Changeset ec06980 in mod_gnutls for src


Timestamp:
Jan 11, 2013, 12:55:31 AM (8 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, upstream
Children:
40ac29f, a4839ae
Parents:
70c2d86
Message:

Imported Upstream version 0.4.0

Location:
src
Files:
3 edited

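--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -330,88 +330,26 @@
 
 
-const char *mgs_set_mac(cmd_parms * parms, void *dummy, const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_mac_convert_priority( sc->macs, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSMACAlgorithms must be a comma separated list of SHA-1 or MD5";
-
-    return NULL;
-}
-
-const char *mgs_set_kx(cmd_parms * parms, void *dummy, const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_kx_convert_priority( sc->key_exchange, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSKeyExchangeAlgorithms must be a comma separated list of RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, ANON";
-
-    return NULL;
-}
-
-
-const char *mgs_set_ciphers(cmd_parms * parms, void *dummy,
-                            const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_cipher_convert_priority( sc->ciphers, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSCiphers must be a comma separated list of AES-128-CBC, CAMELIA-128-CBC, ARCFOUR-128, 3DES-CBC or ARCFOUR-40";
-
-    return NULL;
-}
-
-
-const char *mgs_set_compression(cmd_parms * parms, void *dummy,
-                                const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_compression_convert_priority( sc->compression, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSCompressionMethods must be a comma separated list of NULL or DEFLATE";
-
-    return NULL;
-}
-
-const char *mgs_set_protocols(cmd_parms * parms, void *dummy,
-                                const char *arg)
-{
-    mgs_srvconf_rec *sc =
-        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
-                                                 module_config,
-                                                 &gnutls_module);
-
-    int ret = gnutls_protocol_convert_priority( sc->protocol, MAX_CIPHERS, arg, ' ');
-
-    if (ret < 0)
-        return "GnuTLSProtocols must be a comma separated list of TLS1.1, TLS1.0 or SSL3.0";
-
-    return NULL;
-}
-
+const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
+{
+    int ret;
+    const char *err;
+    mgs_srvconf_rec *sc =
+        (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+                                                 module_config,
+                                                 &gnutls_module);
+
+
+    ret = gnutls_priority_init( &sc->priorities, arg, &err);
+    if (ret < 0) {
+      if (ret == GNUTLS_E_INVALID_REQUEST)
+        return apr_psprintf(parms->pool, "GnuTLS: Syntax error parsing priorities string at: %s", err);
+      return "Error setting priorities";
+    }
+
+    return NULL;
+}
 
 void *mgs_config_server_create(apr_pool_t * p, server_rec * s)
 {
-    int i;
     mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
 
@@ -435,24 +373,4 @@
     sc->client_verify_mode = GNUTLS_CERT_IGNORE;
 
-    if (sc->protocol[0]==0) {
-      i = 0;
-      sc->protocol[i++] = GNUTLS_TLS1_1;
-      sc->protocol[i++] = GNUTLS_TLS1;
-      sc->protocol[i++] = GNUTLS_SSL3;
-      sc->protocol[i] = 0;
-    }
-
-    if (sc->compression[0]==0) {
-      i = 0;
-      sc->compression[i++] = GNUTLS_COMP_NULL;
-      sc->compression[i] = 0;
-    }
-
-    if (sc->cert_types[0]==0) {
-      i = 0;
-      sc->cert_types[i++] = GNUTLS_CRT_X509;
-      sc->cert_types[i] = 0;
-    }
-
     return sc;
 }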
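Review bot: mgs_set_priorities calls gnutls_priority_init on &sc->priorities without releasing a cache the same server context may already hold, so a repeated GnuTLSPriorities directive leaks the previous gnutls_priority_t, and for any failure other than GNUTLS_E_INVALID_REQUEST the GnuTLS error code is thrown away in the fixed "Error setting priorities" string. I would add `if (sc->priorities) gnutls_priority_deinit(sc->priorities);` before the init and report other failures as `return apr_psprintf(parms->pool, "GnuTLS: Error setting priorities: %s", gnutls_strerror(ret));`. Separately, the second hunk strips every default from mgs_config_server_create and nothing shown assigns sc->priorities, so unless a merge step outside this changeset supplies one, a virtual host that never sets the directive reaches the handshake with a NULL priority cache; a checked `gnutls_priority_init(&sc->priorities, "NORMAL", NULL)` in mgs_config_server_create would close that gap. The middle of mgs_config_server_create lies between the two hunks and is not visible here.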
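--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -125,8 +125,12 @@
 }
 
+/* We don't support openpgp certificates, yet */
+const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
+
 static int mgs_select_virtual_server_cb( gnutls_session_t session)
 {
     mgs_handle_t *ctxt;
     mgs_srvconf_rec *tsc;
+    int ret;
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -155,24 +159,17 @@
     }
 
-    /* enable the default priorities and override them later on
+    /* update the priorities - to avoid negotiating a ciphersuite that is not
+     * enabled on this virtual server. Note that here we ignore the version
+     * negotiation.
      */
-    gnutls_set_default_priority( session);
-
-    /* update the priorities - to avoid negotiating a ciphersuite that is not
-     * enabled on this virtual server
-     */
-    if (ctxt->sc->ciphers[0] != 0)
-      gnutls_cipher_set_priority(session, ctxt->sc->ciphers);
-    if (ctxt->sc->compression[0] != 0)
-      gnutls_compression_set_priority(session, ctxt->sc->compression);
-    if (ctxt->sc->key_exchange[0] != 0)
-      gnutls_kx_set_priority(session, ctxt->sc->key_exchange);
-    if (ctxt->sc->macs[0] != 0)
-      gnutls_mac_set_priority(session, ctxt->sc->macs);
-    if (ctxt->sc->cert_types[0] != 0)
-      gnutls_certificate_type_set_priority(session, ctxt->sc->cert_types);
-
-    /* allow separate caches per virtual host. Actually allowing the same is not
-     * a good idea, especially if they have different security requirements.
+    ret = gnutls_priority_set( session, ctxt->sc->priorities);
+    gnutls_certificate_type_set_priority( session, cert_type_prio);
+   
+   
+    /* actually it shouldn't fail since we have checked at startup */
+    if (ret < 0) return ret;
+
+    /* allow separate caches per virtual host. Actually allowing the same is a
+     * bad idea, since they might have different security requirements.
      */
     mgs_cache_session_init(ctxt);
@@ -535,5 +532,7 @@
 
 
-
+static const int protocol_priority[] = {
+  GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+         
 
 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
@@ -565,6 +564,10 @@
      */
     gnutls_session_enable_compatibility_mode( ctxt->session);
-
-    gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+   
+    /* because we don't set any default priorities here (we set later at
+     * the user hello callback) we need to at least set this in order for
+     * gnutls to be able to read packets.
+     */
+    gnutls_protocol_set_priority( ctxt->session, protocol_priority);
 
     gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb);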
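Review bot: The protocol versions a connection will accept now come from the fixed protocol_priority table (TLS1.1, TLS1.0, SSL3) applied in create_gnutls_handle before the client hello is read, and the rewritten comment in mgs_select_virtual_server_cb states that version negotiation is ignored when GnuTLSPriorities is applied afterwards; as written, an administrator cannot disable SSL 3.0 (or any version) through the priority string, which is the only knob this change leaves them. At minimum that limitation should be stated where the directive is documented, and a better fix is to build the protocol list at startup from the configured priority cache rather than a hard-coded array, where the GnuTLS version in use allows it. In the callback the return of `gnutls_certificate_type_set_priority( session, cert_type_prio);` is discarded and the `ret` from gnutls_priority_set is only checked after that second call; moving `if (ret < 0) return ret;` directly under the gnutls_priority_set call and checking the certificate-type call too keeps a failed priority set from being masked. The comment "it shouldn't fail since we have checked at startup" refers to a check not present in this changeset, and ctxt->sc->priorities would be NULL for a host that never set the directive unless something outside the diff supplies a default. mgs_select_virtual_server_cb and create_gnutls_handle both continue outside the hunks shown.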
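--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -97,24 +97,8 @@
                   RSRC_CONF,
                   "Cache Configuration"),
-    AP_INIT_RAW_ARGS("GnuTLSCiphers", mgs_set_ciphers,
+    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                   NULL,
                   RSRC_CONF,
-                  "The ciphers to enable (AES-128, 3DES, ARCFOUR-128, ARCFOUR-40)"),
-    AP_INIT_RAW_ARGS("GnuTLSKeyExchangeAlgorithms", mgs_set_kx,
-                  NULL,
-                  RSRC_CONF,
-                  "The key exchange algorithms to enable (RSA, DHE-RSA, DHE-DSS, RSA-EXPORT, SRP, SRP-RSA, SRP-DSS)"),
-    AP_INIT_RAW_ARGS("GnuTLSMACAlgorithms", mgs_set_mac,
-                  NULL,
-                  RSRC_CONF,
-                  "The MAC algorithms to utilize (SHA-1, MD5)"),
-    AP_INIT_RAW_ARGS("GnuTLSCompressionMethods", mgs_set_compression,
-                  NULL,
-                  RSRC_CONF,
-                  "The compression methods to utilize (NULL, ZLIB)"),
-    AP_INIT_RAW_ARGS("GnuTLSProtocols", mgs_set_protocols,
-                  NULL,
-                  RSRC_CONF,
-                  "The TLS protocol version to use (TLS1.1, TLS1.0, SSL3.0)"),
+                  "The priorities to enable (ciphers, Key exchange, macs, compression)"),
     AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
                   NULL,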
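Review bot: The help text for GnuTLSPriorities, `"The priorities to enable (ciphers, Key exchange, macs, compression)"`, does not tell an administrator that the argument is a GnuTLS priority string, give an example, or say what happens when the directive is omitted, and since GnuTLSCiphers, GnuTLSKeyExchangeAlgorithms, GnuTLSMACAlgorithms, GnuTLSCompressionMethods and GnuTLSProtocols are removed here, an existing configuration using them will presumably be rejected at startup as unknown directives with no hint of the replacement. I would reword it along the lines of `"GnuTLS priority string selecting ciphers, key exchange, MACs and compression (e.g. NORMAL); replaces GnuTLSCiphers, GnuTLSKeyExchangeAlgorithms, GnuTLSMACAlgorithms, GnuTLSCompressionMethods and GnuTLSProtocols"`. If the protocol-version part of the priority string is not honored by the handshake setup, as the gnutls_hooks.c change in this changeset suggests, that caveat belongs in this help text as well.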