📄 ssl_engine_kernel.c
字号:
ssl_requires = (ssl_require_t *)requires->elts; for (i = 0; i < requires->nelts; i++) { ssl_require_t *req = &ssl_requires[i]; ok = ssl_expr_exec(r, req->mpExpr); if (ok < 0) { cp = apr_psprintf(r->pool, "Failed to execute " "SSL requirement expression: %s", ssl_expr_get_error()); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: %s", r->filename, cp); /* remember forbidden access for strict require option */ apr_table_setn(r->notes, "ssl-access-forbidden", "1"); return HTTP_FORBIDDEN; } if (ok != 1) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Access to %s denied for %s " "(requirement expression not fulfilled)", r->filename, r->connection->remote_ip); ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Failed expression: %s", req->cpExpr); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: %s", r->filename, "SSL requirement expression not fulfilled " "(see SSL logfile for more details)"); /* remember forbidden access for strict require option */ apr_table_setn(r->notes, "ssl-access-forbidden", "1"); return HTTP_FORBIDDEN; } } /* * Else access is granted from our point of view (except vendor * handlers override). But we have to return DECLINED here instead * of OK, because mod_auth and other modules still might want to * deny access. */ return DECLINED;}/* * Authentication Handler: * Fake a Basic authentication from the X509 client certificate. * * This must be run fairly early on to prevent a real authentication from * occuring, in particular it must be run before anything else that * authenticates a user. This means that the Module statement for this * module should be LAST in the Configuration file. */int ssl_hook_UserCheck(request_rec *r){ SSLConnRec *sslconn = myConnConfig(r->connection); SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); char *clientdn; const char *auth_line, *username, *password; /* * Additionally forbid access (again) * when strict require option is used. */ if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) && (apr_table_get(r->notes, "ssl-access-forbidden"))) { return HTTP_FORBIDDEN; } /* * We decline when we are in a subrequest. The Authorization header * would already be present if it was added in the main request. */ if (!ap_is_initial_req(r)) { return DECLINED; } /* * Make sure the user is not able to fake the client certificate * based authentication by just entering an X.509 Subject DN * ("/XX=YYY/XX=YYY/..") as the username and "password" as the * password. */ if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) { if (strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) { while ((*auth_line == ' ') || (*auth_line == '\t')) { auth_line++; } auth_line = ap_pbase64decode(r->pool, auth_line); username = ap_getword_nulls(r->pool, &auth_line, ':'); password = auth_line; if ((username[0] == '/') && strEQ(password, "password")) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Encountered FakeBasicAuth spoof: %s", username); return HTTP_FORBIDDEN; } } } /* * We decline operation in various situations... * - SSLOptions +FakeBasicAuth not configured * - r->user already authenticated * - ssl not enabled * - client did not present a certificate */ if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) && sslconn && sslconn->ssl && sslconn->client_cert) || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user) { return DECLINED; } if (!sslconn->client_dn) { X509_NAME *name = X509_get_subject_name(sslconn->client_cert); char *cp = X509_NAME_oneline(name, NULL, 0); sslconn->client_dn = apr_pstrdup(r->connection->pool, cp); modssl_free(cp); } clientdn = (char *)sslconn->client_dn; /* * Fake a password - which one would be immaterial, as, it seems, an empty * password in the users file would match ALL incoming passwords, if only * we were using the standard crypt library routine. Unfortunately, OpenSSL * "fixes" a "bug" in crypt and thus prevents blank passwords from * working. (IMHO what they really fix is a bug in the users of the code * - failing to program correctly for shadow passwords). We need, * therefore, to provide a password. This password can be matched by * adding the string "xxj31ZMTZzkVA" as the password in the user file. * This is just the crypted variant of the word "password" ;-) */ auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, apr_pstrcat(r->pool, clientdn, ":password", NULL)), NULL); apr_table_set(r->headers_in, "Authorization", auth_line); ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "Faking HTTP Basic Auth header: \"Authorization: %s\"", auth_line); return DECLINED;}/* authorization phase */int ssl_hook_Auth(request_rec *r){ SSLDirConfigRec *dc = myDirConfig(r); /* * Additionally forbid access (again) * when strict require option is used. */ if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) && (apr_table_get(r->notes, "ssl-access-forbidden"))) { return