-rw-r--r--README19
-rw-r--r--src/gnutls_hooks.c43
2 files changed, 51 insertions, 11 deletions
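--- a/README
+++ b/README
@@ -109,3 +109,22 @@ NameVirtualHost 1.2.3.4:443
  GnuTLSClientCAFile ca.pem
  GnuTLSPGPKeyringFile /etc/apache2/ring.asc
 </VirtualHost>
+
+Create OpenPGP credentials for the server:
+
+IMPORTANT: mod_gnutls currently cannot read encrypted OpenPGP credentials. That
+is, when you generate a key with gpg and gpg prompts you for a passphrase, just
+press enter. Then press enter again, to confirm an empty passphrase.
+http://news.gmane.org/gmane.comp.apache.outoforder.modules
+
+These instructions are from the GnuTLS manual:
+http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
+
+ $ gpg --gen-key
+ ...enter whatever details you want, use 'test.gnutls.org' as name...
+
+Make a note of the OpenPGP key identifier of the newly generated key, here it
+was 5D1D14D8. You will need to export the key for GnuTLS to be able to use it.
+
+ $ gpg -a --export 5D1D14D8 > openpgp-server.txt
+ $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt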
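--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -62,6 +62,18 @@ mgs_hook_pre_config(apr_pool_t * pconf,
 {
 int ret;
 
+#if MOD_GNUTLS_DEBUG
+ apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
+ APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
+ pconf);
+
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+ gnutls_global_set_log_level(9);
+ gnutls_global_set_log_function(gnutls_debug_log_all);
+ apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
+#endif
+
 #if APR_HAS_THREADS
  ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
  if (mpm_is_threaded) {
@@ -72,29 +84,20 @@ int ret;
 #endif
 
  if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
- fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
+ apr_file_printf(debug_log_fp, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
  LIBGNUTLS_VERSION, gnutls_check_version(NULL));
  return -3;
  }
 
  ret = gnutls_global_init();
  if (ret < 0) {
- fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
+ apr_file_printf(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
  return -3;
  }
 
  apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
  apr_pool_cleanup_null);
 
-#if MOD_GNUTLS_DEBUG
- apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
- APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
- pconf);
-
- gnutls_global_set_log_level(9);
- gnutls_global_set_log_function(gnutls_debug_log_all);
- apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
-#endif
 
  return OK;
 }
@@ -106,6 +109,8 @@ static int mgs_select_virtual_server_cb(gnutls_session_t session)
  int ret;
  int cprio[2];
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
  ctxt = gnutls_transport_get_ptr(session);
 
  /* find the virtual server */
@@ -162,6 +167,7 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
 {
  mgs_handle_t *ctxt;
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  ctxt = gnutls_transport_get_ptr(session);
 
  if (ctxt == NULL)
@@ -213,6 +219,7 @@ static int read_crt_cn(server_rec * s, apr_pool_t * p,
  size_t data_len;
 
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  *cert_cn = NULL;
 
  data_len = 0;
@@ -264,6 +271,7 @@ static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
  size_t data_len;
 
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  *cert_cn = NULL;
 
  data_len = 0;
@@ -296,6 +304,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
  int first_run = 0;
  const char *userdata_key = "mgs_init";
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
  if (data == NULL) {
  first_run = 1;
@@ -442,6 +451,7 @@ void mgs_hook_child_init(apr_pool_t * p, server_rec * s)
  mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
  &gnutls_module);
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  if (sc->cache_type != mgs_cache_none) {
  rv = mgs_cache_child_init(p, s, sc);
  if (rv != APR_SUCCESS) {
@@ -460,6 +470,7 @@ const char *mgs_hook_http_scheme(const request_rec * r)
  (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
  &gnutls_module);
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  if (sc->enabled == GNUTLS_ENABLED_FALSE) {
  return NULL;
  }
@@ -473,6 +484,7 @@ apr_port_t mgs_hook_default_port(const request_rec * r)
  (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
  &gnutls_module);
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  if (sc->enabled == GNUTLS_ENABLED_FALSE) {
  return 0;
  }
@@ -494,6 +506,7 @@ static int vhost_cb(void *baton, conn_rec * conn, server_rec * s)
  mgs_srvconf_rec *tsc;
  vhost_cb_rec *x = baton;
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
  &gnutls_module);
 
@@ -546,6 +559,7 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
  mgs_srvconf_rec *tsc;
 #endif
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  ctxt = gnutls_transport_get_ptr(session);
 
  rv = gnutls_server_name_get(ctxt->session, sni_name,
@@ -623,6 +637,7 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
  module_config,
  &gnutls_module);
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  ctxt = apr_pcalloc(pool, sizeof(*ctxt));
  ctxt->c = c;
  ctxt->sc = sc;
@@ -661,6 +676,7 @@ int mgs_hook_pre_connection(conn_rec * c, void *csd)
  module_config,
  &gnutls_module);
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
  return DECLINED;
  }
@@ -690,6 +706,7 @@ int mgs_hook_fixups(request_rec * r)
  mgs_handle_t *ctxt;
  int rv = OK;
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  apr_table_t *env = r->subprocess_env;
 
  ctxt =
@@ -764,6 +781,7 @@ int mgs_hook_authz(request_rec * r)
  mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
  &gnutls_module);
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  ctxt =
  ap_get_module_config(r->connection->conn_config, &gnutls_module);
 
@@ -825,6 +843,7 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
 
  apr_table_t *env = r->subprocess_env;
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  if (export_certificates_enabled != 0) {
  char cert_buf[10 * 1024];
  len = sizeof(cert_buf);
@@ -931,6 +950,7 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side
  size_t len;
  int ret;
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  apr_table_t *env = r->subprocess_env;
 
  if (export_certificates_enabled != 0) {
@@ -997,6 +1017,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
  } cert;
  apr_time_t activation_time, expiration_time, cur_time;
 
+ apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);
  cert_list =
  gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
 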
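Review bot: In mgs_hook_pre_config (second hunk, new lines 87 and 94; the function's signature is above the first hunk) the two fatal error messages now go to `debug_log_fp`, but that handle is only opened inside `#if MOD_GNUTLS_DEBUG` (new lines 65–75), so in a non-debug build a failed gnutls_check_version() or gnutls_global_init() calls apr_file_printf() on a file that was never opened and the message is lost in exactly the build where it matters. Keep the fatal-path messages on a channel that exists unconditionally, e.g. restore `fprintf(stderr, ...)` or use ap_log_error(), and reserve debug_log_fp for trace output. The same problem applies to the unconditional `apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__);` lines added in every later hunk (mgs_select_virtual_server_cb through mgs_cert_verify): none is wrapped in `#if MOD_GNUTLS_DEBUG`, so they execute on every connection and request in release builds as well, which a single `MGS_TRACE()` macro that expands to nothing when MOD_GNUTLS_DEBUG is off would fix in one place. The apr_file_open() return value in the first hunk is also unchecked, and opening a fixed path under /tmp with APR_CREATE|APR_APPEND deserves a comment such as `/* development-only trace log; the fixed /tmp path can be pre-created by any local user */`. The declaration of debug_log_fp is not in these hunks, so whether it is NULL-initialized in non-debug builds cannot be confirmed from here.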