Description: Implement support for GnuTLS.
 This patch set implements the option to let GnuTLS replace OpenSSL,
 which was the only uption in the original source code.
 .
 The alterations leave OpenSSL code intact, and also lets GnuTLS
 be used in a threaded setting.
 .
 No client verifications are implemented, neither can the crypto
 key be protected by a pass phrase at this time.
 .
 Explicit linking to "gcrypt". This is needed by "binutils-gold".
 Reported as LP: #665276. Contributed by Roy Jamison.
Author: Mats Erik Andersson <debian@gisladisker.se>
Forwarded: no
Last-Update: 2010-10-26
--- webfs-1.21+ds1/GNUmakefile.debian
+++ webfs-1.21+ds1/GNUmakefile
@@ -24,6 +24,7 @@ LIB          := $(LIB)
 SYSTEM       := $(call ac_uname)
 USE_SENDFILE := yes
 USE_THREADS  := no
+USE_GNUTLS   := $(call ac_header,gnutls/gnutls.h)
 USE_SSL      := $(call ac_header,openssl/ssl.h)
 USE_DIET     := $(call ac_binary,diet)
 endef
@@ -42,6 +43,13 @@ ifeq ($(USE_THREADS)-$(SYSTEM),yes-freeb
 CFLAGS	+= -DUSE_THREADS=1 -D_REENTRANT -pthread
 endif
 
+ifeq ($(USE_GNUTLS),yes)
+USE_SSL = no
+CFLAGS	+= -DUSE_GNUTLS=1
+OBJS	+= ssl.o
+LDLIBS	+= -lgnutls -lgcrypt
+endif
+
 
 # OpenSSL yes/no
 ifeq ($(USE_SSL),yes)
--- webfs-1.21+ds1/httpd.h.debian
+++ webfs-1.21+ds1/httpd.h
@@ -19,8 +19,23 @@
 #define STATE_CGI_BODY_OUT 12
 
 #ifdef USE_SSL
+
 # include <openssl/ssl.h>
-#endif
+
+#elif defined(USE_GNUTLS)
+
+# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
+
+# ifndef DH_PARAMS_LEN
+#   define DH_PARAMS_LEN	1024
+# endif
+
+# ifndef WEBFS_CIPHERS
+#   define WEBFS_CIPHERS	"NORMAL"
+# endif
+
+#endif /* USE_SSL or USE_GNUTLS */
 
 #define MAX_HEADER 4096
 #define MAX_PATH   2048
@@ -109,6 +124,8 @@ struct REQUEST {
 #ifdef USE_SSL
     /* SSL */
     SSL		*ssl_s;
+#elif defined(USE_GNUTLS)
+    gnutls_session_t	client_session;
 #endif
 
     /* linked list */
@@ -176,6 +193,13 @@ extern SSL_CTX  *ctx;
 extern BIO	*sbio, *ssl_bio;
 extern char     *certificate;
 extern char     *password;
+#elif defined(USE_GNUTLS)
+extern int      with_ssl;
+extern char     *certificate;
+extern char     *password;
+extern gnutls_certificate_credentials_t x509_cred;
+extern gnutls_dh_params_t dh_params;
+extern gnutls_priority_t tls_priority_cache;
 #endif
 
 void xperror(int loglevel, char *txt, char *peerhost);
@@ -189,7 +213,7 @@ static void inline close_on_exec(int fd)
 
 /* --- ssl.c ---------------------------------------------------- */
 
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 extern int ssl_read(struct REQUEST *req, char *buf, int len);
 extern int ssl_write(struct REQUEST *req, char *buf, int len);
 extern int ssl_blk_write(struct REQUEST *req, int offset, int len);
--- webfs-1.21+ds1/request.c.debian
+++ webfs-1.21+ds1/request.c
@@ -24,7 +24,7 @@ read_request(struct REQUEST *req, int pi
     char            *h;
 
  restart:
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
     if (with_ssl)
 	rc = ssl_read(req, req->hreq + req->hdata, MAX_HEADER - req->hdata);
     else
--- webfs-1.21+ds1/response.c.debian
+++ webfs-1.21+ds1/response.c
@@ -121,7 +121,7 @@ static ssize_t xsendfile(int out, int in
 
 /* ---------------------------------------------------------------------- */
 
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 
 static inline int wrap_xsendfile(struct REQUEST *req, off_t off, off_t bytes)
 {
--- webfs-1.21+ds1/ssl.c.debian
+++ webfs-1.21+ds1/ssl.c
@@ -3,10 +3,13 @@
 #include <string.h>
 #include <fcntl.h>
 #include <unistd.h>
+#include <errno.h>
 #include <sys/socket.h>
 
+#ifdef USE_SSL
 #include <openssl/err.h>
 #include <openssl/evp.h>
+#endif
 
 #include "httpd.h"
 
@@ -18,6 +21,23 @@ int ssl_read(struct REQUEST *req, char *
 {
     int rc;
 
+#ifdef USE_GNUTLS
+    memset(buf, 0, len);
+    while (1) {
+	rc = gnutls_record_recv(req->client_session, buf, len);
+	if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+	    continue;
+	break;
+    }
+    if (debug && (rc < 0)) {
+	fprintf(stderr, "%03d: gnutls read error: %s\n", req->fd,
+		    gnutls_strerror(rc));
+	/* An invalidating event has happened. Probably an
+	 * interrupted session. */
+	errno = EINVAL;
+	return -1;
+    }
+#elif defined(USE_SSL)
     ERR_clear_error();
     rc = SSL_read(req->ssl_s, buf, len);
     if (rc < 0  &&  SSL_get_error(req->ssl_s, rc) == SSL_ERROR_WANT_READ) {
@@ -36,6 +56,7 @@ int ssl_read(struct REQUEST *req, char *
 	errno = EIO;
 	return -1;
     }
+#endif
     return rc;
 }
 
@@ -43,6 +64,20 @@ int ssl_write(struct REQUEST *req, char 
 {
     int rc;
 
+#ifdef USE_GNUTLS
+    while (1) {
+	rc = gnutls_record_send(req->client_session, buf, len);
+	if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
+	    continue;
+	break;
+    }
+    if (debug && (rc < 0)) {
+	fprintf(stderr, "%03d: gnutls write error: %s\n", req->fd,
+		    gnutls_strerror(rc));
+	errno = EINVAL;
+	return -1;
+    }
+#elif defined(USE_SSL)
     ERR_clear_error();
     rc = SSL_write(req->ssl_s, buf, len);
     if (rc < 0 && SSL_get_error(req->ssl_s, rc) == SSL_ERROR_WANT_WRITE) {
@@ -61,6 +96,7 @@ int ssl_write(struct REQUEST *req, char 
 	errno = EIO;
 	return -1;
     }
+#endif
     return rc;
 }
 
@@ -86,6 +122,7 @@ int ssl_blk_write(struct REQUEST *req, i
     return ssl_write(req, buf, rc);
 }
 
+#if defined(USE_SSL) && !defined(USE_GNUTLS)
 static int password_cb(char *buf, int num, int rwflag, void *userdata)
 {
     if (NULL == password)
@@ -96,11 +133,44 @@ static int password_cb(char *buf, int nu
     strcpy(buf,password);
     return(strlen(buf));
 }
+#endif
 
 int init_ssl(void)
 {
     int rc;
 
+#ifdef USE_GNUTLS
+    DO_LOCK(lock_ssl);
+    gnutls_global_init();
+
+    gnutls_certificate_allocate_credentials(&x509_cred);
+    rc = gnutls_certificate_set_x509_key_file(x509_cred,
+                         certificate, certificate, GNUTLS_X509_FMT_PEM);
+    if (rc != GNUTLS_E_SUCCESS) {
+	fprintf(stderr, "GnuTLS certificate error [%s]\n",
+		gnutls_strerror(rc));
+	DO_UNLOCK(lock_ssl);
+	exit (1);
+    } else if (debug)
+	fprintf(stderr, "GnuTLS certificate load successful.\n");
+
+    gnutls_dh_params_init(&dh_params);
+    gnutls_dh_params_generate2(dh_params, DH_PARAMS_LEN);
+
+    rc = gnutls_priority_init(&tls_priority_cache, WEBFS_CIPHERS, NULL);
+    if (rc != GNUTLS_E_SUCCESS) {
+	fprintf(stderr, "Cipher priority error [%s]\nPriority string: %s\n",
+		gnutls_strerror(rc), WEBFS_CIPHERS);
+	DO_UNLOCK(lock_ssl);
+	exit (1);
+    } else if (debug)
+	fprintf(stderr, "Cipher type \"%s\" successful.\n", WEBFS_CIPHERS);
+
+    gnutls_certificate_set_dh_params(x509_cred, dh_params);
+    DO_UNLOCK(lock_ssl);
+    return rc;
+
+#elif defined(USE_SSL)
     OpenSSL_add_all_algorithms();
     SSL_load_error_strings();
     SSL_library_init();
@@ -137,10 +207,37 @@ int init_ssl(void)
 
     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
     return rc;
+#endif
 }
 
 int open_ssl_session(struct REQUEST *req)
 {
+#ifdef USE_GNUTLS
+    int rc;
+
+    DO_LOCK(lock_ssl);
+    rc = gnutls_init(&req->client_session, GNUTLS_SERVER);
+    if (rc != GNUTLS_E_SUCCESS) {
+	DO_UNLOCK(lock_ssl);
+	return rc;
+    }
+    rc = gnutls_priority_set(req->client_session, tls_priority_cache);
+    if (rc != GNUTLS_E_SUCCESS) {
+	gnutls_deinit(req->client_session);
+	DO_UNLOCK(lock_ssl);
+	return rc;
+    }
+    gnutls_credentials_set(req->client_session,
+                    GNUTLS_CRD_CERTIFICATE, x509_cred);
+    gnutls_certificate_server_set_request(req->client_session,
+                    GNUTLS_CERT_REQUEST);
+#if !defined(USE_TLS_NO_COMPATIBILITY)
+    gnutls_session_enable_compatibility_mode(req->client_session);
+#endif
+    DO_UNLOCK(lock_ssl);
+    return GNUTLS_E_SUCCESS;
+
+#elif defined(USE_SSL)
     DO_LOCK(lock_ssl);
     req->ssl_s = SSL_new(ctx);
     if (req->ssl_s == NULL) {
@@ -154,4 +251,5 @@ int open_ssl_session(struct REQUEST *req
     SSL_set_read_ahead(req->ssl_s, 0); /* to prevent unwanted buffering in ssl layer */
     DO_UNLOCK(lock_ssl);
     return 0;
+#endif
 }
--- webfs-1.21+ds1/webfsd.c.debian
+++ webfs-1.21+ds1/webfsd.c
@@ -23,6 +23,13 @@
 
 #include "httpd.h"
 
+#ifdef USE_GNUTLS
+#include <gcrypt.h>
+# if USE_THREADS
+   GCRY_THREAD_OPTION_PTHREAD_IMPL;
+# endif
+#endif /* USE_GNUTLS */
+
 /* ---------------------------------------------------------------------- */
 /* public variables - server configuration                                */
 
@@ -73,6 +80,13 @@ char	*password;
 int	with_ssl       = 0;
 SSL_CTX *ctx;
 BIO	*sbio, *ssl_bio;
+#elif defined(USE_GNUTLS)
+int      with_ssl      = 0;
+char     *certificate  = "server.pem";
+char     *password     = NULL;
+gnutls_certificate_credentials_t x509_cred;
+gnutls_priority_t tls_priority_cache;
+gnutls_dh_params_t dh_params;
 #endif
 
 /* ---------------------------------------------------------------------- */
@@ -132,10 +146,12 @@ usage(char *name)
 	    "           files (basic authentication)\n"
 	    "  -e sec   limit live span of files to sec\n"
 	    "           seconds (using expires header)\n"
-#ifdef USE_SSL
-	    "  -S       enable SSL mode\n"
-	    "  -C file  SSL-Certificate file                [%s]\n"
+#if defined(USE_SSL) || defined(USE_GNUTLS)
+	    "  -S       enable SSL/TLS mode\n"
+	    "  -C file  SSL-Certificate and key file        [%s]\n"
+#   if ! defined(USE_GNUTLS)
 	    "  -P pass  SSL-Certificate password\n"
+#   endif
 #endif
 	    "  -x dir   CGI script directory (relative to\n"
 	    "           document root)                      [%s]\n"
@@ -158,7 +174,7 @@ usage(char *name)
 	    logfile ? logfile : "none",
 	    mimetypes,
 	    pidfile ? pidfile : "none",
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 	    certificate,
 #endif
 	    cgipath ? cgipath : "none");
@@ -416,7 +432,7 @@ mainloop(void *thread_arg)
 	    case STATE_WRITE_RANGES:
 	    case STATE_CGI_BODY_OUT:
 		FD_SET(req->fd,&wr);
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 		if (with_ssl)
 		    FD_SET(req->fd,&rd);
 #endif
@@ -466,9 +482,49 @@ mainloop(void *thread_arg)
 		    curr_conn++;
 		    if (debug)
 			fprintf(stderr,"%03d: new request (%d)\n",req->fd,curr_conn);
-#ifdef USE_SSL
+#if defined(USE_SSL)
 		    if (with_ssl)
 			open_ssl_session(req);
+#elif defined(USE_GNUTLS)
+		    if (with_ssl) {
+			int rc, failure = 0;
+			rc = open_ssl_session(req);
+			if (rc != GNUTLS_E_SUCCESS) {
+			    if (debug)
+				fprintf(stderr, "%03d: session init: %s\n",
+					req->fd, gnutls_strerror(rc));
+			    failure = 1;
+			} else {
+			    gnutls_transport_set_ptr(req->client_session,
+					(gnutls_transport_ptr_t) req->fd);
+			    while (1) {
+				rc = gnutls_handshake(req->client_session);
+				if (rc == GNUTLS_E_SUCCESS)
+				    break;
+				if (rc == GNUTLS_E_AGAIN ||
+					rc == GNUTLS_E_INTERRUPTED) {
+				    /* Prevent overload, due to delayed
+				     * handshake on the client side. */
+				    usleep(5000);
+				    continue;
+				}
+				/* Failed handshake. */
+				if (debug)
+				    fprintf(stderr, "%03d: handshake: %s\n",
+					    req->fd, gnutls_strerror(rc));
+				gnutls_deinit(req->client_session);
+				failure = 1;
+				break;
+			    }
+			}
+			/* Common elimination of failed connection. */
+			if (failure) {
+			    close(req->fd);
+			    conns = req->next;
+			    free(req);
+			    req = NULL;
+			}
+		    }
 #endif
 		    /* Make sure the request has not been cancelled!
 		     * Otherwise just ignore it. */
@@ -511,7 +567,7 @@ mainloop(void *thread_arg)
 		    write_request(req);
 		    req->ping = now;
 		}
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 		if (with_ssl && FD_ISSET(req->fd,&rd)) {
 		    write_request(req);
 		    req->ping = now;
@@ -640,10 +696,17 @@ header_parsing:
 		if (logfh)
 		    access_log(req,now);
 		/* cleanup */
+#ifdef USE_GNUTLS
+		if (with_ssl && req->client_session)
+		    gnutls_bye(req->client_session, GNUTLS_SHUT_RDWR);
+#endif
 		close(req->fd);
 #ifdef USE_SSL
 		if (with_ssl)
 		    SSL_free(req->ssl_s);
+#elif defined(USE_GNUTLS)
+		if (with_ssl && (req->fd >=0))
+		    gnutls_deinit(req->client_session);
 #endif
 		if (req->bfd != -1)
 		    close(req->bfd);
@@ -695,6 +758,14 @@ main(int argc, char *argv[])
     char serv[16];
     char mypid[12];
 
