/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
*/
/* _ _ * _ __ ___ ___ __| | ___ ___| | mod_ssl * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL * | | | | | | (_) | (_| | \__ \__ \ | * |_| |_| |_|\___/ \__,_|___|___/___/_| * |_____| * ssl_engine_kernel.c * The SSL engine kernel
*/ /* ``It took me fifteen years to discover I had no talent for programming, but I couldn't give it up because by that time I was too famous.''
-- Unknown */ #include"ssl_private.h" #include"mod_ssl.h" #include"util_md5.h" #include"scoreboard.h"
/* Perform a speculative (and non-blocking) read from the connection * filters for the given request, to determine whether there is any
* pending data to read. Return non-zero if there is, else zero. */ staticint has_buffered_data(request_rec *r)
{
apr_bucket_brigade *bb;
apr_off_t len;
apr_status_t rv; int result;
/* If a renegotiation is required for the location, and the request * includes a message body (and the client has not requested a "100 * Continue" response), then the client will be streaming the request * body over the wire already. In that case, it is not possible to * stop and perform a new SSL handshake immediately; once the SSL * library moves to the "accept" state, it will reject the SSL packets * which the client is sending for the request body. * * To allow authentication to complete in the hook, the solution used * here is to fill a (bounded) buffer with the request body, and then * to reinject that request body later. * * This function is called to fill the renegotiation buffer for the * location as required, or fail. Returns zero on success or HTTP_ * error code on failure.
*/ staticint fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
{ int rv;
apr_size_t rsize;
/* ### this is HTTP/1.1 specific, special case for protocol? */ if (r->expecting_100 || !ap_request_has_body(r)) { return 0;
}
rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize; if (rsize > 0) { /* Fill the I/O buffer with the request body if possible. */
rv = ssl_io_buffer_fill(r, rsize);
} else { /* If the reneg buffer size is set to zero, just fail. */
rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
}
for (i = 0; i < s1->nelts; i++) {
c = APR_ARRAY_IDX(s1, i, constchar *); if (!c || !ap_array_str_contains(s2, c)) { return 0;
}
} return 1;
}
staticint ssl_pk_server_compatible(modssl_pk_server_t *pks1,
modssl_pk_server_t *pks2)
{ if (!pks1 || !pks2) { return 0;
} /* both have the same certificates? */ if ((pks1->ca_name_path != pks2->ca_name_path)
&& (!pks1->ca_name_path || !pks2->ca_name_path
|| strcmp(pks1->ca_name_path, pks2->ca_name_path))) { return 0;
} if ((pks1->ca_name_file != pks2->ca_name_file)
&& (!pks1->ca_name_file || !pks2->ca_name_file
|| strcmp(pks1->ca_name_file, pks2->ca_name_file))) { return 0;
} if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files)
|| !ap_array_same_str_set(pks1->key_files, pks2->key_files)) { return 0;
} return 1;
}
staticint ssl_auth_compatible(modssl_auth_ctx_t *a1,
modssl_auth_ctx_t *a2)
{ if (!a1 || !a2) { return 0;
} /* both have the same verification */ if ((a1->verify_depth != a2->verify_depth)
|| (a1->verify_mode != a2->verify_mode)) { return 0;
} /* both have the same ca path/file */ if ((a1->ca_cert_path != a2->ca_cert_path)
&& (!a1->ca_cert_path || !a2->ca_cert_path
|| strcmp(a1->ca_cert_path, a2->ca_cert_path))) { return 0;
} if ((a1->ca_cert_file != a2->ca_cert_file)
&& (!a1->ca_cert_file || !a2->ca_cert_file
|| strcmp(a1->ca_cert_file, a2->ca_cert_file))) { return 0;
} /* both have the same ca cipher suite string */ if ((a1->cipher_suite != a2->cipher_suite)
&& (!a1->cipher_suite || !a2->cipher_suite
|| strcmp(a1->cipher_suite, a2->cipher_suite))) { return 0;
} /* both have the same ca cipher suite string */ if ((a1->tls13_ciphers != a2->tls13_ciphers)
&& (!a1->tls13_ciphers || !a2->tls13_ciphers
|| strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) { return 0;
} return 1;
}
/* If we are on a slave connection, we do not expect to have an SSLConnRec,
* but our master connection might. */
sslconn = myConnConfig(r->connection); if (!(sslconn && sslconn->ssl) && r->connection->master) {
sslconn = myConnConfig(r->connection->master);
}
if (!sslconn) { return DECLINED;
}
if (sslconn->service_unavailable) { /* This is set when the SSL properties of this connection are * incomplete or if this connection was made to challenge a * particular hostname (ACME). We never serve any request on
* such a connection. */ /* TODO: a retry-after indicator would be nice here */ return HTTP_SERVICE_UNAVAILABLE;
}
if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
apr_table_setn(r->notes, "error-notes", "Reason: You're speaking plain HTTP to an SSL-enabled " "server port. \n Instead use the HTTPS scheme to " "access this URL, please. \n");
/* Now that we have caught this error, forget it. we are done * with using SSL on this request.
