source: mod_gnutls/include/mod_gnutls.h.in @ 333bbc7

Last change on this file since 333bbc7 was 333bbc7, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Configurable OCSP socket timeout

Stalled OCSP requests must time out after a while so that they do not
tie up the server for too long. However, if the timeout is too short,
requests may fail against a slow OCSP responder or over a high-latency
network connection. Using the new GnuTLSOCSPFailureTimeout parameter users can
adjust the timeout if necessary.

All macros defining default values for OCSP related times are now
collected in gnutls_ocsp.h.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2016 Thomas Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
19
20/* Apache Runtime Headers */
21#include "httpd.h"
22#include "http_config.h"
23#include "http_protocol.h"
24#include "http_connection.h"
25#include "http_request.h"
26#include "http_core.h"
27#include "http_log.h"
28#include "apr_buckets.h"
29#include "apr_strings.h"
30#include "apr_tables.h"
31#include "ap_release.h"
32#include "apr_fnmatch.h"
33/* GnuTLS Library Headers */
34#include <gnutls/gnutls.h>
35#include <gnutls/abstract.h>
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
/* Include guard.
 *
 * NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3); a project-prefixed
 * name such as MOD_GNUTLS_H_INC would be safer. Not renamed here in
 * case other translation units test this macro. Note also that the
 * guard is opened *after* the #include lines above, so those headers
 * are re-processed on every inclusion (harmless: they carry their own
 * guards). */
#ifndef __mod_gnutls_h_inc
#define __mod_gnutls_h_inc

/* Substituted by configure: non-zero when APR's memcache client is
 * available, which enables the memcache backend in mgs_cache_e below. */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@
43
/* The module record exported to httpd; defined in one of the module's
 * .c files, not in this header. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names: the connection-level filters that wrap the socket
 * with TLS (see mgs_filter_input / mgs_filter_output below). */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state values for on/off configuration fields.
 * UNSET presumably marks "not given in the configuration", so that
 * mgs_config_server_merge() can tell it apart from an explicit FALSE. */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version, substituted by configure */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode, substituted by configure (@OOO_MAINTAIN@) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
58
/* mod_gnutls Cache Types: the backend selected by
 * mgs_srvconf_rec.cache_type. The enumerator values depend on their
 * order and on HAVE_APR_MEMCACHE, so they must not be persisted or
 * compared across builds. */
typedef enum {
        /* No Cache */
    mgs_cache_none,
        /* Use Old Berkeley DB */
    mgs_cache_dbm,
        /* Use Gnu's version of Berkeley DB */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* Use Memcache. NOTE(review): whatever the cache stores is then
         * sent to the memcache server over the network; protecting that
         * link (and the memcache server itself) is a deployment concern
         * that nothing in this header addresses. */
    mgs_cache_memcache,
#endif
        /* Not configured; note its numeric value shifts depending on
         * HAVE_APR_MEMCACHE */
    mgs_cache_unset
} mgs_cache_e;
73
/* Opaque handle to the internal cache data; struct mgs_cache is defined
 * in gnutls_cache.h. (The typedef hides the pointer: mgs_cache_t is a
 * pointer type, so copying it shares the underlying object.) */
typedef struct mgs_cache* mgs_cache_t;
76
/* How client certificates are verified
 * (mgs_srvconf_rec.client_verify_method). NOTE(review): the meaning of
 * the two methods is inferred from their names only -- "cartel" looks
 * like the conventional CA-chain model against the configured CA list,
 * "msva" like an external validation agent; confirm against the
 * verification code before documenting further. */
typedef enum {
    /* not configured */
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
82
83
/* Directory Configuration Record (per-directory / per-location
 * config; created by mgs_config_dir_create(), merged by
 * mgs_config_dir_merge()). */
typedef struct {
    /* Client Certificate Verification Mode for this directory; the
     * per-server counterpart is mgs_srvconf_rec.client_verify_mode.
     * Presumably changing it mid-connection is what mgs_rehandshake()
     * is for -- confirm. */
    int client_verify_mode;
} mgs_dirconf_rec;
88
89
/* Opaque handle to the per-vhost OCSP state; struct mgs_ocsp_data is
 * defined in gnutls_ocsp.h, which also holds the default values for
 * the OCSP timing parameters in mgs_srvconf_rec. */
typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
92
93
/* The maximum number of certificates to send in a chain.
 * NOTE(review): a configured chain longer than this is presumably
 * either truncated or rejected when loaded; check mgs_load_files()
 * for which, since a silently truncated chain fails validation on
 * the client side. */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate.
 * NOTE(review): SANs beyond this count are not stored in
 * mgs_srvconf_rec.cert_san and so presumably cannot be matched
 * (e.g. when selecting a virtual host for SNI); confirm the limit is
 * adequate for multi-name certificates. */
#define MAX_CERT_SAN 5
98
/* Server Configuration Record: one per server_rec (virtual host),
 * created by mgs_config_server_create() and merged by
 * mgs_config_server_merge(). Fields in the first group come straight
 * from the configuration; the fields after "Things initialized at
 * _child_init" are runtime state derived from them. */
typedef struct {
    /* --- Configuration values --- */
        /* Is the module enabled? (presumably one of GNUTLS_ENABLED_*) */
    int enabled;
        /* Is mod_proxy enabled? (presumably one of GNUTLS_ENABLED_*) */
    int proxy_enabled;
        /* A Plain HTTP request */
    int non_ssl_request;

    /* List of PKCS #11 provider modules to load, only valid in the
     * base config, ignored in virtual hosts */
    apr_array_header_t *p11_modules;

    /* PIN used for PKCS #11 operations.
     * NOTE(review): this is a secret kept in plain text in the config
     * record -- nothing in this header zeroizes or otherwise protects
     * it, so it lives as long as the configuration pool and shows up in
     * core dumps. */
    char *pin;

    /* the SRK PIN used in TPM operations (same caveat as pin) */
    char *srk_pin;

    /* X.509 server credentials: certificate (chain) file, private key
     * file and CA file (the latter set by mgs_set_client_ca_file(),
     * presumably for client certificate verification) */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* OpenPGP credentials: certificate, private key and keyring files */
    char *pgp_cert_file;
    char *pgp_key_file;
    char *pgp_ring_file;

    /* Diffie-Hellman parameters file (see mgs_set_dh_file()) */
    char *dh_file;

    /* GnuTLS priority strings for server-side and for proxy (client)
     * connections; parsed into 'priorities' and 'proxy_priorities'
     * below */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password file and its configuration file */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

        /* Cache timeout value (see mgs_set_timeout()) */
    int cache_timeout;
        /* Chosen Cache Type */
    mgs_cache_e cache_type;
    /* Backend-specific cache configuration string (presumably a path
     * or a server list, depending on cache_type) */
    const char* cache_config;
    /* Internal cache data */
    mgs_cache_t cache;

        /* GnuTLS uses Session Tickets.
         * NOTE(review): stateless tickets are only as secure as the key
         * that encrypts them; how that key is generated and rotated is
         * not visible in this header -- check where the ticket key is
         * set up before relying on forward secrecy across resumptions. */
    int tickets;

    /* --- Things initialized at _child_init --- */

    /* x509 Certificate Structure */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds, i.e. which CAs are trusted for
     * backend servers */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Files backing the proxy credentials: client key/cert presented
     * to the backend, plus the CA and CRL files for verifying it */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure*/
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections. NOTE(review): anonymous key exchange gives no
     * authentication of the backend; whether it can actually be
     * negotiated depends on proxy_priorities_str, which should be
     * reviewed with that in mind. */
    gnutls_anon_client_credentials_t anon_client_creds;
        /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
        /* Current x509 Certificate SAN [Subject Alternate Name]s; at
         * most MAX_CERT_SAN are kept */
    char* cert_san[MAX_CERT_SAN];
        /* An x509 Certificate Chain */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
        /* Number of Certificates in Chain (presumably bounded by
         * MAX_CHAIN_SIZE) */
    unsigned int certs_x509_chain_num;

