Apache HTTPD
tls_core.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#include <assert.h>
17#include <apr_lib.h>
18#include <apr_strings.h>
19#include <apr_network_io.h>
20
21#include <httpd.h>
22#include <http_core.h>
23#include <http_log.h>
24#include <http_protocol.h>
25#include <http_ssl.h>
26#include <http_vhost.h>
27#include <http_main.h>
28#include <ap_socache.h>
29
30#include <rustls.h>
31
32#include "tls_proto.h"
33#include "tls_cert.h"
34#include "tls_conf.h"
35#include "tls_core.h"
36#include "tls_ocsp.h"
37#include "tls_util.h"
38#include "tls_cache.h"
39#include "tls_var.h"
40
41
42extern module AP_MODULE_DECLARE_DATA tls_module;
43APLOG_USE_MODULE(tls);
44
45tls_conf_conn_t *tls_conf_conn_get(conn_rec *c)
46{
47 return ap_get_module_config(c->conn_config, &tls_module);
48}
49
50void tls_conf_conn_set(conn_rec *c, tls_conf_conn_t *cc)
51{
52 ap_set_module_config(c->conn_config, &tls_module, cc);
53}
54
55int tls_conn_check_ssl(conn_rec *c)
56{
57 tls_conf_conn_t *cc = tls_conf_conn_get(c->master? c->master : c);
58 if (TLS_CONN_ST_IS_ENABLED(cc)) {
59 return OK;
60 }
61 return DECLINED;
62}
63
64static int we_listen_on(tls_conf_global_t *gc, server_rec *s, tls_conf_server_t *sc)
65{
66 server_addr_rec *sa, *la;
67
68 if (gc->tls_addresses && sc->base_server) {
69 /* The base server listens to every port and may be selected via SNI */
70 return 1;
71 }
72 for (la = gc->tls_addresses; la; la = la->next) {
73 for (sa = s->addrs; sa; sa = sa->next) {
74 if (la->host_port == sa->host_port
75 && la->host_addr->ipaddr_len == sa->host_addr->ipaddr_len
76 && !memcmp(la->host_addr->ipaddr_ptr,
77 la->host_addr->ipaddr_ptr, (size_t)la->host_addr->ipaddr_len)) {
78 /* exact match */
79 return 1;
80 }
81 }
82 }
83 return 0;
84}
85
86static apr_status_t tls_core_free(void *data)
87{
88 server_rec *base_server = (server_rec *)data;
89 tls_conf_server_t *sc = tls_conf_server_get(base_server);
90
91 if (sc && sc->global && sc->global->rustls_hello_config) {
92 rustls_server_config_free(sc->global->rustls_hello_config);
93 sc->global->rustls_hello_config = NULL;
94 }
95 tls_cache_free(base_server);
96 return APR_SUCCESS;
97}
98
99static apr_status_t load_certified_keys(
100 apr_array_header_t *keys, server_rec *s,
101 apr_array_header_t *cert_specs,
102 tls_cert_reg_t *cert_reg)
103{
104 apr_status_t rv = APR_SUCCESS;
105 const rustls_certified_key *ckey;
106 tls_cert_spec_t *spec;
107 int i;
108
109 if (cert_specs && cert_specs->nelts > 0) {
110 for (i = 0; i < cert_specs->nelts; ++i) {
111 spec = APR_ARRAY_IDX(cert_specs, i, tls_cert_spec_t*);
112 rv = tls_cert_reg_get_certified_key(cert_reg, s, spec, &ckey);
113 if (APR_SUCCESS != rv) {
114 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10318)
115 "Failed to load certificate %d[cert=%s(%d), key=%s(%d)] for %s",
116 i, spec->cert_file, (int)(spec->cert_pem? strlen(spec->cert_pem) : 0),
117 spec->pkey_file, (int)(spec->pkey_pem? strlen(spec->pkey_pem) : 0),
118 s->server_hostname);
119 goto cleanup;
120 }
121 assert(ckey);
122 APR_ARRAY_PUSH(keys, const rustls_certified_key*) = ckey;
123 }
124 }
125cleanup:
126 return rv;
127}
128
129static apr_status_t use_local_key(
130 conn_rec *c, const char *cert_pem, const char *pkey_pem)
131{
132 tls_conf_conn_t *cc = tls_conf_conn_get(c);
133 const rustls_certified_key *ckey = NULL;
134 tls_cert_spec_t spec;
135 apr_status_t rv = APR_SUCCESS;
136
137 memset(&spec, 0, sizeof(spec));
138 spec.cert_pem = cert_pem;
139 spec.pkey_pem = pkey_pem;
140 rv = tls_cert_load_cert_key(c->pool, &spec, NULL, &ckey);
141 if (APR_SUCCESS != rv) goto cleanup;
142
143 cc->local_keys = apr_array_make(c->pool, 2, sizeof(const rustls_certified_key*));
144 APR_ARRAY_PUSH(cc->local_keys, const rustls_certified_key*) = ckey;
145 ckey = NULL;
146
147cleanup:
148 if (ckey != NULL) rustls_certified_key_free(ckey);
149 return rv;
150}
151
152static void add_file_specs(
153 apr_array_header_t *certificates,
154 apr_pool_t *p,
155 apr_array_header_t *cert_files,
156 apr_array_header_t *key_files)
157{
158 tls_cert_spec_t *spec;
159 int i;
160
161 for (i = 0; i < cert_files->nelts; ++i) {
162 spec = apr_pcalloc(p, sizeof(*spec));
163 spec->cert_file = APR_ARRAY_IDX(cert_files, i, const char*);
164 spec->pkey_file = (i < key_files->nelts)? APR_ARRAY_IDX(key_files, i, const char*) : NULL;
165 *(const tls_cert_spec_t**)apr_array_push(certificates) = spec;
166 }
167}
168
169static apr_status_t calc_ciphers(
170 apr_pool_t *pool,
171 server_rec *s,
172 tls_conf_global_t *gc,
173 const char *proxy,
174 apr_array_header_t *pref_ciphers,
175 apr_array_header_t *supp_ciphers,
176 const apr_array_header_t **pciphers)
177{
178 apr_array_header_t *ordered_ciphers;
179 const apr_array_header_t *ciphers;
180 apr_array_header_t *unsupported = NULL;
181 rustls_result rr = RUSTLS_RESULT_OK;
182 apr_status_t rv = APR_SUCCESS;
183 apr_uint16_t id;
184 int i;
185
186
187 /* remove all suppressed ciphers from the ones supported by rustls */
188 ciphers = tls_util_array_uint16_remove(pool, gc->proto->supported_cipher_ids, supp_ciphers);
189 ordered_ciphers = NULL;
190 /* if preferred ciphers are actually still present in allowed_ciphers, put
191 * them into `ciphers` in this order */
192 for (i = 0; i < pref_ciphers->nelts; ++i) {
193 id = APR_ARRAY_IDX(pref_ciphers, i, apr_uint16_t);
194 ap_log_error(APLOG_MARK, APLOG_TRACE4, rv, s,
195 "checking preferred cipher %s: %d",
196 s->server_hostname, id);
197 if (tls_util_array_uint16_contains(ciphers, id)) {
198 ap_log_error(APLOG_MARK, APLOG_TRACE4, rv, s,
199 "checking preferred cipher %s: %d is known",
200 s->server_hostname, id);
201 if (ordered_ciphers == NULL) {
202 ordered_ciphers = apr_array_make(pool, ciphers->nelts, sizeof(apr_uint16_t));
203 }
204 APR_ARRAY_PUSH(ordered_ciphers, apr_uint16_t) = id;
205 }
206 else if (!tls_proto_is_cipher_supported(gc->proto, id)) {
207 ap_log_error(APLOG_MARK, APLOG_TRACE4, rv, s,
208 "checking preferred cipher %s: %d is unsupported",
209 s->server_hostname, id);
210 if (!unsupported) unsupported = apr_array_make(pool, 5, sizeof(apr_uint16_t));
211 APR_ARRAY_PUSH(unsupported, apr_uint16_t) = id;
212 }
213 }
214 /* if we found ciphers with preference among allowed_ciphers,
215 * append all other allowed ciphers. */
216 if (ordered_ciphers) {
217 for (i = 0; i < ciphers->nelts; ++i) {
218 id = APR_ARRAY_IDX(ciphers, i, apr_uint16_t);
219 if (!tls_util_array_uint16_contains(ordered_ciphers, id)) {
220 APR_ARRAY_PUSH(ordered_ciphers, apr_uint16_t) = id;
221 }
222 }
223 ciphers = ordered_ciphers;
224 }
225
226 if (ciphers == gc->proto->supported_cipher_ids) {
227 ciphers = NULL;
228 }
229
230 if (unsupported && unsupported->nelts) {
231 ap_log_error(APLOG_MARK, APLOG_WARNING, rv, s, APLOGNO(10319)
232 "Server '%s' has TLS%sCiphersPrefer configured that are not "
233 "supported by rustls. These will not have an effect: %s",
234 s->server_hostname, proxy,
235 tls_proto_get_cipher_names(gc->proto, unsupported, pool));
236 }
237
238 if (RUSTLS_RESULT_OK != rr) {
239 const char *err_descr;
240 rv = tls_util_rustls_error(pool, rr, &err_descr);
241 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10320)
242 "Failed to configure ciphers %s: [%d] %s",
243 s->server_hostname, (int)rr, err_descr);
244 }
245 *pciphers = (APR_SUCCESS == rv)? ciphers : NULL;
246 return rv;
247}
248
249static apr_status_t get_server_ciphersuites(
250 const apr_array_header_t **pciphersuites,
251 apr_pool_t *pool, tls_conf_server_t *sc)
252{
253 const apr_array_header_t *ciphers, *suites = NULL;
254 apr_status_t rv = APR_SUCCESS;
255
256 rv = calc_ciphers(pool, sc->server, sc->global,
257 "", sc->tls_pref_ciphers, sc->tls_supp_ciphers,
258 &ciphers);
259 if (APR_SUCCESS != rv) goto cleanup;
260
261 if (ciphers) {
262 suites = tls_proto_get_rustls_suites(
263 sc->global->proto, ciphers, pool);
264 if (APLOGtrace2(sc->server)) {
265 tls_proto_conf_t *conf = sc->global->proto;
266 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, sc->server,
267 "tls ciphers configured[%s]: %s",
268 sc->server->server_hostname,
269 tls_proto_get_cipher_names(conf, ciphers, pool));
270 }
271 }
272
273cleanup:
274 *pciphersuites = (APR_SUCCESS == rv)? suites : NULL;
275 return rv;
276}
277
278static apr_array_header_t *complete_cert_specs(
279 apr_pool_t *p, tls_conf_server_t *sc)
280{
281 apr_array_header_t *cert_adds, *key_adds, *specs;
282
283 /* Take the configured certificate specifications and ask
284 * around for other modules to add specifications to this server.
285 * This is the way mod_md provides certificates.
286 *
287 * If the server then still has no cert specifications, ask
288 * around for `fallback` certificates which are commonly self-signed,
289 * temporary ones which let the server startup in order to
290 * obtain the `real` certificates from sources like ACME.
291 * Servers will fallbacks will answer all requests with 503.
292 */
293 specs = apr_array_copy(p, sc->cert_specs);
294 cert_adds = apr_array_make(p, 2, sizeof(const char*));
295 key_adds = apr_array_make(p, 2, sizeof(const char*));
296
297 ap_ssl_add_cert_files(sc->server, p, cert_adds, key_adds);
298 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, sc->server,
299 "init server: complete_cert_specs added %d certs", cert_adds->nelts);
300 add_file_specs(specs, p, cert_adds, key_adds);
301
302 if (apr_is_empty_array(specs)) {
303 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, sc->server,
304 "init server: no certs configured, looking for fallback");
305 ap_ssl_add_fallback_cert_files(sc->server, p, cert_adds, key_adds);
306 if (cert_adds->nelts > 0) {
307 add_file_specs(specs, p, cert_adds, key_adds);
308 sc->service_unavailable = 1;
309 ap_log_error(APLOG_MARK, APLOG_INFO, 0, sc->server, APLOGNO(10321)
310 "Init: %s will respond with '503 Service Unavailable' for now. There "
311 "are no SSL certificates configured and no other module contributed any.",
312 sc->server->server_hostname);
313 }
314 else if (!sc->base_server) {
315 ap_log_error(APLOG_MARK, APLOG_ERR, 0, sc->server, APLOGNO(10322)
316 "Init: %s has no certificates configured. Use 'TLSCertificate' to "
317 "configure a certificate and key file.",
318 sc->server->server_hostname);
319 }
320 }
321 return specs;
322}
323
324static const rustls_certified_key *select_certified_key(
325 void* userdata, const rustls_client_hello *hello)
326{
327 conn_rec *c = userdata;
328 tls_conf_conn_t *cc;
329 tls_conf_server_t *sc;
330 apr_array_header_t *keys;
331 const rustls_certified_key *clone;
332 rustls_result rr = RUSTLS_RESULT_OK;
333 apr_status_t rv;
334
335 ap_assert(c);
336 cc = tls_conf_conn_get(c);
337 ap_assert(cc);
338 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "client hello select certified key");
339 if (!cc || !cc->server) goto cleanup;
340 sc = tls_conf_server_get(cc->server);
341 if (!sc) goto cleanup;
342
343 cc->key = NULL;
344 cc->key_cloned = 0;
345 if (cc->local_keys && cc->local_keys->nelts > 0) {
346 keys = cc->local_keys;
347 }
348 else {
349 keys = sc->certified_keys;
350 }
351 if (!keys || keys->nelts <= 0) goto cleanup;
352
353 rr = rustls_client_hello_select_certified_key(hello,
354 (const rustls_certified_key**)keys->elts, (size_t)keys->nelts, &cc->key);
355 if (RUSTLS_RESULT_OK != rr) goto cleanup;
356
357 if (APR_SUCCESS == tls_ocsp_update_key(c, cc->key, &clone)) {
358 /* got OCSP response data for it, meaning the key was cloned and we need to remember */
359 cc->key_cloned = 1;
360 cc->key = clone;
361 }
362 if (APLOGctrace2(c)) {
363 const char *key_id = tls_cert_reg_get_id(sc->global->cert_reg, cc->key);
364 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, APLOGNO(10323)
365 "client hello selected key: %s", key_id? key_id : "unknown");
366 }
367 return cc->key;
368
369cleanup:
370 if (RUSTLS_RESULT_OK != rr) {
371 const char *err_descr;
372 rv = tls_util_rustls_error(c->pool, rr, &err_descr);
373 ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(10324)
374 "Failed to select certified key: [%d] %s", (int)rr, err_descr);
375 }
376 return NULL;
377}
378
379static apr_status_t server_conf_setup(
380 apr_pool_t *p, apr_pool_t *ptemp, tls_conf_server_t *sc, tls_conf_global_t *gc)
381{
382 apr_array_header_t *cert_specs;
383 apr_status_t rv = APR_SUCCESS;
384
385 /* TODO: most code has been stripped here with the changes in rustls-ffi v0.8.0
386 * and this means that any errors are only happening at connection setup, which
387 * is too late.
388 */
389 (void)p;
390 ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, sc->server,
391 "init server: %s", sc->server->server_hostname);
392
393 if (sc->client_auth != TLS_CLIENT_AUTH_NONE && !sc->client_ca) {
394 ap_log_error(APLOG_MARK, APLOG_ERR, 0, sc->server, APLOGNO(10325)
395 "TLSClientAuthentication is enabled for %s, but no client CA file is set. "
396 "Use 'TLSClientCA <file>' to specify the trust anchors.",
397 sc->server->server_hostname);
398 rv = APR_EINVAL; goto cleanup;
399 }
400
401 cert_specs = complete_cert_specs(ptemp, sc);
402 sc->certified_keys = apr_array_make(p, 3, sizeof(rustls_certified_key *));
403 rv = load_certified_keys(sc->certified_keys, sc->server, cert_specs, gc->cert_reg);
404 if (APR_SUCCESS != rv) goto cleanup;
405
406 rv = get_server_ciphersuites(&sc->ciphersuites, p, sc);
407 if (APR_SUCCESS != rv) goto cleanup;
408
409 ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, sc->server,
410 "init server: %s with %d certificates loaded",
411 sc->server->server_hostname, sc->certified_keys->nelts);
412cleanup:
413 return rv;
414}
415
416static apr_status_t get_proxy_ciphers(const apr_array_header_t **pciphersuites,
417 apr_pool_t *pool, tls_conf_proxy_t *pc)
418{
419 const apr_array_header_t *ciphers, *suites = NULL;
420 apr_status_t rv = APR_SUCCESS;
421
422 rv = calc_ciphers(pool, pc->defined_in, pc->global,
423 "", pc->proxy_pref_ciphers, pc->proxy_supp_ciphers, &ciphers);
424 if (APR_SUCCESS != rv) goto cleanup;
425
426 if (ciphers) {
427 suites = tls_proto_get_rustls_suites(pc->global->proto, ciphers, pool);
428 /* this changed the default rustls ciphers, configure it. */
429 if (APLOGtrace2(pc->defined_in)) {
430 tls_proto_conf_t *conf = pc->global->proto;
431 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, pc->defined_in,
432 "tls proxy ciphers configured[%s]: %s",
433 pc->defined_in->server_hostname,
434 tls_proto_get_cipher_names(conf, ciphers, pool));
435 }
436 }
437
438cleanup:
439 *pciphersuites = (APR_SUCCESS == rv)? suites : NULL;
440 return rv;
441}
442
443static apr_status_t proxy_conf_setup(
444 apr_pool_t *p, apr_pool_t *ptemp, tls_conf_proxy_t *pc, tls_conf_global_t *gc)
445{
446 apr_status_t rv = APR_SUCCESS;
447
448 (void)p; (void)ptemp;
449 ap_assert(pc->defined_in);
450 pc->global = gc;
451
452 if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
453 ap_log_error(APLOG_MARK, APLOG_TRACE2, rv, pc->defined_in,
454 "proxy: will use roots in %s from %s",
455 pc->defined_in->server_hostname, pc->proxy_ca);
456 }
457 else {
458 ap_log_error(APLOG_MARK, APLOG_WARNING, rv, pc->defined_in,
459 "proxy: there is no TLSProxyCA configured in %s which means "
460 "the certificates of remote servers contacted from here will not be trusted.",
461 pc->defined_in->server_hostname);
462 }
463
464 if (pc->proxy_protocol_min > 0) {
465 apr_array_header_t *tls_versions;
466
467 ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, pc->defined_in,
468 "init server: set proxy protocol min version %04x", pc->proxy_protocol_min);
469 tls_versions = tls_proto_create_versions_plus(
470 gc->proto, (apr_uint16_t)pc->proxy_protocol_min, ptemp);
471 if (tls_versions->nelts > 0) {
472 if (pc->proxy_protocol_min != APR_ARRAY_IDX(tls_versions, 0, apr_uint16_t)) {
473 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, pc->defined_in, APLOGNO(10326)
474 "Init: the minimum proxy protocol version configured for %s (%04x) "
475 "is not supported and version %04x was selected instead.",
476 pc->defined_in->server_hostname, pc->proxy_protocol_min,
477 APR_ARRAY_IDX(tls_versions, 0, apr_uint16_t));
478 }
479 }
480 else {
481 ap_log_error(APLOG_MARK, APLOG_ERR, 0, pc->defined_in, APLOGNO(10327)
482 "Unable to configure the proxy protocol version for %s: "
483 "neither the configured minimum version (%04x), nor any higher one is "
484 "available.", pc->defined_in->server_hostname, pc->proxy_protocol_min);
485 rv = APR_ENOTIMPL; goto cleanup;
486 }
487 }
488
489#if TLS_MACHINE_CERTS
490 rv = load_certified_keys(pc->machine_certified_keys, pc->defined_in,
491 pc->machine_cert_specs, gc->cert_reg);
492 if (APR_SUCCESS != rv) goto cleanup;
493#endif
494
495cleanup:
496 return rv;
497}
498
499static const rustls_certified_key *extract_client_hello_values(
500 void* userdata, const rustls_client_hello *hello)
501{
502 conn_rec *c = userdata;
503 tls_conf_conn_t *cc = tls_conf_conn_get(c);
504 size_t i, len;
505 unsigned short n;
506
507 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "extract client hello values");
508 if (!cc) goto cleanup;
509 cc->client_hello_seen = 1;
510 if (hello->server_name.len > 0) {
511 cc->sni_hostname = apr_pstrndup(c->pool, hello->server_name.data, hello->server_name.len);
512 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "sni detected: %s", cc->sni_hostname);
513 }
514 else {
515 cc->sni_hostname = NULL;
516 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "no sni from client");
517 }
518 if (APLOGctrace4(c) && hello->signature_schemes.len > 0) {
519 for (i = 0; i < hello->signature_schemes.len; ++i) {
520 n = hello->signature_schemes.data[i];
521 ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, c,
522 "client supports signature scheme: %x", (int)n);
523 }
524 }
525 if ((len = rustls_slice_slice_bytes_len(hello->alpn)) > 0) {
526 apr_array_header_t *alpn = apr_array_make(c->pool, 5, sizeof(const char*));
527 const char *protocol;
528 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "ALPN: client proposes %d protocols", (int)len);
529 for (i = 0; i < len; ++i) {
530 rustls_slice_bytes rs = rustls_slice_slice_bytes_get(hello->alpn, i);
531 protocol = apr_pstrndup(c->pool, (const char*)rs.data, rs.len);
532 APR_ARRAY_PUSH(alpn, const char*) = protocol;
533 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
534 "ALPN: client proposes %d: `%s`", (int)i, protocol);
535 }
536 cc->alpn = alpn;
537 }
538 else {
539 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "ALPN: no alpn proposed by client");
540 }
541cleanup:
542 return NULL;
543}
544
545static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, tls_conf_global_t *gc)
546{
547 rustls_server_config_builder *builder;
548 rustls_result rr = RUSTLS_RESULT_OK;
549 apr_status_t rv = APR_SUCCESS;
550
551 builder = rustls_server_config_builder_new();
552 if (!builder) {
553 rr = RUSTLS_RESULT_PANIC; goto cleanup;
554 }
555 rustls_server_config_builder_set_hello_callback(builder, extract_client_hello_values);
556 gc->rustls_hello_config = rustls_server_config_builder_build(builder);
557 if (!gc->rustls_hello_config) {
558 rr = RUSTLS_RESULT_PANIC; goto cleanup;
559 }
560
561cleanup:
562 if (RUSTLS_RESULT_OK != rr) {
563 const char *err_descr = NULL;
564 rv = tls_util_rustls_error(p, rr, &err_descr);
565 ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server, APLOGNO(10328)
566 "Failed to init generic hello config: [%d] %s", (int)rr, err_descr);
567 goto cleanup;
568 }
569 return rv;
570}
571
572static apr_status_t init_incoming(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
573{
574 tls_conf_server_t *sc = tls_conf_server_get(base_server);
575 tls_conf_global_t *gc = sc->global;
576 server_rec *s;
577 apr_status_t rv = APR_ENOMEM;
578
579 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, base_server, "tls_core_init incoming");
580 apr_pool_cleanup_register(p, base_server, tls_core_free,
581 apr_pool_cleanup_null);
582
583 rv = tls_proto_post_config(p, ptemp, base_server);
584 if (APR_SUCCESS != rv) goto cleanup;
585
586 for (s = base_server; s; s = s->next) {
587 sc = tls_conf_server_get(s);
588 assert(sc);
589 ap_assert(sc->global == gc);
590
591 /* If 'TLSEngine' has been configured, use those addresses to
592 * decide if we are enabled on this server. */
593 sc->base_server = (s == base_server);
594 sc->enabled = we_listen_on(gc, s, sc)? TLS_FLAG_TRUE : TLS_FLAG_FALSE;
595 }
596
597 rv = tls_cache_post_config(p, ptemp, base_server);
598 if (APR_SUCCESS != rv) goto cleanup;
599
600 rv = setup_hello_config(p, base_server, gc);
601 if (APR_SUCCESS != rv) goto cleanup;
602
603 /* Setup server configs and collect all certificates we use. */
604 gc->cert_reg = tls_cert_reg_make(p);
605 gc->stores = tls_cert_root_stores_make(p);
606 gc->verifiers = tls_cert_verifiers_make(p, gc->stores);
607 for (s = base_server; s; s = s->next) {
608 sc = tls_conf_server_get(s);
609 rv = tls_conf_server_apply_defaults(sc, p);
610 if (APR_SUCCESS != rv) goto cleanup;
611 if (sc->enabled != TLS_FLAG_TRUE) continue;
612 rv = server_conf_setup(p, ptemp, sc, gc);
613 if (APR_SUCCESS != rv) {
614 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "server setup failed: %s",
615 s->server_hostname);
616 goto cleanup;
617 }
618 }
619
620cleanup:
621 if (APR_SUCCESS != rv) {
622 ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server, "error during post_config");
623 }
624 return rv;
625}
626
627static apr_status_t init_outgoing(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
628{
629 tls_conf_server_t *sc = tls_conf_server_get(base_server);
630 tls_conf_global_t *gc = sc->global;
631 tls_conf_dir_t *dc;
632 tls_conf_proxy_t *pc;
633 server_rec *s;
634 apr_status_t rv = APR_SUCCESS;
635 int i;
636
637 (void)p; (void)ptemp;
638 (void)gc;
639 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, base_server, "tls_core_init outgoing");
640 ap_assert(gc->mod_proxy_post_config_done);
641 /* Collect all proxy'ing default server dir configs.
642 * All <Proxy> section dir_configs should already be there - if there were any. */
643 for (s = base_server; s; s = s->next) {
644 dc = tls_conf_dir_server_get(s);
645 rv = tls_conf_dir_apply_defaults(dc, p);
646 if (APR_SUCCESS != rv) goto cleanup;
647 if (dc->proxy_enabled != TLS_FLAG_TRUE) continue;
648 dc->proxy_config = tls_conf_proxy_make(p, dc, gc, s);
649 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "%s: adding proxy_conf to globals",
650 s->server_hostname);
651 APR_ARRAY_PUSH(gc->proxy_configs, tls_conf_proxy_t*) = dc->proxy_config;
652 }
653 /* Now gc->proxy_configs contains all configurations we need to possibly
654 * act on for outgoing connections. */
655 for (i = 0; i < gc->proxy_configs->nelts; ++i) {
656 pc = APR_ARRAY_IDX(gc->proxy_configs, i, tls_conf_proxy_t*);
657 rv = proxy_conf_setup(p, ptemp, pc, gc);
658 if (APR_SUCCESS != rv) goto cleanup;
659 }
660
661cleanup:
662 return rv;
663}
664
665apr_status_t tls_core_init(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
666{
667 tls_conf_server_t *sc = tls_conf_server_get(base_server);
668 tls_conf_global_t *gc = sc->global;
669 apr_status_t rv = APR_SUCCESS;
670
671 ap_assert(gc);
672 if (TLS_CONF_ST_INIT == gc->status) {
673 rv = init_incoming(p, ptemp, base_server);
674 if (APR_SUCCESS != rv) goto cleanup;
675 gc->status = TLS_CONF_ST_INCOMING_DONE;
676 }
677 if (TLS_CONF_ST_INCOMING_DONE == gc->status) {
678 if (!gc->mod_proxy_post_config_done) goto cleanup;
679
680 rv = init_outgoing(p, ptemp, base_server);
681 if (APR_SUCCESS != rv) goto cleanup;
682 gc->status = TLS_CONF_ST_OUTGOING_DONE;
683 }
684 if (TLS_CONF_ST_OUTGOING_DONE == gc->status) {
685 /* register all loaded certificates for OCSP stapling */
686 rv = tls_ocsp_prime_certs(gc, p, base_server);
687 if (APR_SUCCESS != rv) goto cleanup;
688
689 if (gc->verifiers) tls_cert_verifiers_clear(gc->verifiers);
690 if (gc->stores) tls_cert_root_stores_clear(gc->stores);
691 gc->status = TLS_CONF_ST_DONE;
692 }
693cleanup:
694 return rv;
695}
696
697static apr_status_t tls_core_conn_free(void *data)
698{
699 tls_conf_conn_t *cc = data;
700
701 /* free all rustls things we are owning. */
702 if (cc->rustls_connection) {
703 rustls_connection_free(cc->rustls_connection);
704 cc->rustls_connection = NULL;
705 }
706 if (cc->rustls_server_config) {
707 rustls_server_config_free(cc->rustls_server_config);
708 cc->rustls_server_config = NULL;
709 }
710 if (cc->rustls_client_config) {
711 rustls_client_config_free(cc->rustls_client_config);
712 cc->rustls_client_config = NULL;
713 }
714 if (cc->key_cloned && cc->key) {
715 rustls_certified_key_free(cc->key);
716 cc->key = NULL;
717 }
718 if (cc->local_keys) {
719 const rustls_certified_key *key;
720 int i;
721
722 for (i = 0; i < cc->local_keys->nelts; ++i) {
723 key = APR_ARRAY_IDX(cc->local_keys, i, const rustls_certified_key*);
724 rustls_certified_key_free(key);
725 }
726 apr_array_clear(cc->local_keys);
727 }
728 return APR_SUCCESS;
729}
730
731static tls_conf_conn_t *cc_get_or_make(conn_rec *c)
732{
733 tls_conf_conn_t *cc = tls_conf_conn_get(c);
734 if (!cc) {
735 cc = apr_pcalloc(c->pool, sizeof(*cc));
736 cc->server = c->base_server;
737 cc->state = TLS_CONN_ST_INIT;
738 tls_conf_conn_set(c, cc);
739 apr_pool_cleanup_register(c->pool, cc, tls_core_conn_free,
740 apr_pool_cleanup_null);
741 }
742 return cc;
743}
744
745void tls_core_conn_disable(conn_rec *c)
746{
747 tls_conf_conn_t *cc;
748 cc = cc_get_or_make(c);
749 if (cc->state == TLS_CONN_ST_INIT) {
750 cc->state = TLS_CONN_ST_DISABLED;
751 }
752}
753
759
760
761static apr_status_t init_outgoing_connection(conn_rec *c)
762{
763 tls_conf_conn_t *cc = tls_conf_conn_get(c);
764 tls_conf_proxy_t *pc;
765 const apr_array_header_t *ciphersuites = NULL;
766 apr_array_header_t *tls_versions = NULL;
767 rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
768 struct rustls_server_cert_verifier *verifier = NULL;
