lighttpd 1.4.x https://www.lighttpd.net/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3583 lines
132 KiB

/*
* mod_nss - Network Security Services (NSS) support for lighttpd
*
* Copyright(c) 2020 Glenn Strauss gstrauss()gluelogic.com All rights reserved
* License: BSD 3-clause (same as lighttpd)
*
* Portions supporting mod_nss_ssl_conf_ciphersuites() (see end of file)
* Copyright 2001-2004 The Apache Software Foundation
*/
/*
* WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED
*
* NSS docs: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
*
* NSS documentation is seriously lacking and man pages exist only for apps;
* be prepared to slog through organic piles of NSS library code
*
* Note: If session tickets are -not- disabled with
* ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
* NSS never rotates server ticket encryption key (STEK) while running.
* Therefore, if session tickets are enabled, lighttpd server should be
* restarted (by an external job) at least every 24 hours. Restarting
* lighttpd generates a new key that is shared by lighttpd workers. There
* is no mechanism implemented in lighttpd mod_nss to share STEK between
* independent lighttpd servers. ssl.stek-file is not used in mod_nss.
*
* NSS provides SSL_SetSessionTicketKeyPair(pubKey, privKey) to set RSA keys.
* However, to match behavior of other lighttpd TLS modules, it seems we want
* to set the private struct ssl_self_encrypt_keys in lib/ssl/sslsnce.c
* instead of the private struct ssl_self_encrypt_key_pair.
* sslSelfEncryptKeys ssl_self_encrypt_keys contains:
* PRUint8 keyName[SELF_ENCRYPT_KEY_NAME_LEN];
* PK11SymKey *encKey;
* PK11SymKey *macKey;
* (see lib/ssl/sslsnce.c:GenerateSelfEncryptKeys())
* PK11SymKey *masterSecret in ssl3CipherSpec in ssl3State in sslSessionID
* is private in lib/ssl/ssl3con.c
*
* XXX: due to limitations, consider disabling session tickets in mod_nss
*
* not implemented:
* - session ticket rotation (see comments above)
* - OCSP Must Staple detection
* - ssl.honor-cipher-order
* - ssl.verifyclient.depth
* - ssl.dh-file
* - ssl.ec-curve
* - ssl.openssl.ssl-conf-cmd Ciphersuite
*
* future:
* - consider SSL_AlertReceivedCallback() to set SSLAlertCallback
* in order to (optionally) log alerts, and to abort connection if fatal alert
* - consider using experimental API for cipher suite choice in lib/ssl/sslexp.h
* SSL_CipherSuiteOrderGet
* SSL_CipherSuiteOrderSet
* - detect CLOSE_NOTIFY from client
* - feature options
* - SSL_ENABLE_FALSE_START
* - SSL_ENABLE_DELEGATED_CREDENTIALS
* - SSL_ENABLE_0RTT_DATA
* - SSL_SUPPRESS_END_OF_EARLY_DATA
* - crypto option using FreeBL
* "A core element of NSS is FreeBL, a base library providing hash functions,
* big number calculations, and cryptographic algorithms."
* "Softoken is an NSS module that exposes most FreeBL functionality as a
* PKCS#11 module."
* "PR_GetRandomNoise - Produces a random value for use as a seed value for
* another random number generator."
*/
#include "first.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h> /* vsnprintf() */
#include <string.h>
#include <unistd.h>
#if defined(__CYGWIN__)
#include <nspr/nspr.h>
#include <nspr/private/pprio.h> /* see mod_nss_io_ctor() comments */
#include <nss/nss.h>
#include <nss/nssb64.h>
#include <nss/pk11pub.h>
#include <nss/secder.h>
#include <nss/secerr.h>
#include <nss/ssl.h>
#include <nss/sslproto.h>
#else
#include <nspr4/nspr.h>
#include <nspr4/private/pprio.h> /* see mod_nss_io_ctor() comments */
#include <nss3/nss.h>
#include <nss3/nssb64.h>
#include <nss3/pk11pub.h>
#include <nss3/secder.h>
#include <nss3/secerr.h>
#include <nss3/ssl.h>
#include <nss3/sslproto.h>
#endif
#include "base.h"
#include "fdevent.h"
#include "http_header.h"
#include "log.h"
#include "plugin.h"
#include "safe_memclear.h"
typedef struct {
/* SNI per host: with COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
char must_staple;
CERTCertificate *ssl_pemfile_x509;
SECKEYPrivateKey *ssl_pemfile_pkey;
SSLExtraServerCertData ssl_credex;
const buffer *ssl_stapling_file;
