source: mod_gnutls/src/mod_gnutls.c @ adceac0

debian/master
Last change on this file since adceac0 was adceac0, checked in by Fiona Klute <fiona.klute@…>, 15 months ago

Remove unneeded server variables "cert_cn" and "cert_san"

"cert_san" wasn't used or assigned at all, "cert_cn" filled but used
only in a redundant check for assignment and a log message that's
better served by the server name of the virtual host.

  • Property mode set to 100644
File size: 14.1 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008, 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *  Copyright 2015-2018 Fiona Klute
6 *
7 *  Licensed under the Apache License, Version 2.0 (the "License");
8 *  you may not use this file except in compliance with the License.
9 *  You may obtain a copy of the License at
10 *
11 *      http://www.apache.org/licenses/LICENSE-2.0
12 *
13 *  Unless required by applicable law or agreed to in writing, software
14 *  distributed under the License is distributed on an "AS IS" BASIS,
15 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 *  See the License for the specific language governing permissions and
17 *  limitations under the License.
18 */
19
20#include "mod_gnutls.h"
21#include "gnutls_config.h"
22#include "gnutls_ocsp.h"
23#include "gnutls_util.h"
24
25#ifdef APLOG_USE_MODULE
26APLOG_USE_MODULE(gnutls);
27#endif
28
29int ssl_engine_set(conn_rec *c,
30                   ap_conf_vector_t *dir_conf __attribute__((unused)),
31                   int proxy, int enable);
32
33#define MOD_HTTP2 "mod_http2.c"
34#define MOD_WATCHDOG "mod_watchdog.c"
35static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
36static const char * const mod_http2[] = { MOD_HTTP2, NULL };
37static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
38
39static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
40{
41    /* Watchdog callbacks must be configured before post_config of
42     * mod_watchdog runs, or the watchdog won't be started. Similarly,
43     * our child_init hook must run before mod_watchdog's because our
44     * watchdog threads are started there and need some child-specific
45     * resources. */
46    static const char * const post_conf_succ[] =
47        { MOD_HTTP2, MOD_WATCHDOG, NULL };
48    ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
49                        APR_HOOK_MIDDLE);
50    /* HTTP Scheme Hook */
51    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
52    /* Default Port Hook */
53    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
54    /* Pre-Connect Hook */
55    ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
56                           APR_HOOK_MIDDLE);
57    ap_hook_process_connection(mgs_hook_process_connection,
58                               NULL, mod_http2, APR_HOOK_MIDDLE);
59    /* Pre-Config Hook */
60    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
61                       APR_HOOK_MIDDLE);
62    /* Child-Init Hook */
63    ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
64                       APR_HOOK_MIDDLE);
65    /* Authentication Hook */
66    ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
67                           APR_HOOK_REALLY_FIRST);
68    /* Fixups Hook */
69    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
70
71    /* TODO: HTTP Upgrade Filter */
72    /* ap_register_output_filter ("UPGRADE_FILTER",
73     *          ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
74     */
75
76    /* Input Filter */
77    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
78                             NULL, AP_FTYPE_CONNECTION + 5);
79    /* Output Filter */
80    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
81                              NULL, AP_FTYPE_CONNECTION + 5);
82
83    /* mod_proxy calls these functions */
84    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
85    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
86    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
87
88    /* mod_rewrite calls this function to detect HTTPS */
89    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
90    /* some modules look up TLS-related variables */
91    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
92}
93
94
95
96/**
97 * Get the connection context, resolving to a master connection if
98 * any.
99 *
100 * @param c the connection handle
101 *
102 * @return mod_gnutls session context, might be `NULL`
103 */
104mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
105{
106    mgs_handle_t *ctxt = (mgs_handle_t *)
107        ap_get_module_config(c->conn_config, &gnutls_module);
108    if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
109    {
110        ctxt = (mgs_handle_t *)
111            ap_get_module_config(c->master->conn_config, &gnutls_module);
112    }
113    return ctxt;
114}
115
116
117
118/**
119 * mod_rewrite calls this function to fill %{HTTPS}.
120 *
121 * @param c the connection to check
122 * @return non-zero value if HTTPS is in use, zero if not
123 */
124int ssl_is_https(conn_rec *c)
125{
126    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
127    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
128        ap_get_module_config(c->base_server->module_config, &gnutls_module);
129
130    if(sc->enabled == GNUTLS_ENABLED_FALSE
131       || ctxt == NULL
132       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
133    {
134        /* SSL/TLS Disabled or Plain HTTP Connection Detected */
135        return 0;
136    }
137    /* Connection is Using SSL/TLS */
138    return 1;
139}
140
141
142
143/**
144 * Return variables describing the current TLS session (if any).
145 *
146 * mod_ssl doc for this function: "This function must remain safe to
147 * use for a non-SSL connection." mod_http2 uses it to check if an
148 * acceptable TLS session is used.
149 */
150char* ssl_var_lookup(apr_pool_t *p, server_rec *s __attribute__((unused)),
151                     conn_rec *c, request_rec *r, char *var)
152{
153    /*
154     * When no pool is given try to find one
155     */
156    if (p == NULL) {
157        if (r != NULL)
158            p = r->pool;
159        else if (c != NULL)
160            p = c->pool;
161        else
162            return NULL;
163    }
164
165    if (strcmp(var, "HTTPS") == 0)
166    {
167        if (c != NULL && ssl_is_https(c))
168            return "on";
169        else
170            return "off";
171    }
172
173    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
174
175    /* TLS parameters are empty if there is no session */
176    if (ctxt == NULL || ctxt->c == NULL)
177        return NULL;
178
179    if (strcmp(var, "SSL_PROTOCOL") == 0)
180        return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
181
182    if (strcmp(var, "SSL_CIPHER") == 0)
183        return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
184                                                           gnutls_cipher_get(ctxt->session),
185                                                           gnutls_mac_get(ctxt->session)));
186
187    /* mod_ssl supports a LOT more variables */
188    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
189                  "unsupported variable requested: '%s'",
190                  var);
191
192    return NULL;
193}
194
195
196
197/**
198 * In Apache versions from 2.4.33 mod_proxy uses this function to set
199 * up its client connections. Note that mod_gnutls does not (yet)
200 * implement per directory configuration for such connections.
201 *
202 * @param c the connection
203 * @param dir_conf per directory configuration, unused for now
204 * @param proxy Is this a proxy connection?
205 * @param enable Should TLS be enabled on this connection?
206 *
207 * @param `true` (1) if successful, `false` (0) otherwise
208 */
209int ssl_engine_set(conn_rec *c,
210                   ap_conf_vector_t *dir_conf __attribute__((unused)),
211                   int proxy, int enable)
212{
213    mgs_handle_t *ctxt = init_gnutls_ctxt(c);
214
215    /* If TLS proxy has been requested, check if support is enabled
216     * for the server */
217    if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
218    {
219        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
220                      "%s: mod_proxy requested TLS proxy, but not enabled "
221                      "for %s:%d", __func__,
222                      ctxt->c->base_server->server_hostname,
223                      ctxt->c->base_server->addrs->host_port);
224        return 0;
225    }
226
227    if (proxy)
228        ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
229    else
230        ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
231
232    if (enable)
233        ctxt->enabled = GNUTLS_ENABLED_TRUE;
234    else
235        ctxt->enabled = GNUTLS_ENABLED_FALSE;
236
237    return 1;
238}
239
240int ssl_engine_disable(conn_rec *c)
241{
242    return ssl_engine_set(c, NULL, 0, 0);
243}
244
245int ssl_proxy_enable(conn_rec *c)
246{
247    return ssl_engine_set(c, NULL, 1, 1);
248}
249
250#define OPENPGP_REMOVED "OpenPGP support has been removed."
251
252static const command_rec mgs_config_cmds[] = {
253    AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
254    NULL,
255    RSRC_CONF | OR_AUTHCFG,
256    "Enable TLS Proxy Engine"),
257    AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
258    NULL,
259    RSRC_CONF,
260    "Load this specific PKCS #11 provider library"),
261    AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
262    NULL,
263    RSRC_CONF,
264    "The PIN to use in case of encrypted keys or PKCS #11 tokens."),
265    AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
266    NULL,
267    RSRC_CONF,
268    "The SRK PIN to use in case of TPM keys."),
269    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
270    NULL,
271    RSRC_CONF | OR_AUTHCFG,
272    "Set Verification Requirements of the Client Certificate"),
273    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
274    NULL,
275    RSRC_CONF,
276    "Set Verification Method of the Client Certificate"),
277    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
278    NULL,
279    RSRC_CONF,
280    "Set the CA File to verify Client Certificates"),
281    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
282    NULL,
283    RSRC_CONF,
284    "Set the CA File to verify Client Certificates"),
285    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
286    NULL,
287    RSRC_CONF,
288    "Set the file to read Diffie Hellman parameters from"),
289    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
290    NULL,
291    RSRC_CONF,
292    "TLS Server X509 Certificate file"),
293    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
294    NULL,
295    RSRC_CONF,
296    "TLS Server X509 Private Key file"),
297    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
298    NULL,
299    RSRC_CONF,
300    "TLS Server X509 Certificate file"),
301    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
302    NULL,
303    RSRC_CONF,
304    "TLS Server X509 Private Key file"),
305#ifdef ENABLE_SRP
306    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
307    NULL,
308    RSRC_CONF,
309    "TLS Server SRP Password Conf file"),
310    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
311    mgs_set_srp_tpasswd_conf_file,
312    NULL,
313    RSRC_CONF,
314    "TLS Server SRP Parameters file"),
315#endif
316    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
317    NULL,
318    RSRC_CONF,
319    "Cache Timeout"),
320    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
321    NULL,
322    RSRC_CONF,
323    "Session Cache Configuration"),
324    AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
325    NULL,
326    RSRC_CONF,
327    "Session Tickets Configuration"),
328    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
329    NULL,
330    RSRC_CONF,
331    "The priorities to enable (ciphers, Key exchange, macs, compression)."),
332    AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
333    NULL,
334    RSRC_CONF,
335    "Whether this server has GnuTLS Enabled. Default: Off"),
336    AP_INIT_TAKE1("GnuTLSExportCertificates",
337    mgs_set_export_certificates_size,
338    NULL,
339    RSRC_CONF,
340    "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
341    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
342    NULL,
343    RSRC_CONF,
344    "X509 client private file for proxy connections"),
345    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
346    NULL,
347    RSRC_CONF,
348    "X509 client certificate file for proxy connections"),
349    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
350    NULL,
351    RSRC_CONF,
352    "X509 trusted CA file for proxy connections"),
353    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
354    NULL,
355    RSRC_CONF,
356    "X509 CRL file for proxy connections"),
357    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
358    NULL,
359    RSRC_CONF,
360    "The priorities to enable for proxy connections (ciphers, key exchange, "
361    "MACs, compression)."),
362    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
363                 NULL, RSRC_CONF,
364                 "Enable OCSP stapling"),
365    AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
366                 NULL, RSRC_CONF,
367                 "Regularly refresh cached OCSP response independent "
368                 "of TLS handshakes?"),
369    AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache,
370                   NULL,
371                   RSRC_CONF,
372                  "OCSP Cache Configuration"),
373    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
374                 NULL, RSRC_CONF,
375                 "Check nonce in OCSP responses?"),
376    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
377                  NULL, RSRC_CONF,
378                  "Read OCSP response for stapling from this file instead "
379                  "of sending a request over HTTP (must be updated "
380                  "externally)"),
381    AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
382                  NULL, RSRC_CONF,
383                  "Cache timeout for OCSP responses"),
384    AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
385                  NULL, RSRC_CONF,
386                  "Wait this many seconds before retrying a failed OCSP "
387                  "request"),
388    AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
389                  NULL, RSRC_CONF,
390                  "Update cached OCSP response up to this many seconds "
391                  "before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
392    AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
393                  NULL, RSRC_CONF,
394                  "Socket timeout for OCSP requests"),
395    AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
396                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
397    AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
398                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
399    AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
400                     ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
401#ifdef __clang__
402    /* Workaround for this clang bug:
403     * https://llvm.org/bugs/show_bug.cgi?id=21689 */
404    {},
405#else
406    { NULL },
407#endif
408};
409
410module AP_MODULE_DECLARE_DATA gnutls_module = {
411    STANDARD20_MODULE_STUFF,
412    .create_dir_config = mgs_config_dir_create,
413    .merge_dir_config = mgs_config_dir_merge,
414    .create_server_config = mgs_config_server_create,
415    .merge_server_config = mgs_config_server_merge,
416    .cmds = mgs_config_cmds,
417    .register_hooks = gnutls_hooks
418};
Note: See TracBrowser for help on using the repository browser.