From 46b85d8e3634f34c0142823d92b037dd33b67898 Mon Sep 17 00:00:00 2001
From: Paul Querna
Date: Sun, 24 Apr 2005 22:01:46 +0000
Subject: move config functions to their own file.
---
 include/mod_gnutls.h.in | 27 +++
 mod_gnutls.xcode/project.pbxproj | 10 +
 src/Makefile.am | 2 +-
 src/gnutls_cache.c | 2 +-
 src/gnutls_config.c | 328 ++++++++++++++++++++++++++++++++
 src/mod_gnutls.c | 402 +++++----------------------------------
 6 files changed, 415 insertions(+), 356 deletions(-)
 create mode 100644 src/gnutls_config.c
diff --git a/include/mod_gnutls.h.in b/include/mod_gnutls.h.in
index 62cae02..61b0198 100644
--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -212,4 +212,31 @@ int mod_gnutls_cache_session_init(mod_gnutls_handle_t *ctxt);
 char *mod_gnutls_session_id2sz(unsigned char *id, int idlen, char *str, int strsize);
+/* Configuration Functions */
+
+const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
+ const char *arg);
+
+const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
+ const char *arg);
+
+const char *mgs_set_cache(cmd_parms * parms, void *dummy,
+ const char *type, const char* arg);
+
+const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
+ const char *arg);
+
+const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
+ const char *arg);
+
+const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
+ const char *arg);
+
+const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
+ const char *arg);
+
+void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
+
+void *mgs_config_dir_create(apr_pool_t *p, char *dir);
+
 #endif /* __mod_gnutls_h_inc */
diff --git a/mod_gnutls.xcode/project.pbxproj b/mod_gnutls.xcode/project.pbxproj
index 7b9c1e0..fd24bb2 100644
--- a/mod_gnutls.xcode/project.pbxproj
+++ b/mod_gnutls.xcode/project.pbxproj
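Review bot: The nine prototypes added to mod_gnutls.h.in carry no contract comment, although `void *dummy` means different things across them — `mgs_set_client_verify` casts it to `mod_gnutls_dirconf_rec *` when `parms->path` is set, the other handlers ignore it — and a caller has to know the Apache convention that NULL means success and any non-NULL string is the error to report. A short block comment above the group would settle both, e.g. `/* Directive handlers: return NULL on success, else an error string (static literal or allocated from parms->pool). dummy is the per-directory mod_gnutls_dirconf_rec for GnuTLSClientVerify and unused elsewhere. */`. `mgs_config_dir_create` is now also called from mod_gnutls.c with a NULL `dir`, which is worth stating on its prototype since Apache itself passes a path there.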
@@ -5,8 +5,18 @@ }; objectVersion = 39; objects = { + 4541F3BA081C4B1A007457C1 = { + fileEncoding = 30; + isa = PBXFileReference; + lastKnownFileType = sourcecode.c.c; + name = gnutls_config.c; + path = src/gnutls_config.c; + refType = 2; + sourceTree = SOURCE_ROOT; + }; 45B624630802F1E200CBFD9A = { children = ( + 4541F3BA081C4B1A007457C1, 45B6246D0802F20D00CBFD9A, 45B6247D0802F85B00CBFD9A, 45B6247A0802F84500CBFD9A,
diff --git a/src/Makefile.am b/src/Makefile.am
index 30315a1..a15fc57 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,6 +1,6 @@
 CLEANFILES = .libs/libmod_gnutls *~
-libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c
+libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c
 libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR} -module -avoid-version ${MODULE_LIBS}
diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c
index eaeeea6..8499b84 100644
--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -79,7 +79,7 @@ char *mod_gnutls_session_id2sz(unsigned char *id, int idlen,
 /* The underlying apr_memcache system is thread safe... woohoo */
 static apr_memcache_t* mc;
-int mc_cache_child_init(apr_pool_t *p, server_rec *s,
+static int mc_cache_child_init(apr_pool_t *p, server_rec *s,
 mod_gnutls_srvconf_rec *sc)
 {
 apr_status_t rv = APR_SUCCESS;
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
new file mode 100644
index 0000000..2c29ccb
--- /dev/null
+++ b/src/gnutls_config.c
@@ -0,0 +1,328 @@
+/**
+ * Copyright 2004-2005 Paul Querna
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "mod_gnutls.h"
+
+static int load_datum_from_file(apr_pool_t* pool,
+ const char* file,
+ gnutls_datum_t* data)
+{
+ apr_file_t* fp;
+ apr_finfo_t finfo;
+ apr_status_t rv;
+ apr_size_t br = 0;
+
+ rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT,
+ pool);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+
+ rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
+
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+
+ data->data = apr_palloc(pool, finfo.size+1);
+ rv = apr_file_read_full(fp, data->data, finfo.size, &br);
+
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+ apr_file_close(fp);
+
+ data->data[br] = '\0';
+ data->size = br;
+
+ return 0;
+}
+
+const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ int ret;
+ gnutls_datum_t data;
+ const char* file;
+ apr_pool_t* spool;
+ mod_gnutls_srvconf_rec *sc =
+ (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+ apr_pool_create(&spool, parms->pool);
+
+ file = ap_server_root_relative(spool, arg);
+
+ if (load_datum_from_file(spool, file, &data) != 0) {
+ return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+ "Certificate '%s'", file);
+ }
+
+ gnutls_x509_crt_init(&sc->cert_x509);
+ ret = gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
+ if (ret != 0) {
+ return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+ "Certificate'%s': (%d) %s", file, ret,
+ gnutls_strerror(ret));
+ }
+
+ apr_pool_destroy(spool);
+ return NULL;
+}
+
+const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ int ret;
+ gnutls_datum_t data;
+ const char* file;
+ apr_pool_t* spool;
+ mod_gnutls_srvconf_rec *sc =
+ (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+ apr_pool_create(&spool, parms->pool);
+
+ file = ap_server_root_relative(spool, arg);
+
+ if (load_datum_from_file(spool, file, &data) != 0) {
+ return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
+ "Private Key '%s'", file);
+ }
+
+ gnutls_x509_privkey_init(&sc->privkey_x509);
+ ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM);
+ if (ret != 0) {
+ return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
+ "Private Key '%s': (%d) %s", file, ret,
+ gnutls_strerror(ret));
+ }
+ apr_pool_destroy(spool);
+ return NULL;
+}
+
+const char *mgs_set_cache(cmd_parms * parms, void *dummy,
+ const char *type, const char* arg)
+{
+ const char* err;
+ mod_gnutls_srvconf_rec *sc = ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+ if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
+ return err;
+ }
+
+ if (strcasecmp("none", type) == 0) {
+ sc->cache_type = mod_gnutls_cache_none;
+ }
+ else if (strcasecmp("dbm", type) == 0) {
+ sc->cache_type = mod_gnutls_cache_dbm;
+ }
+#if HAVE_APR_MEMCACHE
+ else if (strcasecmp("memcache", type) == 0) {
+ sc->cache_type = mod_gnutls_cache_memcache;
+ }
+#endif
+ else {
+ return "Invalid Type for GnuTLSCache!";
+ }
+
+ if (sc->cache_type == mod_gnutls_cache_dbm) {
+ sc->cache_config = ap_server_root_relative(parms->pool, arg);
+ }
+ else {
+ sc->cache_config = apr_pstrdup(parms->pool, arg);
+ }
+
+ return NULL;
+}
+
+const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ int argint;
+ mod_gnutls_srvconf_rec *sc =
+ (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+
+ argint = atoi(arg);
+
+ if (argint < 0) {
+ return "GnuTLSCacheTimeout: Invalid argument";
+ }
+ else if (argint == 0) {
+ sc->cache_timeout = 0;
+ }
+ else {
+ sc->cache_timeout = apr_time_from_sec(argint);
+ }
+
+ return NULL;
+}
+
+const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ int mode;
+
+ if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) {
+ mode = GNUTLS_CERT_IGNORE;
+ }
+ else if (strcasecmp("optional", arg) == 0 || strcasecmp("request", arg) == 0) {
+ mode = GNUTLS_CERT_REQUEST;
+ }
+ else if (strcasecmp("require", arg) == 0) {
+ mode = GNUTLS_CERT_REQUIRE;
+ }
+ else {
+ return "GnuTLSClientVerify: Invalid argument";
+ }
+
+ /* This was set from a directory context */
+ if (parms->path) {
+ mod_gnutls_dirconf_rec *dc = (mod_gnutls_dirconf_rec *)dummy;
+ dc->client_verify_mode = mode;
+ }
+ else {
+ mod_gnutls_srvconf_rec *sc =
+ (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+ sc->client_verify_mode = mode;
+ }
+
+ return NULL;
+}
+
+const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ int rv;
+ const char* file;
+ mod_gnutls_srvconf_rec *sc =
+ (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+ file = ap_server_root_relative(parms->pool, arg);
+ rv = gnutls_certificate_set_x509_trust_file(sc->certs,
+ file, GNUTLS_X509_FMT_PEM);
+
+ if (rv < 0) {
+ return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+ "Client CA File '%s': (%d) %s", file, rv,
+ gnutls_strerror(rv));
+ }
+ return NULL;
+}
+
+const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ mod_gnutls_srvconf_rec *sc =
+ (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+ if (!strcasecmp(arg, "On")) {
+ sc->enabled = GNUTLS_ENABLED_TRUE;
+ }
+ else if (!strcasecmp(arg, "Off")) {
+ sc->enabled = GNUTLS_ENABLED_FALSE;
+ }
+ else {
+ return "GnuTLSEnable must be set to 'On' or 'Off'";
+ }
+
+ return NULL;
+}
+
+void *mgs_config_server_create(apr_pool_t * p, server_rec * s)
+{
+ int i;
+ mod_gnutls_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
+
+ sc->enabled = GNUTLS_ENABLED_FALSE;
+
+ gnutls_certificate_allocate_credentials(&sc->certs);
+ sc->privkey_x509 = NULL;
+ sc->cert_x509 = NULL;
+ sc->cache_timeout = apr_time_from_sec(300);
+ sc->cache_type = mod_gnutls_cache_dbm;
+ sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
+
+ /* TODO: Make this Configurable. But it isn't configurable in mod_ssl? */
+ sc->dh_params_file = ap_server_root_relative(p, "conf/dhfile");
+ sc->rsa_params_file = ap_server_root_relative(p, "conf/rsafile");
+
+ /* Finish SSL Client Certificate Support */
+ sc->client_verify_mode = GNUTLS_CERT_IGNORE;
+
+ /* TODO: Make this Configurable ! */
+ /* mod_ssl uses a flex based parser for this part.. sigh */
+ i = 0;
+ sc->ciphers[i++] = GNUTLS_CIPHER_AES_256_CBC;
+ sc->ciphers[i++] = GNUTLS_CIPHER_AES_128_CBC;
+ sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128;
+ sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC;
+ sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40;
+ sc->ciphers[i] = 0;
+
+ i = 0;
+ sc->key_exchange[i++] = GNUTLS_KX_RSA;
+ sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT;
+ sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
+ sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA;
+ sc->key_exchange[i++] = GNUTLS_KX_ANON_DH;
+ sc->key_exchange[i++] = GNUTLS_KX_SRP;
+ sc->key_exchange[i++] = GNUTLS_KX_SRP_RSA;
+ sc->key_exchange[i++] = GNUTLS_KX_SRP_DSS;
+ sc->key_exchange[i] = 0;
+
+ i = 0;
+ sc->macs[i++] = GNUTLS_MAC_SHA;
+ sc->macs[i++] = GNUTLS_MAC_MD5;
+ sc->macs[i++] = GNUTLS_MAC_RMD160;
+ sc->macs[i] = 0;
+
+ i = 0;
+ sc->protocol[i++] = GNUTLS_TLS1_1;
+ sc->protocol[i++] = GNUTLS_TLS1;
+ sc->protocol[i++] = GNUTLS_SSL3;
+ sc->protocol[i] = 0;
+
+ i = 0;
+ sc->compression[i++] = GNUTLS_COMP_NULL;
+ sc->compression[i++] = GNUTLS_COMP_ZLIB;
+ sc->compression[i++] = GNUTLS_COMP_LZO;
+ sc->compression[i] = 0;
+
+ i = 0;
+ sc->cert_types[i++] = GNUTLS_CRT_X509;
+ sc->cert_types[i] = 0;
+
+ return sc;
+}
+
+void *mgs_config_dir_create(apr_pool_t *p, char *dir)
+{
+ mod_gnutls_dirconf_rec *dc = apr_palloc(p, sizeof(*dc));
+
+ dc->client_verify_mode = -1;
+
+ return dc;
+}
+
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index 681411b..fbcbc52 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -292,11 +292,6 @@ static apr_port_t mod_gnutls_hook_default_port(const request_rec * r)
 return 443;
 }
-static void mod_gnutls_changed_servers(mod_gnutls_handle_t *ctxt)
-{
- gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
-}
-
 #define MAX_HOST_LEN 255
 #if USING_2_1_RECENT
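Review bot: In `mgs_set_key_file` and `mgs_set_cert_file` both error returns skip `apr_pool_destroy(spool)`, so the PEM bytes that `load_datum_from_file` read — the private key, in the key case — and the still-open file handle stay in the configuration pool until Apache tears it down, and even the success path releases the subpool without clearing the buffer first (APR pools do not zeroize). `load_datum_from_file` likewise returns without `apr_file_close` on the `apr_file_info_get` and `apr_file_read_full` failures, relying on pool cleanup, and the return values of `apr_pool_create`, `gnutls_x509_privkey_init` and `gnutls_x509_crt_init` are ignored, so a failed init hands an undefined handle to the import call. Restructuring both setters around a single exit that wipes and destroys the subpool covers all of this; a sketch for the key variant is below, the certificate one is identical apart from the gnutls calls. Two smaller points in the same hunk: `mgs_set_cache_timeout` uses `atoi`, so a mistyped value such as `GnuTLSCacheTimeout 3O` silently becomes 0 — `strtol` with an end-pointer check rejects it — and `mgs_set_client_ca_file` only treats `rv < 0` as failure although `gnutls_certificate_set_x509_trust_file` returns the number of certificates loaded, so 0 means the trust file contributed nothing and deserves at least a warning.
```c
const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg)
{
    int ret;
    gnutls_datum_t data = { NULL, 0 };
    const char *file;
    const char *err = NULL;
    apr_pool_t *spool;
    /* … unchanged: sc lookup via ap_get_module_config … */

    if (apr_pool_create(&spool, parms->pool) != APR_SUCCESS) {
        return "GnuTLS: Failed to create temporary pool";
    }
    file = ap_server_root_relative(spool, arg);

    if (load_datum_from_file(spool, file, &data) != 0) {
        err = apr_psprintf(parms->pool, "GnuTLS: Error Reading "
                           "Private Key '%s'", file);
        goto out;
    }

    ret = gnutls_x509_privkey_init(&sc->privkey_x509);
    if (ret == 0) {
        ret = gnutls_x509_privkey_import(sc->privkey_x509, &data,
                                         GNUTLS_X509_FMT_PEM);
    }
    if (ret != 0) {
        err = apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
                           "Private Key '%s': (%d) %s", file, ret,
                           gnutls_strerror(ret));
    }

out:
    /* The key material lives in spool; overwrite it before the pool is
     * released, since pool destruction does not clear memory. */
    if (data.data != NULL) {
        memset(data.data, 0, data.size);
    }
    apr_pool_destroy(spool);
    return err;
}
```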
@@ -334,7 +329,11 @@ int vhost_cb (void* baton, conn_rec* conn, server_rec* s)
 * things like ClientVerify.
 */
 x->ctxt->sc = tsc;
- mod_gnutls_changed_servers(x->ctxt);
+ /* Shit. Crap. Dammit. We *really* should rehandshake here, as our
+ * certificate structure *should* change when the server changes.
+ * acccckkkkkk.
+ */
+ gnutls_certificate_server_set_request(x->ctxt->session, x->ctxt->sc->client_verify_mode);
 return 1;
 }
 return 0;
@@ -425,7 +424,7 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st* ret)
 "'%s' == '%s'", tsc->cert_cn, sni_name);
 #endif
 ctxt->sc = tsc;
- mod_gnutls_changed_servers(ctxt);
+ gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
 return 0;
 }
 }
@@ -482,8 +481,7 @@ static mod_gnutls_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c)
 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
 gnutls_certificate_server_set_retrieve_function(sc->certs, cert_retrieve_fn);
-
- mod_gnutls_changed_servers(ctxt);
+ gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode);
 return ctxt;
 }
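Review bot: The call `gnutls_certificate_server_set_request(..., ->sc->client_verify_mode)` now appears verbatim at three sites — here in `vhost_cb`, in `cert_retrieve_fn` at `@@ -425`, and in `create_gnutls_handle` at `@@ -482` — in place of the deleted `mod_gnutls_changed_servers`, which loses the one place that has to be touched when a server switch needs more work, and the new comment says exactly that more work (a rehandshake) is pending. Keeping the helper and giving it the TODO is cheaper to maintain: `static void mod_gnutls_changed_servers(mod_gnutls_handle_t *ctxt)` / `{ /* TODO: re-handshake here; the certificate credentials should follow the selected server */` / `gnutls_certificate_server_set_request(ctxt->session, ctxt->sc->client_verify_mode); }`. The expletive comment in `vhost_cb` should be reworded into that TODO so the open issue is searchable, and the consequence it hints at — the verify mode is updated but the session appears to keep the credentials it was created with — is worth stating plainly for whoever picks it up. `vhost_cb` starts and ends outside this hunk.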
@@ -560,273 +558,6 @@ static int mod_gnutls_hook_fixups(request_rec *r)
 return OK;
 }
-static int load_datum_from_file(apr_pool_t* pool,
- const char* file,
- gnutls_datum_t* data)
-{
- apr_file_t* fp;
- apr_finfo_t finfo;
- apr_status_t rv;
- apr_size_t br = 0;
-
- rv = apr_file_open(&fp, file, APR_READ|APR_BINARY, APR_OS_DEFAULT,
- pool);
- if (rv != APR_SUCCESS) {
- return rv;
- }
-
- rv = apr_file_info_get(&finfo, APR_FINFO_SIZE, fp);
-
- if (rv != APR_SUCCESS) {
- return rv;
- }
-
- data->data = apr_palloc(pool, finfo.size+1);
- rv = apr_file_read_full(fp, data->data, finfo.size, &br);
-
- if (rv != APR_SUCCESS) {
- return rv;
- }
- apr_file_close(fp);
-
- data->data[br] = '\0';
- data->size = br;
-
- return 0;
-}
-
-static const char *gnutls_set_cert_file(cmd_parms * parms, void *dummy,
- const char *arg)
-{
- int ret;
- gnutls_datum_t data;
- const char* file;
- apr_pool_t* spool;
- mod_gnutls_srvconf_rec *sc =
- (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
- apr_pool_create(&spool, parms->pool);
-
- file = ap_server_root_relative(spool, arg);
-
- if (load_datum_from_file(spool, file, &data) != 0) {
- return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
- "Certificate '%s'", file);
- }
-
- gnutls_x509_crt_init(&sc->cert_x509);
- ret = gnutls_x509_crt_import(sc->cert_x509, &data, GNUTLS_X509_FMT_PEM);
- if (ret != 0) {
- return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
- "Certificate'%s': (%d) %s", file, ret,
- gnutls_strerror(ret));
- }
-
- apr_pool_destroy(spool);
- return NULL;
-}
-
-static const char *gnutls_set_key_file(cmd_parms * parms, void *dummy,
- const char *arg)
-{
- int ret;
- gnutls_datum_t data;
- const char* file;
- apr_pool_t* spool;
- mod_gnutls_srvconf_rec *sc =
- (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
- apr_pool_create(&spool, parms->pool);
-
- file = ap_server_root_relative(spool, arg);
-
- if (load_datum_from_file(spool, file, &data) != 0) {
- return apr_psprintf(parms->pool, "GnuTLS: Error Reading "
- "Private Key '%s'", file);
- }
-
- gnutls_x509_privkey_init(&sc->privkey_x509);
- ret = gnutls_x509_privkey_import(sc->privkey_x509, &data, GNUTLS_X509_FMT_PEM);
- if (ret != 0) {
- return apr_psprintf(parms->pool, "GnuTLS: Failed to Import "
- "Private Key '%s': (%d) %s", file, ret,
- gnutls_strerror(ret));
- }
- apr_pool_destroy(spool);
- return NULL;
-}
-
-static const char *gnutls_set_cache(cmd_parms * parms, void *dummy,
- const char *type, const char* arg)
-{
- const char* err;
- mod_gnutls_srvconf_rec *sc = ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
- if ((err = ap_check_cmd_context(parms, GLOBAL_ONLY))) {
- return err;
- }
-
- if (strcasecmp("none", type) == 0) {
- sc->cache_type = mod_gnutls_cache_none;
- }
- else if (strcasecmp("dbm", type) == 0) {
- sc->cache_type = mod_gnutls_cache_dbm;
- }
-#if HAVE_APR_MEMCACHE
- else if (strcasecmp("memcache", type) == 0) {
- sc->cache_type = mod_gnutls_cache_memcache;
- }
-#endif
- else {
- return "Invalid Type for GnuTLSCache!";
- }
-
- if (sc->cache_type == mod_gnutls_cache_dbm) {
- sc->cache_config = ap_server_root_relative(parms->pool, arg);
- }
- else {
- sc->cache_config = apr_pstrdup(parms->pool, arg);
- }
-
- return NULL;
-}
-
-static const char *gnutls_set_cache_timeout(cmd_parms * parms, void *dummy,
- const char *arg)
-{
- int argint;
- mod_gnutls_srvconf_rec *sc =
- (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
-
- argint = atoi(arg);
-
- if (argint < 0) {
- return "GnuTLSCacheTimeout: Invalid argument";
- }
- else if (argint == 0) {
- sc->cache_timeout = 0;
- }
- else {
- sc->cache_timeout = apr_time_from_sec(argint);
- }
-
- return NULL;
-}
-
-
-static const char *gnutls_set_client_verify(cmd_parms * parms, void *dummy,
- const char *arg)
-{
- int mode;
-
- if (strcasecmp("none", arg) == 0 || strcasecmp("ignore", arg) == 0) {
- mode = GNUTLS_CERT_IGNORE;
- }
- else if (strcasecmp("optional", arg) == 0 || strcasecmp("request", arg) == 0) {
- mode = GNUTLS_CERT_REQUEST;
- }
- else if (strcasecmp("require", arg) == 0) {
- mode = GNUTLS_CERT_REQUIRE;
- }
- else {
- return "GnuTLSClientVerify: Invalid argument";
- }
-
- /* This was set from a directory context */
- if (parms->path) {
- mod_gnutls_dirconf_rec *dc = (mod_gnutls_dirconf_rec *)dummy;
- dc->client_verify_mode = mode;
- }
- else {
- mod_gnutls_srvconf_rec *sc =
- (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
- sc->client_verify_mode = mode;
- }
-
- return NULL;
-}
-
-static const char *gnutls_set_client_ca_file(cmd_parms * parms, void *dummy,
- const char *arg)
-{
- int rv;
- const char* file;
- mod_gnutls_srvconf_rec *sc =
- (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
- file = ap_server_root_relative(parms->pool, arg);
- rv = gnutls_certificate_set_x509_trust_file(sc->certs,
- file, GNUTLS_X509_FMT_PEM);
-
- if (rv < 0) {
- return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
- "Client CA File '%s': (%d) %s", file, rv,
- gnutls_strerror(rv));
- }
- return NULL;
-}
-
-
-static const char *gnutls_set_enabled(cmd_parms * parms, void *dummy,
- const char *arg)
-{
- mod_gnutls_srvconf_rec *sc =
- (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
- module_config,
- &gnutls_module);
- if (!strcasecmp(arg, "On")) {
- sc->enabled = GNUTLS_ENABLED_TRUE;
- }
- else if (!strcasecmp(arg, "Off")) {
- sc->enabled = GNUTLS_ENABLED_FALSE;
- }
- else {
- return "GnuTLSEnable must be set to 'On' or 'Off'";
- }
-
- return NULL;
-}
-
-static const command_rec gnutls_cmds[] = {
- AP_INIT_TAKE1("GnuTLSClientVerify", gnutls_set_client_verify,
- NULL,
- RSRC_CONF|OR_AUTHCFG,
- "Set Verification Requirements of the Client Certificate"),
- AP_INIT_TAKE1("GnuTLSClientCAFile", gnutls_set_client_ca_file,
- NULL,
- RSRC_CONF,
- "Set the CA File for Client Certificates"),
- AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file,
- NULL,
- RSRC_CONF,
- "SSL Server Key file"),
- AP_INIT_TAKE1("GnuTLSKeyFile", gnutls_set_key_file,
- NULL,
- RSRC_CONF,
- "SSL Server Certificate file"),
- AP_INIT_TAKE1("GnuTLSCacheTimeout", gnutls_set_cache_timeout,
- NULL,
- RSRC_CONF,
- "Cache Timeout"),
- AP_INIT_TAKE2("GnuTLSCache", gnutls_set_cache,
- NULL,
- RSRC_CONF,
- "Cache Configuration"),
- AP_INIT_TAKE1("GnuTLSEnable", gnutls_set_enabled,
- NULL, RSRC_CONF,
- "Whether this server has GnuTLS Enabled. Default: Off"),
-
- {NULL}
-};
-
 int mod_gnutls_hook_authz(request_rec *r)
 {
 int rv;
@@ -836,6 +567,14 @@ int mod_gnutls_hook_authz(request_rec *r)
 &gnutls_module);
 ctxt = ap_get_module_config(r->connection->conn_config,
 &gnutls_module);
+
+ if (!ctxt) {
+ return DECLINED;
+ }
+
+ if (!dc) {
+ dc = mgs_config_dir_create(r->pool, NULL);
+ }
 if (dc->client_verify_mode == GNUTLS_CERT_IGNORE) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
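Review bot: The fallback `dc = mgs_config_dir_create(r->pool, NULL)` yields a record whose `client_verify_mode` is -1 (the "unset" sentinel that `mgs_config_dir_create` stores), so the check that follows, `if (dc->client_verify_mode == GNUTLS_CERT_IGNORE)`, is false and the remainder of `mod_gnutls_hook_authz` — outside this hunk — proceeds as though a verify mode had been configured for the directory. If the intent is "no per-directory override, fall back to the server setting", the synthesized record should carry the server value, e.g. `dc->client_verify_mode = sc->client_verify_mode;` right after the create (assuming `sc` is what the preceding `ap_get_module_config(..., &gnutls_module)` lookup cut off at the hunk edge fetched), or the -1 sentinel should be resolved once before the mode is compared. It is also not clear from the hunk when the per-directory lookup returns NULL: with `mgs_config_dir_create` registered in the module record, the default per-directory vector normally already holds an entry, so a one-line comment on the `if (!dc)` saying which lookup produces NULL would spare the next reader the same question.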
@@ -947,89 +686,44 @@ static void gnutls_hooks(apr_pool_t * p)
 AP_FTYPE_CONNECTION + 5);
 }
-static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s)
-{
- int i;
- mod_gnutls_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
-
- sc->enabled = GNUTLS_ENABLED_FALSE;
-
- gnutls_certificate_allocate_credentials(&sc->certs);
- sc->privkey_x509 = NULL;
- sc->cert_x509 = NULL;
- sc->cache_timeout = apr_time_from_sec(300);
- sc->cache_type = mod_gnutls_cache_dbm;
- sc->cache_config = ap_server_root_relative(p, "conf/gnutls_cache");
-
- /* TODO: Make this Configurable. But it isn't configurable in mod_ssl? */
- sc->dh_params_file = ap_server_root_relative(p, "conf/dhfile");
- sc->rsa_params_file = ap_server_root_relative(p, "conf/rsafile");
-
- /* Finish SSL Client Certificate Support */
- sc->client_verify_mode = GNUTLS_CERT_IGNORE;
-
- /* TODO: Make this Configurable ! */
- /* mod_ssl uses a flex based parser for this part.. sigh */
- i = 0;
- sc->ciphers[i++] = GNUTLS_CIPHER_AES_256_CBC;
- sc->ciphers[i++] = GNUTLS_CIPHER_AES_128_CBC;
- sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128;
- sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC;
- sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40;
- sc->ciphers[i] = 0;
-
- i = 0;
- sc->key_exchange[i++] = GNUTLS_KX_RSA;
- sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT;
- sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
- sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA;
- sc->key_exchange[i++] = GNUTLS_KX_ANON_DH;
- sc->key_exchange[i++] = GNUTLS_KX_SRP;
- sc->key_exchange[i++] = GNUTLS_KX_SRP_RSA;
- sc->key_exchange[i++] = GNUTLS_KX_SRP_DSS;
- sc->key_exchange[i] = 0;
-
- i = 0;
- sc->macs[i++] = GNUTLS_MAC_SHA;
- sc->macs[i++] = GNUTLS_MAC_MD5;
- sc->macs[i++] = GNUTLS_MAC_RMD160;
- sc->macs[i] = 0;
-
- i = 0;
- sc->protocol[i++] = GNUTLS_TLS1_1;
- sc->protocol[i++] = GNUTLS_TLS1;
- sc->protocol[i++] = GNUTLS_SSL3;
- sc->protocol[i] = 0;
-
- i = 0;
- sc->compression[i++] = GNUTLS_COMP_NULL;
- sc->compression[i++] = GNUTLS_COMP_ZLIB;
- sc->compression[i++] = GNUTLS_COMP_LZO;
- sc->compression[i] = 0;
-
- i = 0;
- sc->cert_types[i++] = GNUTLS_CRT_X509;
- sc->cert_types[i] = 0;
-
- return sc;
-}
-
-void *gnutls_config_dir_create(apr_pool_t *p, char *dir)
-{
- mod_gnutls_dirconf_rec *dc = apr_palloc(p, sizeof(*dc));
-
- dc->client_verify_mode = -1;
+static const command_rec mgs_config_cmds[] = {
+ AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
+ NULL,
+ RSRC_CONF|OR_AUTHCFG,
+ "Set Verification Requirements of the Client Certificate"),
+ AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
+ NULL,
+ RSRC_CONF,
+ "Set the CA File for Client Certificates"),
+ AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
+ NULL,
+ RSRC_CONF,
+ "SSL Server Key file"),
+ AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
+ NULL,
+ RSRC_CONF,
+ "SSL Server Certificate file"),
+ AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
+ NULL,
+ RSRC_CONF,
+ "Cache Timeout"),
+ AP_INIT_TAKE2("GnuTLSCache", mgs_set_cache,
+ NULL,
+ RSRC_CONF,
+ "Cache Configuration"),
+ AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
+ NULL, RSRC_CONF,
+ "Whether this server has GnuTLS Enabled. Default: Off"),
- return dc;
-}
+ {NULL}
+};
 module AP_MODULE_DECLARE_DATA gnutls_module = {
 STANDARD20_MODULE_STUFF,
- gnutls_config_dir_create,
+ mgs_config_dir_create,
 NULL,
- gnutls_config_server_create,
+ mgs_config_server_create,
 NULL,
-/* gnutls_config_server_merge, */
- gnutls_cmds,
+ mgs_config_cmds,
 gnutls_hooks
 };
--
cgit
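Review bot: The help strings for `GnuTLSCertificateFile` and `GnuTLSKeyFile` are swapped in the re-created `mgs_config_cmds` table — the certificate directive is described as `"SSL Server Key file"` and the key directive as `"SSL Server Certificate file"` — and since the table is written fresh here this is the place to correct them: `AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, NULL, RSRC_CONF, "SSL Server Certificate file"),` and `AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, NULL, RSRC_CONF, "SSL Server Key file"),`. The module record also drops the `/* gnutls_config_server_merge, */` placeholder while still passing NULL for the server-config merger; as far as Apache's server-config merging goes, without a merger each virtual host keeps the defaults from `mgs_config_server_create` rather than inheriting main-server directives, which matters for `GnuTLSCache` because `mgs_set_cache` is `GLOBAL_ONLY` and can only ever land in the main server's record (unless the cache code reads that record directly, which this page does not show). If that is intentional, a comment on the NULL saying so would save the next reader from re-deriving it; if not, the placeholder should stay as a TODO.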