Context Navigation

gnutls_io.c @ 265eafc

Visit:

debian/masterdebian/stretch-backportsjessie-backportsupstream

Last change on this file since 265eafc was 265eafc, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

gnutls_io.c: Log connection start/end and unusual input filter events

This helps keeping track of connection status while debugging, but would
create far too much data in production, so log only at level "debug".

Property mode set to 100644

File size: 25.1 KB

Rev	Line
[fcb122d]	1	/**
	2	* Copyright 2004-2005 Paul Querna
[e183628]	3	* Copyright 2008 Nikos Mavrogiannopoulos
	4	* Copyright 2011 Dash Shendy
[7e2b223]	5	*
	6	* Licensed under the Apache License, Version 2.0 (the "License");
	7	* you may not use this file except in compliance with the License.
	8	* You may obtain a copy of the License at
	9	*
	10	* http://www.apache.org/licenses/LICENSE-2.0
	11	*
	12	* Unless required by applicable law or agreed to in writing, software
	13	* distributed under the License is distributed on an "AS IS" BASIS,
	14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	15	* See the License for the specific language governing permissions and
	16	* limitations under the License.
	17	*
	18	*/
	19
	20	#include "mod_gnutls.h"
	21
[55dc3f0]	22	#ifdef APLOG_USE_MODULE
	23	APLOG_USE_MODULE(gnutls);
	24	#endif
	25
[7e2b223]	26	/**
[671b64f]	27	* Describe how the GnuTLS Filter system works here
[dae0aec]	28	* - Basicly the same as what mod_ssl does with OpenSSL.
	29	*
[7e2b223]	30	*/
	31
[dae0aec]	32	#define HTTP_ON_HTTPS_PORT \
	33	"GET /" CRLF
[7e2b223]	34
[dae0aec]	35	#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
	36	apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
	37	sizeof(HTTP_ON_HTTPS_PORT) - 1, \
	38	alloc)
[7e2b223]	39
[265eafc]	40	#define IS_PROXY_STR(c) \
	41	((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
	42
[dae0aec]	43	static apr_status_t gnutls_io_filter_error(ap_filter_t * f,
[e183628]	44	apr_bucket_brigade * bb,
	45	apr_status_t status) {
	46	mgs_handle_t ctxt = (mgs_handle_t ) f->ctx;
	47	apr_bucket *bucket;
	48
	49	switch (status) {
[4fefa39]	50	case HTTP_BAD_REQUEST:
	51	/* log the situation */
	52	ap_log_error(APLOG_MARK, APLOG_INFO, 0,
	53	f->c->base_server,
	54	"GnuTLS handshake failed: HTTP spoken on HTTPS port; "
	55	"trying to send HTML error page");
	56	mgs_srvconf_rec sc = (mgs_srvconf_rec )
	57	ap_get_module_config(f->c->base_server->module_config,
	58	&gnutls_module);
	59	ctxt->status = -1;
	60	sc->non_ssl_request = 1;
	61
	62	/* fake the request line */
	63	bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
	64	break;
	65
	66	default:
	67	return status;
[e183628]	68	}
	69
	70	APR_BRIGADE_INSERT_TAIL(bb, bucket);
	71	bucket = apr_bucket_eos_create(f->c->bucket_alloc);
	72	APR_BRIGADE_INSERT_TAIL(bb, bucket);
	73
	74	return APR_SUCCESS;
[dae0aec]	75	}
[7e2b223]	76
[e183628]	77	static int char_buffer_read(mgs_char_buffer_t * buffer, char *in, int inl) {
	78	if (!buffer->length) {
	79	return 0;
	80	}
	81
	82	if (buffer->length > inl) {
	83	/* we have have enough to fill the caller's buffer */
	84	memmove(in, buffer->value, inl);
	85	buffer->value += inl;
	86	buffer->length -= inl;
	87	} else {
	88	/* swallow remainder of the buffer */
	89	memmove(in, buffer->value, buffer->length);
	90	inl = buffer->length;
	91	buffer->value = NULL;
	92	buffer->length = 0;
	93	}
	94
	95	return inl;
[dae0aec]	96	}
	97
[e183628]	98	static int char_buffer_write(mgs_char_buffer_t * buffer, char *in, int inl) {
	99	buffer->value = in;
	100	buffer->length = inl;
	101	return inl;
[7e2b223]	102	}
	103
	104	/**
	105	* From mod_ssl / ssl_engine_io.c
	106	* This function will read from a brigade and discard the read buckets as it
	107	* proceeds. It will read at most *len bytes.
