diff options
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | doc/libmicrohttpd.texi | 17 | ||||
| -rw-r--r-- | src/include/microhttpd.h | 10 | ||||
| -rw-r--r-- | src/microhttpd/daemon.c | 36 | ||||
| -rw-r--r-- | src/microhttpd/internal.h | 5 |
5 files changed, 66 insertions, 6 deletions
| @@ -1,3 +1,7 @@ | |||
| 1 | Sun Feb 8 01:24:38 CET 2015 | ||
| 2 | Adding MHD_OPTION_HTTPS_KEY_PASSWORD as proposed by | ||
| 3 | Andrew Basile. -CG/AB | ||
| 4 | |||
| 1 | Wed Feb 4 20:34:22 CET 2015 | 5 | Wed Feb 4 20:34:22 CET 2015 |
| 2 | Fix issue where for HTTP/1.0-clients that set | 6 | Fix issue where for HTTP/1.0-clients that set |
| 3 | Connection: Keep-Alive header a response of | 7 | Connection: Keep-Alive header a response of |
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi index c0ad91a1..3fa143cc 100644 --- a/doc/libmicrohttpd.texi +++ b/doc/libmicrohttpd.texi | |||
| @@ -661,6 +661,19 @@ HTTPS daemon. This option should be followed by an | |||
| 661 | "const char*" argument. | 661 | "const char*" argument. |
| 662 | This should be used in conjunction with 'MHD_OPTION_HTTPS_MEM_CERT'. | 662 | This should be used in conjunction with 'MHD_OPTION_HTTPS_MEM_CERT'. |
| 663 | 663 | ||
| 664 | @item MHD_OPTION_HTTPS_KEY_PASSWORD | ||
| 665 | @cindex SSL | ||
| 666 | @cindex TLS | ||
| 667 | Memory pointer to the password that decrypts the | ||
| 668 | private key to be used by the HTTPS daemon. | ||
| 669 | This option should be followed by an | ||
| 670 | "const char*" argument. | ||
| 671 | This should be used in conjunction with 'MHD_OPTION_HTTPS_MEM_KEY'. | ||
| 672 | |||
| 673 | The password (or passphrase) is only used immediately during | ||
| 674 | @code{MHD_start_daemon()}. Thus, the application may want to | ||
| 675 | erase it from memory afterwards for additional security. | ||
| 676 | |||
| 664 | @item MHD_OPTION_HTTPS_MEM_CERT | 677 | @item MHD_OPTION_HTTPS_MEM_CERT |
| 665 | @cindex SSL | 678 | @cindex SSL |
| 666 | @cindex TLS | 679 | @cindex TLS |
| @@ -1103,14 +1116,14 @@ data is available, the first time the callback is | |||
| 1103 | invoked there won't be upload data, as this is done | 1116 | invoked there won't be upload data, as this is done |
| 1104 | just after MHD parses the headers. If supported by | 1117 | just after MHD parses the headers. If supported by |
| 1105 | the client and the HTTP version, the application can | 1118 | the client and the HTTP version, the application can |
| 1106 | at this point queue an error response to possibly | 1119 | at this point queue an error response to possibly |
| 1107 | avoid the upload entirely. If no response is generated, | 1120 | avoid the upload entirely. If no response is generated, |
| 1108 | MHD will (if required) automatically send a 100 CONTINUE | 1121 | MHD will (if required) automatically send a 100 CONTINUE |
| 1109 | reply to the client. | 1122 | reply to the client. |
| 1110 | 1123 | ||
| 1111 | Afterwards, POST data will be passed to the callback | 1124 | Afterwards, POST data will be passed to the callback |
| 1112 | to be processed incrementally by the application. The | 1125 | to be processed incrementally by the application. The |
| 1113 | application may return @code{MHD_NO} to forcefully | 1126 | application may return @code{MHD_NO} to forcefully |
| 1114 | terminate the TCP connection without generating a | 1127 | terminate the TCP connection without generating a |
| 1115 | proper HTTP response. Once all of the upload data has | 1128 | proper HTTP response. Once all of the upload data has |
| 1116 | been provided to the application, the application | 1129 | been provided to the application, the application |
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h index 2a6d0ba4..54377a44 100644 --- a/src/include/microhttpd.h +++ b/src/include/microhttpd.h | |||
| @@ -130,7 +130,7 @@ typedef intptr_t ssize_t; | |||
| 130 | * Current version of the library. | 130 | * Current version of the library. |
| 131 | * 0x01093001 = 1.9.30-1. | 131 | * 0x01093001 = 1.9.30-1. |
| 132 | */ | 132 | */ |
| 133 | #define MHD_VERSION 0x00093902 | 133 | #define MHD_VERSION 0x00093903 |
| 134 | 134 | ||
| 135 | /** | 135 | /** |
| 136 | * MHD-internal return code for "YES". | 136 | * MHD-internal return code for "YES". |
| @@ -863,6 +863,14 @@ enum MHD_OPTION | |||
| 863 | * This option must be followed by a `unsigned int` argument. | 863 | * This option must be followed by a `unsigned int` argument. |
| 864 | */ | 864 | */ |
| 865 | MHD_OPTION_LISTENING_ADDRESS_REUSE = 25, | 865 | MHD_OPTION_LISTENING_ADDRESS_REUSE = 25, |
| 866 | |||
| 867 | /** | ||
| 868 | * Memory pointer for a password that decrypts the private key (key.pem) | ||
| 869 | * to be used by the HTTPS daemon. This option should be followed by a | ||
| 870 | * `const char *` argument. | ||
| 871 | * This should be used in conjunction with #MHD_OPTION_HTTPS_MEM_KEY. | ||
| 872 | */ | ||
| 873 | MHD_OPTION_HTTPS_KEY_PASSWORD = 26 | ||
| 866 | }; | 874 | }; |
| 867 | 875 | ||
| 868 | 876 | ||
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c index c5539581..ae9a984d 100644 --- a/src/microhttpd/daemon.c +++ b/src/microhttpd/daemon.c | |||
| @@ -508,6 +508,7 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon) | |||
| 508 | { | 508 | { |
| 509 | gnutls_datum_t key; | 509 | gnutls_datum_t key; |
| 510 | gnutls_datum_t cert; | 510 | gnutls_datum_t cert; |
| 511 | int ret; | ||
| 511 | 512 | ||
| 512 | #if GNUTLS_VERSION_MAJOR >= 3 | 513 | #if GNUTLS_VERSION_MAJOR >= 3 |
| 513 | if (NULL != daemon->cert_callback) | 514 | if (NULL != daemon->cert_callback) |
| @@ -545,9 +546,24 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon) | |||
| 545 | cert.data = (unsigned char *) daemon->https_mem_cert; | 546 | cert.data = (unsigned char *) daemon->https_mem_cert; |
| 546 | cert.size = strlen (daemon->https_mem_cert); | 547 | cert.size = strlen (daemon->https_mem_cert); |
| 547 | 548 | ||
| 548 | return gnutls_certificate_set_x509_key_mem (daemon->x509_cred, | 549 | if (NULL != daemon->https_key_password) |
| 549 | &cert, &key, | 550 | ret = gnutls_certificate_set_x509_key_mem2 (daemon->x509_cred, |
| 550 | GNUTLS_X509_FMT_PEM); | 551 | &cert, &key, |
| 552 | GNUTLS_X509_FMT_PEM, | ||
| 553 | daemon->https_key_password, | ||
| 554 | 0); | ||
| 555 | |||
| 556 | else | ||
| 557 | ret = gnutls_certificate_set_x509_key_mem (daemon->x509_cred, | ||
| 558 | &cert, &key, | ||
