aboutsummaryrefslogtreecommitdiffstats
path: root/src/gnutls_config.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/gnutls_config.c')
-rw-r--r--src/gnutls_config.c603
1 files changed, 418 insertions, 185 deletions
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index d3879f1..f08512e 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -1,5 +1,6 @@
1/** 1/**
2 * Copyright 2004-2005 Paul Querna 2 * Copyright 2004-2005 Paul Querna
3 * Copyright 2007 Nikos Mavrogiannopoulos
3 * 4 *
4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License. 6 * you may not use this file except in compliance with the License.
@@ -17,225 +18,449 @@
17 18
18#include "mod_gnutls.h" 19#include "mod_gnutls.h"
19 20
20static int load_datum_from_file(apr_pool_t* pool, 21static int load_datum_from_file(apr_pool_t * pool,
21 const char* file, 22 const char *file, gnutls_datum_t * data)
22 gnutls_datum_t* data)
23{ 23{
24 apr_file_t* fp; 24 apr_file_t *fp;
25 apr_finfo_t finfo; 25 apr_finfo_t finfo;
26 apr_status_t rv; 26 apr_status_t rv;
27 apr_size_t br = 0; 27 apr_size_t br = 0;
28 28
29 rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT, 29 rv = apr_file_open(&fp, file, APR_READ | APR_BINARY, APR_OS_DEFAULT,
30 pool); 30 pool);
31 if (rv != APR_SUCCESS) { 31 if (rv != APR_SUCCESS) {
32 return rv; 32 return rv;
33 } 33 }
34 34
35 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp); 35 rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
36 36
37 if (rv != APR_SUCCESS) { 37 if (rv != APR_SUCCESS) {
38 return rv; 38 return rv;
39 } 39 }
40 40
41 data->data = apr_palloc(pool, finfo.size+1); 41 data->data = apr_palloc(pool, finfo.size + 1);
42 rv = apr_file_read_full(fp, data->data, finfo.size, &br); 42 rv = apr_file_read_full(fp, data->data, finfo.size, &br);
43 43
44 if (rv != APR_SUCCESS) { 44 if (rv != APR_SUCCESS) {
45 return rv; 45 return rv;
46 } 46 }
47 apr_file_close(fp); 47 apr_file_close(fp);
48 48
49 data->data[br] = '\0'; 49 data->data[br] = '\0';
50 data->size = br; 50 data->size = br;
51 51
52 return 0; 52 return 0;
53} 53}
54 54
55const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, 55const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
56 const char *arg) 56 const char *arg)
57{ 57{
58 int ret; 58 int ret;
59 gnutls_datum_t data; 59 gnutls_datum_t data;
60 const char* file; 60 const char *file;
61 apr_pool_t* spool; 61 apr_pool_t *spool;
62 mgs_srvconf_rec *sc = 62 mgs_srvconf_rec *sc =
63 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 63 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
64 module_config, 64 module_config,
65 &gnutls_module); 65 &gnutls_module);
66
66 apr_pool_create(&spool, parms->pool); 67 apr_pool_create(&spool, parms->pool);
67 68
68 file = ap_server_root_relative(spool, arg); 69 file = ap_server_root_relative(spool, arg);
69 70
70 if (load_datum_from_file(spool, file, &data) != 0) { 71 if (load_datum_from_file(spool, file, &data) != 0) {
71 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 72 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
72 "Certificate '%s'", file); 73 "DH params '%s'", file);
73 } 74 }
74 75
75 gnutls_x509_crt_init(&sc->cert_x509); 76 ret = gnutls_dh_params_init(&sc->dh_params);
76 ret = gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM); 77 if (ret < 0) {
78 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
79 ": (%d) %s", ret, gnutls_strerror(ret));
80 }
81
82 ret =
83 gnutls_dh_params_import_pkcs3(sc->dh_params, &data, GNUTLS_X509_FMT_PEM);
84 if (ret < 0) {
85 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
