authorRyan Bloom <rbb@apache.org>2001-09-12 21:50:56 +0200
committerRyan Bloom <rbb@apache.org>2001-09-12 21:50:56 +0200
commite2357e9798ce42184cc48fd582778068fc1cfa8b (patch)
treeb88b9f943584e523a215661875cafecda93f6a28
parentRemove an error during configure. Libtool 1.4 doesn't have ltconfig. (diff)
Remove mod_tls. All of the filters in mod_tls can now be found in
mod_ssl. Also, mod_ssl is being kept up to date, while mod_tls is not, so if you use mod_tls you will run into a lot of bugs, both security-related and otherwise. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91013 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--modules/tls/.cvsignore13
-rw-r--r--modules/tls/Makefile.in2
-rw-r--r--modules/tls/README40
-rw-r--r--modules/tls/config.m448
-rw-r--r--modules/tls/mod_tls.c441
-rw-r--r--modules/tls/mod_tls.dsp136
-rw-r--r--modules/tls/openssl_state_machine.c292
-rw-r--r--modules/tls/openssl_state_machine.h16
8 files changed, 0 insertions, 988 deletions
diff --git a/modules/tls/.cvsignore b/modules/tls/.cvsignore
deleted file mode 100644
index 79377ba381..0000000000
--- a/modules/tls/.cvsignore
+++ /dev/null
@@ -1,13 +0,0 @@
-.libs
-.deps
-Makefile
-modules.mk
-*.lo
-*.la
-Debug
-Release
-*.plg
-*.aps
-*.dep
-*.mak
-*.rc
diff --git a/modules/tls/Makefile.in b/modules/tls/Makefile.in
deleted file mode 100644
index d8187ddf06..0000000000
--- a/modules/tls/Makefile.in
+++ /dev/null
@@ -1,2 +0,0 @@
-include $(top_srcdir)/build/special.mk
-
diff --git a/modules/tls/README b/modules/tls/README
deleted file mode 100644
index 1f1606088a..0000000000
--- a/modules/tls/README
+++ /dev/null
@@ -1,40 +0,0 @@
-This currently won't work with Apache unaided. The manual things I
-have to do to make it work are:
-
-To configure this module you must use:
-
---enable-tls
---with-ssl=/path/to/ssl/library
-
-For example:
-
---enable-tls
---with-ssl=/home/rbb/openssl-0.9.6
-
-NOTE: You must be using OpenSSL 0.9.6 or later in order for this to work.
-
-Then all you need is "TLSFilter on" and "TLSCertificateFile <file>" in
-your config, and you are away (note that the cert file must also
-contain the private key at present).
-
-Ben Laurie, 11 Feb 2001.
-
-
-Win32 plays an entirely different build game. mod_tls.dsp must be built
-by choosing it from within the Apache.dsw workspace. A mod_tls.mak is
-provided, but has the same limitations as building the .dsp 'project'.
-
-Unpack or checkout the openssl sources into the directory srclib/openssl,
-and follow the build directions for your compiler/assembler/cpu. In the
-workspace viewer (File list view) right click on mod_tls to build the
-module. The output (based on your choice) will fall in the directory
-modules/tls/[Debug|Release]/mod_tls.so. The openssl output is all in
-the directory srclib/openssl/out32dll.
-
-Copy the ssleay32.dll and libeay32.dll files to your target Apache2/bin
-install path from srclib/openssl/out32dll (you may also desire openssl.exe)
-and copy mod_tls.so into your Apache2/modules directory.
-
-This could be improved at some point, but not by myself at this moment.
