-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | README | 232 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | src/gnutls_hooks.c | 59 | ||||
-rw-r--r-- | src/gnutls_io.c | 6 |
5 files changed, 202 insertions, 107 deletions
@@ -1,3 +1,9 @@ | |||
1 | ** Version 0.5.3 (2008-10-16) | ||
2 | |||
3 | - Corrected bug to allow having an OpenPGP-only web site. | ||
4 | |||
5 | - Increased Max handshake tries due to interrupted system calls. | ||
6 | |||
1 | ** Version 0.5.2 (2008-06-29) | 7 | ** Version 0.5.2 (2008-06-29) |
2 | 8 | ||
3 | - Depend on gnutls 2.4 which has openpgp support in main library. | 9 | - Depend on gnutls 2.4 which has openpgp support in main library. |
@@ -1,111 +1,171 @@ | |||
1 | mod_gnutls | ||
2 | 1 | ||
3 | This module started back in September of 2004 because I was tired of trying to | 2 | mod_gnutls, Apache GnuTLS module. |
4 | fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- no offense to it's | 3 | ================================= |
5 | authors is intended -- but I believe it has fallen prey to massive feature bloat. | ||
6 | 4 | ||
7 | When I started hacking on httpd, mod_ssl remained a great mystery to me, and | 5 | $LastChangedDate: $ |
8 | when I actually looked at it, I ran away. The shear ammount code is huge, and it | ||
9 | does not conform to the style guidelines. It was painful to read, and even harder | ||
10 | to debug. I wanted to understand how it worked, and I had recently heard about | ||
11 | GnuTLS, so long story short, I decided to implement a mod_gnutls. | ||
12 | 6 | ||
13 | Lines of Code in mod_ssl: 15,324 | 7 | Contents: |
14 | Lines of Code in mod_gnutls: 3,594 | ||
15 | 8 | ||
16 | Because of writing mod_gnutls, I now understand how input and output filters work, | 9 | I. ABOUT |
17 | better than I ever thought possible. It was a little painful at times, and some parts | 10 | II. AUTHORS |
18 | lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl. | 11 | III. LICENSE |
12 | IV. STATUS | ||
13 | V. BASIC CONFIGURATION | ||
14 | VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER | ||
19 | 15 | ||
20 | ---------------------------- | ||
21 | 16 | ||
22 | Author: Paul Querna <chip force-elite.com> | ||
23 | 17 | ||
24 | Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org> | 18 | I. ABOUT |
25 | 19 | ||
26 | License: Apache Software License v2.0. (see the LICENSE file for details) | 20 | This module started back in September of 2004 because I was tired of |
21 | trying to fix bugs in mod_ssl. mod_ssl is a giant beast of a module -- | ||
22 | no offense to it's authors is intended -- but I believe it has fallen | ||
23 | prey to massive feature bloat. | ||
27 | 24 | ||
28 | Current Status: | 25 | When I started hacking on httpd, mod_ssl remained a great mystery to me, |
29 | - SSL and TLS connections with all popular browsers work! | 26 | and when I actually looked at it, I ran away. The shear amount code is |
30 | - Sets enviromental vars for scripts (compatible with mod_ssl vars) | 27 | huge, and it does not conform to the style guidelines. It was painful to |
31 | - Supports Memcached as a distributed SSL Session Cache | 28 | read, and even harder to debug. I wanted to understand how it worked, |
32 | - Supports DBM as a local SSL Session Cache | 29 | and I had recently heard about GnuTLS, so long story short, I decided to |
33 | - Support for Server Name Indication | 30 | implement a mod_gnutls. |
34 | - Support for Client Certificates | ||
35 | - Support for TLS-SRP | ||
36 | 31 | ||
37 | Basic Configuration: | 32 | Lines of Code in mod_ssl: 15,324 |
33 | Lines of Code in mod_gnutls: 3,594 | ||
38 | 34 | ||
39 | LoadModule gnutls_module modules/mod_gnutls.so | 35 | Because of writing mod_gnutls, I now understand how input and output |
36 | filters work, better than I ever thought possible. It was a little | ||
37 | painful at times, and some parts lift code and ideas directly from | ||
38 | mod_ssl. Kudos to the original authors of mod_ssl. | ||
40 | 39 | ||
41 | # mod_gnutls can optionaly use a memcached server to store it's SSL Sessions. | ||
42 | # This is useful in a cluster enviroment, where you want all of your servers | ||
43 | # to share a single SSL Session Cache. | ||
44 | #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" | ||
45 | 40 | ||
46 | # The Default method is to use a DBM backed Cache. It isn't super fast, but | ||
47 | # it is portable and does not require another server to be running like memcached. | ||
48 | GnuTLSCache dbm conf/gnutls_cache | ||
49 | 41 | ||
50 | <VirtualHost 1.2.3.4:443> | 42 | II. AUTHORS |
51 | # insert other directives ... here ... | ||
52 | 43 | ||
53 | # This enables the mod_gnutls Handlers for this Virtual Host | 44 | Paul Querna <chip force-elite.com> |
54 | GnuTLSEnable On | 45 | Nikos Mavrogiannopoulos <nmav gnutls.org> |
55 | 46 | ||
56 | # This is the Private key for your server. | ||
57 | GnuTLSX509KeyFile conf/server.key | ||
58 | 47 | ||
59 | # This is the Server Certificate. | ||
60 | GnuTLSX509CertificateFile conf/server.cert | ||
61 | </VirtualHost> | ||
62 | 48 | ||
63 | # a more advanced configuration | 49 | III. LICENSE |
64 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" | ||
65 | GnuTLSCacheTimeout 600 | ||
66 | NameVirtualHost 1.2.3.4:443 | ||
67 | 50 | ||
68 | <VirtualHost 1.2.3.4:443> | 51 | Apache License, Version 2.0 (see the LICENSE file for details) |
69 | Servername server.com:443 | 52 | |
53 | |||
54 | |||
55 | IV. STATUS | ||
56 | |||
57 | * SSL and TLS connections with all popular browsers work! | ||
58 | * Sets environmental vars for scripts (compatible with mod_ssl vars) | ||
59 | * Supports memcached as a distributed SSL session cache | ||
60 | * Supports DBM as a local SSL session cache | ||
61 | * Support for server name indication (SNI), RFC3546 | ||
62 | * Support for client certificates | ||
63 | * Support for secure remote password (SRP), RFC5054 | ||
64 | |||
65 | |||
66 | |||
67 | V. BASIC CONFIGURATION | ||
68 | |||
69 | LoadModule gnutls_module modules/mod_gnutls.so | ||
70 | |||
71 | # mod_gnutls can optionally use a memcached server to store it's SSL | ||
72 | # Sessions. This is useful in a cluster environment, where you want all | ||
73 | # of your servers to share a single SSL session cache. | ||
74 | #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" | ||
75 | |||
76 | # The Default method is to use a DBM backed Cache. It isn't super fast, | ||
77 | # but it is portable and does not require another server to be running | ||
78 | # like memcached. | ||
79 | GnuTLSCache dbm conf/gnutls_cache | ||
80 | |||
81 | <VirtualHost 1.2.3.4:443> | ||
82 | |||
83 | # Enable mod_gnutls handlers for this virtual host | ||
84 | GnuTLSEnable On | ||
85 | |||
86 | # This is the private key for your server | ||
87 | GnuTLSX509KeyFile conf/server.key | ||
88 | |||
89 | # This is the server certificate | ||
90 | GnuTLSX509CertificateFile conf/server.cert | ||
91 | |||
92 | </VirtualHost> | ||
93 | |||
94 | # A more advanced configuration | ||
95 | GnuTLSCache dbm "/var/cache/www-tls-cache/cache" | ||
96 | GnuTLSCacheTimeout 600 | ||
97 | NameVirtualHost 1.2.3.4:443 | ||
98 | |||
99 | <VirtualHost 1.2.3.4:443> | ||
100 | |||
101 | Servername server.com:443 | ||
70 | GnuTLSEnable on | 102 | GnuTLSEnable on |
71 | GnuTLSPriority NORMAL | 103 | GnuTLSPriority NORMAL |
72 | # To export exactly the same environment variables as mod_ssl to CGI scripts. | 104 | |
73 | GNUTLSExportCertificates on | 105 | # Export exactly the same environment variables as mod_ssl to CGI |
74 | 106 | # scripts. | |
75 | GnuTLSX509CertificateFile /etc/apache2/server-cert.pem | 107 | GNUTLSExportCertificates on |
76 | GnuTLSX509KeyFile /etc/apache2/server-key.pem | 108 | |
77 | 109 | GnuTLSX509CertificateFile /etc/apache2/server-cert.pem | |
78 | # To enable SRP you must have these files installed. Check the gnutls srptool. | 110 | GnuTLSX509KeyFile /etc/apache2/server-key.pem |
79 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd | 111 | |
80 | GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf | 112 | # To enable SRP you must have these files installed. Check the gnutls |
81 | 113 | # srptool. | |
82 | # In order to verify client certificates. Other options to | 114 | GnuTLSSRPPasswdFile /etc/apache2/tpasswd |
83 | # GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile | 115 | GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf |
84 | # contains the CAs to verify client certificates. | 116 | |
85 | GnuTLSClientVerify request | 117 | # In order to verify client certificates. Other options to |
86 | GnuTLSX509CAFile ca.pem | 118 | # GnuTLSClientVerify could be ignore or require. The |
87 | ... | 119 | # GnuTLSClientCAFile contains the CAs to verify client certificates. |
88 | </VirtualHost> | 120 | GnuTLSClientVerify request |
89 | 121 | GnuTLSX509CAFile ca.pem | |
90 | # A setup for OpenPGP and X.509 authentication | 122 | |
91 | <VirtualHost 1.2.3.4:443> | 123 | </VirtualHost> |
92 | Servername crystal.lan:443 | 124 | |
125 | # A setup for OpenPGP and X.509 authentication | ||
126 | <VirtualHost 1.2.3.4:443> | ||
127 | |||
128 | Servername crystal.lan:443 | ||
93 | GnuTLSEnable on | 129 | GnuTLSEnable on |
94 | GnuTLSPriorities NORMAL:+COMP-NULL | 130 | GnuTLSPriorities NORMAL:+COMP-NULL |
131 | |||
132 | # Setup the openpgp keys | ||
133 | GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc | ||
134 | GnuTLSPGPKeyFile /etc/apache2/test.sec.asc | ||
135 | |||
136 | # - and the X.509 keys | ||
137 | GnuTLSCertificateFile /etc/apache2/server-cert.pem | ||
138 | GnuTLSKeyFile /etc/apache2/server-key.pem | ||
139 | |||
140 | GnuTLSClientVerify ignore | ||
141 | |||
142 | # To avoid using the default DH params | ||
143 | GnuTLSDHFile /etc/apache2/dh.pem | ||
144 | |||
145 | # These are only needed if GnuTLSClientVerify != ignore | ||
146 | GnuTLSClientCAFile ca.pem | ||
147 | GnuTLSPGPKeyringFile /etc/apache2/ring.asc | ||
148 | |||
149 | </VirtualHost> | ||
150 | |||
151 | |||
152 | |||
153 | VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER | ||
154 | |||
155 | mod_gnutls currently cannot read encrypted OpenPGP credentials. That is, | ||
156 | when you generate a key with gpg and gpg prompts you for a passphrase, | ||
157 | just press enter. Then press enter again, to confirm an empty | ||
158 | passphrase. http://news.gmane.org/gmane.comp.apache.outoforder.modules | ||
95 | 159 | ||
96 | # setup the openpgp keys | 160 | These instructions are from the GnuTLS manual: |
97 | GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc | 161 | http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv |
98 | GnuTLSPGPKeyFile /etc/apache2/test.sec.asc | ||
99 | 162 | ||
100 | # and the X.509 keys | 163 | $ gpg --gen-key |
101 | GnuTLSCertificateFile /etc/apache2/server-cert.pem | 164 | ...enter whatever details you want, use 'test.gnutls.org' as name... |
102 | GnuTLSKeyFile /etc/apache2/server-key.pem | ||
103 | GnuTLSClientVerify ignore | ||
104 | 165 | ||
105 | # To avoid using the default DH params | 166 | Make a note of the OpenPGP key identifier of the newly generated key, |
106 | GnuTLSDHFile /etc/apache2/dh.pem | 167 | here it was 5D1D14D8. You will need to export the key for GnuTLS to be |
168 | able to use it. | ||
107 | 169 | ||
108 | # these are only needed if GnuTLSClientVerify != ignore | 170 | $ gpg -a --export 5D1D14D8 > openpgp-server.txt |
109 | GnuTLSClientCAFile ca.pem | 171 | $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt |
110 | GnuTLSPGPKeyringFile /etc/apache2/ring.asc | ||
111 | </VirtualHost> | ||
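diff --git a/configure.ac b/configure.ac
index 1e42464..0ffc69b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 dnl
-AC_INIT(mod_gnutls, 0.5.2)
+AC_INIT(mod_gnutls, 0.5.3)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
 AC_PREREQ(2.53)
@@ -55,8 +55,8 @@ have_apr_memcache=0
 CHECK_APR_MEMCACHE([have_apr_memcache=1], [have_apr_memcache=0])
 AC_SUBST(have_apr_memcache)
 
-MODULE_CFLAGS="${LIBGNUTLS_EXTRA_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_EXTRA_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
 
 AC_SUBST(MODULE_CFLAGS)
 AC_SUBST(MODULE_LIBS)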
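diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 5ced25b..57bfeba 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -54,6 +54,9 @@ static void gnutls_debug_log_all(int level, const char *str)
 {
     apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
 }
+#define _gnutls_log apr_file_printf
+#else
+# define _gnutls_log(...)
 #endif
 
 int
@@ -62,6 +65,18 @@ mgs_hook_pre_config(apr_pool_t * pconf,
 {
     int ret;
 
+#if MOD_GNUTLS_DEBUG
+    apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
+                  APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
+                  pconf);
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    gnutls_global_set_log_level(9);
+    gnutls_global_set_log_function(gnutls_debug_log_all);
+    _gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
+#endif
+
 #if APR_HAS_THREADS
     ap_mpm_query(AP_MPMQ_IS_THREADED, &mpm_is_threaded);
     if (mpm_is_threaded) {
@@ -72,29 +87,20 @@ int ret;
 #endif
 
     if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
-        fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
+        _gnutls_log(debug_log_fp, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
                 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
         return -3;
     }
 
     ret = gnutls_global_init();
     if (ret < 0) {
-        fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
+        _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
         return -3;
     }
 
     apr_pool_cleanup_register(pconf, NULL, mgs_cleanup_pre_config,
                               apr_pool_cleanup_null);
 
-#if MOD_GNUTLS_DEBUG
-    apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
-                  APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
-                  pconf);
-
-    gnutls_global_set_log_level(9);
-    gnutls_global_set_log_function(gnutls_debug_log_all);
-    apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
-#endif
 
     return OK;
 }
@@ -106,6 +112,8 @@ static int mgs_select_virtual_server_cb(gnutls_session_t session)
     int ret;
     int cprio[2];
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
     ctxt = gnutls_transport_get_ptr(session);
 
     /* find the virtual server */
@@ -162,8 +170,12 @@ static int cert_retrieve_fn(gnutls_session_t session, gnutls_retr_st * ret)
 {
     mgs_handle_t *ctxt;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     ctxt = gnutls_transport_get_ptr(session);
 
+    if (ctxt == NULL)
+        return GNUTLS_E_INTERNAL_ERROR;
+
     if (gnutls_certificate_type_get( session) == GNUTLS_CRT_X509) {
         ret->type = GNUTLS_CRT_X509;
         ret->ncerts = ctxt->sc->certs_x509_num;
@@ -210,6 +222,7 @@ static int read_crt_cn(server_rec * s, apr_pool_t * p,
     size_t data_len;
 
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     *cert_cn = NULL;
 
     data_len = 0;
@@ -261,6 +274,7 @@ static int read_pgpcrt_cn(server_rec * s, apr_pool_t * p,
     size_t data_len;
 
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     *cert_cn = NULL;
 
     data_len = 0;
@@ -293,6 +307,7 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
     int first_run = 0;
     const char *userdata_key = "mgs_init";
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
     if (data == NULL) {
         first_run = 1;
@@ -394,8 +409,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
         }
 #endif
 
-        if (sc->certs_x509[0] == NULL
-            && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if (sc->certs_x509[0] == NULL &&
+            sc->cert_pgp == NULL &&
+            sc->enabled == GNUTLS_ENABLED_TRUE) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                          "[GnuTLS] - Host '%s:%d' is missing a "
                          "Certificate File!", s->server_hostname,
@@ -403,8 +419,9 @@ mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
             exit(-1);
         }
 
-        if (sc->privkey_x509 == NULL
-            && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if (sc->enabled == GNUTLS_ENABLED_TRUE &&
+            ((sc->certs_x509[0] != NULL && sc->privkey_x509 == NULL) ||
+            (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                          "[GnuTLS] - Host '%s:%d' is missing a "
                          "Private Key File!",
@@ -439,6 +456,7 @@ void mgs_hook_child_init(apr_pool_t * p, server_rec * s)
     mgs_srvconf_rec *sc = ap_get_module_config(s->module_config,
                                                &gnutls_module);
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     if (sc->cache_type != mgs_cache_none) {
         rv = mgs_cache_child_init(p, s, sc);
         if (rv != APR_SUCCESS) {
@@ -457,6 +475,7 @@ const char *mgs_hook_http_scheme(const request_rec * r)
         (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
                                                  &gnutls_module);
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     if (sc->enabled == GNUTLS_ENABLED_FALSE) {
         return NULL;
     }
@@ -470,6 +489,7 @@ apr_port_t mgs_hook_default_port(const request_rec * r)
         (mgs_srvconf_rec *) ap_get_module_config(r->server->module_config,
                                                  &gnutls_module);
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     if (sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 0;
     }
@@ -491,6 +511,7 @@ static int vhost_cb(void *baton, conn_rec * conn, server_rec * s)
     mgs_srvconf_rec *tsc;
     vhost_cb_rec *x = baton;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
                                                    &gnutls_module);
 
@@ -543,6 +564,7 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session)
     mgs_srvconf_rec *tsc;
 #endif
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     ctxt = gnutls_transport_get_ptr(session);
 
     rv = gnutls_server_name_get(ctxt->session, sni_name,
@@ -620,6 +642,7 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
                                                module_config,
                                                &gnutls_module);
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     ctxt = apr_pcalloc(pool, sizeof(*ctxt));
     ctxt->c = c;
     ctxt->sc = sc;
@@ -658,6 +681,7 @@ int mgs_hook_pre_connection(conn_rec * c, void *csd)
                                                module_config,
                                                &gnutls_module);
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
         return DECLINED;
     }
@@ -687,6 +711,7 @@ int mgs_hook_fixups(request_rec * r)
     mgs_handle_t *ctxt;
     int rv = OK;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
 
     ctxt =
@@ -761,6 +786,7 @@ int mgs_hook_authz(request_rec * r)
     mgs_dirconf_rec *dc = ap_get_module_config(r->per_dir_config,
                                                &gnutls_module);
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     ctxt =
         ap_get_module_config(r->connection->conn_config, &gnutls_module);
 
@@ -822,6 +848,7 @@ mgs_add_common_cert_vars(request_rec * r, gnutls_x509_crt_t cert, int side,
 
     apr_table_t *env = r->subprocess_env;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     if (export_certificates_enabled != 0) {
         char cert_buf[10 * 1024];
         len = sizeof(cert_buf);
@@ -928,6 +955,7 @@ mgs_add_common_pgpcert_vars(request_rec * r, gnutls_openpgp_crt_t cert, int side
     size_t len;
     int ret;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
 
     if (export_certificates_enabled != 0) {
@@ -994,6 +1022,7 @@ static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt)
     } cert;
     apr_time_t activation_time, expiration_time, cur_time;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     cert_list =
         gnutls_certificate_get_peers(ctxt->session, &cert_list_size);
 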
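diff --git a/src/gnutls_io.c b/src/gnutls_io.c
index 753c87b..4f8e486 100644
--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -72,13 +72,13 @@ static int char_buffer_read(mgs_char_buffer_t * buffer, char *in,
 
     if (buffer->length > inl) {
         /* we have have enough to fill the caller's buffer */
-        memcpy(in, buffer->value, inl);
+        memmove(in, buffer->value, inl);
         buffer->value += inl;
         buffer->length -= inl;
     }
     else {
         /* swallow remainder of the buffer */
-        memcpy(in, buffer->value, buffer->length);
+        memmove(in, buffer->value, buffer->length);
         inl = buffer->length;
         buffer->value = NULL;
         buffer->length = 0;
@@ -353,7 +353,7 @@ static apr_status_t gnutls_io_input_getline(mgs_handle_t * ctxt,
     return APR_SUCCESS;
 }
 
-#define HANDSHAKE_MAX_TRIES 100
+#define HANDSHAKE_MAX_TRIES 1024
 static int gnutls_do_handshake(mgs_handle_t * ctxt)
 {
     int ret;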
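Review bot: The switch from `memcpy` to `memmove` in char_buffer_read (`@@ -72,13 +72,13 @@`) is only meaningful if the caller's `in` can alias `buffer->value`, and nothing in the hunk records that, so the next maintainer will read it as a no-op and revert it; add `/* in may overlap buffer->value, so memmove rather than memcpy */` above the first call, or keep memcpy if no caller can overlap. In the second hunk HANDSHAKE_MAX_TRIES is raised tenfold with no note of what it bounds; since the NEWS entry attributes it to interrupted system calls, a comment such as `/* cap on handshake retries (e.g. after an interrupted call) before the connection is dropped; keep it finite */` makes clear that the value is a safety limit against a peer that never completes the handshake rather than a tunable. The loop that consumes the constant starts after the hunk, so I cannot confirm from here which return codes it retries on or whether it also sleeps between attempts.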