source: mod_gnutls/src/mod_gnutls.c @ e7cf823

asynciodebian/masterdebian/stretch-backportsproxy-ticketupstream
Last change on this file since e7cf823 was e7cf823, checked in by Fiona Klute <fiona.klute@…>, 3 years ago

Add process_connection hook, adjust hook order for mod_http2 compatibility

The TLS handshake must have happened before the mod_http2
process_connection hook runs, which means we have to trigger it
explicitly before any reads happen. Some other hooks must have a
certain order relative to mod_http2 as well.
  • Property mode set to 100644
File size: 12.8 KB
RevLine 
[104e881]1/*
[fcb122d]2 *  Copyright 2004-2005 Paul Querna
[e021722]3 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
[e183628]4 *  Copyright 2011 Dash Shendy
[8913410]5 *  Copyright 2015-2016 Thomas Klute
[9706fc2]6 *
7 *  Licensed under the Apache License, Version 2.0 (the "License");
8 *  you may not use this file except in compliance with the License.
9 *  You may obtain a copy of the License at
10 *
11 *      http://www.apache.org/licenses/LICENSE-2.0
12 *
13 *  Unless required by applicable law or agreed to in writing, software
14 *  distributed under the License is distributed on an "AS IS" BASIS,
15 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 *  See the License for the specific language governing permissions and
17 *  limitations under the License.
18 */
19
[7e2b223]20#include "mod_gnutls.h"
[94cb972]21#include "gnutls_ocsp.h"
[235e109]22#include "gnutls_util.h"
[9706fc2]23
[e8acf05]24#ifdef APLOG_USE_MODULE
25APLOG_USE_MODULE(gnutls);
26#endif
[671b64f]27
[23e98b3]28int ssl_engine_set(conn_rec *c,
29                   ap_conf_vector_t *dir_conf __attribute__((unused)),
30                   int proxy, int enable);
31
[e7cf823]32static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
33static const char * const mod_http2[] = { "mod_http2.c", NULL };
34
[e8acf05]35static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
36{
[33826c5]37    /* Try Run Post-Config Hook After mod_proxy */
[e7cf823]38    ap_hook_post_config(mgs_hook_post_config, mod_proxy, mod_http2,
39                        APR_HOOK_MIDDLE);
[33826c5]40    /* HTTP Scheme Hook */
41    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
42    /* Default Port Hook */
[accbb83]43    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
[33826c5]44    /* Pre-Connect Hook */
[e7cf823]45    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
[accbb83]46                           APR_HOOK_MIDDLE);
[e7cf823]47    ap_hook_process_connection(mgs_hook_process_connection,
48                               NULL, mod_http2, APR_HOOK_MIDDLE);
[33826c5]49    /* Pre-Config Hook */
[e183628]50    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
[accbb83]51                       APR_HOOK_MIDDLE);
[33826c5]52    /* Child-Init Hook */
53    ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
[accbb83]54                       APR_HOOK_MIDDLE);
[33826c5]55    /* Authentication Hook */
[e183628]56    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
[accbb83]57                           APR_HOOK_REALLY_FIRST);
[33826c5]58    /* Fixups Hook */
[e183628]59    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
[e02dd8c]60
[e183628]61    /* TODO: HTTP Upgrade Filter */
[671b64f]62    /* ap_register_output_filter ("UPGRADE_FILTER",
[e183628]63     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
64     */
[e02dd8c]65
[33826c5]66    /* Input Filter */
[accbb83]67    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
68                             NULL, AP_FTYPE_CONNECTION + 5);
[33826c5]69    /* Output Filter */
[accbb83]70    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
71                              NULL, AP_FTYPE_CONNECTION + 5);
[671b64f]72
[33826c5]73    /* mod_proxy calls these functions */
74    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
75    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
[23e98b3]76    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
[8ac7c0d]77
78    /* mod_rewrite calls this function to detect HTTPS */
79    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
[4cdd4fd]80    /* some modules look up TLS-related variables */
81    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
82}
83
84
85
86/**
87 * Get the connection context, resolving to a master connection if
88 * any.
89 *
90 * @param c the connection handle
91 *
92 * @return mod_gnutls session context, might be `NULL`
93 */
94mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
95{
96    mgs_handle_t *ctxt = (mgs_handle_t *)
97        ap_get_module_config(c->conn_config, &gnutls_module);
98    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
99    {
100        ctxt = (mgs_handle_t *)
101            ap_get_module_config(c->master->conn_config, &gnutls_module);
102    }
103    return ctxt;
[33826c5]104}
105
[8ac7c0d]106
107
[104e881]108/**
109 * mod_rewrite calls this function to fill %{HTTPS}.
110 *
111 * @param c the connection to check
112 * @return non-zero value if HTTPS is in use, zero if not
[8ac7c0d]113 */
[accbb83]114int ssl_is_https(conn_rec *c)
115{
[4cdd4fd]116    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
[671b64f]117    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
[accbb83]118        ap_get_module_config(c->base_server->module_config, &gnutls_module);
[8ac7c0d]119
120    if(sc->enabled == GNUTLS_ENABLED_FALSE
121       || ctxt == NULL
122       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
123    {
[33826c5]124        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
125        return 0;
126    }
127    /* Connection is Using SSL/TLS */
128    return 1;
129}
130
[8ac7c0d]131
132
[23e98b3]133/**
[4cdd4fd]134 * Return variables describing the current TLS session (if any).
135 *
136 * mod_ssl doc for this function: "This function must remain safe to
137 * use for a non-SSL connection." mod_http2 uses it to check if an
138 * acceptable TLS session is used.
139 */
140char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
141                     conn_rec *c, request_rec *r, char *var)
142{
143    /*
144     * When no pool is given try to find one
145     */
146    if (p == NULL) {
147        if (r != NULL)
148            p = r->pool;
149        else if (c != NULL)
150            p = c->pool;
151        else
152            return NULL;
153    }
154
155    if (strcmp(var, "HTTPS") == 0)
156    {
157        if (c != NULL && ssl_is_https(c))
158            return "on";
159        else
160            return "off";
161    }
162
163    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
164
165    /* TLS parameters are empty if there is no session */
166    if (ctxt == NULL || ctxt->c == NULL)
167        return NULL;
168
169    if (strcmp(var, "SSL_PROTOCOL") == 0)
170        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
171
172    if (strcmp(var, "SSL_CIPHER") == 0)
173        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
174                                                           gnutls_cipher_get(ctxt->session),
175                                                           gnutls_mac_get(ctxt->session)));
176
177    /* mod_ssl supports a LOT more variables */
178    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
179                  "unsupported variable requested: '%s'",
180                  var);
181
182    return NULL;
183}
184
185
186
187/**
[23e98b3]188 * In Apache versions from 2.4.33 mod_proxy uses this function to set
189 * up its client connections. Note that mod_gnutls does not (yet)
190 * implement per directory configuration for such connections.
191 *
192 * @param c the connection
193 * @param dir_conf per directory configuration, unused for now
194 * @param proxy Is this a proxy connection?
195 * @param enable Should TLS be enabled on this connection?
196 *
197 * @param `true` (1) if successful, `false` (0) otherwise
198 */
199int ssl_engine_set(conn_rec *c,
200                   ap_conf_vector_t *dir_conf __attribute__((unused)),
201                   int proxy, int enable)
[e8acf05]202{
[235e109]203    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
[e8acf05]204
[23e98b3]205    /* If TLS proxy has been requested, check if support is enabled
206     * for the server */
207    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
[07d548d]208    {
209        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
210                      "%s: mod_proxy requested TLS proxy, but not enabled "
[23e98b3]211                      "for %s", __func__, ctxt->sc->cert_cn);
[07d548d]212        return 0;
213    }
214
[23e98b3]215    if (proxy)
216        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
217    else
218        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
219
220    if (enable)
221        ctxt->enabled = GNUTLS_ENABLED_TRUE;
222    else
223        ctxt->enabled = GNUTLS_ENABLED_FALSE;
224
[37f8282]225    return 1;
[9706fc2]226}
227
[23e98b3]228int ssl_engine_disable(conn_rec *c)
229{
230    return ssl_engine_set(c, NULL, 0, 0);
231}
232
233int ssl_proxy_enable(conn_rec *c)
234{
235    return ssl_engine_set(c, NULL, 1, 1);
236}
237
[46b85d8]238static const command_rec mgs_config_cmds[] = {
[176047e]239    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
[33826c5]240    NULL,
241    RSRC_CONF | OR_AUTHCFG,
[176047e]242    "Enable TLS Proxy Engine"),
[87f1ed2]243    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
244    NULL,
245    RSRC_CONF,
[f21d2a6]246    "Load this specific PKCS #11 provider library"),
[031acac]247    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
248    NULL,
249    RSRC_CONF,
250    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
251    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
252    NULL,
253    RSRC_CONF,
254    "The SRK PIN to use in case of TPM keys."),
[e183628]255    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
256    NULL,
257    RSRC_CONF | OR_AUTHCFG,
258    "Set Verification Requirements of the Client Certificate"),
[cf2b905]259    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
260    NULL,
261    RSRC_CONF,
262    "Set Verification Method of the Client Certificate"),
[e183628]263    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
264    NULL,
265    RSRC_CONF,
266    "Set the CA File to verify Client Certificates"),
