source: mod_gnutls/include/mod_gnutls.h.in @ 2cde026d

debian/masterdebian/stretch-backportsjessie-backportsupstream
Last change on this file since 2cde026d was 2cde026d, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Merge branch 'new-gnutls-api'

Merge my TLS proxy implementation with Nikos Mavrogiannopoulos' changes
to use the new GnuTLS key handling API. Some conflicts had to be
resolved.

In Nikos' branch, structures for credentials and priorities are
allocated in mgs_load_files (gnutls_config.c), rather than during server
config structure creation as before. This makes sense, but his patch
doesn't consider the proxy credentials because they didn't exist at the
time.

To minimize additional changes during the merge, proxy credentials are
now allocated in load_proxy_x509_credentials (gnutls_hooks.c), and
mgs_set_priorities (gnutls_config.c) treats proxy and front end
credentials differently (value of GnuTLSPriorities is stored for
mgs_load_files, GnuTLSProxyPriorities is parsed immediately).

Unified handling of priority strings in mgs_set_priorities should be
restored later (towards parsing in post config), handling front end and
proxy credentials separately makes sense because the latter need only be
loaded when TLS proxy operation is enabled and there are some
differences between client (proxy back end) and server (front end)
operation.

  • Property mode set to 100644
File size: 14.5 KB
Line 
1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/abstract.h>
37#include <gnutls/openpgp.h>
38#include <gnutls/x509.h>
39
40#ifndef __mod_gnutls_h_inc
41#define __mod_gnutls_h_inc
42
43#define HAVE_APR_MEMCACHE    @have_apr_memcache@
44
45extern module AP_MODULE_DECLARE_DATA gnutls_module;
46
47/* IO Filter names */
48#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
49#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
50/* GnuTLS Constants */
51#define GNUTLS_ENABLED_FALSE 0
52#define GNUTLS_ENABLED_TRUE  1
53#define GNUTLS_ENABLED_UNSET  2
54/* Current module version */
55#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
56
57/* Module Debug Mode */
58#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
59
60/*
61 * Recent Versions of 2.1 renamed several hooks.
62 * This allows us to compile on 2.0.xx
63 */
64#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
65        #define USING_2_1_RECENT 1
66#else
67        #define USING_2_1_RECENT 0
68#endif
69
70/* mod_gnutls Cache Types */
71typedef enum {
72        /* No Cache */
73    mgs_cache_none,
74        /* Use Old Berkley DB */
75    mgs_cache_dbm,
76        /* Use Gnu's version of Berkley DB */
77    mgs_cache_gdbm,
78#if HAVE_APR_MEMCACHE
79        /* Use Memcache */
80    mgs_cache_memcache,
81#endif
82    mgs_cache_unset
83} mgs_cache_e;
84
85typedef enum {
86    mgs_cvm_unset,
87    mgs_cvm_cartel,
88    mgs_cvm_msva
89} mgs_client_verification_method_e;
90
91
92/* Directory Configuration Record */
93typedef struct {
94    int client_verify_mode;
95    const char* lua_bytecode;
96    apr_size_t lua_bytecode_len;
97} mgs_dirconf_rec;
98
99
100/* The maximum number of certificates to send in a chain */
101#define MAX_CHAIN_SIZE 8
102/* The maximum number of SANs to read from a x509 certificate */
103#define MAX_CERT_SAN 5
104
105/* Server Configuration Record */
106typedef struct {
107    /* --- Configuration values --- */
108        /* Is the module enabled? */
109    int enabled;
110        /* Is mod_proxy enabled? */
111    int proxy_enabled;
112        /* A Plain HTTP request */
113    int non_ssl_request;
114
115    /* PIN used for PKCS #11 operations */
116    char *pin;
117
118    /* the SRK PIN used in TPM operations */
119    char *srk_pin;
120
121    char *x509_cert_file;
122    char *x509_key_file;
123    char *x509_ca_file;
124
125    char *pgp_cert_file;
126    char *pgp_key_file;
127    char *pgp_ring_file;
128
129    char *dh_file;
130
131    char *priorities_str;
132
133    const char* srp_tpasswd_file;
134    const char* srp_tpasswd_conf_file;
135
136        /* Cache timeout value */
137    int cache_timeout;
138        /* Chose Cache Type */
139    mgs_cache_e cache_type;
140    const char* cache_config;
141
142        /* GnuTLS uses Session Tickets */
143    int tickets;
144
145    /* --- Things initialized at _child_init --- */
146
147    /* x509 Certificate Structure */
148    gnutls_certificate_credentials_t certs;
149    /* x509 credentials for proxy connections */
150    gnutls_certificate_credentials_t proxy_x509_creds;
151    /* trust list for proxy_x509_creds */
152    gnutls_x509_trust_list_t proxy_x509_tl;
153    const char* proxy_x509_key_file;
154    const char* proxy_x509_cert_file;
155    const char* proxy_x509_ca_file;
156    const char* proxy_x509_crl_file;
157    /* GnuTLS priorities for proxy connections */
158    gnutls_priority_t proxy_priorities;
159    /* SRP Certificate Structure*/
160    gnutls_srp_server_credentials_t srp_creds;
161    /* Anonymous Certificate Structure */
162    gnutls_anon_server_credentials_t anon_creds;
163    /* Anonymous Client Certificate Structure, used for proxy
164     * connections */
165    gnutls_anon_client_credentials_t anon_client_creds;
166        /* Current x509 Certificate CN [Common Name] */
167    char* cert_cn;
168        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
169    char* cert_san[MAX_CERT_SAN];
170        /* An x509 Certificate Chain */
171    gnutls_pcert_st *certs_x509_chain;
172    gnutls_x509_crt_t *certs_x509_crt_chain;
173        /* Number of Certificates in Chain */
174    unsigned int certs_x509_chain_num;
175
176        /* Current x509 Certificate Private Key */
177    gnutls_privkey_t privkey_x509;
178
179        /* OpenPGP Certificate */
180    gnutls_pcert_st *cert_pgp;
181    gnutls_openpgp_crt_t *cert_crt_pgp;
182
183        /* OpenPGP Certificate Private Key */
184    gnutls_privkey_t privkey_pgp;
185#if GNUTLS_VERSION_NUMBER < 0x030312
186    /* Internal structure for the OpenPGP private key, used in the
187     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
188     * frees memory that is still needed. DO NOT USE for any other
189     * purpose. */
190    gnutls_openpgp_privkey_t privkey_pgp_internal;
191#endif
192
193    /* Export full certificates to CGI environment: */
194    int export_certificates_size;
195        /* GnuTLS Priorities */
196    gnutls_priority_t priorities;
197        /* GnuTLS DH Parameters */
198    gnutls_dh_params_t dh_params;
199        /* A list of CA Certificates */
200    gnutls_x509_crt_t *ca_list;
201        /* OpenPGP Key Ring */
202    gnutls_openpgp_keyring_t pgp_list;
203        /* CA Certificate list size */
204    unsigned int ca_list_size;
205        /* Client Certificate Verification Mode */
206    int client_verify_mode;
207        /* Client Certificate Verification Method */
208    mgs_client_verification_method_e client_verify_method;
209        /* Last Cache timestamp */
210    apr_time_t last_cache_check;
211} mgs_srvconf_rec;
212
213/* Character Buffer */
214typedef struct {
215    int length;
216    char *value;
217} mgs_char_buffer_t;
218
219/* GnuTLS Handle */
220typedef struct {
221        /* Server configuration record */
222    mgs_srvconf_rec *sc;
223        /* Connection record */
224    conn_rec* c;
225        /* Is TLS enabled for this connection? */
226    int enabled;
227    /* Is this a proxy connection? */
228    int is_proxy;
229        /* GnuTLS Session handle */
230    gnutls_session_t session;
231        /* module input status */
232    apr_status_t input_rc;
233        /* Input filter */
234    ap_filter_t *input_filter;
235        /* Input Bucket Brigade */
236    apr_bucket_brigade *input_bb;
237        /* Input Read Type */
238    apr_read_type_e input_block;
239        /* Input Mode */
240    ap_input_mode_t input_mode;
241        /* Input Character Buffer */
242    mgs_char_buffer_t input_cbuf;
243        /* Input Character Array */
244    char input_buffer[AP_IOBUFSIZE];
245        /* module Output status */
246    apr_status_t output_rc;
247        /* Output filter */
248    ap_filter_t *output_filter;
249        /* Output Bucket Brigade */
250    apr_bucket_brigade *output_bb;
251        /* Output character array */
252    char output_buffer[AP_IOBUFSIZE];
253        /* Output buffer length */
254    apr_size_t output_blen;
255        /* Output length */
256    apr_size_t output_length;
257        /* General Status */
258    int status;
259} mgs_handle_t;
260
261
262
263/** Functions in gnutls_io.c **/
264
265/* apr_signal_block() for blocking SIGPIPE */
266apr_status_t apr_signal_block(int signum);
267
268 /* Proxy Support */
269/* An optional function which returns non-zero if the given connection
270is using SSL/TLS. */
271APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
272/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
273 * are used by mod_proxy to enable use of SSL for outgoing
274 * connections. */
275APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
276APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
277int ssl_is_https(conn_rec *c);
278int ssl_proxy_enable(conn_rec *c);
279int ssl_engine_disable(conn_rec *c);
280const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
281    const char *arg);
282apr_status_t mgs_cleanup_pre_config(void *data);
283
284/**
285 * mgs_filter_input will filter the input data
286 * by decrypting it using GnuTLS and passes it cleartext.
287 *
288 * @param f     the filter info record
289 * @param bb    the bucket brigade, where to store the result to
290 * @param mode  what shall we read?
291 * @param block a block index we shall read from?
292 * @return result status
293 */
294apr_status_t mgs_filter_input(ap_filter_t * f,
295                                     apr_bucket_brigade * bb,
296                                     ap_input_mode_t mode,
297                                     apr_read_type_e block,
298                                     apr_off_t readbytes);
299
300/**
301 * mgs_filter_output will filter the encrypt
302 * the incoming bucket using GnuTLS and passes it onto the next filter.
303 *
304 * @param f     the filter info record
305 * @param bb    the bucket brigade, where to store the result to
306 * @return result status
307 */
308apr_status_t mgs_filter_output(ap_filter_t * f,
309                                      apr_bucket_brigade * bb);
310
311
312/**
313 * mgs_transport_read is called from GnuTLS to provide encrypted
314 * data from the client.
315 *
316 * @param ptr     pointer to the filter context
317 * @param buffer  place to put data
318 * @param len     maximum size
319 * @return size   length of the data stored in buffer
320 */
321ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
322                                  void *buffer, size_t len);
323
324/**
325 * mgs_transport_write is called from GnuTLS to
326 * write data to the client.
327 *
328 * @param ptr     pointer to the filter context
329 * @param buffer  buffer to write to the client
330 * @param len     size of the buffer
331 * @return size   length of the data written
332 */
333ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
334                                   const void *buffer, size_t len);
335
336
337int mgs_rehandshake(mgs_handle_t * ctxt);
338
339
340
341/**
342 * Init the Cache after Configuration is done
343 */
344int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
345                                 mgs_srvconf_rec *sc);
346/**
347 * Init the Cache inside each Process
348 */
349int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
350                                mgs_srvconf_rec *sc);
351/**
352 * Setup the Session Caching
353 */
354int mgs_cache_session_init(mgs_handle_t *ctxt);
355
356#define GNUTLS_SESSION_ID_STRING_LEN \
357    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
358
359/**
360 * Perform any reinitialization required in PKCS #11
361 */
362int mgs_pkcs11_reinit(server_rec * s);
363
364/**
365 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
366 * @param id raw SSL Session ID
367 * @param idlen Length of the raw Session ID
368 * @param str Location to store the Hex Encoded String
369 * @param strsize The Maximum Length that can be stored in str
370 */
371char *mgs_session_id2sz(unsigned char *id, int idlen,
372                                char *str, int strsize);
373
374/**
375 * Convert a time_t into a Null Terminated String
376 * @param t time_t time
377 * @param str Location to store the Hex Encoded String
378 * @param strsize The Maximum Length that can be stored in str
379 */
380char *mgs_time2sz(time_t t, char *str, int strsize);
381
382
383/* Configuration Functions */
384
385/* Loads all files set in the configuration */
386int mgs_load_files(apr_pool_t * p, server_rec * s);
387
388const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
389                                        const char *arg);
390const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
391                                        const char *arg);
392const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
393                                        const char *arg);
394const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
395                                        const char *arg);
396
397const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
398                             const char *arg);
399
400const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
401                                        const char *arg);
402
403const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
404                             const char *arg);
405
406const char *mgs_set_cache(cmd_parms * parms, void *dummy,
407                          const char *type, const char* arg);
408
409const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
410                                  const char *arg);
411
412const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
413                                  const char *arg);
414
415const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
416                                         const char *arg);
417
418const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
419                                   const char *arg);
420const char *mgs_set_pin(cmd_parms * parms, void *dummy,
421                                   const char *arg);
422
423const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
424                                   const char *arg);
425
426const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
427                                   const char *arg);
428
429const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
430                            const char *arg);
431const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
432                            const char *arg);
433const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
434                            const char *arg);
435const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
436                            const char *arg);
437
438const char *mgs_set_require_section(cmd_parms *cmd,
439                                    void *mconfig, const char *arg);
440void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
441void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
442
443void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
444
445void *mgs_config_dir_create(apr_pool_t *p, char *dir);
446
447const char *mgs_set_require_bytecode(cmd_parms *cmd,
448                                    void *mconfig, const char *arg);
449
450mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
451
452const char *mgs_store_cred_path(cmd_parms * parms,
453                                void *dummy __attribute__((unused)),
454                                const char *arg);
455
456/* mod_gnutls Hooks. */
457
458int mgs_hook_pre_config(apr_pool_t * pconf,
459                        apr_pool_t * plog, apr_pool_t * ptemp);
460
461int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
462                         apr_pool_t * ptemp,
463                         server_rec * base_server);
464
465void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
466
467const char *mgs_hook_http_scheme(const request_rec * r);
468
469apr_port_t mgs_hook_default_port(const request_rec * r);
470
471int mgs_hook_pre_connection(conn_rec * c, void *csd);
472
473int mgs_hook_fixups(request_rec *r);
474
475int mgs_hook_authz(request_rec *r);
476
477#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.