Changeset 33826c5 in mod_gnutls

Timestamp:

Oct 4, 2011, 7:01:32 AM (11 years ago)

Author:

Dash Shendy <neuromancer@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, msva, proxy-ticket, upstream

Children:

37f8282

Parents:

a4feefc

Message:

mod_proxy support

Files:

• include/mod_gnutls.h.in (modified) (5 diffs)
• src/gnutls_config.c (modified) (1 diff)
• src/gnutls_hooks.c (modified) (11 diffs)
• src/gnutls_io.c (modified) (2 diffs)
• src/mod_gnutls.c (modified) (2 diffs)

include/mod_gnutls.h.in

@@ -110 +110 @@
     apr_time_t last_cache_check;
     int tickets; /* whether session tickets are allowed */
+    int proxy_enabled;
+    int non_ssl_request;
 } mgs_srvconf_rec;
 
@@ -122 +124 @@
     conn_rec* c;
     gnutls_session_t session;
-
     apr_status_t input_rc;
     ap_filter_t *input_filter;
@@ -130 +131 @@
     mgs_char_buffer_t input_cbuf;
     char input_buffer[AP_IOBUFSIZE];
-
     apr_status_t output_rc;
     ap_filter_t *output_filter;
@@ -137 +137 @@
     apr_size_t output_blen;
     apr_size_t output_length;
-
     int status;
-    int non_https;
 } mgs_handle_t;
 
@@ -146 +144 @@
 /* apr_signal_block() for blocking SIGPIPE */
 apr_status_t apr_signal_block(int signum);
+
+ /* Proxy Support */
+int ssl_proxy_enable(conn_rec *c);
+int ssl_engine_disable(conn_rec *c);
 
 /**

src/gnutls_config.c

@@ -545 +545 @@
 }
 
+const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
+        const char *arg) {
+    
+    mgs_srvconf_rec *sc =(mgs_srvconf_rec *) 
+            ap_get_module_config(parms->server->module_config, &gnutls_module);
+    
+    if (!strcasecmp(arg, "On")) {
+        sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
+    } else if (!strcasecmp(arg, "Off")) {
+        sc->proxy_enabled = GNUTLS_ENABLED_FALSE;
+    } else {
+        return "SSLProxyEngine must be set to 'On' or 'Off'";
+    }
+
+    return NULL;
+}
+
 const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
         const char *arg) {

src/gnutls_hooks.c

@@ -52 +52 @@
 
 #if MOD_GNUTLS_DEBUG
-
 static void gnutls_debug_log_all(int level, const char *str) {
     apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
 }
-
 #define _gnutls_log apr_file_printf
 #else
@@ -62 +60 @@
 #endif
 
-int
-mgs_hook_pre_config(apr_pool_t * pconf,
-        apr_pool_t * plog, apr_pool_t * ptemp) {
-    int ret;
-
+int mgs_hook_open_logs(apr_pool_t * pconf,apr_pool_t * plog, 
+        apr_pool_t * ptemp) {
 #if MOD_GNUTLS_DEBUG
     apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
@@ -73 +68 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
     gnutls_global_set_log_level(9);
     gnutls_global_set_log_function(gnutls_debug_log_all);
     _gnutls_log(debug_log_fp, "gnutls: %s\n",
             gnutls_check_version(NULL));
-#endif
+#endif    
+}
+
+int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog,
+         apr_pool_t * ptemp) {
+    int ret;
 
     if (gnutls_check_version(LIBGNUTLS_VERSION) == NULL) {
@@ -84 +83 @@
                 "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n",
                 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
-        return -3;
+        return DECLINED;
     }
 
@@ -91 +90 @@
         _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n",
                 gnutls_strerror(ret));
-        return -3;
+        return DECLINED;
     }
 
@@ -353 +352 @@
 
         /* Check if the priorities have been set */
-        if (sc->priorities == NULL
-                && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                     "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
@@ -454 +452 @@
         }
     }
+    /* Block SIGPIPE Signals */
+    status = apr_signal_block(SIGPIPE); 
+    if(status != APR_SUCCESS) {
+        /* error sending output */
+        ap_log_error(APLOG_MARK,APLOG_INFO,ctxt->output_rc,ctxt->c->base_server,
+                "GnuTLS: Error Blocking SIGPIPE Signal!");        
+        return status;
+    }    
 }
 
@@ -625 +631 @@
 }
 
-static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c) {
+static void create_gnutls_handle(conn_rec * c) {
     mgs_handle_t *ctxt;
     /* Get mod_gnutls Configuration Record */
@@ -632 +638 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = apr_pcalloc(pool, sizeof (*ctxt));
+    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
     ctxt->c = c;
     ctxt->sc = sc;
@@ -657 +663 @@
     /* Initialize Session Cache */
     mgs_cache_session_init(ctxt);
-    /* Return GnuTLS Handle */
-    return ctxt;
-}
-
-int mgs_hook_pre_connection(conn_rec * c, void *csd) {
-    mgs_handle_t *ctxt;
-    mgs_srvconf_rec *sc;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
-    if (c == NULL) {
-        return DECLINED;
-    }
-
-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->
-            module_config,
-            &gnutls_module);
-
-    if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
-        return DECLINED;
-    }
-
-    if (c->remote_addr->hostname || apr_strnatcmp(c->remote_ip, c->local_ip) == 0) {
-        /* Connection initiated by Apache (mod_proxy) => ignore */
-        return OK;
-    }
-
-    ctxt = create_gnutls_handle(c->pool, c);
-
+    
+    /* Set this config for this connection */
     ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-
+    /* Set pull, push & ptr functions */
     gnutls_transport_set_pull_function(ctxt->session,
             mgs_transport_read);
     gnutls_transport_set_push_function(ctxt->session,
             mgs_transport_write);
-    gnutls_transport_set_ptr(ctxt->session, ctxt);
-
-    ctxt->input_filter =
-            ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, ctxt, NULL, c);
-    ctxt->output_filter =
-            ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, ctxt, NULL, c);
+    gnutls_transport_set_ptr2(ctxt->session, ctxt);
+    /* Add IO filters */
+    ctxt->input_filter = ap_add_input_filter(GNUTLS_INPUT_FILTER_NAME, 
+            ctxt, NULL, c);
+    ctxt->output_filter = ap_add_output_filter(GNUTLS_OUTPUT_FILTER_NAME, 
+            ctxt, NULL, c);    
+}
+
+int mgs_hook_pre_connection(conn_rec * c, void *csd) {
+    mgs_handle_t *ctxt;
+    mgs_srvconf_rec *sc;
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
+            &gnutls_module);
+
+    if (sc && !sc->enabled) {
+        return DECLINED;
+    }
+
+    if (c->remote_addr->hostname) {
+        /* Connection initiated by Apache (mod_proxy) => ignore */
+        return OK;
+    }
+
+    create_gnutls_handle(c);
 
     return OK;
@@ -780 +780 @@
             GNUTLS_CRT_OPENPGP)
         mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0,
-            ctxt->
-            sc->export_certificates_enabled);
+            ctxt->sc->export_certificates_enabled);
 
     return rv;

src/gnutls_io.c

@@ -49 +49 @@
 
             ctxt->status = -1;
+            ctxt->non_ssl_request = 1;
 
             /* fake the request line */
@@ -568 +569 @@
     apr_status_t status = APR_SUCCESS;
     apr_read_type_e rblock = APR_NONBLOCK_READ;
-
-    /* Block SIGPIPE Signals */
-    status = apr_signal_block(SIGPIPE); 
-    if(status != APR_SUCCESS) {
-        /* error sending output */
-        ap_log_error(APLOG_MARK,APLOG_INFO,ctxt->output_rc,ctxt->c->base_server,
-                "GnuTLS: Error Blocking SIGPIPE Signal!");        
-        return status;
-    }
     
     if (f->c->aborted) {

src/mod_gnutls.c

@@ -21 +21 @@
 
 static void gnutls_hooks(apr_pool_t * p) {
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
-            APR_HOOK_MIDDLE);
-    ap_hook_post_config(mgs_hook_post_config, NULL, NULL,
-            APR_HOOK_MIDDLE);
+
+    ap_hook_open_logs(mgs_hook_open_logs, NULL, NULL,APR_HOOK_MIDDLE);
+    /* Try Run Post-Config Hook After mod_proxy */
+    static const char * const aszPre[] = { "mod_proxy.c", NULL };
+    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST); 
+    /* HTTP Scheme Hook */
+#if USING_2_1_RECENT
+    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
+#else
+    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
+#endif
+    /* Default Port Hook */
+    ap_hook_default_port(nss_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
+    /* Pre-Connect Hook */
+    ap_hook_pre_connection(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
+    /* Pre-Config Hook */
+    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
+            APR_HOOK_MIDDLE);    
+    /* Child-Init Hook */
     ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
             APR_HOOK_MIDDLE);
-#if USING_2_1_RECENT
-    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL,
-            APR_HOOK_MIDDLE);
-#else
-    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL,
-            APR_HOOK_MIDDLE);
-#endif
-    ap_hook_default_port(mgs_hook_default_port, NULL, NULL,
-            APR_HOOK_MIDDLE);
-    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
-            APR_HOOK_MIDDLE);
-
+    /* Authentication Hook */
     ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
             APR_HOOK_REALLY_FIRST);
-
+    /* Fixups Hook */
     ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
 
@@ -49 +53 @@
      */
 
+    /* Input Filter */
     ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME,
-            mgs_filter_input, NULL,
-            AP_FTYPE_CONNECTION + 5);
+            mgs_filter_input, NULL,AP_FTYPE_CONNECTION + 5);
+    /* Output Filter */
     ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
-            mgs_filter_output, NULL,
-            AP_FTYPE_CONNECTION + 5);
+            mgs_filter_output, NULL,AP_FTYPE_CONNECTION + 5);
+    
+    /* mod_proxy calls these functions */
+    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+}
+
+int ssl_is_https(conn_rec *c) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    if(sc->enabled == GNUTLS_ENABLED_FALSE || sc->non_ssl_request) {
+        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
+        return 0;
+    }
+    /* Connection is Using SSL/TLS */
+    return 1;
+}
+
+int ssl_engine_disable(conn_rec *c) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
+        return 1;
+    } 
+    ap_remove_input_filter(c->input_filters);
+    ap_remove_input_filter(c->output_filters);
+    mgs_cleanup_pre_config(c->pool);
+    sc->enabled = 0;
+    return 1;
+}
+
+int ssl_proxy_enable(conn_rec *c) {
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    return sc->proxy_enabled;
 }
 
 static const command_rec mgs_config_cmds[] = {
+    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine,
+    NULL,
+    RSRC_CONF | OR_AUTHCFG,
+    "Set Verification Requirements of the Client Certificate"),
     AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
     NULL,