-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | doc/libmicrohttpd.texi | 17 | ||||
-rw-r--r-- | src/include/microhttpd.h | 10 | ||||
-rw-r--r-- | src/microhttpd/daemon.c | 36 | ||||
-rw-r--r-- | src/microhttpd/internal.h | 5 |
5 files changed, 66 insertions, 6 deletions
@@ -1,3 +1,7 @@ | |||
1 | Sun Feb 8 01:24:38 CET 2015 | ||
2 | Adding MHD_OPTION_HTTPS_KEY_PASSWORD as proposed by | ||
3 | Andrew Basile. -CG/AB | ||
4 | |||
1 | Wed Feb 4 20:34:22 CET 2015 | 5 | Wed Feb 4 20:34:22 CET 2015 |
2 | Fix issue where for HTTP/1.0-clients that set | 6 | Fix issue where for HTTP/1.0-clients that set |
3 | Connection: Keep-Alive header a response of | 7 | Connection: Keep-Alive header a response of |
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index c0ad91a1..3fa143cc 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi | |||
@@ -661,6 +661,19 @@ HTTPS daemon. This option should be followed by an | |||
661 | "const char*" argument. | 661 | "const char*" argument. |
662 | This should be used in conjunction with 'MHD_OPTION_HTTPS_MEM_CERT'. | 662 | This should be used in conjunction with 'MHD_OPTION_HTTPS_MEM_CERT'. |
663 | 663 | ||
664 | @item MHD_OPTION_HTTPS_KEY_PASSWORD | ||
665 | @cindex SSL | ||
666 | @cindex TLS | ||
667 | Memory pointer to the password that decrypts the | ||
668 | private key to be used by the HTTPS daemon. | ||
669 | This option should be followed by an | ||
670 | "const char*" argument. | ||
671 | This should be used in conjunction with 'MHD_OPTION_HTTPS_MEM_KEY'. | ||
672 | |||
673 | The password (or passphrase) is only used immediately during | ||
674 | @code{MHD_start_daemon()}. Thus, the application may want to | ||
675 | erase it from memory afterwards for additional security. | ||
676 | |||
664 | @item MHD_OPTION_HTTPS_MEM_CERT | 677 | @item MHD_OPTION_HTTPS_MEM_CERT |
665 | @cindex SSL | 678 | @cindex SSL |
666 | @cindex TLS | 679 | @cindex TLS |
@@ -1103,14 +1116,14 @@ data is available, the first time the callback is | |||
1103 | invoked there won't be upload data, as this is done | 1116 | invoked there won't be upload data, as this is done |
1104 | just after MHD parses the headers. If supported by | 1117 | just after MHD parses the headers. If supported by |
1105 | the client and the HTTP version, the application can | 1118 | the client and the HTTP version, the application can |
1106 | at this point queue an error response to possibly | 1119 | at this point queue an error response to possibly |
1107 | avoid the upload entirely. If no response is generated, | 1120 | avoid the upload entirely. If no response is generated, |
1108 | MHD will (if required) automatically send a 100 CONTINUE | 1121 | MHD will (if required) automatically send a 100 CONTINUE |
1109 | reply to the client. | 1122 | reply to the client. |
1110 | 1123 | ||
1111 | Afterwards, POST data will be passed to the callback | 1124 | Afterwards, POST data will be passed to the callback |
1112 | to be processed incrementally by the application. The | 1125 | to be processed incrementally by the application. The |
1113 | application may return @code{MHD_NO} to forcefully | 1126 | application may return @code{MHD_NO} to forcefully |
1114 | terminate the TCP connection without generating a | 1127 | terminate the TCP connection without generating a |
1115 | proper HTTP response. Once all of the upload data has | 1128 | proper HTTP response. Once all of the upload data has |
1116 | been provided to the application, the application | 1129 | been provided to the application, the application |
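--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -130,7 +130,7 @@ typedef intptr_t ssize_t;
 * Current version of the library.
 * 0x01093001 = 1.9.30-1.
 */
-#define MHD_VERSION 0x00093902
+#define MHD_VERSION 0x00093903
 
 /**
 * MHD-internal return code for "YES".
@@ -863,6 +863,14 @@ enum MHD_OPTION
 * This option must be followed by a `unsigned int` argument.
 */
 MHD_OPTION_LISTENING_ADDRESS_REUSE = 25,
+
+/**
+* Memory pointer for a password that decrypts the private key (key.pem)
+* to be used by the HTTPS daemon. This option should be followed by a
+* `const char *` argument.
+* This should be used in conjunction with #MHD_OPTION_HTTPS_MEM_KEY.
+*/
+MHD_OPTION_HTTPS_KEY_PASSWORD = 26
 };
 
 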
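Review bot: The doc comment added for `MHD_OPTION_HTTPS_KEY_PASSWORD` in the enum hunk does not state the lifetime of the passphrase pointer or that the library keeps only the pointer rather than a copy. The texinfo text in this commit says the passphrase is used only during `MHD_start_daemon()`, and the daemon.c hunks store the pointer and reset it to NULL before returning, so the header should carry the same contract, for example `* The string is not copied; it must remain valid until MHD_start_daemon() returns and may be erased by the caller afterwards.` The `https_key_password` field comment in internal.h has the same gap and could note that the pointer is borrowed from the caller and cleared once start-up finishes.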
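--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -508,6 +508,7 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
 {
 gnutls_datum_t key;
 gnutls_datum_t cert;
+int ret;
 
 #if GNUTLS_VERSION_MAJOR >= 3
 if (NULL != daemon->cert_callback)
@@ -545,9 +546,24 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
 cert.data = (unsigned char *) daemon->https_mem_cert;
 cert.size = strlen (daemon->https_mem_cert);
 
-return gnutls_certificate_set_x509_key_mem (daemon->x509_cred,
-&cert, &key,
-GNUTLS_X509_FMT_PEM);
+if (NULL != daemon->https_key_password)
+ret = gnutls_certificate_set_x509_key_mem2 (daemon->x509_cred,
+&cert, &key,
+GNUTLS_X509_FMT_PEM,
+daemon->https_key_password,
+0);
+
+else
+ret = gnutls_certificate_set_x509_key_mem (daemon->x509_cred,
+&cert, &key,
+GNUTLS_X509_FMT_PEM);
+#if HAVE_MESSAGES
+if (0 != ret)
+MHD_DLOG (daemon,
+"GnuTLS failed to setup x509 certificate/key: %s\n",
+gnutls_strerror (ret));
+#endif
+return ret;
 }
 #if GNUTLS_VERSION_MAJOR >= 3
 if (NULL != daemon->cert_callback)
@@ -3002,6 +3018,16 @@ parse_options_va (struct MHD_Daemon *daemon,
 opt);
 #endif
 break;
+case MHD_OPTION_HTTPS_KEY_PASSWORD:
+if (0 != (daemon->options & MHD_USE_SSL))
+daemon->https_key_password = va_arg (ap, const char *);
+#if HAVE_MESSAGES
+else
+MHD_DLOG (daemon,
+"MHD HTTPS option %d passed to MHD but MHD_USE_SSL not set\n",
+opt);
+#endif
+break;
 case MHD_OPTION_HTTPS_MEM_CERT:
 if (0 != (daemon->options & MHD_USE_SSL))
 daemon->https_mem_cert = va_arg (ap, const char *);
@@ -3183,6 +3209,7 @@ parse_options_va (struct MHD_Daemon *daemon,
 /* all options taking one pointer */
 case MHD_OPTION_SOCK_ADDR:
 case MHD_OPTION_HTTPS_MEM_KEY:
+case MHD_OPTION_HTTPS_KEY_PASSWORD:
 case MHD_OPTION_HTTPS_MEM_CERT:
 case MHD_OPTION_HTTPS_MEM_TRUST:
 case MHD_OPTION_HTTPS_PRIORITIES:
@@ -4049,6 +4076,9 @@ MHD_start_daemon_va (unsigned int flags,
 }
 }
 }
+/* API promises to never use the password after initialization,
+so we additionally NULL it here to not deref a dangling pointer. */
+daemon->https_key_password = NULL;
 return daemon;
 
 thread_failed: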
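Review bot: In the new `case MHD_OPTION_HTTPS_KEY_PASSWORD:` of parse_options_va, the `const char *` argument is taken from the va_list only when `MHD_USE_SSL` is set, so in the other branch it stays in `ap` and the next option read would presumably start at the passphrase pointer. Consuming it unconditionally avoids that: with a local `const char *pstr`, use `pstr = va_arg (ap, const char *);` followed by `if (0 != (daemon->options & MHD_USE_SSL)) daemon->https_key_password = pstr;`, keeping the log call in the `else`. The visible start of the `MHD_OPTION_HTTPS_MEM_CERT` case below follows the same pattern. Separately, `gnutls_certificate_set_x509_key_mem2` in MHD_init_daemon_certificate is, as far as I know, available only from GnuTLS 3.1.11, and the call is not under a version guard like the `#if GNUTLS_VERSION_MAJOR >= 3` used nearby, so a build against an older GnuTLS would likely fail. Both functions begin and end outside their hunks.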
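--- a/src/microhttpd/internal.h
+++ b/src/microhttpd/internal.h
@@ -1205,6 +1205,11 @@ struct MHD_Daemon
 const char *https_mem_cert;
 
 /**
+* Pointer to 0-terminated HTTPS passphrase in memory.
+*/
+const char *https_key_password;
+
+/**
 * Pointer to our SSL/TLS certificate authority (in ASCII) in memory.
 */
 const char *https_mem_trust;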