267    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
268    NULL,
269    RSRC_CONF,
270    "Set the CA File to verify Client Certificates"),
271    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
272    NULL,
273    RSRC_CONF,
274    "Set the Keyring File to verify Client Certificates"),
275    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
276    NULL,
277    RSRC_CONF,
278    "Set the file to read Diffie Hellman parameters from"),
279    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
280    NULL,
281    RSRC_CONF,
[88df24d]282    "TLS Server X509 Certificate file"),
[e183628]283    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
284    NULL,
285    RSRC_CONF,
[88df24d]286    "TLS Server X509 Private Key file"),
[e183628]287    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
288    NULL,
289    RSRC_CONF,
[88df24d]290    "TLS Server X509 Certificate file"),
[e183628]291    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
292    NULL,
293    RSRC_CONF,
[88df24d]294    "TLS Server X509 Private Key file"),
[e183628]295    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
296    NULL,
297    RSRC_CONF,
[88df24d]298    "TLS Server PGP Certificate file"),
[e183628]299    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
300    NULL,
301    RSRC_CONF,
[88df24d]302    "TLS Server PGP Private key file"),
[787dab7]303#ifdef ENABLE_SRP
[e183628]304    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
305    NULL,
306    RSRC_CONF,
[88df24d]307    "TLS Server SRP Password Conf file"),
[e183628]308    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
309    mgs_set_srp_tpasswd_conf_file,
310    NULL,
311    RSRC_CONF,
[88df24d]312    "TLS Server SRP Parameters file"),
[787dab7]313#endif
[70a1e5a]314    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
[e183628]315    NULL,
316    RSRC_CONF,
317    "Cache Timeout"),
318    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
319    NULL,
320    RSRC_CONF,
321    "Cache Configuration"),
[176047e]322    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
[e183628]323    NULL,
324    RSRC_CONF,
325    "Session Tickets Configuration"),
326    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
327    NULL,
328    RSRC_CONF,
329    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
[176047e]330    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
[e183628]331    NULL,
332    RSRC_CONF,
333    "Whether this server has GnuTLS Enabled. Default: Off"),
[7d1ab49]334    AP_INIT_TAKE1("GnuTLSExportCertificates",
[2aaf4f5]335    mgs_set_export_certificates_size,
[7d1ab49]336    NULL,
337    RSRC_CONF,
[2aaf4f5]338    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
[0de1839]339    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
340    NULL,
341    RSRC_CONF,
342    "X509 client private file for proxy connections"),
343    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
344    NULL,
345    RSRC_CONF,
346    "X509 client certificate file for proxy connections"),
347    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
348    NULL,
349    RSRC_CONF,
350    "X509 trusted CA file for proxy connections"),
[809c422]351    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
352    NULL,
353    RSRC_CONF,
354    "X509 CRL file for proxy connections"),
[f030883]355    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
356    NULL,
357    RSRC_CONF,
358    "The priorities to enable for proxy connections (ciphers, key exchange, "
359    "MACs, compression)."),
[4d4a406]360    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
[78b75b3]361                 NULL, RSRC_CONF,
[3475e62]362                 "Enable OCSP stapling"),
[b888e8b]363    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
364                 NULL, RSRC_CONF,
365                 "Check nonce in OCSP responses?"),
[94cb972]366    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
[78b75b3]367                  NULL, RSRC_CONF,
[3475e62]368                  "Read OCSP response for stapling from this file instead "
369                  "of sending a request over HTTP (must be updated "
370                  "externally)"),
[e1c094c]371    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
[78b75b3]372                  NULL, RSRC_CONF,
[e1c094c]373                  "Cache timeout for OCSP responses"),
[c6dda6d]374    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
375                  NULL, RSRC_CONF,
[3475e62]376                  "Wait this many seconds before retrying a failed OCSP "
377                  "request"),
[333bbc7]378    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
379                  NULL, RSRC_CONF,
[3475e62]380                  "Socket timeout for OCSP requests"),
[15b22cb]381#ifdef __clang__
382    /* Workaround for this clang bug:
383     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
384    {},
385#else
[7d1ab49]386    { NULL },
[15b22cb]387#endif
[46b85d8]388};
[9706fc2]389
390module AP_MODULE_DECLARE_DATA gnutls_module = {
[e183628]391    STANDARD20_MODULE_STUFF,
[2d0f6cf]392    .create_dir_config = mgs_config_dir_create,
393    .merge_dir_config = mgs_config_dir_merge,
394    .create_server_config = mgs_config_server_create,
[040387c]395    .merge_server_config = mgs_config_server_merge,
[2d0f6cf]396    .cmds = mgs_config_cmds,
397    .register_hooks = gnutls_hooks
[9706fc2]398};
Note: See TracBrowser for help on using the repository browser.