-
-William Rowe, 11 Jun 2001
diff --git a/modules/tls/config.m4 b/modules/tls/config.m4
deleted file mode 100644
index c7320fd159..0000000000
--- a/modules/tls/config.m4
+++ /dev/null
@@ -1,48 +0,0 @@
-APACHE_MODPATH_INIT(tls)
-
-tls_objs="mod_tls.lo openssl_state_machine.lo"
-
-APACHE_MODULE(tls, TLS/SSL support, $tls_objs, , no, [
- AC_MSG_CHECKING(for TLS/SSL library)
- AC_ARG_WITH(tls, [ --with-tls=DIR use a specific TLS/SSL library],
- [
- if test x"$withval" = x"yes"; then
- # FreeBSD has OpenSSL in /usr/{include,lib}
- for dir in /usr /usr/local/openssl /usr/local/ssl
- do
- if test -d $dir && test -f $dir/lib/libcrypto.a; then
- withval=$dir
- break
- fi
- done
- if test x"$withval" = x"yes"; then
- AC_MSG_ERROR(Use --with-tls=DIR to specify the location of your SSL installation)
- fi
- fi
- ssl_lib=unknown
- for params in \
- "OpenSSL|/include/openssl|/lib|-lssl -lcrypto" \
- "SSLC|/inc||-lsslc"
- do
- prod=`IFS="|"; set -- $params; echo $1`
- incdir=`IFS="|"; set -- $params; echo $2`
- libdir=`IFS="|"; set -- $params; echo $3`
- libs=`IFS="|"; set -- $params; echo $4`
- searchfile="${withval}${incdir}/ssl.h"
- if test -f ${searchfile} ; then
- APR_ADDTO(INCLUDES, [-I${withval}${incdir}])
- APR_ADDTO(LIBS, [-L${withval}${libdir} ${libs}])
- ssl_lib="${prod}"
- break
- fi
- done
- if test x"${ssl_lib}" = x"unknown"; then
- AC_MSG_ERROR(--with-tls given but no appropriate lib found)
- else
- AC_MSG_RESULT(found $ssl_lib)
- fi
- ],[
- AC_MSG_ERROR(--with-tls not given)
- ] ) ] )
-
-APACHE_MODPATH_FINISH
diff --git a/modules/tls/mod_tls.c b/modules/tls/mod_tls.c
deleted file mode 100644
index 2e78bc89a2..0000000000
--- a/modules/tls/mod_tls.c
+++ /dev/null
@@ -1,441 +0,0 @@
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2001 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- *
- * Portions of this software are based upon public domain software
- * originally written at the National Center for Supercomputing Applications,
- * University of Illinois, Urbana-Champaign.
- */
-
-#include "httpd.h"
-#include "http_config.h"
-#include "util_filter.h"
-#include "http_connection.h"
-#include "openssl_state_machine.h"
-#include "apr_strings.h"
-#include "http_protocol.h"
-#include "http_log.h"
-
-/* temp */
-#include <assert.h>
-
-module AP_MODULE_DECLARE_DATA tls_module;
-static const char tls_filter_name[] = "TLSFilter";
-
-typedef struct tls_config_rec
-{
- int enabled;
- const char *certificate_file;
- const char *key_file;
-} tls_config_rec;
-
-typedef struct tls_filter_ctx
-{
- SSLStateMachine *state_machine;
- ap_filter_t *input_filter;
- ap_filter_t *output_filter;
- apr_bucket_brigade *bb_encrypted; /* encrypted input */
- apr_bucket_brigade *bb_decrypted; /* decrypted input */
-} tls_filter_ctx;
-
-static void *create_tls_server_config(apr_pool_t *p, server_rec *s)
-{
- tls_config_rec *tcfg = apr_pcalloc(p, sizeof(*tcfg));
-
- tcfg->enabled = 0;
- tcfg->certificate_file = tcfg->key_file = NULL;
-
- return tcfg;
-}
-
-static const char *tls_on(cmd_parms *cmd, void *dummy, int arg)
-{
- tls_config_rec *tcfg = ap_get_module_config(cmd->server->module_config,
- &tls_module);
- tcfg->enabled = arg;
- return NULL;
-}
-
-static const char *tls_cert_file(cmd_parms *cmd, void *dummy, const char *arg)
-{
- tls_config_rec *tcfg = ap_get_module_config(cmd->server->module_config,
- &tls_module);
- tcfg->certificate_file = ap_server_root_relative(cmd->pool, arg);
-
- /* temp */
- tcfg->key_file = tcfg->certificate_file;
- return NULL;
-}
-
-static apr_status_t tls_filter_cleanup(void *data)
-{
- SSLStateMachine_free((SSLStateMachine *)data);
- return APR_SUCCESS;
-}
-
-static int tls_filter_inserter(conn_rec *c)
-{
- tls_config_rec *tcfg = ap_get_module_config(c->base_server->module_config,
- &tls_module);
- tls_filter_ctx *ctx;
-
- if (!tcfg->enabled)
- return DECLINED;
-
- ctx = apr_pcalloc(c->pool, sizeof(*ctx));
- ctx->state_machine = SSLStateMachine_new(tcfg->certificate_file,
- tcfg->key_file);
-
- if (!ctx->state_machine) {
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- ctx->input_filter = ap_add_input_filter(tls_filter_name, ctx, NULL, c);
- ctx->output_filter = ap_add_output_filter(tls_filter_name, ctx, NULL, c);
- ctx->bb_encrypted = apr_brigade_create(c->pool);
- ctx->bb_decrypted = apr_brigade_create(c->pool);
-
- apr_pool_cleanup_register(c->pool, (void*)ctx->state_machine,
- tls_filter_cleanup, apr_pool_cleanup_null);
-
- return OK;
-}
-
-static apr_status_t churn_output(tls_filter_ctx *ctx)
-{
- apr_bucket_brigade *bb_out = NULL;
- int done;
-
- do {
- char buf[1024];
- int n;
- apr_bucket *b;
-
- done = 0;
-
- if (SSLStateMachine_write_can_extract(ctx->state_machine)) {
- n = SSLStateMachine_write_extract(ctx->state_machine, buf,
- sizeof(buf));
- if (n > 0) {
- char *pbuf;
-
- if (!bb_out)
- bb_out = apr_brigade_create(ctx->output_filter->c->pool);
-
- pbuf = apr_pmemdup(ctx->output_filter->c->pool, buf, n);
- b = apr_bucket_pool_create(pbuf, n,
- ctx->output_filter->c->pool);
- APR_BRIGADE_INSERT_TAIL(bb_out, b);
- done = 1;
- /* } else if (n == 0) {
- x apr_bucket *b_eos = apr_bucket_create_eos();
- x APR_BRIGADE_INSERT_TAIL(bb_out, b_eos);
- x }
- */
- }
- assert(n > 0);
- }
- } while (done);
-
- /* XXX: check for errors */
- if (bb_out) {
- apr_bucket *b;
-
- /* XXX: it may be possible to not always flush */
- b = apr_bucket_flush_create();
- APR_BRIGADE_INSERT_TAIL(bb_out, b);
- ap_pass_brigade(ctx->output_filter->next, bb_out);
- }
-
- return APR_SUCCESS;
-}
-
-static apr_status_t churn(tls_filter_ctx *ctx, apr_read_type_e readtype,
- apr_size_t *readbytes)
-{
- ap_input_mode_t mode = (readtype == APR_BLOCK_READ)
- ? AP_MODE_BLOCKING
- : AP_MODE_NONBLOCKING;
- apr_bucket *b_in;
-
- if (APR_BRIGADE_EMPTY(ctx->bb_encrypted)) {
- ap_get_brigade(ctx->input_filter->next, ctx->bb_encrypted,
- mode, readbytes);
- if (APR_BRIGADE_EMPTY(ctx->bb_encrypted))
- return APR_EOF;
- }
-
- APR_BRIGADE_FOREACH(b_in, ctx->bb_encrypted) {
- const char *data;
- apr_size_t len;
- int n;
- char buf[1024];
- apr_status_t ret;
-
- if (APR_BUCKET_IS_EOS(b_in)) {
- /* XXX: why can't I reuse b_in??? */
- /* Write eof! */
- break;
- }
-
- /* read filter */
- ret = apr_bucket_read(b_in, &data, &len, readtype);
-
- APR_BUCKET_REMOVE(b_in);
-
- if (ret == APR_SUCCESS && len == 0 && readtype == APR_BLOCK_READ)
- ret = APR_EOF;
-
- if (len == 0) {
- /* Lazy frickin browsers just reset instead of shutting down. */
- if (ret == APR_EOF || APR_STATUS_IS_ECONNRESET(ret)) {
- if (APR_BRIGADE_EMPTY(ctx->bb_decrypted))
- return APR_EOF;
- else
- /* Next time around, the incoming brigade will be empty,
- * so we'll return EOF then
- */
- return APR_SUCCESS;
- }
-
- if (readtype != APR_NONBLOCK_READ)
- ap_log_error(APLOG_MARK, APLOG_ERR, ret, NULL,
- "Read failed in tls_in_filter");
- assert(readtype == APR_NONBLOCK_READ);
- assert(ret == APR_SUCCESS || APR_STATUS_IS_EAGAIN(ret));
- /* In this case, we have data in the output bucket, or we were
- * non-blocking, so returning nothing is fine.
