tag 894874 + patch
thanks

Thanks to Thomas Klute, a patch to fix the problem is now available[1].
I am also attaching a slightly modified patch that I used for testing.
This applies cleanly on the latest version of mod-gnutls in Debian 0.8.2-3.

Please consider making a release with this patch (probably adding
Depends: apache>=2.4.33-1). There is a danger that a newer apache2 will get
into testing and break all FreedomBox machines.

Links:

1) https://lists.gnupg.org/pipermail/mod_gnutls-devel/2018-April/000206.html

Thank you,

-- 
Sunil
--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -293,6 +293,9 @@
  * connections. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+                                              ap_conf_vector_t *,
+                                              int proxy, int enable));
 int ssl_is_https(conn_rec *c);
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
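Review bot: The header gains only the APR optional-function declaration for ssl_engine_set, not the plain prototype that ssl_is_https, ssl_proxy_enable and ssl_engine_disable get on the lines right below it; the patch instead adds a file-local prototype in src/mod_gnutls.c, so the public header and the implementation file now disagree on where the interface is declared. For consistency add `int ssl_engine_set(conn_rec *c, ap_conf_vector_t *dir_conf, int proxy, int enable);` here next to the other three and drop the prototype from mod_gnutls.c. The APR_DECLARE_OPTIONAL_FN argument list also mixes unnamed (`conn_rec *`, `ap_conf_vector_t *`) and named (`int proxy, int enable`) parameters; naming all four reads more clearly.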
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -21,6 +21,7 @@
 #include "mod_gnutls.h"
 #include "gnutls_cache.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 #include "http_vhost.h"
 #include "ap_mpm.h"
 #include "mod_status.h"
@@ -788,23 +789,11 @@
 
 static void create_gnutls_handle(conn_rec * c)
 {
-    /* Get mod_gnutls server configuration */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
-
     _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
     /* Get connection specific configuration */
-    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
-    }
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
     ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->c = c;
-    ctxt->sc = sc;
     ctxt->status = 0;
     ctxt->input_rc = APR_SUCCESS;
     ctxt->input_bb = apr_brigade_create(c->pool, c->bucket_alloc);
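Review bot: `ctxt->c` and `ctxt->sc` are no longer assigned in create_gnutls_handle; after this change they are set only by init_gnutls_ctxt, and there only when the context is first allocated. That holds as long as every allocation of the per-connection context goes through init_gnutls_ctxt — the src/mod_gnutls.c hunk converts ssl_engine_set/ssl_engine_disable/ssl_proxy_enable, but any other ap_set_module_config caller outside this diff would leave `ctxt->sc` NULL for whatever the rest of this function (outside the hunk) reads through it. Worth confirming with a grep, or guarding with `AP_DEBUG_ASSERT(ctxt->sc != NULL);` right after the init_gnutls_ctxt call. create_gnutls_handle continues past the end of the hunk.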
--- a/src/gnutls_util.c
+++ b/src/gnutls_util.c
@@ -125,3 +125,28 @@
 
     return rv;
 }
+
+
+
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c)
+{
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+
+        /* Get mod_gnutls server configuration */
+        mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+            ap_get_module_config(c->base_server->module_config,
+                                 &gnutls_module);
+
+        /* Set up connection and server references */
+        ctxt->c = c;
+        ctxt->sc = sc;
+        /* Default, unconditionally changed in proxy setup functions */
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+    }
+    return ctxt;
+}
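Review bot: init_gnutls_ctxt fetches the server configuration and stores `c`/`sc` only on the allocation path, so a context that already exists is returned untouched regardless of what it holds; that contract is not stated anywhere in the function. A comment above the definition such as `/* Existing contexts are returned unchanged; c, sc and is_proxy are only initialised on first allocation. */` would make it explicit for the callers that used to reassign these fields themselves. The cast of the ap_get_module_config result to `(mgs_handle_t *)` is unnecessary from a `void *` in C and could be dropped, and the three blank lines before the definition are more than the surrounding file uses.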
--- a/src/gnutls_util.h
+++ b/src/gnutls_util.h
@@ -20,6 +20,7 @@
 #include <apr_pools.h>
 #include <apr_uri.h>
 #include <gnutls/gnutls.h>
+#include "mod_gnutls.h"
 
 #ifndef __MOD_GNUTLS_UTIL_H__
 #define __MOD_GNUTLS_UTIL_H__
@@ -66,4 +67,10 @@
                              gnutls_datum_t *datum)
     __attribute__((nonnull));
 
+/**
+ * Allocate the connection configuration structure if necessary, set
+ * some defaults.
+ */
+mgs_handle_t *init_gnutls_ctxt(conn_rec *c);
+
 #endif /* __MOD_GNUTLS_UTIL_H__ */
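Review bot: The new init_gnutls_ctxt prototype lacks the `__attribute__((nonnull))` the preceding declaration carries, although the implementation dereferences `c` unconditionally (c->conn_config, c->pool, c->base_server); declare it as `mgs_handle_t *init_gnutls_ctxt(conn_rec *c) __attribute__((nonnull));` so a NULL caller is caught at compile time rather than as a crash. The doc comment could also state what is returned, e.g. `@return the per-connection mgs_handle_t, allocated from c->pool if none was attached yet`.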
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -19,11 +19,16 @@
 
 #include "mod_gnutls.h"
 #include "gnutls_ocsp.h"
+#include "gnutls_util.h"
 
 #ifdef APLOG_USE_MODULE
 APLOG_USE_MODULE(gnutls);
 #endif
 
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable);
+
 static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
 {
     /* Try Run Post-Config Hook After mod_proxy */
@@ -64,6 +69,7 @@
     /* mod_proxy calls these functions */
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
 
     /* mod_rewrite calls this function to detect HTTPS */
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
@@ -95,59 +101,55 @@
     return 1;
 }
 
-
-
-int ssl_engine_disable(conn_rec *c)
+/**
+ * In Apache versions from 2.4.33 mod_proxy uses this function to set
+ * up its client connections. Note that mod_gnutls does not (yet)
+ * implement per directory configuration for such connections.
+ *
+ * @param c the connection
+ * @param dir_conf per directory configuration, unused for now
+ * @param proxy Is this a proxy connection?
+ * @param enable Should TLS be enabled on this connection?
+ *
+ * @param `true` (1) if successful, `false` (0) otherwise
+ */
+int ssl_engine_set(conn_rec *c,
+                   ap_conf_vector_t *dir_conf __attribute__((unused)),
+                   int proxy, int enable)
 {
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == GNUTLS_ENABLED_FALSE) {
-        return 1;
-    }
+    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
 
-    /* disable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
+    /* If TLS proxy has been requested, check if support is enabled
+     * for the server */
+    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
     {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                      "%s: mod_proxy requested TLS proxy, but not enabled "
+                      "for %s", __func__, ctxt->sc->cert_cn);
+        return 0;
     }
-    ctxt->enabled = GNUTLS_ENABLED_FALSE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
 
-    if (c->input_filters)
-        ap_remove_input_filter(c->input_filters);
-    if (c->output_filters)
-        ap_remove_output_filter(c->output_filters);
+    if (proxy)
+        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
+
+    if (enable)
+        ctxt->enabled = GNUTLS_ENABLED_TRUE;
+    else
+        ctxt->enabled = GNUTLS_ENABLED_FALSE;
 
     return 1;
 }
 
-int ssl_proxy_enable(conn_rec *c)
+int ssl_engine_disable(conn_rec *c)
 {
-    /* check if TLS proxy support is enabled */
-    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-        ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-                      "%s: mod_proxy requested TLS proxy, but not enabled "
-                      "for %s", __func__, sc->cert_cn);
-        return 0;
-    }
+    return ssl_engine_set(c, NULL, 0, 0);
+}
 
-    /* enable TLS for this connection */
-    mgs_handle_t *ctxt = (mgs_handle_t *)
-        ap_get_module_config(c->conn_config, &gnutls_module);
-    if (ctxt == NULL)
-    {
-        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
-        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
-    }
-    ctxt->enabled = GNUTLS_ENABLED_TRUE;
-    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
-    return 1;
+int ssl_proxy_enable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 1, 1);
 }
 
 static const command_rec mgs_config_cmds[] = {
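Review bot: The last Doxygen tag on ssl_engine_set reads `@param \`true\` (1) if successful, \`false\` (0) otherwise` but documents the return value; change it to `@return 1 if successful, 0 otherwise`. Two behaviour differences from the replaced bodies are not mentioned and may well be intended: ssl_engine_disable now maps to `ssl_engine_set(c, NULL, 0, 0)`, which sets `ctxt->is_proxy` to GNUTLS_ENABLED_FALSE where the old body set it to TRUE, and the old removal of c->input_filters/c->output_filters is gone. If the filters are only attached later based on `ctxt->enabled`, a one-line comment above the two wrappers saying so would spare the next reader the same question. The early return when `sc->enabled == GNUTLS_ENABLED_FALSE` is also dropped, so ssl_engine_disable now always allocates a connection context.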

Attachment: signature.asc
Description: OpenPGP digital signature