time_t ssl_stapling_loadts;
time_t ssl_stapling_nextts;
SECItemArray OCSPResponses;
SECItem OCSPResponse;
} plugin_cert;
typedef struct {
PRFileDesc *model;
SSLVersionRange protos;
PRBool ssl_compression;
int8_t ssl_session_ticket;
} plugin_ssl_ctx;
typedef struct {
plugin_cert *pc;
/*(used only during startup; not patched)*/
unsigned char ssl_enabled; /* only interesting for setting up listening sockets. don't use at runtime */
unsigned char ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
unsigned char ssl_empty_fragments;
unsigned char ssl_use_sslv2;
unsigned char ssl_use_sslv3;
const buffer *ssl_cipher_list;
const buffer *ssl_ec_curve;
array *ssl_conf_cmd;
/*(copied from plugin_data for socket ssl_ctx config)*/
unsigned char ssl_session_ticket;
unsigned char ssl_verifyclient;
unsigned char ssl_verifyclient_enforce;
unsigned char ssl_verifyclient_depth;
PRFileDesc *model;
SSLVersionRange protos;
PRBool ssl_compression;
} plugin_config_socket; /*(used at startup during configuration)*/
typedef struct {
/* SNI per host: w/ COMP_SERVER_SOCKET, COMP_HTTP_SCHEME, COMP_HTTP_HOST */
plugin_cert *pc;
CERTCertList *ssl_ca_file;
CERTCertList *ssl_ca_dn_file;
unsigned char ssl_verifyclient;
unsigned char ssl_verifyclient_enforce;
unsigned char ssl_verifyclient_depth;
unsigned char ssl_verifyclient_export_cert;
unsigned char ssl_read_ahead;
unsigned char ssl_log_noise;
unsigned char ssl_disable_client_renegotiation;
const buffer *ssl_verifyclient_username;
const buffer *ssl_acme_tls_1;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_ssl_ctx *ssl_ctxs;
plugin_config defaults;
server *srv;
} plugin_data;
static int ssl_is_init;
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = r->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
#define LOCAL_SEND_BUFSIZE 16384 /* DEFAULT_MAX_RECORD_SIZE */
static char *local_send_buffer;
typedef struct {
PRFileDesc *ssl;
request_st *r;
connection *con;
int8_t request_env_patched;
int8_t close_notify;
uint8_t alpn;
int8_t ssl_session_ticket;
int handshake;
size_t pending_write;
plugin_config conf;
int verify_status;
buffer *tmp_buf;
} handler_ctx;
static handler_ctx *
handler_ctx_init (void)
{
handler_ctx *hctx = calloc(1, sizeof(*hctx));
force_assert(hctx);
return hctx;
}
static void mod_nss_io_dtor (PRFileDesc *ssl);
static void
handler_ctx_free (handler_ctx *hctx)
{
mod_nss_io_dtor(hctx->ssl);
free(hctx);
}
__attribute_cold__
static void elog(log_error_st * const errh,
const char * const file, const int line,
const char * const msg)
{
/* error logging convenience function that decodes gnutls result codes */
const PRErrorCode rc = PR_GetError();
const char *s = PR_ErrorToName(rc);
log_error(errh, file, line, "NSS: %s: (%s) %s",
msg, s ? s : "", PR_ErrorToString(rc, 0));
}
__attribute_cold__
__attribute_format__((__printf__, 4, 5))
static void elogf(log_error_st * const errh,
const char * const file, const int line,
const char * const fmt, ...)
{
char msg[1024];
va_list ap;
va_start(ap, fmt);
vsnprintf(msg, sizeof(msg), fmt, ap);
va_end(ap);
elog(errh, file, line, msg);
}
static PRFileDesc *
mod_nss_io_ctor (int fd, PRFileDesc *model, log_error_st *errh)
{
/* WTH? Why not a public PR_ImportTCPSocket() interface from NSPR?
* (and PR_GetInheritedFD() is not a great replacement interface to
* fudge NSPR_INHERIT_FDS in environment for each connection)
*
* #include <nspr4/private/pprio.h>
* Use internal routines to set up PRFileDesc. Perform actions underlying
* PR_ImportTCPSocket() to avoid excess work done by PR_ImportTCPSocket(),
* which includes closing the fd if there is a failure. Could pass 0 as fd
* to PR_AllocFileDesc() to avoid NSPR setting O_NONBLOCK since already set.
* Instead, employ simpler PR_CreateSocketPollFd() and change methods table,
* which handles _PR_ImplicitInitialization() (PR_AllocFileDesc() does not).
* (WTH?: PR_AllocFileDesc() has limit fd < FD_SETSIZE when XP_UNIX defined)
* Note: since bypassing PR_ImportTCPSocket() this might not work on Windows
* which expects prfd->secret->af to be set to AF_INET.
*/
#if defined(_WIN32) && !defined(__CYGWIN__)
PRFileDesc *prfd = PR_ImportTCPSocket(fd);
if (NULL == prfd) {
elog(errh, __FILE__, __LINE__, "PR_ImportTCPSocket()");
return NULL;
}
#else
/*PRFileDesc *prfd = PR_AllocFileDesc(0, PR_GetTCPMethods());*/
PRFileDesc *prfd = PR_CreateSocketPollFd(fd);
if (NULL == prfd) {
elog(errh, __FILE__, __LINE__, "PR_CreateSocketPollFd()");
return NULL;
}
/*PR_ChangeFileDescNativeHandle(prfd, fd);*/
prfd->methods = PR_GetTCPMethods();
/*prfd->dtor = PR_FreeFileDesc();*/ /* PR_FreeFileDesc() is private */
#endif
/* set prfd->secret->nonblocking flag */
PRSocketOptionData data;
data.option = PR_SockOpt_Nonblocking;
data.value.non_blocking = PR_TRUE;
if (PR_SetSocketOption(prfd, &data) != PR_SUCCESS) {
elog(errh, __FILE__, __LINE__, "PR_SocketSetSocketOption()");
PR_DestroySocketPollFd(prfd); /* PR_FreeFileDesc() is private */
return NULL;
}
PRFileDesc *ssl = SSL_ImportFD(model, prfd);
if (NULL == ssl) {
elog(errh, __FILE__, __LINE__, "SSL_ImportFD()");
PR_DestroySocketPollFd(prfd); /* PR_FreeFileDesc() is private */
return NULL;
}
return ssl;
}
static void
mod_nss_io_detach (PRFileDesc *ssl)
{
#if 0 /* PR_PopIOLayer() forbids pop of PR_NSPR_IO_LAYER */
PRFileDesc *prfd = PR_PopIOLayer(ssl, PR_NSPR_IO_LAYER);
if (prfd) {
PR_ChangeFileDescNativeHandle(prfd, -1);
PR_DestroySocketPollFd(prfd); /* PR_FreeFileDesc() is private */
}
#else
/*(results in close(-1) and EBADF from PR_Close() in mod_nss_io_dtor())*/
PRFileDesc *prfd = PR_GetIdentitiesLayer(ssl, PR_NSPR_IO_LAYER);
if (prfd)
PR_ChangeFileDescNativeHandle(prfd, -1);
#endif
}
static void
mod_nss_io_dtor (PRFileDesc *ssl)
{
if (NULL == ssl) return;
mod_nss_io_detach(ssl);
PR_Close(ssl);
}
static int
mod_nss_load_file (const char * const fn, SECItem * const d, log_error_st *errh)
{
off_t dlen = 512*1024*1024;/*(arbitrary limit: 512 MB file; expect < 1 MB)*/
char *data = fdevent_load_file(fn, &dlen, errh, PORT_Alloc, PORT_Free);
if (NULL == data) return -1;
d->type = siBuffer;
d->data = (unsigned char *)data;
d->len = (unsigned int)dlen;
return 0;
}
static void
mod_nss_secitem_wipe (SECItem * const d)
{
/* safer than SECITEM_ZfreeItem() */
if (NULL == d) return;
if (d->data) {
if (d->len) safe_memclear(d->data, d->len); /*safer than PORT_Memset()*/
PORT_Free(d->data); /* safe_memclear() is safer than PORT_ZFree() */
d->data = NULL;
}
d->len = 0;
}
INIT_FUNC(mod_nss_init)
{
plugin_data_singleton = (plugin_data *)calloc(1, sizeof(plugin_data));
return plugin_data_singleton;
}
static int mod_nss_init_once_nss (void)
{
if (ssl_is_init) return 1;
ssl_is_init = 1;
/*PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);*//*implicit on first use*/
if (NSS_NoDB_Init(NULL) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_FALSE) < 0)
return 0;
/* XXX: lighttpd is single threaded and so SSL_NO_LOCKS is desirable,
* but NSS crashes if SSL_NO_LOCKS option is set to PR_TRUE.
* (Crash in SSL3_SendAlert() call to PR_GetMonitorEntryCount()
* with NULL ptr to monitor (mon))
* NSS lib/ssl/sslimpl.h macros such as ssl_HaveSSL3HandshakeLock(ss),
* plus some other .c files use macros without first checking if
* (!ss->opt.noLocks): PZ_InMonitor() PZ_InMonitor() PZ_InMonitor() */
/*if (SSL_OptionSetDefault(SSL_NO_LOCKS, PR_TRUE) < 0)*/
if (SSL_OptionSetDefault(SSL_NO_LOCKS, PR_FALSE) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_NO_CACHE, PR_TRUE) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, PR_TRUE) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_ALPN, PR_TRUE) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
SSL_RENEGOTIATE_NEVER) < 0)
return 0;
if (NSS_SetDomesticPolicy() < 0)
return 0;
local_send_buffer = malloc(LOCAL_SEND_BUFSIZE);
force_assert(NULL != local_send_buffer);
return 1;
}
static void mod_nss_free_nss (void)
{
if (!ssl_is_init) return;
NSS_Shutdown();
free(local_send_buffer);
ssl_is_init = 0;
}
#define PEM_BEGIN "-----BEGIN "
#define PEM_END "-----END "
#define PEM_BEGIN_CERT "-----BEGIN CERTIFICATE-----"
#define PEM_END_CERT "-----END CERTIFICATE-----"
#define PEM_BEGIN_TRUSTED_CERT "-----BEGIN TRUSTED CERTIFICATE-----"
#define PEM_END_TRUSTED_CERT "-----END TRUSTED CERTIFICATE-----"
#define PEM_BEGIN_PKEY "-----BEGIN PRIVATE KEY-----"
#define PEM_END_PKEY "-----END PRIVATE KEY-----"
#define PEM_BEGIN_EC_PKEY "-----BEGIN EC PRIVATE KEY-----"
#define PEM_END_EC_PKEY "-----END EC PRIVATE KEY-----"
#define PEM_BEGIN_RSA_PKEY "-----BEGIN RSA PRIVATE KEY-----"
#define PEM_END_RSA_PKEY "-----END RSA PRIVATE KEY-----"
#define PEM_BEGIN_DSA_PKEY "-----BEGIN DSA PRIVATE KEY-----"
#define PEM_END_DSA_PKEY "-----END DSA PRIVATE KEY-----"
#define PEM_BEGIN_ANY_PKEY "-----BEGIN ANY PRIVATE KEY-----"
#define PEM_END_ANY_PKEY "-----END ANY PRIVATE KEY-----"
/* (not implemented: support to get password from user for encrypted key) */
#define PEM_BEGIN_ENCRYPTED_PKEY "-----BEGIN ENCRYPTED PRIVATE KEY-----"
#define PEM_END_ENCRYPTED_PKEY "-----END ENCRYPTED PRIVATE KEY-----"
#define PEM_BEGIN_X509_CRL "-----BEGIN X509 CRL-----"
#define PEM_END_X509_CRL "-----END X509 CRL-----"
static CERTCertificateList *
mod_nss_load_pem_file (const char *fn, log_error_st *errh)
{
if (!mod_nss_init_once_nss()) return NULL;
SECItem f;
int rc = mod_nss_load_file(fn, &f, errh);
if (rc < 0) return NULL;
rc = -1;
CERTCertificateList *chain = NULL;
do {
int count = 0;
char *b = (char *)f.data;
for (; (b = strstr(b, PEM_BEGIN_CERT)); b += sizeof(PEM_BEGIN_CERT)-1)
++count;
b = (char *)f.data;
for (; (b = strstr(b, PEM_BEGIN_TRUSTED_CERT));
b += sizeof(PEM_BEGIN_TRUSTED_CERT)-1)
++count;
if (0 == count) {
rc = 0;
break;
}
PLArenaPool *arena = PORT_NewArena(4096);
if (NULL == arena)
break;
chain = (CERTCertificateList *)
PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
if (NULL == chain) {
PORT_FreeArena(arena, PR_FALSE);
break;
}
chain->arena = arena;
chain->len = count;
chain->certs = (SECItem *)PORT_ArenaAlloc(arena, count*sizeof(SECItem));
if (NULL == chain->certs)
break;
int i = 0;
for (char *e = (char *)f.data; (b = strstr(e, PEM_BEGIN_CERT)); ++i) {
b += sizeof(PEM_BEGIN_CERT)-1;
if (*b == '\r') ++b;
if (*b == '\n') ++b;
e = strstr(b, PEM_END_CERT);
if (NULL == e) break;
uint32_t len = (uint32_t)(e - b);
e += sizeof(PEM_END_CERT)-1;
chain->certs[i].type = 0;
chain->certs[i].data = NULL;
chain->certs[i].len = 0;
if (NULL == NSSBase64_DecodeBuffer(arena, chain->certs+i, b, len))
break;
}
for (char *e=(char *)f.data; (b=strstr(e,PEM_BEGIN_TRUSTED_CERT)); ++i){
b += sizeof(PEM_BEGIN_TRUSTED_CERT)-1;
if (*b == '\r') ++b;
if (*b == '\n') ++b;
e = strstr(b, PEM_END_TRUSTED_CERT);
if (NULL == e) break;
uint32_t len = (uint32_t)(e - b);
e += sizeof(PEM_END_TRUSTED_CERT)-1;
chain->certs[i].type = 0;
chain->certs[i].data = NULL;
chain->certs[i].len = 0;
if (NULL == NSSBase64_DecodeBuffer(arena, chain->certs+i, b, len))
break;
}
if (i == count)
rc = 0;
else
PORT_SetError(SEC_ERROR_IO);
} while (0);
mod_nss_secitem_wipe(&f);
if (rc < 0) {
elogf(errh, __FILE__, __LINE__, "error loading %s", fn);
if (chain)
CERT_DestroyCertificateList(chain);
return NULL;
}
return chain;
}
static CERTCertificate *
mod_nss_load_pem_crts (const char *fn, log_error_st *errh, CERTCertificateList **pchain)
{
*pchain = mod_nss_load_pem_file(fn, errh);
if (NULL == *pchain) return NULL;
CERTCertificate *cert = CERT_NewTempCertificate(NULL, (*pchain)->certs+0,
NULL, PR_FALSE, PR_TRUE);
if (NULL == cert) {
CERT_DestroyCertificateList(*pchain);
*pchain = NULL;
}
return cert;
}
static CERTCertList *
mod_nss_cert_list (CERTCertificateList *crts)
{
SECStatus rc = SECFailure;
CERTCertificate *cert = NULL;
CERTCertList *clist = CERT_NewCertList();
if (NULL != clist) {
for (int i = 0; i < crts->len; ++i) {
cert = CERT_NewTempCertificate(NULL, crts->certs+i,
NULL, PR_FALSE, PR_TRUE);
if (NULL == cert) break;
rc = CERT_AddCertToListTail(clist, cert);
if (rc < 0) break;
}
}
if (rc < 0 || NULL == cert) {
if (cert) CERT_DestroyCertificate(cert);
if (clist) CERT_DestroyCertList(clist);
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
return clist;
}
static CERTCertList *
mod_nss_load_config_crts (const char *fn, log_error_st *errh)
{
CERTCertificateList *crts = mod_nss_load_pem_file(fn, errh);
if (NULL == crts) return NULL;
CERTCertList *clist = NULL;
SECStatus rc =
CERT_ImportCAChainTrusted(crts->certs,crts->len,certUsageUserCertImport);
if (rc == SECSuccess)
clist = mod_nss_cert_list(crts);
else {
elogf(errh, __FILE__, __LINE__, "CERT_ImportCAChainTrusted() %s", fn);
CERT_DestroyCertificateList(crts);
return NULL;
}
CERT_DestroyCertificateList(crts);
return clist;
}
static CERTCertList *
mod_nss_load_config_dncrts (const char *fn, log_error_st *errh)
{
CERTCertificateList *crts = mod_nss_load_pem_file(fn, errh);
if (NULL == crts) return NULL;
CERTCertList *clist = mod_nss_cert_list(crts);
CERT_DestroyCertificateList(crts);
return clist;
}
static void
mod_nss_free_config_crls (CERTCertificateList *crls)
{
if (NULL == crls) return;
CERTCertDBHandle * const dbhandle = CERT_GetDefaultCertDB();
for (int i = 0; i < crls->len; ++i)
CERT_UncacheCRL(dbhandle, crls->certs+i);
CERT_DestroyCertificateList(crls);
}
static CERTCertificateList *
mod_nss_load_config_crls (const char *fn, log_error_st *errh)
{
/*(similar start to other mod_nss_load_config_*())*/
if (!mod_nss_init_once_nss()) return NULL;
SECItem f;
int rc = mod_nss_load_file(fn, &f, errh);
if (rc < 0) return NULL;
rc = -1;
CERTCertificateList *chain = NULL;
CERTCertDBHandle * const dbhandle = CERT_GetDefaultCertDB();
do {
int count = 0;
char *b = (char *)f.data;
for (; (b = strstr(b, PEM_BEGIN_X509_CRL));
b += sizeof(PEM_BEGIN_X509_CRL)-1)
++count;
if (0 == count) {
rc = 0;
break;
}
PLArenaPool *arena = PORT_NewArena(4096);
if (NULL == arena)
break;
chain = (CERTCertificateList *)
PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
if (NULL == chain) {
PORT_FreeArena(arena, PR_FALSE);
break;
}
chain->arena = arena;
chain->len = count;
chain->certs = (SECItem *)PORT_ArenaAlloc(arena, count*sizeof(SECItem));
if (NULL == chain->certs)
break;
int i = 0;
for (char *e = (char *)f.data; (b = strstr(e,PEM_BEGIN_X509_CRL)); ++i){
b += sizeof(PEM_BEGIN_X509_CRL)-1;
if (*b == '\r') ++b;
if (*b == '\n') ++b;
e = strstr(b, PEM_END_X509_CRL);
if (NULL == e) break;
uint32_t len = (uint32_t)(e - b);
e += sizeof(PEM_END_X509_CRL)-1;
chain->certs[i].type = 0;
chain->certs[i].data = NULL;
chain->certs[i].len = 0;
if (NULL == NSSBase64_DecodeBuffer(arena, chain->certs+i, b, len))
break;
/* using ephemeral db, so cache CRL instead of CERT_ImportCRL() */
if (CERT_CacheCRL(dbhandle, chain->certs+i) < 0)
break;
}
if (i == count)
rc = 0;
else
PORT_SetError(SEC_ERROR_IO);
} while (0);
mod_nss_secitem_wipe(&f);
if (rc < 0) {
elogf(errh, __FILE__, __LINE__, "error loading %s", fn);
if (chain)
CERT_DestroyCertificateList(chain);
return NULL;
}
return chain;
}
static SECItem *
mod_nss_cert_get_publicValue (SECKEYPublicKey *pubKey)
{
/*(lib/pkcs12/p12d.c:sec_pkcs12_get_public_value_and_type() private)*/
/*(lib/pk11wrap/pk11akey.c:pk11_MakeIDFromPublicKey() private, hashes)*/
/*(lib/crmf/crmfcont.c:crmf_get_public_value() public but incomplete)*/
switch (pubKey->keyType) {
case dsaKey: return &pubKey->u.dsa.publicValue;
case dhKey: return &pubKey->u.dh.publicValue;
case rsaKey: return &pubKey->u.rsa.modulus;
case ecKey: return &pubKey->u.ec.publicValue;
default: return NULL;
}
}
static SECKEYPrivateKey *
mod_nss_load_config_pkey (const char *fn, CERTCertificate *cert, log_error_st *errh)
{
/* NSS does not provide convenient mechanisms to read PEM or DER private key
* instead expecting PKCS12-format, which is not the convention used by many
* other TLS modules */
/*(similar start to other mod_nss_load_config_*())*/
if (!mod_nss_init_once_nss()) return NULL;
SECItem f;
int rc = mod_nss_load_file(fn, &f, errh);
if (rc < 0) return NULL;
SECItem der = { 0, NULL, 0 };
PK11SlotInfo *slot = NULL;
SECKEYPrivateKey *pkey = NULL;
SECStatus src = SECFailure;
do {
/*(expecting single private key in file, so first match)*/
char *b, *e;
if ((b = strstr((char *)f.data, PEM_BEGIN_PKEY))
&& (e = strstr(b, PEM_END_PKEY)))
b += sizeof(PEM_BEGIN_PKEY)-1;
else if ((b = strstr((char *)f.data, PEM_BEGIN_EC_PKEY))
&& (e = strstr(b, PEM_END_EC_PKEY)))
b += sizeof(PEM_BEGIN_EC_PKEY)-1;
else if ((b = strstr((char *)f.data, PEM_BEGIN_RSA_PKEY))
&& (e = strstr(b, PEM_END_RSA_PKEY)))
b += sizeof(PEM_BEGIN_RSA_PKEY)-1;
else if ((b = strstr((char *)f.data, PEM_BEGIN_DSA_PKEY))
&& (e = strstr(b, PEM_END_DSA_PKEY)))
b += sizeof(PEM_BEGIN_DSA_PKEY)-1;
else if ((b = strstr((char *)f.data, PEM_BEGIN_ANY_PKEY))
&& (e = strstr(b, PEM_END_ANY_PKEY)))
b += sizeof(PEM_BEGIN_ANY_PKEY)-1;
else
break;
if (*b == '\r') ++b;
if (*b == '\n') ++b;
if (NULL == NSSBase64_DecodeBuffer(NULL, &der, b, (uint32_t)(e - b)))
break;
slot = PK11_GetInternalKeySlot();
if (NULL == slot) break;
SECItem nickname = { 0, NULL, strlen(fn) };
*(const unsigned char **)&nickname.data = (unsigned char *)fn;
unsigned int keyUsage = KU_ALL; /* XXX: limit to fewer flags? */
PRBool isPerm = PR_FALSE;
PRBool isPrivate = PR_TRUE;
SECKEYPublicKey *pubKey = CERT_ExtractPublicKey(cert);
SECItem *pubValue = mod_nss_cert_get_publicValue(pubKey);
src =
PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &der, &nickname,
pubValue, isPerm, isPrivate,
keyUsage, &pkey, NULL);
/* nickname attribute has reference taken to data;
* data must persist longer than SECKEYPrivateKey */
/* (pubValue data is of decoded type SEC_ASN1_INTEGER and is copied) */
SECKEY_DestroyPublicKey(pubKey);
} while (0);
if (slot) PK11_FreeSlot(slot);
if (der.data) {
mod_nss_secitem_wipe(&der);
PORT_Free(der.data);
}
mod_nss_secitem_wipe(&f);
if (src < 0) {
elogf(errh, __FILE__, __LINE__,
"PK11_ImportDERPrivateKeyInfoAndReturnKey() %s", fn);
return NULL;
}
return pkey;
}
static void
mod_nss_free_config (server *srv, plugin_data * const p)
{
if (NULL != p->ssl_ctxs) {
PRFileDesc *global_model = p->ssl_ctxs->model;
/* free from $SERVER["socket"] (if not copy of global scope) */
for (uint32_t i = 1; i < srv->config_context->used; ++i) {
plugin_ssl_ctx * const s = p->ssl_ctxs + i;
if (s->model && s->model != global_model)
PR_Close(s->model);
}
/* free from global scope */
if (global_model)
PR_Close(global_model);
free(p->ssl_ctxs);
}
if (NULL == p->cvlist) return;
/* (init i to 0 if global context; to 1 to skip empty global context) */
for (int i = !p->cvlist[0].v.u2[1], used = p->nconfig; i < used; ++i) {
config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
for (; -1 != cpv->k_id; ++cpv) {
switch (cpv->k_id) {
case 0: /* ssl.pemfile */
if (cpv->vtype == T_CONFIG_LOCAL) {
plugin_cert *pc = cpv->v.v;
CERT_DestroyCertificate(pc->ssl_pemfile_x509);
SECKEY_DestroyPrivateKey(pc->ssl_pemfile_pkey);
CERTCertificateList *certChain;
*(const CERTCertificateList **)&certChain =
pc->ssl_credex.certChain;
CERT_DestroyCertificateList(certChain);
PORT_Free(pc->OCSPResponse.data);
//CERT_Destroy...(pc->ssl_credex.signedCertTimestamps);
//CERT_Destroy...(pc->ssl_credex.delegCred);
//CERT_Destroy...(pc->ssl_credex.delegCredPrivKey);
free(pc);
}
break;
case 2: /* ssl.ca-file */
case 3: /* ssl.ca-dn-file */
if (cpv->vtype == T_CONFIG_LOCAL)
CERT_DestroyCertList(cpv->v.v);
break;
case 4: /* ssl.ca-crl-file */
if (cpv->vtype == T_CONFIG_LOCAL)
mod_nss_free_config_crls(cpv->v.v);
break;
default:
break;
}
}
}
}
FREE_FUNC(mod_nss_free)
{
plugin_data *p = p_d;
if (NULL == p->srv) return;
mod_nss_free_config(p->srv, p);
mod_nss_free_nss();
}
static void
mod_nss_merge_config_cpv (plugin_config * const pconf, const config_plugin_value_t * const cpv)
{
switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
case 0: /* ssl.pemfile */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->pc = cpv->v.v;
break;
case 1: /* ssl.privkey */
break;
case 2: /* ssl.ca-file */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->ssl_ca_file = cpv->v.v;
break;
case 3: /* ssl.ca-dn-file */
if (cpv->vtype == T_CONFIG_LOCAL)
pconf->ssl_ca_dn_file = cpv->v.v;
break;
case 4: /* ssl.ca-crl-file */
break;
case 5: /* ssl.read-ahead */
pconf->ssl_read_ahead = (0 != cpv->v.u);
break;
case 6: /* ssl.disable-client-renegotiation */
pconf->ssl_disable_client_renegotiation = (0 != cpv->v.u);
break;
case 7: /* ssl.verifyclient.activate */
pconf->ssl_verifyclient = (0 != cpv->v.u);
break;
case 8: /* ssl.verifyclient.enforce */
pconf->ssl_verifyclient_enforce = (0 != cpv->v.u);
break;
case 9: /* ssl.verifyclient.depth */
pconf->ssl_verifyclient_depth = (unsigned char)cpv->v.shrt;
break;
case 10:/* ssl.verifyclient.username */
pconf->ssl_verifyclient_username = cpv->v.b;
break;
case 11:/* ssl.verifyclient.exportcert */
pconf->ssl_verifyclient_export_cert = (0 != cpv->v.u);
break;
case 12:/* ssl.acme-tls-1 */
pconf->ssl_acme_tls_1 = cpv->v.b;
break;
case 13:/* ssl.stapling-file */
break;
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
default:/* should not happen */
return;
}
}
static void
mod_nss_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv)
{
do {
mod_nss_merge_config_cpv(pconf, cpv);
} while ((++cpv)->k_id != -1);
}
static void
mod_nss_patch_config (request_st * const r, plugin_config * const pconf)
{
plugin_data * const p = plugin_data_singleton;
memcpy(pconf, &p->defaults, sizeof(plugin_config));
for (int i = 1, used = p->nconfig; i < used; ++i) {
if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
mod_nss_merge_config(pconf, p->cvlist + p->cvlist[i].v.u2[0]);
}
}
static SECStatus
mod_nss_verify_cb (void *arg, PRFileDesc *ssl, PRBool checkSig, PRBool isServer)
{
handler_ctx * const hctx = arg;
if (!hctx->conf.ssl_verifyclient) return SECSuccess;
/* Notes
* trusted CAs in ssl.ca-file were loaded into default cert db at startup
* OCSP checking (querying OCSP Responder) is disabled by default
* CERT_EnableOCSPChecking()
* CERT_DisableOCSPChecking()
* cert_VerifyCertWithFlags() is not public,
* so unable to use CERT_VERIFYCERT_SKIP_OCSP
* hctx->verify_status is set here; not setting SSL_BadCertHook()
* XXX: not implemented (yet) here: hctx->conf.ssl_verifyclient_depth)
*/
CERTCertificate *peer = NULL;
#if 0
peer = SSL_PeerCertificate(ssl);
if (NULL == peer)
return (PORT_GetError() == SSL_ERROR_NO_CERTIFICATE)
? SECSuccess
: SECFailure;
if (CERT_VerifyCert(CERT_GetDefaultCertDB(), peer, PR_TRUE,
certUsageSSLClient, (PRInt64)log_epoch_secs * 1000000,
SSL_RevealPinArg(ssl), NULL) < 0)
#else
if (SSL_AuthCertificate((void *)CERT_GetDefaultCertDB(),
ssl, checkSig, isServer) < 0)
#endif
{
hctx->verify_status = PORT_GetError();
if (0 == hctx->verify_status)
hctx->verify_status = SEC_ERROR_UNTRUSTED_CERT;
}
if (hctx->verify_status == 0 && hctx->conf.ssl_ca_dn_file) {
/* verify that client cert is issued by CA in ssl.ca-dn-file
* if both ssl.ca-dn-file and ssl.ca-file were configured */
if (NULL == peer) peer = SSL_PeerCertificate(ssl);
if (peer) {
CERTCertList * const certList = hctx->conf.ssl_ca_dn_file;
SECItem * const derIssuer = &peer->derIssuer;
CERTCertListNode *node = CERT_LIST_HEAD(certList);
for (; !CERT_LIST_END(node, certList); node = CERT_LIST_NEXT(node)){
SECItem * const derSubject = &node->cert->derSubject;
if (SECITEM_CompareItem(derIssuer, derSubject) == SECEqual)
break;
}
if (CERT_LIST_END(node, certList))
hctx->verify_status = SEC_ERROR_UNTRUSTED_CERT;
}
}
if (peer) CERT_DestroyCertificate(peer);
if (hctx->verify_status != 0 && hctx->conf.ssl_verifyclient_enforce) {
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
return SECFailure;
}
return SECSuccess;
}
static int
mod_nss_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ts)
{
SECItem f;
int rc = mod_nss_load_file(pc->ssl_stapling_file->ptr, &f, srv->errh);
if (rc < 0) return rc;
/* NSS has the ability to include multiple OCSP responses for
* certificate chain as allowed in TLSv1.3, but that is not utilized here.
* If implemented, it will probably operate on a new directive,
* e.g. ssl.stapling-pemfile
*/
/* Note that the credentials structure should be read-only when in
* use, thus when reloading, either the credentials structure must not
* be in use by any sessions, or a new credentials structure should be
* allocated for new sessions.
* XXX: lighttpd is not threaded, so this is probably not an issue (?)
*/
PORT_Free(pc->OCSPResponse.data);
pc->OCSPResponse.data = f.data;
pc->OCSPResponse.len = f.len;
pc->OCSPResponses.items = &pc->OCSPResponse;
pc->OCSPResponses.len = 1;
pc->ssl_credex.stapledOCSPResponses = &pc->OCSPResponses;
/* NSS does not expose CERTOCSPSingleResponse member nextUpdate
* to allow getting (PRTime) of nextUpdate from the OCSP response.
* (PRTime is (PRInt64) of microseconds since epoch)
* e.g. DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
* XXX: *not* implementing our own ASN.1 DER decoder for OCSP response
* ssl.stapling-file will be reloaded hourly
*/
time_t nextupd = (time_t)-1;
pc->ssl_stapling_loadts = cur_ts;
pc->ssl_stapling_nextts = nextupd;
if (pc->ssl_stapling_nextts == (time_t)-1) {
/* "Next Update" might not be provided by OCSP responder
* Use 3600 sec (1 hour) in that case. */
/* retry in 1 hour if unable to determine Next Update */
pc->ssl_stapling_nextts = cur_ts + 3600;
pc->ssl_stapling_loadts = 0;
}
return 0;
}
static int
mod_nss_refresh_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ts)
{
if (pc->ssl_stapling_nextts >= 256
&& pc->ssl_stapling_nextts - 256 > cur_ts)
return 0; /* skip check for refresh unless close to expire */
struct stat st;
if (0 != stat(pc->ssl_stapling_file->ptr, &st)
|| st.st_mtime <= pc->ssl_stapling_loadts) {
if (pc->ssl_stapling_nextts < cur_ts) {
/* discard expired OCSP stapling response */
pc->ssl_credex.stapledOCSPResponses = NULL;
if (pc->must_staple) {
log_error(srv->errh, __FILE__, __LINE__,
"certificate marked OCSP Must-Staple, "
"but OCSP response expired from ssl.stapling-file %s",
pc->ssl_stapling_file->ptr);
}
}
return 0;
}
re