86 "DH params '%s': (%d) %s", file, ret,
87 gnutls_strerror(ret));
88 }
89
90 apr_pool_destroy(spool);
91
92 return NULL;
93}
94
95const char *mgs_set_rsa_export_file(cmd_parms * parms, void *dummy,
96 const char *arg)
97{
98 int ret;
99 gnutls_datum_t data;
100 const char *file;
101 apr_pool_t *spool;
102 mgs_srvconf_rec *sc =
103 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
104 module_config,
105 &gnutls_module);
106
107 apr_pool_create(&spool, parms->pool);
108
109 file = ap_server_root_relative(spool, arg);
110
111 if (load_datum_from_file(spool, file, &data) != 0) {
112 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
113 "RSA params '%s'", file);
114 }
115
116 ret = gnutls_rsa_params_init(&sc->rsa_params);
117 if (ret < 0) {
118 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
119 ": (%d) %s", ret, gnutls_strerror(ret));
120 }
121
122 ret =
123 gnutls_rsa_params_import_pkcs1(sc->rsa_params, &data, GNUTLS_X509_FMT_PEM);
77 if (ret != 0) { 124 if (ret != 0) {
78 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import " 125 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
79 "Certificate'%s': (%d) %s", file, ret, 126 "RSA params '%s': (%d) %s", file, ret,
80 gnutls_strerror(ret)); 127 gnutls_strerror(ret));
81 } 128 }
82 129
130 apr_pool_destroy(spool);
131 return NULL;
132}
133
134
135const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
136 const char *arg)
137{
138 int ret;
139 gnutls_datum_t data;
140 const char *file;
141 apr_pool_t *spool;
142 mgs_srvconf_rec *sc =
143 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
144 module_config,
145 &gnutls_module);
146 apr_pool_create(&spool, parms->pool);
147
148 file = ap_server_root_relative(spool, arg);
149
150 if (load_datum_from_file(spool, file, &data) != 0) {
151 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
152 "Certificate '%s'", file);
153 }
154
155 sc->certs_x509_num = MAX_CHAIN_SIZE;
156 ret =
157 gnutls_x509_crt_list_import(sc->certs_x509, &sc->certs_x509_num, &data, GNUTLS_X509_FMT_PEM, 0);
158 if (ret < 0) {
159 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
160 "Certificate '%s': (%d) %s", file, ret,
161 gnutls_strerror(ret));
162 }
163
83 apr_pool_destroy(spool); 164 apr_pool_destroy(spool);
84 return NULL; 165 return NULL;
85} 166}
86 167
87const char *mgs_set_key_file(cmd_parms * parms, void *dummy, 168const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
88 const char *arg) 169 const char *arg)
89{ 170{
90 int ret; 171 int ret;
91 gnutls_datum_t data; 172 gnutls_datum_t data;
92 const char* file; 173 const char *file;
93 apr_pool_t* spool; 174 apr_pool_t *spool;
94 mgs_srvconf_rec *sc = 175 mgs_srvconf_rec *sc =
95 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 176 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
96 module_config, 177 module_config,
97 &gnutls_module); 178 &gnutls_module);
98 apr_pool_create(&spool, parms->pool); 179 apr_pool_create(&spool, parms->pool);
99 180
100 file = ap_server_root_relative(spool, arg); 181 file = ap_server_root_relative(spool, arg);
101 182
102 if (load_datum_from_file(spool, file, &data) != 0) { 183 if (load_datum_from_file(spool, file, &data) != 0) {
103 return apr_psprintf(parms->pool, "GnuTLS: Error Reading " 184 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
104 "Private Key '%s'", file); 185 "Private Key '%s'", file);
105 } 186 }
106 187
107 gnutls_x509_privkey_init(&sc->privkey_x509); 188 ret = gnutls_x509_privkey_init(&sc->privkey_x509);
108 ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM); 189 if (ret < 0) {