769 rustls_client_config_builder *builder = NULL;
770 const rustls_root_cert_store *ca_store = NULL;
771 const char *hostname = NULL, *alpn_note = NULL;
772 rustls_result rr = RUSTLS_RESULT_OK;
773 apr_status_t rv = APR_SUCCESS;
774
775 ap_assert(cc->outgoing);
776 ap_assert(cc->dc);
777 pc = cc->dc->proxy_config;
778 ap_assert(pc);
779
780 hostname = apr_table_get(c->notes, "proxy-request-hostname");
781 alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
782 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, c->base_server,
783 "setup_outgoing: to %s [ALPN: %s] from configuration in %s"
784 " using CA %s", hostname, alpn_note, pc->defined_in->server_hostname, pc->proxy_ca);
785
786 rv = get_proxy_ciphers(&ciphersuites, c->pool, pc);
787 if (APR_SUCCESS != rv) goto cleanup;
788
789 if (pc->proxy_protocol_min > 0) {
790 tls_versions = tls_proto_create_versions_plus(
791 pc->global->proto, (apr_uint16_t)pc->proxy_protocol_min, c->pool);
792 }
793
794 if (ciphersuites && ciphersuites->nelts > 0
795 && tls_versions && tls_versions->nelts >= 0) {
796 rr = rustls_client_config_builder_new_custom(
797 (const struct rustls_supported_ciphersuite *const *)ciphersuites->elts,
798 (size_t)ciphersuites->nelts,
799 (const uint16_t *)tls_versions->elts, (size_t)tls_versions->nelts,
800 &builder);
801 if (RUSTLS_RESULT_OK != rr) goto cleanup;
802 }
803 else {
804 builder = rustls_client_config_builder_new();
805 if (NULL == builder) {
806 rv = APR_ENOMEM;
807 goto cleanup;
808 }
809 }
810
811 if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
812 rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
813 if (APR_SUCCESS != rv) goto cleanup;
814 verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
815 rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
816 if (RUSTLS_RESULT_OK != rr) goto cleanup;
817 rustls_client_config_builder_set_server_verifier(builder, verifier);
818 }
819
820#if TLS_MACHINE_CERTS
821 if (pc->machine_certified_keys->nelts > 0) {
822 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, c->base_server,
823 "setup_outgoing: adding %d client certificate", (int)pc->machine_certified_keys->nelts);
824 rr = rustls_client_config_builder_set_certified_key(
825 builder, (const rustls_certified_key**)pc->machine_certified_keys->elts,
826 (size_t)pc->machine_certified_keys->nelts);
827 if (RUSTLS_RESULT_OK != rr) goto cleanup;
828 }
829#endif
830
831 if (hostname) {
832 rustls_client_config_builder_set_enable_sni(builder, true);
833 }
834 else {
835 hostname = "unknown.proxy.local";
836 rustls_client_config_builder_set_enable_sni(builder, false);
837 }
838
839 if (alpn_note) {
840 apr_array_header_t *alpn_proposed = NULL;
841 char *p, *last;
842 apr_size_t len;
843
844 alpn_proposed = apr_array_make(c->pool, 3, sizeof(const char*));
845 p = apr_pstrdup(c->pool, alpn_note);
846 while ((p = apr_strtok(p, ", ", &last))) {
847 len = (apr_size_t)(last - p - (*last? 1 : 0));
848 if (len > 255) {
849 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10329)
850 "ALPN proxy protocol identifier too long: %s", p);
851 rv = APR_EGENERAL;
852 goto cleanup;
853 }
854 APR_ARRAY_PUSH(alpn_proposed, const char*) = apr_pstrndup(c->pool, p, len);
855 p = NULL;
856 }
857 if (alpn_proposed->nelts > 0) {
858 apr_array_header_t *rustls_protocols;
859 const char* proto;
860 rustls_slice_bytes bytes;
861 int i;
862
863 rustls_protocols = apr_array_make(c->pool, alpn_proposed->nelts, sizeof(rustls_slice_bytes));
864 for (i = 0; i < alpn_proposed->nelts; ++i) {
865 proto = APR_ARRAY_IDX(alpn_proposed, i, const char*);
866 bytes.data = (const unsigned char*)proto;
867 bytes.len = strlen(proto);
868 APR_ARRAY_PUSH(rustls_protocols, rustls_slice_bytes) = bytes;
869 }
870
871 rr = rustls_client_config_builder_set_alpn_protocols(builder,
872 (rustls_slice_bytes*)rustls_protocols->elts, (size_t)rustls_protocols->nelts);
873 if (RUSTLS_RESULT_OK != rr) goto cleanup;
874
875 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, c->base_server,
876 "setup_outgoing: to %s, added %d ALPN protocols from %s",
877 hostname, rustls_protocols->nelts, alpn_note);
878 }
879 }
880
881 cc->rustls_client_config = rustls_client_config_builder_build(builder);
882 builder = NULL;
883
884 rr = rustls_client_connection_new(cc->rustls_client_config, hostname, &cc->rustls_connection);
885 if (RUSTLS_RESULT_OK != rr) goto cleanup;
886 rustls_connection_set_userdata(cc->rustls_connection, c);
887
888cleanup:
889 if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
890 if (builder != NULL) rustls_client_config_builder_free(builder);
891 if (RUSTLS_RESULT_OK != rr) {
892 const char *err_descr = NULL;
893 rv = tls_util_rustls_error(c->pool, rr, &err_descr);
894 ap_log_error(APLOG_MARK, APLOG_ERR, rv, cc->server, APLOGNO(10330)
895 "Failed to init pre_session for outgoing %s to %s: [%d] %s",
896 cc->server->server_hostname, hostname, (int)rr, err_descr);
897 c->aborted = 1;
898 cc->state = TLS_CONN_ST_DISABLED;
899 goto cleanup;
900 }
901 return rv;
902}
903
904int tls_core_pre_conn_init(conn_rec *c)
905{
906 tls_conf_server_t *sc = tls_conf_server_get(c->base_server);
907 tls_conf_conn_t *cc;
908
909 cc = cc_get_or_make(c);
910 if (cc->state == TLS_CONN_ST_INIT) {
911 /* Need to decide if we TLS this connection or not */
912 int enabled =
913#if AP_MODULE_MAGIC_AT_LEAST(20120211, 109)
914 !c->outgoing &&
915#endif
916 sc->enabled == TLS_FLAG_TRUE;
917 cc->state = enabled? TLS_CONN_ST_CLIENT_HELLO : TLS_CONN_ST_DISABLED;
918 cc->client_auth = sc->client_auth;
919 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, c->base_server,
920 "tls_core_conn_init: %s for tls: %s",
921 enabled? "enabled" : "disabled", c->base_server->server_hostname);
922 }
923 else if (cc->state == TLS_CONN_ST_DISABLED) {
924 ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, c->base_server,
925 "tls_core_conn_init, not our connection: %s",
926 c->base_server->server_hostname);
927 goto cleanup;
928 }
929
930cleanup:
931 return TLS_CONN_ST_IS_ENABLED(cc)? OK : DECLINED;
932}
933
934apr_status_t tls_core_conn_init(conn_rec *c)
935{
936 tls_conf_server_t *sc = tls_conf_server_get(c->base_server);
937 tls_conf_conn_t *cc;
938 rustls_result rr = RUSTLS_RESULT_OK;
939 apr_status_t rv = APR_SUCCESS;
940
941 cc = tls_conf_conn_get(c);
942 if (cc && TLS_CONN_ST_IS_ENABLED(cc) && !cc->rustls_connection) {
943 if (cc->outgoing) {
944 rv = init_outgoing_connection(c);
945 if (APR_SUCCESS != rv) goto cleanup;
946 }
947 else {
948 /* Use a generic rustls_connection with its defaults, which we feed
949 * the first TLS bytes from the client. Its Hello message will trigger
950 * our callback where we can inspect the (possibly) supplied SNI and
951 * select another server.
952 */
953 rr = rustls_server_connection_new(sc->global->rustls_hello_config, &cc->rustls_connection);
954 if (RUSTLS_RESULT_OK != rr) goto cleanup;
955 /* we might refuse requests on this connection, e.g. ACME challenge */
956 cc->service_unavailable = sc->service_unavailable;
957 }
958 rustls_connection_set_userdata(cc->rustls_connection, c);
959 }
960
961cleanup:
962 if (RUSTLS_RESULT_OK != rr) {
963 const char *err_descr = NULL;
964 rv = tls_util_rustls_error(c->pool, rr, &err_descr);
965 ap_log_error(APLOG_MARK, APLOG_ERR, rv, sc->server, APLOGNO(10331)
966 "Failed to init TLS connection for server %s: [%d] %s",
967 sc->server->server_hostname, (int)rr, err_descr);
968 c->aborted = 1;
969 cc->state = TLS_CONN_ST_DISABLED;
970 goto cleanup;
971 }
972 return rv;
973}
974
975static int find_vhost(void *sni_hostname, conn_rec *c, server_rec *s)
976{
977 if (tls_util_name_matches_server(sni_hostname, s)) {
978 tls_conf_conn_t *cc = tls_conf_conn_get(c);
979 cc->server = s;
980 return 1;
981 }
982 return 0;
983}
984
985static apr_status_t select_application_protocol(
986 conn_rec *c, server_rec *s, rustls_server_config_builder *builder)
987{
988 tls_conf_conn_t *cc = tls_conf_conn_get(c);
989 const char *proposed;
990 rustls_result rr = RUSTLS_RESULT_OK;
991 apr_status_t rv = APR_SUCCESS;
992
993 /* The server always has a protocol it uses, normally "http/1.1".
994 * if the client, via ALPN, proposes protocols, they are in
995 * order of preference.
996 * We propose those to modules registered in the server and
997 * get the protocol back that someone is willing to run on this
998 * connection.
999 * If this is different from what the connection already does,
1000 * we tell the server (and all protocol modules) to switch.
1001 * If successful, we announce that protocol back to the client as
1002 * our only ALPN protocol and then do the 'real' handshake.