*/
sslconn->non_ssl_request = NON_SSL_OK;
return HTTP_BAD_REQUEST;
}
/* * Get the SSL connection structure and perform the * delayed interlinking from SSL back to request_rec
*/
ssl = sslconn->ssl; if (!ssl) { return DECLINED;
} #ifdef HAVE_TLSEXT /* * Perform SNI checks only on the initial request. In particular, * if these checks detect a problem, the checks shouldn't return an * error again when processing an ErrorDocument redirect for the * original problem.
*/ if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) {
server_rec *handshakeserver = sslconn->server;
SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { /* * The SNI extension supplied a hostname. So don't accept requests * with either no hostname or a hostname that selected a different * virtual host than the one used for the handshake, causing * different SSL parameters to be applied, such as SSLProtocol, * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which * cannot be renegotiated (SSLCA* due to current limitations in * OpenSSL, see: * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E * and * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E * )
*/ if (!r->hostname) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02031) "Hostname %s provided via SNI, but no hostname" " provided in HTTP request", servername); return HTTP_BAD_REQUEST;
}
} elseif (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
|| hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
&& r->connection->vhost_lookup_data) { /* * We are using a name based configuration here, but no hostname was * provided via SNI. Don't allow that if are requested to do strict * checking. Check whether this strict checking was set up either in the * server config we used for handshaking or in our current server. * This should avoid insecure configuration by accident.
*/
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02033) "No hostname was provided via SNI for a name based" " virtual host");
apr_table_setn(r->notes, "error-notes", "Reason: The client software did not provide a " "hostname using Server Name Indication (SNI), " "which is required to access this server. \n"); return HTTP_FORBIDDEN;
} if (r->server != handshakeserver
&& !ssl_server_compatible(sslconn->server, r->server)) { /* * The request does not select the virtual host that was * selected for handshaking and its SSL parameters are different
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032) "Hostname %s %s and hostname %s provided" " via HTTP have no compatible SSL setup",
servername ? servername : handshakeserver->server_hostname,
servername ? "provided via SNI" : "(default host as no SNI was provided)",
r->hostname); return HTTP_MISDIRECTED_REQUEST;
}
} #endif
modssl_set_app_data2(ssl, r);
/* * Log information about incoming HTTPS requests
*/ if (APLOGrinfo(r) && ap_is_initial_req(r)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02034) "%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ? "Initial (No.1)" :
apr_psprintf(r->pool, "Subsequent (No.%d)",
r->connection->keepalives+1)),
r->connection->id,
ssl_util_vhostid(r->pool, r->server));
}
/* SetEnvIf ssl-*-shutdown flags can only be per-server, * so they won't change across keepalive requests
*/ if (sslconn->shutdown_type == SSL_SHUTDOWN_TYPE_UNSET) {
ssl_configure_env(r, sslconn);
}
return DECLINED;
}
/* * Move SetEnvIf information from request_rec to conn_rec/BUFF * to allow the close connection handler to use them.
