Changeset f4ac9ccd in mod_gnutls

Timestamp:

Apr 16, 2018, 8:43:01 PM (5 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, upstream

Children:

8982265

Parents:

f5342b1 (diff), e00a037 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

New upstream version 0.8.4

Files:

• CHANGELOG (modified) (1 diff)
• README (modified) (2 diffs)
• configure.ac (modified) (2 diffs)
• include/mod_gnutls.h.in (modified) (4 diffs)
• src/gnutls_cache.c (modified) (1 diff)
• src/gnutls_cache.h (modified) (1 diff)
• src/gnutls_config.c (modified) (1 diff)
• src/gnutls_config.h (modified) (1 diff)
• src/gnutls_hooks.c (modified) (13 diffs)
• src/gnutls_io.c (modified) (1 diff)
• src/gnutls_ocsp.c (modified) (6 diffs)
• src/gnutls_ocsp.h (modified) (1 diff)
• src/gnutls_util.c (modified) (2 diffs)
• src/gnutls_util.h (modified) (3 diffs)
• src/mod_gnutls.c (modified) (7 diffs)
• test/Makefile.am (modified) (1 diff)
• test/README (modified) (1 diff)
• test/cert_helper.c (modified) (1 diff)
• test/cert_helper.h (modified) (1 diff)
• test/data/ocsp.cgi (modified) (1 diff)
• test/gen_ocsp_index.c (modified) (1 diff)
• test/gnutls_openpgp_support.c (modified) (1 diff)
• test/runtests (modified) (1 diff)
• test/test-26_redirect_HTTP_to_HTTPS.bash (modified) (2 diffs)
• test/test-28_HTTP2_support.bash (added)
• test/test_ca.mk (modified) (1 diff)
• test/tests/28_HTTP2_support/apache.conf (added)
• test/tests/Makefile.am (modified) (1 diff)

CHANGELOG

@@ +1 @@
+** Version 0.8.4 (2018-04-13)
+- Support Apache HTTPD 2.4.33 API for proxy TLS connections
+- Support TLS for HTTP/2 connections with mod_http2
+- Fix configuration of OCSP stapling callback
+
 ** Version 0.8.3 (2017-10-20)
 - Use GnuTLS' default DH parameters by default

README

@@ -10 +10 @@
 Lead Maintainer:
 
-  Thomas Klute <thomas2.klute@uni-dortmund.de>
+  Fiona Klute <fiona.klute@gmx.de>
 
 Past maintainers and other contributors:
@@ -23 +23 @@
 
  * GnuTLS          >= 3.3 <https://www.gnutls.org/> (3.4 or newer recommended)
- * Apache HTTPD    >= 2.4 <https://httpd.apache.org/>
+ * Apache HTTPD    >= 2.4.17 <https://httpd.apache.org/>
  * autotools, GNU make, & GCC
  * libmsv          >= 0.1 (Optional, enable with ./configure --enable-msva)

configure.ac

@@ -1 @@
-AC_INIT(mod_gnutls, 0.8.3)
+AC_INIT(mod_gnutls, 0.8.4)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -25 +25 @@
 AC_CONFIG_MACRO_DIR([m4])
 
-AP_VERSION=2.4.0
+AP_VERSION=2.4.17
 CHECK_APACHE(,$AP_VERSION,
     :,:,

include/mod_gnutls.h.in

@@ -2 +2 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -292 +292 @@
 is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+/* The ssl_var_lookup() optional function retrieves SSL environment
+ * variables. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+                        (apr_pool_t *, server_rec *,
+                         conn_rec *, request_rec *,
+                         char *));
 /* The ssl_proxy_enable() and ssl_engine_disable() optional functions
  * are used by mod_proxy to enable use of SSL for outgoing
@@ -297 +303 @@
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+                                              ap_conf_vector_t *,
+                                              int proxy, int enable));
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
 int ssl_is_https(conn_rec *c);
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
+                     request_rec *r, char *var);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
@@ -458 +470 @@
 int mgs_hook_pre_connection(conn_rec * c, void *csd);
 