1003 */
1004 cc->application_protocol = ap_get_protocol(c);
1005 if (cc->alpn && cc->alpn->nelts > 0) {
1006 rustls_slice_bytes rsb;
1007
1008 proposed = ap_select_protocol(c, NULL, s, cc->alpn);
1009 if (!proposed) {
1010 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, rv, c,
1011 "ALPN: no protocol selected in server");
1012 goto cleanup;
1013 }
1014
1015 if (strcmp(proposed, cc->application_protocol)) {
1016 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, rv, c,
1017 "ALPN: switching protocol from `%s` to `%s`", cc->application_protocol, proposed);
1018 rv = ap_switch_protocol(c, NULL, cc->server, proposed);
1019 if (APR_SUCCESS != rv) goto cleanup;
1020 }
1021
1022 rsb.data = (const unsigned char*)proposed;
1023 rsb.len = strlen(proposed);
1024 rr = rustls_server_config_builder_set_alpn_protocols(builder, &rsb, 1);
1025 if (RUSTLS_RESULT_OK != rr) goto cleanup;
1026
1027 cc->application_protocol = proposed;
1028 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, rv, c,
1029 "ALPN: using connection protocol `%s`", cc->application_protocol);
1030
1031 /* protocol was switched, this could be a challenge protocol
1032 * such as "acme-tls/1". Give handlers the opportunity to
1033 * override the certificate for this connection. */
1034 if (strcmp("h2", proposed) && strcmp("http/1.1", proposed)) {
1035 const char *cert_pem = NULL, *key_pem = NULL;
1036 if (ap_ssl_answer_challenge(c, cc->sni_hostname, &cert_pem, &key_pem)) {
1037 /* With ACME we can have challenge connections to a unknown domains
1038 * that need to be answered with a special certificate and will
1039 * otherwise not answer any requests. See RFC 8555 */
1040 rv = use_local_key(c, cert_pem, key_pem);
1041 if (APR_SUCCESS != rv) goto cleanup;
1042
1043 cc->service_unavailable = 1;
1044 cc->client_auth = TLS_CLIENT_AUTH_NONE;
1045 }
1046 }
1047 }
1048
1049cleanup:
1050 if (rr != RUSTLS_RESULT_OK) {
1051 const char *err_descr = NULL;
1052 rv = tls_util_rustls_error(c->pool, rr, &err_descr);
1053 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10332)
1054 "Failed to init session for server %s: [%d] %s",
1055 s->server_hostname, (int)rr, err_descr);
1056 c->aborted = 1;
1057 goto cleanup;
1058 }
1059 return rv;
1060}
1061
1062static apr_status_t build_server_connection(rustls_connection **pconnection,
1063 const rustls_server_config **pconfig,
1064 conn_rec *c)
1065{
1066 tls_conf_conn_t *cc = tls_conf_conn_get(c);
1067 tls_conf_server_t *sc;
1068 const apr_array_header_t *tls_versions = NULL;
1069 rustls_server_config_builder *builder = NULL;
1070 const rustls_server_config *config = NULL;
1071 rustls_connection *rconnection = NULL;
1072 rustls_result rr = RUSTLS_RESULT_OK;
1073 apr_status_t rv = APR_SUCCESS;
1074
1075 sc = tls_conf_server_get(cc->server);
1076
1077 if (sc->tls_protocol_min > 0) {
1078 ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, sc->server,
1079 "init server: set protocol min version %04x", sc->tls_protocol_min);
1080 tls_versions = tls_proto_create_versions_plus(
1081 sc->global->proto, (apr_uint16_t)sc->tls_protocol_min, c->pool);
1082 if (tls_versions->nelts > 0) {
1083 if (sc->tls_protocol_min != APR_ARRAY_IDX(tls_versions, 0, apr_uint16_t)) {
1084 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, sc->server, APLOGNO(10333)
1085 "Init: the minimum protocol version configured for %s (%04x) "
1086 "is not supported and version %04x was selected instead.",
1087 sc->server->server_hostname, sc->tls_protocol_min,
1088 APR_ARRAY_IDX(tls_versions, 0, apr_uint16_t));
1089 }
1090 }
1091 else {
1092 ap_log_error(APLOG_MARK, APLOG_ERR, 0, sc->server, APLOGNO(10334)
1093 "Unable to configure the protocol version for %s: "
1094 "neither the configured minimum version (%04x), nor any higher one is "
1095 "available.", sc->server->server_hostname, sc->tls_protocol_min);
1096 rv = APR_ENOTIMPL; goto cleanup;
1097 }
1098 }
1099 else if (sc->ciphersuites && sc->ciphersuites->nelts > 0) {
1100 /* FIXME: rustls-ffi current has not way to make a builder with ALL_PROTOCOL_VERSIONS */
1101 tls_versions = tls_proto_create_versions_plus(sc->global->proto, 0, c->pool);
1102 }
1103
1104 if (sc->ciphersuites && sc->ciphersuites->nelts > 0
1105 && tls_versions && tls_versions->nelts >= 0) {
1106 rr = rustls_server_config_builder_new_custom(
1107 (const struct rustls_supported_ciphersuite *const *)sc->ciphersuites->elts,
1108 (size_t)sc->ciphersuites->nelts,
1109 (const uint16_t *)tls_versions->elts, (size_t)tls_versions->nelts,
1110 &builder);
1111 if (RUSTLS_RESULT_OK != rr) goto cleanup;
1112 }
1113 else {
1114 builder = rustls_server_config_builder_new();
1115 if (NULL == builder) {
1116 rv = APR_ENOMEM;
1117 goto cleanup;
1118 }
1119 }
1120
1121 /* decide on the application protocol, this may change other
1122 * settings like client_auth. */
1123 rv = select_application_protocol(c, cc->server, builder);
1124
1125 if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
1126 ap_assert(sc->client_ca); /* checked in server_setup */
1127 if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
1128 const rustls_client_cert_verifier *verifier;
1129 rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
1130 if (APR_SUCCESS != rv) goto cleanup;
1131 rustls_server_config_builder_set_client_verifier(builder, verifier);
1132 }
1133 else {
1134 const rustls_client_cert_verifier *verifier;
1135 rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
1136 if (APR_SUCCESS != rv) goto cleanup;
1137 rustls_server_config_builder_set_client_verifier(builder, verifier);
1138 }
1139 }
1140
1141 rustls_server_config_builder_set_hello_callback(builder, select_certified_key);
1142
1143 rr = rustls_server_config_builder_set_ignore_client_order(
1144 builder, sc->honor_client_order == TLS_FLAG_FALSE);
1145 if (RUSTLS_RESULT_OK != rr) goto cleanup;
1146
1147 rv = tls_cache_init_server(builder, sc->server);
1148 if (APR_SUCCESS != rv) goto cleanup;
1149
1150 config = rustls_server_config_builder_build(builder);
1151 builder = NULL;
1152 if (!config) {
1153 rv = APR_ENOMEM; goto cleanup;
1154 }
1155
1156 rr = rustls_server_connection_new(config, &rconnection);
1157 if (RUSTLS_RESULT_OK != rr) goto cleanup;
1158 rustls_connection_set_userdata(rconnection, c);
1159
1160cleanup:
1161 if (rr != RUSTLS_RESULT_OK) {
1162 const char *err_descr = NULL;
1163 rv = tls_util_rustls_error(c->pool, rr, &err_descr);
1164 ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, sc->server, APLOGNO(10335)
1165 "Failed to init session for server %s: [%d] %s",
1166 sc->server->server_hostname, (int)rr, err_descr);
1167 }
1168 if (APR_SUCCESS == rv) {
1169 *pconfig = config;
1170 *pconnection = rconnection;
1171 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, sc->server,
1172 "tls_core_conn_server_init done: %s",
1173 sc->server->server_hostname);
1174 }
1175 else {
1176 ap_log_error(APLOG_MARK, APLOG_ERR, rv, sc->server, APLOGNO(10336)
1177 "Failed to init session for server %s",
1178 sc->server->server_hostname);
1179 c->aborted = 1;
1180 if (config) rustls_server_config_free(config);
1181 if (builder) rustls_server_config_builder_free(builder);
1182 }
1183 return rv;
1184}
1185
1186apr_status_t tls_core_conn_seen_client_hello(conn_rec *c)
1187{
1188 tls_conf_conn_t *cc = tls_conf_conn_get(c);
1189 tls_conf_server_t *sc;
1190 apr_status_t rv = APR_SUCCESS;
1191 int sni_match = 0;
1192
1193 /* The initial rustls generic session has been fed the client hello and
1194 * we have extracted SNI and ALPN values (so present).
1195 * Time to select the actual server_rec and application protocol that
1196 * will be used on this connection. */
1197 ap_assert(cc);
1198 sc = tls_conf_server_get(cc->server);
1199 if (!cc->client_hello_seen) goto cleanup;
1200
1201 if (cc->sni_hostname) {
1202 if (ap_vhost_iterate_given_conn(c, find_vhost, (void*)cc->sni_hostname)) {
1203 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(10337)
1204 "vhost_init: virtual host found for SNI '%s'", cc->sni_hostname);
1205 sni_match = 1;
1206 }
1207 else if (tls_util_name_matches_server(cc->sni_hostname, ap_server_conf)) {
1208 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(10338)
1209 "vhost_init: virtual host NOT found, but base server[%s] matches SNI '%s'",
1210 ap_server_conf->server_hostname, cc->sni_hostname);
1211 cc->server = ap_server_conf;
1212 sni_match = 1;
1213 }
1214 else if (sc->strict_sni == TLS_FLAG_FALSE) {
1215 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(10339)
1216 "vhost_init: no virtual host found, relaxed SNI checking enabled, SNI '%s'",
1217 cc->sni_hostname);
1218 }
1219 else {
1220 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(10340)
1221 "vhost_init: no virtual host, nor base server[%s] matches SNI '%s'",
1222 c->base_server->server_hostname, cc->sni_hostname);
1223 cc->server = sc->global->ap_server;
1224 rv = APR_NOTFOUND; goto cleanup;
1225 }
1226 }
1227 else {
1228 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10341)
1229 "vhost_init: no SNI hostname provided by client");
1230 }
1231
1232 /* reinit, we might have a new server selected */
1233 sc = tls_conf_server_get(cc->server);
1234 /* on relaxed SNI matches, we do not enforce the 503 of fallback
1235 * certificates. */
1236 if (!cc->service_unavailable) {
1237 cc->service_unavailable = sni_match? sc->service_unavailable : 0;
1238 }
1239
1240 /* if found or not, cc->server will be the server we use now to do
1241 * the real handshake and, if successful, the traffic after that.
1242 * Free the current session and create the real one for the
1243 * selected server. */
1244 if (cc->rustls_server_config) {
1245 rustls_server_config_free(cc->rustls_server_config);
1246 cc->rustls_server_config = NULL;
1247 }
1248 rustls_connection_free(cc->rustls_connection);
1249 cc->rustls_connection = NULL;
1250
1251 rv = build_server_connection(&cc->rustls_connection, &cc->rustls_server_config, c);
1252
1253cleanup:
1254 return rv;
1255}
1256
1257apr_status_t tls_core_conn_post_handshake(conn_rec *c)
1258{
1259 tls_conf_conn_t *cc = tls_conf_conn_get(c);
1260 tls_conf_server_t *sc = tls_conf_server_get(cc->server);
1261 const rustls_supported_ciphersuite *rsuite;
1262 const rustls_certificate *cert;
1263 apr_status_t rv = APR_SUCCESS;
1264
1265 if (rustls_connection_is_handshaking(cc->rustls_connection)) {
1266 rv = APR_EGENERAL;
1267 ap_log_error(APLOG_MARK, APLOG_ERR, rv, cc->server, APLOGNO(10342)
1268 "post handshake, but rustls claims to still be handshaking: %s",
1269 cc->server->server_hostname);
1270 goto cleanup;
1271 }
1272
1273 cc->tls_protocol_id = rustls_connection_get_protocol_version(cc->rustls_connection);
1274 cc->tls_protocol_name = tls_proto_get_version_name(sc->global->proto,
1275 cc->tls_protocol_id, c->pool);
1276 rsuite = rustls_connection_get_negotiated_ciphersuite(cc->rustls_connection);
1277 if (!rsuite) {
1278 rv = APR_EGENERAL;
1279 ap_log_error(APLOG_MARK, APLOG_ERR, rv, cc->server, APLOGNO(10343)
1280 "post handshake, but rustls does not report negotiated cipher suite: %s",
1281 cc->server->server_hostname);
1282 goto cleanup;
1283 }
1284 cc->tls_cipher_id = rustls_supported_ciphersuite_get_suite(rsuite);
1285 cc->tls_cipher_name = tls_proto_get_cipher_name(sc->global->proto,
1286 cc->tls_cipher_id, c->pool);
1287 ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "post_handshake %s: %s [%s]",
1288 cc->server->server_hostname, cc->tls_protocol_name, cc->tls_cipher_name);
1289
1290 cert = rustls_connection_get_peer_certificate(cc->rustls_connection, 0);
1291 if (cert) {
1292 size_t i = 0;
1293
1294 cc->peer_certs = apr_array_make(c->pool, 5, sizeof(const rustls_certificate*));
1295 while (cert) {
1296 APR_ARRAY_PUSH(cc->peer_certs, const rustls_certificate*) = cert;
1297 cert = rustls_connection_get_peer_certificate(cc->rustls_connection, ++i);
1298 }
1299 }
1300 if (!cc->peer_certs && sc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
1301 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(10344)
1302 "A client certificate is required, but no acceptable certificate was presented.");
1303 rv = APR_ECONNABORTED;
1304 }
1305
1306 rv = tls_var_handshake_done(c);
1307cleanup:
1308 return rv;
1309}
1310
1314static int tls_conn_compatible_for(tls_conf_conn_t *cc, server_rec *other)
1315{
1316 tls_conf_server_t *oc, *sc;
1317 const rustls_certified_key *sk, *ok;
1318 int i;
1319
1320 /* - differences in certificates are the responsibility of the client.
1321 * if it thinks the SNI server works for r->server, we are fine with that.
1322 * - if there are differences in requirements to client certificates, we
1323 * need to deny the request.
1324 */
1325 if (!cc->server || !other) return 0;
1326 if (cc->server == other) return 1;
1327 oc = tls_conf_server_get(other);
1328 if (!oc) return 0;
1329 sc = tls_conf_server_get(cc->server);
1330 if (!sc) return 0;
1331
1332 /* same certified keys used? */
1333 if (sc->certified_keys->nelts != oc->certified_keys->nelts) return 0;
1334 for (i = 0; i < sc->certified_keys->nelts; ++i) {
1335 sk = APR_ARRAY_IDX(sc->certified_keys, i, const rustls_certified_key*);
1336 ok = APR_ARRAY_IDX(oc->certified_keys, i, const rustls_certified_key*);
1337 if (sk != ok) return 0;
1338 }
1339
1340 /* If the connection TLS version is below other other min one, no */
1341 if (oc->tls_protocol_min > 0 && cc->tls_protocol_id < oc->tls_protocol_min) return 0;
1342 /* If the connection TLS cipher is listed as suppressed by other, no */
1343 if (oc->tls_supp_ciphers && tls_util_array_uint16_contains(
1344 oc->tls_supp_ciphers, cc->tls_cipher_id)) return 0;
1345 return 1;
1346}
1347
1348int tls_core_request_check(request_rec *r)
1349{
1350 conn_rec *c = r->connection;
1351 tls_conf_conn_t *cc = tls_conf_conn_get(c->master? c->master : c);
1352 int rv = DECLINED; /* do not object to the request */
1353
1354 /* If we are not enabled on this connection, leave. We are not renegotiating.
1355 * Otherwise:
1356 * - service is unavailable when we have only a fallback certificate or
1357 * when a challenge protocol is active (ACME tls-alpn-01 for example).
1358 * - with vhosts configured and no SNI from the client, deny access.
1359 * - are servers compatible for connection sharing?
1360 */
1361 if (!TLS_CONN_ST_IS_ENABLED(cc)) goto cleanup;
1362
1363 ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
1364 "tls_core_request_check[%s, %d]: %s", r->hostname,
1365 cc? cc->service_unavailable : 2, r->the_request);
1366 if (cc->service_unavailable) {
1367 rv = HTTP_SERVICE_UNAVAILABLE; goto cleanup;
1368 }
1369 if (!cc->sni_hostname && r->connection->vhost_lookup_data) {
1370 rv = HTTP_FORBIDDEN; goto cleanup;
1371 }
1372 if (!tls_conn_compatible_for(cc, r->server)) {
1373 rv = HTTP_MISDIRECTED_REQUEST;
1374 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10345)
1375 "Connection host %s, selected via SNI, and request host %s"
1376 " have incompatible TLS configurations.",
1377 cc->server->server_hostname, r->hostname);
1378 goto cleanup;
1379 }
1380cleanup:
1381 return rv;
1382}
1383
1384apr_status_t tls_core_error(conn_rec *c, rustls_result rr, const char **perrstr)
1385{
1386 tls_conf_conn_t *cc = tls_conf_conn_get(c);
1387 apr_status_t rv;
1388
1389 rv = tls_util_rustls_error(c->pool, rr, perrstr);
1390 if (cc) {
1391 cc->last_error = rr;
1392 cc->last_error_descr = *perrstr;
1393 }
1394 return rv;
1395}
1396
1397int tls_core_setup_outgoing(conn_rec *c)
1398{
1399 tls_conf_conn_t *cc;
1400 int rv = DECLINED;
1401
1402 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1403 "tls_core_setup_outgoing called");
1404#if AP_MODULE_MAGIC_AT_LEAST(20120211, 109)
1405 if (!c->outgoing) goto cleanup;
1406#endif
1407 cc = cc_get_or_make(c);
1408 if (cc->state == TLS_CONN_ST_DISABLED) {
1409 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1410 "tls_core_setup_outgoing: already disabled");
1411 goto cleanup;
1412 }
1413 if (TLS_CONN_ST_IS_ENABLED(cc)) {
1414 /* we already handle it, allow repeated calls */
1415 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1416 "tls_core_setup_outgoing: already enabled");
1417 rv = OK; goto cleanup;
1418 }
1419 cc->outgoing = 1;
1420 if (!cc->dc) {
1421 /* In case there is not dir_conf bound for this connection, we fallback
1422 * to the defaults in the base server (we have no virtual host config to use) */
1423 cc->dc = ap_get_module_config(c->base_server->lookup_defaults, &tls_module);
1424 }
1425 if (cc->dc->proxy_enabled != TLS_FLAG_TRUE) {
1426 cc->state = TLS_CONN_ST_DISABLED;
1427 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1428 "tls_core_setup_outgoing: TLSProxyEngine not configured");
1429 goto cleanup;
1430 }
1431 /* we handle this connection */
1432 cc->state = TLS_CONN_ST_CLIENT_HELLO;
1433 rv = OK;
1434
1435cleanup:
1436 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1437 "tls_core_setup_outgoing returns %s", rv == OK? "OK" : "DECLINED");
1438 return rv;
1439}
n
int n
Definition ap_regex.h:278
len
const char apr_size_t len
Definition ap_regex.h:187
ap_socache.h
Small object cache provider interface.
apr_lib.h
APR general purpose library routines.
apr_network_io.h
APR Network library.
apr_strings.h
APR Strings library.
APLOG_USE_MODULE
#define APLOG_USE_MODULE(foo)
Definition http_config.h:453
ap_get_module_config
#define ap_get_module_config(v, m)
Definition http_config.h:550
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition http_config.h:509
ap_set_module_config
#define ap_set_module_config(v, m, val)
Definition http_config.h:552
hostname
const char * hostname
Definition http_config.h:1184
r
request_rec * r
Definition http_config.h:1168
DECLINED
#define DECLINED
Definition httpd.h:457
OK
#define OK
Definition httpd.h:456
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOGctrace2
#define APLOGctrace2(c)
Definition http_log.h:258
APLOG_TRACE4
#define APLOG_TRACE4
Definition http_log.h:75
APLOG_INFO
#define APLOG_INFO
Definition http_log.h:70
ap_log_rerror
#define ap_log_rerror
Definition http_log.h:454
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
APLOG_TRACE3
#define APLOG_TRACE3
Definition http_log.h:74
ap_log_error
#define ap_log_error
Definition http_log.h:370
ap_log_cerror
#define ap_log_cerror
Definition http_log.h:498
APLOGctrace4
#define APLOGctrace4(c)
Definition http_log.h:260
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
APLOG_WARNING
#define APLOG_WARNING
Definition http_log.h:68
APLOG_TRACE2
#define APLOG_TRACE2
Definition http_log.h:73
APLOG_TRACE1
#define APLOG_TRACE1
Definition http_log.h:72
APLOGtrace2
#define APLOGtrace2(s)
Definition http_log.h:236
APLOG_DEBUG
#define APLOG_DEBUG
Definition http_log.h:71
ap_server_conf
server_rec * ap_server_conf
Definition config.c:62
ap_ssl_answer_challenge
int ap_ssl_answer_challenge(conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem)
Definition ssl.c:239
ap_switch_protocol
apr_status_t ap_switch_protocol(conn_rec *c, request_rec *r, server_rec *s, const char *protocol)
Definition protocol.c:2532
ap_get_protocol
const char * ap_get_protocol(conn_rec *c)
Definition protocol.c:2397
ap_ssl_add_cert_files
apr_status_t ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:223
ap_select_protocol
const char * ap_select_protocol(conn_rec *c, request_rec *r, server_rec *s, const apr_array_header_t *choices)
Definition protocol.c:2444
ap_ssl_add_fallback_cert_files
apr_status_t ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:231
APR_EGENERAL
#define APR_EGENERAL
Definition apr_errno.h:313
APR_ENOMEM
#define APR_ENOMEM
Definition apr_errno.h:683
APR_ENOTIMPL
#define APR_ENOTIMPL
Definition apr_errno.h:476
APR_ECONNABORTED
#define APR_ECONNABORTED
Definition apr_errno.h:769
APR_NOTFOUND
#define APR_NOTFOUND
Definition apr_errno.h:463
APR_EINVAL
#define APR_EINVAL
Definition apr_errno.h:711
enabled
int enabled
Definition apr_buckets.h:1580
rs
apr_redis_server_t * rs
Definition apr_redis.h:205
HTTP_SERVICE_UNAVAILABLE
#define HTTP_SERVICE_UNAVAILABLE
Definition httpd.h:538
HTTP_FORBIDDEN
#define HTTP_FORBIDDEN
Definition httpd.h:511
HTTP_MISDIRECTED_REQUEST
#define HTTP_MISDIRECTED_REQUEST
Definition httpd.h:526
ap_assert
#define ap_assert(exp)
Definition httpd.h:2271
size
apr_size_t size
Definition apr_allocator.h:115
pool
const char int apr_pool_t * pool
Definition apr_cstr.h:84
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
key
const char * key
Definition apr_file_io.h:822
data
void * data
Definition apr_file_io.h:832
cleanup
void const char apr_status_t(* cleanup)(void *))
Definition apr_file_io.h:834
strcasecmp
int strcasecmp(const char *a, const char *b)
Definition apr_cpystrn.c:248
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
sa
apr_sockaddr_t * sa
Definition apr_network_io.h:352
protocol
int int int protocol
Definition apr_network_io.h:319
id
const char apr_uint32_t * id
Definition apr_network_io.h:468
apr_pcalloc
#define apr_pcalloc(p, size)
Definition apr_pools.h:465
bytes
const void apr_size_t bytes
Definition apr_random.h:91
last
const char char ** last
Definition apr_strings.h:247
s
const char * s
Definition apr_strings.h:95
APR_ARRAY_PUSH
#define APR_ARRAY_PUSH(ary, type)
Definition apr_tables.h:150
APR_ARRAY_IDX
#define APR_ARRAY_IDX(ary, i, type)
Definition apr_tables.h:141
http_core.h
CORE HTTP Daemon.
http_log.h
Apache Logging library.
http_main.h
Command line options.
http_protocol.h
HTTP protocol handling.
http_ssl.h
SSL protocol handling.
http_vhost.h
Virtual Host package.
httpd.h
HTTP Daemon routines.
p
apr_pool_t * p
Definition md_event.c:32
gc
static long gc(server_rec *s)
Definition mod_auth_digest.c:806
NULL
return NULL
Definition mod_so.c:359
i
int i
Definition mod_so.c:347
apr_array_header_t
Definition apr_tables.h:62
apr_array_header_t::nelts
int nelts
Definition apr_tables.h:68
apr_array_header_t::elts
char * elts
Definition apr_tables.h:72
apr_pool_t
Definition apr_pools.c:562
apr_sockaddr_t::next
apr_sockaddr_t * next
Definition apr_network_io.h:262
apr_sockaddr_t::ipaddr_len
int ipaddr_len
Definition apr_network_io.h:253
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
conn_rec::vhost_lookup_data
void * vhost_lookup_data
Definition httpd.h:1158
request_rec
A structure that represents the current request.
Definition httpd.h:845
request_rec::hostname
const char * hostname
Definition httpd.h:883
request_rec::the_request
char * the_request
Definition httpd.h:866
request_rec::connection
conn_rec * connection
Definition httpd.h:849
request_rec::server
server_rec * server
Definition httpd.h:851
server_addr_rec
A structure to be used for Per-vhost config.
Definition httpd.h:1301
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
server_rec::next
server_rec * next
Definition httpd.h:1326
server_rec::server_hostname
char * server_hostname
Definition httpd.h:1365
tls_cert_reg_t
Definition tls_cert.h:63
tls_cert_spec_t
Definition tls_cert.h:32
tls_cert_spec_t::cert_file
const char * cert_file
Definition tls_cert.h:33
tls_cert_spec_t::pkey_pem
const char * pkey_pem
Definition tls_cert.h:36
tls_cert_spec_t::pkey_file
const char * pkey_file
Definition tls_cert.h:34
tls_cert_spec_t::cert_pem
const char * cert_pem
Definition tls_cert.h:35
tls_conf_conn_t
Definition tls_core.h:39
tls_conf_conn_t::rustls_connection
rustls_connection * rustls_connection
Definition tls_core.h:49
tls_conf_conn_t::sni_hostname
const char * sni_hostname
Definition tls_core.h:58
tls_conf_conn_t::application_protocol
const char * application_protocol
Definition tls_core.h:60
tls_conf_conn_t::tls_protocol_name
const char * tls_protocol_name
Definition tls_core.h:65
tls_conf_conn_t::client_auth
tls_client_auth_t client_auth
Definition tls_core.h:46
tls_conf_conn_t::server
server_rec * server
Definition tls_core.h:40
tls_conf_conn_t::tls_protocol_id
apr_uint16_t tls_protocol_id
Definition tls_core.h:64
tls_conf_conn_t::rustls_server_config
const rustls_server_config * rustls_server_config
Definition tls_core.h:50
tls_conf_conn_t::rustls_client_config
const rustls_client_config * rustls_client_config
Definition tls_core.h:51
tls_conf_conn_t::client_hello_seen
int client_hello_seen
Definition tls_core.h:47
tls_conf_conn_t::dc
tls_conf_dir_t * dc
Definition tls_core.h:42
tls_conf_conn_t::last_error_descr
const char * last_error_descr
Definition tls_core.h:73
tls_conf_conn_t::tls_cipher_id
apr_uint16_t tls_cipher_id
Definition tls_core.h:66
tls_conf_conn_t::peer_certs
apr_array_header_t * peer_certs
Definition tls_core.h:57
tls_conf_conn_t::service_unavailable
int service_unavailable
Definition tls_core.h:45
tls_conf_conn_t::state
tls_conn_state_t state
Definition tls_core.h:43
tls_conf_conn_t::local_keys
apr_array_header_t * local_keys
Definition tls_core.h:54
tls_conf_conn_t::alpn
const apr_array_header_t * alpn
Definition tls_core.h:59
tls_conf_conn_t::tls_cipher_name
const char * tls_cipher_name
Definition tls_core.h:67
tls_conf_conn_t::key
const rustls_certified_key * key
Definition tls_core.h:55
tls_conf_conn_t::key_cloned
int key_cloned
Definition tls_core.h:56
tls_conf_conn_t::outgoing
int outgoing
Definition tls_core.h:44
tls_conf_conn_t::last_error
rustls_result last_error
Definition tls_core.h:72
tls_conf_dir_t
Definition tls_conf.h:129
tls_conf_dir_t::proxy_enabled
int proxy_enabled
Definition tls_conf.h:132
tls_conf_dir_t::proxy_config
tls_conf_proxy_t * proxy_config
Definition tls_conf.h:139
tls_conf_global_t
Definition tls_conf.h:66
tls_conf_global_t::cert_reg
struct tls_cert_reg_t * cert_reg
Definition tls_conf.h:79
tls_conf_global_t::verifiers
struct tls_cert_verifiers_t * verifiers
Definition tls_conf.h:81
tls_conf_global_t::proto
struct tls_proto_conf_t * proto
Definition tls_conf.h:77
tls_conf_global_t::ap_server
server_rec * ap_server
Definition tls_conf.h:67
tls_conf_global_t::rustls_hello_config
const rustls_server_config * rustls_hello_config
Definition tls_conf.h:88
tls_conf_proxy_t
Definition tls_conf.h:117
tls_conf_server_t
Definition tls_conf.h:95
tls_conf_server_t::certified_keys
apr_array_header_t * certified_keys
Definition tls_conf.h:112
tls_conf_server_t::strict_sni
int strict_sni
Definition tls_conf.h:106
tls_conf_server_t::client_ca
const char * client_ca
Definition tls_conf.h:108
tls_conf_server_t::client_auth
tls_client_auth_t client_auth
Definition tls_conf.h:109
tls_conf_server_t::tls_supp_ciphers
apr_array_header_t * tls_supp_ciphers
Definition tls_conf.h:103
tls_conf_server_t::tls_pref_ciphers
apr_array_header_t * tls_pref_ciphers
Definition tls_conf.h:102
tls_conf_server_t::enabled
int enabled
Definition tls_conf.h:99
tls_conf_server_t::server
server_rec * server
Definition tls_conf.h:96
tls_conf_server_t::cert_specs
apr_array_header_t * cert_specs
Definition tls_conf.h:100
tls_conf_server_t::honor_client_order
int honor_client_order
Definition tls_conf.h:105
tls_conf_server_t::service_unavailable
int service_unavailable
Definition tls_conf.h:114
tls_conf_server_t::ciphersuites
const apr_array_header_t * ciphersuites
Definition tls_conf.h:104
tls_conf_server_t::tls_protocol_min
int tls_protocol_min
Definition tls_conf.h:101
tls_conf_server_t::global
tls_conf_global_t * global
Definition tls_conf.h:97
tls_conf_server_t::base_server
int base_server
Definition tls_conf.h:113
tls_proto_conf_t
Definition tls_proto.h:40
hello
static const char hello[]
Definition testbuckets.c:442
tls_cache_free
void tls_cache_free(server_rec *s)
Definition tls_cache.c:189
tls_cache_init_server
apr_status_t tls_cache_init_server(rustls_server_config_builder *builder, server_rec *s)
Definition tls_cache.c:299
tls_cache_post_config
apr_status_t tls_cache_post_config(apr_pool_t *p, apr_pool_t *ptemp, server_rec *s)
Definition tls_cache.c:137
tls_cache.h
tls_cert_client_verifiers_get_optional
apr_status_t tls_cert_client_verifiers_get_optional(tls_cert_verifiers_t *verifiers, const char *store_file, const rustls_client_cert_verifier **pverifier)
Definition tls_cert.c:577
tls_cert_root_stores_get
apr_status_t tls_cert_root_stores_get(tls_cert_root_stores_t *stores, const char *store_file, const rustls_root_cert_store **pstore)
Definition tls_cert.c:428
tls_cert_verifiers_clear
void tls_cert_verifiers_clear(tls_cert_verifiers_t *verifiers)
Definition tls_cert.c:498
tls_cert_reg_get_certified_key
apr_status_t tls_cert_reg_get_certified_key(tls_cert_reg_t *reg, server_rec *s, const tls_cert_spec_t *spec, const rustls_certified_key **pckey)
Definition tls_cert.c:266
tls_cert_root_stores_clear
void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
Definition tls_cert.c:420
tls_cert_load_cert_key
apr_status_t tls_cert_load_cert_key(apr_pool_t *p, const tls_cert_spec_t *spec, const char **pcert_pem, const rustls_certified_key **pckey)
Definition tls_cert.c:177
tls_cert_reg_get_id
const char * tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key *certified_key)
Definition tls_cert.c:325
tls_cert_verifiers_make
tls_cert_verifiers_t * tls_cert_verifiers_make(apr_pool_t *p, tls_cert_root_stores_t *stores)
Definition tls_cert.c:485
tls_cert_reg_make
tls_cert_reg_t * tls_cert_reg_make(apr_pool_t *p)
Definition tls_cert.c:242
tls_cert_client_verifiers_get
apr_status_t tls_cert_client_verifiers_get(tls_cert_verifiers_t *verifiers, const char *store_file, const rustls_client_cert_verifier **pverifier)
Definition tls_cert.c:569
tls_cert_root_stores_make
tls_cert_root_stores_t * tls_cert_root_stores_make(apr_pool_t *p)
Definition tls_cert.c:409
tls_cert.h
tls_conf_dir_apply_defaults
apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p)
Definition tls_conf.c:214
tls_conf_proxy_make
tls_conf_proxy_t * tls_conf_proxy_make(apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s)
Definition tls_conf.c:223
tls_conf_server_get
tls_conf_server_t * tls_conf_server_get(server_rec *s)
Definition tls_conf.c:68
tls_conf_server_apply_defaults
apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p)
Definition tls_conf.c:203
tls_conf_dir_server_get
tls_conf_dir_t * tls_conf_dir_server_get(server_rec *s)
Definition tls_conf.c:131
tls_conf.h
TLS_FLAG_FALSE
#define TLS_FLAG_FALSE
Definition tls_conf.h:21
TLS_CONF_ST_DONE
@ TLS_CONF_ST_DONE
Definition tls_conf.h:60
TLS_CONF_ST_INIT
@ TLS_CONF_ST_INIT
Definition tls_conf.h:57
TLS_CONF_ST_OUTGOING_DONE
@ TLS_CONF_ST_OUTGOING_DONE
Definition tls_conf.h:59
TLS_CONF_ST_INCOMING_DONE
@ TLS_CONF_ST_INCOMING_DONE
Definition tls_conf.h:58
TLS_CLIENT_AUTH_REQUIRED
@ TLS_CLIENT_AUTH_REQUIRED
Definition tls_conf.h:52
TLS_CLIENT_AUTH_NONE
@ TLS_CLIENT_AUTH_NONE
Definition tls_conf.h:51
TLS_FLAG_TRUE
#define TLS_FLAG_TRUE
Definition tls_conf.h:22
load_certified_keys
static apr_status_t load_certified_keys(apr_array_header_t *keys, server_rec *s, apr_array_header_t *cert_specs, tls_cert_reg_t *cert_reg)
Definition tls_core.c:99
build_server_connection
static apr_status_t build_server_connection(rustls_connection **pconnection, const rustls_server_config **pconfig, conn_rec *c)
Definition tls_core.c:1062
tls_core_conn_post_handshake
apr_status_t tls_core_conn_post_handshake(conn_rec *c)
Definition tls_core.c:1257
tls_core_free
static apr_status_t tls_core_free(void *data)
Definition tls_core.c:86
use_local_key
static apr_status_t use_local_key(conn_rec *c, const char *cert_pem, const char *pkey_pem)
Definition tls_core.c:129
tls_core_conn_init
apr_status_t tls_core_conn_init(conn_rec *c)
Definition tls_core.c:934
tls_core_init
apr_status_t tls_core_init(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
Definition tls_core.c:665
extract_client_hello_values
static const rustls_certified_key * extract_client_hello_values(void *userdata, const rustls_client_hello *hello)
Definition tls_core.c:499
tls_core_setup_outgoing
int tls_core_setup_outgoing(conn_rec *c)
Definition tls_core.c:1397
we_listen_on
static int we_listen_on(tls_conf_global_t *gc, server_rec *s, tls_conf_server_t *sc)
Definition tls_core.c:64
calc_ciphers
static apr_status_t calc_ciphers(apr_pool_t *pool, server_rec *s, tls_conf_global_t *gc, const char *proxy, apr_array_header_t *pref_ciphers, apr_array_header_t *supp_ciphers, const apr_array_header_t **pciphers)
Definition tls_core.c:169
tls_conn_compatible_for
static int tls_conn_compatible_for(tls_conf_conn_t *cc, server_rec *other)
Definition tls_core.c:1314
init_outgoing_connection
static apr_status_t init_outgoing_connection(conn_rec *c)
Definition tls_core.c:761
tls_core_conn_bind
void tls_core_conn_bind(conn_rec *c, ap_conf_vector_t *dir_conf)
Definition tls_core.c:754
add_file_specs
static void add_file_specs(apr_array_header_t *certificates, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition tls_core.c:152
cc_get_or_make
static tls_conf_conn_t * cc_get_or_make(conn_rec *c)
Definition tls_core.c:731
setup_hello_config
static apr_status_t setup_hello_config(apr_pool_t *p, server_rec *base_server, tls_conf_global_t *gc)
Definition tls_core.c:545
tls_core_error
apr_status_t tls_core_error(conn_rec *c, rustls_result rr, const char **perrstr)
Definition tls_core.c:1384
tls_core_conn_disable
void tls_core_conn_disable(conn_rec *c)
Definition tls_core.c:745
select_application_protocol
static apr_status_t select_application_protocol(conn_rec *c, server_rec *s, rustls_server_config_builder *builder)
Definition tls_core.c:985
server_conf_setup
static apr_status_t server_conf_setup(apr_pool_t *p, apr_pool_t *ptemp, tls_conf_server_t *sc, tls_conf_global_t *gc)
Definition tls_core.c:379
init_outgoing
static apr_status_t init_outgoing(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
Definition tls_core.c:627
tls_conn_check_ssl
int tls_conn_check_ssl(conn_rec *c)
Definition tls_core.c:55
tls_core_request_check
int tls_core_request_check(request_rec *r)
Definition tls_core.c:1348
proxy_conf_setup
static apr_status_t proxy_conf_setup(apr_pool_t *p, apr_pool_t *ptemp, tls_conf_proxy_t *pc, tls_conf_global_t *gc)
Definition tls_core.c:443
find_vhost
static int find_vhost(void *sni_hostname, conn_rec *c, server_rec *s)
Definition tls_core.c:975
get_server_ciphersuites
static apr_status_t get_server_ciphersuites(const apr_array_header_t **pciphersuites, apr_pool_t *pool, tls_conf_server_t *sc)
Definition tls_core.c:249
tls_core_pre_conn_init
int tls_core_pre_conn_init(conn_rec *c)
Definition tls_core.c:904
tls_conf_conn_set
void tls_conf_conn_set(conn_rec *c, tls_conf_conn_t *cc)
Definition tls_core.c:50
tls_core_conn_free
static apr_status_t tls_core_conn_free(void *data)
Definition tls_core.c:697
get_proxy_ciphers
static apr_status_t get_proxy_ciphers(const apr_array_header_t **pciphersuites, apr_pool_t *pool, tls_conf_proxy_t *pc)
Definition tls_core.c:416
complete_cert_specs
static apr_array_header_t * complete_cert_specs(apr_pool_t *p, tls_conf_server_t *sc)
Definition tls_core.c:278
select_certified_key
static const rustls_certified_key * select_certified_key(void *userdata, const rustls_client_hello *hello)
Definition tls_core.c:324
tls_conf_conn_get
tls_conf_conn_t * tls_conf_conn_get(conn_rec *c)
Definition tls_core.c:45
init_incoming
static apr_status_t init_incoming(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server)
Definition tls_core.c:572
tls_core_conn_seen_client_hello
apr_status_t tls_core_conn_seen_client_hello(conn_rec *c)
Definition tls_core.c:1186
tls_core.h
TLS_CONN_ST_IS_ENABLED
#define TLS_CONN_ST_IS_ENABLED(cc)
Definition tls_core.h:31
TLS_CONN_ST_INIT
@ TLS_CONN_ST_INIT
Definition tls_core.h:22
TLS_CONN_ST_DISABLED
@ TLS_CONN_ST_DISABLED
Definition tls_core.h:23
TLS_CONN_ST_CLIENT_HELLO
@ TLS_CONN_ST_CLIENT_HELLO
Definition tls_core.h:24
tls_ocsp_prime_certs
apr_status_t tls_ocsp_prime_certs(tls_conf_global_t *gc, apr_pool_t *p, server_rec *s)
Definition tls_ocsp.c:52
tls_ocsp_update_key
apr_status_t tls_ocsp_update_key(conn_rec *c, const rustls_certified_key *certified_key, const rustls_certified_key **pkey_out)
Definition tls_ocsp.c:88
tls_ocsp.h
tls_proto_get_cipher_names
const char * tls_proto_get_cipher_names(tls_proto_conf_t *conf, const apr_array_header_t *ciphers, apr_pool_t *pool)
Definition tls_proto.c:464
tls_proto_is_cipher_supported
int tls_proto_is_cipher_supported(tls_proto_conf_t *conf, apr_uint16_t cipher)
Definition tls_proto.c:560
tls_proto_get_version_name
const char * tls_proto_get_version_name(tls_proto_conf_t *conf, apr_uint16_t id, apr_pool_t *pool)
Definition tls_proto.c:530
tls_proto_create_versions_plus
apr_array_header_t * tls_proto_create_versions_plus(tls_proto_conf_t *conf, apr_uint16_t min_version, apr_pool_t *pool)
Definition tls_proto.c:544
tls_proto_get_rustls_suites
apr_array_header_t * tls_proto_get_rustls_suites(tls_proto_conf_t *conf, const apr_array_header_t *ids, apr_pool_t *pool)
Definition tls_proto.c:586
tls_proto_post_config
apr_status_t tls_proto_post_config(apr_pool_t *pool, apr_pool_t *ptemp, server_rec *s)
Definition tls_proto.c:485
tls_proto_get_cipher_name
const char * tls_proto_get_cipher_name(tls_proto_conf_t *conf, apr_uint16_t id, apr_pool_t *pool)
Definition tls_proto.c:576
tls_proto.h
tls_util_name_matches_server
int tls_util_name_matches_server(const char *name, server_rec *s)
Definition tls_util.c:292
tls_util_rustls_error
apr_status_t tls_util_rustls_error(apr_pool_t *p, rustls_result rr, const char **perr_descr)
Definition tls_util.c:66
tls_util_array_uint16_remove
const apr_array_header_t * tls_util_array_uint16_remove(apr_pool_t *pool, const apr_array_header_t *from, const apr_array_header_t *others)
Definition tls_util.c:150
tls_util_array_uint16_contains
int tls_util_array_uint16_contains(const apr_array_header_t *a, apr_uint16_t n)
Definition tls_util.c:141
tls_util.h
tls_var_handshake_done
apr_status_t tls_var_handshake_done(conn_rec *c)
Definition tls_var.c:358
tls_var.h
ap_vhost_iterate_given_conn
int ap_vhost_iterate_given_conn(conn_rec *conn, ap_vhost_iterate_conn_cb func_cb, void *baton)
Definition vhost.c:1229
Generated by doxygen 1.9.8