Changes in src/mod_gnutls.c [fd82e59:e391197] in mod_gnutls


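--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -3,4 +3,5 @@
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
+ *  Copyright 2015 Thomas Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,9 +21,14 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
-
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(gnutls);
+#endif
+
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
+{
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
-    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,APR_HOOK_REALLY_LAST);
+    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,
+                        APR_HOOK_REALLY_LAST);
     /* HTTP Scheme Hook */
 #if USING_2_1_RECENT
@@ -32,16 +38,17 @@
 #endif
     /* Default Port Hook */
-    ap_hook_default_port(mgs_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
     /* Pre-Connect Hook */
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
+    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
+                           APR_HOOK_MIDDLE);
     /* Pre-Config Hook */
     ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
-            APR_HOOK_MIDDLE);
+                       APR_HOOK_MIDDLE);
     /* Child-Init Hook */
     ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
-            APR_HOOK_MIDDLE);
+                       APR_HOOK_MIDDLE);
     /* Authentication Hook */
     ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
-            APR_HOOK_REALLY_FIRST);
+                           APR_HOOK_REALLY_FIRST);
     /* Fixups Hook */
     ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
@@ -53,9 +60,9 @@
 
     /* Input Filter */
-    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME,
-            mgs_filter_input, NULL,AP_FTYPE_CONNECTION + 5);
+    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
+                             NULL, AP_FTYPE_CONNECTION + 5);
     /* Output Filter */
-    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME,
-            mgs_filter_output, NULL,AP_FTYPE_CONNECTION + 5);
+    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
+                              NULL, AP_FTYPE_CONNECTION + 5);
 
     /* mod_proxy calls these functions */
@@ -64,7 +71,8 @@
 }
 
-int ssl_is_https(conn_rec *c) {
+int ssl_is_https(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == 0 || sc->non_ssl_request == 1) {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
@@ -75,30 +83,74 @@
 }
 
-int ssl_engine_disable(conn_rec *c) {
+int ssl_engine_disable(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 1;
     }
-    ap_remove_input_filter(c->input_filters);
-    ap_remove_input_filter(c->output_filters);
-    mgs_cleanup_pre_config(c->pool);
-    sc->enabled = 0;
+
+    /* disable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
+    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+
+    if (c->input_filters)
+        ap_remove_input_filter(c->input_filters);
+    if (c->output_filters)
+        ap_remove_output_filter(c->output_filters);
+
     return 1;
 }
 
-int ssl_proxy_enable(conn_rec *c) {
+int ssl_proxy_enable(conn_rec *c)
+{
+    /* check if TLS proxy support is enabled */
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    sc->proxy_enabled = 1;
-    sc->enabled = 0;
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                      "%s: mod_proxy requested TLS proxy, but not enabled "
+                      "for %s", __func__, sc->cert_cn);
+        return 0;
+    }
+
+    /* enable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
     return 1;
 }
 
 static const command_rec mgs_config_cmds[] = {
-    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine,
+    AP_INIT_TAKE1("GnuTLSProxyEngine", mgs_set_proxy_engine,
     NULL,
     RSRC_CONF | OR_AUTHCFG,
     "Enable SSL Proxy Engine"),
+    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
+    NULL,
+    RSRC_CONF,
+    "Load this additional PKCS #11 provider library"),
+    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
+    NULL,
+    RSRC_CONF,
+    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
+    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
+    NULL,
+    RSRC_CONF,
+    "The SRK PIN to use in case of TPM keys."),
     AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
     NULL,
@@ -185,4 +237,25 @@
     RSRC_CONF,
     "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
+    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client private file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 client certificate file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 trusted CA file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 CRL file for proxy connections"),
+    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
+    NULL,
+    RSRC_CONF,
+    "The priorities to enable for proxy connections (ciphers, key exchange, "
+    "MACs, compression)."),
     { NULL },
 };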
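Review bot: In the new `ssl_engine_disable`, `ap_remove_input_filter(c->input_filters)` and `ap_remove_output_filter(c->output_filters)` remove whatever filter currently sits at the head of each chain, not specifically the GnuTLS filters; if another connection-level filter was inserted ahead of them, that filter is dropped while the TLS filters remain, and mod_proxy would then talk to a connection it believes is plaintext but is still TLS-wrapped. Since the function now records `ctxt->enabled = GNUTLS_ENABLED_FALSE` in the connection config, the more robust approach is to have the pre-connection hook consult that flag and not add the filters at all (as mod_ssl does), or to walk each chain and remove only the entry whose `frec->name` matches `GNUTLS_INPUT_FILTER_NAME` / `GNUTLS_OUTPUT_FILTER_NAME`; `mgs_hook_pre_connection` is outside this changeset, so confirm whether it already honours the flag. The `ssl_is_https` hunk and the end of `ssl_engine_disable`'s caller context lie outside the visible hunks. A one-line comment such as `/* removes the head of the chain; assumes the GnuTLS filter is first */` would at least make the current assumption explicit.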