Changeset 37f8282 in mod_gnutls
- Timestamp:
- Dec 7, 2011, 12:22:48 AM (11 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream
- Children:
- 694fc04
- Parents:
- 33826c5
- Files:
-
- 3 edited
include/mod_gnutls.h.in
r33826c5 r37f8282 111 111 int tickets; /* whether session tickets are allowed */ 112 112 int proxy_enabled; 113 int non_ssl_request;114 113 } mgs_srvconf_rec; 115 114 … … 138 137 apr_size_t output_length; 139 138 int status; 139 int non_ssl_request; 140 140 } mgs_handle_t; 141 141 … … 146 146 147 147 /* Proxy Support */ 148 /* An optional function which returns non-zero if the given connection 149 is using SSL/TLS. */ 150 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); 151 /* The ssl_proxy_enable() and ssl_engine_disable() optional functions 152 * are used by mod_proxy to enable use of SSL for outgoing 153 * connections. */ 154 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); 155 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); 156 int ssl_is_https(conn_rec *c); 148 157 int ssl_proxy_enable(conn_rec *c); 149 158 int ssl_engine_disable(conn_rec *c); 159 const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, 160 const char *arg); 161 apr_status_t mgs_cleanup_pre_config(void *data); 150 162 151 163 /** -
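Review bot: `non_ssl_request` is removed from `mgs_srvconf_rec` (old line 113) and added to `mgs_handle_t` (new line 139), but the function at new line 69 of src/mod_gnutls.c in this same changeset (presumably `ssl_is_https`) still evaluates `sc->non_ssl_request == 1` on an `mgs_srvconf_rec *`, so the two sides no longer agree. Moving the flag to the per-connection handle is the right direction, because detecting a plain-HTTP request on one connection must not alter the server-wide record; the reader has to move with it, e.g. `mgs_handle_t *ctxt = ap_get_module_config(c->conn_config, &gnutls_module);` followed by `if (ctxt == NULL || ctxt->non_ssl_request) return 0;`. Both struct definitions start outside this hunk. `mgs_cleanup_pre_config` is now exported here; a one-line comment saying which pool cleanup it is registered for would help callers, since the header alone does not show that.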
src/gnutls_hooks.c
r33826c5 r37f8282 43 43 int export_certificates_enabled); 44 44 45 staticapr_status_t mgs_cleanup_pre_config(void *data) {45 apr_status_t mgs_cleanup_pre_config(void *data) { 46 46 gnutls_free(session_ticket_key.data); 47 47 session_ticket_key.data = NULL; … … 60 60 #endif 61 61 62 int mgs_hook_ open_logs(apr_pool_t * pconf,apr_pool_t * plog,63 apr_pool_t * ptemp) {62 int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, 63 apr_pool_t * ptemp) { 64 64 #if MOD_GNUTLS_DEBUG 65 65 apr_file_open(&debug_log_fp, "/tmp/gnutls_debug", … … 70 70 gnutls_global_set_log_level(9); 71 71 gnutls_global_set_log_function(gnutls_debug_log_all); 72 _gnutls_log(debug_log_fp, "gnutls: %s\n", 73 gnutls_check_version(NULL)); 72 _gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL)); 74 73 #endif 75 }76 77 int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog,78 apr_pool_t * ptemp) {79 74 int ret; 80 75 … … 191 186 } 192 187 193 /* 2048-bit group parameters from SRP specification 188 /* 2048-bit group parameters from SRP specification */ 194 189 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n" 195 190 "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n" … … 200 195 "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n" 201 196 "-----END DH PARAMETERS-----\n"; 202 */203 197 204 198 /* Read the common name or the alternative name of the certificate. 
… … 316 310 317 311 if (sc_base->dh_params == NULL) { 312 gnutls_datum pdata = { 313 (void *) static_dh_params, 314 sizeof(static_dh_params) 315 }; 316 rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata, 317 GNUTLS_X509_FMT_PEM); 318 /* Generate DH Params 318 319 int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, 319 320 GNUTLS_SEC_PARAM_NORMAL); … … 322 323 "To avoid this use GnuTLSDHFile to specify DH Params for this host", 323 324 dh_bits); 324 rv = gnutls_dh_params_generate2 (dh_params,dh_bits);325 if (rv < 0) {326 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,327 "GnuTLS: Unable to generate DH Params: (%d) %s",328 rv, gnutls_strerror(rv));329 exit(rv);330 }331 325 #if MOD_GNUTLS_DEBUG 332 326 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, 333 327 "GnuTLS: Generated DH Params of %i bits",dh_bits); 334 #endif 328 #endif 329 rv = gnutls_dh_params_generate2 (dh_params,dh_bits); 330 */ 331 if (rv < 0) { 332 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 333 "GnuTLS: Unable to generate or load DH Params: (%d) %s", 334 rv, gnutls_strerror(rv)); 335 exit(rv); 336 } 335 337 } else { 336 338 dh_params = sc_base->dh_params; … … 453 455 } 454 456 /* Block SIGPIPE Signals */ 455 status= apr_signal_block(SIGPIPE);456 if( status!= APR_SUCCESS) {457 rv = apr_signal_block(SIGPIPE); 458 if(rv != APR_SUCCESS) { 457 459 /* error sending output */ 458 ap_log_error(APLOG_MARK, APLOG_INFO,ctxt->output_rc,ctxt->c->base_server,460 ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, 459 461 "GnuTLS: Error Blocking SIGPIPE Signal!"); 460 return status;461 462 } 462 463 } … … 680 681 681 682 int mgs_hook_pre_connection(conn_rec * c, void *csd) { 682 mgs_handle_t *ctxt;683 683 mgs_srvconf_rec *sc; 684 684 … … 688 688 &gnutls_module); 689 689 690 if (sc && !sc->enabled) {690 if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) { 691 691 return DECLINED; 692 692 } 693 693 694 if (c->remote_addr->hostname) {695 /* Connection initiated by Apache (mod_proxy) => ignore */696 return 
OK;697 }698 699 694 create_gnutls_handle(c); 700 701 695 return OK; 702 696 } -
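Review bot: `mgs_hook_pre_connection` now declines every connection on a server whose `proxy_enabled` is set, and that flag lives in the per-server `mgs_srvconf_rec` (set by the GnuTLSProxyEngine directive and, elsewhere in this changeset, by `ssl_proxy_enable()`), so enabling TLS for outgoing proxy connections also stops the TLS handshake on inbound connections to that vhost, which are presumably then handled as plaintext on the TLS port. The removed `c->remote_addr->hostname` test was at least a per-connection property; the inbound-versus-mod_proxy distinction needs to stay on the connection (a flag in the connection's `mgs_handle_t` or a conn note written by `ssl_proxy_enable()`), not on the server record. In the DH hunk above, `pdata` is sized with `sizeof(static_dh_params)`, which includes the terminating NUL; `sizeof(static_dh_params) - 1` is the PEM length, unless the decoder is known to ignore the trailing byte, and the generation code kept under `/* ... */` should be deleted rather than left as a comment. That hunk's enclosing function starts outside this section.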
src/mod_gnutls.c
r33826c5 r37f8282 21 21 22 22 static void gnutls_hooks(apr_pool_t * p) { 23 24 ap_hook_open_logs(mgs_hook_open_logs, NULL, NULL,APR_HOOK_MIDDLE); 23 25 24 /* Try Run Post-Config Hook After mod_proxy */ 26 25 static const char * const aszPre[] = { "mod_proxy.c", NULL }; … … 33 32 #endif 34 33 /* Default Port Hook */ 35 ap_hook_default_port( nss_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);34 ap_hook_default_port(mgs_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE); 36 35 /* Pre-Connect Hook */ 37 ap_hook_pre_connection(mgs_hook_ default_port, NULL, NULL, APR_HOOK_MIDDLE);36 ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); 38 37 /* Pre-Config Hook */ 39 38 ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, … … 68 67 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 69 68 ap_get_module_config(c->base_server->module_config, &gnutls_module); 70 if(sc->enabled == GNUTLS_ENABLED_FALSE || sc->non_ssl_request) {69 if(sc->enabled == 0 || sc->non_ssl_request == 1) { 71 70 /* SSL/TLS Disabled or Plain HTTP Connection Detected */ 72 71 return 0; … … 92 91 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 93 92 ap_get_module_config(c->base_server->module_config, &gnutls_module); 94 return sc->proxy_enabled; 93 sc->proxy_enabled = 1; 94 sc->enabled = 0; 95 return 1; 95 96 } 96 97 … … 99 100 NULL, 100 101 RSRC_CONF | OR_AUTHCFG, 101 " Set Verification Requirements of the Client Certificate"),102 "Enable SSL Proxy Engine"), 102 103 AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, 103 104 NULL,
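Review bot: `ssl_proxy_enable()` writes `sc->proxy_enabled = 1; sc->enabled = 0;` into the `mgs_srvconf_rec` fetched from `c->base_server`, which is the configuration shared by every connection to that server, not state of the connection mod_proxy passed in. After the first outgoing proxy connection, TLS is therefore switched off for all later inbound connections to the same vhost (and `mgs_hook_pre_connection` in this changeset declines whenever `proxy_enabled` is set), which presumably leaves the TLS listener accepting plaintext. The per-connection equivalent is to allocate the connection's `mgs_handle_t` in `ssl_proxy_enable()`, mark it as a proxy connection, and have `mgs_hook_pre_connection` consult that handle instead of `sc`; `ssl_engine_disable()` would clear the same per-connection state. The function also returns 1 unconditionally now; returning 0 when `sc` is NULL or TLS is not configured for the server would let mod_proxy report the failure instead of silently proxying in the clear.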