source: mod_gnutls/src/mod_gnutls.c @ 2cde026d

Last change on this file since 2cde026d was 2cde026d, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Merge branch 'new-gnutls-api'

Merge my TLS proxy implementation with Nikos Mavrogiannopoulos' changes
to use the new GnuTLS key handling API. Some conflicts had to be
resolved.

In Nikos' branch, structures for credentials and priorities are
allocated in mgs_load_files (gnutls_config.c), rather than during server
config structure creation as before. This makes sense, but his patch
doesn't consider the proxy credentials because they didn't exist at the
time.

To minimize additional changes during the merge, proxy credentials are
now allocated in load_proxy_x509_credentials (gnutls_hooks.c), and
mgs_set_priorities (gnutls_config.c) treats proxy and front end
credentials differently (value of GnuTLSPriorities is stored for
mgs_load_files, GnuTLSProxyPriorities is parsed immediately).

Unified handling of priority strings in mgs_set_priorities should be
restored later (towards parsing in post config). Handling front end and
proxy credentials separately still makes sense, because the latter need
only be loaded when TLS proxy operation is enabled, and there are some
differences between client (proxy back end) and server (front end)
operation.

/**
 *  Copyright 2004-2005 Paul Querna
 *  Copyright 2008 Nikos Mavrogiannopoulos
 *  Copyright 2011 Dash Shendy
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 */
19
20#include "mod_gnutls.h"
21
#ifdef APLOG_USE_MODULE
/* Attribute log messages from this file to the "gnutls" module; the
 * macro only exists in newer httpd releases, hence the guard. */
APLOG_USE_MODULE(gnutls);
#endif
25
static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
{
    /*
     * Register every hook, filter and optional function this module
     * provides; wired in through gnutls_module.register_hooks below.
     * The pool parameter is unused because nothing here allocates.
     */

    /* Post-config is ordered after mod_proxy's and runs REALLY_LAST, so
     * the proxy module has finished its own post-config when ours runs. */
    static const char * const run_after[] = { "mod_proxy.c", NULL };
    ap_hook_post_config(mgs_hook_post_config, run_after, NULL,
                        APR_HOOK_REALLY_LAST);

    /* Server and child start-up, then per-connection set-up. */
    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_child_init(mgs_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
                           APR_HOOK_MIDDLE);

    /* Scheme and default-port hooks. The scheme hook was renamed between
     * httpd releases, hence the version switch on the registration call. */
#if USING_2_1_RECENT
    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#else
    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#endif
    ap_hook_default_port(mgs_hook_default_port, NULL, NULL,
                         APR_HOOK_MIDDLE);

    /* Request phase. Both are REALLY_FIRST so they run before any other
     * module's access checker / fixups handler for the same phase. */
    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
                           APR_HOOK_REALLY_FIRST);
    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);

    /* TODO: an HTTP Upgrade output filter ("UPGRADE_FILTER" at
     * AP_FTYPE_PROTOCOL + 5) is not implemented yet. */

    /* Connection-level input/output filters (mgs_filter_input and
     * mgs_filter_output), registered just above AP_FTYPE_CONNECTION. */
    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
                             NULL, AP_FTYPE_CONNECTION + 5);
    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
                              NULL, AP_FTYPE_CONNECTION + 5);

    /* Optional functions looked up by mod_proxy; both are defined below. */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
71
int ssl_is_https(conn_rec *c)
{
    /*
     * Report whether connection c is using SSL/TLS.
     *
     * Returns 1 when TLS is enabled for the connection's base server and
     * the connection has not been flagged as a plain HTTP request,
     * 0 otherwise.
     *
     * NOTE(review): only the server-level mgs_srvconf_rec is consulted;
     * the per-connection mgs_handle_t that ssl_engine_disable() sets to
     * GNUTLS_ENABLED_FALSE is not, so a connection disabled that way is
     * still reported as HTTPS here — confirm that is intended.
     */
    const mgs_srvconf_rec *sc = (const mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    const int tls_disabled = (sc->enabled == 0);
    const int plain_http = (sc->non_ssl_request == 1);

    return !(tls_disabled || plain_http);
}
83
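/*
 * Return the per-connection mod_gnutls context for c, creating a
 * zero-filled one in c->pool and attaching it to c->conn_config when
 * none exists yet.
 *
 * Both optional functions below need this lookup-or-create step; the
 * NULL check suggests mod_proxy can call them before any per-connection
 * context has been set up (not verified here).
 */
static mgs_handle_t *mgs_conn_ctxt_get_or_create(conn_rec *c)
{
    mgs_handle_t *ctxt = (mgs_handle_t *)
        ap_get_module_config(c->conn_config, &gnutls_module);
    if (ctxt == NULL) {
        /* apr_pcalloc zero-fills, so fields the caller does not set start
         * out as 0 (presumably GNUTLS_ENABLED_FALSE, given that
         * ssl_is_https tests enabled == 0 — confirm). */
        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    }
    return ctxt;
}

int ssl_engine_disable(conn_rec *c)
{
    /*
     * Optional function exported for mod_proxy (see gnutls_hooks): switch
     * TLS off for connection c.
     *
     * Returns 1 unconditionally; callers get no failure indication. When
     * TLS is not enabled for the base server there is nothing to disable
     * and the connection is left untouched.
     */
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    if (sc->enabled == GNUTLS_ENABLED_FALSE) {
        return 1;
    }

    /* disable TLS for this connection */
    mgs_handle_t *ctxt = mgs_conn_ctxt_get_or_create(c);
    ctxt->enabled = GNUTLS_ENABLED_FALSE;
    /* mod_proxy is the only caller (gnutls_hooks), so a connection
     * disabled here is also marked as a proxy connection. */
    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;

    /* NOTE(review): this removes whatever filter currently heads each
     * chain, not specifically the mod_gnutls filters registered in
     * gnutls_hooks. If another module's connection filter is first in
     * the chain it would be removed instead — confirm the ordering that
     * makes this safe, or look the module's own filters up by name. */
    if (c->input_filters) {
        ap_remove_input_filter(c->input_filters);
    }
    if (c->output_filters) {
        ap_remove_output_filter(c->output_filters);
    }

    return 1;
}

int ssl_proxy_enable(conn_rec *c)
{
    /*
     * Optional function exported for mod_proxy (see gnutls_hooks): enable
     * TLS on connection c, which mod_proxy uses for a back end connection.
     *
     * Returns 1 on success. Returns 0 and logs at APLOG_ERR when GnuTLS
     * proxy support is not enabled for the base server; in that case the
     * connection is left untouched so the refusal is explicit rather than
     * a half-configured TLS connection.
     */
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "%s: mod_proxy requested TLS proxy, but not enabled "
                      "for %s", __func__, sc->cert_cn);
        return 0;
    }

    /* enable TLS for this connection */
    mgs_handle_t *ctxt = mgs_conn_ctxt_get_or_create(c);
    ctxt->enabled = GNUTLS_ENABLED_TRUE;
    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
    return 1;
}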
136
/*
 * Configuration directives understood by this module. Each entry names
 * the directive, the parser callback, the context(s) it is allowed in,
 * and the help text httpd shows for it.
 *
 * Descriptions are user-visible strings; keep them stable.
 */
static const command_rec mgs_config_cmds[] = {
    /* Shares the directive name mod_ssl uses for the same switch. */
    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine,
                  NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Enable SSL Proxy Engine"),

    /* Key-unlocking secrets. These arrive through the config parser as
     * raw text, so the configuration file itself holds the PIN. */
    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
                     NULL,
                     RSRC_CONF,
                     "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
                     NULL,
                     RSRC_CONF,
                     "The SRK PIN to use in case of TPM keys."),

    /* Client certificate verification. GnuTLSX509CAFile is an alias of
     * GnuTLSClientCAFile (same handler). */
    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
                  NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Set Verification Requirements of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
                  NULL,
                  RSRC_CONF,
                  "Set Verification Method of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
                  NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
                  NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
                  NULL,
                  RSRC_CONF,
                  "Set the Keyring File to verify Client Certificates"),

    /* Server key material. The GnuTLSX509* names are aliases of the
     * unprefixed directives (same handlers). */
    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
                  NULL,
                  RSRC_CONF,
                  "Set the file to read Diffie Hellman parameters from"),
    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server PGP Certificate file"),
    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server PGP Private key file"),

#ifdef ENABLE_SRP
    /* SRP password database; only compiled in with SRP support. */
    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server SRP Password Conf file"),
    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
                  mgs_set_srp_tpasswd_conf_file,
                  NULL,
                  RSRC_CONF,
                  "SSL Server SRP Parameters file"),
#endif

    /* Session cache and tickets. */
    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout,
                  NULL,
                  RSRC_CONF,
                  "Cache Timeout"),
    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
                   NULL,
                   RSRC_CONF,
                   "Cache Configuration"),
    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
                  NULL,
                  RSRC_CONF,
                  "Session Tickets Configuration"),

    /* Front end (server) settings. */
    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
                     NULL,
                     RSRC_CONF,
                     "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled,
                  NULL,
                  RSRC_CONF,
                  "Whether this server has GnuTLS Enabled. Default: Off"),
    AP_INIT_TAKE1("GnuTLSExportCertificates",
                  mgs_set_export_certificates_size,
                  NULL,
                  RSRC_CONF,
                  "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),

    /* Proxy (back end client) credentials. All four file directives go
     * through mgs_store_cred_path, which presumably dispatches on the
     * directive name; GnuTLSProxyPriorities shares mgs_set_priorities
     * with GnuTLSPriorities and is told apart the same way. */
    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
                  NULL,
                  RSRC_CONF,
                  "X509 client private file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
                  NULL,
                  RSRC_CONF,
                  "X509 client certificate file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
                  NULL,
                  RSRC_CONF,
                  "X509 trusted CA file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
                  NULL,
                  RSRC_CONF,
                  "X509 CRL file for proxy connections"),
    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
                     NULL,
                     RSRC_CONF,
                     "The priorities to enable for proxy connections (ciphers, key exchange, "
                     "MACs, compression)."),

    /* Terminator. */
    { NULL },
};
257
/*
 * Module descriptor httpd loads. STANDARD20_MODULE_STUFF must stay first
 * (positional); the remaining members are designated and order-free.
 */
module AP_MODULE_DECLARE_DATA gnutls_module = {
    STANDARD20_MODULE_STUFF,
    /* Per-server config (cast to mgs_srvconf_rec by the functions above). */
    .create_server_config = mgs_config_server_create,
    .merge_server_config = mgs_config_server_merge,
    /* Per-directory config. */
    .create_dir_config = mgs_config_dir_create,
    .merge_dir_config = mgs_config_dir_merge,
    /* Directive table and hook registration defined in this file. */
    .cmds = mgs_config_cmds,
    .register_hooks = gnutls_hooks,
};