source: mod_gnutls/include/mod_gnutls.h.in @ 10b3370

debian/masterdebian/stretch-backportsjessie-backportsupstream
Last change on this file since 10b3370 was beb14d9, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Proof of concept: Support for proxy back end connections using TLS

This commit enables TLS on proxy back end connections if requested from
mod_proxy. Since mod_gnutls acts as client instead of server on proxy
back end connections, TLS session setup is quite different.

Note that this implementation is not finished, in particular the proxy
back end connection is hard coded to use the same X.509 credentials as
the server side, which severely restricts usable certificate
combinations.

Some typos in comments and an error message related to TLS handshake are
fixed as well.

  • Property mode set to 100644
File size: 12.6 KB
Line 
1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
39#ifndef __mod_gnutls_h_inc
40#define __mod_gnutls_h_inc
41
42#define HAVE_APR_MEMCACHE    @have_apr_memcache@
43
44extern module AP_MODULE_DECLARE_DATA gnutls_module;
45
46/* IO Filter names */
47#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
48#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
49/* GnuTLS Constants */
50#define GNUTLS_ENABLED_FALSE 0
51#define GNUTLS_ENABLED_TRUE  1
52#define GNUTLS_ENABLED_UNSET  2
53/* Current module version */
54#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
55
56/* Module Debug Mode */
57#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
58
59/*
60 * Recent Versions of 2.1 renamed several hooks.
61 * This allows us to compile on 2.0.xx
62 */
63#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
64        #define USING_2_1_RECENT 1
65#else
66        #define USING_2_1_RECENT 0
67#endif
68
69/* mod_gnutls Cache Types */
70typedef enum {
71        /* No Cache */
72    mgs_cache_none,
73        /* Use Old Berkley DB */
74    mgs_cache_dbm,
75        /* Use Gnu's version of Berkley DB */
76    mgs_cache_gdbm,
77#if HAVE_APR_MEMCACHE
78        /* Use Memcache */
79    mgs_cache_memcache,
80#endif
81    mgs_cache_unset
82} mgs_cache_e;
83
84typedef enum {
85    mgs_cvm_unset,
86    mgs_cvm_cartel,
87    mgs_cvm_msva
88} mgs_client_verification_method_e;
89
90
91/* Directory Configuration Record */
92typedef struct {
93    int client_verify_mode;
94    const char* lua_bytecode;
95    apr_size_t lua_bytecode_len;
96} mgs_dirconf_rec;
97
98
99/* The maximum number of certificates to send in a chain */
100#define MAX_CHAIN_SIZE 8
101/* The maximum number of SANs to read from a x509 certificate */
102#define MAX_CERT_SAN 5
103
104/* Server Configuration Record */
105typedef struct {
106        /* x509 Certificate Structure */
107    gnutls_certificate_credentials_t certs;
108        /* SRP Certificate Structure*/
109    gnutls_srp_server_credentials_t srp_creds;
110    /* Anonymous Certificate Structure */
111    gnutls_anon_server_credentials_t anon_creds;
112    /* Anonymous Client Certificate Structure, used for proxy
113     * connections */
114    gnutls_anon_client_credentials_t anon_client_creds;
115        /* Current x509 Certificate CN [Common Name] */
116    char* cert_cn;
117        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
118        char* cert_san[MAX_CERT_SAN];
119        /* A x509 Certificate Chain */
120    gnutls_x509_crt_t *certs_x509_chain;
121        /* Current x509 Certificate Private Key */
122    gnutls_x509_privkey_t privkey_x509;
123        /* OpenPGP Certificate */
124    gnutls_openpgp_crt_t cert_pgp;
125        /* OpenPGP Certificate Private Key */
126    gnutls_openpgp_privkey_t privkey_pgp;
127        /* Number of Certificates in Chain */
128    unsigned int certs_x509_chain_num;
129        /* Is the module enabled? */
130    int enabled;
131    /* Export full certificates to CGI environment: */
132    int export_certificates_size;
133        /* GnuTLS Priorities */
134    gnutls_priority_t priorities;
135        /* GnuTLS DH Parameters */
136    gnutls_dh_params_t dh_params;
137        /* Cache timeout value */
138    int cache_timeout;
139        /* Chose Cache Type */
140    mgs_cache_e cache_type;
141    const char* cache_config;
142    const char* srp_tpasswd_file;
143    const char* srp_tpasswd_conf_file;
144        /* A list of CA Certificates */
145    gnutls_x509_crt_t *ca_list;
146        /* OpenPGP Key Ring */
147    gnutls_openpgp_keyring_t pgp_list;
148        /* CA Certificate list size */
149    unsigned int ca_list_size;
150        /* Client Certificate Verification Mode */
151    int client_verify_mode;
152        /* Client Certificate Verification Method */
153    mgs_client_verification_method_e client_verify_method;
154        /* Last Cache timestamp */
155    apr_time_t last_cache_check;
156        /* GnuTLS uses Session Tickets */
157    int tickets;
158        /* Is mod_proxy enabled? */
159    int proxy_enabled;
160        /* A Plain HTTP request */
161    int non_ssl_request;
162} mgs_srvconf_rec;
163
164/* Character Buffer */
165typedef struct {
166    int length;
167    char *value;
168} mgs_char_buffer_t;
169
170/* GnuTLS Handle */
171typedef struct {
172        /* Server configuration record */
173    mgs_srvconf_rec *sc;
174        /* Connection record */
175    conn_rec* c;
176        /* Is TLS enabled for this connection? */
177    int enabled;
178    /* Is this a proxy connection? */
179    int is_proxy;
180        /* GnuTLS Session handle */
181    gnutls_session_t session;
182        /* module input status */
183    apr_status_t input_rc;
184        /* Input filter */
185    ap_filter_t *input_filter;
186        /* Input Bucket Brigade */
187    apr_bucket_brigade *input_bb;
188        /* Input Read Type */
189    apr_read_type_e input_block;
190        /* Input Mode */
191    ap_input_mode_t input_mode;
192        /* Input Character Buffer */
193    mgs_char_buffer_t input_cbuf;
194        /* Input Character Array */
195    char input_buffer[AP_IOBUFSIZE];
196        /* module Output status */
197    apr_status_t output_rc;
198        /* Output filter */
199    ap_filter_t *output_filter;
200        /* Output Bucket Brigade */
201    apr_bucket_brigade *output_bb;
202        /* Output character array */
203    char output_buffer[AP_IOBUFSIZE];
204        /* Output buffer length */
205    apr_size_t output_blen;
206        /* Output length */
207    apr_size_t output_length;
208        /* General Status */
209    int status;
210} mgs_handle_t;
211
212
213
214/** Functions in gnutls_io.c **/
215
216/* apr_signal_block() for blocking SIGPIPE */
217apr_status_t apr_signal_block(int signum);
218
219 /* Proxy Support */
220/* An optional function which returns non-zero if the given connection
221is using SSL/TLS. */
222APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
223/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
224 * are used by mod_proxy to enable use of SSL for outgoing
225 * connections. */
226APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
227APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
228int ssl_is_https(conn_rec *c);
229int ssl_proxy_enable(conn_rec *c);
230int ssl_engine_disable(conn_rec *c);
231const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
232    const char *arg);
233apr_status_t mgs_cleanup_pre_config(void *data);
234
235/**
236 * mgs_filter_input will filter the input data
237 * by decrypting it using GnuTLS and passes it cleartext.
238 *
239 * @param f     the filter info record
240 * @param bb    the bucket brigade, where to store the result to
241 * @param mode  what shall we read?
242 * @param block a block index we shall read from?
243 * @return result status
244 */
245apr_status_t mgs_filter_input(ap_filter_t * f,
246                                     apr_bucket_brigade * bb,
247                                     ap_input_mode_t mode,
248                                     apr_read_type_e block,
249                                     apr_off_t readbytes);
250
251/**
252 * mgs_filter_output will filter the encrypt
253 * the incoming bucket using GnuTLS and passes it onto the next filter.
254 *
255 * @param f     the filter info record
256 * @param bb    the bucket brigade, where to store the result to
257 * @return result status
258 */
259apr_status_t mgs_filter_output(ap_filter_t * f,
260                                      apr_bucket_brigade * bb);
261
262
263/**
264 * mgs_transport_read is called from GnuTLS to provide encrypted
265 * data from the client.
266 *
267 * @param ptr     pointer to the filter context
268 * @param buffer  place to put data
269 * @param len     maximum size
270 * @return size   length of the data stored in buffer
271 */
272ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
273                                  void *buffer, size_t len);
274
275/**
276 * mgs_transport_write is called from GnuTLS to
277 * write data to the client.
278 *
279 * @param ptr     pointer to the filter context
280 * @param buffer  buffer to write to the client
281 * @param len     size of the buffer
282 * @return size   length of the data written
283 */
284ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
285                                   const void *buffer, size_t len);
286
287
288int mgs_rehandshake(mgs_handle_t * ctxt);
289
290
291
292/**
293 * Init the Cache after Configuration is done
294 */
295int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
296                                 mgs_srvconf_rec *sc);
297/**
298 * Init the Cache inside each Process
299 */
300int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
301                                mgs_srvconf_rec *sc);
302/**
303 * Setup the Session Caching
304 */
305int mgs_cache_session_init(mgs_handle_t *ctxt);
306
307#define GNUTLS_SESSION_ID_STRING_LEN \
308    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
309
310/**
311 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
312 * @param id raw SSL Session ID
313 * @param idlen Length of the raw Session ID
314 * @param str Location to store the Hex Encoded String
315 * @param strsize The Maximum Length that can be stored in str
316 */
317char *mgs_session_id2sz(unsigned char *id, int idlen,
318                                char *str, int strsize);
319
320/**
321 * Convert a time_t into a Null Terminated String
322 * @param t time_t time
323 * @param str Location to store the Hex Encoded String
324 * @param strsize The Maximum Length that can be stored in str
325 */
326char *mgs_time2sz(time_t t, char *str, int strsize);
327
328
329/* Configuration Functions */
330
331const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
332                                        const char *arg);
333const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
334                                        const char *arg);
335const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
336                                        const char *arg);
337const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
338                                        const char *arg);
339
340const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
341                             const char *arg);
342
343const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
344                                        const char *arg);
345
346const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
347                             const char *arg);
348
349const char *mgs_set_cache(cmd_parms * parms, void *dummy,
350                          const char *type, const char* arg);
351
352const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
353                                  const char *arg);
354
355const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
356                                  const char *arg);
357
358const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
359                                         const char *arg);
360
361const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
362                                   const char *arg);
363
364const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
365                                   const char *arg);
366
367const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
368                            const char *arg);
369const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
370                            const char *arg);
371const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
372                            const char *arg);
373const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
374                            const char *arg);
375
376const char *mgs_set_require_section(cmd_parms *cmd,
377                                    void *mconfig, const char *arg);
378void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
379void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
380
381void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
382
383void *mgs_config_dir_create(apr_pool_t *p, char *dir);
384
385const char *mgs_set_require_bytecode(cmd_parms *cmd,
386                                    void *mconfig, const char *arg);
387
388mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
389
390/* mod_gnutls Hooks. */
391
392int mgs_hook_pre_config(apr_pool_t * pconf,
393                        apr_pool_t * plog, apr_pool_t * ptemp);
394
395int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
396                         apr_pool_t * ptemp,
397                         server_rec * base_server);
398
399void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
400
401const char *mgs_hook_http_scheme(const request_rec * r);
402
403apr_port_t mgs_hook_default_port(const request_rec * r);
404
405int mgs_hook_pre_connection(conn_rec * c, void *csd);
406
407int mgs_hook_fixups(request_rec *r);
408
409int mgs_hook_authz(request_rec *r);
410
411#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.