authorNokis Mavrogiannopoulos <nmav@gnutls.org>2008-10-16 18:58:36 (GMT)
committer Nokis Mavrogiannopoulos <nmav@gnutls.org>2008-10-16 18:58:36 (GMT)
commit5353b12db4cb345f358ae8fdf1257acfccdbd842 (patch)
treea68d9716be773eddd52902e2544cb0021aacdd80
parent7729b49ab60c5acbc19851705a7f453afaed78fa (diff)
-rw-r--r--NEWS6
-rw-r--r--README232
-rw-r--r--configure.ac6
-rw-r--r--src/gnutls_hooks.c59
-rw-r--r--src/gnutls_io.c6
5 files changed, 202 insertions, 107 deletions
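--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+** Version 0.5.3 (2008-10-16)
+
+- Corrected bug to allow having an OpenPGP-only web site.
+
+- Increased Max handshake tries due to interrupted system calls.
+
 ** Version 0.5.2 (2008-06-29)
 
 - Depend on gnutls 2.4 which has openpgp support in main library.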
diff --git a/README b/README
index 5198ed7..ad7f9c6 100644
--- a/README
+++ b/README
@@ -1,111 +1,171 @@
1mod_gnutls
2 1
3This module started back in September of 2004 because I was tired of trying to 2 mod_gnutls, Apache GnuTLS module.
4fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to it's 3 =================================
5authors is intended -- but I believe it has fallen prey to massive feature bloat.
6 4
7When I started hacking on httpd, mod_ssl remained a great mystery to me, and 5$LastChangedDate: $
8when I actually looked at it, I ran away. The shear ammount code is huge, and it
9does not conform to the style guidelines. It was painful to read, and even harder
10to debug. I wanted to understand how it worked, and I had recently heard about
11GnuTLS, so long story short, I decided to implement a mod_gnutls.
12 6
13Lines of Code in mod_ssl: 15,324 7Contents:
14Lines of Code in mod_gnutls: 3,594
15 8
16Because of writing mod_gnutls, I now understand how input and output filters work, 9 I. ABOUT
17better than I ever thought possible. It was a little painful at times, and some parts 10 II. AUTHORS
18lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl. 11 III. LICENSE
12 IV. STATUS
13 V. BASIC CONFIGURATION
14 VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
19 15
20----------------------------
21 16
22Author: Paul Querna <chip force-elite.com>
23 17
24Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org> 18I. ABOUT
25 19
26License: Apache Software License v2.0. (see the LICENSE file for details) 20 This module started back in September of 2004 because I was tired of
21 trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module --
22 no offense to it's authors is intended -- but I believe it has fallen
23 prey to massive feature bloat.
27 24
28Current Status: 25 When I started hacking on httpd, mod_ssl remained a great mystery to me,
29- SSL and TLS connections with all popular browsers work! 26 and when I actually looked at it, I ran away. The shear amount code is
30- Sets enviromental vars for scripts (compatible with mod_ssl vars) 27 huge, and it does not conform to the style guidelines. It was painful to
31- Supports Memcached as a distributed SSL Session Cache 28 read, and even harder to debug. I wanted to understand how it worked,
32- Supports DBM as a local SSL Session Cache 29 and I had recently heard about GnuTLS, so long story short, I decided to
33- Support for Server Name Indication 30 implement a mod_gnutls.
34- Support for Client Certificates
35- Support for TLS-SRP
36 31
37Basic Configuration: 32 Lines of Code in mod_ssl: 15,324
33 Lines of Code in mod_gnutls: 3,594
38 34
39LoadModule gnutls_module modules/mod_gnutls.so 35 Because of writing mod_gnutls, I now understand how input and output
36 filters work, better than I ever thought possible. It was a little
37 painful at times, and some parts lift code and ideas directly from
38 mod_ssl. Kudos to the original authors of mod_ssl.
40 39
41# mod_gnutls can optionaly use a memcached server to store it's SSL Sessions.
42# This is useful in a cluster enviroment, where you want all of your servers
43# to share a single SSL Session Cache.
44#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
45 40
46# The Default method is to use a DBM backed Cache. It isn't super fast, but
47# it is portable and does not require another server to be running like memcached.
48GnuTLSCache dbm conf/gnutls_cache
49 41
50<VirtualHost 1.2.3.4:443> 42II. AUTHORS
51 # insert other directives ... here ...
52 43
53 # This enables the mod_gnutls Handlers for this Virtual Host 44 Paul Querna <chip force-elite.com>
54 GnuTLSEnable On 45 Nikos Mavrogiannopoulos <nmav gnutls.org>
55 46
56 # This is the Private key for your server.
57 GnuTLSX509KeyFile conf/server.key
58 47
59 # This is the Server Certificate.
60 GnuTLSX509CertificateFile conf/server.cert
61</VirtualHost>
62 48
63# a more advanced configuration 49III. LICENSE
64GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
65GnuTLSCacheTimeout 600
66NameVirtualHost 1.2.3.4:443
67 50
68<VirtualHost 1.2.3.4:443> 51 Apache License, Version 2.0 (see the LICENSE file for details)
69 Servername server.com:443 52
53
54
55IV. STATUS
56
57 * SSL and TLS connections with all popular browsers work!
58 * Sets environmental vars for scripts (compatible with mod_ssl vars)
59 * Supports memcached as a distributed SSL session cache
60 * Supports DBM as a local SSL session cache
61 * Support for server name indication (SNI), RFC3546
62 * Support for client certificates
63 * Support for secure remote password (SRP), RFC5054
64
65
66
67V. BASIC CONFIGURATION
68
69 LoadModule gnutls_module modules/mod_gnutls.so
70
71 # mod_gnutls can optionally use a memcached server to store it's SSL
72 # Sessions. This is useful in a cluster environment, where you want all
73 # of your servers to share a single SSL session cache.
74 #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
75
76 # The Default method is to use a DBM backed Cache. It isn't super fast,
77 # but it is portable and does not require another server to be running
78 # like memcached.
79 GnuTLSCache dbm conf/gnutls_cache
80
81 <VirtualHost 1.2.3.4:443>
82
83 # Enable mod_gnutls handlers for this virtual host
84 GnuTLSEnable On
85
86 # This is the private key for your server
87 GnuTLSX509KeyFile conf/server.key
88
89 # This is the server certificate
90 GnuTLSX509CertificateFile conf/server.cert
91
92 </VirtualHost>
93
94 # A more advanced configuration
95 GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
96 GnuTLSCacheTimeout 600
97 NameVirtualHost 1.2.3.4:443
98
99 <VirtualHost 1.2.3.4:443>
100
101 Servername server.com:443
70 GnuTLSEnable on 102 GnuTLSEnable on
71 GnuTLSPriority NORMAL 103 GnuTLSPriority NORMAL
72# To export exactly the same environment variables as mod_ssl to CGI scripts. 104
73 GNUTLSExportCertificates on 105 # Export exactly the same environment variables as mod_ssl to CGI
74 106 # scripts.
75 GnuTLSX509CertificateFile /etc/apache2/server-cert.pem 107 GNUTLSExportCertificates on
76 GnuTLSX509KeyFile /etc/apache2/server-key.pem 108
77 109 GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
78# To enable SRP you must have these files installed. Check the gnutls srptool. 110 GnuTLSX509KeyFile /etc/apache2/server-key.pem
79 GnuTLSSRPPasswdFile /etc/apache2/tpasswd 111
80 GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf 112 # To enable SRP you must have these files installed. Check the gnutls
81 113 # srptool.
82# In order to verify client certificates. Other options to 114 GnuTLSSRPPasswdFile /etc/apache2/tpasswd
83# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile 115 GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
84# contains the CAs to verify client certificates. 116
85 GnuTLSClientVerify request 117 # In order to verify client certificates. Other options to
86 GnuTLSX509CAFile ca.pem 118 # GnuTLSClientVerify could be ignore or require. The
87 ... 119 # GnuTLSClientCAFile contains the CAs to verify client certificates.
88</VirtualHost> 120 GnuTLSClientVerify request
89 121 GnuTLSX509CAFile ca.pem
90# A setup for OpenPGP and X.509 authentication 122
91<VirtualHost 1.2.3.4:443> 123 </VirtualHost>
92 Servername crystal.lan:443 124
125 # A setup for OpenPGP and X.509 authentication
126 <VirtualHost 1.2.3.4:443>
127
128 Servername crystal.lan:443
93 GnuTLSEnable on 129 GnuTLSEnable on
94 GnuTLSPriorities NORMAL:+COMP-NULL 130 GnuTLSPriorities NORMAL:+COMP-NULL
131
132 # Setup the openpgp keys
133 GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
134 GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
135
136 # - and the X.509 keys
137 GnuTLSCertificateFile /etc/apache2/server-cert.pem
138 GnuTLSKeyFile /etc/apache2/server-key.pem
139
140 GnuTLSClientVerify ignore
141
142 # To avoid using the default DH params
143 GnuTLSDHFile /etc/apache2/dh.pem
144
145 # These are only needed if GnuTLSClientVerify != ignore
146 GnuTLSClientCAFile ca.pem
147 GnuTLSPGPKeyringFile /etc/apache2/ring.asc
148
149 </VirtualHost>
150
151
152
153VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
154
155 mod_gnutls currently cannot read encrypted OpenPGP credentials. That is,
156 when you generate a key with gpg and gpg prompts you for a passphrase,
157 just press enter. Then press enter again, to confirm an empty
158 passphrase. http://news.gmane.org/gmane.comp.apache.outoforder.modules
95 159
96# setup the openpgp keys 160 These instructions are from the GnuTLS manual:
97 GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc 161 http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
98 GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
99 162
100# and the X.509 keys 163 $ gpg --gen-key
101 GnuTLSCertificateFile /etc/apache2/server-cert.pem 164 ...enter whatever details you want, use 'test.gnutls.org' as name...
102 GnuTLSKeyFile /etc/apache2/server-key.pem
103 GnuTLSClientVerify ignore
104 165
105# To avoid using the default DH params 166 Make a note of the OpenPGP key identifier of the newly generated key,
106 GnuTLSDHFile /etc/apache2/dh.pem 167 here it was 5D1D14D8. You will need to export the key for GnuTLS to be
168 able to use it.
107 169
108# these are only needed if GnuTLSClientVerify != ignore 170 $ gpg -a --export 5D1D14D8 > openpgp-server.txt
109 GnuTLSClientCAFile ca.pem 171 $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
110 GnuTLSPGPKeyringFile /etc/apache2/ring.asc
111</VirtualHost>
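--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 dnl
-AC_INIT(mod_gnutls, 0.5.2)
+AC_INIT(mod_gnutls, 0.5.3)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
 AC_PREREQ(2.53)
@@ -55,8 +55,8 @@ have_apr_memcache=0
 CHECK_APR_MEMCACHE([have_apr_memcache=1], [have_apr_memcache=0])
 AC_SUBST(have_apr_memcache)
 
-MODULE_CFLAGS="${LIBGNUTLS_EXTRA_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_EXTRA_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
 
 AC_SUBST(MODULE_CFLAGS)
 AC_SUBST(MODULE_LIBS)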
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 5ced25b..57bfeba 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -54,6 +54,9 @@ static void gnutls_debug_log_all(int level, const char *str)
54{ 54{
55 apr_file_printf(debug_log_fp, "<%d> %s\n", level, str); 55 apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
56} 56}
57#define _gnutls_log apr_file_printf
58#else
59# define _gnutls_log(...)
57#endif 60#endif
58 61
59int 62int
@@ -62,6 +65,18 @@ mgs_hook_pre_config(apr_pool_t * pconf,
62{ 65{
63int ret; 66int ret;
64 67
68#if MOD_GNUTLS_DEBUG
69 apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
70 APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
71 pconf);
72
73 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
74
75 gnutls_global_set_log_level(9);
76 gnutls_global_set_log_function(gnutls_debug_log_all);
77 _gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
78#endif
79
65#if APR_HAS_THREADS 80#if APR_HAS_THREADS
66 ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded); 81 ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
67 if (mpm_is_threaded) { 82 if (mpm_is_threaded) {
@@ -72,29 +87,20 @@ int ret;
72#endif 87#endif
73 88
74 if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) { 89 if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
75 fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n", 90 _gnutls_log(debug_log_fp, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
76 LIBGNUTLS_VERSION, gnutls_check_version(NULL)); 91 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
77 return -3; 92 return -3;
78 } 93 }
79 94
80 ret = gnutls_global_init(); 95 ret = gnutls_global_init();
81 if (ret < 0) { 96 if (ret < 0) {
82 fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret)); 97 _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
83 return -3; 98 return -3;
84 } 99 }
85 100
86 apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config, 101 apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
87 apr_pool_cleanup_null); 102 apr_pool_cleanup_null);
88 103
89#if MOD_GNUTLS_DEBUG
90 apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
91 APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
92 pconf);
93
94 gnutls_global_set_log_level(9);
95 gnutls_global_set_log_function(gnutls_debug_log_all);
96 apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
97#endif
98 104
99 return OK; 105 return OK;
100} 106}
@@ -106,6 +112,8 @@ static int mgs_select_virtual_server_cb(gnutls_session_t session)
106 int ret; 112 int ret;
107 int cprio[2]; 113 int cprio[2];
108 114
115 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
116
109 ctxt = gnutls_transport_get_ptr(session); 117 ctxt = gnutls_transport_get_ptr(session);
110 118
111 /* find the virtual server */ 119 /* find the virtual server */
@@ -162,8 +170,12 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
162{ 170{
163 mgs_handle_t *ctxt; 171 mgs_handle_t *ctxt;
164 172
173 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
165 ctxt = gnutls_transport_get_ptr(session); 174 ctxt = gnutls_transport_get_ptr(session);
166 175
176 if (ctxt == NULL)
177 return GNUTLS_E_INTERNAL_ERROR;
178
167 if (gnutls_certificate_type_get( session) == GNUTLS_CRT_X509) { 179 if (gnutls_certificate_type_get( session) == GNUTLS_CRT_X509) {
168 ret->type = GNUTLS_CRT_X509; 180 ret->type = GNUTLS_CRT_X509;
169 ret->ncerts = ctxt->sc->certs_x509_num; 181 ret->ncerts = ctxt->sc->certs_x509_num;
@@ -210,6 +222,7 @@ static int read_crt_cn(server_rec * s, apr_pool_t * p,
210 size_t data_len; 222 size_t data_len;
211 223
212 224
225 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
213 *cert_cn = NULL; 226 *cert_cn = NULL;
214 227
215 data_len = 0; 228 data_len = 0;
@@ -261,6 +274,7 @@ static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
261 size_t data_len; 274 size_t data_len;
262 275
263 276
277 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
264 *cert_cn = NULL; 278 *cert_cn = NULL;
265 279
266 data_len = 0; 280 data_len = 0;
@@ -293,6 +307,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
293 int first_run = 0; 307 int first_run = 0;
294 const char *userdata_key = "mgs_init"; 308 const char *userdata_key = "mgs_init";
295 309
310 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
296 apr_pool_userdata_get(&data, userdata_key, base_server->process->pool); 311 apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
297 if (data == NULL) { 312 if (data == NULL) {
298 first_run = 1; 313 first_run = 1;
@@ -394,8 +409,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
394 } 409 }
395#endif 410#endif
396 411
397 if (sc->certs_x509[0] == NULL 412 if (sc->certs_x509[0] == NULL &&
398 && sc->enabled == GNUTLS_ENABLED_TRUE) { 413 sc->cert_pgp == NULL &&
414 sc->enabled == GNUTLS_ENABLED_TRUE) {
399 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 415 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
400 "[GnuTLS] - Host '%s:%d' is missing a " 416 "[GnuTLS] - Host '%s:%d' is missing a "
401 "Certificate File!", s->server_hostname, 417 "Certificate File!", s->server_hostname,
@@ -403,8 +419,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
403 exit(-1); 419 exit(-1);
404 } 420 }
405 421
406 if (sc->privkey_x509 == NULL 422 if (sc->enabled == GNUTLS_ENABLED_TRUE &&
407 && sc->enabled == GNUTLS_ENABLED_TRUE) { 423 ((sc->certs_x509[0] != NULL && sc->privkey_x509 == NULL) ||
424 (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
408 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 425 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
409 "[GnuTLS] - Host '%s:%d' is missing a " 426 "[GnuTLS] - Host '%s:%d' is missing a "
410 "Private Key File!", 427 "Private Key File!",
@@ -439,6 +456,7 @@ void mgs_hook_child_init(apr_pool_t * p, server_rec * s)
439 mgs_srvconf_rec *sc = ap_get_module_config(s->module_config, 456 mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
440 &gnutls_module); 457 &gnutls_module);
441 458
459 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
442 if (sc->cache_type != mgs_cache_none) { 460 if (sc->cache_type != mgs_cache_none) {
443 rv = mgs_cache_child_init(p, s, sc); 461 rv = mgs_cache_child_init(p, s, sc);
444 if (rv != APR_SUCCESS) { 462 if (rv != APR_SUCCESS) {
@@ -457,6 +475,7 @@ const char *mgs_hook_http_scheme(const request_rec * r)
457 (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, 475 (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
458 &gnutls_module); 476 &gnutls_module);
459 477
478 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
460 if (sc->enabled == GNUTLS_ENABLED_FALSE) { 479 if (sc->enabled == GNUTLS_ENABLED_FALSE) {
461 return NULL; 480 return NULL;
462 } 481 }
@@ -470,6 +489,7 @@ apr_port_t mgs_hook_default_port(const request_rec * r)
470 (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config, 489 (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
471 &gnutls_module); 490 &gnutls_module);
472 491
492 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
473 if (sc->enabled == GNUTLS_ENABLED_FALSE) { 493 if (sc->enabled == GNUTLS_ENABLED_FALSE) {
474 return 0; 494 return 0;
475 } 495 }
@@ -491,6 +511,7 @@ static int vhost_cb(void *baton, conn_rec * conn, server_rec * s)
491 mgs_srvconf_rec *tsc; 511 mgs_srvconf_rec *tsc;
492 vhost_cb_rec *x = baton; 512 vhost_cb_rec *x = baton;
493 513
514 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
494 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 515 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
495 &gnutls_module); 516 &gnutls_module);
496 517
@@ -543,6 +564,7 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
543 mgs_srvconf_rec *tsc; 564 mgs_srvconf_rec *tsc;
544#endif 565#endif
545 566
567 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
546 ctxt = gnutls_transport_get_ptr(session); 568 ctxt = gnutls_transport_get_ptr(session);
547 569
548 rv = gnutls_server_name_get(ctxt->session, sni_name, 570 rv = gnutls_server_name_get(ctxt->session, sni_name,
@@ -620,6 +642,7 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
620 module_config, 642 module_config,
621 &gnutls_module); 643 &gnutls_module);
622 644
645 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
623 ctxt = apr_pcalloc(pool, sizeof(*ctxt)); 646 ctxt = apr_pcalloc(pool, sizeof(*ctxt));
624 ctxt->c = c; 647 ctxt->c = c;
625 ctxt->sc = sc; 648 ctxt->sc = sc;
@@ -658,6 +681,7 @@ int mgs_hook_pre_connection(conn_rec * c, void *csd)
658 module_config, 681 module_config,
659 &gnutls_module); 682 &gnutls_module);
660 683
684 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
661 if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) { 685 if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
662 return DECLINED; 686 return DECLINED;
663 } 687 }
@@ -687,6 +711,7 @@ int mgs_hook_fixups(request_rec * r)
687 mgs_handle_t *ctxt; 711 mgs_handle_t *ctxt;
688 int rv = OK; 712 int rv = OK;
689 713
714 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
690 apr_table_t *env = r->subprocess_env; 715 apr_table_t *env = r->subprocess_env;
691 716
692 ctxt = 717 ctxt =
@@ -761,6 +786,7 @@ int mgs_hook_authz(request_rec * r)
761 mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config, 786 mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
762 &gnutls_module); 787 &gnutls_module);
763 788
789 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
764 ctxt = 790 ctxt =
765 ap_get_module_config(r->connection->conn_config, &gnutls_module); 791 ap_get_module_config(r->connection->conn_config, &gnutls_module);
766 792
@@ -822,6 +848,7 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
822 848
823 apr_table_t *env = r->subprocess_env; 849 apr_table_t *env = r->subprocess_env;
824 850
851 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
825 if (export_certificates_enabled != 0) { 852 if (export_certificates_enabled != 0) {
826 char cert_buf[10 * 1024]; 853 char cert_buf[10 * 1024];
827 len = sizeof(cert_buf); 854 len = sizeof(cert_buf);
@@ -928,6 +955,7 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side
928 size_t len; 955 size_t len;
929 int ret; 956 int ret;
930 957
958 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
931 apr_table_t *env = r->subprocess_env; 959 apr_table_t *env = r->subprocess_env;
932 960
933 if (export_certificates_enabled != 0) { 961 if (export_certificates_enabled != 0) {
@@ -994,6 +1022,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
994 } cert; 1022 } cert;
995 apr_time_t activation_time, expiration_time, cur_time; 1023 apr_time_t activation_time, expiration_time, cur_time;
996 1024
1025 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
997 cert_list = 1026 cert_list =
998 gnutls_certificate_get_peers(ctxt->session, &cert_list_size); 1027 gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
999 1028
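--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -72,13 +72,13 @@ static int char_buffer_read(mgs_char_buffer_t * buffer, char *in,
 
     if (buffer->length > inl) {
         /* we have have enough to fill the caller's buffer */
-        memcpy(in, buffer->value, inl);
+        memmove(in, buffer->value, inl);
         buffer->value += inl;
         buffer->length -= inl;
     }
     else {
         /* swallow remainder of the buffer */
-        memcpy(in, buffer->value, buffer->length);
+        memmove(in, buffer->value, buffer->length);
         inl = buffer->length;
         buffer->value = NULL;
         buffer->length = 0;
@@ -353,7 +353,7 @@ static apr_status_t gnutls_io_input_getline(mgs_handle_t * ctxt,
     return APR_SUCCESS;
 }
 
-#define HANDSHAKE_MAX_TRIES 100
+#define HANDSHAKE_MAX_TRIES 1024
 static int gnutls_do_handshake(mgs_handle_t * ctxt)
 {
     int ret;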
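Review bot: Raising HANDSHAKE_MAX_TRIES from 100 to 1024 only moves the point at which an interrupted handshake is abandoned; if the retry loop in gnutls_do_handshake charges every non-fatal return (GNUTLS_E_AGAIN, GNUTLS_E_INTERRUPTED) against the same counter, a client on a slow or noisy link can still hit a spurious failure, and a larger bound also lets a peer that never completes the handshake hold the worker longer. Consider not counting GNUTLS_E_INTERRUPTED toward the limit at all, and in any case record the reason at the define, `/* Upper bound on handshake retries; raised from 100 because EINTR-interrupted calls were exhausting it (see NEWS 0.5.3). */`. The loop body of gnutls_do_handshake lies outside the hunk, so whether it distinguishes those return codes cannot be confirmed here. If the memcpy-to-memmove change in char_buffer_read is because `in` and `buffer->value` can alias, a one-line comment saying so would keep a later cleanup from reverting it to memcpy.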