Context Navigation

gnutls_io.c @ 7511bfa

Visit:

debian/masterdebian/stretch-backportsupstream

Last change on this file since 7511bfa was 7511bfa, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Use ap_log_cerror() instead of ap_log_error() where reasonable

Probably old code from when ap_log_cerror() did not exist.

Property mode set to 100644

File size: 27.4 KB

Line
1	/**
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2008 Nikos Mavrogiannopoulos
4	* Copyright 2011 Dash Shendy
5	* Copyright 2015-2016 Thomas Klute
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License");
8	* you may not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS,
15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*
19	*/
20
21	#include "mod_gnutls.h"
22
23	#ifdef APLOG_USE_MODULE
24	APLOG_USE_MODULE(gnutls);
25	#endif
26
27	/**
28	* Describe how the GnuTLS Filter system works here
29	* - Basicly the same as what mod_ssl does with OpenSSL.
30	*
31	*/
32
33	#define HTTP_ON_HTTPS_PORT \
34	"GET /" CRLF
35
36	#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
37	apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
38	sizeof(HTTP_ON_HTTPS_PORT) - 1, \
39	alloc)
40
41	#define IS_PROXY_STR(c) \
42	((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
43
44	/**
45	* Convert APR_EINTR or APR_EAGAIN to the match raw error code. Needed
46	* to pass the status on to GnuTLS from the pull function.
47	*/
48	#define EAI_APR_TO_RAW(s) (APR_STATUS_IS_EAGAIN(s) ? EAGAIN : EINTR)
49
50
51
52	static apr_status_t gnutls_io_filter_error(ap_filter_t * f,
53	apr_bucket_brigade * bb,
54	apr_status_t status) {
55	mgs_handle_t ctxt = (mgs_handle_t ) f->ctx;
56	apr_bucket *bucket;
57
58	switch (status) {
59	case HTTP_BAD_REQUEST:
60	/* log the situation */
61	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
62	"GnuTLS handshake failed: HTTP spoken on HTTPS port; "
63	"trying to send HTML error page");
64	mgs_srvconf_rec sc = (mgs_srvconf_rec )
65	ap_get_module_config(f->c->base_server->module_config,
66	&gnutls_module);
67	ctxt->status = -1;
68	sc->non_ssl_request = 1;
69
70	/* fake the request line */
71	bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
72	break;
73
74	default:
75	return status;
76	}
77
78	APR_BRIGADE_INSERT_TAIL(bb, bucket);
79	bucket = apr_bucket_eos_create(f->c->bucket_alloc);
80	APR_BRIGADE_INSERT_TAIL(bb, bucket);
81
82	return APR_SUCCESS;
83	}
84
85	static int char_buffer_read(mgs_char_buffer_t * buffer, char *in, int inl) {
86	if (!buffer->length) {
87	return 0;
88	}
89
90	if (buffer->length > inl) {
91	/* we have have enough to fill the caller's buffer */
92	memmove(in, buffer->value, inl);
93	buffer->value += inl;
94	buffer->length -= inl;
95	} else {
96	/* swallow remainder of the buffer */
97	memmove(in, buffer->value, buffer->length);
98	inl = buffer->length;
99	buffer->value = NULL;
100	buffer->length = 0;
101	}
102
103	return inl;
104	}
105
106	static int char_buffer_write(mgs_char_buffer_t * buffer, char *in, int inl) {
107	buffer->value = in;
108	buffer->length = inl;
109	return inl;
110	}
111
112	/**
113	* From mod_ssl / ssl_engine_io.c
114	* This function will read from a brigade and discard the read buckets as it
115	* proceeds. It will read at most *len bytes.
116	*/
117	static apr_status_t brigade_consume(apr_bucket_brigade * bb,
118	apr_read_type_e block,
119	char c, apr_size_t len) {
120	apr_size_t actual = 0;
121	apr_status_t status = APR_SUCCESS;
122
123	while (!APR_BRIGADE_EMPTY(bb)) {
124	apr_bucket *b = APR_BRIGADE_FIRST(bb);
125	const char *str;
126	apr_size_t str_len;
127	apr_size_t consume;
128
129	/* Justin points out this is an http-ism that might
130	* not fit if brigade_consume is added to APR. Perhaps
131	* apr_bucket_read(eos_bucket) should return APR_EOF?
