Newer
Older
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
* create the various trace messages
*/
if (where & SSL_CB_HANDSHAKE_START) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Handshake: start", MODSSL_LIBRARY_NAME);
}
else if (where & SSL_CB_HANDSHAKE_DONE) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Handshake: done", MODSSL_LIBRARY_NAME);
}
else if (where & SSL_CB_LOOP) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Loop: %s",
MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_READ) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Read: %s",
MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_WRITE) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Write: %s",
MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_ALERT) {
char *str = (where & SSL_CB_READ) ? "read" : "write";
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Alert: %s:%s:%s",
MODSSL_LIBRARY_NAME, str,
SSL_alert_type_string_long(rc),
SSL_alert_desc_string_long(rc));
}
else if (where & SSL_CB_EXIT) {
if (rc == 0) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Exit: failed in %s",
MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (rc < 0) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Exit: error in %s",
MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
}
/*
* Because SSL renegotiations can happen at any time (not only after
* SSL_accept()), the best way to log the current connection details is
* right after a finished handshake.
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02041)
"Protocol: %s, Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
}
}
/*
* This callback function is executed while OpenSSL processes the SSL
* handshake and does SSL record layer stuff. It's used to trap
* client-initiated renegotiations, and for dumping everything to the
* log.
*/
void ssl_callback_Info(const SSL *ssl, int where, int rc)
{
conn_rec *c;
server_rec *s;
SSLConnRec *scr;
/* Retrieve the conn_rec and the associated SSLConnRec. */
if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
return;
}
if ((scr = myConnConfig(c)) == NULL) {
return;
}
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
if (!scr->is_proxy &&
(where & SSL_CB_HANDSHAKE_START) &&
scr->reneg_state == RENEG_REJECT) {
scr->reneg_state = RENEG_ABORT;
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation");
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initiated renegotiation. */
else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
scr->reneg_state = RENEG_REJECT;
}
s = mySrvFromConn(c);
if (s && APLOGdebug(s)) {
log_tracing_state(ssl, c, s, where, rc);
}
}
#ifdef HAVE_TLSEXT
/*
* This function sets the virtual host from an extended
* client hello with a server name indication extension ("SNI", cf. RFC 6066).
*/
static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
{
const char *servername;
if (c) {
SSLConnRec *sslcon = myConnConfig(c);
if (sslcon->server != c->base_server) {
/* already found the vhost */
return APR_SUCCESS;
}
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (servername) {
if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
(void *)servername)) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043)
"SSL virtual host for servername %s found",
servername);
return APR_SUCCESS;
}
else {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
"No matching SSL virtual host for servername "
"%s found (using default/first virtual host)",
servername);
/*
* RFC 6066 section 3 says "It is NOT RECOMMENDED to send
* a warning-level unrecognized_name(112) alert, because
* the client's behavior in response to warning-level alerts
* is unpredictable."
*
* To maintain backwards compatibility in mod_ssl, we
* no longer send any alert (neither warning- nor fatal-level),
* i.e. we take the second action suggested in RFC 6066:
* "If the server understood the ClientHello extension but
* does not recognize the server name, the server SHOULD take
* one of two actions: either abort the handshake by sending
* a fatal-level unrecognized_name(112) alert or continue
* the handshake."
*/
}
}
else {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02645)
"Server name not provided via TLS extension "
"(using default/first virtual host)");
}
}
return APR_NOTFOUND;
}
/*
* This callback function is executed when OpenSSL encounters an extended
* client hello with a server name indication extension ("SNI", cf. RFC 6066).
*/
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
apr_status_t status = init_vhost(c, ssl);
return (status == APR_SUCCESS)? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
}
/*
* Find a (name-based) SSL virtual host where either the ServerName
* or one of the ServerAliases matches the supplied name (to be used
* with ap_vhost_iterate_given_conn())
*/
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
{
SSLSrvConfigRec *sc;
SSL *ssl;
BOOL found;
SSLConnRec *sslcon;
found = ssl_util_vhost_matches(servername, s);
/* set SSL_CTX (if matched) */
sslcon = myConnConfig(c);
if (found && (ssl = sslcon->ssl) &&
(sc = mySrvConfig(s))) {
SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
/*
* SSL_set_SSL_CTX() only deals with the server cert,
* so we need to duplicate a few additional settings
* from the ctx by hand
*/
SSL_set_options(ssl, SSL_CTX_get_options(ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
/*
* Only initialize the verification settings from the ctx
* if they are not yet set, or if we're called when a new
* SSL connection is set up (num_renegotiations == 0).
* Otherwise, we would possibly reset a per-directory
* configuration which was put into effect by ssl_hook_Access.
*/
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
SSL_CTX_get_verify_callback(ctx));
}
/*
* Adjust the session id context. ssl_init_ssl_connection()
* always picks the configuration of the first vhost when
* calling SSL_new(), but we want to tie the session to the
* vhost we have just switched to. Again, we have to make sure
* that we're not overwriting a session id context which was
* possibly set in ssl_hook_Access(), before triggering
* a renegotiation.
*/
if (SSL_num_renegotiations(ssl) == 0) {
unsigned char *sid_ctx =
(unsigned char *)ap_md5_binary(c->pool,
(unsigned char *)sc->vhost_id,
sc->vhost_id_len);
SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
}
/*
* Save the found server into our SSLConnRec for later
* retrieval
*/
sslcon->server = s;
sslcon->cipher_suite = sc->server->auth.cipher_suite;
ap_update_child_status_from_server(c->sbh, SERVER_BUSY_READ, c, s);
/*
* There is one special filter callback, which is set
* very early depending on the base_server's log level.
* If this is not the first vhost we're now selecting
* (and the first vhost doesn't use APLOG_TRACE4), then
* we need to set that callback here.
*/
if (APLOGtrace4(s)) {
BIO *rbio = SSL_get_rbio(ssl),
*wbio = SSL_get_wbio(ssl);
BIO_set_callback(rbio, ssl_io_data_cb);
BIO_set_callback_arg(rbio, (void *)ssl);
if (wbio && wbio != rbio) {
BIO_set_callback(wbio, ssl_io_data_cb);
BIO_set_callback_arg(wbio, (void *)ssl);
}
}
return 1;
}
return 0;
}
#endif /* HAVE_TLSEXT */
#ifdef HAVE_TLS_SESSION_TICKETS
/*
* This callback function is executed when OpenSSL needs a key for encrypting/
* decrypting a TLS session ticket (RFC 5077) and a ticket key file has been
* configured through SSLSessionTicketKeyFile.
*/
int ssl_callback_SessionTicket(SSL *ssl,
unsigned char *keyname,
unsigned char *iv,
EVP_CIPHER_CTX *cipher_ctx,
HMAC_CTX *hctx,
int mode)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(c);
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
if (mode == 1) {
/*
* OpenSSL is asking for a key for encrypting a ticket,
* see s3_srvr.c:ssl3_send_newsession_ticket()
*/
if (ticket_key == NULL) {
/* should never happen, but better safe than sorry */
return -1;
}
memcpy(keyname, ticket_key->key_name, 16);
RAND_bytes(iv, EVP_MAX_IV_LENGTH);
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
"TLS session ticket key for %s successfully set, "
"creating new session ticket", sc->vhost_id);
return 1;
}
else if (mode == 0) {
/*
* OpenSSL is asking for the decryption key,
* see t1_lib.c:tls_decrypt_ticket()
*/
/* check key name */
if (ticket_key == NULL || memcmp(keyname, ticket_key->key_name, 16)) {
return 0;
}
EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
"TLS session ticket key for %s successfully set, "
"decrypting existing session ticket", sc->vhost_id);
return 1;
}
/* OpenSSL is not expected to call us with modes other than 1 or 0 */
return -1;
}
#endif /* HAVE_TLS_SESSION_TICKETS */
#ifdef HAVE_TLS_ALPN
/*
* This callback function is executed when the TLS Application-Layer
* Protocol Negotiation Extension (ALPN, RFC 7301) is triggered by the Client
* Hello, giving a list of desired protocol names (in descending preference)
* to the server.
* The callback has to select a protocol name or return an error if none of
* the clients preferences is supported.
* The selected protocol does not have to be on the client list, according
* to RFC 7301, so no checks are performed.
* The client protocol list is serialized as length byte followed by ASCII
* characters (not null-terminated), followed by the next protocol name.
*/
int ssl_callback_alpn_select(SSL *ssl,
const unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
void *arg)
{
conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
SSLConnRec *sslconn = myConnConfig(c);
apr_array_header_t *client_protos;
const char *proposed;
size_t len;
int i;
/* If the connection object is not available,
* then there's nothing for us to do. */
if (c == NULL) {
return SSL_TLSEXT_ERR_OK;
}
if (inlen == 0) {
/* someone tries to trick us? */
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02837)
"ALPN client protocol list empty");
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
client_protos = apr_array_make(c->pool, 0, sizeof(char *));
for (i = 0; i < inlen; /**/) {
unsigned int plen = in[i++];
if (plen + i > inlen) {
/* someone tries to trick us? */
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02838)
"ALPN protocol identifier too long");
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
APR_ARRAY_PUSH(client_protos, char *) =
apr_pstrndup(c->pool, (const char *)in+i, plen);
i += plen;
}
/* The order the callbacks are invoked from TLS extensions is, unfortunately
* not defined and older openssl versions do call ALPN selection before
* they callback the SNI. We need to make sure that we know which vhost
* we are dealing with so we respect the correct protocols.
*/
init_vhost(c, ssl);
proposed = ap_select_protocol(c, NULL, sslconn->server, client_protos);
if (!proposed) {
proposed = ap_get_protocol(c);
}
len = strlen(proposed);
if (len > 255) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02840)
"ALPN negotiated protocol name too long");
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
*out = (const unsigned char *)proposed;
*outlen = (unsigned char)len;
if (strcmp(proposed, ap_get_protocol(c))) {
apr_status_t status;
status = ap_switch_protocol(c, NULL, sslconn->server, proposed);
if (status != APR_SUCCESS) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, status, c,
APLOGNO(02908) "protocol switch to '%s' failed",
proposed);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
}
return SSL_TLSEXT_ERR_OK;
}
#endif /* HAVE_TLS_ALPN */
#ifdef HAVE_SRP
int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
{
modssl_ctx_t *mctx = (modssl_ctx_t *)arg;
char *username = SSL_get_srp_username(ssl);
SRP_user_pwd *u;
if (username == NULL
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|| (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
#else
|| (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) {
#endif
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
return SSL3_AL_FATAL;
}
if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
SRP_user_pwd_free(u);
#endif
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
/* reset all other options */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
SRP_user_pwd_free(u);
#endif
SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
return SSL_ERROR_NONE;
}
#endif /* HAVE_SRP */