	108	*/
	109	static apr_status_t brigade_consume(apr_bucket_brigade * bb,
[e183628]	110	apr_read_type_e block,
	111	char c, apr_size_t len) {
	112	apr_size_t actual = 0;
	113	apr_status_t status = APR_SUCCESS;
	114
	115	while (!APR_BRIGADE_EMPTY(bb)) {
	116	apr_bucket *b = APR_BRIGADE_FIRST(bb);
	117	const char *str;
	118	apr_size_t str_len;
	119	apr_size_t consume;
	120
	121	/* Justin points out this is an http-ism that might
	122	* not fit if brigade_consume is added to APR. Perhaps
	123	* apr_bucket_read(eos_bucket) should return APR_EOF?
	124	* Then this becomes mainline instead of a one-off.
	125	*/
	126	if (APR_BUCKET_IS_EOS(b)) {
	127	status = APR_EOF;
	128	break;
	129	}
	130
	131	/* The reason I'm not offering brigade_consume yet
	132	* across to apr-util is that the following call
	133	* illustrates how borked that API really is. For
	134	* this sort of case (caller provided buffer) it
	135	* would be much more trivial for apr_bucket_consume
	136	* to do all the work that follows, based on the
	137	* particular characteristics of the bucket we are
	138	* consuming here.
	139	*/
	140	status = apr_bucket_read(b, &str, &str_len, block);
	141
	142	if (status != APR_SUCCESS) {
	143	if (APR_STATUS_IS_EOF(status)) {
	144	/* This stream bucket was consumed */
	145	apr_bucket_delete(b);
	146	continue;
	147	}
	148	break;
	149	}
	150
	151	if (str_len > 0) {
	152	/* Do not block once some data has been consumed */
	153	block = APR_NONBLOCK_READ;
	154
	155	/* Assure we don't overflow. */
	156	consume =
	157	(str_len + actual >
	158	len) ? len - actual : str_len;
	159
	160	memcpy(c, str, consume);
	161
	162	c += consume;
	163	actual += consume;
	164
	165	if (consume >= b->length) {
	166	/* This physical bucket was consumed */
	167	apr_bucket_delete(b);
	168	} else {
	169	/* Only part of this physical bucket was consumed */
	170	b->start += consume;
	171	b->length -= consume;
	172	}
	173	} else if (b->length == 0) {
	174	apr_bucket_delete(b);
	175	}
[7e2b223]	176
[e183628]	177	/* This could probably be actual == *len, but be safe from stray
	178	* photons. */
	179	if (actual >= *len) {
	180	break;
	181	}
	182	}
	183
	184	*len = actual;
	185	return status;
	186	}
[7e2b223]	187
[c301152]	188	static apr_status_t gnutls_io_input_read(mgs_handle_t * ctxt,
[398d1a0]	189	char buf, apr_size_t len)
	190	{
[e183628]	191	apr_size_t wanted = *len;
	192	apr_size_t bytes = 0;
	193	int rc;
	194
	195	*len = 0;
	196
	197	/* If we have something leftover from last time, try that first. */
	198	if ((bytes = char_buffer_read(&ctxt->input_cbuf, buf, wanted))) {
	199	*len = bytes;
	200	if (ctxt->input_mode == AP_MODE_SPECULATIVE) {
	201	/* We want to rollback this read. */
	202	if (ctxt->input_cbuf.length > 0) {
	203	ctxt->input_cbuf.value -= bytes;
	204	ctxt->input_cbuf.length += bytes;
	205	} else {
	206	char_buffer_write(&ctxt->input_cbuf, buf,
	207	(int) bytes);
	208	}
	209	return APR_SUCCESS;
	210	}
	211	/* This could probably be *len == wanted, but be safe from stray
	212	* photons.
	213	*/
	214	if (*len >= wanted) {
	215	return APR_SUCCESS;
	216	}
	217	if (ctxt->input_mode == AP_MODE_GETLINE) {
	218	if (memchr(buf, APR_ASCII_LF, *len)) {
	219	return APR_SUCCESS;
	220	}
	221	} else {
	222	/* Down to a nonblock pattern as we have some data already
	223	*/
	224	ctxt->input_block = APR_NONBLOCK_READ;
	225	}
	226	}
	227
	228	if (ctxt->session == NULL) {
[398d1a0]	229	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
	230	"%s: GnuTLS session is NULL!", __func__);
[e183628]	231	return APR_EGENERAL;
	232	}
	233
	234	while (1) {
	235
[4261999]	236	do
	237	rc = gnutls_record_recv(ctxt->session, buf + bytes,
	238	wanted - bytes);
	239	while (rc == GNUTLS_E_INTERRUPTED \|\| rc == GNUTLS_E_AGAIN);
[e183628]	240
	241	if (rc > 0) {
	242	*len += rc;
	243	if (ctxt->input_mode == AP_MODE_SPECULATIVE) {
	244	/* We want to rollback this read. */
	245	char_buffer_write(&ctxt->input_cbuf, buf,
	246	rc);
	247	}
	248	return ctxt->input_rc;
	249	} else if (rc == 0) {
	250	/* If EAGAIN, we will loop given a blocking read,
	251	* otherwise consider ourselves at EOF.
	252	*/
	253	if (APR_STATUS_IS_EAGAIN(ctxt->input_rc)
	254	\|\| APR_STATUS_IS_EINTR(ctxt->input_rc)) {
	255	/* Already read something, return APR_SUCCESS instead.
	256	* On win32 in particular, but perhaps on other kernels,
	257	* a blocking call isn't 'always' blocking.
	258	*/
	259	if (*len > 0) {
	260	ctxt->input_rc = APR_SUCCESS;
	261	break;
	262	}
	263	if (ctxt->input_block == APR_NONBLOCK_READ) {
	264	break;
	265	}
	266	} else {
	267	if (*len > 0) {
	268	ctxt->input_rc = APR_SUCCESS;
	269	} else {
	270	ctxt->input_rc = APR_EOF;
	271	}
	272	break;
	273	}
	274	} else { /* (rc < 0) */
	275
	276	if (rc == GNUTLS_E_REHANDSHAKE) {
	277	/* A client has asked for a new Hankshake. Currently, we don't do it */
[398d1a0]	278	ap_log_cerror(APLOG_MARK, APLOG_INFO,
[e183628]	279	ctxt->input_rc,
[398d1a0]	280	ctxt->c,
[e183628]	281	"GnuTLS: Error reading data. Client Requested a New Handshake."
	282	" (%d) '%s'", rc,
	283	gnutls_strerror(rc));
	284	} else if (rc == GNUTLS_E_WARNING_ALERT_RECEIVED) {
	285	rc = gnutls_alert_get(ctxt->session);
[398d1a0]	286	ap_log_cerror(APLOG_MARK, APLOG_INFO,
[e183628]	287	ctxt->input_rc,
[398d1a0]	288	ctxt->c,
[e183628]	289	"GnuTLS: Warning Alert From Client: "
	290	" (%d) '%s'", rc,
	291	gnutls_alert_get_name(rc));
	292	} else if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED) {
	293	rc = gnutls_alert_get(ctxt->session);
[398d1a0]	294	ap_log_cerror(APLOG_MARK, APLOG_INFO,
[e183628]	295	ctxt->input_rc,
[398d1a0]	296	ctxt->c,
[e183628]	297	"GnuTLS: Fatal Alert From Client: "
	298	"(%d) '%s'", rc,
	299	gnutls_alert_get_name(rc));
	300	ctxt->input_rc = APR_EGENERAL;
	301	break;
	302	} else {
	303	/* Some Other Error. Report it. Die. */
	304	if (gnutls_error_is_fatal(rc)) {
[398d1a0]	305	ap_log_cerror(APLOG_MARK,
[e183628]	306	APLOG_INFO,
	307	ctxt->input_rc,
[398d1a0]	308	ctxt->c,
[e183628]	309	"GnuTLS: Error reading data. (%d) '%s'",
	310	rc,
	311	gnutls_strerror(rc));
	312	} else if (*len > 0) {
	313	ctxt->input_rc = APR_SUCCESS;
	314	break;
	315	}
	316	}
	317
	318	if (ctxt->input_rc == APR_SUCCESS) {
[4261999]	319	ap_log_cerror(APLOG_MARK, APLOG_INFO, ctxt->input_rc, ctxt->c,
	320	"%s: GnuTLS error: %s (%d)",
	321	__func__, gnutls_strerror(rc), rc);
[e183628]	322	ctxt->input_rc = APR_EGENERAL;
	323	}
	324	break;
	325	}
	326	}
	327	return ctxt->input_rc;
[dae0aec]	328	}
	329
[c301152]	330	static apr_status_t gnutls_io_input_getline(mgs_handle_t * ctxt,
[e183628]	331	char buf, apr_size_t len) {
	332	const char *pos = NULL;
	333	apr_status_t status;
	334	apr_size_t tmplen = len, buflen = len, offset = 0;
[dae0aec]	335
[e183628]	336	*len = 0;
[dae0aec]	337
[e183628]	338	while (tmplen > 0) {
	339	status = gnutls_io_input_read(ctxt, buf + offset, &tmplen);
[dae0aec]	340
[e183628]	341	if (status != APR_SUCCESS) {
	342	return status;
	343	}
[dae0aec]	344
[e183628]	345	*len += tmplen;
[dae0aec]	346
[e183628]	347	if ((pos = memchr(buf, APR_ASCII_LF, *len))) {
	348	break;
	349	}
[dae0aec]	350
[e183628]	351	offset += tmplen;
	352	tmplen = buflen - offset;
	353	}
[dae0aec]	354
[e183628]	355	if (pos) {
	356	char *value;
	357	int length;
	358	apr_size_t bytes = pos - buf;
[dae0aec]	359
[e183628]	360	bytes += 1;
	361	value = buf + bytes;
	362	length = *len - bytes;
[dae0aec]	363
[e183628]	364	char_buffer_write(&ctxt->input_cbuf, value, length);
[dae0aec]	365
[e183628]	366	*len = bytes;
	367	}
[dae0aec]	368
[e183628]	369	return APR_SUCCESS;
[dae0aec]	370	}
	371
[0106b25]	372	#define HANDSHAKE_MAX_TRIES 1024
[e183628]	373
	374	static int gnutls_do_handshake(mgs_handle_t * ctxt) {
	375	int ret;
	376	int errcode;
	377	int maxtries = HANDSHAKE_MAX_TRIES;
	378
	379	if (ctxt->status != 0 \|\| ctxt->session == NULL) {
	380	return -1;
	381	}
	382
	383	tryagain:
	384	do {
	385	ret = gnutls_handshake(ctxt->session);
	386	maxtries--;
	387	} while ((ret == GNUTLS_E_INTERRUPTED \|\| ret == GNUTLS_E_AGAIN)
	388	&& maxtries > 0);
	389
	390	if (maxtries < 1) {
	391	ctxt->status = -1;
[8e33f2d]	392	#if USING_2_1_RECENT
[e183628]	393	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
	394	"GnuTLS: Handshake Failed. Hit Maximum Attempts");
[8e33f2d]	395	#else
[e183628]	396	ap_log_error(APLOG_MARK, APLOG_ERR, 0,
	397	ctxt->c->base_server,
	398	"GnuTLS: Handshake Failed. Hit Maximum Attempts");
[8e33f2d]	399	#endif
[e183628]	400	if (ctxt->session) {
	401	gnutls_alert_send(ctxt->session, GNUTLS_AL_FATAL,
	402	gnutls_error_to_alert
	403	(GNUTLS_E_INTERNAL_ERROR, NULL));
	404	gnutls_deinit(ctxt->session);
	405	}
	406	ctxt->session = NULL;
	407	return -1;
	408	}
	409
	410	if (ret < 0) {
	411	if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
	412	\|\| ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