190 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
191 ": (%d) %s", ret, gnutls_strerror(ret));
192 }
193
194 ret =
195 gnutls_x509_privkey_import(sc->privkey_x509, &data,
196 GNUTLS_X509_FMT_PEM);
109 if (ret != 0) { 197 if (ret != 0) {
110 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import " 198 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
111 "Private Key '%s': (%d) %s", file, ret, 199 "Private Key '%s': (%d) %s", file, ret,
112 gnutls_strerror(ret)); 200 gnutls_strerror(ret));
113 } 201 }
114 apr_pool_destroy(spool); 202 apr_pool_destroy(spool);
115 return NULL; 203 return NULL;
116} 204}
117 205
206const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
207 const char *arg)
208{
209 int ret;
210 gnutls_datum_t data;
211 const char *file;
212 apr_pool_t *spool;
213 mgs_srvconf_rec *sc =
214 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
215 module_config,
216 &gnutls_module);
217 apr_pool_create(&spool, parms->pool);
218
219 file = ap_server_root_relative(spool, arg);
220
221 if (load_datum_from_file(spool, file, &data) != 0) {
222 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
223 "Certificate '%s'", file);
224 }
225
226 ret = gnutls_openpgp_crt_init( &sc->cert_pgp);
227 if (ret < 0) {
228 return apr_psprintf(parms->pool, "GnuTLS: Failed to Init "
229 "PGP Certificate: (%d) %s", ret,
230 gnutls_strerror(ret));
231 }
232
233 ret =
234 gnutls_openpgp_crt_import(sc->cert_pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
235 if (ret < 0) {
236 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
237 "PGP Certificate '%s': (%d) %s", file, ret,
238 gnutls_strerror(ret));
239 }
240
241 apr_pool_destroy(spool);
242 return NULL;
243}
244
245const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
246 const char *arg)
247{
248 int ret;
249 gnutls_datum_t data;
250 const char *file;
251 apr_pool_t *spool;
252 mgs_srvconf_rec *sc =
253 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
254 module_config,
255 &gnutls_module);
256 apr_pool_create(&spool, parms->pool);
257
258 file = ap_server_root_relative(spool, arg);
259
260 if (load_datum_from_file(spool, file, &data) != 0) {
261 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
262 "Private Key '%s'", file);
263 }
264
265 ret = gnutls_openpgp_privkey_init(&sc->privkey_pgp);
266 if (ret < 0) {
267 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
268 ": (%d) %s", ret, gnutls_strerror(ret));
269 }
270
271 ret =
272 gnutls_openpgp_privkey_import(sc->privkey_pgp, &data,
273 GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
274 if (ret != 0) {
275 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
276 "PGP Private Key '%s': (%d) %s", file, ret,
277 gnutls_strerror(ret));
278 }
279 apr_pool_destroy(spool);
280 return NULL;
281}
282
283
284const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
285 const char *arg)
286{
287 mgs_srvconf_rec *sc =
288 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
289 module_config,
290 &gnutls_module);
291
292 sc->srp_tpasswd_file = ap_server_root_relative(parms->pool, arg);
293
294 return NULL;
295}
296
297const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
298 const char *arg)
299{
300 mgs_srvconf_rec *sc =
301 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
302 module_config,
303 &gnutls_module);
304
305 sc->srp_tpasswd_conf_file = ap_server_root_relative(parms->pool, arg);
306
307 return NULL;
308}
309
118const char *mgs_set_cache(cmd_parms * parms, void *dummy, 310const char *mgs_set_cache(cmd_parms * parms, void *dummy,
119 const char *type, const char* arg) 311 const char *type, const char *arg)
120{ 312{
121 const char* err; 313 const char *err;
122 mgs_srvconf_rec *sc = ap_get_module_config(parms->server-> 314 mgs_srvconf_rec *sc = ap_get_module_config(parms->server->
123 module_config, 315 module_config,
124 &gnutls_module); 316 &gnutls_module);
125 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) { 317 if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
126 return err; 318 return err;
127 } 319 }
128 320
129 if (strcasecmp("none", type) == 0) { 321 if (strcasecmp("none", type) == 0) {
130 sc->cache_type = mgs_cache_none; 322 sc->cache_type = mgs_cache_none;
131 } 323 } else if (strcasecmp("dbm", type) == 0) {
132 else if (strcasecmp("dbm", type) == 0) { 324 sc->cache_type = mgs_cache_dbm;
133 sc->cache_type = mgs_cache_dbm;
134 } 325 }
135#if HAVE_APR_MEMCACHE 326#if HAVE_APR_MEMCACHE
136 else if (strcasecmp("memcache", type) == 0) { 327 else if (strcasecmp("memcache", type) == 0) {
137 sc->cache_type = mgs_cache_memcache; 328 sc->cache_type = mgs_cache_memcache;
138 } 329 }
139#endif 330#endif
140 else { 331 else {
141 return "Invalid Type for GnuTLSCache!"; 332 return "Invalid Type for GnuTLSCache!";
142 } 333 }
143 334
144 if (sc->cache_type == mgs_cache_dbm) { 335 if (sc->cache_type == mgs_cache_dbm) {
145 sc->cache_config = ap_server_root_relative(parms->pool, arg); 336 sc->cache_config = ap_server_root_relative(parms->pool, arg);
146 } 337 } else {
147 else { 338 sc->cache_config = apr_pstrdup(parms->pool, arg);
148 sc->cache_config = apr_pstrdup(parms->pool, arg);
149 } 339 }
150 340
151 return NULL; 341 return NULL;
152} 342}
153 343
154const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy, 344const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
155 const char *arg) 345 const char *arg)
156{ 346{
157 int argint; 347 int argint;
158 mgs_srvconf_rec *sc = 348 mgs_srvconf_rec *sc =
159 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 349 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
160 module_config, 350 module_config,
161 &gnutls_module); 351 &gnutls_module);
162 352
163 argint = atoi(arg); 353 argint = atoi(arg);
164 354
165 if (argint < 0) { 355 if (argint < 0) {
166 return "GnuTLSCacheTimeout: Invalid argument"; 356 return "GnuTLSCacheTimeout: Invalid argument";
167 } 357 } else if (argint == 0) {
168 else if (argint == 0) { 358 sc->cache_timeout = 0;
169 sc->cache_timeout = 0; 359 } else {
360 sc->cache_timeout = apr_time_from_sec(argint);
170 } 361 }
171 else { 362
172 sc->cache_timeout = apr_time_from_sec(argint);
173 }
174
175 return NULL; 363 return NULL;
176} 364}
177 365
178const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, 366const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
179 const char *arg) 367 const char *arg)
180{ 368{
181 int mode; 369 int mode;
182 370
183 if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) { 371 if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) {
184 mode = GNUTLS_CERT_IGNORE; 372 mode = GNUTLS_CERT_IGNORE;
185 } 373 } else if (strcasecmp("optional", arg) == 0
186 else if (strcasecmp("optional", arg) == 0 || strcasecmp("request", arg) == 0) { 374 || strcasecmp("request", arg) == 0) {
187 mode = GNUTLS_CERT_REQUEST; 375 mode = GNUTLS_CERT_REQUEST;
188 } 376 } else if (strcasecmp("require", arg) == 0) {
189 else if (strcasecmp("require", arg) == 0) { 377 mode = GNUTLS_CERT_REQUIRE;
190 mode = GNUTLS_CERT_REQUIRE; 378 } else {
191 } 379 return "GnuTLSClientVerify: Invalid argument";
192 else {
193 return "GnuTLSClientVerify: Invalid argument";
194 } 380 }
195 381
196 /* This was set from a directory context */ 382 /* This was set from a directory context */
197 if (parms->path) { 383 if (parms->path) {
198 mgs_dirconf_rec *dc = (mgs_dirconf_rec *)dummy; 384 mgs_dirconf_rec *dc = (mgs_dirconf_rec *) dummy;
199 dc->client_verify_mode = mode; 385 dc->client_verify_mode = mode;
200 } 386 } else {
201 else { 387 mgs_srvconf_rec *sc =
202 mgs_srvconf_rec *sc = 388 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
203 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 389 module_config,
204 module_config, 390 &gnutls_module);
205 &gnutls_module); 391 sc->client_verify_mode = mode;
206 sc->client_verify_mode = mode;
207 } 392 }
208 393
209 return NULL; 394 return NULL;
210} 395}
211 396
212const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, 397const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
213 const char *arg) 398 const char *arg)
214{ 399{
215 int rv; 400 int rv;
216 const char* file; 401 const char *file;
217 apr_pool_t* spool; 402 apr_pool_t *spool;
218 gnutls_datum_t data; 403 gnutls_datum_t data;
219 404
220 mgs_srvconf_rec *sc = 405 mgs_srvconf_rec *sc =
221 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 406 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
222 module_config, 407 module_config,
223 &gnutls_module); 408 &gnutls_module);
224 apr_pool_create(&spool, parms->pool); 409 apr_pool_create(&spool, parms->pool);
225 410
226 file = ap_server_root_relative(spool, arg); 411 file = ap_server_root_relative(spool, arg);
227 412
228 sc->ca_list_size = 16; 413 if (load_datum_from_file(spool, file, &data) != 0) {
414 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
415 "Client CA File '%s'", file);
416 }
417
418 sc->ca_list_size = MAX_CA_CRTS;
419 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
420 &data, GNUTLS_X509_FMT_PEM,
421 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
422 if (rv < 0) {
423 return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
424 "Client CA File '%s': (%d) %s", file, rv,
425 gnutls_strerror(rv));
426 }
229 427
230 load_datum_from_file(spool, file, &data); 428 apr_pool_destroy(spool);
429 return NULL;
430}
231 431
232 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, 432const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
233 &data, GNUTLS_X509_FMT_PEM, 433 const char *arg)
234 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); 434{
435 int rv;
436 const char *file;
437 apr_pool_t *spool;
438 gnutls_datum_t data;
439
440 mgs_srvconf_rec *sc =
441 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
442 module_config,
443 &gnutls_module);
444 apr_pool_create(&spool, parms->pool);
445
446 file = ap_server_root_relative(spool, arg);
447
448 if (load_datum_from_file(spool, file, &data) != 0) {
449 return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
450 "Keyring File '%s'", file);
451 }
452
453 rv = gnutls_openpgp_keyring_init(&sc->pgp_list);
235 if (rv < 0) { 454 if (rv < 0) {
236 return apr_psprintf(parms->pool, "GnuTLS: Failed to load " 455 return apr_psprintf(parms->pool, "GnuTLS: Failed to initialize"
237 "Client CA File '%s': (%d) %s", file, rv, 456 "keyring: (%d) %s", rv, gnutls_strerror(rv));
238 gnutls_strerror(rv)); 457 }
458
459 rv = gnutls_openpgp_keyring_import(sc->pgp_list, &data, GNUTLS_OPENPGP_FMT_BASE64);
460 if (rv < 0) {
461 return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
462 "Keyring File '%s': (%d) %s", file, rv,
463 gnutls_strerror(rv));
239 } 464 }
240 465
241 apr_pool_destroy(spool); 466 apr_pool_destroy(spool);
