Changeset e8acf05 in mod_gnutls

Timestamp:

Jan 20, 2015, 10:45:39 AM (8 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, proxy-ticket, upstream

Children:

c782c1f

Parents:

e4b58b6

git-author:

Thomas Klute <thomas2.klute@…> (01/20/15 10:30:36)

git-committer:

Thomas Klute <thomas2.klute@…> (01/20/15 10:45:39)

Message:

Enable/disable TLS per connection in ssl_engine_disable

Previously, ssl_engine_disable set the server wide variable sc->enabled
to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any
connection, including incoming client connections. The general HTTP
handler cannot process raw TLS traffic, so all further requests using
TLS failed.

This commit adds a new element "enabled" to struct mgs_handle_t, which
is used to disable TLS per connection, making it possible to disable TLS
for proxy back end connections while continuing to serve TLS clients.

Files:

• include/mod_gnutls.h.in (modified) (1 diff)
• src/gnutls_hooks.c (modified) (5 diffs)
• src/mod_gnutls.c (modified) (3 diffs)

include/mod_gnutls.h.in

@@ -171 +171 @@
         /* Connection record */
     conn_rec* c;
+        /* Is TLS enabled for this connection? */
+    int enabled;
         /* GnuTLS Session handle */
     gnutls_session_t session;

src/gnutls_hooks.c

@@ -682 +682 @@
 }
 
-static void create_gnutls_handle(conn_rec * c) {
-    mgs_handle_t *ctxt;
-    /* Get mod_gnutls Configuration Record */
-    mgs_srvconf_rec *sc =(mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config,&gnutls_module);
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+static void create_gnutls_handle(conn_rec * c)
+{
+    /* Get mod_gnutls server configuration */
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    /* Get connection specific configuration */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
     ctxt->c = c;
     ctxt->sc = sc;
@@ -700 +709 @@
     ctxt->output_blen = 0;
     ctxt->output_length = 0;
+
     /* Initialize GnuTLS Library */
     int err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
@@ -721 +731 @@
     mgs_cache_session_init(ctxt);
 
-    /* Set this config for this connection */
-    ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
     /* Set pull, push & ptr functions */
     gnutls_transport_set_pull_function(ctxt->session,
@@ -736 +744 @@
 }
 
-int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused))) {
-    mgs_srvconf_rec *sc;
-
-    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-
-    sc = (mgs_srvconf_rec *) ap_get_module_config(c->base_server->module_config,
-            &gnutls_module);
-
-    if (sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE)) {
+int mgs_hook_pre_connection(conn_rec * c, void *csd __attribute__((unused)))
+{
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
+                      __func__);
         return DECLINED;
     }
@@ -766 +779 @@
     apr_table_t *env = r->subprocess_env;
 
-    ctxt =
-            ap_get_module_config(r->connection->conn_config,
-            &gnutls_module);
-
-    if (!ctxt || ctxt->session == NULL) {
+    ctxt = ap_get_module_config(r->connection->conn_config,
+                                &gnutls_module);
+
+    if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
+    {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "request declined in %s", __func__);
         return DECLINED;
     }

src/mod_gnutls.c

@@ -20 +20 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
-
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(gnutls);
+#endif
+
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
+{
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
@@ -75 +79 @@
 }
 
-int ssl_engine_disable(conn_rec *c) {
+int ssl_engine_disable(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 1;
     }
+
+    /* disable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     if (c->input_filters)
         ap_remove_input_filter(c->input_filters);
@@ -86 +102 @@
         ap_remove_output_filter(c->output_filters);
     mgs_cleanup_pre_config(c->pool);
-    sc->enabled = GNUTLS_ENABLED_FALSE;
     return 1;
 }