Changeset 37f8282 in mod_gnutls

Timestamp:

Dec 7, 2011, 12:22:48 AM (8 years ago)

Author:

Dash Shendy <neuromancer@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream

Children:

694fc04

Parents:

33826c5

Message:

mod_proxy support continued

Signed-off-by: Dash Shendy <neuromancer@…>

Files:

• include/mod_gnutls.h.in (modified) (3 diffs)
• src/gnutls_hooks.c (modified) (10 diffs)
• src/mod_gnutls.c (modified) (5 diffs)

include/mod_gnutls.h.in

@@ -111 +111 @@
     int tickets; /* whether session tickets are allowed */
     int proxy_enabled;
-    int non_ssl_request;
 } mgs_srvconf_rec;
 
@@ -138 +137 @@
     apr_size_t output_length;
     int status;
+    int non_ssl_request;
 } mgs_handle_t;
 
@@ -146 +146 @@
 
  /* Proxy Support */
+/* An optional function which returns non-zero if the given connection
+is using SSL/TLS. */
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
+ * are used by mod_proxy to enable use of SSL for outgoing
+ * connections. */
+APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+int ssl_is_https(conn_rec *c);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
+const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
+    const char *arg);
+apr_status_t mgs_cleanup_pre_config(void *data);
 
 /**

src/gnutls_hooks.c

@@ -43 +43 @@
         int export_certificates_enabled);
 
-static apr_status_t mgs_cleanup_pre_config(void *data) {
+apr_status_t mgs_cleanup_pre_config(void *data) {
     gnutls_free(session_ticket_key.data);
     session_ticket_key.data = NULL;
@@ -60 +60 @@
 #endif
 
-int mgs_hook_open_logs(apr_pool_t * pconf,apr_pool_t * plog, 
-        apr_pool_t * ptemp) {
+int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog,
+         apr_pool_t * ptemp) {
 #if MOD_GNUTLS_DEBUG
     apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
@@ -70 +70 @@
     gnutls_global_set_log_level(9);
     gnutls_global_set_log_function(gnutls_debug_log_all);
-    _gnutls_log(debug_log_fp, "gnutls: %s\n",
-            gnutls_check_version(NULL));
+    _gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
 #endif    
-}
-
-int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog,
-         apr_pool_t * ptemp) {
     int ret;
 
@@ -191 +186 @@
 }
 
-/* 2048-bit group parameters from SRP specification 
+/* 2048-bit group parameters from SRP specification */
 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
         "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
@@ -200 +195 @@
         "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
         "-----END DH PARAMETERS-----\n";
-*/
 
 /* Read the common name or the alternative name of the certificate.
@@ -316 +310 @@
 
     if (sc_base->dh_params == NULL) {
+        gnutls_datum pdata = {
+            (void *) static_dh_params,
+            sizeof(static_dh_params)
+        };
+        rv = gnutls_dh_params_import_pkcs3(dh_params, &pdata,
+                GNUTLS_X509_FMT_PEM);       
+        /* Generate DH Params 
         int dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH,
                 GNUTLS_SEC_PARAM_NORMAL);
@@ -322 +323 @@
             "To avoid this use GnuTLSDHFile to specify DH Params for this host",
             dh_bits);                
-        rv = gnutls_dh_params_generate2 (dh_params,dh_bits);
-        if (rv < 0) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                    "GnuTLS: Unable to generate DH Params: (%d) %s",
-                    rv, gnutls_strerror(rv));
-            exit(rv);
-        }
 #if MOD_GNUTLS_DEBUG
             ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "GnuTLS: Generated DH Params of %i bits",dh_bits);
-#endif        
+#endif  
+        rv = gnutls_dh_params_generate2 (dh_params,dh_bits);
+        */
+        if (rv < 0) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                    "GnuTLS: Unable to generate or load DH Params: (%d) %s",
+                    rv, gnutls_strerror(rv));
+            exit(rv);
+        }               
     } else {
         dh_params = sc_base->dh_params;
@@ -453 +455 @@
     }
     /* Block SIGPIPE Signals */
-    status = apr_signal_block(SIGPIPE); 
-    if(status != APR_SUCCESS) {
+    rv = apr_signal_block(SIGPIPE); 
+    if(rv != APR_SUCCESS) {
         /* error sending output */
-        ap_log_error(APLOG_MARK,APLOG_INFO,ctxt->output_rc,ctxt->c->base_server,
+        ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
                 "GnuTLS: Error Blocking SIGPIPE Signal!");        
-        return status;
     }    
 }
@@ -680 +681 @@
 
 int mgs_hook_pre_connection(conn_rec * c, void *csd) {
-    mgs_handle_t *ctxt;
     mgs_srvconf_rec *sc;
 
@@ -688 +688 @@
             &gnutls_module);
 
-    if (sc && !sc->enabled) {
+    if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
         return DECLINED;
     }
 
-    if (c->remote_addr->hostname) {
-        /* Connection initiated by Apache (mod_proxy) => ignore */
-        return OK;
-    }
-
     create_gnutls_handle(c);
-
     return OK;
 }

src/mod_gnutls.c

@@ -21 +21 @@
 
 static void gnutls_hooks(apr_pool_t * p) {
-
-    ap_hook_open_logs(mgs_hook_open_logs, NULL, NULL,APR_HOOK_MIDDLE);
+    
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
@@ -33 +32 @@
 #endif
     /* Default Port Hook */
-    ap_hook_default_port(nss_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_default_port(mgs_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
     /* Pre-Connect Hook */
-    ap_hook_pre_connection(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
     /* Pre-Config Hook */
     ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
@@ -68 +67 @@
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 
             ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == GNUTLS_ENABLED_FALSE || sc->non_ssl_request) {
+    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
         return 0;
@@ -92 +91 @@
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 
             ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    return sc->proxy_enabled;
+    sc->proxy_enabled = 1;
+    sc->enabled = 0;
+    return 1;
 }
 
@@ -99 +100 @@
     NULL,
     RSRC_CONF | OR_AUTHCFG,
-    "Set Verification Requirements of the Client Certificate"),
+    "Enable SSL Proxy Engine"),
     AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
     NULL,