gbucchino/cve-2024-38477
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
cve-2024-38477/httpd-2.4.59/modules/arch/netware/mod_nw_ssl.c
gbucchino 86ef235216 First commit
2025-06-05 15:09:30 +02:00

1286 lines
40 KiB
C
Raw Permalink Blame History

/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* based on mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
*
* This module gives Apache the ability to do SSL/TLS with a minimum amount
* of effort. All of the SSL/TLS logic is already on NetWare versions 5 and
* above and is interfaced through WinSock on NetWare. As you can see in
* the code below SSL/TLS sockets can be created with three WinSock calls.
*
* To load, simply place the module in the modules directory under the main
* apache tree. Then add a "SecureListen" with two arguments. The first
* argument is an address and/or port. The second argument is the key pair
* name as created in ConsoleOne.
*
* Examples:
*
* SecureListen 443 "SSL CertificateIP"
* SecureListen 123.45.67.89:443 mycert
*
* The module also supports RFC 2817 / TLS Upgrade for HTTP 1.1.
* For this add a "NWSSLUpgradeable" with two arguments. The first
* argument is an address and/or port. The second argument is the key pair
* name as created in ConsoleOne.
*
* Examples:
*
* NWSSLUpgradeable 8080 "SSL CertificateIP"
* NWSSLUpgradeable 123.45.67.89:8080 mycert
*
*/
#define WS_SSL
#define MAX_ADDRESS 512
#define MAX_KEY 80
#include "httpd.h"
#include "http_config.h"
#include "http_connection.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"
#include "ap_listen.h"
#include "apr_strings.h"
#include "apr_portable.h"
#include "apr_optional.h"
#include <unilib.h>
#ifndef SO_TLS_UNCLEAN_SHUTDOWN
#define SO_TLS_UNCLEAN_SHUTDOWN 0
#endif
/* The ssl_var_lookup() optional function retrieves SSL environment
* variables. */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
(apr_pool_t *, server_rec *,
conn_rec *, request_rec *,
char *));
/* An optional function which returns non-zero if the given connection
* is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
* are used by mod_proxy to enable use of SSL for outgoing
* connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
#define strEQ(s1,s2) (strcmp(s1,s2) == 0)
#define strNE(s1,s2) (strcmp(s1,s2) != 0)
#define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
#define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
#define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
#define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
#define strIsEmpty(s) (s == NULL || s[0] == NUL)
module AP_MODULE_DECLARE_DATA nwssl_module;
typedef struct NWSSLSrvConfigRec NWSSLSrvConfigRec;
typedef struct seclisten_rec seclisten_rec;
typedef struct seclistenup_rec seclistenup_rec;
typedef struct secsocket_data secsocket_data;
struct seclisten_rec {
seclisten_rec *next;
struct sockaddr_in local_addr; /* local IP address and port */
int fd;
int used; /* Only used during restart */
char key[MAX_KEY];
int mutual;
char *addr;
apr_port_t port;
};
struct seclistenup_rec {
seclistenup_rec *next;
char key[MAX_KEY];
char *addr;
apr_port_t port;
};
struct NWSSLSrvConfigRec {
apr_table_t *sltable;
apr_table_t *slutable;
apr_pool_t *pPool;
};
struct secsocket_data {
apr_socket_t* csd;
int is_secure;
};
static apr_array_header_t *certlist = NULL;
static unicode_t** certarray = NULL;
static int numcerts = 0;
static seclisten_rec* ap_seclisteners = NULL;
static seclistenup_rec* ap_seclistenersup = NULL;
static ap_listen_rec *nw_old_listeners;
#define get_nwssl_cfg(srv) (NWSSLSrvConfigRec *) ap_get_module_config(srv->module_config, &nwssl_module)
static void build_cert_list(apr_pool_t *p)
{
int i;
char **rootcerts = (char **)certlist->elts;
numcerts = certlist->nelts;
certarray = apr_palloc(p, sizeof(unicode_t*)*numcerts);
for (i = 0; i < numcerts; ++i) {
unicode_t *unistr;
unistr = (unicode_t*)apr_palloc(p, strlen(rootcerts[i])*4);
loc2uni (UNI_LOCAL_DEFAULT, unistr, rootcerts[i], 0, 2);
certarray[i] = unistr;
}
}
/*
* Parses a host of the form <address>[:port]
* :port is permitted if 'port' is not NULL
*/
static unsigned long parse_addr(const char *w, unsigned short *ports)
{
struct hostent *hep;
unsigned long my_addr;
char *p;
p = strchr(w, ':');
if (ports != NULL) {
*ports = 0;
if (p != NULL && strcmp(p + 1, "*") != 0)
*ports = atoi(p + 1);
}
if (p != NULL)
*p = '\0';
if (strcmp(w, "*") == 0) {
if (p != NULL)
*p = ':';
return htonl(INADDR_ANY);
}
my_addr = apr_inet_addr((char *)w);
if (my_addr != INADDR_NONE) {
if (p != NULL)
*p = ':';
return my_addr;
}
hep = gethostbyname(w);
if ((!hep) || (hep->h_addrtype != AF_INET || !hep->h_addr_list[0])) {
/* XXX Should be echoing by h_errno the actual failure, no?