HTTP_FORBIDDEN; } return DECLINED;}/* * Fixup Handler */static const char *ssl_hook_Fixup_vars[] = { "SSL_VERSION_INTERFACE", "SSL_VERSION_LIBRARY", "SSL_PROTOCOL", "SSL_COMPRESS_METHOD", "SSL_CIPHER", "SSL_CIPHER_EXPORT", "SSL_CIPHER_USEKEYSIZE", "SSL_CIPHER_ALGKEYSIZE", "SSL_CLIENT_VERIFY", "SSL_CLIENT_M_VERSION", "SSL_CLIENT_M_SERIAL", "SSL_CLIENT_V_START", "SSL_CLIENT_V_END", "SSL_CLIENT_V_REMAIN", "SSL_CLIENT_S_DN", "SSL_CLIENT_S_DN_C", "SSL_CLIENT_S_DN_ST", "SSL_CLIENT_S_DN_L", "SSL_CLIENT_S_DN_O", "SSL_CLIENT_S_DN_OU", "SSL_CLIENT_S_DN_CN", "SSL_CLIENT_S_DN_T", "SSL_CLIENT_S_DN_I", "SSL_CLIENT_S_DN_G", "SSL_CLIENT_S_DN_S", "SSL_CLIENT_S_DN_D", "SSL_CLIENT_S_DN_UID", "SSL_CLIENT_S_DN_Email", "SSL_CLIENT_I_DN", "SSL_CLIENT_I_DN_C", "SSL_CLIENT_I_DN_ST", "SSL_CLIENT_I_DN_L", "SSL_CLIENT_I_DN_O", "SSL_CLIENT_I_DN_OU", "SSL_CLIENT_I_DN_CN", "SSL_CLIENT_I_DN_T", "SSL_CLIENT_I_DN_I", "SSL_CLIENT_I_DN_G", "SSL_CLIENT_I_DN_S", "SSL_CLIENT_I_DN_D", "SSL_CLIENT_I_DN_UID", "SSL_CLIENT_I_DN_Email", "SSL_CLIENT_A_KEY", "SSL_CLIENT_A_SIG", "SSL_SERVER_M_VERSION", "SSL_SERVER_M_SERIAL", "SSL_SERVER_V_START", "SSL_SERVER_V_END", "SSL_SERVER_S_DN", "SSL_SERVER_S_DN_C", "SSL_SERVER_S_DN_ST", "SSL_SERVER_S_DN_L", "SSL_SERVER_S_DN_O", "SSL_SERVER_S_DN_OU", "SSL_SERVER_S_DN_CN", "SSL_SERVER_S_DN_T", "SSL_SERVER_S_DN_I", "SSL_SERVER_S_DN_G", "SSL_SERVER_S_DN_S", "SSL_SERVER_S_DN_D", "SSL_SERVER_S_DN_UID", "SSL_SERVER_S_DN_Email", "SSL_SERVER_I_DN", "SSL_SERVER_I_DN_C", "SSL_SERVER_I_DN_ST", "SSL_SERVER_I_DN_L", "SSL_SERVER_I_DN_O", "SSL_SERVER_I_DN_OU", "SSL_SERVER_I_DN_CN", "SSL_SERVER_I_DN_T", "SSL_SERVER_I_DN_I", "SSL_SERVER_I_DN_G", "SSL_SERVER_I_DN_S", "SSL_SERVER_I_DN_D", "SSL_SERVER_I_DN_UID", "SSL_SERVER_I_DN_Email", "SSL_SERVER_A_KEY", "SSL_SERVER_A_SIG", "SSL_SESSION_ID", NULL};int ssl_hook_Fixup(request_rec *r){ SSLConnRec *sslconn = myConnConfig(r->connection); SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); apr_table_t *env = r->subprocess_env; char *var, *val = ""; STACK_OF(X509) *peer_certs; SSL *ssl; int i; if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)) { apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); } /* * Check to see if SSL is on */ if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) { return DECLINED; } /* * Annotate the SSI/CGI environment with standard SSL information */ /* the always present HTTPS (=HTTP over SSL) flag! */ apr_table_setn(env, "HTTPS", "on"); /* standard SSL environment variables */ if (dc->nOptions & SSL_OPT_STDENVVARS) { for (i = 0; ssl_hook_Fixup_vars[i]; i++) { var = (char *)ssl_hook_Fixup_vars[i]; val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); if (!strIsEmpty(val)) { apr_table_setn(env, var, val); } } } /* * On-demand bloat up the SSI/CGI environment with certificate data */ if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) { val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT"); apr_table_setn(env, "SSL_SERVER_CERT", val); val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT"); apr_table_setn(env, "SSL_CLIENT_CERT", val); if ((peer_certs = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) { for (i = 0; i < sk_X509_num(peer_certs); i++) { var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i); val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); if (val) { apr_table_setn(env, var, val); } } } } return DECLINED;}/* _________________________________________________________________**** OpenSSL Callback Functions** _________________________________________________________________*//* * Handle out temporary RSA private keys on demand * * The background of this as the TLSv1 standard explains it: * * | D.1. Temporary RSA keys * | * | US Export restrictions limit RSA keys used for encryption to 512 * | bits, but do not place any limit on lengths of RSA keys used for * | signing operations. Certificates often need to be larger than 512 * | bits, since 512-bit RSA keys are not secure enough for high-value * | transactions or for applications requiring long-term security. Some * | certificates are also designated signing-only, in which case they * | cannot be used for key exchange. * | * | When the public key in the certificate cannot be used for encryption, * | the server signs a temporary RSA key, which is then exchanged. In * | exportable applications, the temporary RSA key should be the maximum * | allowable length (i.e., 512 bits). Because 512-bit RSA keys are * | relatively insecure, they should be changed often. For typical * | electronic commerce applications, it is suggested that keys be * | changed daily or every 500 transactions, and more often if possible. * | Note that while it is acceptable to use the same temporary key for⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -