lighttpd 1.4.x https://www.lighttpd.net/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3695 lines
142 KiB

/*
* mod_mbedtls - mbedTLS support for lighttpd
*
* Copyright(c) 2020 Glenn Strauss gstrauss()gluelogic.com All rights reserved
* License: BSD 3-clause (same as lighttpd)
*/
/*
* reference:
* https://tls.mbed.org/high-level-design
* https://tls.mbed.org/tech-updates/blog/mbedtls-2.0-defaults-best-practices
* mbedTLS header files (mbedtls/ssl.h and others) are extremely well-documented
* https://tls.mbed.org/api/ (generated from mbedTLS headers and code)
*
* mbedTLS limitations:
* - mbedTLS does not currently support TLSv1.3
* - mbedTLS does not currently support OCSP
* https://tls.mbed.org/discussions/feature-request/ocsp-stapling
* TLS/DTLS: OCSP Stapling support #880
* https://github.com/ARMmbed/mbedtls/issues/880
* Add support for writing OCSP requests and parsing OCSP responses #1197
* https://github.com/ARMmbed/mbedtls/issues/1197
*
* future possible enhancements to lighttpd mod_mbedtls:
* - session cache (though session tickets are implemented)
* sample code in mbedtls:programs/ssl/ssl_server2.c
* (and do not enable unless server.feature-flags ssl.session-cache enabled)
*
* Note: If session tickets are -not- disabled with
* ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
* mbedtls rotates the session ticket key according to 2x timeout set with
* mbedtls_ssl_ticket_setup() (currently 43200 s, so 24 hour ticket lifetime)
* This is fine for use with a single lighttpd instance, but with multiple
* lighttpd workers, no coordinated STEK (server ticket encryption key)
* rotation occurs unless ssl.stek-file is defined and maintained (preferred),
* or if some external job restarts lighttpd. Restarting lighttpd generates a
* new key that is shared by lighttpd workers for the lifetime of the new key.
* If the rotation period expires and lighttpd has not been restarted, and if
* ssl.stek-file is not in use, then lighttpd workers will generate new
* independent keys, making session tickets less effective for session
* resumption, since clients have a lower chance for future connections to
* reach the same lighttpd worker. However, things will still work, and a new
* session will be created if session resumption fails. Admins should plan to
* restart lighttpd at least every 12 hours if session tickets are enabled and
* multiple lighttpd workers are configured. Since that is likely disruptive,
* if multiple lighttpd workers are configured, ssl.stek-file should be
* defined and the file maintained externally.
*/
#include "first.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h> /* vsnprintf() */
#include <string.h>
#include <mbedtls/config.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/dhm.h>
#include <mbedtls/error.h>
#include <mbedtls/entropy.h>
#include <mbedtls/oid.h>
#include <mbedtls/pem.h>
#include <mbedtls/ssl.h>
#include <mbedtls/ssl_internal.h> /* struct mbedtls_ssl_transform */
#include <mbedtls/x509.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/version.h>
#include <mbedtls/platform_util.h> /* mbedtls_platform_zeroize() */
#if MBEDTLS_VERSION_NUMBER >= 0x02040000 /* mbedtls 2.04.0 */
#include <mbedtls/net_sockets.h>
#else
#include <mbedtls/net.h>
#endif
#if defined(MBEDTLS_SSL_TICKET_C)
#include <mbedtls/ssl_ticket.h>
#endif
#ifndef MBEDTLS_X509_CRT_PARSE_C
#error "lighttpd requires that mbedtls be built with MBEDTLS_X509_CRT_PARSE_C"
#endif
#include "base.h"
#include "fdevent.h"
#include "http_header.h"
#include "http_kv.h"
#include "log.h"
#include "plugin.h"
#include "safe_memclear.h"
typedef struct {
/* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
mbedtls_pk_context ssl_pemfile_pkey;/* parsed private key structure */
mbedtls_x509_crt ssl_pemfile_x509; /* parsed public key structure */
const buffer *ssl_pemfile;
const buffer *ssl_privkey;
int8_t need_chain;
} plugin_cert;
typedef struct {
mbedtls_ssl_config *ssl_ctx; /* context shared between mbedtls_ssl_CONTEXT structures */
int *ciphersuites;
mbedtls_ecp_group_id *curves;
} plugin_ssl_ctx;
typedef struct {
mbedtls_ssl_config *ssl_ctx; /* output from network_init_ssl() */
int *ciphersuites; /* output from network_init_ssl() */
mbedtls_ecp_group_id *curves; /* output from network_init_ssl() */
/*(used only during startup; not patched)*/
unsigned char ssl_enabled; /* only interesting for setting up listening sockets. don't use at runtime */
unsigned char ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
unsigned char ssl_empty_fragments;
unsigned char ssl_use_sslv2;
unsigned char ssl_use_sslv3;
const buffer *ssl_cipher_list;
const buffer *ssl_dh_file;
const buffer *ssl_ec_curve;
const buffer *ssl_acme_tls_1;
array *ssl_conf_cmd;
/*(copied from plugin_data for socket ssl_ctx config)*/
plugin_cert *pc;
mbedtls_pk_context *ssl_pemfile_pkey; /* parsed private key structure */
mbedtls_x509_crt *ssl_pemfile_x509; /* parsed public key structure */
mbedtls_x509_crt *ssl_ca_file;
const buffer *ssl_pemfile;
const buffer *ssl_privkey;
unsigned char ssl_session_ticket;
unsigned char ssl_verifyclient;
unsigned char ssl_verifyclient_enforce;
unsigned char ssl_verifyclient_depth;
} plugin_config_socket; /*(used at startup during configuration)*/
typedef struct {
/* SNI per host: w/ COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
plugin_cert *pc;
mbedtls_pk_context *ssl_pemfile_pkey; /* parsed private key structure */
mbedtls_x509_crt *ssl_pemfile_x509; /* parsed public key structure */
const buffer *ssl_pemfile;
mbedtls_x509_crt *ssl_ca_file;
mbedtls_x509_crt *ssl_ca_dn_file;
mbedtls_x509_crl *ssl_ca_crl_file;
unsigned char ssl_verifyclient;
unsigned char ssl_verifyclient_enforce;
unsigned char ssl_verifyclient_depth;
unsigned char ssl_verifyclient_export_cert;
unsigned char ssl_read_ahead;
unsigned char ssl_log_noise;
unsigned char ssl_disable_client_renegotiation;
const buffer *ssl_verifyclient_username;
const buffer *ssl_acme_tls_1;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_ssl_ctx *ssl_ctxs;
plugin_config defaults;
server *srv;
/* NIST counter-mode deterministic random byte generator */
mbedtls_ctr_drbg_context ctr_drbg;
/* entropy collection and state management */
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_context ticket_ctx;
const char *ssl_stek_file;
#endif
} plugin_data;
static int ssl_is_init;
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
#define LOCAL_SEND_BUFSIZE MBEDTLS_SSL_MAX_CONTENT_LEN
static char *local_send_buffer;
typedef struct {
mbedtls_ssl_context ssl; /* mbedtls request/connection context */
request_st *r;
connection *con;
int8_t close_notify;
unsigned short alpn;
int handshake_done;
size_t pending_write;
plugin_config conf;
buffer *tmp_buf;
log_error_st *errh;
mbedtls_pk_context *acme_tls_1_pkey;
mbedtls_x509_crt *acme_tls_1_x509;
} handler_ctx;
static handler_ctx *
handler_ctx_init (void)
{
handler_ctx *hctx = calloc(1, sizeof(*hctx));
force_assert(hctx);
return hctx;
}
static void
handler_ctx_free (handler_ctx *hctx)
{
mbedtls_ssl_free(&hctx->ssl);
if (hctx->acme_tls_1_pkey) {
mbedtls_pk_free(hctx->acme_tls_1_pkey);
free(hctx->acme_tls_1_pkey);
}
if (hctx->acme_tls_1_x509) {
mbedtls_x509_crt_free(hctx->acme_tls_1_x509);
free(hctx->acme_tls_1_x509);
}
free(hctx);
}
#ifdef MBEDTLS_ERROR_C
__attribute_cold__
static void elog(log_error_st * const errh,
const char * const file, const int line,
const int rc, const char * const msg)
{
/* error logging convenience function that decodes mbedtls result codes */
char buf[256];
mbedtls_strerror(rc, buf, sizeof(buf));
log_error(errh, file, line, "MTLS: %s: %s (-0x%04x)", msg, buf, -rc);
}
#else
#define elog(errh, file, line, rc, msg) \
log_error((errh), (file), (line), "MTLS: %s: (-0x%04x)", (msg), -(rc))
#endif
__attribute_cold__
__attribute_format__((__printf__, 5, 6))
static void elogf(log_error_st * const errh,
const char * const file, const int line,
const int rc, const char * const fmt, ...)
{
char msg[1024];
va_list ap;
va_start(ap, fmt);
vsnprintf(msg, sizeof(msg), fmt, ap);
va_end(ap);
elog(errh, file, line, rc, msg);
}
#ifdef MBEDTLS_SSL_SESSION_TICKETS
#define TLSEXT_KEYNAME_LENGTH 16
#define TLSEXT_TICK_KEY_LENGTH 32
/* construct our own session ticket encryption key structure
* to store keys that are not yet active
* (mirror from mod_openssl, even though not all bits are used here) */
typedef struct tlsext_ticket_key_st {
time_t active_ts; /* tickets not issued w/ key until activation timestamp */
time_t expire_ts; /* key not valid after expiration timestamp */
unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH];
unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
} tlsext_ticket_key_t;
static tlsext_ticket_key_t session_ticket_keys[1]; /* temp store until active */
static time_t stek_rotate_ts;
static int
mod_mbedtls_session_ticket_key_file (const char *fn)
{
/* session ticket encryption key (STEK)
*
* STEK file should be stored in non-persistent storage,
* e.g. /dev/shm/lighttpd/stek-file (in memory)
* with appropriate permissions set to keep stek-file from being
* read by other users. Where possible, systems should also be
* configured without swap.
*
* admin should schedule an independent job to periodically
* generate new STEK up to 3 times during key lifetime
* (lighttpd stores up to 3 keys)
*
* format of binary file is:
* 4-byte - format version (always 0; for use if format changes)
* 4-byte - activation timestamp
* 4-byte - expiration timestamp
* 16-byte - session ticket key name
* 32-byte - session ticket HMAC encrpytion key
* 32-byte - session ticket AES encrpytion key
*
* STEK file can be created with a command such as:
* dd if=/dev/random bs=1 count=80 status=none | \
* perl -e 'print pack("iii",0,time()+300,time()+86400),<>' \
* > STEK-file.$$ && mv STEK-file.$$ STEK-file
*
* The above delays activation time by 5 mins (+300 sec) to allow file to
* be propagated to other machines. (admin must handle this independently)
* If STEK generation is performed immediately prior to starting lighttpd,
* admin should activate keys immediately (without +300).
*/
int buf[23]; /* 92 bytes */
int rc = 0; /*(will retry on next check interval upon any error)*/
if (0 != fdevent_load_file_bytes((char *)buf,(off_t)sizeof(buf),0,fn,NULL))
return rc;
if (buf[0] == 0) { /*(format version 0)*/
session_ticket_keys[0].active_ts = buf[1];
session_ticket_keys[0].expire_ts = buf[2];
#ifndef __COVERITY__
memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80);
#else
memcpy(&session_ticket_keys[0].tick_key_name,
buf+3, TLSEXT_KEYNAME_LENGTH);
memcpy(&session_ticket_keys[0].tick_hmac_key,
buf+7, TLSEXT_TICK_KEY_LENGTH);
memcpy(&session_ticket_keys[0].tick_aes_key,
buf+15, TLSEXT_TICK_KEY_LENGTH);
#endif
rc = 1;
}
mbedtls_platform_zeroize(buf, sizeof(buf));
return rc;
}
static void
mod_mbedtls_session_ticket_key_check (plugin_data *p, const time_t cur_ts)
{
if (NULL == p->ssl_stek_file) return;
struct stat st;
if (0 == stat(p->ssl_stek_file, &st) && st.st_mtime > stek_rotate_ts
&& mod_mbedtls_session_ticket_key_file(p->ssl_stek_file)) {
stek_rotate_ts = cur_ts;
}
tlsext_ticket_key_t *stek = session_ticket_keys;
if (stek->active_ts != 0 && stek->active_ts - 63 <= cur_ts) {
/* expect to get newer ssl.stek-file prior to mbedtls detecting
* expiration and internally generating a new key. If not, then
* lifetime may be up to 2x specified lifetime until overwritten
* by mbedtls, but original key will be overwritten and discarded */
mbedtls_ssl_ticket_context *ctx = &p->ticket_ctx;
ctx->ticket_lifetime = stek->expire_ts - stek->active_ts;
ctx->active = 1 - ctx->active;
mbedtls_ssl_ticket_key *key = ctx->keys + ctx->active;
/* set generation_time to cur_ts instead of stek->active_ts
* since ctx->active was updated */
key->generation_time = cur_ts;
memcpy(key->name, stek->tick_key_name, sizeof(key->name));
/* With GCM and CCM, same context can encrypt & decrypt */
int rc = mbedtls_cipher_setkey(&key->ctx, stek->tick_aes_key,
mbedtls_cipher_get_key_bitlen(&key->ctx),
MBEDTLS_ENCRYPT);
if (0 != rc) { /* expire key immediately if error occurs */
key->generation_time = cur_ts - ctx->ticket_lifetime - 1;
ctx->active = 1 - ctx->active;
}
mbedtls_platform_zeroize(stek, sizeof(tlsext_ticket_key_t));
}
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
INIT_FUNC(mod_mbedtls_init)
{
plugin_data_singleton = (plugin_data *)calloc(1, sizeof(plugin_data));
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_init(&plugin_data_singleton->ticket_ctx);
#endif
return plugin_data_singleton;
}
static int mod_mbedtls_init_once_mbedtls (server *srv)
{
if (ssl_is_init) return 1;
ssl_is_init = 1;
plugin_data * const p = plugin_data_singleton;
mbedtls_ctr_drbg_init(&p->ctr_drbg); /* init empty NSIT random num gen */
mbedtls_entropy_init(&p->entropy); /* init empty entropy collection struct
.. could add sources here too */
int rc = /* init RNG */
mbedtls_ctr_drbg_seed(&p->ctr_drbg, /* random number generator */
mbedtls_entropy_func, /* default entropy func */
&p->entropy, /* entropy context */
NULL, 0); /* no personalization data */
if (0 != rc) {
elog(srv->errh, __FILE__,__LINE__, rc,
"Init of random number generator failed");
return 0;
}
local_send_buffer = malloc(LOCAL_SEND_BUFSIZE);
force_assert(NULL != local_send_buffer);
return 1;
}
static void mod_mbedtls_free_mbedtls (void)
{
if (!ssl_is_init) return;
#ifdef MBEDTLS_SSL_SESSION_TICKETS
mbedtls_platform_zeroize(session_ticket_keys, sizeof(session_ticket_keys));
stek_rotate_ts = 0;
#endif
plugin_data * const p = plugin_data_singleton;
mbedtls_ctr_drbg_free(&p->ctr_drbg);
mbedtls_entropy_free(&p->entropy);
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_free(&p->ticket_ctx);
#endif
free(local_send_buffer);
ssl_is_init = 0;
}
static void
mod_mbedtls_free_config (server *srv, plugin_data * const p)
{
if (NULL != p->ssl_ctxs) {
mbedtls_ssl_config * const ssl_ctx_global_scope = p->ssl_ctxs->ssl_ctx;
/* free ssl_ctx from $SERVER["socket"] (if not copy of global scope) */
for (uint32_t i = 1; i < srv->config_context->used; ++i) {
plugin_ssl_ctx * const s = p->ssl_ctxs + i;
if (s->ssl_ctx && s->ssl_ctx != ssl_ctx_global_scope) {
mbedtls_ssl_config_free(s->ssl_ctx);
free(s->ciphersuites);
free(s->curves);
}
}
/* free ssl_ctx from global scope */
if (ssl_ctx_global_scope) {
mbedtls_ssl_config_free(ssl_ctx_global_scope);
free(p->ssl_ctxs[0].ciphersuites);
free(p->ssl_ctxs[0].curves);
}
free(p->ssl_ctxs);
}
if (NULL == p->cvlist) return;
/* (init i to 0 if global context; to 1 to skip empty global context) */
for (int i = !p->cvlist[0].v.u2[1], used = p->nconfig; i < used; ++i) {
config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
switch (cpv->k_id) {
case 0: /* ssl.pemfile */
if (cpv->vtype == T_CONFIG_LOCAL) {
plugin_cert *pc = cpv->v.v;
mbedtls_pk_free(&pc->ssl_pemfile_pkey);
mbedtls_x509_crt_free(&pc->ssl_pemfile_x509);
free(pc);
}
break;
case 2: /* ssl.ca-file */
case 3: /* ssl.ca-dn-file */
if (cpv->vtype == T_CONFIG_LOCAL) {
mbedtls_x509_crt *cacert = cpv->v.v;
mbedtls_x509_crt_free(cacert);
free(cacert);
}
break;
case 4: /* ssl.ca-dn-file */
if (cpv->vtype == T_CONFIG_LOCAL) {
mbedtls_x509_crl *crl = cpv->v.v;
mbedtls_x509_crl_free(crl);
free(crl);
}
break;
default:
break;
}
}
}
}
FREE_FUNC(mod_mbedtls_free)
{
plugin_data *p = p_d;
if (NULL == p->srv) return;
mod_mbedtls_free_config(p->srv, p);
mod_mbedtls_free_mbedtls();
}
static void
mod_mbedtls_merge_config_cpv (plugin_config * const pconf, const config_plugin_value_t * const cpv)
{
switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
case 0: /* ssl.pemfile */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->pc = cpv->v.v;
break;
case 1: /* ssl.privkey */
break;
case 2: /* ssl.ca-file */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->ssl_ca_file = cpv->v.v;
break;
case 3: /* ssl.ca-dn-file */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->ssl_ca_dn_file = cpv->v.v;
break;
case 4: /* ssl.ca-crl-file */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->ssl_ca_dn_file = cpv->v.v;
break;
case 5: /* ssl.read-ahead */
pconf->ssl_read_ahead = (0 != cpv->v.u);
break;
case 6: /* ssl.disable-client-renegotiation */
pconf->ssl_disable_client_renegotiation = (0 != cpv->v.u);
break;
case 7: /* ssl.verifyclient.activate */
pconf->ssl_verifyclient = (0 != cpv->v.u);
break;
case 8: /* ssl.verifyclient.enforce */
pconf->ssl_verifyclient_enforce = (0 != cpv->v.u);
break;
case 9: /* ssl.verifyclient.depth */
pconf->ssl_verifyclient_depth = (unsigned char)cpv->v.shrt;
break;
case 10:/* ssl.verifyclient.username */
pconf->ssl_verifyclient_username = cpv->v.b;
break;
case 11:/* ssl.verifyclient.exportcert */
pconf->ssl_verifyclient_export_cert = (0 != cpv->v.u);
break;
case 12:/* ssl.acme-tls-1 */
pconf->ssl_acme_tls_1 = cpv->v.b;
break;
case 13:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
default:/* should not happen */
return;
}
}
static void
mod_mbedtls_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv)
{
do {
mod_mbedtls_merge_config_cpv(pconf, cpv);
} while ((++cpv)->k_id != -1);
}
static void
mod_mbedtls_patch_config (request_st * const r, plugin_config * const pconf)
{
plugin_data * const p = plugin_data_singleton;
memcpy(pconf, &p->defaults, sizeof(plugin_config));
for (int i = 1, used = p->nconfig; i < used; ++i) {
if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
mod_mbedtls_merge_config(pconf, p->cvlist + p->cvlist[i].v.u2[0]);
}
}
__attribute_pure__
static int
mod_mbedtls_crt_is_self_issued (const mbedtls_x509_crt * const crt)
{
const mbedtls_x509_buf * const issuer = &crt->issuer_raw;
const mbedtls_x509_buf * const subject = &crt->subject_raw;
return subject->len == issuer->len
&& 0 == memcmp(issuer->p, subject->p, subject->len);
}
static int
mod_mbedtls_construct_crt_chain (mbedtls_x509_crt *leaf, mbedtls_x509_crt *store, log_error_st *errh)
{
/* Historically, openssl will use the cert chain in (SSL_CTX *) if a cert
* does not have a chain configured in (SSL *). While similar behavior
* could be achieved with mbedtls_x509_crt_parse_file(crt, ssl_ca_file->ptr)
* instead attempt to do better and build a proper, ordered cert chain. */
if (leaf->next) return 0; /*(presume chain has already been provided)*/
if (store == NULL) return 0;/*(unable to proceed; chain may be incomplete)*/
/* attempt to construct certificate chain from certificate store */
for (mbedtls_x509_crt *crt = leaf; crt; ) {
const mbedtls_x509_buf * const issuer = &crt->issuer_raw;
/*(walk entire store in case certs are not properly sorted)*/
for (crt = store; crt; crt = crt->next) {
/* The raw issuer/subject data (DER) is used for quick comparison */
/* (see comments in mod_mbedtls_verify_cb())*/
const mbedtls_x509_buf * const subject = &crt->subject_raw;
if (issuer->len != subject->len
|| 0 != memcmp(subject->p, issuer->p, issuer->len)) continue;
/* root cert is end condition; omit from chain of intermediates */
if (mod_mbedtls_crt_is_self_issued(crt))
return 0;
int rc =
#if MBEDTLS_VERSION_NUMBER >= 0x02110000 /* mbedtls 2.17.0 */
/* save memory by eliding copy of already-loaded raw DER */
mbedtls_x509_crt_parse_der_nocopy(leaf, crt->raw.p, crt->raw.len);
#else
mbedtls_x509_crt_parse_der(leaf, crt->raw.p, crt->raw.len);
#endif
if (0 != rc) { /*(failure not unexpected since already parsed)*/
elog(errh, __FILE__, __LINE__, rc, "cert copy failed");
return rc;
}
break;
}
}
return 0; /*(no error, though cert chain may or may not be complete)*/
}
static int
mod_mbedtls_verify_cb (void *arg, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
{
handler_ctx * const hctx = (handler_ctx *)arg;
if (depth > hctx->conf.ssl_verifyclient_depth) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"MTLS: client cert chain too long");
*flags |= MBEDTLS_X509_BADCERT_OTHER; /* cert chain too long */
}
else if (0 == depth && NULL != hctx->conf.ssl_ca_dn_file) {
/* verify that client cert is issued by CA in ssl.ca-dn-file
* if both ssl.ca-dn-file and ssl.ca-file were configured */
/* The raw issuer/subject data (DER) is used for quick comparison. */
const size_t len = crt->issuer_raw.len;
mbedtls_x509_crt *chain = hctx->conf.ssl_ca_dn_file;
do {
#if 0 /* x509_name_cmp() is not a public func in mbedtls */
if (0 == x509_name_cmp(&crt->issuer, &chain->subject))
break;
#else
if (len == chain->subject_raw.len
&& 0 == memcmp(chain->subject_raw.p, crt->issuer_raw.p, len))
break;
#endif
} while ((chain = chain->next));
if (NULL == chain)
*flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
}
if (*flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"MTLS: client cert not trusted");
}
return 0;
}
#ifdef MBEDTLS_SSL_SERVER_NAME_INDICATION
static int
mod_mbedtls_SNI (void *arg, mbedtls_ssl_context *ssl, const unsigned char *servername, size_t len)
{
handler_ctx * const hctx = (handler_ctx *) arg;
buffer_copy_string(&hctx->r->uri.scheme, "https");
request_st * const r = hctx->r;
if (len >= 1024) { /*(expecting < 256; TLSEXT_MAXLEN_host_name is 255)*/
log_error(r->conf.errh, __FILE__, __LINE__,
"MTLS: SNI name too long %.*s", (int)len, servername);
return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
}
/* use SNI to patch mod_mbedtls config and then reset COMP_HTTP_HOST */
buffer_copy_string_len(&r->uri.authority, (const char *)servername, len);
buffer_to_lower(&r->uri.authority);
#if 0
/*(r->uri.authority used below for configuration before request read;
* revisit for h2)*/
if (0 != http_request_host_policy(&r->uri.authority,
r->conf.http_parseopts, 443))
return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
#endif
const buffer * const ssl_pemfile = hctx->conf.pc->ssl_pemfile;
r->conditional_is_valid |= (1 << COMP_HTTP_SCHEME)
| (1 << COMP_HTTP_HOST);
mod_mbedtls_patch_config(r, &hctx->conf);
/* reset COMP_HTTP_HOST so that conditions re-run after request hdrs read */
/*(done in configfile-glue.c:config_cond_cache_reset() after request hdrs read)*/
/*config_cond_cache_reset_item(r, COMP_HTTP_HOST);*/
/*buffer_clear(&r->uri.authority);*/
/*(compare strings as ssl.pemfile might repeat same file in lighttpd.conf
* and mod_mbedtls does not attempt to de-dup)*/
if (!buffer_is_equal(hctx->conf.pc->ssl_pemfile, ssl_pemfile)) {
/* if needed, attempt to construct certificate chain for server cert */
if (hctx->conf.pc->need_chain) {
hctx->conf.pc->need_chain = 0; /*(attempt once to complete chain)*/
mbedtls_x509_crt *ssl_cred = &hctx->conf.pc->ssl_pemfile_x509;
mbedtls_x509_crt *store = hctx->conf.ssl_ca_file;
if (!mod_mbedtls_construct_crt_chain(ssl_cred, store, r->conf.errh))
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
/* reconfigure to use SNI-specific cert */
int rc =
mbedtls_ssl_set_hs_own_cert(ssl,
&hctx->conf.pc->ssl_pemfile_x509,
&hctx->conf.pc->ssl_pemfile_pkey);
if (0 != rc) {
elogf(r->conf.errh, __FILE__, __LINE__, rc,
"failed to set SNI certificate for TLS server name %s",
r->uri.authority.ptr);
return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
}
}
return 0;
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
static int
mod_mbedtls_conf_verify (handler_ctx *hctx, mbedtls_ssl_config *ssl_ctx)
{
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"MTLS: can't verify client without ssl.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
/* send ssl_ca_dn_file (if set) in client certificate request
* (later changed to ssl_ca_file before client certificate verification) */
mbedtls_x509_crt *ca_certs = hctx->conf.ssl_ca_dn_file
? hctx->conf.ssl_ca_dn_file
: hctx->conf.ssl_ca_file;
mbedtls_ssl_context * const ssl = &hctx->ssl;
mbedtls_ssl_set_hs_ca_chain(ssl, ca_certs, hctx->conf.ssl_ca_crl_file);
#if MBEDTLS_VERSION_NUMBER >= 0x02120000 /* mbedtls 2.18.0 */
UNUSED(ssl_ctx);
mbedtls_ssl_set_verify(ssl, mod_mbedtls_verify_cb, hctx);
#else
mbedtls_ssl_conf_verify(ssl_ctx, mod_mbedtls_verify_cb, hctx);
#endif
return 0;
}
/* mbedTLS interfaces are generally excellent. mbedTLS convenience interfaces
* to read CRLs, X509 certs, and private keys are uniformly paranoid about
* clearing memory. At the moment, stdio routines fopen(), fread(), fclose()
* are used for portability, but without setvbuf(stream, NULL, _IOLBF, 0),
* again for portability, since setvbuf() is not necessarily available. Since
* stdio buffers by default, use our own funcs to read files without buffering.
* mbedtls_pk_load_file() includes trailing '\0' in size when contents in PEM
* format, so do the same with the value returned from fdevent_load_file().
*/
static int
mod_mbedtls_x509_crl_parse_file (mbedtls_x509_crl *chain, const char *fn)
{
int rc = MBEDTLS_ERR_X509_FILE_IO_ERROR;
off_t dlen = 512*1024*1024;/*(arbitrary limit: 512 MB file; expect < 1 MB)*/
char *data = fdevent_load_file(fn, &dlen, NULL, malloc, free);
if (NULL == data) return rc;
rc = mbedtls_x509_crl_parse(chain, (unsigned char *)data, (size_t)dlen+1);
if (dlen) safe_memclear(data, (size_t)dlen);
free(data);
return rc;
}
static int
mod_mbedtls_x509_crt_parse_file (mbedtls_x509_crt *chain, const char *fn)
{
int rc = MBEDTLS_ERR_X509_FILE_IO_ERROR;
off_t dlen = 512*1024*1024;/*(arbitrary limit: 512 MB file; expect < 1 MB)*/
char *data = fdevent_load_file(fn, &dlen, NULL, malloc, free);
if (NULL == data) return rc;
rc = mbedtls_x509_crt_parse(chain, (unsigned char *)data, (size_t)dlen+1);
if (dlen) safe_memclear(data, (size_t)dlen);
free(data);
return rc;
}
static int
mod_mbedtls_pk_parse_keyfile (mbedtls_pk_context *ctx, const char *fn, const char *pwd)
{
int rc = MBEDTLS_ERR_PK_FILE_IO_ERROR;
off_t dlen = 512*1024*1024;/*(arbitrary limit: 512 MB file; expect < 1 MB)*/
char *data = fdevent_load_file(fn, &dlen, NULL, malloc, free);
if (NULL == data) return rc;
rc = mbedtls_pk_parse_key(ctx, (unsigned char *)data, (size_t)dlen+1,
(const unsigned char *)pwd,
pwd ? strlen(pwd) : 0);
if (dlen) safe_memclear(data, (size_t)dlen);
free(data);
return rc;
}
static void *
network_mbedtls_load_pemfile (server *srv, const buffer *pemfile, const buffer *privkey)
{
mbedtls_x509_crt ssl_pemfile_x509; /* parsed public key structure */
mbedtls_pk_context ssl_pemfile_pkey; /* parsed private key structure */
int rc;
mbedtls_x509_crt_init(&ssl_pemfile_x509); /* init cert structure */
rc = mod_mbedtls_x509_crt_parse_file(&ssl_pemfile_x509, pemfile->ptr);
if (0 != rc) {
elogf(srv->errh, __FILE__, __LINE__, rc,
"PEM file cert read failed (%s)", pemfile->ptr);
return NULL;
}
mbedtls_pk_init(&ssl_pemfile_pkey); /* init private key context */
rc = mod_mbedtls_pk_parse_keyfile(&ssl_pemfile_pkey, privkey->ptr, NULL);
if (0 != rc) {
elogf(srv->errh, __FILE__, __LINE__, rc,
"PEM file private key read failed %s", privkey->ptr);
mbedtls_x509_crt_free(&ssl_pemfile_x509);
return NULL;
}
rc = mbedtls_pk_check_pair(&ssl_pemfile_x509.pk, &ssl_pemfile_pkey);
if (0 != rc) {
elogf(srv->errh, __FILE__, __LINE__, rc,
"PEM cert and private key did not verify (%s) (%s)",
pemfile->ptr, privkey->ptr);
mbedtls_pk_free(&ssl_pemfile_pkey);
mbedtls_x509_crt_free(&ssl_pemfile_x509);
return NULL;
}
plugin_cert *pc = malloc(sizeof(plugin_cert));
force_assert(pc);
pc->ssl_pemfile_pkey = ssl_pemfile_pkey;
pc->ssl_pemfile_x509 = ssl_pemfile_x509;
pc->ssl_pemfile = pemfile;
pc->ssl_privkey = privkey;
pc->need_chain = (ssl_pemfile_x509.next == NULL
&& !mod_mbedtls_crt_is_self_issued(&ssl_pemfile_x509));
mbedtls_platform_zeroize(&ssl_pemfile_pkey, sizeof(ssl_pemfile_pkey));
return pc;
}
#ifdef MBEDTLS_SSL_ALPN
static int
mod_mbedtls_acme_tls_1 (handler_ctx *hctx)
{
buffer * const b = hctx->tmp_buf;
const buffer * const name = &hctx->r->uri.authority;
log_error_st * const errh = hctx->r->conf.errh;
mbedtls_x509_crt *ssl_pemfile_x509 = NULL;
mbedtls_pk_context *ssl_pemfile_pkey = NULL;
size_t len;
int rc = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
/* check if acme-tls/1 protocol is enabled (path to dir of cert(s) is set)*/
if (buffer_string_is_empty(hctx->conf.ssl_acme_tls_1))
return 0; /*(should not happen)*/
/* check if SNI set server name (required for acme-tls/1 protocol)
* and perform simple path checks for no '/'
* and no leading '.' (e.g. ignore "." or ".." or anything beginning '.') */
if (buffer_string_is_empty(name)) return rc;
if (NULL != strchr(name->ptr, '/')) return rc;
if (name->ptr[0] == '.') return rc;
#if 0
if (0 != http_request_host_policy(name,hctx->r->conf.http_parseopts,443))
return rc;
#endif
buffer_copy_buffer(b, hctx->conf.ssl_acme_tls_1);
buffer_append_path_len(b, CONST_BUF_LEN(name));
len = buffer_string_length(b);
do {
buffer_append_string_len(b, CONST_STR_LEN(".crt.pem"));
ssl_pemfile_x509 = malloc(sizeof(*ssl_pemfile_x509));
force_assert(ssl_pemfile_x509);
mbedtls_x509_crt_init(ssl_pemfile_x509); /* init cert structure */
rc = mod_mbedtls_x509_crt_parse_file(ssl_pemfile_x509, b->ptr);
if (0 != rc) {
elogf(errh, __FILE__, __LINE__, rc,
"Failed to load acme-tls/1 pemfile: %s", b->ptr);
break;
}
buffer_string_set_length(b, len); /*(remove ".crt.pem")*/
buffer_append_string_len(b, CONST_STR_LEN(".key.pem"));
ssl_pemfile_pkey = malloc(sizeof(*ssl_pemfile_pkey));
force_assert(ssl_pemfile_pkey);
mbedtls_pk_init(ssl_pemfile_pkey); /* init private key context */
rc = mod_mbedtls_pk_parse_keyfile(ssl_pemfile_pkey, b->ptr, NULL);
if (0 != rc) {
elogf(errh, __FILE__, __LINE__, rc,
"Failed to load acme-tls/1 pemfile: %s", b->ptr);
break;
}
rc = mbedtls_ssl_set_hs_own_cert(&hctx->ssl,
ssl_pemfile_x509, ssl_pemfile_pkey);
if (0 != rc) {
elogf(errh, __FILE__, __LINE__, rc,
"failed to set acme-tls/1 certificate for TLS server "
"name %s", name->ptr);
break;
}
hctx->acme_tls_1_pkey = ssl_pemfile_pkey; /* save ptr and free later */
hctx->acme_tls_1_x509 = ssl_pemfile_x509; /* save ptr and free later */
return 0;
} while (0);
if (ssl_pemfile_pkey) {
mbedtls_pk_free(ssl_pemfile_pkey);
free(ssl_pemfile_pkey);
}
if (ssl_pemfile_x509) {
mbedtls_x509_crt_free(ssl_pemfile_x509);
free(ssl_pemfile_x509);
}
return rc;
}
enum {
MOD_MBEDTLS_ALPN_HTTP11 = 1
,MOD_MBEDTLS_ALPN_HTTP10 = 2
,MOD_MBEDTLS_ALPN_H2 = 3
,MOD_MBEDTLS_ALPN_ACME_TLS_1 = 4
};
static int
mod_mbedtls_alpn_select_cb (handler_ctx *hctx, const char *in)
{
const int n = (int)strlen(in);
const int i = 0;
unsigned short proto;
switch (n) {
case 2: /* "h2" */
if (in[i] == 'h' && in[i+1] == '2') {
proto = MOD_MBEDTLS_ALPN_H2;
hctx->r->http_version = HTTP_VERSION_2;
break;
}
return 0;
case 8: /* "http/1.1" "http/1.0" */
if (0 == memcmp(in+i, "http/1.", 7)) {
if (in[i+7] == '1') {
proto = MOD_MBEDTLS_ALPN_HTTP11;
break;
}
if (in[i+7] == '0') {
proto = MOD_MBEDTLS_ALPN_HTTP10;
break;
}
}