Context Navigation

source: mod_gnutls/src/mod_gnutls.c

Visit:

mod_gnutls/0.10.0

Last change on this file was 05e2d9e, checked in by Fiona Klute <fiona.klute@…>, 7 weeks ago
Move function declarations for gnutls_io.c into a separate header
Property mode set to `100644`
File size: 14.5 KB

Rev	Line
[104e881]	1	/*
[fcb122d]	2	* Copyright 2004-2005 Paul Querna
[e021722]	3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
[e183628]	4	* Copyright 2011 Dash Shendy
[a3e0f7b]	5	* Copyright 2015-2020 Fiona Klute
[9706fc2]	6	*
	7	* Licensed under the Apache License, Version 2.0 (the "License");
	8	* you may not use this file except in compliance with the License.
	9	* You may obtain a copy of the License at
	10	*
	11	* http://www.apache.org/licenses/LICENSE-2.0
	12	*
	13	* Unless required by applicable law or agreed to in writing, software
	14	* distributed under the License is distributed on an "AS IS" BASIS,
	15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	16	* See the License for the specific language governing permissions and
	17	* limitations under the License.
	18	*/
	19
[7e2b223]	20	#include "mod_gnutls.h"
[0470e44]	21	#include "gnutls_config.h"
[05e2d9e]	22	#include "gnutls_io.h"
[94cb972]	23	#include "gnutls_ocsp.h"
[235e109]	24	#include "gnutls_util.h"
[9706fc2]	25
[6d8c00c]	26	#include <apr_strings.h>
	27
[e8acf05]	28	#ifdef APLOG_USE_MODULE
	29	APLOG_USE_MODULE(gnutls);
	30	#endif
[671b64f]	31
[23e98b3]	32	int ssl_engine_set(conn_rec *c,
	33	ap_conf_vector_t *dir_conf __attribute__((unused)),
	34	int proxy, int enable);
	35
[4aa63a4]	36	#define MOD_HTTP2 "mod_http2.c"
[3c475e0]	37	#define MOD_WATCHDOG "mod_watchdog.c"
[e7cf823]	38	static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
[4aa63a4]	39	static const char * const mod_http2[] = { MOD_HTTP2, NULL };
[3c475e0]	40	static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
[e7cf823]	41
[e8acf05]	42	static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
	43	{
[4aa63a4]	44	/* Watchdog callbacks must be configured before post_config of
[3c475e0]	45	* mod_watchdog runs, or the watchdog won't be started. Similarly,
	46	* our child_init hook must run before mod_watchdog's because our
	47	* watchdog threads are started there and need some child-specific
	48	* resources. */
[4aa63a4]	49	static const char * const post_conf_succ[] =
[3c475e0]	50	{ MOD_HTTP2, MOD_WATCHDOG, NULL };
[4aa63a4]	51	ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
[e7cf823]	52	APR_HOOK_MIDDLE);
[33826c5]	53	/* HTTP Scheme Hook */
	54	ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
	55	/* Default Port Hook */
[accbb83]	56	ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
[33826c5]	57	/* Pre-Connect Hook */
[e7cf823]	58	ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
[accbb83]	59	APR_HOOK_MIDDLE);
[e7cf823]	60	ap_hook_process_connection(mgs_hook_process_connection,
	61	NULL, mod_http2, APR_HOOK_MIDDLE);
[33826c5]	62	/* Pre-Config Hook */
[e183628]	63	ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
[accbb83]	64	APR_HOOK_MIDDLE);
[33826c5]	65	/* Child-Init Hook */
[3c475e0]	66	ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
[accbb83]	67	APR_HOOK_MIDDLE);
[33826c5]	68	/* Authentication Hook */
[e183628]	69	ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
[accbb83]	70	APR_HOOK_REALLY_FIRST);
[33826c5]	71	/* Fixups Hook */
[e183628]	72	ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
[e02dd8c]	73
[de3fad3]	74	/* Request hook: Check if TLS connection and request host match */
	75	ap_hook_post_read_request(mgs_req_vhost_check, NULL, NULL, APR_HOOK_MIDDLE);
	76
[e183628]	77	/* TODO: HTTP Upgrade Filter */
[671b64f]	78	/* ap_register_output_filter ("UPGRADE_FILTER",
[e183628]	79	* ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
	80	*/
[e02dd8c]	81
[33826c5]	82	/* Input Filter */
[accbb83]	83	ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
	84	NULL, AP_FTYPE_CONNECTION + 5);
[33826c5]	85	/* Output Filter */
[accbb83]	86	ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
	87	NULL, AP_FTYPE_CONNECTION + 5);
[671b64f]	88
[33826c5]	89	/* mod_proxy calls these functions */
	90	APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
	91	APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
[23e98b3]	92	APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
[8ac7c0d]	93
	94	/* mod_rewrite calls this function to detect HTTPS */
	95	APR_REGISTER_OPTIONAL_FN(ssl_is_https);
[4cdd4fd]	96	/* some modules look up TLS-related variables */
	97	APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
	98	}
	99
	100
	101
	102	/**
	103	* Get the connection context, resolving to a master connection if
	104	* any.