132	* Then this becomes mainline instead of a one-off.
133	*/
134	if (APR_BUCKET_IS_EOS(b)) {
135	status = APR_EOF;
136	break;
137	}
138
139	/* The reason I'm not offering brigade_consume yet
140	* across to apr-util is that the following call
141	* illustrates how borked that API really is. For
142	* this sort of case (caller provided buffer) it
143	* would be much more trivial for apr_bucket_consume
144	* to do all the work that follows, based on the
145	* particular characteristics of the bucket we are
146	* consuming here.
147	*/
148	status = apr_bucket_read(b, &str, &str_len, block);
149
150	if (status != APR_SUCCESS) {
151	if (APR_STATUS_IS_EOF(status)) {
152	/* This stream bucket was consumed */
153	apr_bucket_delete(b);
154	continue;
155	}
156	break;
157	}
158
159	if (str_len > 0) {
160	/* Do not block once some data has been consumed */
161	block = APR_NONBLOCK_READ;
162
163	/* Assure we don't overflow. */
164	consume =
165	(str_len + actual >
166	len) ? len - actual : str_len;
167
168	memcpy(c, str, consume);
169
170	c += consume;
171	actual += consume;
172
173	if (consume >= b->length) {
174	/* This physical bucket was consumed */
175	apr_bucket_delete(b);
176	} else {
177	/* Only part of this physical bucket was consumed */
178	b->start += consume;
179	b->length -= consume;
180	}
181	} else if (b->length == 0) {
182	apr_bucket_delete(b);
183	}
184
185	/* This could probably be actual == *len, but be safe from stray
186	* photons. */
187	if (actual >= *len) {
188	break;
189	}
190	}
191
192	*len = actual;
193	return status;
194	}
195
196	static apr_status_t gnutls_io_input_read(mgs_handle_t * ctxt,
197	char buf, apr_size_t len)
198	{
199	apr_size_t wanted = *len;
200	apr_size_t bytes = 0;
201	int rc;
202
203	*len = 0;
204
205	/* If we have something leftover from last time, try that first. */
206	if ((bytes = char_buffer_read(&ctxt->input_cbuf, buf, wanted))) {
207	*len = bytes;
208	if (ctxt->input_mode == AP_MODE_SPECULATIVE) {
209	/* We want to rollback this read. */
210	if (ctxt->input_cbuf.length > 0) {
211	ctxt->input_cbuf.value -= bytes;
212	ctxt->input_cbuf.length += bytes;
213	} else {
214	char_buffer_write(&ctxt->input_cbuf, buf,
215	(int) bytes);
216	}
217	return APR_SUCCESS;
218	}
219	/* This could probably be *len == wanted, but be safe from stray
220	* photons.
221	*/
222	if (*len >= wanted) {
223	return APR_SUCCESS;
224	}
225	if (ctxt->input_mode == AP_MODE_GETLINE) {
226	if (memchr(buf, APR_ASCII_LF, *len)) {
227	return APR_SUCCESS;
228	}
229	} else {
230	/* Down to a nonblock pattern as we have some data already
231	*/
232	ctxt->input_block = APR_NONBLOCK_READ;
233	}
234	}
235
236	if (ctxt->session == NULL) {
237	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
238	"%s: GnuTLS session is NULL!", __func__);
239	return APR_EGENERAL;
240	}
241
242	while (1)
243	{
244	rc = gnutls_record_recv(ctxt->session, buf + bytes, wanted - bytes);
245
246	if (rc == GNUTLS_E_INTERRUPTED)
247	ctxt->input_rc = APR_EINTR;
248	else if (rc == GNUTLS_E_AGAIN)
249	ctxt->input_rc = APR_EAGAIN;
250
251	if (rc > 0) {
252	*len += rc;
253	if (ctxt->input_mode == AP_MODE_SPECULATIVE) {
254	/* We want to rollback this read. */
255	char_buffer_write(&ctxt->input_cbuf, buf,
256	rc);
257	}
258	return ctxt->input_rc;
259	} else if (rc == 0) {
260	/* If EAGAIN, we will loop given a blocking read,
261	* otherwise consider ourselves at EOF.
262	*/
263	if (APR_STATUS_IS_EAGAIN(ctxt->input_rc)
264	\|\| APR_STATUS_IS_EINTR(ctxt->input_rc)) {
265	/* Already read something, return APR_SUCCESS instead.
