Changeset ec06980 in mod_gnutls


Timestamp:
Jan 11, 2013, 12:55:31 AM (6 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, upstream
Children:
40ac29f, a4839ae
Parents:
70c2d86
Message:

Imported Upstream version 0.4.0

Files:
1 deleted
11 edited

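--- a/Makefile.in
+++ b/Makefile.in
@@ -37,7 +37,6 @@
         $(srcdir)/Makefile.in $(srcdir)/config.in \
         $(top_srcdir)/configure $(top_srcdir)/include/mod_gnutls.h.in \
-        config/compile config/config.guess config/config.sub \
-        config/depcomp config/install-sh config/ltmain.sh \
-        config/missing
+        config/config.guess config/config.sub config/depcomp \
+        config/install-sh config/ltmain.sh config/missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \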
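--- a/README
+++ b/README
@@ -62,5 +62,5 @@
 
 
-# a more advance configuration
+# a more advanced configuration
 GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
 GnuTLSCacheTimeout 500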
  • autogen.sh

    • Property mode changed from 100644 to 100755
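--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for mod_gnutls 0.3.4.
+# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.0.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -727,6 +727,6 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.3.4'
-PACKAGE_STRING='mod_gnutls 0.3.4'
+PACKAGE_VERSION='0.4.0'
+PACKAGE_STRING='mod_gnutls 0.4.0'
 PACKAGE_BUGREPORT=''
 
@@ -1426,5 +1426,5 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.3.4 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.4.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1497,5 +1497,5 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.3.4:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.4.0:";;
    esac
   cat <<\_ACEOF
@@ -1607,5 +1607,5 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.3.4
+mod_gnutls configure 0.4.0
 generated by GNU Autoconf 2.61
 
@@ -1621,5 +1621,5 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.3.4, which was
+It was created by mod_gnutls $as_me 0.4.0, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -1992,5 +1992,5 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.3.4
+MOD_GNUTLS_VERSION=0.4.0
 
 
@@ -2493,5 +2493,5 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.3.4
+ VERSION=0.4.0
 
 
@@ -20133,5 +20133,5 @@
 
 
-MIN_TLS_VERSION=2.1.5
+MIN_TLS_VERSION=2.1.7
 
 
@@ -21396,5 +21396,5 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.3.4, which was
+This file was extended by mod_gnutls $as_me 0.4.0, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -21449,5 +21449,5 @@
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-mod_gnutls config.status 0.3.4
+mod_gnutls config.status 0.4.0
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"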
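--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
 dnl
-AC_INIT(mod_gnutls, 0.3.4)
+AC_INIT(mod_gnutls, 0.4.0)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -29,5 +29,5 @@
 dnl AC_SUBST(LIBTOOL)
 
-MIN_TLS_VERSION=2.1.5
+MIN_TLS_VERSION=2.1.7
 CHECK_LIBGNUTLS($MIN_TLS_VERSION)
 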
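--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -4,7 +4,7 @@
 
 rsafile:
-        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile
 dhfile:
-        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile
 
 clean: clean-am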
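Review bot: Dropping `--quick-random` leaves `--bits 512` on the RSA key at new line 6 and `--bits 1024` on the DH parameters at new line 8; a 512-bit RSA key is far below any accepted minimum, and a GnuTLS build that enforces a minimum key size may refuse to load it, so whatever consumes these fixtures could start failing as the library tightens defaults. If the files are only test fixtures, `--bits 2048` for both keeps them realistic at a modest cost in generation time. The same two recipe lines are repeated in data/Makefile.in, which is generated from this file, so regenerate it after changing them here.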
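--- a/data/Makefile.in
+++ b/data/Makefile.in
@@ -387,7 +387,7 @@
 
 rsafile:
-        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile
 dhfile:
-        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile
 
 clean: clean-am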
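--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -96,10 +96,6 @@
      */
     int export_certificates_enabled;
-    int ciphers[MAX_CIPHERS];
-    int key_exchange[MAX_CIPHERS];
-    int macs[MAX_CIPHERS];
-    int protocol[MAX_CIPHERS];
-    int compression[MAX_CIPHERS];
-    int cert_types[MAX_CIPHERS];    apr_time_t cache_timeout;
+    gnutls_priority_t priorities;
+    int cache_timeout;
     mgs_cache_e cache_type;
     const char* cache_config;
@@ -271,13 +267,5 @@
 const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy,
                             const char *arg);
-const char *mgs_set_ciphers(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_kx(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_mac(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_compression(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_protocols(cmd_parms * parms, void *dummy,
+const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                             const char *arg);
                            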
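Review bot: `cache_timeout` changes type from `apr_time_t` to `int` at new line 99 with no accompanying hunk in the cache code, so any assignment or comparison that still treats the field as an `apr_time_t` (64-bit microseconds) will silently truncate on conversion; the struct is cut at both edges of the hunk and its users are not visible here, so this needs checking against the cache implementation. The field also carries no unit, which is exactly what a reader of `GnuTLSCacheTimeout 500` in the README needs; once confirmed, annotate it, e.g. `int cache_timeout;    /* GnuTLSCacheTimeout value; unit: TODO confirm (seconds?) */`.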
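--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -330,88 +330,26 @@
 
 
-const char *mgs_set_mac(cmd_parms * parms, void *dummy, const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_mac_convert_priority( sc->macs, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSMACAlgorithms must be a comma separated list of SHA-1 or MD5";
-
-    return NULL;
-}
-
-const char *mgs_set_kx(cmd_parms * parms, void *dummy, const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_kx_convert_priority( sc->key_exchange, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSKeyExchangeAlgorithms must be a comma separated list of RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, ANON";
-
-    return NULL;
-}
-
-
-const char *mgs_set_ciphers(cmd_parms * parms, void *dummy,
-                            const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_cipher_convert_priority( sc->ciphers, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSCiphers must be a comma separated list of AES-128-CBC, CAMELIA-128-CBC, ARCFOUR-128, 3DES-CBC or ARCFOUR-40";
-
-    return NULL;
-}
-
-
-const char *mgs_set_compression(cmd_parms * parms, void *dummy,
-                                const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_compression_convert_priority( sc->compression, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSCompressionMethods must be a comma separated list of NULL or DEFLATE";
-
-    return NULL;
-}
-
-const char *mgs_set_protocols(cmd_parms * parms, void *dummy,
-                                const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_protocol_convert_priority( sc->protocol, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSProtocols must be a comma separated list of TLS1.1, TLS1.0 or SSL3.0";
-
-    return NULL;
-}
-
+const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
+{
+    int ret;
+    const char *err;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+
+
+    ret = gnutls_priority_init( &sc->priorities, arg, &err);
+    if (ret < 0) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        return apr_psprintf(parms->pool, "GnuTLS: Syntax error parsing priorities string at: %s", err);
+      return "Error setting priorities";
+    }
+
+    return NULL;
+}
 
 void *mgs_config_server_create(apr_pool_t * p, server_rec * s)
 {
-    int i;
     mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
 
@@ -435,24 +373,4 @@
     sc->client_verify_mode = GNUTLS_CERT_IGNORE;
 
-    if (sc->protocol[0]==0) {
-      i = 0;
-      sc->protocol[i++] = GNUTLS_TLS1_1;
-      sc->protocol[i++] = GNUTLS_TLS1;
-      sc->protocol[i++] = GNUTLS_SSL3;
-      sc->protocol[i] = 0;
-    }
-
-    if (sc->compression[0]==0) {
-      i = 0;
-      sc->compression[i++] = GNUTLS_COMP_NULL;
-      sc->compression[i] = 0;
-    }
-
-    if (sc->cert_types[0]==0) {
-      i = 0;
-      sc->cert_types[i++] = GNUTLS_CRT_X509;
-      sc->cert_types[i] = 0;
-    }
-
     return sc;
 }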
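Review bot: `mgs_set_priorities` overwrites `sc->priorities` on every call, so a second GnuTLSPriorities directive in the same server scope leaks the object created by the first, and nothing in the hunk deinitialises it at pool cleanup either. The generic error path at new line 346 returns the fixed string "Error setting priorities" and discards the GnuTLS error code that `gnutls_strerror(ret)` would explain to the administrator. With the default-filling code removed from `mgs_config_server_create` (which continues past the first hunk), `sc->priorities` stays NULL from `apr_pcalloc` for any server that never sets the directive; where that case is caught at startup is not visible here and deserves a comment on the struct field or the create function. Deinit before re-init and report the reason, as below.
```c
const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
{
    /* … unchanged: ret/err declarations and the ap_get_module_config lookup … */

    /* A repeated GnuTLSPriorities in the same scope would otherwise leak
     * the priority object created by the first directive. */
    if (sc->priorities != NULL) {
        gnutls_priority_deinit(sc->priorities);
        sc->priorities = NULL;
    }

    ret = gnutls_priority_init( &sc->priorities, arg, &err);
    if (ret < 0) {
      if (ret == GNUTLS_E_INVALID_REQUEST)
        return apr_psprintf(parms->pool, "GnuTLS: Syntax error parsing priorities string at: %s", err);
      return apr_psprintf(parms->pool, "GnuTLS: Error setting priorities: %s", gnutls_strerror(ret));
    }

    return NULL;
}
```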
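--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -125,8 +125,12 @@
 }
 
+/* We don't support openpgp certificates, yet */
+const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
+
 static int mgs_select_virtual_server_cb( gnutls_session_t session)
 {
     mgs_handle_t *ctxt;
     mgs_srvconf_rec *tsc;
+    int ret;
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -155,24 +159,17 @@
     }
 
-    /* enable the default priorities and override them later on
+    /* update the priorities - to avoid negotiating a ciphersuite that is not
+     * enabled on this virtual server. Note that here we ignore the version
+     * negotiation.
      */
-    gnutls_set_default_priority( session);
-
-    /* update the priorities - to avoid negotiating a ciphersuite that is not
-     * enabled on this virtual server
-     */
-    if (ctxt->sc->ciphers[0] != 0)
-      gnutls_cipher_set_priority(session, ctxt->sc->ciphers);
-    if (ctxt->sc->compression[0] != 0)
-      gnutls_compression_set_priority(session, ctxt->sc->compression);
-    if (ctxt->sc->key_exchange[0] != 0)
-      gnutls_kx_set_priority(session, ctxt->sc->key_exchange);
-    if (ctxt->sc->macs[0] != 0)
-      gnutls_mac_set_priority(session, ctxt->sc->macs);
-    if (ctxt->sc->cert_types[0] != 0)
-      gnutls_certificate_type_set_priority(session, ctxt->sc->cert_types);
-
-    /* allow separate caches per virtual host. Actually allowing the same is not
-     * a good idea, especially if they have different security requirements.
+    ret = gnutls_priority_set( session, ctxt->sc->priorities);
+    gnutls_certificate_type_set_priority( session, cert_type_prio);
+   
+   
+    /* actually it shouldn't fail since we have checked at startup */
+    if (ret < 0) return ret;
+
+    /* allow separate caches per virtual host. Actually allowing the same is a
+     * bad idea, since they might have different security requirements.
      */
     mgs_cache_session_init(ctxt);
@@ -535,5 +532,7 @@
 
 
-
+static const int protocol_priority[] = {
+  GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+         
 
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
@@ -565,6 +564,10 @@
      */
     gnutls_session_enable_compatibility_mode( ctxt->session);
-
-    gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+   
+    /* because we don't set any default priorities here (we set later at
+     * the user hello callback) we need to at least set this in order for
+     * gnutls to be able to read packets.
+     */
+    gnutls_protocol_set_priority( ctxt->session, protocol_priority);
 
     gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);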
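Review bot: `protocol_priority` at new line 534 unconditionally lists `GNUTLS_SSL3` and is applied to every session in `create_gnutls_handle` before the client hello is read, while the comment added at lines 161-163 states that the callback deliberately ignores version negotiation; if `gnutls_priority_set` in the callback does not narrow the version already chosen from that table, a GnuTLSPriorities string that excludes SSL3.0 would still permit an SSL 3.0 session, which needs confirming against GnuTLS's post-client-hello behaviour and then either fixing or documenting next to the table. In `mgs_select_virtual_server_cb`, which continues outside the hunk, the return value of `gnutls_certificate_type_set_priority` is discarded, and the comment "it shouldn't fail since we have checked at startup" should name where that check lives, since `sc->priorities` is NULL for a server that never set the directive. Style: `const static int cert_type_prio[2]` at new line 128 should read `static const int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };` to match the `protocol_priority` declaration.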
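--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -97,24 +97,8 @@
                   RSRC_CONF,
                   "Cache Configuration"),
-    AP_INIT_RAW_ARGS("GnuTLSCiphers", mgs_set_ciphers,
+    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                   NULL,
                   RSRC_CONF,
-                  "The ciphers to enable (AES-128, 3DES, ARCFOUR-128, ARCFOUR-40)"),
-    AP_INIT_RAW_ARGS("GnuTLSKeyExchangeAlgorithms", mgs_set_kx,
-                  NULL,
-                  RSRC_CONF,
-                  "The key exchange algorithms to enable (RSA, DHE-RSA, DHE-DSS, RSA-EXPORT, SRP, SRP-RSA, SRP-DSS)"),
-    AP_INIT_RAW_ARGS("GnuTLSMACAlgorithms", mgs_set_mac,
-                  NULL,
-                  RSRC_CONF,
-                  "The MAC algorithms to utilize (SHA-1, MD5)"),
-    AP_INIT_RAW_ARGS("GnuTLSCompressionMethods", mgs_set_compression,
-                  NULL,
-                  RSRC_CONF,
-                  "The compression methods to utilize (NULL, ZLIB)"),
-    AP_INIT_RAW_ARGS("GnuTLSProtocols", mgs_set_protocols,
-                  NULL,
-                  RSRC_CONF,
-                  "The TLS protocol version to use (TLS1.1, TLS1.0, SSL3.0)"),
+                  "The priorities to enable (ciphers, Key exchange, macs, compression)"),
     AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
                   NULL,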
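Review bot: The five removed directives (GnuTLSCiphers, GnuTLSKeyExchangeAlgorithms, GnuTLSMACAlgorithms, GnuTLSCompressionMethods, GnuTLSProtocols) get no compatibility shim, so an existing configuration that uses any of them will now refuse to start with an unknown-directive error; the README hunk in this changeset does not mention the migration to GnuTLSPriorities, and the help string at new line 102 is the only description of the new directive. That string also mixes cases and does not say what kind of value is expected; `"The GnuTLS priority string to enable (ciphers, key exchange, MACs, compression)"` reads consistently and points the administrator at the right GnuTLS concept. The `AP_INIT_*` table continues outside the hunk on both sides.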