source: mod_gnutls/include/mod_gnutls.h.in

mod_gnutls/0.10.0
Last change on this file was e819f13, checked in by Fiona Klute <fiona.klute@…>, 2 months ago

Unconditionally enable early SNI parsing

All supported GnuTLS versions provide gnutls_ext_raw_parse(), so
there's no more need to provide a fallback for older versions.

  • Property mode set to 100644
File size: 12.3 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2020 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30/* GnuTLS Library Headers */
31#include <gnutls/gnutls.h>
32#include <gnutls/abstract.h>
33#include <gnutls/x509.h>
34
35#ifndef __mod_gnutls_h_inc
36#define __mod_gnutls_h_inc
37
38extern module AP_MODULE_DECLARE_DATA gnutls_module;
39
40/* IO Filter names */
41#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
42#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
43/* GnuTLS Constants */
44#define GNUTLS_ENABLED_FALSE 0
45#define GNUTLS_ENABLED_TRUE  1
46#define GNUTLS_ENABLED_UNSET  2
47/* Current module version */
48#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
49
50/* Module Debug Mode */
51#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
52
53/** Name of the module-wide singleton watchdog */
54#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
55
56
57/* Internal cache data, defined in gnutls_cache.h */
58typedef struct mgs_cache* mgs_cache_t;
59
60typedef enum {
61    mgs_cvm_unset,
62    mgs_cvm_cartel,
63    mgs_cvm_msva
64} mgs_client_verification_method_e;
65
66
67/* Directory Configuration Record */
68typedef struct {
69    int client_verify_mode;
70} mgs_dirconf_rec;
71
72
73/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
74typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
75
76
77/* The maximum number of certificates to send in a chain */
78#define MAX_CHAIN_SIZE 8
79
80/** Server Configuration Record */
81typedef struct {
82    /** Server this mod_gnutls configuration is for */
83    server_rec* s;
84
85    /* --- Configuration values --- */
86        /* Is the module enabled? */
87    int enabled;
88        /* Is mod_proxy enabled? */
89    int proxy_enabled;
90
91    /* List of PKCS #11 provider modules to load, only valid in the
92     * base config, ignored in virtual hosts */
93    apr_array_header_t *p11_modules;
94
95    /* PIN used for PKCS #11 operations */
96    char *pin;
97
98    /* the SRK PIN used in TPM operations */
99    char *srk_pin;
100
101    char *x509_cert_file;
102    char *x509_key_file;
103    char *x509_ca_file;
104
105    char *dh_file;
106
107    char *priorities_str;
108    char *proxy_priorities_str;
109
110    const char* srp_tpasswd_file;
111    const char* srp_tpasswd_conf_file;
112
113        /* Cache timeout value */
114    int cache_timeout;
115    /* Enable cache */
116    unsigned char cache_enable : 2;
117    /* Internal cache data */
118    mgs_cache_t cache;
119
120        /* GnuTLS uses Session Tickets */
121    int tickets;
122
123    /* x509 Certificate Structure */
124    gnutls_certificate_credentials_t certs;
125    /* x509 credentials for proxy connections */
126    gnutls_certificate_credentials_t proxy_x509_creds;
127    /* trust list for proxy_x509_creds */
128    gnutls_x509_trust_list_t proxy_x509_tl;
129    const char* proxy_x509_key_file;
130    const char* proxy_x509_cert_file;
131    const char* proxy_x509_ca_file;
132    const char* proxy_x509_crl_file;
133    /* GnuTLS priorities for proxy connections */
134    gnutls_priority_t proxy_priorities;
135    /* SRP Certificate Structure*/
136    gnutls_srp_server_credentials_t srp_creds;
137    /* Anonymous Certificate Structure */
138    gnutls_anon_server_credentials_t anon_creds;
139    /* Anonymous Client Certificate Structure, used for proxy
140     * connections */
141    gnutls_anon_client_credentials_t anon_client_creds;
142        /* An x509 Certificate Chain */
143    gnutls_pcert_st *certs_x509_chain;
144    gnutls_x509_crt_t *certs_x509_crt_chain;
145        /* Number of Certificates in Chain */
146    unsigned int certs_x509_chain_num;
147
148        /* Current x509 Certificate Private Key */
149    gnutls_privkey_t privkey_x509;
150
151    /* Export full certificates to CGI environment: */
152    int export_certificates_size;
153        /* GnuTLS Priorities */
154    gnutls_priority_t priorities;
155        /* GnuTLS DH Parameters */
156    gnutls_dh_params_t dh_params;
157        /* A list of CA Certificates */
158    gnutls_x509_crt_t *ca_list;
159        /* CA Certificate list size */
160    unsigned int ca_list_size;
161        /* Client Certificate Verification Mode */
162    int client_verify_mode;
163        /* Client Certificate Verification Method */
164    mgs_client_verification_method_e client_verify_method;
165
166    /* Enable OCSP stapling */
167    unsigned char ocsp_staple;
168    /* Automatically refresh cached OCSP response? */
169    unsigned char ocsp_auto_refresh;
170    /* Check nonce in OCSP responses? */
171    unsigned char ocsp_check_nonce;
172    /* Read OCSP response for stapling from this file instead of
173     * sending a request over HTTP */
174    char **ocsp_response_file;
175    /* Number of configured OCSP response files */
176    int ocsp_response_file_num;
177    /* Internal OCSP data for this server */
178    mgs_ocsp_data_t *ocsp;
179    /* Number of successfully configured OCSP data sets */
180    unsigned int ocsp_num;
181    /* Mutex to prevent parallel OCSP requests */
182    apr_global_mutex_t *ocsp_mutex;
183    /* Internal OCSP cache data */
184    mgs_cache_t ocsp_cache;
185    /* Cache timeout for OCSP responses. Note that the nextUpdate
186     * field of the response takes precedence if shorter. */
187    apr_interval_time_t ocsp_cache_time;
188    /* If an OCSP request fails wait this long before trying again. */
189    apr_interval_time_t ocsp_failure_timeout;
190    /** How long before a cached OCSP response expires should it be
191     * updated? During configuration parsing this is set to the
192     * maximum, during post configuration the value will be set to
193     * half that. After each update the interval to for the next one
194     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
195     * RANDOM` with `0 <= RANDOM <= 1`. */
196    apr_interval_time_t ocsp_fuzz_time;
197    /* Socket timeout for OCSP requests */
198    apr_interval_time_t ocsp_socket_timeout;
199
200    /** This module's singleton watchdog, used for async OCSP cache
201     * updates. */
202    struct mgs_watchdog *singleton_wd;
203} mgs_srvconf_rec;
204
205/* Character Buffer */
206typedef struct {
207    int length;
208    char *value;
209} mgs_char_buffer_t;
210
211/** GnuTLS connection handle */
212typedef struct {
213        /* Server configuration record */
214    mgs_srvconf_rec *sc;
215        /* Connection record */
216    conn_rec* c;
217        /* Is TLS enabled for this connection? */
218    int enabled;
219    /* Is this a proxy connection? */
220    int is_proxy;
221        /* GnuTLS Session handle */
222    gnutls_session_t session;
223    /** Server name requested via SNI if any, or NULL. */
224    const char *sni_name;
225        /* module input status */
226    apr_status_t input_rc;
227        /* Input filter */
228    ap_filter_t *input_filter;
229        /* Input Bucket Brigade */
230    apr_bucket_brigade *input_bb;
231        /* Input Read Type */
232    apr_read_type_e input_block;
233        /* Input Mode */
234    ap_input_mode_t input_mode;
235        /* Input Character Buffer */
236    mgs_char_buffer_t input_cbuf;
237        /* Input Character Array */
238    char input_buffer[AP_IOBUFSIZE];
239        /* module Output status */
240    apr_status_t output_rc;
241        /* Output filter */
242    ap_filter_t *output_filter;
243        /* Output Bucket Brigade */
244    apr_bucket_brigade *output_bb;
245        /* Output character array */
246    char output_buffer[AP_IOBUFSIZE];
247        /* Output buffer length */
248    apr_size_t output_blen;
249        /* Output length */
250    apr_size_t output_length;
251    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
252     * error (checks use status < 0 or status > 0) */
253    int status;
254} mgs_handle_t;
255
256
257
258/* Proxy Support */
259/* An optional function which returns non-zero if the given connection
260is using SSL/TLS. */
261APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
262/* The ssl_var_lookup() optional function retrieves SSL environment
263 * variables. */
264APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
265                        (apr_pool_t *, server_rec *,
266                         conn_rec *, request_rec *,
267                         char *));
268/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
269 * are used by mod_proxy to enable use of SSL for outgoing
270 * connections. */
271APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
272APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
273APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
274                                              ap_conf_vector_t *,
275                                              int proxy, int enable));
276mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
277int ssl_is_https(conn_rec *c);
278char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
279                     request_rec *r, char *var);
280int ssl_proxy_enable(conn_rec *c);
281int ssl_engine_disable(conn_rec *c);
282const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
283                                 const int arg);
284apr_status_t mgs_cleanup_pre_config(void *data);
285
286
287
288/**
289 * Perform any reinitialization required in PKCS #11
290 */
291int mgs_pkcs11_reinit(server_rec * s);
292
293
294
295/* Configuration Functions */
296
297/* Loads all files set in the configuration */
298int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
299    __attribute__((nonnull));
300
301const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
302                                        const char *arg);
303const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
304                                        const char *arg);
305const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
306                                        const char *arg);
307const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
308                                        const char *arg);
309
310const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
311                             const char *arg);
312
313const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
314
315const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
316                                  const char *arg);
317
318const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
319                                         const char *arg);
320
321const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
322                                   const char *arg);
323
324const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
325                               const char *arg);
326
327const char *mgs_set_pin(cmd_parms * parms, void *dummy,
328                                   const char *arg);
329
330const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
331                                   const char *arg);
332
333const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
334                            const int arg);
335const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
336                            const char *arg);
337const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
338                            const char *arg);
339const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
340                            const int arg);
341
342void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
343void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
344
345void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
346
347void *mgs_config_dir_create(apr_pool_t *p, char *dir);
348
349const char *mgs_store_cred_path(cmd_parms * parms,
350                                void *dummy __attribute__((unused)),
351                                const char *arg);
352
353/* mod_gnutls Hooks. */
354
355int mgs_hook_pre_config(apr_pool_t * pconf,
356                        apr_pool_t * plog, apr_pool_t * ptemp);
357
358int mgs_hook_post_config(apr_pool_t *pconf,
359                         apr_pool_t *plog,
360                         apr_pool_t *ptemp,
361                         server_rec *base_server);
362
363void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
364
365const char *mgs_hook_http_scheme(const request_rec * r);
366
367apr_port_t mgs_hook_default_port(const request_rec * r);
368
369int mgs_hook_pre_connection(conn_rec * c, void *csd);
370
371int mgs_hook_process_connection(conn_rec* c);
372
373int mgs_hook_fixups(request_rec *r);
374
375/** Post request hook, checks if TLS connection and vhost match */
376int mgs_req_vhost_check(request_rec *r);
377
378int mgs_hook_authz(request_rec *r);
379
380#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.