-rw-r--r-- | src/gnutls_io.c | 56 | ||||
-rw-r--r-- | src/mod_gnutls.c | 9 |
2 files changed, 33 insertions, 32 deletions
diff --git a/src/gnutls_io.c b/src/gnutls_io.c index 659effa..ec2d08c 100644 --- a/src/gnutls_io.c +++ b/src/gnutls_io.c | |||
@@ -224,14 +224,6 @@ static apr_status_t gnutls_io_input_read(mod_gnutls_handle_t * ctxt, | |||
224 | 224 | ||
225 | while (1) { | 225 | while (1) { |
226 | 226 | ||
227 | if (ctxt->status < 0) { | ||
228 | /* Ensure a non-zero error code is returned */ | ||
229 | if (ctxt->input_rc == APR_SUCCESS) { | ||
230 | ctxt->input_rc = APR_EGENERAL; | ||
231 | } | ||
232 | break; | ||
233 | } | ||
234 | |||
235 | rc = gnutls_record_recv(ctxt->session, buf + bytes, wanted - bytes); | 227 | rc = gnutls_record_recv(ctxt->session, buf + bytes, wanted - bytes); |
236 | 228 | ||
237 | if (rc > 0) { | 229 | if (rc > 0) { |
@@ -348,6 +340,7 @@ static void gnutls_do_handshake(mod_gnutls_handle_t * ctxt) | |||
348 | 340 | ||
349 | if (ctxt->status != 0) | 341 | if (ctxt->status != 0) |
350 | return; | 342 | return; |
343 | #if 0 | ||
351 | 344 | ||
352 | for (i = GNUTLS_HANDSHAKE_ATTEMPTS; i > 0; i--) { | 345 | for (i = GNUTLS_HANDSHAKE_ATTEMPTS; i > 0; i--) { |
353 | ret = gnutls_handshake(ctxt->session); | 346 | ret = gnutls_handshake(ctxt->session); |
@@ -364,14 +357,12 @@ static void gnutls_do_handshake(mod_gnutls_handle_t * ctxt) | |||
364 | gnutls_alert_get_name(ret)); | 357 | gnutls_alert_get_name(ret)); |
365 | } | 358 | } |
366 | 359 | ||
367 | if (gnutls_error_is_fatal(ret) != 0) { | 360 | gnutls_deinit(ctxt->session); |
368 | gnutls_deinit(ctxt->session); | 361 | ap_log_error(APLOG_MARK, APLOG_ERR, 0, ctxt->c->base_server, |
369 | ap_log_error(APLOG_MARK, APLOG_ERR, 0, ctxt->c->base_server, | ||
370 | "GnuTLS: Handshake Failed (%d) '%s'", ret, | 362 | "GnuTLS: Handshake Failed (%d) '%s'", ret, |
371 | gnutls_strerror(ret)); | 363 | gnutls_strerror(ret)); |
372 | ctxt->status = -1; | 364 | ctxt->status = -1; |
373 | return; | 365 | return; |
374 | } | ||
375 | } | 366 | } |
376 | else { | 367 | else { |
377 | ctxt->status = 1; | 368 | ctxt->status = 1; |
@@ -380,6 +371,30 @@ static void gnutls_do_handshake(mod_gnutls_handle_t * ctxt) | |||
380 | } | 371 | } |
381 | ctxt->status = -1; | 372 | ctxt->status = -1; |
382 | return; | 373 | return; |
374 | #else | ||
375 | ret = gnutls_handshake(ctxt->session); | ||
376 | if (ret < 0) { | ||
377 | if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED | ||
378 | || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { | ||
379 | ret = gnutls_alert_get(ctxt->session); | ||
380 | ap_log_error(APLOG_MARK, APLOG_ERR, 0, ctxt->c->base_server, | ||
381 | "GnuTLS: Hanshake Alert (%d) '%s'.\n", ret, | ||
382 | gnutls_alert_get_name(ret)); | ||
383 | } | ||
384 | |||
385 | gnutls_deinit(ctxt->session); | ||
386 | ap_log_error(APLOG_MARK, APLOG_ERR, 0, ctxt->c->base_server, | ||
387 | "GnuTLS: Handshake Failed (%d) '%s'", ret, | ||
388 | gnutls_strerror(ret)); | ||
389 | ctxt->status = -1; | ||
390 | return; | ||
391 | } | ||
392 | else { | ||
393 | ctxt->status = 1; | ||
394 | return; /* all done with the handshake */ | ||
395 | } | ||
396 | |||
397 | #endif | ||
383 | } | 398 | } |
384 | 399 | ||
385 | 400 | ||
@@ -404,7 +419,7 @@ apr_status_t mod_gnutls_filter_input(ap_filter_t * f, | |||
404 | } | 419 | } |
405 | 420 | ||
406 | if (ctxt->status < 0) { | 421 | if (ctxt->status < 0) { |
407 | return ap_get_brigade(f->next, bb, mode, block, readbytes); | 422 | // return ap_get_brigade(f->next, bb, mode, block, readbytes); |
408 | } | 423 | } |
409 | 424 | ||
410 | /* XXX: we don't currently support anything other than these modes. */ | 425 | /* XXX: we don't currently support anything other than these modes. */ |
@@ -643,19 +658,6 @@ ssize_t mod_gnutls_transport_write(gnutls_transport_ptr_t ptr, | |||
643 | { | 658 | { |
644 | mod_gnutls_handle_t *ctxt = ptr; | 659 | mod_gnutls_handle_t *ctxt = ptr; |
645 | 660 | ||
646 | if (!ctxt->output_length | ||
647 | && (len + ctxt->output_blen < sizeof(ctxt->output_buffer))) { | ||
648 | /* the first two SSL_writes (of 1024 and 261 bytes) | ||
649 | * need to be in the same packet (vec[0].iov_base) | ||
650 | */ | ||
651 | /* XXX: could use apr_brigade_write() to make code look cleaner | ||
652 | * but this way we avoid the malloc(APR_BUCKET_BUFF_SIZE) | ||
653 | * and free() of it later | ||
654 | */ | ||
655 | memcpy(&ctxt->output_buffer[ctxt->output_blen], buffer, len); | ||
656 | ctxt->output_blen += len; | ||
657 | } | ||
658 | else { | ||
659 | /* pass along the encrypted data | 661 | /* pass along the encrypted data |
660 | * need to flush since we're using SSL's malloc-ed buffer | 662 | * need to flush since we're using SSL's malloc-ed buffer |
661 | * which will be overwritten once we leave here | 663 | * which will be overwritten once we leave here |
@@ -670,7 +672,5 @@ ssize_t mod_gnutls_transport_write(gnutls_transport_ptr_t ptr, | |||
670 | if (write_flush(ctxt) < 0) { | 672 | if (write_flush(ctxt) < 0) { |
671 | return -1; | 673 | return -1; |
672 | } | 674 | } |
673 | } | ||
674 | |||
675 | return len; | 675 | return len; |
676 | } | 676 | } |
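Review bot: The emptied `if (ctxt->status < 0) { }` in mod_gnutls_filter_input (return commented out with `//`) now falls through into the read path after a failed handshake, and the first hunk removes the matching `status < 0` break from gnutls_io_input_read, so gnutls_record_recv appears reachable on a session that gnutls_do_handshake has already handed to gnutls_deinit. Dropping the old cleartext pass-through to f->next is the right direction, but the branch should fail the read instead, `if (ctxt->status < 0) { return APR_EGENERAL; }`, and `ctxt->session = NULL;` after the gnutls_deinit in the handshake error path would make any remaining use fail loudly rather than touch freed memory. In the new handshake block `ret` is overwritten with the alert number before gnutls_strerror(ret) formats the "Handshake Failed" message, so the logged text describes the alert code rather than the gnutls error; keep the handshake return value in a separate variable. That same message reads "Hanshake" and ends in "\n", which ap_log_error adds itself, and the `#if 0` retry loop is dead code that should be deleted rather than kept. All three functions touched here begin or end outside the shown hunks.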
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c index d4f1f16..9cccb03 100644 --- a/src/mod_gnutls.c +++ b/src/mod_gnutls.c | |||
@@ -149,7 +149,7 @@ static mod_gnutls_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c) | |||
149 | 149 | ||
150 | gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE); | 150 | gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE); |
151 | 151 | ||
152 | // gnutls_dh_set_prime_bits(ctxt->session, DH_BITS); | 152 | gnutls_dh_set_prime_bits(ctxt->session, DH_BITS); |
153 | 153 | ||
154 | return ctxt; | 154 | return ctxt; |
155 | } | 155 | } |
@@ -188,7 +188,7 @@ static const char *gnutls_set_cert_file(cmd_parms * parms, void *dummy, | |||
188 | (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server-> | 188 | (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server-> |
189 | module_config, | 189 | module_config, |
190 | &gnutls_module); | 190 | &gnutls_module); |
191 | sc->cert_file = apr_pstrdup(parms->pool, arg); | 191 | sc->cert_file = ap_server_root_relative(parms->pool, arg); |
192 | return NULL; | 192 | return NULL; |
193 | } | 193 | } |
194 | 194 | ||
@@ -199,7 +199,7 @@ static const char *gnutls_set_key_file(cmd_parms * parms, void *dummy, | |||
199 | (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server-> | 199 | (mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server-> |
200 | module_config, | 200 | module_config, |
201 | &gnutls_module); | 201 | &gnutls_module); |
202 | sc->key_file = apr_pstrdup(parms->pool, arg); | 202 | sc->key_file = ap_server_root_relative(parms->pool, arg); |
203 | return NULL; | 203 | return NULL; |
204 | } | 204 | } |
205 | 205 | ||
@@ -291,9 +291,10 @@ static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s) | |||
291 | sc->ciphers[i] = 0; | 291 | sc->ciphers[i] = 0; |
292 | 292 | ||
293 | i = 0; | 293 | i = 0; |
294 | sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS; | ||
294 | sc->key_exchange[i++] = GNUTLS_KX_RSA; | 295 | sc->key_exchange[i++] = GNUTLS_KX_RSA; |
295 | sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT; | ||
296 | sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA; | 296 | sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA; |
297 | sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT; | ||
297 | sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS; | 298 | sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS; |
298 | sc->key_exchange[i] = 0; | 299 | sc->key_exchange[i] = 0; |
299 | 300 | ||
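Review bot: `ap_server_root_relative` can return NULL when the argument cannot be expressed relative to the server root, and the new assignments in gnutls_set_cert_file and gnutls_set_key_file store that result unchecked, so a bad directive argument silently leaves `sc->cert_file` or `sc->key_file` NULL until the credentials are loaded. Directive handlers report this by returning a message: `if (sc->cert_file == NULL) return apr_pstrcat(parms->pool, "Invalid path in ", parms->cmd->name, ": ", arg, NULL);` and the same check for key_file. In gnutls_config_server_create the reordered defaults still list GNUTLS_KX_RSA_EXPORT and rank plain RSA ahead of DHE_RSA, so export-grade key exchange stays enabled and forward-secret suites are not preferred; consider dropping RSA_EXPORT from the defaults. The re-enabled `gnutls_dh_set_prime_bits(ctxt->session, DH_BITS)` only declares a prime size, and I cannot see from this diff whether DH parameters are generated and attached to the credentials (gnutls_certificate_set_dh_params), which the DHE entries need to be usable.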