        /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

        /* OpenPGP Certificate */
    gnutls_pcert_st *cert_pgp;
    gnutls_openpgp_crt_t *cert_crt_pgp;

        /* OpenPGP Certificate Private Key */
    gnutls_privkey_t privkey_pgp;
#if GNUTLS_VERSION_NUMBER < 0x030312
    /* Internal structure for the OpenPGP private key, used in the
     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
     * frees memory that is still needed. DO NOT USE for any other
     * purpose. Only present when building against GnuTLS older than
     * 3.3.18 (0x030312), where the bug is presumably fixed. */
    gnutls_openpgp_privkey_t privkey_pgp_internal;
#endif

    /* Export full certificates to CGI environment.
     * NOTE(review): the name suggests a size limit rather than a plain
     * on/off flag; confirm the semantics in
     * mgs_set_export_certificates_size(). */
    int export_certificates_size;
        /* GnuTLS Priorities (parsed from priorities_str) */
    gnutls_priority_t priorities;
        /* GnuTLS DH Parameters (presumably loaded from dh_file) */
    gnutls_dh_params_t dh_params;
        /* A list of CA Certificates */
    gnutls_x509_crt_t *ca_list;
        /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
        /* CA Certificate list size (number of entries in ca_list) */
    unsigned int ca_list_size;
        /* Client Certificate Verification Mode (server-wide default;
         * mgs_dirconf_rec.client_verify_mode presumably overrides it
         * per directory) */
    int client_verify_mode;
        /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
        /* Last Cache timestamp */
    apr_time_t last_cache_check;

    /* EXPERIMENTAL: Enable OCSP stapling */
    unsigned char ocsp_staple;
    /* EXPERIMENTAL: Read OCSP response for stapling from this file
     * instead of sending a request over HTTP.
     * NOTE(review): the file is trusted as-is, and keeping it fresh is
     * presumably the administrator's job; check whether ocsp_grace_time
     * is applied to file-sourced responses too, otherwise a stale
     * response would be stapled until the file is replaced. */
    char *ocsp_response_file;
    /* Internal OCSP data for this server */
    mgs_ocsp_data_t ocsp;
    /* Mutex to prevent parallel OCSP requests. It is a global mutex,
     * so it serializes across worker processes, not only threads. */
    apr_global_mutex_t *ocsp_mutex;
    /* Cached OCSP responses expire this long before their validity
     * period expires. This way mod_gnutls does not staple barely
     * valid responses. */
    apr_time_t ocsp_grace_time;
    /* If an OCSP request fails wait this long before trying again. */
    apr_time_t ocsp_failure_timeout;
    /* Socket timeout for OCSP requests: a stalled request is given up
     * after this long so it cannot tie up the server indefinitely,
     * while a value that is too short makes requests to a slow
     * responder fail. Default values live in gnutls_ocsp.h.
     * NOTE(review): the commit message attributes the configurable
     * timeout to GnuTLSOCSPFailureTimeout, but that name matches
     * ocsp_failure_timeout above -- confirm which directive sets this
     * field. */
    apr_interval_time_t ocsp_socket_timeout;
} mgs_srvconf_rec;
231
/* Character Buffer: a pointer plus the number of bytes at it; used for
 * the input character buffer in mgs_handle_t.
 * NOTE(review): length is a signed int. Code that compares it with a
 * size_t (for example the len argument of mgs_transport_read) must
 * guard against negative values, since a signed/unsigned comparison
 * silently promotes to unsigned. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
237
/* GnuTLS Handle: per-connection state. Presumably this is the filter
 * context of the input and output filters and the transport pointer
 * handed to mgs_transport_read / mgs_transport_write -- confirm in
 * gnutls_io.c. */
typedef struct {
        /* Server configuration record */
    mgs_srvconf_rec *sc;
        /* Connection record */
    conn_rec* c;
        /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? (i.e. mod_gnutls is the TLS client) */
    int is_proxy;
        /* GnuTLS Session handle */
    gnutls_session_t session;
        /* module input status */
    apr_status_t input_rc;
        /* Input filter */
    ap_filter_t *input_filter;
        /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
        /* Input Read Type (blocking vs. non-blocking read) */
    apr_read_type_e input_block;
        /* Input Mode (the ap_input_mode_t requested by the caller) */
    ap_input_mode_t input_mode;
        /* Input Character Buffer; presumably points into input_buffer
         * at the bytes not yet handed on */
    mgs_char_buffer_t input_cbuf;
        /* Input Character Array. Fixed size: every write into it must be
         * bounded by AP_IOBUFSIZE. */
    char input_buffer[AP_IOBUFSIZE];
        /* module Output status */
    apr_status_t output_rc;
        /* Output filter */
    ap_filter_t *output_filter;
        /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
        /* Output character array (same bound: AP_IOBUFSIZE) */
    char output_buffer[AP_IOBUFSIZE];
        /* Output buffer length (presumably bytes currently held in
         * output_buffer) */
    apr_size_t output_blen;
        /* Output length */
    apr_size_t output_length;
        /* General Status */
    int status;
} mgs_handle_t;
279
280
281
/** Functions in gnutls_io.c **/

/* Declared here rather than by including apr_signal.h; used to block
 * SIGPIPE so that a peer closing the socket mid-write does not kill
 * the process. NOTE(review): must stay identical to APR's own
 * declaration of apr_signal_block(). */
apr_status_t apr_signal_block(int sig);

/* Proxy Support.
 *
 * The three functions below are the optional functions mod_proxy (and
 * other SSL-aware modules) look up by name. Each one is both declared
 * as an optional function and exported as a plain symbol. */

/* Returns non-zero if the given connection is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
int ssl_is_https(conn_rec *conn);

/* Used by mod_proxy to turn TLS on for an outgoing connection, and to
 * turn the TLS engine off for a connection, respectively. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
int ssl_proxy_enable(conn_rec *conn);
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
int ssl_engine_disable(conn_rec *conn);

/* Directive handler for the proxy engine on/off switch (presumably
 * fills mgs_srvconf_rec.proxy_enabled). Returns NULL on success or an
 * error string for httpd to report. */
const char *mgs_set_proxy_engine(cmd_parms *cmd, void *dircfg, int flag);

/* Pool cleanup registered during pre_config. */
apr_status_t mgs_cleanup_pre_config(void *baton);
302
/**
 * Input filter: pulls TLS records from the connection through GnuTLS,
 * decrypts them and hands the plaintext to the caller's brigade.
 *
 * @param filter    the filter record (its ctx is presumably the
 *                  mgs_handle_t for the connection)
 * @param bb        brigade that receives the decrypted data
 * @param mode      the ap_input_mode_t requested by the caller
 *                  (bytes, line, speculative, ...)
 * @param blocking  APR_BLOCK_READ or APR_NONBLOCK_READ -- whether the
 *                  read may wait for data; this is not a block index
 * @param readbytes upper bound on the amount of data to return, as
 *                  for any httpd input filter
 * @return APR_SUCCESS, or an error status
 */
apr_status_t mgs_filter_input(ap_filter_t *filter,
                              apr_bucket_brigade *bb,
                              ap_input_mode_t mode,
                              apr_read_type_e blocking,
                              apr_off_t readbytes);
318
/**
 * Output filter: encrypts the buckets of the incoming brigade through
 * GnuTLS and passes the resulting TLS records on to the next filter.
 *
 * @param filter the filter record
 * @param bb     brigade holding the plaintext to send
 * @return APR_SUCCESS, or an error status
 */
apr_status_t mgs_filter_output(ap_filter_t *filter, apr_bucket_brigade *bb);
329
330
/**
 * GnuTLS "pull" callback: supplies encrypted bytes read from the
 * client to GnuTLS.
 *
 * @param ptr  the transport pointer GnuTLS was given (the filter
 *             context)
 * @param buf  destination for the data
 * @param len  capacity of buf; never store more than this
 * @return number of bytes stored in buf. NOTE(review): GnuTLS expects
 *         a pull function to return 0 on EOF and -1 with errno set
 *         (EAGAIN/EINTR for retryable conditions) on error; confirm
 *         the implementation in gnutls_io.c follows that contract.
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr, void *buf, size_t len);