+#ifdef USE_GNUTLS
+    /* Avoid using '/dev/random' since it blocks reading. */
+    gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+#  if USE_THREADS
+    gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+#  endif
+#endif /* USE_GNUTLS */
+
     uid  = getuid();
     euid = geteuid();
     if (uid != euid)
@@ -804,7 +875,7 @@ main(int argc, char *argv[])
 	    nthreads = atoi(optarg);
 	    break;
 #endif
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 	case 'S':
 	    with_ssl++;
 	    break;
@@ -829,6 +900,11 @@ main(int argc, char *argv[])
     if (usesyslog)
 	syslog_init();
 
+#ifdef USE_GNUTLS
+    if (with_ssl)
+	init_ssl();
+#endif
+
     /* bind to socket */
     slisten = -1;
     memset(&ask,0,sizeof(ask));
@@ -957,7 +1033,7 @@ main(int argc, char *argv[])
 	fprintf(stderr,
 		"http server started\n"
 		"  ipv6  : %s\n"
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 	        "  ssl   : %s\n"
 #endif
 		"  node  : %s\n"
@@ -967,7 +1043,7 @@ main(int argc, char *argv[])
 		"  user  : %s\n"
 		"  group : %s\n",
 		res->ai_family == PF_INET6 ? "yes" : "no",
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_GNUTLS)
 		with_ssl ? "yes" : "no",
 #endif
 		server_host,host,tcp_port,doc_root,user,group);
@@ -1022,9 +1098,16 @@ main(int argc, char *argv[])
 #endif
     mainloop(NULL);
     
-#ifdef USE_SSL
-    if (with_ssl)
+#if defined(USE_SSL) || defined(USE_GNUTLS)
+    if (with_ssl) {
+# if defined(USE_GNUTLS)
+	gnutls_certificate_free_credentials(x509_cred);
+	gnutls_priority_deinit(tls_priority_cache);
+	gnutls_global_deinit();
+# else /* USE_SSL */
 	SSL_CTX_free(ctx);
+# endif
+    }
 #endif
     if (logfh)
 	fclose(logfh);
--- webfs-1.21+ds1/webfsd.man.debian
+++ webfs-1.21+ds1/webfsd.man
@@ -130,12 +130,12 @@
 .B -S
 \fBS\fPecure web server mode. Warning: This mode is strictly for https.
 .TP
-.B -C
+.B -C path
 File to use as SSL \fBc\fPertificate. This file must be in chained PEM
-format, first the privat RSA key, followed by the certificate.
-.TP
-.B -P
-\fBP\fPassword for accessing the SSL certificate.
+format, containing both privat RSA key and corresponding certificate.
+.\".TP
+.\".B -P
+.\"\fBP\fPassword for accessing the SSL certificate.
 .P
 Webfsd can be installed suid root (although the default install
 isn't suid root).  This allows users to start webfsd chroot()ed