1
/* Licensed to the Apache Software Foundation (ASF) under one or more
2
* contributor license agreements. See the NOTICE file distributed with
3
* this work for additional information regarding copyright ownership.
4
* The ASF licenses this file to You under the Apache License, Version 2.0
5
* (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
8
* http://www.apache.org/licenses/LICENSE-2.0
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
18
* mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
20
* This module gives Apache the ability to do SSL/TLS with a minimum amount
21
* of effort. All of the SSL/TLS logic is already on NetWare versions 5 and
22
* above and is interfaced through WinSock on NetWare. As you can see in
23
* the code below SSL/TLS sockets can be created with three WinSock calls.
25
* To load, simply place the module in the modules directory under the main
26
* apache tree. Then add a "SecureListen" with two arguments. The first
27
* argument is an address and/or port. The second argument is the key pair
28
* name as created in ConsoleOne.
32
* SecureListen 443 "SSL CertificateIP"
33
* SecureListen 123.45.67.89:443 mycert
38
#define MAX_ADDRESS 512
43
#include "http_config.h"
45
#include "http_protocol.h"
46
#include "http_core.h"
47
#include "ap_listen.h"
48
#include "apr_strings.h"
49
#include "apr_portable.h"
50
#include "apr_optional.h"
54
#ifndef SO_TLS_UNCLEAN_SHUTDOWN
55
#define SO_TLS_UNCLEAN_SHUTDOWN 0
58
/* The ssl_var_lookup() optional function retrieves SSL environment
60
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
61
(apr_pool_t *, server_rec *,
62
conn_rec *, request_rec *,
65
/* An optional function which returns non-zero if the given connection
66
* is using SSL/TLS. */
67
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
69
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
70
* are used by mod_proxy to enable use of SSL for outgoing
72
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
73
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
75
#define strEQ(s1,s2) (strcmp(s1,s2) == 0)
76
#define strNE(s1,s2) (strcmp(s1,s2) != 0)
77
#define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
78
#define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
80
#define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
81
#define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
82
#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
83
#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
85
#define strIsEmpty(s) (s == NULL || s[0] == NUL)
88
module AP_MODULE_DECLARE_DATA nwssl_module;
90
typedef struct NWSSLSrvConfigRec NWSSLSrvConfigRec;
91
typedef struct seclisten_rec seclisten_rec;
92
typedef struct seclistenup_rec seclistenup_rec;
93
typedef struct secsocket_data secsocket_data;
95
struct seclisten_rec {
97
struct sockaddr_in local_addr; /* local IP address and port */
99
int used; /* Only used during restart */
106
struct seclistenup_rec {
107
seclistenup_rec *next;
113
struct NWSSLSrvConfigRec {
114
apr_table_t *sltable;
115
apr_table_t *slutable;
119
struct secsocket_data {
124
static apr_array_header_t *certlist = NULL;
125
static unicode_t** certarray = NULL;
126
static int numcerts = 0;
127
static seclisten_rec* ap_seclisteners = NULL;
128
static seclistenup_rec* ap_seclistenersup = NULL;
130
static ap_listen_rec *nw_old_listeners;
132
#define get_nwssl_cfg(srv) (NWSSLSrvConfigRec *) ap_get_module_config(srv->module_config, &nwssl_module)
135
static void build_cert_list (apr_pool_t *p)
138
char **rootcerts = (char **)certlist->elts;
140
numcerts = certlist->nelts;
141
certarray = apr_palloc(p, sizeof(unicode_t*)*numcerts);
143
for (i = 0; i < numcerts; ++i) {
145
unistr = (unicode_t*)apr_palloc(p, strlen(rootcerts[i])*4);
146
loc2uni (UNI_LOCAL_DEFAULT, unistr, rootcerts[i], 0, 2);
147
certarray[i] = unistr;
152
* Parses a host of the form <address>[:port]
153
* :port is permitted if 'port' is not NULL
155
static unsigned long parse_addr(const char *w, unsigned short *ports)
158
unsigned long my_addr;
164
if (p != NULL && strcmp(p + 1, "*") != 0)
165
*ports = atoi(p + 1);
170
if (strcmp(w, "*") == 0) {
173
return htonl(INADDR_ANY);
176
my_addr = apr_inet_addr((char *)w);
177
if (my_addr != INADDR_NONE) {
183
hep = gethostbyname(w);
185
if ((!hep) || (hep->h_addrtype != AF_INET || !hep->h_addr_list[0])) {
186
/* XXX Should be echoing by h_errno the actual failure, no?
187
* ap_log_error would be good here. Better yet - APRize.
189
fprintf(stderr, "Cannot resolve host name %s --- exiting!\n", w);
193
if (hep->h_addr_list[1]) {
194
fprintf(stderr, "Host %s has multiple addresses ---\n", w);
195
fprintf(stderr, "you must choose one explicitly for use as\n");
196
fprintf(stderr, "a secure port. Exiting!!!\n");
203
return ((struct in_addr *) (hep->h_addr))->s_addr;
206
static int find_secure_listener(seclisten_rec *lr)
210
for (sl = ap_seclisteners; sl; sl = sl->next) {
211
if (!memcmp(&sl->local_addr, &lr->local_addr, sizeof(sl->local_addr))) {
219
static char *get_port_key(conn_rec *c)
223
for (sl = ap_seclistenersup; sl; sl = sl->next) {
224
if ((sl->port == (c->local_addr)->port) &&
225
((strcmp(sl->addr, "0.0.0.0") == 0) || (strcmp(sl->addr, c->local_ip) == 0))) {
232
static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *server,
233
char* key, int mutual, server_rec *sconf)
237
char addr[MAX_ADDRESS];
238
struct sslserveropts opts;
239
unsigned int optParam;
240
WSAPROTOCOL_INFO SecureProtoInfo;
243
if (server->sin_addr.s_addr != htonl(INADDR_ANY))
244
apr_snprintf(addr, sizeof(addr), "address %s port %d",
245
inet_ntoa(server->sin_addr), ntohs(server->sin_port));
247
apr_snprintf(addr, sizeof(addr), "port %d", ntohs(server->sin_port));
249
/* note that because we're about to slack we don't use psocket */
250
memset(&SecureProtoInfo, 0, sizeof(WSAPROTOCOL_INFO));
252
SecureProtoInfo.iAddressFamily = AF_INET;
253
SecureProtoInfo.iSocketType = SOCK_STREAM;
254
SecureProtoInfo.iProtocol = IPPROTO_TCP;
255
SecureProtoInfo.iSecurityScheme = SECURITY_PROTOCOL_SSL;
257
s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,
258
(LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0);
260
if (s == INVALID_SOCKET) {
261
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
262
"make_secure_socket: failed to get a socket for %s",
268
optParam = SO_SSL_ENABLE | SO_SSL_SERVER;
270
if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam,
271
sizeof(optParam), NULL, 0, NULL, NULL, NULL)) {
272
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
273
"make_secure_socket: for %s, WSAIoctl: "
274
"(SO_SSL_SET_FLAGS)", addr);
280
opts.certlen = strlen(key);
285
if (WSAIoctl(s, SO_SSL_SET_SERVER, (char *)&opts, sizeof(opts),
286
NULL, 0, NULL, NULL, NULL) != 0) {
287
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
288
"make_secure_socket: for %s, WSAIoctl: "
289
"(SO_SSL_SET_SERVER)", addr);
294
optParam = 0x07; // SO_SSL_AUTH_CLIENT
296
if(WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam,
297
sizeof(optParam), NULL, 0, NULL, NULL, NULL)) {
298
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
299
"make_secure_socket: for %s, WSAIoctl: "
300
"(SO_SSL_SET_FLAGS)", addr);
305
optParam = SO_TLS_UNCLEAN_SHUTDOWN;
306
WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam, sizeof(optParam),
307
NULL, 0, NULL, NULL, NULL);
312
int convert_secure_socket(conn_rec *c, apr_socket_t *csd)
315
struct tlsclientopts sWS2Opts;
316
struct nwtlsopts sNWTLSOpts;
317
struct sslserveropts opts;
318
unsigned long ulFlags;
320
unicode_t keyFileName[60];
322
apr_os_sock_get(&sock, csd);
324
/* zero out buffers */
325
memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts));
326
memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
328
/* turn on ssl for the socket */
329
ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT);
330
rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
331
NULL, 0, NULL, NULL, NULL);
332
if (SOCKET_ERROR == rcode)
334
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
335
"Error: %d with ioctlsocket(flag SO_TLS_ENABLE)", WSAGetLastError());
339
ulFlags = SO_TLS_UNCLEAN_SHUTDOWN;
340
WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
341
NULL, 0, NULL, NULL, NULL);
343
/* setup the socket for SSL */
344
memset (&sWS2Opts, 0, sizeof(sWS2Opts));
