tag 894874 + patch thanks Thanks to Thomas Klute, a patch to fix the problem is now available[1]. I am also attaching a slightly modified patch that I used for testing. It applies cleanly to the latest mod-gnutls version in Debian, 0.8.2-3.
Please consider making a release with this patch (probably adding a versioned dependency on apache2 >= 2.4.33-1, since the patch relies on the ssl_engine_set interface that mod_proxy uses from that version on). Otherwise there is a risk that a newer apache2 migrates into testing before mod-gnutls is fixed and breaks all FreedomBox machines. Links: 1) https://lists.gnupg.org/pipermail/mod_gnutls-devel/2018-April/000206.html Thank you, -- Sunil
--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -293,6 +293,9 @@
 * connections. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+ ap_conf_vector_t *,
+ int proxy, int enable));
 int ssl_is_https(conn_rec *c);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -21,6 +21,7 @@
 #include "mod_gnutls.h"
 #include "gnutls_cache.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 #include "http_vhost.h"
 #include "ap_mpm.h"
 #include "mod_status.h"
@@ -788,23 +789,11 @@
 static void create_gnutls_handle(conn_rec * c)
 {
- /* Get mod_gnutls server configuration */
- mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
- ap_get_module_config(c->base_server->module_config, &gnutls_module);
-
 _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 /* Get connection specific configuration */
- mgs_handle_t *ctxt = (mgs_handle_t *)
- ap_get_module_config(c->conn_config, &gnutls_module);
- if (ctxt == NULL)
- {
- ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
- ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
- ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
- }
+ mgs_handle_t *ctxt = init_gnutls_ctxt(c);
 ctxt->enabled = GNUTLS_ENABLED_TRUE;
- ctxt->c = c;
- ctxt->sc = sc;
 ctxt->status = 0;
 ctxt->input_rc = APR_SUCCESS;
 ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
--- a/src/gnutls_util.c
+++ b/src/gnutls_util.c
@@ -125,3 +125,28 @@
 return rv;
 }
+
+
+
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c)
+{
+ mgs_handle_t *ctxt = (mgs_handle_t *)
+ ap_get_module_config(c->conn_config, &gnutls_module);
+ if (ctxt == NULL)
+ {
+ ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+ ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+
+ /* Get mod_gnutls server configuration */
+ mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+ ap_get_module_config(c->base_server->module_config,
+ &gnutls_module);
+
+ /* Set up connection and server references */
+ ctxt->c = c;
+ ctxt->sc = sc;
+ /* Default, unconditionally changed in proxy setup functions */
+ ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+ }
+ return ctxt;
+}
--- a/src/gnutls_util.h
+++ b/src/gnutls_util.h
@@ -20,6 +20,7 @@
 #include <apr_pools.h>
 #include <apr_uri.h>
 #include <gnutls/gnutls.h>
+#include "mod_gnutls.h"
 #ifndef __MOD_GNUTLS_UTIL_H__
 #define __MOD_GNUTLS_UTIL_H__
@@ -66,4 +67,10 @@
 gnutls_datum_t *datum) __attribute__((nonnull));
+/**
+ * Allocate the connection configuration structure if necessary, set
+ * some defaults.
+ */
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c);
+
 #endif /* __MOD_GNUTLS_UTIL_H__ */
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -19,11 +19,16 @@
 #include "mod_gnutls.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 #ifdef APLOG_USE_MODULE
 APLOG_USE_MODULE(gnutls);
 #endif
+int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *dir_conf __attribute__((unused)),
+ int proxy, int enable);
+
 static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
 {
 /* Try Run Post-Config Hook After mod_proxy */
@@ -64,6 +69,7 @@
 /* mod_proxy calls these functions */
 APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
 APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
 /* mod_rewrite calls this function to detect HTTPS */
 APR_REGISTER_OPTIONAL_FN(ssl_is_https);
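Review bot: The contract of init_gnutls_ctxt is only partly documented: the body sets ctxt->c, ctxt->sc and ctxt->is_proxy solely on the allocation path, so a context that already exists on c->conn_config is returned as-is, with whatever is_proxy value an earlier caller left in it, and the header comment in gnutls_util.h ("Allocate ... if necessary, set some defaults") does not say that. I would state it at the definition, e.g. `/* Return the mgs_handle_t for c, allocating it from c->pool on first use. A new context gets c, sc (from c->base_server) and is_proxy = GNUTLS_ENABLED_FALSE; an existing context is returned unchanged. */`. The apr_pcalloc result is used unchecked, which matches the code this replaces; whether that is safe depends on the pool's abort handler, which is not visible here.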
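Review bot: The forward declaration of ssl_engine_set in mod_gnutls.c carries `__attribute__((unused))` on dir_conf, which only matters on the definition, and it sits apart from the other mod_proxy/mod_rewrite entry points (ssl_is_https, ssl_proxy_enable, ssl_engine_disable), whose plain prototypes live next to their APR_DECLARE_OPTIONAL_FN lines in include/mod_gnutls.h.in. For consistency I would put `int ssl_engine_set(conn_rec *c, ap_conf_vector_t *dir_conf, int proxy, int enable);` in that header and drop the file-local declaration. The static function gnutls_hooks starts in this hunk and continues outside it.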
@@ -95,59 +101,55 @@
 return 1;
 }
-
-
-int ssl_engine_disable(conn_rec *c)
+/**
+ * In Apache versions from 2.4.33 mod_proxy uses this function to set
+ * up its client connections. Note that mod_gnutls does not (yet)
+ * implement per directory configuration for such connections.
+ *
+ * @param c the connection
+ * @param dir_conf per directory configuration, unused for now
+ * @param proxy Is this a proxy connection?
+ * @param enable Should TLS be enabled on this connection?
+ *
+ * @param `true` (1) if successful, `false` (0) otherwise
+ */
+int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *dir_conf __attribute__((unused)),
+ int proxy, int enable)
 {
- mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
- ap_get_module_config(c->base_server->module_config, &gnutls_module);
- if(sc->enabled == GNUTLS_ENABLED_FALSE) {
- return 1;
- }
+ mgs_handle_t *ctxt = init_gnutls_ctxt(c);
- /* disable TLS for this connection */
- mgs_handle_t *ctxt = (mgs_handle_t *)
- ap_get_module_config(c->conn_config, &gnutls_module);
- if (ctxt == NULL)
+ /* If TLS proxy has been requested, check if support is enabled
+ * for the server */
+ if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
 {
- ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
- ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ "%s: mod_proxy requested TLS proxy, but not enabled "
+ "for %s", __func__, ctxt->sc->cert_cn);
+ return 0;
 }
- ctxt->enabled = GNUTLS_ENABLED_FALSE;
- ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
- if (c->input_filters)
- ap_remove_input_filter(c->input_filters);
- if (c->output_filters)
- ap_remove_output_filter(c->output_filters);
+ if (proxy)
+ ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+ else
+ ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+
+ if (enable)
+ ctxt->enabled = GNUTLS_ENABLED_TRUE;
+ else
+ ctxt->enabled = GNUTLS_ENABLED_FALSE;
 return 1;
 }
-int ssl_proxy_enable(conn_rec *c)
+int ssl_engine_disable(conn_rec *c)
 {
- /* check if TLS proxy support is enabled */
- mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
- ap_get_module_config(c->base_server->module_config, &gnutls_module);
- if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
- {
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
- "%s: mod_proxy requested TLS proxy, but not enabled "
- "for %s", __func__, sc->cert_cn);
- return 0;
- }
+ return ssl_engine_set(c, NULL, 0, 0);
+}
- /* enable TLS for this connection */
- mgs_handle_t *ctxt = (mgs_handle_t *)
- ap_get_module_config(c->conn_config, &gnutls_module);
- if (ctxt == NULL)
- {
- ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
- ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
- }
- ctxt->enabled = GNUTLS_ENABLED_TRUE;
- ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
- return 1;
+int ssl_proxy_enable(conn_rec *c)
+{
+ return ssl_engine_set(c, NULL, 1, 1);
 }
 static const command_rec mgs_config_cmds[] = {
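Review bot: The guard in ssl_engine_set rejects any call with proxy set, regardless of enable, so a request to turn TLS off on a proxy connection fails with an APLOG_ERR and a 0 return on every server that lacks proxy TLS support; if mod_proxy's ap_proxy_ssl_engine() in 2.4.33 disables backend TLS by calling this with proxy=1 and enable=0, as I read it, every plain-HTTP backend connection on such a server would hit that path. Only enabling TLS needs the server-side support, so the check should be `if (proxy && enable && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))`. The old ssl_engine_disable also removed already-inserted input/output filters and returned early when TLS was off for the server; the new wrapper does neither, so if disable can run after the filters are attached, setting ctxt->enabled alone may not stop them (worth checking against the filter code, which is outside this hunk). The last Doxygen line documents the return value with `@param`; it should read ` * @return 1 if successful, 0 otherwise`.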