source: mod_gnutls/src/mod_gnutls.c @ 3c475e0

debian/masterproxy-ticket
Last change on this file since 3c475e0 was 3c475e0, checked in by Fiona Klute <fiona.klute@…>, 3 years ago

Ensure that mod_gnutls child_init runs before mod_watchdog's

Our child_init hook must run before mod_watchdog's because our
watchdog threads are started there and need some child-specific
resources. A child process might (race condition) segfault if these
structures haven't been properly initialized.

  • Property mode set to 100644
File size: 13.3 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *  Copyright 2015-2018 Fiona Klute
6 *
7 *  Licensed under the Apache License, Version 2.0 (the "License");
8 *  you may not use this file except in compliance with the License.
9 *  You may obtain a copy of the License at
10 *
11 *      http://www.apache.org/licenses/LICENSE-2.0
12 *
13 *  Unless required by applicable law or agreed to in writing, software
14 *  distributed under the License is distributed on an "AS IS" BASIS,
15 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 *  See the License for the specific language governing permissions and
17 *  limitations under the License.
18 */
19
20#include "mod_gnutls.h"
21#include "gnutls_ocsp.h"
22#include "gnutls_util.h"
23
24#ifdef APLOG_USE_MODULE
25APLOG_USE_MODULE(gnutls);
26#endif
27
28int ssl_engine_set(conn_rec *c,
29                   ap_conf_vector_t *dir_conf __attribute__((unused)),
30                   int proxy, int enable);
31
32#define MOD_HTTP2 "mod_http2.c"
33#define MOD_WATCHDOG "mod_watchdog.c"
34static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
35static const char * const mod_http2[] = { MOD_HTTP2, NULL };
36static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
37
38static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
39{
40    /* Watchdog callbacks must be configured before post_config of
41     * mod_watchdog runs, or the watchdog won't be started. Similarly,
42     * our child_init hook must run before mod_watchdog's because our
43     * watchdog threads are started there and need some child-specific
44     * resources. */
45    static const char * const post_conf_succ[] =
46        { MOD_HTTP2, MOD_WATCHDOG, NULL };
47    ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
48                        APR_HOOK_MIDDLE);
49    /* HTTP Scheme Hook */
50    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
51    /* Default Port Hook */
52    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
53    /* Pre-Connect Hook */
54    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
55                           APR_HOOK_MIDDLE);
56    ap_hook_process_connection(mgs_hook_process_connection,
57                               NULL, mod_http2, APR_HOOK_MIDDLE);
58    /* Pre-Config Hook */
59    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
60                       APR_HOOK_MIDDLE);
61    /* Child-Init Hook */
62    ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
63                       APR_HOOK_MIDDLE);
64    /* Authentication Hook */
65    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
66                           APR_HOOK_REALLY_FIRST);
67    /* Fixups Hook */
68    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
69
70    /* TODO: HTTP Upgrade Filter */
71    /* ap_register_output_filter ("UPGRADE_FILTER",
72     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
73     */
74
75    /* Input Filter */
76    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
77                             NULL, AP_FTYPE_CONNECTION + 5);
78    /* Output Filter */
79    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
80                              NULL, AP_FTYPE_CONNECTION + 5);
81
82    /* mod_proxy calls these functions */
83    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
84    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
85    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
86
87    /* mod_rewrite calls this function to detect HTTPS */
88    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
89    /* some modules look up TLS-related variables */
90    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
91}
92
93
94
95/**
96 * Get the connection context, resolving to a master connection if
97 * any.
98 *
99 * @param c the connection handle
100 *
101 * @return mod_gnutls session context, might be `NULL`
102 */
103mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
104{
105    mgs_handle_t *ctxt = (mgs_handle_t *)
106        ap_get_module_config(c->conn_config, &gnutls_module);
107    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
108    {
109        ctxt = (mgs_handle_t *)
110            ap_get_module_config(c->master->conn_config, &gnutls_module);
111    }
112    return ctxt;
113}
114
115
116
117/**
118 * mod_rewrite calls this function to fill %{HTTPS}.
119 *
120 * @param c the connection to check
121 * @return non-zero value if HTTPS is in use, zero if not
122 */
123int ssl_is_https(conn_rec *c)
124{
125    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
126    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
127        ap_get_module_config(c->base_server->module_config, &gnutls_module);
128
129    if(sc->enabled == GNUTLS_ENABLED_FALSE
130       || ctxt == NULL
131       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
132    {
133        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
134        return 0;
135    }
136    /* Connection is Using SSL/TLS */
137    return 1;
138}
139
140
141
142/**
143 * Return variables describing the current TLS session (if any).
144 *
145 * mod_ssl doc for this function: "This function must remain safe to
146 * use for a non-SSL connection." mod_http2 uses it to check if an
147 * acceptable TLS session is used.
148 */
149char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
150                     conn_rec *c, request_rec *r, char *var)
151{
152    /*
153     * When no pool is given try to find one
154     */
155    if (p == NULL) {
156        if (r != NULL)
157            p = r->pool;
158        else if (c != NULL)
159            p = c->pool;
160        else
161            return NULL;
162    }
163
164    if (strcmp(var, "HTTPS") == 0)
165    {
166        if (c != NULL && ssl_is_https(c))
167            return "on";
168        else
169            return "off";
170    }
171
172    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
173
174    /* TLS parameters are empty if there is no session */
175    if (ctxt == NULL || ctxt->c == NULL)
176        return NULL;
177
178    if (strcmp(var, "SSL_PROTOCOL") == 0)
179        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
180
181    if (strcmp(var, "SSL_CIPHER") == 0)
182        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
183                                                           gnutls_cipher_get(ctxt->session),
184                                                           gnutls_mac_get(ctxt->session)));
185
186    /* mod_ssl supports a LOT more variables */
187    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
188                  "unsupported variable requested: '%s'",
189                  var);
190
191    return NULL;
192}
193
194
195
196/**
197 * In Apache versions from 2.4.33 mod_proxy uses this function to set
198 * up its client connections. Note that mod_gnutls does not (yet)
199 * implement per directory configuration for such connections.
200 *
201 * @param c the connection
202 * @param dir_conf per directory configuration, unused for now
203 * @param proxy Is this a proxy connection?
204 * @param enable Should TLS be enabled on this connection?
205 *
206 * @param `true` (1) if successful, `false` (0) otherwise
207 */
208int ssl_engine_set(conn_rec *c,
209                   ap_conf_vector_t *dir_conf __attribute__((unused)),
210                   int proxy, int enable)
211{
212    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
213
214    /* If TLS proxy has been requested, check if support is enabled
215     * for the server */
216    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
217    {
218        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
219                      "%s: mod_proxy requested TLS proxy, but not enabled "
220                      "for %s", __func__, ctxt->sc->cert_cn);
221        return 0;
222    }
223
224    if (proxy)
225        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
226    else
227        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
228
229    if (enable)
230        ctxt->enabled = GNUTLS_ENABLED_TRUE;
231    else
232        ctxt->enabled = GNUTLS_ENABLED_FALSE;
233
234    return 1;
235}
236
237int ssl_engine_disable(conn_rec *c)
238{
239    return ssl_engine_set(c, NULL, 0, 0);
240}
241
242int ssl_proxy_enable(conn_rec *c)
243{
244    return ssl_engine_set(c, NULL, 1, 1);
245}
246
247static const command_rec mgs_config_cmds[] = {
248    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
249    NULL,
250    RSRC_CONF | OR_AUTHCFG,
251    "Enable TLS Proxy Engine"),
252    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
253    NULL,
254    RSRC_CONF,
255    "Load this specific PKCS #11 provider library"),
256    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
257    NULL,
258    RSRC_CONF,
259    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
260    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
261    NULL,
262    RSRC_CONF,
263    "The SRK PIN to use in case of TPM keys."),
264    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
265    NULL,
266    RSRC_CONF | OR_AUTHCFG,
267    "Set Verification Requirements of the Client Certificate"),
268    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
269    NULL,
270    RSRC_CONF,
271    "Set Verification Method of the Client Certificate"),
272    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
273    NULL,
274    RSRC_CONF,
275    "Set the CA File to verify Client Certificates"),
276    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
277    NULL,
278    RSRC_CONF,
279    "Set the CA File to verify Client Certificates"),
280    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file,
281    NULL,
282    RSRC_CONF,
283    "Set the Keyring File to verify Client Certificates"),
284    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
285    NULL,
286    RSRC_CONF,
287    "Set the file to read Diffie Hellman parameters from"),
288    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
289    NULL,
290    RSRC_CONF,
291    "TLS Server X509 Certificate file"),
292    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
293    NULL,
294    RSRC_CONF,
295    "TLS Server X509 Private Key file"),
296    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
297    NULL,
298    RSRC_CONF,
299    "TLS Server X509 Certificate file"),
300    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
301    NULL,
302    RSRC_CONF,
303    "TLS Server X509 Private Key file"),
304    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file,
305    NULL,
306    RSRC_CONF,
307    "TLS Server PGP Certificate file"),
308    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file,
309    NULL,
310    RSRC_CONF,
311    "TLS Server PGP Private key file"),
312#ifdef ENABLE_SRP
313    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
314    NULL,
315    RSRC_CONF,
316    "TLS Server SRP Password Conf file"),
317    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
318    mgs_set_srp_tpasswd_conf_file,
319    NULL,
320    RSRC_CONF,
321    "TLS Server SRP Parameters file"),
322#endif
323    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
324    NULL,
325    RSRC_CONF,
326    "Cache Timeout"),
327    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
328    NULL,
329    RSRC_CONF,
330    "Cache Configuration"),
331    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
332    NULL,
333    RSRC_CONF,
334    "Session Tickets Configuration"),
335    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
336    NULL,
337    RSRC_CONF,
338    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
339    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
340    NULL,
341    RSRC_CONF,
342    "Whether this server has GnuTLS Enabled. Default: Off"),
343    AP_INIT_TAKE1("GnuTLSExportCertificates",
344    mgs_set_export_certificates_size,
345    NULL,
346    RSRC_CONF,
347    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
348    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
349    NULL,
350    RSRC_CONF,
351    "X509 client private file for proxy connections"),
352    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
353    NULL,
354    RSRC_CONF,
355    "X509 client certificate file for proxy connections"),
356    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
357    NULL,
358    RSRC_CONF,
359    "X509 trusted CA file for proxy connections"),
360    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
361    NULL,
362    RSRC_CONF,
363    "X509 CRL file for proxy connections"),
364    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
365    NULL,
366    RSRC_CONF,
367    "The priorities to enable for proxy connections (ciphers, key exchange, "
368    "MACs, compression)."),
369    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
370                 NULL, RSRC_CONF,
371                 "Enable OCSP stapling"),
372    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
373                 NULL, RSRC_CONF,
374                 "Check nonce in OCSP responses?"),
375    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
376                  NULL, RSRC_CONF,
377                  "Read OCSP response for stapling from this file instead "
378                  "of sending a request over HTTP (must be updated "
379                  "externally)"),
380    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
381                  NULL, RSRC_CONF,
382                  "Cache timeout for OCSP responses"),
383    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
384                  NULL, RSRC_CONF,
385                  "Wait this many seconds before retrying a failed OCSP "
386                  "request"),
387    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
388                  NULL, RSRC_CONF,
389                  "Socket timeout for OCSP requests"),
390#ifdef __clang__
391    /* Workaround for this clang bug:
392     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
393    {},
394#else
395    { NULL },
396#endif
397};
398
399module AP_MODULE_DECLARE_DATA gnutls_module = {
400    STANDARD20_MODULE_STUFF,
401    .create_dir_config = mgs_config_dir_create,
402    .merge_dir_config = mgs_config_dir_merge,
403    .create_server_config = mgs_config_server_create,
404    .merge_server_config = mgs_config_server_merge,
405    .cmds = mgs_config_cmds,
406    .register_hooks = gnutls_hooks
407};
Note: See TracBrowser for help on using the repository browser.