Context Navigation

source: mod_gnutls/src/mod_gnutls.c @ 76bd3bf

Visit:

debian/masterdebian/stretch-backportsjessie-backportsmsvaupstream

Last change on this file since 76bd3bf was 76bd3bf, checked in by Paul Querna <chip@…>, 15 years ago
add check for apr_memcache
Property mode set to `100644`
File size: 12.4 KB

Line
1	/* ====================================================================
2	* Copyright 2004 Paul Querna
3	*
4	* Licensed under the Apache License, Version 2.0 (the "License");
5	* you may not use this file except in compliance with the License.
6	* You may obtain a copy of the License at
7	*
8	* http://www.apache.org/licenses/LICENSE-2.0
9	*
10	* Unless required by applicable law or agreed to in writing, software
11	* distributed under the License is distributed on an "AS IS" BASIS,
12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	* See the License for the specific language governing permissions and
14	* limitations under the License.
15	*
16	*/
17
18	#include "mod_gnutls.h"
19
20	#if APR_HAS_THREADS
21	GCRY_THREAD_OPTION_PTHREAD_IMPL;
22	#endif
23
24	static apr_status_t mod_gnutls_cleanup_pre_config(void *data)
25	{
26	gnutls_global_deinit();
27	return APR_SUCCESS;
28	}
29
30	static int mod_gnutls_hook_pre_config(apr_pool_t * pconf,
31	apr_pool_t * plog, apr_pool_t * ptemp)
32	{
33
34	#if APR_HAS_THREADS
35	gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
36	#endif
37
38	gnutls_global_init();
39
40	apr_pool_cleanup_register(pconf, NULL, mod_gnutls_cleanup_pre_config,
41	apr_pool_cleanup_null);
42
43	return OK;
44	}
45
46	#define DH_BITS 1024
47	#ifdef USE_RSA
48	#define RSA_BITS 512
49	#endif
50	static int mod_gnutls_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
51	apr_pool_t * ptemp,
52	server_rec * base_server)
53	{
54	mod_gnutls_srvconf_rec *sc;
55	void *data = NULL;
56	int first_run = 0;
57	server_rec *s;
58	gnutls_dh_params_t dh_params;
59	#ifdef USE_RSA
60	gnutls_rsa_params_t rsa_params;
61	#endif
62	const char *userdata_key = "mod_gnutls_init";
63
64	apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
65	if (data == NULL) {
66	first_run = 1;
67	apr_pool_userdata_set((const void *)1, userdata_key,
68	apr_pool_cleanup_null,
69	base_server->process->pool);
70	}
71
72
73	if(first_run) {
74	/* TODO: Should we regenerate these after X requests / X time ? */
75	gnutls_dh_params_init(&dh_params);
76	gnutls_dh_params_generate2(dh_params, DH_BITS);
77	#ifdef USE_RSA
78	gnutls_rsa_params_init(&rsa_params);
79	gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
80	#endif
81	}
82
83	for (s = base_server; s; s = s->next) {
84	sc = (mod_gnutls_srvconf_rec *) ap_get_module_config(s->module_config,
85	&gnutls_module);
86	if (sc->cert_file != NULL && sc->key_file != NULL) {
87	gnutls_certificate_set_x509_key_file(sc->certs, sc->cert_file,
88	sc->key_file,
89	GNUTLS_X509_FMT_PEM);
90	#ifdef USE_RSA
91	gnutls_certificate_set_rsa_export_params(sc->certs, rsa_params);
92	#endif
93	gnutls_certificate_set_dh_params(sc->certs, dh_params);
94	}
95	else if (sc->enabled == GNUTLS_ENABLED_TRUE) {
96	ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
97	"[GnuTLS] - Host '%s:%d' is missing a Cert and Key File!",
98	s->server_hostname, s->port);
99	}
100	}
101
102
103	ap_add_version_component(p, "GnuTLS/" LIBGNUTLS_VERSION);
104
105	return OK;
106	}
107
108	static const char mod_gnutls_hook_http_method(const request_rec r)
109	{
110	mod_gnutls_srvconf_rec *sc =
111	(mod_gnutls_srvconf_rec *) ap_get_module_config(r->server->
112	module_config,
113	&gnutls_module);
114
115	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
116	return NULL;
117	}
118
119	return "https";
120	}
121
122	static apr_port_t mod_gnutls_hook_default_port(const request_rec * r)
123	{
124	mod_gnutls_srvconf_rec *sc =
125	(mod_gnutls_srvconf_rec *) ap_get_module_config(r->server->
126	module_config,
127	&gnutls_module);
128
129	if (sc->enabled == GNUTLS_ENABLED_FALSE) {
130	return 0;
131	}
132
133	return 443;
134	}
135
136	static mod_gnutls_handle_t* create_gnutls_handle(apr_pool_t* pool, conn_rec * c)
137	{
138	mod_gnutls_handle_t *ctxt;
139	mod_gnutls_srvconf_rec *sc =
140	(mod_gnutls_srvconf_rec *) ap_get_module_config(c->base_server->
141	module_config,
142	&gnutls_module);
143
144	ctxt = apr_pcalloc(pool, sizeof(*ctxt));
145	ctxt->c = c;
146	ctxt->sc = sc;
147	ctxt->status = 0;
148
149	ctxt->input_rc = APR_SUCCESS;
150	ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
151	ctxt->input_cbuf.length = 0;
152
153	ctxt->output_rc = APR_SUCCESS;
154	ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
155	ctxt->output_blen = 0;
156	ctxt->output_length = 0;
157
158	gnutls_init(&ctxt->session, GNUTLS_SERVER);
159
160	gnutls_cipher_set_priority(ctxt->session, sc->ciphers);
161	gnutls_compression_set_priority(ctxt->session, sc->compression);
162	gnutls_kx_set_priority(ctxt->session, sc->key_exchange);
163	gnutls_protocol_set_priority(ctxt->session, sc->protocol);
164	gnutls_mac_set_priority(ctxt->session, sc->macs);
165
166	gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, sc->certs);
167	// if(anon) {
168	// gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, sc->anoncred);
169	// }
170
171	gnutls_certificate_server_set_request(ctxt->session, GNUTLS_CERT_IGNORE);
172
173	gnutls_dh_set_prime_bits(ctxt->session, DH_BITS);
174
175	return ctxt;
176	}
177
178	static int mod_gnutls_hook_pre_connection(conn_rec * c, void *csd)
179	{
180	mod_gnutls_handle_t *ctxt;
181	mod_gnutls_srvconf_rec *sc =
182	(mod_gnutls_srvconf_rec *) ap_get_module_config(c->base_server->
183	module_config,
184	&gnutls_module);
185
186	if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
187	return DECLINED;
188	}
189
190	ctxt = create_gnutls_handle(c->pool, c);
191
192	ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
193
194	gnutls_transport_set_pull_function(ctxt->session,
195	mod_gnutls_transport_read);
196	gnutls_transport_set_push_function(ctxt->session,
197	mod_gnutls_transport_write);
198	gnutls_transport_set_ptr(ctxt->session, ctxt);
199	ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
200	ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
201
202	return OK;
203	}
204
205	static int mod_gnutls_hook_fixups(request_rec *r)
206	{
207	const char* tmp;
208	mod_gnutls_handle_t *ctxt;
209	apr_table_t *env = r->subprocess_env;
210
211	ctxt = ap_get_module_config(r->connection->conn_config, &gnutls_module);
212
213	if(!ctxt) {
214	return DECLINED;
215	}
216	apr_table_setn(env, "HTTPS", "on");
217	apr_table_setn(env, "SSL_PROTOCOL",
218	gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
219	apr_table_setn(env, "SSL_CIPHER",
220	gnutls_cipher_get_name(gnutls_cipher_get(ctxt->session)));
221
222	tmp = apr_psprintf(r->pool, "%d",
223	8 * gnutls_cipher_get_key_size(gnutls_cipher_get(ctxt->session)));
224
225	apr_table_setn(env, "SSL_CIPHER_USEKEYSIZE", tmp);
226	apr_table_setn(env, "SSL_CIPHER_ALGKEYSIZE", tmp);
227
228	return OK;
229	}
230
231	static const char gnutls_set_cert_file(cmd_parms parms, void *dummy,
232	const char *arg)
233	{
234	mod_gnutls_srvconf_rec *sc =
235	(mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
236	module_config,
237	&gnutls_module);
238	sc->cert_file = ap_server_root_relative(parms->pool, arg);
239	return NULL;
240	}
241
242	static const char gnutls_set_key_file(cmd_parms parms, void *dummy,
243	const char *arg)
244	{
245	mod_gnutls_srvconf_rec *sc =
246	(mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
247	module_config,
248	&gnutls_module);
249	sc->key_file = ap_server_root_relative(parms->pool, arg);
250	return NULL;
251	}
252
253	static const char gnutls_set_enabled(cmd_parms parms, void *dummy,
254	const char *arg)
255	{
256	mod_gnutls_srvconf_rec *sc =
257	(mod_gnutls_srvconf_rec *) ap_get_module_config(parms->server->
258	module_config,
259	&gnutls_module);
260	if (!strcasecmp(arg, "On")) {
261	sc->enabled = GNUTLS_ENABLED_TRUE;
262	}
263	else if (!strcasecmp(arg, "Off")) {
264	sc->enabled = GNUTLS_ENABLED_FALSE;
265	}
266	else {
267	return "GnuTLSEnable must be set to 'On' or 'Off'";
268	}
269
270	return NULL;
271	}
272
273	static const command_rec gnutls_cmds[] = {
274	AP_INIT_TAKE1("GnuTLSCertificateFile", gnutls_set_cert_file,
275	NULL,
276	RSRC_CONF,
277	"SSL Server Key file"),
278	AP_INIT_TAKE1("GnuTLSKeyFile", gnutls_set_key_file,
279	NULL,
280	RSRC_CONF,
281	"SSL Server Certificate file"),
282	AP_INIT_TAKE1("GnuTLSEnable", gnutls_set_enabled,
283	NULL, RSRC_CONF,
284	"Whether this server has GnuTLS Enabled. Default: Off"),
285
286	{NULL}
287	};
288
289	/* TODO: CACertificateFile & Client Authentication
290	* AP_INIT_TAKE1("GnuTLSCACertificateFile", ap_set_server_string_slot,
291	* (void *) APR_OFFSETOF(gnutls_srvconf_rec, key_file), NULL,
292	* RSRC_CONF,
293	* "CA"),
294	*/
295
296	static void gnutls_hooks(apr_pool_t * p)
297	{
298	ap_hook_pre_connection(mod_gnutls_hook_pre_connection, NULL, NULL,
299	APR_HOOK_MIDDLE);
300	ap_hook_post_config(mod_gnutls_hook_post_config, NULL, NULL,
301	APR_HOOK_MIDDLE);
302	ap_hook_http_method(mod_gnutls_hook_http_method, NULL, NULL,
303	APR_HOOK_MIDDLE);
304	ap_hook_default_port(mod_gnutls_hook_default_port, NULL, NULL,
305	APR_HOOK_MIDDLE);
306	ap_hook_pre_config(mod_gnutls_hook_pre_config, NULL, NULL,
307	APR_HOOK_MIDDLE);
308
309	ap_hook_fixups(mod_gnutls_hook_fixups, NULL, NULL, APR_HOOK_MIDDLE);
310
311	/* TODO: HTTP Upgrade Filter */
312	/* ap_register_output_filter ("UPGRADE_FILTER",
313	* ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
314	*/
315	ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME,
316	mod_gnutls_filter_input, NULL,
317	AP_FTYPE_CONNECTION + 5);
318	ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
319	mod_gnutls_filter_output, NULL,
320	AP_FTYPE_CONNECTION + 5);
321	}
322
323	static void gnutls_config_server_create(apr_pool_t p, server_rec * s)
324	{
325	int i;
326	mod_gnutls_srvconf_rec sc = apr_pcalloc(p, sizeof(sc));
327
328	sc->enabled = GNUTLS_ENABLED_FALSE;
329
330	gnutls_certificate_allocate_credentials(&sc->certs);
331	gnutls_anon_allocate_server_credentials(&sc->anoncred);
332	sc->key_file = NULL;
333	sc->cert_file = NULL;
334
335	i = 0;
336	sc->ciphers[i++] = GNUTLS_CIPHER_AES_256_CBC;
337	sc->ciphers[i++] = GNUTLS_CIPHER_AES_128_CBC;
338	sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_128;
339	sc->ciphers[i++] = GNUTLS_CIPHER_3DES_CBC;
340	sc->ciphers[i++] = GNUTLS_CIPHER_ARCFOUR_40;
341	sc->ciphers[i] = 0;
342
343	i = 0;
344	sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
345	sc->key_exchange[i++] = GNUTLS_KX_RSA;
346	sc->key_exchange[i++] = GNUTLS_KX_DHE_RSA;
347	sc->key_exchange[i++] = GNUTLS_KX_RSA_EXPORT;
348	sc->key_exchange[i++] = GNUTLS_KX_DHE_DSS;
349	sc->key_exchange[i] = 0;
350
351	i = 0;
352	sc->macs[i++] = GNUTLS_MAC_SHA;
353	sc->macs[i++] = GNUTLS_MAC_MD5;
354	sc->macs[i++] = GNUTLS_MAC_RMD160;
355	sc->macs[i] = 0;
356
357	i = 0;
358	sc->protocol[i++] = GNUTLS_TLS1_1;
359	sc->protocol[i++] = GNUTLS_TLS1;
360	sc->protocol[i++] = GNUTLS_SSL3;
361	sc->protocol[i] = 0;
362
363	i = 0;
364	sc->compression[i++] = GNUTLS_COMP_NULL;
365	sc->compression[i++] = GNUTLS_COMP_ZLIB;
366	sc->compression[i++] = GNUTLS_COMP_LZO;
367	sc->compression[i] = 0;
368
369	return sc;
370	}
371
372
373
374	module AP_MODULE_DECLARE_DATA gnutls_module = {
375	STANDARD20_MODULE_STUFF,
376	NULL,
377	NULL,
378	gnutls_config_server_create,
379	NULL,
380	/* gnutls_config_server_merge, */
381	gnutls_cmds,
382	gnutls_hooks
383	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: