diff options
-rw-r--r-- | LICENSE | 202 | ||||
-rw-r--r-- | Makefile.am | 3 | ||||
-rwxr-xr-x | autogen.sh | 10 | ||||
-rw-r--r-- | configure.ac | 41 | ||||
-rw-r--r-- | src/Makefile.am | 41 | ||||
-rw-r--r-- | src/mod_gnutls.c | 465 |
6 files changed, 762 insertions, 0 deletions
@@ -0,0 +1,202 @@ | |||
1 | Apache License | ||
2 | Version 2.0, January 2004 | ||
3 | http://www.apache.org/licenses/ | ||
4 | |||
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION | ||
6 | |||
7 | 1. Definitions. | ||
8 | |||
9 | "License" shall mean the terms and conditions for use, reproduction, | ||
10 | and distribution as defined by Sections 1 through 9 of this document. | ||
11 | |||
12 | "Licensor" shall mean the copyright owner or entity authorized by | ||
13 | the copyright owner that is granting the License. | ||
14 | |||
15 | "Legal Entity" shall mean the union of the acting entity and all | ||
16 | other entities that control, are controlled by, or are under common | ||
17 | control with that entity. For the purposes of this definition, | ||
18 | "control" means (i) the power, direct or indirect, to cause the | ||
19 | direction or management of such entity, whether by contract or | ||
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the | ||
21 | outstanding shares, or (iii) beneficial ownership of such entity. | ||
22 | |||
23 | "You" (or "Your") shall mean an individual or Legal Entity | ||
24 | exercising permissions granted by this License. | ||
25 | |||
26 | "Source" form shall mean the preferred form for making modifications, | ||
27 | including but not limited to software source code, documentation | ||
28 | source, and configuration files. | ||
29 | |||
30 | "Object" form shall mean any form resulting from mechanical | ||
31 | transformation or translation of a Source form, including but | ||
32 | not limited to compiled object code, generated documentation, | ||
33 | and conversions to other media types. | ||
34 | |||
35 | "Work" shall mean the work of authorship, whether in Source or | ||
36 | Object form, made available under the License, as indicated by a | ||
37 | copyright notice that is included in or attached to the work | ||
38 | (an example is provided in the Appendix below). | ||
39 | |||
40 | "Derivative Works" shall mean any work, whether in Source or Object | ||
41 | form, that is based on (or derived from) the Work and for which the | ||
42 | editorial revisions, annotations, elaborations, or other modifications | ||
43 | represent, as a whole, an original work of authorship. For the purposes | ||
44 | of this License, Derivative Works shall not include works that remain | ||
45 | separable from, or merely link (or bind by name) to the interfaces of, | ||
46 | the Work and Derivative Works thereof. | ||
47 | |||
48 | "Contribution" shall mean any work of authorship, including | ||
49 | the original version of the Work and any modifications or additions | ||
50 | to that Work or Derivative Works thereof, that is intentionally | ||
51 | submitted to Licensor for inclusion in the Work by the copyright owner | ||
52 | or by an individual or Legal Entity authorized to submit on behalf of | ||
53 | the copyright owner. For the purposes of this definition, "submitted" | ||
54 | means any form of electronic, verbal, or written communication sent | ||
55 | to the Licensor or its representatives, including but not limited to | ||
56 | communication on electronic mailing lists, source code control systems, | ||
57 | and issue tracking systems that are managed by, or on behalf of, the | ||
58 | Licensor for the purpose of discussing and improving the Work, but | ||
59 | excluding communication that is conspicuously marked or otherwise | ||
60 | designated in writing by the copyright owner as "Not a Contribution." | ||
61 | |||
62 | "Contributor" shall mean Licensor and any individual or Legal Entity | ||
63 | on behalf of whom a Contribution has been received by Licensor and | ||
64 | subsequently incorporated within the Work. | ||
65 | |||
