Changeset e8acf05 in mod_gnutls


Timestamp:
Jan 20, 2015, 10:45:39 AM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, jessie-backports, upstream
Children:
c782c1f
Parents:
e4b58b6
git-author:
Thomas Klute <thomas2.klute@…> (01/20/15 10:30:36)
git-committer:
Thomas Klute <thomas2.klute@…> (01/20/15 10:45:39)
Message:

Enable/disable TLS per connection in ssl_engine_disable

Previously, ssl_engine_disable set the server wide variable sc->enabled
to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any
connection, including incoming client connections. The general HTTP
handler cannot process raw TLS traffic, so all further requests using
TLS failed.

This commit adds a new element "enabled" to struct mgs_handle_t, which
is used to disable TLS per connection, making it possible to disable TLS
for proxy back end connections while continuing to serve TLS clients.

Files:
3 edited

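--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -171,4 +171,6 @@
         /* Connection record */
     conn_rec* c;
+        /* Is TLS enabled for this connection? */
+    int enabled;
         /* GnuTLS Session handle */
     gnutls_session_t session;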
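Review bot: The comment on the new `enabled` member does not say which values it holds or who sets them, and the two hooks in this changeset test it differently (`== GNUTLS_ENABLED_FALSE` in mgs_hook_pre_connection, `!= GNUTLS_ENABLED_TRUE` in the request hook), so a handle that was only apr_pcalloc'd and still holds 0 is judged differently by each unless GNUTLS_ENABLED_FALSE happens to be 0, which this page does not show. I would extend the comment to `/* Is TLS enabled for this connection? GNUTLS_ENABLED_TRUE once create_gnutls_handle() has run, GNUTLS_ENABLED_FALSE after ssl_engine_disable(); a handle that was only pcalloc'd holds 0, so every check should test for GNUTLS_ENABLED_TRUE rather than for FALSE. */`. The struct this member belongs to starts outside the hunk.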
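--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -682,12 +682,21 @@
 }
 
-static void create_gnutls_handle(conn_rec * c) {
-    mgs_handle_t *ctxt;
-    /* Get mod_gnutls Configuration Record */
-    mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config,&gnutls_module);
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+static void create_gnutls_handle(conn_rec * c)
+{
+    /* Get mod_gnutls server configuration */
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    /* Get connection specific configuration */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
     ctxt->c = c;
     ctxt->sc = sc;
@@ -700,4 +709,5 @@
     ctxt->output_blen = 0;
     ctxt->output_length = 0;
+
     /* Initialize GnuTLS Library */
     int err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
@@ -721,6 +731,4 @@
     mgs_cache_session_init(ctxt);
 
-    /* Set this config for this connection */
-    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
     /* Set pull, push & ptr functions */
     gnutls_transport_set_pull_function(ctxt->session,
@@ -736,13 +744,18 @@
 }
 
-int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused))) {
-    mgs_srvconf_rec *sc;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
-            &gnutls_module);
-
-    if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
+int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused)))
+{
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
+                      __func__);
         return DECLINED;
     }
@@ -766,9 +779,10 @@
     apr_table_t *env = r->subprocess_env;
 
-    ctxt =
-            ap_get_module_config(r->connection->conn_config,
-            &gnutls_module);
-
-    if (!ctxt || ctxt->session == NULL) {
+    ctxt = ap_get_module_config(r->connection->conn_config,
+                                &gnutls_module);
+
+    if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
+    {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
         return DECLINED;
     }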
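Review bot: The decline test added to mgs_hook_pre_connection, `(ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE)`, disagrees with the one added to the request hook in the last hunk, `ctxt->enabled != GNUTLS_ENABLED_TRUE`: a handle that exists but was never explicitly marked (the 0 left by apr_pcalloc) passes one check and fails the other unless GNUTLS_ENABLED_FALSE is defined as 0, which this page does not show. I would use one predicate in both places, and the request hook's form is the safer choice because it declines anything not positively enabled: `|| (ctxt && ctxt->enabled != GNUTLS_ENABLED_TRUE))`. Separately, create_gnutls_handle now reuses a handle already present in conn_config and then reaches the unchanged `gnutls_init(&ctxt->session, GNUTLS_SERVER)` without looking at `ctxt->session`, whereas the old code always started from a fresh zeroed allocation; if this function can run more than once on a connection, the earlier session would be overwritten without a gnutls_deinit, so either a guard on `ctxt->session != NULL` or a comment stating the single-call assumption belongs before the init. The bodies of create_gnutls_handle and of the request hook continue outside the hunks shown.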
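--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -20,6 +20,10 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
-
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(gnutls);
+#endif
+
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
+{
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
@@ -75,10 +79,22 @@
 }
 
-int ssl_engine_disable(conn_rec *c) {
+int ssl_engine_disable(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 1;
     }
+
+    /* disable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     if (c->input_filters)
         ap_remove_input_filter(c->input_filters);
@@ -86,5 +102,4 @@
         ap_remove_output_filter(c->output_filters);
     mgs_cleanup_pre_config(c->pool);
-    sc->enabled = GNUTLS_ENABLED_FALSE;
     return 1;
 }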
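Review bot: The lookup-or-allocate block added to ssl_engine_disable (from the `ap_get_module_config(c->conn_config, ...)` line through `ap_set_module_config`) is a line-for-line copy of the one this changeset adds to create_gnutls_handle in src/gnutls_hooks.c; a small helper shared by both files and declared in include/mod_gnutls.h.in would keep the two from drifting and leave each caller with only its own `ctxt->enabled = ...` assignment. Also, ssl_engine_disable still dereferences `sc->enabled` with no NULL check while the new mgs_hook_pre_connection guards its lookup with `sc &&`; if a NULL server config is possible there it is possible here, and `if (sc == NULL || sc->enabled == GNUTLS_ENABLED_FALSE) { return 1; }` makes the two consistent. Marking the handle disabled and removing the filters does not release a session that may already exist on `ctxt`; that is presumably left to pool cleanup, but a comment saying so would help the next reader.

```c
/* Return the connection's mgs_handle_t, allocating and registering it
 * in conn_config on first use. */
mgs_handle_t *mgs_get_or_create_handle(conn_rec *c)
{
    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
    if (ctxt == NULL)
    {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    }
    return ctxt;
}

int ssl_engine_disable(conn_rec *c)
{
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    if (sc == NULL || sc->enabled == GNUTLS_ENABLED_FALSE) {
        return 1;
    }

    /* disable TLS for this connection; any session already on the handle
     * is not released here */
    mgs_handle_t *ctxt = mgs_get_or_create_handle(c);
    ctxt->enabled = GNUTLS_ENABLED_FALSE;

    /* ... unchanged: filter removal, mgs_cleanup_pre_config, return 1 ... */
}
```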