diff options
Diffstat (limited to 'modules/arch/netware/mod_nw_ssl.c')
-rw-r--r-- | modules/arch/netware/mod_nw_ssl.c | 1285 |
1 files changed, 1285 insertions, 0 deletions
diff --git a/modules/arch/netware/mod_nw_ssl.c b/modules/arch/netware/mod_nw_ssl.c new file mode 100644 index 0000000..298554a --- /dev/null +++ b/modules/arch/netware/mod_nw_ssl.c @@ -0,0 +1,1285 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * based on mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner. + * + * This module gives Apache the ability to do SSL/TLS with a minimum amount + * of effort. All of the SSL/TLS logic is already on NetWare versions 5 and + * above and is interfaced through WinSock on NetWare. As you can see in + * the code below SSL/TLS sockets can be created with three WinSock calls. + * + * To load, simply place the module in the modules directory under the main + * apache tree. Then add a "SecureListen" with two arguments. The first + * argument is an address and/or port. The second argument is the key pair + * name as created in ConsoleOne. + * + * Examples: + * + * SecureListen 443 "SSL CertificateIP" + * SecureListen 123.45.67.89:443 mycert + * + * The module also supports RFC 2817 / TLS Upgrade for HTTP 1.1. + * For this add a "NWSSLUpgradeable" with two arguments. The first + * argument is an address and/or port. The second argument is the key pair + * name as created in ConsoleOne. + * + * Examples: + * + * NWSSLUpgradeable 8080 "SSL CertificateIP" + * NWSSLUpgradeable 123.45.67.89:8080 mycert + * + */ + +#define WS_SSL + +#define MAX_ADDRESS 512 +#define MAX_KEY 80 + + +#include "httpd.h" +#include "http_config.h" +#include "http_connection.h" +#include "http_core.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" +#include "ap_listen.h" +#include "apr_strings.h" +#include "apr_portable.h" +#include "apr_optional.h" + +#include <unilib.h> + +#ifndef SO_TLS_UNCLEAN_SHUTDOWN +#define SO_TLS_UNCLEAN_SHUTDOWN 0 +#endif + +/* The ssl_var_lookup() optional function retrieves SSL environment + * variables. */ +APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, + (apr_pool_t *, server_rec *, + conn_rec *, request_rec *, + char *)); + +/* An optional function which returns non-zero if the given connection + * is using SSL/TLS. */ +APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); + +/* The ssl_proxy_enable() and ssl_engine_disable() optional functions + * are used by mod_proxy to enable use of SSL for outgoing + * connections. */ +APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); +APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); + +#define strEQ(s1,s2) (strcmp(s1,s2) == 0) +#define strNE(s1,s2) (strcmp(s1,s2) != 0) +#define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0) +#define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0) + +#define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0) +#define strcNE(s1,s2) (strcasecmp(s1,s2) != 0) +#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0) +#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0) + +#define strIsEmpty(s) (s == NULL || s[0] == NUL) + + +module AP_MODULE_DECLARE_DATA nwssl_module; + +typedef struct NWSSLSrvConfigRec NWSSLSrvConfigRec; +typedef struct seclisten_rec seclisten_rec; +typedef struct seclistenup_rec seclistenup_rec; +typedef struct secsocket_data secsocket_data; + +struct seclisten_rec { + seclisten_rec *next; + struct sockaddr_in local_addr; /* local IP address and port */ + int fd; + int used; /* Only used during restart */ + char key[MAX_KEY]; + int mutual; + char *addr; + apr_port_t port; +}; + +struct seclistenup_rec { + seclistenup_rec *next; + char key[MAX_KEY]; + char *addr; + apr_port_t port; +}; + +struct NWSSLSrvConfigRec { + apr_table_t *sltable; + apr_table_t *slutable; + apr_pool_t *pPool; +}; + +struct secsocket_data { + apr_socket_t* csd; + int is_secure; +}; + +static apr_array_header_t *certlist = NULL; +static unicode_t** certarray = NULL; +static int numcerts = 0; +static seclisten_rec* ap_seclisteners = NULL; +static seclistenup_rec* ap_seclistenersup = NULL; + +static ap_listen_rec *nw_old_listeners; + +#define get_nwssl_cfg(srv) (NWSSLSrvConfigRec *) ap_get_module_config(srv->module_config, &nwssl_module) + + +static void build_cert_list(apr_pool_t *p) +{ + int i; + char **rootcerts = (char **)certlist->elts; + + numcerts = certlist->nelts; + certarray = apr_palloc(p, sizeof(unicode_t*)*numcerts); + + for (i = 0; i < numcerts; ++i) { + unicode_t *unistr; + unistr = (unicode_t*)apr_palloc(p, strlen(rootcerts[i])*4); + loc2uni (UNI_LOCAL_DEFAULT, unistr, rootcerts[i], 0, 2); + certarray[i] = unistr; + } +} + +/* + * Parses a host of the form <address>[:port] + * :port is permitted if 'port' is not NULL + */ +static unsigned long parse_addr(const char *w, unsigned short *ports) +{ + struct hostent *hep; + unsigned long my_addr; + char *p; + + p = strchr(w, ':'); + if (ports != NULL) { + *ports = 0; + if (p != NULL && strcmp(p + 1, "*") != 0) + *ports = atoi(p + 1); + } + + if (p != NULL) + *p = '\0'; + if (strcmp(w, "*") == 0) { + if (p != NULL) + *p = ':'; + return htonl(INADDR_ANY); + } + + my_addr = apr_inet_addr((char *)w); + if (my_addr != INADDR_NONE) { + if (p != NULL) + *p = ':'; + return my_addr; + } + + hep = gethostbyname(w); + + if ((!hep) || (hep->h_addrtype != AF_INET || !hep->h_addr_list[0])) { + /* XXX Should be echoing by h_errno the actual failure, no? + * ap_log_error would be good here. Better yet - APRize. + */ + fprintf(stderr, "Cannot resolve host name %s --- exiting!\n", w); + exit(1); + } + + if (hep->h_addr_list[1]) { + fprintf(stderr, "Host %s has multiple addresses ---\n", w); + fprintf(stderr, "you must choose one explicitly for use as\n"); + fprintf(stderr, "a secure port. Exiting!!!\n"); + exit(1); + } + + if (p != NULL) + *p = ':'; + + return ((struct in_addr *) (hep->h_addr))->s_addr; +} + +static int find_secure_listener(seclisten_rec *lr) +{ + seclisten_rec *sl; + + for (sl = ap_seclisteners; sl; sl = sl->next) { + if (!memcmp(&sl->local_addr, &lr->local_addr, sizeof(sl->local_addr))) { + sl->used = 1; + return sl->fd; + } + } + return -1; +} + +static char *get_port_key(conn_rec *c) +{ + seclistenup_rec *sl; + + for (sl = ap_seclistenersup; sl; sl = sl->next) { + if ((sl->port == (c->local_addr)->port) && + ((strcmp(sl->addr, "0.0.0.0") == 0) || + (strcmp(sl->addr, c->local_ip) == 0))) { + return sl->key; + } + } + return NULL; +} + +static int make_secure_socket(apr_pool_t *pconf, + const struct sockaddr_in *server, + char* key, int mutual, server_rec *sconf) +{ + int s; + char addr[MAX_ADDRESS]; + struct sslserveropts opts; + unsigned int optParam; + WSAPROTOCOL_INFO SecureProtoInfo; + + if (server->sin_addr.s_addr != htonl(INADDR_ANY)) + apr_snprintf(addr, sizeof(addr), "address %s port %d", + inet_ntoa(server->sin_addr), ntohs(server->sin_port)); + else + apr_snprintf(addr, sizeof(addr), "port %d", ntohs(server->sin_port)); + + /* note that because we're about to slack we don't use psocket */ + memset(&SecureProtoInfo, 0, sizeof(WSAPROTOCOL_INFO)); + + SecureProtoInfo.iAddressFamily = AF_INET; + SecureProtoInfo.iSocketType = SOCK_STREAM; + SecureProtoInfo.iProtocol = IPPROTO_TCP; + SecureProtoInfo.iSecurityScheme = SECURITY_PROTOCOL_SSL; + + s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, + (LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0); + + if (s == INVALID_SOCKET) { + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02120) + "make_secure_socket: failed to get a socket for %s", + addr); + return -1; + } + + if (!mutual) { + optParam = SO_SSL_ENABLE | SO_SSL_SERVER; + + if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam, + sizeof(optParam), NULL, 0, NULL, NULL, NULL)) { + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02121) + "make_secure_socket: for %s, WSAIoctl: " + "(SO_SSL_SET_FLAGS)", addr); + return -1; + } + } + + opts.cert = key; + opts.certlen = strlen(key); + opts.sidtimeout = 0; + opts.sidentries = 0; + opts.siddir = NULL; + + if (WSAIoctl(s, SO_SSL_SET_SERVER, (char *)&opts, sizeof(opts), + NULL, 0, NULL, NULL, NULL) != 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02122) + "make_secure_socket: for %s, WSAIoctl: " + "(SO_SSL_SET_SERVER)", addr); + return -1; + } + + if (mutual) { + optParam = 0x07; /* SO_SSL_AUTH_CLIENT */ + + if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam, sizeof(optParam), + NULL, 0, NULL, NULL, NULL)) { + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02123) + "make_secure_socket: for %s, WSAIoctl: " + "(SO_SSL_SET_FLAGS)", addr); + return -1; + } + } + + optParam = SO_TLS_UNCLEAN_SHUTDOWN; + WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam, sizeof(optParam), + NULL, 0, NULL, NULL, NULL); + + return s; +} + +static int convert_secure_socket(conn_rec *c, apr_socket_t *csd) +{ + int rcode; + struct tlsclientopts sWS2Opts; + struct nwtlsopts sNWTLSOpts; + struct sslserveropts opts; + unsigned long ulFlags; + SOCKET sock; + unicode_t keyFileName[60]; + + apr_os_sock_get(&sock, csd); + + /* zero out buffers */ + memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts)); + memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts)); + + /* turn on ssl for the socket */ + ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT); + rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), + NULL, 0, NULL, NULL, NULL); + if (SOCKET_ERROR == rcode) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02124) + "Error: %d with WSAIoctl(flag SO_TLS_ENABLE)", + WSAGetLastError()); + return rcode; + } + + ulFlags = SO_TLS_UNCLEAN_SHUTDOWN; + WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), + NULL, 0, NULL, NULL, NULL); + + /* setup the socket for SSL */ + memset (&sWS2Opts, 0, sizeof(sWS2Opts)); + memset (&sNWTLSOpts, 0, sizeof(sNWTLSOpts)); + sWS2Opts.options = &sNWTLSOpts; + + if (numcerts) { + sNWTLSOpts.walletProvider = WAL_PROV_DER; /* the wallet provider defined in wdefs.h */ + sNWTLSOpts.TrustedRootList = certarray; /* array of certs in UNICODE format */ + sNWTLSOpts.numElementsInTRList = numcerts; /* number of certs in TRList */ + } + else { + /* setup the socket for SSL */ + unicpy(keyFileName, L"SSL CertificateIP"); + sWS2Opts.wallet = keyFileName; /* no client certificate */ + sWS2Opts.walletlen = unilen(keyFileName); + + sNWTLSOpts.walletProvider = WAL_PROV_KMO; /* the wallet provider defined in wdefs.h */ + } + + /* make the IOCTL call */ + rcode = WSAIoctl(sock, SO_TLS_SET_CLIENT, &sWS2Opts, + sizeof(struct tlsclientopts), NULL, 0, NULL, + NULL, NULL); + + /* make sure that it was successful */ + if (SOCKET_ERROR == rcode ) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02125) + "Error: %d with WSAIoctl(SO_TLS_SET_CLIENT)", + WSAGetLastError()); + } + return rcode; +} + +static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r) +{ + int rcode; + struct tlsserveropts sWS2Opts; + struct nwtlsopts sNWTLSOpts; + unicode_t SASKey[512]; + unsigned long ulFlag; + + memset((char *)&sWS2Opts, 0, sizeof(struct tlsserveropts)); + memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts)); + + ulFlag = SO_TLS_ENABLE; + rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, + sizeof(unsigned long), NULL, 0, NULL, NULL, NULL); + if (rcode) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02126) + "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)", + WSAGetLastError()); + goto ERR; + } + + + ulFlag = SO_TLS_SERVER; + rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, + sizeof(unsigned long),NULL, 0, NULL, NULL, NULL); + + if (rcode) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02127) + "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)", + WSAGetLastError()); + goto ERR; + } + + loc2uni(UNI_LOCAL_DEFAULT, SASKey, key, 0, 0); + + /* setup the tlsserveropts struct */ + sWS2Opts.wallet = SASKey; + sWS2Opts.walletlen = unilen(SASKey); + sWS2Opts.sidtimeout = 0; + sWS2Opts.sidentries = 0; + sWS2Opts.siddir = NULL; + sWS2Opts.options = &sNWTLSOpts; + + /* setup the nwtlsopts structure */ + + sNWTLSOpts.walletProvider = WAL_PROV_KMO; + sNWTLSOpts.keysList = NULL; + sNWTLSOpts.numElementsInKeyList = 0; + sNWTLSOpts.reservedforfutureuse = NULL; + sNWTLSOpts.reservedforfutureCRL = NULL; + sNWTLSOpts.reservedforfutureCRLLen = 0; + sNWTLSOpts.reserved1 = NULL; + sNWTLSOpts.reserved2 = NULL; + sNWTLSOpts.reserved3 = NULL; + + rcode = WSAIoctl(socketHnd, + SO_TLS_SET_SERVER, + &sWS2Opts, + sizeof(struct tlsserveropts), + NULL, + 0, + NULL, + NULL, + NULL); + if (SOCKET_ERROR == rcode) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02128) + "Error: %d with WSAIoctl(SO_TLS_SET_SERVER)", WSAGetLastError()); + goto ERR; + } + +ERR: + return rcode; +} + +static const char *set_secure_listener(cmd_parms *cmd, void *dummy, + const char *ips, const char* key, + const char* mutual) +{ + NWSSLSrvConfigRec* sc = get_nwssl_cfg(cmd->server); + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + char *ports, *addr; + unsigned short port; + seclisten_rec *new; + ap_listen_rec **walk; + apr_sockaddr_t *sa; + int found_listener = 0; + + + if (err != NULL) + return err; + + ports = strchr(ips, ':'); + + if (ports != NULL) { + if (ports == ips) + return "Missing IP address"; + else if (ports[1] == '\0') + return "Address must end in :<port-number>"; + + *(ports++) = '\0'; + } + else { + ports = (char*)ips; + } + + new = apr_pcalloc(cmd->server->process->pool, sizeof(seclisten_rec)); + new->local_addr.sin_family = AF_INET; + + if (ports == ips) { + new->local_addr.sin_addr.s_addr = htonl(INADDR_ANY); + addr = apr_pstrdup(cmd->server->process->pool, "0.0.0.0"); + } + else { + new->local_addr.sin_addr.s_addr = parse_addr(ips, NULL); + addr = apr_pstrdup(cmd->server->process->pool, ips); + } + + port = atoi(ports); + + if (!port) + return "Port must be numeric"; + + /* If the specified addr:port was created previously, put the listen + socket record back on the ap_listeners list so that the socket + will be reused rather than recreated */ + for (walk = &nw_old_listeners; *walk;) { + sa = (*walk)->bind_addr; + if (sa) { + ap_listen_rec *new; + apr_port_t oldport; + + oldport = sa->port; + /* If both ports are equivalent, then if their names are equivalent, + * then we will re-use the existing record. + */ + if (port == oldport && + ((!addr && !sa->hostname) || + ((addr && sa->hostname) && !strcmp(sa->hostname, addr)))) { + new = *walk; + *walk = new->next; + new->next = ap_listeners; + ap_listeners = new; + found_listener = 1; + continue; + } + } + + walk = &(*walk)->next; + } + + apr_table_add(sc->sltable, ports, addr); + + /* If we found a pre-existing listen socket record, then there + is no need to create a new secure listen socket record. */ + if (found_listener) { + return NULL; + } + + new->local_addr.sin_port = htons(port); + new->fd = -1; + new->used = 0; + new->next = ap_seclisteners; + strcpy(new->key, key); + new->mutual = (mutual) ? 1 : 0; + new->addr = addr; + new->port = port; + ap_seclisteners = new; + return NULL; +} + +static const char *set_secure_upgradeable_listener(cmd_parms *cmd, void *dummy, + const char *ips, const char* key) +{ + NWSSLSrvConfigRec* sc = get_nwssl_cfg(cmd->server); + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + char *ports, *addr; + unsigned short port; + seclistenup_rec *new; + + if (err != NULL) + return err; + + ports = strchr(ips, ':'); + + if (ports != NULL) { + if (ports == ips) + return "Missing IP address"; + else if (ports[1] == '\0') + return "Address must end in :<port-number>"; + + *(ports++) = '\0'; + } + else { + ports = (char*)ips; + } + + if (ports == ips) { + addr = apr_pstrdup(cmd->pool, "0.0.0.0"); + } + else { + addr = apr_pstrdup(cmd->pool, ips); + } + + port = atoi(ports); + + if (!port) + return "Port must be numeric"; + + apr_table_set(sc->slutable, ports, addr); + + new = apr_pcalloc(cmd->pool, sizeof(seclistenup_rec)); + new->next = ap_seclistenersup; + strcpy(new->key, key); + new->addr = addr; + new->port = port; + ap_seclistenersup = new; + + return err; +} + +static apr_status_t nwssl_socket_cleanup(void *data) +{ + ap_listen_rec* slr = (ap_listen_rec*)data; + ap_listen_rec* lr; + + /* Remove our secure listener from the listener list */ + for (lr = ap_listeners; lr; lr = lr->next) { + /* slr is at the head of the list */ + if (lr == slr) { + ap_listeners = slr->next; + break; + } + /* slr is somewhere in between or at the end*/ + if (lr->next == slr) { + lr->next = slr->next; + break; + } + } + return APR_SUCCESS; +} + +static const char *set_trusted_certs(cmd_parms *cmd, void *dummy, char *arg) +{ + char **ptr = (char **)apr_array_push(certlist); + + *ptr = arg; + return NULL; +} + +static int nwssl_pre_config(apr_pool_t *pconf, apr_pool_t *plog, + apr_pool_t *ptemp) +{ + seclisten_rec* ap_old_seclisteners; + ap_listen_rec **walk; + seclisten_rec **secwalk; + apr_sockaddr_t *sa; + int found; + + /* Pull all of the listeners that were created by mod_nw_ssl out of the + ap_listeners list so that the normal listen socket processing does + automatically close them */ + nw_old_listeners = NULL; + ap_old_seclisteners = NULL; + + for (secwalk = &ap_seclisteners; *secwalk;) { + found = 0; + for (walk = &ap_listeners; *walk;) { + sa = (*walk)->bind_addr; + if (sa) { + ap_listen_rec *new; + seclisten_rec *secnew; + apr_port_t oldport; + + oldport = sa->port; + /* If both ports are equivalent, then if their names are equivalent, + * then we will re-use the existing record. + */ + if ((*secwalk)->port == oldport && + ((!(*secwalk)->addr && !sa->hostname) || + (((*secwalk)->addr && sa->hostname) && !strcmp(sa->hostname, (*secwalk)->addr)))) { + /* Move the listen socket from ap_listeners to nw_old_listeners */ + new = *walk; + *walk = new->next; + new->next = nw_old_listeners; + nw_old_listeners = new; + + /* Move the secure socket record to ap_old_seclisterners */ + secnew = *secwalk; + *secwalk = secnew->next; + secnew->next = ap_old_seclisteners; + ap_old_seclisteners = secnew; + found = 1; + break; + } + } + + walk = &(*walk)->next; + } + if (!found && &(*secwalk)->next) { + secwalk = &(*secwalk)->next; + } + } + + /* Restore the secure socket records list so that the post config can + process all of the sockets normally */ + ap_seclisteners = ap_old_seclisteners; + ap_seclistenersup = NULL; + certlist = apr_array_make(pconf, 1, sizeof(char *)); + + /* Now that we have removed all of the mod_nw_ssl created socket records, + allow the normal listen socket handling to occur. + NOTE: If for any reason mod_nw_ssl is removed as a built-in module, + the following call must be put back into the pre-config handler of the + MPM. It is only here to ensure that mod_nw_ssl fixes up the listen + socket list before anything else looks at it. */ + ap_listen_pre_config(); + + return OK; +} + +static int nwssl_pre_connection(conn_rec *c, void *csd) +{ + + if (apr_table_get(c->notes, "nwconv-ssl")) { + convert_secure_socket(c, (apr_socket_t*)csd); + } + else { + secsocket_data *csd_data = apr_palloc(c->pool, sizeof(secsocket_data)); + + csd_data->csd = (apr_socket_t*)csd; + csd_data->is_secure = 0; + ap_set_module_config(c->conn_config, &nwssl_module, (void*)csd_data); + } + + return OK; +} + +static int nwssl_post_config(apr_pool_t *pconf, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *s) +{ + seclisten_rec* sl; + ap_listen_rec* lr; + apr_socket_t* sd; + apr_status_t status; + seclistenup_rec *slu; + int found; + ap_listen_rec *walk; + seclisten_rec *secwalk, *lastsecwalk; + apr_sockaddr_t *sa; + + /* Walk the old listeners list and compare it to the secure + listeners list and remove any secure listener records that + are not being reused */ + for (walk = nw_old_listeners; walk; walk = walk->next) { + sa = walk->bind_addr; + if (sa) { + ap_listen_rec *new; + apr_port_t oldport; + + oldport = sa->port; + for (secwalk = ap_seclisteners, lastsecwalk = ap_seclisteners; secwalk; secwalk = lastsecwalk->next) { + unsigned short port = secwalk->port; + char *addr = secwalk->addr; + /* If both ports are equivalent, then if their names are equivalent, + * then we will re-use the existing record. + */ + if (port == oldport && + ((!addr && !sa->hostname) || + ((addr && sa->hostname) && !strcmp(sa->hostname, addr)))) { + if (secwalk == ap_seclisteners) { + ap_seclisteners = secwalk->next; + } + else { + lastsecwalk->next = secwalk->next; + } + apr_socket_close(walk->sd); + walk->active = 0; + break; + } + else { + lastsecwalk = secwalk; + } + } + } + } + + for (sl = ap_seclisteners; sl != NULL; sl = sl->next) { + /* If we find a pre-existing listen socket and it has already been + created, then no need to go any further, just reuse it. */ + if (((sl->fd = find_secure_listener(sl)) >= 0) && (sl->used)) { + continue; + } + + if (sl->fd < 0) + sl->fd = make_secure_socket(s->process->pool, &sl->local_addr, sl->key, sl->mutual, s); + + if (sl->fd >= 0) { + apr_os_sock_info_t sock_info; + + sock_info.os_sock = &(sl->fd); + sock_info.local = (struct sockaddr*)&(sl->local_addr); + sock_info.remote = NULL; + sock_info.family = APR_INET; + sock_info.type = SOCK_STREAM; + + apr_os_sock_make(&sd, &sock_info, s->process->pool); + + lr = apr_pcalloc(s->process->pool, sizeof(ap_listen_rec)); + + if (lr) { + lr->sd = sd; + if ((status = apr_sockaddr_info_get(&lr->bind_addr, sl->addr, APR_UNSPEC, sl->port, 0, + s->process->pool)) != APR_SUCCESS) { + ap_log_perror(APLOG_MARK, APLOG_CRIT, status, pconf, APLOGNO(02129) + "alloc_listener: failed to set up sockaddr for %s:%d", sl->addr, sl->port); + return HTTP_INTERNAL_SERVER_ERROR; + } + lr->next = ap_listeners; + ap_listeners = lr; + apr_pool_cleanup_register(s->process->pool, lr, nwssl_socket_cleanup, apr_pool_cleanup_null); + } + } else { + return HTTP_INTERNAL_SERVER_ERROR; + } + } + + for (slu = ap_seclistenersup; slu; slu = slu->next) { + /* Check the listener list for a matching upgradeable listener */ + found = 0; + for (lr = ap_listeners; lr; lr = lr->next) { + if (slu->port == lr->bind_addr->port) { + found = 1; + break; + } + } + if (!found) { + ap_log_perror(APLOG_MARK, APLOG_WARNING, 0, plog, APLOGNO(02130) + "No Listen directive found for upgradeable listener %s:%d", slu->addr, slu->port); + } + } + + build_cert_list(s->process->pool); + + return OK; +} + +static void *nwssl_config_server_create(apr_pool_t *p, server_rec *s) +{ + NWSSLSrvConfigRec *new = apr_palloc(p, sizeof(NWSSLSrvConfigRec)); + new->sltable = apr_table_make(p, 5); + new->slutable = apr_table_make(p, 5); + return new; +} + +static void *nwssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) +{ + NWSSLSrvConfigRec *base = (NWSSLSrvConfigRec *)basev; + NWSSLSrvConfigRec *add = (NWSSLSrvConfigRec *)addv; + NWSSLSrvConfigRec *merged = (NWSSLSrvConfigRec *)apr_palloc(p, sizeof(NWSSLSrvConfigRec)); + return merged; +} + +static int compare_ipports(void *rec, const char *key, const char *value) +{ + conn_rec *c = (conn_rec*)rec; + + if (value && + ((strcmp(value, "0.0.0.0") == 0) || (strcmp(value, c->local_ip) == 0))) + { + return 0; + } + return 1; +} + +static int isSecureConnEx (const server_rec *s, const conn_rec *c, const apr_table_t *t) +{ + char port[8]; + + itoa((c->local_addr)->port, port, 10); + if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL)) { + return 1; + } + + return 0; +} + +static int isSecureConn (const server_rec *s, const conn_rec *c) +{ + NWSSLSrvConfigRec *sc = get_nwssl_cfg(s); + + return isSecureConnEx (s, c, sc->sltable); +} + +static int isSecureConnUpgradeable (const server_rec *s, const conn_rec *c) +{ + NWSSLSrvConfigRec *sc = get_nwssl_cfg(s); + + return isSecureConnEx (s, c, sc->slutable); +} + +static int isSecure (const request_rec *r) +{ + return isSecureConn (r->server, r->connection); +} + +static int isSecureUpgradeable (const request_rec *r) +{ + return isSecureConnUpgradeable (r->server, r->connection); +} + +static int isSecureUpgraded (const request_rec *r) +{ + secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module); + + return csd_data->is_secure; +} + +static int nwssl_hook_Fixup(request_rec *r) +{ + if (!isSecure(r) && !isSecureUpgraded(r)) + return DECLINED; + + apr_table_setn(r->subprocess_env, "HTTPS", "on"); + + return DECLINED; +} + +static const char *nwssl_hook_http_scheme(const request_rec *r) +{ + if (isSecure(r) && !isSecureUpgraded(r)) + return "https"; + + return NULL; +} + +static apr_port_t nwssl_hook_default_port(const request_rec *r) +{ + if (isSecure(r)) + return DEFAULT_HTTPS_PORT; + + return 0; +} + +int ssl_proxy_enable(conn_rec *c) +{ + apr_table_setn(c->notes, "nwconv-ssl", "Y"); + + return 1; +} + +int ssl_engine_disable(conn_rec *c) +{ + return 1; +} + +static int ssl_is_https(conn_rec *c) +{ + secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(c->conn_config, &nwssl_module); + + return isSecureConn (c->base_server, c) || (csd_data && csd_data->is_secure); +} + +/* This function must remain safe to use for a non-SSL connection. */ +char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) +{ + NWSSLSrvConfigRec *mc = get_nwssl_cfg(s); + const char *result; + BOOL resdup; + apr_time_exp_t tm; + + result = NULL; + resdup = TRUE; + + /* + * When no pool is given try to find one + */ + if (p == NULL) { + if (r != NULL) + p = r->pool; + else if (c != NULL) + p = c->pool; + else + p = mc->pPool; + } + + /* + * Request dependent stuff + */ + if (r != NULL) { + switch (var[0]) { + case 'H': + case 'h': + if (strcEQ(var, "HTTP_USER_AGENT")) + result = apr_table_get(r->headers_in, "User-Agent"); + else if (strcEQ(var, "HTTP_REFERER")) + result = apr_table_get(r->headers_in, "Referer"); + else if (strcEQ(var, "HTTP_COOKIE")) + result = apr_table_get(r->headers_in, "Cookie"); + else if (strcEQ(var, "HTTP_FORWARDED")) + result = apr_table_get(r->headers_in, "Forwarded"); + else if (strcEQ(var, "HTTP_HOST")) + result = apr_table_get(r->headers_in, "Host"); + else if (strcEQ(var, "HTTP_PROXY_CONNECTION")) + result = apr_table_get(r->headers_in, "Proxy-Connection"); + else if (strcEQ(var, "HTTP_ACCEPT")) + result = apr_table_get(r->headers_in, "Accept"); + else if (strcEQ(var, "HTTPS")) { + if (isSecure(r) || isSecureUpgraded(r)) + result = "on"; + else + result = "off"; + } + else if (strlen(var) > 5 && strcEQn(var, "HTTP:", 5)) + /* all other headers from which we are still not know about */ + result = apr_table_get(r->headers_in, var+5); + break; + + case 'R': + case 'r': + if (strcEQ(var, "REQUEST_METHOD")) + result = r->method; + else if (strcEQ(var, "REQUEST_SCHEME")) + result = ap_http_scheme(r); + else if (strcEQ(var, "REQUEST_URI")) + result = r->uri; + else if (strcEQ(var, "REQUEST_FILENAME")) + result = r->filename; + else if (strcEQ(var, "REMOTE_ADDR")) + result = r->useragent_ip; + else if (strcEQ(var, "REMOTE_HOST")) + result = ap_get_useragent_host(r, REMOTE_NAME, NULL); + else if (strcEQ(var, "REMOTE_IDENT")) + result = ap_get_remote_logname(r); + else if (strcEQ(var, "REMOTE_USER")) + result = r->user; + break; + + case 'S': + case 's': + if (strcEQn(var, "SSL", 3)) break; /* shortcut common case */ + + if (strcEQ(var, "SERVER_ADMIN")) + result = r->server->server_admin; + else if (strcEQ(var, "SERVER_NAME")) + result = ap_get_server_name_for_url(r); + else if (strcEQ(var, "SERVER_PORT")) + result = apr_psprintf(p, "%u", ap_get_server_port(r)); + else if (strcEQ(var, "SERVER_PROTOCOL")) + result = r->protocol; + else if (strcEQ(var, "SCRIPT_FILENAME")) + result = r->filename; + break; + + default: + if (strcEQ(var, "PATH_INFO")) + result = r->path_info; + else if (strcEQ(var, "QUERY_STRING")) + result = r->args; + else if (strcEQ(var, "IS_SUBREQ")) + result = (r->main != NULL ? "true" : "false"); + else if (strcEQ(var, "DOCUMENT_ROOT")) + result = ap_document_root(r); + else if (strcEQ(var, "AUTH_TYPE")) + result = r->ap_auth_type; + else if (strcEQ(var, "THE_REQUEST")) + result = r->the_request; + break; + } + } + + /* + * Connection stuff + */ + if (result == NULL && c != NULL) { + /* XXX-Can't get specific SSL info from NetWare */ + /* SSLConnRec *sslconn = myConnConfig(c); + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) + result = ssl_var_lookup_ssl(p, c, var+4);*/ + + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)) + result = NULL; + } + + /* + * Totally independent stuff + */ + if (result == NULL) { + if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) + result = NULL; + /* XXX-Can't get specific SSL info from NetWare */ + /*result = ssl_var_lookup_ssl_version(p, var+12);*/ + else if (strcEQ(var, "SERVER_SOFTWARE")) + result = ap_get_server_banner(); + else if (strcEQ(var, "API_VERSION")) { + result = apr_itoa(p, MODULE_MAGIC_NUMBER_MAJOR); + resdup = FALSE; + } + else if (strcEQ(var, "TIME_YEAR")) { + apr_time_exp_lt(&tm, apr_time_now()); + result = apr_psprintf(p, "%02d%02d", + (tm.tm_year / 100) + 19, tm.tm_year % 100); + resdup = FALSE; + } +#define MKTIMESTR(format, tmfield) \ + apr_time_exp_lt(&tm, apr_time_now()); \ + result = apr_psprintf(p, format, tm.tmfield); \ + resdup = FALSE; + else if (strcEQ(var, "TIME_MON")) { + MKTIMESTR("%02d", tm_mon+1) + } + else if (strcEQ(var, "TIME_DAY")) { + MKTIMESTR("%02d", tm_mday) + } + else if (strcEQ(var, "TIME_HOUR")) { + MKTIMESTR("%02d", tm_hour) + } + else if (strcEQ(var, "TIME_MIN")) { + MKTIMESTR("%02d", tm_min) + } + else if (strcEQ(var, "TIME_SEC")) { + MKTIMESTR("%02d", tm_sec) + } + else if (strcEQ(var, "TIME_WDAY")) { + MKTIMESTR("%d", tm_wday) + } + else if (strcEQ(var, "TIME")) { + apr_time_exp_lt(&tm, apr_time_now()); + result = apr_psprintf(p, + "%02d%02d%02d%02d%02d%02d%02d", (tm.tm_year / 100) + 19, + (tm.tm_year % 100), tm.tm_mon+1, tm.tm_mday, + tm.tm_hour, tm.tm_min, tm.tm_sec); + resdup = FALSE; + } + /* all other env-variables from the parent Apache process */ + else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) { + result = apr_table_get(r->notes, var+4); + if (result == NULL) + result = apr_table_get(r->subprocess_env, var+4); + if (result == NULL) + result = getenv(var+4); + } + } + + if (result != NULL && resdup) + result = apr_pstrdup(p, result); + if (result == NULL) + result = ""; + return (char *)result; +} + +#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols" +#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1" +#define CONNECTION_HEADER "Connection: Upgrade" + +static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f, + apr_bucket_brigade *bb) + +{ + const char *upgrade; + apr_bucket_brigade *upgradebb; + request_rec *r = f->r; + apr_socket_t *csd = NULL; + char *key; + int ret; + secsocket_data *csd_data; + apr_bucket *b; + apr_status_t rv; + + /* Just remove the filter, if it doesn't work the first time, it won't + * work at all for this request. + */ + ap_remove_output_filter(f); + + if (!r) { + /* + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02131) + "Unable to get upgradeable socket handle"); + */ + return ap_pass_brigade(f->next, bb); + } + + /* No need to ensure that this is a server with optional SSL, the filter + * is only inserted if that is true. + */ + + upgrade = apr_table_get(r->headers_in, "Upgrade"); + if (upgrade == NULL + || strcmp(ap_getword(r->pool, &upgrade, ','), "TLS/1.0")) { + /* "Upgrade: TLS/1.0, ..." header not found, don't do Upgrade */ + return ap_pass_brigade(f->next, bb); + } + + apr_table_unset(r->headers_out, "Upgrade"); + + csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module); + csd = csd_data->csd; + + /* Send the interim 101 response. */ + upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc); + + ap_fputs(f->next, upgradebb, SWITCH_STATUS_LINE CRLF + UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF); + + b = apr_bucket_flush_create(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(upgradebb, b); + + rv = ap_pass_brigade(f->next, upgradebb); + if (rv) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02132) + "could not send interim 101 Upgrade response"); + return AP_FILTER_ERROR; + } + + key = get_port_key(r->connection); + + if (csd && key) { + int sockdes; + apr_os_sock_get(&sockdes, csd); + + + ret = SSLize_Socket(sockdes, key, r); + if (!ret) { + csd_data->is_secure = 1; + } + } + else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02133) + "Upgradeable socket handle not found"); + return AP_FILTER_ERROR; + } + + ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, APLOGNO(02134) + "Awaiting re-negotiation handshake"); + + /* Now that we have initialized the ssl connection which added the ssl_io_filter, + pass the brigade off to the connection based output filters so that the + request can complete encrypted */ + return ap_pass_brigade(f->c->output_filters, bb); +} + +static void ssl_hook_Insert_Filter(request_rec *r) +{ + NWSSLSrvConfigRec *sc = get_nwssl_cfg(r->server); + + if (isSecureUpgradeable (r)) { + ap_add_output_filter("UPGRADE_FILTER", NULL, r, r->connection); + } +} + +static const command_rec nwssl_module_cmds[] = +{ + AP_INIT_TAKE23("SecureListen", set_secure_listener, NULL, RSRC_CONF, + "specify an address and/or port with a key pair name.\n" + "Optional third parameter of MUTUAL configures the port for mutual authentication."), + AP_INIT_TAKE2("NWSSLUpgradeable", set_secure_upgradeable_listener, NULL, RSRC_CONF, + "specify an address and/or port with a key pair name, that can be upgraded to an SSL connection.\n" + "The address and/or port must have already be defined using a Listen directive."), + AP_INIT_ITERATE("NWSSLTrustedCerts", set_trusted_certs, NULL, RSRC_CONF, + "Adds trusted certificates that are used to create secure connections to proxied servers"), + {NULL} +}; + +static void register_hooks(apr_pool_t *p) +{ + ap_register_output_filter ("UPGRADE_FILTER", ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); + + ap_hook_pre_config(nwssl_pre_config, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_pre_connection(nwssl_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_post_config(nwssl_post_config, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_fixups(nwssl_hook_Fixup, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_http_scheme(nwssl_hook_http_scheme, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_default_port(nwssl_hook_default_port, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_insert_filter(ssl_hook_Insert_Filter, NULL, NULL, APR_HOOK_MIDDLE); + + APR_REGISTER_OPTIONAL_FN(ssl_is_https); + APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); +} + +AP_DECLARE_MODULE(nwssl) = +{ + STANDARD20_MODULE_STUFF, + NULL, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + nwssl_config_server_create, /* server config */ + nwssl_config_server_merge, /* merge server config */ + nwssl_module_cmds, /* command apr_table_t */ + register_hooks +}; + |