* ap_log_error would be good here. Better yet - APRize.
*/
fprintf(stderr, "Cannot resolve host name %s --- exiting!\n", w);
exit(1);
}
if (hep->h_addr_list[1]) {
fprintf(stderr, "Host %s has multiple addresses ---\n", w);
fprintf(stderr, "you must choose one explicitly for use as\n");
fprintf(stderr, "a secure port. Exiting!!!\n");
exit(1);
}
if (p != NULL)
*p = ':';
return ((struct in_addr *) (hep->h_addr))->s_addr;
}
static int find_secure_listener(seclisten_rec *lr)
{
seclisten_rec *sl;
for (sl = ap_seclisteners; sl; sl = sl->next) {
if (!memcmp(&sl->local_addr, &lr->local_addr, sizeof(sl->local_addr))) {
sl->used = 1;
return sl->fd;
}
}
return -1;
}
static char *get_port_key(conn_rec *c)
{
seclistenup_rec *sl;
for (sl = ap_seclistenersup; sl; sl = sl->next) {
if ((sl->port == (c->local_addr)->port) &&
((strcmp(sl->addr, "0.0.0.0") == 0) ||
(strcmp(sl->addr, c->local_ip) == 0))) {
return sl->key;
}
}
return NULL;
}
static int make_secure_socket(apr_pool_t *pconf,
const struct sockaddr_in *server,
char* key, int mutual, server_rec *sconf)
{
int s;
char addr[MAX_ADDRESS];
struct sslserveropts opts;
unsigned int optParam;
WSAPROTOCOL_INFO SecureProtoInfo;
if (server->sin_addr.s_addr != htonl(INADDR_ANY))
apr_snprintf(addr, sizeof(addr), "address %s port %d",
inet_ntoa(server->sin_addr), ntohs(server->sin_port));
else
apr_snprintf(addr, sizeof(addr), "port %d", ntohs(server->sin_port));
/* note that because we're about to slack we don't use psocket */
memset(&SecureProtoInfo, 0, sizeof(WSAPROTOCOL_INFO));
SecureProtoInfo.iAddressFamily = AF_INET;
SecureProtoInfo.iSocketType = SOCK_STREAM;
SecureProtoInfo.iProtocol = IPPROTO_TCP;
SecureProtoInfo.iSecurityScheme = SECURITY_PROTOCOL_SSL;
s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,
(LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0);
if (s == INVALID_SOCKET) {
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
APLOGNO(02120)
"make_secure_socket: failed to get a socket for %s",
addr);
return -1;
}
if (!mutual) {
optParam = SO_SSL_ENABLE | SO_SSL_SERVER;
if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam,
sizeof(optParam), NULL, 0, NULL, NULL, NULL)) {
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
APLOGNO(02121)
"make_secure_socket: for %s, WSAIoctl: "
"(SO_SSL_SET_FLAGS)", addr);
return -1;
}
}
opts.cert = key;
opts.certlen = strlen(key);
opts.sidtimeout = 0;
opts.sidentries = 0;
opts.siddir = NULL;
if (WSAIoctl(s, SO_SSL_SET_SERVER, (char *)&opts, sizeof(opts),
NULL, 0, NULL, NULL, NULL) != 0) {
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
APLOGNO(02122)
"make_secure_socket: for %s, WSAIoctl: "
"(SO_SSL_SET_SERVER)", addr);
return -1;
}
if (mutual) {
optParam = 0x07; /* SO_SSL_AUTH_CLIENT */
if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam, sizeof(optParam),
NULL, 0, NULL, NULL, NULL)) {
ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
APLOGNO(02123)
"make_secure_socket: for %s, WSAIoctl: "
"(SO_SSL_SET_FLAGS)", addr);
return -1;
}
}
optParam = SO_TLS_UNCLEAN_SHUTDOWN;
WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam, sizeof(optParam),
NULL, 0, NULL, NULL, NULL);
return s;
}
static int convert_secure_socket(conn_rec *c, apr_socket_t *csd)
{
int rcode;
struct tlsclientopts sWS2Opts;
struct nwtlsopts sNWTLSOpts;
struct sslserveropts opts;
unsigned long ulFlags;
SOCKET sock;
unicode_t keyFileName[60];
apr_os_sock_get(&sock, csd);
/* zero out buffers */
memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts));
memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
/* turn on ssl for the socket */
ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT);
rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
NULL, 0, NULL, NULL, NULL);
if (SOCKET_ERROR == rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02124)
"Error: %d with WSAIoctl(flag SO_TLS_ENABLE)",
WSAGetLastError());
return rcode;
}
ulFlags = SO_TLS_UNCLEAN_SHUTDOWN;
WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
NULL, 0, NULL, NULL, NULL);
/* setup the socket for SSL */
memset (&sWS2Opts, 0, sizeof(sWS2Opts));
memset (&sNWTLSOpts, 0, sizeof(sNWTLSOpts));
sWS2Opts.options = &sNWTLSOpts;
if (numcerts) {
sNWTLSOpts.walletProvider = WAL_PROV_DER; /* the wallet provider defined in wdefs.h */
sNWTLSOpts.TrustedRootList = certarray; /* array of certs in UNICODE format */
sNWTLSOpts.numElementsInTRList = numcerts; /* number of certs in TRList */
}
else {
/* setup the socket for SSL */
unicpy(keyFileName, L"SSL CertificateIP");
sWS2Opts.wallet = keyFileName; /* no client certificate */
sWS2Opts.walletlen = unilen(keyFileName);
sNWTLSOpts.walletProvider = WAL_PROV_KMO; /* the wallet provider defined in wdefs.h */
}
/* make the IOCTL call */
rcode = WSAIoctl(sock, SO_TLS_SET_CLIENT, &sWS2Opts,
sizeof(struct tlsclientopts), NULL, 0, NULL,
NULL, NULL);
/* make sure that it was successful */
if (SOCKET_ERROR == rcode ) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02125)
"Error: %d with WSAIoctl(SO_TLS_SET_CLIENT)",
WSAGetLastError());
}
return rcode;
}
static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r)
{
int rcode;
struct tlsserveropts sWS2Opts;
struct nwtlsopts sNWTLSOpts;
unicode_t SASKey[512];
unsigned long ulFlag;
memset((char *)&sWS2Opts, 0, sizeof(struct tlsserveropts));
memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
ulFlag = SO_TLS_ENABLE;
rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag,
sizeof(unsigned long), NULL, 0, NULL, NULL, NULL);
if (rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02126)
"Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)",
WSAGetLastError());
goto ERR;
}
ulFlag = SO_TLS_SERVER;
rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag,
sizeof(unsigned long),NULL, 0, NULL, NULL, NULL);
if (rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02127)
"Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)",
WSAGetLastError());
goto ERR;
}
loc2uni(UNI_LOCAL_DEFAULT, SASKey, key, 0, 0);
/* setup the tlsserveropts struct */
sWS2Opts.wallet = SASKey;
sWS2Opts.walletlen = unilen(SASKey);
sWS2Opts.sidtimeout = 0;
sWS2Opts.sidentries = 0;
sWS2Opts.siddir = NULL;
sWS2Opts.options = &sNWTLSOpts;
/* setup the nwtlsopts structure */
sNWTLSOpts.walletProvider = WAL_PROV_KMO;
sNWTLSOpts.keysList = NULL;
sNWTLSOpts.numElementsInKeyList = 0;
sNWTLSOpts.reservedforfutureuse = NULL;
sNWTLSOpts.reservedforfutureCRL = NULL;
sNWTLSOpts.reservedforfutureCRLLen = 0;
sNWTLSOpts.reserved1 = NULL;
sNWTLSOpts.reserved2 = NULL;
sNWTLSOpts.reserved3 = NULL;
rcode = WSAIoctl(socketHnd,
SO_TLS_SET_SERVER,
&sWS2Opts,
sizeof(struct tlsserveropts),
NULL,
0,
NULL,
NULL,
NULL);
if (SOCKET_ERROR == rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02128)
"Error: %d with WSAIoctl(SO_TLS_SET_SERVER)", WSAGetLastError());
goto ERR;
}
ERR:
return rcode;
}
static const char *set_secure_listener(cmd_parms *cmd, void *dummy,
const char *ips, const char* key,
const char* mutual)
{
NWSSLSrvConfigRec* sc = get_nwssl_cfg(cmd->server);
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
char *ports, *addr;
unsigned short port;
seclisten_rec *new;
ap_listen_rec **walk;
apr_sockaddr_t *sa;
int found_listener = 0;
if (err != NULL)
return err;
ports = strchr(ips, ':');
if (ports != NULL) {
if (ports == ips)
return "Missing IP address";
else if (ports[1] == '\0')
return "Address must end in :<port-number>";
*(ports++) = '\0';
}
else {
ports = (char*)ips;
}
new = apr_pcalloc(cmd->server->process->pool, sizeof(seclisten_rec));
new->local_addr.sin_family = AF_INET;
if (ports == ips) {
new->local_addr.sin_addr.s_addr = htonl(INADDR_ANY);
addr = apr_pstrdup(cmd->server->process->pool, "0.0.0.0");
}
else {
new->local_addr.sin_addr.s_addr = parse_addr(ips, NULL);
addr = apr_pstrdup(cmd->server->process->pool, ips);
}
port = atoi(ports);
if (!port)
return "Port must be numeric";
/* If the specified addr:port was created previously, put the listen
socket record back on the ap_listeners list so that the socket
will be reused rather than recreated */
for (walk = &nw_old_listeners; *walk;) {
sa = (*walk)->bind_addr;
if (sa) {
ap_listen_rec *new;
apr_port_t oldport;
oldport = sa->port;
/* If both ports are equivalent, then if their names are equivalent,
* then we will re-use the existing record.
*/
if (port == oldport &&
((!addr && !sa->hostname) ||
((addr && sa->hostname) && !strcmp(sa->hostname, addr)))) {
new = *walk;
*walk = new->next;
new->next = ap_listeners;
ap_listeners = new;
found_listener = 1;
continue;
}
}
walk = &(*walk)->next;
}
apr_table_add(sc->sltable, ports, addr);
/* If we found a pre-existing listen socket record, then there
is no need to create a new secure listen socket record. */
if (found_listener) {
return NULL;
}
new->local_addr.sin_port = htons(port);
new->fd = -1;
new->used = 0;
new->next = ap_seclisteners;
strcpy(new->key, key);
new->mutual = (mutual) ? 1 : 0;
new->addr = addr;
new->port = port;
ap_seclisteners = new;
return NULL;
}
static const char *set_secure_upgradeable_listener(cmd_parms *cmd, void *dummy,
const char *ips, const char* key)
{
NWSSLSrvConfigRec* sc = get_nwssl_cfg(cmd->server);
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
char *ports, *addr;
unsigned short port;
seclistenup_rec *new;
if (err != NULL)
return err;
ports = strchr(ips, ':');
if (ports != NULL) {
if (ports == ips)
return "Missing IP address";
else if (ports[1] == '\0')
return "Address must end in :<port-number>";
*(ports++) = '\0';
}
else {
ports = (char*)ips;
}
if (ports == ips) {
addr = apr_pstrdup(cmd->pool, "0.0.0.0");
}
else {
addr = apr_pstrdup(cmd->pool, ips);
}
port = atoi(ports);
if (!port)
return "Port must be numeric";
apr_table_set(sc->slutable, ports, addr);
new = apr_pcalloc(cmd->pool, sizeof(seclistenup_rec));
new->next = ap_seclistenersup;
strcpy(new->key, key);
new->addr = addr;
new->port = port;
ap_seclistenersup = new;
return err;
}
static apr_status_t nwssl_socket_cleanup(void *data)
{
ap_listen_rec* slr = (ap_listen_rec*)data;
ap_listen_rec* lr;
/* Remove our secure listener from the listener list */
for (lr = ap_listeners; lr; lr = lr->next) {
/* slr is at the head of the list */
if (lr == slr) {
ap_listeners = slr->next;
break;
}
/* slr is somewhere in between or at the end*/
if (lr->next == slr) {
lr->next = slr->next;
break;
}
}
return APR_SUCCESS;
}
static const char *set_trusted_certs(cmd_parms *cmd, void *dummy, char *arg)
{
char **ptr = (char **)apr_array_push(certlist);
*ptr = arg;
return NULL;
}
static int nwssl_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
{
seclisten_rec* ap_old_seclisteners;
ap_listen_rec **walk;
seclisten_rec **secwalk;
apr_sockaddr_t *sa;
int found;
/* Pull all of the listeners that were created by mod_nw_ssl out of the
ap_listeners list so that the normal listen socket processing does
automatically close them */
nw_old_listeners = NULL;
ap_old_seclisteners = NULL;
for (secwalk = &ap_seclisteners; *secwalk;) {
found = 0;
for (walk = &ap_listeners; *walk;) {
sa = (*walk)->bind_addr;
if (sa) {
ap_listen_rec *new;
seclisten_rec *secnew;
apr_port_t oldport;
oldport = sa->port;
/* If both ports are equivalent, then if their names are equivalent,
* then we will re-use the existing record.
*/
if ((*secwalk)->port == oldport &&
((!(*secwalk)->addr && !sa->hostname) ||
(((*secwalk)->addr && sa->hostname) && !strcmp(sa->hostname, (*secwalk)->addr)))) {
/* Move the listen socket from ap_listeners to nw_old_listeners */
new = *walk;
*walk = new->next;
new->next = nw_old_listeners;
nw_old_listeners = new;
/* Move the secure socket record to ap_old_seclisterners */
secnew = *secwalk;
*secwalk = secnew->next;
secnew->next = ap_old_seclisteners;
ap_old_seclisteners = secnew;
found = 1;
break;
}
}
walk = &(*walk)->next;
}
if (!found && &(*secwalk)->next) {
secwalk = &(*secwalk)->next;
}
}
/* Restore the secure socket records list so that the post config can
process all of the sockets normally */
ap_seclisteners = ap_old_seclisteners;
ap_seclistenersup = NULL;
certlist = apr_array_make(pconf, 1, sizeof(char *));
/* Now that we have removed all of the mod_nw_ssl created socket records,
allow the normal listen socket handling to occur.
NOTE: If for any reason mod_nw_ssl is removed as a built-in module,
the following call must be put back into the pre-config handler of the
MPM. It is only here to ensure that mod_nw_ssl fixes up the listen
socket list before anything else looks at it. */
ap_listen_pre_config();
return OK;
}
static int nwssl_pre_connection(conn_rec *c, void *csd)
{
if (apr_table_get(c->notes, "nwconv-ssl")) {
convert_secure_socket(c, (apr_socket_t*)csd);
}
else {
secsocket_data *csd_data = apr_palloc(c->pool, sizeof(secsocket_data));
csd_data->csd = (apr_socket_t*)csd;
csd_data->is_secure = 0;
ap_set_module_config(c->conn_config, &nwssl_module, (void*)csd_data);
}
return OK;
}
static int nwssl_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
seclisten_rec* sl;
ap_listen_rec* lr;
apr_socket_t* sd;
apr_status_t status;
seclistenup_rec *slu;
int found;
ap_listen_rec *walk;
seclisten_rec *secwalk, *lastsecwalk;
apr_sockaddr_t *sa;
/* Walk the old listeners list and compare it to the secure
listeners list and remove any secure listener records that
are not being reused */
for (walk = nw_old_listeners; walk; walk = walk->next) {
sa = walk->bind_addr;
if (sa) {
ap_listen_rec *new;
apr_port_t oldport;
oldport = sa->port;
for (secwalk = ap_seclisteners, lastsecwalk = ap_seclisteners; secwalk; secwalk = lastsecwalk->next) {
unsigned short port = secwalk->port;
char *addr = secwalk->addr;
/* If both ports are equivalent, then if their names are equivalent,
* then we will re-use the existing record.
*/
if (port == oldport &&
((!addr && !sa->hostname) ||
((addr && sa->hostname) && !strcmp(sa->hostname, addr)))) {
if (secwalk == ap_seclisteners) {
ap_seclisteners = secwalk->next;
}
else {
lastsecwalk->next = secwalk->next;
}
apr_socket_close(walk->sd);
walk->active = 0;
break;
}
else {
lastsecwalk = secwalk;
}
}
}
}
for (sl = ap_seclisteners; sl != NULL; sl = sl->next) {
/* If we find a pre-existing listen socket and it has already been
created, then no need to go any further, just reuse it. */
if (((sl->fd = find_secure_listener(sl)) >= 0) && (sl->used)) {
continue;
}
if (sl->fd < 0)
sl->fd = make_secure_socket(s->process->pool, &sl->local_addr, sl->key, sl->mutual, s);
if (sl->fd >= 0) {
apr_os_sock_info_t sock_info;
sock_info.os_sock = &(sl->fd);
sock_info.local = (struct sockaddr*)&(sl->local_addr);
sock_info.remote = NULL;
sock_info.family = APR_INET;
sock_info.type = SOCK_STREAM;
apr_os_sock_make(&sd, &sock_info, s->process->pool);
lr = apr_pcalloc(s->process->pool, sizeof(ap_listen_rec));
if (lr) {
lr->sd = sd;
if ((status = apr_sockaddr_info_get(&lr->bind_addr, sl->addr, APR_UNSPEC, sl->port, 0,
s->process->pool)) != APR_SUCCESS) {
ap_log_perror(APLOG_MARK, APLOG_CRIT, status, pconf, APLOGNO(02129)
"alloc_listener: failed to set up sockaddr for %s:%d", sl->addr, sl->port);
return HTTP_INTERNAL_SERVER_ERROR;
}
lr->next = ap_listeners;
ap_listeners = lr;
apr_pool_cleanup_register(s->process->pool, lr, nwssl_socket_cleanup, apr_pool_cleanup_null);
}
} else {
return HTTP_INTERNAL_SERVER_ERROR;
}
}
for (slu = ap_seclistenersup; slu; slu = slu->next) {
/* Check the listener list for a matching upgradeable listener */
found = 0;
for (lr = ap_listeners; lr; lr = lr->next) {
if (slu->port == lr->bind_addr->port) {
found = 1;
break;
}
}
if (!found) {
ap_log_perror(APLOG_MARK, APLOG_WARNING, 0, plog, APLOGNO(02130)
"No Listen directive found for upgradeable listener %s:%d", slu->addr, slu->port);
}
}
build_cert_list(s->process->pool);
return OK;
}
static void *nwssl_config_server_create(apr_pool_t *p, server_rec *s)
{
NWSSLSrvConfigRec *new = apr_palloc(p, sizeof(NWSSLSrvConfigRec));
new->sltable = apr_table_make(p, 5);
new->slutable = apr_table_make(p, 5);
return new;
}
static void *nwssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
{
NWSSLSrvConfigRec *base = (NWSSLSrvConfigRec *)basev;
NWSSLSrvConfigRec *add = (NWSSLSrvConfigRec *)addv;
NWSSLSrvConfigRec *merged = (NWSSLSrvConfigRec *)apr_palloc(p, sizeof(NWSSLSrvConfigRec));
return merged;
}
static int compare_ipports(void *rec, const char *key, const char *value)
{
conn_rec *c = (conn_rec*)rec;
if (value &&
((strcmp(value, "0.0.0.0") == 0) || (strcmp(value, c->local_ip) == 0)))
{
return 0;
}
return 1;
}
static int isSecureConnEx (const server_rec *s, const conn_rec *c, const apr_table_t *t)
{
char port[8];
itoa((c->local_addr)->port, port, 10);
if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL)) {
return 1;
}
return 0;
}
static int isSecureConn (const server_rec *s, const conn_rec *c)
{
NWSSLSrvConfigRec *sc = get_nwssl_cfg(s);
return isSecureConnEx (s, c, sc->sltable);
}
static int isSecureConnUpgradeable (const server_rec *s, const conn_rec *c)
{
NWSSLSrvConfigRec *sc = get_nwssl_cfg(s);
return isSecureConnEx (s, c, sc->slutable);
}
static int isSecure (const request_rec *r)
{
return isSecureConn (r->server, r->connection);
}
static int isSecureUpgradeable (const request_rec *r)
{
return isSecureConnUpgradeable (r->server, r->connection);
}
static int isSecureUpgraded (const request_rec *r)
{
secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module);
return csd_data->is_secure;
}
static int nwssl_hook_Fixup(request_rec *r)
{
if (!isSecure(r) && !isSecureUpgraded(r))
return DECLINED;
apr_table_setn(r->subprocess_env, "HTTPS", "on");
return DECLINED;
}
static const char *nwssl_hook_http_scheme(const request_rec *r)
{
if (isSecure(r) && !isSecureUpgraded(r))
return "https";
return NULL;
}
static apr_port_t nwssl_hook_default_port(const request_rec *r)
{
if (isSecure(r))
return DEFAULT_HTTPS_PORT;
return 0;
}
int ssl_proxy_enable(conn_rec *c)
{
apr_table_setn(c->notes, "nwconv-ssl", "Y");
return 1;
}
int ssl_engine_disable(conn_rec *c)
{
return 1;
}
static int ssl_is_https(conn_rec *c)
{
secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(c->conn_config, &nwssl_module);
return isSecureConn (c->base_server, c) || (csd_data && csd_data->is_secure);
}
/* This function must remain safe to use for a non-SSL connection. */
char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
{
NWSSLSrvConfigRec *mc = get_nwssl_cfg(s);
const char *result;
BOOL resdup;
apr_time_exp_t tm;
result = NULL;
resdup = TRUE;
/*
* When no pool is given try to find one
*/
if (p == NULL) {
if (r != NULL)
p = r->pool;
else if (c != NULL)
p = c->pool;
else
p = mc->pPool;
}
/*
* Request dependent stuff
*/
if (r != NULL) {
switch (var[0]) {
case 'H':
case 'h':
if (strcEQ(var, "HTTP_USER_AGENT"))
result = apr_table_get(r->headers_in, "User-Agent");
else if (strcEQ(var, "HTTP_REFERER"))
result = apr_table_get(r->headers_in, "Referer");
else if (strcEQ(var, "HTTP_COOKIE"))
result = apr_table_get(r->headers_in, "Cookie");
else if (strcEQ(var, "HTTP_FORWARDED"))
result = apr_table_get(r->headers_in, "Forwarded");
else if (strcEQ(var, "HTTP_HOST"))
result = apr_table_get(r->headers_in, "Host");
else if (strcEQ(var, "HTTP_PROXY_CONNECTION"))
result = apr_table_get(r->headers_in, "Proxy-Connection");
else if (strcEQ(var, "HTTP_ACCEPT"))
result = apr_table_get(r->headers_in, "Accept");
else if (strcEQ(var, "HTTPS")) {
if (isSecure(r) || isSecureUpgraded(r))
result = "on";
else
result = "off";
}
else if (strlen(var) > 5 && strcEQn(var, "HTTP:", 5))
/* all other headers from which we are still not know about */
result = apr_table_get(r->headers_in, var+5);
break;
case 'R':
case 'r':
if (strcEQ(var, "REQUEST_METHOD"))
result = r->method;
else if (strcEQ(var, "REQUEST_SCHEME"))
result = ap_http_scheme(r);
else if (strcEQ(var, "REQUEST_URI"))
result = r->uri;
else if (strcEQ(var, "REQUEST_FILENAME"))
result = r->filename;
else if (strcEQ(var, "REMOTE_ADDR"))
result = r->useragent_ip;
else if (strcEQ(var, "REMOTE_HOST"))
result = ap_get_useragent_host(r, REMOTE_NAME, NULL);
else if (strcEQ(var, "REMOTE_IDENT"))
result = ap_get_remote_logname(r);
else if (strcEQ(var, "REMOTE_USER"))
result = r->user;
break;
case 'S':
case 's':
if (strcEQn(var, "SSL", 3)) break; /* shortcut common case */
if (strcEQ(var, "SERVER_ADMIN"))
result = r->server->server_admin;
else if (strcEQ(var, "SERVER_NAME"))
result = ap_get_server_name_for_url(r);
else if (strcEQ(var, "SERVER_PORT"))
result = apr_psprintf(p, "%u", ap_get_server_port(r));
else if (strcEQ(var, "SERVER_PROTOCOL"))
result = r->protocol;
else if (strcEQ(var, "SCRIPT_FILENAME"))
result = r->filename;
break;
default:
if (strcEQ(var, "PATH_INFO"))
result = r->path_info;
else if (strcEQ(var, "QUERY_STRING"))
result = r->args;
else if (strcEQ(var, "IS_SUBREQ"))
result = (r->main != NULL ? "true" : "false");
else if (strcEQ(var, "DOCUMENT_ROOT"))
result = ap_document_root(r);
else if (strcEQ(var, "AUTH_TYPE"))
result = r->ap_auth_type;
else if (strcEQ(var, "THE_REQUEST"))
result = r->the_request;
break;
}
}
/*
* Connection stuff
*/
if (result == NULL && c != NULL) {
/* XXX-Can't get specific SSL info from NetWare */
/* SSLConnRec *sslconn = myConnConfig(c);
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
&& sslconn && sslconn->ssl)
result = ssl_var_lookup_ssl(p, c, var+4);*/
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
result = NULL;
}
/*
* Totally independent stuff
*/
if (result == NULL) {
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
result = NULL;
/* XXX-Can't get specific SSL info from NetWare */
/*result = ssl_var_lookup_ssl_version(p, var+12);*/
else if (strcEQ(var, "SERVER_SOFTWARE"))
result = ap_get_server_banner();
else if (strcEQ(var, "API_VERSION")) {
result = apr_itoa(p, MODULE_MAGIC_NUMBER_MAJOR);
resdup = FALSE;
}
else if (strcEQ(var, "TIME_YEAR")) {
apr_time_exp_lt(&tm, apr_time_now());
result = apr_psprintf(p, "%02d%02d",
(tm.tm_year / 100) + 19, tm.tm_year % 100);
resdup = FALSE;
}
#define MKTIMESTR(format, tmfield) \
apr_time_exp_lt(&tm, apr_time_now()); \
result = apr_psprintf(p, format, tm.tmfield); \
resdup = FALSE;
else if (strcEQ(var, "TIME_MON")) {
MKTIMESTR("%02d", tm_mon+1)
}
else if (strcEQ(var, "TIME_DAY")) {
MKTIMESTR("%02d", tm_mday)
}
else if (strcEQ(var, "TIME_HOUR")) {
MKTIMESTR("%02d", tm_hour)
}
else if (strcEQ(var, "TIME_MIN")) {
MKTIMESTR("%02d", tm_min)
}
else if (strcEQ(var, "TIME_SEC")) {
MKTIMESTR("%02d", tm_sec)
}
else if (strcEQ(var, "TIME_WDAY")) {
MKTIMESTR("%d", tm_wday)
}
else if (strcEQ(var, "TIME")) {
apr_time_exp_lt(&tm, apr_time_now());
result = apr_psprintf(p,
"%02d%02d%02d%02d%02d%02d%02d", (tm.tm_year / 100) + 19,
(tm.tm_year % 100), tm.tm_mon+1, tm.tm_mday,
tm.tm_hour, tm.tm_min, tm.tm_sec);
resdup = FALSE;
}
/* all other env-variables from the parent Apache process */
else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) {
result = apr_table_get(r->notes, var+4);
if (result == NULL)
result = apr_table_get(r->subprocess_env, var+4);
if (result == NULL)
result = getenv(var+4);
}
}
if (result != NULL && resdup)
result = apr_pstrdup(p, result);
if (result == NULL)
result = "";
return (char *)result;
}
#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
#define CONNECTION_HEADER "Connection: Upgrade"
static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,
apr_bucket_brigade *bb)
{
const char *upgrade;
apr_bucket_brigade *upgradebb;
request_rec *r = f->r;
apr_socket_t *csd = NULL;
char *key;
int ret;
secsocket_data *csd_data;
apr_bucket *b;
apr_status_t rv;
/* Just remove the filter, if it doesn't work the first time, it won't
* work at all for this request.
*/
ap_remove_output_filter(f);
if (!r) {
/*
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02131)
"Unable to get upgradeable socket handle");
*/
return ap_pass_brigade(f->next, bb);
}
/* No need to ensure that this is a server with optional SSL, the filter
* is only inserted if that is true.
*/
upgrade = apr_table_get(r->headers_in, "Upgrade");
if (upgrade == NULL
|| strcmp(ap_getword(r->pool, &upgrade, ','), "TLS/1.0")) {
/* "Upgrade: TLS/1.0, ..." header not found, don't do Upgrade */
return ap_pass_brigade(f->next, bb);
}
apr_table_unset(r->headers_out, "Upgrade");
csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module);
csd = csd_data->csd;
/* Send the interim 101 response. */
upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc);
ap_fputs(f->next, upgradebb, SWITCH_STATUS_LINE CRLF
UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF);
b = apr_bucket_flush_create(f->c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(upgradebb, b);
rv = ap_pass_brigade(f->next, upgradebb);
if (rv) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02132)
"could not send interim 101 Upgrade response");
return AP_FILTER_ERROR;
}
key = get_port_key(r->connection);
if (csd && key) {
int sockdes;
apr_os_sock_get(&sockdes, csd);
ret = SSLize_Socket(sockdes, key, r);
if (!ret) {
csd_data->is_secure = 1;
}
}
else {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02133)
"Upgradeable socket handle not found");
return AP_FILTER_ERROR;
}
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, APLOGNO(02134)
"Awaiting re-negotiation handshake");
/* Now that we have initialized the ssl connection which added the ssl_io_filter,
pass the brigade off to the connection based output filters so that the
request can complete encrypted */
return ap_pass_brigade(f->c->output_filters, bb);
}
static void ssl_hook_Insert_Filter(request_rec *r)
{
NWSSLSrvConfigRec *sc = get_nwssl_cfg(r->server);
if (isSecureUpgradeable (r)) {
ap_add_output_filter("UPGRADE_FILTER", NULL, r, r->connection);
}
}
static const command_rec nwssl_module_cmds[] =
{
AP_INIT_TAKE23("SecureListen", set_secure_listener, NULL, RSRC_CONF,
"specify an address and/or port with a key pair name.\n"
"Optional third parameter of MUTUAL configures the port for mutual authentication."),
AP_INIT_TAKE2("NWSSLUpgradeable", set_secure_upgradeable_listener, NULL, RSRC_CONF,
"specify an address and/or port with a key pair name, that can be upgraded to an SSL connection.\n"
"The address and/or port must have already be defined using a Listen directive."),
AP_INIT_ITERATE("NWSSLTrustedCerts", set_trusted_certs, NULL, RSRC_CONF,
"Adds trusted certificates that are used to create secure connections to proxied servers"),
{NULL}
};
static void register_hooks(apr_pool_t *p)
{
ap_register_output_filter ("UPGRADE_FILTER", ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
ap_hook_pre_config(nwssl_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_pre_connection(nwssl_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(nwssl_post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_fixups(nwssl_hook_Fixup, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_http_scheme(nwssl_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_default_port(nwssl_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_insert_filter(ssl_hook_Insert_Filter, NULL, NULL, APR_HOOK_MIDDLE);
APR_REGISTER_OPTIONAL_FN(ssl_is_https);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
AP_DECLARE_MODULE(nwssl) =
{
STANDARD20_MODULE_STUFF,
NULL, /* dir config creater */
NULL, /* dir merger --- default is to override */
nwssl_config_server_create, /* server config */
nwssl_config_server_merge, /* merge server config */
nwssl_module_cmds, /* command apr_table_t */
register_hooks
};
Reference in New Issue View Git Blame Copy Permalink