Changeset 4cdd4fd in mod_gnutls


Timestamp:
Apr 10, 2018, 2:30:52 AM (6 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
e7cf823
Parents:
23e98b3
Message:

Implement ssl_var_lookup function (subset of mod_ssl implementation)

mod_http2 uses the ssl_var_lookup function to check if the TLS
connection is acceptable. The implementation added here provides the
subset used there, not all variables provided by mod_ssl.

Files:
2 edited

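--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -292,4 +292,10 @@
 is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+/* The ssl_var_lookup() optional function retrieves SSL environment
+ * variables. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+                        (apr_pool_t *, server_rec *,
+                         conn_rec *, request_rec *,
+                         char *));
 /* The ssl_proxy_enable() and ssl_engine_disable() optional functions
  * are used by mod_proxy to enable use of SSL for outgoing
@@ -300,5 +306,8 @@
                                               ap_conf_vector_t *,
                                               int proxy, int enable));
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
 int ssl_is_https(conn_rec *c);
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
+                     request_rec *r, char *var);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);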
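--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -74,4 +74,28 @@
     /* mod_rewrite calls this function to detect HTTPS */
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+    /* some modules look up TLS-related variables */
+    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+}
+
+
+
+/**
+ * Get the connection context, resolving to a master connection if
+ * any.
+ *
+ * @param c the connection handle
+ *
+ * @return mod_gnutls session context, might be `NULL`
+ */
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
+    {
+        ctxt = (mgs_handle_t *)
+            ap_get_module_config(c->master->conn_config, &gnutls_module);
+    }
+    return ctxt;
 }
 
@@ -86,8 +110,7 @@
 int ssl_is_https(conn_rec *c)
 {
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
 
     if(sc->enabled == GNUTLS_ENABLED_FALSE
@@ -100,4 +123,58 @@
     /* Connection is Using SSL/TLS */
     return 1;
+}
+
+
+
+/**
+ * Return variables describing the current TLS session (if any).
+ *
+ * mod_ssl doc for this function: "This function must remain safe to
+ * use for a non-SSL connection." mod_http2 uses it to check if an
+ * acceptable TLS session is used.
+ */
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
+                     conn_rec *c, request_rec *r, char *var)
+{
+    /*
+     * When no pool is given try to find one
+     */
+    if (p == NULL) {
+        if (r != NULL)
+            p = r->pool;
+        else if (c != NULL)
+            p = c->pool;
+        else
+            return NULL;
+    }
+
+    if (strcmp(var, "HTTPS") == 0)
+    {
+        if (c != NULL && ssl_is_https(c))
+            return "on";
+        else
+            return "off";
+    }
+
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
+
+    /* TLS parameters are empty if there is no session */
+    if (ctxt == NULL || ctxt->c == NULL)
+        return NULL;
+
+    if (strcmp(var, "SSL_PROTOCOL") == 0)
+        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
+
+    if (strcmp(var, "SSL_CIPHER") == 0)
+        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
+                                                           gnutls_cipher_get(ctxt->session),
+                                                           gnutls_mac_get(ctxt->session)));
+
+    /* mod_ssl supports a LOT more variables */
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
+                  "unsupported variable requested: '%s'",
+                  var);
+
+    return NULL;
 }
 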
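Review bot: `ssl_var_lookup` dereferences a NULL `c` for every variable other than "HTTPS": the pool fallback accepts `c == NULL` when `r` is set and the "HTTPS" branch guards `c != NULL`, but the `get_effective_gnutls_ctxt(c)` call that follows reads `c->conn_config` unconditionally, and the trailing `ap_log_cerror(..., c, ...)` takes the same pointer. Since the comment above the function promises it stays safe for non-SSL connections, a guard `if (c == NULL) return NULL;` directly before the `get_effective_gnutls_ctxt(c)` call (or a NULL check on `c` inside `get_effective_gnutls_ctxt` itself) closes this. The `ctxt->c == NULL` test is also the only thing standing between a context that `get_effective_gnutls_ctxt` can return in the disabled state and the `gnutls_*_get(ctxt->session)` calls; whether `ctxt->c` is always unset when no session exists is not visible here, so it may be worth adding `!ctxt->enabled` to that condition to mirror the test in `get_effective_gnutls_ctxt`. Note also that `gnutls_cipher_suite_get_name()` yields GnuTLS's own suite naming rather than the OpenSSL names mod_ssl returns for `SSL_CIPHER`, so a consumer comparing the result against a fixed list should have its expected names confirmed against that format.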