source: mod_gnutls/src/mod_gnutls.c

mod_gnutls/0.10.0
Last change on this file was 05e2d9e, checked in by Fiona Klute <fiona.klute@…>, 2 months ago

Move function declarations for gnutls_io.c into a separate header

  • Property mode set to 100644
File size: 14.5 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *  Copyright 2015-2020 Fiona Klute
6 *
7 *  Licensed under the Apache License, Version 2.0 (the "License");
8 *  you may not use this file except in compliance with the License.
9 *  You may obtain a copy of the License at
10 *
11 *      http://www.apache.org/licenses/LICENSE-2.0
12 *
13 *  Unless required by applicable law or agreed to in writing, software
14 *  distributed under the License is distributed on an "AS IS" BASIS,
15 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 *  See the License for the specific language governing permissions and
17 *  limitations under the License.
18 */
19
20#include "mod_gnutls.h"
21#include "gnutls_config.h"
22#include "gnutls_io.h"
23#include "gnutls_ocsp.h"
24#include "gnutls_util.h"
25
26#include <apr_strings.h>
27
28#ifdef APLOG_USE_MODULE
29APLOG_USE_MODULE(gnutls);
30#endif
31
32int ssl_engine_set(conn_rec *c,
33                   ap_conf_vector_t *dir_conf __attribute__((unused)),
34                   int proxy, int enable);
35
36#define MOD_HTTP2 "mod_http2.c"
37#define MOD_WATCHDOG "mod_watchdog.c"
38static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
39static const char * const mod_http2[] = { MOD_HTTP2, NULL };
40static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
41
42static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
43{
44    /* Watchdog callbacks must be configured before post_config of
45     * mod_watchdog runs, or the watchdog won't be started. Similarly,
46     * our child_init hook must run before mod_watchdog's because our
47     * watchdog threads are started there and need some child-specific
48     * resources. */
49    static const char * const post_conf_succ[] =
50        { MOD_HTTP2, MOD_WATCHDOG, NULL };
51    ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
52                        APR_HOOK_MIDDLE);
53    /* HTTP Scheme Hook */
54    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
55    /* Default Port Hook */
56    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
57    /* Pre-Connect Hook */
58    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
59                           APR_HOOK_MIDDLE);
60    ap_hook_process_connection(mgs_hook_process_connection,
61                               NULL, mod_http2, APR_HOOK_MIDDLE);
62    /* Pre-Config Hook */
63    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
64                       APR_HOOK_MIDDLE);
65    /* Child-Init Hook */
66    ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
67                       APR_HOOK_MIDDLE);
68    /* Authentication Hook */
69    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
70                           APR_HOOK_REALLY_FIRST);
71    /* Fixups Hook */
72    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
73
74    /* Request hook: Check if TLS connection and request host match */
75    ap_hook_post_read_request(mgs_req_vhost_check, NULL, NULL, APR_HOOK_MIDDLE);
76
77    /* TODO: HTTP Upgrade Filter */
78    /* ap_register_output_filter ("UPGRADE_FILTER",
79     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
80     */
81
82    /* Input Filter */
83    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
84                             NULL, AP_FTYPE_CONNECTION + 5);
85    /* Output Filter */
86    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
87                              NULL, AP_FTYPE_CONNECTION + 5);
88
89    /* mod_proxy calls these functions */
90    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
91    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
92    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
93
94    /* mod_rewrite calls this function to detect HTTPS */
95    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
96    /* some modules look up TLS-related variables */
97    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
98}
99
100
101
102/**
103 * Get the connection context, resolving to a master connection if
104 * any.
105 *
106 * @param c the connection handle
107 *
108 * @return mod_gnutls session context, might be `NULL`
109 */
110mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
111{
112    mgs_handle_t *ctxt = (mgs_handle_t *)
113        ap_get_module_config(c->conn_config, &gnutls_module);
114    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
115    {
116        ctxt = (mgs_handle_t *)
117            ap_get_module_config(c->master->conn_config, &gnutls_module);
118    }
119    return ctxt;
120}
121
122
123
124/**
125 * mod_rewrite calls this function to fill %{HTTPS}.
126 *
127 * @param c the connection to check
128 * @return non-zero value if HTTPS is in use, zero if not
129 */
130int ssl_is_https(conn_rec *c)
131{
132    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
133    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
134        ap_get_module_config(c->base_server->module_config, &gnutls_module);
135
136    if(sc->enabled == GNUTLS_ENABLED_FALSE
137       || ctxt == NULL
138       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
139    {
140        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
141        return 0;
142    }
143    /* Connection is Using SSL/TLS */
144    return 1;
145}
146
147
148
149/**
150 * Return variables describing the current TLS session (if any).
151 *
152 * mod_ssl doc for this function: "This function must remain safe to
153 * use for a non-SSL connection." mod_http2 uses it to check if an
154 * acceptable TLS session is used.
155 */
156char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
157                     conn_rec *c, request_rec *r, char *var)
158{
159    /*
160     * When no pool is given try to find one
161     */
162    if (p == NULL) {
163        if (r != NULL)
164            p = r->pool;
165        else if (c != NULL)
166            p = c->pool;
167        else
168            return NULL;
169    }
170
171    if (strcmp(var, "HTTPS") == 0)
172    {
173        if (c != NULL && ssl_is_https(c))
174            return "on";
175        else
176            return "off";
177    }
178
179    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
180
181    /* TLS parameters are empty if there is no session */
182    if (ctxt == NULL || ctxt->c == NULL || ctxt->session == NULL)
183        return NULL;
184
185    if (strcmp(var, "SSL_PROTOCOL") == 0)
186        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
187
188    if (strcmp(var, "SSL_CIPHER") == 0)
189        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
190                                                           gnutls_cipher_get(ctxt->session),
191                                                           gnutls_mac_get(ctxt->session)));
192
193    /* mod_ssl supports a LOT more variables */
194    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
195                  "unsupported variable requested: '%s'",
196                  var);
197
198    return NULL;
199}
200
201
202
203/**
204 * In Apache versions from 2.4.33 mod_proxy uses this function to set
205 * up its client connections. Note that mod_gnutls does not (yet)
206 * implement per directory configuration for such connections.
207 *
208 * @param c the connection
209 * @param dir_conf per directory configuration, unused for now
210 * @param proxy Is this a proxy connection?
211 * @param enable Should TLS be enabled on this connection?
212 *
213 * @param `true` (1) if successful, `false` (0) otherwise
214 */
215int ssl_engine_set(conn_rec *c,
216                   ap_conf_vector_t *dir_conf __attribute__((unused)),
217                   int proxy, int enable)
218{
219    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
220
221    /* If TLS proxy has been requested, check if support is enabled
222     * for the server */
223    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
224    {
225        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
226                      "%s: mod_proxy requested TLS proxy, but not enabled "
227                      "for %s:%d", __func__,
228                      ctxt->c->base_server->server_hostname,
229                      ctxt->c->base_server->addrs->host_port);
230        return 0;
231    }
232
233    if (proxy)
234        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
235    else
236        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
237
238    if (enable)
239        ctxt->enabled = GNUTLS_ENABLED_TRUE;
240    else
241        ctxt->enabled = GNUTLS_ENABLED_FALSE;
242
243    return 1;
244}
245
246int ssl_engine_disable(conn_rec *c)
247{
248    return ssl_engine_set(c, NULL, 0, 0);
249}
250
251int ssl_proxy_enable(conn_rec *c)
252{
253    return ssl_engine_set(c, NULL, 1, 1);
254}
255
256#define OPENPGP_REMOVED "OpenPGP support has been removed."
257
258static const command_rec mgs_config_cmds[] = {
259    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
260    NULL,
261    RSRC_CONF | OR_AUTHCFG,
262    "Enable TLS Proxy Engine"),
263    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
264    NULL,
265    RSRC_CONF,
266    "Load this specific PKCS #11 provider library"),
267    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
268    NULL,
269    RSRC_CONF,
270    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
271    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
272    NULL,
273    RSRC_CONF,
274    "The SRK PIN to use in case of TPM keys."),
275    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
276    NULL,
277    RSRC_CONF | OR_AUTHCFG,
278    "Set Verification Requirements of the Client Certificate"),
279    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
280    NULL,
281    RSRC_CONF,
282    "Set Verification Method of the Client Certificate"),
283    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
284    NULL,
285    RSRC_CONF,
286    "Set the CA File to verify Client Certificates"),
287    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
288    NULL,
289    RSRC_CONF,
290    "Set the CA File to verify Client Certificates"),
291    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
292    NULL,
293    RSRC_CONF,
294    "Set the file to read Diffie Hellman parameters from"),
295    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
296    NULL,
297    RSRC_CONF,
298    "TLS Server X509 Certificate file"),
299    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
300    NULL,
301    RSRC_CONF,
302    "TLS Server X509 Private Key file"),
303    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
304    NULL,
305    RSRC_CONF,
306    "TLS Server X509 Certificate file"),
307    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
308    NULL,
309    RSRC_CONF,
310    "TLS Server X509 Private Key file"),
311#ifdef ENABLE_SRP
312    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
313    NULL,
314    RSRC_CONF,
315    "TLS Server SRP Password Conf file"),
316    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
317    mgs_set_srp_tpasswd_conf_file,
318    NULL,
319    RSRC_CONF,
320    "TLS Server SRP Parameters file"),
321#endif
322    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
323    NULL,
324    RSRC_CONF,
325    "Cache Timeout"),
326    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
327    NULL,
328    RSRC_CONF,
329    "Session Cache Configuration"),
330    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
331    NULL,
332    RSRC_CONF,
333    "Session Tickets Configuration"),
334    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
335    NULL,
336    RSRC_CONF,
337    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
338    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
339    NULL,
340    RSRC_CONF,
341    "Whether this server has GnuTLS Enabled. Default: Off"),
342    AP_INIT_TAKE1("GnuTLSExportCertificates",
343    mgs_set_export_certificates_size,
344    NULL,
345    RSRC_CONF,
346    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
347    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
348    NULL,
349    RSRC_CONF,
350    "X509 client private file for proxy connections"),
351    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
352    NULL,
353    RSRC_CONF,
354    "X509 client certificate file for proxy connections"),
355    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
356    NULL,
357    RSRC_CONF,
358    "X509 trusted CA file for proxy connections"),
359    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
360    NULL,
361    RSRC_CONF,
362    "X509 CRL file for proxy connections"),
363    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
364    NULL,
365    RSRC_CONF,
366    "The priorities to enable for proxy connections (ciphers, key exchange, "
367    "MACs, compression)."),
368    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
369                 NULL, RSRC_CONF,
370                 "Enable OCSP stapling"),
371    AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
372                 NULL, RSRC_CONF,
373                 "Regularly refresh cached OCSP response independent "
374                 "of TLS handshakes?"),
375    AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache,
376                   NULL,
377                   RSRC_CONF,
378                  "OCSP Cache Configuration"),
379    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
380                 NULL, RSRC_CONF,
381                 "Check nonce in OCSP responses?"),
382    AP_INIT_TAKE_ARGV("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
383                  NULL, RSRC_CONF,
384                  "Read OCSP responses for stapling from these files instead "
385                  "of sending a request over HTTP. Files must be listed in "
386                  "the same order as listed in GnuTLSX509CertificateFile, "
387                  "and must be updated externally. Use the empty string "
388                  "(\"\") to skip a certificate in the list."),
389    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
390                  NULL, RSRC_CONF,
391                  "Cache timeout for OCSP responses"),
392    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
393                  NULL, RSRC_CONF,
394                  "Wait this many seconds before retrying a failed OCSP "
395                  "request"),
396    AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
397                  NULL, RSRC_CONF,
398                  "Update cached OCSP response up to this many seconds "
399                  "before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
400    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
401                  NULL, RSRC_CONF,
402                  "Socket timeout for OCSP requests"),
403    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
404                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
405    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
406                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
407    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
408                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
409#ifdef __clang__
410    /* Workaround for this clang bug:
411     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
412    {},
413#else
414    { NULL },
415#endif
416};
417
418module AP_MODULE_DECLARE_DATA gnutls_module = {
419    STANDARD20_MODULE_STUFF,
420    .create_dir_config = mgs_config_dir_create,
421    .merge_dir_config = mgs_config_dir_merge,
422    .create_server_config = mgs_config_server_create,
423    .merge_server_config = mgs_config_server_merge,
424    .cmds = mgs_config_cmds,
425    .register_hooks = gnutls_hooks
426};
Note: See TracBrowser for help on using the repository browser.