authorNokis Mavrogiannopoulos <nmav@gnutls.org>2007-12-03 18:26:23 (GMT)
committer Nokis Mavrogiannopoulos <nmav@gnutls.org>2007-12-03 18:26:23 (GMT)
commit16d0fc76a6981f3f2562cdcade76179e9805dfd8 (patch)
treee43ac10d8d663abc12c958695243485398c1e6a9
parent7854add288a2b22a072d430460a21ebac547fb37 (diff)
better handling of RSAFile and DHFile
-rw-r--r--NEWS5
-rw-r--r--include/mod_gnutls.h.in4
-rw-r--r--src/gnutls_config.c49
-rw-r--r--src/gnutls_hooks.c133
4 files changed, 85 insertions, 106 deletions
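--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,9 @@ SSL_CLIENT_S_TYPE, SSL_SERVER_M_VERSION, SSL_SERVER_S_SAN%, SSL_SERVER_S_TYPE
 - The compatibility mode can now be enabled explicitely with the
 %COMPAT keyword at the GnuTLSPriorities string. It is no longer the default.
 
-- Check for GnuTLSPriorities directive.
+- Check for GnuTLSPriorities directive. This corrects a segfault. Thanks
+to David Hrbáč.
+
+- Better handling of GnuTLSDHFile and GnuTLSRSAFile.
 
 - No longer default paths for RSA and DH parameter files.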
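--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -96,11 +96,11 @@ typedef struct
      */
     int export_certificates_enabled;
     gnutls_priority_t priorities;
+    gnutls_rsa_params_t rsa_params;
+    gnutls_dh_params_t dh_params;
     int cache_timeout;
     mgs_cache_e cache_type;
     const char* cache_config;
-    const char* rsa_params_file;
-    const char* dh_params_file;
     const char* srp_tpasswd_file;
     const char* srp_tpasswd_conf_file;
     gnutls_x509_crt_t ca_list[MAX_CA_CRTS];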
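Review bot: The new `rsa_params` and `dh_params` members carry no comment saying who initialises them and what a NULL value means, which is exactly what the post-config hook in this commit relies on when it tests them against NULL. A comment such as `/* Set by GnuTLSRSAFile / GnuTLSDHFile via gnutls_*_params_init(); NULL when the directive is absent. */` would pin that contract down, and it would be worth stating whether anything is expected to deinitialise them, since nothing in this diff does. The enclosing typedef starts before the hunk.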
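--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -54,12 +54,34 @@ static int load_datum_from_file(apr_pool_t * pool,
 const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                             const char *arg)
 {
+    int ret;
+    gnutls_datum_t data;
+    const char *file;
+    apr_pool_t *spool;
     mgs_srvconf_rec *sc =
         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
                                                  module_config,
                                                  &gnutls_module);
 
-    sc->dh_params_file = ap_server_root_relative(parms->pool, arg);
+    apr_pool_create(&spool, parms->pool);
+
+    file = ap_server_root_relative(spool, arg);
+
+    if (load_datum_from_file(spool, file, &data) != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+                            "DH params '%s'", file);
+    }
+
+    gnutls_dh_params_init(&sc->dh_params);
+    ret =
+        gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
+    if (ret != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+                            "DH params '%s': (%d) %s", file, ret,
+                            gnutls_strerror(ret));
+    }
+
+    apr_pool_destroy(spool);
 
     return NULL;
 }
@@ -67,13 +89,34 @@ const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
 const char *mgs_set_rsa_export_file(cmd_parms * parms, void *dummy,
                                     const char *arg)
 {
+    int ret;
+    gnutls_datum_t data;
+    const char *file;
+    apr_pool_t *spool;
     mgs_srvconf_rec *sc =
         (mgs_srvconf_rec *) ap_get_module_config(parms->server->
                                                  module_config,
                                                  &gnutls_module);
 
-    sc->rsa_params_file = ap_server_root_relative(parms->pool, arg);
+    apr_pool_create(&spool, parms->pool);
+
+    file = ap_server_root_relative(spool, arg);
+
+    if (load_datum_from_file(spool, file, &data) != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+                            "RSA params '%s'", file);
+    }
+
+    gnutls_rsa_params_init(&sc->rsa_params);
+    ret =
+        gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
+    if (ret != 0) {
+        return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+                            "RSA params '%s': (%d) %s", file, ret,
+                            gnutls_strerror(ret));
+    }
 
+    apr_pool_destroy(spool);
     return NULL;
 }
 
@@ -103,7 +146,7 @@ const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
         gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
     if (ret != 0) {
         return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
-                            "Certificate'%s': (%d) %s", file, ret,
+                            "Certificate '%s': (%d) %s", file, ret,
                             gnutls_strerror(ret));
     }
 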
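Review bot: In mgs_set_dh_file the `gnutls_dh_params_init(&sc->dh_params)` result is not checked, and when the following `gnutls_dh_params_import_pkcs3` fails the function returns the error string with `sc->dh_params` still pointing at a handle that holds no usable parameters, so the field is non-NULL even though the hook code treats non-NULL as "parameters loaded"; the failure branch should do `gnutls_dh_params_deinit(sc->dh_params); sc->dh_params = NULL;` before returning. httpd aborts configuration on a returned error string, so this is mostly tidiness today, but both early returns also skip `apr_pool_destroy(spool)` and keeping cleanup uniform on every path costs two lines. The second hunk has the same shape in mgs_set_rsa_export_file around `gnutls_rsa_params_init`/`gnutls_rsa_params_import_pkcs1`. Nothing validates the strength of the imported DH group; if weak operator-supplied parameters are a concern for this module, a bit-length check after the import (the prime is retrievable with `gnutls_dh_params_export_raw`) would belong here rather than in the hook.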
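--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -84,48 +84,6 @@ mgs_hook_pre_config(apr_pool_t * pconf,
     return OK;
 }
 
-
-static gnutls_datum
-load_params(const char *file, server_rec * s, apr_pool_t * pool)
-{
-    gnutls_datum ret = { NULL, 0 };
-    apr_file_t *fp;
-    apr_finfo_t finfo;
-    apr_status_t rv;
-    apr_size_t br = 0;
-
-    rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
-                       pool);
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-                     "GnuTLS failed to load params file at: %s. Will use internal params.",
-                     file);
-        return ret;
-    }
-
-    rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
-
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-                     "GnuTLS failed to stat params file at: %s", file);
-        return ret;
-    }
-
-    ret.data = apr_palloc(pool, finfo.size + 1);
-    rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
-
-    if (rv != APR_SUCCESS) {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-                     "GnuTLS failed to read params file at: %s", file);
-        return ret;
-    }
-    apr_file_close(fp);
-    ret.data[br] = '\0';
-    ret.size = br;
-
-    return ret;
-}
-
 /* We don't support openpgp certificates, yet */
 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
 
@@ -284,68 +242,33 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
 
 
     {
-        gnutls_datum pdata = { NULL, 0 };
-        apr_pool_t *tpool;
         s = base_server;
         sc_base =
             (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
                                                      &gnutls_module);
 
-        apr_pool_create(&tpool, p);
-
-
         gnutls_dh_params_init(&dh_params);
 
-        if (sc_base->dh_params_file)
-            pdata = load_params(sc_base->dh_params_file, s, tpool);
-
-        if (pdata.size != 0) {
-            rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
-                                               GNUTLS_X509_FMT_PEM);
-            if (rv != 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Unable to load DH Params: (%d) %s",
-                             rv, gnutls_strerror(rv));
-                exit(rv);
-            }
-        } else {
-            /* If the file does not exist use internal parameters
-             */
-            pdata.data = (void *) static_dh_params;
-            pdata.size = sizeof(static_dh_params);
-            rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
+        if (sc_base->dh_params == NULL) {
+            gnutls_datum pdata = { (void *) static_dh_params, sizeof(static_dh_params) };
+            /* loading defaults */
+            rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
                                                GNUTLS_X509_FMT_PEM);
 
             if (rv < 0) {
                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Unable to load internal DH Params."
-                             " Shutting down.");
-                exit(-1);
+                             "GnuTLS: Unable to load DH Params: (%d) %s",
+                             rv, gnutls_strerror(rv));
+                exit(rv);
             }
-        }
-        apr_pool_clear(tpool);
-
-        pdata.data = NULL;
-        pdata.size = 0;
-
-        if (sc_base->rsa_params_file)
-            pdata = load_params(sc_base->rsa_params_file, s, tpool);
-
-        if (pdata.size != 0) {
-            gnutls_rsa_params_init(&rsa_params);
-            rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
-                                                GNUTLS_X509_FMT_PEM);
-            if (rv != 0) {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                             "GnuTLS: Unable to load RSA Params: (%d) %s",
-                             rv, gnutls_strerror(rv));
-                exit(rv);
-            }
-        }
-        /* not an error but RSA-EXPORT ciphersuites are not available
+        } else dh_params = sc_base->dh_params;
+
+        if (sc_base->rsa_params != NULL)
+            rsa_params = sc_base->rsa_params;
+
+        /* else not an error but RSA-EXPORT ciphersuites are not available
          */
 
-        apr_pool_destroy(tpool);
         rv = mgs_cache_post_config(p, s, sc_base);
         if (rv != 0) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
@@ -355,6 +278,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
     }
 
     for (s = base_server; s; s = s->next) {
+        void *load = NULL;
         sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
                                                       &gnutls_module);
         sc->cache_type = sc_base->cache_type;
@@ -367,16 +291,25 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                          s->server_hostname, s->port);
             exit(-1);
         }
-
-        if (rsa_params != NULL)
-            gnutls_certificate_set_rsa_export_params(sc->certs,
-                                                     rsa_params);
 
-        if (dh_params != NULL)     /* not needed but anyway */
-            gnutls_certificate_set_dh_params(sc->certs, dh_params);
+        /* Check if DH or RSA params have been set per host */
+        if (sc->rsa_params != NULL)
+            load = sc->rsa_params;
+        else if (rsa_params) load = rsa_params;
+
+        if (load != NULL)
+            gnutls_certificate_set_rsa_export_params(sc->certs, load);
 
 
-        gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
+        load = NULL;
+        if (sc->dh_params != NULL)
+            load = sc->dh_params;
+        else if (dh_params) load = dh_params;
+
+        if (load != NULL) { /* not needed but anyway */
+            gnutls_certificate_set_dh_params(sc->certs, load);
+            gnutls_anon_set_server_dh_params(sc->anon_creds, load);
+        }
 
         gnutls_certificate_server_set_retrieve_function(sc->certs,
                                                         cert_retrieve_fn);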