source: mod_gnutls/include/mod_gnutls.h.in @ 2aaf4f5

Last change on this file since 2aaf4f5 was 2aaf4f5, checked in by Daniel Kahn Gillmor <dkg@…>, 5 years ago

implement GnuTLSExportCertificates control over max exported cert size

This patchset implements the proposed modification to
GnuTLSExportCertificates, allowing server administrators to choose the
maximum size of the exported certs.

Some advantages:

  • avoids large buffers on the stack
  • more configurable for server admins who expect to use larger certs
  • better visibility for users when a too-large cert is encountered

This also increases the default maximum exported size from 10KiB to
16KiB.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
/* Include guard.
 * NOTE(review): the guard name starts with a double underscore, which C
 * reserves for the implementation; a project-prefixed name would avoid
 * any (unlikely) clash.  The #include lines above sit outside the guard,
 * so they are re-scanned on every inclusion and rely on their own guards. */
#ifndef __mod_gnutls_h_inc
#define __mod_gnutls_h_inc

/* Substituted by configure (this is a .h.in): non-zero when APR memcache
 * support is available, which also compiles in mgs_cache_memcache below. */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@

/* The module record registered with httpd; defined in the module source. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names (registered with ap_register_{input,output}_filter) */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state values for directive flags.  UNSET means
 * "not configured at this level", presumably so the *_merge functions
 * can inherit the base value -- confirm against mgs_config_server_merge. */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version (substituted by configure) */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode (substituted by configure) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/*
 * Recent Versions of 2.1 renamed several hooks.
 * This allows us to compile on 2.0.xx: USING_2_1_RECENT is 1 for
 * httpd 2.2+ and for 2.1.3+, and 0 for anything older.
 */
#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
        #define USING_2_1_RECENT 1
#else
        #define USING_2_1_RECENT 0
#endif
68
/* mod_gnutls Cache Types: the backends selectable for the session cache
 * (see mgs_set_cache and mgs_cache_session_init). */
typedef enum {
        /* No Cache */
    mgs_cache_none,
        /* Use Old Berkeley DB */
    mgs_cache_dbm,
        /* Use Gnu's version of Berkeley DB */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* Use Memcache (only compiled in when HAVE_APR_MEMCACHE is set) */
    mgs_cache_memcache,
#endif
        /* Not configured.  Being last, its numeric value depends on
         * whether mgs_cache_memcache is compiled in, so never store
         * this enum persistently or compare it across builds. */
    mgs_cache_unset
} mgs_cache_e;
83
/* Client certificate verification method, set via
 * mgs_set_client_verify_method.  "cartel" presumably means ordinary
 * X.509 CA-chain verification and "msva" the Monkeysphere Validation
 * Agent -- confirm against the directive handler. */
typedef enum {
        /* Not configured at this level (inherit on merge) */
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
89
90
/* Directory Configuration Record: per-directory/location settings,
 * created by mgs_config_dir_create and merged by mgs_config_dir_merge. */
typedef struct {
        /* Client certificate verification mode required at this
         * location (see mgs_set_client_verify) */
    int client_verify_mode;
        /* Lua bytecode installed by mgs_set_require_bytecode, with an
         * explicit length because bytecode is binary and presumably not
         * NUL-terminated -- always bound reads by lua_bytecode_len */
    const char* lua_bytecode;
    apr_size_t lua_bytecode_len;
} mgs_dirconf_rec;
97
98
/* The maximum number of certificates to send in a chain
 * (upper bound for certs_x509_chain_num in mgs_srvconf_rec) */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate; this
 * sizes the cert_san array in mgs_srvconf_rec, so any SANs beyond
 * this count are presumably dropped -- confirm in the loader */
#define MAX_CERT_SAN 5
103
/* Server Configuration Record: per-virtual-host settings, created by
 * mgs_config_server_create and merged by mgs_config_server_merge.
 * Holds the server's private key material for the server's lifetime. */
typedef struct {
        /* x509 Certificate Structure (GnuTLS certificate credentials) */
    gnutls_certificate_credentials_t certs;
        /* SRP Certificate Structure*/
    gnutls_srp_server_credentials_t srp_creds;
        /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
        /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
        /* Current x509 Certificate SAN [Subject Alternate Name]s;
         * at most MAX_CERT_SAN entries are kept */
        char* cert_san[MAX_CERT_SAN];
        /* A x509 Certificate Chain (array of certs_x509_chain_num entries) */
    gnutls_x509_crt_t *certs_x509_chain;
        /* Current x509 Certificate Private Key */
    gnutls_x509_privkey_t privkey_x509;
        /* OpenPGP Certificate */
    gnutls_openpgp_crt_t cert_pgp;
        /* OpenPGP Certificate Private Key */
    gnutls_openpgp_privkey_t privkey_pgp;
        /* Number of Certificates in Chain (bounded by MAX_CHAIN_SIZE) */
    unsigned int certs_x509_chain_num;
        /* Is the module enabled?  Presumably one of GNUTLS_ENABLED_* */
    int enabled;
    /* Export full certificates to CGI environment: the maximum size
     * of a certificate that will be exported (set by
     * mgs_set_export_certificates_size).  Per this commit, the limit
     * bounds the export buffer instead of a large stack array, and an
     * over-size certificate is reported rather than exported. */
    int export_certificates_size;
        /* GnuTLS Priorities (cipher suite / protocol selection) */
    gnutls_priority_t priorities;
        /* GnuTLS DH Parameters */
    gnutls_dh_params_t dh_params;
        /* Cache timeout value (see mgs_set_cache_timeout) */
    int cache_timeout;
        /* Chosen Cache Type */
    mgs_cache_e cache_type;
        /* Backend-specific cache configuration string (see mgs_set_cache) */
    const char* cache_config;
        /* SRP password file and its configuration file */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;
        /* A list of CA Certificates used for client verification
         * (ca_list_size entries) */
    gnutls_x509_crt_t *ca_list;
        /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
        /* CA Certificate list size */
    unsigned int ca_list_size;
        /* Client Certificate Verification Mode (server-level default) */
    int client_verify_mode;
        /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
        /* Last Cache timestamp */
    apr_time_t last_cache_check;
        /* GnuTLS uses Session Tickets (see mgs_set_tickets) */
    int tickets;
        /* Is mod_proxy enabled?  (outgoing TLS, see mgs_set_proxy_engine) */
    int proxy_enabled;
        /* A Plain HTTP request was seen on this TLS port */
    int non_ssl_request;
} mgs_srvconf_rec;
160
/* Character Buffer: a pointer/length pair over bytes that are not
 * necessarily NUL-terminated.
 * NOTE(review): length is a signed int while the surrounding filter
 * sizes are apr_size_t; check sign conversions wherever they meet. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
166
/* GnuTLS Handle: per-connection state shared by the input and output
 * filters and the GnuTLS transport callbacks. */
typedef struct {
        /* Server configuration record */
    mgs_srvconf_rec *sc;
        /* Connection record */
    conn_rec* c;
        /* GnuTLS Session handle */
    gnutls_session_t session;
        /* module input status */
    apr_status_t input_rc;
        /* Input filter */
    ap_filter_t *input_filter;
        /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
        /* Input Read Type (blocking / non-blocking) */
    apr_read_type_e input_block;
        /* Input Mode */
    ap_input_mode_t input_mode;
        /* Input Character Buffer (view into pending input) */
    mgs_char_buffer_t input_cbuf;
        /* Input Character Array: fixed size, so every copy into it
         * must be bounded by sizeof input_buffer */
    char input_buffer[AP_IOBUFSIZE];
        /* module Output status */
    apr_status_t output_rc;
        /* Output filter */
    ap_filter_t *output_filter;
        /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
        /* Output character array: fixed size, bound copies by
         * sizeof output_buffer */
    char output_buffer[AP_IOBUFSIZE];
        /* Output buffer length (bytes currently held in output_buffer) */
    apr_size_t output_blen;
        /* Output length */
    apr_size_t output_length;
        /* General Status */
    int status;
} mgs_handle_t;
204
205
206
/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE; declared here presumably
 * because not every APR exposes it in its public headers. */
apr_status_t apr_signal_block(int signum);

 /* Proxy Support */
/* An optional function which returns non-zero if the given connection
is using SSL/TLS.  Other modules look this up by name to decide whether
a connection is protected, so it must answer for mod_gnutls connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler toggling proxy_enabled in mgs_srvconf_rec;
 * returns NULL on success or an error string for httpd to report. */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
    const char *arg);
/* Pool cleanup registered by the pre_config hook. */
apr_status_t mgs_cleanup_pre_config(void *data);
227
/**
 * mgs_filter_input will filter the input data
 * by decrypting it using GnuTLS and passes it cleartext.
 *
 * @param f         the filter info record
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      what shall we read? (ap_input_mode_t from the caller)
 * @param block     whether the read may block (apr_read_type_e)
 * @param readbytes maximum number of bytes requested by the caller
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);
243
/**
 * mgs_filter_output will encrypt the incoming bucket brigade using
 * GnuTLS and pass the result on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to send
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);
254
255
/**
 * mgs_transport_read is called from GnuTLS to provide encrypted
 * data from the client (pull callback).
 *
 * @param ptr     pointer to the filter context (mgs_handle_t)
 * @param buffer  place to put data
 * @param len     maximum size; never write more than this into buffer
 * @return size   length of the data stored in buffer; presumably -1 with
 *                errno set on error, as GnuTLS pull callbacks expect --
 *                confirm in gnutls_io.c
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);

/**
 * mgs_transport_write is called from GnuTLS to
 * write data to the client (push callback).
 *
 * @param ptr     pointer to the filter context (mgs_handle_t)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; presumably -1 with errno
 *                set on error -- confirm in gnutls_io.c
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);
279
280
/**
 * Request a new TLS handshake on the connection held by ctxt
 * (name suggests; return-value convention is not visible here --
 * confirm in gnutls_io.c before relying on it).
 */
int mgs_rehandshake(mgs_handle_t * ctxt);
282
283
284
/**
 * Init the Cache after Configuration is done (runs once in the parent).
 */
int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
                                 mgs_srvconf_rec *sc);
/**
 * Init the Cache inside each Process (runs per child).
 */
int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
                                mgs_srvconf_rec *sc);
/**
 * Setup the Session Caching callbacks for one connection's session.
 */
int mgs_cache_session_init(mgs_handle_t *ctxt);

/* Buffer size required by mgs_session_id2sz: two hex digits per byte of
 * a session ID of at most GNUTLS_MAX_SESSION_ID bytes, plus room for
 * the terminating NUL. */
#define GNUTLS_SESSION_ID_STRING_LEN \
    ((GNUTLS_MAX_SESSION_ID + 1) * 2)

/**
 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
 * @param id raw SSL Session ID
 * @param idlen Length of the raw Session ID
 * @param str Location to store the Hex Encoded String; should be at
 *            least GNUTLS_SESSION_ID_STRING_LEN bytes
 * @param strsize The Maximum Length that can be stored in str
 * @return str
 * NOTE(review): idlen and strsize are signed; callers must not pass
 * negative values, and the implementation should reject them.
 */
char *mgs_session_id2sz(unsigned char *id, int idlen,
                                char *str, int strsize);

/**
 * Convert a time_t into a Null Terminated String
 * @param t time_t time
 * @param str Location to store the String
 * @param strsize The Maximum Length that can be stored in str
 * @return str
 */
char *mgs_time2sz(time_t t, char *str, int strsize);
320
321
/* Configuration Functions: httpd directive handlers.  Each mgs_set_*
 * function takes the directive's arguments, stores them in the
 * server or directory record, and returns NULL on success or an
 * error string that httpd reports and treats as a fatal config error. */

const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* Loads the x509 private key; the key stays in the server record for
 * the process lifetime, so the file itself should be readable only by
 * the user httpd starts as. */
const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* Selects the cache backend (type) and its backend-specific config (arg). */
const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                          const char *type, const char* arg);

const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const char *arg);
/* Sets export_certificates_size: the maximum size of a certificate
 * exported to the CGI environment (this commit makes it configurable;
 * the commit message gives 16KiB as the default).  The parser should
 * reject negative and non-numeric values rather than store them. */
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const char *arg);

const char *mgs_set_require_section(cmd_parms *cmd,
                                    void *mconfig, const char *arg);
/* Create / merge the per-server record (mgs_srvconf_rec). */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Create / merge the per-directory record (mgs_dirconf_rec). */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

void *mgs_config_dir_create(apr_pool_t *p, char *dir);

const char *mgs_set_require_bytecode(cmd_parms *cmd,
                                    void *mconfig, const char *arg);

/* Find the virtual host matching the session's SNI name (by name;
 * confirm in the implementation).  The SNI value comes straight from
 * the client's ClientHello, so it is untrusted input: match it
 * against configured names only and never use it to build paths
 * or log it unescaped. */
mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
382
/* mod_gnutls Hooks: entry points registered with httpd's hook system. */

/* Runs before the config is read; registers the pre_config cleanup. */
int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* Runs after the config is read; presumably where credentials are
 * loaded and mgs_cache_post_config is called -- confirm in the source. */
int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                         apr_pool_t * ptemp,
                         server_rec * base_server);

/* Per-child initialisation (cache setup for the child process). */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* Reports "https" for TLS connections so that generated URLs and
 * redirects use the right scheme. */
const char *mgs_hook_http_scheme(const request_rec * r);

/* Reports the default port for TLS connections. */
apr_port_t mgs_hook_default_port(const request_rec * r);

/* Attaches the TLS filters/session to a newly accepted connection. */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

/* Populates the request environment (e.g. the exported certificates,
 * bounded by export_certificates_size). */
int mgs_hook_fixups(request_rec *r);

/* Authorization hook for client-certificate based access control. */
int mgs_hook_authz(request_rec *r);
403
404#endif /*  __mod_gnutls_h_inc */