aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/Makefile.am2
-rw-r--r--src/mod_gnutls.c204
2 files changed, 156 insertions, 50 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 7a4903a..00ef272 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -2,7 +2,7 @@ CLEANFILES = .libs/libmod_gnutls *~
2 2
3libmod_gnutls_la_SOURCES = mod_gnutls.c 3libmod_gnutls_la_SOURCES = mod_gnutls.c
4libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS} 4libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
5libmod_gnutls_la_LDFLAGS = 5libmod_gnutls_la_LDFLAGS = ${MODULE_LIBS}
6 6
7lib_LTLIBRARIES = libmod_gnutls.la 7lib_LTLIBRARIES = libmod_gnutls.la
Edward Rudd 2004-04-30
* updated cvsignore files (from svn:ignore)Gravatar Edward Rudd 2004-04-29
* update svn:ignoreGravatar Edward Rudd 2004-04-29
* win32 fixes for apache 1.3Gravatar Edward Rudd 2004-04-29
* added Sleep for win32 on apache 1.3Gravatar Edward Rudd 2004-04-29
* fixed signal macrosGravatar Edward Rudd 2004-04-29
* win32 updates and build scriptGravatar Edward Rudd 2004-04-29
* updated eol:style added winconfig.hGravatar Edward Rudd 2004-04-29
* moved m4 files to separate repositoryGravatar Edward Rudd 2004-04-29
* lowered minimum apache version to 2.0.40Gravatar Edward Rudd 2004-04-29
* fixed documentation about LOgSQLloginInfoGravatar Edward Rudd 2004-04-29
* Changed mimetype to text/xmlGravatar Edward Rudd 2004-04-17
* beginnings of postgresql driver integrated into autoconfGravatar Edward Rudd 2004-04-17
* copied mysql driver to mod_log_sql_pgsql.c to start on PostgreSQL driverGravatar Edward Rudd 2004-04-10
* Made to work under Apache 1.3 again1.97Gravatar Edward Rudd 2004-04-09
* added TODO, include13, and include20 to ignore listGravatar Edward Rudd 2004-04-08
* Added registration function for database driversGravatar Edward Rudd 2004-04-07
* Updated to new logging function with apaceh 2 prototype instead of 1.3 so i c...Gravatar Edward Rudd 2004-04-04
* Added gen_todo.pl to extract TODO items from source code.Gravatar Edward Rudd 2004-04-03
* Added alternat loginInfo form.. driver://user;passwd@host:port/databasenameGravatar Edward Rudd 2004-04-02
* Fixed issue with different include directories for APR and APU.Gravatar Edward Rudd 2004-03-22
* updated release date1.96Gravatar Edward Rudd 2004-03-05
* updated Documentation READMEGravatar Edward Rudd 2004-03-05
* removed make_combined_log.pl as it's in the contrib subdirGravatar Edward Rudd 2004-03-05
* updated compatability header for Apache 1.3Gravatar Edward Rudd 2004-03-05
* removed all #ifdef DEBUGGravatar Edward Rudd 2004-03-04
* complete DB separation from core module code.Gravatar Edward Rudd 2004-03-04
* Documentation conversion completeGravatar Edward Rudd 2004-03-03
* mysql code separation complete..Gravatar Edward Rudd 2004-03-02
* separated out most mysql specific code to mod_log_sql_mysql.cGravatar Edward Rudd 2004-02-29
* Fixed version and help flags so they work.Gravatar Edward Rudd 2004-02-21
* Added mysql_import_combined_log.pl to distribution with permission from Aaron...Gravatar Edward Rudd 2004-02-12
* Updated help and added check and error to make sure the user edited the file ...Gravatar Edward Rudd 2004-02-12
* Updated Author information in file.Gravatar Edward Rudd 2004-02-12
* moved create_tables.sql and make_combined_log.pl into contrib directory.Gravatar Edward Rudd 2004-02-12
* Split Changelog and TODO to separate files.Gravatar Edward Rudd 2004-02-12
* Fixed preserve_file configuration parameter.Gravatar Edward Rudd 2004-02-12
* Cleaned up changelogGravatar Edward Rudd 2004-02-12
generated by cgit (git 2.34.1) at 2026-01-31 14:19:12 +0000
od_gnutls.c?id=16068f4173883029a5b0aac7540fedcfd9e81940#n107'>107 117 118#endif /* GNUTLS_AS_FILTER */ 119 108static apr_status_t gnutls_cleanup_pre_config(void *data) 120static apr_status_t gnutls_cleanup_pre_config(void *data) 109{ 121{ 110 gnutls_global_deinit(); 122 gnutls_global_deinit();@@ -134,48 +146,44 @@ static int gnutls_hook_post_config(apr_pool_t * p, apr_pool_t * plog, 134 apr_pool_t * ptemp, 146 apr_pool_t * ptemp, 135 server_rec * base_server) 147 server_rec * base_server) 136{ 148{ 137 gnutls_srvconf_t *sc; 149 gnutls_srvconf_rec *sc; 138 server_rec *s; 150 server_rec *s; 139 gnutls_dh_params_t dh_params; 151 gnutls_dh_params_t dh_params; 140 gnutls_rsa_params_t rsa_params; 152 gnutls_rsa_params_t rsa_params; 141 153 142 154 143 /* TODO: Should we regenerate these after X requests / X time ? */ 155 /* TODO: Should we regenerate these after X requests / X time ? */ 144 gnutls_dh_params_init(&dh_params); 156// gnutls_dh_params_init(&dh_params); 145 gnutls_dh_params_generate2(dh_params, DH_BITS); 157// gnutls_dh_params_generate2(dh_params, DH_BITS); 146 gnutls_rsa_params_init(&rsa_params); 158// gnutls_rsa_params_init(&rsa_params); 147 gnutls_rsa_params_generate2(rsa_params, RSA_BITS); 159// gnutls_rsa_params_generate2(rsa_params, RSA_BITS); 148 160 149 for (s = base_server; s; s = s->next) { 161 for (s = base_server; s; s = s->next) { 150 sc = (gnutls_srvconf_t *) ap_get_module_config(s->module_config, 162 sc = (gnutls_srvconf_rec *) ap_get_module_config(s->module_config, 151 &gnutls_module); 163 &gnutls_module); 152 if (sc->cert_file != NULL && sc->key_file != NULL) { 164 if (sc->cert_file != NULL && sc->key_file != NULL) { 153 gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file, 165 gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file, 154 sc->key_file, 166 sc->key_file, 155 GNUTLS_X509_FMT_PEM); 167 GNUTLS_X509_FMT_PEM); 168// gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params); 169// gnutls_certificate_set_dh_params(sc->certs, dh_params); 156 } 170 } 157 else { 171 else if(sc->enabled == GNUTLS_ENABLED_TRUE ){ 158 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 172 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 159 "[GnuTLS] - Host '%s' is missing a Cert and Key File!", 173 "[GnuTLS] - Host '%s:%d' is missing a Cert and Key File!", 160 s->server_hostname); 174 s->server_hostname, s->port); 161 } 175 } 162 163 /** 164 * TODO: Is it okay for all virtual hosts to 165 * share the same DH/RSAparams? 166 */ 167 gnutls_certificate_set_dh_params(sc->certs, dh_params); 168 gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params); 169 } 176 } 170 177 178 171 ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION); 179 ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION); 172 return OK; 180 return OK; 173} 181} 174 182 175static const char *gnutls_hook_http_method(const request_rec * r) 183static const char *gnutls_hook_http_method(const request_rec * r) 176{ 184{ 177 gnutls_srvconf_t *sc = 185 gnutls_srvconf_rec *sc = 178 (gnutls_srvconf_t *) ap_get_module_config(r->server->module_config, 186 (gnutls_srvconf_rec *) ap_get_module_config(r->server->module_config, 179 &gnutls_module); 187 &gnutls_module); 180 188 181 if (sc->enabled == GNUTLS_ENABLED_FALSE) { 189 if (sc->enabled == GNUTLS_ENABLED_FALSE) {@@ -187,8 +195,8 @@ static const char *gnutls_hook_http_method(const request_rec * r) 187 195 188static apr_port_t gnutls_hook_default_port(const request_rec * r) 196static apr_port_t gnutls_hook_default_port(const request_rec * r) 189{ 197{ 190 gnutls_srvconf_t *sc = 198 gnutls_srvconf_rec *sc = 191 (gnutls_srvconf_t *) ap_get_module_config(r->server->module_config, 199 (gnutls_srvconf_rec *) ap_get_module_config(r->server->module_config, 192 &gnutls_module); 200 &gnutls_module); 193 201 194 if (sc->enabled == GNUTLS_ENABLED_FALSE) { 202 if (sc->enabled == GNUTLS_ENABLED_FALSE) {@@ -198,6 +206,7 @@ static apr_port_t gnutls_hook_default_port(const request_rec * r) 198 return 443; 206 return 443; 199} 207} 200 208 209#ifdef GNUTLS_AS_FILTER 201/** 210/** 202 * From mod_ssl / ssl_engine_io.c 211 * From mod_ssl / ssl_engine_io.c 203 * This function will read from a brigade and discard the read buckets as it 212 * This function will read from a brigade and discard the read buckets as it@@ -336,15 +345,17 @@ static ssize_t gnutls_transport_write(gnutls_transport_ptr_t ptr, 336 //APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket); 345 //APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket); 337 return 0; 346 return 0; 338} 347} 348#endif /* GNUTLS_AS_FILTER */ 339 349 340static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 350static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 341{ 351{ 342#ifndef GNUTLS_AS_FILTER 352#ifndef GNUTLS_AS_FILTER 343 int cfd; 353 int cfd; 354 int ret; 344#endif 355#endif 345 gnutls_handle_t *ctxt; 356 gnutls_handle_t *ctxt; 346 gnutls_srvconf_t *sc = 357 gnutls_srvconf_rec *sc = 347 (gnutls_srvconf_t *) ap_get_module_config(c->base_server-> 358 (gnutls_srvconf_rec *) ap_get_module_config(c->base_server-> 348 module_config, 359 module_config, 349 &gnutls_module); 360 &gnutls_module); 350 361@@ -357,13 +368,17 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 357 ctxt->sc = sc; 368 ctxt->sc = sc; 358 gnutls_init(&ctxt->session, GNUTLS_SERVER); 369 gnutls_init(&ctxt->session, GNUTLS_SERVER); 359 370 360 gnutls_set_default_priority(ctxt->session); 371 gnutls_cipher_set_priority(ctxt->session, sc->ciphers); 372 gnutls_compression_set_priority(ctxt->session, sc->compression); 373 gnutls_kx_set_priority(ctxt->session, sc->key_exchange); 374 gnutls_protocol_set_priority(ctxt->session, sc->protocol); 375 gnutls_mac_set_priority(ctxt->session, sc->macs); 361 376 362 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs); 377 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs); 378 gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE); 363 379 364 gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_REQUEST); 380// gnutls_dh_set_prime_bits(ctxt->session, DH_BITS); 365 381 366 gnutls_dh_set_prime_bits(ctxt->session, DH_BITS); 367 382 368 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 383 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 369 384@@ -377,41 +392,97 @@ static int gnutls_hook_pre_connection(conn_rec * c, void *csd) 377#else 392#else 378 apr_os_sock_get(&cfd, csd); 393 apr_os_sock_get(&cfd, csd); 379 gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd); 394 gnutls_transport_set_ptr(ctxt->session, (gnutls_transport_ptr)cfd); 395 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, sc->anoncred); 396 397 do{ 398 ret = gnutls_handshake(ctxt->session); 399 400 if(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN){ 401 continue; 402 } 403 404 if (ret < 0) { 405 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) { 406 ret = gnutls_alert_get(ctxt->session); 407 ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, 408 "GnuTLS: Hanshake Alert (%d) '%s'.\n", ret, gnutls_alert_get_name(ret)); 409 } 410 411 if (gnutls_error_is_fatal(ret) != 0) { 412 gnutls_deinit(ctxt->session); 413 ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, 414 "GnuTLS: Handshake Failed (%d) '%s'",ret, gnutls_strerror(ret)); 415 sc->non_https = 1; 416 break; 417 } 418 } 419 break; /* all done with the handshake */ 420 } while(1); 380#endif 421#endif 381 return OK; 422 return OK; 382} 423} 383 424 384static const char *gnutls_set_ca_file(cmd_parms * parms, void *dummy, 425static const char *gnutls_set_cert_file(cmd_parms * parms, void *dummy, 385 const char *arg) 426 const char *arg) 386{ 427{ 387 gnutls_srvconf_t *sc = 428 gnutls_srvconf_rec *sc = 388 (gnutls_srvconf_t *) ap_get_module_config(parms->server-> 429 (gnutls_srvconf_rec *) ap_get_module_config(parms->server-> 389 module_config, 430 module_config, 390 &gnutls_module); 431 &gnutls_module); 391/* TODO: CRL, CAFile */ 432 sc->cert_file = apr_pstrdup(parms->pool, arg); 392// gnutls_certificate_set_x509_trust_file(sc->certs, CAFILE, 433 return NULL; 393// GNUTLS_X509_FMT_PEM); 434} 435 436static const char *gnutls_set_key_file(cmd_parms * parms, void *dummy, 437 const char *arg) 438{ 439 gnutls_srvconf_rec *sc = 440 (gnutls_srvconf_rec *) ap_get_module_config(parms->server-> 441 module_config, 442 &gnutls_module); 443 sc->key_file = apr_pstrdup(parms->pool, arg); 444 return NULL; 445} 446 447static const char *gnutls_set_enabled(cmd_parms * parms, void *dummy, 448 const char *arg) 449{ 450 gnutls_srvconf_rec *sc = 451 (gnutls_srvconf_rec *) ap_get_module_config(parms->server-> 452 module_config, 453 &gnutls_module); 454 if (!strcasecmp(arg, "On")) { 455 sc->enabled = GNUTLS_ENABLED_TRUE; 456 } 457 else if (!strcasecmp(arg, "Off")) { 458 sc->enabled = GNUTLS_ENABLED_FALSE; 459 } 460 else { 461 return "GnuTLSEnable must be set to 'On' or 'Off'"; 462 } 463 394 return NULL; 464 return NULL; 395} 465} 396 466 397static const command_rec gnutls_cmds[] = { 467static const command_rec gnutls_cmds[] = { 398 AP_INIT_FLAG("GnuTLSEnable", ap_set_flag_slot, 468 AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file, 399 (void *) APR_OFFSETOF(gnutls_srvconf_t, enabled), RSRC_CONF, 469 NULL, 400 "Whether this server has GnuTLS Enabled. Default: Off"), 401 AP_INIT_TAKE1("GnuTLSCertificateFile", ap_set_string_slot, 402 (void *) APR_OFFSETOF(gnutls_srvconf_t, cert_file), 403 RSRC_CONF, 470 RSRC_CONF, 404 "SSL Server Key file"), 471 "SSL Server Key file"), 405 AP_INIT_TAKE1("GnuTLSKeyFile", ap_set_string_slot, 472 AP_INIT_TAKE1("GnuTLSKeyFile", gnutls_set_key_file, 406 (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file), 473 NULL, 