source: mod_gnutls/src/mod_gnutls.c

debian/master debian/0.9.0-1
Last change on this file was 6d8c00c, checked in by Fiona Klute <fiona.klute@…>, 12 months ago

Include apr_strings.h only where needed

  • Property mode set to 100644
File size: 14.2 KB
RevLine 
[104e881]1/*
[fcb122d]2 *  Copyright 2004-2005 Paul Querna
[e021722]3 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
[e183628]4 *  Copyright 2011 Dash Shendy
[3c123cd]5 *  Copyright 2015-2018 Fiona Klute
[9706fc2]6 *
7 *  Licensed under the Apache License, Version 2.0 (the "License");
8 *  you may not use this file except in compliance with the License.
9 *  You may obtain a copy of the License at
10 *
11 *      http://www.apache.org/licenses/LICENSE-2.0
12 *
13 *  Unless required by applicable law or agreed to in writing, software
14 *  distributed under the License is distributed on an "AS IS" BASIS,
15 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 *  See the License for the specific language governing permissions and
17 *  limitations under the License.
18 */
19
[7e2b223]20#include "mod_gnutls.h"
[0470e44]21#include "gnutls_config.h"
[94cb972]22#include "gnutls_ocsp.h"
[235e109]23#include "gnutls_util.h"
[9706fc2]24
[6d8c00c]25#include <apr_strings.h>
26
[e8acf05]27#ifdef APLOG_USE_MODULE
28APLOG_USE_MODULE(gnutls);
29#endif
[671b64f]30
[23e98b3]31int ssl_engine_set(conn_rec *c,
32                   ap_conf_vector_t *dir_conf __attribute__((unused)),
33                   int proxy, int enable);
34
[4aa63a4]35#define MOD_HTTP2 "mod_http2.c"
[3c475e0]36#define MOD_WATCHDOG "mod_watchdog.c"
[e7cf823]37static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
[4aa63a4]38static const char * const mod_http2[] = { MOD_HTTP2, NULL };
[3c475e0]39static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
[e7cf823]40
[e8acf05]41static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
42{
[4aa63a4]43    /* Watchdog callbacks must be configured before post_config of
[3c475e0]44     * mod_watchdog runs, or the watchdog won't be started. Similarly,
45     * our child_init hook must run before mod_watchdog's because our
46     * watchdog threads are started there and need some child-specific
47     * resources. */
[4aa63a4]48    static const char * const post_conf_succ[] =
[3c475e0]49        { MOD_HTTP2, MOD_WATCHDOG, NULL };
[4aa63a4]50    ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
[e7cf823]51                        APR_HOOK_MIDDLE);
[33826c5]52    /* HTTP Scheme Hook */
53    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
54    /* Default Port Hook */
[accbb83]55    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
[33826c5]56    /* Pre-Connect Hook */
[e7cf823]57    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
[accbb83]58                           APR_HOOK_MIDDLE);
[e7cf823]59    ap_hook_process_connection(mgs_hook_process_connection,
60                               NULL, mod_http2, APR_HOOK_MIDDLE);
[33826c5]61    /* Pre-Config Hook */
[e183628]62    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
[accbb83]63                       APR_HOOK_MIDDLE);
[33826c5]64    /* Child-Init Hook */
[3c475e0]65    ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
[accbb83]66                       APR_HOOK_MIDDLE);
[33826c5]67    /* Authentication Hook */
[e183628]68    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
[accbb83]69                           APR_HOOK_REALLY_FIRST);
[33826c5]70    /* Fixups Hook */
[e183628]71    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
[e02dd8c]72
[de3fad3]73    /* Request hook: Check if TLS connection and request host match */
74    ap_hook_post_read_request(mgs_req_vhost_check, NULL, NULL, APR_HOOK_MIDDLE);
75
[e183628]76    /* TODO: HTTP Upgrade Filter */
[671b64f]77    /* ap_register_output_filter ("UPGRADE_FILTER",
[e183628]78     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
79     */
[e02dd8c]80
[33826c5]81    /* Input Filter */
[accbb83]82    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
83                             NULL, AP_FTYPE_CONNECTION + 5);
[33826c5]84    /* Output Filter */
[accbb83]85    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
86                              NULL, AP_FTYPE_CONNECTION + 5);
[671b64f]87
[33826c5]88    /* mod_proxy calls these functions */
89    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
90    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
[23e98b3]91    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
[8ac7c0d]92
93    /* mod_rewrite calls this function to detect HTTPS */
94    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
[4cdd4fd]95    /* some modules look up TLS-related variables */
96    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
97}
98
99
100
101/**
102 * Get the connection context, resolving to a master connection if
103 * any.
104 *
105 * @param c the connection handle
106 *
107 * @return mod_gnutls session context, might be `NULL`
108 */
109mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
110{
111    mgs_handle_t *ctxt = (mgs_handle_t *)
112        ap_get_module_config(c->conn_config, &gnutls_module);
113    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
114    {
115        ctxt = (mgs_handle_t *)
116            ap_get_module_config(c->master->conn_config, &gnutls_module);
117    }
118    return ctxt;
[33826c5]119}
120
[8ac7c0d]121
122
[104e881]123/**
124 * mod_rewrite calls this function to fill %{HTTPS}.
125 *
126 * @param c the connection to check
127 * @return non-zero value if HTTPS is in use, zero if not
[8ac7c0d]128 */
[accbb83]129int ssl_is_https(conn_rec *c)
130{
[4cdd4fd]131    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
[671b64f]132    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
[accbb83]133        ap_get_module_config(c->base_server->module_config, &gnutls_module);
[8ac7c0d]134
135    if(sc->enabled == GNUTLS_ENABLED_FALSE
136       || ctxt == NULL
137       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
138    {
[33826c5]139        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
140        return 0;
141    }
142    /* Connection is Using SSL/TLS */
143    return 1;
144}
145
[8ac7c0d]146
147
[23e98b3]148/**
[4cdd4fd]149 * Return variables describing the current TLS session (if any).
150 *
151 * mod_ssl doc for this function: "This function must remain safe to
152 * use for a non-SSL connection." mod_http2 uses it to check if an
153 * acceptable TLS session is used.
154 */
155char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
156                     conn_rec *c, request_rec *r, char *var)
157{
158    /*
159     * When no pool is given try to find one
160     */
161    if (p == NULL) {
162        if (r != NULL)
163            p = r->pool;
164        else if (c != NULL)
165            p = c->pool;
166        else
167            return NULL;
168    }
169
170    if (strcmp(var, "HTTPS") == 0)
171    {
172        if (c != NULL && ssl_is_https(c))
173            return "on";
174        else
175            return "off";
176    }
177
178    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
179
180    /* TLS parameters are empty if there is no session */
181    if (ctxt == NULL || ctxt->c == NULL)
182        return NULL;
183
184    if (strcmp(var, "SSL_PROTOCOL") == 0)
185        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
186
187    if (strcmp(var, "SSL_CIPHER") == 0)
188        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
189                                                           gnutls_cipher_get(ctxt->session),
190                                                           gnutls_mac_get(ctxt->session)));
191
192    /* mod_ssl supports a LOT more variables */
193    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
194                  "unsupported variable requested: '%s'",
195                  var);
196
197    return NULL;
198}
199
200
201
202/**
[23e98b3]203 * In Apache versions from 2.4.33 mod_proxy uses this function to set
204 * up its client connections. Note that mod_gnutls does not (yet)
205 * implement per directory configuration for such connections.
206 *
207 * @param c the connection
208 * @param dir_conf per directory configuration, unused for now
209 * @param proxy Is this a proxy connection?
210 * @param enable Should TLS be enabled on this connection?
211 *
212 * @param `true` (1) if successful, `false` (0) otherwise
213 */
214int ssl_engine_set(conn_rec *c,
215                   ap_conf_vector_t *dir_conf __attribute__((unused)),
216                   int proxy, int enable)
[e8acf05]217{
[235e109]218    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
[e8acf05]219
[23e98b3]220    /* If TLS proxy has been requested, check if support is enabled
221     * for the server */
222    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
[07d548d]223    {
224        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
225                      "%s: mod_proxy requested TLS proxy, but not enabled "
[adceac0]226                      "for %s:%d", __func__,
227                      ctxt->c->base_server->server_hostname,
228                      ctxt->c->base_server->addrs->host_port);
[07d548d]229        return 0;
230    }
231
[23e98b3]232    if (proxy)
233        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
234    else
235        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
236
237    if (enable)
238        ctxt->enabled = GNUTLS_ENABLED_TRUE;
239    else
240        ctxt->enabled = GNUTLS_ENABLED_FALSE;
241
[37f8282]242    return 1;
[9706fc2]243}
244
[23e98b3]245int ssl_engine_disable(conn_rec *c)
246{
247    return ssl_engine_set(c, NULL, 0, 0);
248}
249
250int ssl_proxy_enable(conn_rec *c)
251{
252    return ssl_engine_set(c, NULL, 1, 1);
253}
254
[7921dc7]255#define OPENPGP_REMOVED "OpenPGP support has been removed."
256
[46b85d8]257static const command_rec mgs_config_cmds[] = {
[176047e]258    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
[33826c5]259    NULL,
260    RSRC_CONF | OR_AUTHCFG,
[176047e]261    "Enable TLS Proxy Engine"),
[87f1ed2]262    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
263    NULL,
264    RSRC_CONF,
[f21d2a6]265    "Load this specific PKCS #11 provider library"),
[031acac]266    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
267    NULL,
268    RSRC_CONF,
269    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
270    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
271    NULL,
272    RSRC_CONF,
273    "The SRK PIN to use in case of TPM keys."),
[e183628]274    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
275    NULL,
276    RSRC_CONF | OR_AUTHCFG,
277    "Set Verification Requirements of the Client Certificate"),
[cf2b905]278    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
279    NULL,
280    RSRC_CONF,
281    "Set Verification Method of the Client Certificate"),
[e183628]282    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
283    NULL,
284    RSRC_CONF,
285    "Set the CA File to verify Client Certificates"),
286    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
287    NULL,
288    RSRC_CONF,
289    "Set the CA File to verify Client Certificates"),
290    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
291    NULL,
292    RSRC_CONF,
293    "Set the file to read Diffie Hellman parameters from"),
294    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
295    NULL,
296    RSRC_CONF,
[88df24d]297    "TLS Server X509 Certificate file"),
[e183628]298    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
299    NULL,
300    RSRC_CONF,
[88df24d]301    "TLS Server X509 Private Key file"),
[e183628]302    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
303    NULL,
304    RSRC_CONF,
[88df24d]305    "TLS Server X509 Certificate file"),
[e183628]306    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
307    NULL,
308    RSRC_CONF,
[88df24d]309    "TLS Server X509 Private Key file"),
[787dab7]310#ifdef ENABLE_SRP
[e183628]311    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
312    NULL,
313    RSRC_CONF,
[88df24d]314    "TLS Server SRP Password Conf file"),
[e183628]315    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
316    mgs_set_srp_tpasswd_conf_file,
317    NULL,
318    RSRC_CONF,
[88df24d]319    "TLS Server SRP Parameters file"),
[787dab7]320#endif
[70a1e5a]321    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
[e183628]322    NULL,
323    RSRC_CONF,
324    "Cache Timeout"),
325    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
326    NULL,
327    RSRC_CONF,
[d036f96]328    "Session Cache Configuration"),
[176047e]329    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
[e183628]330    NULL,
331    RSRC_CONF,
332    "Session Tickets Configuration"),
333    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
334    NULL,
335    RSRC_CONF,
336    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
[176047e]337    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
[e183628]338    NULL,
339    RSRC_CONF,
340    "Whether this server has GnuTLS Enabled. Default: Off"),
[7d1ab49]341    AP_INIT_TAKE1("GnuTLSExportCertificates",
[2aaf4f5]342    mgs_set_export_certificates_size,
[7d1ab49]343    NULL,
344    RSRC_CONF,
[2aaf4f5]345    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
[0de1839]346    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
347    NULL,
348    RSRC_CONF,
349    "X509 client private file for proxy connections"),
350    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
351    NULL,
352    RSRC_CONF,
353    "X509 client certificate file for proxy connections"),
354    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
355    NULL,
356    RSRC_CONF,
357    "X509 trusted CA file for proxy connections"),
[809c422]358    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
359    NULL,
360    RSRC_CONF,
361    "X509 CRL file for proxy connections"),
[f030883]362    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
363    NULL,
364    RSRC_CONF,
365    "The priorities to enable for proxy connections (ciphers, key exchange, "
366    "MACs, compression)."),
[4d4a406]367    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
[78b75b3]368                 NULL, RSRC_CONF,
[3475e62]369                 "Enable OCSP stapling"),
[2246a84]370    AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
371                 NULL, RSRC_CONF,
372                 "Regularly refresh cached OCSP response independent "
373                 "of TLS handshakes?"),
[d036f96]374    AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache,
375                   NULL,
376                   RSRC_CONF,
377                  "OCSP Cache Configuration"),
[b888e8b]378    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
379                 NULL, RSRC_CONF,
380                 "Check nonce in OCSP responses?"),
[94cb972]381    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
[78b75b3]382                  NULL, RSRC_CONF,
[3475e62]383                  "Read OCSP response for stapling from this file instead "
384                  "of sending a request over HTTP (must be updated "
385                  "externally)"),
[e1c094c]386    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
[78b75b3]387                  NULL, RSRC_CONF,
[e1c094c]388                  "Cache timeout for OCSP responses"),
[c6dda6d]389    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
390                  NULL, RSRC_CONF,
[3475e62]391                  "Wait this many seconds before retrying a failed OCSP "
392                  "request"),
[2246a84]393    AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
394                  NULL, RSRC_CONF,
395                  "Update cached OCSP response up to this many seconds "
396                  "before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
[333bbc7]397    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
398                  NULL, RSRC_CONF,
[3475e62]399                  "Socket timeout for OCSP requests"),
[7921dc7]400    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
401                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
402    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
403                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
404    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
405                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
[15b22cb]406#ifdef __clang__
407    /* Workaround for this clang bug:
408     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
409    {},
410#else
[7d1ab49]411    { NULL },
[15b22cb]412#endif
[46b85d8]413};
[9706fc2]414
415module AP_MODULE_DECLARE_DATA gnutls_module = {
[e183628]416    STANDARD20_MODULE_STUFF,
[2d0f6cf]417    .create_dir_config = mgs_config_dir_create,
418    .merge_dir_config = mgs_config_dir_merge,
419    .create_server_config = mgs_config_server_create,
[040387c]420    .merge_server_config = mgs_config_server_merge,
[2d0f6cf]421    .cmds = mgs_config_cmds,
422    .register_hooks = gnutls_hooks
[9706fc2]423};
Note: See TracBrowser for help on using the repository browser.