diff options
Diffstat (limited to 'modules/tls/tls_conf.c')
| -rw-r--r-- | modules/tls/tls_conf.c | 780 |
1 files changed, 780 insertions, 0 deletions
diff --git a/modules/tls/tls_conf.c b/modules/tls/tls_conf.c new file mode 100644 index 0000000..a9f27de --- /dev/null +++ b/modules/tls/tls_conf.c @@ -0,0 +1,780 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include <assert.h> +#include <apr_lib.h> +#include <apr_strings.h> +#include <apr_version.h> + +#include <httpd.h> +#include <http_core.h> +#include <http_config.h> +#include <http_log.h> +#include <http_main.h> +#include <ap_socache.h> + +#include <rustls.h> + +#include "tls_cert.h" +#include "tls_proto.h" +#include "tls_conf.h" +#include "tls_util.h" +#include "tls_var.h" +#include "tls_cache.h" + + +extern module AP_MODULE_DECLARE_DATA tls_module; +APLOG_USE_MODULE(tls); + +static tls_conf_global_t *conf_global_get_or_make(apr_pool_t *pool, server_rec *s) +{ + tls_conf_global_t *gconf; + + /* we create this only once for apache's one ap_server_conf. + * If this gets called for another server, we should already have + * done it for ap_server_conf. */ + if (ap_server_conf && s != ap_server_conf) { + tls_conf_server_t *sconf = tls_conf_server_get(ap_server_conf); + ap_assert(sconf); + ap_assert(sconf->global); + return sconf->global; + } + + gconf = apr_pcalloc(pool, sizeof(*gconf)); + gconf->ap_server = ap_server_conf; + gconf->status = TLS_CONF_ST_INIT; + gconf->proto = tls_proto_init(pool, s); + gconf->proxy_configs = apr_array_make(pool, 10, sizeof(tls_conf_proxy_t*)); + + gconf->var_lookups = apr_hash_make(pool); + tls_var_init_lookup_hash(pool, gconf->var_lookups); + gconf->session_cache_spec = "default"; + + return gconf; +} + +tls_conf_server_t *tls_conf_server_get(server_rec *s) +{ + tls_conf_server_t *sc = ap_get_module_config(s->module_config, &tls_module); + ap_assert(sc); + return sc; +} + + +#define CONF_S_NAME(s) (s && s->server_hostname? s->server_hostname : "default") + +void *tls_conf_create_svr(apr_pool_t *pool, server_rec *s) +{ + tls_conf_server_t *conf; + + conf = apr_pcalloc(pool, sizeof(*conf)); + conf->global = conf_global_get_or_make(pool, s); + conf->server = s; + + conf->enabled = TLS_FLAG_UNSET; + conf->cert_specs = apr_array_make(pool, 3, sizeof(tls_cert_spec_t*)); + conf->honor_client_order = TLS_FLAG_UNSET; + conf->strict_sni = TLS_FLAG_UNSET; + conf->tls_protocol_min = TLS_FLAG_UNSET; + conf->tls_pref_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; + conf->tls_supp_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; + return conf; +} + +#define MERGE_INT(base, add, field) \ + (add->field == TLS_FLAG_UNSET)? base->field : add->field; + +void *tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv) +{ + tls_conf_server_t *base = basev; + tls_conf_server_t *add = addv; + tls_conf_server_t *nconf; + + nconf = apr_pcalloc(pool, sizeof(*nconf)); + nconf->server = add->server; + nconf->global = add->global? add->global : base->global; + + nconf->enabled = MERGE_INT(base, add, enabled); + nconf->cert_specs = apr_array_append(pool, base->cert_specs, add->cert_specs); + nconf->tls_protocol_min = MERGE_INT(base, add, tls_protocol_min); + nconf->tls_pref_ciphers = add->tls_pref_ciphers->nelts? + add->tls_pref_ciphers : base->tls_pref_ciphers; + nconf->tls_supp_ciphers = add->tls_supp_ciphers->nelts? + add->tls_supp_ciphers : base->tls_supp_ciphers; + nconf->honor_client_order = MERGE_INT(base, add, honor_client_order); + nconf->client_ca = add->client_ca? add->client_ca : base->client_ca; + nconf->client_auth = (add->client_auth != TLS_CLIENT_AUTH_UNSET)? + add->client_auth : base->client_auth; + nconf->var_user_name = add->var_user_name? add->var_user_name : base->var_user_name; + return nconf; +} + +tls_conf_dir_t *tls_conf_dir_get(request_rec *r) +{ + tls_conf_dir_t *dc = ap_get_module_config(r->per_dir_config, &tls_module); + ap_assert(dc); + return dc; +} + +tls_conf_dir_t *tls_conf_dir_server_get(server_rec *s) +{ + tls_conf_dir_t *dc = ap_get_module_config(s->lookup_defaults, &tls_module); + ap_assert(dc); + return dc; +} + +void *tls_conf_create_dir(apr_pool_t *pool, char *dir) +{ + tls_conf_dir_t *conf; + + (void)dir; + conf = apr_pcalloc(pool, sizeof(*conf)); + conf->std_env_vars = TLS_FLAG_UNSET; + conf->proxy_enabled = TLS_FLAG_UNSET; + conf->proxy_protocol_min = TLS_FLAG_UNSET; + conf->proxy_pref_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; + conf->proxy_supp_ciphers = apr_array_make(pool, 3, sizeof(apr_uint16_t));; + conf->proxy_machine_cert_specs = apr_array_make(pool, 3, sizeof(tls_cert_spec_t*)); + return conf; +} + + +static int same_proxy_settings(tls_conf_dir_t *a, tls_conf_dir_t *b) +{ + return a->proxy_ca == b->proxy_ca; +} + +static void dir_assign_merge( + tls_conf_dir_t *dest, apr_pool_t *pool, tls_conf_dir_t *base, tls_conf_dir_t *add) +{ + tls_conf_dir_t local; + + memset(&local, 0, sizeof(local)); + local.std_env_vars = MERGE_INT(base, add, std_env_vars); + local.export_cert_vars = MERGE_INT(base, add, export_cert_vars); + local.proxy_enabled = MERGE_INT(base, add, proxy_enabled); + local.proxy_ca = add->proxy_ca? add->proxy_ca : base->proxy_ca; + local.proxy_protocol_min = MERGE_INT(base, add, proxy_protocol_min); + local.proxy_pref_ciphers = add->proxy_pref_ciphers->nelts? + add->proxy_pref_ciphers : base->proxy_pref_ciphers; + local.proxy_supp_ciphers = add->proxy_supp_ciphers->nelts? + add->proxy_supp_ciphers : base->proxy_supp_ciphers; + local.proxy_machine_cert_specs = apr_array_append(pool, + base->proxy_machine_cert_specs, add->proxy_machine_cert_specs); + if (local.proxy_enabled == TLS_FLAG_TRUE) { + if (add->proxy_config) { + local.proxy_config = same_proxy_settings(&local, add)? add->proxy_config : NULL; + } + else if (base->proxy_config) { + local.proxy_config = same_proxy_settings(&local, base)? add->proxy_config : NULL; + } + } + memcpy(dest, &local, sizeof(*dest)); +} + +void *tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv) +{ + tls_conf_dir_t *base = basev; + tls_conf_dir_t *add = addv; + tls_conf_dir_t *nconf = apr_pcalloc(pool, sizeof(*nconf)); + dir_assign_merge(nconf, pool, base, add); + return nconf; +} + +static void tls_conf_dir_set_options_defaults(apr_pool_t *pool, tls_conf_dir_t *dc) +{ + (void)pool; + dc->std_env_vars = TLS_FLAG_FALSE; + dc->export_cert_vars = TLS_FLAG_FALSE; +} + +apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p) +{ + (void)p; + if (sc->enabled == TLS_FLAG_UNSET) sc->enabled = TLS_FLAG_FALSE; + if (sc->tls_protocol_min == TLS_FLAG_UNSET) sc->tls_protocol_min = 0; + if (sc->honor_client_order == TLS_FLAG_UNSET) sc->honor_client_order = TLS_FLAG_TRUE; + if (sc->strict_sni == TLS_FLAG_UNSET) sc->strict_sni = TLS_FLAG_TRUE; + if (sc->client_auth == TLS_CLIENT_AUTH_UNSET) sc->client_auth = TLS_CLIENT_AUTH_NONE; + return APR_SUCCESS; +} + +apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p) +{ + (void)p; + if (dc->std_env_vars == TLS_FLAG_UNSET) dc->std_env_vars = TLS_FLAG_FALSE; + if (dc->export_cert_vars == TLS_FLAG_UNSET) dc->export_cert_vars = TLS_FLAG_FALSE; + if (dc->proxy_enabled == TLS_FLAG_UNSET) dc->proxy_enabled = TLS_FLAG_FALSE; + return APR_SUCCESS; +} + +tls_conf_proxy_t *tls_conf_proxy_make( + apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s) +{ + tls_conf_proxy_t *pc = apr_pcalloc(p, sizeof(*pc)); + pc->defined_in = s; + pc->global = gc; + pc->proxy_ca = dc->proxy_ca; + pc->proxy_protocol_min = dc->proxy_protocol_min; + pc->proxy_pref_ciphers = dc->proxy_pref_ciphers; + pc->proxy_supp_ciphers = dc->proxy_supp_ciphers; + pc->machine_cert_specs = dc->proxy_machine_cert_specs; + pc->machine_certified_keys = apr_array_make(p, 3, sizeof(const rustls_certified_key*)); + return pc; +} + +int tls_proxy_section_post_config( + apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, + ap_conf_vector_t *section_config) +{ + tls_conf_dir_t *proxy_dc, *server_dc; + tls_conf_server_t *sc; + + /* mod_proxy collects the <Proxy>...</Proxy> sections per server (base server or virtualhost) + * and in its post_config hook, calls our function registered at its hook for each with + * s - the server they were define in + * section_config - the set of dir_configs for a <Proxy> section + * + * If none of _our_ config directives had been used, here or in the server, we get a NULL. + * Which means we have to do nothing. Otherwise, we add to `proxy_dc` the + * settings from `server_dc` - since this is not automagically done by apache. + * + * `proxy_dc` is then complete and tells us if we handle outgoing connections + * here and with what parameter settings. + */ + (void)ptemp; (void)plog; + ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, + "%s: tls_proxy_section_post_config called", s->server_hostname); + proxy_dc = ap_get_module_config(section_config, &tls_module); + if (!proxy_dc) goto cleanup; + server_dc = ap_get_module_config(s->lookup_defaults, &tls_module); + ap_assert(server_dc); + dir_assign_merge(proxy_dc, p, server_dc, proxy_dc); + tls_conf_dir_apply_defaults(proxy_dc, p); + if (proxy_dc->proxy_enabled && !proxy_dc->proxy_config) { + /* remember `proxy_dc` for subsequent configuration of outoing TLS setups */ + sc = tls_conf_server_get(s); + proxy_dc->proxy_config = tls_conf_proxy_make(p, proxy_dc, sc->global, s); + ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, + "%s: adding proxy_conf to globals in proxy_post_config_section", + s->server_hostname); + APR_ARRAY_PUSH(sc->global->proxy_configs, tls_conf_proxy_t*) = proxy_dc->proxy_config; + } +cleanup: + return OK; +} + +static const char *cmd_check_file(cmd_parms *cmd, const char *fpath) +{ + char *real_path; + + /* just a dump of the configuration, dont resolve/check */ + if (ap_state_query(AP_SQ_RUN_MODE) == AP_SQ_RM_CONFIG_DUMP) { + return NULL; + } + real_path = ap_server_root_relative(cmd->pool, fpath); + if (!real_path) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": Invalid file path ", fpath, NULL); + } + if (!tls_util_is_file(cmd->pool, real_path)) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": file '", real_path, + "' does not exist or is empty", NULL); + } + return NULL; +} + +static const char *tls_conf_add_engine(cmd_parms *cmd, void *dc, const char*v) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + tls_conf_global_t *gc = sc->global; + const char *err = NULL; + char *host, *scope_id; + apr_port_t port; + apr_sockaddr_t *sa; + server_addr_rec *sar; + apr_status_t rv; + + (void)dc; + /* Example of use: + * TLSEngine 443 + * TLSEngine hostname:443 + * TLSEngine 91.0.0.1:443 + * TLSEngine [::0]:443 + */ + rv = apr_parse_addr_port(&host, &scope_id, &port, v, cmd->pool); + if (APR_SUCCESS != rv) { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": invalid address/port in '", v, "'", NULL); + goto cleanup; + } + + /* translate host/port to a sockaddr that we can match with incoming connections */ + rv = apr_sockaddr_info_get(&sa, host, APR_UNSPEC, port, 0, cmd->pool); + if (APR_SUCCESS != rv) { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unable to get sockaddr for '", host, "'", NULL); + goto cleanup; + } + + if (scope_id) { +#if APR_VERSION_AT_LEAST(1,7,0) + rv = apr_sockaddr_zone_set(sa, scope_id); + if (APR_SUCCESS != rv) { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": error setting ipv6 scope id: '", scope_id, "'", NULL); + goto cleanup; + } +#else + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": IPv6 scopes not supported by your APR: '", scope_id, "'", NULL); + goto cleanup; +#endif + } + + sar = apr_pcalloc(cmd->pool, sizeof(*sar)); + sar->host_addr = sa; + sar->virthost = host; + sar->host_port = port; + + sar->next = gc->tls_addresses; + gc->tls_addresses = sar; +cleanup: + return err; +} + +static int flag_value( + const char *arg) +{ + if (!strcasecmp(arg, "On")) { + return TLS_FLAG_TRUE; + } + else if (!strcasecmp(arg, "Off")) { + return TLS_FLAG_FALSE; + } + return TLS_FLAG_UNSET; +} + +static const char *flag_err( + cmd_parms *cmd, const char *v) +{ + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": value must be 'On' or 'Off': '", v, "'", NULL); +} + +static const char *tls_conf_add_certificate( + cmd_parms *cmd, void *dc, const char *cert_file, const char *pkey_file) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err = NULL, *fpath; + tls_cert_spec_t *cert; + + (void)dc; + if (NULL != (err = cmd_check_file(cmd, cert_file))) goto cleanup; + /* key file may be NULL, in which case cert_file must contain the key PEM */ + if (pkey_file && NULL != (err = cmd_check_file(cmd, pkey_file))) goto cleanup; + + cert = apr_pcalloc(cmd->pool, sizeof(*cert)); + fpath = ap_server_root_relative(cmd->pool, cert_file); + if (!tls_util_is_file(cmd->pool, fpath)) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unable to find certificate file: '", fpath, "'", NULL); + } + cert->cert_file = cert_file; + if (pkey_file) { + fpath = ap_server_root_relative(cmd->pool, pkey_file); + if (!tls_util_is_file(cmd->pool, fpath)) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unable to find certificate key file: '", fpath, "'", NULL); + } + } + cert->pkey_file = pkey_file; + *(const tls_cert_spec_t **)apr_array_push(sc->cert_specs) = cert; + +cleanup: + return err; +} + +static const char *parse_ciphers( + cmd_parms *cmd, + tls_conf_global_t *gc, + const char *nop_name, + int argc, char *const argv[], + apr_array_header_t *ciphers) +{ + apr_array_clear(ciphers); + if (argc > 1 || apr_strnatcasecmp(nop_name, argv[0])) { + apr_uint16_t cipher; + int i; + + for (i = 0; i < argc; ++i) { + char *name, *last = NULL; + const char *value = argv[i]; + + name = apr_strtok(apr_pstrdup(cmd->pool, value), ":", &last); + while (name) { + if (tls_proto_get_cipher_by_name(gc->proto, name, &cipher) != APR_SUCCESS) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": cipher not recognized '", name, "'", NULL); + } + APR_ARRAY_PUSH(ciphers, apr_uint16_t) = cipher; + name = apr_strtok(NULL, ":", &last); + } + } + } + return NULL; +} + +static const char *tls_conf_set_preferred_ciphers( + cmd_parms *cmd, void *dc, int argc, char *const argv[]) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err = NULL; + + (void)dc; + if (!argc) { + err = "specify the TLS ciphers to prefer or 'default' for the rustls default ordering."; + goto cleanup; + } + err = parse_ciphers(cmd, sc->global, "default", argc, argv, sc->tls_pref_ciphers); +cleanup: + return err; +} + +static const char *tls_conf_set_suppressed_ciphers( + cmd_parms *cmd, void *dc, int argc, char *const argv[]) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err = NULL; + + (void)dc; + if (!argc) { + err = "specify the TLS ciphers to never use or 'none'."; + goto cleanup; + } + err = parse_ciphers(cmd, sc->global, "none", argc, argv, sc->tls_supp_ciphers); +cleanup: + return err; +} + +static const char *tls_conf_set_honor_client_order( + cmd_parms *cmd, void *dc, const char *v) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + int flag = flag_value(v); + + (void)dc; + if (TLS_FLAG_UNSET == flag) return flag_err(cmd, v); + sc->honor_client_order = flag; + return NULL; +} + +static const char *tls_conf_set_strict_sni( + cmd_parms *cmd, void *dc, const char *v) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + int flag = flag_value(v); + + (void)dc; + if (TLS_FLAG_UNSET == flag) return flag_err(cmd, v); + sc->strict_sni = flag; + return NULL; +} + +static const char *get_min_protocol( + cmd_parms *cmd, const char *v, int *pmin) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err = NULL; + + if (!apr_strnatcasecmp("default", v)) { + *pmin = 0; + } + else if (*v && v[strlen(v)-1] == '+') { + char *name = apr_pstrdup(cmd->pool, v); + name[strlen(name)-1] = '\0'; + *pmin = tls_proto_get_version_by_name(sc->global->proto, name); + if (!*pmin) { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unrecognized protocol version specifier (try TLSv1.2+ or TLSv1.3+): '", v, "'", NULL); + goto cleanup; + } + } + else { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": value must be 'default', 'TLSv1.2+' or 'TLSv1.3+': '", v, "'", NULL); + goto cleanup; + } +cleanup: + return err; +} + +static const char *tls_conf_set_protocol( + cmd_parms *cmd, void *dc, const char *v) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + (void)dc; + return get_min_protocol(cmd, v, &sc->tls_protocol_min); +} + +static const char *tls_conf_set_options( + cmd_parms *cmd, void *dcv, int argc, char *const argv[]) +{ + tls_conf_dir_t *dc = dcv; + const char *err = NULL, *option; + int i, val; + + /* Are we only having deltas (+/-) or do we reset the options? */ + for (i = 0; i < argc; ++i) { + if (argv[i][0] != '+' && argv[i][0] != '-') { + tls_conf_dir_set_options_defaults(cmd->pool, dc); + break; + } + } + + for (i = 0; i < argc; ++i) { + option = argv[i]; + if (!apr_strnatcasecmp("Defaults", option)) { + dc->std_env_vars = TLS_FLAG_FALSE; + dc->export_cert_vars = TLS_FLAG_FALSE; + } + else { + val = TLS_FLAG_TRUE; + if (*option == '+' || *option == '-') { + val = (*option == '+')? TLS_FLAG_TRUE : TLS_FLAG_FALSE; + ++option; + } + + if (!apr_strnatcasecmp("StdEnvVars", option)) { + dc->std_env_vars = val; + } + else if (!apr_strnatcasecmp("ExportCertData", option)) { + dc->export_cert_vars = val; + } + else { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unknown option '", option, "'", NULL); + goto cleanup; + } + } + } +cleanup: + return err; +} + +static const char *tls_conf_set_session_cache( + cmd_parms *cmd, void *dc, const char *value) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err = NULL; + + (void)dc; + if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) goto cleanup; + + err = tls_cache_set_specification(value, sc->global, cmd->pool, cmd->temp_pool); +cleanup: + return err; +} + +static const char *tls_conf_set_proxy_engine(cmd_parms *cmd, void *dir_conf, int flag) +{ + tls_conf_dir_t *dc = dir_conf; + (void)cmd; + dc->proxy_enabled = flag ? TLS_FLAG_TRUE : TLS_FLAG_FALSE; + return NULL; +} + +static const char *tls_conf_set_proxy_ca( + cmd_parms *cmd, void *dir_conf, const char *proxy_ca) +{ + tls_conf_dir_t *dc = dir_conf; + const char *err = NULL; + + if (strcasecmp(proxy_ca, "default") && NULL != (err = cmd_check_file(cmd, proxy_ca))) goto cleanup; + dc->proxy_ca = proxy_ca; +cleanup: + return err; +} + +static const char *tls_conf_set_proxy_protocol( + cmd_parms *cmd, void *dir_conf, const char *v) +{ + tls_conf_dir_t *dc = dir_conf; + return get_min_protocol(cmd, v, &dc->proxy_protocol_min); +} + +static const char *tls_conf_set_proxy_preferred_ciphers( + cmd_parms *cmd, void *dir_conf, int argc, char *const argv[]) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + tls_conf_dir_t *dc = dir_conf; + const char *err = NULL; + + if (!argc) { + err = "specify the proxy TLS ciphers to prefer or 'default' for the rustls default ordering."; + goto cleanup; + } + err = parse_ciphers(cmd, sc->global, "default", argc, argv, dc->proxy_pref_ciphers); +cleanup: + return err; +} + +static const char *tls_conf_set_proxy_suppressed_ciphers( + cmd_parms *cmd, void *dir_conf, int argc, char *const argv[]) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + tls_conf_dir_t *dc = dir_conf; + const char *err = NULL; + + if (!argc) { + err = "specify the proxy TLS ciphers to never use or 'none'."; + goto cleanup; + } + err = parse_ciphers(cmd, sc->global, "none", argc, argv, dc->proxy_supp_ciphers); +cleanup: + return err; +} + +#if TLS_CLIENT_CERTS + +static const char *tls_conf_set_client_ca( + cmd_parms *cmd, void *dc, const char *client_ca) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err; + + (void)dc; + if (NULL != (err = cmd_check_file(cmd, client_ca))) goto cleanup; + sc->client_ca = client_ca; +cleanup: + return err; +} + +static const char *tls_conf_set_client_auth( + cmd_parms *cmd, void *dc, const char *mode) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + const char *err = NULL; + (void)dc; + if (!strcasecmp(mode, "required")) { + sc->client_auth = TLS_CLIENT_AUTH_REQUIRED; + } + else if (!strcasecmp(mode, "optional")) { + sc->client_auth = TLS_CLIENT_AUTH_OPTIONAL; + } + else if (!strcasecmp(mode, "none")) { + sc->client_auth = TLS_CLIENT_AUTH_NONE; + } + else { + err = apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unknown value: '", mode, "', use required/optional/none.", NULL); + } + return err; +} + +static const char *tls_conf_set_user_name( + cmd_parms *cmd, void *dc, const char *var_user_name) +{ + tls_conf_server_t *sc = tls_conf_server_get(cmd->server); + (void)dc; + sc->var_user_name = var_user_name; + return NULL; +} + +#endif /* if TLS_CLIENT_CERTS */ + +#if TLS_MACHINE_CERTS + +static const char *tls_conf_add_proxy_machine_certificate( + cmd_parms *cmd, void *dir_conf, const char *cert_file, const char *pkey_file) +{ + tls_conf_dir_t *dc = dir_conf; + const char *err = NULL, *fpath; + tls_cert_spec_t *cert; + + (void)dc; + if (NULL != (err = cmd_check_file(cmd, cert_file))) goto cleanup; + /* key file may be NULL, in which case cert_file must contain the key PEM */ + if (pkey_file && NULL != (err = cmd_check_file(cmd, pkey_file))) goto cleanup; + + cert = apr_pcalloc(cmd->pool, sizeof(*cert)); + fpath = ap_server_root_relative(cmd->pool, cert_file); + if (!tls_util_is_file(cmd->pool, fpath)) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unable to find certificate file: '", fpath, "'", NULL); + } + cert->cert_file = cert_file; + if (pkey_file) { + fpath = ap_server_root_relative(cmd->pool, pkey_file); + if (!tls_util_is_file(cmd->pool, fpath)) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, + ": unable to find certificate key file: '", fpath, "'", NULL); + } + } + cert->pkey_file = pkey_file; + *(const tls_cert_spec_t **)apr_array_push(dc->proxy_machine_cert_specs) = cert; + +cleanup: + return err; +} + +#endif /* if TLS_MACHINE_CERTS */ + +const command_rec tls_conf_cmds[] = { + AP_INIT_TAKE12("TLSCertificate", tls_conf_add_certificate, NULL, RSRC_CONF, + "Add a certificate to the server by specifying a file containing the " + "certificate PEM, followed by its chain PEMs. The PEM of the key must " + "either also be there or can be given as a separate file."), + AP_INIT_TAKE_ARGV("TLSCiphersPrefer", tls_conf_set_preferred_ciphers, NULL, RSRC_CONF, + "Set the TLS ciphers to prefer when negotiating with a client."), + AP_INIT_TAKE_ARGV("TLSCiphersSuppress", tls_conf_set_suppressed_ciphers, NULL, RSRC_CONF, + "Set the TLS ciphers to never use when negotiating with a client."), + AP_INIT_TAKE1("TLSHonorClientOrder", tls_conf_set_honor_client_order, NULL, RSRC_CONF, + "Set 'on' to have the server honor client preferences in cipher suites, default off."), + AP_INIT_TAKE1("TLSEngine", tls_conf_add_engine, NULL, RSRC_CONF, + "Specify an address+port where the module shall handle incoming TLS connections."), + AP_INIT_TAKE_ARGV("TLSOptions", tls_conf_set_options, NULL, OR_OPTIONS, + "En-/disables optional features in the module."), + AP_INIT_TAKE1("TLSProtocol", tls_conf_set_protocol, NULL, RSRC_CONF, + "Set the minimum TLS protocol version to use."), + AP_INIT_TAKE1("TLSStrictSNI", tls_conf_set_strict_sni, NULL, RSRC_CONF, + "Set strictness of client server name (SNI) check against hosts, default on."), + AP_INIT_TAKE1("TLSSessionCache", tls_conf_set_session_cache, NULL, RSRC_CONF, + "Set which cache to use for TLS sessions."), + AP_INIT_FLAG("TLSProxyEngine", tls_conf_set_proxy_engine, NULL, RSRC_CONF|PROXY_CONF, + "Enable TLS encryption of outgoing connections in this location/server."), + AP_INIT_TAKE1("TLSProxyCA", tls_conf_set_proxy_ca, NULL, RSRC_CONF|PROXY_CONF, + "Set the trust anchors for certificates from proxied backend servers from a PEM file."), + AP_INIT_TAKE1("TLSProxyProtocol", tls_conf_set_proxy_protocol, NULL, RSRC_CONF|PROXY_CONF, + "Set the minimum TLS protocol version to use for proxy connections."), + AP_INIT_TAKE_ARGV("TLSProxyCiphersPrefer", tls_conf_set_proxy_preferred_ciphers, NULL, RSRC_CONF|PROXY_CONF, + "Set the TLS ciphers to prefer when negotiating a proxy connection."), + AP_INIT_TAKE_ARGV("TLSProxyCiphersSuppress", tls_conf_set_proxy_suppressed_ciphers, NULL, RSRC_CONF|PROXY_CONF, + "Set the TLS ciphers to never use when negotiating a proxy connection."), +#if TLS_CLIENT_CERTS + AP_INIT_TAKE1("TLSClientCA", tls_conf_set_client_ca, NULL, RSRC_CONF, + "Set the trust anchors for client certificates from a PEM file."), + AP_INIT_TAKE1("TLSClientCertificate", tls_conf_set_client_auth, NULL, RSRC_CONF, + "If TLS client authentication is 'required', 'optional' or 'none'."), + AP_INIT_TAKE1("TLSUserName", tls_conf_set_user_name, NULL, RSRC_CONF, + "Set the SSL variable to be used as user name."), +#endif /* if TLS_CLIENT_CERTS */ +#if TLS_MACHINE_CERTS + AP_INIT_TAKE12("TLSProxyMachineCertificate", tls_conf_add_proxy_machine_certificate, NULL, RSRC_CONF|PROXY_CONF, + "Add a certificate to be used as client certificate on a proxy connection. "), +#endif /* if TLS_MACHINE_CERTS */ + AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL) +}; |