- */
- return APR_SUCCESS;
- }
-
- assert(len > 0);
-
- /* write SSL */
- SSLStateMachine_read_inject(ctx->state_machine, data, len);
-
- n = SSLStateMachine_read_extract(ctx->state_machine, buf, sizeof(buf));
- if (n > 0) {
- apr_bucket *b_out;
- char *pbuf;
-
- pbuf = apr_pmemdup(ctx->input_filter->c->pool, buf, n);
- /* XXX: should we use a heap bucket instead? Or a transient (in
- * which case we need a separate brigade for each bucket)?
- */
- b_out = apr_bucket_pool_create(pbuf, n, ctx->input_filter->c->pool);
- APR_BRIGADE_INSERT_TAIL(ctx->bb_decrypted, b_out);
-
- /* Once we've read something, we can move to non-blocking mode
- * (if we weren't already).
- */
- readtype = APR_NONBLOCK_READ;
-
- /* XXX: deal with EOF! */
- /* } else if (n == 0) {
- x apr_bucket *b_eos = apr_bucket_create_eos();
- x APR_BRIGADE_INSERT_TAIL(bb_encrypted, b_eos);
- x }
- */
- }
- assert(n >= 0);
-
- ret = churn_output(ctx);
- if (ret != APR_SUCCESS)
- return ret;
- }
-
- return churn_output(ctx);
-}
-
-static apr_status_t tls_out_filter(ap_filter_t *f, apr_bucket_brigade *bb_in)
-{
- tls_filter_ctx *ctx = f->ctx;
- apr_bucket *b_in;
-
- APR_BRIGADE_FOREACH(b_in, bb_in) {
- const char *data;
- apr_size_t len;
- apr_status_t ret;
-
- if (APR_BUCKET_IS_EOS(b_in)) {
- /* XXX: demote to debug */
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "Got EOS on output");
- SSLStateMachine_write_close(ctx->state_machine);
- /* XXX: dubious - does this always terminate?
- * Does it return the right thing?
- */
- for( ; ; ) {
- ret = churn_output(ctx);
- if (ret != APR_SUCCESS)
- return ret;
- ret = churn(ctx, APR_NONBLOCK_READ, 0);
- if (ret != APR_SUCCESS) {
- if (ret == APR_EOF)
- return APR_SUCCESS;
- else
- return ret;
- }
- }
- break;
- }
-
- if (APR_BUCKET_IS_FLUSH(b_in)) {
- /* assume that churn will flush (or already has)
- * if there's output
- */
- ret = churn(ctx, APR_NONBLOCK_READ, 0);
- if (ret != APR_SUCCESS)
- return ret;
- continue;
- }
-
- /* read filter */
- apr_bucket_read(b_in, &data, &len, APR_BLOCK_READ);
-
- /* write SSL */
- SSLStateMachine_write_inject(ctx->state_machine, data, len);
-
- /* churn the state machine */
- ret = churn_output(ctx);
- if (ret != APR_SUCCESS)
- return ret;
- }
-
- return APR_SUCCESS;
-}
-
-static apr_status_t tls_in_filter(ap_filter_t *f, apr_bucket_brigade *bb_out,
- ap_input_mode_t mode, apr_size_t *readbytes)
-{
- tls_filter_ctx *ctx = f->ctx;
- apr_read_type_e readtype = (mode == AP_MODE_BLOCKING)
- ? APR_BLOCK_READ
- : APR_NONBLOCK_READ;
- apr_status_t ret;
-
- /* XXX: we don't currently support peek
- * And we don't need to, it should be eaten by the protocol filter!
- */
- assert(mode != AP_MODE_PEEK);
-
- /* churn the state machine */
- ret = churn(ctx, readtype, readbytes);
- if (ret != APR_SUCCESS)
- return ret;
-
- /* XXX: shame that APR_BRIGADE_FOREACH doesn't work here */
- while (!APR_BRIGADE_EMPTY(ctx->bb_decrypted)) {
- apr_bucket *b_in = APR_BRIGADE_FIRST(ctx->bb_decrypted);
- APR_BUCKET_REMOVE(b_in);
- APR_BRIGADE_INSERT_TAIL(bb_out, b_in);
- }
-
- return APR_SUCCESS;
-}
-
-static const char *tls_method(const request_rec *r)
-{
- tls_config_rec *tcfg =
- ap_get_module_config(r->connection->base_server->module_config,
- &tls_module);
-
- if (!tcfg->enabled)
- return NULL;
-
- return "https";
-}
-
-static unsigned short tls_port(const request_rec *r)
-{
- tls_config_rec *tcfg =
- ap_get_module_config(r->connection->base_server->module_config,
- &tls_module);
-
- if (!tcfg->enabled)
- return 0;
-
- return 443;
-}
-
-static const command_rec tls_cmds[] =
-{
- /* XXX: We should be able to add the filter using AddOutputFilter */
- AP_INIT_FLAG("TLSFilter", tls_on, NULL, RSRC_CONF,
- "Run TLS/SSL on this host"),
- AP_INIT_TAKE1("TLSCertificateFile", tls_cert_file, NULL, RSRC_CONF,
- "Set the certificate file for this host"),
- { NULL }
-};
-
-static void register_hooks(apr_pool_t *p)
-{
- SSLStateMachine_init();
-
- ap_register_output_filter(tls_filter_name, tls_out_filter,
- AP_FTYPE_NETWORK);
- ap_register_input_filter(tls_filter_name, tls_in_filter,
- AP_FTYPE_NETWORK);
- ap_hook_pre_connection(tls_filter_inserter, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_default_port(tls_port, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_http_method(tls_method, NULL, NULL, APR_HOOK_MIDDLE);
-}
-
-module AP_MODULE_DECLARE_DATA tls_module = {
- STANDARD20_MODULE_STUFF,
- NULL, /* create per-directory config structure */
- NULL, /* merge per-directory config structures */
- create_tls_server_config, /* create per-server config structure */
- NULL, /* merge per-server config structures */
- tls_cmds, /* command apr_table_t */
- register_hooks /* register hooks */
-};
diff --git a/modules/tls/mod_tls.dsp b/modules/tls/mod_tls.dsp
deleted file mode 100644
index 5142001f8e..0000000000
--- a/modules/tls/mod_tls.dsp
+++ /dev/null
@@ -1,136 +0,0 @@
-# Microsoft Developer Studio Project File - Name="mod_tls" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 6.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
-
-CFG=mod_tls - Win32 Release
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE
-!MESSAGE NMAKE /f "mod_tls.mak".
-!MESSAGE
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE
-!MESSAGE NMAKE /f "mod_tls.mak" CFG="mod_tls - Win32 Release"
-!MESSAGE
-!MESSAGE Possible choices for configuration are:
-!MESSAGE
-!MESSAGE "mod_tls - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
-!MESSAGE "mod_tls - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
-!MESSAGE
-
-# Begin Project
-# PROP AllowPerConfigDependencies 0
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-MTL=midl.exe
-RSC=rc.exe
-
-!IF "$(CFG)" == "mod_tls - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "Release"
-# PROP Intermediate_Dir "Release"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c
-# ADD CPP /nologo /MD /W3 /O2 /I "../../include" /I "../../os/win32" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32/openssl" /I "../../srclib/openssl/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /Fd"Release\mod_tls" /FD /c
-# ADD BASE MTL /nologo /D "NDEBUG" /win32
-# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
-# ADD BASE RSC /l 0x409 /d "NDEBUG"
-# ADD RSC /l 0x409 /d "NDEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib /nologo /subsystem:windows /dll /map /machine:I386 /out:"Release/mod_tls.so" /base:@..\..\os\win32\BaseAddr.ref,mod_tls
-# ADD LINK32 kernel32.lib ssleay32.lib libeay32.lib /nologo /subsystem:windows /dll /map /machine:I386 /out:"Release/mod_tls.so" /libpath:"../../srclib/openssl/out32dll" /base:@..\..\os\win32\BaseAddr.ref,mod_tls
-
-!ELSEIF "$(CFG)" == "mod_tls - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "Debug"
-# PROP Intermediate_Dir "Debug"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /MDd /W3 /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /c
-# ADD CPP /nologo /MDd /W3 /GX /Zi /Od /I "../../include" /I "../../os/win32" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32/openssl" /I "../../srclib/openssl/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /Fd"Debug\mod_tls" /FD /c
-# ADD BASE MTL /nologo /D "_DEBUG" /win32
-# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
-# ADD BASE RSC /l 0x409 /d "_DEBUG"
-# ADD RSC /l 0x409 /d "_DEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib /nologo /subsystem:windows /dll /incremental:no /map /debug /machine:I386 /out:"Debug/mod_tls.so" /base:@..\..\os\win32\BaseAddr.ref,mod_tls
-# ADD LINK32 kernel32.lib ssleay32.lib libeay32.lib /nologo /subsystem:windows /dll /incremental:no /map /debug /machine:I386 /out:"Debug/mod_tls.so" /libpath:"../../srclib/openssl/out32dll.dbg" /base:@..\..\os\win32\BaseAddr.ref,mod_tls
-
-!ENDIF
-
-# Begin Target
-
-# Name "mod_tls - Win32 Release"
-# Name "mod_tls - Win32 Debug"
-# Begin Source File
-
-SOURCE=.\mod_tls.c
-# End Source File
-# Begin Source File
-
-SOURCE=.\mod_tls.rc
-# End Source File
-# Begin Source File
-
-SOURCE=.\openssl_state_machine.c
-# End Source File
-# Begin Source File
-
-SOURCE=.\openssl_state_machine.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\build\win32\win32ver.awk
-
-!IF "$(CFG)" == "mod_tls - Win32 Release"
-
-# PROP Ignore_Default_Tool 1
-# Begin Custom Build - Creating Version Resource
-InputPath=..\..\build\win32\win32ver.awk
-
-".\mod_tls.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- awk -f ../../build/win32/win32ver.awk mod_tls "tls_module for Apache" ../../include/ap_release.h > .\mod_tls.rc
-
-# End Custom Build
-
-!ELSEIF "$(CFG)" == "mod_tls - Win32 Debug"
-
-# PROP Ignore_Default_Tool 1
-# Begin Custom Build - Creating Version Resource
-InputPath=..\..\build\win32\win32ver.awk
-
-".\mod_tls.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- awk -f ../../build/win32/win32ver.awk mod_tls "tls_module for Apache" ../../include/ap_release.h > .\mod_tls.rc
-
-# End Custom Build
-
-!ENDIF
-
-# End Source File
-# End Target
-# End Project
diff --git a/modules/tls/openssl_state_machine.c b/modules/tls/openssl_state_machine.c
deleted file mode 100644
index d62e123660..0000000000
--- a/modules/tls/openssl_state_machine.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/* This is adapted from the OpenSSL state_machine demo */
-
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/*
- * Nuron, a leader in hardware encryption technology, generously
- * sponsored the development of this demo by Ben Laurie.
- *
- * See http://www.nuron.com/.
- */
-
-/*
- * the aim of this demo is to provide a fully working state-machine
- * style SSL implementation, i.e. one where the main loop acquires
- * some data, then converts it from or to SSL by feeding it into the
- * SSL state machine. It then does any I/O required by the state machine
- * and loops.
