Apache HTTPD
h2_protocol.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <assert.h>
18
19#include <apr_strings.h>
20#include <apr_optional.h>
21#include <apr_optional_hooks.h>
22
23#include <httpd.h>
24#include <http_core.h>
25#include <http_config.h>
26#include <http_connection.h>
27#include <http_protocol.h>
28#include <http_request.h>
29#include <http_ssl.h>
30#include <http_log.h>
31
32#include "mod_http2.h"
33#include "h2_private.h"
34
35#include "h2_bucket_beam.h"
36#include "h2_stream.h"
37#include "h2_c2.h"
38#include "h2_config.h"
39#include "h2_conn_ctx.h"
40#include "h2_c1.h"
41#include "h2_request.h"
42#include "h2_headers.h"
43#include "h2_session.h"
44#include "h2_util.h"
45#include "h2_protocol.h"
46#include "mod_http2.h"
47
48const char *h2_protocol_ids_tls[] = {
49 "h2", NULL
50};
51
52const char *h2_protocol_ids_clear[] = {
53 "h2c", NULL
54};
55
56const char *H2_MAGIC_TOKEN = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
57
58/*******************************************************************************
59 * HTTP/2 error stuff
60 */
61static const char *h2_err_descr[] = {
62 "no error", /* 0x0 */
63 "protocol error",
64 "internal error",
65 "flow control error",
66 "settings timeout",
67 "stream closed", /* 0x5 */
68 "frame size error",
69 "refused stream",
70 "cancel",
71 "compression error",
72 "connect error", /* 0xa */
73 "enhance your calm",
74 "inadequate security",
75 "http/1.1 required",
76};
77
78const char *h2_protocol_err_description(unsigned int h2_error)
79{
80 if (h2_error < (sizeof(h2_err_descr)/sizeof(h2_err_descr[0]))) {
81 return h2_err_descr[h2_error];
82 }
83 return "unknown http/2 error code";
84}
85
86/*******************************************************************************
87 * Check connection security requirements of RFC 7540
88 */
89
90/*
91 * Black Listed Ciphers from RFC 7549 Appendix A
92 *
93 */
94static const char *RFC7540_names[] = {
95 /* ciphers with NULL encrpytion */
96 "NULL-MD5", /* TLS_NULL_WITH_NULL_NULL */
97 /* same */ /* TLS_RSA_WITH_NULL_MD5 */
98 "NULL-SHA", /* TLS_RSA_WITH_NULL_SHA */
99 "NULL-SHA256", /* TLS_RSA_WITH_NULL_SHA256 */
100 "PSK-NULL-SHA", /* TLS_PSK_WITH_NULL_SHA */
101 "DHE-PSK-NULL-SHA", /* TLS_DHE_PSK_WITH_NULL_SHA */
102 "RSA-PSK-NULL-SHA", /* TLS_RSA_PSK_WITH_NULL_SHA */
103 "PSK-NULL-SHA256", /* TLS_PSK_WITH_NULL_SHA256 */
104 "PSK-NULL-SHA384", /* TLS_PSK_WITH_NULL_SHA384 */
105 "DHE-PSK-NULL-SHA256", /* TLS_DHE_PSK_WITH_NULL_SHA256 */
106 "DHE-PSK-NULL-SHA384", /* TLS_DHE_PSK_WITH_NULL_SHA384 */
107 "RSA-PSK-NULL-SHA256", /* TLS_RSA_PSK_WITH_NULL_SHA256 */
108 "RSA-PSK-NULL-SHA384", /* TLS_RSA_PSK_WITH_NULL_SHA384 */
109 "ECDH-ECDSA-NULL-SHA", /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
110 "ECDHE-ECDSA-NULL-SHA", /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
111 "ECDH-RSA-NULL-SHA", /* TLS_ECDH_RSA_WITH_NULL_SHA */
112 "ECDHE-RSA-NULL-SHA", /* TLS_ECDHE_RSA_WITH_NULL_SHA */
113 "AECDH-NULL-SHA", /* TLS_ECDH_anon_WITH_NULL_SHA */
114 "ECDHE-PSK-NULL-SHA", /* TLS_ECDHE_PSK_WITH_NULL_SHA */
115 "ECDHE-PSK-NULL-SHA256", /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
116 "ECDHE-PSK-NULL-SHA384", /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
117
118 /* DES/3DES ciphers */
119 "PSK-3DES-EDE-CBC-SHA", /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
120 "DHE-PSK-3DES-EDE-CBC-SHA", /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
121 "RSA-PSK-3DES-EDE-CBC-SHA", /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
122 "ECDH-ECDSA-DES-CBC3-SHA", /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
123 "ECDHE-ECDSA-DES-CBC3-SHA", /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
124 "ECDH-RSA-DES-CBC3-SHA", /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
125 "ECDHE-RSA-DES-CBC3-SHA", /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
126 "AECDH-DES-CBC3-SHA", /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
127 "SRP-3DES-EDE-CBC-SHA", /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
128 "SRP-RSA-3DES-EDE-CBC-SHA", /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
129 "SRP-DSS-3DES-EDE-CBC-SHA", /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
130 "ECDHE-PSK-3DES-EDE-CBC-SHA", /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
131 "DES-CBC-SHA", /* TLS_RSA_WITH_DES_CBC_SHA */
132 "DES-CBC3-SHA", /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
133 "DHE-DSS-DES-CBC3-SHA", /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
134 "DHE-RSA-DES-CBC-SHA", /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
135 "DHE-RSA-DES-CBC3-SHA", /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
136 "ADH-DES-CBC-SHA", /* TLS_DH_anon_WITH_DES_CBC_SHA */
137 "ADH-DES-CBC3-SHA", /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
138 "EXP-DH-DSS-DES-CBC-SHA", /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
139 "DH-DSS-DES-CBC-SHA", /* TLS_DH_DSS_WITH_DES_CBC_SHA */
140 "DH-DSS-DES-CBC3-SHA", /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
141 "EXP-DH-RSA-DES-CBC-SHA", /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
142 "DH-RSA-DES-CBC-SHA", /* TLS_DH_RSA_WITH_DES_CBC_SHA */
143 "DH-RSA-DES-CBC3-SHA", /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
144
145 /* blacklisted EXPORT ciphers */
146 "EXP-RC4-MD5", /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
147 "EXP-RC2-CBC-MD5", /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
148 "EXP-DES-CBC-SHA", /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
149 "EXP-DHE-DSS-DES-CBC-SHA", /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
150 "EXP-DHE-RSA-DES-CBC-SHA", /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
151 "EXP-ADH-DES-CBC-SHA", /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
152 "EXP-ADH-RC4-MD5", /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
153
154 /* blacklisted RC4 encryption */
155 "RC4-MD5", /* TLS_RSA_WITH_RC4_128_MD5 */
156 "RC4-SHA", /* TLS_RSA_WITH_RC4_128_SHA */
157 "ADH-RC4-MD5", /* TLS_DH_anon_WITH_RC4_128_MD5 */
158 "KRB5-RC4-SHA", /* TLS_KRB5_WITH_RC4_128_SHA */
159 "KRB5-RC4-MD5", /* TLS_KRB5_WITH_RC4_128_MD5 */
160 "EXP-KRB5-RC4-SHA", /* TLS_KRB5_EXPORT_WITH_RC4_40_SHA */
161 "EXP-KRB5-RC4-MD5", /* TLS_KRB5_EXPORT_WITH_RC4_40_MD5 */
162 "PSK-RC4-SHA", /* TLS_PSK_WITH_RC4_128_SHA */
163 "DHE-PSK-RC4-SHA", /* TLS_DHE_PSK_WITH_RC4_128_SHA */
164 "RSA-PSK-RC4-SHA", /* TLS_RSA_PSK_WITH_RC4_128_SHA */
165 "ECDH-ECDSA-RC4-SHA", /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
166 "ECDHE-ECDSA-RC4-SHA", /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
167 "ECDH-RSA-RC4-SHA", /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
168 "ECDHE-RSA-RC4-SHA", /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
169 "AECDH-RC4-SHA", /* TLS_ECDH_anon_WITH_RC4_128_SHA */
170 "ECDHE-PSK-RC4-SHA", /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
171
172 /* blacklisted AES128 encrpytion ciphers */
173 "AES128-SHA256", /* TLS_RSA_WITH_AES_128_CBC_SHA */
174 "DH-DSS-AES128-SHA", /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
175 "DH-RSA-AES128-SHA", /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
176 "DHE-DSS-AES128-SHA", /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
177 "DHE-RSA-AES128-SHA", /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
178 "ADH-AES128-SHA", /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
179 "AES128-SHA256", /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
180 "DH-DSS-AES128-SHA256", /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
181 "DH-RSA-AES128-SHA256", /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
182 "DHE-DSS-AES128-SHA256", /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
183 "DHE-RSA-AES128-SHA256", /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
184 "ECDH-ECDSA-AES128-SHA", /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
185 "ECDHE-ECDSA-AES128-SHA", /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
186 "ECDH-RSA-AES128-SHA", /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
187 "ECDHE-RSA-AES128-SHA", /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
188 "AECDH-AES128-SHA", /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
189 "ECDHE-ECDSA-AES128-SHA256", /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
190 "ECDH-ECDSA-AES128-SHA256", /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
191 "ECDHE-RSA-AES128-SHA256", /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
192 "ECDH-RSA-AES128-SHA256", /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
193 "ADH-AES128-SHA256", /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
194 "PSK-AES128-CBC-SHA", /* TLS_PSK_WITH_AES_128_CBC_SHA */
195 "DHE-PSK-AES128-CBC-SHA", /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
196 "RSA-PSK-AES128-CBC-SHA", /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
197 "PSK-AES128-CBC-SHA256", /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
198 "DHE-PSK-AES128-CBC-SHA256", /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
199 "RSA-PSK-AES128-CBC-SHA256", /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
200 "ECDHE-PSK-AES128-CBC-SHA", /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
201 "ECDHE-PSK-AES128-CBC-SHA256", /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
202 "AES128-CCM", /* TLS_RSA_WITH_AES_128_CCM */
203 "AES128-CCM8", /* TLS_RSA_WITH_AES_128_CCM_8 */
204 "PSK-AES128-CCM", /* TLS_PSK_WITH_AES_128_CCM */
205 "PSK-AES128-CCM8", /* TLS_PSK_WITH_AES_128_CCM_8 */
206 "AES128-GCM-SHA256", /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
207 "DH-RSA-AES128-GCM-SHA256", /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
208 "DH-DSS-AES128-GCM-SHA256", /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
209 "ADH-AES128-GCM-SHA256", /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
210 "PSK-AES128-GCM-SHA256", /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
211 "RSA-PSK-AES128-GCM-SHA256", /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
212 "ECDH-ECDSA-AES128-GCM-SHA256", /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
213 "ECDH-RSA-AES128-GCM-SHA256", /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
214 "SRP-AES-128-CBC-SHA", /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
215 "SRP-RSA-AES-128-CBC-SHA", /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
216 "SRP-DSS-AES-128-CBC-SHA", /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
217
218 /* blacklisted AES256 encrpytion ciphers */
219 "AES256-SHA", /* TLS_RSA_WITH_AES_256_CBC_SHA */
220 "DH-DSS-AES256-SHA", /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
221 "DH-RSA-AES256-SHA", /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
222 "DHE-DSS-AES256-SHA", /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
223 "DHE-RSA-AES256-SHA", /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
224 "ADH-AES256-SHA", /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
225 "AES256-SHA256", /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
226 "DH-DSS-AES256-SHA256", /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
227 "DH-RSA-AES256-SHA256", /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
228 "DHE-DSS-AES256-SHA256", /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
229 "DHE-RSA-AES256-SHA256", /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
230 "ADH-AES256-SHA256", /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
231 "ECDH-ECDSA-AES256-SHA", /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
232 "ECDHE-ECDSA-AES256-SHA", /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
233 "ECDH-RSA-AES256-SHA", /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
234 "ECDHE-RSA-AES256-SHA", /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
235 "AECDH-AES256-SHA", /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
236 "ECDHE-ECDSA-AES256-SHA384", /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
237 "ECDH-ECDSA-AES256-SHA384", /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
238 "ECDHE-RSA-AES256-SHA384", /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
239 "ECDH-RSA-AES256-SHA384", /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
240 "PSK-AES256-CBC-SHA", /* TLS_PSK_WITH_AES_256_CBC_SHA */
241 "DHE-PSK-AES256-CBC-SHA", /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
242 "RSA-PSK-AES256-CBC-SHA", /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
243 "PSK-AES256-CBC-SHA384", /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
244 "DHE-PSK-AES256-CBC-SHA384", /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
245 "RSA-PSK-AES256-CBC-SHA384", /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
246 "ECDHE-PSK-AES256-CBC-SHA", /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
247 "ECDHE-PSK-AES256-CBC-SHA384", /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
248 "SRP-AES-256-CBC-SHA", /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
249 "SRP-RSA-AES-256-CBC-SHA", /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
250 "SRP-DSS-AES-256-CBC-SHA", /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
251 "AES256-CCM", /* TLS_RSA_WITH_AES_256_CCM */
252 "AES256-CCM8", /* TLS_RSA_WITH_AES_256_CCM_8 */
253 "PSK-AES256-CCM", /* TLS_PSK_WITH_AES_256_CCM */
254 "PSK-AES256-CCM8", /* TLS_PSK_WITH_AES_256_CCM_8 */
255 "AES256-GCM-SHA384", /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
256 "DH-RSA-AES256-GCM-SHA384", /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
257 "DH-DSS-AES256-GCM-SHA384", /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
258 "ADH-AES256-GCM-SHA384", /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
259 "PSK-AES256-GCM-SHA384", /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
260 "RSA-PSK-AES256-GCM-SHA384", /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
261 "ECDH-ECDSA-AES256-GCM-SHA384", /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
262 "ECDH-RSA-AES256-GCM-SHA384", /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
263
264 /* blacklisted CAMELLIA128 encrpytion ciphers */
265 "CAMELLIA128-SHA", /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
266 "DH-DSS-CAMELLIA128-SHA", /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
267 "DH-RSA-CAMELLIA128-SHA", /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
268 "DHE-DSS-CAMELLIA128-SHA", /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
269 "DHE-RSA-CAMELLIA128-SHA", /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
270 "ADH-CAMELLIA128-SHA", /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
271 "ECDHE-ECDSA-CAMELLIA128-SHA256", /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
272 "ECDH-ECDSA-CAMELLIA128-SHA256", /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
273 "ECDHE-RSA-CAMELLIA128-SHA256", /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
274 "ECDH-RSA-CAMELLIA128-SHA256", /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
275 "PSK-CAMELLIA128-SHA256", /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
276 "DHE-PSK-CAMELLIA128-SHA256", /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
277 "RSA-PSK-CAMELLIA128-SHA256", /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
278 "ECDHE-PSK-CAMELLIA128-SHA256", /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
279 "CAMELLIA128-GCM-SHA256", /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
280 "DH-RSA-CAMELLIA128-GCM-SHA256", /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
281 "DH-DSS-CAMELLIA128-GCM-SHA256", /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
282 "ADH-CAMELLIA128-GCM-SHA256", /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
283 "ECDH-ECDSA-CAMELLIA128-GCM-SHA256",/* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
284 "ECDH-RSA-CAMELLIA128-GCM-SHA256", /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
285 "PSK-CAMELLIA128-GCM-SHA256", /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
286 "RSA-PSK-CAMELLIA128-GCM-SHA256", /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
287 "CAMELLIA128-SHA256", /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
288 "DH-DSS-CAMELLIA128-SHA256", /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
289 "DH-RSA-CAMELLIA128-SHA256", /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
290 "DHE-DSS-CAMELLIA128-SHA256", /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
291 "DHE-RSA-CAMELLIA128-SHA256", /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
292 "ADH-CAMELLIA128-SHA256", /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
293
294 /* blacklisted CAMELLIA256 encrpytion ciphers */
295 "CAMELLIA256-SHA", /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
296 "DH-RSA-CAMELLIA256-SHA", /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
297 "DH-DSS-CAMELLIA256-SHA", /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
298 "DHE-DSS-CAMELLIA256-SHA", /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
299 "DHE-RSA-CAMELLIA256-SHA", /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
300 "ADH-CAMELLIA256-SHA", /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
301 "ECDHE-ECDSA-CAMELLIA256-SHA384", /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
302 "ECDH-ECDSA-CAMELLIA256-SHA384", /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
303 "ECDHE-RSA-CAMELLIA256-SHA384", /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
304 "ECDH-RSA-CAMELLIA256-SHA384", /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
305 "PSK-CAMELLIA256-SHA384", /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
306 "DHE-PSK-CAMELLIA256-SHA384", /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
307 "RSA-PSK-CAMELLIA256-SHA384", /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
308 "ECDHE-PSK-CAMELLIA256-SHA384", /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
309 "CAMELLIA256-SHA256", /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
310 "DH-DSS-CAMELLIA256-SHA256", /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
311 "DH-RSA-CAMELLIA256-SHA256", /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
312 "DHE-DSS-CAMELLIA256-SHA256", /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
313 "DHE-RSA-CAMELLIA256-SHA256", /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
314 "ADH-CAMELLIA256-SHA256", /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
315 "CAMELLIA256-GCM-SHA384", /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
316 "DH-RSA-CAMELLIA256-GCM-SHA384", /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
317 "DH-DSS-CAMELLIA256-GCM-SHA384", /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
318 "ADH-CAMELLIA256-GCM-SHA384", /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
319 "ECDH-ECDSA-CAMELLIA256-GCM-SHA384",/* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
320 "ECDH-RSA-CAMELLIA256-GCM-SHA384", /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
321 "PSK-CAMELLIA256-GCM-SHA384", /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
322 "RSA-PSK-CAMELLIA256-GCM-SHA384", /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
323
324 /* The blacklisted ARIA encrpytion ciphers */
325 "ARIA128-SHA256", /* TLS_RSA_WITH_ARIA_128_CBC_SHA256 */
326 "ARIA256-SHA384", /* TLS_RSA_WITH_ARIA_256_CBC_SHA384 */
327 "DH-DSS-ARIA128-SHA256", /* TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 */
328 "DH-DSS-ARIA256-SHA384", /* TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 */
329 "DH-RSA-ARIA128-SHA256", /* TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 */
330 "DH-RSA-ARIA256-SHA384", /* TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 */
331 "DHE-DSS-ARIA128-SHA256", /* TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 */
332 "DHE-DSS-ARIA256-SHA384", /* TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 */
333 "DHE-RSA-ARIA128-SHA256", /* TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 */
334 "DHE-RSA-ARIA256-SHA384", /* TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 */
335 "ADH-ARIA128-SHA256", /* TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 */
336 "ADH-ARIA256-SHA384", /* TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 */
337 "ECDHE-ECDSA-ARIA128-SHA256", /* TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 */
338 "ECDHE-ECDSA-ARIA256-SHA384", /* TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 */
339 "ECDH-ECDSA-ARIA128-SHA256", /* TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 */
340 "ECDH-ECDSA-ARIA256-SHA384", /* TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 */
341 "ECDHE-RSA-ARIA128-SHA256", /* TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 */
342 "ECDHE-RSA-ARIA256-SHA384", /* TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 */
343 "ECDH-RSA-ARIA128-SHA256", /* TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 */
344 "ECDH-RSA-ARIA256-SHA384", /* TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 */
345 "ARIA128-GCM-SHA256", /* TLS_RSA_WITH_ARIA_128_GCM_SHA256 */
346 "ARIA256-GCM-SHA384", /* TLS_RSA_WITH_ARIA_256_GCM_SHA384 */
347 "DH-DSS-ARIA128-GCM-SHA256", /* TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 */
348 "DH-DSS-ARIA256-GCM-SHA384", /* TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 */
349 "DH-RSA-ARIA128-GCM-SHA256", /* TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 */
350 "DH-RSA-ARIA256-GCM-SHA384", /* TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 */
351 "ADH-ARIA128-GCM-SHA256", /* TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 */
352 "ADH-ARIA256-GCM-SHA384", /* TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 */
353 "ECDH-ECDSA-ARIA128-GCM-SHA256", /* TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 */
354 "ECDH-ECDSA-ARIA256-GCM-SHA384", /* TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 */
355 "ECDH-RSA-ARIA128-GCM-SHA256", /* TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 */
356 "ECDH-RSA-ARIA256-GCM-SHA384", /* TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 */
357 "PSK-ARIA128-SHA256", /* TLS_PSK_WITH_ARIA_128_CBC_SHA256 */
358 "PSK-ARIA256-SHA384", /* TLS_PSK_WITH_ARIA_256_CBC_SHA384 */
359 "DHE-PSK-ARIA128-SHA256", /* TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 */
360 "DHE-PSK-ARIA256-SHA384", /* TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 */
361 "RSA-PSK-ARIA128-SHA256", /* TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 */
362 "RSA-PSK-ARIA256-SHA384", /* TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 */
363 "ARIA128-GCM-SHA256", /* TLS_PSK_WITH_ARIA_128_GCM_SHA256 */
364 "ARIA256-GCM-SHA384", /* TLS_PSK_WITH_ARIA_256_GCM_SHA384 */
365 "RSA-PSK-ARIA128-GCM-SHA256", /* TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 */
366 "RSA-PSK-ARIA256-GCM-SHA384", /* TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 */
367 "ECDHE-PSK-ARIA128-SHA256", /* TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 */
368 "ECDHE-PSK-ARIA256-SHA384", /* TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 */
369
370 /* blacklisted SEED encryptions */
371 "SEED-SHA", /*TLS_RSA_WITH_SEED_CBC_SHA */
372 "DH-DSS-SEED-SHA", /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
373 "DH-RSA-SEED-SHA", /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
374 "DHE-DSS-SEED-SHA", /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
375 "DHE-RSA-SEED-SHA", /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
376 "ADH-SEED-SHA", /* TLS_DH_anon_WITH_SEED_CBC_SHA */
377
378 /* blacklisted KRB5 ciphers */
379 "KRB5-DES-CBC-SHA", /* TLS_KRB5_WITH_DES_CBC_SHA */
380 "KRB5-DES-CBC3-SHA", /* TLS_KRB5_WITH_3DES_EDE_CBC_SHA */
381 "KRB5-IDEA-CBC-SHA", /* TLS_KRB5_WITH_IDEA_CBC_SHA */
382 "KRB5-DES-CBC-MD5", /* TLS_KRB5_WITH_DES_CBC_MD5 */
383 "KRB5-DES-CBC3-MD5", /* TLS_KRB5_WITH_3DES_EDE_CBC_MD5 */
384 "KRB5-IDEA-CBC-MD5", /* TLS_KRB5_WITH_IDEA_CBC_MD5 */
385 "EXP-KRB5-DES-CBC-SHA", /* TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA */
386 "EXP-KRB5-DES-CBC-MD5", /* TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 */
387 "EXP-KRB5-RC2-CBC-SHA", /* TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA */
388 "EXP-KRB5-RC2-CBC-MD5", /* TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 */
389
390 /* blacklisted exoticas */
391 "DHE-DSS-CBC-SHA", /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
392 "IDEA-CBC-SHA", /* TLS_RSA_WITH_IDEA_CBC_SHA */
393
394 /* not really sure if the following names are correct */
395 "SSL3_CK_SCSV", /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
396 "SSL3_CK_FALLBACK_SCSV"
397};
398static size_t RFC7540_names_LEN = sizeof(RFC7540_names)/sizeof(RFC7540_names[0]);
399
400
401static apr_hash_t *BLCNames;
402
403static void cipher_init(apr_pool_t *pool)
404{
405 apr_hash_t *hash = apr_hash_make(pool);
406 const char *source;
407 unsigned int i;
408
409 source = "rfc7540";
410 for (i = 0; i < RFC7540_names_LEN; ++i) {
411 apr_hash_set(hash, RFC7540_names[i], APR_HASH_KEY_STRING, source);
412 }
413
414 BLCNames = hash;
415}
416
417static int cipher_is_blacklisted(const char *cipher, const char **psource)
418{
419 *psource = apr_hash_get(BLCNames, cipher, APR_HASH_KEY_STRING);
420 return !!*psource;
421}
422
423apr_status_t h2_protocol_init(apr_pool_t *pool, server_rec *s)
424{
425 (void)pool;
426 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "h2_h2, child_init");
427 cipher_init(pool);
428
429 return APR_SUCCESS;
430}
431
432int h2_protocol_is_acceptable_c1(conn_rec *c, request_rec *r, int require_all)
433{
434 int is_tls = ap_ssl_conn_is_ssl(c);
435
436 if (is_tls && h2_config_cgeti(c, H2_CONF_MODERN_TLS_ONLY) > 0) {
437 /* Check TLS connection for modern TLS parameters, as defined in
438 * RFC 7540 and https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
439 */
440 apr_pool_t *pool = c->pool;
441 server_rec *s = c->base_server;
442 const char *val;
443
444 /* Need Tlsv1.2 or higher, rfc 7540, ch. 9.2
445 */
446 val = ap_ssl_var_lookup(pool, s, c, NULL, "SSL_PROTOCOL");
447 if (val && *val) {
448 if (strncmp("TLS", val, 3)
449 || !strcmp("TLSv1", val)
450 || !strcmp("TLSv1.1", val)) {
451 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03050)
452 "h2_h2(%ld): tls protocol not suitable: %s",
453 (long)c->id, val);
454 return 0;
455 }
456 }
457 else if (require_all) {
458 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03051)
459 "h2_h2(%ld): tls protocol is indetermined", (long)c->id);
460 return 0;
461 }
462
463 if (val && !strcmp("TLSv1.2", val)) {
464 /* Check TLS cipher blacklist, defined pre-TLSv1.3, so only
465 * checking for 1.2 */
466 val = ap_ssl_var_lookup(pool, s, c, NULL, "SSL_CIPHER");
467 if (val && *val) {
468 const char *source;
469 if (cipher_is_blacklisted(val, &source)) {
470 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03052)
471 "h2_h2(%ld): tls cipher %s blacklisted by %s",
472 (long)c->id, val, source);
473 return 0;
474 }
475 }
476 else if (require_all) {
477 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03053)
478 "h2_h2(%ld): tls cipher is indetermined", (long)c->id);
479 return 0;
480 }
481 }
482 }
483 return 1;
484}
485
apr_optional.h
APR-UTIL registration of functions exported by modules.
apr_optional_hooks.h
Apache optional hook functions.
hash
#define hash(h, r, b, n)
Definition apr_random.c:51
apr_strings.h
APR Strings library.
r
request_rec * r
Definition http_config.h:1168
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
ap_log_error
#define ap_log_error
Definition http_log.h:370
ap_log_cerror
#define ap_log_cerror
Definition http_log.h:498
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_TRACE1
#define APLOG_TRACE1
Definition http_log.h:72
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
ap_ssl_var_lookup
const char * ap_ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)
Definition ssl.c:186
ap_ssl_conn_is_ssl
int ap_ssl_conn_is_ssl(conn_rec *c)
Definition ssl.c:90
size
apr_size_t size
Definition apr_allocator.h:115
val
apr_uint32_t val
Definition apr_atomic.h:66
pool
const char int apr_pool_t * pool
Definition apr_cstr.h:84
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
APR_HASH_KEY_STRING
#define APR_HASH_KEY_STRING
Definition apr_hash.h:47
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
source
apr_sockaddr_t apr_sockaddr_t apr_sockaddr_t * source
Definition apr_network_io.h:900
s
const char * s
Definition apr_strings.h:95
h2_bucket_beam.h
h2_c1.h
h2_c2.h
h2_config_cgeti
int h2_config_cgeti(conn_rec *c, h2_config_var_t var)
Definition h2_config.c:496
h2_config.h
H2_CONF_MODERN_TLS_ONLY
@ H2_CONF_MODERN_TLS_ONLY
Definition h2_config.h:34
h2_conn_ctx.h
h2_headers.h
h2_private.h
h2_protocol_ids_tls
const char * h2_protocol_ids_tls[]
Definition h2_protocol.c:48
BLCNames
static apr_hash_t * BLCNames
Definition h2_protocol.c:401
h2_protocol_init
apr_status_t h2_protocol_init(apr_pool_t *pool, server_rec *s)
Definition h2_protocol.c:423
h2_protocol_is_acceptable_c1
int h2_protocol_is_acceptable_c1(conn_rec *c, request_rec *r, int require_all)
Definition h2_protocol.c:432
h2_err_descr
static const char * h2_err_descr[]
Definition h2_protocol.c:61
RFC7540_names_LEN
static size_t RFC7540_names_LEN
Definition h2_protocol.c:398
h2_protocol_err_description
const char * h2_protocol_err_description(unsigned int h2_error)
Definition h2_protocol.c:78
cipher_is_blacklisted
static int cipher_is_blacklisted(const char *cipher, const char **psource)
Definition h2_protocol.c:417
cipher_init
static void cipher_init(apr_pool_t *pool)
Definition h2_protocol.c:403
RFC7540_names
static const char * RFC7540_names[]
Definition h2_protocol.c:94
H2_MAGIC_TOKEN
const char * H2_MAGIC_TOKEN
Definition h2_protocol.c:56
h2_protocol_ids_clear
const char * h2_protocol_ids_clear[]
Definition h2_protocol.c:52
h2_protocol.h
h2_request.h
h2_session.h
h2_stream.h
h2_util.h
http_config.h
Apache Configuration.
http_connection.h
Apache connection library.
http_core.h
CORE HTTP Daemon.
http_log.h
Apache Logging library.
http_protocol.h
HTTP protocol handling.
http_request.h
Apache Request library.
http_ssl.h
SSL protocol handling.
httpd.h
HTTP Daemon routines.
mod_http2.h
NULL
return NULL
Definition mod_so.c:359
i
int i
Definition mod_so.c:347
apr_hash_t
Definition apr_hash.c:75
apr_pool_t
Definition apr_pools.c:562
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
request_rec
A structure that represents the current request.
Definition httpd.h:845
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
Generated by doxygen 1.9.8