source: mod_gnutls/src/mod_gnutls.c @ f030883

Last change on this file since f030883 was f030883, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Set GnuTLS priorities for proxy connections separately

Until now, proxy connections were configured with the same priorities as
the server side. This commit introduces the new configuration option
"GnuTLSProxyPriorities" to set the priorities for proxy connections
separately. Note that GnuTLSProxyPriorities MUST be set when
SSLProxyEngine is enabled.

Since the parameters to GnuTLSPriorities and GnuTLSProxyPriorities need
the same processing, mgs_set_priorities has been rewritten to select the
priority cache to write to based on the option name, rather than adding
a new function to handle GnuTLSProxyPriorities.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2008 Nikos Mavrogiannopoulos
4 *  Copyright 2011 Dash Shendy
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
20#include "mod_gnutls.h"
#ifdef APLOG_USE_MODULE
/* Attribute log messages from this file to the gnutls module so that
 * per-module LogLevel settings apply; guarded because only newer httpd
 * versions define the macro. */
APLOG_USE_MODULE(gnutls);
#endif
/*
 * Register this module's hooks, connection filters and optional functions.
 *
 * Invoked once by the core through gnutls_module.register_hooks; the pool
 * argument is not used.
 */
static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
{
    /* post_config must run after mod_proxy's: name it as a predecessor and
     * ask for the very last slot. */
    static const char * const post_config_pre[] = { "mod_proxy.c", NULL };
    ap_hook_post_config(mgs_hook_post_config, post_config_pre, NULL,
                        APR_HOOK_REALLY_LAST);

    /* The scheme hook was renamed between httpd generations. */
#if USING_2_1_RECENT
    ap_hook_http_scheme(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#else
    ap_hook_http_method(mgs_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
#endif

    ap_hook_default_port(mgs_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_pre_connection(mgs_hook_pre_connection, NULL, NULL,
                           APR_HOOK_MIDDLE);
    ap_hook_pre_config(mgs_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_child_init(mgs_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);

    /* The access checker and fixups hooks claim the first slot so that the
     * TLS-level decisions are made before any other module's. */
    ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);
    ap_hook_fixups(mgs_hook_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);

    /* TODO: an HTTP Upgrade output filter (cf. mod_ssl's
     * ssl_io_filter_Upgrade at AP_FTYPE_PROTOCOL + 5) is not registered yet. */

    /* TLS record layer: connection-level filters on both directions. */
    ap_register_input_filter(GNUTLS_INPUT_FILTER_NAME, mgs_filter_input,
                             NULL, AP_FTYPE_CONNECTION + 5);
    ap_register_output_filter(GNUTLS_OUTPUT_FILTER_NAME, mgs_filter_output,
                              NULL, AP_FTYPE_CONNECTION + 5);

    /* Optional functions looked up by mod_proxy at run time. */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
/*
 * Tell whether connection c is handled as TLS by this module.
 *
 * Exported (non-static) so that other modules can query it. Returns 1 when
 * GnuTLS is enabled for the base server and the connection has not been
 * detected as a plain HTTP request, 0 otherwise.
 */
int ssl_is_https(conn_rec *c)
{
    mgs_srvconf_rec *srvconf = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    int tls_disabled = (srvconf->enabled == 0);
    int plain_http = (srvconf->non_ssl_request == 1);

    return (tls_disabled || plain_http) ? 0 : 1;
}
/*
 * Turn TLS off for connection c.
 *
 * Registered as an optional function in gnutls_hooks so mod_proxy can call
 * it. If GnuTLS is disabled for the base server nothing is done. Otherwise
 * the per-connection context is created on demand, marked as disabled and
 * as a proxy connection, and the head of each filter chain is removed.
 * Always returns 1.
 */
int ssl_engine_disable(conn_rec *c)
{
    mgs_srvconf_rec *srvconf = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);
    if (srvconf->enabled == GNUTLS_ENABLED_FALSE)
        return 1;

    mgs_handle_t *ctxt = (mgs_handle_t *)
        ap_get_module_config(c->conn_config, &gnutls_module);
    if (ctxt == NULL)
    {
        /* First touch of this connection: allocate its context from the
         * connection pool so it lives as long as the connection. */
        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    }
    ctxt->enabled = GNUTLS_ENABLED_FALSE;
    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;

    /* NOTE(review): only the first filter of each chain is removed; this
     * relies on the GnuTLS filter being at the head when mod_proxy calls
     * in -- verify against the pre_connection hook ordering. */
    if (c->input_filters != NULL)
        ap_remove_input_filter(c->input_filters);
    if (c->output_filters != NULL)
        ap_remove_output_filter(c->output_filters);

    return 1;
}
/*
 * Turn TLS on for an outgoing proxy connection c.
 *
 * Registered as an optional function in gnutls_hooks so mod_proxy can call
 * it. Refuses (logs at APLOG_ERR and returns 0) unless proxy TLS support is
 * enabled for the base server; otherwise creates the per-connection context
 * on demand, marks it enabled and as a proxy connection, and returns 1.
 */
int ssl_proxy_enable(conn_rec *c)
{
    mgs_srvconf_rec *srvconf = (mgs_srvconf_rec *)
        ap_get_module_config(c->base_server->module_config, &gnutls_module);

    /* Refuse unless the administrator turned proxy TLS on for this server. */
    if (srvconf->proxy_enabled != GNUTLS_ENABLED_TRUE)
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "%s: mod_proxy requested TLS proxy, but not enabled "
                      "for %s", __func__, srvconf->cert_cn);
        return 0;
    }

    mgs_handle_t *ctxt = (mgs_handle_t *)
        ap_get_module_config(c->conn_config, &gnutls_module);
    if (!ctxt)
    {
        /* First touch of this connection: allocate its context from the
         * connection pool so it lives as long as the connection. */
        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
    }
    ctxt->enabled = GNUTLS_ENABLED_TRUE;
    ctxt->is_proxy = GNUTLS_ENABLED_TRUE;

    return 1;
}
/*
 * Configuration directives understood by this module.
 *
 * Entries flagged RSRC_CONF only are server-level; those that also carry
 * OR_AUTHCFG are additionally accepted in directory/.htaccess context with
 * AllowOverride AuthConfig. Several names are aliases that share a handler.
 */
static const command_rec mgs_config_cmds[] = {
    /* --- proxy engine --- */
    AP_INIT_TAKE1("SSLProxyEngine", mgs_set_proxy_engine, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Enable SSL Proxy Engine"),

    /* --- client certificate verification --- */
    AP_INIT_TAKE1("GnuTLSClientVerify", mgs_set_client_verify, NULL,
                  RSRC_CONF | OR_AUTHCFG,
                  "Set Verification Requirements of the Client Certificate"),
    AP_INIT_TAKE1("GnuTLSClientVerifyMethod", mgs_set_client_verify_method, NULL,
                  RSRC_CONF,
                  "Set Verification Method of the Client Certificate"),
    /* GnuTLSClientCAFile and GnuTLSX509CAFile are aliases. */
    AP_INIT_TAKE1("GnuTLSClientCAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSX509CAFile", mgs_set_client_ca_file, NULL,
                  RSRC_CONF,
                  "Set the CA File to verify Client Certificates"),
    AP_INIT_TAKE1("GnuTLSPGPKeyringFile", mgs_set_keyring_file, NULL,
                  RSRC_CONF,
                  "Set the Keyring File to verify Client Certificates"),

    /* --- server key material --- */
    AP_INIT_TAKE1("GnuTLSDHFile", mgs_set_dh_file, NULL,
                  RSRC_CONF,
                  "Set the file to read Diffie Hellman parameters from"),
    /* GnuTLSCertificateFile/GnuTLSKeyFile are aliases of the X509 names. */
    AP_INIT_TAKE1("GnuTLSCertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSKeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSX509CertificateFile", mgs_set_cert_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Certificate file"),
    AP_INIT_TAKE1("GnuTLSX509KeyFile", mgs_set_key_file, NULL,
                  RSRC_CONF,
                  "SSL Server X509 Private Key file"),
    AP_INIT_TAKE1("GnuTLSPGPCertificateFile", mgs_set_pgpcert_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Certificate file"),
    AP_INIT_TAKE1("GnuTLSPGPKeyFile", mgs_set_pgpkey_file, NULL,
                  RSRC_CONF,
                  "SSL Server PGP Private key file"),
#ifdef ENABLE_SRP
    AP_INIT_TAKE1("GnuTLSSRPPasswdFile", mgs_set_srp_tpasswd_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Password Conf file"),
    AP_INIT_TAKE1("GnuTLSSRPPasswdConfFile", mgs_set_srp_tpasswd_conf_file, NULL,
                  RSRC_CONF,
                  "SSL Server SRP Parameters file"),
#endif

    /* --- session cache and tickets --- */
    AP_INIT_TAKE1("GnuTLSCacheTimeout", mgs_set_cache_timeout, NULL,
                  RSRC_CONF,
                  "Cache Timeout"),
    AP_INIT_TAKE12("GnuTLSCache", mgs_set_cache, NULL,
                   RSRC_CONF,
                   "Cache Configuration"),
    AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets, NULL,
                  RSRC_CONF,
                  "Session Tickets Configuration"),

    /* --- server-side TLS parameters --- */
    AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities, NULL,
                     RSRC_CONF,
                     "The priorities to enable (ciphers, Key exchange, macs, compression)."),
    AP_INIT_TAKE1("GnuTLSEnable", mgs_set_enabled, NULL,
                  RSRC_CONF,
                  "Whether this server has GnuTLS Enabled. Default: Off"),
    AP_INIT_TAKE1("GnuTLSExportCertificates", mgs_set_export_certificates_size, NULL,
                  RSRC_CONF,
                  "Max size to export PEM encoded certificates to CGIs (or off to disable). Default: off"),

    /* --- proxy (client-side) credentials; one handler keyed by name --- */
    AP_INIT_TAKE1("GnuTLSProxyKeyFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 client private file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCertificateFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 client certificate file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCAFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 trusted CA file for proxy connections"),
    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path, NULL,
                  RSRC_CONF,
                  "X509 CRL file for proxy connections"),
    /* Shares mgs_set_priorities with GnuTLSPriorities; the handler picks the
     * priority cache by directive name. Must be set when SSLProxyEngine is
     * enabled. */
    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities, NULL,
                     RSRC_CONF,
                     "The priorities to enable for proxy connections (ciphers, key exchange, "
                     "MACs, compression)."),

    { NULL },
};
/*
 * Module descriptor handed to the httpd core: per-directory and per-server
 * configuration constructors/mergers, the directive table above and the
 * hook registration function.
 */
module AP_MODULE_DECLARE_DATA gnutls_module = {
    STANDARD20_MODULE_STUFF,
    /* per-directory config */
    .create_dir_config = mgs_config_dir_create,
    .merge_dir_config = mgs_config_dir_merge,
    /* per-server config */
    .create_server_config = mgs_config_server_create,
    .merge_server_config = mgs_config_server_merge,
    /* directives and hooks */
    .cmds = mgs_config_cmds,
    .register_hooks = gnutls_hooks
};