+int mgs_hook_process_connection(conn_rec* c);
+
 int mgs_hook_fixups(request_rec *r);
 

src/gnutls_cache.c

@@ -3 +3 @@
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2016 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");

src/gnutls_cache.h

@@ -2 +2 @@
  *  Copyright 2004-2005 Paul Querna
  *  Copyright 2014 Nikos Mavrogiannopoulos
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2016 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");

src/gnutls_config.c

@@ -3 +3 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2016 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");

src/gnutls_config.h

@@ -1 +1 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");

src/gnutls_hooks.c

@@ -4 +4 @@
  *  Copyright 2011 Dash Shendy
  *  Copyright 2013-2014 Daniel Kahn Gillmor
- *  Copyright 2015-2017 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -22 +22 @@
 #include "gnutls_cache.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 #include "http_vhost.h"
 #include "ap_mpm.h"
@@ -133 +134 @@
     return OK;
 }
+
+
+
+/**
+ * Get the list of available protocols for this connection and add it
+ * to the GnuTLS session. Must run before the client hello function.
+ */
+static void prepare_alpn_proposals(mgs_handle_t *ctxt)
+{
+    /* Check if any protocol upgrades are available
+     *
+     * The "report_all" parameter to ap_get_protocol_upgrades() is 0
+     * (report only more preferable protocols) because setting it to 1
+     * doesn't actually report ALL protocols, but only all except the
+     * current one. This way we can at least list the current one as
+     * available by appending it without potentially negotiating a
+     * less preferred protocol. */
+    const apr_array_header_t *pupgrades = NULL;
+    apr_status_t ret =
+        ap_get_protocol_upgrades(ctxt->c, NULL, ctxt->c->base_server,
+                                 /*report_all*/ 0, &pupgrades);
+    if (ret != APR_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
+                      "%s: ap_get_protocol_upgrades() failed, "
+                      "cannot configure ALPN!", __func__);
+        return;
+    }
+
+    if (pupgrades == NULL || pupgrades->nelts == 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: No protocol upgrades available.", __func__);
+        return;
+    }
+
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
+                  "%s: Found %d protocol upgrade(s) for ALPN: %s",
+                  __func__, pupgrades->nelts,
+                  apr_array_pstrcat(ctxt->c->pool, pupgrades, ','));
+    gnutls_datum_t *alpn_protos =
+        apr_palloc(ctxt->c->pool,
+                   (pupgrades->nelts + 1) * sizeof(gnutls_datum_t));
+    for (int i = 0; i < pupgrades->nelts; i++)
+    {
+        alpn_protos[i].data = (void *) APR_ARRAY_IDX(pupgrades, i, char *);
+        alpn_protos[i].size =
+            strnlen(APR_ARRAY_IDX(pupgrades, i, char *),
+                    pupgrades->elt_size);
+    }
+
+    /* Add the current (default) protocol at the end of the list */
+    alpn_protos[pupgrades->nelts].data =
+        (void*) apr_pstrdup(ctxt->c->pool, ap_get_protocol(ctxt->c));
+    alpn_protos[pupgrades->nelts].size =
+        strlen((char*) alpn_protos[pupgrades->nelts].data);
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                  "%s: Adding current protocol %s to ALPN set.",
+                  __func__, alpn_protos[pupgrades->nelts].data);
+
+    gnutls_alpn_set_protocols(ctxt->session,
+                              alpn_protos,
+                              pupgrades->nelts,
+                              GNUTLS_ALPN_SERVER_PRECEDENCE);
+}
+
+
+
+/**
+ * Check if ALPN selected any protocol upgrade, try to switch if so.
+ */
+static int process_alpn_result(mgs_handle_t *ctxt)
+{
+    int ret = 0;
+    gnutls_datum_t alpn_proto;
+    ret = gnutls_alpn_get_selected_protocol(ctxt->session, &alpn_proto);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: No ALPN result: %s (%d)",
+                      __func__, gnutls_strerror(ret), ret);
+        return GNUTLS_E_SUCCESS;
+    }
+
+    apr_array_header_t *client_protos =
+        apr_array_make(ctxt->c->pool, 1, sizeof(char *));
+    /* apr_pstrndup to ensure that the protocol is null terminated */
+    APR_ARRAY_PUSH(client_protos, char *) =
+        apr_pstrndup(ctxt->c->pool, (char*) alpn_proto.data, alpn_proto.size);
+    const char *selected =
+        ap_select_protocol(ctxt->c, NULL, ctxt->c->base_server,
+                           client_protos);
+
+    /* ap_select_protocol() will return NULL if none of the ALPN
+     * proposals matched. GnuTLS negotiated alpn_proto based on the
+     * list provided by the server, but the vhost might have changed
+     * based on SNI. Apache seems to adjust the proposal list to avoid
+     * such issues though.
+     *
+     * GnuTLS will return a fatal "no_application_protocol" alert as
+     * required by RFC 7301 if the post client hello function returns
+     * GNUTLS_E_NO_APPLICATION_PROTOCOL. */
+    if (!selected)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "%s: ap_select_protocol() returned NULL! Please "
+                      "make sure any overlapping vhosts have the same "
+                      "protocols available.",
+                      __func__);
+        return GNUTLS_E_NO_APPLICATION_PROTOCOL;
+    }
+
+    if (strcmp(selected, ap_get_protocol(ctxt->c)) == 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Already using protocol '%s', nothing to do.",
+                      __func__, selected);
+        return GNUTLS_E_SUCCESS;
+    }
+
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: Switching protocol to '%s' based on ALPN.",
+                  __func__, selected);
+    apr_status_t status = ap_switch_protocol(ctxt->c, NULL,
+                                             ctxt->c->base_server,
+                                             selected);
+    if (status != APR_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, status, ctxt->c,
+                      "%s: Protocol switch to '%s' failed!",
+                      __func__, selected);
+        return GNUTLS_E_NO_APPLICATION_PROTOCOL;
+    }
+    /* ALPN done! */
+    return GNUTLS_E_SUCCESS;
+}
+
+
 
