
Last change on this file since 0de1839 was 0de1839, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Support X.509 auth for TLS proxy connections

This commit adds support for X.509 certificate based authentication for
TLS proxy back end connections, including both server certificate
checking and (optionally) TLS client authentication. Some functions used
for this require GnuTLS 3.1.4 or later, so requirements change
accordingly.

Three new configuration parameters are added:

GnuTLSProxyCAFile FILEPATH

The given file must contain the trusted CA certificates used to verify the
back end server's certificate. Required.

GnuTLSProxyKeyFile FILEPATH
GnuTLSProxyCertificateFile FILEPATH

Key and certificate for TLS client auth towards TLS back end servers. If
not set, TLS client auth is disabled.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
39#ifndef __mod_gnutls_h_inc
40#define __mod_gnutls_h_inc
41
/* Substituted by configure: non-zero when apr_memcache was found, which
 * compiles in the memcache session cache backend (see mgs_cache_e). */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@

/* The module record, defined in the module's main source file. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names, as registered with httpd's filter chain */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* Tri-state values for on/off configuration settings.  UNSET marks a
 * setting that was never given explicitly, presumably so that
 * mgs_config_server_merge can inherit it from the base server instead
 * of treating "not given" as "off" -- confirm in the merge code. */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version, substituted by configure */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode, substituted by configure (presumably tied to
 * maintainer mode, judging by the @OOO_MAINTAIN@ placeholder) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/*
 * Recent Versions of 2.1 renamed several hooks.
 * This allows us to compile on 2.0.xx
 *
 * USING_2_1_RECENT is 1 when the server's minor version is >= 2, or it
 * is 2.1 with patch level >= 3; 0 for older servers.  Note that the
 * major version is not checked.
 */
#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
        #define USING_2_1_RECENT 1
#else
        #define USING_2_1_RECENT 0
#endif
68
/* mod_gnutls Cache Types: backend used for the TLS session cache.
 * The memcache member exists only when HAVE_APR_MEMCACHE is set, so the
 * numeric value of mgs_cache_unset depends on the build configuration.
 * Treat these values as opaque; never persist or compare them across
 * builds. */
typedef enum {
        /* No Cache */
    mgs_cache_none,
        /* Use Old Berkeley DB */
    mgs_cache_dbm,
        /* Use Gnu's version of Berkeley DB (GDBM) */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* Use Memcache */
    mgs_cache_memcache,
#endif
        /* Not configured; presumably resolved during config merge */
    mgs_cache_unset
} mgs_cache_e;
83
/* How a received client certificate is validated.
 * NOTE(review): the names suggest "cartel" = conventional X.509 chain
 * validation against the configured CA list and "msva" = validation by
 * an external Monkeysphere Validation Agent; confirm against the code
 * behind mgs_set_client_verify_method before relying on this. */
typedef enum {
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
89
90
/* Directory Configuration Record (per <Directory> / <Location>) */
typedef struct {
    /* Client Certificate Verification Mode for this directory;
     * presumably mirrors mgs_srvconf_rec.client_verify_mode and, when
     * stricter than the server-level setting, requires a renegotiation
     * (see mgs_rehandshake) -- TODO confirm */
    int client_verify_mode;
    /* Compiled Lua bytecode and its length, set through
     * mgs_set_require_bytecode; presumably evaluated in mgs_hook_authz
     * to decide access based on the client certificate -- TODO confirm */
    const char* lua_bytecode;
    apr_size_t lua_bytecode_len;
} mgs_dirconf_rec;
97
98
/* The maximum number of certificates to send in a chain.  Longer chains
 * cannot be represented; whether the loader rejects them or silently
 * truncates is not visible from this header -- TODO confirm it fails
 * loudly, since a truncated chain breaks path validation on the client. */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate.  Only this
 * many names fit in mgs_srvconf_rec.cert_san, so any further Subject
 * Alternative Names in a server certificate are presumably ignored for
 * SNI / virtual host selection (see mgs_find_sni_server).  Verify before
 * deploying certificates that carry more than this many names. */
#define MAX_CERT_SAN 5
103
/* Server Configuration Record: per (virtual) server settings and the
 * GnuTLS credential objects built from them */
typedef struct {
    /* x509 Certificate Structure: server credentials offered to clients */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections, i.e. when this server acts
     * as TLS client towards a back end: the trusted CAs for verifying the
     * back end's certificate plus, if configured, our own client
     * certificate and key */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* Key and certificate for TLS client auth towards back end servers
     * (GnuTLSProxyKeyFile / GnuTLSProxyCertificateFile).  If not set,
     * TLS client auth is disabled. */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    /* Trusted CA certificates for verifying back end server certificates
     * (GnuTLSProxyCAFile).  Required.
     * NOTE(review): this header only shows the inputs for chain
     * verification; confirm the proxy handshake also matches the back
     * end's hostname against its certificate, otherwise any certificate
     * issued by a trusted CA would be accepted for any back end. */
    const char* proxy_x509_ca_file;
    /* SRP Certificate Structure */
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections (no authentication of the back end) */
    gnutls_anon_client_credentials_t anon_client_creds;
    /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
    /* Current x509 Certificate SAN [Subject Alternate Name]s; at most
     * MAX_CERT_SAN entries are kept */
        char* cert_san[MAX_CERT_SAN];
    /* A x509 Certificate Chain (see MAX_CHAIN_SIZE) */
    gnutls_x509_crt_t *certs_x509_chain;
    /* Current x509 Certificate Private Key */
    gnutls_x509_privkey_t privkey_x509;
    /* OpenPGP Certificate */
    gnutls_openpgp_crt_t cert_pgp;
    /* OpenPGP Certificate Private Key */
    gnutls_openpgp_privkey_t privkey_pgp;
    /* Number of Certificates in Chain (valid entries in
     * certs_x509_chain) */
    unsigned int certs_x509_chain_num;
    /* Is the module enabled?  (GNUTLS_ENABLED_* tri-state, presumably) */
    int enabled;
    /* Export full certificates to CGI environment: presumably the size
     * limit set through mgs_set_export_certificates_size -- TODO confirm
     * units and meaning of 0 */
    int export_certificates_size;
    /* GnuTLS Priorities (cipher suite / protocol selection string) */
    gnutls_priority_t priorities;
    /* GnuTLS DH Parameters */
    gnutls_dh_params_t dh_params;
    /* Cache timeout value; units are not visible here -- TODO confirm */
    int cache_timeout;
    /* Chosen Cache Type */
    mgs_cache_e cache_type;
    /* Backend specific cache configuration string (path, server list) */
    const char* cache_config;
    /* SRP password and configuration file paths */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;
    /* A list of CA Certificates trusted for client certificate
     * verification */
    gnutls_x509_crt_t *ca_list;
    /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
    /* CA Certificate list size (valid entries in ca_list) */
    unsigned int ca_list_size;
    /* Client Certificate Verification Mode; stored as int, presumably a
     * gnutls_certificate_request_t value -- TODO confirm */
    int client_verify_mode;
    /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
    /* Last Cache timestamp */
    apr_time_t last_cache_check;
    /* GnuTLS uses Session Tickets */
    int tickets;
    /* Is mod_proxy enabled?  Presumably set by mgs_set_proxy_engine */
    int proxy_enabled;
    /* A Plain HTTP request */
    int non_ssl_request;
} mgs_srvconf_rec;
168
/* Character Buffer: a pointer/length pair.  length is a signed int, so
 * code producing it must keep it >= 0 and within the backing storage
 * (see mgs_handle_t.input_buffer). */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
174
/* GnuTLS Handle: per-connection state shared by the input and output
 * filters and by the GnuTLS transport callbacks.  Two AP_IOBUFSIZE byte
 * arrays are embedded, so this is not a small object. */
typedef struct {
    /* Server configuration record of the (virtual) server owning this
     * connection */
    mgs_srvconf_rec *sc;
    /* Connection record */
    conn_rec* c;
    /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection?  Non-zero when mod_gnutls is the TLS
     * client on an outgoing back end connection; presumably set via
     * ssl_proxy_enable and used to select proxy_x509_creds /
     * anon_client_creds instead of the server credentials -- TODO confirm */
    int is_proxy;
    /* GnuTLS Session handle */
    gnutls_session_t session;
    /* module input status: last status seen on the input path */
    apr_status_t input_rc;
    /* Input filter */
    ap_filter_t *input_filter;
    /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
    /* Input Read Type (blocking vs. non-blocking read) */
    apr_read_type_e input_block;
    /* Input Mode */
    ap_input_mode_t input_mode;
    /* Input Character Buffer; presumably a window into input_buffer
     * holding data not yet handed to the next filter */
    mgs_char_buffer_t input_cbuf;
    /* Input Character Array */
    char input_buffer[AP_IOBUFSIZE];
    /* module Output status */
    apr_status_t output_rc;
    /* Output filter */
    ap_filter_t *output_filter;
    /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
    /* Output character array (staging buffer on the output path) */
    char output_buffer[AP_IOBUFSIZE];
    /* Output buffer length: bytes currently held in output_buffer */
    apr_size_t output_blen;
    /* Output length */
    apr_size_t output_length;
    /* General Status */
    int status;
} mgs_handle_t;
216
217
218
/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE.  Declared by hand here rather
 * than taken from an APR header; keep the prototype in sync with APR. */
apr_status_t apr_signal_block(int signum);

 /* Proxy Support */
/* An optional function which returns non-zero if the given connection
 * is using SSL/TLS.  Registered as an httpd optional function so that
 * other modules can query it without knowing which TLS module is
 * loaded. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* Prototypes of the implementations registered for the optional
 * functions above; each takes the connection and returns an int status */
int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler that enables TLS for outgoing proxy connections
 * (presumably sets mgs_srvconf_rec.proxy_enabled) */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
    const char *arg);
/* Pool cleanup registered during pre_config */
apr_status_t mgs_cleanup_pre_config(void *data);
239
/**
 * mgs_filter_input will filter the input data
 * by decrypting it using GnuTLS and passes it cleartext.
 *
 * @param f         the filter info record
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      what shall we read? (ap_input_mode_t, e.g.
 *                  AP_MODE_READBYTES or AP_MODE_GETLINE)
 * @param block     whether the read may block: APR_BLOCK_READ or
 *                  APR_NONBLOCK_READ (a read type, not an index)
 * @param readbytes upper bound on the number of bytes to return, per the
 *                  httpd input filter convention
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);

/**
 * mgs_filter_output encrypts the incoming bucket brigade using GnuTLS
 * and passes the ciphertext on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to encrypt
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);


/**
 * mgs_transport_read is called from GnuTLS to provide encrypted
 * data from the client (the session's pull callback).
 *
 * @param ptr     pointer to the filter context (the transport pointer
 *                registered with the GnuTLS session, presumably the
 *                mgs_handle_t)
 * @param buffer  place to put data
 * @param len     maximum size
 * @return size   length of the data stored in buffer; per the GnuTLS
 *                transport callback contract a negative value signals an
 *                error, with errno set (EAGAIN/EINTR to retry)
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);

/**
 * mgs_transport_write is called from GnuTLS to
 * write data to the client (the session's push callback).
 *
 * @param ptr     pointer to the filter context (see mgs_transport_read)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; negative with errno set on
 *                error, per the GnuTLS transport callback contract
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);


/**
 * Trigger a renegotiation (new handshake) on the connection's session;
 * presumably used when a per-directory client_verify_mode demands a
 * client certificate after the initial handshake -- TODO confirm.
 * NOTE(review): renegotiation must only be honoured when the peer
 * supports secure renegotiation (RFC 5746); confirm the implementation
 * checks this.
 *
 * @param ctxt  the connection's GnuTLS handle
 * @return int status (GnuTLS style, presumably)
 */
int mgs_rehandshake(mgs_handle_t * ctxt);
294
295
296
/**
 * Init the Cache after Configuration is done (post_config phase).
 *
 * @param p   configuration pool
 * @param s   the server being configured
 * @param sc  its mod_gnutls server configuration
 * @return int status
 */
int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
                                 mgs_srvconf_rec *sc);
/**
 * Init the Cache inside each Process (child_init phase).
 *
 * @param p   child pool
 * @param s   the server
 * @param sc  its mod_gnutls server configuration
 * @return int status
 */
int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
                                mgs_srvconf_rec *sc);
/**
 * Setup the Session Caching for one connection (installs the cache
 * callbacks on ctxt->session, presumably).
 *
 * @param ctxt  the connection's GnuTLS handle
 * @return int status
 */
int mgs_cache_session_init(mgs_handle_t *ctxt);

/* Buffer size for a hex encoded session ID: two hex digits per ID byte
 * plus room for the terminating NUL (with one byte to spare).  Use this
 * for the str argument of mgs_session_id2sz. */
#define GNUTLS_SESSION_ID_STRING_LEN \
    ((GNUTLS_MAX_SESSION_ID + 1) * 2)

/**
 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
 * @param id raw SSL Session ID
 * @param idlen Length of the raw Session ID
 * @param str Location to store the Hex Encoded String
 * @param strsize The Maximum Length that can be stored in str; must be
 *        at least 2 * idlen + 1 -- size str with
 *        GNUTLS_SESSION_ID_STRING_LEN.  Behaviour on a too-small buffer
 *        is not visible from this header.
 * @return str, presumably
 */
char *mgs_session_id2sz(unsigned char *id, int idlen,
                                char *str, int strsize);

/**
 * Convert a time_t into a Null Terminated String
 * @param t time_t time
 * @param str Location to store the formatted time string
 * @param strsize The Maximum Length that can be stored in str
 * @return str, presumably
 */
char *mgs_time2sz(time_t t, char *str, int strsize);
332
333
/* Configuration Functions: directive handlers (httpd cmd_parms callbacks)
 * plus the create/merge callbacks for the server and directory config
 * records.  By the httpd command handler convention each handler returns
 * NULL on success or an error message for httpd to report. */

/* SRP password / configuration file paths */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* DH parameters file */
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* Server X.509 certificate (chain) file */
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* Server X.509 private key file */
const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* OpenPGP certificate and key files */
const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* Session cache backend (type) and its backend specific argument */
const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                          const char *type, const char* arg);

const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
                                  const char *arg);

/* Client certificate verification mode and method (see
 * mgs_client_verification_method_e) */
const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

/* CA certificates trusted for client certificate verification */
const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* OpenPGP keyring */
const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Module on/off switch, certificate export size, GnuTLS priority string
 * and session ticket switch */
const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const char *arg);

/* Per-directory require rules (see mgs_dirconf_rec) */
const char *mgs_set_require_section(cmd_parms *cmd,
                                    void *mconfig, const char *arg);
/* Create / merge the per-server configuration record */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Create / merge the per-directory configuration record */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

void *mgs_config_dir_create(apr_pool_t *p, char *dir);

const char *mgs_set_require_bytecode(cmd_parms *cmd,
                                    void *mconfig, const char *arg);

/* Look up the virtual server matching the SNI name presented on the
 * session; presumably matched against cert_cn / cert_san -- TODO confirm
 * what is returned when no server matches */
mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);

/* Generic handler storing a credential file path; presumably backs the
 * GnuTLSProxyCAFile / GnuTLSProxyKeyFile / GnuTLSProxyCertificateFile
 * directives, with the files loaded later in post_config -- TODO confirm */
const char *mgs_store_cred_path(cmd_parms * parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
398
/* mod_gnutls Hooks: httpd hook callbacks registered by the module. */

/* pre_config: runs before the configuration is read */
int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* post_config: runs once the configuration is complete; presumably where
 * certificate, key and CA files (including the proxy ones) are loaded
 * into the credential objects -- TODO confirm */
int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                         apr_pool_t * ptemp,
                         server_rec * base_server);

/* child_init: per-process initialisation */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme / default_port: report the scheme and port of a request
 * served over TLS */
const char *mgs_hook_http_scheme(const request_rec * r);

apr_port_t mgs_hook_default_port(const request_rec * r);

/* pre_connection: set up the per-connection handle and filters */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

/* fixups: per-request processing (presumably exporting TLS details to
 * the request environment) */
int mgs_hook_fixups(request_rec *r);

/* authz: per-request authorization (presumably evaluating the directory
 * level require rules against the client certificate) */
int mgs_hook_authz(request_rec *r);
419
420#endif /*  __mod_gnutls_h_inc */