407 RSRC_CONF, 474 RSRC_CONF, 408 "SSL Server Certificate file"), 475 "SSL Server Certificate file"), 476 AP_INIT_TAKE1("GnuTLSEnable", gnutls_set_enabled, 477 NULL, RSRC_CONF, 478 "Whether this server has GnuTLS Enabled. Default: Off"), 479 409 {NULL} 480 {NULL} 410}; 481}; 411 482 412/* TODO: CACertificateFile & Client Authentication 483/* TODO: CACertificateFile & Client Authentication 413 * AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot, 484 * AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot, 414 * (void *) APR_OFFSETOF(gnutls_srvconf_t, key_file), NULL, 485 * (void *) APR_OFFSETOF(gnutls_srvconf_rec, key_file), NULL, 415 * RSRC_CONF, 486 * RSRC_CONF, 416 * "CA"), 487 * "CA"), 417 */ 488 */@@ -430,24 +501,59 @@ static void gnutls_hooks(apr_pool_t * p) 430 /* ap_register_output_filter ("UPGRADE_FILTER", 501 /* ap_register_output_filter ("UPGRADE_FILTER", 431 * ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); 502 * ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); 432 */ 503 */ 433 504#ifdef GNUTLS_AS_FILTER 434 ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input, 505 ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, gnutls_filter_input, 435 NULL, AP_FTYPE_CONNECTION + 5); 506 NULL, AP_FTYPE_CONNECTION + 5); 436 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output, 507 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, gnutls_filter_output, 437 NULL, AP_FTYPE_CONNECTION + 5); 508 NULL, AP_FTYPE_CONNECTION + 5); 438 509#endif 439} 510} 440 511 441static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s) 512static void *gnutls_config_server_create(apr_pool_t * p, server_rec * s) 442{ 513{ 443 gnutls_srvconf_t *sc = apr_pcalloc(p, sizeof *sc); 514 int i; 515 gnutls_srvconf_rec *sc = apr_pcalloc(p, sizeof(*sc)); 444 516 445 sc->enabled = GNUTLS_ENABLED_FALSE; 517 sc->enabled = GNUTLS_ENABLED_FALSE; 518 sc->non_https = 0; 446 519 447 gnutls_certificate_allocate_credentials(&sc->certs); 520 gnutls_certificate_allocate_credentials(&sc->certs); 448 521 gnutls_anon_allocate_server_credentials(&sc->anoncred); 449 sc->key_file = NULL; 522 sc->key_file = NULL; 450 sc->cert_file = NULL; 523 sc->cert_file = NULL; 524 525 i = 0; 526 sc->ciphers[i++] = GNUTLS_CIPHER_RIJNDAEL_128_CBC; 527 sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128; 528 sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC; 529 sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40; 530 sc->ciphers[i] = 0; 531 532 i = 0; 533 sc->key_exchange[i++] = GNUTLS_KX_RSA; 534 sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT; 535 sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA; 536 sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS; 537 sc->key_exchange[i] = 0; 538 539 i = 0; 540 sc->macs[i++] = GNUTLS_MAC_MD5; 541 sc->macs[i++] = GNUTLS_MAC_SHA; 542 sc->macs[i++] = GNUTLS_MAC_RMD160; 543 sc->macs[i] = 0; 544 545 i = 0; 546 sc->protocol[i++] = GNUTLS_TLS1_1; 547 sc->protocol[i++] = GNUTLS_TLS1; 548 sc->protocol[i++] = GNUTLS_SSL3; 549 sc->protocol[i] = 0; 550 551 i = 0; 552 sc->compression[i++] = GNUTLS_COMP_NULL; 553 sc->compression[i++] = GNUTLS_COMP_ZLIB; 554 sc->compression[i++] = GNUTLS_COMP_LZO; 555 sc->compression[i] = 0; 556 451 return sc; 557 return sc; 452} 558} 453 559
generated by cgit (git 2.34.1) at 2026-01-31 14:19:11 +0000