266	* On win32 in particular, but perhaps on other kernels,
267	* a blocking call isn't 'always' blocking.
268	*/
269	if (*len > 0) {
270	ctxt->input_rc = APR_SUCCESS;
271	break;
272	}
273	if (ctxt->input_block == APR_NONBLOCK_READ) {
274	break;
275	}
276	} else {
277	if (*len > 0) {
278	ctxt->input_rc = APR_SUCCESS;
279	} else {
280	ctxt->input_rc = APR_EOF;
281	}
282	break;
283	}
284	} else { /* (rc < 0) */
285
286	if (rc == GNUTLS_E_REHANDSHAKE) {
287	/* A client has asked for a new Hankshake. Currently, we don't do it */
288	ap_log_cerror(APLOG_MARK, APLOG_INFO,
289	ctxt->input_rc,
290	ctxt->c,
291	"GnuTLS: Error reading data. Client Requested a New Handshake."
292	" (%d) '%s'", rc,
293	gnutls_strerror(rc));
294	} else if (rc == GNUTLS_E_WARNING_ALERT_RECEIVED) {
295	rc = gnutls_alert_get(ctxt->session);
296	ap_log_cerror(APLOG_MARK, APLOG_INFO,
297	ctxt->input_rc,
298	ctxt->c,
299	"GnuTLS: Warning Alert From Client: "
300	" (%d) '%s'", rc,
301	gnutls_alert_get_name(rc));
302	} else if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED) {
303	rc = gnutls_alert_get(ctxt->session);
304	ap_log_cerror(APLOG_MARK, APLOG_INFO,
305	ctxt->input_rc,
306	ctxt->c,
307	"GnuTLS: Fatal Alert From Client: "
308	"(%d) '%s'", rc,
309	gnutls_alert_get_name(rc));
310	ctxt->input_rc = APR_EGENERAL;
311	break;
312	} else {
313	/* Some Other Error. Report it. Die. */
314	if (gnutls_error_is_fatal(rc)) {
315	ap_log_cerror(APLOG_MARK,
316	APLOG_INFO,
317	ctxt->input_rc,
318	ctxt->c,
319	"GnuTLS: Error reading data. (%d) '%s'",
320	rc,
321	gnutls_strerror(rc));
322	} else if (*len > 0) {
323	ctxt->input_rc = APR_SUCCESS;
324	break;
325	}
326	}
327
328	if (ctxt->input_rc == APR_SUCCESS) {
329	ap_log_cerror(APLOG_MARK, APLOG_INFO, ctxt->input_rc, ctxt->c,
330	"%s: GnuTLS error: %s (%d)",
331	__func__, gnutls_strerror(rc), rc);
332	ctxt->input_rc = APR_EGENERAL;
333	}
334	break;
335	}
336	}
337	return ctxt->input_rc;
338	}
339
340	static apr_status_t gnutls_io_input_getline(mgs_handle_t * ctxt,
341	char buf, apr_size_t len) {
342	const char *pos = NULL;
343	apr_status_t status;
344	apr_size_t tmplen = len, buflen = len, offset = 0;
345
346	*len = 0;
347
348	while (tmplen > 0) {
349	status = gnutls_io_input_read(ctxt, buf + offset, &tmplen);
350
351	if (status != APR_SUCCESS) {
352	return status;
353	}
354
355	*len += tmplen;
356
357	if ((pos = memchr(buf, APR_ASCII_LF, *len))) {
358	break;
359	}
360
361	offset += tmplen;
362	tmplen = buflen - offset;
363	}
364
365	if (pos) {
366	char *value;
367	int length;
368	apr_size_t bytes = pos - buf;
369
370	bytes += 1;
371	value = buf + bytes;
372	length = *len - bytes;
373
374	char_buffer_write(&ctxt->input_cbuf, value, length);
375
376	*len = bytes;
377	}
378
379	return APR_SUCCESS;
380	}
381
382	#define HANDSHAKE_MAX_TRIES 1024
383
384	static int gnutls_do_handshake(mgs_handle_t * ctxt) {
385	int ret;
386	int errcode;
387	int maxtries = HANDSHAKE_MAX_TRIES;
388
389	if (ctxt->status != 0 \|\| ctxt->session == NULL) {
390	return -1;
391	}
392
393	tryagain:
394	do {
395	ret = gnutls_handshake(ctxt->session);
396	maxtries--;
397	} while ((ret == GNUTLS_E_INTERRUPTED \|\| ret == GNUTLS_E_AGAIN)
398	&& maxtries > 0);
399
400	if (maxtries < 1) {
401	ctxt->status = -1;
402	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, ctxt->c,