*/
for (i = 0; i < arr->nelts; i++) { constchar *key = elts[i].key;
switch (*key) { case's': /* being case-sensitive here. * and not checking for the -shutdown since these are the only * SetEnvIf "flags" we support
*/ if (!strncmp(key+1, "sl-", 3)) {
key += 4; if (!strncmp(key, "unclean", 7)) {
sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
} elseif (!strncmp(key, "accurate", 8)) {
sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_ACCURATE;
} return; /* should only ever be one ssl-*-shutdown */
} break;
}
}
}
if (do_verify) { if (cert == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263) "Re-negotiation handshake failed: " "Client certificate missing");
return HTTP_FORBIDDEN;
}
}
} return OK;
}
/* * Access Handler, classic flavour, for SSL/TLS up to v1.2 * where everything can be renegotiated and no one is happy.
*/ staticint ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
SSLConnRec *sslconn, SSL *ssl)
{
server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL;
SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL; BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
X509 *peercert;
X509_STORE *cert_store = NULL;
X509_STORE_CTX *cert_store_ctx;
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; const SSL_CIPHER *cipher = NULL; int depth, verify_old, verify, n, rc; constchar *ncipher_suite;
#ifdef HAVE_SRP /* * Support for per-directory reconfigured SSL connection parameters * * We do not force any renegotiation if the user is already authenticated * via SRP. *
*/ if (SSL_get_srp_username(ssl)) { return DECLINED;
} #endif
/* * Support for per-directory reconfigured SSL connection parameters. * * This is implemented by forcing an SSL renegotiation with the * reconfigured parameter suite. But Apache's internal API processing * makes our life very hard here, because when internal sub-requests occur * we nevertheless should avoid multiple unnecessary SSL handshakes (they * require extra network I/O and especially time to perform). * * But the optimization for filtering out the unnecessary handshakes isn't * obvious and trivial. Especially because while Apache is in its * sub-request processing the client could force additional handshakes, * too. And these take place perhaps without our notice. So the only * possibility is to explicitly _ask_ OpenSSL whether the renegotiation * has to be performed or not. It has to performed when some parameters * which were previously known (by us) are not those we've now * reconfigured (as known by OpenSSL) or (in optimized way) at least when * the reconfigured parameter suite is stronger (more restrictions) than * the currently active one.
*/
/* * Override of SSLCipherSuite * * We provide two options here: * * o The paranoid and default approach where we force a renegotiation when * the cipher suite changed in _any_ way (which is straight-forward but * often forces renegotiations too often and is perhaps not what the * user actually wanted). * * o The optimized and still secure way where we force a renegotiation * only if the currently active cipher is no longer contained in the * reconfigured/new cipher suite. Any other changes are not important * because it's the servers choice to select a cipher from the ones the * client supports. So as long as the current cipher is still in the new * cipher suite we're happy. Because we can assume we would have * selected it again even when other (better) ciphers exists now in the * new cipher suite. This approach is fine because the user explicitly * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no * implicit optimizations.
*/
ncipher_suite = (dc->szCipherSuite?
dc->szCipherSuite : (r->server != handshakeserver)?
sc->server->auth.cipher_suite : NULL);
if (ncipher_suite && (!sslconn->cipher_suite
|| strcmp(ncipher_suite, sslconn->cipher_suite))) { /* remember old state */
if (cipher_list_old) {
cipher_list_old = sk_SSL_CIPHER_dup(cipher_list_old);
}
}
/* configure new state */ if (r->connection->master) { /* TODO: this categorically fails changed cipher suite settings * on slave connections. We could do better by * - create a new SSL* from our SSL_CTX and set cipher suite there, * and retrieve ciphers, free afterwards * Modifying the SSL on a slave connection is no good.
*/
apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite"); return HTTP_FORBIDDEN;
}
if (!SSL_set_cipher_list(ssl, ncipher_suite)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02253) "Unable to reconfigure (per-directory) " "permitted SSL ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
if (cipher_list_old) {
sk_SSL_CIPHER_free(cipher_list_old);
}
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
cipher_list = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
/* cleanup */ if (cipher_list_old) {
sk_SSL_CIPHER_free(cipher_list_old);
}
if (renegotiate) { if (r->connection->master) { /* The request causes renegotiation on a slave connection. * This is not allowed since we might have concurrent requests * on this connection.
*/
apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite"); return HTTP_FORBIDDEN;
}
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE if (sc->cipher_server_pref == TRUE) {
SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
} #endif /* tracing */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02220) "Reconfigured cipher suite will force renegotiation");
}
}
/* * override of SSLVerifyClient * * We force a renegotiation if the reconfigured/new verify type is * stronger than the currently active verify type. * * The order is: none << optional_no_ca << optional << require * * Additionally the following optimization is possible here: When the * currently active verify type is "none" but a client certificate is * already known/present, it's enough to manually force a client * verification but at least skip the I/O-intensive renegotiation * handshake.
*/ if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
/* remember old state */
verify_old = SSL_get_verify_mode(ssl); /* configure new state */
verify = SSL_VERIFY_NONE;
/* TODO: this seems premature since we do not know if there * are any changes required.
*/
SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */ if (!renegotiate && verify != verify_old) { if (((verify_old == SSL_VERIFY_NONE) &&
(verify != SSL_VERIFY_NONE)) ||
(!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
{
renegotiate = TRUE; if (r->connection->master) { /* The request causes renegotiation on a slave connection. * This is not allowed since we might have concurrent requests * on this connection.
*/
apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify); return HTTP_FORBIDDEN;
} /* optimization */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02255) "Changed client verification type will force " "%srenegotiation",
renegotiate_quick ? "quick " : "");
} elseif (verify != SSL_VERIFY_NONE) { /* * override of SSLVerifyDepth * * The depth checks are handled by us manually inside the * verify callback function and not by OpenSSL internally * (and our function is aware of both the per-server and * per-directory contexts). So we cannot ask OpenSSL about * the currently verify depth. Instead we remember it in our * SSLConnRec attached to the SSL* of OpenSSL. We've to force * the renegotiation if the reconfigured/new verify depth is * less than the currently active/remembered verify depth * (because this means more restriction on the certificate * chain).
*/
n = (sslconn->verify_depth != UNSET)
? sslconn->verify_depth
: hssc->server->auth.verify_depth; /* determine the new depth */
sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
? dc->nVerifyDepth
: sc->server->auth.verify_depth; if (sslconn->verify_depth < n) {
renegotiate = TRUE;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254) "Reduced client verification depth will " "force renegotiation");
}
}
} /* If we're handling a request for a vhost other than the default one, * then we need to make sure that client authentication is properly * enforced. For clients supplying an SNI extension, the peer * certificate verification has happened in the handshake already * (and r->server == handshakeserver). For non-SNI requests, * an additional check is needed here. If client authentication * is configured as mandatory, then we can only proceed if the * CA list doesn't have to be changed (OpenSSL doesn't provide * an option to change the list for an existing session).
*/ if ((r->server != handshakeserver)
&& renegotiate
&& ((verify & SSL_VERIFY_PEER) ||
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
(sc1->server->auth.f && \
(!sc2->server->auth.f || \
strNE(sc1->server->auth.f, sc2->server->auth.f)))
if (MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||
MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) { if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02256) "Non-default virtual host with SSLVerify set to " "'require' and VirtualHost-specific CA certificate " "list is only available to clients with TLS server " "name indication (SNI) support");
SSL_set_verify(ssl, verify_old, NULL); return HTTP_FORBIDDEN;
} else /* let it pass, possibly with an "incorrect" peer cert, * so make sure the SSL_CLIENT_VERIFY environment variable * will indicate partial success only, later on.
*/
sslconn->verify_info = "GENEROUS";
}
}
}
/* Fill reneg buffer if required. */ if (renegotiate && !renegotiate_quick) {
rc = fill_reneg_buffer(r, dc); if (rc) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257) "could not buffer message body to allow " "SSL renegotiation to proceed"); return rc;
}
}
/* * now do the renegotiation if anything was actually reconfigured
*/ if (renegotiate) { /* * Now we force the SSL renegotiation by sending the Hello Request * message to the client. Here we have to do a workaround: Actually * OpenSSL returns immediately after sending the Hello Request (the * intent AFAIK is because the SSL/TLS protocol says it's not a must * that the client replies to a Hello Request). But because we insist * on a reply (anything else is an error for us) we have to go to the * ACCEPT state manually. Using SSL_set_accept_state() doesn't work * here because it resets too much of the connection. So we set the * state explicitly and continue the handshake manually.
*/
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02221) "Requesting connection re-negotiation");
if (renegotiate_quick) {
STACK_OF(X509) *cert_stack;
X509 *cert;
/* perform just a manual re-verification of the peer */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02258) "Performing quick renegotiation: " "just re-verifying the peer");
if (!cert_stack || (sk_X509_num(cert_stack) == 0)) { if (!cert) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222) "Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
/* client cert is in the session cache, but there is * no chain, since ssl3_get_client_certificate() * sk_X509_shift-ed the peer cert out of the chain. * we put it back here for the purpose of quick_renegotiation.
*/
cert_stack = sk_X509_new_null();
sk_X509_push(cert_stack, cert);
}
if (cert_stack != SSL_get_peer_cert_chain(ssl)) { /* we created this ourselves, so free it */
sk_X509_pop_free(cert_stack, X509_free);
}
} else { char peekbuf[1]; constchar *reneg_support;
request_rec *id = r->main ? r->main : r;
/* Additional mitigation for CVE-2009-3555: At this point, * before renegotiating, an (entire) request has been read * from the connection. An attacker may have sent further * data to "prefix" any subsequent request by the victim's * client after the renegotiation; this data may already * have been read and buffered. Forcing a connection * closure after the response ensures such data will be * discarded. Legimately pipelined HTTP requests will be
* retried anyway with this approach. */ if (has_buffered_data(r)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02259) "insecure SSL re-negotiation required, but " "a pipelined request is present; keepalive " "disabled");
r->connection->keepalive = AP_CONN_CLOSE;
}
#ifdefined(SSL_get_secure_renegotiation_support)
reneg_support = SSL_get_secure_renegotiation_support(ssl) ? "client does" : "client does not"; #else
reneg_support = "server does not"; #endif /* Perform a full renegotiation. */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02260) "Performing full renegotiation: complete handshake " "protocol (%s support secure renegotiation)",
reneg_support);
/* XXX: Should replace setting state with SSL_renegotiate(ssl); * However, this causes failures in perl-framework currently, * perhaps pre-test if we have already negotiated?
*/ /* Need to trigger renegotiation handshake by reading. * Peeking 0 bytes actually works. * See: http://marc.info/?t=145493359200002&r=1&w=2
*/
SSL_peek(ssl, peekbuf, 0);
/* * Also check that SSLCipherSuite has been enforced as expected.
*/ if (cipher_list) {
cipher = SSL_get_current_cipher(ssl); if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02264) "SSL cipher suite not renegotiated: " "access to %s denied using cipher %s",
r->filename,
SSL_CIPHER_get_name(cipher)); return HTTP_FORBIDDEN;
}
} /* remember any new cipher suite used in renegotiation */ if (ncipher_suite) {
sslconn->cipher_suite = ncipher_suite;
}
}
return DECLINED;
}
#if SSL_HAVE_PROTOCOL_TLSV1_3 /* * Access Handler, modern flavour, for SSL/TLS v1.3 and onward. * Only client certificates can be requested, everything else stays.
