source: mod_gnutls/include/mod_gnutls.h.in @ 407ca6e

Last change on this file since 407ca6e was b22def6, checked in by Fiona Klute <fiona.klute@…>, 6 months ago

Remove SIGPIPE signal block

There's no discernible reason to keep this, the main HTTPD code
doesn't use it at all, and the proxy code with which it was originally
added in 33826c53d7991024eeed255f860e9818188e2bcb works fine without
it.

1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2020 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30/* GnuTLS Library Headers */
31#include <gnutls/gnutls.h>
32#include <gnutls/abstract.h>
33#include <gnutls/x509.h>
34
35#ifndef __mod_gnutls_h_inc
36#define __mod_gnutls_h_inc
37
/* The module record itself, defined in the main mod_gnutls source. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names (used when registering/inserting the TLS input and
 * output filters on a connection) */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state values for the enable/disable flags in
 * the config records below. UNSET (2) needs two bits, which is why
 * the bitfield flags that hold these values are declared `: 2`. */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version. The @...@ tokens in this file are
 * substituted by configure (this is a .h.in template). */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode (configure substitution, see above) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/* Compile support for early SNI? Only defined when configure set
 * ENABLE_EARLY_SNI to 1. */
#if @ENABLE_EARLY_SNI@ == 1
#define ENABLE_EARLY_SNI
#endif

/** Name of the module-wide singleton watchdog */
#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"

/* NOTE(review): the include guard `__mod_gnutls_h_inc` (above) starts
 * with a double underscore, a prefix C reserves for the
 * implementation, and the guard is placed after the #includes rather
 * than around them. Neither is a functional problem on its own, but a
 * plain MOD_GNUTLS_H_INC style name wrapping the whole header would
 * be the conventional form. */

/* Internal cache data, defined in gnutls_cache.h (opaque here) */
typedef struct mgs_cache* mgs_cache_t;
64
/**
 * Client certificate verification method selected by configuration.
 * The values are spelled out so the numbering visibly matches the
 * declaration order; mgs_cvm_unset is 0, so a zero-filled config
 * record reads as "unset".
 */
typedef enum {
    mgs_cvm_unset = 0,
    mgs_cvm_cartel = 1,
    mgs_cvm_msva = 2
} mgs_client_verification_method_e;
70
71
/* Directory Configuration Record (per-directory/location settings).
 * Created by mgs_config_dir_create() and merged by
 * mgs_config_dir_merge(), both declared below. */
typedef struct {
    /* Client certificate verification mode for this directory. A field
     * of the same name exists in mgs_srvconf_rec; which one wins, and
     * the exact value range, is decided in the config code, not here. */
    int client_verify_mode;
} mgs_dirconf_rec;
76
77
/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h
 * (opaque here; mgs_srvconf_rec holds an array of these) */
typedef struct mgs_ocsp_data* mgs_ocsp_data_t;


/* The maximum number of certificates to send in a chain. Note that
 * the chain arrays in mgs_srvconf_rec are plain pointers, so whether
 * this cap is enforced when the chain is loaded is not visible in
 * this header. */
#define MAX_CHAIN_SIZE 8
84
/**
 * Server Configuration Record, one per (virtual) server. Created by
 * mgs_config_server_create() and merged into vhosts by
 * mgs_config_server_merge(), both declared below. Holds both the raw
 * directive values (paths, strings) and the GnuTLS objects built from
 * them.
 */
typedef struct {
    /** Server this mod_gnutls configuration is for */
    server_rec* s;

    /* --- Configuration values --- */
    /* Is the module enabled? Presumably one of GNUTLS_ENABLED_*
     * (set via mgs_set_enabled(), which takes an int flag) -- confirm. */
    int enabled;
    /* Is mod_proxy enabled? Same value convention as `enabled`,
     * presumably; set via mgs_set_proxy_engine(). */
    int proxy_enabled;

    /* List of PKCS #11 provider modules to load, only valid in the
     * base config, ignored in virtual hosts */
    apr_array_header_t *p11_modules;

    /* PIN used for PKCS #11 operations. NOTE(review): a secret held as
     * a plain string in the config record; whether it is ever zeroized
     * is not visible from this header -- confirm in the config code. */
    char *pin;

