Diffstat (limited to 'src')
-rw-r--r--src/mod_gnutls.c169
1 files changed, 114 insertions, 55 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index e9ad89c..e696ec6 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -49,7 +49,6 @@ typedef struct {
49 char *key_file; 49 char *key_file;
50 char *cert_file; 50 char *cert_file;
51 int enabled; 51 int enabled;
52 int non_https;
53 int ciphers[16]; 52 int ciphers[16];
54 int key_exchange[16]; 53 int key_exchange[16];
55 int macs[16]; 54 int macs[16];
@@ -62,14 +61,13 @@ struct gnutls_handle_t
62{ 61{
63 gnutls_srvconf_rec *sc; 62 gnutls_srvconf_rec *sc;
64 gnutls_session_t session; 63 gnutls_session_t session;
65#ifdef GNUTLS_AS_FILTER
66 ap_filter_t *input_filter; 64 ap_filter_t *input_filter;
67 apr_bucket_brigade *input_bb; 65 apr_bucket_brigade *input_bb;
68 apr_read_type_e input_block; 66 apr_read_type_e input_block;
69#endif 67 int status;
68 int non_https;
70}; 69};
71 70
72#ifdef GNUTLS_AS_FILTER
73static apr_status_t gnutls_filter_input(ap_filter_t * f, 71static apr_status_t gnutls_filter_input(ap_filter_t * f,
74 apr_bucket_brigade * bb, 72 apr_bucket_brigade * bb,
72008-10-01
|
* updated README file to account for openpgp keys --patch by Jack BatesGravatar Nikos Mavrogiannopoulos 2008-10-01
|
* use memmove instead of memcpy because buffers might overlap. Gravatar Nikos Mavrogiannopoulos 2008-09-14
|
* added check for invalid contextGravatar Nikos Mavrogiannopoulos 2008-09-14
|
* depend on main libgnutls library (and gnutls 2.4.x)Gravatar Nikos Mavrogiannopoulos 2008-06-29
|
* send database store failure as DEBUGGravatar Nikos Mavrogiannopoulos 2008-03-05
|
* corrected SRP enable flag, and corrected the DBM hook support. It now free ↵Gravatar Nikos Mavrogiannopoulos 2008-03-03
| | | | data needed by some DBM providers.
* added option to disable srp (for distributions that disable it in gnutls)Gravatar Nikos Mavrogiannopoulos 2008-02-20
|
* prepare for an alpha releaseGravatar Nikos Mavrogiannopoulos 2008-01-24
|
* (no commit message)Gravatar Nikos Mavrogiannopoulos 2007-12-16
|
* more changes for openpgp support. Seems to be at a workable state.Gravatar Nikos Mavrogiannopoulos 2007-12-16
|
* print error if preconfiguration failsGravatar Nikos Mavrogiannopoulos 2007-12-15
|
* Initial support for openpgp keysGravatar Nikos Mavrogiannopoulos 2007-12-15
|
* (no commit message)Gravatar Nikos Mavrogiannopoulos 2007-12-10
|
* (no commit message)Gravatar Nikos Mavrogiannopoulos 2007-12-10
|
* (no commit message)Gravatar Nikos Mavrogiannopoulos 2007-12-09
|
* Do not allow resuming sessions on different servers.Gravatar Nikos Mavrogiannopoulos 2007-12-09
|
* Corrected bug which did not allow the TLS session cache to be used.Gravatar Nikos Mavrogiannopoulos 2007-12-09
|
* Added support for sending more than one certificate.Gravatar Nikos Mavrogiannopoulos 2007-12-08
|
* added more error checks.Gravatar Nikos Mavrogiannopoulos 2007-12-03
|
* better handling of RSAFile and DHFileGravatar Nikos Mavrogiannopoulos 2007-12-03
|
* report the missing GnuTLSPriorities for the gnutls enabled hosts only.Gravatar Nikos Mavrogiannopoulos 2007-12-02
|
* No more defaults for dhparams, rsaparams. Check for GnuTLSPriorities.Gravatar Nikos Mavrogiannopoulos 2007-12-02
|
* The compatibility mode can now be enabled only using the GnuTLSPriorities ↵Gravatar Nikos Mavrogiannopoulos 2007-12-02
| | | | string.
* (no commit message)Gravatar Nikos Mavrogiannopoulos 2007-12-02
|
* added SSL_SERVER/CLIENT_S_TYPEGravatar Nikos Mavrogiannopoulos 2007-12-02
|
* export the alternative names of the certificateGravatar Nikos Mavrogiannopoulos 2007-12-02
|
* added SSL_SERVER_M_SERIAL environment variableGravatar Nikos Mavrogiannopoulos 2007-12-02
|
* more fixes for subject alternative name.Gravatar Nikos Mavrogiannopoulos 2007-12-02
|
* some fixes in alternative name supportGravatar Nikos Mavrogiannopoulos 2007-12-02
|
* Added support for subject alternative names. (untested)Gravatar Nikos Mavrogiannopoulos 2007-12-01
|
* upgraded to 0.4.0Gravatar Nikos Mavrogiannopoulos 2007-11-28
|
* Put a limit on the number of times we try to handshake.Gravatar Paul Querna 2005-09-25
|
* start the CA Certificate code.Gravatar Paul Querna 2005-05-24
|
* - add lua to do client verificationGravatar Paul Querna 2005-05-17
| | | | | - only use gcrypt locking when required to
* Refactor finding the correct server record to fix resumed sessions.0.2.00.2.xGravatar Paul Querna 2005-04-25
|
* apr_table_setn doesn't copy the data. oops.Gravatar Paul Querna 2005-04-24
|
* We already have a Certificate, use it directly. With SNI, GnuTLS doesn't ↵Gravatar Paul Querna 2005-04-24
| | | | properly update it's internal state. ick.
='/httpd/mod_gnutls/tree/src/mod_gnutls.c?id=6a8a8396ceed9fb87a6586ebcb144b5f4b62a39a#n110'>110 == APR_SUCCESS) { 162 gnutls_bye(ctxt->session, GNUTLS_SHUT_WR); 111 /* more data */ 163 164 if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) { 165 return status; 166 } 167 break; 168 } 169 else { 170 /* filter output */ 171 const char *data; 172 apr_size_t len; 173 174 status = apr_bucket_read(bucket, &data, &len, rblock); 175 176 if (APR_STATUS_IS_EAGAIN(status)) { 177 rblock = APR_BLOCK_READ; 178 continue; /* and try again with a blocking read. */ 179 } 180 181 rblock = APR_NONBLOCK_READ; 182 183 if (!APR_STATUS_IS_EOF(status) && (status != APR_SUCCESS)) { 184 break; 185 } 186 187 ret = gnutls_record_send(ctxt->session, data, len); 188 status = ssl_filter_write(f, data, len); 189 if(ret < 0) { 190 /* error sending output */ 191 } 192 else if ((apr_size_t)res != len) { 193 /* not all of the data was sent. */ 194 /* mod_ssl basicly errors out here.. this doesn't seem right? */ 195 } 196 else { 197 /* send complete */ 198 199 } 200 201 apr_bucket_delete(bucket); 202 203 if (status != APR_SUCCESS) { 204 break; 205 } 206 112 } 207 } 113 } 208 } 114 209 115 return status; 210 return status; 116} 211} 117 212 118#endif /* GNUTLS_AS_FILTER */ 119 120static apr_status_t gnutls_cleanup_pre_config(void *data) 213static apr_status_t gnutls_cleanup_pre_config(void *data) 121{ 214{ 122 gnutls_global_deinit(); 215 gnutls_global_deinit();@@ -206,7 +299,6 @@ static apr_port_t gnutls_hook_default_port(const request_rec * r) 206 return 443; 299 return 443; 207} 300} 208 301 209#ifdef GNUTLS_AS_FILTER 210/** 302/** 211 * From mod_ssl / ssl_engine_io.c 303 * From mod_ssl / ssl_engine_io.c 212 * This function will read from a brigade and discard the read buckets as it 304 * This function will read from a brigade and discard the read buckets as it@@ -345,14 +437,9 @@ static ssize_t gnutls_transport_write(gnutls_transport_ptr_t ptr, 345 //APR_BRIGADE_INSERT_TAIL(outctx->bb, 
bucket); 437 //APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket); 346 return 0; 438 return 0; 347} 439} 348#endif /* GNUTLS_AS_FILTER */ 349 440 350static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 441static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 351{ 442{ 352#ifndef GNUTLS_AS_FILTER 353 int cfd; 354 int ret; 355#endif 356 gnutls_handle_t *ctxt; 443 gnutls_handle_t *ctxt; 357 gnutls_srvconf_rec *sc = 444 gnutls_srvconf_rec *sc = 358 (gnutls_srvconf_rec *) ap_get_module_config(c->base_server-> 445 (gnutls_srvconf_rec *) ap_get_module_config(c->base_server->@@ -366,6 +453,7 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 366 ctxt = apr_pcalloc(c->pool, sizeof(*ctxt)); 453 ctxt = apr_pcalloc(c->pool, sizeof(*ctxt)); 367 454 368 ctxt->sc = sc; 455 ctxt->sc = sc; 456 ctxt->status = 0; 369 gnutls_init(&ctxt->session, GNUTLS_SERVER); 457 gnutls_init(&ctxt->session, GNUTLS_SERVER); 370 458 371 gnutls_cipher_set_priority(ctxt->session, sc->ciphers); 459 gnutls_cipher_set_priority(ctxt->session, sc->ciphers);@@ -375,6 +463,10 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 375 gnutls_mac_set_priority(ctxt->session, sc->macs); 463 gnutls_mac_set_priority(ctxt->session, sc->macs); 376 464 377 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs); 465 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs); 466// if(anon) { 467// gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, sc->anoncred); 468// } 469 378 gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE); 470 gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE); 379 471 380// gnutls_dh_set_prime_bits(ctxt->session, DH_BITS); 472// gnutls_dh_set_prime_bits(ctxt->session, DH_BITS);@@ -382,43 +474,12 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 382 474 383 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 475 ap_set_module_config(c->conn_config, 
&gnutls_module, ctxt); 384 476 385#ifdef GNUTLS_AS_FILTER 386 gnutls_transport_set_pull_function(ctxt->session, gnutls_transport_read); 477 gnutls_transport_set_pull_function(ctxt->session, gnutls_transport_read); 387 gnutls_transport_set_push_function(ctxt->session, gnutls_transport_write); 478 gnutls_transport_set_push_function(ctxt->session, gnutls_transport_write); 388 gnutls_transport_set_ptr(ctxt->session, ctxt); 479 gnutls_transport_set_ptr(ctxt->session, ctxt); 389 390 ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c); 480 ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c); 391 ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c); 481 ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c); 392#else 393 apr_os_sock_get(&cfd, csd); 394 gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd); 395 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, sc->anoncred); 396 482 397 do{ 398 ret = gnutls_handshake(ctxt->session); 399 400 if(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN){ 401 continue; 402 } 403 404 if (ret < 0) { 405 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { 406 ret = gnutls_alert_get(ctxt->session); 407 ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, 408 "GnuTLS: Hanshake Alert (%d) '%s'.\n", ret, gnutls_alert_get_name(ret)); 409 } 410 411 if (gnutls_error_is_fatal(ret) != 0) { 412 gnutls_deinit(ctxt->session); 413 ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, 414 "GnuTLS: Handshake Failed (%d) '%s'",ret, gnutls_strerror(ret)); 415 sc->non_https = 1; 416 break; 417 } 418 } 419 break; /* all done with the handshake */ 420 } while(1); 421#endif 422 return OK; 483 return OK; 423} 484} 424 485@@ -501,12 +562,10 @@ static void gnutls_hooks(apr_pool_t * p) 501 /* ap_register_output_filter ("UPGRADE_FILTER", 562 /* ap_register_output_filter ("UPGRADE_FILTER", 502 * ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); 563 * 
ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); 503 */ 564 */ 504#ifdef GNUTLS_AS_FILTER 505 ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input, 565 ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input, 506 NULL, AP_FTYPE_CONNECTION + 5); 566 NULL, AP_FTYPE_CONNECTION + 5); 507 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output, 567 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output, 508 NULL, AP_FTYPE_CONNECTION + 5); 568 NULL, AP_FTYPE_CONNECTION + 5); 509#endif 510} 569} 511 570 512static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s) 571static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s)
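Review bot: In the added output path (new lines 187-205) a failed or short `gnutls_record_send()` is silently dropped: the `ret < 0` branch and the `res != len` branch are both empty, `apr_bucket_delete(bucket)` runs regardless, and the loop only stops on the `status` returned by `ssl_filter_write()`, so application data can be lost without the caller ever seeing an error; the length comparison also reads `res` while the send result lives in `ret`. I would make both cases fatal before the bucket is deleted, e.g. `if (ret < 0 || (apr_size_t)ret != len) { status = APR_EGENERAL; break; }`, and log the GnuTLS reason with `gnutls_strerror(ret)` the way the removed handshake code did. The same `data`/`len` is handed to `ssl_filter_write()` immediately after `gnutls_record_send()`; if that helper forwards the buffer to the next filter, the cleartext would leave the connection alongside the TLS record, so please confirm that it only flushes the encrypted bytes collected by `gnutls_transport_write()` — its body is not in this view. The hunk header and the start of this output filter function lie outside the visible span.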