@@ -243,20 +468,57 @@ const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
243} 468}
244 469
245const char *mgs_set_enabled(cmd_parms * parms, void *dummy, 470const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
246 const char *arg) 471 const char *arg)
247{ 472{
248 mgs_srvconf_rec *sc = 473 mgs_srvconf_rec *sc =
249 (mgs_srvconf_rec *) ap_get_module_config(parms->server-> 474 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
250 module_config, 475 module_config,
251 &gnutls_module); 476 &gnutls_module);
252 if (!strcasecmp(arg, "On")) { 477 if (!strcasecmp(arg, "On")) {
253 sc->enabled = GNUTLS_ENABLED_TRUE; 478 sc->enabled = GNUTLS_ENABLED_TRUE;
479 } else if (!strcasecmp(arg, "Off")) {
480 sc->enabled = GNUTLS_ENABLED_FALSE;
481 } else {
482 return "GnuTLSEnable must be set to 'On' or 'Off'";
254 } 483 }
255 else if (!strcasecmp(arg, "Off")) { 484
256 sc->enabled = GNUTLS_ENABLED_FALSE; 485 return NULL;
486}
487
488const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy,
489 const char *arg)
490{
491 mgs_srvconf_rec *sc =
492 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
493 module_config,
494 &gnutls_module);
495 if (!strcasecmp(arg, "On")) {
496 sc->export_certificates_enabled = GNUTLS_ENABLED_TRUE;
497 } else if (!strcasecmp(arg, "Off")) {
498 sc->export_certificates_enabled = GNUTLS_ENABLED_FALSE;
499 } else {
500 return "GnuTLSExportCertificates must be set to 'On' or 'Off'";
257 } 501 }
258 else { 502
259 return "GnuTLSEnable must be set to 'On' or 'Off'"; 503 return NULL;
504}
505
506
507const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg)
508{
509 int ret;
510 const char *err;
511 mgs_srvconf_rec *sc =
512 (mgs_srvconf_rec *) ap_get_module_config(parms->server->
513 module_config,
514 &gnutls_module);
515
516
517 ret = gnutls_priority_init( &sc->priorities, arg, &err);
518 if (ret < 0) {
519 if (ret == GNUTLS_E_INVALID_REQUEST)
520 return apr_psprintf(parms->pool, "GnuTLS: Syntax error parsing priorities string at: %s", err);
521 return "Error setting priorities";
260 } 522 }
261 523
262 return NULL; 524 return NULL;
@@ -264,92 +526,63 @@ const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
264 526
265void *mgs_config_server_create(apr_pool_t * p, server_rec * s) 527void *mgs_config_server_create(apr_pool_t * p, server_rec * s)
266{ 528{
267 int i;
268 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 529 mgs_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
530 int ret;
269 531
270 sc->enabled = GNUTLS_ENABLED_FALSE; 532 sc->enabled = GNUTLS_ENABLED_FALSE;
271 533
272 gnutls_certificate_allocate_credentials(&sc->certs); 534 ret = gnutls_certificate_allocate_credentials(&sc->certs);
535 if (ret < 0) {
536 return apr_psprintf(p, "GnuTLS: Failed to initialize"
537 ": (%d) %s", ret, gnutls_strerror(ret));
538 }
539
540 ret = gnutls_anon_allocate_server_credentials(&sc->anon_creds);
541 if (ret < 0) {
542 return apr_psprintf(p, "GnuTLS: Failed to initialize"
543 ": (%d) %s", ret, gnutls_strerror(ret));
544 }
545
546 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
547 if (ret < 0) {
548 return apr_psprintf(p, "GnuTLS: Failed to initialize"
549 ": (%d) %s", ret, gnutls_strerror(ret));
550 }
551
552 sc->srp_tpasswd_conf_file = NULL;
553 sc->srp_tpasswd_file = NULL;
273 sc->privkey_x509 = NULL; 554 sc->privkey_x509 = NULL;
274 sc->cert_x509 = NULL; 555 memset( sc->certs_x509, 0, sizeof(sc->certs_x509));
556 sc->certs_x509_num = 0;
275 sc->cache_timeout = apr_time_from_sec(300); 557 sc->cache_timeout = apr_time_from_sec(300);
276 sc->cache_type = mgs_cache_dbm; 558 sc->cache_type = mgs_cache_dbm;
277 sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache"); 559 sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
278 560
279 /* TODO: Make this Configurable. But it isn't configurable in mod_ssl? */
280 sc->dh_params_file = ap_server_root_relative(p, "conf/dhfile");
281 sc->rsa_params_file = ap_server_root_relative(p, "conf/rsafile");
282
283 /* Finish SSL Client Certificate Support */
284 sc->client_verify_mode = GNUTLS_CERT_IGNORE; 561 sc->client_verify_mode = GNUTLS_CERT_IGNORE;
285 562
286 /* TODO: Make this Configurable ! */
287 /* mod_ssl uses a flex based parser for this part.. sigh */
288 i = 0;
289 sc->ciphers[i++] = GNUTLS_CIPHER_AES_256_CBC;
290 sc->ciphers[i++] = GNUTLS_CIPHER_AES_128_CBC;
291 sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128;
292 sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC;
293 sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40;
294 sc->ciphers[i] = 0;
295
296 i = 0;
297 sc->key_exchange[i++] = GNUTLS_KX_RSA;
298 sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT;
299 sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
300 sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA;
301 sc->key_exchange[i++] = GNUTLS_KX_ANON_DH;
302 sc->key_exchange[i++] = GNUTLS_KX_SRP;
303 sc->key_exchange[i++] = GNUTLS_KX_SRP_RSA;
304 sc->key_exchange[i++] = GNUTLS_KX_SRP_DSS;
305 sc->key_exchange[i] = 0;
306
307 i = 0;
308 sc->macs[i++] = GNUTLS_MAC_SHA;
309 sc->macs[i++] = GNUTLS_MAC_MD5;
310 sc->macs[i++] = GNUTLS_MAC_RMD160;
311 sc->macs[i] = 0;
312
313 i = 0;
314 sc->protocol[i++] = GNUTLS_TLS1_1;
315 sc->protocol[i++] = GNUTLS_TLS1;
316 sc->protocol[i++] = GNUTLS_SSL3;
317 sc->protocol[i] = 0;
318
319 i = 0;
320 sc->compression[i++] = GNUTLS_COMP_NULL;
321 sc->compression[i++] = GNUTLS_COMP_ZLIB;
322 sc->compression[i++] = GNUTLS_COMP_LZO;
323 sc->compression[i] = 0;
324
325 i = 0;
326 sc->cert_types[i++] = GNUTLS_CRT_X509;
327 sc->cert_types[i] = 0;
328
329 return sc; 563 return sc;
330} 564}
331 565
332void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv) 566void *mgs_config_dir_merge(apr_pool_t * p, void *basev, void *addv)
333{ 567{
334 mgs_dirconf_rec *new; 568 mgs_dirconf_rec *new;
335 mgs_dirconf_rec *base = (mgs_dirconf_rec *) basev; 569/* mgs_dirconf_rec *base = (mgs_dirconf_rec *) basev; */
336 mgs_dirconf_rec *add = (mgs_dirconf_rec *) addv; 570 mgs_dirconf_rec *add = (mgs_dirconf_rec *) addv;
337 571
338 new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec)); 572 new = (mgs_dirconf_rec *) apr_pcalloc(p, sizeof(mgs_dirconf_rec));
339 new->lua_bytecode = apr_pstrmemdup(p, add->lua_bytecode, 573 new->lua_bytecode = apr_pstrmemdup(p, add->lua_bytecode,
340 add->lua_bytecode_len); 574 add->lua_bytecode_len);
341 new->lua_bytecode_len = add->lua_bytecode_len; 575 new->lua_bytecode_len = add->lua_bytecode_len;
342 new->client_verify_mode = add->client_verify_mode; 576 new->client_verify_mode = add->client_verify_mode;
343 return new; 577 return new;
344} 578}
345 579
346void *mgs_config_dir_create(apr_pool_t *p, char *dir) 580void *mgs_config_dir_create(apr_pool_t * p, char *dir)
347{ 581{
348 mgs_dirconf_rec *dc = apr_palloc(p, sizeof(*dc)); 582 mgs_dirconf_rec *dc = apr_palloc(p, sizeof(*dc));
349 583
350 dc->client_verify_mode = -1; 584 dc->client_verify_mode = -1;
351 dc->lua_bytecode = NULL; 585 dc->lua_bytecode = NULL;
352 dc->lua_bytecode_len = 0; 586 dc->lua_bytecode_len = 0;
353 return dc; 587 return dc;
354} 588}
355
generated by cgit (git 2.34.1) at 2025-12-24 12:09:49 +0000