Changes in / [eea8a16:b324906] in mod_gnutls
- Files:
-
- 5 edited
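--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -108,6 +108,9 @@
 /* SRP Certificate Structure*/
 gnutls_srp_server_credentials_t srp_creds;
-/* Annonymous Certificate Structure */
+/* Anonymous Certificate Structure */
 gnutls_anon_server_credentials_t anon_creds;
+/* Anonymous Client Certificate Structure, used for proxy
+ * connections */
+gnutls_anon_client_credentials_t anon_client_creds;
 /* Current x509 Certificate CN [Common Name] */
 char* cert_cn;
@@ -173,4 +176,6 @@
 /* Is TLS enabled for this connection? */
 int enabled;
+/* Is this a proxy connection? */
+int is_proxy;
 /* GnuTLS Session handle */
 gnutls_session_t session;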
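Review bot: The comment on the new `anon_client_creds` member calls it a "Certificate Structure", but `gnutls_anon_client_credentials_t` is exactly the credential type that involves no certificate and no authentication of the peer, which is the property a maintainer reading the struct most needs to know about a proxy connection. Suggest `/* Anonymous (unauthenticated) client credentials for outgoing proxy connections; no certificate is involved */`. The new `is_proxy` field is compared against `GNUTLS_ENABLED_TRUE` elsewhere in this changeset while the struct is `apr_pcalloc`ed, so its comment should also state the expected values, e.g. `/* GNUTLS_ENABLED_TRUE if this is an outgoing proxy (client-mode) connection, GNUTLS_ENABLED_FALSE otherwise */`.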
src/gnutls_config.c
reea8a16 rb324906 620 620 return NULL; 621 621 } 622 623 /* FIXME: not ideal, should be called only if SSLProxyEngine is 624 * enabled */ 625 ret = gnutls_anon_allocate_client_credentials(&sc->anon_client_creds); 626 if (ret < 0) 627 { 628 *err = apr_psprintf(p, "GnuTLS: Failed to initialize" 629 ": (%d) %s", ret, 630 gnutls_strerror(ret)); 631 return NULL; 632 } 622 633 #ifdef ENABLE_SRP 623 634 ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds); … … 696 707 gnutls_srvconf_assign(certs); 697 708 gnutls_srvconf_assign(anon_creds); 709 gnutls_srvconf_assign(anon_client_creds); 698 710 gnutls_srvconf_assign(srp_creds); 699 711 gnutls_srvconf_assign(certs_x509_chain); -
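Review bot: `gnutls_anon_allocate_client_credentials` is called unconditionally (the FIXME says as much), and nothing in this hunk pairs it with a `gnutls_anon_free_client_credentials`; if the other credential objects allocated in this function are released in a pool cleanup, that cleanup needs extending, and since `gnutls_srvconf_assign(anon_client_creds)` shares one pointer across merged virtual-host configs, the release must happen only once. The error path on failure returns NULL like the preceding ones, so whether earlier allocations leak there depends on code outside the hunk — worth confirming. The enclosing function starts and ends outside this hunk.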
src/gnutls_hooks.c
reea8a16 rb324906 40 40 #endif 41 41 42 #define IS_PROXY_STR(c) \ 43 ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "") 44 42 45 static gnutls_datum_t session_ticket_key = {NULL, 0}; 43 46 … … 147 150 gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode); 148 151 152 /* Set x509 credentials */ 153 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs); 149 154 /* Set Anon credentials */ 150 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);151 /* Set x509 credentials */152 155 gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds); 153 156 … … 620 623 #endif 621 624 622 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) { 625 mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session) 626 { 623 627 int rv; 624 628 unsigned int sni_type; … … 671 675 672 676 tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config, 673 &gnutls_module);677 &gnutls_module); 674 678 675 679 if (tsc->enabled != GNUTLS_ENABLED_TRUE) { continue; } 676 680 677 if(check_server_aliases(x, s, tsc)) { 678 return tsc; 679 } 681 if(check_server_aliases(x, s, tsc)) { 682 return tsc; 683 } 684 } 680 685 #endif 681 686 return NULL; 687 } 688 689 /* 690 * This function is intended as a cleanup handler for connections 691 * using GnuTLS. 
692 * 693 * @param data must point to the mgs_handle_t associated with the 694 * connection 695 */ 696 static apr_status_t cleanup_gnutls_session(void *data) 697 { 698 /* nothing to do */ 699 if (data == NULL) 700 return APR_SUCCESS; 701 702 /* check if session needs closing */ 703 mgs_handle_t *ctxt = (mgs_handle_t *) data; 704 if (ctxt->session != NULL) 705 { 706 int ret; 707 /* Try A Clean Shutdown */ 708 do 709 ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR); 710 while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); 711 if (ret != GNUTLS_E_SUCCESS) 712 ap_log_cerror(APLOG_MARK, APLOG_INFO, ret, ctxt->c, 713 "%s: error while closing TLS %sconnection: %s (%d)", 714 __func__, IS_PROXY_STR(ctxt), 715 gnutls_strerror(ret), ret); 716 else 717 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, ret, ctxt->c, 718 "%s: TLS %sconnection closed.", 719 __func__, IS_PROXY_STR(ctxt)); 720 /* De-Initialize Session */ 721 gnutls_deinit(ctxt->session); 722 ctxt->session = NULL; 723 } 724 return APR_SUCCESS; 682 725 } 683 726 … … 694 737 if (ctxt == NULL) 695 738 { 696 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);697 739 ctxt = apr_pcalloc(c->pool, sizeof (*ctxt)); 698 740 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 741 ctxt->is_proxy = GNUTLS_ENABLED_FALSE; 699 742 } 700 743 ctxt->enabled = GNUTLS_ENABLED_TRUE; … … 711 754 712 755 /* Initialize GnuTLS Library */ 713 int err = gnutls_init(&ctxt->session, GNUTLS_SERVER); 714 if (err != GNUTLS_E_SUCCESS) 715 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_init failed!"); 716 /* Initialize Session Tickets */ 717 if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) { 718 err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key); 756 int err = 0; 757 if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE) 758 { 759 /* this is an outgoing proxy connection, client mode */ 760 err = gnutls_init(&ctxt->session, GNUTLS_CLIENT); 719 761 if (err != 
GNUTLS_E_SUCCESS) 720 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_session_ticket_enable_server failed!"); 762 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 763 "gnutls_init for proxy connection failed: %s (%d)", 764 gnutls_strerror(err), err); 765 err = gnutls_session_ticket_enable_client(ctxt->session); 766 if (err != GNUTLS_E_SUCCESS) 767 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 768 "gnutls_session_ticket_enable_client failed: %s (%d)", 769 gnutls_strerror(err), err); 770 /* Try to close and deinit the session when the connection 771 * pool is cleared. Note that mod_proxy might not close 772 * connections immediately, if you need that, look at the 773 * "proxy-nokeepalive" environment variable for 774 * mod_proxy_http. */ 775 apr_pool_pre_cleanup_register(c->pool, ctxt, cleanup_gnutls_session); 776 } 777 else 778 { 779 /* incoming connection, server mode */ 780 err = gnutls_init(&ctxt->session, GNUTLS_SERVER); 781 if (err != GNUTLS_E_SUCCESS) 782 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 783 "gnutls_init for server side failed: %s (%d)", 784 gnutls_strerror(err), err); 785 /* Initialize Session Tickets */ 786 if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) 787 { 788 err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key); 789 if (err != GNUTLS_E_SUCCESS) 790 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 791 "gnutls_session_ticket_enable_server failed: %s (%d)", 792 gnutls_strerror(err), err); 793 } 721 794 } 722 795 … … 728 801 gnutls_handshake_set_post_client_hello_function(ctxt->session, 729 802 mgs_select_virtual_server_cb); 803 804 /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb 805 * will load appropriate credentials during handshake. However, 806 * when handling a proxy backend connection, mod_gnutls acts as 807 * TLS client and credentials must be loaded here. 
*/ 808 if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE) 809 { 810 /* Set anonymous client credentials for proxy connections */ 811 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON, 812 ctxt->sc->anon_client_creds); 813 /* Set x509 credentials */ 814 gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE, 815 ctxt->sc->certs); 816 /* Load priorities from the server configuration */ 817 err = gnutls_priority_set(ctxt->session, ctxt->sc->priorities); 818 if (err != GNUTLS_E_SUCCESS) 819 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 820 "%s: setting priorities for proxy connection failed: %s (%d)", 821 __func__, gnutls_strerror(err), err); 822 } 823 730 824 /* Initialize Session Cache */ 731 825 mgs_cache_session_init(ctxt); … … 753 847 ap_get_module_config(c->conn_config, &gnutls_module); 754 848 755 if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) 756 || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE)) 849 if ((sc && (!sc->enabled)) || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE)) 757 850 { 758 851 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection", -
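Review bot: The proxy client branch (new lines 808-822) installs anonymous client credentials and the server's own `ctxt->sc->certs`, but nothing in this hunk authenticates the backend: no verify function is attached to the certificate credentials for client use, no `gnutls_certificate_verify_peers*` call and no `gnutls_server_name_set` appear, so unless verification happens after the handshake elsewhere the backend (or anyone in the path) completes the handshake unauthenticated, and if `ctxt->sc->priorities` admits ANON ciphersuites the session is not even certificate-based. At minimum this deserves an explicit comment such as `/* NOTE: the backend is not authenticated here: anonymous credentials are offered and no peer verification is configured */`, and offering ANON credentials should be opt-in rather than the default. Separately, a failing `gnutls_init` (both branches, new lines 760-764 and 780-784) is only logged and the code proceeds to `gnutls_session_ticket_enable_*`, `gnutls_credentials_set` and `gnutls_priority_set` on a session that was never initialized; the branch should bail out or mark the connection disabled, e.g. `if (err != GNUTLS_E_SUCCESS) { ap_log_cerror(...); ctxt->enabled = GNUTLS_ENABLED_FALSE; return ...; }` with whatever return value the function's callers expect. The enclosing function starts and ends outside this hunk.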
src/gnutls_io.c
reea8a16 rb324906 38 38 alloc) 39 39 40 #define IS_PROXY_STR(c) \ 41 ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "") 42 40 43 static apr_status_t gnutls_io_filter_error(ap_filter_t * f, 41 44 apr_bucket_brigade * bb, … … 45 48 46 49 switch (status) { 47 case HTTP_BAD_REQUEST: 48 /* log the situation */ 49 ap_log_error(APLOG_MARK, APLOG_INFO, 0, 50 f->c->base_server, 51 "GnuTLS handshake failed: HTTP spoken on HTTPS port; " 52 "trying to send HTML error page"); 53 54 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) ap_get_module_config( 55 f->c->base_server->module_config, 56 &gnutls_module 57 ); 58 ctxt->status = -1; 59 sc->non_ssl_request = 1; 60 61 /* fake the request line */ 62 bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); 63 break; 64 65 default: 66 return status; 50 case HTTP_BAD_REQUEST: 51 /* log the situation */ 52 ap_log_error(APLOG_MARK, APLOG_INFO, 0, 53 f->c->base_server, 54 "GnuTLS handshake failed: HTTP spoken on HTTPS port; " 55 "trying to send HTML error page"); 56 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 57 ap_get_module_config(f->c->base_server->module_config, 58 &gnutls_module); 59 ctxt->status = -1; 60 sc->non_ssl_request = 1; 61 62 /* fake the request line */ 63 bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); 64 break; 65 66 default: 67 return status; 67 68 } 68 69 … … 186 187 187 188 static apr_status_t gnutls_io_input_read(mgs_handle_t * ctxt, 188 char *buf, apr_size_t * len) { 189 char *buf, apr_size_t * len) 190 { 189 191 apr_size_t wanted = *len; 190 192 apr_size_t bytes = 0; … … 225 227 226 228 if (ctxt->session == NULL) { 229 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, ctxt->c, 230 "%s: GnuTLS session is NULL!", __func__); 227 231 return APR_EGENERAL; 228 232 } … … 230 234 while (1) { 231 235 232 rc = gnutls_record_recv(ctxt->session, buf + bytes, 233 wanted - bytes); 236 do 237 rc = gnutls_record_recv(ctxt->session, buf + bytes, 238 wanted - bytes); 239 while (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN); 234 240 
235 241 if (rc > 0) { … … 270 276 if (rc == GNUTLS_E_REHANDSHAKE) { 271 277 /* A client has asked for a new Hankshake. Currently, we don't do it */ 272 ap_log_ error(APLOG_MARK, APLOG_INFO,278 ap_log_cerror(APLOG_MARK, APLOG_INFO, 273 279 ctxt->input_rc, 274 ctxt->c ->base_server,280 ctxt->c, 275 281 "GnuTLS: Error reading data. Client Requested a New Handshake." 276 282 " (%d) '%s'", rc, … … 278 284 } else if (rc == GNUTLS_E_WARNING_ALERT_RECEIVED) { 279 285 rc = gnutls_alert_get(ctxt->session); 280 ap_log_ error(APLOG_MARK, APLOG_INFO,286 ap_log_cerror(APLOG_MARK, APLOG_INFO, 281 287 ctxt->input_rc, 282 ctxt->c ->base_server,288 ctxt->c, 283 289 "GnuTLS: Warning Alert From Client: " 284 290 " (%d) '%s'", rc, … … 286 292 } else if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED) { 287 293 rc = gnutls_alert_get(ctxt->session); 288 ap_log_ error(APLOG_MARK, APLOG_INFO,294 ap_log_cerror(APLOG_MARK, APLOG_INFO, 289 295 ctxt->input_rc, 290 ctxt->c ->base_server,296 ctxt->c, 291 297 "GnuTLS: Fatal Alert From Client: " 292 298 "(%d) '%s'", rc, … … 297 303 /* Some Other Error. Report it. Die. */ 298 304 if (gnutls_error_is_fatal(rc)) { 299 ap_log_ error(APLOG_MARK,305 ap_log_cerror(APLOG_MARK, 300 306 APLOG_INFO, 301 307 ctxt->input_rc, 302 ctxt->c ->base_server,308 ctxt->c, 303 309 "GnuTLS: Error reading data. 
(%d) '%s'", 304 310 rc, … … 311 317 312 318 if (ctxt->input_rc == APR_SUCCESS) { 319 ap_log_cerror(APLOG_MARK, APLOG_INFO, ctxt->input_rc, ctxt->c, 320 "%s: GnuTLS error: %s (%d)", 321 __func__, gnutls_strerror(rc), rc); 313 322 ctxt->input_rc = APR_EGENERAL; 314 323 } … … 405 414 ap_log_error(APLOG_MARK, APLOG_INFO, 0, 406 415 ctxt->c->base_server, 407 "GnuTLS: Han shake Alert (%d) '%s'.",416 "GnuTLS: Handshake Alert (%d) '%s'.", 408 417 errcode, 409 418 gnutls_alert_get_name(errcode)); … … 479 488 apr_bucket_brigade * bb, 480 489 ap_input_mode_t mode, 481 apr_read_type_e block, apr_off_t readbytes) { 490 apr_read_type_e block, apr_off_t readbytes) 491 { 482 492 apr_status_t status = APR_SUCCESS; 483 493 mgs_handle_t *ctxt = (mgs_handle_t *) f->ctx; … … 488 498 apr_bucket_eos_create(f->c->bucket_alloc); 489 499 APR_BRIGADE_INSERT_TAIL(bb, bucket); 500 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c, 501 "%s: %sconnection aborted", 502 __func__, IS_PROXY_STR(ctxt)); 490 503 return APR_ECONNABORTED; 491 504 } … … 493 506 if (ctxt->status == 0) { 494 507 gnutls_do_handshake(ctxt); 508 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c, 509 "%s: TLS %sconnection opened.", 510 __func__, IS_PROXY_STR(ctxt)); 495 511 } 496 512 497 513 if (ctxt->status < 0) { 514 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c, 515 "%s %s: ap_get_brigade", __func__, IS_PROXY_STR(ctxt)); 498 516 return ap_get_brigade(f->next, bb, mode, block, readbytes); 499 517 } … … 589 607 if (ctxt->status == 0) { 590 608 gnutls_do_handshake(ctxt); 609 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c, 610 "%s: TLS %sconnection opened.", 611 __func__, IS_PROXY_STR(ctxt)); 591 612 } 592 613 … … 615 636 ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR); 616 637 } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); 638 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, ret, ctxt->c, 639 "%s: TLS %sconnection closed.", 640 __func__, IS_PROXY_STR(ctxt)); 617 641 /* De-Initialize Session */ 618 642 
gnutls_deinit(ctxt->session); -
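Review bot: The new retry loop around `gnutls_record_recv` in gnutls_io_input_read (new lines 236-239) re-issues the read on `GNUTLS_E_AGAIN` as well as `GNUTLS_E_INTERRUPTED`; when the filter has been invoked in non-blocking mode, `GNUTLS_E_AGAIN` from the pull callback means "no data yet", and the loop turns what used to be an immediate return into a busy-wait. Retrying `GNUTLS_E_AGAIN` only when the current read is blocking — `while (rc == GNUTLS_E_INTERRUPTED || (rc == GNUTLS_E_AGAIN && <read is blocking>));` using whatever field carries the filter's `block` argument — keeps the previous non-blocking behaviour; I cannot see how the pull callback reports would-block from here, so confirm against it. The "From Client" wording in the alert messages is now also reached on proxy connections where the peer is the backend server, so the `IS_PROXY_STR` prefix used elsewhere would make those logs accurate. gnutls_io_input_read's body continues outside this hunk.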
src/mod_gnutls.c
reea8a16 rb324906 28 28 /* Try Run Post-Config Hook After mod_proxy */ 29 29 static const char * const aszPre[] = { "mod_proxy.c", NULL }; 30 ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST); 30 ap_hook_post_config(mgs_hook_post_config, aszPre, NULL, 31 APR_HOOK_REALLY_LAST); 31 32 /* HTTP Scheme Hook */ 32 33 #if USING_2_1_RECENT … … 36 37 #endif 37 38 /* Default Port Hook */ 38 ap_hook_default_port(mgs_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);39 ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE); 39 40 /* Pre-Connect Hook */ 40 ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); 41 ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, 42 APR_HOOK_MIDDLE); 41 43 /* Pre-Config Hook */ 42 44 ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, 43 APR_HOOK_MIDDLE);45 APR_HOOK_MIDDLE); 44 46 /* Child-Init Hook */ 45 47 ap_hook_child_init(mgs_hook_child_init, NULL, NULL, 46 APR_HOOK_MIDDLE);48 APR_HOOK_MIDDLE); 47 49 /* Authentication Hook */ 48 50 ap_hook_access_checker(mgs_hook_authz, NULL, NULL, 49 APR_HOOK_REALLY_FIRST);51 APR_HOOK_REALLY_FIRST); 50 52 /* Fixups Hook */ 51 53 ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST); … … 57 59 58 60 /* Input Filter */ 59 ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, 60 mgs_filter_input, NULL,AP_FTYPE_CONNECTION + 5);61 ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input, 62 NULL, AP_FTYPE_CONNECTION + 5); 61 63 /* Output Filter */ 62 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, 63 mgs_filter_output, NULL,AP_FTYPE_CONNECTION + 5);64 ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output, 65 NULL, AP_FTYPE_CONNECTION + 5); 64 66 65 67 /* mod_proxy calls these functions */ … … 68 70 } 69 71 70 int ssl_is_https(conn_rec *c) { 72 int ssl_is_https(conn_rec *c) 73 { 71 74 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 72 75 ap_get_module_config(c->base_server->module_config, 
&gnutls_module); 73 76 if(sc->enabled == 0 || sc->non_ssl_request == 1) { 74 77 /* SSL/TLS Disabled or Plain HTTP Connection Detected */ … … 88 91 89 92 /* disable TLS for this connection */ 90 mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module); 93 mgs_handle_t *ctxt = (mgs_handle_t *) 94 ap_get_module_config(c->conn_config, &gnutls_module); 91 95 if (ctxt == NULL) 92 96 { 93 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);94 97 ctxt = apr_pcalloc(c->pool, sizeof (*ctxt)); 95 98 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 96 99 } 97 100 ctxt->enabled = GNUTLS_ENABLED_FALSE; 101 ctxt->is_proxy = GNUTLS_ENABLED_TRUE; 98 102 99 103 if (c->input_filters) … … 105 109 } 106 110 107 int ssl_proxy_enable(conn_rec *c) { 111 int ssl_proxy_enable(conn_rec *c) 112 { 113 /* check if TLS proxy support is enabled */ 108 114 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 109 ap_get_module_config(c->base_server->module_config, &gnutls_module); 110 sc->proxy_enabled = GNUTLS_ENABLED_TRUE; 111 sc->enabled = GNUTLS_ENABLED_FALSE; 115 ap_get_module_config(c->base_server->module_config, &gnutls_module); 116 if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE) 117 { 118 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, 119 "%s: mod_proxy requested TLS proxy, but not enabled " 120 "for %s", __func__, sc->cert_cn); 121 return 0; 122 } 123 124 /* enable TLS for this connection */ 125 mgs_handle_t *ctxt = (mgs_handle_t *) 126 ap_get_module_config(c->conn_config, &gnutls_module); 127 if (ctxt == NULL) 128 { 129 ctxt = apr_pcalloc(c->pool, sizeof (*ctxt)); 130 ap_set_module_config(c->conn_config, &gnutls_module, ctxt); 131 } 132 ctxt->enabled = GNUTLS_ENABLED_TRUE; 133 ctxt->is_proxy = GNUTLS_ENABLED_TRUE; 112 134 return 1; 113 135 }
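Review bot: The error log in `ssl_proxy_enable` (new lines 118-120) prints `sc->cert_cn` with `%s`; the header describes `cert_cn` as the current certificate's CN, so for a server with no certificate configured it may be NULL, and passing NULL for `%s` is undefined behaviour even if glibc prints "(null)". Identifying the server by `c->base_server->server_hostname` instead avoids that and is more useful to an administrator debugging why the proxy refused TLS. Note also that `ssl_engine_disable` now sets `is_proxy = GNUTLS_ENABLED_TRUE` on every connection it touches; that is correct only as long as mod_proxy is its sole caller, which a one-line comment above the assignment should state.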