source: mod_gnutls/src/mod_gnutls.c @ fd82e59

Last change on this file since fd82e59 was fd82e59, checked in by Daniel Kahn Gillmor <dkg@…>, 6 years ago

use strict compiler arguments by default (-Wall -Werror -Wextra)

Because apache modules make heavy use of generic hooks that have to
have arguments that cover every corner use case, and we don't need all
that data, many mod_gnutls functions have unused parameters, which
have now been explicitly designated as unused.

We also have at least one generic function signature declared for our
interaction with GnuTLS as well, and we aren't using some of those
parameters either.

A useful future review might be to read up on how the unused
parameters are used by other apache modules or users of GnuTLS, to see
if we might gather useful ideas.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
19
20#include "mod_gnutls.h"
21
/* Wire mod_gnutls into httpd: register every hook the module implements,
 * the two connection-level TLS filters, and the optional functions that
 * mod_proxy resolves at runtime.  The pool argument is unused. */
static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
    /* Both TLS filters sit at the same position in the filter chain. */
    enum { MGS_FILTER_TYPE = AP_FTYPE_CONNECTION + 5 };
    /* post_config is ordered to run after mod_proxy's post_config. */
    static const char * const post_config_after[] = { "mod_proxy.c", NULL };

    ap_hook_post_config(mgs_hook_post_config, post_config_after, NULL,
                        APR_HOOK_REALLY_LAST);

    /* The scheme hook carries a different name on older httpd releases. */
#if USING_2_1_RECENT
    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#else
    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#endif

    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_child_init(mgs_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);

    /* Access checking and fixups are registered REALLY_FIRST; presumably so
     * the TLS-derived access decision precedes other modules' checks —
     * confirm against mgs_hook_authz before changing the ordering. */
    ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);
    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);

    /* TODO: HTTP Upgrade filter, not yet implemented:
     *   ap_register_output_filter("UPGRADE_FILTER", ssl_io_filter_Upgrade,
     *                             NULL, AP_FTYPE_PROTOCOL + 5);
     */

    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
                             NULL, MGS_FILTER_TYPE);
    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
                              NULL, MGS_FILTER_TYPE);

    /* Exported for mod_proxy, which looks these up as optional functions. */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
65
/**
 * Report whether connection @p c is carrying TLS.
 *
 * @param c  the connection; its base_server's module config is consulted.
 * @return 1 when GnuTLS is enabled for the server and the connection has not
 *         been flagged as plain HTTP, 0 otherwise.
 *
 * NOTE(review): both flags are read from the per-server config rather than
 * from per-connection state, so the answer depends on state shared by all
 * connections of that server — confirm that is the intended granularity.
 */
int ssl_is_https(conn_rec *c) {
    const mgs_srvconf_rec *sc =
        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    const int tls_disabled = (sc->enabled == 0);
    const int plain_http = (sc->non_ssl_request == 1);

    return (tls_disabled || plain_http) ? 0 : 1;
}
76
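/**
 * Optional function exported for mod_proxy: stop doing TLS on @p c.
 *
 * Detaches the filter at the head of the connection's input and output
 * chains, runs mgs_cleanup_pre_config() on the connection pool and clears
 * the server's enabled flag.
 *
 * @param c  the connection to switch to plaintext.
 * @return always 1, on both the already-disabled and the disabled-now path.
 */
int ssl_engine_disable(conn_rec *c) {
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
            ap_get_module_config(c->base_server->module_config, &gnutls_module);
    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
        /* TLS was never active for this server: nothing to tear down. */
        return 1;
    }
    /* Each chain is unhooked with its own remover.  The previous code passed
     * the output chain head to ap_remove_input_filter(), which only searches
     * the input chains, so the TLS output filter stayed attached and outgoing
     * data kept going through it.  Guard against empty chains, since the
     * removers dereference their argument.
     * Assumes the GnuTLS filter is the head of each chain — TODO confirm. */
    if (c->input_filters) {
        ap_remove_input_filter(c->input_filters);
    }
    if (c->output_filters) {
        ap_remove_output_filter(c->output_filters);
    }
    mgs_cleanup_pre_config(c->pool);
    /* NOTE(review): sc is the per-server config, so clearing this flag turns
     * TLS off for every subsequent connection on this server, not only for c.
     * A per-connection flag would be the safer place for this state — confirm
     * whether server-wide disabling is intended. */
    sc->enabled = 0;
    return 1;
}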
89
/**
 * Optional function exported for mod_proxy: mark the server of @p c as a
 * TLS proxy endpoint and turn the server-side TLS flag off.
 *
 * @param c  connection whose base_server config is modified.
 * @return always 1.
 *
 * NOTE(review): both writes go to the per-server config, so they affect
 * every connection of that server rather than just c — confirm intended.
 */
int ssl_proxy_enable(conn_rec *c) {
    mgs_srvconf_rec *sc =
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    /* Independent stores; order does not matter. */
    sc->enabled = 0;
    sc->proxy_enabled = 1;

    return 1;
}
97
/* Configuration directives understood by mod_gnutls.  Each entry maps a
 * directive name to its mgs_set_* handler, the context it may appear in,
 * and the help text httpd shows for it.  RSRC_CONF | OR_AUTHCFG entries may
 * also be set in per-directory (.htaccess with AllowOverride AuthConfig)
 * context; everything else is server-config only. */
static const command_rec mgs_config_cmds[] = {
    /* proxying */
    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Enable SSL Proxy Engine"),
    /* client certificate verification */
    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Set Verification Requirements of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method, NULL,
                  RSRC_CONF,
                  "Set Verification Method of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file, NULL,
                  RSRC_CONF,
                  "Set the Keyring File to verify Client Certificates"),
    /* server certificates, keys and DH parameters */
    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file, NULL,
                  RSRC_CONF,
                  "Set the file to read Diffie Hellman parameters from"),
    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Certificate file"),
    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Private key file"),
#ifdef ENABLE_SRP
    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Password Conf file"),
    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile", mgs_set_srp_tpasswd_conf_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Parameters file"),
#endif
    /* session cache and session tickets */
    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout, NULL,
                  RSRC_CONF,
                  "Cache Timeout"),
    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache, NULL,
                   RSRC_CONF,
                   "Cache Configuration"),
    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets, NULL,
                  RSRC_CONF,
                  "Session Tickets Configuration"),
    /* priorities, master switch and certificate export */
    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, NULL,
                     RSRC_CONF,
                     "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled, NULL,
                  RSRC_CONF,
                  "Whether this server has GnuTLS Enabled. Default: Off"),
    AP_INIT_TAKE1("GnuTLSExportCertificates", mgs_set_export_certificates_size, NULL,
                  RSRC_CONF,
                  "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
    /* terminator */
    { NULL },
};
189
/* Module record handed to httpd.  STANDARD20_MODULE_STUFF fills the leading
 * positional members; the remaining members are designated, so their order
 * below is free. */
module AP_MODULE_DECLARE_DATA gnutls_module = {
    STANDARD20_MODULE_STUFF,
    /* hook and directive registration */
    .register_hooks       = gnutls_hooks,
    .cmds                 = mgs_config_cmds,
    /* per-directory configuration lifecycle */
    .create_dir_config    = mgs_config_dir_create,
    .merge_dir_config     = mgs_config_dir_merge,
    /* per-server (virtual host) configuration lifecycle */
    .create_server_config = mgs_config_server_create,
    .merge_server_config  = mgs_config_server_merge
};