Changeset 33826c5 in mod_gnutls


Timestamp:
Oct 4, 2011, 7:01:32 AM (8 years ago)
Author:
Dash Shendy <neuromancer@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
37f8282
Parents:
a4feefc
Message:

mod_proxy support

Files:
5 edited

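--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -110,4 +110,6 @@
     apr_time_t last_cache_check;
     int tickets; /* whether session tickets are allowed */
+    int proxy_enabled;
+    int non_ssl_request;
 } mgs_srvconf_rec;
 
@@ -122,5 +124,4 @@
     conn_rec* c;
     gnutls_session_t session;
-
     apr_status_t input_rc;
     ap_filter_t *input_filter;
@@ -130,5 +131,4 @@
     mgs_char_buffer_t input_cbuf;
     char input_buffer[AP_IOBUFSIZE];
-
     apr_status_t output_rc;
     ap_filter_t *output_filter;
@@ -137,7 +137,5 @@
     apr_size_t output_blen;
     apr_size_t output_length;
-
     int status;
-    int non_https;
 } mgs_handle_t;
 
@@ -146,4 +144,8 @@
 /* apr_signal_block() for blocking SIGPIPE */
 apr_status_t apr_signal_block(int signum);
+
+ /* Proxy Support */
+int ssl_proxy_enable(conn_rec *c);
+int ssl_engine_disable(conn_rec *c);
 
 /**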
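Review bot: `non_ssl_request` is added to mgs_srvconf_rec, the per-server record shared by every connection of a vhost, while the per-connection `non_https` is dropped from mgs_handle_t; a flag meaning "this connection turned out to be plain HTTP" belongs on the handle, because if anything ever sets the server-level copy, one plaintext request would flip `ssl_is_https()` for unrelated connections on that vhost. The gnutls_io.c hunk in this changeset writes `ctxt->non_ssl_request = 1`, a handle field this header does not declare, and `ssl_is_https()` in mod_gnutls.c reads `sc->non_ssl_request`, so the writer and the reader never meet unless mgs_handle_t gains the field elsewhere. I would keep it on mgs_handle_t, e.g. `int non_ssl_request; /* set when the first bytes on the connection were not a TLS record */`, and have ssl_is_https() fetch the handle from c->conn_config. The stray leading space on ` /* Proxy Support */` is worth dropping while here.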
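--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -545,4 +545,21 @@
 }
 
+const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
+        const char *arg) {
+   
+    mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
+            ap_get_module_config(parms->server->module_config, &gnutls_module);
+   
+    if (!strcasecmp(arg, "On")) {
+        sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
+    } else if (!strcasecmp(arg, "Off")) {
+        sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
+    } else {
+        return "SSLProxyEngine must be set to 'On' or 'Off'";
+    }
+
+    return NULL;
+}
+
 const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
         const char *arg) {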
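Review bot: mgs_set_proxy_engine has no header comment, although it is a directive handler wired into the command table; I would add `/* SSLProxyEngine On|Off: record in sc->proxy_enabled whether mod_proxy may request TLS for this server via ssl_proxy_enable(). */` above the definition. The two whitespace-only lines after the signature and after the config lookup carry trailing spaces; plain blank lines are cleaner.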
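--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -52,9 +52,7 @@
 
 #if MOD_GNUTLS_DEBUG
-
 static void gnutls_debug_log_all(int level, const char *str) {
     apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
 }
-
 #define _gnutls_log apr_file_printf
 #else
@@ -62,9 +60,6 @@
 #endif
 
-int
-mgs_hook_pre_config(apr_pool_t * pconf,
-        apr_pool_t * plog, apr_pool_t * ptemp) {
-    int ret;
-
+int mgs_hook_open_logs(apr_pool_t * pconf,apr_pool_t * plog,
+        apr_pool_t * ptemp) {
 #if MOD_GNUTLS_DEBUG
     apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
@@ -73,10 +68,14 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
     gnutls_global_set_log_level(9);
     gnutls_global_set_log_function(gnutls_debug_log_all);
     _gnutls_log(debug_log_fp, "gnutls: %s\n",
             gnutls_check_version(NULL));
-#endif
+#endif   
+}
+
+int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog,
+         apr_pool_t * ptemp) {
+    int ret;
 
     if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
@@ -84,5 +83,5 @@
                 "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
                 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
-        return -3;
+        return DECLINED;
     }
 
@@ -91,5 +90,5 @@
         _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
                 gnutls_strerror(ret));
-        return -3;
+        return DECLINED;
     }
 
@@ -353,6 +352,5 @@
 
         /* Check if the priorities have been set */
-        if (sc->priorities == NULL
-                && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                     "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
@@ -454,4 +452,12 @@
         }
     }
+    /* Block SIGPIPE Signals */
+    status = apr_signal_block(SIGPIPE);
+    if(status != APR_SUCCESS) {
+        /* error sending output */
+        ap_log_error(APLOG_MARK,APLOG_INFO,ctxt->output_rc,ctxt->c->base_server,
+                "GnuTLS: Error Blocking SIGPIPE Signal!");       
+        return status;
+    }   
 }
 
@@ -625,5 +631,5 @@
 }
 
-static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) {
+static void create_gnutls_handle(conn_rec * c) {
     mgs_handle_t *ctxt;
     /* Get mod_gnutls Configuration Record */
@@ -632,5 +638,5 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = apr_pcalloc(pool, sizeof (*ctxt));
+    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
     ctxt->c = c;
     ctxt->sc = sc;
@@ -657,45 +663,39 @@
     /* Initialize Session Cache */
     mgs_cache_session_init(ctxt);
-    /* Return GnuTLS Handle */
-    return ctxt;
-}
-
-int mgs_hook_pre_connection(conn_rec * c, void *csd) {
-    mgs_handle_t *ctxt;
-    mgs_srvconf_rec *sc;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
-    if (c == NULL) {
-        return DECLINED;
-    }
-
-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
-            module_config,
-            &gnutls_module);
-
-    if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
-        return DECLINED;
-    }
-
-    if (c->remote_addr->hostname || apr_strnatcmp(c->remote_ip, c->local_ip) == 0) {
-        /* Connection initiated by Apache (mod_proxy) => ignore */
-        return OK;
-    }
-
-    ctxt = create_gnutls_handle(c->pool, c);
-
+   
+    /* Set this config for this connection */
     ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-
+    /* Set pull, push & ptr functions */
     gnutls_transport_set_pull_function(ctxt->session,
             mgs_transport_read);
     gnutls_transport_set_push_function(ctxt->session,
             mgs_transport_write);
-    gnutls_transport_set_ptr(ctxt->session, ctxt);
-
-    ctxt->input_filter =
-            ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
-    ctxt->output_filter =
-            ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
+    gnutls_transport_set_ptr2(ctxt->session, ctxt);
+    /* Add IO filters */
+    ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME,
+            ctxt, NULL, c);
+    ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
+            ctxt, NULL, c);   
+}
+
+int mgs_hook_pre_connection(conn_rec * c, void *csd) {
+    mgs_handle_t *ctxt;
+    mgs_srvconf_rec *sc;
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
+            &gnutls_module);
+
+    if (sc && !sc->enabled) {
+        return DECLINED;
+    }
+
+    if (c->remote_addr->hostname) {
+        /* Connection initiated by Apache (mod_proxy) => ignore */
+        return OK;
+    }
+
+    create_gnutls_handle(c);
 
     return OK;
@@ -780,6 +780,5 @@
             GNUTLS_CRT_OPENPGP)
         mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
-            ctxt->
-            sc->export_certificates_enabled);
+            ctxt->sc->export_certificates_enabled);
 
     return rv;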
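Review bot: mgs_hook_pre_connection now falls through to `create_gnutls_handle(c)` when `sc` is NULL, because the new guard `if (sc && !sc->enabled)` only declines for a present-but-disabled config, whereas the removed `if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE)))` declined on a missing one too; create_gnutls_handle stores `sc` into the handle, so the NULL is dereferenced later instead of being declined up front, and `if (!sc || !sc->enabled) { return DECLINED; }` restores that. mgs_hook_open_logs is declared `int` but its closing brace is reached without a return, so the hook result is indeterminate; it needs `return OK;` before the `}`. Returning DECLINED instead of -3 from mgs_hook_pre_config when gnutls_check_version() or gnutls_global_init() fails lets httpd start with an unusable TLS library, where any value other than OK or DECLINED (as the removed -3 was) aborts startup; failing fast is the safer default for a TLS module. The SIGPIPE block added at new lines 454-461 still refers to `status`, `ctxt->output_rc` and `ctxt->c`, which belong to the output filter it was copied from and are not visible in this function, whose start lies outside the hunk; the `/* error sending output */` comment is also stale here.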
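--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -49,4 +49,5 @@
 
             ctxt->status = -1;
+            ctxt->non_ssl_request = 1;
 
             /* fake the request line */
@@ -568,13 +569,4 @@
     apr_status_t status = APR_SUCCESS;
     apr_read_type_e rblock = APR_NONBLOCK_READ;
-
-    /* Block SIGPIPE Signals */
-    status = apr_signal_block(SIGPIPE);
-    if(status != APR_SUCCESS) {
-        /* error sending output */
-        ap_log_error(APLOG_MARK,APLOG_INFO,ctxt->output_rc,ctxt->c->base_server,
-                "GnuTLS: Error Blocking SIGPIPE Signal!");       
-        return status;
-    }
    
     if (f->c->aborted) {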
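--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -21,25 +21,29 @@
 
 static void gnutls_hooks(apr_pool_t * p) {
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
-            APR_HOOK_MIDDLE);
-    ap_hook_post_config(mgs_hook_post_config, NULL, NULL,
-            APR_HOOK_MIDDLE);
+
+    ap_hook_open_logs(mgs_hook_open_logs, NULL, NULL,APR_HOOK_MIDDLE);
+    /* Try Run Post-Config Hook After mod_proxy */
+    static const char * const aszPre[] = { "mod_proxy.c", NULL };
+    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST);
+    /* HTTP Scheme Hook */
+#if USING_2_1_RECENT
+    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
+#else
+    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
+#endif
+    /* Default Port Hook */
+    ap_hook_default_port(nss_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
+    /* Pre-Connect Hook */
+    ap_hook_pre_connection(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
+    /* Pre-Config Hook */
+    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
+            APR_HOOK_MIDDLE);   
+    /* Child-Init Hook */
     ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
             APR_HOOK_MIDDLE);
-#if USING_2_1_RECENT
-    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL,
-            APR_HOOK_MIDDLE);
-#else
-    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL,
-            APR_HOOK_MIDDLE);
-#endif
-    ap_hook_default_port(mgs_hook_default_port, NULL, NULL,
-            APR_HOOK_MIDDLE);
-    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
-            APR_HOOK_MIDDLE);
-
+    /* Authentication Hook */
     ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
             APR_HOOK_REALLY_FIRST);
-
+    /* Fixups Hook */
     ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
 
@@ -49,13 +53,51 @@
      */
 
+    /* Input Filter */
     ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME,
-            mgs_filter_input, NULL,
-            AP_FTYPE_CONNECTION + 5);
+            mgs_filter_input, NULL,AP_FTYPE_CONNECTION + 5);
+    /* Output Filter */
     ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
-            mgs_filter_output, NULL,
-            AP_FTYPE_CONNECTION + 5);
+            mgs_filter_output, NULL,AP_FTYPE_CONNECTION + 5);
+   
+    /* mod_proxy calls these functions */
+    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+}
+
+int ssl_is_https(conn_rec *c) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    if(sc->enabled == GNUTLS_ENABLED_FALSE || sc->non_ssl_request) {
+        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
+        return 0;
+    }
+    /* Connection is Using SSL/TLS */
+    return 1;
+}
+
+int ssl_engine_disable(conn_rec *c) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
+        return 1;
+    }
+    ap_remove_input_filter(c->input_filters);
+    ap_remove_input_filter(c->output_filters);
+    mgs_cleanup_pre_config(c->pool);
+    sc->enabled = 0;
+    return 1;
+}
+
+int ssl_proxy_enable(conn_rec *c) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    return sc->proxy_enabled;
 }
 
 static const command_rec mgs_config_cmds[] = {
+    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine,
+    NULL,
+    RSRC_CONF | OR_AUTHCFG,
+    "Set Verification Requirements of the Client Certificate"),
     AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
     NULL,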
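Review bot: the pre_connection hook is registered with the wrong callback: `ap_hook_pre_connection(mgs_hook_default_port, ...)` installs the default-port function, and `ap_hook_default_port(nss_hook_default_port, ...)` names a symbol that appears nowhere else in this changeset (the removed line used mgs_hook_default_port), so mgs_hook_pre_connection is never run and no incoming connection receives the GnuTLS handle or filters. The two lines should read `ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);` and `ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);`. In ssl_engine_disable, `ap_remove_input_filter(c->output_filters)` hands the output chain to the input remover (`ap_remove_output_filter` is the matching call), both removals take whatever filter is first in the chain rather than the GnuTLS one, and `sc->enabled = 0` writes the per-server config, so a single mod_proxy backend connection switches TLS off for every later connection on that vhost; the per-connection state to clear is the mgs_handle_t in c->conn_config. The SSLProxyEngine entry reuses the GnuTLSClientVerify help text, "Set Verification Requirements of the Client Certificate"; it should describe the proxy engine switch instead.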