From 61c98e4aa9db50970b030d71f6e7640f5a67d743 Mon Sep 17 00:00:00 2001 From: Nokis Mavrogiannopoulos Date: Wed, 1 Oct 2008 15:50:40 +0000 Subject: updated README file to account for openpgp keys --patch by Jack Bates --- README | 19 +++++++++++++++++++ src/gnutls_hooks.c | 43 ++++++++++++++++++++++++++++++++----------- 2 files changed, 51 insertions(+), 11 deletions(-) diff --git a/README b/README index 5198ed7..34054b6 100644 --- a/README +++ b/README @@ -109,3 +109,22 @@ NameVirtualHost 1.2.3.4:443 GnuTLSClientCAFile ca.pem GnuTLSPGPKeyringFile /etc/apache2/ring.asc + +Create OpenPGP credentials for the server: + +IMPORTANT: mod_gnutls currently cannot read encrypted OpenPGP credentials. That +is, when you generate a key with gpg and gpg prompts you for a passphrase, just +press enter. Then press enter again, to confirm an empty passphrase. +http://news.gmane.org/gmane.comp.apache.outoforder.modules + +These instructions are from the GnuTLS manual: +http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv + + $ gpg --gen-key + ...enter whatever details you want, use 'test.gnutls.org' as name... + +Make a note of the OpenPGP key identifier of the newly generated key, here it +was 5D1D14D8. You will need to export the key for GnuTLS to be able to use it. + + $ gpg -a --export 5D1D14D8 > openpgp-server.txt + $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c index fd62164..54b0a83 100644 --- a/src/gnutls_hooks.c +++ b/src/gnutls_hooks.c @@ -62,6 +62,18 @@ mgs_hook_pre_config(apr_pool_t * pconf, { int ret; +#if MOD_GNUTLS_DEBUG + apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", + APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT, + pconf); + + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); + + gnutls_global_set_log_level(9); + gnutls_global_set_log_function(gnutls_debug_log_all); + apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL)); +#endif + #if APR_HAS_THREADS ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded); if (mpm_is_threaded) { @@ -72,29 +84,20 @@ int ret; #endif if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) { - fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n", + apr_file_printf(debug_log_fp, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n", LIBGNUTLS_VERSION, gnutls_check_version(NULL)); return -3; } ret = gnutls_global_init(); if (ret < 0) { - fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret)); + apr_file_printf(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret)); return -3; } apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, apr_pool_cleanup_null); -#if MOD_GNUTLS_DEBUG - apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", - APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT, - pconf); - - gnutls_global_set_log_level(9); - gnutls_global_set_log_function(gnutls_debug_log_all); - apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL)); -#endif return OK; } @@ -106,6 +109,8 @@ static int mgs_select_virtual_server_cb(gnutls_session_t session) int ret; int cprio[2]; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); + ctxt = gnutls_transport_get_ptr(session); /* find the virtual server */ @@ -162,6 +167,7 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret) { mgs_handle_t *ctxt; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); ctxt = gnutls_transport_get_ptr(session); if (ctxt == NULL) @@ -213,6 +219,7 @@ static int read_crt_cn(server_rec * s, apr_pool_t * p, size_t data_len; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); *cert_cn = NULL; data_len = 0; @@ -264,6 +271,7 @@ static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p, size_t data_len; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); *cert_cn = NULL; data_len = 0; @@ -296,6 +304,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog, int first_run = 0; const char *userdata_key = "mgs_init"; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); apr_pool_userdata_get(&data, userdata_key, base_server->process->pool); if (data == NULL) { first_run = 1; @@ -442,6 +451,7 @@ void mgs_hook_child_init(apr_pool_t * p, server_rec * s) mgs_srvconf_rec *sc = ap_get_module_config(s->module_config, &gnutls_module); + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); if (sc->cache_type != mgs_cache_none) { rv = mgs_cache_child_init(p, s, sc); if (rv != APR_SUCCESS) { @@ -460,6 +470,7 @@ const char *mgs_hook_http_scheme(const request_rec * r) (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, &gnutls_module); + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); if (sc->enabled == GNUTLS_ENABLED_FALSE) { return NULL; } @@ -473,6 +484,7 @@ apr_port_t mgs_hook_default_port(const request_rec * r) (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, &gnutls_module); + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); if (sc->enabled == GNUTLS_ENABLED_FALSE) { return 0; } @@ -494,6 +506,7 @@ static int vhost_cb(void *baton, conn_rec * conn, server_rec * s) mgs_srvconf_rec *tsc; vhost_cb_rec *x = baton; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, &gnutls_module); @@ -546,6 +559,7 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) mgs_srvconf_rec *tsc; #endif + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); ctxt = gnutls_transport_get_ptr(session); rv = gnutls_server_name_get(ctxt->session, sni_name, @@ -623,6 +637,7 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) module_config, &gnutls_module); + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); ctxt = apr_pcalloc(pool, sizeof(*ctxt)); ctxt->c = c; ctxt->sc = sc; @@ -661,6 +676,7 @@ int mgs_hook_pre_connection(conn_rec * c, void *csd) module_config, &gnutls_module); + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) { return DECLINED; } @@ -690,6 +706,7 @@ int mgs_hook_fixups(request_rec * r) mgs_handle_t *ctxt; int rv = OK; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); apr_table_t *env = r->subprocess_env; ctxt = @@ -764,6 +781,7 @@ int mgs_hook_authz(request_rec * r) mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config, &gnutls_module); + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module); @@ -825,6 +843,7 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side, apr_table_t *env = r->subprocess_env; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); if (export_certificates_enabled != 0) { char cert_buf[10 * 1024]; len = sizeof(cert_buf); @@ -931,6 +950,7 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side size_t len; int ret; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); apr_table_t *env = r->subprocess_env; if (export_certificates_enabled != 0) { @@ -997,6 +1017,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt) } cert; apr_time_t activation_time, expiration_time, cur_time; + apr_file_printf(debug_log_fp, "%s: %d\n", __func__, __LINE__); cert_list = gnutls_certificate_get_peers(ctxt->session, &cert_list_size); -- cgit