Changeset 71e9a5c in mod_gnutls for src/mod_gnutls.c

Timestamp:

Aug 22, 2015, 3:53:31 PM (6 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports

Children:

b837187

Parents:

2db6923 (diff), 4addf74 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge tag 'upstream/0.7' into debian

Upstream version 0.7

File:

• src/mod_gnutls.c (modified) (7 diffs)

src/mod_gnutls.c

@@ -1 +1 @@
 /**
  *  Copyright 2004-2005 Paul Querna
- *  Copyright 2008 Nikos Mavrogiannopoulos
+ *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
+ *  Copyright 2015 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -20 +21 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p) {
-
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(gnutls);
+#endif
+
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
+{
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
-    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST);
+    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,
+                        APR_HOOK_REALLY_LAST);
     /* HTTP Scheme Hook */
 #if USING_2_1_RECENT
@@ -32 +38 @@
 #endif
     /* Default Port Hook */
-    ap_hook_default_port(mgs_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
     /* Pre-Connect Hook */
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
+                           APR_HOOK_MIDDLE);
     /* Pre-Config Hook */
     ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
-            APR_HOOK_MIDDLE);
+                       APR_HOOK_MIDDLE);
     /* Child-Init Hook */
     ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
-            APR_HOOK_MIDDLE);
+                       APR_HOOK_MIDDLE);
     /* Authentication Hook */
     ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
-            APR_HOOK_REALLY_FIRST);
+                           APR_HOOK_REALLY_FIRST);
     /* Fixups Hook */
     ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
@@ -53 +60 @@
 
     /* Input Filter */
-    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME,
-            mgs_filter_input, NULL,AP_FTYPE_CONNECTION + 5);
+    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
+                             NULL, AP_FTYPE_CONNECTION + 5);
     /* Output Filter */
-    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
-            mgs_filter_output, NULL,AP_FTYPE_CONNECTION + 5);
+    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
+                              NULL, AP_FTYPE_CONNECTION + 5);
 
     /* mod_proxy calls these functions */
@@ -64 +71 @@
 }
 
-int ssl_is_https(conn_rec *c) {
+int ssl_is_https(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == 0 || sc->non_ssl_request == 1) {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
@@ -75 +83 @@
 }
 
-int ssl_engine_disable(conn_rec *c) {
+int ssl_engine_disable(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 1;
     }
-    ap_remove_input_filter(c->input_filters);
-    ap_remove_input_filter(c->output_filters);
-    mgs_cleanup_pre_config(c->pool);
-    sc->enabled = 0;
+
+    /* disable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
+    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+
+    if (c->input_filters)
+        ap_remove_input_filter(c->input_filters);
+    if (c->output_filters)
+        ap_remove_output_filter(c->output_filters);
+
     return 1;
 }
 
-int ssl_proxy_enable(conn_rec *c) {
+int ssl_proxy_enable(conn_rec *c)
+{
+    /* check if TLS proxy support is enabled */
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    sc->proxy_enabled = 1;
-    sc->enabled = 0;
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                      "%s: mod_proxy requested TLS proxy, but not enabled "
+                      "for %s", __func__, sc->cert_cn);
+        return 0;
+    }
+
+    /* enable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
     return 1;
 }
 
 static const command_rec mgs_config_cmds[] = {
-    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine,
+    AP_INIT_TAKE1("GnuTLSProxyEngine", mgs_set_proxy_engine,
     NULL,
     RSRC_CONF | OR_AUTHCFG,
     "Enable SSL Proxy Engine"),
+    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
+    NULL,
+    RSRC_CONF,
+    "Load this additional PKCS #11 provider library"),
+    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
+    NULL,
+    RSRC_CONF,
+    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
+    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
+    NULL,
+    RSRC_CONF,
+    "The SRK PIN to use in case of TPM keys."),
     AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
     NULL,
@@ -181 +233 @@
     "Whether this server has GnuTLS Enabled. Default: Off"),
     AP_INIT_TAKE1("GnuTLSExportCertificates",
-    mgs_set_export_certificates_enabled,
-    NULL,
-    RSRC_CONF,
-    "Whether to export PEM encoded certificates to CGIs. Default: Off"),
+    mgs_set_export_certificates_size,
+    NULL,
+    RSRC_CONF,
+    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
+    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client private file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client certificate file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 trusted CA file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 CRL file for proxy connections"),
+    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
+    NULL,
+    RSRC_CONF,
+    "The priorities to enable for proxy connections (ciphers, key exchange, "
+    "MACs, compression)."),
     { NULL },
 };