updated

author: Paul Querna 2004-09-27 06:54:58 +0000
committer: Paul Querna 2004-09-27 06:54:58 +0000
commit: 6a8a8396ceed9fb87a6586ebcb144b5f4b62a39a (patch)
tree: 17f5b6a7c04e09c1d5545ac605a2af0d2e875166 /src/mod_gnutls.c
parent: 16068f4173883029a5b0aac7540fedcfd9e81940 (diff)
1 files changed, 155 insertions, 49 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index bf0d9c3..e9ad89c 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -34,32 +34,42 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
 module AP_MODULE_DECLARE_DATA gnutls_module;
+#ifdef GNUTLS_AS_FILTER
 #define GNUTLS_OUTPUT_FILTER_NAME "GnuTLS Output Filter"
 #define GNUTLS_INPUT_FILTER_NAME "GnuTLS Input Filter"
+#endif
 #define GNUTLS_ENABLED_FALSE 0
 #define GNUTLS_ENABLED_TRUE  1
-typedef struct gnutls_srvconf_t gnutls_srvconf_t;
+typedef struct {
-struct gnutls_srvconf_t
-{
    gnutls_certificate_credentials_t certs;
+    gnutls_anon_server_credentials_t anoncred;
    char *key_file;
    char *cert_file;
    int enabled;
-};
+    int non_https;
+    int ciphers[16];
+    int key_exchange[16];
+    int macs[16];
+    int protocol[16];
+    int compression[16];
+} gnutls_srvconf_rec;
 typedef struct gnutls_handle_t gnutls_handle_t;
 struct gnutls_handle_t
 {
-    gnutls_srvconf_t *sc;
+    gnutls_srvconf_rec *sc;
    gnutls_session_t session;
+#ifdef GNUTLS_AS_FILTER
    ap_filter_t *input_filter;
    apr_bucket_brigade *input_bb;
    apr_read_type_e input_block;
+#endif
 };
+#ifdef GNUTLS_AS_FILTER
 static apr_status_t gnutls_filter_input(ap_filter_t * f,
                                        apr_bucket_brigade * bb,
                                        ap_input_mode_t mode,
@@ -105,6 +115,8 @@ static apr_status_t gnutls_filter_output(ap_filter_t * f,
    return status;
 }
+#endif /* GNUTLS_AS_FILTER */
 static apr_status_t gnutls_cleanup_pre_config(void *data)
 {
    gnutls_global_deinit();
@@ -134,48 +146,44 @@ static int gnutls_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                                   apr_pool_t * ptemp,
                                   server_rec * base_server)
 {
-    gnutls_srvconf_t *sc;
+    gnutls_srvconf_rec *sc;
    server_rec *s;
    gnutls_dh_params_t dh_params;
    gnutls_rsa_params_t rsa_params;
    /* TODO: Should we regenerate these after X requests / X time ? */
-    gnutls_dh_params_init(&dh_params);
+//    gnutls_dh_params_init(&dh_params);
-    gnutls_dh_params_generate2(dh_params, DH_BITS);
+//    gnutls_dh_params_generate2(dh_params, DH_BITS);
-    gnutls_rsa_params_init(&rsa_params);
+//    gnutls_rsa_params_init(&rsa_params);
-    gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
+//    gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
    for (s = base_server; s; s = s->next) {
-        sc = (gnutls_srvconf_t *) ap_get_module_config(s->module_config,
+        sc = (gnutls_srvconf_rec *) ap_get_module_config(s->module_config,
                                                       &gnutls_module);
        if (sc->cert_file != NULL && sc->key_file != NULL) {
            gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file,
                                                 sc->key_file,
                                                 GNUTLS_X509_FMT_PEM);
+//          gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params);
+//          gnutls_certificate_set_dh_params(sc->certs, dh_params);
        }
-        else {
+        else if(sc->enabled == GNUTLS_ENABLED_TRUE ){
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
-                         "[GnuTLS] - Host '%s' is missing a Cert and Key File!",
+                         "[GnuTLS] - Host '%s:%d' is missing a Cert and Key File!",
-                         s->server_hostname);
+                         s->server_hostname, s->port);
        }
-        /**
-         * TODO: Is it okay for all virtual hosts to 
-         *       share the same DH/RSAparams? 
