source: mod_gnutls/src/mod_gnutls.c @ c782c1f

Last change on this file since c782c1f was c782c1f, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Don't do global deinit when disabling TLS for a proxy back end connection

Prior to this commit, ssl_engine_disable called mgs_cleanup_pre_config
on the connection pool before returning:

mgs_cleanup_pre_config(c->pool);

mgs_cleanup_pre_config does not even touch the argument, as its
signature shows.

apr_status_t mgs_cleanup_pre_config(void *data __attribute__((unused)));

It does, however, deinitialize the global session cache and, more
importantly, the global GnuTLS data structures. Trying to use those
deinitialized data structures led to segmentation faults during TLS
handshake.

Since there is no reason to globally deinitialize GnuTLS when disabling
TLS for one specific proxy back end connection, the solution is to
simply remove the call to mgs_cleanup_pre_config from
ssl_engine_disable.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
19
20#include "mod_gnutls.h"
21
22#ifdef APLOG_USE_MODULE
23APLOG_USE_MODULE(gnutls);
24#endif
25
static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
{
    /*
     * Register everything mod_gnutls plugs into httpd: configuration and
     * lifecycle hooks, per-request hooks, the connection filters and the
     * optional functions mod_proxy looks up by name.  Each call below
     * registers into a distinct hook/filter/optional-function slot, so the
     * relative order of the calls does not matter; the ordering that does
     * matter is expressed through predecessor lists and APR_HOOK_* positions.
     */

    /* post_config must run after mod_proxy's: list it as a predecessor and
     * sit at REALLY_LAST for good measure. */
    static const char * const run_after[] = { "mod_proxy.c", NULL };

    /* Server lifecycle. */
    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_post_config(mgs_hook_post_config, run_after, NULL,
                        APR_HOOK_REALLY_LAST);
    ap_hook_child_init(mgs_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);

    /* URL scheme and default port for this server.  httpd releases older
     * than the 2.1 line expose the scheme hook under the name http_method. */
#if USING_2_1_RECENT
    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#else
    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#endif
    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);

    /* Connection setup (where the TLS session is attached). */
    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
                           APR_HOOK_MIDDLE);

    /* Per-request hooks.  Both run at REALLY_FIRST so that mod_gnutls gets
     * to act before any other module's access checker or fixup.  Presumably
     * mgs_hook_authz enforces the client-certificate requirements and
     * mgs_hook_fixups exports the TLS-related environment; confirm in the
     * hook implementations. */
    ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);
    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);

    /* TODO: an HTTP Upgrade output filter is not implemented.  It would be
     * registered along the lines of:
     *   ap_register_output_filter("UPGRADE_FILTER", ssl_io_filter_Upgrade,
     *                             NULL, AP_FTYPE_PROTOCOL + 5);
     */

    /* Connection-level filters carrying the TLS byte stream; the +5 puts
     * them just above the core connection filters. */
    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
                             NULL, AP_FTYPE_CONNECTION + 5);
    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
                              NULL, AP_FTYPE_CONNECTION + 5);

    /* Optional functions that mod_proxy retrieves at runtime to switch TLS
     * on/off for back-end connections. */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
69
/**
 * Report whether connection @c is carrying TLS.
 *
 * Returns 1 when TLS is enabled for the connection's base server and the
 * connection has not been flagged as a plain-HTTP request, 0 otherwise.
 *
 * NOTE(review): both flags consulted here live in the *server* configuration
 * of c->base_server, not in a per-connection record, so this effectively
 * answers for the virtual host rather than for this particular connection.
 * Callers that need a strictly per-connection answer should confirm this is
 * what they get.
 */
int ssl_is_https(conn_rec *c) {
    const mgs_srvconf_rec *srv_cfg =
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    const int tls_off = (srv_cfg->enabled == 0);
    const int plain_http = (srv_cfg->non_ssl_request == 1);

    /* Either condition means the bytes on the wire are not TLS. */
    return (tls_off || plain_http) ? 0 : 1;
}
80
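/**
 * Disable TLS on a single (proxy back-end) connection.
 *
 * mod_proxy calls this through the optional-function interface when it
 * opens a plain (non-TLS) back-end connection on a server that otherwise
 * has GnuTLS enabled.  The connection record is marked disabled and any
 * GnuTLS connection filters already installed on @c are removed.  Nothing
 * global is touched: TLS stays enabled for every other connection.
 *
 * Returns 1 unconditionally (mod_proxy only checks for a non-zero result).
 *
 * Fix relative to the previous revision: the filter removal used to take
 * whatever filter happened to sit at the head of c->input_filters and
 * c->output_filters.  That is only correct if the GnuTLS filters are
 * installed *and* are the first entry on each chain; otherwise it would
 * silently remove some other module's (or the core's) connection filter.
 * The chains are now walked and only filters whose record is the one
 * registered under GNUTLS_INPUT_FILTER_NAME / GNUTLS_OUTPUT_FILTER_NAME
 * are removed.
 */
int ssl_engine_disable(conn_rec *c)
{
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
        /* TLS is off for this server anyway; nothing to undo. */
        return 1;
    }

    /* Mark this connection as not using TLS.  The per-connection context
     * may not exist yet (we can be called before the pre_connection hook
     * runs), in which case it is created here so the flag survives. */
    mgs_handle_t *ctxt = (mgs_handle_t *)
        ap_get_module_config(c->conn_config, &gnutls_module);
    if (ctxt == NULL)
    {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                      "%s: allocating connection memory", __func__);
        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    }
    ctxt->enabled = GNUTLS_ENABLED_FALSE;

    /* Remove only our own filters, identified by the filter record that
     * was registered in gnutls_hooks(), leaving every other connection
     * filter in place.  The next pointer is saved before removal because
     * ap_remove_*_filter unlinks the node we are standing on. */
    const ap_filter_rec_t *in_rec =
        ap_get_input_filter_handle(GNUTLS_INPUT_FILTER_NAME);
    const ap_filter_rec_t *out_rec =
        ap_get_output_filter_handle(GNUTLS_OUTPUT_FILTER_NAME);

    ap_filter_t *f = c->input_filters;
    while (f != NULL) {
        ap_filter_t *next = f->next;
        if (in_rec != NULL && f->frec == in_rec) {
            ap_remove_input_filter(f);
        }
        f = next;
    }

    f = c->output_filters;
    while (f != NULL) {
        ap_filter_t *next = f->next;
        if (out_rec != NULL && f->frec == out_rec) {
            ap_remove_output_filter(f);
        }
        f = next;
    }

    return 1;
}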
106
/**
 * Enable TLS for proxy back-end use on the server owning connection @c.
 *
 * Called by mod_proxy (via the optional-function interface) when it wants
 * a TLS-protected connection to a back end.  Sets proxy_enabled and clears
 * enabled in the server configuration.  Always returns 1.
 *
 * NOTE(review): the two flags are written into the *server* configuration
 * of c->base_server, which is shared by every connection handled by that
 * virtual host, not into a per-connection record.  Clearing sc->enabled
 * here therefore also affects connections other than @c (compare
 * ssl_engine_disable, which records its decision per connection).  Confirm
 * against mgs_hook_pre_connection how proxy_enabled/enabled are consumed
 * before relying on this for a mixed front-end/back-end server.
 */
int ssl_proxy_enable(conn_rec *c) {
    mgs_srvconf_rec *srv_cfg =
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    srv_cfg->enabled = GNUTLS_ENABLED_FALSE;
    srv_cfg->proxy_enabled = GNUTLS_ENABLED_TRUE;

    return 1;
}
114
/*
 * Configuration directives understood by mod_gnutls.
 *
 * Most directives are RSRC_CONF only (server and <VirtualHost> context).
 * SSLProxyEngine and GnuTLSClientVerify additionally carry OR_AUTHCFG, so
 * they are accepted in directory context and in .htaccess files where
 * "AllowOverride AuthConfig" is granted -- keep that in mind when handing
 * out AuthConfig overrides, since it lets a directory owner influence the
 * client-certificate policy.
 *
 * Several names are aliases that share a handler: GnuTLSClientCAFile /
 * GnuTLSX509CAFile, GnuTLSCertificateFile / GnuTLSX509CertificateFile and
 * GnuTLSKeyFile / GnuTLSX509KeyFile.
 */
static const command_rec mgs_config_cmds[] = {
    /* --- Proxy and client-certificate handling --- */
    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Enable SSL Proxy Engine"),
    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Set Verification Requirements of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
                  NULL, RSRC_CONF,
                  "Set Verification Method of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file, NULL,
                  RSRC_CONF,
                  "Set the Keyring File to verify Client Certificates"),

    /* --- Server key material and parameters --- */
    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file, NULL,
                  RSRC_CONF,
                  "Set the file to read Diffie Hellman parameters from"),
    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Certificate file"),
    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Private key file"),

    /* --- SRP (only when built with ENABLE_SRP) --- */
#ifdef ENABLE_SRP
    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Password Conf file"),
    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile", mgs_set_srp_tpasswd_conf_file,
                  NULL, RSRC_CONF,
                  "SSL Server SRP Parameters file"),
#endif

    /* --- Session cache / resumption --- */
    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout, NULL,
                  RSRC_CONF,
                  "Cache Timeout"),
    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache, NULL,
                   RSRC_CONF,
                   "Cache Configuration"),
    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets, NULL,
                  RSRC_CONF,
                  "Session Tickets Configuration"),

    /* --- Protocol policy and general switches --- */
    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, NULL,
                     RSRC_CONF,
                     "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled, NULL,
                  RSRC_CONF,
                  "Whether this server has GnuTLS Enabled. Default: Off"),
    AP_INIT_TAKE1("GnuTLSExportCertificates",
                  mgs_set_export_certificates_size, NULL,
                  RSRC_CONF,
                  "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),

    /* Terminator required by httpd's command table walker. */
    { NULL },
};
206
/*
 * Module record exported to httpd.  Per-directory and per-server config
 * create/merge callbacks, the directive table above, and the hook
 * registration function.  Fields are given by designated initialiser, so
 * their order here is immaterial.
 */
module AP_MODULE_DECLARE_DATA gnutls_module = {
    STANDARD20_MODULE_STUFF,
    .register_hooks       = gnutls_hooks,
    .cmds                 = mgs_config_cmds,
    .create_server_config = mgs_config_server_create,
    .merge_server_config  = mgs_config_server_merge,
    .create_dir_config    = mgs_config_dir_create,
    .merge_dir_config     = mgs_config_dir_merge
};