403	"GnuTLS: Handshake Failed. Hit Maximum Attempts");
404	if (ctxt->session) {
405	gnutls_alert_send(ctxt->session, GNUTLS_AL_FATAL,
406	gnutls_error_to_alert
407	(GNUTLS_E_INTERNAL_ERROR, NULL));
408	gnutls_deinit(ctxt->session);
409	}
410	ctxt->session = NULL;
411	return -1;
412	}
413
414	if (ret < 0) {
415	if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED
416	\|\| ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
417	errcode = gnutls_alert_get(ctxt->session);
418	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
419	"GnuTLS: Handshake Alert (%d) '%s'.",
420	errcode, gnutls_alert_get_name(errcode));
421	}
422
423	if (!gnutls_error_is_fatal(ret)) {
424	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
425	"GnuTLS: Non-Fatal Handshake Error: (%d) '%s'",
426	ret, gnutls_strerror(ret));
427	goto tryagain;
428	}
429	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c,
430	"GnuTLS: Handshake Failed (%d) '%s'", ret,
431	gnutls_strerror(ret));
432	ctxt->status = -1;
433	if (ctxt->session) {
434	gnutls_alert_send(ctxt->session, GNUTLS_AL_FATAL,
435	gnutls_error_to_alert(ret,
436	NULL));
437	gnutls_deinit(ctxt->session);
438	}
439	ctxt->session = NULL;
440	return ret;
441	} else {
442	/* all done with the handshake */
443	ctxt->status = 1;
444	/* If the session was resumed, we did not set the correct
445	* server_rec in ctxt->sc. Go Find it. (ick!)
446	*/
447	if (gnutls_session_is_resumed(ctxt->session)) {
448	mgs_srvconf_rec *sc;
449	sc = mgs_find_sni_server(ctxt->session);
450	if (sc) {
451	ctxt->sc = sc;
452	}
453	}
454	return GNUTLS_E_SUCCESS;
455	}
456	}
457
458	int mgs_rehandshake(mgs_handle_t * ctxt) {
459	int rv;
460
461	if (ctxt->session == NULL)
462	return -1;
463
464	rv = gnutls_rehandshake(ctxt->session);
465
466	if (rv != 0) {
467	/* the client did not want to rehandshake. goodbye */
468	ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
469	"GnuTLS: Client Refused Rehandshake request.");
470	return -1;
471	}
472
473	ctxt->status = 0;
474
475	rv = gnutls_do_handshake(ctxt);
476
477	return rv;
478	}
479
480
481
482	/**
483	* Close the TLS session associated with the given connection
484	* structure and free its resources
485	*/
486	static int mgs_bye(mgs_handle_t* ctxt)
487	{
488	int ret = GNUTLS_E_SUCCESS;
489	/* End Of Connection */
490	if (ctxt->session != NULL)
491	{
492	/* Try A Clean Shutdown */
493	do {
494	ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR);
495	} while (ret == GNUTLS_E_INTERRUPTED \|\| ret == GNUTLS_E_AGAIN);
496	if (ret != GNUTLS_E_SUCCESS)
497	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
498	"%s: Error while closing TLS %sconnection: "
499	"'%s' (%d)",
500	__func__, IS_PROXY_STR(ctxt),
501	gnutls_strerror(ret), (int) ret);
502	else
503	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
504	"%s: TLS %sconnection closed.",
505	__func__, IS_PROXY_STR(ctxt));
506	/* De-Initialize Session */
507	gnutls_deinit(ctxt->session);
508	ctxt->session = NULL;
509	}
510	return ret;
511	}
512
513
514
515	apr_status_t mgs_filter_input(ap_filter_t * f,
516	apr_bucket_brigade * bb,
517	ap_input_mode_t mode,
518	apr_read_type_e block, apr_off_t readbytes)
519	{
520	apr_status_t status = APR_SUCCESS;
521	mgs_handle_t ctxt = (mgs_handle_t ) f->ctx;
522	apr_size_t len = sizeof (ctxt->input_buffer);