342
/**
 * GnuTLS "push" callback: writes encrypted bytes produced by GnuTLS to
 * the client.
 *
 * @param ptr  the transport pointer GnuTLS was given (the filter
 *             context)
 * @param buf  the bytes to send
 * @param len  number of bytes in buf
 * @return number of bytes written. NOTE(review): as with the pull
 *         callback, GnuTLS expects -1 with errno set on error; confirm
 *         in gnutls_io.c.
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr, const void *buf,
                            size_t len);
354
355
/* Starts a renegotiation (re-handshake) on the connection's established
 * session -- presumably to request a client certificate once the
 * per-directory verification mode is known; confirm. NOTE(review):
 * renegotiation is a historically fragile part of TLS; make sure the
 * priority string does not disable GnuTLS's safe renegotiation
 * (RFC 5746) before relying on this. The return value's semantics are
 * not visible in this header. */
int mgs_rehandshake(mgs_handle_t *ctxt);
357
358
359
/**
 * Perform any reinitialization required in PKCS #11 -- presumably
 * after fork (child_init), since PKCS #11 providers generally have to
 * be re-initialized in a child process.
 *
 * @param s the server record
 * @return presumably 0 on success and non-zero on error; confirm
 */
int mgs_pkcs11_reinit(server_rec *s);
364
365
366
/* Configuration Functions.
 *
 * The mgs_set_* functions are httpd directive handlers: each receives
 * the command record, the per-directory config pointer (named dircfg
 * below where the directive does not use it) and the directive's
 * argument(s), and returns NULL on success or an error string for
 * httpd to report. */

/* Loads all files set in the configuration (certificates, keys, CA
 * lists, DH parameters, ...). None of the arguments may be NULL. */
int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
    __attribute__((nonnull));

/* SRP password file and its configuration file. */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms *cmd, void *dircfg,
                                          const char *path);
const char *mgs_set_srp_tpasswd_file(cmd_parms *cmd, void *dircfg,
                                     const char *path);

/* Diffie-Hellman parameters file. */
const char *mgs_set_dh_file(cmd_parms *cmd, void *dircfg, const char *path);

/* X.509 certificate (chain) file and private key file. */
const char *mgs_set_cert_file(cmd_parms *cmd, void *dircfg, const char *path);
const char *mgs_set_key_file(cmd_parms *cmd, void *dircfg, const char *path);

/* OpenPGP certificate, private key and keyring files. */
const char *mgs_set_pgpcert_file(cmd_parms *cmd, void *dircfg,
                                 const char *path);
const char *mgs_set_pgpkey_file(cmd_parms *cmd, void *dircfg,
                                const char *path);
const char *mgs_set_keyring_file(cmd_parms *cmd, void *dircfg,
                                 const char *path);

/* Cache backend type with its backend-specific configuration, and the
 * cache timeout. */
const char *mgs_set_cache(cmd_parms *cmd, void *dircfg,
                          const char *type, const char *config);
const char *mgs_set_timeout(cmd_parms *cmd, void *dircfg, const char *value);

/* Client certificate verification: mode, method, and the CA file the
 * client certificates are verified against. */
const char *mgs_set_client_verify(cmd_parms *cmd, void *dircfg,
                                  const char *mode);
const char *mgs_set_client_verify_method(cmd_parms *cmd, void *dircfg,
                                         const char *method);
const char *mgs_set_client_ca_file(cmd_parms *cmd, void *dircfg,
                                   const char *path);

/* PKCS #11 provider module to load, and the PINs for PKCS #11 and TPM
 * operations. NOTE(review): the PINs are stored in plain text in
 * mgs_srvconf_rec; as with any secret placed in httpd.conf, the
 * configuration file itself needs restrictive permissions. */
const char *mgs_set_p11_module(cmd_parms *cmd, void *dircfg,
                               const char *module);
const char *mgs_set_pin(cmd_parms *cmd, void *dircfg, const char *pin);
const char *mgs_set_srk_pin(cmd_parms *cmd, void *dircfg, const char *pin);

/* Module on/off switch, CGI export of certificates, priority string
 * and session ticket switch. */
const char *mgs_set_enabled(cmd_parms *cmd, void *dircfg, int flag);
const char *mgs_set_export_certificates_size(cmd_parms *cmd, void *dircfg,
                                             const char *value);
const char *mgs_set_priorities(cmd_parms *cmd, void *dircfg,
                               const char *priorities);
const char *mgs_set_tickets(cmd_parms *cmd, void *dircfg, int flag);

/* Handlers for the "require section" and "require bytecode"
 * directives; their semantics are not visible in this header. */
const char *mgs_set_require_section(cmd_parms *cmd, void *mconfig,
                                    const char *arg);
const char *mgs_set_require_bytecode(cmd_parms *cmd, void *mconfig,
                                     const char *arg);

/* Per-server and per-directory configuration create/merge callbacks. */
void *mgs_config_server_create(apr_pool_t *p, server_rec *s);
void *mgs_config_server_merge(apr_pool_t *p, void *base, void *add);
void *mgs_config_dir_create(apr_pool_t *p, char *dir);
void *mgs_config_dir_merge(apr_pool_t *p, void *base, void *add);

/* Selects the virtual host matching the SNI name the client sent
 * during the handshake (presumably NULL when there is none; confirm). */
mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session);

/* Records a credential file path in the configuration. */
const char *mgs_store_cred_path(cmd_parms *cmd,
                                void *dircfg __attribute__((unused)),
                                const char *path);
443
/* mod_gnutls Hooks: the httpd hook callbacks the module registers.
 * What each one does is inferred from its name and from the fields of
 * mgs_srvconf_rec; confirm against the implementation. */

/* pre_config: runs before the configuration is read (process-wide
 * GnuTLS setup, presumably). */
int mgs_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                        apr_pool_t *ptemp);

/* post_config: runs once the configuration is read; presumably where
 * credentials are loaded and the merged configuration is validated. */
int mgs_hook_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                         apr_pool_t *ptemp, server_rec *base_server);

/* child_init: per-child setup; the "Things initialized at _child_init"
 * part of mgs_srvconf_rec is filled in here. */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme: reports the request scheme (presumably "https" on TLS
 * connections). */
const char *mgs_hook_http_scheme(const request_rec *r);

/* default_port: reports the default port for the request's scheme. */
apr_port_t mgs_hook_default_port(const request_rec *r);

/* pre_connection: installs the TLS filters on a new connection. */
int mgs_hook_pre_connection(conn_rec *c, void *csd);

/* fixups: exports TLS variables (and certificates, when enabled) to
 * the request environment, presumably. */
int mgs_hook_fixups(request_rec *r);

/* authz: authorization hook for certificate-based access control. */
int mgs_hook_authz(request_rec *r);
465
466#endif /*  __mod_gnutls_h_inc */