Changeset 23e98b3 in mod_gnutls

Timestamp:

Apr 9, 2018, 2:52:27 AM (5 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream

Children:

4cdd4fd

Parents:

235e109

git-author:

Fiona Klute <fiona.klute@…> (04/09/18 02:47:29)

git-committer:

Fiona Klute <fiona.klute@…> (04/09/18 02:52:27)

Message:

Implement ssl_engine_set as introduced by mod_ssl in Apache 2.4.33

Files:

• include/mod_gnutls.h.in (modified) (1 diff)
• src/mod_gnutls.c (modified) (3 diffs)

include/mod_gnutls.h.in

@@ -297 +297 @@
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+                                              ap_conf_vector_t *,
+                                              int proxy, int enable));
 int ssl_is_https(conn_rec *c);
 int ssl_proxy_enable(conn_rec *c);

src/mod_gnutls.c

@@ -25 +25 @@
 APLOG_USE_MODULE(gnutls);
 #endif
+
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable);
 
 static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
@@ -66 +70 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
 
     /* mod_rewrite calls this function to detect HTTPS */
@@ -99 +104 @@
 
 
-int ssl_engine_disable(conn_rec *c)
-{
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
-        return 1;
-    }
-
-    /* disable TLS for this connection */
+/**
+ * In Apache versions from 2.4.33 mod_proxy uses this function to set
+ * up its client connections. Note that mod_gnutls does not (yet)
+ * implement per directory configuration for such connections.
+ *
+ * @param c the connection
+ * @param dir_conf per directory configuration, unused for now
+ * @param proxy Is this a proxy connection?
+ * @param enable Should TLS be enabled on this connection?
+ *
+ * @param `true` (1) if successful, `false` (0) otherwise
+ */
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable)
+{
     mgs_handle_t *ctxt = init_gnutls_ctxt(c);
-    ctxt->enabled = GNUTLS_ENABLED_FALSE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
-
-    if (ctxt->input_filter)
-        ap_remove_input_filter(ctxt->input_filter);
-    if (ctxt->output_filter)
-        ap_remove_output_filter(ctxt->output_filter);
-
-    return 1;
-}
-
-int ssl_proxy_enable(conn_rec *c)
-{
-    /* check if TLS proxy support is enabled */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+
+    /* If TLS proxy has been requested, check if support is enabled
+     * for the server */
+    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "%s: mod_proxy requested TLS proxy, but not enabled "
-                      "for %s", __func__, sc->cert_cn);
+                      "for %s", __func__, ctxt->sc->cert_cn);
         return 0;
     }
 
-    /* enable TLS for this connection */
-    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
-    ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    if (proxy)
+        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+
+    if (enable)
+        ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     return 1;
+}
+
+int ssl_engine_disable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 0, 0);
+}
+
+int ssl_proxy_enable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 1, 1);
 }