| 559 | GNUTLS_X509_FMT_PEM); | ||
| 560 | #if HAVE_MESSAGES | ||
| 561 | if (0 != ret) | ||
| 562 | MHD_DLOG (daemon, | ||
| 563 | "GnuTLS failed to setup x509 certificate/key: %s\n", | ||
| 564 | gnutls_strerror (ret)); | ||
| 565 | #endif | ||
| 566 | return ret; | ||
| 551 | } | 567 | } |
| 552 | #if GNUTLS_VERSION_MAJOR >= 3 | 568 | #if GNUTLS_VERSION_MAJOR >= 3 |
| 553 | if (NULL != daemon->cert_callback) | 569 | if (NULL != daemon->cert_callback) |
| @@ -3002,6 +3018,16 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
| 3002 | opt); | 3018 | opt); |
| 3003 | #endif | 3019 | #endif |
| 3004 | break; | 3020 | break; |
| 3021 | case MHD_OPTION_HTTPS_KEY_PASSWORD: | ||
| 3022 | if (0 != (daemon->options & MHD_USE_SSL)) | ||
| 3023 | daemon->https_key_password = va_arg (ap, const char *); | ||
| 3024 | #if HAVE_MESSAGES | ||
| 3025 | else | ||
| 3026 | MHD_DLOG (daemon, | ||
| 3027 | "MHD HTTPS option %d passed to MHD but MHD_USE_SSL not set\n", | ||
| 3028 | opt); | ||
| 3029 | #endif | ||
| 3030 | break; | ||
| 3005 | case MHD_OPTION_HTTPS_MEM_CERT: | 3031 | case MHD_OPTION_HTTPS_MEM_CERT: |
| 3006 | if (0 != (daemon->options & MHD_USE_SSL)) | 3032 | if (0 != (daemon->options & MHD_USE_SSL)) |
| 3007 | daemon->https_mem_cert = va_arg (ap, const char *); | 3033 | daemon->https_mem_cert = va_arg (ap, const char *); |
| @@ -3183,6 +3209,7 @@ parse_options_va (struct MHD_Daemon *daemon, | |||
| 3183 | /* all options taking one pointer */ | 3209 | /* all options taking one pointer */ |
| 3184 | case MHD_OPTION_SOCK_ADDR: | 3210 | case MHD_OPTION_SOCK_ADDR: |
| 3185 | case MHD_OPTION_HTTPS_MEM_KEY: | 3211 | case MHD_OPTION_HTTPS_MEM_KEY: |
| 3212 | case MHD_OPTION_HTTPS_KEY_PASSWORD: | ||
| 3186 | case MHD_OPTION_HTTPS_MEM_CERT: | 3213 | case MHD_OPTION_HTTPS_MEM_CERT: |
| 3187 | case MHD_OPTION_HTTPS_MEM_TRUST: | 3214 | case MHD_OPTION_HTTPS_MEM_TRUST: |
| 3188 | case MHD_OPTION_HTTPS_PRIORITIES: | 3215 | case MHD_OPTION_HTTPS_PRIORITIES: |
| @@ -4049,6 +4076,9 @@ MHD_start_daemon_va (unsigned int flags, | |||
| 4049 | } | 4076 | } |
| 4050 | } | 4077 | } |
| 4051 | } | 4078 | } |
| 4079 | /* API promises to never use the password after initialization, | ||
| 4080 | so we additionally NULL it here to not deref a dangling pointer. */ | ||
| 4081 | daemon->https_key_password = NULL; | ||
| 4052 | return daemon; | 4082 | return daemon; |
| 4053 | 4083 | ||
| 4054 | thread_failed: | 4084 | thread_failed: |
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h index da3a976b..c2cab42d 100644 --- a/src/microhttpd/internal.h +++ b/src/microhttpd/internal.h | |||
| @@ -1205,6 +1205,11 @@ struct MHD_Daemon | |||
| 1205 | const char *https_mem_cert; | 1205 | const char *https_mem_cert; |
| 1206 | 1206 | ||
| 1207 | /** | 1207 | /** |
| 1208 | * Pointer to 0-terminated HTTPS passphrase in memory. | ||
| 1209 | */ | ||
| 1210 | const char *https_key_password; | ||
| 1211 | |||
| 1212 | /** | ||
| 1208 | * Pointer to our SSL/TLS certificate authority (in ASCII) in memory. | 1213 | * Pointer to our SSL/TLS certificate authority (in ASCII) in memory. |
| 1209 | */ | 1214 | */ |
| 1210 | const char *https_mem_trust; | 1215 | const char *https_mem_trust; |