523
524	if (f->c->aborted) {
525	apr_bucket *bucket =
526	apr_bucket_eos_create(f->c->bucket_alloc);
527	APR_BRIGADE_INSERT_TAIL(bb, bucket);
528	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
529	"%s: %sconnection aborted",
530	__func__, IS_PROXY_STR(ctxt));
531	return APR_ECONNABORTED;
532	}
533
534	if (ctxt->status == 0) {
535	int ret = gnutls_do_handshake(ctxt);
536	if (ret == GNUTLS_E_SUCCESS)
537	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
538	"%s: TLS %sconnection opened.",
539	__func__, IS_PROXY_STR(ctxt));
540	}
541
542	if (ctxt->status < 0) {
543	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
544	"%s %s: ap_get_brigade", __func__, IS_PROXY_STR(ctxt));
545	return ap_get_brigade(f->next, bb, mode, block, readbytes);
546	}
547
548	/* XXX: we don't currently support anything other than these modes. */
549	if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE &&
550	mode != AP_MODE_SPECULATIVE && mode != AP_MODE_INIT) {
551	return APR_ENOTIMPL;
552	}
553
554	ctxt->input_mode = mode;
555	ctxt->input_block = block;
556
557	if (ctxt->input_mode == AP_MODE_READBYTES \|\|
558	ctxt->input_mode == AP_MODE_SPECULATIVE) {
559	if (readbytes < 0) {
560	/* you're asking us to speculatively read a negative number of bytes! */
561	return APR_ENOTIMPL;
562	}
563	/* Err. This is bad. readbytes can be a 64bit int! len.. is NOT */
564	if ((apr_size_t) readbytes < len) {
565	len = (apr_size_t) readbytes;
566	}
567	status =
568	gnutls_io_input_read(ctxt, ctxt->input_buffer, &len);
569	} else if (ctxt->input_mode == AP_MODE_GETLINE) {
570	status =
571	gnutls_io_input_getline(ctxt, ctxt->input_buffer,
572	&len);
573	} else {
574	/* We have no idea what you are talking about, so return an error. */
575	return APR_ENOTIMPL;
576	}
577
578	if (status != APR_SUCCESS)
579	{
580	/* no data for nonblocking read, return APR_EAGAIN */
581	if ((block == APR_NONBLOCK_READ) && APR_STATUS_IS_EINTR(status))
582	return APR_EAGAIN;
583
584	/* Close TLS session and free resources on EOF,
585	* gnutls_io_filter_error will add an EOS bucket */
586	if (APR_STATUS_IS_EOF(status))
587	mgs_bye(ctxt);
588
589	return gnutls_io_filter_error(f, bb, status);
590	}
591
592	/* Create a transient bucket out of the decrypted data. */
593	if (len > 0) {
594	apr_bucket *bucket =
595	apr_bucket_transient_create(ctxt->input_buffer, len,
596	f->c->bucket_alloc);
597	APR_BRIGADE_INSERT_TAIL(bb, bucket);
598	}
599
600	return status;
601	}
602
603	static ssize_t write_flush(mgs_handle_t * ctxt) {
604	apr_bucket *e;
605
606	if (!(ctxt->output_blen \|\| ctxt->output_length)) {
607	ctxt->output_rc = APR_SUCCESS;
608	return 1;
609	}
610
611	if (ctxt->output_blen) {
612	e = apr_bucket_transient_create(ctxt->output_buffer,
613	ctxt->output_blen,
614	ctxt->output_bb->
615	bucket_alloc);
616	/* we filled this buffer first so add it to the
617	* * head of the brigade
618	* */
619	APR_BRIGADE_INSERT_HEAD(ctxt->output_bb, e);
620	ctxt->output_blen = 0;
621	}
622
623	ctxt->output_length = 0;
624	e = apr_bucket_flush_create(ctxt->output_bb->bucket_alloc);
625	APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, e);
626
627	ctxt->output_rc = ap_pass_brigade(ctxt->output_filter->next,
628	ctxt->output_bb);
629	/* clear the brigade to be ready for next time */
