Changeset 671b64f in mod_gnutls
- Timestamp:
- Dec 3, 2013, 6:49:15 PM (9 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream
- Children:
- 5a3ab3c
- Parents:
- 9720026
- git-author:
- Daniel Kahn Gillmor <dkg@…> (12/03/13 17:55:23)
- git-committer:
- Daniel Kahn Gillmor <dkg@…> (12/03/13 18:49:15)
- Files:
-
- 7 edited
include/mod_gnutls.h.in
r9720026 r671b64f 57 57 #define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@ 58 58 59 /* 60 * Recent Versions of 2.1 renamed several hooks. 61 * This allows us to compile on 2.0.xx 59 /* 60 * Recent Versions of 2.1 renamed several hooks. 61 * This allows us to compile on 2.0.xx 62 62 */ 63 63 #if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3) … … 65 65 #else 66 66 #define USING_2_1_RECENT 0 67 #endif 67 #endif 68 68 69 69 /* mod_gnutls Cache Types */ … … 105 105 typedef struct { 106 106 /* x509 Certificate Structure */ 107 gnutls_certificate_credentials_t certs; 107 gnutls_certificate_credentials_t certs; 108 108 /* SRP Certificate Structure*/ 109 109 gnutls_srp_server_credentials_t srp_creds; … … 152 152 apr_time_t last_cache_check; 153 153 /* GnuTLS uses Session Tickets */ 154 int tickets; 154 int tickets; 155 155 /* Is mod_proxy enabled? */ 156 156 int proxy_enabled; … … 255 255 256 256 /** 257 * mgs_transport_read is called from GnuTLS to provide encrypted 257 * mgs_transport_read is called from GnuTLS to provide encrypted 258 258 * data from the client. 259 259 * … … 267 267 268 268 /** 269 * mgs_transport_write is called from GnuTLS to 269 * mgs_transport_write is called from GnuTLS to 270 270 * write data to the client. 
271 271 * … … 286 286 * Init the Cache after Configuration is done 287 287 */ 288 int mgs_cache_post_config(apr_pool_t *p, server_rec *s, 288 int mgs_cache_post_config(apr_pool_t *p, server_rec *s, 289 289 mgs_srvconf_rec *sc); 290 290 /** 291 291 * Init the Cache inside each Process 292 292 */ 293 int mgs_cache_child_init(apr_pool_t *p, server_rec *s, 293 int mgs_cache_child_init(apr_pool_t *p, server_rec *s, 294 294 mgs_srvconf_rec *sc); 295 295 /** … … 300 300 #define GNUTLS_SESSION_ID_STRING_LEN \ 301 301 ((GNUTLS_MAX_SESSION_ID + 1) * 2) 302 302 303 303 /** 304 304 * Convert a SSL Session ID into a Null Terminated Hex Encoded String … … 366 366 const char *mgs_set_tickets(cmd_parms * parms, void *dummy, 367 367 const char *arg); 368 369 const char *mgs_set_require_section(cmd_parms *cmd, 368 369 const char *mgs_set_require_section(cmd_parms *cmd, 370 370 void *mconfig, const char *arg); 371 371 void *mgs_config_server_create(apr_pool_t * p, server_rec * s); … … 376 376 void *mgs_config_dir_create(apr_pool_t *p, char *dir); 377 377 378 const char *mgs_set_require_bytecode(cmd_parms *cmd, 378 const char *mgs_set_require_bytecode(cmd_parms *cmd, 379 379 void *mconfig, const char *arg); 380 380 -
src/Makefile.am
r9720026 r671b64f 1 1 CLEANFILES = .libs/libmod_gnutls *~ 2 2 3 libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c 3 libmod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c 4 4 libmod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS} 5 5 libmod_gnutls_la_LDFLAGS = -rpath ${AP_LIBEXECDIR} -module -avoid-version ${MODULE_LIBS} … … 10 10 @if test ! -L mod_gnutls.so ; then ln -s .libs/libmod_gnutls.so mod_gnutls.so ; fi 11 11 12 clean: 12 clean: 13 13 rm -f mod_gnutls.so 14 rm -f *.o *.lo *.la 14 rm -f *.o *.lo *.la 15 15 rm -fr .libs 16 16 -
src/gnutls_cache.c
r9720026 r671b64f 35 35 #endif 36 36 37 /* it seems the default has some strange errors. Use SDBM 37 /* it seems the default has some strange errors. Use SDBM 38 38 */ 39 39 #define MC_TAG "mod_gnutls:" … … 566 566 sc->cache_type = mgs_cache_none; 567 567 /* if GnuTLSCacheTimeout was never explicitly set: */ 568 if (sc->cache_timeout == -1) 568 if (sc->cache_timeout == -1) 569 569 sc->cache_timeout = apr_time_from_sec(300); 570 570 -
src/gnutls_config.c
r9720026 r671b64f 119 119 return apr_psprintf(parms->pool, "GnuTLS: Failed to Import Certificate '%s': (%d) %s", file, ret, gnutls_strerror(ret)); 120 120 } 121 121 122 122 apr_pool_destroy(spool); 123 123 return NULL; … … 134 134 135 135 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config(parms->server->module_config, &gnutls_module); 136 136 137 137 apr_pool_create(&spool, parms->pool); 138 138 … … 518 518 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, 519 519 const char *arg) { 520 521 mgs_srvconf_rec *sc =(mgs_srvconf_rec *) 520 521 mgs_srvconf_rec *sc =(mgs_srvconf_rec *) 522 522 ap_get_module_config(parms->server->module_config, &gnutls_module); 523 523 524 524 if (!strcasecmp(arg, "On")) { 525 525 sc->proxy_enabled = GNUTLS_ENABLED_TRUE; … … 569 569 const char *err; 570 570 571 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 571 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 572 572 ap_get_module_config(parms->server->module_config, &gnutls_module); 573 573 … … 576 576 if (ret < 0) { 577 577 if (ret == GNUTLS_E_INVALID_REQUEST) { 578 return apr_psprintf(parms->pool, 578 return apr_psprintf(parms->pool, 579 579 "GnuTLS: Syntax error parsing priorities string at: %s", err); 580 580 } … … 635 635 sc->proxy_enabled = GNUTLS_ENABLED_UNSET; 636 636 sc->export_certificates_enabled = GNUTLS_ENABLED_UNSET; 637 sc->client_verify_method = mgs_cvm_unset; 638 637 sc->client_verify_method = mgs_cvm_unset; 638 639 639 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */ 640 sc->client_verify_mode = -1; 640 sc->client_verify_mode = -1; 641 641 642 642 return sc; … … 675 675 * properly disposed of before assigning in order to avoid leaks; 676 676 * so at the moment, we can't actually have them in the config. 677 * what happens during de-allocation? 677 * what happens during de-allocation? 678 678 679 679 * This is probably leaky. -
src/gnutls_hooks.c
r9720026 r671b64f 87 87 gnutls_global_set_log_function(gnutls_debug_log_all); 88 88 _gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL)); 89 #endif 89 #endif 90 90 91 91 int ret; … … 163 163 } 164 164 165 static int cert_retrieve_fn(gnutls_session_t session, 166 const gnutls_datum_t * req_ca_rdn, int nreqs, 167 const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length, 165 static int cert_retrieve_fn(gnutls_session_t session, 166 const gnutls_datum_t * req_ca_rdn, int nreqs, 167 const gnutls_pk_algorithm_t * pk_algos, int pk_algos_length, 168 168 gnutls_retr2_st *ret) { 169 170 169 170 171 171 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 172 172 … … 193 193 // OPENPGP CERTIFICATE 194 194 ret->cert_type = GNUTLS_CRT_OPENPGP; 195 ret->key_type = GNUTLS_PRIVKEY_OPENPGP; 195 ret->key_type = GNUTLS_PRIVKEY_OPENPGP; 196 196 ret->ncerts = 1; 197 197 ret->deinit_all = 0; … … 326 326 sizeof(static_dh_params) 327 327 }; 328 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, GNUTLS_X509_FMT_PEM); 329 /* Generate DH Params 328 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, GNUTLS_X509_FMT_PEM); 329 /* Generate DH Params 330 330 int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, 331 331 GNUTLS_SEC_PARAM_NORMAL); … … 333 333 "GnuTLS: Generating DH Params of %i bits. 
" 334 334 "To avoid this use GnuTLSDHFile to specify DH Params for this host", 335 dh_bits); 335 dh_bits); 336 336 #if MOD_GNUTLS_DEBUG 337 337 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, 338 338 "GnuTLS: Generated DH Params of %i bits",dh_bits); 339 #endif 339 #endif 340 340 rv = gnutls_dh_params_generate2 (dh_params,dh_bits); 341 341 */ … … 345 345 rv, gnutls_strerror(rv)); 346 346 exit(rv); 347 } 347 } 348 348 } else { 349 349 dh_params = sc_base->dh_params; … … 388 388 if (sc->dh_params != NULL) { 389 389 gnutls_certificate_set_dh_params(sc->certs, sc->dh_params); 390 gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params); 390 gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params); 391 391 } else if (dh_params) { 392 392 gnutls_certificate_set_dh_params(sc->certs, dh_params); 393 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); 393 gnutls_anon_set_server_dh_params(sc->anon_creds, dh_params); 394 394 } 395 395 … … 416 416 if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) && 417 417 sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { 418 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 419 "[GnuTLS] - Host '%s:%d' is missing a Certificate File!", 418 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 419 "[GnuTLS] - Host '%s:%d' is missing a Certificate File!", 420 420 s->server_hostname, s->port); 421 421 exit(-1); … … 425 425 ((sc->certs_x509_chain != NULL && sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) || 426 426 (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) { 427 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 428 "[GnuTLS] - Host '%s:%d' is missing a Private Key File!", 427 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 428 "[GnuTLS] - Host '%s:%d' is missing a Private Key File!", 429 429 s->server_hostname, s->port); 430 430 exit(-1); … … 436 436 rv = read_crt_cn(s, p, sc->certs_x509_chain[0], &sc->cert_cn); 437 437 } 438 if (rv < 0 && sc->cert_pgp != NULL) { 438 if (rv < 0 && sc->cert_pgp != 
NULL) { 439 439 rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn); 440 440 } 441 441 442 442 if (rv < 0) { 443 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 444 "[GnuTLS] - Cannot find a certificate for host '%s:%d'!", 443 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 444 "[GnuTLS] - Cannot find a certificate for host '%s:%d'!", 445 445 s->server_hostname, s->port); 446 446 sc->cert_cn = NULL; … … 470 470 } 471 471 /* Block SIGPIPE Signals */ 472 rv = apr_signal_block(SIGPIPE); 472 rv = apr_signal_block(SIGPIPE); 473 473 if(rv != APR_SUCCESS) { 474 474 /* error sending output */ 475 475 ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, 476 "GnuTLS: Error Blocking SIGPIPE Signal!"); 477 } 476 "GnuTLS: Error Blocking SIGPIPE Signal!"); 477 } 478 478 } 479 479 … … 547 547 name = (char **)names->elts; 548 548 for (i = 0; i < names->nelts; ++i) { 549 if (!name[i]) { continue; } 550 if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) { 549 if (!name[i]) { continue; } 550 if (apr_strnatcasecmp(x->sni_name, name[i]) == 0) { 551 551 // We have a match, save this server configuration 552 552 x->sc = tsc; 553 553 rv = 1; 554 } 554 } 555 555 } 556 556 /* Wild any ServerAlias Directives */ … … 560 560 for (i = 0; i < names->nelts; ++i) { 561 561 if (!name[i]) { continue; } 562 if(apr_fnmatch(name[i], x->sni_name , 562 if(apr_fnmatch(name[i], x->sni_name , 563 563 APR_FNM_CASE_BLIND| 564 564 APR_FNM_PERIOD| 565 565 APR_FNM_PATHNAME| 566 APR_FNM_NOESCAPE) == APR_SUCCESS) { 566 APR_FNM_NOESCAPE) == APR_SUCCESS) { 567 567 x->sc = tsc; 568 rv = 1; 568 rv = 1; 569 569 } 570 570 } … … 577 577 vhost_cb_rec *x = baton; 578 578 int ret; 579 579 580 580 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 581 581 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, … … 585 585 return 0; 586 586 } 587 587 588 588 if (tsc->certs_x509_chain_num > 0) { 589 589 /* why are we doing this check? 
