VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-13 14:40:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1e0682040de4fe18a053451b16e8c70ceb72180f
apache-http-server/modules/ssl/mod_ssl.c
William A. Rowe Jr 1e0682040d Reaction to Jeff Trawick's observations that we are double-initializing 
dynalinked OpenSSL Engines and Configs.  Move the library teardown code
  so that it is torn down in the proper order, corresponding to when the
  library itself was initialized.  And leave a little reminder that some
  memory diagnostics would be good if OpenSSL is built for malloc debugging.

Suggested by: Geoff Thorpe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100288 13f79535-47bb-0310-9956-ffa450edef68
2003-06-17 17:44:40 +00:00

526 lines
18 KiB
C
Raw Blame History

/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
** |_____|
** mod_ssl.c
** Apache API interface structures
*/
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2003 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*/
#include "mod_ssl.h"
#include "util_md5.h"
#include <assert.h>
/*
* the table of configuration directives we provide
*/
#define SSL_CMD_ALL(name, args, desc) \
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, RSRC_CONF|OR_AUTHCFG, desc),
#define SSL_CMD_SRV(name, args, desc) \
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, RSRC_CONF, desc),
#define SSL_CMD_DIR(name, type, args, desc) \
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, OR_##type, desc),
#define AP_END_CMD { NULL }
const char ssl_valid_ssl_mutex_string[] =
"Valid SSLMutex mechanisms are: `none', `default'"
#if APR_HAS_FLOCK_SERIALIZE
", `flock:/path/to/file'"
#endif
#if APR_HAS_FCNTL_SERIALIZE
", `fcntl:/path/to/file'"
#endif
#if APR_HAS_SYSVSEM_SERIALIZE && !defined(PERCHILD_MPM)
", `sysvsem'"
#endif
#if APR_HAS_POSIXSEM_SERIALIZE
", `posixsem'"
#endif
#if APR_HAS_PROC_PTHREAD_SERIALIZE
", `pthread'"
#endif
#if APR_HAS_FLOCK_SERIALIZE || APR_HAS_FCNTL_SERIALIZE
", `file:/path/to/file'"
#endif
#if (APR_HAS_SYSVSEM_SERIALIZE && !defined(PERCHILD_MPM)) || APR_HAS_POSIXSEM_SERIALIZE
", `sem'"
#endif
" ";
static const command_rec ssl_config_cmds[] = {
/*
* Global (main-server) context configuration directives
*/
SSL_CMD_SRV(Mutex, TAKE1, ssl_valid_ssl_mutex_string)
SSL_CMD_SRV(PassPhraseDialog, TAKE1,
"SSL dialog mechanism for the pass phrase query "
"(`builtin', `|/path/to/pipe_program`, "
"or `exec:/path/to/cgi_program')")
SSL_CMD_SRV(SessionCache, TAKE1,
"SSL Session Cache storage "
"(`none', `dbm:/path/to/file')")
#ifdef HAVE_ENGINE_INIT
SSL_CMD_SRV(CryptoDevice, TAKE1,
"SSL external Crypto Device usage "
"(`builtin', `...')")
#endif
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"(`startup|connect builtin|file:/path|exec:/path [bytes]')")
/*
* Per-server context configuration directives
*/
SSL_CMD_SRV(Engine, TAKE1,
"SSL switch for the protocol engine "
"(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
SSL_CMD_SRV(CertificateFile, TAKE1,
"SSL Server Certificate file "
"(`/path/to/file' - PEM or DER encoded)")
SSL_CMD_SRV(CertificateKeyFile, TAKE1,
"SSL Server Private Key file "
"(`/path/to/file' - PEM or DER encoded)")
SSL_CMD_SRV(CertificateChainFile, TAKE1,
"SSL Server CA Certificate Chain file "
"(`/path/to/file' - PEM encoded)")
SSL_CMD_ALL(CACertificatePath, TAKE1,
"SSL CA Certificate path "
"(`/path/to/dir' - contains PEM encoded files)")
SSL_CMD_ALL(CACertificateFile, TAKE1,
"SSL CA Certificate file "
"(`/path/to/file' - PEM encoded)")
SSL_CMD_SRV(CARevocationPath, TAKE1,
"SSL CA Certificate Revocation List (CRL) path "
"(`/path/to/dir' - contains PEM encoded files)")
SSL_CMD_SRV(CARevocationFile, TAKE1,
"SSL CA Certificate Revocation List (CRL) file "
"(`/path/to/file' - PEM encoded)")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client verify type "
"(`none', `optional', `require', `optional_no_ca')")
SSL_CMD_ALL(VerifyDepth, TAKE1,
"SSL Client verify depth "
"(`N' - number of intermediate certificates)")
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime "
"(`N' - number of seconds)")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
/*
* Proxy configuration for remote SSL connections
*/
SSL_CMD_SRV(ProxyEngine, FLAG,
"SSL switch for the proxy protocol engine "
"(`on', `off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"(`XXX:...:XXX' - see manual)")
SSL_CMD_SRV(ProxyVerify, TAKE1,
"SSL Proxy: whether to verify the remote certificate "
"(`on' or `off')")
SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
"SSL Proxy: maximum certificate verification depth "
"(`N' - number of intermediate certificates)")
SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
"SSL Proxy: file containing server certificates "
"(`/path/to/file' - PEM encoded certificates)")
SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
"SSL Proxy: directory containing server certificates "
"(`/path/to/dir' - contains PEM encoded certificates)")
SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) path "
"(`/path/to/dir' - contains PEM encoded files)")
SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) file "
"(`/path/to/file' - PEM encoded)")
SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
"SSL Proxy: file containing client certificates "
"(`/path/to/file' - PEM encoded certificates)")
SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
"SSL Proxy: directory containing client certificates "
"(`/path/to/dir' - contains PEM encoded certificates)")
/*
* Per-directory context configuration directives
*/
SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
"Set one or more options to configure the SSL engine"
"(`[+-]option[=value] ...' - see manual)")
SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
"Require the SSL protocol for the per-directory context "
"(no arguments)")
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
"SSLLog directive is no longer supported - use ErrorLog."),
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
AP_END_CMD
};
/*
* the various processing hooks
*/
static apr_status_t ssl_cleanup_pre_config(void *data)
{
/*
* Try to kill the internals of the SSL library.
*/
#ifdef OPENSSL_VERSION_NUMBER
#if OPENSSL_VERSION_NUMBER >= 0x00907001
/* Corresponds to OPENSSL_load_builtin_modules():
* XXX: borrowed from apps.h, but why not CONF_modules_free()
* which also invokes CONF_modules_finish()?
*/
CONF_modules_unload(1);
#endif
#endif
/* Corresponds to SSL_library_init: */
EVP_cleanup();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
ERR_free_strings();
/*
* TODO: determine somewhere we can safely shove out diagnostics
* (when enabled) at this late stage in the game:
* CRYPTO_mem_leaks_fp(stderr);
*/
}
static int ssl_hook_pre_config(apr_pool_t *pconf,
apr_pool_t *plog,
apr_pool_t *ptemp)
{
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
CRYPTO_malloc_init();
ERR_load_crypto_strings();
SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif
#ifdef OPENSSL_VERSION_NUMBER
#if OPENSSL_VERSION_NUMBER >= 0x00907001
OPENSSL_load_builtin_modules();
#endif
#endif
SSL_load_error_strings();
/*
* Let us cleanup the ssl library when the module is unloaded
*/
apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
apr_pool_cleanup_null);
/* Register us to handle mod_log_config %c/%x variables */
ssl_var_log_config_register(pconf);
#if 0 /* XXX */
/* XXX: Register us to handle mod_status extensions that don't exist yet */
ssl_scache_status_register(pconf);
#endif /* -0- */
return OK;
}
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
return sslconn;
}
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
myConnConfigSet(c, sslconn);
return sslconn;
}
int ssl_proxy_enable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLConnRec *sslconn = ssl_init_connection_ctx(c);
if (!sc->proxy_enabled) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"SSL Proxy requested for %s but not enabled "
"[Hint: SSLProxyEngine]", sc->vhost_id);
return 0;
}
sslconn->is_proxy = 1;
sslconn->disabled = 0;
return 1;
}
int ssl_engine_disable(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLConnRec *sslconn;
if (!sc->enabled) {
return 0;
}
sslconn = ssl_init_connection_ctx(c);
sslconn->disabled = 1;
return 1;
}
int ssl_init_ssl_connection(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSL *ssl;
SSLConnRec *sslconn = myConnConfig(c);
char *vhost_md5;
modssl_ctx_t *mctx;
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"Unable to create a new SSL connection from the SSL "
"context");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
return DECLINED; /* XXX */
}
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
sc->vhost_id_len);
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
MD5_DIGESTSIZE*2))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
"Unable to set session id context to `%s'", vhost_md5);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
SSL_set_app_data2(ssl, NULL); /* will be request_rec */
sslconn->ssl = ssl;
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
SSL_set_verify_result(ssl, X509_V_OK);
ssl_io_filter_init(c, ssl);
return APR_SUCCESS;
}
static const char *ssl_hook_http_method(const request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->enabled == FALSE) {
return NULL;
}
return "https";
}
static apr_port_t ssl_hook_default_port(const request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->enabled == FALSE) {
return 0;
}
return 443;
}
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLConnRec *sslconn = myConnConfig(c);
/*
* Immediately stop processing if SSL is disabled for this connection
*/
if (!(sc && (sc->enabled == TRUE ||
(sslconn && sslconn->is_proxy))))
{
return DECLINED;
}
/*
* Create SSL context
*/
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
if (sslconn->disabled) {
return DECLINED;
}
/*
* Remember the connection information for
* later access inside callback functions
*/
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
c->remote_ip ? c->remote_ip : "unknown");
return ssl_init_ssl_connection(c);
}
static void ssl_hook_Insert_Filter(request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->enabled == UNSET) {
ap_add_output_filter("UPGRADE_FILTER", NULL, r, r->connection);
}
}
/*
* the module registration phase
*/
static void ssl_register_hooks(apr_pool_t *p)
{
ssl_io_filter_register(p);
ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST);
ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE);
/* ap_hook_handler (ssl_hook_Upgrade, NULL,NULL, APR_HOOK_MIDDLE); */
ssl_var_register();
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
module AP_MODULE_DECLARE_DATA ssl_module = {
STANDARD20_MODULE_STUFF,
ssl_config_perdir_create, /* create per-dir config structures */
ssl_config_perdir_merge, /* merge per-dir config structures */
ssl_config_server_create, /* create per-server config structures */
ssl_config_server_merge, /* merge per-server config structures */
ssl_config_cmds, /* table of configuration directives */
ssl_register_hooks /* register hooks */
};
Reference in New Issue View Git Blame Copy Permalink