630	apr_brigade_cleanup(ctxt->output_bb);
631
632	return (ctxt->output_rc == APR_SUCCESS) ? 1 : -1;
633	}
634
635	apr_status_t mgs_filter_output(ap_filter_t * f, apr_bucket_brigade * bb) {
636	int ret;
637	mgs_handle_t ctxt = (mgs_handle_t ) f->ctx;
638	apr_status_t status = APR_SUCCESS;
639	apr_read_type_e rblock = APR_NONBLOCK_READ;
640
641	if (f->c->aborted) {
642	apr_brigade_cleanup(bb);
643	return APR_ECONNABORTED;
644	}
645
646	if (ctxt->status == 0) {
647	ret = gnutls_do_handshake(ctxt);
648	if (ret == GNUTLS_E_SUCCESS)
649	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
650	"%s: TLS %sconnection opened.",
651	__func__, IS_PROXY_STR(ctxt));
652	}
653
654	if (ctxt->status < 0) {
655	return ap_pass_brigade(f->next, bb);
656	}
657
658	while (!APR_BRIGADE_EMPTY(bb)) {
659	apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
660
661	if (APR_BUCKET_IS_EOS(bucket)) {
662	return ap_pass_brigade(f->next, bb);
663	} else if (APR_BUCKET_IS_FLUSH(bucket)) {
664	/* Try Flush */
665	if (write_flush(ctxt) < 0) {
666	/* Flush Error */
667	return ctxt->output_rc;
668	}
669	/* cleanup! */
670	apr_bucket_delete(bucket);
671	} else if (AP_BUCKET_IS_EOC(bucket)) {
672	/* End Of Connection, close TLS session and free
673	* resources */
674	mgs_bye(ctxt);
675	/* cleanup! */
676	apr_bucket_delete(bucket);
677	/* Pass next brigade! */
678	return ap_pass_brigade(f->next, bb);
679	} else {
680	/* filter output */
681	const char *data;
682	apr_size_t len;
683
684	status = apr_bucket_read(bucket, &data, &len, rblock);
685
686	if (APR_STATUS_IS_EAGAIN(status)) {
687	/* No data available so Flush! */
688	if (write_flush(ctxt) < 0) {
689	return ctxt->output_rc;
690	}
691	/* Try again with a blocking read. */
692	rblock = APR_BLOCK_READ;
693	continue;
694	}
695
696	rblock = APR_NONBLOCK_READ;
697
698	if (!APR_STATUS_IS_EOF(status)
699	&& (status != APR_SUCCESS)) {
700	return status;
701	}
702
703	if (len > 0) {
704
705	if (ctxt->session == NULL) {
706	ret = GNUTLS_E_INVALID_REQUEST;
707	} else {
708	do {
709	ret =
710	gnutls_record_send
711	(ctxt->session, data,
712	len);
713	} while (ret == GNUTLS_E_INTERRUPTED
714	\|\| ret == GNUTLS_E_AGAIN);
715	}
716
717	if (ret < 0) {
718	/* error sending output */
719	ap_log_cerror(APLOG_MARK, APLOG_INFO, ctxt->output_rc,
720	ctxt->c,
721	"GnuTLS: Error writing data. (%d) '%s'",
722	ret, gnutls_strerror(ret));
723	if (ctxt->output_rc == APR_SUCCESS) {
724	ctxt->output_rc =
725	APR_EGENERAL;
726	return ctxt->output_rc;
727	}
728	} else if ((apr_size_t)(ret) != len) {
729	/* we know the above cast is OK because len > 0 and ret >= 0 */
730	/* Not able to send the entire bucket,
731	split it and send it again. */
732	apr_bucket_split(bucket, ret);
733	}
734	}
735
736	apr_bucket_delete(bucket);
737	}
738	}
739
740	return status;
741	}
742
743	/**
744	* Pull function for GnuTLS
745	*
746	* Generic errnos used for gnutls_transport_set_errno:
747	* EIO: Unknown I/O error
748	* ECONNABORTED: Input BB does not exist (NULL)
749	*
750	* The reason we are not using APR_TO_OS_ERROR to map apr_status_t to
751	* errnos is this warning in the APR documentation: "If the statcode
752	* was not created by apr_get_os_error or APR_FROM_OS_ERROR, the
753	* results are undefined." We cannot know if this applies to any error
754	* we might encounter.
755	*/
756	ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
757	void *buffer, size_t len)
758	{
759	mgs_handle_t *ctxt = ptr;
760	apr_status_t rc;
761	apr_size_t in = len;
762	apr_read_type_e block = ctxt->input_block;
763
764	ctxt->input_rc = APR_SUCCESS;
765
766	/* If Len = 0, we don't do anything. */
767	if (!len \|\| buffer == NULL)
768	{
769	return 0;
770	}
771	/* Input bucket brigade is missing, EOF */
772	if (!ctxt->input_bb)
773	{
774	ctxt->input_rc = APR_EOF;
775	gnutls_transport_set_errno(ctxt->session, ECONNABORTED);
776	return -1;
777	}
778
779	if (APR_BRIGADE_EMPTY(ctxt->input_bb))
780	{
781	rc = ap_get_brigade(ctxt->input_filter->next,
782	ctxt->input_bb, AP_MODE_READBYTES,
783	ctxt->input_block, in);
784
785	/* Not a problem, there was simply no data ready yet.
786	*/
787	if (APR_STATUS_IS_EAGAIN(rc) \|\| APR_STATUS_IS_EINTR(rc)
788	\|\| (rc == APR_SUCCESS
789	&& APR_BRIGADE_EMPTY(ctxt->input_bb)))
790	{
791	if (APR_STATUS_IS_EOF(ctxt->input_rc))
792	{
793	return 0;
794	}
795	else
796	{
797	gnutls_transport_set_errno(ctxt->session,
798	EAI_APR_TO_RAW(ctxt->input_rc));
799	return -1;
800	}
801	}
802
803	if (rc != APR_SUCCESS)
804	{
805	/* Unexpected errors discard the brigade */
806	apr_brigade_cleanup(ctxt->input_bb);
807	ctxt->input_bb = NULL;
808	gnutls_transport_set_errno(ctxt->session, EIO);
809	return -1;
810	}
811	}
812
813	ctxt->input_rc = brigade_consume(ctxt->input_bb, block, buffer, &len);
814
815	if (ctxt->input_rc == APR_SUCCESS)
816	{
817	return (ssize_t) len;
818	}
819
820	if (APR_STATUS_IS_EAGAIN(ctxt->input_rc)
821	\|\| APR_STATUS_IS_EINTR(ctxt->input_rc))
822	{
823	if (len == 0)
824	{
825	gnutls_transport_set_errno(ctxt->session,
826	EAI_APR_TO_RAW(ctxt->input_rc));
827	return -1;
828	}
829
830	return (ssize_t) len;
831	}
832
833	/* Unexpected errors and APR_EOF clean out the brigade.
834	* Subsequent calls will return APR_EOF. */
835	apr_brigade_cleanup(ctxt->input_bb);
836	ctxt->input_bb = NULL;
837
838	if (APR_STATUS_IS_EOF(ctxt->input_rc) && len)
839	{
840	/* Some data has been received before EOF, return it. */
841	return (ssize_t) len;
842	}
843
844	gnutls_transport_set_errno(ctxt->session, EIO);
845	return -1;
846	}
847
848	/**
849	* Push function for GnuTLS
850	*
851	* In case of unexpected errors gnutls_transport_set_errno is called
852	* with EIO. The reason we are not using APR_TO_OS_ERROR to map
853	* apr_status_t to errnos is this warning in the APR documentation:
854	* "If the statcode was not created by apr_get_os_error or
855	* APR_FROM_OS_ERROR, the results are undefined." We cannot know if
856	* this applies to any error we might encounter.
857	*/
858	ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
859	const void *buffer, size_t len)
860	{
861	mgs_handle_t *ctxt = ptr;
862
863	/* pass along the encrypted data
864	* need to flush since we're using SSL's malloc-ed buffer
865	* which will be overwritten once we leave here
866	*/
867	apr_bucket *bucket = apr_bucket_transient_create(buffer, len,
868	ctxt->output_bb->
869	bucket_alloc);
870	ctxt->output_length += len;
871	APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, bucket);
872
873	if (write_flush(ctxt) < 0)
874	{
875	/* We encountered an error. APR_EINTR or APR_EAGAIN can be
876	* handled, treat everything else as a generic I/O error. */
877	int err = EIO;
878	if (APR_STATUS_IS_EAGAIN(ctxt->output_rc)
879	\|\| APR_STATUS_IS_EINTR(ctxt->output_rc))
880	err = EAI_APR_TO_RAW(ctxt->output_rc);
881
882	gnutls_transport_set_errno(ctxt->session, err);
883	return -1;
884	}
885	return len;
886	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/gnutls_io.c @ 7511bfa

Download in other formats: