Context Navigation

mod_gnutls.c @ d036f96

Visit:

asynciodebian/mastermainproxy-ticket

Last change on this file since d036f96 was d036f96, checked in by Fiona Klute <fiona.klute@…>, 5 years ago

Add configuration directive GnuTLSOCSPCache (no-op for now)

First step to a separate cache for OCSP data.

Property mode set to 100644

File size: 13.9 KB

Line
1	/*
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2008, 2014 Nikos Mavrogiannopoulos
4	* Copyright 2011 Dash Shendy
5	* Copyright 2015-2018 Fiona Klute
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License");
8	* you may not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS,
15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*/
19
20	#include "mod_gnutls.h"
21	#include "gnutls_config.h"
22	#include "gnutls_ocsp.h"
23	#include "gnutls_util.h"
24
25	#ifdef APLOG_USE_MODULE
26	APLOG_USE_MODULE(gnutls);
27	#endif
28
29	int ssl_engine_set(conn_rec *c,
30	ap_conf_vector_t *dir_conf __attribute__((unused)),
31	int proxy, int enable);
32
33	#define MOD_HTTP2 "mod_http2.c"
34	#define MOD_WATCHDOG "mod_watchdog.c"
35	static const char * const mod_proxy[] = { "mod_proxy.c", NULL };
36	static const char * const mod_http2[] = { MOD_HTTP2, NULL };
37	static const char * const mod_watchdog[] = { MOD_WATCHDOG, NULL };
38
39	static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
40	{
41	/* Watchdog callbacks must be configured before post_config of
42	* mod_watchdog runs, or the watchdog won't be started. Similarly,
43	* our child_init hook must run before mod_watchdog's because our
44	* watchdog threads are started there and need some child-specific
45	* resources. */
46	static const char * const post_conf_succ[] =
47	{ MOD_HTTP2, MOD_WATCHDOG, NULL };
48	ap_hook_post_config(mgs_hook_post_config, mod_proxy, post_conf_succ,
49	APR_HOOK_MIDDLE);
50	/* HTTP Scheme Hook */
51	ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
52	/* Default Port Hook */
53	ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
54	/* Pre-Connect Hook */
55	ap_hook_pre_connection(mgs_hook_pre_connection, mod_http2, NULL,
56	APR_HOOK_MIDDLE);
57	ap_hook_process_connection(mgs_hook_process_connection,
58	NULL, mod_http2, APR_HOOK_MIDDLE);
59	/* Pre-Config Hook */
60	ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL,
61	APR_HOOK_MIDDLE);
62	/* Child-Init Hook */
63	ap_hook_child_init(mgs_hook_child_init, NULL, mod_watchdog,
64	APR_HOOK_MIDDLE);
65	/* Authentication Hook */
66	ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
67	APR_HOOK_REALLY_FIRST);
68	/* Fixups Hook */
69	ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
70
71	/* TODO: HTTP Upgrade Filter */
72	/* ap_register_output_filter ("UPGRADE_FILTER",
73	* ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
74	*/
75
76	/* Input Filter */
77	ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
78	NULL, AP_FTYPE_CONNECTION + 5);
79	/* Output Filter */
80	ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
81	NULL, AP_FTYPE_CONNECTION + 5);
82
83	/* mod_proxy calls these functions */
84	APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
85	APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
86	APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
87
88	/* mod_rewrite calls this function to detect HTTPS */
89	APR_REGISTER_OPTIONAL_FN(ssl_is_https);
90	/* some modules look up TLS-related variables */
91	APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
92	}
93
94
95
96	/**
97	* Get the connection context, resolving to a master connection if
98	* any.
99	*
100	* @param c the connection handle
101	*
102	* @return mod_gnutls session context, might be `NULL`
103	*/
104	mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c)
105	{
106	mgs_handle_t ctxt = (mgs_handle_t )
107	ap_get_module_config(c->conn_config, &gnutls_module);
108	if (!(ctxt != NULL && ctxt->enabled) && (c->master != NULL))
109	{
110	ctxt = (mgs_handle_t *)
111	ap_get_module_config(c->master->conn_config, &gnutls_module);
112	}
113	return ctxt;
114	}
115
116
117
118	/**
119	* mod_rewrite calls this function to fill %{HTTPS}.
120	*
121	* @param c the connection to check
122	* @return non-zero value if HTTPS is in use, zero if not
123	*/
124	int ssl_is_https(conn_rec *c)
125	{
126	mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
127	mgs_srvconf_rec sc = (mgs_srvconf_rec )
128	ap_get_module_config(c->base_server->module_config, &gnutls_module);
129
130	if(sc->enabled == GNUTLS_ENABLED_FALSE
131	\|\| ctxt == NULL
132	\|\| ctxt->enabled == GNUTLS_ENABLED_FALSE)
133	{
134	/* SSL/TLS Disabled or Plain HTTP Connection Detected */
135	return 0;
136	}
137	/* Connection is Using SSL/TLS */
138	return 1;
139	}
140
141
142
143	/**
144	* Return variables describing the current TLS session (if any).
145	*
146	* mod_ssl doc for this function: "This function must remain safe to
147	* use for a non-SSL connection." mod_http2 uses it to check if an
148	* acceptable TLS session is used.
149	*/
150	char* ssl_var_lookup(apr_pool_t p, server_rec s __attribute__((unused)),
151	conn_rec c, request_rec r, char *var)
152	{
153	/*
154	* When no pool is given try to find one
155	*/
156	if (p == NULL) {
157	if (r != NULL)
158	p = r->pool;
159	else if (c != NULL)
160	p = c->pool;
161	else
162	return NULL;
163	}
164
165	if (strcmp(var, "HTTPS") == 0)
166	{
167	if (c != NULL && ssl_is_https(c))
168	return "on";
169	else
170	return "off";
171	}
172
173	mgs_handle_t *ctxt = get_effective_gnutls_ctxt(c);
174
175	/* TLS parameters are empty if there is no session */
176	if (ctxt == NULL \|\| ctxt->c == NULL)
177	return NULL;
178
179	if (strcmp(var, "SSL_PROTOCOL") == 0)
180	return apr_pstrdup(p, gnutls_protocol_get_name(gnutls_protocol_get_version(ctxt->session)));
181
182	if (strcmp(var, "SSL_CIPHER") == 0)
183	return apr_pstrdup(p, gnutls_cipher_suite_get_name(gnutls_kx_get(ctxt->session),
184	gnutls_cipher_get(ctxt->session),
185	gnutls_mac_get(ctxt->session)));
186
187	/* mod_ssl supports a LOT more variables */
188	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, c,
189	"unsupported variable requested: '%s'",
190	var);
191
192	return NULL;
193	}
194
195
196
197	/**
198	* In Apache versions from 2.4.33 mod_proxy uses this function to set
199	* up its client connections. Note that mod_gnutls does not (yet)
200	* implement per directory configuration for such connections.
201	*
202	* @param c the connection
203	* @param dir_conf per directory configuration, unused for now
204	* @param proxy Is this a proxy connection?
205	* @param enable Should TLS be enabled on this connection?
206	*
207	* @param `true` (1) if successful, `false` (0) otherwise
208	*/
209	int ssl_engine_set(conn_rec *c,
210	ap_conf_vector_t *dir_conf __attribute__((unused)),
211	int proxy, int enable)
212	{
213	mgs_handle_t *ctxt = init_gnutls_ctxt(c);
214
215	/* If TLS proxy has been requested, check if support is enabled
216	* for the server */
217	if (proxy && (ctxt->sc->proxy_enabled != GNUTLS_ENABLED_TRUE))
218	{
219	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
220	"%s: mod_proxy requested TLS proxy, but not enabled "
221	"for %s", __func__, ctxt->sc->cert_cn);
222	return 0;
223	}
224
225	if (proxy)
226	ctxt->is_proxy = GNUTLS_ENABLED_TRUE;
227	else
228	ctxt->is_proxy = GNUTLS_ENABLED_FALSE;
229
230	if (enable)
231	ctxt->enabled = GNUTLS_ENABLED_TRUE;
232	else
233	ctxt->enabled = GNUTLS_ENABLED_FALSE;
234
235	return 1;
236	}
237
238	int ssl_engine_disable(conn_rec *c)
239	{
240	return ssl_engine_set(c, NULL, 0, 0);
241	}
242
243	int ssl_proxy_enable(conn_rec *c)
244	{
245	return ssl_engine_set(c, NULL, 1, 1);
246	}
247
248	#define OPENPGP_REMOVED "OpenPGP support has been removed."
249
250	static const command_rec mgs_config_cmds[] = {
251	AP_INIT_FLAG("GnuTLSProxyEngine", mgs_set_proxy_engine,
252	NULL,
253	RSRC_CONF \| OR_AUTHCFG,
254	"Enable TLS Proxy Engine"),
255	AP_INIT_TAKE1("GnuTLSP11Module", mgs_set_p11_module,
256	NULL,
257	RSRC_CONF,
258	"Load this specific PKCS #11 provider library"),
259	AP_INIT_RAW_ARGS("GnuTLSPIN", mgs_set_pin,
260	NULL,
261	RSRC_CONF,
262	"The PIN to use in case of encrypted keys or PKCS #11 tokens."),
263	AP_INIT_RAW_ARGS("GnuTLSSRKPIN", mgs_set_srk_pin,
264	NULL,
265	RSRC_CONF,
266	"The SRK PIN to use in case of TPM keys."),
267	AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify,
268	NULL,
269	RSRC_CONF \| OR_AUTHCFG,
270	"Set Verification Requirements of the Client Certificate"),
271	AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method,
272	NULL,
273	RSRC_CONF,
274	"Set Verification Method of the Client Certificate"),
275	AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file,
276	NULL,
277	RSRC_CONF,
278	"Set the CA File to verify Client Certificates"),
279	AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file,
280	NULL,
281	RSRC_CONF,
282	"Set the CA File to verify Client Certificates"),
283	AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file,
284	NULL,
285	RSRC_CONF,
286	"Set the file to read Diffie Hellman parameters from"),
287	AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file,
288	NULL,
289	RSRC_CONF,
290	"TLS Server X509 Certificate file"),
291	AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file,
292	NULL,
293	RSRC_CONF,
294	"TLS Server X509 Private Key file"),
295	AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file,
296	NULL,
297	RSRC_CONF,
298	"TLS Server X509 Certificate file"),
299	AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file,
300	NULL,
301	RSRC_CONF,
302	"TLS Server X509 Private Key file"),
303	#ifdef ENABLE_SRP
304	AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file,
305	NULL,
306	RSRC_CONF,
307	"TLS Server SRP Password Conf file"),
308	AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile",
309	mgs_set_srp_tpasswd_conf_file,
310	NULL,
311	RSRC_CONF,
312	"TLS Server SRP Parameters file"),
313	#endif
314	AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_timeout,
315	NULL,
316	RSRC_CONF,
317	"Cache Timeout"),
318	AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache,
319	NULL,
320	RSRC_CONF,
321	"Session Cache Configuration"),
322	AP_INIT_FLAG("GnuTLSSessionTickets", mgs_set_tickets,
323	NULL,
324	RSRC_CONF,
325	"Session Tickets Configuration"),
326	AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
327	NULL,
328	RSRC_CONF,
329	"The priorities to enable (ciphers, Key exchange, macs, compression)."),
330	AP_INIT_FLAG("GnuTLSEnable", mgs_set_enabled,
331	NULL,
332	RSRC_CONF,
333	"Whether this server has GnuTLS Enabled. Default: Off"),
334	AP_INIT_TAKE1("GnuTLSExportCertificates",
335	mgs_set_export_certificates_size,
336	NULL,
337	RSRC_CONF,
338	"Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),
339	AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path,
340	NULL,
341	RSRC_CONF,
342	"X509 client private file for proxy connections"),
343	AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path,
344	NULL,
345	RSRC_CONF,
346	"X509 client certificate file for proxy connections"),
347	AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path,
348	NULL,
349	RSRC_CONF,
350	"X509 trusted CA file for proxy connections"),
351	AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
352	NULL,
353	RSRC_CONF,
354	"X509 CRL file for proxy connections"),
355	AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
356	NULL,
357	RSRC_CONF,
358	"The priorities to enable for proxy connections (ciphers, key exchange, "
359	"MACs, compression)."),
360	AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
361	NULL, RSRC_CONF,
362	"Enable OCSP stapling"),
363	AP_INIT_FLAG("GnuTLSOCSPAutoRefresh", mgs_set_ocsp_auto_refresh,
364	NULL, RSRC_CONF,
365	"Regularly refresh cached OCSP response independent "
366	"of TLS handshakes?"),
367	AP_INIT_TAKE12("GnuTLSOCSPCache", mgs_set_cache,
368	NULL,
369	RSRC_CONF,
370	"OCSP Cache Configuration"),
371	AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
372	NULL, RSRC_CONF,
373	"Check nonce in OCSP responses?"),
374	AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
375	NULL, RSRC_CONF,
376	"Read OCSP response for stapling from this file instead "
377	"of sending a request over HTTP (must be updated "
378	"externally)"),
379	AP_INIT_TAKE1("GnuTLSOCSPCacheTimeout", mgs_set_timeout,
380	NULL, RSRC_CONF,
381	"Cache timeout for OCSP responses"),
382	AP_INIT_TAKE1("GnuTLSOCSPFailureTimeout", mgs_set_timeout,
383	NULL, RSRC_CONF,
384	"Wait this many seconds before retrying a failed OCSP "
385	"request"),
386	AP_INIT_TAKE1("GnuTLSOCSPFuzzTime", mgs_set_timeout,
387	NULL, RSRC_CONF,
388	"Update cached OCSP response up to this many seconds "
389	"before it expires, if GnuTLSOCSPAutoRefresh is enabled."),
390	AP_INIT_TAKE1("GnuTLSOCSPSocketTimeout", mgs_set_timeout,
391	NULL, RSRC_CONF,
392	"Socket timeout for OCSP requests"),
393	AP_INIT_RAW_ARGS("GnuTLSPGPKeyringFile",
394	ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
395	AP_INIT_RAW_ARGS("GnuTLSPGPCertificateFile",
396	ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
397	AP_INIT_RAW_ARGS("GnuTLSPGPKeyFile",
398	ap_set_deprecated, NULL, OR_ALL, OPENPGP_REMOVED),
399	#ifdef __clang__
400	/* Workaround for this clang bug:
401	* https://llvm.org/bugs/show_bug.cgi?id=21689 */
402	{},
403	#else
404	{ NULL },
405	#endif
406	};
407
408	module AP_MODULE_DECLARE_DATA gnutls_module = {
409	STANDARD20_MODULE_STUFF,
410	.create_dir_config = mgs_config_dir_create,
411	.merge_dir_config = mgs_config_dir_merge,
412	.create_server_config = mgs_config_server_create,
413	.merge_server_config = mgs_config_server_merge,
414	.cmds = mgs_config_cmds,
415	.register_hooks = gnutls_hooks
416	};

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: mod_gnutls/src/mod_gnutls.c @ d036f96

Download in other formats: