Changeset ec06980 in mod_gnutls

Timestamp:

Jan 11, 2013, 12:55:31 AM (8 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, upstream

Children:

40ac29f, a4839ae

Parents:

70c2d86

Message:

Imported Upstream version 0.4.0

Files:

• Makefile.in (modified) (1 diff)
• README (modified) (1 diff)
• autogen.sh (modified) (1 prop)
• config/compile (deleted)
• configure (modified) (11 diffs)
• configure.ac (modified) (2 diffs)
• data/Makefile.am (modified) (1 diff)
• data/Makefile.in (modified) (1 diff)
• include/mod_gnutls.h.in (modified) (2 diffs)
• src/gnutls_config.c (modified) (2 diffs)
• src/gnutls_hooks.c (modified) (4 diffs)
• src/mod_gnutls.c (modified) (1 diff)

Makefile.in

@@ -37 +37 @@
         $(srcdir)/Makefile.in $(srcdir)/config.in \
         $(top_srcdir)/configure $(top_srcdir)/include/mod_gnutls.h.in \
-        config/compile config/config.guess config/config.sub \
-        config/depcomp config/install-sh config/ltmain.sh \
-        config/missing
+        config/config.guess config/config.sub config/depcomp \
+        config/install-sh config/ltmain.sh config/missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/apache.m4 \

README

@@ -62 +62 @@
 
 
-# a more advance configuration
+# a more advanced configuration
 GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
 GnuTLSCacheTimeout 500

configure

@@ -1 +1 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for mod_gnutls 0.3.4.
+# Generated by GNU Autoconf 2.61 for mod_gnutls 0.4.0.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -727 +727 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.3.4'
-PACKAGE_STRING='mod_gnutls 0.3.4'
+PACKAGE_VERSION='0.4.0'
+PACKAGE_STRING='mod_gnutls 0.4.0'
 PACKAGE_BUGREPORT=''
 
@@ -1426 +1426 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.3.4 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.4.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1497 +1497 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.3.4:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.4.0:";;
    esac
   cat <<\_ACEOF
@@ -1607 +1607 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.3.4
+mod_gnutls configure 0.4.0
 generated by GNU Autoconf 2.61
 
@@ -1621 +1621 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.3.4, which was
+It was created by mod_gnutls $as_me 0.4.0, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -1992 +1992 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.3.4
+MOD_GNUTLS_VERSION=0.4.0
 
 
@@ -2493 +2493 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.3.4
+ VERSION=0.4.0
 
 
@@ -20133 +20133 @@
 
 
-MIN_TLS_VERSION=2.1.5
+MIN_TLS_VERSION=2.1.7
 
 
@@ -21396 +21396 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.3.4, which was
+This file was extended by mod_gnutls $as_me 0.4.0, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -21449 +21449 @@
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-mod_gnutls config.status 0.3.4
+mod_gnutls config.status 0.4.0
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.3.4)
+AC_INIT(mod_gnutls, 0.4.0)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -29 +29 @@
 dnl AC_SUBST(LIBTOOL)
 
-MIN_TLS_VERSION=2.1.5
+MIN_TLS_VERSION=2.1.7
 CHECK_LIBGNUTLS($MIN_TLS_VERSION)
 

data/Makefile.am

@@ -4 +4 @@
 
 rsafile:
-        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile
 dhfile:
-        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile
 
 clean: clean-am

data/Makefile.in

@@ -387 +387 @@
 
 rsafile:
-        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-privkey --bits 512 --outfile rsafile
 dhfile:
-        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile --quick-random
+        ${GNUTLS_CERTTOOL} --generate-dh-params --bits 1024 --outfile dhfile
 
 clean: clean-am

include/mod_gnutls.h.in

@@ -96 +96 @@
      */
     int export_certificates_enabled;
-    int ciphers[MAX_CIPHERS];
-    int key_exchange[MAX_CIPHERS];
-    int macs[MAX_CIPHERS];
-    int protocol[MAX_CIPHERS];
-    int compression[MAX_CIPHERS];
-    int cert_types[MAX_CIPHERS];    apr_time_t cache_timeout;
+    gnutls_priority_t priorities;
+    int cache_timeout;
     mgs_cache_e cache_type;
     const char* cache_config;
@@ -271 +267 @@
 const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy,
                             const char *arg);
-const char *mgs_set_ciphers(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_kx(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_mac(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_compression(cmd_parms * parms, void *dummy,
-                            const char *arg);
-const char *mgs_set_protocols(cmd_parms * parms, void *dummy,
+const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                             const char *arg);
                             

src/gnutls_config.c

@@ -330 +330 @@
 
 
-const char *mgs_set_mac(cmd_parms * parms, void *dummy, const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_mac_convert_priority( sc->macs, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSMACAlgorithms must be a comma separated list of SHA-1 or MD5";
-
-    return NULL;
-}
-
-const char *mgs_set_kx(cmd_parms * parms, void *dummy, const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_kx_convert_priority( sc->key_exchange, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0) 
-        return "GnuTLSKeyExchangeAlgorithms must be a comma separated list of RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, ANON";
-
-    return NULL;
-}
-
-
-const char *mgs_set_ciphers(cmd_parms * parms, void *dummy,
-                            const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_cipher_convert_priority( sc->ciphers, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0) 
-        return "GnuTLSCiphers must be a comma separated list of AES-128-CBC, CAMELIA-128-CBC, ARCFOUR-128, 3DES-CBC or ARCFOUR-40";
-
-    return NULL;
-}
-
-
-const char *mgs_set_compression(cmd_parms * parms, void *dummy,
-                                const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_compression_convert_priority( sc->compression, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0) 
-        return "GnuTLSCompressionMethods must be a comma separated list of NULL or DEFLATE";
-
-    return NULL;
-}
-
-const char *mgs_set_protocols(cmd_parms * parms, void *dummy,
-                                const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_protocol_convert_priority( sc->protocol, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0) 
-        return "GnuTLSProtocols must be a comma separated list of TLS1.1, TLS1.0 or SSL3.0";
-
-    return NULL;
-}
-
+const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
+{
+    int ret;
+    const char *err;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+
+
+    ret = gnutls_priority_init( &sc->priorities, arg, &err);
+    if (ret < 0) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        return apr_psprintf(parms->pool, "GnuTLS: Syntax error parsing priorities string at: %s", err);
+      return "Error setting priorities";
+    }
+
+    return NULL;
+}
 
 void *mgs_config_server_create(apr_pool_t * p, server_rec * s)
 {
-    int i;
     mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
 
@@ -435 +373 @@
     sc->client_verify_mode = GNUTLS_CERT_IGNORE;
 
-    if (sc->protocol[0]==0) {
-      i = 0;
-      sc->protocol[i++] = GNUTLS_TLS1_1;
-      sc->protocol[i++] = GNUTLS_TLS1;
-      sc->protocol[i++] = GNUTLS_SSL3;
-      sc->protocol[i] = 0;
-    }
-
-    if (sc->compression[0]==0) {
-      i = 0;
-      sc->compression[i++] = GNUTLS_COMP_NULL;
-      sc->compression[i] = 0;
-    }
-
-    if (sc->cert_types[0]==0) {
-      i = 0;
-      sc->cert_types[i++] = GNUTLS_CRT_X509;
-      sc->cert_types[i] = 0;
-    }
-
     return sc;
 }

src/gnutls_hooks.c

@@ -125 +125 @@
 }
 
+/* We don't support openpgp certificates, yet */
+const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
+
 static int mgs_select_virtual_server_cb( gnutls_session_t session)
 {
     mgs_handle_t *ctxt;
     mgs_srvconf_rec *tsc;
+    int ret;
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -155 +159 @@
     }
 
-    /* enable the default priorities and override them later on
+    /* update the priorities - to avoid negotiating a ciphersuite that is not
+     * enabled on this virtual server. Note that here we ignore the version
+     * negotiation.
      */
-    gnutls_set_default_priority( session);
-
-    /* update the priorities - to avoid negotiating a ciphersuite that is not
-     * enabled on this virtual server
-     */
-    if (ctxt->sc->ciphers[0] != 0)
-      gnutls_cipher_set_priority(session, ctxt->sc->ciphers);
-    if (ctxt->sc->compression[0] != 0)
-      gnutls_compression_set_priority(session, ctxt->sc->compression);
-    if (ctxt->sc->key_exchange[0] != 0)
-      gnutls_kx_set_priority(session, ctxt->sc->key_exchange);
-    if (ctxt->sc->macs[0] != 0)
-      gnutls_mac_set_priority(session, ctxt->sc->macs);
-    if (ctxt->sc->cert_types[0] != 0)
-      gnutls_certificate_type_set_priority(session, ctxt->sc->cert_types);
-
-    /* allow separate caches per virtual host. Actually allowing the same is not
-     * a good idea, especially if they have different security requirements.
+    ret = gnutls_priority_set( session, ctxt->sc->priorities);
+    gnutls_certificate_type_set_priority( session, cert_type_prio);
+    
+    
+    /* actually it shouldn't fail since we have checked at startup */
+    if (ret < 0) return ret;
+
+    /* allow separate caches per virtual host. Actually allowing the same is a
+     * bad idea, since they might have different security requirements.
      */
     mgs_cache_session_init(ctxt);
@@ -535 +532 @@
 
 
-
+static const int protocol_priority[] = {
+  GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+          
 
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
@@ -565 +564 @@
      */
     gnutls_session_enable_compatibility_mode( ctxt->session);
-
-    gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+    
+    /* because we don't set any default priorities here (we set later at
+     * the user hello callback) we need to at least set this in order for
+     * gnutls to be able to read packets.
+     */
+    gnutls_protocol_set_priority( ctxt->session, protocol_priority);
 
     gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);

src/mod_gnutls.c

@@ -97 +97 @@
                   RSRC_CONF,
                   "Cache Configuration"),
-    AP_INIT_RAW_ARGS("GnuTLSCiphers", mgs_set_ciphers,
+    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                   NULL,
                   RSRC_CONF,
-                  "The ciphers to enable (AES-128, 3DES, ARCFOUR-128, ARCFOUR-40)"),
-    AP_INIT_RAW_ARGS("GnuTLSKeyExchangeAlgorithms", mgs_set_kx,
-                  NULL,
-                  RSRC_CONF,
-                  "The key exchange algorithms to enable (RSA, DHE-RSA, DHE-DSS, RSA-EXPORT, SRP, SRP-RSA, SRP-DSS)"),
-    AP_INIT_RAW_ARGS("GnuTLSMACAlgorithms", mgs_set_mac,
-                  NULL,
-                  RSRC_CONF,
-                  "The MAC algorithms to utilize (SHA-1, MD5)"),
-    AP_INIT_RAW_ARGS("GnuTLSCompressionMethods", mgs_set_compression,
-                  NULL,
-                  RSRC_CONF,
-                  "The compression methods to utilize (NULL, ZLIB)"),
-    AP_INIT_RAW_ARGS("GnuTLSProtocols", mgs_set_protocols,
-                  NULL,
-                  RSRC_CONF,
-                  "The TLS protocol version to use (TLS1.1, TLS1.0, SSL3.0)"),
+                  "The priorities to enable (ciphers, Key exchange, macs, compression)"),
     AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
                   NULL,