66 | 2. Grant of Copyright License. Subject to the terms and conditions of | ||
67 | this License, each Contributor hereby grants to You a perpetual, | ||
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable | ||
69 | copyright license to reproduce, prepare Derivative Works of, | ||
70 | publicly display, publicly perform, sublicense, and distribute the | ||
71 | Work and such Derivative Works in Source or Object form. | ||
72 | |||
73 | 3. Grant of Patent License. Subject to the terms and conditions of | ||
74 | this License, each Contributor hereby grants to You a perpetual, | ||
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable | ||
76 | (except as stated in this section) patent license to make, have made, | ||
77 | use, offer to sell, sell, import, and otherwise transfer the Work, | ||
78 | where such license applies only to those patent claims licensable | ||
79 | by such Contributor that are necessarily infringed by their | ||
80 | Contribution(s) alone or by combination of their Contribution(s) | ||
81 | with the Work to which such Contribution(s) was submitted. If You | ||
82 | institute patent litigation against any entity (including a | ||
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work | ||
84 | or a Contribution incorporated within the Work constitutes direct | ||
85 | or contributory patent infringement, then any patent licenses | ||
86 | granted to You under this License for that Work shall terminate | ||
87 | as of the date such litigation is filed. | ||
88 | |||
89 | 4. Redistribution. You may reproduce and distribute copies of the | ||
90 | Work or Derivative Works thereof in any medium, with or without | ||
91 | modifications, and in Source or Object form, provided that You | ||
92 | meet the following conditions: | ||
93 | |||
94 | (a) You must give any other recipients of the Work or | ||
95 | Derivative Works a copy of this License; and | ||
96 | |||
97 | (b) You must cause any modified files to carry prominent notices | ||
98 | stating that You changed the files; and | ||
99 | |||
100 | (c) You must retain, in the Source form of any Derivative Works | ||
101 | that You distribute, all copyright, patent, trademark, and | ||
102 | attribution notices from the Source form of the Work, | ||
103 | excluding those notices that do not pertain to any part of | ||
104 | the Derivative Works; and | ||
105 | |||
106 | (d) If the Work includes a "NOTICE" text file as part of its | ||
107 | distribution, then any Derivative Works that You distribute must | ||
108 | include a readable copy of the attribution notices contained | ||
109 | within such NOTICE file, excluding those notices that do not | ||
110 | pertain to any part of the Derivative Works, in at least one | ||
111 | of the following places: within a NOTICE text file distributed | ||
112 | as part of the Derivative Works; within the Source form or | ||
113 | documentation, if provided along with the Derivative Works; or, | ||
114 | within a display generated by the Derivative Works, if and | ||
115 | wherever such third-party notices normally appear. The contents | ||
116 | of the NOTICE file are for informational purposes only and | ||
117 | do not modify the License. You may add Your own attribution | ||
118 | notices within Derivative Works that You distribute, alongside | ||
119 | or as an addendum to the NOTICE text from the Work, provided | ||
120 | that such additional attribution notices cannot be construed | ||
121 | as modifying the License. | ||
122 | |||
123 | You may add Your own copyright statement to Your modifications and | ||
124 | may provide additional or different license terms and conditions | ||
125 | for use, reproduction, or distribution of Your modifications, or | ||
126 | for any such Derivative Works as a whole, provided Your use, | ||
127 | reproduction, and distribution of the Work otherwise complies with | ||
128 | the conditions stated in this License. | ||
129 | |||
130 | 5. Submission of Contributions. Unless You explicitly state otherwise, | ||
131 | any Contribution intentionally submitted for inclusion in the Work | ||
132 | by You to the Licensor shall be under the terms and conditions of | ||
133 | this License, without any additional terms or conditions. | ||
134 | Notwithstanding the above, nothing herein shall supersede or modify | ||
135 | the terms of any separate license agreement you may have executed | ||
136 | with Licensor regarding such Contributions. | ||
137 | |||
138 | 6. Trademarks. This License does not grant permission to use the trade | ||
139 | names, trademarks, service marks, or product names of the Licensor, | ||
140 | except as required for reasonable and customary use in describing the | ||
141 | origin of the Work and reproducing the content of the NOTICE file. | ||
142 | |||
143 | 7. Disclaimer of Warranty. Unless required by applicable law or | ||
144 | agreed to in writing, Licensor provides the Work (and each | ||
145 | Contributor provides its Contributions) on an "AS IS" BASIS, | ||
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
147 | implied, including, without limitation, any warranties or conditions | ||
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A | ||
149 | PARTICULAR PURPOSE. You are solely responsible for determining the | ||
150 | appropriateness of using or redistributing the Work and assume any | ||
151 | risks associated with Your exercise of permissions under this License. | ||
152 | |||
153 | 8. Limitation of Liability. In no event and under no legal theory, | ||
154 | whether in tort (including negligence), contract, or otherwise, | ||
155 | unless required by applicable law (such as deliberate and grossly | ||
156 | negligent acts) or agreed to in writing, shall any Contributor be | ||
157 | liable to You for damages, including any direct, indirect, special, | ||
158 | incidental, or consequential damages of any character arising as a | ||
159 | result of this License or out of the use or inability to use the | ||
160 | Work (including but not limited to damages for loss of goodwill, | ||
161 | work stoppage, computer failure or malfunction, or any and all | ||
162 | other commercial damages or losses), even if such Contributor | ||
163 | has been advised of the possibility of such damages. | ||
164 | |||
165 | 9. Accepting Warranty or Additional Liability. While redistributing | ||
166 | the Work or Derivative Works thereof, You may choose to offer, | ||
167 | and charge a fee for, acceptance of support, warranty, indemnity, | ||
168 | or other liability obligations and/or rights consistent with this | ||
169 | License. However, in accepting such obligations, You may act only | ||
170 | on Your own behalf and on Your sole responsibility, not on behalf | ||
171 | of any other Contributor, and only if You agree to indemnify, | ||
172 | defend, and hold each Contributor harmless for any liability | ||
173 | incurred by, or claims asserted against, such Contributor by reason | ||
174 | of your accepting any such warranty or additional liability. | ||
175 | |||
176 | END OF TERMS AND CONDITIONS | ||
177 | |||
178 | APPENDIX: How to apply the Apache License to your work. | ||
179 | |||
180 | To apply the Apache License to your work, attach the following | ||
181 | boilerplate notice, with the fields enclosed by brackets "[]" | ||
182 | replaced with your own identifying information. (Don't include | ||
183 | the brackets!) The text should be enclosed in the appropriate | ||
184 | comment syntax for the file format. We also recommend that a | ||
185 | file or class name and description of purpose be included on the | ||
186 | same "printed page" as the copyright notice for easier | ||
187 | identification within third-party archives. | ||
188 | |||
189 | Copyright [yyyy] [name of copyright owner] | ||
190 | |||
191 | Licensed under the Apache License, Version 2.0 (the "License"); | ||
192 | you may not use this file except in compliance with the License. | ||
193 | You may obtain a copy of the License at | ||
194 | |||
195 | http://www.apache.org/licenses/LICENSE-2.0 | ||
196 | |||
197 | Unless required by applicable law or agreed to in writing, software | ||
198 | distributed under the License is distributed on an "AS IS" BASIS, | ||
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
200 | See the License for the specific language governing permissions and | ||
201 | limitations under the License. | ||
202 | |||
diff --git a/Makefile.am b/Makefile.am new file mode 100644 index 0000000..aebf68d --- /dev/null +++ b/Makefile.am | |||
@@ -0,0 +1,3 @@ | |||
1 | EXTRA_DIST = m4/outoforder.m4 m4/apache.m4 | ||
2 | |||
3 | SUBDIRS = src | ||
diff --git a/autogen.sh b/autogen.sh new file mode 100755 index 0000000..6c8e11f --- /dev/null +++ b/autogen.sh | |||
@@ -0,0 +1,10 @@ | |||
1 | #!/bin/sh | ||
2 | # autogen.sh - generates configure using the autotools | ||
3 | # $Id: autogen.sh,v 1.1 2004/03/04 08:12:13 firechipmunk Exp $ | ||
4 | libtoolize --force --copy | ||
5 | #libtoolize14 --force --copy | ||
6 | aclocal -I m4 | ||
7 | autoheader | ||
8 | automake --add-missing --copy --foreign | ||
9 | autoconf | ||
10 | rm -rf autom4te.cache | ||
diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..0cc92c4 --- /dev/null +++ b/configure.ac | |||
@@ -0,0 +1,41 @@ | |||
1 | AC_INIT | ||
2 | OOO_CONFIG_NICE(config.nice) | ||
3 | AC_CONFIG_SRCDIR([src/mod_gnutls.c]) | ||
4 | AM_MAINTAINER_MODE | ||
5 | AC_CANONICAL_TARGET | ||
6 | AM_INIT_AUTOMAKE(mod_gnutls, 0.1.0) | ||
7 | AM_CONFIG_HEADER([include/mod_gnutls_config.h:config.in]) | ||
8 | |||
9 | |||
10 | AC_PROG_CC | ||
11 | AC_PROG_LD | ||
12 | AC_PROG_INSTALL | ||
13 | AM_PROG_LIBTOOL | ||
14 | |||
15 | |||
16 | AC_PATH_PROG(PKG_CONFIG, pkg-config, no) | ||
17 | if test "x$PKG_CONFIG" = "xno"; then | ||
18 | AC_MSG_ERROR([You need to install pkg-config]) | ||
19 | fi | ||
20 | |||
21 | PKG_PATH= | ||
22 | |||
23 | AP_VERSION=2.0.40 | ||
24 | CHECK_APACHE(,$AP_VERSION, | ||
25 | :,:, | ||
26 | AC_MSG_ERROR([*** Apache version $AP_VERSION not found!]) | ||
27 | ) | ||
28 | |||
29 | MODULE_CFLAGS="${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}" | ||
30 | |||
31 | AC_SUBST(MODULE_CFLAGS) | ||
32 | |||
33 | AC_CONFIG_FILES([Makefile src/Makefile]) | ||
34 | AC_OUTPUT | ||
35 | |||
36 | echo "---" | ||
37 | echo "Configuration summary for mod_gnutls" | ||
38 | echo "" | ||
39 | echo " * Apache modules directory = ${AP_LIBEXECDIR}" | ||
40 | echo "" | ||
41 | echo "---" | ||
diff --git a/src/Makefile.am b/src/Makefile.am new file mode 100644 index 0000000..7a4903a --- /dev/null +++ b/src/Makefile.am | |||
@@ -0,0 +1,41 @@ | |||
1 | CLEANFILES = .libs/libmod_gnutls *~ | ||
2 | |||
3 | libmod_gnutls_la_SOURCES = mod_gnutls.c | ||
4 | libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS} | ||
5 | libmod_gnutls_la_LDFLAGS = | ||
6 | |||
7 | lib_LTLIBRARIES = libmod_gnutls.la | ||
8 | |||
9 | make_so: $(lib_LTLIBRARIES) | ||
10 | @if test ! -L mod_gnutls.so ; then ln -s .libs/libmod_gnutls.so mod_gnutls.so ; fi | ||
11 | |||
12 | clean: | ||
13 | rm -f mod_gnutls.so | ||
14 | rm -f *.o *.lo *.la | ||
15 | rm -fr .libs | ||
16 | |||
17 | install: make_so | ||
18 | @${APXS_BIN} -i -n svn_view mod_gnutls.so | ||
19 | @echo "" | ||
20 | @echo "" | ||
21 | @echo "***********************************************" | ||
22 | @echo "" | ||
23 | @echo " Please read the documentation at " | ||
24 | @echo " http://www.outoforder.cc/ for " | ||
25 | @echo " details on configuration of this module " | ||
26 | @echo "" | ||
27 | @echo "***********************************************" | ||
28 | @echo "" | ||
29 | |||
30 | activate: make_so | ||
31 | @${APXS_BIN} -i -a -n svn_view mod_gnutls.so | ||
32 | @echo "" | ||
33 | @echo "" | ||
34 | @echo "***********************************************" | ||
35 | @echo "" | ||
36 | @echo " Please read the documentation at " | ||
37 | @echo " http://www.outoforder.cc/ for " | ||
38 | @echo " details on configuration of this module " | ||
39 | @echo "" | ||
40 | @echo "***********************************************" | ||
41 | @echo "" | ||
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c new file mode 100644 index 0000000..bf0d9c3 --- /dev/null +++ b/src/mod_gnutls.c | |||
@@ -0,0 +1,465 @@ | |||
1 | /* ==================================================================== | ||
2 | * Copyright 2004 Paul Querna | ||
3 | * | ||
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
5 | * you may not use this file except in compliance with the License. | ||
6 | * You may obtain a copy of the License at | ||
7 | * | ||
8 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
9 | * | ||
10 | * Unless required by applicable law or agreed to in writing, software | ||
11 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
13 | * See the License for the specific language governing permissions and | ||
14 | * limitations under the License. | ||
15 | * | ||
16 | */ | ||
17 | |||
18 | #include "httpd.h" | ||
19 | #include "http_config.h" | ||
20 | #include "http_protocol.h" | ||
21 | #include "http_connection.h" | ||
22 | #include "http_core.h" | ||
23 | #include "http_log.h" | ||
24 | #include "apr_buckets.h" | ||
25 | #include "apr_strings.h" | ||
26 | #include "apr_tables.h" | ||
27 | |||
28 | #include <gcrypt.h> | ||
29 | #include <gnutls/gnutls.h> | ||
30 | |||
31 | #if APR_HAS_THREADS | ||
32 | GCRY_THREAD_OPTION_PTHREAD_IMPL; | ||
33 | #endif | ||
34 | |||
35 | module AP_MODULE_DECLARE_DATA gnutls_module; | ||
36 | |||
37 | #define GNUTLS_OUTPUT_FILTER_NAME "GnuTLS Output Filter" | ||
38 | #define GNUTLS_INPUT_FILTER_NAME "GnuTLS Input Filter" | ||
39 | |||
40 | #define GNUTLS_ENABLED_FALSE 0 | ||
41 | #define GNUTLS_ENABLED_TRUE 1 | ||
42 | |||
43 | |||
44 | typedef struct gnutls_srvconf_t gnutls_srvconf_t; | ||
45 | struct gnutls_srvconf_t | ||
46 | { | ||
47 | gnutls_certificate_credentials_t certs; | ||
48 | char *key_file; | ||
49 | char *cert_file; | ||
50 | int enabled; | ||
51 | }; | ||
52 | |||
53 | typedef struct gnutls_handle_t gnutls_handle_t; | ||
54 | struct gnutls_handle_t | ||
55 | { | ||
56 | gnutls_srvconf_t *sc; | ||
57 | gnutls_session_t session; | ||
58 | ap_filter_t *input_filter; | ||
59 | apr_bucket_brigade *input_bb; | ||
60 | apr_read_type_e input_block; | ||
61 | }; | ||
62 | |||
63 | static apr_status_t gnutls_filter_input(ap_filter_t * f, | ||
64 | apr_bucket_brigade * bb, | ||
65 | ap_input_mode_t mode, | ||
66 | apr_read_type_e block, | ||
67 | apr_off_t readbytes) | ||
68 | { | ||
69 | apr_status_t status = APR_SUCCESS; | ||
70 | gnutls_handle_t *ctxt = (gnutls_handle_t *) f->ctx; | ||
71 | |||
72 | if (f->c->aborted) { | ||
73 | apr_bucket *bucket = apr_bucket_eos_create(f->c->bucket_alloc); | ||
74 | APR_BRIGADE_INSERT_TAIL(bb, bucket); | ||
75 | return APR_ECONNABORTED; | ||
76 | } | ||
77 | |||
78 | return status; | ||
79 | } | ||
80 | |||
81 | static apr_status_t gnutls_filter_output(ap_filter_t * f, | ||
82 | apr_bucket_brigade * bb) | ||
83 | { | ||
84 | apr_bucket *b; | ||
85 | const char *buf = 0; | ||
86 | apr_size_t bytes = 0; | ||
87 | gnutls_handle_t *ctxt = (gnutls_handle_t *) f->ctx; | ||
88 | apr_status_t status = APR_SUCCESS; | ||
89 | |||
90 | if (!ctxt) { | ||
91 | /* first run. */ | ||
92 | } | ||
93 | |||
94 | for (b = APR_BRIGADE_FIRST(bb); | ||
95 | b != APR_BRIGADE_SENTINEL(bb); b = APR_BUCKET_NEXT(b)) { | ||
96 | if (APR_BUCKET_IS_EOS(b)) { | ||
97 | /* end of connection */ | ||
98 | } | ||
99 | else if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ) | ||
100 | == APR_SUCCESS) { | ||
101 | /* more data */ | ||
102 | } | ||
103 | } | ||
104 | |||
105 | return status; | ||
106 | } | ||
107 | |||
108 | static apr_status_t gnutls_cleanup_pre_config(void *data) | ||
109 | { | ||
110 | gnutls_global_deinit(); | ||
111 | return APR_SUCCESS; | ||
112 | } | ||
113 | |||
114 | static int gnutls_hook_pre_config(apr_pool_t * pconf, | ||
115 | apr_pool_t * plog, apr_pool_t * ptemp) | ||
116 | { | ||
117 | |||
118 | #if APR_HAS_THREADS | ||
119 | gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); | ||
120 | #endif | ||
121 | |||
122 | gnutls_global_init(); | ||
123 | |||
124 | apr_pool_cleanup_register(pconf, NULL, gnutls_cleanup_pre_config, | ||
125 | apr_pool_cleanup_null); | ||
126 | |||
127 | return OK; | ||
128 | } | ||
129 | |||
130 | #define DH_BITS 1024 | ||
131 | #define RSA_BITS 512 | ||
132 | |||
133 | static int gnutls_hook_post_config(apr_pool_t * p, apr_pool_t * plog, | ||
134 | apr_pool_t * ptemp, | ||
135 | server_rec * base_server) | ||
136 | { | ||
137 | gnutls_srvconf_t *sc; | ||
138 | server_rec *s; | ||
139 | gnutls_dh_params_t dh_params; | ||
140 | gnutls_rsa_params_t rsa_params; | ||
141 | |||
142 | |||
143 | /* TODO: Should we regenerate these after X requests / X time ? */ | ||
144 | gnutls_dh_params_init(&dh_params); | ||
145 | gnutls_dh_params_generate2(dh_params, DH_BITS); | ||
146 | gnutls_rsa_params_init(&rsa_params); | ||
147 | gnutls_rsa_params_generate2(rsa_params, RSA_BITS); | ||
148 | |||
149 | for (s = base_server; s; s = s->next) { | ||
150 | sc = (gnutls_srvconf_t *) ap_get_module_config(s->module_config, | ||
151 | &gnutls_module); | ||
152 | if (sc->cert_file != NULL && sc->key_file != NULL) { | ||
153 | gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file, | ||
154 | sc->key_file, | ||
155 | GNUTLS_X509_FMT_PEM); | ||
156 | } | ||
157 | else { | ||
158 | ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, | ||
159 | "[GnuTLS] - Host '%s' is missing a Cert and Key File!", | ||
160 | s->server_hostname); | ||
161 | } | ||
162 | |||
163 | /** | ||
164 | * TODO: Is it okay for all virtual hosts to | ||
165 | * share the same DH/RSAparams? | ||
166 | */ | ||
167 | gnutls_certificate_set_dh_params(sc->certs, dh_params); | ||
168 | gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params); | ||
169 | } | ||
170 | |||
171 | ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION); | ||
172 | return OK; | ||
173 | } | ||
174 | |||
175 | static const char *gnutls_hook_http_method(const request_rec * r) | ||
176 | { | ||
177 | gnutls_srvconf_t *sc = | ||
178 | (gnutls_srvconf_t *) ap_get_module_config(r->server->module_config, | ||
179 | &gnutls_module); | ||
180 | |||
181 | if (sc->enabled == GNUTLS_ENABLED_FALSE) { | ||
182 | return NULL; | ||
183 | } | ||
184 | |||
185 | return "https"; | ||
186 | } | ||
187 | |||
188 | static apr_port_t gnutls_hook_default_port(const request_rec * r) | ||
189 | { | ||
190 | gnutls_srvconf_t *sc = | ||
191 | (gnutls_srvconf_t *) ap_get_module_config(r->server->module_config, | ||
192 | &gnutls_module); | ||
193 | |||
194 | if (sc->enabled == GNUTLS_ENABLED_FALSE) { | ||
195 | return 0; | ||
196 | } | ||
197 | |||
198 | return 443; | ||
199 | } | ||
200 | |||
201 | /** | ||
202 | * From mod_ssl / ssl_engine_io.c | ||
203 | * This function will read from a brigade and discard the read buckets as it | ||
204 | * proceeds. It will read at most *len bytes. | ||
205 | */ | ||
206 | static apr_status_t brigade_consume(apr_bucket_brigade * bb, | ||
207 | apr_read_type_e block, | ||
208 | char *c, apr_size_t * len) | ||
209 | { | ||
210 | apr_size_t actual = 0; | ||
211 | apr_status_t status = APR_SUCCESS; | ||
212 | |||
213 | while (!APR_BRIGADE_EMPTY(bb)) { | ||
214 | apr_bucket *b = APR_BRIGADE_FIRST(bb); | ||
215 | const char *str; | ||
216 | apr_size_t str_len; | ||
217 | apr_size_t consume; | ||
218 | |||
219 | /* Justin points out this is an http-ism that might | ||
220 | * not fit if brigade_consume is added to APR. Perhaps | ||
221 | * apr_bucket_read(eos_bucket) should return APR_EOF? | ||
222 | * Then this becomes mainline instead of a one-off. | ||
223 | */ | ||
224 | if (APR_BUCKET_IS_EOS(b)) { | ||
225 | status = APR_EOF; | ||
226 | break; | ||
227 | } | ||
228 | |||
229 | /* The reason I'm not offering brigade_consume yet | ||
230 | * across to apr-util is that the following call | ||
231 | * illustrates how borked that API really is. For | ||
232 | * this sort of case (caller provided buffer) it | ||
233 | * would be much more trivial for apr_bucket_consume | ||
234 | * to do all the work that follows, based on the | ||
235 | * particular characteristics of the bucket we are | ||
236 | * consuming here. | ||
237 | */ | ||
238 | status = apr_bucket_read(b, &str, &str_len, block); | ||
239 | |||
240 | if (status != APR_SUCCESS) { | ||
241 | if (APR_STATUS_IS_EOF(status)) { | ||
242 | /* This stream bucket was consumed */ | ||
243 | apr_bucket_delete(b); | ||
244 | continue; | ||
245 | } | ||
246 | break; | ||
247 | } | ||
248 | |||
249 | if (str_len > 0) { | ||
250 | /* Do not block once some data has been consumed */ | ||
251 | block = APR_NONBLOCK_READ; | ||
252 | |||
253 | /* Assure we don't overflow. */ | ||
254 | consume = (str_len + actual > *len) ? *len - actual : str_len; | ||
255 | |||
256 | memcpy(c, str, consume); | ||
257 | |||
258 | c += consume; | ||
259 | actual += consume; | ||
260 | |||
261 | if (consume >= b->length) { | ||
262 | /* This physical bucket was consumed */ | ||
263 | apr_bucket_delete(b); | ||
264 | } | ||
265 | else { | ||
266 | /* Only part of this physical bucket was consumed */ | ||
267 | b->start += consume; | ||
268 | b->length -= consume; | ||
269 | } | ||
270 | } | ||
271 | else if (b->length == 0) { | ||
272 | apr_bucket_delete(b); | ||
273 | } | ||
274 | |||
275 | /* This could probably be actual == *len, but be safe from stray | ||
276 | * photons. */ | ||
277 | if (actual >= *len) { | ||
278 | break; | ||
279 | } | ||
280 | } | ||
281 | |||
282 | *len = actual; | ||
283 | return status; | ||
284 | } | ||
285 | |||
286 | |||
287 | static ssize_t gnutls_transport_read(gnutls_transport_ptr_t ptr, | ||
288 | void *buffer, size_t len) | ||
289 | { | ||
290 | gnutls_handle_t *ctxt = ptr; | ||
291 | apr_status_t rc; | ||
292 | apr_size_t in = len; | ||
293 | /* If Len = 0, we don't do anything. */ | ||
294 | if (!len) | ||
295 | return 0; | ||
296 | |||
297 | if (APR_BRIGADE_EMPTY(ctxt->input_bb)) { | ||
298 | |||
299 | rc = ap_get_brigade(ctxt->input_filter->next, ctxt->input_bb, | ||
300 | AP_MODE_READBYTES, ctxt->input_block, in); | ||
301 | |||
302 | /* Not a problem, there was simply no data ready yet. | ||
303 | */ | ||
304 | if (APR_STATUS_IS_EAGAIN(rc) || APR_STATUS_IS_EINTR(rc) | ||
305 | || (rc == APR_SUCCESS && APR_BRIGADE_EMPTY(ctxt->input_bb))) { | ||
306 | return 0; | ||
307 | } | ||
308 | |||
309 | if (rc != APR_SUCCESS) { | ||
310 | /* Unexpected errors discard the brigade */ | ||
311 | apr_brigade_cleanup(ctxt->input_bb); | ||
312 | ctxt->input_bb = NULL; | ||
313 | return -1; | ||
314 | } | ||
315 | } | ||
316 | |||
317 | // brigade_consume(ctxt->input_bb, ctxt->input_block, buffer, &len); | ||
318 | |||
319 | |||
320 | ap_get_brigade(ctxt->input_filter->next, ctxt->input_bb, | ||
321 | AP_MODE_READBYTES, ctxt->input_block, len); | ||
322 | |||
323 | return len; | ||
324 | } | ||
325 | |||
326 | static ssize_t gnutls_transport_write(gnutls_transport_ptr_t ptr, | ||
327 | const void *buffer, size_t len) | ||
328 | { | ||
329 | gnutls_handle_t *ctxt = ptr; | ||
330 | |||
331 | // apr_bucket *bucket = apr_bucket_transient_create(in, inl, | ||
332 | // outctx->bb-> | ||
333 | // bucket_alloc); | ||
334 | |||
335 | // outctx->length += inl; | ||
336 | //APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket); | ||
337 | return 0; | ||
338 | } | ||
339 | |||
340 | static int gnutls_hook_pre_connection(conn_rec * c, void *csd) | ||
341 | { | ||
342 | #ifndef GNUTLS_AS_FILTER | ||
343 | int cfd; | ||
344 | #endif | ||
345 | gnutls_handle_t *ctxt; | ||
346 | gnutls_srvconf_t *sc = | ||
347 | (gnutls_srvconf_t *) ap_get_module_config(c->base_server-> | ||
348 | module_config, | ||
349 | &gnutls_module); | ||
350 | |||
351 | if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) { | ||
352 | return DECLINED; | ||
353 | } | ||
354 | |||
355 | ctxt = apr_pcalloc(c->pool, sizeof(*ctxt)); | ||
356 | |||
357 | ctxt->sc = sc; | ||
358 | gnutls_init(&ctxt->session, GNUTLS_SERVER); | ||
359 | |||
360 | gnutls_set_default_priority(ctxt->session); | ||
361 | |||
362 | gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs); | ||
363 | |||
364 | gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_REQUEST); | ||
365 | |||
366 | gnutls_dh_set_prime_bits(ctxt->session, DH_BITS); | ||
367 | |||
368 | ap_set_module_config(c->conn_config, &gnutls_module, ctxt); | ||
369 | |||
370 | #ifdef GNUTLS_AS_FILTER | ||
371 | gnutls_transport_set_pull_function(ctxt->session, gnutls_transport_read); | ||
372 | gnutls_transport_set_push_function(ctxt->session, gnutls_transport_write); | ||
373 | gnutls_transport_set_ptr(ctxt->session, ctxt); | ||
374 | |||
375 | ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c); | ||
376 | ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c); | ||
377 | #else | ||
378 | apr_os_sock_get(&cfd, csd); | ||
379 | gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd); | ||
380 | #endif | ||
381 | return OK; | ||
382 | } | ||
383 | |||
384 | static const char *gnutls_set_ca_file(cmd_parms * parms, void *dummy, | ||
385 | const char *arg) | ||
386 | { | ||
387 | gnutls_srvconf_t *sc = | ||
388 | (gnutls_srvconf_t *) ap_get_module_config(parms->server-> | ||
389 | module_config, | ||
390 | &gnutls_module); | ||
391 | /* TODO: CRL, CAFile */ | ||
392 | // gnutls_certificate_set_x509_trust_file(sc->certs, CAFILE, | ||
393 | // GNUTLS_X509_FMT_PEM); | ||
394 | return NULL; | ||
395 | } | ||
396 | |||
397 | static const command_rec gnutls_cmds[] = { | ||
398 | AP_INIT_FLAG("GnuTLSEnable", ap_set_flag_slot, | ||
399 | (void *) APR_OFFSETOF(gnutls_srvconf_t, enabled), RSRC_CONF, | ||
400 | "Whether this server has GnuTLS Enabled. Default: Off"), | ||
401 | AP_INIT_TAKE1("GnuTLSCertificateFile", ap_set_string_slot, | ||
402 | (void *) APR_OFFSETOF(gnutls_srvconf_t, cert_file), | ||
403 | RSRC_CONF, | ||
404 | "SSL Server Key file"), | ||
405 | AP_INIT_TAKE1("GnuTLSKeyFile", ap_set_string_slot, | ||
406 | (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file), | ||
407 | RSRC_CONF, | ||
408 | "SSL Server Certificate file"), | ||
409 | {NULL} | ||
410 | }; | ||
411 | |||
412 | /* TODO: CACertificateFile & Client Authentication | ||
413 | * AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot, | ||
414 | * (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file), NULL, | ||
415 | * RSRC_CONF, | ||
416 | * "CA"), | ||
417 | */ | ||
418 | |||
419 | static void gnutls_hooks(apr_pool_t * p) | ||
420 | { | ||
421 | ap_hook_pre_connection(gnutls_hook_pre_connection, NULL, NULL, | ||
422 | APR_HOOK_MIDDLE); | ||
423 | ap_hook_post_config(gnutls_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE); | ||
424 | ap_hook_http_method(gnutls_hook_http_method, NULL, NULL, APR_HOOK_MIDDLE); | ||
425 | ap_hook_default_port(gnutls_hook_default_port, NULL, NULL, | ||
426 | APR_HOOK_MIDDLE); | ||
427 | ap_hook_pre_config(gnutls_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE); | ||
428 | |||
429 | /* TODO: HTTP Upgrade Filter */ | ||
430 | /* ap_register_output_filter ("UPGRADE_FILTER", | ||
431 | * ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); | ||
432 | */ | ||
433 | |||
434 | ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input, | ||
435 | NULL, AP_FTYPE_CONNECTION + 5); | ||
436 | ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output, | ||
437 | NULL, AP_FTYPE_CONNECTION + 5); | ||
438 | |||
439 | } | ||
440 | |||
441 | static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s) | ||
442 | { | ||
443 | gnutls_srvconf_t *sc = apr_pcalloc(p, sizeof *sc); | ||
444 | |||
445 | sc->enabled = GNUTLS_ENABLED_FALSE; | ||
446 | |||
447 | gnutls_certificate_allocate_credentials(&sc->certs); | ||
448 | |||
449 | sc->key_file = NULL; | ||
450 | sc->cert_file = NULL; | ||
451 | return sc; | ||
452 | } | ||
453 | |||
454 | |||
455 | |||
456 | module AP_MODULE_DECLARE_DATA gnutls_module = { | ||
457 | STANDARD20_MODULE_STUFF, | ||
458 | NULL, | ||
459 | NULL, | ||
460 | gnutls_config_server_create, | ||
461 | NULL, | ||
462 | /* gnutls_config_server_merge, */ | ||
463 | gnutls_cmds, | ||
464 | gnutls_hooks | ||
465 | }; | ||