mod_gnutls/debian/patches/enable-tls-per-connection.patch
include/mod_gnutls.h.in
From e8acf058857eae21cde2fca0f4e97338075f5f60 Mon Sep 17 00:00:00 2001 From: Thomas Klute <thomas2.klute@uni-dortmund.de> Date: Tue, 20 Jan 2015 16:30:36 +0100 Subject: [PATCH] Enable/disable TLS per connection in ssl_engine_disable Previously, ssl_engine_disable set the server wide variable sc->enabled to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any connection, including incoming client connections. The general HTTP handler cannot process raw TLS traffic, so all further requests using TLS failed. This commit adds a new element "enabled" to struct mgs_handle_t, which is used to disable TLS per connection, making it possible to disable TLS for proxy back end connections while continuing to serve TLS clients. --- include/mod_gnutls.h.in | 2 ++ src/gnutls_hooks.c | 50 +++++++++++++++++++++++++++++++------------------ src/mod_gnutls.c | 23 +++++++++++++++++++---- 3 files changed, 53 insertions(+), 22 deletions(-)
old new typedef struct { 170 170 mgs_srvconf_rec *sc; 171 171 /* Connection record */ 172 172 conn_rec* c; 173 /* Is TLS enabled for this connection? */ 174 int enabled; 173 175 /* GnuTLS Session handle */ 174 176 gnutls_session_t session; 175 177 /* module input status */ -
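Review bot: The comment on the new `enabled` member (new line 173) does not say which values it holds or what an unassigned value means, which matters because both create_gnutls_handle and ssl_engine_disable obtain the struct from apr_pcalloc, i.e. zero-filled, and only then assign it. I would expand it to `/* Is TLS enabled for this connection? Holds GNUTLS_ENABLED_TRUE or GNUTLS_ENABLED_FALSE; set by create_gnutls_handle() and ssl_engine_disable(). */`. If neither constant is 0 (the patch does not show their values), a freshly allocated context is in neither state, so every reader of the field must agree on how it treats that case. The enclosing typedef struct starts and ends outside the hunk.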
src/gnutls_hooks.c
old new mgs_srvconf_rec *mgs_find_sni_server(gnu 674 674 return NULL; 675 675 } 676 676 677 static void create_gnutls_handle(conn_rec * c) {678 mgs_handle_t *ctxt; 679 /* Get mod_gnutls Configuration Record*/680 mgs_srvconf_rec *sc = (mgs_srvconf_rec *)681 ap_get_module_config(c->base_server->module_config, &gnutls_module);677 static void create_gnutls_handle(conn_rec * c) 678 { 679 /* Get mod_gnutls server configuration */ 680 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 681 ap_get_module_config(c->base_server->module_config, &gnutls_module); 682 682 683 683 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 684 ctxt = apr_pcalloc(c->pool, sizeof (*ctxt)); 684 685 /* Get connection specific configuration */ 686 mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module); 687 if (ctxt == NULL) 688 { 689 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__); 690 ctxt = apr_pcalloc(c->pool, sizeof (*ctxt)); 691 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 692 } 693 ctxt->enabled = GNUTLS_ENABLED_TRUE; 685 694 ctxt->c = c; 686 695 ctxt->sc = sc; 687 696 ctxt->status = 0; … … static void create_gnutls_handle(conn_re 692 701 ctxt->output_bb = apr_brigade_create(c->pool, c->bucket_alloc); 693 702 ctxt->output_blen = 0; 694 703 ctxt->output_length = 0; 704 695 705 /* Initialize GnuTLS Library */ 696 706 gnutls_init(&ctxt->session, GNUTLS_SERVER); 697 707 /* Initialize Session Tickets */ … … static void create_gnutls_handle(conn_re 707 717 /* Initialize Session Cache */ 708 718 mgs_cache_session_init(ctxt); 709 719 710 /* Set this config for this connection */711 ap_set_module_config(c->conn_config, &gnutls_module, ctxt);712 720 /* Set pull, push & ptr functions */ 713 721 gnutls_transport_set_pull_function(ctxt->session, 714 722 mgs_transport_read); … … static void create_gnutls_handle(conn_re 722 730 ctxt, NULL, c); 723 731 } 724 732 725 int mgs_hook_pre_connection(conn_rec * c, void 
*csd) { 726 mgs_srvconf_rec *sc; 727 733 int mgs_hook_pre_connection(conn_rec * c, void *csd) 734 { 728 735 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 729 736 730 sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config, 731 &gnutls_module); 732 733 if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) { 737 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 738 ap_get_module_config(c->base_server->module_config, &gnutls_module); 739 mgs_handle_t *ctxt = (mgs_handle_t *) 740 ap_get_module_config(c->conn_config, &gnutls_module); 741 742 if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) 743 || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE)) 744 { 745 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection", 746 __func__); 734 747 return DECLINED; 735 748 } 736 749 … … int mgs_hook_fixups(request_rec * r) { 752 765 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__); 753 766 apr_table_t *env = r->subprocess_env; 754 767 755 ctxt = 756 ap_get_module_config(r->connection->conn_config, 757 &gnutls_module); 768 ctxt = ap_get_module_config(r->connection->conn_config, 769 &gnutls_module); 758 770 759 if (!ctxt || ctxt->session == NULL) { 771 if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL) 772 { 773 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__); 760 774 return DECLINED; 761 775 } 762 776 -
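Review bot: mgs_hook_pre_connection and mgs_hook_fixups test the new per-connection flag with opposite polarity: the former declines only on `ctxt->enabled == GNUTLS_ENABLED_FALSE` (new line 743), the latter declines on `ctxt->enabled != GNUTLS_ENABLED_TRUE` (new line 771). A context that exists but has not yet been assigned either constant (apr_pcalloc leaves the field 0, and this patch does not show whether 0 equals one of the two constants) is therefore treated as TLS-enabled by one hook and TLS-disabled by the other. Pick one convention for both; if the intent is that anything other than an explicit enable means "no TLS", the pre_connection condition becomes `|| (ctxt && ctxt->enabled != GNUTLS_ENABLED_TRUE)`, which is safe only if no path other than ssl_engine_disable attaches a context before create_gnutls_handle runs — I cannot confirm that from the hunk. The body of mgs_hook_fixups continues outside the hunk.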
src/mod_gnutls.c
old new 19 19 20 20 #include "mod_gnutls.h" 21 21 22 static void gnutls_hooks(apr_pool_t * p) { 22 #ifdef APLOG_USE_MODULE 23 APLOG_USE_MODULE(gnutls); 24 #endif 23 25 26 static void gnutls_hooks(apr_pool_t * p) 27 { 24 28 /* Try Run Post-Config Hook After mod_proxy */ 25 29 static const char * const aszPre[] = { "mod_proxy.c", NULL }; 26 30 ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST); … … int ssl_is_https(conn_rec *c) { 74 78 return 1; 75 79 } 76 80 77 int ssl_engine_disable(conn_rec *c) { 81 int ssl_engine_disable(conn_rec *c) 82 { 78 83 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 79 84 ap_get_module_config(c->base_server->module_config, &gnutls_module); 80 85 if(sc->enabled == GNUTLS_ENABLED_FALSE) { 81 86 return 1; 82 87 } 88 89 /* disable TLS for this connection */ 90 mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module); 91 if (ctxt == NULL) 92 { 93 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__); 94 ctxt = apr_pcalloc(c->pool, sizeof (*ctxt)); 95 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 96 } 97 ctxt->enabled = GNUTLS_ENABLED_FALSE; 98 83 99 if (c->input_filters) 84 100 ap_remove_input_filter(c->input_filters); 85 101 if (c->output_filters) 86 102 ap_remove_output_filter(c->output_filters); 87 103 mgs_cleanup_pre_config(c->pool); 88 sc->enabled = 0;89 104 return 1; 90 105 } 91 106
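Review bot: The lookup-or-allocate block for the per-connection mgs_handle_t in ssl_engine_disable (new lines 90-96) is a verbatim copy of the one added to create_gnutls_handle in src/gnutls_hooks.c (new lines 686-692), down to the log message; two copies of the same allocation logic will drift apart, and the apr_pcalloc default for `enabled` is then something each copy has to get right on its own. I would move it into one small helper exported from mod_gnutls.h.in and call it from both places. Note also that `sc` is dereferenced on the unchanged line 85 without a NULL check, whereas mgs_hook_pre_connection guards `sc &&` — pre-existing, but worth aligning while touching this function.
```c
/* Return the per-connection mod_gnutls context, allocating a zero-filled one
 * and attaching it to c if none exists yet. Needs a prototype in
 * mod_gnutls.h.in so that gnutls_hooks.c can use it too. */
mgs_handle_t *mgs_get_or_create_ctxt(conn_rec *c)
{
    mgs_handle_t *ctxt = (mgs_handle_t *)
        ap_get_module_config(c->conn_config, &gnutls_module);
    if (ctxt == NULL)
    {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                      "%s: allocating connection memory", __func__);
        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    }
    return ctxt;
}

int ssl_engine_disable(conn_rec *c)
{
    /* … unchanged: server-wide sc->enabled check … */

    /* disable TLS for this connection */
    mgs_handle_t *ctxt = mgs_get_or_create_ctxt(c);
    ctxt->enabled = GNUTLS_ENABLED_FALSE;

    /* … unchanged: filter removal, mgs_cleanup_pre_config, return 1 … */
}
```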