 apr_pool_create(&spool, parms->pool); 72 73 file = ap_server_root_relative(spool, arg); 74 75 if (load_datum_from_file(spool, file, &data) != 0) { 76 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 77 "DH params '%s'", file); 78 } 100 mgs_srvconf_rec *sc = 101 (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 102 &gnutls_module); 103 104 apr_pool_create(&spool, p); 105 106 sc->cert_pgp = apr_pcalloc(p, sizeof(sc->cert_pgp[0])); 107 sc->cert_crt_pgp = apr_pcalloc(p, sizeof(sc->cert_crt_pgp[0])); 108 sc->certs_x509_chain = 109 apr_pcalloc(p, MAX_CHAIN_SIZE * sizeof(sc->certs_x509_chain[0])); 110 sc->certs_x509_crt_chain = 111 apr_pcalloc(p, 112 MAX_CHAIN_SIZE * sizeof(sc->certs_x509_crt_chain[0])); 113 114 ret = gnutls_certificate_allocate_credentials(&sc->certs); 115 if (ret < 0) { 116 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 117 "GnuTLS: Failed to initialize" ": (%d) %s", ret, 118 gnutls_strerror(ret)); 119 ret = -1; 120 goto cleanup; 121 } 122 123 ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds); 124 if (ret < 0) { 125 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 126 "GnuTLS: Failed to initialize" ": (%d) %s", ret, 127 gnutls_strerror(ret)); 128 ret = -1; 129 goto cleanup; 130 } 131 132 /* Load SRP parameters */ 133 #ifdef ENABLE_SRP 134 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); 135 if (ret < 0) { 136 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 137 "GnuTLS: Failed to initialize" ": (%d) %s", ret, 138 gnutls_strerror(ret)); 139 ret = -1; 140 goto cleanup; 141 } 142 143 if (sc->srp_tpasswd_conf_file != NULL && sc->srp_tpasswd_file != NULL) { 144 ret = gnutls_srp_set_server_credentials_file 145 (sc->srp_creds, sc->srp_tpasswd_file, 146 sc->srp_tpasswd_conf_file); 147 148 if (ret < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) { 149 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, 150 s, 151 "GnuTLS: Host '%s:%d' is missing a " 152 "SRP password or conf File!", 153 s->server_hostname, s->port); 154 ret = -1; 155 goto cleanup; 156 } 157 } 158 #endif 79 159 80 160 ret = gnutls_dh_params_init(&sc->dh_params); 81 161 if (ret < 0) { 82 return apr_psprintf(parms->pool, 83 "GnuTLS: Failed to initialize" 84 ": (%d) %s", ret, 85 gnutls_strerror(ret)); 86 } 87 88 ret = 89 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, 90 GNUTLS_X509_FMT_PEM); 91 if (ret < 0) { 92 return apr_psprintf(parms->pool, 93 "GnuTLS: Failed to Import " 94 "DH params '%s': (%d) %s", file, ret, 95 gnutls_strerror(ret)); 96 } 97 162 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 163 "GnuTLS: Failed to initialize" 164 ": (%d) %s", ret, gnutls_strerror(ret)); 165 ret = -1; 166 goto cleanup; 167 } 168 169 /* Load DH parameters */ 170 if (sc->dh_file) { 171 if (load_datum_from_file(spool, sc->dh_file, &data) != 0) { 172 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 173 "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file); 174 ret = -1; 175 goto cleanup; 176 } 177 178 ret = 179 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, 180 GNUTLS_X509_FMT_PEM); 181 if (ret < 0) { 182 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 183 "GnuTLS: Failed to Import " 184 "DH params '%s': (%d) %s", sc->dh_file, ret, 185 gnutls_strerror(ret)); 186 ret = -1; 187 goto cleanup; 188 } 189 } else { 190 gnutls_datum_t pdata = { 191 (void *) static_dh_params, 192 sizeof(static_dh_params) 193 }; 194 195 ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM); 196 if (ret < 0) { 197 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 198 "GnuTLS: Unable to generate or load DH Params: (%d) %s", 199 ret, gnutls_strerror(ret)); 200 ret = -1; 201 goto cleanup; 202 } 203 } 204 205 if (sc->x509_cert_file != NULL) { 206 unsigned int chain_num, i; 207 unsigned format = GNUTLS_X509_FMT_PEM; 208 209 /* Load X.509 certificate */ 210 if (strncmp(sc->x509_cert_file, "pkcs11:", 7) == 0) { 211 gnutls_pkcs11_obj_t obj; 212 213 file = sc->x509_cert_file; 214 215 ret = gnutls_pkcs11_obj_init(&obj); 216 if (ret < 0) { 217 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 218 "GnuTLS: Error Initializing PKCS #11 object"); 219 ret = -1; 220 goto cleanup; 221 } 222 223 gnutls_pkcs11_obj_set_pin_function(obj, pin_callback, sc); 224 225 ret = gnutls_pkcs11_obj_import_url(obj, file, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); 226 if (ret < 0) { 227 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 228 "GnuTLS: Error Importing PKCS #11 object: '%s': %s", 229 file, gnutls_strerror(ret)); 230 ret = -1; 231 goto cleanup; 232 } 233 234 format = GNUTLS_X509_FMT_DER; 235 ret = gnutls_pkcs11_obj_export2(obj, &data); 236 if (ret < 0) { 237 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 238 "GnuTLS: Error Exporting a PKCS #11 object: '%s': %s", 239 file, gnutls_strerror(ret)); 240 ret = -1; 241 goto cleanup; 242 } 243 244 gnutls_pkcs11_obj_deinit(obj); 245 } else { 246 file = ap_server_root_relative(spool, sc->x509_cert_file); 247 248 ret = gnutls_load_file(file, &data); 249 if (ret < 0) { 250 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 251 "GnuTLS: Error Reading Certificate '%s': %s", 252 file, gnutls_strerror(ret)); 253 ret = -1; 254 goto cleanup; 255 } 256 } 257 258 ret = 259 gnutls_x509_crt_list_import2(&sc->certs_x509_crt_chain, 260 &chain_num, &data, format, 261 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); 262 gnutls_free(data.data); 263 sc->certs_x509_chain_num = chain_num; 264 265 if (ret < 0) { 266 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 267 "GnuTLS: Failed to Import Certificate Chain '%s': (%d) %s", 268 file, ret, gnutls_strerror(ret)); 269 ret = -1; 270 goto cleanup; 271 } 272 273 for (i = 0; i < chain_num; i++) { 274 ret = 275 gnutls_pcert_import_x509(&sc->certs_x509_chain[i], 276 sc->certs_x509_crt_chain[i], 0); 277 if (ret < 0) { 278 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 279 "GnuTLS: Failed to Import pCertificate '%s': (%d) %s", 280 file, ret, gnutls_strerror(ret)); 281 ret = -1; 282 goto cleanup; 283 } 284 } 285 sc->certs_x509_chain_num = chain_num; 286 } 287 288 if (sc->x509_key_file) { 289 ret = gnutls_privkey_init(&sc->privkey_x509); 290 if (ret < 0) { 291 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 292 "GnuTLS: Failed to initialize: (%d) %s", ret, 293 gnutls_strerror(ret)); 294 ret = -1; 295 goto cleanup; 296 } 297 298 if (gnutls_url_is_supported(sc->x509_key_file) != 0) { 299 file = sc->x509_key_file; 300 301 gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, 302 sc); 303 304 ret = gnutls_privkey_import_url(sc->privkey_x509, file, 0); 305 306 if (ret < 0) { 307 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 308 "GnuTLS: Failed to Import Private Key URL '%s': (%d) %s", 309 file, ret, gnutls_strerror(ret)); 310 ret = -1; 311 goto cleanup; 312 } 313 } else { 314 file = ap_server_root_relative(spool, sc->x509_key_file); 315 316 if (load_datum_from_file(spool, file, &data) != 0) { 317 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 318 "GnuTLS: Error Reading Private Key '%s'", 319 file); 320 ret = -1; 321 goto cleanup; 322 } 323 324 ret = 325 gnutls_privkey_import_x509_raw(sc->privkey_x509, &data, 326 GNUTLS_X509_FMT_PEM, sc->pin, 327 0); 328 329 if (ret < 0) { 330 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 331 "GnuTLS: Failed to Import Private Key '%s': (%d) %s", 332 file, ret, gnutls_strerror(ret)); 333 ret = -1; 334 goto cleanup; 335 } 336 } 337 } 338 339 /* Load the X.509 CA file */ 340 if (sc->x509_ca_file) { 341 if (load_datum_from_file(spool, sc->x509_ca_file, &data) != 0) { 342 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 343 "GnuTLS: Error Reading " "Client CA File '%s'", 344 sc->x509_ca_file); 345 ret = -1; 346 goto cleanup; 347 } 348 349 ret = gnutls_x509_crt_list_import2(&sc->ca_list, &sc->ca_list_size, 350 &data, GNUTLS_X509_FMT_PEM, 0); 351 if (ret < 0) { 352 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 353 "GnuTLS: Failed to load " 354 "Client CA File '%s': (%d) %s", sc->x509_ca_file, 355 ret, gnutls_strerror(ret)); 356 ret = -1; 357 goto cleanup; 358 } 359 } 360 361 if (sc->pgp_cert_file) { 362 if (load_datum_from_file(spool, sc->pgp_cert_file, &data) != 0) { 363 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 364 "GnuTLS: Error Reading " "Certificate '%s'", 365 sc->pgp_cert_file); 366 ret = -1; 367 goto cleanup; 368 } 369 370 ret = gnutls_openpgp_crt_init(&sc->cert_crt_pgp[0]); 371 if (ret < 0) { 372 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 373 "GnuTLS: Failed to Init " 374 "PGP Certificate: (%d) %s", ret, 375 gnutls_strerror(ret)); 376 ret = -1; 377 goto cleanup; 378 } 379 380 ret = 381 gnutls_openpgp_crt_import(sc->cert_crt_pgp[0], &data, 382 GNUTLS_OPENPGP_FMT_BASE64); 383 if (ret < 0) { 384 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 385 "GnuTLS: Failed to Import " 386 "PGP Certificate: (%d) %s", ret, 387 gnutls_strerror(ret)); 388 ret = -1; 389 goto cleanup; 390 } 391 392 ret = 393 gnutls_pcert_import_openpgp(sc->cert_pgp, sc->cert_crt_pgp[0], 394 0); 395 if (ret < 0) { 396 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 397 "GnuTLS: Failed to Import " 398 "PGP pCertificate: (%d) %s", ret, 399 gnutls_strerror(ret)); 400 ret = -1; 401 goto cleanup; 402 } 403 } 404 405 /* Load the PGP key file */ 406 if (sc->pgp_key_file) { 407 if (load_datum_from_file(spool, sc->pgp_key_file, &data) != 0) { 408 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 409 "GnuTLS: Error Reading " "Private Key '%s'", 410 sc->pgp_key_file); 411 ret = -1; 412 goto cleanup; 413 } 414 415 ret = gnutls_privkey_init(&sc->privkey_pgp); 416 if (ret < 0) { 417 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 418 "GnuTLS: Failed to initialize" 419 ": (%d) %s", ret, gnutls_strerror(ret)); 420 ret = -1; 421 goto cleanup; 422 } 423 424 ret = 425 gnutls_privkey_import_openpgp_raw(sc->privkey_pgp, &data, 426 GNUTLS_OPENPGP_FMT_BASE64, 427 NULL, NULL); 428 if (ret != 0) { 429 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 430 "GnuTLS: Failed to Import " 431 "PGP Private Key '%s': (%d) %s", 432 sc->pgp_key_file, ret, gnutls_strerror(ret)); 433 ret = -1; 434 goto cleanup; 435 } 436 } 437 438 /* Load the keyring file */ 439 if (sc->pgp_ring_file) { 440 if (load_datum_from_file(spool, sc->pgp_ring_file, &data) != 0) { 441 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 442 "GnuTLS: Error Reading " "Keyring File '%s'", 443 sc->pgp_ring_file); 444 ret = -1; 445 goto cleanup; 446 } 447 448 ret = gnutls_openpgp_keyring_init(&sc->pgp_list); 449 if (ret < 0) { 450 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 451 "GnuTLS: Failed to initialize" 452 "keyring: (%d) %s", ret, gnutls_strerror(ret)); 453 ret = -1; 454 goto cleanup; 455 } 456 457 ret = gnutls_openpgp_keyring_import(sc->pgp_list, &data, 458 GNUTLS_OPENPGP_FMT_BASE64); 459 if (ret < 0) { 460 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 461 "GnuTLS: Failed to load " 462 "Keyring File '%s': (%d) %s", sc->pgp_ring_file, 463 ret, gnutls_strerror(ret)); 464 ret = -1; 465 goto cleanup; 466 } 467 } 468 469 if (sc->priorities_str) { 470 const char *err; 471 ret = gnutls_priority_init(&sc->priorities, sc->priorities_str, &err); 472 473 if (ret < 0) { 474 if (ret == GNUTLS_E_INVALID_REQUEST) { 475 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 476 "GnuTLS: Syntax error parsing priorities string at: %s", 477 err); 478 } else { 479 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 480 "GnuTLS: error parsing priorities string"); 481 482 } 483 ret = -1; 484 goto cleanup; 485 } 486 } 487 488 ret = 0; 489 cleanup: 98 490 apr_pool_destroy(spool); 99 491 492 return ret; 493 } 494 495 int mgs_pkcs11_reinit(server_rec * base_server) 496 { 497 int ret; 498 server_rec *s; 499 mgs_srvconf_rec *sc; 500 501 gnutls_pkcs11_reinit(); 502 503 for (s = base_server; s; s = s->next) { 504 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module); 505 506 /* gnutls caches the session in a private key, so we need to open 507 * a new one */ 508 if (sc->x509_key_file && gnutls_url_is_supported(sc->x509_key_file) != 0) { 509 gnutls_privkey_deinit(sc->privkey_x509); 510 511 ret = gnutls_privkey_init(&sc->privkey_x509); 512 if (ret < 0) { 513 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 514 "GnuTLS: Failed to initialize: (%d) %s", ret, 515 gnutls_strerror(ret)); 516 goto fail; 517 } 518 519 gnutls_privkey_set_pin_function(sc->privkey_x509, pin_callback, sc); 520 521 ret = gnutls_privkey_import_url(sc->privkey_x509, sc->x509_key_file, 0); 522 if (ret < 0) { 523 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 524 "GnuTLS: Failed to Re-Import Private Key URL '%s': (%d) %s", 525 sc->x509_key_file, ret, gnutls_strerror(ret)); 526 goto fail; 527 } 528 } 529 } 530 531 return 0; 532 533 fail: 534 gnutls_privkey_deinit(sc->privkey_x509); 535 return -1; 536 } 537 538 const char *mgs_set_dh_file(cmd_parms * parms, void *dummy __attribute__((unused)), 539 const char *arg) { 540 mgs_srvconf_rec *sc = 541 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 542 module_config, 543 &gnutls_module); 544 545 sc->dh_file = ap_server_root_relative(parms->pool, arg); 546 100 547 return NULL; 101 548 } … … 103 550 const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 104 551 105 int ret; 106 gnutls_datum_t data; 107 const char *file; 108 apr_pool_t *spool; 109 110 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 111 apr_pool_create(&spool, parms->pool); 112 113 file = ap_server_root_relative(spool, arg); 114 115 if (load_datum_from_file(spool, file, &data) != 0) { 116 apr_pool_destroy(spool); 117 return apr_psprintf(parms->pool, "GnuTLS: Error Reading Certificate '%s'", file); 118 } 119 120 sc->certs_x509_chain_num = MAX_CHAIN_SIZE; 121 ret = gnutls_x509_crt_list_import(sc->certs_x509_chain, &sc->certs_x509_chain_num, &data, GNUTLS_X509_FMT_PEM, 0); 122 if (ret < 0) { 123 apr_pool_destroy(spool); 124 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import Certificate '%s': (%d) %s", file, ret, gnutls_strerror(ret)); 125 } 126 127 apr_pool_destroy(spool); 552 mgs_srvconf_rec *sc = 553 (mgs_srvconf_rec *) ap_get_module_config(parms-> 554 server->module_config, 555 &gnutls_module); 556 557 sc->x509_cert_file = apr_pstrdup(parms->pool, arg); 558 128 559 return NULL; 129 560 … … 132 563 const char *mgs_set_key_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 133 564 134 int ret; 135 gnutls_datum_t data; 136 const char *file; 137 apr_pool_t *spool; 138 const char *out; 139 140 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 141 142 apr_pool_create(&spool, parms->pool); 143 144 file = ap_server_root_relative(spool, arg); 145 146 if (load_datum_from_file(spool, file, &data) != 0) { 147 out = apr_psprintf(parms->pool, "GnuTLS: Error Reading Private Key '%s'", file); 148 apr_pool_destroy(spool); 149 return out; 150 } 151 152 ret = gnutls_x509_privkey_init(&sc->privkey_x509); 153 154 if (ret < 0) { 155 apr_pool_destroy(spool); 156 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize: (%d) %s", ret, gnutls_strerror(ret)); 157 } 158 159 ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM); 160 161 if (ret < 0) { 162 ret = gnutls_x509_privkey_import_pkcs8(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM, NULL, GNUTLS_PKCS_PLAIN); 163 } 164 165 if (ret < 0) { 166 out = apr_psprintf(parms->pool, "GnuTLS: Failed to Import Private Key '%s': (%d) %s", file, ret, gnutls_strerror(ret)); 167 apr_pool_destroy(spool); 168 return out; 169 } 170 171 apr_pool_destroy(spool); 565 mgs_srvconf_rec *sc = 566 (mgs_srvconf_rec *) ap_get_module_config(parms-> 567 server->module_config, 568 &gnutls_module); 569 570 sc->x509_key_file = apr_pstrdup(parms->pool, arg); 172 571 173 572 return NULL; … … 175 574 176 575 const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy __attribute__((unused)), 177 const char *arg) { 178 int ret; 179 gnutls_datum_t data; 180 const char *file; 181 apr_pool_t *spool; 182 mgs_srvconf_rec *sc = 183 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 184 module_config, 185 &gnutls_module); 186 apr_pool_create(&spool, parms->pool); 187 188 file = ap_server_root_relative(spool, arg); 189 190 if (load_datum_from_file(spool, file, &data) != 0) { 191 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 192 "Certificate '%s'", file); 193 } 194 195 ret = gnutls_openpgp_crt_init(&sc->cert_pgp); 196 if (ret < 0) { 197 return apr_psprintf(parms->pool, "GnuTLS: Failed to Init " 198 "PGP Certificate: (%d) %s", ret, 199 gnutls_strerror(ret)); 200 } 201 202 ret = 203 gnutls_openpgp_crt_import(sc->cert_pgp, &data, 204 GNUTLS_OPENPGP_FMT_BASE64); 205 if (ret < 0) { 206 return apr_psprintf(parms->pool, 207 "GnuTLS: Failed to Import " 208 "PGP Certificate '%s': (%d) %s", file, 209 ret, gnutls_strerror(ret)); 210 } 211 212 apr_pool_destroy(spool); 576 const char *arg) 577 { 578 mgs_srvconf_rec *sc = 579 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 580 module_config, 581 &gnutls_module); 582 583 sc->pgp_cert_file = ap_server_root_relative(parms->pool, arg); 584 213 585 return NULL; 214 586 } … … 216 588 const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy __attribute__((unused)), 217 589 const char *arg) { 218 int ret; 219 gnutls_datum_t data; 220 const char *file; 221 apr_pool_t *spool; 222 mgs_srvconf_rec *sc = 223 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 224 module_config, 225 &gnutls_module); 226 apr_pool_create(&spool, parms->pool); 227 228 file = ap_server_root_relative(spool, arg); 229 230 if (load_datum_from_file(spool, file, &data) != 0) { 231 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 232 "Private Key '%s'", file); 233 } 234 235 ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp); 236 if (ret < 0) { 237 return apr_psprintf(parms->pool, 238 "GnuTLS: Failed to initialize" 239 ": (%d) %s", ret, 240 gnutls_strerror(ret)); 241 } 242 243 ret = 244 gnutls_openpgp_privkey_import(sc->privkey_pgp, &data, 245 GNUTLS_OPENPGP_FMT_BASE64, NULL, 246 0); 247 if (ret != 0) { 248 return apr_psprintf(parms->pool, 249 "GnuTLS: Failed to Import " 250 "PGP Private Key '%s': (%d) %s", file, 251 ret, gnutls_strerror(ret)); 252 } 253 apr_pool_destroy(spool); 590 mgs_srvconf_rec *sc = 591 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 592 module_config, 593 &gnutls_module); 594 595 sc->pgp_key_file = ap_server_root_relative(parms->pool, arg); 596 254 597 return NULL; 255 598 } … … 258 601 const char *arg) { 259 602 mgs_srvconf_rec *sc = 260 261 262 603 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 604 module_config, 605 &gnutls_module); 263 606 264 607 sc->tickets = 0; 265 608 if (strcasecmp("on", arg) == 0) { 266 609 sc->tickets = 1; 267 610 } 268 611 … … 276 619 const char *arg) { 277 620 mgs_srvconf_rec *sc = 278 279 280 621 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 622 module_config, 623 &gnutls_module); 281 624 282 625 sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg); … … 288 631 const char *arg) { 289 632 mgs_srvconf_rec *sc = 290 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 291 module_config, 292 &gnutls_module); 293 294 sc->srp_tpasswd_conf_file = 295 ap_server_root_relative(parms->pool, arg); 633 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 634 module_config, 635 &gnutls_module); 636 637 sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg); 296 638 297 639 return NULL; … … 304 646 const char *err; 305 647 mgs_srvconf_rec *sc = 306 307 648 ap_get_module_config(parms->server->module_config, 649 &gnutls_module); 308 650 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { 309 651 return err; 310 652 } 311 653 312 654 if (strcasecmp("none", type) == 0) { 313 314 315 655 sc->cache_type = mgs_cache_none; 656 sc->cache_config = NULL; 657 return NULL; 316 658 } else if (strcasecmp("dbm", type) == 0) { 317 659 sc->cache_type = mgs_cache_dbm; 318 660 } else if (strcasecmp("gdbm", type) == 0) { 319 661 sc->cache_type = mgs_cache_gdbm; 320 662 } 321 663 #if HAVE_APR_MEMCACHE 322 664 else if (strcasecmp("memcache", type) == 0) { 323 665 sc->cache_type = mgs_cache_memcache; 324 666 } 325 667 #endif 326 668 else { 327 669 return "Invalid Type for GnuTLSCache!"; 328 670 } 329 671 330 672 if (arg == NULL) 331 673 return "Invalid argument 2 for GnuTLSCache!"; 332 674 333 675 if (sc->cache_type == mgs_cache_dbm 334 || sc->cache_type == mgs_cache_gdbm) { 335 sc->cache_config = 336 ap_server_root_relative(parms->pool, arg); 676 || sc->cache_type == mgs_cache_gdbm) { 677 sc->cache_config = ap_server_root_relative(parms->pool, arg); 337 678 } else { 338 679 sc->cache_config = apr_pstrdup(parms->pool, arg); 339 680 } 340 681 … … 347 688 const char *err; 348 689 mgs_srvconf_rec *sc = 349 350 351 690 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 691 module_config, 692 &gnutls_module); 352 693 353 694 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { 354 695 return err; 355 696 } 356 697 … … 358 699 359 700 if (argint < 0) { 360 701 return "GnuTLSCacheTimeout: Invalid argument"; 361 702 } else if (argint == 0) { 362 703 sc->cache_timeout = 0; 363 704 } else { 364 705 sc->cache_timeout = apr_time_from_sec(argint); 365 706 } 366 707 … … 373 714 374 715 if (strcasecmp("cartel", arg) == 0) { 375 716 sc->client_verify_method = mgs_cvm_cartel; 376 717 } else if (strcasecmp("msva", arg) == 0) { 377 718 #ifdef ENABLE_MSVA 378 719 sc->client_verify_method = mgs_cvm_msva; 379 720 #else 380 721 return "GnuTLSClientVerifyMethod: msva is not supported"; 381 722 #endif 382 723 } else { 383 724 return "GnuTLSClientVerifyMethod: Invalid argument"; 384 725 } 385 726 … … 393 734 394 735 if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) { 395 736 mode = GNUTLS_CERT_IGNORE; 396 737 } else if (strcasecmp("optional", arg) == 0 397 398 738 || strcasecmp("request", arg) == 0) { 739 mode = GNUTLS_CERT_REQUEST; 399 740 } else if (strcasecmp("require", arg) == 0) { 400 741 mode = GNUTLS_CERT_REQUIRE; 401 742 } else { 402 743 return "GnuTLSClientVerify: Invalid argument"; 403 744 } 404 745 … … 408 749 dc->client_verify_mode = mode; 409 750 } else { 410 mgs_srvconf_rec *sc = 411 (mgs_srvconf_rec *) 412 ap_get_module_config(parms->server->module_config, 413 &gnutls_module); 414 sc->client_verify_mode = mode; 415 } 416 417 return NULL; 418 } 419 420 #define INIT_CA_SIZE 128 751 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 752 ap_get_module_config(parms->server->module_config, 753 &gnutls_module); 754 sc->client_verify_mode = mode; 755 } 756 757 return NULL; 758 } 421 759 422 760 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy __attribute__((unused)), 423 761 const char *arg) { 424 int rv; 425 const char *file; 426 apr_pool_t *spool; 427 gnutls_datum_t data; 428 429 mgs_srvconf_rec *sc = 430 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 431 module_config, 432 &gnutls_module); 433 apr_pool_create(&spool, parms->pool); 434 435 file = ap_server_root_relative(spool, arg); 436 437 if (load_datum_from_file(spool, file, &data) != 0) { 438 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 439 "Client CA File '%s'", file); 440 } 441 442 sc->ca_list_size = INIT_CA_SIZE; 443 sc->ca_list = malloc(sc->ca_list_size * sizeof (*sc->ca_list)); 444 if (sc->ca_list == NULL) { 445 return apr_psprintf(parms->pool, 446 "mod_gnutls: Memory allocation error"); 447 } 448 449 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, 450 &data, GNUTLS_X509_FMT_PEM, 451 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); 452 if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) { 453 return apr_psprintf(parms->pool, "GnuTLS: Failed to load " 454 "Client CA File '%s': (%d) %s", file, 455 rv, gnutls_strerror(rv)); 456 } 457 458 if (INIT_CA_SIZE < sc->ca_list_size) { 459 sc->ca_list = 460 realloc(sc->ca_list, 461 sc->ca_list_size * sizeof (*sc->ca_list)); 462 if (sc->ca_list == NULL) { 463 return apr_psprintf(parms->pool, 464 "mod_gnutls: Memory allocation error"); 465 } 466 467 /* re-read */ 468 rv = gnutls_x509_crt_list_import(sc->ca_list, 469 &sc->ca_list_size, &data, 470 GNUTLS_X509_FMT_PEM, 0); 471 472 if (rv < 0) { 473 return apr_psprintf(parms->pool, 474 "GnuTLS: Failed to load " 475 "Client CA File '%s': (%d) %s", 476 file, rv, gnutls_strerror(rv)); 477 } 478 } 479 480 apr_pool_destroy(spool); 762 mgs_srvconf_rec *sc = 763 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 764 module_config, 765 &gnutls_module); 766 767 sc->x509_ca_file = ap_server_root_relative(parms->pool, arg); 768 481 769 return NULL; 482 770 } … … 484 772 const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy __attribute__((unused)), 485 773 const char *arg) { 486 int rv; 487 const char *file; 488 apr_pool_t *spool; 489 gnutls_datum_t data; 490 491 mgs_srvconf_rec *sc = 492 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 493 module_config, 494 &gnutls_module); 495 apr_pool_create(&spool, parms->pool); 496 497 file = ap_server_root_relative(spool, arg); 498 499 if (load_datum_from_file(spool, file, &data) != 0) { 500 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 501 "Keyring File '%s'", file); 502 } 503 504 rv = gnutls_openpgp_keyring_init(&sc->pgp_list); 505 if (rv < 0) { 506 return apr_psprintf(parms->pool, 507 "GnuTLS: Failed to initialize" 508 "keyring: (%d) %s", rv, 509 gnutls_strerror(rv)); 510 } 511 512 rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, 513 GNUTLS_OPENPGP_FMT_BASE64); 514 if (rv < 0) { 515 return apr_psprintf(parms->pool, "GnuTLS: Failed to load " 516 "Keyring File '%s': (%d) %s", file, rv, 517 gnutls_strerror(rv)); 518 } 519 520 apr_pool_destroy(spool); 774 mgs_srvconf_rec *sc = 775 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 776 module_config, 777 &gnutls_module); 778 779 sc->pgp_ring_file = ap_server_root_relative(parms->pool, arg); 780 521 781 return NULL; 522 782 } … … 525 785 const char *arg) { 526 786 527 mgs_srvconf_rec *sc = (mgs_srvconf_rec *)528 787 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 788 ap_get_module_config(parms->server->module_config, &gnutls_module); 529 789 530 790 if (!strcasecmp(arg, "On")) { 531 791 sc->proxy_enabled = GNUTLS_ENABLED_TRUE; 532 792 } else if (!strcasecmp(arg, "Off")) { 533 793 sc->proxy_enabled = GNUTLS_ENABLED_FALSE; 534 794 } else { 535 795 return "SSLProxyEngine must be set to 'On' or 'Off'"; 536 796 } 537 797 … … 542 802 const char *arg) { 543 803 mgs_srvconf_rec *sc = 544 545 546 804 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 805 module_config, 806 &gnutls_module); 547 807 if (!strcasecmp(arg, "On")) { 548 808 sc->enabled = GNUTLS_ENABLED_TRUE; 549 809 } else if (!strcasecmp(arg, "Off")) { 550 810 sc->enabled = GNUTLS_ENABLED_FALSE; 551 811 } else { 552 812 return "GnuTLSEnable must be set to 'On' or 'Off'"; 553 813 } 554 814 … … 559 819 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 560 820 if (!strcasecmp(arg, "On")) { 561 821 sc->export_certificates_size = 16 * 1024; 562 822 } else if (!strcasecmp(arg, "Off")) { 563 823 sc->export_certificates_size = 0; 564 824 } else { 565 char* endptr; 566 sc->export_certificates_size = strtol(arg, &endptr, 10); 567 while (apr_isspace(*endptr)) endptr++; 568 if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') { 569 ; 570 } else if (*endptr == 'k' || *endptr == 'K') { 571 sc->export_certificates_size *= 1024; 572 } else { 573 return "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'"; 574 } 575 } 576 577 return NULL; 578 } 579 580 const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 581 582 int ret; 583 const char *err; 584 825 char *endptr; 826 sc->export_certificates_size = strtol(arg, &endptr, 10); 827 while (apr_isspace(*endptr)) 828 endptr++; 829 if (*endptr == '\0' || *endptr == 'b' || *endptr == 'B') { 830 ; 831 } else if (*endptr == 'k' || *endptr == 'K') { 832 sc->export_certificates_size *= 1024; 833 } else { 834 return 835 "GnuTLSExportCertificates must be set to a size (in bytes) or 'On' or 'Off'"; 836 } 837 } 838 839 return NULL; 840 } 841 842 const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) 843 { 585 844 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 586 ap_get_module_config(parms->server->module_config, &gnutls_module); 587 588 ret = gnutls_priority_init(&sc->priorities, arg, &err); 589 590 if (ret < 0) { 591 if (ret == GNUTLS_E_INVALID_REQUEST) { 592 return apr_psprintf(parms->pool, 593 "GnuTLS: Syntax error parsing priorities string at: %s", err); 594 } 595 return "Error setting priorities"; 596 } 597 598 return NULL; 599 } 600 601 static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, char** err) { 602 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof (*sc)); 603 int ret; 845 ap_get_module_config(parms->server->module_config, &gnutls_module); 846 847 sc->priorities_str = apr_pstrdup(parms->pool, arg); 848 849 return NULL; 850 } 851 852 const char *mgs_set_pin(cmd_parms * parms, void *dummy __attribute__((unused)), 853 const char *arg) 854 { 855 856 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 857 ap_get_module_config(parms->server->module_config, &gnutls_module); 858 859 sc->pin = apr_pstrdup(parms->pool, arg); 860 861 return NULL; 862 } 863 864 const char *mgs_set_srk_pin(cmd_parms * parms, 865 void *dummy __attribute__((unused)), 866 const char *arg) 867 { 868 869 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 870 ap_get_module_config(parms->server->module_config, &gnutls_module); 871 872 sc->srk_pin = apr_pstrdup(parms->pool, arg); 873 874 return NULL; 875 } 876 877 static mgs_srvconf_rec *_mgs_config_server_create(apr_pool_t * p, 878 char **err __attribute__((unused))) 879 { 880 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 604 881 605 882 sc->enabled = GNUTLS_ENABLED_UNSET; 606 883 607 ret = gnutls_certificate_allocate_credentials(&sc->certs);608 if (ret < 0) {609 *err = apr_psprintf(p, "GnuTLS: Failed to initialize"610 ": (%d) %s", ret,611 gnutls_strerror(ret));612 return NULL;613 }614 615 ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);616 if (ret < 0) {617 *err = apr_psprintf(p, "GnuTLS: Failed to initialize"618 ": (%d) %s", ret,619 gnutls_strerror(ret));620 return NULL;621 }622 #ifdef ENABLE_SRP623 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);624 if (ret < 0) {625 *err = apr_psprintf(p, "GnuTLS: Failed to initialize"626 ": (%d) %s", ret,627 gnutls_strerror(ret));628 return NULL;629 }630 631 sc->srp_tpasswd_conf_file = NULL;632 sc->srp_tpasswd_file = NULL;633 #endif634 884 635 885 sc->privkey_x509 = NULL; 636 /* Initialize all Certificate Chains */ 637 /* FIXME: how do we indicate that this is unset for a merge? (that 638 * is, how can a subordinate server override the chain by setting 639 * an empty one? what would that even look like in the 640 * configuration?) */ 641 sc->certs_x509_chain = malloc(MAX_CHAIN_SIZE * sizeof (*sc->certs_x509_chain)); 886 sc->privkey_pgp = NULL; 642 887 sc->certs_x509_chain_num = 0; 643 sc->cache_timeout = -1; 888 sc->cache_timeout = -1; /* -1 means "unset" */ 644 889 sc->cache_type = mgs_cache_unset; 645 890 sc->cache_config = NULL; … … 661 906 char *err = NULL; 662 907 mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); 663 if (sc) return sc; else return err; 908 if (sc) 909 return sc; 910 else 911 return err; 664 912 } 665 913 … … 667 915 #define gnutls_srvconf_assign(t) sc->t = add->t 668 916 669 void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD) { 917 void *mgs_config_server_merge(apr_pool_t * p, void *BASE, void *ADD) 918 { 670 919 int i; 671 920 char *err = NULL; 672 mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE;673 mgs_srvconf_rec *add = (mgs_srvconf_rec *) ADD;921 mgs_srvconf_rec *base = (mgs_srvconf_rec *) BASE; 922 mgs_srvconf_rec *add = (mgs_srvconf_rec *) ADD; 674 923 mgs_srvconf_rec *sc = _mgs_config_server_create(p, &err); 675 if (NULL == sc) return err; 924 if (NULL == sc) 925 return err; 676 926 677 927 gnutls_srvconf_merge(enabled, GNUTLS_ENABLED_UNSET); … … 683 933 gnutls_srvconf_merge(srp_tpasswd_file, NULL); 684 934 gnutls_srvconf_merge(srp_tpasswd_conf_file, NULL); 685 gnutls_srvconf_merge(privkey_x509, NULL); 686 gnutls_srvconf_merge(priorities, NULL); 687 gnutls_srvconf_merge(dh_params, NULL); 935 gnutls_srvconf_merge(x509_cert_file, NULL); 936 937 gnutls_srvconf_merge(x509_key_file, NULL); 938 gnutls_srvconf_merge(x509_ca_file, NULL); 939 gnutls_srvconf_merge(pin, NULL); 940 gnutls_srvconf_merge(pgp_cert_file, NULL); 941 gnutls_srvconf_merge(pgp_key_file, NULL); 942 gnutls_srvconf_merge(pgp_ring_file, NULL); 943 gnutls_srvconf_merge(dh_file, NULL); 944 gnutls_srvconf_merge(priorities_str, NULL); 688 945 689 946 /* FIXME: the following items are pre-allocated, and should be 690 947 * properly disposed of before assigning in order to avoid leaks; 691 948 * so at the moment, we can't actually have them in the config. 692 * what happens during de-allocation? 693 694 * This is probably leaky. 695 */ 949 * what happens during de-allocation? */ 950 gnutls_srvconf_assign(ca_list); 951 gnutls_srvconf_assign(ca_list_size); 952 gnutls_srvconf_assign(cert_pgp); 953 gnutls_srvconf_assign(cert_crt_pgp); 954 gnutls_srvconf_assign(pgp_list); 696 955 gnutls_srvconf_assign(certs); 697 956 gnutls_srvconf_assign(anon_creds); 698 957 gnutls_srvconf_assign(srp_creds); 699 958 gnutls_srvconf_assign(certs_x509_chain); 959 gnutls_srvconf_assign(certs_x509_crt_chain); 700 960 gnutls_srvconf_assign(certs_x509_chain_num); 701 961 … … 704 964 gnutls_srvconf_assign(cert_cn); 705 965 for (i = 0; i < MAX_CERT_SAN; i++) 706 gnutls_srvconf_assign(cert_san[i]); 707 gnutls_srvconf_assign(ca_list); 708 gnutls_srvconf_assign(ca_list_size); 709 gnutls_srvconf_assign(cert_pgp); 710 gnutls_srvconf_assign(pgp_list); 711 gnutls_srvconf_assign(privkey_pgp); 966 gnutls_srvconf_assign(cert_san[i]); 712 967 713 968 return sc; … … 724 979 mgs_dirconf_rec *add = (mgs_dirconf_rec *) addv; 725 980 726 new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof 981 new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec)); 727 982 new->client_verify_mode = add->client_verify_mode; 728 983 return new; … … 735 990 return dc; 736 991 } 737 -
src/gnutls_hooks.c
r9a06bbd rc4a015b 171 171 172 172 static int cert_retrieve_fn(gnutls_session_t session, 173 const gnutls_datum_t * req_ca_rdn __attribute__((unused)), int nreqs __attribute__((unused)), 174 const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)), int pk_algos_length __attribute__((unused)), 175 gnutls_retr2_st *ret) { 176 177 178 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 179 180 mgs_handle_t *ctxt; 173 const gnutls_datum_t * req_ca_rdn __attribute__((unused)), 174 int nreqs __attribute__((unused)), 175 const gnutls_pk_algorithm_t * pk_algos __attribute__((unused)), 176 int pk_algos_length __attribute__((unused)), 177 gnutls_pcert_st **pcerts, 178 unsigned int *pcert_length, 179 gnutls_privkey_t *privkey) 180 { 181 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 182 183 mgs_handle_t *ctxt; 181 184 182 185 if (session == NULL) { 183 186 // ERROR INVALID SESSION 184 ret->ncerts = 0;185 ret->deinit_all = 1;186 187 return -1; 187 } 188 } 189 188 190 ctxt = gnutls_transport_get_ptr(session); 189 191 190 192 if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) { 191 193 // X509 CERTIFICATE 192 ret->cert_type = GNUTLS_CRT_X509; 193 ret->key_type = GNUTLS_PRIVKEY_X509; 194 ret->ncerts = ctxt->sc->certs_x509_chain_num; 195 ret->deinit_all = 0; 196 ret->cert.x509 = ctxt->sc->certs_x509_chain; 197 ret->key.x509 = ctxt->sc->privkey_x509; 194 *pcerts = ctxt->sc->certs_x509_chain; 195 *pcert_length = ctxt->sc->certs_x509_chain_num; 196 *privkey = ctxt->sc->privkey_x509; 198 197 return 0; 199 198 } else if (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP) { 200 199 // OPENPGP CERTIFICATE 201 ret->cert_type = GNUTLS_CRT_OPENPGP; 202 ret->key_type = GNUTLS_PRIVKEY_OPENPGP; 203 ret->ncerts = 1; 204 ret->deinit_all = 0; 205 ret->cert.pgp = ctxt->sc->cert_pgp; 206 ret->key.pgp = ctxt->sc->privkey_pgp; 200 *pcerts = ctxt->sc->cert_pgp; 201 *pcert_length = 1; 202 *privkey = ctxt->sc->privkey_pgp; 207 203 return 0; 208 204 } else { 209 205 // UNKNOWN CERTIFICATE 210 ret->ncerts = 0;211 ret->deinit_all = 1;212 206 return -1; 213 207 } 214 208 } 215 216 /* 2048-bit group parameters from SRP specification */217 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"218 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"219 "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"220 "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"221 "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"222 "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"223 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"224 "-----END DH PARAMETERS-----\n";225 209 226 210 /* Read the common name or the alternative name of the certificate. … … 322 306 } 323 307 324 325 308 s = base_server; 326 309 sc_base = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module); 327 310 328 gnutls_dh_params_init(&dh_params);329 330 if (sc_base->dh_params == NULL) {331 gnutls_datum_t pdata = {332 (void *) static_dh_params,333 sizeof(static_dh_params)334 };335 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, GNUTLS_X509_FMT_PEM);336 /* Generate DH Params337 int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,338 GNUTLS_SEC_PARAM_NORMAL);339 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,340 "GnuTLS: Generating DH Params of %i bits. "341 "To avoid this use GnuTLSDHFile to specify DH Params for this host",342 dh_bits);343 #if MOD_GNUTLS_DEBUG344 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,345 "GnuTLS: Generated DH Params of %i bits",dh_bits);346 #endif347 rv = gnutls_dh_params_generate2 (dh_params,dh_bits);348 */349 if (rv < 0) {350 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,351 "GnuTLS: Unable to generate or load DH Params: (%d) %s",352 rv, gnutls_strerror(rv));353 exit(rv);354 }355 } else {356 dh_params = sc_base->dh_params;357 }358 311 359 312 rv = mgs_cache_post_config(p, s, sc_base); … … 370 323 sc->cache_config = sc_base->cache_config; 371 324 sc->cache_timeout = sc_base->cache_timeout; 325 326 rv = mgs_load_files(p, s); 327 if (rv != 0) { 328 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 329 "GnuTLS: Loading required files failed." 330 " Shutting Down."); 331 exit(-1); 332 } 372 333 373 334 /* defaults for unset values: */ … … 383 344 sc->client_verify_method = mgs_cvm_cartel; 384 345 385 386 346 /* Check if the priorities have been set */ 387 347 if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { … … 401 361 } 402 362 403 gnutls_certificate_set_retrieve_function(sc->certs, cert_retrieve_fn); 404 405 #ifdef ENABLE_SRP 406 if (sc->srp_tpasswd_conf_file != NULL 407 && sc->srp_tpasswd_file != NULL) { 408 rv = gnutls_srp_set_server_credentials_file 409 (sc->srp_creds, sc->srp_tpasswd_file, 410 sc->srp_tpasswd_conf_file); 411 412 if (rv < 0 && sc->enabled == GNUTLS_ENABLED_TRUE) { 413 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, 414 s, 415 "[GnuTLS] - Host '%s:%d' is missing a " 416 "SRP password or conf File!", 417 s->server_hostname, s->port); 418 exit(-1); 419 } 420 } 421 #endif 363 gnutls_certificate_set_retrieve_function2(sc->certs, cert_retrieve_fn); 422 364 423 365 if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) && 424 366 sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { 425 367 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 426 " [GnuTLS] -Host '%s:%d' is missing a Certificate File!",368 "GnuTLS: Host '%s:%d' is missing a Certificate File!", 427 369 s->server_hostname, s->port); 428 370 exit(-1); 429 371 } 430 431 372 if (sc->enabled == GNUTLS_ENABLED_TRUE && 432 ((sc->certs_x509_chain != NULL && sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||433 (sc->cert_ pgp!= NULL && sc->privkey_pgp == NULL))) {373 ((sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) || 374 (sc->cert_crt_pgp[0] != NULL && sc->privkey_pgp == NULL))) { 434 375 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 435 " [GnuTLS] -Host '%s:%d' is missing a Private Key File!",376 "GnuTLS: Host '%s:%d' is missing a Private Key File!", 436 377 s->server_hostname, s->port); 437 378 exit(-1); … … 441 382 rv = -1; 442 383 if (sc->certs_x509_chain_num > 0) { 443 rv = read_crt_cn(s, p, sc->certs_x509_c hain[0], &sc->cert_cn);384 rv = read_crt_cn(s, p, sc->certs_x509_crt_chain[0], &sc->cert_cn); 444 385 } 445 386 if (rv < 0 && sc->cert_pgp != NULL) { 446 rv = read_pgpcrt_cn(s, p, sc->cert_ pgp, &sc->cert_cn);387 rv = read_pgpcrt_cn(s, p, sc->cert_crt_pgp[0], &sc->cert_cn); 447 388 } 448 389 449 390 if (rv < 0) { 450 391 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 451 " [GnuTLS] -Cannot find a certificate for host '%s:%d'!",392 "GnuTLS: Cannot find a certificate for host '%s:%d'!", 452 393 s->server_hostname, s->port); 453 394 sc->cert_cn = NULL; … … 474 415 } 475 416 476 void mgs_hook_child_init(apr_pool_t * p, server_rec * 417 void mgs_hook_child_init(apr_pool_t * p, server_rec *s) { 477 418 apr_status_t rv = APR_SUCCESS; 478 mgs_srvconf_rec *sc = ap_get_module_config(s->module_config, 479 &gnutls_module); 480 481 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 419 mgs_srvconf_rec *sc = 420 (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module); 421 422 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 423 /* if we use PKCS #11 reinitialize it */ 424 425 if (mgs_pkcs11_reinit(s) < 0) { 426 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 427 "GnuTLS: Failed to reinitialize PKCS #11"); 428 exit(-1); 429 } 430 482 431 if (sc->cache_type != mgs_cache_none) { 483 432 rv = mgs_cache_child_init(p, s, sc); 484 433 if (rv != APR_SUCCESS) { 485 434 ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, 486 " [GnuTLS] -Failed to run Cache Init");435 "GnuTLS: Failed to run Cache Init"); 487 436 } 488 437 } … … 605 554 606 555 if (tsc->certs_x509_chain_num > 0) { 607 /* why are we doing this check? */ 608 ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[0], s->server_hostname); 556 /* this check is there to warn administrator of any missing hostname 557 * in the certificate. */ 558 ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_crt_chain[0], s->server_hostname); 609 559 if (0 == ret) 610 ap_log_error(APLOG_MARK, APLOG_ INFO, 0, s,611 "GnuTLS: Error checking certificate forhostname "560 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 561 "GnuTLS: the certificate doesn't match requested hostname " 612 562 "'%s'", s->server_hostname); 613 563 } else { … … 841 791 842 792 if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) { 843 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0, ctxt->sc->export_certificates_size);844 845 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_ pgp, 0, ctxt->sc->export_certificates_size);846 793 mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_crt_chain[0], 0, ctxt->sc->export_certificates_size); 794 } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) { 795 mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_crt_pgp[0], 0, ctxt->sc->export_certificates_size); 796 } 847 797 848 798 return rv; -
src/mod_gnutls.c
r9a06bbd rc4a015b 118 118 RSRC_CONF | OR_AUTHCFG, 119 119 "Enable SSL Proxy Engine"), 120 AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin, 121 NULL, 122 RSRC_CONF, 123 "The PIN to use in case of encrypted keys or PKCS #11 tokens."), 124 AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin, 125 NULL, 126 RSRC_CONF, 127 "The SRK PIN to use in case of TPM keys."), 120 128 AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, 121 129 NULL,
Note: See TracChangeset
for help on using the changeset viewer.