Diffstat (limited to 'src/gnutls_hooks.c')
-rw-r--r--src/gnutls_hooks.c133
1 files changed, 33 insertions, 100 deletions
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 55f8e5f..7b7e2b3 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -84,48 +84,6 @@ mgs_hook_pre_config(apr_pool_t * pconf,
84 return OK; 84 return OK;
85} 85}
86 86
87
88static gnutls_datum
89load_params(const char *file, server_rec * s, apr_pool_t * pool)
90{
91 gnutls_datum ret = { NULL, 0 };
92 apr_file_t *fp;
93 apr_finfo_t finfo;
94 apr_status_t rv;
95 apr_size_t br = 0;
96
97 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
98 pool);
99 if (rv != APR_SUCCESS) {
100 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
101 "GnuTLS failed to load params file at: %s. Will use internal params.",
102 file);
103 return ret;
104 }
105
106 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
107
108 if (rv != APR_SUCCESS) {
109 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
110 "GnuTLS failed to stat params file at: %s", file);
111 return ret;
112 }
113
114 ret.data = apr_palloc(pool, finfo.size + 1);
115 rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
116
117 if (rv != APR_SUCCESS) {
118 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
119 "GnuTLS failed to read params file at: %s", file);
120 return ret;
121 }
122 apr_file_close(fp);
123 ret.data[br] = '\0';
124 ret.size = br;
125
126 return ret;
127}
128
129/* We don't support openpgp certificates, yet */ 87/* We don't support openpgp certificates, yet */
130const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; 88const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
131 89
@@ -284,68 +242,33 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
284 242
285 243
286 { 244 {
287 gnutls_datum pdata = { NULL, 0 };
288 apr_pool_t *tpool;
289 s = base_server; 245 s = base_server;
290 sc_base = 246 sc_base =
291 (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 247 (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
292 &gnutls_module); 248 &gnutls_module);
293 249
294 apr_pool_create(&tpool, p);
295
296
297 gnutls_dh_params_init(&dh_params); 250 gnutls_dh_params_init(&dh_params);
298 251
299 if (sc_base->dh_params_file) 252 if (sc_base->dh_params == NULL) {
300 pdata = load_params(sc_base->dh_params_file, s, tpool); 253 gnutls_datum pdata = { (void *) static_dh_params, sizeof(static_dh_params) };
301 254 /* loading defaults */
302 if (pdata.size != 0) { 255 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
303 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
304 GNUTLS_X509_FMT_PEM);
305 if (rv != 0) {
306 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
307 "GnuTLS: Unable to load DH Params: (%d) %s",
308 rv, gnutls_strerror(rv));
309 exit(rv);
310 }
311 } else {
312 /* If the file does not exist use internal parameters
313 */
314 pdata.data = (void *) static_dh_params;
315 pdata.size = sizeof(static_dh_params);
316 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
317 GNUTLS_X509_FMT_PEM); 256 GNUTLS_X509_FMT_PEM);
318 257
319 if (rv < 0) { 258 if (rv < 0) {
320 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 259 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
321 "GnuTLS: Unable to load internal DH Params." 260 "GnuTLS: Unable to load DH Params: (%d) %s",
322 " Shutting down."); 261 rv, gnutls_strerror(rv));
323 exit(-1); 262 exit(rv);
324 } 263 }
325 } 264 } else dh_params = sc_base->dh_params;
326 apr_pool_clear(tpool); 265
327 266 if (sc_base->rsa_params != NULL)
328 pdata.data = NULL; 267 rsa_params = sc_base->rsa_params;
329 pdata.size = 0; 268
330 269 /* else not an error but RSA-EXPORT ciphersuites are not available
331 if (sc_base->rsa_params_file)
332 pdata = load_params(sc_base->rsa_params_file, s, tpool);
333
334 if (pdata.size != 0) {
335 gnutls_rsa_params_init(&rsa_params);
336 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
337 GNUTLS_X509_FMT_PEM);
338 if (rv != 0) {
339 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
340 "GnuTLS: Unable to load RSA Params: (%d) %s",
341 rv, gnutls_strerror(rv));
342 exit(rv);
343 }
344 }
345 /* not an error but RSA-EXPORT ciphersuites are not available
346 */ 270 */
347 271
348 apr_pool_destroy(tpool);
349 rv = mgs_cache_post_config(p, s, sc_base); 272 rv = mgs_cache_post_config(p, s, sc_base);
350 if (rv != 0) { 273 if (rv != 0) {
351 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 274 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
@@ -355,6 +278,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
355 } 278 }
356 279
357 for (s = base_server; s; s = s->next) { 280 for (s = base_server; s; s = s->next) {
281 void *load = NULL;
358 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 282 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
359 &gnutls_module); 283 &gnutls_module);
360 sc->cache_type = sc_base->cache_type; 284 sc->cache_type = sc_base->cache_type;
@@ -367,16 +291,25 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
367 s->server_hostname, s->port); 291 s->server_hostname, s->port);
368 exit(-1); 292 exit(-1);
369 } 293 }
370
371 if (rsa_params != NULL)
372 gnutls_certificate_set_rsa_export_params(sc->certs,
373 rsa_params);
374 294
375 if (dh_params != NULL) /* not needed but anyway */ 295 /* Check if DH or RSA params have been set per host */
376 gnutls_certificate_set_dh_params(sc->certs, dh_params); 296 if (sc->rsa_params != NULL)
297 load = sc->rsa_params;
298 else if (rsa_params) load = rsa_params;
299
300 if (load != NULL)
301 gnutls_certificate_set_rsa_export_params(sc->certs, load);
377 302
378 303
379 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); 304 load = NULL;
305 if (sc->dh_params != NULL)
306 load = sc->dh_params;
307 else if (dh_params) load = dh_params;
308
309 if (load != NULL) { /* not needed but anyway */
310 gnutls_certificate_set_dh_params(sc->certs, load);
311 gnutls_anon_set_server_dh_params(sc->anon_creds, load);
312 }
380 313
381 gnutls_certificate_server_set_retrieve_function(sc->certs, 314 gnutls_certificate_server_set_retrieve_function(sc->certs,
382 cert_retrieve_fn); 315 cert_retrieve_fn);
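Review bot: In the second hunk of mgs_hook_post_config, `gnutls_dh_params_init(&dh_params);` now runs unconditionally before the `sc_base->dh_params == NULL` test, so in the `} else dh_params = sc_base->dh_params;` branch the freshly initialised handle is overwritten and, as far as the hunk shows, never deinitialised; moving the call into the branch that imports the built-in parameters, `if (sc_base->dh_params == NULL) { gnutls_dh_params_init(&dh_params); ... }`, keeps the allocation to the case that uses it (its return value stays unchecked, as before the change). The `exit(rv)` on import failure passes a negative GnuTLS error code as the process exit status, which the shell truncates to an unrelated value; that is pre-existing, but `exit(-1)` or a logged code plus a fixed non-zero status would be clearer to whoever reads the startup failure. In the per-host loop of the last hunk, the `void *load` scratch variable is reused for both a gnutls_rsa_params_t and a gnutls_dh_params_t, which discards the compiler's type check on the two set_* calls; two typed locals (one per parameter kind) would be just as short. Both hunks sit inside mgs_hook_post_config, whose body starts before and ends after the lines shown.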