source: mod_gnutls/debian/patches/enable-tls-per-connection.patch @ 8ed8e96

Last change on this file since 8ed8e96 was 8ed8e96, checked in by Daniel Kahn Gillmor <dkg@…>, 5 years ago

committing NMU 0.6-1.4 (thanks, Thomas!)

[8ed8e96]1From e8acf058857eae21cde2fca0f4e97338075f5f60 Mon Sep 17 00:00:00 2001
2From: Thomas Klute <thomas2.klute@uni-dortmund.de>
3Date: Tue, 20 Jan 2015 16:30:36 +0100
4Subject: [PATCH] Enable/disable TLS per connection in ssl_engine_disable
5
6Previously, ssl_engine_disable set the server wide variable sc->enabled
7to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any
8connection, including incoming client connections. The general HTTP
9handler cannot process raw TLS traffic, so all further requests using
10TLS failed.
11
12This commit adds a new element "enabled" to struct mgs_handle_t, which
13is used to disable TLS per connection, making it possible to disable TLS
14for proxy back end connections while continuing to serve TLS clients.
15---
16 include/mod_gnutls.h.in |  2 ++
17 src/gnutls_hooks.c      | 50 +++++++++++++++++++++++++++++++------------------
18 src/mod_gnutls.c        | 23 +++++++++++++++++++----
19 3 files changed, 53 insertions(+), 22 deletions(-)
20
21Index: mod-gnutls-0.6/include/mod_gnutls.h.in
22===================================================================
23--- mod-gnutls-0.6.orig/include/mod_gnutls.h.in
24+++ mod-gnutls-0.6/include/mod_gnutls.h.in
25@@ -170,6 +170,8 @@ typedef struct {
26     mgs_srvconf_rec *sc;
27        /* Connection record */
28     conn_rec* c;
29+       /* Is TLS enabled for this connection? */
30+    int enabled;
31        /* GnuTLS Session handle */
32     gnutls_session_t session;
33        /* module input status */
34Index: mod-gnutls-0.6/src/gnutls_hooks.c
35===================================================================
36--- mod-gnutls-0.6.orig/src/gnutls_hooks.c
37+++ mod-gnutls-0.6/src/gnutls_hooks.c
38@@ -674,14 +674,23 @@ mgs_srvconf_rec *mgs_find_sni_server(gnu
39     return NULL;
40 }
41 
42-static void create_gnutls_handle(conn_rec * c) {
43-    mgs_handle_t *ctxt;
44-    /* Get mod_gnutls Configuration Record */
45-    mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
46-            ap_get_module_config(c->base_server->module_config,&gnutls_module);
47+static void create_gnutls_handle(conn_rec * c)
48+{
49+    /* Get mod_gnutls server configuration */
50+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
51+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
52 
53     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
54-    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
55+
56+    /* Get connection specific configuration */
57+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
58+    if (ctxt == NULL)
59+    {
60+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
61+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
62+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
63+    }
64+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
65     ctxt->c = c;
66     ctxt->sc = sc;
67     ctxt->status = 0;
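Review bot: The lookup-or-allocate sequence from `mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);` through `ap_set_module_config(c->conn_config, &gnutls_module, ctxt);` is repeated verbatim in ssl_engine_disable in src/mod_gnutls.c (last hunk of this patch); since the two live in different translation units, a non-static `mgs_handle_t *mgs_get_conn_handle(conn_rec *c)` declared in include/mod_gnutls.h.in would keep the allocation and its debug message in one place. The following `ctxt->enabled = GNUTLS_ENABLED_TRUE;` is unconditional, so on a reused handle it would overwrite a GNUTLS_ENABLED_FALSE left by ssl_engine_disable; that is only safe while mgs_hook_pre_connection is the sole caller and declines first, which the hunk does not show, so a comment such as `/* callers must have checked ctxt->enabled before reaching this point */` would pin that assumption. create_gnutls_handle continues past the end of the hunk.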
68@@ -692,6 +701,7 @@ static void create_gnutls_handle(conn_re
69     ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
70     ctxt->output_blen = 0;
71     ctxt->output_length = 0;
72+
73     /* Initialize GnuTLS Library */
74     gnutls_init(&ctxt->session, GNUTLS_SERVER);
75     /* Initialize Session Tickets */
76@@ -707,8 +717,6 @@ static void create_gnutls_handle(conn_re
77     /* Initialize Session Cache */
78     mgs_cache_session_init(ctxt);
79 
80-    /* Set this config for this connection */
81-    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
82     /* Set pull, push & ptr functions */
83     gnutls_transport_set_pull_function(ctxt->session,
84             mgs_transport_read);
85@@ -722,15 +730,20 @@ static void create_gnutls_handle(conn_re
86             ctxt, NULL, c);
87 }
88 
89-int mgs_hook_pre_connection(conn_rec * c, void *csd) {
90-    mgs_srvconf_rec *sc;
91-
92+int mgs_hook_pre_connection(conn_rec * c, void *csd)
93+{
94     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
95 
96-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
97-            &gnutls_module);
98-
99-    if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
100+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
101+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
102+    mgs_handle_t *ctxt = (mgs_handle_t *)
103+        ap_get_module_config(c->conn_config, &gnutls_module);
104+
105+    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
106+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
107+    {
108+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
109+                      __func__);
110         return DECLINED;
111     }
112 
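Review bot: The new decline condition tests `ctxt->enabled == GNUTLS_ENABLED_FALSE`, whereas the mgs_hook_fixups hunk that follows tests `ctxt->enabled != GNUTLS_ENABLED_TRUE`; the two disagree for any value that is neither constant, which is what a zero-filled apr_pcalloc handle holds if neither enum value is 0 (the enum definition is not in this patch). Since this hook decides whether the TLS filters get installed at all, the fail-closed form is preferable here too: `|| (ctxt && ctxt->enabled != GNUTLS_ENABLED_TRUE))`. As far as the patch shows, every path that creates a handle sets `enabled` explicitly, so this should not change behaviour on existing paths. mgs_hook_pre_connection continues past the hunk.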
113@@ -752,11 +765,12 @@ int mgs_hook_fixups(request_rec * r) {
114     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
115     apr_table_t *env = r->subprocess_env;
116 
117-    ctxt =
118-            ap_get_module_config(r->connection->conn_config,
119-            &gnutls_module);
120+    ctxt = ap_get_module_config(r->connection->conn_config,
121+                                &gnutls_module);
122 
123-    if (!ctxt || ctxt->session == NULL) {
124+    if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
125+    {
126+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
127         return DECLINED;
128     }
129 
130Index: mod-gnutls-0.6/src/mod_gnutls.c
131===================================================================
132--- mod-gnutls-0.6.orig/src/mod_gnutls.c
133+++ mod-gnutls-0.6/src/mod_gnutls.c
134@@ -19,8 +19,12 @@
135 
136 #include "mod_gnutls.h"
137 
138-static void gnutls_hooks(apr_pool_t * p) {
139+#ifdef APLOG_USE_MODULE
140+APLOG_USE_MODULE(gnutls);
141+#endif
142 
143+static void gnutls_hooks(apr_pool_t * p)
144+{
145     /* Try Run Post-Config Hook After mod_proxy */
146     static const char * const aszPre[] = { "mod_proxy.c", NULL };
147     ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST);
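Review bot: `APLOG_USE_MODULE(gnutls)` is added to src/mod_gnutls.c only, but most of the ap_log_cerror/ap_log_rerror calls this patch introduces are in src/gnutls_hooks.c (create_gnutls_handle, mgs_hook_pre_connection, mgs_hook_fixups). On httpd 2.4 the macro attributes log messages to the module only within the translation unit it appears in, so, if I read the API right, a per-module `LogLevel gnutls:debug` would not select those messages unless gnutls_hooks.c carries the same guarded declaration. A comment on the guard would also help readers on older builds: `/* httpd >= 2.4 only: attribute log messages to this module so LogLevel can select them */`.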
148@@ -74,18 +78,29 @@ int ssl_is_https(conn_rec *c) {
149     return 1;
150 }
151 
152-int ssl_engine_disable(conn_rec *c) {
153+int ssl_engine_disable(conn_rec *c)
154+{
155     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
156-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
157+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
158     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
159         return 1;
160     }
161+
162+    /* disable TLS for this connection */
163+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
164+    if (ctxt == NULL)
165+    {
166+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
167+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
168+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
169+    }
170+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
171+
172     if (c->input_filters)
173         ap_remove_input_filter(c->input_filters);
174     if (c->output_filters)
175         ap_remove_output_filter(c->output_filters);
176     mgs_cleanup_pre_config(c->pool);
177-    sc->enabled = 0;
178     return 1;
179 }
180 
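Review bot: `sc` is dereferenced at `if(sc->enabled == GNUTLS_ENABLED_FALSE)` without a NULL check, while mgs_hook_pre_connection in this same patch guards the identical lookup with `sc &&`; if the guard is needed there it is needed here as well, e.g. `if (sc == NULL || sc->enabled == GNUTLS_ENABLED_FALSE) {`. The function also returns 1 on every path, so a header comment should state that the return value is not a success indicator, otherwise a caller may read it as one.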