Diffstat (limited to 'src')
-rw-r--r--src/gnutls_config.c49
-rw-r--r--src/gnutls_hooks.c133
2 files changed, 79 insertions, 103 deletions
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index 697dae1..22e8fbc 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -54,12 +54,34 @@ static int load_datum_from_file(apr_pool_t * pool,
54const char *mgs_set_dh_file(cmd_parms * parms, void *dummy, 54const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
55 const char *arg) 55 const char *arg)
56{ 56{
57 int ret;
58 gnutls_datum_t data;
59 const char *file;
60 apr_pool_t *spool;
57 mgs_srvconf_rec *sc = 61 mgs_srvconf_rec *sc =
58 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 62 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
59 module_config, 63 module_config,
60 &gnutls_module); 64 &gnutls_module);
61 65
62 sc->dh_params_file = ap_server_root_relative(parms->pool, arg); 66 apr_pool_create(&spool, parms->pool);
67
68 file = ap_server_root_relative(spool, arg);
69
70 if (load_datum_from_file(spool, file, &data) != 0) {
71 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
72 "DH params '%s'", file);
73 }
74
75 gnutls_dh_params_init(&sc->dh_params);
76 ret =
77 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
78 if (ret != 0) {
79 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
80 "DH params '%s': (%d) %s", file, ret,
81 gnutls_strerror(ret));
82 }
83
84 apr_pool_destroy(spool);
63 85
64 return NULL; 86 return NULL;
65} 87}
@@ -67,13 +89,34 @@ const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
67const char *mgs_set_rsa_export_file(cmd_parms * parms, void *dummy, 89const char *mgs_set_rsa_export_file(cmd_parms * parms, void *dummy,
68 const char *arg) 90 const char *arg)
69{ 91{
92 int ret;
93 gnutls_datum_t data;
94 const char *file;
95 apr_pool_t *spool;
70 mgs_srvconf_rec *sc = 96 mgs_srvconf_rec *sc =
71 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 97 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
72 module_config, 98 module_config,
73 &gnutls_module); 99 &gnutls_module);
74 100
75 sc->rsa_params_file = ap_server_root_relative(parms->pool, arg); 101 apr_pool_create(&spool, parms->pool);
102
103 file = ap_server_root_relative(spool, arg);
104
105 if (load_datum_from_file(spool, file, &data) != 0) {
106 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
107 "RSA params '%s'", file);
108 }
109
110 gnutls_rsa_params_init(&sc->rsa_params);
111 ret =
112 gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
113 if (ret != 0) {
114 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
115 "RSA params '%s': (%d) %s", file, ret,
116 gnutls_strerror(ret));
117 }
76 118
119 apr_pool_destroy(spool);
77 return NULL; 120 return NULL;
78} 121}
79 122
@@ -103,7 +146,7 @@ const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
103 gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM); 146 gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
104 if (ret != 0) { 147 if (ret != 0) {
105 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import " 148 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
106 "Certificate'%s': (%d) %s", file, ret, 149 "Certificate '%s': (%d) %s", file, ret,
107 gnutls_strerror(ret)); 150 gnutls_strerror(ret));
108 } 151 }
109 152
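Review bot: Both error returns in the new `mgs_set_dh_file` body (after `load_datum_from_file` on new line 70 and after `gnutls_dh_params_import_pkcs3` on line 78) skip the `apr_pool_destroy(spool)` on line 84, so the subpool and the parameter file contents it holds stay allocated until `parms->pool` is cleared; `mgs_set_rsa_export_file` in the next hunk has the same shape. Because `apr_psprintf` copies `file` into `parms->pool`, the message can be built first and the subpool destroyed on every path, as sketched below for the DH case. `gnutls_dh_params_init` (line 75) and `gnutls_rsa_params_init` (line 110) return a status that is not checked, and a repeated directive overwrites `sc->dh_params` / `sc->rsa_params` without deinitialising the previous handle. The two handlers differ only in the import call and the message text, so a shared static helper taking the import function and the "DH"/"RSA" label would remove the duplication.
```c
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                            const char *arg)
{
    const char *err = NULL;
    /* … unchanged: sc lookup, apr_pool_create(&spool, parms->pool), file = … */
    if (load_datum_from_file(spool, file, &data) != 0) {
        err = apr_psprintf(parms->pool, "GnuTLS: Error Reading "
                           "DH params '%s'", file);
        goto out;
    }
    /* … unchanged: gnutls_dh_params_init, import into ret … */
    if (ret != 0) {
        err = apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
                           "DH params '%s': (%d) %s", file, ret,
                           gnutls_strerror(ret));
    }
out:
    apr_pool_destroy(spool);    /* err already lives in parms->pool */
    return err;
}
```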
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 55f8e5f..7b7e2b3 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -84,48 +84,6 @@ mgs_hook_pre_config(apr_pool_t * pconf,
84 return OK; 84 return OK;
85} 85}
86 86
87
88static gnutls_datum
89load_params(const char *file, server_rec * s, apr_pool_t * pool)
90{
91 gnutls_datum ret = { NULL, 0 };
92 apr_file_t *fp;
93 apr_finfo_t finfo;
94 apr_status_t rv;
95 apr_size_t br = 0;
96
97 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
98 pool);
99 if (rv != APR_SUCCESS) {
100 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
101 "GnuTLS failed to load params file at: %s. Will use internal params.",
102 file);
103 return ret;
104 }
105
106 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
107
108 if (rv != APR_SUCCESS) {
109 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
110 "GnuTLS failed to stat params file at: %s", file);
111 return ret;
112 }
113
114 ret.data = apr_palloc(pool, finfo.size + 1);
115 rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
116
117 if (rv != APR_SUCCESS) {
118 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
119 "GnuTLS failed to read params file at: %s", file);
120 return ret;
121 }
122 apr_file_close(fp);
123 ret.data[br] = '\0';
124 ret.size = br;
125
126 return ret;
127}
128
129/* We don't support openpgp certificates, yet */ 87/* We don't support openpgp certificates, yet */
130const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 }; 88const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
131 89
@@ -284,68 +242,33 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
284 242
285 243
286 { 244 {
287 gnutls_datum pdata = { NULL, 0 };
288 apr_pool_t *tpool;
289 s = base_server; 245 s = base_server;
290 sc_base = 246 sc_base =
291 (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 247 (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
292 &gnutls_module); 248 &gnutls_module);
293 249
294 apr_pool_create(&tpool, p);
295
296
297 gnutls_dh_params_init(&dh_params); 250 gnutls_dh_params_init(&dh_params);
298 251
299 if (sc_base->dh_params_file) 252 if (sc_base->dh_params == NULL) {
300 pdata = load_params(sc_base->dh_params_file, s, tpool); 253 gnutls_datum pdata = { (void *) static_dh_params, sizeof(static_dh_params) };
301 254 /* loading defaults */
302 if (pdata.size != 0) { 255 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
303 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
304 GNUTLS_X509_FMT_PEM);
305 if (rv != 0) {
306 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
307 "GnuTLS: Unable to load DH Params: (%d) %s",
308 rv, gnutls_strerror(rv));
309 exit(rv);
310 }
311 } else {
312 /* If the file does not exist use internal parameters
313 */
314 pdata.data = (void *) static_dh_params;
315 pdata.size = sizeof(static_dh_params);
316 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
317 GNUTLS_X509_FMT_PEM); 256 GNUTLS_X509_FMT_PEM);
318 257
319 if (rv < 0) { 258 if (rv < 0) {
320 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 259 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
321 "GnuTLS: Unable to load internal DH Params." 260 "GnuTLS: Unable to load DH Params: (%d) %s",
322 " Shutting down."); 261 rv, gnutls_strerror(rv));
323 exit(-1); 262 exit(rv);
324 } 263 }
325 } 264 } else dh_params = sc_base->dh_params;
326 apr_pool_clear(tpool); 265
327 266 if (sc_base->rsa_params != NULL)
328 pdata.data = NULL; 267 rsa_params = sc_base->rsa_params;
329 pdata.size = 0; 268
330 269 /* else not an error but RSA-EXPORT ciphersuites are not available
331 if (sc_base->rsa_params_file)
332 pdata = load_params(sc_base->rsa_params_file, s, tpool);
333
334 if (pdata.size != 0) {
335 gnutls_rsa_params_init(&rsa_params);
336 rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
337 GNUTLS_X509_FMT_PEM);
338 if (rv != 0) {
339 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
340 "GnuTLS: Unable to load RSA Params: (%d) %s",
341 rv, gnutls_strerror(rv));
342 exit(rv);
343 }
344 }
345 /* not an error but RSA-EXPORT ciphersuites are not available
346 */ 270 */
347 271
348 apr_pool_destroy(tpool);
349 rv = mgs_cache_post_config(p, s, sc_base); 272 rv = mgs_cache_post_config(p, s, sc_base);
350 if (rv != 0) { 273 if (rv != 0) {
351 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s, 274 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
@@ -355,6 +278,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
355 } 278 }
356 279
357 for (s = base_server; s; s = s->next) { 280 for (s = base_server; s; s = s->next) {
281 void *load = NULL;
358 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 282 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
359 &gnutls_module); 283 &gnutls_module);
360 sc->cache_type = sc_base->cache_type; 284 sc->cache_type = sc_base->cache_type;
@@ -367,16 +291,25 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
367 s->server_hostname, s->port); 291 s->server_hostname, s->port);
368 exit(-1); 292 exit(-1);
369 } 293 }
370
371 if (rsa_params != NULL)
372 gnutls_certificate_set_rsa_export_params(sc->certs,
373 rsa_params);
374 294
375 if (dh_params != NULL) /* not needed but anyway */ 295 /* Check if DH or RSA params have been set per host */
376 gnutls_certificate_set_dh_params(sc->certs, dh_params); 296 if (sc->rsa_params != NULL)
297 load = sc->rsa_params;
298 else if (rsa_params) load = rsa_params;
299
300 if (load != NULL)
301 gnutls_certificate_set_rsa_export_params(sc->certs, load);
377 302
378 303
379 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); 304 load = NULL;
305 if (sc->dh_params != NULL)
306 load = sc->dh_params;
307 else if (dh_params) load = dh_params;
308
309 if (load != NULL) { /* not needed but anyway */
310 gnutls_certificate_set_dh_params(sc->certs, load);
311 gnutls_anon_set_server_dh_params(sc->anon_creds, load);
312 }
380 313
381 gnutls_certificate_server_set_retrieve_function(sc->certs, 314 gnutls_certificate_server_set_retrieve_function(sc->certs,
382 cert_retrieve_fn); 315 cert_retrieve_fn);
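Review bot: `gnutls_dh_params_init(&dh_params)` on new line 250 runs unconditionally, but when the admin supplied parameters the handle is overwritten on line 264 (`} else dh_params = sc_base->dh_params;`) without `gnutls_dh_params_deinit`, so the freshly allocated object leaks on every start; moving the init inside the branch, `if (sc_base->dh_params == NULL) { gnutls_dh_params_init(&dh_params); ... }`, and checking its return avoids that. In the same hunk `exit(rv)` on line 262 passes a negative GnuTLS error code as the process exit status, which the OS truncates to its low byte; `exit(1)` is clearer since the code is already in the log line (the hunk keeps the same `exit(rv)` pattern from the old RSA path). In the last hunk `void *load` carries both a `gnutls_rsa_params_t` and a `gnutls_dh_params_t` through the same untyped variable; two typed locals would let the compiler catch a swapped argument in the `gnutls_certificate_set_*` calls. `rsa_params` is now only ever assigned from `sc_base->rsa_params`, so its initial value must come from a declaration outside these hunks — presumably NULL, worth confirming. mgs_hook_post_config starts before and ends after the hunks shown here.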