source: mod_gnutls/debian/patches/enable-tls-per-connection.patch @ 037760e

Last change on this file since 037760e was 2db6923, checked in by Daniel Kahn Gillmor <dkg@…>, 5 years ago

refresh patches with gbp pq

[8ed8e96]1From: Thomas Klute <thomas2.klute@uni-dortmund.de>
2Date: Tue, 20 Jan 2015 16:30:36 +0100
[2db6923]3Subject: Enable/disable TLS per connection in ssl_engine_disable
[8ed8e96]4
5Previously, ssl_engine_disable set the server wide variable sc->enabled
6to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any
7connection, including incoming client connections. The general HTTP
8handler cannot process raw TLS traffic, so all further requests using
9TLS failed.
10
11This commit adds a new element "enabled" to struct mgs_handle_t, which
12is used to disable TLS per connection, making it possible to disable TLS
13for proxy back end connections while continuing to serve TLS clients.
14---
15 include/mod_gnutls.h.in |  2 ++
16 src/gnutls_hooks.c      | 50 +++++++++++++++++++++++++++++++------------------
17 src/mod_gnutls.c        | 23 +++++++++++++++++++----
18 3 files changed, 53 insertions(+), 22 deletions(-)
19
[2db6923]20diff --git a/include/mod_gnutls.h.in b/include/mod_gnutls.h.in
21index 57aa52e..eba4cb2 100644
22--- a/include/mod_gnutls.h.in
23+++ b/include/mod_gnutls.h.in
[8ed8e96]24@@ -170,6 +170,8 @@ typedef struct {
25     mgs_srvconf_rec *sc;
26        /* Connection record */
27     conn_rec* c;
28+       /* Is TLS enabled for this connection? */
29+    int enabled;
30        /* GnuTLS Session handle */
31     gnutls_session_t session;
32        /* module input status */
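Review bot: The new `enabled` field's comment does not say which values it takes or who sets them, which matters because this patch makes it the per-connection switch that both hook paths consult. Suggest replacing the one-liner with `/* Is TLS enabled for this connection? GNUTLS_ENABLED_TRUE is set by create_gnutls_handle(); GNUTLS_ENABLED_FALSE by ssl_engine_disable() (e.g. for proxy back end connections). */` so a reader of the header does not have to find the two writers. The struct continues outside this hunk.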
[2db6923]33diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
34index e6e7a67..9ba4ca1 100644
35--- a/src/gnutls_hooks.c
36+++ b/src/gnutls_hooks.c
37@@ -674,14 +674,23 @@ mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) {
[8ed8e96]38     return NULL;
39 }
40 
41-static void create_gnutls_handle(conn_rec * c) {
42-    mgs_handle_t *ctxt;
43-    /* Get mod_gnutls Configuration Record */
44-    mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
45-            ap_get_module_config(c->base_server->module_config,&gnutls_module);
46+static void create_gnutls_handle(conn_rec * c)
47+{
48+    /* Get mod_gnutls server configuration */
49+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
50+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
51 
52     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
53-    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
54+
55+    /* Get connection specific configuration */
56+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
57+    if (ctxt == NULL)
58+    {
59+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
60+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
61+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
62+    }
63+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
64     ctxt->c = c;
65     ctxt->sc = sc;
66     ctxt->status = 0;
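Review bot: `ctxt->enabled = GNUTLS_ENABLED_TRUE` is assigned unconditionally, so a handle that ssl_engine_disable() has already marked GNUTLS_ENABLED_FALSE is silently re-enabled if this function is ever reached for it; that appears safe only because mgs_hook_pre_connection() declines such connections first, and nothing here records that dependence. Likewise, once an existing handle can be reused, the `gnutls_init(&ctxt->session, GNUTLS_SERVER)` visible in the following hunk would overwrite any session already stored in the handle without a gnutls_deinit(). Suggest a comment above the assignment, `/* Callers must have checked ctxt->enabled; reaching here marks the connection as TLS. */`, and a guard `if (ctxt->session != NULL) gnutls_deinit(ctxt->session);` before the init. The function's body continues past the end of this hunk.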
[2db6923]67@@ -692,6 +701,7 @@ static void create_gnutls_handle(conn_rec * c) {
[8ed8e96]68     ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
69     ctxt->output_blen = 0;
70     ctxt->output_length = 0;
71+
72     /* Initialize GnuTLS Library */
73     gnutls_init(&ctxt->session, GNUTLS_SERVER);
74     /* Initialize Session Tickets */
[2db6923]75@@ -707,8 +717,6 @@ static void create_gnutls_handle(conn_rec * c) {
[8ed8e96]76     /* Initialize Session Cache */
77     mgs_cache_session_init(ctxt);
78 
79-    /* Set this config for this connection */
80-    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
81     /* Set pull, push & ptr functions */
82     gnutls_transport_set_pull_function(ctxt->session,
83             mgs_transport_read);
[2db6923]84@@ -722,15 +730,20 @@ static void create_gnutls_handle(conn_rec * c) {
[8ed8e96]85             ctxt, NULL, c);
86 }
87 
88-int mgs_hook_pre_connection(conn_rec * c, void *csd) {
89-    mgs_srvconf_rec *sc;
90-
91+int mgs_hook_pre_connection(conn_rec * c, void *csd)
92+{
93     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
94 
95-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
96-            &gnutls_module);
97+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
98+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
99+    mgs_handle_t *ctxt = (mgs_handle_t *)
100+        ap_get_module_config(c->conn_config, &gnutls_module);
[2db6923]101 
102-    if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
[8ed8e96]103+    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
104+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
105+    {
106+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
107+                      __func__);
108         return DECLINED;
109     }
110 
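Review bot: The three decline reasons (server-wide `!sc->enabled`, `sc->proxy_enabled`, and the new per-connection `ctxt->enabled == GNUTLS_ENABLED_FALSE`) all collapse into the single `%s declined connection` debug line, which makes the new per-connection path indistinguishable from the old server-wide one when debugging exactly the proxy situation this patch addresses. Consider separate branches, or extending the message to `"%s declined connection (server %s, proxy %s, connection %s)"` with the three states spelled out so the log shows which condition fired. Note also that a NULL `sc` is not a decline reason here, so execution falls through to the rest of the function with `sc == NULL`; that part of mgs_hook_pre_connection() is outside this hunk, so whether it dereferences `sc` cannot be confirmed from the patch.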
111@@ -752,11 +765,12 @@ int mgs_hook_fixups(request_rec * r) {
112     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
113     apr_table_t *env = r->subprocess_env;
114 
115-    ctxt =
116-            ap_get_module_config(r->connection->conn_config,
117-            &gnutls_module);
118+    ctxt = ap_get_module_config(r->connection->conn_config,
119+                                &gnutls_module);
120 
121-    if (!ctxt || ctxt->session == NULL) {
122+    if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
123+    {
124+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
125         return DECLINED;
126     }
127 
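Review bot: The added `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);` runs past 80 columns, while the rest of the patch (for example the `ap_log_cerror` call in mgs_hook_pre_connection) wraps its log calls to fit; the same applies to the two `"%s: allocating connection memory"` lines elsewhere in the patch. Wrapping the argument list after `r,` would keep the file's line-length convention consistent. The function starts outside this hunk.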
[2db6923]128diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
129index 0a32ffd..e974ae8 100644
130--- a/src/mod_gnutls.c
131+++ b/src/mod_gnutls.c
[8ed8e96]132@@ -19,8 +19,12 @@
133 
134 #include "mod_gnutls.h"
135 
136-static void gnutls_hooks(apr_pool_t * p) {
137+#ifdef APLOG_USE_MODULE
138+APLOG_USE_MODULE(gnutls);
139+#endif
140 
141+static void gnutls_hooks(apr_pool_t * p)
142+{
143     /* Try Run Post-Config Hook After mod_proxy */
144     static const char * const aszPre[] = { "mod_proxy.c", NULL };
145     ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST);
146@@ -74,18 +78,29 @@ int ssl_is_https(conn_rec *c) {
147     return 1;
148 }
149 
150-int ssl_engine_disable(conn_rec *c) {
151+int ssl_engine_disable(conn_rec *c)
152+{
153     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
154-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
155+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
156     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
157         return 1;
158     }
159+
160+    /* disable TLS for this connection */
161+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
162+    if (ctxt == NULL)
163+    {
164+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
165+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
166+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
167+    }
168+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
169+
170     if (c->input_filters)
171         ap_remove_input_filter(c->input_filters);
172     if (c->output_filters)
173         ap_remove_output_filter(c->output_filters);
174     mgs_cleanup_pre_config(c->pool);
175-    sc->enabled = 0;
176     return 1;
177 }
178 
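Review bot: Marking the handle with `ctxt->enabled = GNUTLS_ENABLED_FALSE` leaves `ctxt->session` untouched, so if ssl_engine_disable() is called after create_gnutls_handle() has already run for this connection (the hook order is not visible in the patch) the GnuTLS session stays allocated, and the two `ap_remove_*_filter(c->*_filters)` calls remove whichever filter happens to be first in each chain rather than the mod_gnutls ones. Consider `if (ctxt->session) { gnutls_deinit(ctxt->session); ctxt->session = NULL; }` after setting the flag, and removing the mod_gnutls filters by name instead of by chain head. The get-or-allocate block is a copy of the one added to create_gnutls_handle(); a shared `mgs_handle_t *mgs_get_handle(conn_rec *c)` helper would keep the two in step. The pre-existing early `return 1` on `sc->enabled == GNUTLS_ENABLED_FALSE` also dereferences `sc` without the NULL check that mgs_hook_pre_connection() performs.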