1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* _ _
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
22 * |_____|
23 * mod_ssl.c
24 * Apache API interface structures
25 */
26
27 #include "ssl_private.h"
28 #include "mod_ssl.h"
29 #include "mod_ssl_openssl.h"
30 #include "util_md5.h"
31 #include "util_mutex.h"
32 #include "ap_provider.h"
33 #include "http_config.h"
34
35 #include "mod_proxy.h" /* for proxy_hook_section_post_config() */
36
37 #include <assert.h>
38
39 static int modssl_running_statically = 0;
40
41 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
42 (conn_rec *c,SSL *ssl,int is_proxy),
43 (c,ssl,is_proxy), OK, DECLINED);
44
45 /*
46 * the table of configuration directives we provide
47 */
48
49 #define SSL_CMD_ALL(name, args, desc) \
50 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
51 NULL, RSRC_CONF|OR_AUTHCFG, desc),
52
53 #define SSL_CMD_SRV(name, args, desc) \
54 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
55 NULL, RSRC_CONF, desc),
56
57 #define SSL_CMD_PXY(name, args, desc) \
58 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
59 NULL, RSRC_CONF|PROXY_CONF, desc),
60
61 #define SSL_CMD_DIR(name, type, args, desc) \
62 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
63 NULL, OR_##type, desc),
64
65 #define AP_END_CMD { NULL }
66
67 static const command_rec ssl_config_cmds[] = {
68 /*
69 * Global (main-server) context configuration directives
70 */
71 SSL_CMD_SRV(PassPhraseDialog, TAKE1,
72 "SSL dialog mechanism for the pass phrase query "
73 "('builtin', '|/path/to/pipe_program', "
74 "or 'exec:/path/to/cgi_program')")
75 SSL_CMD_SRV(SessionCache, TAKE1,
76 "SSL Session Cache storage "
77 "('none', 'nonenotnull', 'dbm:/path/to/file')")
78 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
79 SSL_CMD_SRV(CryptoDevice, TAKE1,
80 "SSL external Crypto Device usage "
81 "('builtin', '...')")
82 #endif
83 SSL_CMD_SRV(RandomSeed, TAKE23,
84 "SSL Pseudo Random Number Generator (PRNG) seeding source "
85 "('startup|connect builtin|file:/path|exec:/path [bytes]')")
86
87 /*
88 * Per-server context configuration directives
89 */
90 SSL_CMD_SRV(Engine, TAKE1,
91 "SSL switch for the protocol engine "
92 "('on', 'off')")
93 SSL_CMD_SRV(FIPS, FLAG,
94 "Enable FIPS-140 mode "
95 "(`on', `off')")
96 SSL_CMD_ALL(CipherSuite, TAKE12,
97 "Colon-delimited list of permitted SSL Ciphers, optional preceded "
98 "by protocol identifier ('XXX:...:XXX' - see manual)")
99 SSL_CMD_SRV(CertificateFile, TAKE1,
100 "SSL Server Certificate file "
101 "('/path/to/file' - PEM or DER encoded)")
102 SSL_CMD_SRV(CertificateKeyFile, TAKE1,
103 "SSL Server Private Key file "
104 "('/path/to/file' - PEM or DER encoded)")
105 SSL_CMD_SRV(CertificateChainFile, TAKE1,
106 "SSL Server CA Certificate Chain file "
107 "('/path/to/file' - PEM encoded)")
108 #ifdef HAVE_TLS_SESSION_TICKETS
109 SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
110 "TLS session ticket encryption/decryption key file (RFC 5077) "
111 "('/path/to/file' - file with 48 bytes of random data)")
112 #endif
113 SSL_CMD_ALL(CACertificatePath, TAKE1,
114 "SSL CA Certificate path "
115 "('/path/to/dir' - contains PEM encoded files)")
116 SSL_CMD_ALL(CACertificateFile, TAKE1,
117 "SSL CA Certificate file "
118 "('/path/to/file' - PEM encoded)")
119 SSL_CMD_SRV(CADNRequestPath, TAKE1,
120 "SSL CA Distinguished Name path "
121 "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
122 SSL_CMD_SRV(CADNRequestFile, TAKE1,
123 "SSL CA Distinguished Name file "
124 "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
125 SSL_CMD_SRV(CARevocationPath, TAKE1,
126 "SSL CA Certificate Revocation List (CRL) path "
127 "('/path/to/dir' - contains PEM encoded files)")
128 SSL_CMD_SRV(CARevocationFile, TAKE1,
129 "SSL CA Certificate Revocation List (CRL) file "
130 "('/path/to/file' - PEM encoded)")
131 SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
132 "SSL CA Certificate Revocation List (CRL) checking mode")
133 SSL_CMD_ALL(VerifyClient, TAKE1,
134 "SSL Client verify type "
135 "('none', 'optional', 'require', 'optional_no_ca')")
136 SSL_CMD_ALL(VerifyDepth, TAKE1,
137 "SSL Client verify depth "
138 "('N' - number of intermediate certificates)")
139 SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
140 "SSL Session Cache object lifetime "
141 "('N' - number of seconds)")
142 #ifdef OPENSSL_NO_SSL3
143 #define SSLv3_PROTO_PREFIX ""
144 #else
145 #define SSLv3_PROTO_PREFIX "SSLv3|"
146 #endif
147 #ifdef HAVE_TLSV1_X
148 #define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
149 #else
150 #define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
151 #endif
152 SSL_CMD_SRV(Protocol, RAW_ARGS,
153 "Enable or disable various SSL protocols "
154 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
155 SSL_CMD_SRV(HonorCipherOrder, FLAG,
156 "Use the server's cipher ordering preference")
157 SSL_CMD_SRV(Compression, FLAG,
158 "Enable SSL level compression "
159 "(`on', `off')")
160 SSL_CMD_SRV(SessionTickets, FLAG,
161 "Enable or disable TLS session tickets"
162 "(`on', `off')")
163 SSL_CMD_SRV(InsecureRenegotiation, FLAG,
164 "Enable support for insecure renegotiation")
165 SSL_CMD_ALL(UserName, TAKE1,
166 "Set user name to SSL variable value")
167 SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
168 "Strict SNI virtual host checking")
169
170 #ifdef HAVE_SRP
171 SSL_CMD_SRV(SRPVerifierFile, TAKE1,
172 "SRP verifier file "
173 "('/path/to/file' - created by srptool)")
174 SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
175 "SRP seed for unknown users (to avoid leaking a user's existence) "
176 "('some secret text')")
177 #endif
178
179 /*
180 * Proxy configuration for remote SSL connections
181 */
182 SSL_CMD_PXY(ProxyEngine, FLAG,
183 "SSL switch for the proxy protocol engine "
184 "('on', 'off')")
185 SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
186 "SSL Proxy: enable or disable SSL protocol flavors "
187 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
188 SSL_CMD_PXY(ProxyCipherSuite, TAKE12,
189 "SSL Proxy: colon-delimited list of permitted SSL ciphers "
190 ", optionally preceded by protocol specifier ('XXX:...:XXX' - see manual)")
191 SSL_CMD_PXY(ProxyVerify, TAKE1,
192 "SSL Proxy: whether to verify the remote certificate "
193 "('on' or 'off')")
194 SSL_CMD_PXY(ProxyVerifyDepth, TAKE1,
195 "SSL Proxy: maximum certificate verification depth "
196 "('N' - number of intermediate certificates)")
197 SSL_CMD_PXY(ProxyCACertificateFile, TAKE1,
198 "SSL Proxy: file containing server certificates "
199 "('/path/to/file' - PEM encoded certificates)")
200 SSL_CMD_PXY(ProxyCACertificatePath, TAKE1,
201 "SSL Proxy: directory containing server certificates "
202 "('/path/to/dir' - contains PEM encoded certificates)")
203 SSL_CMD_PXY(ProxyCARevocationPath, TAKE1,
204 "SSL Proxy: CA Certificate Revocation List (CRL) path "
205 "('/path/to/dir' - contains PEM encoded files)")
206 SSL_CMD_PXY(ProxyCARevocationFile, TAKE1,
207 "SSL Proxy: CA Certificate Revocation List (CRL) file "
208 "('/path/to/file' - PEM encoded)")
209 SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS,
210 "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
211 SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1,
212 "SSL Proxy: file containing client certificates "
213 "('/path/to/file' - PEM encoded certificates)")
214 SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1,
215 "SSL Proxy: directory containing client certificates "
216 "('/path/to/dir' - contains PEM encoded certificates)")
217 SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1,
218 "SSL Proxy: file containing issuing certificates "
219 "of the client certificate "
220 "(`/path/to/file' - PEM encoded certificates)")
221 SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG,
222 "SSL Proxy: check the peer certificate's expiration date")
223 SSL_CMD_PXY(ProxyCheckPeerCN, FLAG,
224 "SSL Proxy: check the peer certificate's CN")
225 SSL_CMD_PXY(ProxyCheckPeerName, FLAG,
226 "SSL Proxy: check the peer certificate's name "
227 "(must be present in subjectAltName extension or CN")
228
229 /*
230 * Per-directory context configuration directives
231 */
232 SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
233 "Set one or more options to configure the SSL engine"
234 "('[+-]option[=value] ...' - see manual)")
235 SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
236 "Require the SSL protocol for the per-directory context "
237 "(no arguments)")
238 SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
239 "Require a boolean expression to evaluate to true for granting access"
240 "(arbitrary complex boolean expression - see manual)")
241 SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
242 "Configure the amount of memory that will be used for buffering the "
243 "request body if a per-location SSL renegotiation is required due to "
244 "changed access control requirements")
245
246 SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
247 "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
248 SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
249 "URL of the default OCSP Responder")
250 SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
251 "Force use of the default responder URL ('on', 'off')")
252 SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
253 "Maximum time difference in OCSP responses")
254 SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
255 "Maximum age of OCSP responses")
256 SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
257 "OCSP responder query timeout")
258 SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
259 "Whether OCSP queries use a nonce or not ('on', 'off')")
260 SSL_CMD_SRV(OCSPProxyURL, TAKE1,
261 "Proxy URL to use for OCSP requests")
262
263 /* Define OCSP Responder Certificate Verification Directive */
264 SSL_CMD_SRV(OCSPNoVerify, FLAG,
265 "Do not verify OCSP Responder certificate ('on', 'off')")
266 /* Define OCSP Responder File Configuration Directive */
267 SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
268 "Trusted OCSP responder certificates"
269 "(`/path/to/file' - PEM encoded certificates)")
270
271 #ifdef HAVE_OCSP_STAPLING
272 /*
273 * OCSP Stapling options
274 */
275 SSL_CMD_SRV(StaplingCache, TAKE1,
276 "SSL Stapling Response Cache storage "
277 "(`dbm:/path/to/file')")
278 SSL_CMD_SRV(UseStapling, FLAG,
279 "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
280 SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
281 "SSL stapling option for maximum time difference in OCSP responses")
282 SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
283 "SSL stapling option for OCSP responder timeout")
284 SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
285 "SSL stapling option for maximum age of OCSP responses")
286 SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
287 "SSL stapling option for normal OCSP Response Cache Lifetime")
288 SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
289 "SSL stapling switch to return Status Errors Back to Client"
290 "(`on', `off')")
291 SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
292 "SSL stapling switch to send tryLater response to client on error "
293 "(`on', `off')")
294 SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
295 "SSL stapling option for OCSP Response Error Cache Lifetime")
296 SSL_CMD_SRV(StaplingForceURL, TAKE1,
297 "SSL stapling option to Force the OCSP Stapling URL")
298 #endif
299
300 #ifdef HAVE_SSL_CONF_CMD
301 SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
302 "OpenSSL configuration command")
303 #endif
304
305 /* Deprecated directives. */
306 AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
307 "SSLLog directive is no longer supported - use ErrorLog."),
308 AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
309 "SSLLogLevel directive is no longer supported - use LogLevel."),
310
311 AP_END_CMD
312 };
313
314 /*
315 * the various processing hooks
316 */
modssl_is_prelinked(void)317 static int modssl_is_prelinked(void)
318 {
319 apr_size_t i = 0;
320 const module *mod;
321 while ((mod = ap_prelinked_modules[i++])) {
322 if (strcmp(mod->name, "mod_ssl.c") == 0) {
323 return 1;
324 }
325 }
326 return 0;
327 }
328
ssl_cleanup_pre_config(void * data)329 static apr_status_t ssl_cleanup_pre_config(void *data)
330 {
331 #if HAVE_OPENSSL_INIT_SSL || (OPENSSL_VERSION_NUMBER >= 0x10100000L && \
332 !defined(LIBRESSL_VERSION_NUMBER))
333 /* Openssl v1.1+ handles all termination automatically from
334 * OPENSSL_init_ssl(). Do nothing in this case.
335 */
336
337 #else
338 /* Termination below is for legacy Openssl versions v1.0.x and
339 * older.
340 */
341
342 /* Corresponds to OBJ_create()s */
343 OBJ_cleanup();
344 /* Corresponds to OPENSSL_load_builtin_modules() */
345 CONF_modules_free();
346 /* Corresponds to SSL_library_init: */
347 EVP_cleanup();
348 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
349 ENGINE_cleanup();
350 #endif
351 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
352 #ifndef OPENSSL_NO_COMP
353 SSL_COMP_free_compression_methods();
354 #endif
355 #endif
356
357 /* Usually needed per thread, but this parent process is single-threaded */
358 #if MODSSL_USE_OPENSSL_PRE_1_1_API
359 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
360 ERR_remove_thread_state(NULL);
361 #else
362 ERR_remove_state(0);
363 #endif
364 #endif
365
366 /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
367 * actually loaded the error strings once per process due to static
368 * variable abuse in OpenSSL. */
369 #if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
370 ERR_free_strings();
371 #endif
372
373 /* Also don't call CRYPTO_cleanup_all_ex_data when linked statically here;
374 * any registered ex_data indices may have been cached in static variables
375 * in OpenSSL; removing them may cause havoc. Notably, with OpenSSL
376 * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
377 * could result in a per-connection memory leak (!). */
378 if (!modssl_running_statically) {
379 CRYPTO_cleanup_all_ex_data();
380 }
381 #endif
382
383 /*
384 * TODO: determine somewhere we can safely shove out diagnostics
385 * (when enabled) at this late stage in the game:
386 * CRYPTO_mem_leaks_fp(stderr);
387 */
388
389 return APR_SUCCESS;
390 }
391
ssl_hook_pre_config(apr_pool_t * pconf,apr_pool_t * plog,apr_pool_t * ptemp)392 static int ssl_hook_pre_config(apr_pool_t *pconf,
393 apr_pool_t *plog,
394 apr_pool_t *ptemp)
395 {
396 modssl_running_statically = modssl_is_prelinked();
397
398 #if HAVE_OPENSSL_INIT_SSL || (OPENSSL_VERSION_NUMBER >= 0x10100000L && \
399 !defined(LIBRESSL_VERSION_NUMBER))
400 /* Openssl v1.1+ handles all initialisation automatically, apart
401 * from hints as to how we want to use the library.
402 *
403 * We tell openssl we want to include engine support.
404 */
405 OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
406
407 #else
408 /* Configuration below is for legacy versions Openssl v1.0 and
409 * older.
410 */
411
412 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
413 ssl_util_thread_id_setup(pconf);
414 #endif
415 #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
416 (void)CRYPTO_malloc_init();
417 #else
418 OPENSSL_malloc_init();
419 #endif
420 ERR_load_crypto_strings();
421 SSL_load_error_strings();
422 SSL_library_init();
423 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
424 ENGINE_load_builtin_engines();
425 #endif
426 OpenSSL_add_all_algorithms();
427 OPENSSL_load_builtin_modules();
428 #endif
429
430 if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
431 (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
432 "SRVName otherName form");
433 }
434
435 /* Start w/o errors (e.g. OBJ_txt2nid() above) */
436 ERR_clear_error();
437
438 /*
439 * Let us cleanup the ssl library when the module is unloaded
440 */
441 apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
442 apr_pool_cleanup_null);
443
444 /* Register us to handle mod_log_config %c/%x variables */
445 ssl_var_log_config_register(pconf);
446
447 /* Register to handle mod_status status page generation */
448 ssl_scache_status_register(pconf);
449
450 /* Register mutex type names so they can be configured with Mutex */
451 ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
452 #ifdef HAVE_OCSP_STAPLING
453 ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL,
454 APR_LOCK_DEFAULT, 0);
455 ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL,
456 APR_LOCK_DEFAULT, 0);
457 #endif
458
459 return OK;
460 }
461
ssl_init_connection_ctx(conn_rec * c,ap_conf_vector_t * per_dir_config,int reinit)462 static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
463 ap_conf_vector_t *per_dir_config,
464 int reinit)
465 {
466 SSLConnRec *sslconn = myConnConfig(c);
467 int need_setup = 0;
468
469 /* mod_proxy's (r->)per_dir_config has the lifetime of the request, thus
470 * it uses ssl_engine_set() to reset sslconn->dc when reusing SSL backend
471 * connections, so we must fall through here. But in the case where we are
472 * called from ssl_init_ssl_connection() with no per_dir_config (which also
473 * includes mod_proxy's later run_pre_connection call), sslconn->dc should
474 * be preserved if it's already set.
475 */
476 if (!sslconn) {
477 sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
478 need_setup = 1;
479 }
480 else if (!reinit) {
481 return sslconn;
482 }
483
484 /* Reinit dc in any case because it may be r->per_dir_config scoped
485 * and thus a caller like mod_proxy needs to update it per request.
486 */
487 if (per_dir_config) {
488 sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
489 }
490 else {
491 sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
492 &ssl_module);
493 }
494
495 if (need_setup) {
496 sslconn->server = c->base_server;
497 sslconn->verify_depth = UNSET;
498 if (c->outgoing) {
499 sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
500 }
501 else {
502 SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
503 sslconn->cipher_suite = sc->server->auth.cipher_suite;
504 }
505
506 myConnConfigSet(c, sslconn);
507 }
508
509 return sslconn;
510 }
511
ssl_engine_status(conn_rec * c,SSLConnRec * sslconn)512 static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
513 {
514 if (c->master) {
515 return DECLINED;
516 }
517 if (sslconn) {
518 /* This connection has already been configured. Check what applies. */
519 if (sslconn->disabled) {
520 return SUSPENDED;
521 }
522 if (c->outgoing) {
523 if (!sslconn->dc->proxy_enabled) {
524 return DECLINED;
525 }
526 }
527 else {
528 if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) {
529 return DECLINED;
530 }
531 }
532 }
533 else {
534 /* we decline by default for outgoing connections and for incoming
535 * where the base_server is not enabled. */
536 if (c->outgoing || mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
537 return DECLINED;
538 }
539 }
540 return OK;
541 }
542
ssl_hook_ssl_bind_outgoing(conn_rec * c,ap_conf_vector_t * per_dir_config,int enable_ssl)543 static int ssl_hook_ssl_bind_outgoing(conn_rec *c,
544 ap_conf_vector_t *per_dir_config,
545 int enable_ssl)
546 {
547 SSLConnRec *sslconn;
548 int status;
549
550 sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
551 status = ssl_engine_status(c, sslconn);
552 if (enable_ssl) {
553 if (status != OK) {
554 SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
555 sslconn->disabled = 1;
556 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10272)
557 "SSL Proxy requested for %s but not enabled for us.",
558 sc->vhost_id);
559 }
560 else {
561 sslconn->disabled = 0;
562 return OK;
563 }
564 }
565 else {
566 sslconn->disabled = 1;
567 }
568 return DECLINED;
569 }
570
ssl_init_ssl_connection(conn_rec * c,request_rec * r)571 int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
572 {
573 SSLSrvConfigRec *sc;
574 SSL *ssl;
575 SSLConnRec *sslconn;
576 char *vhost_md5;
577 int rc;
578 modssl_ctx_t *mctx;
579 server_rec *server;
580
581 /*
582 * Create or retrieve SSL context
583 */
584 sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL, 0);
585 server = sslconn->server;
586 sc = mySrvConfig(server);
587
588 /*
589 * Seed the Pseudo Random Number Generator (PRNG)
590 */
591 ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
592 c->outgoing ? "Proxy: " : "Server: ");
593
594 mctx = myConnCtxConfig(c, sc);
595
596 /*
597 * Create a new SSL connection with the configured server SSL context and
598 * attach this to the socket. Additionally we register this attachment
599 * so we can detach later.
600 */
601 if (!(sslconn->ssl = ssl = SSL_new(mctx->ssl_ctx))) {
602 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
603 "Unable to create a new SSL connection from the SSL "
604 "context");
605 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
606
607 c->aborted = 1;
608
609 return DECLINED; /* XXX */
610 }
611
612 rc = ssl_run_pre_handshake(c, ssl, c->outgoing ? 1 : 0);
613 if (rc != OK && rc != DECLINED) {
614 return rc;
615 }
616
617 vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
618 sc->vhost_id_len);
619
620 if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
621 APR_MD5_DIGESTSIZE*2))
622 {
623 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
624 "Unable to set session id context to '%s'", vhost_md5);
625 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
626
627 c->aborted = 1;
628
629 return DECLINED; /* XXX */
630 }
631
632 SSL_set_app_data(ssl, c);
633 modssl_set_app_data2(ssl, NULL); /* will be request_rec */
634
635 SSL_set_verify_result(ssl, X509_V_OK);
636
637 ssl_io_filter_init(c, r, ssl);
638
639 return APR_SUCCESS;
640 }
641
ssl_hook_http_scheme(const request_rec * r)642 static const char *ssl_hook_http_scheme(const request_rec *r)
643 {
644 return modssl_request_is_tls(r, NULL) ? "https" : NULL;
645 }
646
ssl_hook_default_port(const request_rec * r)647 static apr_port_t ssl_hook_default_port(const request_rec *r)
648 {
649 return modssl_request_is_tls(r, NULL) ? 443 : 0;
650 }
651
ssl_hook_pre_connection(conn_rec * c,void * csd)652 static int ssl_hook_pre_connection(conn_rec *c, void *csd)
653 {
654 SSLSrvConfigRec *sc;
655 SSLConnRec *sslconn = myConnConfig(c);
656
657 /*
658 * Immediately stop processing if SSL is disabled for this connection
659 */
660 if (ssl_engine_status(c, sslconn) != OK) {
661 return DECLINED;
662 }
663
664 if (sslconn) {
665 sc = mySrvConfig(sslconn->server);
666 }
667 else {
668 sc = mySrvConfig(c->base_server);
669 }
670
671 /*
672 * Remember the connection information for
673 * later access inside callback functions
674 */
675
676 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
677 "Connection to child %ld established "
678 "(server %s)", c->id, sc->vhost_id);
679
680 return ssl_init_ssl_connection(c, NULL);
681 }
682
ssl_hook_process_connection(conn_rec * c)683 static int ssl_hook_process_connection(conn_rec* c)
684 {
685 SSLConnRec *sslconn = myConnConfig(c);
686
687 if (sslconn && !sslconn->disabled) {
688 /* On an active SSL connection, let the input filters initialize
689 * themselves which triggers the handshake, which again triggers
690 * all kinds of useful things such as SNI and ALPN.
691 */
692 apr_bucket_brigade* temp;
693
694 temp = apr_brigade_create(c->pool, c->bucket_alloc);
695 ap_get_brigade(c->input_filters, temp,
696 AP_MODE_INIT, APR_BLOCK_READ, 0);
697 apr_brigade_destroy(temp);
698 }
699
700 return DECLINED;
701 }
702
703 /*
704 * the module registration phase
705 */
706
ssl_register_hooks(apr_pool_t * p)707 static void ssl_register_hooks(apr_pool_t *p)
708 {
709 /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
710 * run after mod_setenvif's post_read_request hook. */
711 static const char *pre_prr[] = { "mod_setenvif.c", NULL };
712 /* The ssl_init_Module post_config hook should run before mod_proxy's
713 * for the ssl proxy main configs to be merged with vhosts' before being
714 * themselves merged with mod_proxy's in proxy_hook_section_post_config.
715 */
716 static const char *b_pc[] = { "mod_proxy.c", NULL};
717
718
719 ssl_io_filter_register(p);
720
721 ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
722 ap_hook_process_connection(ssl_hook_process_connection,
723 NULL, NULL, APR_HOOK_MIDDLE);
724 ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
725 ap_hook_post_config (ssl_init_Module, NULL,b_pc, APR_HOOK_MIDDLE);
726 ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
727 ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
728 ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
729 ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
730 ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
731 AP_AUTH_INTERNAL_PER_CONF);
732 ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
733 ap_hook_check_access (ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE,
734 AP_AUTH_INTERNAL_PER_CONF);
735 ap_hook_check_authz (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE,
736 AP_AUTH_INTERNAL_PER_CONF);
737 ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
738
739 APR_OPTIONAL_HOOK(proxy, section_post_config,
740 ssl_proxy_section_post_config, NULL, NULL,
741 APR_HOOK_MIDDLE);
742
743 ssl_var_register(p);
744 ap_hook_ssl_bind_outgoing (ssl_hook_ssl_bind_outgoing, NULL, NULL, APR_HOOK_MIDDLE);
745
746 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
747 AUTHZ_PROVIDER_VERSION,
748 &ssl_authz_provider_require_ssl,
749 AP_AUTH_INTERNAL_PER_CONF);
750
751 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
752 AUTHZ_PROVIDER_VERSION,
753 &ssl_authz_provider_verify_client,
754 AP_AUTH_INTERNAL_PER_CONF);
755 }
756
757 module AP_MODULE_DECLARE_DATA ssl_module = {
758 STANDARD20_MODULE_STUFF,
759 ssl_config_perdir_create, /* create per-dir config structures */
760 ssl_config_perdir_merge, /* merge per-dir config structures */
761 ssl_config_server_create, /* create per-server config structures */
762 ssl_config_server_merge, /* merge per-server config structures */
763 ssl_config_cmds, /* table of configuration directives */
764 ssl_register_hooks /* register hooks */
765 #if defined(AP_MODULE_HAS_FLAGS)
766 ,AP_MODULE_FLAG_ALWAYS_MERGE /* flags */
767 #endif
768 };
769