 /**
@@ -165 +304 @@
     gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
 
-    if (ctxt->sc->ocsp_staple)
-    {
-        gnutls_certificate_set_ocsp_status_request_function(ctxt->sc->certs,
-                                                            mgs_get_ocsp_response,
-                                                            ctxt);
-    }
-
 #ifdef ENABLE_SRP
         /* Set SRP credentials */
@@ -179 +311 @@
 #endif
 
-    /* update the priorities - to avoid negotiating a ciphersuite that is not
+    ret = process_alpn_result(ctxt);
+    if (ret != GNUTLS_E_SUCCESS)
+        return ret;
+
+    /* Update the priorities - to avoid negotiating a ciphersuite that is not
      * enabled on this virtual server. Note that here we ignore the version
-     * negotiation.
-     */
+     * negotiation. */
     ret = gnutls_priority_set(session, ctxt->sc->priorities);
 
@@ -964 +1099 @@
 static void create_gnutls_handle(conn_rec * c)
 {
-    /* Get mod_gnutls server configuration */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
-
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
     /* Get connection specific configuration */
-    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
-    }
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
     ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->c = c;
-    ctxt->sc = sc;
     ctxt->status = 0;
     ctxt->input_rc = APR_SUCCESS;
@@ -1058 +1181 @@
     }
 
+    prepare_alpn_proposals(ctxt);
+
     /* Initialize Session Cache */
     mgs_cache_session_init(ctxt);
@@ -1078 +1203 @@
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
+    if (c->master)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+                      "%s declined secondary connection", __func__);
+        return DECLINED;
+    }
+
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
@@ -1083 +1215 @@
         ap_get_module_config(c->conn_config, &gnutls_module);
 
-    if ((sc && (!sc->enabled)) || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
+    if ((sc && (!sc->enabled))
+        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",
@@ -1093 +1226 @@
     return OK;
 }
+
+
+
+/**
+ * process_connection hook: Do a zero byte read to trigger the
+ * handshake. Doesn't change anything for traditional protocols that
+ * just do reads, but HTTP/2 needs the TLS handshake and ALPN to
+ * happen before its process_connection hook runs.
+ */
+int mgs_hook_process_connection(conn_rec* c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if ((ctxt != NULL) && (ctxt->enabled == GNUTLS_ENABLED_TRUE))
+    {
+        /* This connection is supposed to use TLS. Give the filters a
+         * kick with a zero byte read to trigger the handshake. */
+        apr_bucket_brigade* temp =
+            apr_brigade_create(c->pool, c->bucket_alloc);
+        ap_get_brigade(c->input_filters, temp,
+                       AP_MODE_INIT, APR_BLOCK_READ, 0);
+        apr_brigade_destroy(temp);
+    }
+    return DECLINED;
+}
+
+
 
 int mgs_hook_fixups(request_rec * r) {
@@ -1107 +1268 @@
     apr_table_t *env = r->subprocess_env;
 
-    ctxt = ap_get_module_config(r->connection->conn_config,
-                                &gnutls_module);
+    ctxt = get_effective_gnutls_ctxt(r->connection);
 
     if (!ctxt || ctxt->enabled != GNUTLS_ENABLED_TRUE || ctxt->session == NULL)
@@ -1188 +1348 @@
 
