source: mod_gnutls/src/mod_gnutls.c @ 23e98b3

asynciodebian/masterdebian/stretch-backportsproxy-ticketupstream
Last change on this file since 23e98b3 was 23e98b3, checked in by Fiona Klute <fiona.klute@…>, 3 years ago

Implement ssl_engine_set as introduced by mod_ssl in Apache 2.4.33

  • Property mode set to 100644
File size: 10.5 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *  Copyright 2015-2016 Thomas Klute
6 *
7 *  Licensed under the Apache License, Version 2.0 (the "License");
8 *  you may not use this file except in compliance with the License.
9 *  You may obtain a copy of the License at
10 *
11 *      http://www.apache.org/licenses/LICENSE-2.0
12 *
13 *  Unless required by applicable law or agreed to in writing, software
14 *  distributed under the License is distributed on an "AS IS" BASIS,
15 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 *  See the License for the specific language governing permissions and
17 *  limitations under the License.
18 */
19
20#include "mod_gnutls.h"
21#include "gnutls_ocsp.h"
22#include "gnutls_util.h"
23
24#ifdef APLOG_USE_MODULE
25APLOG_USE_MODULE(gnutls);
26#endif
27
28int ssl_engine_set(conn_rec *c,
29                   ap_conf_vector_t *dir_conf __attribute__((unused)),
30                   int proxy, int enable);
31
32static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
33{
34    /* Try Run Post-Config Hook After mod_proxy */
35    static const char * const aszPre[] = { "mod_proxy.c", NULL };
36    ap_hook_post_config(mgs_hook_post_config, aszPre, NULL,
37                        APR_HOOK_REALLY_LAST);
38    /* HTTP Scheme Hook */
39    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
40    /* Default Port Hook */
41    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
42    /* Pre-Connect Hook */
43    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
44                           APR_HOOK_MIDDLE);
45    /* Pre-Config Hook */
46    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
47                       APR_HOOK_MIDDLE);
48    /* Child-Init Hook */
49    ap_hook_child_init(mgs_hook_child_init, NULL, NULL,
50                       APR_HOOK_MIDDLE);
51    /* Authentication Hook */
52    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
53                           APR_HOOK_REALLY_FIRST);
54    /* Fixups Hook */
55    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
56
57    /* TODO: HTTP Upgrade Filter */
58    /* ap_register_output_filter ("UPGRADE_FILTER",
59     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
60     */
61
62    /* Input Filter */
63    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
64                             NULL, AP_FTYPE_CONNECTION + 5);
65    /* Output Filter */
66    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
67                              NULL, AP_FTYPE_CONNECTION + 5);
68
69    /* mod_proxy calls these functions */
70    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
71    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
72    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
73
74    /* mod_rewrite calls this function to detect HTTPS */
75    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
76}
77
78
79
80/**
81 * mod_rewrite calls this function to fill %{HTTPS}.
82 *
83 * @param c the connection to check
84 * @return non-zero value if HTTPS is in use, zero if not
85 */
86int ssl_is_https(conn_rec *c)
87{
88    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
89        ap_get_module_config(c->base_server->module_config, &gnutls_module);
90    mgs_handle_t *ctxt = (mgs_handle_t *)
91        ap_get_module_config(c->conn_config, &gnutls_module);
92
93    if(sc->enabled == GNUTLS_ENABLED_FALSE
94       || ctxt == NULL
95       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
96    {
97        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
98        return 0;
99    }
100    /* Connection is Using SSL/TLS */
101    return 1;
102}
103
104
105
106/**
107 * In Apache versions from 2.4.33 mod_proxy uses this function to set
108 * up its client connections. Note that mod_gnutls does not (yet)
109 * implement per directory configuration for such connections.
110 *
111 * @param c the connection
112 * @param dir_conf per directory configuration, unused for now
113 * @param proxy Is this a proxy connection?
114 * @param enable Should TLS be enabled on this connection?
115 *
116 * @param `true` (1) if successful, `false` (0) otherwise
117 */
118int ssl_engine_set(conn_rec *c,
119                   ap_conf_vector_t *dir_conf __attribute__((unused)),
120                   int proxy, int enable)
121{
122    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
123
124    /* If TLS proxy has been requested, check if support is enabled
125     * for the server */
126    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
127    {
128        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
129                      "%s: mod_proxy requested TLS proxy, but not enabled "
130                      "for %s", __func__, ctxt->sc->cert_cn);
131        return 0;
132    }
133
134    if (proxy)
135        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
136    else
137        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
138
139    if (enable)
140        ctxt->enabled = GNUTLS_ENABLED_TRUE;
141    else
142        ctxt->enabled = GNUTLS_ENABLED_FALSE;
143
144    return 1;
145}
146
147int ssl_engine_disable(conn_rec *c)
148{
149    return ssl_engine_set(c, NULL, 0, 0);
150}
151
152int ssl_proxy_enable(conn_rec *c)
153{
154    return ssl_engine_set(c, NULL, 1, 1);
155}
156
157static const command_rec mgs_config_cmds[] = {
158    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
159    NULL,
160    RSRC_CONF | OR_AUTHCFG,
161    "Enable TLS Proxy Engine"),
162    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
163    NULL,
164    RSRC_CONF,
165    "Load this specific PKCS #11 provider library"),
166    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
167    NULL,
168    RSRC_CONF,
169    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
170    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
171    NULL,
172    RSRC_CONF,
173    "The SRK PIN to use in case of TPM keys."),
174    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
175    NULL,
176    RSRC_CONF | OR_AUTHCFG,
177    "Set Verification Requirements of the Client Certificate"),
178    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
179    NULL,
180    RSRC_CONF,
181    "Set Verification Method of the Client Certificate"),
182    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
183    NULL,
184    RSRC_CONF,
185    "Set the CA File to verify Client Certificates"),
186    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
187    NULL,
188    RSRC_CONF,
189    "Set the CA File to verify Client Certificates"),
190    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
191    NULL,
192    RSRC_CONF,
193    "Set the Keyring File to verify Client Certificates"),
194    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
195    NULL,
196    RSRC_CONF,
197    "Set the file to read Diffie Hellman parameters from"),
198    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
199    NULL,
200    RSRC_CONF,
201    "TLS Server X509 Certificate file"),
202    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
203    NULL,
204    RSRC_CONF,
205    "TLS Server X509 Private Key file"),
206    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
207    NULL,
208    RSRC_CONF,
209    "TLS Server X509 Certificate file"),
210    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
211    NULL,
212    RSRC_CONF,
213    "TLS Server X509 Private Key file"),
214    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
215    NULL,
216    RSRC_CONF,
217    "TLS Server PGP Certificate file"),
218    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
219    NULL,
220    RSRC_CONF,
221    "TLS Server PGP Private key file"),
222#ifdef ENABLE_SRP
223    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
224    NULL,
225    RSRC_CONF,
226    "TLS Server SRP Password Conf file"),
227    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
228    mgs_set_srp_tpasswd_conf_file,
229    NULL,
230    RSRC_CONF,
231    "TLS Server SRP Parameters file"),
232#endif
233    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
234    NULL,
235    RSRC_CONF,
236    "Cache Timeout"),
237    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
238    NULL,
239    RSRC_CONF,
240    "Cache Configuration"),
241    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
242    NULL,
243    RSRC_CONF,
244    "Session Tickets Configuration"),
245    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
246    NULL,
247    RSRC_CONF,
248    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
249    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
250    NULL,
251    RSRC_CONF,
252    "Whether this server has GnuTLS Enabled. Default: Off"),
253    AP_INIT_TAKE1("GnuTLSExportCertificates",
254    mgs_set_export_certificates_size,
255    NULL,
256    RSRC_CONF,
257    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
258    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
259    NULL,
260    RSRC_CONF,
261    "X509 client private file for proxy connections"),
262    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
263    NULL,
264    RSRC_CONF,
265    "X509 client certificate file for proxy connections"),
266    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
267    NULL,
268    RSRC_CONF,
269    "X509 trusted CA file for proxy connections"),
270    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
271    NULL,
272    RSRC_CONF,
273    "X509 CRL file for proxy connections"),
274    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
275    NULL,
276    RSRC_CONF,
277    "The priorities to enable for proxy connections (ciphers, key exchange, "
278    "MACs, compression)."),
279    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
280                 NULL, RSRC_CONF,
281                 "Enable OCSP stapling"),
282    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
283                 NULL, RSRC_CONF,
284                 "Check nonce in OCSP responses?"),
285    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
286                  NULL, RSRC_CONF,
287                  "Read OCSP response for stapling from this file instead "
288                  "of sending a request over HTTP (must be updated "
289                  "externally)"),
290    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
291                  NULL, RSRC_CONF,
292                  "Cache timeout for OCSP responses"),
293    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
294                  NULL, RSRC_CONF,
295                  "Wait this many seconds before retrying a failed OCSP "
296                  "request"),
297    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
298                  NULL, RSRC_CONF,
299                  "Socket timeout for OCSP requests"),
300#ifdef __clang__
301    /* Workaround for this clang bug:
302     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
303    {},
304#else
305    { NULL },
306#endif
307};
308
309module AP_MODULE_DECLARE_DATA gnutls_module = {
310    STANDARD20_MODULE_STUFF,
311    .create_dir_config = mgs_config_dir_create,
312    .merge_dir_config = mgs_config_dir_merge,
313    .create_server_config = mgs_config_server_create,
314    .merge_server_config = mgs_config_server_merge,
315    .cmds = mgs_config_cmds,
316    .register_hooks = gnutls_hooks
317};
Note: See TracBrowser for help on using the repository browser.