*/ staticint ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
SSLConnRec *sslconn, SSL *ssl)
{ if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { int vmode_inplace, vmode_needed; int change_vmode = FALSE; int n, rc;
if (vmode_needed == SSL_VERIFY_NONE) { return DECLINED;
}
vmode_needed |= SSL_VERIFY_CLIENT_ONCE; if (vmode_inplace != vmode_needed) { /* Need to change, if new setting is more restrictive than existing one */
if ((vmode_inplace == SSL_VERIFY_NONE)
|| (!(vmode_inplace & SSL_VERIFY_PEER)
&& (vmode_needed & SSL_VERIFY_PEER))
|| (!(vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
&& (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { /* need to change the effective verify mode */
change_vmode = TRUE;
} else { /* FIXME: does this work with TLSv1.3? Is this more than re-inspecting
* the certificate we should already have? */ /* * override of SSLVerifyDepth * * The depth checks are handled by us manually inside the * verify callback function and not by OpenSSL internally * (and our function is aware of both the per-server and * per-directory contexts). So we cannot ask OpenSSL about * the currently verify depth. Instead we remember it in our * SSLConnRec attached to the SSL* of OpenSSL. We've to force * the renegotiation if the reconfigured/new verify depth is * less than the currently active/remembered verify depth * (because this means more restriction on the certificate * chain).
*/
n = (sslconn->verify_depth != UNSET)?
sslconn->verify_depth : sc->server->auth.verify_depth; /* determine the new depth */
sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
? dc->nVerifyDepth
: sc->server->auth.verify_depth; if (sslconn->verify_depth < n) {
change_vmode = TRUE;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10128) "Reduced client verification depth will " "force renegotiation");
}
}
}
/* Fill reneg buffer if required. */ if (change_vmode) { char peekbuf[1];
if (r->connection->master) { /* FIXME: modifying the SSL on a slave connection is no good. * We would need to push this back to the master connection * somehow.
*/
apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client"); return HTTP_FORBIDDEN;
}
rc = fill_reneg_buffer(r, dc); if (rc) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10228) "could not buffer message body to allow " "TLS Post-Handshake Authentication to proceed"); return rc;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10129) "verify client post handshake");
/* On a slave connection, we do not expect to have an SSLConnRec, but
* our master connection might have one. */ if (!(sslconn && ssl) && r->connection->master) {
sslconn = myConnConfig(r->connection->master);
ssl = sslconn ? sslconn->ssl : NULL;
}
/* * We should have handshaken here, otherwise we are being * redirected (ErrorDocument) from a renegotiation failure below. * The access is still forbidden in the latter case, let ap_die() handle * this recursive (same) error.
*/ if (ssl && !SSL_is_init_finished(ssl)) { return HTTP_FORBIDDEN;
}
/* * Support for SSLRequireSSL directive
*/ if (dc->bSSLRequired && !ssl) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219) "access to %s failed, reason: %s",
r->filename, "SSL connection required");
/* * Check to see whether SSL is in use; if it's not, then no * further access control checks are relevant. (the test for * sc->enabled is probably strictly unnecessary)
*/ if (sc->enabled == SSL_ENABLED_FALSE || !ssl) { return DECLINED;
}
#if SSL_HAVE_PROTOCOL_TLSV1_3 /* TLSv1.3+ is less complicated here. Branch off into a new codeline
* and avoid messing with the past. */ if (SSL_version(ssl) >= TLS1_3_VERSION) {
ret = ssl_hook_Access_modern(r, sc, dc, sslconn, ssl);
} else #endif
{
ret = ssl_hook_Access_classic(r, sc, dc, sslconn, ssl);
}
if (ret != DECLINED) { return ret;
}
/* If we're trying to have the user name set from a client * certificate then we need to set it here. This should be safe as * the user name probably isn't important from an auth checking point * of view as the certificate supplied acts in that capacity. * However, if FakeAuth is being used then this isn't the case so * we need to postpone setting the username until later.
*/ if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) { char *val = ssl_var_lookup(r->pool, r->server, r->connection,
r, (char *)dc->szUserName); if (val && val[0])
r->user = val; else
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02227) "Failed to set r->user to '%s'", dc->szUserName);
}
/* * Else access is granted from our point of view (except vendor * handlers override). But we have to return DECLINED here instead * of OK, because mod_auth and other modules still might want to * deny access.
*/
return DECLINED;
}
/* * Authentication Handler: * Fake a Basic authentication from the X509 client certificate. * * This must be run fairly early on to prevent a real authentication from * occurring, in particular it must be run before anything else that * authenticates a user. This means that the Module statement for this * module should be LAST in the Configuration file.
*/ int ssl_hook_UserCheck(request_rec *r)
{
SSLConnRec *sslconn;
SSLDirConfigRec *dc = myDirConfig(r); char *clientdn; constchar *auth_line, *username, *password;
/* * Additionally forbid access (again) * when strict require option is used.
*/ if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) &&
(apr_table_get(r->notes, "ssl-access-forbidden")))
{ return HTTP_FORBIDDEN;
}
/* * We decline when we are in a subrequest. The Authorization header * would already be present if it was added in the main request.
*/ if (!ap_is_initial_req(r)) { return DECLINED;
}
/* * Make sure the user is not able to fake the client certificate * based authentication by just entering an X.509 Subject DN * ("/XX=YYY/XX=YYY/..") as the username and "password" as the * password.
*/ if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) { if (strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) { while ((*auth_line == ' ') || (*auth_line == '\t')) {
auth_line++;
}
/* * Fake a password - which one would be immaterial, as, it seems, an empty * password in the users file would match ALL incoming passwords, if only * we were using the standard crypt library routine. Unfortunately, OpenSSL * "fixes" a "bug" in crypt and thus prevents blank passwords from * working. (IMHO what they really fix is a bug in the users of the code * - failing to program correctly for shadow passwords). We need, * therefore, to provide a password. This password can be matched by * adding the string "xxj31ZMTZzkVA" as the password in the user file. * This is just the crypted variant of the word "password" ;-)
*/
auth_line = apr_pstrcat(r->pool, "Basic ",
ap_pbase64encode(r->pool,
apr_pstrcat(r->pool, clientdn, ":password", NULL)),
NULL);
apr_table_setn(r->headers_in, "Authorization", auth_line);
if (!modssl_request_is_tls(r, &sslconn)) { return DECLINED;
}
ssl = sslconn->ssl;
/* * Annotate the SSI/CGI environment with standard SSL information
*/ /* the always present HTTPS (=HTTP over SSL) flag! */
apr_table_setn(env, "HTTPS", "on");
#ifdef HAVE_TLSEXT /* add content of SNI TLS extension (if supplied with ClientHello) */ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
apr_table_set(env, "SSL_TLS_SNI", servername);
} #endif
/* standard SSL environment variables */ if (dc->nOptions & SSL_OPT_STDENVVARS) {
modssl_var_extract_dns(env, ssl, r->pool);
modssl_var_extract_san_entries(env, ssl, r->pool);
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); if (!strIsEmpty(val)) {
apr_table_setn(env, var, val);
}
}
}
/* * On-demand bloat up the SSI/CGI environment with certificate data
*/ if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
val = ssl_var_lookup(r->pool, r->server, r->connection,
r, "SSL_SERVER_CERT");
apr_table_setn(env, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection,
r, "SSL_CLIENT_CERT");
apr_table_setn(env, "SSL_CLIENT_CERT", val);
if ((peer_certs = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) { for (i = 0; i < sk_X509_num(peer_certs); i++) {
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
val = ssl_var_lookup(r->pool, r->server, r->connection,
r, var); if (val) {
apr_table_setn(env, var, val);
}
}
}
}
/* _________________________________________________________________ ** ** Authz providers for use with mod_authz_core ** _________________________________________________________________
*/
staticconstchar *ssl_authz_require_ssl_parse(cmd_parms *cmd, constchar *require_line, constvoid **parsed)
{ if (require_line && require_line[0]) return"'Require ssl' does not take arguments";
staticconstchar *ssl_authz_verify_client_parse(cmd_parms *cmd, constchar *require_line, constvoid **parsed)
{ if (require_line && require_line[0]) return"'Require ssl-verify-client' does not take arguments";
#if MODSSL_USE_OPENSSL_PRE_1_1_API /* * Hand out standard DH parameters, based on the authentication strength
*/
DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
EVP_PKEY *pkey; int type;
#ifdef SSL_CERT_SET_SERVER /* * When multiple certs/keys are configured for the SSL_CTX: make sure * that we get the private key which is indeed used for the current * SSL connection (available in OpenSSL 1.0.2 or later only)
*/
SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); #endif
pkey = SSL_get_privatekey(ssl); #if OPENSSL_VERSION_NUMBER < 0x10100000L
type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; #else
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; #endif
/* * OpenSSL will call us with either keylen == 512 or keylen == 1024 * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h). * Adjust the DH parameter length according to the size of the * RSA/DSA private key used for the current connection, and always * use at least 1024-bit parameters. * Note: This may cause interoperability issues with implementations * which limit their DH support to 1024 bit - e.g. Java 7 and earlier. * In this case, SSLCertificateFile can be used to specify fixed * 1024-bit DH parameters (with the effect that OpenSSL skips this * callback).
*/ if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
keylen = EVP_PKEY_bits(pkey);
}
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "handing out built-in DH parameters for %d-bit authenticated connection", keylen);
return modssl_get_dh_params(keylen);
} #endif
/* * This OpenSSL callback function is called when OpenSSL * does client authentication and verifies the certificate chain.
*/ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
{ /* Get Apache context back through OpenSSL context */
SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
request_rec *r = (request_rec *)modssl_get_app_data2(ssl);
server_rec *s = r ? r->server : mySrvFromConn(conn);
/* Get verify ingredients */ int errnum = X509_STORE_CTX_get_error(ctx); int errdepth = X509_STORE_CTX_get_error_depth(ctx); int depth = UNSET; int verify = SSL_CVERIFY_UNSET;
/* * Check for optionally acceptable non-verifiable issuer situation
*/ if (dc) { if (conn->outgoing) {
verify = dc->proxy->auth.verify_mode;
} else {
verify = dc->nVerifyClient;
}
} if (!dc || (verify == SSL_CVERIFY_UNSET)) {
verify = mctx->auth.verify_mode;
}
if (verify == SSL_CVERIFY_NONE) { /* * SSLProxyVerify is either not configured or set to "none". * (this callback doesn't happen in the server context if SSLVerify * is not configured or set to "none")
*/ returnTRUE;
}
if (ssl_verify_error_is_optional(errnum) &&
(verify == SSL_CVERIFY_OPTIONAL_NO_CA))
{
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn, APLOGNO(02037) "Certificate Verification: Verifiable Issuer is " "configured as optional, therefore we're accepting " "the certificate");
sslconn->verify_info = "GENEROUS";
ok = TRUE;
}
/* * Expired certificates vs. "expired" CRLs: by default, OpenSSL * turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)" * SSL alert, but that's not really the message we should convey to the * peer (at the very least, it's confusing, and in many cases, it's also * inaccurate, as the certificate itself may very well not have expired * yet). We set the X509_STORE_CTX error to something which OpenSSL's * s3_both.c:ssl_verify_alarm_type() maps to SSL_AD_CERTIFICATE_UNKNOWN, * i.e. the peer will receive a "certificate_unknown(46)" alert. * We do not touch errnum, though, so that later on we will still log * the "real" error, as returned by OpenSSL.
*/ if (!ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED) {
X509_STORE_CTX_set_error(ctx, -1);
}
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