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
-    ctxt =
-            ap_get_module_config(r->connection->conn_config,
-            &gnutls_module);
+    ctxt = get_effective_gnutls_ctxt(r->connection);
 
     if (!ctxt || ctxt->session == NULL) {
@@ -1920 +2078 @@
     if (sc->enabled != GNUTLS_ENABLED_FALSE)
     {
-        mgs_handle_t* ctxt =
-            ap_get_module_config(r->connection->conn_config, &gnutls_module);
+        mgs_handle_t* ctxt = get_effective_gnutls_ctxt(r->connection);
         if (ctxt && ctxt->session != NULL)
         {

src/gnutls_io.c

@@ -3 +3 @@
  *  Copyright 2008 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2017 Thomas Klute
+ *  Copyright 2015-2017 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");

src/gnutls_ocsp.c

@@ -1 +1 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -737 +737 @@
 
 
-int mgs_get_ocsp_response(gnutls_session_t session __attribute__((unused)),
-                          void *ptr,
+int mgs_get_ocsp_response(gnutls_session_t session,
+                          void *ptr __attribute__((unused)),
                           gnutls_datum_t *ocsp_response)
 {
-    mgs_handle_t *ctxt = (mgs_handle_t *) ptr;
-    if (!ctxt->sc->ocsp_staple || ctxt->sc->cache == NULL)
+    mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
+    mgs_srvconf_rec *sc = ctxt->sc;
+
+    if (!sc->ocsp_staple || sc->cache == NULL)
     {
         /* OCSP must be enabled and caching requires a cache. */
@@ -748 +750 @@
     }
 
-    *ocsp_response = ctxt->sc->cache->fetch(ctxt,
-                                            ctxt->sc->ocsp->fingerprint);
+    *ocsp_response = sc->cache->fetch(ctxt,
+                                      sc->ocsp->fingerprint);
     if (ocsp_response->size == 0)
     {
@@ -775 +777 @@
                   "No valid OCSP response in cache, trying to update.");
 
-    apr_status_t rv = apr_global_mutex_trylock(ctxt->sc->ocsp_mutex);
+    apr_status_t rv = apr_global_mutex_trylock(sc->ocsp_mutex);
     if (APR_STATUS_IS_EBUSY(rv))
     {
         /* Another thread is currently holding the mutex, wait. */
-        apr_global_mutex_lock(ctxt->sc->ocsp_mutex);
+        apr_global_mutex_lock(sc->ocsp_mutex);
         /* Check if this other thread updated the response we need. It
          * would be better to have a vhost specific mutex, but at the
          * moment there's no good way to integrate that with the
          * Apache Mutex directive. */
-        *ocsp_response = ctxt->sc->cache->fetch(ctxt,
-                                                ctxt->sc->ocsp->fingerprint);
+        *ocsp_response = sc->cache->fetch(ctxt,
+                                          sc->ocsp->fingerprint);
         if (ocsp_response->size > 0)
         {
             /* Got a valid response now, unlock mutex and return. */
-            apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
+            apr_global_mutex_unlock(sc->ocsp_mutex);
             return GNUTLS_E_SUCCESS;
         }
@@ -806 +808 @@
         /* cache failure to rate limit retries */
         mgs_cache_ocsp_failure(ctxt->c->base_server);
-        apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
+        apr_global_mutex_unlock(sc->ocsp_mutex);
         goto fail_cleanup;
     }
-    apr_global_mutex_unlock(ctxt->sc->ocsp_mutex);
+    apr_global_mutex_unlock(sc->ocsp_mutex);
 
     /* retry reading from cache */
-    *ocsp_response = ctxt->sc->cache->fetch(ctxt,
-                                            ctxt->sc->ocsp->fingerprint);
+    *ocsp_response = sc->cache->fetch(ctxt,
+                                      sc->ocsp->fingerprint);
     if (ocsp_response->size == 0)
     {
@@ -976 +978 @@
                               apr_pool_cleanup_null);
 
+    /* enable status request callback */
+    gnutls_certificate_set_ocsp_status_request_function(sc->certs,
+                                                        mgs_get_ocsp_response,
+                                                        sc);
+
     return OK;
 }

src/gnutls_ocsp.h

@@ -1 +1 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");

src/gnutls_util.c

@@ -1 +1 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -126 +126 @@
     return rv;
 }
+
+
+
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+
+        /* Get mod_gnutls server configuration */
+        mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config,
+                                 &gnutls_module);
+
+        /* Set up connection and server references */
+        ctxt->c = c;
+        ctxt->sc = sc;
+        /* Default, unconditionally changed in proxy setup functions */
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+    }
+    return ctxt;
+}

src/gnutls_util.h

@@ -1 +1 @@
 /*
- *  Copyright 2016 Thomas Klute
+ *  Copyright 2016-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -21 +21 @@
 #include <apr_uri.h>
 #include <gnutls/gnutls.h>
+#include "mod_gnutls.h"
 
 #ifndef __MOD_GNUTLS_UTIL_H__
@@ -67 +68 @@
     __attribute__((nonnull));
 
+/**
+ * Allocate the connection configuration structure if necessary, set
+ * some defaults.
+ */
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c);
+
 #endif /* __MOD_GNUTLS_UTIL_H__ */

src/mod_gnutls.c

@@ -3 +3 @@
  *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
  *  Copyright 2011 Dash Shendy
- *  Copyright 2015-2016 Thomas Klute
+ *  Copyright 2015-2018 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -20 +20 @@
 #include "mod_gnutls.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 
 #ifdef APLOG_USE_MODULE
@@ -25 +26 @@
 #endif
 
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable);
+
+static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
+static const char * const mod_http2[] = { "mod_http2.c", NULL };
+
 static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
 {
     /* Try Run Post-Config Hook After mod_proxy */
-    static const char * const aszPre[] = { "mod_proxy.c", NULL };
-    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,
-                        APR_HOOK_REALLY_LAST);
+    ap_hook_post_config(mgs_hook_post_config, mod_proxy, mod_http2,
+                        APR_HOOK_MIDDLE);
     /* HTTP Scheme Hook */
     ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
@@ -36 +43 @@
     ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
     /* Pre-Connect Hook */
-    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
+    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
                            APR_HOOK_MIDDLE);
+    ap_hook_process_connection(mgs_hook_process_connection,
+                               NULL, mod_http2, APR_HOOK_MIDDLE);
     /* Pre-Config Hook */
     ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
@@ -65 +74 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
 
     /* mod_rewrite calls this function to detect HTTPS */
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+    /* some modules look up TLS-related variables */
+    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+}
+
+
+
+/**
+ * Get the connection context, resolving to a master connection if
+ * any.
+ *
+ * @param c the connection handle
+ *
+ * @return mod_gnutls session context, might be `NULL`
+ */
+mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
+    {
+        ctxt = (mgs_handle_t *)
+            ap_get_module_config(c->master->conn_config, &gnutls_module);
+    }
+    return ctxt;
 }
 
@@ -80 +114 @@
 int ssl_is_https(conn_rec *c)
 {
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
 
     if(sc->enabled == GNUTLS_ENABLED_FALSE
@@ -98 +131 @@
 
 
-int ssl_engine_disable(conn_rec *c)
-{
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
-        return 1;
-    }
-
-    /* disable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
+/**
+ * Return variables describing the current TLS session (if any).
+ *
+ * mod_ssl doc for this function: "This function must remain safe to
+ * use for a non-SSL connection." mod_http2 uses it to check if an
+ * acceptable TLS session is used.
+ */
+char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
+                     conn_rec *c, request_rec *r, char *var)
+{
+    /*
+     * When no pool is given try to find one
+     */
+    if (p == NULL) {
+        if (r != NULL)
+            p = r->pool;
+        else if (c != NULL)
+            p = c->pool;
+        else
+            return NULL;
+    }
+
+    if (strcmp(var, "HTTPS") == 0)
     {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-    }
-    ctxt->enabled = GNUTLS_ENABLED_FALSE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
-
-    if (c->input_filters)
-        ap_remove_input_filter(c->input_filters);
-    if (c->output_filters)
-        ap_remove_output_filter(c->output_filters);
-
-    return 1;
-}
-
-int ssl_proxy_enable(conn_rec *c)
-{
-    /* check if TLS proxy support is enabled */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+        if (c != NULL && ssl_is_https(c))
+            return "on";
+        else
+            return "off";
+    }
+
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
+
+    /* TLS parameters are empty if there is no session */
+    if (ctxt == NULL || ctxt->c == NULL)
+        return NULL;
+
+    if (strcmp(var, "SSL_PROTOCOL") == 0)
+        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
+
+    if (strcmp(var, "SSL_CIPHER") == 0)
+        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
+                                                           gnutls_cipher_get(ctxt->session),
+                                                           gnutls_mac_get(ctxt->session)));
+
+    /* mod_ssl supports a LOT more variables */
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
+                  "unsupported variable requested: '%s'",
+                  var);
+
+    return NULL;
+}
+
+
+
+/**
+ * In Apache versions from 2.4.33 mod_proxy uses this function to set
+ * up its client connections. Note that mod_gnutls does not (yet)
+ * implement per directory configuration for such connections.
+ *
+ * @param c the connection
+ * @param dir_conf per directory configuration, unused for now
+ * @param proxy Is this a proxy connection?
+ * @param enable Should TLS be enabled on this connection?
+ *
+ * @param `true` (1) if successful, `false` (0) otherwise
+ */
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable)
+{
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
+
+    /* If TLS proxy has been requested, check if support is enabled
+     * for the server */
+    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                       "%s: mod_proxy requested TLS proxy, but not enabled "
-                      "for %s", __func__, sc->cert_cn);
+                      "for %s", __func__, ctxt->sc->cert_cn);
         return 0;
     }
 
