- Timestamp:
- Jan 11, 2013, 12:55:31 AM (8 years ago)
- Branches:
- debian/master, debian/stretch-backports, jessie-backports, upstream
- Children:
- 40ac29f, a4839ae
- Parents:
- 70c2d86
- Location:
- src
- Files:
-
- 3 edited
src/gnutls_config.c
r70c2d86 rec06980 330 330 331 331 332 const char *mgs_set_mac(cmd_parms * parms, void *dummy, const char *arg) 333 { 334 mgs_srvconf_rec *sc = 335 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 336 module_config, 337 &gnutls_module); 338 339 int ret = gnutls_mac_convert_priority( sc->macs, MAX_CIPHERS, arg, ' '); 340 341 if (ret < 0) 342 return "GnuTLSMACAlgorithms must be a comma separated list of SHA-1 or MD5"; 343 344 return NULL; 345 } 346 347 const char *mgs_set_kx(cmd_parms * parms, void *dummy, const char *arg) 348 { 349 mgs_srvconf_rec *sc = 350 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 351 module_config, 352 &gnutls_module); 353 354 int ret = gnutls_kx_convert_priority( sc->key_exchange, MAX_CIPHERS, arg, ' '); 355 356 if (ret < 0) 357 return "GnuTLSKeyExchangeAlgorithms must be a comma separated list of RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, ANON"; 358 359 return NULL; 360 } 361 362 363 const char *mgs_set_ciphers(cmd_parms * parms, void *dummy, 364 const char *arg) 365 { 366 mgs_srvconf_rec *sc = 367 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 368 module_config, 369 &gnutls_module); 370 371 int ret = gnutls_cipher_convert_priority( sc->ciphers, MAX_CIPHERS, arg, ' '); 372 373 if (ret < 0) 374 return "GnuTLSCiphers must be a comma separated list of AES-128-CBC, CAMELIA-128-CBC, ARCFOUR-128, 3DES-CBC or ARCFOUR-40"; 375 376 return NULL; 377 } 378 379 380 const char *mgs_set_compression(cmd_parms * parms, void *dummy, 381 const char *arg) 382 { 383 mgs_srvconf_rec *sc = 384 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 385 module_config, 386 &gnutls_module); 387 388 int ret = gnutls_compression_convert_priority( sc->compression, MAX_CIPHERS, arg, ' '); 389 390 if (ret < 0) 391 return "GnuTLSCompressionMethods must be a comma separated list of NULL or DEFLATE"; 392 393 return NULL; 394 } 395 396 const char *mgs_set_protocols(cmd_parms * parms, void *dummy, 397 const char *arg) 398 { 399 
mgs_srvconf_rec *sc = 400 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 401 module_config, 402 &gnutls_module); 403 404 int ret = gnutls_protocol_convert_priority( sc->protocol, MAX_CIPHERS, arg, ' '); 405 406 if (ret < 0) 407 return "GnuTLSProtocols must be a comma separated list of TLS1.1, TLS1.0 or SSL3.0"; 408 409 return NULL; 410 } 411 332 const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg) 333 { 334 int ret; 335 const char *err; 336 mgs_srvconf_rec *sc = 337 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 338 module_config, 339 &gnutls_module); 340 341 342 ret = gnutls_priority_init( &sc->priorities, arg, &err); 343 if (ret < 0) { 344 if (ret == GNUTLS_E_INVALID_REQUEST) 345 return apr_psprintf(parms->pool, "GnuTLS: Syntax error parsing priorities string at: %s", err); 346 return "Error setting priorities"; 347 } 348 349 return NULL; 350 } 412 351 413 352 void *mgs_config_server_create(apr_pool_t * p, server_rec * s) 414 353 { 415 int i;416 354 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 417 355 … … 435 373 sc->client_verify_mode = GNUTLS_CERT_IGNORE; 436 374 437 if (sc->protocol[0]==0) {438 i = 0;439 sc->protocol[i++] = GNUTLS_TLS1_1;440 sc->protocol[i++] = GNUTLS_TLS1;441 sc->protocol[i++] = GNUTLS_SSL3;442 sc->protocol[i] = 0;443 }444 445 if (sc->compression[0]==0) {446 i = 0;447 sc->compression[i++] = GNUTLS_COMP_NULL;448 sc->compression[i] = 0;449 }450 451 if (sc->cert_types[0]==0) {452 i = 0;453 sc->cert_types[i++] = GNUTLS_CRT_X509;454 sc->cert_types[i] = 0;455 }456 457 375 return sc; 458 376 } -
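Review bot: mgs_set_priorities only fills sc->priorities when a GnuTLSPriorities directive is present, while mgs_config_server_create in the same section drops the old protocol/compression/cert_types defaults without adding a default for the new field, so a server record that comes out of apr_pcalloc keeps priorities == NULL and that NULL is later handed to gnutls_priority_set in src/gnutls_hooks.c. Either install a default there, e.g. `gnutls_priority_init(&sc->priorities, "NORMAL", NULL);` after the pcalloc (checking its return), or reject servers with a NULL priority cache before the first handshake. In the error path of mgs_set_priorities the non-syntax case discards the library's reason; `return apr_psprintf(parms->pool, "Error setting priorities: %s", gnutls_strerror(ret));` keeps it in the startup log. A repeated directive in one server block also leaks the previously initialised cache, which gnutls_priority_deinit on a non-NULL sc->priorities before the init call would avoid.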
src/gnutls_hooks.c
r70c2d86 rec06980 125 125 } 126 126 127 /* We don't support openpgp certificates, yet */ 128 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; 129 127 130 static int mgs_select_virtual_server_cb( gnutls_session_t session) 128 131 { 129 132 mgs_handle_t *ctxt; 130 133 mgs_srvconf_rec *tsc; 134 int ret; 131 135 132 136 ctxt = gnutls_transport_get_ptr(session); … … 155 159 } 156 160 157 /* enable the default priorities and override them later on 161 /* update the priorities - to avoid negotiating a ciphersuite that is not 162 * enabled on this virtual server. Note that here we ignore the version 163 * negotiation. 158 164 */ 159 gnutls_set_default_priority( session); 160 161 /* update the priorities - to avoid negotiating a ciphersuite that is not 162 * enabled on this virtual server 163 */ 164 if (ctxt->sc->ciphers[0] != 0) 165 gnutls_cipher_set_priority(session, ctxt->sc->ciphers); 166 if (ctxt->sc->compression[0] != 0) 167 gnutls_compression_set_priority(session, ctxt->sc->compression); 168 if (ctxt->sc->key_exchange[0] != 0) 169 gnutls_kx_set_priority(session, ctxt->sc->key_exchange); 170 if (ctxt->sc->macs[0] != 0) 171 gnutls_mac_set_priority(session, ctxt->sc->macs); 172 if (ctxt->sc->cert_types[0] != 0) 173 gnutls_certificate_type_set_priority(session, ctxt->sc->cert_types); 174 175 /* allow separate caches per virtual host. Actually allowing the same is not 176 * a good idea, especially if they have different security requirements. 165 ret = gnutls_priority_set( session, ctxt->sc->priorities); 166 gnutls_certificate_type_set_priority( session, cert_type_prio); 167 168 169 /* actually it shouldn't fail since we have checked at startup */ 170 if (ret < 0) return ret; 171 172 /* allow separate caches per virtual host. Actually allowing the same is a 173 * bad idea, since they might have different security requirements. 
177 174 */ 178 175 mgs_cache_session_init(ctxt); … … 535 532 536 533 537 534 static const int protocol_priority[] = { 535 GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; 536 538 537 539 538 static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) … … 565 564 */ 566 565 gnutls_session_enable_compatibility_mode( ctxt->session); 567 568 gnutls_protocol_set_priority(ctxt->session, sc->protocol); 566 567 /* because we don't set any default priorities here (we set later at 568 * the user hello callback) we need to at least set this in order for 569 * gnutls to be able to read packets. 570 */ 571 gnutls_protocol_set_priority( ctxt->session, protocol_priority); 569 572 570 573 gnutls_handshake_set_post_client_hello_function( ctxt->session, mgs_select_virtual_server_cb); -
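Review bot: The result of gnutls_priority_set at line 165 is only examined after gnutls_certificate_type_set_priority has already run, and the comment at 169 relies on a startup check that this changeset does not show; a virtual server without a GnuTLSPriorities directive carries the value mgs_config_server_create left in sc->priorities (NULL, from apr_pcalloc in src/gnutls_config.c), and with gnutls_set_default_priority removed nothing else installs a priority set on the session. Check ret immediately after the call and guard the unset case, for instance `if (ctxt->sc->priorities == NULL) return GNUTLS_E_INVALID_REQUEST;` before gnutls_priority_set, or fail the configuration in a post-config hook so the callback never sees it. The comment "actually it shouldn't fail since we have checked at startup" should then name that check, or be dropped if none exists. mgs_select_virtual_server_cb's body continues outside the hunk.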
src/mod_gnutls.c
r70c2d86 rec06980 97 97 RSRC_CONF, 98 98 "Cache Configuration"), 99 AP_INIT_RAW_ARGS("GnuTLS Ciphers", mgs_set_ciphers,99 AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, 100 100 NULL, 101 101 RSRC_CONF, 102 "The ciphers to enable (AES-128, 3DES, ARCFOUR-128, ARCFOUR-40)"), 103 AP_INIT_RAW_ARGS("GnuTLSKeyExchangeAlgorithms", mgs_set_kx, 104 NULL, 105 RSRC_CONF, 106 "The key exchange algorithms to enable (RSA, DHE-RSA, DHE-DSS, RSA-EXPORT, SRP, SRP-RSA, SRP-DSS)"), 107 AP_INIT_RAW_ARGS("GnuTLSMACAlgorithms", mgs_set_mac, 108 NULL, 109 RSRC_CONF, 110 "The MAC algorithms to utilize (SHA-1, MD5)"), 111 AP_INIT_RAW_ARGS("GnuTLSCompressionMethods", mgs_set_compression, 112 NULL, 113 RSRC_CONF, 114 "The compression methods to utilize (NULL, ZLIB)"), 115 AP_INIT_RAW_ARGS("GnuTLSProtocols", mgs_set_protocols, 116 NULL, 117 RSRC_CONF, 118 "The TLS protocol version to use (TLS1.1, TLS1.0, SSL3.0)"), 102 "The priorities to enable (ciphers, Key exchange, macs, compression)"), 119 103 AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled, 120 104 NULL,
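Review bot: The help string for GnuTLSPriorities does not tell the administrator that the argument is a GnuTLS priority string or that it replaces the five directives removed in this hunk, which now fail at startup as unknown commands. Suggest `"GnuTLS priority string (see gnutls_priority_init(3)); replaces GnuTLSCiphers, GnuTLSKeyExchangeAlgorithms, GnuTLSMACAlgorithms, GnuTLSCompressionMethods and GnuTLSProtocols"` so the migration is visible from httpd -L. Since mgs_config_server_create no longer sets defaults, the text should also say whether the directive is required per virtual host.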