- *
- * In order to keep things as simple as possible, this implementation
- * listens on a TCP socket, which it expects to get an SSL connection
- * on (for example, from s_client) and from then on writes decrypted
- * data to stdout and encrypts anything arriving on stdin. Verbose
- * commentary is written to stderr.
- *
- * This implementation acts as a server, but it can also be done for a client. */
-
-#include "apr.h"
-
-#include <openssl/ssl.h>
-#include <assert.h>
-#if APR_HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <string.h>
-#include <openssl/err.h>
-#include "openssl_state_machine.h"
-
-/* die_unless is intended to work like assert, except that it happens
- always, even if NDEBUG is defined. Use assert as a stopgap. */
-
-#define die_unless(x) assert(x)
-
-struct SSLStateMachine
- {
- SSL_CTX *pCtx;
- BIO *pbioRead;
- BIO *pbioWrite;
- SSL *pSSL;
- };
-
-void SSLStateMachine_init(void)
-{
- static int s_bInitDone;
-
- if(s_bInitDone)
- return;
-
- SSL_library_init();
- OpenSSL_add_ssl_algorithms();
- SSL_load_error_strings();
- ERR_load_crypto_strings();
-
- s_bInitDone=1;
-}
-
-static void SSLStateMachine_print_error(SSLStateMachine *pMachine,
- const char *szErr)
- {
- unsigned long l;
-
- fprintf(stderr,"%s\n",szErr);
- while((l=ERR_get_error()))
- {
- char buf[1024];
-
- ERR_error_string_n(l,buf,sizeof buf);
- fprintf(stderr,"Error %lx: %s\n",l,buf);
- }
- }
-
-SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
- const char *szKeyFile)
- {
- SSLStateMachine *pMachine=malloc(sizeof *pMachine);
- int n;
-
- die_unless(pMachine);
-
- memset(pMachine, '\0', sizeof *pMachine);
-
- pMachine->pCtx=SSL_CTX_new(SSLv23_server_method());
- die_unless(pMachine->pCtx);
-
- n=SSL_CTX_use_certificate_file(pMachine->pCtx,szCertificateFile,
- SSL_FILETYPE_PEM);
- if (n <= 0) {
- SSLStateMachine_print_error(pMachine,
- "Error opening certificate file:");
- SSLStateMachine_free(pMachine);
- return NULL;
- }
-
- n=SSL_CTX_use_PrivateKey_file(pMachine->pCtx,szKeyFile,SSL_FILETYPE_PEM);
-
- if (n <= 0) {
- SSLStateMachine_print_error(pMachine,
- "Error opening private key file:");
- SSLStateMachine_free(pMachine);
- return NULL;
- }
-
- pMachine->pSSL=SSL_new(pMachine->pCtx);
- die_unless(pMachine->pSSL);
-
- pMachine->pbioRead=BIO_new(BIO_s_mem());
-
- pMachine->pbioWrite=BIO_new(BIO_s_mem());
-
- SSL_set_bio(pMachine->pSSL,pMachine->pbioRead,pMachine->pbioWrite);
-
- SSL_set_accept_state(pMachine->pSSL);
-
- return pMachine;
- }
-
-void SSLStateMachine_free(SSLStateMachine *pMachine)
-{
- if (pMachine->pCtx) {
- SSL_CTX_free(pMachine->pCtx);
- }
- if (pMachine->pSSL) {
- SSL_free(pMachine->pSSL);
- }
- free(pMachine);
-}
-
-void SSLStateMachine_read_inject(SSLStateMachine *pMachine,
- const unsigned char *aucBuf,int nBuf)
- {
- int n=BIO_write(pMachine->pbioRead,aucBuf,nBuf);
- /* If it turns out this assert fails, then buffer the data here
- * and just feed it in in churn instead. Seems to me that it
- * should be guaranteed to succeed, though.