	413	errcode = gnutls_alert_get(ctxt->session);
	414	ap_log_error(APLOG_MARK, APLOG_INFO, 0,
	415	ctxt->c->base_server,
[beb14d9]	416	"GnuTLS: Handshake Alert (%d) '%s'.",
[e183628]	417	errcode,
	418	gnutls_alert_get_name(errcode));
	419	}
	420
	421	if (!gnutls_error_is_fatal(ret)) {
	422	ap_log_error(APLOG_MARK, APLOG_INFO, 0,
	423	ctxt->c->base_server,
	424	"GnuTLS: Non-Fatal Handshake Error: (%d) '%s'",
	425	ret, gnutls_strerror(ret));
	426	goto tryagain;
	427	}
[316bd8c]	428	#if USING_2_1_RECENT
[e183628]	429	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
	430	"GnuTLS: Handshake Failed (%d) '%s'", ret,
	431	gnutls_strerror(ret));
[316bd8c]	432	#else
[e183628]	433	ap_log_error(APLOG_MARK, APLOG_INFO, 0,
	434	ctxt->c->base_server,
	435	"GnuTLS: Handshake Failed (%d) '%s'", ret,
	436	gnutls_strerror(ret));
[316bd8c]	437	#endif
[e183628]	438	ctxt->status = -1;
	439	if (ctxt->session) {
	440	gnutls_alert_send(ctxt->session, GNUTLS_AL_FATAL,
	441	gnutls_error_to_alert(ret,
	442	NULL));
	443	gnutls_deinit(ctxt->session);
	444	}
	445	ctxt->session = NULL;
	446	return ret;
	447	} else {
	448	/* all done with the handshake */
	449	ctxt->status = 1;
[671b64f]	450	/* If the session was resumed, we did not set the correct
[e183628]	451	* server_rec in ctxt->sc. Go Find it. (ick!)
	452	*/
	453	if (gnutls_session_is_resumed(ctxt->session)) {
	454	mgs_srvconf_rec *sc;
	455	sc = mgs_find_sni_server(ctxt->session);
	456	if (sc) {
	457	ctxt->sc = sc;
	458	}
	459	}
	460	return 0;
	461	}
[31645b2]	462	}
	463
[e183628]	464	int mgs_rehandshake(mgs_handle_t * ctxt) {
	465	int rv;
[e02dd8c]	466
[e183628]	467	if (ctxt->session == NULL)
	468	return -1;
[e02dd8c]	469
[e183628]	470	rv = gnutls_rehandshake(ctxt->session);
[e02dd8c]	471
[e183628]	472	if (rv != 0) {
	473	/* the client did not want to rehandshake. goodbye */
	474	ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
	475	ctxt->c->base_server,
	476	"GnuTLS: Client Refused Rehandshake request.");
	477	return -1;
	478	}
[e02dd8c]	479
[e183628]	480	ctxt->status = 0;
[e02dd8c]	481
[e183628]	482	rv = gnutls_do_handshake(ctxt);
[e02dd8c]	483
[e183628]	484	return rv;
[dae0aec]	485	}
	486
[e02dd8c]	487	apr_status_t mgs_filter_input(ap_filter_t * f,
[e183628]	488	apr_bucket_brigade * bb,
	489	ap_input_mode_t mode,
[265eafc]	490	apr_read_type_e block, apr_off_t readbytes)
	491	{
[e183628]	492	apr_status_t status = APR_SUCCESS;
	493	mgs_handle_t ctxt = (mgs_handle_t ) f->ctx;
	494	apr_size_t len = sizeof (ctxt->input_buffer);
	495
	496	if (f->c->aborted) {
	497	apr_bucket *bucket =
	498	apr_bucket_eos_create(f->c->bucket_alloc);
	499	APR_BRIGADE_INSERT_TAIL(bb, bucket);
[265eafc]	500	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
	501	"%s: %sconnection aborted",
	502	__func__, IS_PROXY_STR(ctxt));
[e183628]	503	return APR_ECONNABORTED;
	504	}
	505
	506	if (ctxt->status == 0) {
	507	gnutls_do_handshake(ctxt);
[265eafc]	508	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
	509	"%s: TLS %sconnection opened.",
	510	__func__, IS_PROXY_STR(ctxt));
[e183628]	511	}
	512
	513	if (ctxt->status < 0) {
[265eafc]	514	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
	515	"%s %s: ap_get_brigade", __func__, IS_PROXY_STR(ctxt));
[e183628]	516	return ap_get_brigade(f->next, bb, mode, block, readbytes);
	517	}
	518
	519	/* XXX: we don't currently support anything other than these modes. */
	520	if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE &&
	521	mode != AP_MODE_SPECULATIVE && mode != AP_MODE_INIT) {
	522	return APR_ENOTIMPL;
	523	}
	524
	525	ctxt->input_mode = mode;
	526	ctxt->input_block = block;
	527
	528	if (ctxt->input_mode == AP_MODE_READBYTES \|\|
	529	ctxt->input_mode == AP_MODE_SPECULATIVE) {
[fd82e59]	530	if (readbytes < 0) {
	531	/* you're asking us to speculatively read a negative number of bytes! */
	532	return APR_ENOTIMPL;
	533	}
[e183628]	534	/* Err. This is bad. readbytes can be a 64bit int! len.. is NOT */
[fd82e59]	535	if ((apr_size_t) readbytes < len) {
[e183628]	536	len = (apr_size_t) readbytes;
	537	}
	538	status =
	539	gnutls_io_input_read(ctxt, ctxt->input_buffer, &len);
	540	} else if (ctxt->input_mode == AP_MODE_GETLINE) {
	541	status =
	542	gnutls_io_input_getline(ctxt, ctxt->input_buffer,
	543	&len);
	544	} else {
	545	/* We have no idea what you are talking about, so return an error. */
	546	return APR_ENOTIMPL;
	547	}
	548
	549	if (status != APR_SUCCESS) {
	550	return gnutls_io_filter_error(f, bb, status);
	551	}
	552
	553	/* Create a transient bucket out of the decrypted data. */
	554	if (len > 0) {
	555	apr_bucket *bucket =
	556	apr_bucket_transient_create(ctxt->input_buffer, len,
	557	f->c->bucket_alloc);
	558	APR_BRIGADE_INSERT_TAIL(bb, bucket);
	559	}
	560
	561	return status;
[dae0aec]	562	}
	563
[e183628]	564	static ssize_t write_flush(mgs_handle_t * ctxt) {
	565	apr_bucket *e;
	566
	567	if (!(ctxt->output_blen \|\| ctxt->output_length)) {
	568	ctxt->output_rc = APR_SUCCESS;
	569	return 1;
	570	}
	571
	572	if (ctxt->output_blen) {
	573	e = apr_bucket_transient_create(ctxt->output_buffer,
	574	ctxt->output_blen,
	575	ctxt->output_bb->
	576	bucket_alloc);
	577	/* we filled this buffer first so add it to the
	578	* * head of the brigade
	579	* */
	580	APR_BRIGADE_INSERT_HEAD(ctxt->output_bb, e);
	581	ctxt->output_blen = 0;
	582	}
	583
	584	ctxt->output_length = 0;
	585	e = apr_bucket_flush_create(ctxt->output_bb->bucket_alloc);
	586	APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, e);
	587
	588	ctxt->output_rc = ap_pass_brigade(ctxt->output_filter->next,
	589	ctxt->output_bb);
	590	/* clear the brigade to be ready for next time */
	591	apr_brigade_cleanup(ctxt->output_bb);
	592
	593	return (ctxt->output_rc == APR_SUCCESS) ? 1 : -1;
[485d28e]	594	}
