source: mod_gnutls/src/mod_gnutls.c @ 87f1ed2

Last change on this file since 87f1ed2 was 87f1ed2, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Allow loading of an additional PKCS #11 provider library

When using PKCS #11, it may not be desirable to add the PKCS #11 module
to be used by mod_gnutls to the system wide config, and we definitely
cannot demand it for tests.

To work around such problems, add the new configuration parameter
"GnuTLSP11Module", which may contain the path of a library to load. Note
that the value is only used if present in the base server configuration
(not a virtual host), and that the library is used in addition to
system defaults (if any).

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
19
20#include "mod_gnutls.h"
21
#ifdef APLOG_USE_MODULE
/* Bind the APLOG_* logging macros used in this file to the gnutls module
 * (per-module log levels). Guarded so the file still builds on httpd
 * releases where the macro does not exist. */
APLOG_USE_MODULE(gnutls);
#endif
25
/*
 * Register every hook, connection filter and optional function this module
 * provides with the httpd core. Invoked once through
 * gnutls_module.register_hooks.
 *
 * p: configuration pool supplied by the core; not needed here.
 */
static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
{
    /* --- configuration-time hooks --- */
    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);

    /* Modules named here are asked to run their post_config before ours;
     * mod_proxy is the only one, and we additionally sort REALLY_LAST. */
    static const char * const run_after[] = { "mod_proxy.c", NULL };
    ap_hook_post_config(mgs_hook_post_config, run_after, NULL,
                        APR_HOOK_REALLY_LAST);

    ap_hook_child_init(mgs_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);

    /* --- connection- and request-time hooks --- */
    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
                           APR_HOOK_MIDDLE);

    /* The scheme hook changed name between httpd generations; the same
     * handler serves both spellings. */
#if USING_2_1_RECENT
    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#else
    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#endif
    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);

    /* Client-certificate authorization and fixups both want to run before
     * any other module sees the request, hence REALLY_FIRST. */
    ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);
    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);

    /* TODO: HTTP Upgrade Filter */
    /* ap_register_output_filter ("UPGRADE_FILTER",
     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
     */

    /* --- TLS record layer, sitting just above the connection filters --- */
    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
                             NULL, AP_FTYPE_CONNECTION + 5);
    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
                              NULL, AP_FTYPE_CONNECTION + 5);

    /* --- optional functions consumed by mod_proxy --- */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
71
/*
 * Report whether connection c is treated as TLS-protected.
 *
 * Both inputs come from the base server's mod_gnutls config, not from the
 * per-connection handle: TLS must be enabled and the server must not have
 * flagged the connection as a plain-HTTP request.
 *
 * Returns 1 for a TLS connection, 0 otherwise.
 */
int ssl_is_https(conn_rec *c)
{
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    int tls_active = (sc->enabled != 0) && (sc->non_ssl_request != 1);
    return tls_active ? 1 : 0;
}
83
/*
 * Optional function for mod_proxy: turn TLS off for connection c.
 *
 * When TLS is enabled for the base server, the per-connection handle is
 * created on demand, marked disabled and as a proxy connection, and the
 * head filter of each of the connection's input and output chains is
 * removed.
 *
 * Always returns 1 (mod_ssl-style "handled"), even when there was nothing
 * to disable.
 */
int ssl_engine_disable(conn_rec *c)
{
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    /* Nothing to switch off if TLS is not enabled for this server. */
    if (sc->enabled != GNUTLS_ENABLED_FALSE) {
        mgs_handle_t *conn_ctx = (mgs_handle_t *)
            ap_get_module_config(c->conn_config, &gnutls_module);
        if (!conn_ctx) {
            conn_ctx = apr_pcalloc(c->pool, sizeof (*conn_ctx));
            ap_set_module_config(c->conn_config, &gnutls_module, conn_ctx);
        }
        conn_ctx->enabled = GNUTLS_ENABLED_FALSE;
        conn_ctx->is_proxy = GNUTLS_ENABLED_TRUE;

        /* Removes whatever filter currently heads each chain.
         * NOTE(review): this presumes the GnuTLS filters are at the head at
         * the time mod_proxy calls us — confirm against pre_connection. */
        if (c->input_filters) {
            ap_remove_input_filter(c->input_filters);
        }
        if (c->output_filters) {
            ap_remove_output_filter(c->output_filters);
        }
    }

    return 1;
}
110
/*
 * Optional function for mod_proxy: turn TLS on for the outgoing proxy
 * connection c.
 *
 * Honoured only if the base server has proxy TLS enabled; in that case the
 * per-connection handle is created on demand and marked enabled + proxy.
 * Otherwise the refusal is logged at ERR level.
 *
 * Returns 1 when TLS was enabled for c, 0 when proxy TLS is not configured.
 */
int ssl_proxy_enable(conn_rec *c)
{
    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    if (sc->proxy_enabled == GNUTLS_ENABLED_TRUE) {
        mgs_handle_t *conn_ctx = (mgs_handle_t *)
            ap_get_module_config(c->conn_config, &gnutls_module);
        if (!conn_ctx) {
            conn_ctx = apr_pcalloc(c->pool, sizeof (*conn_ctx));
            ap_set_module_config(c->conn_config, &gnutls_module, conn_ctx);
        }
        conn_ctx->enabled = GNUTLS_ENABLED_TRUE;
        conn_ctx->is_proxy = GNUTLS_ENABLED_TRUE;
        return 1;
    }

    /* Proxy TLS was requested but is not configured for this server. */
    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                  "%s: mod_proxy requested TLS proxy, but not enabled "
                  "for %s", __func__, sc->cert_cn);
    return 0;
}
136
/*
 * Configuration directives understood by mod_gnutls. Each entry names the
 * directive, its handler, the contexts it is allowed in and a help string.
 * RSRC_CONF entries are server-level; OR_AUTHCFG additionally permits them
 * in directory/.htaccess context. The table is NULL-terminated.
 */
static const command_rec mgs_config_cmds[] = {
    /* proxy and PKCS #11 setup */
    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Enable SSL Proxy Engine"),
    /* Loaded in addition to any system-wide PKCS #11 modules; per the
     * change description this is honoured only in the base server config,
     * not in a virtual host. */
    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module, NULL,
                  RSRC_CONF,
                  "Load this additional PKCS #11 provider library"),
    /* These two carry secrets in the server config file. */
    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin, NULL,
                     RSRC_CONF,
                     "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin, NULL,
                     RSRC_CONF,
                     "The SRK PIN to use in case of TPM keys."),

    /* client certificate verification */
    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Set Verification Requirements of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method, NULL,
                  RSRC_CONF,
                  "Set Verification Method of the Client Certificate"),
    /* GnuTLSClientCAFile and GnuTLSX509CAFile share one handler. */
    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file, NULL,
                  RSRC_CONF,
                  "Set the Keyring File to verify Client Certificates"),

    /* server credentials */
    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file, NULL,
                  RSRC_CONF,
                  "Set the file to read Diffie Hellman parameters from"),
    /* The plain and X509-prefixed spellings map to the same handlers. */
    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Certificate file"),
    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Private key file"),
#ifdef ENABLE_SRP
    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Password Conf file"),
    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile", mgs_set_srp_tpasswd_conf_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Parameters file"),
#endif

    /* session handling and general switches */
    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout, NULL,
                  RSRC_CONF,
                  "Cache Timeout"),
    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache, NULL,
                   RSRC_CONF,
                   "Cache Configuration"),
    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets, NULL,
                  RSRC_CONF,
                  "Session Tickets Configuration"),
    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, NULL,
                     RSRC_CONF,
                     "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled, NULL,
                  RSRC_CONF,
                  "Whether this server has GnuTLS Enabled. Default: Off"),
    AP_INIT_TAKE1("GnuTLSExportCertificates", mgs_set_export_certificates_size, NULL,
                  RSRC_CONF,
                  "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),

    /* outgoing (proxy) connection credentials; one handler stores all four
     * paths, so the directive name is what distinguishes them */
    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 client private file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 client certificate file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 trusted CA file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 CRL file for proxy connections"),
    /* Same handler as GnuTLSPriorities. */
    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities, NULL,
                     RSRC_CONF,
                     "The priorities to enable for proxy connections (ciphers, key exchange, "
                     "MACs, compression)."),

    { NULL },
};
261
/*
 * Module descriptor picked up by the httpd core: config create/merge
 * callbacks for server and directory scope, the directive table above and
 * the hook registration function.
 */
module AP_MODULE_DECLARE_DATA gnutls_module = {
    STANDARD20_MODULE_STUFF,
    /* server-scope config */
    .create_server_config = mgs_config_server_create,
    .merge_server_config = mgs_config_server_merge,
    /* directory-scope config */
    .create_dir_config = mgs_config_dir_create,
    .merge_dir_config = mgs_config_dir_merge,
    /* directives and hooks */
    .cmds = mgs_config_cmds,
    .register_hooks = gnutls_hooks,
};