source: mod_gnutls/debian/patches/enable-tls-per-connection.patch @ 8ed8e96

debian/masterdebian/stretch-backportsjessie-backports
Last change on this file since 8ed8e96 was 8ed8e96, checked in by Daniel Kahn Gillmor <dkg@…>, 4 years ago

committing NMU 0.6-1.4 (thanks, Thomas!)
  • Property mode set to 100644
File size: 6.7 KB

  • include/mod_gnutls.h.in 

    From e8acf058857eae21cde2fca0f4e97338075f5f60 Mon Sep 17 00:00:00 2001
From: Thomas Klute <thomas2.klute@uni-dortmund.de>
Date: Tue, 20 Jan 2015 16:30:36 +0100
Subject: [PATCH] Enable/disable TLS per connection in ssl_engine_disable

Previously, ssl_engine_disable set the server wide variable sc->enabled
to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any
connection, including incoming client connections. The general HTTP
handler cannot process raw TLS traffic, so all further requests using
TLS failed.

This commit adds a new element "enabled" to struct mgs_handle_t, which
is used to disable TLS per connection, making it possible to disable TLS
for proxy back end connections while continuing to serve TLS clients.
---
 include/mod_gnutls.h.in |  2 ++
 src/gnutls_hooks.c      | 50 +++++++++++++++++++++++++++++++------------------
 src/mod_gnutls.c        | 23 +++++++++++++++++++----
 3 files changed, 53 insertions(+), 22 deletions(-)
    old new typedef struct { 
    170170    mgs_srvconf_rec *sc;
    171171        /* Connection record */
    172172    conn_rec* c;
     173        /* Is TLS enabled for this connection? */
     174    int enabled;
    173175        /* GnuTLS Session handle */
    174176    gnutls_session_t session;
    175177        /* module input status */

  • src/gnutls_hooks.c

    old new mgs_srvconf_rec *mgs_find_sni_server(gnu 
    674674    return NULL;
    675675}
    676676
    677 static void create_gnutls_handle(conn_rec * c) {
    678     mgs_handle_t *ctxt;
    679     /* Get mod_gnutls Configuration Record */
    680     mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
    681             ap_get_module_config(c->base_server->module_config,&gnutls_module);
     677static void create_gnutls_handle(conn_rec * c)
     678{
     679    /* Get mod_gnutls server configuration */
     680    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     681            ap_get_module_config(c->base_server->module_config, &gnutls_module);
    682682
    683683    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    684     ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
     684
     685    /* Get connection specific configuration */
     686    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
     687    if (ctxt == NULL)
     688    {
     689        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
     690        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
     691        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
     692    }
     693    ctxt->enabled = GNUTLS_ENABLED_TRUE;
    685694    ctxt->c = c;
    686695    ctxt->sc = sc;
    687696    ctxt->status = 0;
    static void create_gnutls_handle(conn_re 
    692701    ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc);
    693702    ctxt->output_blen = 0;
    694703    ctxt->output_length = 0;
     704
    695705    /* Initialize GnuTLS Library */
    696706    gnutls_init(&ctxt->session, GNUTLS_SERVER);
    697707    /* Initialize Session Tickets */
    static void create_gnutls_handle(conn_re 
    707717    /* Initialize Session Cache */
    708718    mgs_cache_session_init(ctxt);
    709719
    710     /* Set this config for this connection */
    711     ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    712720    /* Set pull, push & ptr functions */
    713721    gnutls_transport_set_pull_function(ctxt->session,
    714722            mgs_transport_read);
    static void create_gnutls_handle(conn_re 
    722730            ctxt, NULL, c);
    723731}
    724732
    725 int mgs_hook_pre_connection(conn_rec * c, void *csd) {
    726     mgs_srvconf_rec *sc;
    727 
     733int mgs_hook_pre_connection(conn_rec * c, void *csd)
     734{
    728735    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    729736
    730     sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
    731             &gnutls_module);
    732 
    733     if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
     737    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     738        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     739    mgs_handle_t *ctxt = (mgs_handle_t *)
     740        ap_get_module_config(c->conn_config, &gnutls_module);
     741
     742    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
     743        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
     744    {
     745        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
     746                      __func__);
    734747        return DECLINED;
    735748    }
    736749
    int mgs_hook_fixups(request_rec * r) { 
    752765    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
    753766    apr_table_t *env = r->subprocess_env;
    754767
    755     ctxt =
    756             ap_get_module_config(r->connection->conn_config,
    757             &gnutls_module);
     768    ctxt = ap_get_module_config(r->connection->conn_config,
     769                                &gnutls_module);
    758770
    759     if (!ctxt || ctxt->session == NULL) {
     771    if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
     772    {
     773        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
    760774        return DECLINED;
    761775    }
    762776

  • src/mod_gnutls.c

    old new  
    1919
    2020#include "mod_gnutls.h"
    2121
    22 static void gnutls_hooks(apr_pool_t * p) {
     22#ifdef APLOG_USE_MODULE
     23APLOG_USE_MODULE(gnutls);
     24#endif
    2325
     26static void gnutls_hooks(apr_pool_t * p)
     27{
    2428    /* Try Run Post-Config Hook After mod_proxy */
    2529    static const char * const aszPre[] = { "mod_proxy.c", NULL };
    2630    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST);
    int ssl_is_https(conn_rec *c) { 
    7478    return 1;
    7579}
    7680
    77 int ssl_engine_disable(conn_rec *c) {
     81int ssl_engine_disable(conn_rec *c)
     82{
    7883    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    79             ap_get_module_config(c->base_server->module_config, &gnutls_module);
     84        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    8085    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
    8186        return 1;
    8287    }
     88
     89    /* disable TLS for this connection */
     90    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
     91    if (ctxt == NULL)
     92    {
     93        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
     94        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
     95        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
     96    }
     97    ctxt->enabled = GNUTLS_ENABLED_FALSE;
     98
    8399    if (c->input_filters)
    84100        ap_remove_input_filter(c->input_filters);
    85101    if (c->output_filters)
    86102        ap_remove_output_filter(c->output_filters);
    87103    mgs_cleanup_pre_config(c->pool);
    88     sc->enabled = 0;
    89104    return 1;
    90105}
    91106
Note: See TracBrowser for help on using the repository browser.