-         */
-        gnutls_certificate_set_dh_params(sc->certs, dh_params);
-        gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params);
    }
    ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION);
    return OK;
 }
 static const char *gnutls_hook_http_method(const request_rec * r)
 {
-    gnutls_srvconf_t *sc =
+    gnutls_srvconf_rec *sc =
-        (gnutls_srvconf_t *) ap_get_module_config(r->server->module_config,
+        (gnutls_srvconf_rec *) ap_get_module_config(r->server->module_config,
                                                  &gnutls_module);
    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
@@ -187,8 +195,8 @@ static const char *gnutls_hook_http_method(const request_rec * r)
 static apr_port_t gnutls_hook_default_port(const request_rec * r)
 {
-    gnutls_srvconf_t *sc =
+    gnutls_srvconf_rec *sc =
-        (gnutls_srvconf_t *) ap_get_module_config(r->server->module_config,
+        (gnutls_srvconf_rec *) ap_get_module_config(r->server->module_config,
                                                  &gnutls_module);
    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
@@ -198,6 +206,7 @@ static apr_port_t gnutls_hook_default_port(const request_rec * r)
    return 443;
 }
+#ifdef GNUTLS_AS_FILTER
 /**
 * From mod_ssl / ssl_engine_io.c
 * This function will read from a brigade and discard the read buckets as it
@@ -336,15 +345,17 @@ static ssize_t gnutls_transport_write(gnutls_transport_ptr_t ptr,
    //APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket);
    return 0;
 }
+#endif /* GNUTLS_AS_FILTER */
 static int gnutls_hook_pre_connection(conn_rec * c, void *csd)
 {
 #ifndef GNUTLS_AS_FILTER
    int cfd;
+    int ret;
 #endif
    gnutls_handle_t *ctxt;
-    gnutls_srvconf_t *sc =
+    gnutls_srvconf_rec *sc =
-        (gnutls_srvconf_t *) ap_get_module_config(c->base_server->
+        (gnutls_srvconf_rec *) ap_get_module_config(c->base_server->
                                                  module_config,
                                                  &gnutls_module);
@@ -357,13 +368,17 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd)
    ctxt->sc = sc;
    gnutls_init(&ctxt->session, GNUTLS_SERVER);
-    gnutls_set_default_priority(ctxt->session);
+    gnutls_cipher_set_priority(ctxt->session, sc->ciphers);
+    gnutls_compression_set_priority(ctxt->session, sc->compression);
+    gnutls_kx_set_priority(ctxt->session, sc->key_exchange);
+    gnutls_protocol_set_priority(ctxt->session, sc->protocol);
+    gnutls_mac_set_priority(ctxt->session, sc->macs);
    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs);
+    gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE);
-    gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_REQUEST);
+//    gnutls_dh_set_prime_bits(ctxt->session, DH_BITS);
+  
-    gnutls_dh_set_prime_bits(ctxt->session, DH_BITS);
    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
@@ -377,41 +392,97 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd)
 #else
    apr_os_sock_get(&cfd, csd);
    gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd);
+    gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, sc->anoncred);
+    do{
+        ret = gnutls_handshake(ctxt->session);
+        if(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN){
+            continue;
+        }
+        if (ret < 0) {
+            if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
+                ret = gnutls_alert_get(ctxt->session);
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
+                    "GnuTLS: Hanshake Alert (%d) '%s'.\n", ret, gnutls_alert_get_name(ret));
+            }
+            if (gnutls_error_is_fatal(ret) != 0) {
+                gnutls_deinit(ctxt->session);
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
+                     "GnuTLS: Handshake Failed (%d) '%s'",ret, gnutls_strerror(ret));
+                sc->non_https = 1;
+                break;
+            }
+        }
+        break; /* all done with the handshake */
+    } while(1);
 #endif
    return OK;
 }
-static const char *gnutls_set_ca_file(cmd_parms * parms, void *dummy,
+static const char *gnutls_set_cert_file(cmd_parms * parms, void *dummy,
                                      const char *arg)
 {
-    gnutls_srvconf_t *sc =
+    gnutls_srvconf_rec *sc =
-        (gnutls_srvconf_t *) ap_get_module_config(parms->server->
+        (gnutls_srvconf_rec *) ap_get_module_config(parms->server->
                                                  module_config,
                                                  &gnutls_module);
-/* TODO: CRL, CAFile */
+    sc->cert_file = apr_pstrdup(parms->pool, arg);
-//    gnutls_certificate_set_x509_trust_file(sc->certs, CAFILE,
+    return NULL;
-//                                         GNUTLS_X509_FMT_PEM);
+}
+static const char *gnutls_set_key_file(cmd_parms * parms, void *dummy,
+                                      const char *arg)
+{
+    gnutls_srvconf_rec *sc =
+        (gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+                                                  module_config,
+                                                  &gnutls_module);
+    sc->key_file =  apr_pstrdup(parms->pool, arg);
+    return NULL;
+}
+static const char *gnutls_set_enabled(cmd_parms * parms, void *dummy,
+                                      const char *arg)
+{
+    gnutls_srvconf_rec *sc =
+        (gnutls_srvconf_rec *) ap_get_module_config(parms->server->
+                                                  module_config,
+                                                  &gnutls_module);
+    if (!strcasecmp(arg, "On")) {
+        sc->enabled = GNUTLS_ENABLED_TRUE;
+    }
+    else if (!strcasecmp(arg, "Off")) {
+        sc->enabled = GNUTLS_ENABLED_FALSE;
+    }
+    else {
+        return "GnuTLSEnable must be set to 'On' or 'Off'";
+    }
    return NULL;
 }
 static const command_rec gnutls_cmds[] = {
-    AP_INIT_FLAG("GnuTLSEnable", ap_set_flag_slot,
+    AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file,
-                 (void *) APR_OFFSETOF(gnutls_srvconf_t, enabled), RSRC_CONF,
+                  NULL,
-                 "Whether this server has GnuTLS Enabled. Default: Off"),
-    AP_INIT_TAKE1("GnuTLSCertificateFile", ap_set_string_slot,
-                  (void *) APR_OFFSETOF(gnutls_srvconf_t, cert_file),
                  RSRC_CONF,
                  "SSL Server Key file"),
-    AP_INIT_TAKE1("GnuTLSKeyFile", ap_set_string_slot,
+    AP_INIT_TAKE1("GnuTLSKeyFile", gnutls_set_key_file,
-                  (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file),
+                  NULL,
                  RSRC_CONF,
                  "SSL Server Certificate file"),
+    AP_INIT_TAKE1("GnuTLSEnable", gnutls_set_enabled,
+                 NULL, RSRC_CONF,
+                 "Whether this server has GnuTLS Enabled. Default: Off"),
    {NULL}
 };
 /* TODO: CACertificateFile & Client Authentication
 *    AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot,
- *                 (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file), NULL,
+ *                 (void *) APR_OFFSETOF(gnutls_srvconf_rec, key_file), NULL,
 *                 RSRC_CONF,
 *                 "CA"),
 */
@@ -430,24 +501,59 @@ static void gnutls_hooks(apr_pool_t * p)
    /* ap_register_output_filter ("UPGRADE_FILTER", 
     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
     */
+#ifdef GNUTLS_AS_FILTER
    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input,
                             NULL, AP_FTYPE_CONNECTION + 5);
    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output,
                              NULL, AP_FTYPE_CONNECTION + 5);
+#endif
 }
 static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s)
 {
-    gnutls_srvconf_t *sc = apr_pcalloc(p, sizeof *sc);
+    int i;
+    gnutls_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc));
    sc->enabled = GNUTLS_ENABLED_FALSE;
+    sc->non_https = 0;
    gnutls_certificate_allocate_credentials(&sc->certs);
+    gnutls_anon_allocate_server_credentials(&sc->anoncred);
    sc->key_file = NULL;
    sc->cert_file = NULL;
+    i = 0;
+    sc->ciphers[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
+    sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128;
+    sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC;
+    sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40;
+    sc->ciphers[i]   = 0;
+    i = 0;
+    sc->key_exchange[i++] = GNUTLS_KX_RSA;
+    sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT;
+    sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA;
+    sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
+    sc->key_exchange[i] = 0;
+    i = 0;
+    sc->macs[i++] = GNUTLS_MAC_MD5;
+    sc->macs[i++] = GNUTLS_MAC_SHA;
+    sc->macs[i++] = GNUTLS_MAC_RMD160;
+    sc->macs[i] = 0;
+    i = 0;
+    sc->protocol[i++] = GNUTLS_TLS1_1;
+    sc->protocol[i++] = GNUTLS_TLS1;
+    sc->protocol[i++] = GNUTLS_SSL3;
+    sc->protocol[i] = 0;
+    i = 0;
+    sc->compression[i++] = GNUTLS_COMP_NULL;
+    sc->compression[i++] = GNUTLS_COMP_ZLIB;
+    sc->compression[i++] = GNUTLS_COMP_LZO;
+    sc->compression[i] = 0;
    return sc;
 }
author	Paul Querna	2004-09-27 06:54:58 +0000
committer	Paul Querna	2004-09-27 06:54:58 +0000
commit	6a8a8396ceed9fb87a6586ebcb144b5f4b62a39a (patch)
tree	17f5b6a7c04e09c1d5545ac605a2af0d2e875166 /src/mod_gnutls.c
parent	16068f4173883029a5b0aac7540fedcfd9e81940 (diff)

diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c index bf0d9c3..e9ad89c 100644 --- a/src/mod_gnutls.c +++ b/src/mod_gnutls.c
@@ -34,32 +34,42 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
34		34
35	module AP_MODULE_DECLARE_DATA gnutls_module;	35	module AP_MODULE_DECLARE_DATA gnutls_module;
36		36
		37	#ifdef GNUTLS_AS_FILTER
37	#define GNUTLS_OUTPUT_FILTER_NAME "GnuTLS Output Filter"	38	#define GNUTLS_OUTPUT_FILTER_NAME "GnuTLS Output Filter"
38	#define GNUTLS_INPUT_FILTER_NAME "GnuTLS Input Filter"	39	#define GNUTLS_INPUT_FILTER_NAME "GnuTLS Input Filter"
		40	#endif
39		41
40	#define GNUTLS_ENABLED_FALSE 0	42	#define GNUTLS_ENABLED_FALSE 0
41	#define GNUTLS_ENABLED_TRUE 1	43	#define GNUTLS_ENABLED_TRUE 1
42		44
43		45
44	typedef struct gnutls_srvconf_t gnutls_srvconf_t;	46	typedef struct {
45	struct gnutls_srvconf_t
46	{
47	gnutls_certificate_credentials_t certs;	47	gnutls_certificate_credentials_t certs;
		48	gnutls_anon_server_credentials_t anoncred;
48	char *key_file;	49	char *key_file;
49	char *cert_file;	50	char *cert_file;
50	int enabled;	51	int enabled;
51	};	52	int non_https;
		53	int ciphers[16];
		54	int key_exchange[16];
		55	int macs[16];
		56	int protocol[16];
		57	int compression[16];
		58	} gnutls_srvconf_rec;
52		59
53	typedef struct gnutls_handle_t gnutls_handle_t;	60	typedef struct gnutls_handle_t gnutls_handle_t;
54	struct gnutls_handle_t	61	struct gnutls_handle_t
55	{	62	{
56	gnutls_srvconf_t *sc;	63	gnutls_srvconf_rec *sc;
57	gnutls_session_t session;	64	gnutls_session_t session;
		65	#ifdef GNUTLS_AS_FILTER
58	ap_filter_t *input_filter;	66	ap_filter_t *input_filter;
59	apr_bucket_brigade *input_bb;	67	apr_bucket_brigade *input_bb;
60	apr_read_type_e input_block;	68	apr_read_type_e input_block;
		69	#endif
61	};	70	};
62		71
		72	#ifdef GNUTLS_AS_FILTER
63	static apr_status_t gnutls_filter_input(ap_filter_t * f,	73	static apr_status_t gnutls_filter_input(ap_filter_t * f,
64	apr_bucket_brigade * bb,	74	apr_bucket_brigade * bb,
65	ap_input_mode_t mode,	75	ap_input_mode_t mode,
@@ -105,6 +115,8 @@ static apr_status_t gnutls_filter_output(ap_filter_t * f,
105	return status;	115	return status;
106	}	116	}
107		117
		118	#endif /* GNUTLS_AS_FILTER */
		119
108	static apr_status_t gnutls_cleanup_pre_config(void *data)	120	static apr_status_t gnutls_cleanup_pre_config(void *data)
109	{	121	{
110	gnutls_global_deinit();	122	gnutls_global_deinit();
@@ -134,48 +146,44 @@ static int gnutls_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
134	apr_pool_t * ptemp,	146	apr_pool_t * ptemp,
135	server_rec * base_server)	147	server_rec * base_server)
136	{	148	{
137	gnutls_srvconf_t *sc;	149	gnutls_srvconf_rec *sc;
138	server_rec *s;	150	server_rec *s;
139	gnutls_dh_params_t dh_params;	151	gnutls_dh_params_t dh_params;
140	gnutls_rsa_params_t rsa_params;	152	gnutls_rsa_params_t rsa_params;
141		153
142		154
143	/* TODO: Should we regenerate these after X requests / X time ? */	155	/* TODO: Should we regenerate these after X requests / X time ? */
144	gnutls_dh_params_init(&dh_params);	156	// gnutls_dh_params_init(&dh_params);
145	gnutls_dh_params_generate2(dh_params, DH_BITS);	157	// gnutls_dh_params_generate2(dh_params, DH_BITS);
146	gnutls_rsa_params_init(&rsa_params);	158	// gnutls_rsa_params_init(&rsa_params);
147	gnutls_rsa_params_generate2(rsa_params, RSA_BITS);	159	// gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
148		160
149	for (s = base_server; s; s = s->next) {	161	for (s = base_server; s; s = s->next) {
150	sc = (gnutls_srvconf_t *) ap_get_module_config(s->module_config,	162	sc = (gnutls_srvconf_rec *) ap_get_module_config(s->module_config,
151	&gnutls_module);	163	&gnutls_module);
152	if (sc->cert_file != NULL && sc->key_file != NULL) {	164	if (sc->cert_file != NULL && sc->key_file != NULL) {
153	gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file,	165	gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file,
154	sc->key_file,	166	sc->key_file,
155	GNUTLS_X509_FMT_PEM);	167	GNUTLS_X509_FMT_PEM);
		168	// gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params);
		169	// gnutls_certificate_set_dh_params(sc->certs, dh_params);
156	}	170	}
157	else {	171	else if(sc->enabled == GNUTLS_ENABLED_TRUE ){
158	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,	172	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
159	"[GnuTLS] - Host '%s' is missing a Cert and Key File!",	173	"[GnuTLS] - Host '%s:%d' is missing a Cert and Key File!",
160	s->server_hostname);	174	s->server_hostname, s->port);
161	}	175	}
162
163	/**
164	* TODO: Is it okay for all virtual hosts to
165	* share the same DH/RSAparams?
166	*/
167	gnutls_certificate_set_dh_params(sc->certs, dh_params);
168	gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params);
169	}	176	}
170		177
		178
171	ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION);	179	ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION);
172	return OK;	180	return OK;
173	}	181	}
174		182
175	static const char gnutls_hook_http_method(const request_rec r)	183	static const char gnutls_hook_http_method(const request_rec r)
176	{	184	{
177	gnutls_srvconf_t *sc =	185	gnutls_srvconf_rec *sc =
178	(gnutls_srvconf_t *) ap_get_module_config(r->server->module_config,	186	(gnutls_srvconf_rec *) ap_get_module_config(r->server->module_config,
179	&gnutls_module);	187	&gnutls_module);
180		188
181	if (sc->enabled == GNUTLS_ENABLED_FALSE) {	189	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
@@ -187,8 +195,8 @@ static const char gnutls_hook_http_method(const request_rec r)
187		195
188	static apr_port_t gnutls_hook_default_port(const request_rec * r)	196	static apr_port_t gnutls_hook_default_port(const request_rec * r)
189	{	197	{
190	gnutls_srvconf_t *sc =	198	gnutls_srvconf_rec *sc =
191	(gnutls_srvconf_t *) ap_get_module_config(r->server->module_config,	199	(gnutls_srvconf_rec *) ap_get_module_config(r->server->module_config,
192	&gnutls_module);	200	&gnutls_module);
193		201
194	if (sc->enabled == GNUTLS_ENABLED_FALSE) {	202	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
@@ -198,6 +206,7 @@ static apr_port_t gnutls_hook_default_port(const request_rec * r)
198	return 443;	206	return 443;
199	}	207	}
200		208
		209	#ifdef GNUTLS_AS_FILTER
201	/**	210	/**
202	* From mod_ssl / ssl_engine_io.c	211	* From mod_ssl / ssl_engine_io.c
203	* This function will read from a brigade and discard the read buckets as it	212	* This function will read from a brigade and discard the read buckets as it
@@ -336,15 +345,17 @@ static ssize_t gnutls_transport_write(gnutls_transport_ptr_t ptr,
336	//APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket);	345	//APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket);
337	return 0;	346	return 0;
338	}	347	}
		348	#endif /* GNUTLS_AS_FILTER */
339		349
340	static int gnutls_hook_pre_connection(conn_rec * c, void *csd)	350	static int gnutls_hook_pre_connection(conn_rec * c, void *csd)
341	{	351	{
342	#ifndef GNUTLS_AS_FILTER	352	#ifndef GNUTLS_AS_FILTER
343	int cfd;	353	int cfd;
		354	int ret;
344	#endif	355	#endif
345	gnutls_handle_t *ctxt;	356	gnutls_handle_t *ctxt;
346	gnutls_srvconf_t *sc =	357	gnutls_srvconf_rec *sc =
347	(gnutls_srvconf_t *) ap_get_module_config(c->base_server->	358	(gnutls_srvconf_rec *) ap_get_module_config(c->base_server->
348	module_config,	359	module_config,
349	&gnutls_module);	360	&gnutls_module);
350		361
@@ -357,13 +368,17 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd)
357	ctxt->sc = sc;	368	ctxt->sc = sc;
358	gnutls_init(&ctxt->session, GNUTLS_SERVER);	369	gnutls_init(&ctxt->session, GNUTLS_SERVER);
359		370
360	gnutls_set_default_priority(ctxt->session);	371	gnutls_cipher_set_priority(ctxt->session, sc->ciphers);
		372	gnutls_compression_set_priority(ctxt->session, sc->compression);
		373	gnutls_kx_set_priority(ctxt->session, sc->key_exchange);
		374	gnutls_protocol_set_priority(ctxt->session, sc->protocol);
		375	gnutls_mac_set_priority(ctxt->session, sc->macs);
361		376
362	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs);	377	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs);
		378	gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE);
363		379
364	gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_REQUEST);	380	// gnutls_dh_set_prime_bits(ctxt->session, DH_BITS);
365		381
366	gnutls_dh_set_prime_bits(ctxt->session, DH_BITS);
367		382
368	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);	383	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
369		384
@@ -377,41 +392,97 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd)
377	#else	392	#else
378	apr_os_sock_get(&cfd, csd);	393	apr_os_sock_get(&cfd, csd);
379	gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd);	394	gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd);
		395	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, sc->anoncred);
		396
		397	do{
		398	ret = gnutls_handshake(ctxt->session);
		399
		400	if(ret == GNUTLS_E_INTERRUPTED \|\| ret == GNUTLS_E_AGAIN){
		401	continue;
		402	}
		403
		404	if (ret < 0) {
		405	if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED \|\| ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
		406	ret = gnutls_alert_get(ctxt->session);
		407	ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
		408	"GnuTLS: Hanshake Alert (%d) '%s'.\n", ret, gnutls_alert_get_name(ret));
		409	}
		410
		411	if (gnutls_error_is_fatal(ret) != 0) {
		412	gnutls_deinit(ctxt->session);
		413	ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
		414	"GnuTLS: Handshake Failed (%d) '%s'",ret, gnutls_strerror(ret));
		415	sc->non_https = 1;
		416	break;
		417	}
		418	}
		419	break; /* all done with the handshake */
		420	} while(1);
380	#endif	421	#endif
381	return OK;	422	return OK;
382	}	423	}
383		424
384	static const char gnutls_set_ca_file(cmd_parms parms, void *dummy,	425	static const char gnutls_set_cert_file(cmd_parms parms, void *dummy,
385	const char *arg)	426	const char *arg)
386	{	427	{
387	gnutls_srvconf_t *sc =	428	gnutls_srvconf_rec *sc =
388	(gnutls_srvconf_t *) ap_get_module_config(parms->server->	429	(gnutls_srvconf_rec *) ap_get_module_config(parms->server->
389	module_config,	430	module_config,
390	&gnutls_module);	431	&gnutls_module);
391	/* TODO: CRL, CAFile */	432	sc->cert_file = apr_pstrdup(parms->pool, arg);
392	// gnutls_certificate_set_x509_trust_file(sc->certs, CAFILE,	433	return NULL;
393	// GNUTLS_X509_FMT_PEM);	434	}
		435
		436	static const char gnutls_set_key_file(cmd_parms parms, void *dummy,
		437	const char *arg)
		438	{
		439	gnutls_srvconf_rec *sc =
		440	(gnutls_srvconf_rec *) ap_get_module_config(parms->server->
		441	module_config,
		442	&gnutls_module);
		443	sc->key_file = apr_pstrdup(parms->pool, arg);
		444	return NULL;
		445	}
		446
		447	static const char gnutls_set_enabled(cmd_parms parms, void *dummy,
		448	const char *arg)
		449	{
		450	gnutls_srvconf_rec *sc =
		451	(gnutls_srvconf_rec *) ap_get_module_config(parms->server->
		452	module_config,
		453	&gnutls_module);
		454	if (!strcasecmp(arg, "On")) {
		455	sc->enabled = GNUTLS_ENABLED_TRUE;
		456	}
		457	else if (!strcasecmp(arg, "Off")) {
		458	sc->enabled = GNUTLS_ENABLED_FALSE;
		459	}
		460	else {
		461	return "GnuTLSEnable must be set to 'On' or 'Off'";
		462	}
		463
394	return NULL;	464	return NULL;
395	}	465	}
396		466
397	static const command_rec gnutls_cmds[] = {	467	static const command_rec gnutls_cmds[] = {
398	AP_INIT_FLAG("GnuTLSEnable", ap_set_flag_slot,	468	AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file,
399	(void *) APR_OFFSETOF(gnutls_srvconf_t, enabled), RSRC_CONF,	469	NULL,
400	"Whether this server has GnuTLS Enabled. Default: Off"),
401	AP_INIT_TAKE1("GnuTLSCertificateFile", ap_set_string_slot,
402	(void *) APR_OFFSETOF(gnutls_srvconf_t, cert_file),
403	RSRC_CONF,	470	RSRC_CONF,
404	"SSL Server Key file"),	471	"SSL Server Key file"),
405	AP_INIT_TAKE1("GnuTLSKeyFile", ap_set_string_slot,	472	AP_INIT_TAKE1("GnuTLSKeyFile", gnutls_set_key_file,
406	(void *) APR_OFFSETOF(gnutls_srvconf_t, key_file),	473	NULL,
407	RSRC_CONF,	474	RSRC_CONF,
408	"SSL Server Certificate file"),	475	"SSL Server Certificate file"),
		476	AP_INIT_TAKE1("GnuTLSEnable", gnutls_set_enabled,
		477	NULL, RSRC_CONF,
		478	"Whether this server has GnuTLS Enabled. Default: Off"),
		479
409	{NULL}	480	{NULL}
410	};	481	};
411		482
412	/* TODO: CACertificateFile & Client Authentication	483	/* TODO: CACertificateFile & Client Authentication
413	* AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot,	484	* AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot,
414	* (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file), NULL,	485	* (void *) APR_OFFSETOF(gnutls_srvconf_rec, key_file), NULL,
415	* RSRC_CONF,	486	* RSRC_CONF,
416	* "CA"),	487	* "CA"),
417	*/	488	*/
@@ -430,24 +501,59 @@ static void gnutls_hooks(apr_pool_t * p)
430	/* ap_register_output_filter ("UPGRADE_FILTER",	501	/* ap_register_output_filter ("UPGRADE_FILTER",
431	* ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);	502	* ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
432	*/	503	*/
433		504	#ifdef GNUTLS_AS_FILTER
434	ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input,	505	ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input,
435	NULL, AP_FTYPE_CONNECTION + 5);	506	NULL, AP_FTYPE_CONNECTION + 5);
436	ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output,	507	ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output,
437	NULL, AP_FTYPE_CONNECTION + 5);	508	NULL, AP_FTYPE_CONNECTION + 5);
438		509	#endif
439	}	510	}
440		511
441	static void gnutls_config_server_create(apr_pool_t p, server_rec * s)	512	static void gnutls_config_server_create(apr_pool_t p, server_rec * s)
442	{	513	{
443	gnutls_srvconf_t sc = apr_pcalloc(p, sizeof sc);	514	int i;
		515	gnutls_srvconf_rec sc = apr_pcalloc(p, sizeof(sc));
444		516
445	sc->enabled = GNUTLS_ENABLED_FALSE;	517	sc->enabled = GNUTLS_ENABLED_FALSE;
		518	sc->non_https = 0;
446		519
447	gnutls_certificate_allocate_credentials(&sc->certs);	520	gnutls_certificate_allocate_credentials(&sc->certs);
448		521	gnutls_anon_allocate_server_credentials(&sc->anoncred);
449	sc->key_file = NULL;	522	sc->key_file = NULL;
450	sc->cert_file = NULL;	523	sc->cert_file = NULL;
		524
		525	i = 0;
		526	sc->ciphers[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC;
		527	sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128;
		528	sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC;
		529	sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40;
		530	sc->ciphers[i] = 0;
		531
		532	i = 0;
		533	sc->key_exchange[i++] = GNUTLS_KX_RSA;
		534	sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT;
		535	sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA;
		536	sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
		537	sc->key_exchange[i] = 0;
		538
		539	i = 0;
		540	sc->macs[i++] = GNUTLS_MAC_MD5;
		541	sc->macs[i++] = GNUTLS_MAC_SHA;
		542	sc->macs[i++] = GNUTLS_MAC_RMD160;
		543	sc->macs[i] = 0;
		544
		545	i = 0;
		546	sc->protocol[i++] = GNUTLS_TLS1_1;
		547	sc->protocol[i++] = GNUTLS_TLS1;
		548	sc->protocol[i++] = GNUTLS_SSL3;
		549	sc->protocol[i] = 0;
		550
		551	i = 0;
		552	sc->compression[i++] = GNUTLS_COMP_NULL;
		553	sc->compression[i++] = GNUTLS_COMP_ZLIB;
		554	sc->compression[i++] = GNUTLS_COMP_LZO;
		555	sc->compression[i] = 0;
		556
451	return sc;	557	return sc;
452	}	558	}
453		559