345
memset (&sNWTLSOpts, 0, sizeof(sNWTLSOpts));
346
sWS2Opts.options = &sNWTLSOpts;
349
sNWTLSOpts.walletProvider = WAL_PROV_DER; //the wallet provider defined in wdefs.h
350
sNWTLSOpts.TrustedRootList = certarray; //array of certs in UNICODE format
351
sNWTLSOpts.numElementsInTRList = numcerts; //number of certs in TRList
354
/* setup the socket for SSL */
355
unicpy(keyFileName, L"SSL CertificateIP");
356
sWS2Opts.wallet = keyFileName; /* no client certificate */
357
sWS2Opts.walletlen = unilen(keyFileName);
359
sNWTLSOpts.walletProvider = WAL_PROV_KMO; //the wallet provider defined in wdefs.h
362
/* make the IOCTL call */
363
rcode = WSAIoctl(sock, SO_TLS_SET_CLIENT, &sWS2Opts,
364
sizeof(struct tlsclientopts), NULL, 0, NULL,
367
/* make sure that it was successfull */
368
if(SOCKET_ERROR == rcode ){
369
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
370
"Error: %d with ioctl (SO_TLS_SET_CLIENT)", WSAGetLastError());
375
int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r)
378
struct tlsserveropts sWS2Opts;
379
struct nwtlsopts sNWTLSOpts;
380
unicode_t SASKey[512];
381
unsigned long ulFlag;
383
memset((char *)&sWS2Opts, 0, sizeof(struct tlsserveropts));
384
memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
387
ulFlag = SO_TLS_ENABLE;
388
rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, sizeof(unsigned long), NULL, 0, NULL, NULL, NULL);
391
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
392
"Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)", WSAGetLastError());
397
ulFlag = SO_TLS_SERVER;
398
rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, sizeof(unsigned long),NULL, 0, NULL, NULL, NULL);
402
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
403
"Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)", WSAGetLastError());
407
loc2uni(UNI_LOCAL_DEFAULT, SASKey, key, 0, 0);
409
//setup the tlsserveropts struct
410
sWS2Opts.wallet = SASKey;
411
sWS2Opts.walletlen = unilen(SASKey);
412
sWS2Opts.sidtimeout = 0;
413
sWS2Opts.sidentries = 0;
414
sWS2Opts.siddir = NULL;
415
sWS2Opts.options = &sNWTLSOpts;
417
//setup the nwtlsopts structure
419
sNWTLSOpts.walletProvider = WAL_PROV_KMO;
420
sNWTLSOpts.keysList = NULL;
421
sNWTLSOpts.numElementsInKeyList = 0;
422
sNWTLSOpts.reservedforfutureuse = NULL;
423
sNWTLSOpts.reservedforfutureCRL = NULL;
424
sNWTLSOpts.reservedforfutureCRLLen = 0;
425
sNWTLSOpts.reserved1 = NULL;
426
sNWTLSOpts.reserved2 = NULL;
427
sNWTLSOpts.reserved3 = NULL;
430
rcode = WSAIoctl(socketHnd,
433
sizeof(struct tlsserveropts),
439
if(SOCKET_ERROR == rcode) {
440
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
441
"Error: %d with WSAIoctl(SO_TLS_SET_SERVER)", WSAGetLastError());
449
static const char *set_secure_listener(cmd_parms *cmd, void *dummy,
450
const char *ips, const char* key,
453
NWSSLSrvConfigRec* sc = get_nwssl_cfg(cmd->server);
454
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
458
ap_listen_rec **walk;
460
int found_listener = 0;
466
ports = strchr(ips, ':');
470
return "Missing IP address";
471
else if (ports[1] == '\0')
472
return "Address must end in :<port-number>";
480
new = apr_pcalloc(cmd->server->process->pool, sizeof(seclisten_rec));
481
new->local_addr.sin_family = AF_INET;
484
new->local_addr.sin_addr.s_addr = htonl(INADDR_ANY);
485
addr = apr_pstrdup(cmd->server->process->pool, "0.0.0.0");
488
new->local_addr.sin_addr.s_addr = parse_addr(ips, NULL);
489
addr = apr_pstrdup(cmd->server->process->pool, ips);
495
return "Port must be numeric";
497
/* If the specified addr:port was created previously, put the listen
498
socket record back on the ap_listeners list so that the socket
499
will be reused rather than recreated */
500
for (walk = &nw_old_listeners; *walk;) {
501
sa = (*walk)->bind_addr;
507
/* If both ports are equivalent, then if their names are equivalent,
508
* then we will re-use the existing record.
510
if (port == oldport &&
511
((!addr && !sa->hostname) ||
512
((addr && sa->hostname) && !strcmp(sa->hostname, addr)))) {
515
new->next = ap_listeners;
522
walk = &(*walk)->next;
525
apr_table_add(sc->sltable, ports, addr);
527
/* If we found a pre-existing listen socket record, then there
528
is no need to create a new secure listen socket record. */
529
if (found_listener) {
533
new->local_addr.sin_port = htons(port);
536
new->next = ap_seclisteners;
537
strcpy(new->key, key);
538
new->mutual = (mutual) ? 1 : 0;
541
ap_seclisteners = new;
545
static const char *set_secure_upgradeable_listener(cmd_parms *cmd, void *dummy,
546
const char *ips, const char* key)
548
NWSSLSrvConfigRec* sc = get_nwssl_cfg(cmd->server);
549
seclistenup_rec *listen_node;
550
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
553
seclistenup_rec *new;
558
ports = strchr(ips, ':');
562
return "Missing IP address";
563
else if (ports[1] == '\0')
564
return "Address must end in :<port-number>";
573
addr = apr_pstrdup(cmd->pool, "0.0.0.0");
576
addr = apr_pstrdup(cmd->pool, ips);
582
return "Port must be numeric";
584
apr_table_set(sc->slutable, ports, addr);
586
new = apr_pcalloc(cmd->pool, sizeof(seclistenup_rec));
587
new->next = ap_seclistenersup;
588
strcpy(new->key, key);
591
ap_seclistenersup = new;
596
static apr_status_t nwssl_socket_cleanup(void *data)
598
ap_listen_rec* slr = (ap_listen_rec*)data;
601
/* Remove our secure listener from the listener list */
602
for (lr = ap_listeners; lr; lr = lr->next) {
603
/* slr is at the head of the list */
605
ap_listeners = slr->next;
608
/* slr is somewhere in between or at the end*/
609
if (lr->next == slr) {
610
lr->next = slr->next;
617
static const char *set_trusted_certs(cmd_parms *cmd, void *dummy, char *arg)
619
char **ptr = (char **)apr_array_push(certlist);
621
*ptr = apr_pstrdup(cmd->pool, arg);
625
static int nwssl_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
628
seclisten_rec* ap_old_seclisteners;
631
ap_listen_rec **walk;
632
seclisten_rec **secwalk;
636
/* Pull all of the listeners that were created by mod_nw_ssl out of the
637
ap_listeners list so that the normal listen socket processing does
638
automatically close them */
639
nw_old_listeners = NULL;
640
ap_old_seclisteners = NULL;
642
for (secwalk = &ap_seclisteners; *secwalk;) {
644
for (walk = &ap_listeners; *walk;) {
645
sa = (*walk)->bind_addr;
648
seclisten_rec *secnew;
652
/* If both ports are equivalent, then if their names are equivalent,
653
* then we will re-use the existing record.
655
if ((*secwalk)->port == oldport &&
656
((!(*secwalk)->addr && !sa->hostname) ||
657
(((*secwalk)->addr && sa->hostname) && !strcmp(sa->hostname, (*secwalk)->addr)))) {
658
/* Move the listen socket from ap_listeners to nw_old_listeners */
661
new->next = nw_old_listeners;
662
nw_old_listeners = new;
664
/* Move the secure socket record to ap_old_seclisterners */
666
*secwalk = secnew->next;
667
secnew->next = ap_old_seclisteners;
668
ap_old_seclisteners = secnew;
674
walk = &(*walk)->next;
676
if (!found && &(*secwalk)->next) {
677
secwalk = &(*secwalk)->next;
681
/* Restore the secure socket records list so that the post config can
682
process all of the sockets normally */
683
ap_seclisteners = ap_old_seclisteners;
684
ap_seclistenersup = NULL;
685
certlist = apr_array_make(pconf, 1, sizeof(char *));
687
/* Now that we have removed all of the mod_nw_ssl created socket records,
688
allow the normal listen socket handling to occur.
689
NOTE: If for any reason mod_nw_ssl is removed as a built-in module,
690
the following call must be put back into the pre-config handler of the
691
MPM. It is only here to ensure that mod_nw_ssl fixes up the listen
692
socket list before anything else looks at it. */
693
ap_listen_pre_config();
698
static int nwssl_pre_connection(conn_rec *c, void *csd)
701
if (apr_table_get(c->notes, "nwconv-ssl")) {
702
convert_secure_socket(c, (apr_socket_t*)csd);
705
secsocket_data *csd_data = apr_palloc(c->pool, sizeof(secsocket_data));
707
csd_data->csd = (apr_socket_t*)csd;
708
csd_data->is_secure = 0;
709
ap_set_module_config(c->conn_config, &nwssl_module, (void*)csd_data);
715
static int nwssl_post_config(apr_pool_t *pconf, apr_pool_t *plog,
716
apr_pool_t *ptemp, server_rec *s)
722
seclistenup_rec *slu;
725
seclisten_rec *secwalk, *lastsecwalk;
727
int found_listener = 0;
729
/* Walk the old listeners list and compare it to the secure
730
listeners list and remove any secure listener records that
731
are not being reused */
732
for (walk = nw_old_listeners; walk; walk = walk->next) {
733
sa = walk->bind_addr;
739
for (secwalk = ap_seclisteners, lastsecwalk = ap_seclisteners; secwalk; secwalk = lastsecwalk->next) {
740
unsigned short port = secwalk->port;
741
char *addr = secwalk->addr;
742
/* If both ports are equivalent, then if their names are equivalent,
743
* then we will re-use the existing record.
745
if (port == oldport &&
746
((!addr && !sa->hostname) ||
747
((addr && sa->hostname) && !strcmp(sa->hostname, addr)))) {
748
if (secwalk == ap_seclisteners) {
749
ap_seclisteners = secwalk->next;
752
lastsecwalk->next = secwalk->next;
754
apr_socket_close(walk->sd);
759
lastsecwalk = secwalk;
765
for (sl = ap_seclisteners; sl != NULL; sl = sl->next) {
766
/* If we find a pre-existing listen socket and it has already been
767
created, then no neeed to go any further, just reuse it. */
768
if (((sl->fd = find_secure_listener(sl)) >= 0) && (sl->used)) {
773
sl->fd = make_secure_socket(s->process->pool, &sl->local_addr, sl->key, sl->mutual, s);
776
apr_os_sock_info_t sock_info;
778
sock_info.os_sock = &(sl->fd);
779
sock_info.local = (struct sockaddr*)&(sl->local_addr);
780
sock_info.remote = NULL;
781
sock_info.family = APR_INET;
782
sock_info.type = SOCK_STREAM;
784
apr_os_sock_make(&sd, &sock_info, s->process->pool);
786
lr = apr_pcalloc(s->process->pool, sizeof(ap_listen_rec));
790
if ((status = apr_sockaddr_info_get(&lr->bind_addr, sl->addr, APR_UNSPEC, sl->port, 0,
791
s->process->pool)) != APR_SUCCESS) {
792
ap_log_perror(APLOG_MARK, APLOG_CRIT, status, pconf,
793
"alloc_listener: failed to set up sockaddr for %s:%d", sl->addr, sl->port);
794
return HTTP_INTERNAL_SERVER_ERROR;
796
lr->next = ap_listeners;
798
apr_pool_cleanup_register(s->process->pool, lr, nwssl_socket_cleanup, apr_pool_cleanup_null);
801
return HTTP_INTERNAL_SERVER_ERROR;
805
for (slu = ap_seclistenersup; slu; slu = slu->next) {
806
/* Check the listener list for a matching upgradeable listener */
808
for (lr = ap_listeners; lr; lr = lr->next) {
809
if (slu->port == lr->bind_addr->port) {
815
ap_log_perror(APLOG_MARK, APLOG_WARNING, 0, plog,
816
"No Listen directive found for upgradeable listener %s:%d", slu->addr, slu->port);
820
build_cert_list(s->process->pool);
825
static void *nwssl_config_server_create(apr_pool_t *p, server_rec *s)
827
NWSSLSrvConfigRec *new = apr_palloc(p, sizeof(NWSSLSrvConfigRec));
828
new->sltable = apr_table_make(p, 5);
829
new->slutable = apr_table_make(p, 5);
833
static void *nwssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
835
NWSSLSrvConfigRec *base = (NWSSLSrvConfigRec *)basev;
836
NWSSLSrvConfigRec *add = (NWSSLSrvConfigRec *)addv;
837
NWSSLSrvConfigRec *merged = (NWSSLSrvConfigRec *)apr_palloc(p, sizeof(NWSSLSrvConfigRec));
841
static int compare_ipports(void *rec, const char *key, const char *value)
843
conn_rec *c = (conn_rec*)rec;
846
((strcmp(value, "0.0.0.0") == 0) || (strcmp(value, c->local_ip) == 0)))
853
static int isSecureConnEx (const server_rec *s, const conn_rec *c, const apr_table_t *t)
857
itoa((c->local_addr)->port, port, 10);
858
if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL))
866
static int isSecureConn (const server_rec *s, const conn_rec *c)
868
NWSSLSrvConfigRec *sc = get_nwssl_cfg(s);
870
return isSecureConnEx (s, c, sc->sltable);
873
static int isSecureConnUpgradeable (const server_rec *s, const conn_rec *c)
875
NWSSLSrvConfigRec *sc = get_nwssl_cfg(s);
877
return isSecureConnEx (s, c, sc->slutable);
880
static int isSecure (const request_rec *r)
882
return isSecureConn (r->server, r->connection);
885
static int isSecureUpgradeable (const request_rec *r)
887
return isSecureConnUpgradeable (r->server, r->connection);
890
static int isSecureUpgraded (const request_rec *r)
892
secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module);
894
return csd_data->is_secure;
897
static int nwssl_hook_Fixup(request_rec *r)
901
if (!isSecure(r) && !isSecureUpgraded(r))
904
apr_table_set(r->subprocess_env, "HTTPS", "on");
909
static const char *nwssl_hook_http_scheme(const request_rec *r)
911
if (isSecure(r) && !isSecureUpgraded(r))
917
static apr_port_t nwssl_hook_default_port(const request_rec *r)
920
return DEFAULT_HTTPS_PORT;
925
int ssl_proxy_enable(conn_rec *c)
927
apr_table_set(c->notes, "nwconv-ssl", "Y");
932
int ssl_engine_disable(conn_rec *c)
937
static int ssl_is_https(conn_rec *c)
939
secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(c->conn_config, &nwssl_module);
941
return isSecureConn (c->base_server, c) || (csd_data && csd_data->is_secure);
944
/* This function must remain safe to use for a non-SSL connection. */
945
char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
947
NWSSLSrvConfigRec *mc = get_nwssl_cfg(s);
956
* When no pool is given try to find one
968
* Request dependent stuff
974
if (strcEQ(var, "HTTP_USER_AGENT"))
975
result = apr_table_get(r->headers_in, "User-Agent");
976
else if (strcEQ(var, "HTTP_REFERER"))
977
result = apr_table_get(r->headers_in, "Referer");
978
else if (strcEQ(var, "HTTP_COOKIE"))
979
result = apr_table_get(r->headers_in, "Cookie");
980
else if (strcEQ(var, "HTTP_FORWARDED"))
981
result = apr_table_get(r->headers_in, "Forwarded");
982
else if (strcEQ(var, "HTTP_HOST"))
983
result = apr_table_get(r->headers_in, "Host");
984
else if (strcEQ(var, "HTTP_PROXY_CONNECTION"))
985
result = apr_table_get(r->headers_in, "Proxy-Connection");
986
else if (strcEQ(var, "HTTP_ACCEPT"))
987
result = apr_table_get(r->headers_in, "Accept");
988
else if (strcEQ(var, "HTTPS")) {
989
if (isSecure(r) || isSecureUpgraded(r))
994
else if (strlen(var) > 5 && strcEQn(var, "HTTP:", 5))
995
/* all other headers from which we are still not know about */
996
result = apr_table_get(r->headers_in, var+5);
1001
if (strcEQ(var, "REQUEST_METHOD"))
1003
else if (strcEQ(var, "REQUEST_SCHEME"))
1004
result = ap_http_scheme(r);
1005
else if (strcEQ(var, "REQUEST_URI"))
1007
else if (strcEQ(var, "REQUEST_FILENAME"))
1008
result = r->filename;
1009
else if (strcEQ(var, "REMOTE_HOST"))
1010
result = ap_get_remote_host(r->connection, r->per_dir_config,
1012
else if (strcEQ(var, "REMOTE_IDENT"))
1013
result = ap_get_remote_logname(r);
1014
else if (strcEQ(var, "REMOTE_USER"))
1020
if (strcEQn(var, "SSL", 3)) break; /* shortcut common case */
1022
if (strcEQ(var, "SERVER_ADMIN"))
1023
result = r->server->server_admin;
1024
else if (strcEQ(var, "SERVER_NAME"))
1025
result = ap_get_server_name(r);
1026
else if (strcEQ(var, "SERVER_PORT"))
1027
result = apr_psprintf(p, "%u", ap_get_server_port(r));
1028
else if (strcEQ(var, "SERVER_PROTOCOL"))
1029
result = r->protocol;
1030
else if (strcEQ(var, "SCRIPT_FILENAME"))
1031
result = r->filename;
1035
if (strcEQ(var, "PATH_INFO"))
1036
result = r->path_info;
1037
else if (strcEQ(var, "QUERY_STRING"))
1039
else if (strcEQ(var, "IS_SUBREQ"))
1040
result = (r->main != NULL ? "true" : "false");
1041
else if (strcEQ(var, "DOCUMENT_ROOT"))
1042
result = ap_document_root(r);
1043
else if (strcEQ(var, "AUTH_TYPE"))
1044
result = r->ap_auth_type;
1045
else if (strcEQ(var, "THE_REQUEST"))
1046
result = r->the_request;
1054
if (result == NULL && c != NULL) {
1056
/* XXX-Can't get specific SSL info from NetWare */
1057
/* SSLConnRec *sslconn = myConnConfig(c);
1058
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
1059
&& sslconn && sslconn->ssl)
1060
result = ssl_var_lookup_ssl(p, c, var+4);*/
1062
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
1064
else if (strcEQ(var, "REMOTE_ADDR"))
1065
result = c->remote_ip;
1069
* Totally independent stuff
1071
if (result == NULL) {
1072
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
1074
/* XXX-Can't get specific SSL info from NetWare */
1075
/*result = ssl_var_lookup_ssl_version(p, var+12);*/
1076
else if (strcEQ(var, "SERVER_SOFTWARE"))
1077
result = ap_get_server_version();
1078
else if (strcEQ(var, "API_VERSION")) {
1079
result = apr_itoa(p, MODULE_MAGIC_NUMBER);
1082
else if (strcEQ(var, "TIME_YEAR")) {
1083
apr_time_exp_lt(&tm, apr_time_now());
1084
result = apr_psprintf(p, "%02d%02d",
1085
(tm.tm_year / 100) + 19, tm.tm_year % 100);
1088
#define MKTIMESTR(format, tmfield) \
1089
apr_time_exp_lt(&tm, apr_time_now()); \
1090
result = apr_psprintf(p, format, tm.tmfield); \
1092
else if (strcEQ(var, "TIME_MON")) {
1093
MKTIMESTR("%02d", tm_mon+1)
1095
else if (strcEQ(var, "TIME_DAY")) {
1096
MKTIMESTR("%02d", tm_mday)
1098
else if (strcEQ(var, "TIME_HOUR")) {
1099
MKTIMESTR("%02d", tm_hour)
1101
else if (strcEQ(var, "TIME_MIN")) {
1102
MKTIMESTR("%02d", tm_min)
1104
else if (strcEQ(var, "TIME_SEC")) {
1105
MKTIMESTR("%02d", tm_sec)
1107
else if (strcEQ(var, "TIME_WDAY")) {
1108
MKTIMESTR("%d", tm_wday)
1110
else if (strcEQ(var, "TIME")) {
1111
apr_time_exp_lt(&tm, apr_time_now());
1112
result = apr_psprintf(p,
1113
"%02d%02d%02d%02d%02d%02d%02d", (tm.tm_year / 100) + 19,
1114
(tm.tm_year % 100), tm.tm_mon+1, tm.tm_mday,
1115
tm.tm_hour, tm.tm_min, tm.tm_sec);
1118
/* all other env-variables from the parent Apache process */
1119
else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) {
1120
result = apr_table_get(r->notes, var+4);
1122
result = apr_table_get(r->subprocess_env, var+4);
1124
result = getenv(var+4);
1128
if (result != NULL && resdup)
1129
result = apr_pstrdup(p, result);
1132
return (char *)result;
1135
#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
1136
#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
1137
#define CONNECTION_HEADER "Connection: Upgrade"
1139
static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,
1140
apr_bucket_brigade *bb)
1143
const char *upgrade;
1144
apr_bucket_brigade *upgradebb;
1145
request_rec *r = f->r;
1146
apr_socket_t *csd = NULL;
1149
secsocket_data *csd_data;
1153
/* Just remove the filter, if it doesn't work the first time, it won't
1154
* work at all for this request.
1156
ap_remove_output_filter(f);
1158
/* No need to ensure that this is a server with optional SSL, the filter
1159
* is only inserted if that is true.
1162
upgrade = apr_table_get(r->headers_in, "Upgrade");
1164
|| strcmp(ap_getword(r->pool, &upgrade, ','), "TLS/1.0")) {
1165
/* "Upgrade: TLS/1.0, ..." header not found, don't do Upgrade */
1166
return ap_pass_brigade(f->next, bb);
1169
apr_table_unset(r->headers_out, "Upgrade");
1172
csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module);
1173
csd = csd_data->csd;
1176
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
1177
"Unable to get upgradeable socket handle");
1178
return ap_pass_brigade(f->next, bb);
1182
/* Send the interim 101 response. */
1183
upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc);
1185
ap_fputstrs(f->next, upgradebb, SWITCH_STATUS_LINE, CRLF,
1186
UPGRADE_HEADER, CRLF, CONNECTION_HEADER, CRLF, CRLF, NULL);
1188
b = apr_bucket_flush_create(f->c->bucket_alloc);
1189
APR_BRIGADE_INSERT_TAIL(upgradebb, b);
1191
rv = ap_pass_brigade(f->next, upgradebb);
1193
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
1194
"could not send interim 101 Upgrade response");
1195
return AP_FILTER_ERROR;
1198
key = get_port_key(r->connection);
1202
apr_os_sock_get(&sockdes, csd);
1205
ret = SSLize_Socket(sockdes, key, r);
1207
csd_data->is_secure = 1;
1211
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
1212
"Upgradeable socket handle not found");
1213
return AP_FILTER_ERROR;
1216
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
1217
"Awaiting re-negotiation handshake");
1219
/* Now that we have initialized the ssl connection which added the ssl_io_filter,
1220
pass the brigade off to the connection based output filters so that the
1221
request can complete encrypted */
1222
return ap_pass_brigade(f->c->output_filters, bb);
1225
static void ssl_hook_Insert_Filter(request_rec *r)
1227
NWSSLSrvConfigRec *sc = get_nwssl_cfg(r->server);
1229
if (isSecureUpgradeable (r)) {
1230
ap_add_output_filter("UPGRADE_FILTER", NULL, r, r->connection);
1234
static const command_rec nwssl_module_cmds[] =
1236
AP_INIT_TAKE23("SecureListen", set_secure_listener, NULL, RSRC_CONF,
1237
"specify an address and/or port with a key pair name.\n"
1238
"Optional third parameter of MUTUAL configures the port for mutual authentication."),
1239
AP_INIT_TAKE2("NWSSLUpgradeable", set_secure_upgradeable_listener, NULL, RSRC_CONF,
1240
"specify an address and/or port with a key pair name, that can be upgraded to an SSL connection.\n"
1241
"The address and/or port must have already be defined using a Listen directive."),
1242
AP_INIT_ITERATE("NWSSLTrustedCerts", set_trusted_certs, NULL, RSRC_CONF,
1243
"Adds trusted certificates that are used to create secure connections to proxied servers"),
1247
static void register_hooks(apr_pool_t *p)
1249
ap_register_output_filter ("UPGRADE_FILTER", ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
1251
ap_hook_pre_config(nwssl_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
1252
ap_hook_pre_connection(nwssl_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
1253
ap_hook_post_config(nwssl_post_config, NULL, NULL, APR_HOOK_MIDDLE);
1254
ap_hook_fixups(nwssl_hook_Fixup, NULL, NULL, APR_HOOK_MIDDLE);
1255
ap_hook_http_scheme(nwssl_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
1256
ap_hook_default_port(nwssl_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
1257
ap_hook_insert_filter(ssl_hook_Insert_Filter, NULL, NULL, APR_HOOK_MIDDLE);
1259
APR_REGISTER_OPTIONAL_FN(ssl_is_https);
1260
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
1262
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
1263
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
1266
module AP_MODULE_DECLARE_DATA nwssl_module =
1268
STANDARD20_MODULE_STUFF,
1269
NULL, /* dir config creater */
1270
NULL, /* dir merger --- default is to override */
1271
nwssl_config_server_create, /* server config */
1272
nwssl_config_server_merge, /* merge server config */
1273
nwssl_module_cmds, /* command apr_table_t */