/* _             _
**  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
** | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
** | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
**                      |_____|
**  ssl_engine_ext.c
**  Extensions to other Apache parts
*/

/* ====================================================================
 * Copyright (c) 1998-2006 Ralf S. Engelschall. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * 4. The names "mod_ssl" must not be used to endorse or promote
 *    products derived from this software without prior written
 *    permission. For written permission, please contact
 *    rse@engelschall.com.
 *
 * 5. Products derived from this software may not be called "mod_ssl"
 *    nor may "mod_ssl" appear in their names without prior
 *    written permission of Ralf S. Engelschall.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */

                             /* ``Only those who attempt the absurd
                                  can achieve the impossible.''
                                             -- Unknown             */

#include "mod_ssl.h"


/*  _________________________________________________________________
**
**  SSL Extensions
**  _________________________________________________________________
*/

static void ssl_ext_mlc_register(void);
static void ssl_ext_mlc_unregister(void);
static void ssl_ext_mr_register(void);
static void ssl_ext_mr_unregister(void);
static void ssl_ext_mp_register(void);
static void ssl_ext_mp_unregister(void);
static void ssl_ext_ms_register(void);
static void ssl_ext_ms_unregister(void);

/*
 * One entry per Apache part we hook into (mod_log_config, mod_rewrite,
 * mod_proxy, mod_status).  Registration and unregistration both walk
 * this table front to back, so the order is identical in both directions.
 */
static const struct {
    void (*reg)(void);
    void (*unreg)(void);
} ssl_ext_parts[] = {
    { ssl_ext_mlc_register, ssl_ext_mlc_unregister },
    { ssl_ext_mr_register,  ssl_ext_mr_unregister  },
    { ssl_ext_mp_register,  ssl_ext_mp_unregister  },
    { ssl_ext_ms_register,  ssl_ext_ms_unregister  }
};

#define SSL_EXT_NPARTS (sizeof(ssl_ext_parts) / sizeof(ssl_ext_parts[0]))

/*
 * Register all mod_ssl extension hooks with the other Apache modules.
 */
void ssl_ext_register(void)
{
    size_t i;

    for (i = 0; i < SSL_EXT_NPARTS; i++)
        ssl_ext_parts[i].reg();
}

/*
 * Remove every hook ssl_ext_register() installed, in the same order.
 */
void ssl_ext_unregister(void)
{
    size_t i;

    for (i = 0; i < SSL_EXT_NPARTS; i++)
        ssl_ext_parts[i].unreg();
}


/*  _________________________________________________________________
**
**  SSL Extension to mod_log_config
**  _________________________________________________________________
*/

static char *ssl_ext_mlc_log_c(request_rec *r, char *a);
static char *ssl_ext_mlc_log_x(request_rec *r, char *a);

/*
 * register us for the mod_log_config function registering phase
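 * to establish %{...}c and to be able to expand %{...}x variables.
 */
static void ssl_ext_mlc_register(void)
{
    ap_hook_register("ap::mod_log_config::log_c", ssl_ext_mlc_log_c, AP_HOOK_NOCTX);
    ap_hook_register("ap::mod_log_config::log_x", ssl_ext_mlc_log_x, AP_HOOK_NOCTX);
}

static void ssl_ext_mlc_unregister(void)
{
    ap_hook_unregister("ap::mod_log_config::log_c", ssl_ext_mlc_log_c);
    ap_hook_unregister("ap::mod_log_config::log_x", ssl_ext_mlc_log_x);
}

/*
 * Look up the SSL variable `name' for request r and map an empty
 * string to NULL, which is what both mod_log_config and mod_rewrite
 * treat as "not available".  A NULL from ssl_var_lookup() is tolerated
 * as well, so callers never dereference an absent result.
 */
static char *ssl_ext_lookup_var(request_rec *r, char *name)
{
    char *val;

    val = ssl_var_lookup(r->pool, r->server, r->connection, r, name);
    if (val != NULL && val[0] == NUL)
        val = NULL;
    return val;
}

/*
 * implement the %{..}c log function
 * (we are the only function)
 *
 * `a' is the format argument from the LogFormat directive, i.e. it
 * originates in the server configuration, not in the request.  The
 * subjectdn/issuerdn values are taken from the peer certificate and
 * are therefore remote-supplied; they are handed back unescaped.
 * Returns NULL (logged as "-") when the connection is not SSL or the
 * value is not available.
 */
static char *ssl_ext_mlc_log_c(request_rec *r, char *a)
{
    char *result;

    /* plain HTTP connection: nothing SSL-related to report */
    if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
        return NULL;

    result = NULL;
    if (strEQ(a, "version"))
        result = ssl_ext_lookup_var(r, "SSL_PROTOCOL");
    else if (strEQ(a, "cipher"))
        result = ssl_ext_lookup_var(r, "SSL_CIPHER");
    else if (strEQ(a, "subjectdn") || strEQ(a, "clientcert"))
        result = ssl_ext_lookup_var(r, "SSL_CLIENT_S_DN");
    else if (strEQ(a, "issuerdn") || strEQ(a, "cacert"))
        result = ssl_ext_lookup_var(r, "SSL_CLIENT_I_DN");
    else if (strEQ(a, "errcode"))
        result = "-";  /* no numeric verify error is tracked; always "-" */
    else if (strEQ(a, "errstr"))
        result = ap_ctx_get(r->connection->client->ctx, "ssl::verify::error");

    /* an empty errstr counts as "not available" too */
    if (result != NULL && result[0] == NUL)
        result = NULL;
    return result;
}

/*
 * extend the implementation of the %{..}x log function
 * (there can be more functions)
 *
 * `a' is the variable name from the LogFormat directive and is passed
 * straight to ssl_var_lookup().  Returns NULL on non-SSL connections or
 * when the variable is empty/unknown, so other %{..}x providers get a
 * chance.
 */
static char *ssl_ext_mlc_log_x(request_rec *r, char *a)
{
    if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
        return NULL;
    return ssl_ext_lookup_var(r, a);
}


/*  _________________________________________________________________
**
**  SSL Extension to mod_rewrite
**  _________________________________________________________________
*/

static char *ssl_ext_mr_lookup_variable(request_rec *r, char *var);

/*
 * register us for the mod_rewrite lookup_variable() function
 */
static void ssl_ext_mr_register(void)
{
    ap_hook_register("ap::mod_rewrite::lookup_variable", ssl_ext_mr_lookup_variable, AP_HOOK_NOCTX);
}

static void ssl_ext_mr_unregister(void)
{
    ap_hook_unregister("ap::mod_rewrite::lookup_variable", ssl_ext_mr_lookup_variable);
}

/*
 * mod_rewrite variable lookup: every name is handed to ssl_var_lookup()
 * unconditionally (no check whether the connection is SSL at all, the
 * lookup itself yields "" in that case).  Empty and NULL results are
 * both reported as NULL so mod_rewrite treats the variable as unset;
 * previously a NULL result would have been dereferenced.
 */
static char *ssl_ext_mr_lookup_variable(request_rec *r, char *var)
{
    return ssl_ext_lookup_var(r, var);
}


/*  _________________________________________________________________
**
**  SSL Extension to mod_proxy
**  _________________________________________________________________
*/

static int ssl_ext_mp_canon(request_rec *, char *);
static int ssl_ext_mp_handler(request_rec *, void *, char *, char *, int, char *);
static int ssl_ext_mp_set_destport(request_rec *);
static char *ssl_ext_mp_new_connection(request_rec *, BUFF *, char *);
static void ssl_ext_mp_close_connection(void *);
static int ssl_ext_mp_write_host_header(request_rec *, BUFF *, char *, int, char *);
#ifdef SSL_EXPERIMENTAL_PROXY
static void ssl_ext_mp_init(server_rec *, pool *);
static int ssl_ext_mp_verify_cb(int, X509_STORE_CTX *);
static int ssl_ext_mp_clientcert_cb(SSL *, X509 **, EVP_PKEY **);
#endif

/*
 * register us ...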
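 * for the mod_proxy hooks (init, canon, handler, set_destport,
 * new_connection, write_host_header)
 */
static void ssl_ext_mp_register(void)
{
#ifdef SSL_EXPERIMENTAL_PROXY
    ap_hook_register("ap::mod_proxy::init", ssl_ext_mp_init, AP_HOOK_NOCTX);
#endif
    ap_hook_register("ap::mod_proxy::canon", ssl_ext_mp_canon, AP_HOOK_NOCTX);
    ap_hook_register("ap::mod_proxy::handler", ssl_ext_mp_handler, AP_HOOK_NOCTX);
    ap_hook_register("ap::mod_proxy::http::handler::set_destport", ssl_ext_mp_set_destport, AP_HOOK_NOCTX);
    ap_hook_register("ap::mod_proxy::http::handler::new_connection", ssl_ext_mp_new_connection, AP_HOOK_NOCTX);
    ap_hook_register("ap::mod_proxy::http::handler::write_host_header", ssl_ext_mp_write_host_header, AP_HOOK_NOCTX);
}

static void ssl_ext_mp_unregister(void)
{
#ifdef SSL_EXPERIMENTAL_PROXY
    ap_hook_unregister("ap::mod_proxy::init", ssl_ext_mp_init);
#endif
    ap_hook_unregister("ap::mod_proxy::canon", ssl_ext_mp_canon);
    ap_hook_unregister("ap::mod_proxy::handler", ssl_ext_mp_handler);
    ap_hook_unregister("ap::mod_proxy::http::handler::set_destport", ssl_ext_mp_set_destport);
    ap_hook_unregister("ap::mod_proxy::http::handler::new_connection", ssl_ext_mp_new_connection);
    ap_hook_unregister("ap::mod_proxy::http::handler::write_host_header", ssl_ext_mp_write_host_header);
}

/*
 * SSL proxy initialization
 */
#ifdef SSL_EXPERIMENTAL_PROXY

/*
 * Build the human readable protocol list ("SSLv2, SSLv3, TLSv1") for
 * the SSLProxyProtocol bits in nProto.  Used for the trace log only.
 * The trailing ", " is stripped; an empty list is returned unchanged
 * (the previous unguarded strlen(cp)-2 indexed before the buffer in
 * that case).
 */
static char *ssl_ext_mp_protocol_names(pool *p, int nProto)
{
    char *cp;
    size_t n;

    cp = ap_pstrcat(p,
                    (nProto & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
                    (nProto & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
                    (nProto & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
                    NULL);
    n = strlen(cp);
    if (n >= 2)
        cp[n-2] = NUL;
    return cp;
}

/*
 * Create and configure one client-side SSL_CTX per virtual server for
 * outgoing proxy connections: protocol selection, optional client
 * certificate(s), remote server verification, session cache callbacks,
 * cipher suite and CA locations.  Fatal misconfiguration ends in
 * ssl_die().  Walks s and all following servers in the list.
 */
static void ssl_ext_mp_init(server_rec *s, pool *p)
{
    SSLSrvConfigRec *sc;
    char *cpVHostID;
    int nVerify;
    SSL_CTX *ctx;
    char *cp;
    STACK_OF(X509_INFO) *sk;

    /*
     * Initialize each virtual server
     */
    ERR_clear_error();
    for (; s != NULL; s = s->next) {
        sc = mySrvConfig(s);
        cpVHostID = ssl_util_vhostid(p, s);

        /* default for SSLProxyVerify is Off: the remote server's
           certificate is then not checked at all (see nVerify below) */
        if (sc->bProxyVerify == UNSET)
            sc->bProxyVerify = FALSE;

        /*
         * Create new SSL context and configure callbacks
         */
        if (sc->nProxyProtocol == SSL_PROTOCOL_NONE) {
            ssl_log(s, SSL_LOG_ERROR,
                    "Init: (%s) No Proxy SSL protocols available [hint: SSLProxyProtocol]",
                    cpVHostID);
            ssl_die();
        }
        cp = ssl_ext_mp_protocol_names(p, sc->nProxyProtocol);
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Creating new proxy SSL context (protocols: %s)",
                cpVHostID, cp);

        /* SSLv2 and SSLv3 are long deprecated protocol versions; the
           choice here only follows the configured SSLProxyProtocol */
        if (sc->nProxyProtocol == SSL_PROTOCOL_SSLV2)
            ctx = SSL_CTX_new(SSLv2_client_method());  /* only SSLv2 is left */
        else
            ctx = SSL_CTX_new(SSLv23_client_method()); /* be more flexible */
        if (ctx == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to create SSL Proxy context", cpVHostID);
            ssl_die();
        }
        sc->pSSLProxyCtx = ctx;

        /* SSL_OP_ALL switches on every bug-compatibility workaround
           OpenSSL offers; which workarounds that includes depends on
           the OpenSSL release in use */
        SSL_CTX_set_options(ctx, SSL_OP_ALL);
        if (!(sc->nProxyProtocol & SSL_PROTOCOL_SSLV2))
            SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
        if (!(sc->nProxyProtocol & SSL_PROTOCOL_SSLV3))
            SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
        if (!(sc->nProxyProtocol & SSL_PROTOCOL_TLSV1))
            SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);

        /*
         * Optional client certificate(s) presented to the remote server
         */
        if (sc->szProxyClientCertificateFile || sc->szProxyClientCertificatePath) {
            sk = sk_X509_INFO_new_null();
            if (sc->szProxyClientCertificateFile)
                SSL_load_CrtAndKeyInfo_file(p, sk, sc->szProxyClientCertificateFile);
            if (sc->szProxyClientCertificatePath)
                SSL_load_CrtAndKeyInfo_path(p, sk, sc->szProxyClientCertificatePath);
            ssl_log(s, SSL_LOG_TRACE,
                    "Init: (%s) loaded %d client certs for SSL proxy",
                    cpVHostID, sk_X509_INFO_num(sk));
            if (sk_X509_INFO_num(sk) > 0) {
                SSL_CTX_set_client_cert_cb(ctx, ssl_ext_mp_clientcert_cb);
                sc->skProxyClientCerts = sk;
            }
            /* NOTE(review): an empty stack is not stored and not freed
               here (one-off, init-time) */
        }

        /*
         * Calculate OpenSSL verify type for verifying the remote server
         * certificate. We either verify it against our list of CA's, or don't
         * bother at all.
         */
        nVerify = SSL_VERIFY_NONE;
        if (sc->bProxyVerify)
            nVerify |= SSL_VERIFY_PEER;
        if (   nVerify & SSL_VERIFY_PEER
            && sc->szProxyCACertificateFile == NULL
            && sc->szProxyCACertificatePath == NULL) {
            ssl_log(s, SSL_LOG_ERROR,
                    "Init: (%s) SSLProxyVerify set to On but no CA certificates configured",
                    cpVHostID);
            ssl_die();
        }
        /* SSL_VERIFY_NONE is 0, so the former test `nVerify & SSL_VERIFY_NONE'
           was never true and this warning was never emitted; test for the
           absence of SSL_VERIFY_PEER instead */
        if (   !(nVerify & SSL_VERIFY_PEER)
            && (   sc->szProxyCACertificateFile != NULL
                || sc->szProxyCACertificatePath != NULL)) {
            ssl_log(s, SSL_LOG_WARN,
                    "init: (%s) CA certificates configured but ignored because SSLProxyVerify is Off",
                    cpVHostID);
        }
        /* with SSL_VERIFY_NONE the proxied connection is encrypted but the
           remote server is not authenticated */
        SSL_CTX_set_verify(ctx, nVerify, ssl_ext_mp_verify_cb);

        /*
         * Enable session caching. We can safely use the same cache
         * as used for communicating with the other clients.
         */
        SSL_CTX_sess_set_new_cb(sc->pSSLProxyCtx, ssl_callback_NewSessionCacheEntry);
        SSL_CTX_sess_set_get_cb(sc->pSSLProxyCtx, ssl_callback_GetSessionCacheEntry);
        SSL_CTX_sess_set_remove_cb(sc->pSSLProxyCtx, ssl_callback_DelSessionCacheEntry);

        /*
         * Configure SSL Cipher Suite
         */
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring permitted SSL ciphers for SSL proxy",
                cpVHostID);
        if (sc->szProxyCipherSuite != NULL) {
            if (!SSL_CTX_set_cipher_list(sc->pSSLProxyCtx, sc->szProxyCipherSuite)) {
                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                        "Init: (%s) Unable to configure permitted SSL ciphers for SSL Proxy",
                        cpVHostID);
                ssl_die();
            }
        }

        /*
         * Configure Client Authentication details
         */
        if (   sc->szProxyCACertificateFile != NULL
            || sc->szProxyCACertificatePath != NULL) {
            ssl_log(s, SSL_LOG_DEBUG,
                    "Init: (%s) Configuring client verification locations for SSL Proxy",
                    cpVHostID);
            if (!SSL_CTX_load_verify_locations(sc->pSSLProxyCtx,
                                               sc->szProxyCACertificateFile,
                                               sc->szProxyCACertificatePath)) {
                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                        "Init: (%s) Unable to configure SSL verify locations for SSL proxy",
                        cpVHostID);
                ssl_die();
            }
        }
    }
}
#endif /* SSL_EXPERIMENTAL_PROXY */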