[zorp] Stacking programs doesn’t work and how to modify POST parameters?

Balazs Scheidler bazsi at balabit.hu
Sun Jul 20 19:52:42 CEST 2008


On Tue, 2008-07-15 at 02:42 +0200, thomas.wenz at gmx-topmail.de wrote:
> Hi,
> 
> Any idea on the SSL issue? I couldn't find a solution yet so I probably need to go back to 3.1...

The attached patch fixes the SSL problem. There were some API changes in
the Zorp core, which were not followed up in the GPLd pssl proxy. Also
some cleanup was long overdue, which I did at the same time.

So please find a patch attached. It made the Pssl proxy work for me
again.

 pssl.c |  197 ++++++++++++++++++++---------------------------------------------
 1 file changed, 62 insertions(+), 135 deletions(-)


-- 
Bazsi
-------------- next part --------------
* added files

    {arch}/zorp-core/zorp-core--dev-bazsi/zorp-core--dev-bazsi--3.3/devel at balabit.hu--zorp-1/patch-log/patch-9

* modified files

--- orig/modules/pssl/pssl.c
+++ mod/modules/pssl/pssl.c
@@ -43,7 +43,6 @@
   ZProxy super;
   ZPoll *poll;
   ZPlugSessionData session_data;
-  gboolean finished;
 
   GString *client_keyfile, *client_certfile;
   GString *server_keyfile, *server_certfile;
@@ -301,11 +300,11 @@
 {
   PsslProxy *self = (PsslProxy *)user_data;
   
-  self->finished = TRUE;
-}    
-    
+  z_poll_quit(self->poll);
+}
+
 guint
-pssl_init_client_ssl(PsslProxy *self)
+pssl_perform_handshake(PsslProxy  *self, gint side)
 {
   ZSSLSession *ssl;
   X509 *peercert;
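Review bot: The new signature `pssl_perform_handshake(PsslProxy  *self, gint side)` has a doubled space before `*self`, and the function carries no comment saying which values `side` may take or that it replaces `self->super.endpoints[side]` with an SSL-wrapped stream (which its body in the next hunk does). A short header would help, e.g. `/* Wrap endpoints[side] (EP_CLIENT or EP_SERVER) in an SSL stream and run the handshake; returns TRUE on success. */`. The callback at the top of this hunk starts before it, and the body of pssl_perform_handshake continues past it.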
@@ -314,90 +313,39 @@
   
   z_proxy_enter(self);
   ssl = z_ssl_session_new(self->super.session_id, 
-                          Z_SSL_MODE_SERVER,
+                          side == EP_CLIENT ? Z_SSL_MODE_SERVER : Z_SSL_MODE_CLIENT,
                           self->client_keyfile->str,
                           self->client_certfile->str,
                           self->client_ca_dir->str,
                           self->client_crl_dir->str,
                           self->verify_depth[EP_CLIENT],
                           self->verify_type[EP_CLIENT]);
+
   if (!ssl)
     {
-      z_proxy_log(self, PSSL_ERROR, 1, "Error initializing SSL session on the client side;");
+      z_proxy_log(self, PSSL_ERROR, 1, "Error initializing SSL session; side='%s'", EP_STR(side));
       z_proxy_return(self, FALSE);
     }
-
   SSL_set_options(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
-  z_stream_set_timeout(self->super.endpoints[EP_CLIENT], self->handshake_timeout);
-  tmpstream = self->super.endpoints[EP_CLIENT];
-  self->super.endpoints[EP_CLIENT] = z_stream_ssl_new(tmpstream, ssl);
-  z_stream_unref(tmpstream);
-  
-  ret = SSL_accept(ssl->ssl);
-  if (ret <= 0)
-    {
-      char buf[1024];
 
-      z_ssl_session_unref(ssl);      
-      z_proxy_log(self, PSSL_ERROR, 1, "SSL handshake failed on the client side; error='%s'", z_ssl_get_error_str(buf, sizeof(buf)));
-      z_proxy_return(self, FALSE);
-    }
-  
-  peercert = SSL_get_peer_certificate(ssl->ssl);
-  if (peercert)
-    {
-      gchar tmp[1024];
-      
-      X509_NAME_oneline(X509_get_subject_name(peercert), tmp, sizeof(tmp) - 1);
-      X509_free(peercert);
-      z_proxy_log(self, PSSL_DEBUG, 4, "Identified peer on the client side; peer='%s'", tmp);
-    }
+  z_stream_set_timeout(self->super.endpoints[side], self->handshake_timeout);
+  tmpstream = self->super.endpoints[side];
+  self->super.endpoints[side] = z_stream_ssl_new(tmpstream, ssl);
+  z_stream_unref(tmpstream);
 
-  z_ssl_session_unref(ssl);  
-  z_stream_set_timeout(self->super.endpoints[EP_CLIENT], -2);
-  z_proxy_log(self, PSSL_DEBUG, 6, "Client side SSL handshake successful;");
-  z_proxy_return(self, TRUE);
-}
+  if (side == EP_CLIENT)
+    ret = SSL_accept(ssl->ssl);
+  else
+    ret = SSL_connect(ssl->ssl);
 
-guint
-pssl_init_server_ssl(PsslProxy *self)
-{
-  ZSSLSession *ssl;
-  X509 *peercert;
-  int ret;
-  ZStream *tmpstream;
-  
-  z_proxy_enter(self);
-  ssl = z_ssl_session_new(self->super.session_id, 
-                          Z_SSL_MODE_CLIENT,
-                          self->server_keyfile->str,
-                          self->server_certfile->str,
-                          self->server_ca_dir->str,
-                          self->server_crl_dir->str,
-                          self->verify_depth[EP_SERVER],
-                          self->verify_type[EP_SERVER]);
-  if (!ssl)
-    {
-      z_proxy_log(self, PSSL_ERROR, 1, "Error initializing SSL session on the server side;");
-      z_proxy_return(self, FALSE);
-    }
-	
-  SSL_set_options(ssl->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
-  z_stream_set_timeout(self->super.endpoints[EP_SERVER], self->handshake_timeout);
-  tmpstream = self->super.endpoints[EP_SERVER];
-  self->super.endpoints[EP_SERVER] = z_stream_ssl_new(tmpstream, ssl);
-  z_stream_unref(tmpstream);
-  
-  ret = SSL_connect(ssl->ssl);
   if (ret <= 0)
     {
       char buf[1024];
       
       z_ssl_session_unref(ssl);
-      z_proxy_log(self, PSSL_ERROR, 1, "SSL handshake failed on the server side; error='%s'", z_ssl_get_error_str(buf, sizeof(buf)));
+      z_proxy_log(self, PSSL_ERROR, 1, "SSL handshake failed; side='%s', error='%s'", EP_STR(side), z_ssl_get_error_str(buf, sizeof(buf)));
       z_proxy_return(self, FALSE);
     }
-  
   peercert = SSL_get_peer_certificate(ssl->ssl);
   if (peercert)
     {
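Review bot: The merged handshake passes the client-side credentials and verification policy to z_ssl_session_new() for both sides: after the mode selector the arguments are still `self->client_keyfile->str`, `self->client_certfile->str`, `self->client_ca_dir->str`, `self->client_crl_dir->str`, `self->verify_depth[EP_CLIENT]` and `self->verify_type[EP_CLIENT]`, whereas the removed pssl_init_server_ssl() used the server_* fields and the EP_SERVER verify settings. With side == EP_SERVER the proxy therefore presents the client-facing key and certificate to the server and checks the server's certificate against the client-side CA/CRL directories and client verify policy, so a stricter server-side verify_type is silently not applied. Selecting the fields by side restores the previous behaviour, and the two verify arrays can simply be indexed by side. pssl_perform_handshake starts in the preceding hunk and its tail is in the following one.
```c
  ssl = z_ssl_session_new(self->super.session_id,
                          side == EP_CLIENT ? Z_SSL_MODE_SERVER : Z_SSL_MODE_CLIENT,
                          side == EP_CLIENT ? self->client_keyfile->str : self->server_keyfile->str,
                          side == EP_CLIENT ? self->client_certfile->str : self->server_certfile->str,
                          side == EP_CLIENT ? self->client_ca_dir->str : self->server_ca_dir->str,
                          side == EP_CLIENT ? self->client_crl_dir->str : self->server_crl_dir->str,
                          self->verify_depth[side],
                          self->verify_type[side]);
  /* … unchanged: NULL check, SSL_set_options, stream wrapping, SSL_accept/SSL_connect … */
```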
@@ -405,20 +353,21 @@
       
       X509_NAME_oneline(X509_get_subject_name(peercert), tmp, sizeof(tmp));
       X509_free(peercert);
-      z_proxy_log(self, PSSL_DEBUG, 4, "Identified peer on the server side; peer='%s'", tmp);
+      z_proxy_log(self, PSSL_DEBUG, 4, "Identified peer; side='%s', peer='%s'", EP_STR(side), tmp);
     }
     
-  z_ssl_session_unref(ssl);
-  z_stream_set_timeout(self->super.endpoints[EP_SERVER], -2);
-  z_proxy_log(self, PSSL_DEBUG, 6, "Server side SSL handshake successful;");
+  z_ssl_session_unref(ssl);  
+  z_stream_set_timeout(self->super.endpoints[side], -2);
+  z_proxy_log(self, PSSL_DEBUG, 6, "SSL handshake successful; side='%s'", EP_STR(side));
   z_proxy_return(self, TRUE);
+
 }
 
 static gboolean
 pssl_init_streams(PsslProxy *self)
 {
-  ZStream *tmpstream1;
-  ZStream *tmpstream2;
+  ZStream *tmpstream;
+  gint ep;
 
   z_proxy_enter(self);
   if (!self->super.endpoints[EP_CLIENT] || 
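Review bot: The added line after `z_proxy_return(self, TRUE);` is an empty line immediately before the closing brace of pssl_perform_handshake, and the re-added `z_ssl_session_unref(ssl);  ` carries trailing whitespace; both are stray formatting that the cleanup in this patch otherwise removes. Dropping the blank line and the trailing spaces keeps the function's tail consistent with the rest of the file. pssl_perform_handshake begins before this hunk, and pssl_init_streams continues past it.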
@@ -426,36 +375,22 @@
       !self->poll)
     z_proxy_return(self, FALSE);
 
-  tmpstream1 = self->super.endpoints[EP_CLIENT];
-  z_stream_ref(tmpstream1);
-  if (self->need_ssl[EP_CLIENT])
+  for (ep = EP_CLIENT; ep < EP_MAX; ep++)
     {
-      z_proxy_log(self, PSSL_DEBUG, 6, "Client needs ssl.");
-      if (!pssl_init_client_ssl(self))
+      tmpstream = self->super.endpoints[ep];
+      z_stream_ref(tmpstream);
+      if (self->need_ssl[ep])
         {
-          z_stream_unref(tmpstream1);
-          z_proxy_return(self, FALSE);
+          z_proxy_log(self, PSSL_DEBUG, 6, "Performing SSL handshake; side='%s'", EP_STR(ep));
+          if (!pssl_perform_handshake(self, ep))
+            {
+              z_stream_unref(tmpstream);
+              z_proxy_return(self, FALSE);
+            }
         }
+      z_stream_set_nonblock(tmpstream, TRUE);
+      z_stream_unref(tmpstream);
     }
-
-  tmpstream2 = self->super.endpoints[EP_SERVER];
-  z_stream_ref(tmpstream2);
-  if (self->need_ssl[EP_SERVER])
-    {
-      z_proxy_log(self, PSSL_DEBUG, 6, "Server needs ssl.");
-      if (!pssl_init_server_ssl(self))
-        {
-          z_stream_unref(tmpstream1);
-          z_stream_unref(tmpstream2);
-          z_proxy_return(self, FALSE);
-        }
-    }
-
-  z_stream_set_nonblock(tmpstream1, TRUE);
-  z_stream_unref(tmpstream1);
-
-  z_stream_set_nonblock(tmpstream2, TRUE);
-  z_stream_unref(tmpstream2);
   z_proxy_return(self, TRUE);
 }
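Review bot: The loop `for (ep = EP_CLIENT; ep < EP_MAX; ep++)` relies on EP_CLIENT and EP_SERVER being the only endpoint values below EP_MAX and on `need_ssl[]` and `endpoints[]` being sized by it; neither is visible here, so a one-line comment at the loop would help, e.g. `/* handle EP_CLIENT and EP_SERVER in turn; both get the same SSL/non-blocking setup */`. Note also that `z_stream_set_nonblock(tmpstream, TRUE)` acts on the stream captured before pssl_perform_handshake() replaced `self->super.endpoints[ep]` with the SSL wrapper; this matches the removed code, but presumably setting the flag on the underlying transport stream rather than the SSL stream is intentional and deserves a comment, since a reader will otherwise take it for a missed update. pssl_init_streams starts in the preceding hunk.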
 
@@ -489,33 +424,6 @@
 }
 
 static gboolean
-pssl_start_main_session(PsslProxy *self)
-{
-  ZStackedProxy *stacked;
-  ZPlugSession *session;
-  
-  z_proxy_enter(self);
-  if (!pssl_request_stack_event(self, &stacked))
-    z_proxy_return(self, FALSE);
-  session = z_plug_session_new(&self->session_data, self->super.endpoints[EP_CLIENT], self->super.endpoints[EP_SERVER], stacked, (gpointer)&self->super);
-  if (!session)
-    {
-      z_stacked_proxy_destroy(stacked);
-      z_proxy_return(self, FALSE);
-    }
-
-  z_stream_unref(self->super.endpoints[EP_CLIENT]);
-  z_stream_unref(self->super.endpoints[EP_SERVER]);
-  self->super.endpoints[EP_CLIENT] = self->super.endpoints[EP_SERVER] = NULL;
-  if (!z_plug_session_start(session, self->poll))
-    {
-      z_plug_session_free(session);
-      z_proxy_return(self, FALSE);
-    }
-  z_proxy_return(self, TRUE);
-}
-
-static gboolean
 pssl_config(ZProxy *s)
 {
   PsslProxy *self = Z_CAST(s, PsslProxy);
@@ -532,25 +440,43 @@
 pssl_main(ZProxy *s)
 {
   PsslProxy *self = Z_CAST(s, PsslProxy);
+  ZStackedProxy *stacked;
+  ZPlugSession *session = NULL;
 
   z_proxy_enter(self);
   /* this sets the server side endpoint if successful */
   if (!z_proxy_connect_server(&self->super, NULL, 0) ||
-      !pssl_init_streams(self) ||
-      !pssl_start_main_session(self))
-    z_proxy_return(self);
+      !pssl_init_streams(self))
+    goto error;
+  
+  if (!pssl_request_stack_event(self, &stacked))
+    goto error;
+    
+  session = z_plug_session_new(&self->session_data, self->super.endpoints[EP_CLIENT], self->super.endpoints[EP_SERVER], stacked, (gpointer)&self->super);
+  if (!session)
+    {
+      z_stacked_proxy_destroy(stacked);
+      goto error;
+    }
+
+  if (!z_plug_session_start(session, self->poll))
+    {
+      goto error;
+    }
     
-  while (self->finished && z_poll_is_running(self->poll))
+  while (z_poll_is_running(self->poll) && z_poll_iter_timeout(self->poll, -1))
     {
       if (!z_proxy_loop_iteration(s))
         {
-          self->finished = TRUE;
           break;
         }
-      /* NOTE: timeouts are handled by ZPlugSession */
-      z_poll_iter_timeout(self->poll, -1);
     }
-
+ error:
+  if (session)
+    {
+      z_plug_session_cancel(session);
+      z_plug_session_free(session);
+    }
   z_proxy_leave(self);
 }
 
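Review bot: After `session = z_plug_session_new(...)` the proxy no longer drops its own references to the two endpoint streams and NULLs `self->super.endpoints[]`, which the removed pssl_start_main_session() did with `z_stream_unref(...)` and `= NULL`. If z_plug_session_new() takes over the streams without adding its own references, the proxy's free path will release them a second time; if it does take references, keeping the proxy's own ones until free is the correct balance — which applies is not visible here and should be stated at that call once confirmed, e.g. `/* ZPlugSession refs the endpoint streams; the proxy keeps its references until pssl_proxy_free */`. The `error:` path also runs z_plug_session_cancel() on a session that was never started when z_plug_session_start() fails, where the old code only freed it; confirm cancel is safe in that state. As a style point, the `goto error;` after z_plug_session_start() is braced while the two earlier ones are not.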
@@ -576,6 +502,7 @@
       self->poll = NULL;
     }
   ERR_remove_state(0);
+  z_proxy_free_method(s);
   z_return();
 }
 




