Changeset 8982265 in mod_gnutls for src/mod_gnutls.c


Timestamp:
Apr 16, 2018, 8:43:01 PM (3 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports
Children:
85c5a22
Parents:
300ae82 (diff), f4ac9ccd (diff)
Message:

Merge tag 'upstream/0.8.4' into debian/master

Upstream version 0.8.4

File:
1 edited

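--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -3,5 +3,5 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,4 +20,5 @@
 #include "mod_gnutls.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 
 #ifdef APLOG_USE_MODULE
@@ -25,10 +26,16 @@
 #endif
 
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable);
+
+static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
+static const char * const mod_http2[] = { "mod_http2.c", NULL };
+
 static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
 {
     /* Try Run Post-Config Hook After mod_proxy */
-    static const char * const aszPre[] = { "mod_proxy.c", NULL };
-    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,
-                        APR_HOOK_REALLY_LAST);
+    ap_hook_post_config(mgs_hook_post_config, mod_proxy, mod_http2,
+                        APR_HOOK_MIDDLE);
     /* HTTP Scheme Hook */
     ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
@@ -36,6 +43,8 @@
     ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
     /* Pre-Connect Hook */
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
+    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
                            APR_HOOK_MIDDLE);
+    ap_hook_process_connection(mgs_hook_process_connection,
+                               NULL, mod_http2, APR_HOOK_MIDDLE);
     /* Pre-Config Hook */
     ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
@@ -65,7 +74,32 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
 
     /* mod_rewrite calls this function to detect HTTPS */
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+    /* some modules look up TLS-related variables */
+    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+}
+
+
+
+/**
+ * Get the connection context, resolving to a master connection if
+ * any.
+ *
+ * @param c the connection handle
+ *
+ * @return mod_gnutls session context, might be `NULL`
+ */
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
+    {
+        ctxt = (mgs_handle_t *)
+            ap_get_module_config(c->master->conn_config, &gnutls_module);
+    }
+    return ctxt;
 }
 
@@ -80,8 +114,7 @@
 int ssl_is_https(conn_rec *c)
 {
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
 
     if(sc->enabled == GNUTLS_ENABLED_FALSE
@@ -98,55 +131,107 @@
 
 
-int ssl_engine_disable(conn_rec *c)
-{
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
-        return 1;
-    }
-
-    /* disable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
+/**
+ * Return variables describing the current TLS session (if any).
+ *
+ * mod_ssl doc for this function: "This function must remain safe to
+ * use for a non-SSL connection." mod_http2 uses it to check if an
+ * acceptable TLS session is used.
+ */
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
+                     conn_rec *c, request_rec *r, char *var)
+{
+    /*
+     * When no pool is given try to find one
+     */
+    if (p == NULL) {
+        if (r != NULL)
+            p = r->pool;
+        else if (c != NULL)
+            p = c->pool;
+        else
+            return NULL;
+    }
+
+    if (strcmp(var, "HTTPS") == 0)
     {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-    }
-    ctxt->enabled = GNUTLS_ENABLED_FALSE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
-
-    if (c->input_filters)
-        ap_remove_input_filter(c->input_filters);
-    if (c->output_filters)
-        ap_remove_output_filter(c->output_filters);
-
-    return 1;
-}
-
-int ssl_proxy_enable(conn_rec *c)
-{
-    /* check if TLS proxy support is enabled */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+        if (c != NULL && ssl_is_https(c))
+            return "on";
+        else
+            return "off";
+    }
+
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
+
+    /* TLS parameters are empty if there is no session */
+    if (ctxt == NULL || ctxt->c == NULL)
+        return NULL;
+
+    if (strcmp(var, "SSL_PROTOCOL") == 0)
+        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
+
+    if (strcmp(var, "SSL_CIPHER") == 0)
+        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
+                                                           gnutls_cipher_get(ctxt->session),
+                                                           gnutls_mac_get(ctxt->session)));
+
+    /* mod_ssl supports a LOT more variables */
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
+                  "unsupported variable requested: '%s'",
+                  var);
+
+    return NULL;
+}
+
+
+
+/**
+ * In Apache versions from 2.4.33 mod_proxy uses this function to set
+ * up its client connections. Note that mod_gnutls does not (yet)
+ * implement per directory configuration for such connections.
+ *
+ * @param c the connection
+ * @param dir_conf per directory configuration, unused for now
+ * @param proxy Is this a proxy connection?
+ * @param enable Should TLS be enabled on this connection?
+ *
+ * @param `true` (1) if successful, `false` (0) otherwise
+ */
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable)
+{
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
+
+    /* If TLS proxy has been requested, check if support is enabled
+     * for the server */
+    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "%s: mod_proxy requested TLS proxy, but not enabled "
-                      "for %s", __func__, sc->cert_cn);
+                      "for %s", __func__, ctxt->sc->cert_cn);
         return 0;
     }
 
-    /* enable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-    }
-    ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    if (proxy)
+        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+
+    if (enable)
+        ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     return 1;
+}
+
+int ssl_engine_disable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 0, 0);
+}
+
+int ssl_proxy_enable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 1, 1);
 }
 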
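Review bot: ssl_var_lookup still dereferences a NULL connection on every path past the HTTPS branch: the pool fallback at the top accepts c == NULL whenever p or r is set, the HTTPS branch guards `c != NULL`, but get_effective_gnutls_ctxt(c) is then called unconditionally and reads c->conn_config, and the trailing ap_log_cerror is also handed c. Since the header comment promises the function stays safe for a non-SSL connection, add `if (c == NULL) return NULL;` immediately before the `mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);` line. In the same hunk the ssl_engine_set doc block labels its result with `@param`; that last tag should be `@return`. ssl_engine_set also dereferences ctxt->sc straight after init_gnutls_ctxt(c); whether that helper can return NULL is not visible here, so a guard on ctxt may be warranted as well.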