	595
[e183628]	596	apr_status_t mgs_filter_output(ap_filter_t * f, apr_bucket_brigade * bb) {
[fd82e59]	597	int ret;
[e183628]	598	mgs_handle_t ctxt = (mgs_handle_t ) f->ctx;
	599	apr_status_t status = APR_SUCCESS;
	600	apr_read_type_e rblock = APR_NONBLOCK_READ;
[671b64f]	601
[e183628]	602	if (f->c->aborted) {
	603	apr_brigade_cleanup(bb);
	604	return APR_ECONNABORTED;
	605	}
	606
	607	if (ctxt->status == 0) {
	608	gnutls_do_handshake(ctxt);
[265eafc]	609	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
	610	"%s: TLS %sconnection opened.",
	611	__func__, IS_PROXY_STR(ctxt));
[e183628]	612	}
	613
	614	if (ctxt->status < 0) {
	615	return ap_pass_brigade(f->next, bb);
	616	}
	617
	618	while (!APR_BRIGADE_EMPTY(bb)) {
	619	apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
	620
	621	if (APR_BUCKET_IS_EOS(bucket)) {
	622	return ap_pass_brigade(f->next, bb);
[671b64f]	623	} else if (APR_BUCKET_IS_FLUSH(bucket)) {
[e183628]	624	/* Try Flush */
	625	if (write_flush(ctxt) < 0) {
	626	/* Flush Error */
	627	return ctxt->output_rc;
	628	}
	629	/* cleanup! */
[671b64f]	630	apr_bucket_delete(bucket);
[e183628]	631	} else if (AP_BUCKET_IS_EOC(bucket)) {
	632	/* End Of Connection */
	633	if (ctxt->session != NULL) {
	634	/* Try A Clean Shutdown */
	635	do {
[9a9bc1e]	636	ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR);
	637	} while (ret == GNUTLS_E_INTERRUPTED \|\| ret == GNUTLS_E_AGAIN);
[265eafc]	638	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, ret, ctxt->c,
	639	"%s: TLS %sconnection closed.",
	640	__func__, IS_PROXY_STR(ctxt));
[e183628]	641	/* De-Initialize Session */
	642	gnutls_deinit(ctxt->session);
	643	ctxt->session = NULL;
	644	}
[9a9bc1e]	645	/* cleanup! */
[671b64f]	646	apr_bucket_delete(bucket);
[e183628]	647	/* Pass next brigade! */
	648	return ap_pass_brigade(f->next, bb);
	649	} else {
	650	/* filter output */
	651	const char *data;
	652	apr_size_t len;
	653
[9a9bc1e]	654	status = apr_bucket_read(bucket, &data, &len, rblock);
[e183628]	655
	656	if (APR_STATUS_IS_EAGAIN(status)) {
	657	/* No data available so Flush! */
	658	if (write_flush(ctxt) < 0) {
	659	return ctxt->output_rc;
	660	}
	661	/* Try again with a blocking read. */
	662	rblock = APR_BLOCK_READ;
	663	continue;
	664	}
	665
	666	rblock = APR_NONBLOCK_READ;
	667
	668	if (!APR_STATUS_IS_EOF(status)
	669	&& (status != APR_SUCCESS)) {
	670	return status;
	671	}
	672
	673	if (len > 0) {
	674
	675	if (ctxt->session == NULL) {
	676	ret = GNUTLS_E_INVALID_REQUEST;
[b4a875b]	677	} else {
[e183628]	678	do {
	679	ret =
	680	gnutls_record_send
	681	(ctxt->session, data,
	682	len);
	683	} while (ret == GNUTLS_E_INTERRUPTED
	684	\|\| ret == GNUTLS_E_AGAIN);
	685	}
	686
	687	if (ret < 0) {
	688	/* error sending output */
	689	ap_log_error(APLOG_MARK,
	690	APLOG_INFO,
	691	ctxt->output_rc,
	692	ctxt->c->base_server,
	693	"GnuTLS: Error writing data."
	694	" (%d) '%s'",
	695	(int) ret,
	696	gnutls_strerror(ret));
	697	if (ctxt->output_rc == APR_SUCCESS) {
	698	ctxt->output_rc =
	699	APR_EGENERAL;
	700	return ctxt->output_rc;
	701	}
[fd82e59]	702	} else if ((apr_size_t)(ret) != len) {
	703	/* we know the above cast is OK because len > 0 and ret >= 0 */
[671b64f]	704	/* Not able to send the entire bucket,
[e183628]	705	split it and send it again. */
	706	apr_bucket_split(bucket, ret);
	707	}
	708	}
	709
	710	apr_bucket_delete(bucket);
	711	}
	712	}
	713
	714	return status;
[dae0aec]	715	}
	716
[c301152]	717	ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
[e183628]	718	void *buffer, size_t len) {
	719	mgs_handle_t *ctxt = ptr;
	720	apr_status_t rc;
	721	apr_size_t in = len;
	722	apr_read_type_e block = ctxt->input_block;
	723
	724	ctxt->input_rc = APR_SUCCESS;
	725
	726	/* If Len = 0, we don't do anything. */
	727	if (!len \|\| buffer == NULL) {
	728	return 0;
	729	}
	730	if (!ctxt->input_bb) {
	731	ctxt->input_rc = APR_EOF;
	732	return -1;
	733	}
	734
	735	if (APR_BRIGADE_EMPTY(ctxt->input_bb)) {
	736
	737	rc = ap_get_brigade(ctxt->input_filter->next,
	738	ctxt->input_bb, AP_MODE_READBYTES,
	739	ctxt->input_block, in);
	740
	741	/* Not a problem, there was simply no data ready yet.
	742	*/
	743	if (APR_STATUS_IS_EAGAIN(rc) \|\| APR_STATUS_IS_EINTR(rc)
	744	\|\| (rc == APR_SUCCESS
	745	&& APR_BRIGADE_EMPTY(ctxt->input_bb))) {
	746
	747	if (APR_STATUS_IS_EOF(ctxt->input_rc)) {
	748	return 0;
	749	} else {
	750	if (ctxt->session)
	751	gnutls_transport_set_errno(ctxt->
	752	session,
	753	EINTR);
	754	return -1;
	755	}
	756	}
[e02dd8c]	757
	758
[e183628]	759	if (rc != APR_SUCCESS) {
	760	/* Unexpected errors discard the brigade */
	761	apr_brigade_cleanup(ctxt->input_bb);
	762	ctxt->input_bb = NULL;
	763	return -1;
	764	}
	765	}
	766
	767	ctxt->input_rc =
	768	brigade_consume(ctxt->input_bb, block, buffer, &len);
	769
	770	if (ctxt->input_rc == APR_SUCCESS) {
	771	return (ssize_t) len;
	772	}
	773
	774	if (APR_STATUS_IS_EAGAIN(ctxt->input_rc)
	775	\|\| APR_STATUS_IS_EINTR(ctxt->input_rc)) {
	776	if (len == 0) {
	777	if (ctxt->session)
	778	gnutls_transport_set_errno(ctxt->session,
	779	EINTR);
	780	return -1;
[60cf11c]	781	}
[e183628]	782
	783	return (ssize_t) len;
	784	}
	785
	786	/* Unexpected errors and APR_EOF clean out the brigade.
	787	* Subsequent calls will return APR_EOF.
	788	*/
	789	apr_brigade_cleanup(ctxt->input_bb);
	790	ctxt->input_bb = NULL;
	791
	792	if (APR_STATUS_IS_EOF(ctxt->input_rc) && len) {
	793	/* Provide the results of this read pass,
	794	* without resetting the BIO retry_read flag
	795	*/
	796	return (ssize_t) len;
	797	}
	798
	799	return -1;
[dae0aec]	800	}
	801
[c301152]	802	ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
[e183628]	803	const void *buffer, size_t len) {
	804	mgs_handle_t *ctxt = ptr;
	805
	806	/* pass along the encrypted data
	807	* need to flush since we're using SSL's malloc-ed buffer
	808	* which will be overwritten once we leave here
	809	*/
	810	apr_bucket *bucket = apr_bucket_transient_create(buffer, len,
	811	ctxt->output_bb->
	812	bucket_alloc);
	813	ctxt->output_length += len;
	814	APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, bucket);
	815
	816	if (write_flush(ctxt) < 0) {
	817	return -1;
	818	}
	819	return len;
[7e2b223]	820	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_io.c @ 265eafc

Download in other formats: