Google Git
Sign in
apache / httpd / 5422fe57879e6867ad06b52ba861ded9b7dd0b91 / . / modules / ssl / ssl_engine_kernel.c
blob: ca1b3f0a55c6a3f7560362b76f748cf5501edf18 [file] [log] [blame]
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
** |_____|
** ssl_engine_kernel.c
** The SSL engine kernel
*/
/* ====================================================================
* Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials
* provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by
* Ralf S. Engelschall <rse@engelschall.com> for use in the
* mod_ssl project (http://www.modssl.org/)."
*
* 4. The names "mod_ssl" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* rse@engelschall.com.
*
* 5. Products derived from this software may not be called "mod_ssl"
* nor may "mod_ssl" appear in their names without prior
* written permission of Ralf S. Engelschall.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by
* Ralf S. Engelschall <rse@engelschall.com> for use in the
* mod_ssl project (http://www.modssl.org/)."
*
* THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
* HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
/* ====================================================================
* Copyright (c) 1995-1999 Ben Laurie. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by Ben Laurie
* for use in the Apache-SSL HTTP server project."
*
* 4. The name "Apache-SSL Server" must not be used to
* endorse or promote products derived from this software without
* prior written permission.
*
* 5. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by Ben Laurie
* for use in the Apache-SSL HTTP server project."
*
* THIS SOFTWARE IS PROVIDED BY BEN LAURIE ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BEN LAURIE OR
* HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
/* ``It took me fifteen years to discover
I had no talent for programming, but
I couldn't give it up because by that
time I was too famous.''
-- Unknown */
#include "mod_ssl.h"
/* _________________________________________________________________
**
** SSL Engine Kernel
** _________________________________________________________________
*/
/*
* Connect Handler:
* Connect SSL to the accepted socket
*
* Usually we would need an Apache API hook which is triggered right after
* the socket is accepted for handling a new request. But Apache 1.3 doesn't
* provide such a hook, so we have to patch http_main.c and call this
* function directly.
*/
void ssl_hook_NewConnection(conn_rec *conn)
{
server_rec *srvr;
BUFF *fb;
SSLSrvConfigRec *sc;
ap_ctx *apctx;
SSL *ssl;
char *cp;
char *cpVHostID;
char *cpVHostMD5;
X509 *xs;
int rc;
/*
* Get context
*/
srvr = conn->server;
fb = conn->client;
sc = mySrvConfig(srvr);
/*
* Create SSL context
*/
ap_ctx_set(fb->ctx, "ssl", NULL);
/*
* Immediately stop processing if SSL
* is disabled for this connection
*/
if (sc == NULL || !sc->bEnabled)
return;
/*
* Remember the connection information for
* later access inside callback functions
*/
cpVHostID = ssl_util_vhostid(conn->pool, srvr);
ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established "
"(server %s, client %s)", conn->child_num, cpVHostID,
conn->remote_ip != NULL ? conn->remote_ip : "unknown");
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(srvr, conn->pool, SSL_RSCTX_CONNECT, "");
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if ((ssl = SSL_new(sc->pSSLCtx)) == NULL) {
ssl_log(conn->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to create a new SSL connection from the SSL context");
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
SSL_clear(ssl);
cpVHostMD5 = ap_md5(conn->pool, (unsigned char *)cpVHostID);
if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) {
ssl_log(conn->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to set session id context to `%s'", cpVHostMD5);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
SSL_set_app_data(ssl, conn);
apctx = ap_ctx_new(conn->pool);
ap_ctx_set(apctx, "ssl::request_rec", NULL);
ap_ctx_set(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0));
SSL_set_app_data2(ssl, apctx);
SSL_set_fd(ssl, fb->fd);
ap_ctx_set(fb->ctx, "ssl", ssl);
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
if (sc->nLogLevel >= SSL_LOG_DEBUG) {
BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
BIO_set_callback_arg(SSL_get_rbio(ssl), ssl);
}
/*
* Predefine some client verification results
*/
ap_ctx_set(fb->ctx, "ssl::client::dn", NULL);
ap_ctx_set(fb->ctx, "ssl::verify::error", NULL);
ap_ctx_set(fb->ctx, "ssl::verify::info", NULL);
SSL_set_verify_result(ssl, X509_V_OK);
/*
* We have to manage a I/O timeout ourself, because Apache
* does it the first time when reading the request, but we're
* working some time before this happens.
*/
ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)FALSE);
ap_set_callback_and_alarm(ssl_hook_TimeoutConnection, srvr->timeout);
/*
* Now enter the SSL Handshake Phase
*/
while (!SSL_is_init_finished(ssl)) {
if ((rc = SSL_accept(ssl)) <= 0) {
if (SSL_get_error(ssl, rc) == SSL_ERROR_ZERO_RETURN) {
/*
* The case where the connection was closed before any data
* was transferred. That's not a real error and can occur
* sporadically with some clients.
*/
ssl_log(srvr, SSL_LOG_INFO,
"SSL handshake stopped: connection was closed");
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
/*
* The case where OpenSSL has recognized a HTTP request:
* This means the client speaks plain HTTP on our HTTPS
* port. Hmmmm... At least for this error we can be more friendly
* and try to provide him with a HTML error page. We have only one
* problem: OpenSSL has already read some bytes from the HTTP
* request. So we have to skip the request line manually and
* instead provide a faked one in order to continue the internal
* Apache processing.
*
*/
char ca[2];
int rv;
/* log the situation */
ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL handshake failed: HTTP spoken on HTTPS port; "
"trying to send HTML error page");
/* first: skip the remaining bytes of the request line */
do {
do {
rv = read(fb->fd, ca, 1);
} while (rv == -1 && errno == EINTR);
} while (rv > 0 && ca[0] != '\012' /*LF*/);
/* second: fake the request line */
fb->inbase = ap_palloc(fb->pool, fb->bufsiz);
ap_cpystrn((char *)fb->inbase, "GET /mod_ssl:error:HTTP-request HTTP/1.0\r\n",
fb->bufsiz);
fb->inptr = fb->inbase;
fb->incnt = strlen((char *)fb->inptr);
/* third: kick away the SSL stuff */
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
/* finally: let Apache go on with processing */
return;
}
else if (ap_ctx_get(ap_global_ctx, "ssl::handshake::timeout") == (void *)TRUE) {
ssl_log(srvr, SSL_LOG_ERROR,
"SSL handshake timed out (client %s, server %s)",
conn->remote_ip != NULL ? conn->remote_ip : "unknown", cpVHostID);
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
else if (SSL_get_error(ssl, rc) == SSL_ERROR_SYSCALL) {
if (errno == EINTR)
continue;
if (errno > 0)
ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
"SSL handshake interrupted by system "
"[Hint: Stop button pressed in browser?!]");
else
ssl_log(srvr, SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
"Spurious SSL handshake interrupt"
"[Hint: Usually just one of those OpenSSL confusions!?]");
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
else {
/*
* Ok, anything else is a fatal error
*/
ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
"SSL handshake failed (server %s, client %s)", cpVHostID,
conn->remote_ip != NULL ? conn->remote_ip : "unknown");
/*
* try to gracefully shutdown the connection:
* - send an own shutdown message (be gracefully)
* - don't wait for peer's shutdown message (deadloop)
* - kick away the SSL stuff immediately
* - block the socket, so Apache cannot operate any more
*/
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
}
/*
* Check for failed client authentication
*/
if ( SSL_get_verify_result(ssl) != X509_V_OK
|| ap_ctx_get(fb->ctx, "ssl::verify::error") != NULL) {
cp = (char *)ap_ctx_get(fb->ctx, "ssl::verify::error");
ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL client authentication failed: %s",
cp != NULL ? cp : "unknown reason");
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
/*
* Remember the peer certificate's DN
*/
if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
ap_ctx_set(fb->ctx, "ssl::client::dn", ap_pstrdup(conn->pool, cp));
free(cp);
}
/*
* Make really sure that when a peer certificate
* is required we really got one... (be paranoid)
*/
if ( sc->nVerifyClient == SSL_CVERIFY_REQUIRE
&& ap_ctx_get(fb->ctx, "ssl::client::dn") == NULL) {
ssl_log(srvr, SSL_LOG_ERROR,
"No acceptable peer certificate available");
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
ap_bsetflag(fb, B_EOF|B_EOUT, 1);
conn->aborted = 1;
return;
}
}
/*
* Remove the timeout handling
*/
ap_set_callback_and_alarm(NULL, 0);
ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)FALSE);
/*
* Improve I/O throughput by using
* OpenSSL's read-ahead functionality
* (don't used under Win32, because
* there we use select())
*/
#ifndef WIN32
SSL_set_read_ahead(ssl, TRUE);
#endif
#ifdef SSL_VENDOR
/* Allow vendors to do more things on connection time... */
ap_hook_use("ap::mod_ssl::vendor::new_connection",
AP_HOOK_SIG2(void,ptr), AP_HOOK_ALL, conn);
#endif
return;
}
/*
* Signal handler function for the SSL handshake phase
*/
void ssl_hook_TimeoutConnection(int sig)
{
/* we just set a flag for the handshake processing loop */
ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)TRUE);
return;
}
/*
* Close the SSL part of the socket connection
* (called immediately _before_ the socket is closed)
*/
void ssl_hook_CloseConnection(conn_rec *conn)
{
SSL *ssl;
char *cpType;
ssl = ap_ctx_get(conn->client->ctx, "ssl");
if (ssl == NULL)
return;
/*
* First make sure that no more data is pending in Apache's BUFF,
* because when it's (implicitly) flushed later by the ap_bclose()
* calls of Apache it would lead to an I/O error in the browser due
* to the fact that the SSL layer was already removed by us.
*/
ap_bflush(conn->client);
/*
* Now close the SSL layer of the connection. We've to take
* the TLSv1 standard into account here:
*
* | 7.2.1. Closure alerts
* |
* | The client and the server must share knowledge that the connection is
* | ending in order to avoid a truncation attack. Either party may
* | initiate the exchange of closing messages.
* |
* | close_notify
* | This message notifies the recipient that the sender will not send
* | any more messages on this connection. The session becomes
* | unresumable if any connection is terminated without proper
* | close_notify messages with level equal to warning.
* |
* | Either party may initiate a close by sending a close_notify alert.
* | Any data received after a closure alert is ignored.
* |
* | Each party is required to send a close_notify alert before closing
* | the write side of the connection. It is required that the other party
* | respond with a close_notify alert of its own and close down the
* | connection immediately, discarding any pending writes. It is not
* | required for the initiator of the close to wait for the responding
* | close_notify alert before closing the read side of the connection.
*
* This means we've to send a close notify message, but haven't to wait
* for the close notify of the client. Actually we cannot wait for the
* close notify of the client because some clients (including Netscape
* 4.x) don't send one, so we would hang.
*/
/*
* exchange close notify messages, but allow the user
* to force the type of handshake via SetEnvIf directive
*/
if (ap_ctx_get(conn->client->ctx, "ssl::flag::unclean-shutdown") == PTRUE) {
/* perform no close notify handshake at all
(violates the SSL/TLS standard!) */
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
cpType = "unclean";
}
else if (ap_ctx_get(conn->client->ctx, "ssl::flag::accurate-shutdown") == PTRUE) {
/* send close notify and wait for clients close notify
(standard compliant, but usually causes connection hangs) */
SSL_set_shutdown(ssl, 0);
cpType = "accurate";
}
else {
/* send close notify, but don't wait for clients close notify
(standard compliant and safe, so it's the DEFAULT!) */
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
cpType = "standard";
}
SSL_smart_shutdown(ssl);
/* deallocate the SSL connection */
SSL_free(ssl);
ap_ctx_set(conn->client->ctx, "ssl", NULL);
/* and finally log the fact that we've closed the connection */
ssl_log(conn->server, SSL_LOG_INFO,
"Connection to child %d closed with %s shutdown (server %s, client %s)",
conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server),
conn->remote_ip != NULL ? conn->remote_ip : "unknown");
return;
}
/*
* Post Read Request Handler
*/
int ssl_hook_ReadReq(request_rec *r)
{
SSL *ssl;
ap_ctx *apctx;
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
ssl = ap_ctx_get(r->connection->client->ctx, "ssl");
if (ssl != NULL) {
apctx = SSL_get_app_data2(ssl);
ap_ctx_set(apctx, "ssl::request_rec", r);
}
/*
* Force the mod_ssl content handler when URL indicates this
*/
if (strEQn(r->uri, "/mod_ssl:", 9))
r->handler = "mod_ssl:content-handler";
if (ssl != NULL) {
ap_ctx_set(r->ctx, "ap::http::method", "https");
ap_ctx_set(r->ctx, "ap::default::port", "443");
}
else {
ap_ctx_set(r->ctx, "ap::http::method", NULL);
ap_ctx_set(r->ctx, "ap::default::port", NULL);
}
return DECLINED;
}
/*
* URL Translation Handler
*/
int ssl_hook_Translate(request_rec *r)
{
if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
return DECLINED;
/*
* Log information about incoming HTTPS requests
*/
if (ap_is_initial_req(r))
ssl_log(r->server, SSL_LOG_INFO,
"%s HTTPS request received for child %d (server %s)",
r->connection->keepalives <= 0 ?
"Initial (No.1)" :
ap_psprintf(r->pool, "Subsequent (No.%d)",
r->connection->keepalives+1),
r->connection->child_num,
ssl_util_vhostid(r->pool, r->server));
/*
* Move SetEnvIf information from request_rec to conn_rec/BUFF
* to allow the close connection handler to use them.
*/
if (ap_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL)
ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PTRUE);
else
ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PFALSE);
if (ap_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL)
ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PTRUE);
else
ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PFALSE);
return DECLINED;
}
/*
* Content Handler
*/
int ssl_hook_Handler(request_rec *r)
{
int port;
char *thisport;
char *thisurl;
if (strNEn(r->uri, "/mod_ssl:", 9))
return DECLINED;
if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
thisport = "";
port = ap_get_server_port(r);
if (!ap_is_default_port(port, r))
thisport = ap_psprintf(r->pool, ":%u", port);
thisurl = ap_psprintf(r->pool, "https://%s%s/",
ap_get_server_name(r), thisport);
ap_table_setn(r->notes, "error-notes", ap_psprintf(r->pool,
"Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>\n"
"Instead use the HTTPS scheme to access this URL, please.<BR>\n"
"<BLOCKQUOTE>Hint: <A HREF=\"%s\"><B>%s</B></A></BLOCKQUOTE>",
thisurl, thisurl));
}
return HTTP_BAD_REQUEST;
}
/*
* Access Handler
*/
int ssl_hook_Access(request_rec *r)
{
SSLDirConfigRec *dc;
SSLSrvConfigRec *sc;
SSL *ssl;
SSL_CTX *ctx = NULL;
array_header *apRequirement;
ssl_require_t *pRequirements;
ssl_require_t *pRequirement;
char *cp;
int ok;
int i;
BOOL renegotiate;
BOOL renegotiate_quick;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
BOOL reconfigured_locations;
STACK_OF(X509_NAME) *skCAList;
char *cpCAPath;
char *cpCAFile;
#endif
X509 *cert;
STACK_OF(X509) *certstack;
X509_STORE *certstore;
X509_STORE_CTX certstorectx;
int depth;
STACK_OF(SSL_CIPHER) *skCipherOld;
STACK_OF(SSL_CIPHER) *skCipher;
SSL_CIPHER *pCipher;
ap_ctx *apctx;
int nVerifyOld;
int nVerify;
int n;
void *vp;
int rc;
dc = myDirConfig(r);
sc = mySrvConfig(r->server);
ssl = ap_ctx_get(r->connection->client->ctx, "ssl");
if (ssl != NULL)
ctx = SSL_get_SSL_CTX(ssl);
/*
* Support for SSLRequireSSL directive
*/
if (dc->bSSLRequired && ssl == NULL) {
ap_log_reason("SSL connection required", r->filename, r);
/* remember forbidden access for strict require option */
ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return FORBIDDEN;
}
/*
* Check to see if SSL protocol is on
*/
if (!sc->bEnabled)
return DECLINED;
if (ssl == NULL)
return DECLINED;
/*
* Support for per-directory reconfigured SSL connection parameters.
*
* This is implemented by forcing an SSL renegotiation with the
* reconfigured parameter suite. But Apache's internal API processing
* makes our life very hard here, because when internal sub-requests occur
* we nevertheless should avoid multiple unnecessary SSL handshakes (they
* require extra network I/O and especially time to perform).
*
* But the optimization for filtering out the unnecessary handshakes isn't
* obvious and trivial. Especially because while Apache is in its
* sub-request processing the client could force additional handshakes,
* too. And these take place perhaps without our notice. So the only
* possibility is to explicitly _ask_ OpenSSL whether the renegotiation
* has to be performed or not. It has to performed when some parameters
* which were previously known (by us) are not those we've now
* reconfigured (as known by OpenSSL) or (in optimized way) at least when
* the reconfigured parameter suite is stronger (more restrictions) than
* the currently active one.
*/
renegotiate = FALSE;
renegotiate_quick = FALSE;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
reconfigured_locations = FALSE;
#endif
/*
* Override of SSLCipherSuite
*
* We provide two options here:
*
* o The paranoid and default approach where we force a renegotiation when
* the cipher suite changed in _any_ way (which is straight-forward but
* often forces renegotiations too often and is perhaps not what the
* user actually wanted).
*
* o The optimized and still secure way where we force a renegotiation
* only if the currently active cipher is no longer contained in the
* reconfigured/new cipher suite. Any other changes are not important
* because it's the servers choice to select a cipher from the ones the
* client supports. So as long as the current cipher is still in the new
* cipher suite we're happy. Because we can assume we would have
* selected it again even when other (better) ciphers exists now in the
* new cipher suite. This approach is fine because the user explicitly
* has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
* implicit optimizations.
*/
if (dc->szCipherSuite != NULL) {
/* remember old state */
pCipher = NULL;
skCipherOld = NULL;
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
pCipher = SSL_get_current_cipher(ssl);
else {
skCipherOld = SSL_get_ciphers(ssl);
if (skCipherOld != NULL)
skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
}
/* configure new state */
if (!SSL_set_cipher_list(ssl, dc->szCipherSuite)) {
ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
"Unable to reconfigure (per-directory) permitted SSL ciphers");
if (skCipherOld != NULL)
sk_SSL_CIPHER_free(skCipherOld);
return FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
skCipher = SSL_get_ciphers(ssl);
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
/* optimized way */
if ((pCipher == NULL && skCipher != NULL) ||
(pCipher != NULL && skCipher == NULL) )
renegotiate = TRUE;
else if (pCipher != NULL && skCipher != NULL
&& sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
renegotiate = TRUE;
}
}
else {
/* paranoid way */
if ((skCipherOld == NULL && skCipher != NULL) ||
(skCipherOld != NULL && skCipher == NULL) )
renegotiate = TRUE;
else if (skCipherOld != NULL && skCipher != NULL) {
for (n = 0; !renegotiate && n < sk_SSL_CIPHER_num(skCipher); n++) {
if (sk_SSL_CIPHER_find(skCipherOld, sk_SSL_CIPHER_value(skCipher, n)) < 0)
renegotiate = TRUE;
}
for (n = 0; !renegotiate && n < sk_SSL_CIPHER_num(skCipherOld); n++) {
if (sk_SSL_CIPHER_find(skCipher, sk_SSL_CIPHER_value(skCipherOld, n)) < 0)
renegotiate = TRUE;
}
}
}
/* cleanup */
if (skCipherOld != NULL)
sk_SSL_CIPHER_free(skCipherOld);
/* tracing */
if (renegotiate)
ssl_log(r->server, SSL_LOG_TRACE,
"Reconfigured cipher suite will force renegotiation");
}
/*
* override of SSLVerifyDepth
*
* The depth checks are handled by us manually inside the verify callback
* function and not by OpenSSL internally (and our function is aware of
* both the per-server and per-directory contexts). So we cannot ask
* OpenSSL about the currently verify depth. Instead we remember it in our
* ap_ctx attached to the SSL* of OpenSSL. We've to force the
* renegotiation if the reconfigured/new verify depth is less than the
* currently active/remembered verify depth (because this means more
* restriction on the certificate chain).
*/
if (dc->nVerifyDepth != UNSET) {
apctx = SSL_get_app_data2(ssl);
if ((vp = ap_ctx_get(apctx, "ssl::verify::depth")) != NULL)
n = (int)AP_CTX_PTR2NUM(vp);
else
n = sc->nVerifyDepth;
ap_ctx_set(apctx, "ssl::verify::depth",
AP_CTX_NUM2PTR(dc->nVerifyDepth));
/* determine whether a renegotiation has to be forced */
if (dc->nVerifyDepth < n) {
renegotiate = TRUE;
ssl_log(r->server, SSL_LOG_TRACE,
"Reduced client verification depth will force renegotiation");
}
}
/*
* override of SSLVerifyClient
*
* We force a renegotiation if the reconfigured/new verify type is
* stronger than the currently active verify type.
*
* The order is: none << optional_no_ca << optional << require
*
* Additionally the following optimization is possible here: When the
* currently active verify type is "none" but a client certificate is
* already known/present, it's enough to manually force a client
* verification but at least skip the I/O-intensive renegotation
* handshake.
*/
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
/* remember old state */
nVerifyOld = SSL_get_verify_mode(ssl);
/* configure new state */
nVerify = SSL_VERIFY_NONE;
if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE)
nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
if ( (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL)
|| (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )
nVerify |= SSL_VERIFY_PEER;
SSL_set_verify(ssl, nVerify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
if (nVerify != nVerifyOld) {
if ( ( (nVerifyOld == SSL_VERIFY_NONE)
&& (nVerify != SSL_VERIFY_NONE))
|| ( !(nVerifyOld & SSL_VERIFY_PEER)
&& (nVerify & SSL_VERIFY_PEER))
|| ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
&& (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) {
renegotiate = TRUE;
/* optimization */
if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE
&& nVerifyOld == SSL_VERIFY_NONE
&& SSL_get_peer_certificate(ssl) != NULL)
renegotiate_quick = TRUE;
ssl_log(r->server, SSL_LOG_TRACE,
"Changed client verification type will force %srenegotiation",
renegotiate_quick ? "quick " : "");
}
}
}
/*
* override SSLCACertificateFile & SSLCACertificatePath
* This is tagged experimental because it has to use an ugly kludge: We
* have to change the locations inside the SSL_CTX* (per-server global)
* instead inside SSL* (per-connection local) and reconfigure it to the
* old values later. That's problematic at least for the threaded process
* model of Apache under Win32 or when an error occurs. But unless
* OpenSSL provides a SSL_load_verify_locations() function we've no other
* chance to provide this functionality...
*/
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if ( ( dc->szCACertificateFile != NULL
&& ( sc->szCACertificateFile == NULL
|| ( sc->szCACertificateFile != NULL
&& strNE(dc->szCACertificateFile, sc->szCACertificateFile))))
|| ( dc->szCACertificatePath != NULL
&& ( sc->szCACertificatePath == NULL
|| ( sc->szCACertificatePath != NULL
&& strNE(dc->szCACertificatePath, sc->szCACertificatePath)))) ) {
cpCAFile = dc->szCACertificateFile != NULL ?
dc->szCACertificateFile : sc->szCACertificateFile;
cpCAPath = dc->szCACertificatePath != NULL ?
dc->szCACertificatePath : sc->szCACertificatePath;
/*
FIXME: This should be...
if (!SSL_load_verify_locations(ssl, cpCAFile, cpCAPath)) {
...but OpenSSL still doesn't provide this!
*/
if (!SSL_CTX_load_verify_locations(ctx, cpCAFile, cpCAPath)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"for client authentication");
return FORBIDDEN;
}
if ((skCAList = ssl_init_FindCAList(r->server, r->pool,
cpCAFile, cpCAPath)) == NULL) {
ssl_log(r->server, SSL_LOG_ERROR,
"Unable to determine list of available "
"CA certificates for client authentication");
return FORBIDDEN;
}
SSL_set_client_CA_list(ssl, skCAList);
renegotiate = TRUE;
reconfigured_locations = TRUE;
ssl_log(r->server, SSL_LOG_TRACE,
"Changed client verification locations will force renegotiation");
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
#ifdef SSL_CONSERVATIVE
/*
* SSL renegotiations in conjunction with HTTP
* requests using the POST method are not supported.
*/
if (renegotiate && r->method_number == M_POST) {
ssl_log(r->server, SSL_LOG_ERROR,
"SSL Re-negotiation in conjunction with POST method not supported!");
ssl_log(r->server, SSL_LOG_INFO,
"You have to compile without -DSSL_CONSERVATIVE to enabled support for this.");
return METHOD_NOT_ALLOWED;
}
#endif /* SSL_CONSERVATIVE */
/*
* now do the renegotiation if anything was actually reconfigured
*/
if (renegotiate) {
/*
* Now we force the SSL renegotation by sending the Hello Request
* message to the client. Here we have to do a workaround: Actually
* OpenSSL returns immediately after sending the Hello Request (the
* intent AFAIK is because the SSL/TLS protocol says it's not a must
* that the client replies to a Hello Request). But because we insist
* on a reply (anything else is an error for us) we have to go to the
* ACCEPT state manually. Using SSL_set_accept_state() doesn't work
* here because it resets too much of the connection. So we set the
* state explicitly and continue the handshake manually.
*/
ssl_log(r->server, SSL_LOG_INFO, "Requesting connection re-negotiation");
if (renegotiate_quick) {
/* perform just a manual re-verification of the peer */
ssl_log(r->server, SSL_LOG_TRACE,
"Performing quick renegotiation: just re-verifying the peer");
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage");
return FORBIDDEN;
}
certstack = SSL_get_peer_cert_chain(ssl);
if (certstack == NULL || sk_X509_num(certstack) == 0) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
return FORBIDDEN;
}
cert = sk_X509_value(certstack, 0);
X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack);
depth = SSL_get_verify_depth(ssl);
if (depth >= 0)
X509_STORE_CTX_set_depth(&certstorectx, depth);
X509_STORE_CTX_set_ex_data(&certstorectx,
SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl);
if (!X509_verify_cert(&certstorectx))
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Re-negotiation verification step failed");
SSL_set_verify_result(ssl, certstorectx.error);
X509_STORE_CTX_cleanup(&certstorectx);
}
else {
/* do a full renegotiation */
ssl_log(r->server, SSL_LOG_TRACE,
"Performing full renegotiation: complete handshake protocol");
if (r->main != NULL)
SSL_set_session_id_context(ssl, (unsigned char *)&(r->main), sizeof(r->main));
else
SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r));
#ifndef SSL_CONSERVATIVE
ssl_io_suck(r, ssl);
#endif
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed");
return FORBIDDEN;
}
ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake");
SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Not accepted by client!?");
return FORBIDDEN;
}
}
/*
* Remember the peer certificate's DN
*/
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
ap_ctx_set(r->connection->client->ctx, "ssl::client::dn",
ap_pstrdup(r->connection->pool, cp));
free(cp);
}
/*
* Finally check for acceptable renegotiation results
*/
if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE
&& SSL_get_verify_result(ssl) != X509_V_OK ) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Client verification failed");
return FORBIDDEN;
}
if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE
&& SSL_get_peer_certificate(ssl) == NULL ) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Client certificate missing");
return FORBIDDEN;
}
}
}
/*
* Under old OpenSSL we had to change the X509_STORE inside the
* SSL_CTX instead inside the SSL structure, so we have to reconfigure it
* to the old values. This should be changed with forthcoming OpenSSL
* versions when better functionality is avaiable.
*/
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (renegotiate && reconfigured_locations) {
if (!SSL_CTX_load_verify_locations(ctx,
sc->szCACertificateFile, sc->szCACertificatePath)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"to per-server configuration parameters");
return FORBIDDEN;
}
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
/*
* Check SSLRequire boolean expressions
*/
apRequirement = dc->aRequirement;
pRequirements = (ssl_require_t *)apRequirement->elts;
for (i = 0; i < apRequirement->nelts; i++) {
pRequirement = &pRequirements[i];
ok = ssl_expr_exec(r, pRequirement->mpExpr);
if (ok < 0) {
cp = ap_psprintf(r->pool, "Failed to execute SSL requirement expression: %s",
ssl_expr_get_error());
ap_log_reason(cp, r->filename, r);
/* remember forbidden access for strict require option */
ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return FORBIDDEN;
}
if (ok != 1) {
ssl_log(r->server, SSL_LOG_INFO,
"Access to %s denied for %s (requirement expression not fulfilled)",
r->filename, r->connection->remote_ip);
ssl_log(r->server, SSL_LOG_INFO,
"Failed expression: %s", pRequirement->cpExpr);
ap_log_reason("SSL requirement expression not fulfilled "
"(see SSL logfile for more details)", r->filename, r);
/* remember forbidden access for strict require option */
ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return FORBIDDEN;
}
}
/*
* Else access is granted from our point of view (except vendor
* handlers override). But we have to return DECLINED here instead
* of OK, because mod_auth and other modules still might want to
* deny access.
*/
rc = DECLINED;
#ifdef SSL_VENDOR
ap_hook_use("ap::mod_ssl::vendor::access_handler",
AP_HOOK_SIG2(int,ptr), AP_HOOK_DECLINE(DECLINED),
&rc, r);
#endif
return rc;
}
/*
* Auth Handler:
* Fake a Basic authentication from the X509 client certificate.
*
* This must be run fairly early on to prevent a real authentication from
* occuring, in particular it must be run before anything else that
* authenticates a user. This means that the Module statement for this
* module should be LAST in the Configuration file.
*/
int ssl_hook_Auth(request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN];
char *clientdn;
const char *cpAL;
const char *cpUN;
const char *cpPW;
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
&& (ap_table_get(r->notes, "ssl-access-forbidden") != NULL))
return FORBIDDEN;
/*
* Make sure the user is not able to fake the client certificate
* based authentication by just entering an X.509 Subject DN
* ("/XX=YYY/XX=YYY/..") as the username and "password" as the
* password.
*/
if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) {
if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) {
while (*cpAL == ' ' || *cpAL == '\t')
cpAL++;
cpAL = ap_pbase64decode(r->pool, cpAL);
cpUN = ap_getword_nulls(r->pool, &cpAL, ':');
cpPW = cpAL;
if (cpUN[0] == '/' && strEQ(cpPW, "password"))
return FORBIDDEN;
}
}
/*
* We decline operation in various situations...
*/
if (!sc->bEnabled)
return DECLINED;
if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
return DECLINED;
if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH))
return DECLINED;
if (r->connection->user)
return DECLINED;
if ((clientdn = (char *)ap_ctx_get(r->connection->client->ctx, "ssl::client::dn")) == NULL)
return DECLINED;
/*
* Fake a password - which one would be immaterial, as, it seems, an empty
* password in the users file would match ALL incoming passwords, if only
* we were using the standard crypt library routine. Unfortunately, OpenSSL
* "fixes" a "bug" in crypt and thus prevents blank passwords from
* working. (IMHO what they really fix is a bug in the users of the code
* - failing to program correctly for shadow passwords). We need,
* therefore, to provide a password. This password can be matched by
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
ap_snprintf(b1, sizeof(b1), "%s:password", clientdn);
ssl_util_uuencode(b2, b1, FALSE);
ap_snprintf(b1, sizeof(b1), "Basic %s", b2);
ap_table_set(r->headers_in, "Authorization", b1);
ssl_log(r->server, SSL_LOG_INFO,
"Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
return DECLINED;
}
int ssl_hook_UserCheck(request_rec *r)
{
SSLDirConfigRec *dc = myDirConfig(r);
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
&& (ap_table_get(r->notes, "ssl-access-forbidden") != NULL))
return FORBIDDEN;
return DECLINED;
}
/*
* Fixup Handler
*/
static const char *ssl_hook_Fixup_vars[] = {
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
"SSL_CIPHER_ALGKEYSIZE",
"SSL_CLIENT_VERIFY",
"SSL_CLIENT_M_VERSION",
"SSL_CLIENT_M_SERIAL",
"SSL_CLIENT_V_START",
"SSL_CLIENT_V_END",
"SSL_CLIENT_S_DN",
"SSL_CLIENT_S_DN_C",
"SSL_CLIENT_S_DN_ST",
"SSL_CLIENT_S_DN_L",
"SSL_CLIENT_S_DN_O",
"SSL_CLIENT_S_DN_OU",
"SSL_CLIENT_S_DN_CN",
"SSL_CLIENT_S_DN_T",
"SSL_CLIENT_S_DN_I",
"SSL_CLIENT_S_DN_G",
"SSL_CLIENT_S_DN_S",
"SSL_CLIENT_S_DN_D",
"SSL_CLIENT_S_DN_UID",
"SSL_CLIENT_S_DN_Email",
"SSL_CLIENT_I_DN",
"SSL_CLIENT_I_DN_C",
"SSL_CLIENT_I_DN_ST",
"SSL_CLIENT_I_DN_L",
"SSL_CLIENT_I_DN_O",
"SSL_CLIENT_I_DN_OU",
"SSL_CLIENT_I_DN_CN",
"SSL_CLIENT_I_DN_T",
"SSL_CLIENT_I_DN_I",
"SSL_CLIENT_I_DN_G",
"SSL_CLIENT_I_DN_S",
"SSL_CLIENT_I_DN_D",
"SSL_CLIENT_I_DN_UID",
"SSL_CLIENT_I_DN_Email",
"SSL_CLIENT_A_KEY",
"SSL_CLIENT_A_SIG",
"SSL_SERVER_M_VERSION",
"SSL_SERVER_M_SERIAL",
"SSL_SERVER_V_START",
"SSL_SERVER_V_END",
"SSL_SERVER_S_DN",
"SSL_SERVER_S_DN_C",
"SSL_SERVER_S_DN_ST",
"SSL_SERVER_S_DN_L",
"SSL_SERVER_S_DN_O",
"SSL_SERVER_S_DN_OU",
"SSL_SERVER_S_DN_CN",
"SSL_SERVER_S_DN_T",
"SSL_SERVER_S_DN_I",
"SSL_SERVER_S_DN_G",
"SSL_SERVER_S_DN_S",
"SSL_SERVER_S_DN_D",
"SSL_SERVER_S_DN_UID",
"SSL_SERVER_S_DN_Email",
"SSL_SERVER_I_DN",
"SSL_SERVER_I_DN_C",
"SSL_SERVER_I_DN_ST",
"SSL_SERVER_I_DN_L",
"SSL_SERVER_I_DN_O",
"SSL_SERVER_I_DN_OU",
"SSL_SERVER_I_DN_CN",
"SSL_SERVER_I_DN_T",
"SSL_SERVER_I_DN_I",
"SSL_SERVER_I_DN_G",
"SSL_SERVER_I_DN_S",
"SSL_SERVER_I_DN_D",
"SSL_SERVER_I_DN_UID",
"SSL_SERVER_I_DN_Email",
"SSL_SERVER_A_KEY",
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
NULL
};
int ssl_hook_Fixup(request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
table *e = r->subprocess_env;
char *var;
char *val;
STACK_OF(X509) *sk;
SSL *ssl;
int i;
/*
* Check to see if SSL is on
*/
if (!sc->bEnabled)
return DECLINED;
if ((ssl = ap_ctx_get(r->connection->client->ctx, "ssl")) == NULL)
return DECLINED;
/*
* Annotate the SSI/CGI environment with standard SSL information
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
ap_table_set(e, "HTTPS", "on");
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
if (!strIsEmpty(val))
ap_table_set(e, var, val);
}
}
/*
* On-demand bloat up the SSI/CGI environment with certificate data
*/
if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT");
ap_table_set(e, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
ap_table_set(e, "SSL_CLIENT_CERT", val);
if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
for (i = 0; i < sk_X509_num(sk); i++) {
var = ap_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
if (val != NULL)
ap_table_set(e, var, val);
}
}
}
/*
* On-demand bloat up the SSI/CGI environment with compat variables
*/
#ifdef SSL_COMPAT
if (dc->nOptions & SSL_OPT_COMPATENVVARS)
ssl_compat_variables(r);
#endif
return DECLINED;
}
/* _________________________________________________________________
**
** OpenSSL Callback Functions
** _________________________________________________________________
*/
/*
* Handle out temporary RSA private keys on demand
*
* The background of this as the TLSv1 standard explains it:
*
* | D.1. Temporary RSA keys
* |
* | US Export restrictions limit RSA keys used for encryption to 512
* | bits, but do not place any limit on lengths of RSA keys used for
* | signing operations. Certificates often need to be larger than 512
* | bits, since 512-bit RSA keys are not secure enough for high-value
* | transactions or for applications requiring long-term security. Some
* | certificates are also designated signing-only, in which case they
* | cannot be used for key exchange.
* |
* | When the public key in the certificate cannot be used for encryption,
* | the server signs a temporary RSA key, which is then exchanged. In
* | exportable applications, the temporary RSA key should be the maximum
* | allowable length (i.e., 512 bits). Because 512-bit RSA keys are
* | relatively insecure, they should be changed often. For typical
* | electronic commerce applications, it is suggested that keys be
* | changed daily or every 500 transactions, and more often if possible.
* | Note that while it is acceptable to use the same temporary key for
* | multiple transactions, it must be signed each time it is used.
* |
* | RSA key generation is a time-consuming process. In many cases, a
* | low-priority process can be assigned the task of key generation.
* | Whenever a new key is completed, the existing temporary key can be
* | replaced with the new one.
*
* So we generated 512 and 1024 bit temporary keys on startup
* which we now just handle out on demand....
*/
RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
{
SSLModConfigRec *mc = myModConfig();
RSA *rsa;
rsa = NULL;
if (nExport) {
/* It's because an export cipher is used */
if (nKeyLen == 512)
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512];
else if (nKeyLen == 1024)
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
else
/* it's too expensive to generate on-the-fly, so keep 1024bit */
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
}
else {
/* It's because a sign-only certificate situation exists */
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
}
return rsa;
}
/*
* Handle out the already generated DH parameters...
*/
DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen)
{
SSLModConfigRec *mc = myModConfig();
DH *dh;
dh = NULL;
if (nExport) {
/* It's because an export cipher is used */
if (nKeyLen == 512)
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH512];
else if (nKeyLen == 1024)
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
else
/* it's too expensive to generate on-the-fly, so keep 1024bit */
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
}
else {
/* It's because a sign-only certificate situation exists */
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
}
return dh;
}
/*
* This OpenSSL callback function is called when OpenSSL
* does client authentication and verifies the certificate chain.
*/
int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
{
SSL *ssl;
conn_rec *conn;
server_rec *s;
request_rec *r;
SSLSrvConfigRec *sc;
SSLDirConfigRec *dc;
ap_ctx *actx;
X509 *xs;
int errnum;
int errdepth;
char *cp;
char *cp2;
int depth;
int verify;
/*
* Get Apache context back through OpenSSL context
*/
ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn = (conn_rec *)SSL_get_app_data(ssl);
actx = (ap_ctx *)SSL_get_app_data2(ssl);
r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec");
s = conn->server;
sc = mySrvConfig(s);
dc = (r != NULL ? myDirConfig(r) : NULL);
/*
* Get verify ingredients
*/
xs = X509_STORE_CTX_get_current_cert(ctx);
errnum = X509_STORE_CTX_get_error(ctx);
errdepth = X509_STORE_CTX_get_error_depth(ctx);
/*
* Log verification information
*/
cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0);
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: depth: %d, subject: %s, issuer: %s",
errdepth, cp != NULL ? cp : "-unknown-",
cp2 != NULL ? cp2 : "-unknown");
if (cp)
free(cp);
if (cp2)
free(cp2);
/*
* Check for optionally acceptable non-verifiable issuer situation
*/
if (dc != NULL && dc->nVerifyClient != SSL_CVERIFY_UNSET)
verify = dc->nVerifyClient;
else
verify = sc->nVerifyClient;
if ( ( errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
|| errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
|| errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
#if SSL_LIBRARY_VERSION >= 0x00905000
|| errnum == X509_V_ERR_CERT_UNTRUSTED
#endif
|| errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE )
&& verify == SSL_CVERIFY_OPTIONAL_NO_CA ) {
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");
ap_ctx_set(conn->client->ctx, "ssl::verify::info", "GENEROUS");
ok = TRUE;
}
/*
* Additionally perform CRL-based revocation checks
*/
if (ok) {
ok = ssl_callback_SSLVerify_CRL(ok, ctx, s);
if (!ok)
errnum = X509_STORE_CTX_get_error(ctx);
}
/*
* If we already know it's not ok, log the real reason
*/
if (!ok) {
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum));
ap_ctx_set(conn->client->ctx, "ssl::client::dn", NULL);
ap_ctx_set(conn->client->ctx, "ssl::verify::error",
(void *)X509_verify_cert_error_string(errnum));
}
/*
* Finally check the depth of the certificate verification
*/
if (dc != NULL && dc->nVerifyDepth != UNSET)
depth = dc->nVerifyDepth;
else
depth = sc->nVerifyDepth;
if (errdepth > depth) {
ssl_log(s, SSL_LOG_ERROR,
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
errdepth, depth);
ap_ctx_set(conn->client->ctx, "ssl::verify::error",
(void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
ok = FALSE;
}
/*
* And finally signal OpenSSL the (perhaps changed) state
*/
return (ok);
}
int ssl_callback_SSLVerify_CRL(
int ok, X509_STORE_CTX *ctx, server_rec *s)
{
SSLSrvConfigRec *sc;
X509_OBJECT obj;
X509_NAME *subject;
X509_NAME *issuer;
X509 *xs;
X509_CRL *crl;
X509_REVOKED *revoked;
long serial;
BIO *bio;
int i, n, rc;
char *cp;
char *cp2;
/*
* Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course.
*/
sc = mySrvConfig(s);
if (sc->pRevocationStore == NULL)
return ok;
/*
* Determine certificate ingredients in advance
*/
xs = X509_STORE_CTX_get_current_cert(ctx);
subject = X509_get_subject_name(xs);
issuer = X509_get_issuer_name(xs);
/*
* OpenSSL provides the general mechanism to deal with CRLs but does not
* use them automatically when verifying certificates, so we do it
* explicitly here. We will check the CRL for the currently checked
* certificate, if there is such a CRL in the store.
*
* We come through this procedure for each certificate in the certificate
* chain, starting with the root-CA's certificate. At each step we've to
* both verify the signature on the CRL (to make sure it's a valid CRL)
* and it's revocation list (to make sure the current certificate isn't
* revoked). But because to check the signature on the CRL we need the
* public key of the issuing CA certificate (which was already processed
* one round before), we've a little problem. But we can both solve it and
* at the same time optimize the processing by using the following
* verification scheme (idea and code snippets borrowed from the GLOBUS
* project):
*
* 1. We'll check the signature of a CRL in each step when we find a CRL
* through the _subject_ name of the current certificate. This CRL
* itself will be needed the first time in the next round, of course.
* But we do the signature processing one round before this where the
* public key of the CA is available.
*
* 2. We'll check the revocation list of a CRL in each step when
* we find a CRL through the _issuer_ name of the current certificate.
* This CRLs signature was then already verified one round before.
*
* This verification scheme allows a CA to revoke its own certificate as
* well, of course.
*/
/*
* Try to retrieve a CRL corresponding to the _subject_ of
* the current certificate in order to verify it's integrity.
*/
memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->pRevocationStore, X509_LU_CRL, subject, &obj);
crl = obj.data.crl;
if (rc > 0 && crl != NULL) {
/*
* Log information about CRL
* (A little bit complicated because of ASN.1 and BIOs...)
*/
if (ssl_log_applies(s, SSL_LOG_TRACE)) {
bio = BIO_new(BIO_s_mem());
BIO_printf(bio, "lastUpdate: ");
ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));
BIO_printf(bio, ", nextUpdate: ");
ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
n = BIO_pending(bio);
cp = malloc(n+1);
n = BIO_read(bio, cp, n);
cp[n] = NUL;
BIO_free(bio);
cp2 = X509_NAME_oneline(subject, NULL, 0);
ssl_log(s, SSL_LOG_TRACE, "CA CRL: Issuer: %s, %s", cp2, cp);
free(cp2);
free(cp);
}
/*
* Verify the signature on this CRL
*/
if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
ssl_log(s, SSL_LOG_WARN, "Invalid signature on CRL");
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
X509_OBJECT_free_contents(&obj);
return FALSE;
}
/*
* Check date of CRL to make sure it's not expired
*/
i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
if (i == 0) {
ssl_log(s, SSL_LOG_WARN, "Found CRL has invalid nextUpdate field");
X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
X509_OBJECT_free_contents(&obj);
return FALSE;
}
if (i < 0) {
ssl_log(s, SSL_LOG_WARN,
"Found CRL is expired - "
"revoking all certificates until you get updated CRL");
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
X509_OBJECT_free_contents(&obj);
return FALSE;
}
X509_OBJECT_free_contents(&obj);
}
/*
* Try to retrieve a CRL corresponding to the _issuer_ of
* the current certificate in order to check for revocation.
*/
memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->pRevocationStore, X509_LU_CRL, issuer, &obj);
crl = obj.data.crl;
if (rc > 0 && crl != NULL) {
/*
* Check if the current certificate is revoked by this CRL
*/
#if SSL_LIBRARY_VERSION < 0x00904000
n = sk_num(X509_CRL_get_REVOKED(crl));
#else
n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
#endif
for (i = 0; i < n; i++) {
#if SSL_LIBRARY_VERSION < 0x00904000
revoked = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);
#else
revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
#endif
if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0) {
serial = ASN1_INTEGER_get(revoked->serialNumber);
cp = X509_NAME_oneline(issuer, NULL, 0);
ssl_log(s, SSL_LOG_INFO,
"Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s",
serial, serial, cp);
free(cp);
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
X509_OBJECT_free_contents(&obj);
return FALSE;
}
}
X509_OBJECT_free_contents(&obj);
}
return ok;
}
/*
* This callback function is executed by OpenSSL whenever a new SSL_SESSION is
* added to the internal OpenSSL session cache. We use this hook to spread the
* SSL_SESSION also to the inter-process disk-cache to make share it with our
* other Apache pre-forked server processes.
*/
int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
{
conn_rec *conn;
server_rec *s;
SSLSrvConfigRec *sc;
long t;
BOOL rc;
/*
* Get Apache context back through OpenSSL context
*/
conn = (conn_rec *)SSL_get_app_data(ssl);
s = conn->server;
sc = mySrvConfig(s);
/*
* Set the timeout also for the internal OpenSSL cache, because this way
* our inter-process cache is consulted only when it's really necessary.
*/
t = sc->nSessionCacheTimeout;
SSL_set_timeout(pNew, t);
/*
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
rc = ssl_scache_store(s, pNew->session_id, pNew->session_id_length, t, pNew);
/*
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=SET status=%s id=%s timeout=%ds (session caching)",
rc == TRUE ? "OK" : "BAD",
SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
t-time(NULL));
/*
* return 0 which means to OpenSSL that the pNew is still
* valid and was not freed by us with SSL_SESSION_free().
*/
return 0;
}
/*
* This callback function is executed by OpenSSL whenever a
* SSL_SESSION is looked up in the internal OpenSSL cache and it
* was not found. We use this to lookup the SSL_SESSION in the
* inter-process disk-cache where it was perhaps stored by one
* of our other Apache pre-forked server processes.
*/
SSL_SESSION *ssl_callback_GetSessionCacheEntry(
SSL *ssl, unsigned char *id, int idlen, int *pCopy)
{
conn_rec *conn;
server_rec *s;
SSL_SESSION *pSession;
/*
* Get Apache context back through OpenSSL context
*/
conn = (conn_rec *)SSL_get_app_data(ssl);
s = conn->server;
/*
* Try to retrieve the SSL_SESSION from the inter-process cache
*/
pSession = ssl_scache_retrieve(s, id, idlen);
/*
* Log this cache operation
*/
if (pSession != NULL)
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=GET status=FOUND id=%s (session reuse)",
SSL_SESSION_id2sz(id, idlen));
else
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=GET status=MISSED id=%s (session renewal)",
SSL_SESSION_id2sz(id, idlen));
/*
* Return NULL or the retrieved SSL_SESSION. But indicate (by
* setting pCopy to 0) that the reference count on the
* SSL_SESSION should not be incremented by the SSL library,
* because we will no longer hold a reference to it ourself.
*/
*pCopy = 0;
return pSession;
}
/*
* This callback function is executed by OpenSSL whenever a
* SSL_SESSION is removed from the the internal OpenSSL cache.
* We use this to remove the SSL_SESSION in the inter-process
* disk-cache, too.
*/
void ssl_callback_DelSessionCacheEntry(
SSL_CTX *ctx, SSL_SESSION *pSession)
{
server_rec *s;
/*
* Get Apache context back through OpenSSL context
*/
s = (server_rec *)SSL_CTX_get_app_data(ctx);
if (s == NULL) /* on server shutdown Apache is already gone */
return;
/*
* Remove the SSL_SESSION from the inter-process cache
*/
ssl_scache_remove(s, pSession->session_id, pSession->session_id_length);
/*
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=REM status=OK id=%s (session dead)",
SSL_SESSION_id2sz(pSession->session_id,
pSession->session_id_length));
return;
}
/*
* This callback function is executed while OpenSSL processes the
* SSL handshake and does SSL record layer stuff. We use it to
* trace OpenSSL's processing in out SSL logfile.
*/
void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
{
conn_rec *c;
server_rec *s;
SSLSrvConfigRec *sc;
char *str;
/*
* find corresponding server
*/
if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
return;
s = c->server;
if ((sc = mySrvConfig(s)) == NULL)
return;
/*
* create the various trace messages
*/
if (sc->nLogLevel >= SSL_LOG_TRACE) {
if (where & SSL_CB_HANDSHAKE_START)
ssl_log(s, SSL_LOG_TRACE, "%s: Handshake: start", SSL_LIBRARY_NAME);
else if (where & SSL_CB_HANDSHAKE_DONE)
ssl_log(s, SSL_LOG_TRACE, "%s: Handshake: done", SSL_LIBRARY_NAME);
else if (where & SSL_CB_LOOP)
ssl_log(s, SSL_LOG_TRACE, "%s: Loop: %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
else if (where & SSL_CB_READ)
ssl_log(s, SSL_LOG_TRACE, "%s: Read: %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
else if (where & SSL_CB_WRITE)
ssl_log(s, SSL_LOG_TRACE, "%s: Write: %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ) ? "read" : "write";
ssl_log(s, SSL_LOG_TRACE, "%s: Alert: %s:%s:%s\n",
SSL_LIBRARY_NAME, str,
SSL_alert_type_string_long(rc),
SSL_alert_desc_string_long(rc));
}
else if (where & SSL_CB_EXIT) {
if (rc == 0)
ssl_log(s, SSL_LOG_TRACE, "%s: Exit: failed in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
else if (rc < 0)
ssl_log(s, SSL_LOG_TRACE, "%s: Exit: error in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
}
/*
* Because SSL renegotations can happen at any time (not only after
* SSL_accept()), the best way to log the current connection details is
* right after a finished handshake.
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
ssl_log(s, SSL_LOG_INFO,
"Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
}
return;
}