	105	*
	106	* @param c the connection handle
	107	*
	108	* @return mod_gnutls session context, might be `NULL`
	109	*/
	110	mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
	111	{
	112	mgs_handle_t ctxt = (mgs_handle_t )
	113	ap_get_module_config(c->conn_config, &gnutls_module);
	114	if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
	115	{
	116	ctxt = (mgs_handle_t *)
	117	ap_get_module_config(c->master->conn_config, &gnutls_module);
	118	}
	119	return ctxt;
[33826c5]	120	}
	121
[8ac7c0d]	122
	123
[104e881]	124	/**
	125	* mod_rewrite calls this function to fill %{HTTPS}.
	126	*
	127	* @param c the connection to check
	128	* @return non-zero value if HTTPS is in use, zero if not
[8ac7c0d]	129	*/
[accbb83]	130	int ssl_is_https(conn_rec *c)
	131	{
[4cdd4fd]	132	mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
[671b64f]	133	mgs_srvconf_rec sc = (mgs_srvconf_rec )
[accbb83]	134	ap_get_module_config(c->base_server->module_config, &gnutls_module);
[8ac7c0d]	135
	136	if(sc->enabled == GNUTLS_ENABLED_FALSE
	137	\|\| ctxt == NULL
	138	\|\| ctxt->enabled == GNUTLS_ENABLED_FALSE)
	139	{
[33826c5]	140	/* SSL/TLS Disabled or Plain HTTP Connection Detected */
	141	return 0;
	142	}
	143	/* Connection is Using SSL/TLS */
	144	return 1;
	145	}
	146
[8ac7c0d]	147
	148
[23e98b3]	149	/**
[4cdd4fd]	150	* Return variables describing the current TLS session (if any).
	151	*
	152	* mod_ssl doc for this function: "This function must remain safe to
	153	* use for a non-SSL connection." mod_http2 uses it to check if an
	154	* acceptable TLS session is used.
	155	*/
	156	char* ssl_var_lookup(apr_pool_t p, server_rec s __attribute__((unused)),
	157	conn_rec c, request_rec r, char *var)
	158	{
	159	/*
	160	* When no pool is given try to find one
	161	*/
	162	if (p == NULL) {
	163	if (r != NULL)
	164	p = r->pool;
	165	else if (c != NULL)
	166	p = c->pool;
	167	else
	168	return NULL;
	169	}
	170
	171	if (strcmp(var, "HTTPS") == 0)
	172	{
	173	if (c != NULL && ssl_is_https(c))
	174	return "on";
	175	else
	176	return "off";
	177	}
	178
	179	mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
	180
	181	/* TLS parameters are empty if there is no session */
[dcec209]	182	if (ctxt == NULL \|\| ctxt->c == NULL \|\| ctxt->session == NULL)
[4cdd4fd]	183	return NULL;
	184
	185	if (strcmp(var, "SSL_PROTOCOL") == 0)
	186	return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
	187
	188	if (strcmp(var, "SSL_CIPHER") == 0)
	189	return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
	190	gnutls_cipher_get(ctxt->session),
	191	gnutls_mac_get(ctxt->session)));
	192
	193	/* mod_ssl supports a LOT more variables */
	194	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
	195	"unsupported variable requested: '%s'",
	196	var);
	197
	198	return NULL;
	199	}
	200
	201
	202
	203	/**
[23e98b3]	204	* In Apache versions from 2.4.33 mod_proxy uses this function to set
	205	* up its client connections. Note that mod_gnutls does not (yet)
	206	* implement per directory configuration for such connections.
	207	*
	208	* @param c the connection
	209	* @param dir_conf per directory configuration, unused for now
	210	* @param proxy Is this a proxy connection?
	211	* @param enable Should TLS be enabled on this connection?
	212	*
	213	* @param `true` (1) if successful, `false` (0) otherwise
	214	*/
	215	int ssl_engine_set(conn_rec *c,
	216	ap_conf_vector_t *dir_conf __attribute__((unused)),
	217	int proxy, int enable)
[e8acf05]	218	{
[235e109]	219	mgs_handle_t *ctxt = init_gnutls_ctxt(c);
[e8acf05]	220
[23e98b3]	221	/* If TLS proxy has been requested, check if support is enabled
	222	* for the server */
	223	if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
[07d548d]	224	{
	225	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
	226	"%s: mod_proxy requested TLS proxy, but not enabled "
[adceac0]	227	"for %s:%d", __func__,
	228	ctxt->c->base_server->server_hostname,
	229	ctxt->c->base_server->addrs->host_port);
[07d548d]	230	return 0;
	231	}
	232
[23e98b3]	233	if (proxy)
	234	ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
	235	else
	236	ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
	237
	238	if (enable)
	239	ctxt->enabled = GNUTLS_ENABLED_TRUE;
	240	else
	241	ctxt->enabled = GNUTLS_ENABLED_FALSE;
	242
[37f8282]	243	return 1;
[9706fc2]	244	}
	245
[23e98b3]	246	int ssl_engine_disable(conn_rec *c)
	247	{
	248	return ssl_engine_set(c, NULL, 0, 0);
	249	}
	250
	251	int ssl_proxy_enable(conn_rec *c)
	252	{
	253	return ssl_engine_set(c, NULL, 1, 1);
	254	}
	255
[7921dc7]	256	#define OPENPGP_REMOVED "OpenPGP support has been removed."
	257
[46b85d8]	258	static const command_rec mgs_config_cmds[] = {
[176047e]	259	AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
[33826c5]	260	NULL,
	261	RSRC_CONF \| OR_AUTHCFG,
[176047e]	262	"Enable TLS Proxy Engine"),
[87f1ed2]	263	AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
	264	NULL,
	265	RSRC_CONF,
[f21d2a6]	266	"Load this specific PKCS #11 provider library"),
[031acac]	267	AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
	268	NULL,
	269	RSRC_CONF,
	270	"The PIN to use in case of encrypted keys or PKCS #11 tokens."),
	271	AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
	272	NULL,
	273	RSRC_CONF,
	274	"The SRK PIN to use in case of TPM keys."),
[e183628]	275	AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
	276	NULL,
	277	RSRC_CONF \| OR_AUTHCFG,
	278	"Set Verification Requirements of the Client Certificate"),
[cf2b905]	279	AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
	280	NULL,
	281	RSRC_CONF,
	282	"Set Verification Method of the Client Certificate"),
[e183628]	283	AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
	284	NULL,
	285	RSRC_CONF,
	286	"Set the CA File to verify Client Certificates"),
	287	AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
	288	NULL,
	289	RSRC_CONF,
	290	"Set the CA File to verify Client Certificates"),
	291	AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
	292	NULL,
	293	RSRC_CONF,
	294	"Set the file to read Diffie Hellman parameters from"),
	295	AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
	296	NULL,
	297	RSRC_CONF,
[88df24d]	298	"TLS Server X509 Certificate file"),
[e183628]	299	AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
	300	NULL,
	301	RSRC_CONF,
[88df24d]	302	"TLS Server X509 Private Key file"),
[e183628]	303	AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
	304	NULL,
	305	RSRC_CONF,
[88df24d]	306	"TLS Server X509 Certificate file"),
[e183628]	307	AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
	308	NULL,
	309	RSRC_CONF,
[88df24d]	310	"TLS Server X509 Private Key file"),
[787dab7]	311	#ifdef ENABLE_SRP
[e183628]	312	AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
	313	NULL,
	314	RSRC_CONF,
[88df24d]	315	"TLS Server SRP Password Conf file"),
[e183628]	316	AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
	317	mgs_set_srp_tpasswd_conf_file,
	318	NULL,
	319	RSRC_CONF,
[88df24d]	320	"TLS Server SRP Parameters file"),
[787dab7]	321	#endif
[70a1e5a]	322	AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
[e183628]	323	NULL,
	324	RSRC_CONF,
	325	"Cache Timeout"),
	326	AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
	327	NULL,
	328	RSRC_CONF,
[d036f96]	329	"Session Cache Configuration"),
[176047e]	330	AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
[e183628]	331	NULL,
	332	RSRC_CONF,
	333	"Session Tickets Configuration"),
	334	AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
	335	NULL,
	336	RSRC_CONF,
	337	"The priorities to enable (ciphers, Key exchange, macs, compression)."),
[176047e]	338	AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
[e183628]	339	NULL,
	340	RSRC_CONF,
	341	"Whether this server has GnuTLS Enabled. Default: Off"),
[7d1ab49]	342	AP_INIT_TAKE1("GnuTLSExportCertificates",
[2aaf4f5]	343	mgs_set_export_certificates_size,
[7d1ab49]	344	NULL,
	345	RSRC_CONF,
[2aaf4f5]	346	"Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
[0de1839]	347	AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
	348	NULL,
	349	RSRC_CONF,
	350	"X509 client private file for proxy connections"),
	351	AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
	352	NULL,
	353	RSRC_CONF,
	354	"X509 client certificate file for proxy connections"),
	355	AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
	356	NULL,
	357	RSRC_CONF,
	358	"X509 trusted CA file for proxy connections"),
[809c422]	359	AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
	360	NULL,
	361	RSRC_CONF,
	362	"X509 CRL file for proxy connections"),
[f030883]	363	AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
	364	NULL,
	365	RSRC_CONF,
	366	"The priorities to enable for proxy connections (ciphers, key exchange, "
	367	"MACs, compression)."),
[4d4a406]	368	AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
[78b75b3]	369	NULL, RSRC_CONF,
[3475e62]	370	"Enable OCSP stapling"),
[2246a84]	371	AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
	372	NULL, RSRC_CONF,
	373	"Regularly refresh cached OCSP response independent "
	374	"of TLS handshakes?"),
[d036f96]	375	AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache,
	376	NULL,
	377	RSRC_CONF,
	378	"OCSP Cache Configuration"),
[b888e8b]	379	AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
	380	NULL, RSRC_CONF,
	381	"Check nonce in OCSP responses?"),
[a3e0f7b]	382	AP_INIT_TAKE_ARGV("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
[78b75b3]	383	NULL, RSRC_CONF,
[a3e0f7b]	384	"Read OCSP responses for stapling from these files instead "
	385	"of sending a request over HTTP. Files must be listed in "
	386	"the same order as listed in GnuTLSX509CertificateFile, "
	387	"and must be updated externally. Use the empty string "
	388	"(\"\") to skip a certificate in the list."),
[e1c094c]	389	AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
[78b75b3]	390	NULL, RSRC_CONF,
[e1c094c]	391	"Cache timeout for OCSP responses"),
[c6dda6d]	392	AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
	393	NULL, RSRC_CONF,
[3475e62]	394	"Wait this many seconds before retrying a failed OCSP "
	395	"request"),
[2246a84]	396	AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
	397	NULL, RSRC_CONF,
	398	"Update cached OCSP response up to this many seconds "
	399	"before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
[333bbc7]	400	AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
	401	NULL, RSRC_CONF,
[3475e62]	402	"Socket timeout for OCSP requests"),
[7921dc7]	403	AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
	404	ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
	405	AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
	406	ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
	407	AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
	408	ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
[15b22cb]	409	#ifdef __clang__
	410	/* Workaround for this clang bug:
	411	* https://llvm.org/bugs/show_bug.cgi?id=21689 */
	412	{},
	413	#else
[7d1ab49]	414	{ NULL },
[15b22cb]	415	#endif
[46b85d8]	416	};
[9706fc2]	417
	418	module AP_MODULE_DECLARE_DATA gnutls_module = {
[e183628]	419	STANDARD20_MODULE_STUFF,
[2d0f6cf]	420	.create_dir_config = mgs_config_dir_create,
	421	.merge_dir_config = mgs_config_dir_merge,
	422	.create_server_config = mgs_config_server_create,
[040387c]	423	.merge_server_config = mgs_config_server_merge,
[2d0f6cf]	424	.cmds = mgs_config_cmds,
	425	.register_hooks = gnutls_hooks
[9706fc2]	426	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: