Changeset f030883 in mod_gnutls for src


Timestamp:
Apr 9, 2015, 1:02:39 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
73f6f12
Parents:
8b472af
Message:

Set GnuTLS priorities for proxy connections separately

Until now, proxy connections were configured with the same priorities as
the server side. This commit introduces the new configuration option
"GnuTLSProxyPriorities" to set the priorities for proxy connections
separately. Note that GnuTLSProxyPriorities MUST be set when
SSLProxyEngine is enabled.

Since the parameters to GnuTLSPriorities and GnuTLSProxyPriorities need
the same processing, mgs_set_priorities has been rewritten to select the
priority cache to write to based on the option name, rather than adding
a new function to handle GnuTLSProxyPriorities.

Location:
src
Files:
3 edited

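--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -578,20 +578,44 @@
 }
 
-const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {
-
-        int ret;
+
+
+/*
+ * Initialize a GnuTLS priorities cache from a configuration
+ * string. Used for GnuTLSPriorities and GnuTLSProxyPriorities.
+ */
+const char *mgs_set_priorities(cmd_parms * parms,
+                               void *dummy __attribute__((unused)),
+                               const char *arg)
+{
+    int ret;
     const char *err;
 
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-                                                  ap_get_module_config(parms->server->module_config, &gnutls_module);
-
-    ret = gnutls_priority_init(&sc->priorities, arg, &err);
-
-    if (ret < 0) {
-        if (ret == GNUTLS_E_INVALID_REQUEST) {
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    /* Setting a priority cache works the same no matter for which
+     * option. Just point the pointer at the right one. */
+    gnutls_priority_t *prio = NULL;
+    if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities"))
+        prio = &sc->priorities;
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities"))
+        prio = &sc->proxy_priorities;
+    else
+        /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
+        return apr_psprintf(parms->pool,
+                            "mod_gnutls: %s called for invalid option '%s'",
+                            __func__, parms->directive->directive);
+
+    ret = gnutls_priority_init(prio, arg, &err);
+    if (ret < 0)
+    {
+        if (ret == GNUTLS_E_INVALID_REQUEST)
             return apr_psprintf(parms->pool,
-                                                                "GnuTLS: Syntax error parsing priorities string at: %s", err);
-                }
-        return "Error setting priorities";
+                                "mod_gnutls: Syntax error parsing priorities "
+                                "string for %s at: %s",
+                                parms->directive->directive, err);
+        return  apr_psprintf(parms->pool,
+                             "Error setting priorities: %s (%d)",
+                             gnutls_strerror(ret), ret);
     }
 
@@ -636,4 +660,5 @@
     sc->proxy_x509_ca_file = NULL;
     sc->proxy_x509_crl_file = NULL;
+    sc->proxy_priorities = NULL;
     ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
     if (ret < 0)
@@ -716,4 +741,5 @@
     gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
     gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
+    gnutls_srvconf_merge(proxy_priorities, NULL);
 
     /* FIXME: the following items are pre-allocated, and should be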
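Review bot: `gnutls_priority_init(prio, arg, &err)` in the first hunk overwrites whatever `*prio` already holds, so a vhost that repeats GnuTLSPriorities or GnuTLSProxyPriorities leaks the earlier cache; releasing it first, `if (*prio != NULL) gnutls_priority_deinit(*prio);`, keeps last-one-wins semantics without the leak. On the failure path gnutls_priority_init is expected to leave `*prio` unset (worth confirming for the GnuTLS versions this module supports), and the returned message makes Apache reject the configuration, so that branch looks fine. The later hunks initialise and merge `proxy_priorities`, but a matching release in the server-config cleanup, if `priorities` has one, is outside this changeset and should be checked. The body of mgs_set_priorities continues past the end of the first hunk.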
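--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -463,4 +463,14 @@
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE)
         {
+            /* Check if the proxy priorities have been set */
+            if (sc->proxy_priorities == NULL)
+            {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "Host '%s:%d' is missing the "
+                             "GnuTLSProxyPriorities directive!",
+                             s->server_hostname, s->port);
+                exit(-1);
+            }
+            /* Set up proxy credentials */
             load_proxy_x509_credentials(s);
         }
@@ -826,8 +836,9 @@
                                ctxt->sc->proxy_x509_creds);
         /* Load priorities from the server configuration */
-        err = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
+        err = gnutls_priority_set(ctxt->session, ctxt->sc->proxy_priorities);
         if (err != GNUTLS_E_SUCCESS)
             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
-                          "%s: setting priorities for proxy connection failed: %s (%d)",
+                          "%s: setting priorities for proxy connection "
+                          "failed: %s (%d)",
                           __func__, gnutls_strerror(err), err);
     }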
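Review bot: The startup check in the first hunk terminates the process with `exit(-1)` right after logging; `-1` is not a portable exit status (it surfaces as 255), and an Apache post_config hook can normally fail the start by returning a non-OK status such as `return HTTP_INTERNAL_SERVER_ERROR;` so httpd shuts down through its usual path. Whether that applies depends on the enclosing function's return type, which is outside the hunk; if exit() is the established pattern in this hook, `exit(EXIT_FAILURE)` is the portable form. Failing closed here is the right decision, since the second hunk now hands `ctxt->sc->proxy_priorities` to gnutls_priority_set and a NULL cache would otherwise only be noticed per connection. The enclosing function starts and ends outside the hunk.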
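--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -240,4 +240,9 @@
     RSRC_CONF,
     "X509 CRL file for proxy connections"),
+    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
+    NULL,
+    RSRC_CONF,
+    "The priorities to enable for proxy connections (ciphers, key exchange, "
+    "MACs, compression)."),
     { NULL },
 };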
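Review bot: The help string for the new GnuTLSProxyPriorities entry does not say that the directive is mandatory once SSLProxyEngine is enabled, which is what the startup check added in gnutls_hooks.c enforces and what the commit message states. Extending the second string fragment to `"MACs, compression). Required when SSLProxyEngine is On."` tells an administrator reading `httpd -L` why the server refuses to start without it. The command table begins outside the hunk.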