- */
- assert(n == nBuf);
- fprintf(stderr,"%d bytes of encrypted data fed to state machine\n",n);
- }
-
-int SSLStateMachine_read_extract(SSLStateMachine *pMachine,
- unsigned char *aucBuf,int nBuf)
- {
- int n;
-
- if(!SSL_is_init_finished(pMachine->pSSL))
- {
- fprintf(stderr,"Doing SSL_accept\n");
- n=SSL_accept(pMachine->pSSL);
- if(n == 0)
- fprintf(stderr,"SSL_accept returned zero\n");
- if(n < 0)
- {
- int err;
-
- if((err=SSL_get_error(pMachine->pSSL,n)) == SSL_ERROR_WANT_READ)
- {
- fprintf(stderr,"SSL_accept wants more data\n");
- return 0;
- }
-
- SSLStateMachine_print_error(pMachine,"SSL_accept error");
- exit(7);
- }
- return 0;
- }
-
- n=SSL_read(pMachine->pSSL,aucBuf,nBuf);
- if(n < 0)
- {
- int err=SSL_get_error(pMachine->pSSL,n);
-
- if(err == SSL_ERROR_WANT_READ)
- {
- fprintf(stderr,"SSL_read wants more data\n");
- return 0;
- }
- SSLStateMachine_print_error(pMachine,"SSL_read error");
- exit(8);
- }
-
- fprintf(stderr,"%d bytes of decrypted data read from state machine\n",n);
- return n;
- }
-
-int SSLStateMachine_write_can_extract(SSLStateMachine *pMachine)
- {
- int n=BIO_pending(pMachine->pbioWrite);
- if(n)
- fprintf(stderr,"There is encrypted data available to write\n");
- else
- fprintf(stderr,"There is no encrypted data available to write\n");
-
- return n;
- }
-
-int SSLStateMachine_write_extract(SSLStateMachine *pMachine,
- unsigned char *aucBuf,int nBuf)
- {
- int n;
-
- n=BIO_read(pMachine->pbioWrite,aucBuf,nBuf);
- fprintf(stderr,"%d bytes of encrypted data read from state machine\n",n);
- return n;
- }
-
-void SSLStateMachine_write_inject(SSLStateMachine *pMachine,
- const unsigned char *aucBuf,int nBuf)
- {
- int n=SSL_write(pMachine->pSSL,aucBuf,nBuf);
- if(n < 0)
- {
- if(ERR_peek_error() == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL_WRITE,
- SSL_R_PROTOCOL_IS_SHUTDOWN))
- {
- SSLStateMachine_print_error(pMachine,"SSL_write error (someone wrote after shutdown)");
- return;
- }
- SSLStateMachine_print_error(pMachine,"SSL_write error");
- }
- /* If it turns out this assert fails, then buffer the data here
- * and just feed it in in churn instead. Seems to me that it
- * should be guaranteed to succeed, though.
- */
- assert(n == nBuf);
- fprintf(stderr,"%d bytes of unencrypted data fed to state machine\n",n);
- }
-
-void SSLStateMachine_write_close(SSLStateMachine *pMachine)
- {
- SSL_shutdown(pMachine->pSSL);
- }
diff --git a/modules/tls/openssl_state_machine.h b/modules/tls/openssl_state_machine.h
deleted file mode 100644
index a041449512..0000000000
--- a/modules/tls/openssl_state_machine.h
+++ /dev/null
@@ -1,16 +0,0 @@
-typedef struct SSLStateMachine SSLStateMachine;
-
-void SSLStateMachine_init(void);
-SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
- const char *szKeyFile);
-void SSLStateMachine_free(SSLStateMachine *pMachine);
-void SSLStateMachine_read_inject(SSLStateMachine *pMachine,
- const unsigned char *aucBuf,int nBuf);
-int SSLStateMachine_read_extract(SSLStateMachine *pMachine,
- unsigned char *aucBuf,int nBuf);
-int SSLStateMachine_write_can_extract(SSLStateMachine *pMachine);
-int SSLStateMachine_write_extract(SSLStateMachine *pMachine,
- unsigned char *aucBuf,int nBuf);
-void SSLStateMachine_write_inject(SSLStateMachine *pMachine,
- const unsigned char *aucBuf,int nBuf);
-void SSLStateMachine_write_close(SSLStateMachine *pMachine);