author | Nikos Mavrogiannopoulos | 2007-12-03 18:26:23 +0000 |
---|---|---|
committer | Nokis Mavrogiannopoulos | 2007-12-03 18:26:23 +0000 |
commit | a3c97d1f759cf5fce5dc5fa7aeb5b4812e6c89a1 (patch) | |
tree | e43ac10d8d663abc12c958695243485398c1e6a9 /src | |
parent | 2226711353fe0895769ba4c2bc5bf7017cbc4d89 (diff) |
better handling of RSAFile and DHFile
Diffstat (limited to 'src')
-rw-r--r-- | src/gnutls_config.c | 49 | ||||
-rw-r--r-- | src/gnutls_hooks.c | 133 |
2 files changed, 79 insertions, 103 deletions
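--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -54,12 +54,34 @@ static int load_datum_from_file(apr_pool_t * pool,
 const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
 const char *arg)
 {
+int ret;
+gnutls_datum_t data;
+const char *file;
+apr_pool_t *spool;
 mgs_srvconf_rec *sc =
 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
 module_config,
 &gnutls_module);
 
-sc->dh_params_file = ap_server_root_relative(parms->pool, arg);
+apr_pool_create(&spool, parms->pool);
+
+file = ap_server_root_relative(spool, arg);
+
+if (load_datum_from_file(spool, file, &data) != 0) {
+return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+"DH params '%s'", file);
+}
+
+gnutls_dh_params_init(&sc->dh_params);
+ret =
+gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
+if (ret != 0) {
+return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+"DH params '%s': (%d) %s", file, ret,
+gnutls_strerror(ret));
+}
+
+apr_pool_destroy(spool);
 
 return NULL;
 }
@@ -67,13 +89,34 @@ const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
 const char *mgs_set_rsa_export_file(cmd_parms * parms, void *dummy,
 const char *arg)
 {
+int ret;
+gnutls_datum_t data;
+const char *file;
+apr_pool_t *spool;
 mgs_srvconf_rec *sc =
 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
 module_config,
 &gnutls_module);
 
-sc->rsa_params_file = ap_server_root_relative(parms->pool, arg);
+apr_pool_create(&spool, parms->pool);
+
+file = ap_server_root_relative(spool, arg);
+
+if (load_datum_from_file(spool, file, &data) != 0) {
+return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+"RSA params '%s'", file);
+}
+
+gnutls_rsa_params_init(&sc->rsa_params);
+ret =
+gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
+if (ret != 0) {
+return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+"RSA params '%s': (%d) %s", file, ret,
+gnutls_strerror(ret));
+}
 
+apr_pool_destroy(spool);
 return NULL;
 }
 
@@ -103,7 +146,7 @@ const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
 gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
 if (ret != 0) {
 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
-"Certificate'%s': (%d) %s", file, ret,
+"Certificate '%s': (%d) %s", file, ret,
 gnutls_strerror(ret));
 }
 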
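Review bot: The return value of `gnutls_dh_params_init(&sc->dh_params)` in mgs_set_dh_file (new line 75) is discarded, so if initialization fails the handle handed to gnutls_dh_params_import_pkcs3 on the next line is unset; the `gnutls_rsa_params_init` call in the mgs_set_rsa_export_file hunk has the same gap. Reusing `ret`, e.g. `ret = gnutls_dh_params_init(&sc->dh_params); if (ret != 0) return apr_psprintf(parms->pool, "GnuTLS: Failed to Init DH params '%s': (%d) %s", file, ret, gnutls_strerror(ret));`, keeps the error reporting consistent with the import check below it. Both functions also return from their error paths without `apr_pool_destroy(spool)`; since spool is a child of parms->pool it is reclaimed with its parent, but destroying it before each early return (or a single cleanup label) would make the functions self-contained, and note that `file` lives in spool so the error messages must keep formatting it before that destroy, as they do now.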
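--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -84,48 +84,6 @@ mgs_hook_pre_config(apr_pool_t * pconf,
 return OK;
 }
 
-
-static gnutls_datum
-load_params(const char *file, server_rec * s, apr_pool_t * pool)
-{
-gnutls_datum ret = { NULL, 0 };
-apr_file_t *fp;
-apr_finfo_t finfo;
-apr_status_t rv;
-apr_size_t br = 0;
-
-rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
-pool);
-if (rv != APR_SUCCESS) {
-ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-"GnuTLS failed to load params file at: %s. Will use internal params.",
-file);
-return ret;
-}
-
-rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
-
-if (rv != APR_SUCCESS) {
-ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-"GnuTLS failed to stat params file at: %s", file);
-return ret;
-}
-
-ret.data = apr_palloc(pool, finfo.size + 1);
-rv = apr_file_read_full(fp, ret.data, finfo.size, &br);
-
-if (rv != APR_SUCCESS) {
-ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
-"GnuTLS failed to read params file at: %s", file);
-return ret;
-}
-apr_file_close(fp);
-ret.data[br] = '\0';
-ret.size = br;
-
-return ret;
-}
-
 /* We don't support openpgp certificates, yet */
 const static int cert_type_prio[2] = { GNUTLS_CRT_X509, 0 };
 
@@ -284,68 +242,33 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
 
 
 {
-gnutls_datum pdata = { NULL, 0 };
-apr_pool_t *tpool;
 s = base_server;
 sc_base =
 (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
 &gnutls_module);
 
-apr_pool_create(&tpool, p);
-
-
 gnutls_dh_params_init(&dh_params);
 
-if (sc_base->dh_params_file)
-pdata = load_params(sc_base->dh_params_file, s, tpool);
-
-if (pdata.size != 0) {
-rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
-GNUTLS_X509_FMT_PEM);
-if (rv != 0) {
-ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-"GnuTLS: Unable to load DH Params: (%d) %s",
-rv, gnutls_strerror(rv));
-exit(rv);
-}
-} else {
-/* If the file does not exist use internal parameters
-*/
-pdata.data = (void *) static_dh_params;
-pdata.size = sizeof(static_dh_params);
-rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
+if (sc_base->dh_params == NULL) {
+gnutls_datum pdata = { (void *) static_dh_params, sizeof(static_dh_params) };
+/* loading defaults */
+rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
 GNUTLS_X509_FMT_PEM);
 
 if (rv < 0) {
 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-"GnuTLS: Unable to load internal DH Params."
-" Shutting down.");
-exit(-1);
+"GnuTLS: Unable to load DH Params: (%d) %s",
+rv, gnutls_strerror(rv));
+exit(rv);
 }
-}
-apr_pool_clear(tpool);
-
-pdata.data = NULL;
-pdata.size = 0;
-
-if (sc_base->rsa_params_file)
-pdata = load_params(sc_base->rsa_params_file, s, tpool);
-
-if (pdata.size != 0) {
-gnutls_rsa_params_init(&rsa_params);
-rv = gnutls_rsa_params_import_pkcs1(rsa_params, &pdata,
-GNUTLS_X509_FMT_PEM);
-if (rv != 0) {
-ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-"GnuTLS: Unable to load RSA Params: (%d) %s",
-rv, gnutls_strerror(rv));
-exit(rv);
-}
-}
-/* not an error but RSA-EXPORT ciphersuites are not available
+} else dh_params = sc_base->dh_params;
+
+if (sc_base->rsa_params != NULL)
+rsa_params = sc_base->rsa_params;
+
+/* else not an error but RSA-EXPORT ciphersuites are not available
 */
 
-apr_pool_destroy(tpool);
 rv = mgs_cache_post_config(p, s, sc_base);
 if (rv != 0) {
 ap_log_error(APLOG_MARK, APLOG_STARTUP, rv, s,
@@ -355,6 +278,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
 }
 
 for (s = base_server; s; s = s->next) {
+void *load = NULL;
 sc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
 &gnutls_module);
 sc->cache_type = sc_base->cache_type;
@@ -367,16 +291,25 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
 s->server_hostname, s->port);
 exit(-1);
 }
-
-if (rsa_params != NULL)
-gnutls_certificate_set_rsa_export_params(sc->certs,
-rsa_params);
 
-if (dh_params != NULL) /* not needed but anyway */
-gnutls_certificate_set_dh_params(sc->certs, dh_params);
+/* Check if DH or RSA params have been set per host */
+if (sc->rsa_params != NULL)
+load = sc->rsa_params;
+else if (rsa_params) load = rsa_params;
+
+if (load != NULL)
+gnutls_certificate_set_rsa_export_params(sc->certs, load);
 
 
-gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params);
+load = NULL;
+if (sc->dh_params != NULL)
+load = sc->dh_params;
+else if (dh_params) load = dh_params;
+
+if (load != NULL) { /* not needed but anyway */
+gnutls_certificate_set_dh_params(sc->certs, load);
+gnutls_anon_set_server_dh_params(sc->anon_creds, load);
+}
 
 gnutls_certificate_server_set_retrieve_function(sc->certs,
 cert_retrieve_fn);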
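Review bot: `gnutls_dh_params_init(&dh_params)` (new line 250 in the second hunk) now runs unconditionally, and the `else dh_params = sc_base->dh_params;` branch at new line 264 overwrites that freshly initialized handle, so whenever a DHFile was configured the handle is allocated and never released; its return value is also unchecked. Moving the init inside the branch that actually uses it, `if (sc_base->dh_params == NULL) { rv = gnutls_dh_params_init(&dh_params);` followed by the same `rv < 0` log-and-exit treatment the import below already gets, fixes both. In the last hunk the single `void *load` local is reused for both an RSA and a DH handle, which discards the distinction between gnutls_rsa_params_t and gnutls_dh_params_t and lets a mix-up between the two `gnutls_certificate_set_*` calls compile silently; two typed locals would keep the compiler's check at no cost. mgs_hook_post_config begins before these hunks and continues after the last one.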