-    /* enable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-    }
-    ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    if (proxy)
+        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+
+    if (enable)
+        ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     return 1;
+}
+
+int ssl_engine_disable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 0, 0);
+}
+
+int ssl_proxy_enable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 1, 1);
 }
 

test/Makefile.am

@@ -30 +30 @@
         test-25_Disable_TLS_1.0.bash \
         test-26_redirect_HTTP_to_HTTPS.bash \
-        test-27_OCSP_server.bash
+        test-27_OCSP_server.bash \
+        test-28_HTTP2_support.bash
 
 TEST_EXTENSIONS = .bash

test/README

@@ -3 +3 @@
 
 Authors: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-         Thomas Klute <thomas2.klute@uni-dortmund.de>
+         Fiona Klute <fiona.klute@gmx.de>
 
 There are a lot of ways that a TLS-capable web server can go wrong.  I

test/cert_helper.c

@@ -2 +2 @@
  * Helper functions for certificate handling in the mod_gnutls test suite
  *
- * Copyright 2016 Thomas Klute
+ * Copyright 2016 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you

test/cert_helper.h

@@ -2 +2 @@
  * Helper functions for certificate handling in the mod_gnutls test suite
  *
- * Copyright 2016 Thomas Klute
+ * Copyright 2016 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you

test/data/ocsp.cgi

@@ -2 +2 @@
 # CGI wrapper to use "openssl ocsp" as a simple OCSP responder
 #
-# Copyright 2016 Thomas Klute
+# Copyright 2016 Fiona Klute
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you

test/gen_ocsp_index.c

@@ -5 +5 @@
  * moment, all certificates are marked as valid.
  *
- * Copyright 2016 Thomas Klute
+ * Copyright 2016 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you

test/gnutls_openpgp_support.c

@@ -2 +2 @@
  * Check if GnuTLS was compiled with OpenPGP support
  *
- * Copyright 2017 Thomas Klute
+ * Copyright 2017 Fiona Klute
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you

test/runtests

@@ -3 +3 @@
 # Authors:
 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Thomas Klute <thomas2.klute@uni-dortmund.de>
+# Fiona Klute <fiona.klute@gmx.de>
 
 set -e

test/test-26_redirect_HTTP_to_HTTPS.bash

@@ -16 +16 @@
 export TEST_HTTP_PORT
 
-# "Proxy backend" functions are used to start the only instance needed
-# here without "runtests". We have to override BACKEND_PORT to make it
-# match what a runtests-based test would use.
-export BACKEND_PORT="${TEST_PORT}"
-function stop_backend
+function stop_server
 {
     apache_service "${testdir}" "apache.conf" stop
 }
 apache_service "${testdir}" "apache.conf" start "${TEST_LOCK}"
-trap stop_backend EXIT
+trap stop_server EXIT
 
 output="outputs/${TEST_NAME}.output"
@@ -46 +42 @@
 grep "Current TLS session: (TLS" "${output}"
 
-apache_service "${testdir}" "apache.conf" stop
+stop_server
 trap - EXIT

test/test_ca.mk

@@ -2 +2 @@
 # Authors:
 # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-# Thomas Klute <thomas2.klute@uni-dortmund.de>
+# Fiona Klute <fiona.klute@gmx.de>
 
 # General rules to set up a miniature CA & server & client environment

test/tests/Makefile.am

@@ -27 +27 @@
         25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
         26_redirect_HTTP_to_HTTPS/apache.conf \
-        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output
+        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output \
+        28_HTTP2_support/apache.conf