*/ … … 652 652 for (s = ap_server_conf; s; s = s->next) { 653 653 654 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 654 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 655 655 &gnutls_module); 656 656 657 657 if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; } 658 658 659 659 if(check_server_aliases(x, s, tsc)) { 660 660 return tsc; … … 667 667 mgs_handle_t *ctxt; 668 668 /* Get mod_gnutls Configuration Record */ 669 mgs_srvconf_rec *sc =(mgs_srvconf_rec *) 669 mgs_srvconf_rec *sc =(mgs_srvconf_rec *) 670 670 ap_get_module_config(c->base_server->module_config,&gnutls_module); 671 671 … … 696 696 /* Initialize Session Cache */ 697 697 mgs_cache_session_init(ctxt); 698 698 699 699 /* Set this config for this connection */ 700 700 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); … … 706 706 gnutls_transport_set_ptr(ctxt->session, ctxt); 707 707 /* Add IO filters */ 708 ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, 708 ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, 709 709 ctxt, NULL, c); 710 ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, 711 ctxt, NULL, c); 710 ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, 711 ctxt, NULL, c); 712 712 } 713 713 … … 878 878 879 879 /* @param side is either 0 for SERVER or 1 for CLIENT 880 * 880 * 881 881 * @param export_full_cert (boolean) export the PEM-encoded 882 882 * certificate in full as an environment variable. 
… … 907 907 else 908 908 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 909 "GnuTLS: Failed to export X.509 certificate to environment"); 910 } 911 909 "GnuTLS: Failed to export X.509 certificate to environment"); 910 } 911 912 912 len = sizeof (buf); 913 913 gnutls_x509_crt_get_dn(cert, buf, &len); … … 1021 1021 1022 1022 /* @param side 0: server, 1: client 1023 * 1023 * 1024 1024 * @param export_full_cert (boolean) export the PEM-encoded 1025 1025 * certificate in full as an environment variable. … … 1048 1048 else 1049 1049 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 1050 "GnuTLS: Failed to export OpenPGP certificate to environment"); 1050 "GnuTLS: Failed to export OpenPGP certificate to environment"); 1051 1051 } 1052 1052 … … 1221 1221 status = GNUTLS_CERT_INVALID; 1222 1222 rv = -1; 1223 } 1223 } 1224 1224 } else { 1225 1225 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, … … 1238 1238 mgs_readable_cvm(ctxt->sc->client_verify_method)); 1239 1239 } 1240 1240 1241 1241 } else { 1242 1242 apr_time_ansi_put(&expiration_time, … … 1435 1435 apr_pool_t *sp=NULL; 1436 1436 1437 if (APR_SUCCESS != apr_pool_create(&sp, pool)) 1437 if (APR_SUCCESS != apr_pool_create(&sp, pool)) 1438 1438 return NULL; /* i'm assuming that libapr would log this kind 1439 1439 * of error on its own */ 1440 1440 1441 1441 /* Name 1442 1442 1443 1443 the name comes from the leaf commonName of the cert's Subject. 1444 1444 1445 1445 (MAYBE: should we look at trying to assemble a candidate from 1446 1446 givenName, surName, suffix, etc? the "name" field -
src/gnutls_io.c
r9720026 r671b64f 21 21 22 22 /** 23 * Describe how the GnuTLS Filter system works here 23 * Describe how the GnuTLS Filter system works here 24 24 * - Basicly the same as what mod_ssl does with OpenSSL. 25 25 * … … 49 49 50 50 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config( 51 f->c->base_server->module_config, 51 f->c->base_server->module_config, 52 52 &gnutls_module 53 53 ); … … 435 435 /* all done with the handshake */ 436 436 ctxt->status = 1; 437 /* If the session was resumed, we did not set the correct 437 /* If the session was resumed, we did not set the correct 438 438 * server_rec in ctxt->sc. Go Find it. (ick!) 439 439 */ … … 573 573 apr_status_t status = APR_SUCCESS; 574 574 apr_read_type_e rblock = APR_NONBLOCK_READ; 575 575 576 576 if (f->c->aborted) { 577 577 apr_brigade_cleanup(bb); … … 592 592 if (APR_BUCKET_IS_EOS(bucket)) { 593 593 return ap_pass_brigade(f->next, bb); 594 } else if (APR_BUCKET_IS_FLUSH(bucket)) { 594 } else if (APR_BUCKET_IS_FLUSH(bucket)) { 595 595 /* Try Flush */ 596 596 if (write_flush(ctxt) < 0) { … … 599 599 } 600 600 /* cleanup! */ 601 apr_bucket_delete(bucket); 601 apr_bucket_delete(bucket); 602 602 } else if (AP_BUCKET_IS_EOC(bucket)) { 603 603 /* End Of Connection */ … … 612 612 } 613 613 /* cleanup! */ 614 apr_bucket_delete(bucket); 614 apr_bucket_delete(bucket); 615 615 /* Pass next brigade! */ 616 616 return ap_pass_brigade(f->next, bb); … … 669 669 } 670 670 } else if (ret != len) { 671 /* Not able to send the entire bucket, 671 /* Not able to send the entire bucket, 672 672 split it and send it again. */ 673 673 apr_bucket_split(bucket, ret); -
src/mod_gnutls.c
r9720026 r671b64f 21 21 22 22 static void gnutls_hooks(apr_pool_t * p) { 23 23 24 24 /* Try Run Post-Config Hook After mod_proxy */ 25 25 static const char * const aszPre[] = { "mod_proxy.c", NULL }; 26 ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST); 26 ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST); 27 27 /* HTTP Scheme Hook */ 28 28 #if USING_2_1_RECENT … … 37 37 /* Pre-Config Hook */ 38 38 ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, 39 APR_HOOK_MIDDLE); 39 APR_HOOK_MIDDLE); 40 40 /* Child-Init Hook */ 41 41 ap_hook_child_init(mgs_hook_child_init, NULL, NULL, … … 48 48 49 49 /* TODO: HTTP Upgrade Filter */ 50 /* ap_register_output_filter ("UPGRADE_FILTER", 50 /* ap_register_output_filter ("UPGRADE_FILTER", 51 51 * ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); 52 52 */ … … 58 58 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, 59 59 mgs_filter_output, NULL,AP_FTYPE_CONNECTION + 5); 60 60 61 61 /* mod_proxy calls these functions */ 62 62 APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); … … 65 65 66 66 int ssl_is_https(conn_rec *c) { 67 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 67 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 68 68 ap_get_module_config(c->base_server->module_config, &gnutls_module); 69 69 if(sc->enabled == 0 || sc->non_ssl_request == 1) { … … 76 76 77 77 int ssl_engine_disable(conn_rec *c) { 78 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 78 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 79 79 ap_get_module_config(c->base_server->module_config, &gnutls_module); 80 80 if(sc->enabled == GNUTLS_ENABLED_FALSE) { 81 81 return 1; 82 } 82 } 83 83 ap_remove_input_filter(c->input_filters); 84 84 ap_remove_input_filter(c->output_filters); … … 89 89 90 90 int ssl_proxy_enable(conn_rec *c) { 91 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 91 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 92 92 ap_get_module_config(c->base_server->module_config, &gnutls_module); 93 93 sc->proxy_enabled = 1;