    /* The SRK PIN used in TPM operations; same caveat as `pin`. */
    char *srk_pin;

    /* Paths of the server's X.509 certificate, private key and CA
     * file, as given in the configuration (presumably filled by the
     * mgs_set_*_file() handlers declared below). */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* Path of the DH parameter file (see mgs_set_dh_file() below). */
    char *dh_file;

    /* GnuTLS priority strings for server and proxy connections, as
     * configured; the parsed gnutls_priority_t objects are
     * `priorities` and `proxy_priorities` further down. */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password and password-config file paths (see
     * mgs_set_srp_tpasswd_file() / mgs_set_srp_tpasswd_conf_file()). */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

    /* Cache timeout value (set via mgs_set_timeout(); units are decided
     * there, not here) */
    int cache_timeout;
    /* Enable cache. Two-bit field, presumably holding a
     * GNUTLS_ENABLED_* value (UNSET is 2) -- confirm. */
    unsigned char cache_enable : 2;
    /* Internal cache data */
    mgs_cache_t cache;

    /* GnuTLS uses Session Tickets (set via mgs_set_tickets(), int flag) */
    int tickets;

    /* x509 Certificate Structure: server credentials */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Paths of the key, certificate, CA and CRL files used when
     * mod_gnutls acts as a TLS client for proxied connections */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure */
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections */
    gnutls_anon_client_credentials_t anon_client_creds;
    /* An x509 Certificate Chain, held both as pcert structures and as
     * parsed certificates */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
    /* Number of Certificates in Chain (entries in the two arrays
     * above; MAX_CHAIN_SIZE is the documented cap) */
    unsigned int certs_x509_chain_num;

    /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

    /* Export full certificates to CGI environment: set via
     * mgs_set_export_certificates_size(). The exact meaning of the
     * integer is defined in that handler -- see there. */
    int export_certificates_size;
    /* GnuTLS Priorities (parsed from priorities_str) */
    gnutls_priority_t priorities;
    /* GnuTLS DH Parameters (loaded from dh_file, presumably) */
    gnutls_dh_params_t dh_params;
    /* A list of CA Certificates used for client certificate
     * verification */
    gnutls_x509_crt_t *ca_list;
    /* CA Certificate list size (entries in ca_list) */
    unsigned int ca_list_size;
    /* Client Certificate Verification Mode (set via
     * mgs_set_client_verify(); value range defined there) */
    int client_verify_mode;
    /* Client Certificate Verification Method (set via
     * mgs_set_client_verify_method()) */
    mgs_client_verification_method_e client_verify_method;

    /* Enable OCSP stapling */
    unsigned char ocsp_staple;
    /* Automatically refresh cached OCSP response? */
    unsigned char ocsp_auto_refresh;
    /* Check nonce in OCSP responses? */
    unsigned char ocsp_check_nonce;
    /* Read OCSP response for stapling from this file instead of
     * sending a request over HTTP */
    char **ocsp_response_file;
    /* Number of configured OCSP response files (entries in
     * ocsp_response_file) */
    int ocsp_response_file_num;
    /* Internal OCSP data for this server (array, see ocsp_num) */
    mgs_ocsp_data_t *ocsp;
    /* Number of successfully configured OCSP data sets */
    unsigned int ocsp_num;
    /* Mutex to prevent parallel OCSP requests */
    apr_global_mutex_t *ocsp_mutex;
    /* Internal OCSP cache data */
    mgs_cache_t ocsp_cache;
    /* Cache timeout for OCSP responses. Note that the nextUpdate
     * field of the response takes precedence if shorter. */
    apr_interval_time_t ocsp_cache_time;
    /* If an OCSP request fails wait this long before trying again. */
    apr_interval_time_t ocsp_failure_timeout;
    /** How long before a cached OCSP response expires should it be
     * updated? During configuration parsing this is set to the
     * maximum, during post configuration the value will be set to
     * half that. After each update the interval for the next one
     * is chosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
     * RANDOM` with `0 <= RANDOM <= 1`. */
    apr_interval_time_t ocsp_fuzz_time;
    /* Socket timeout for OCSP requests */
    apr_interval_time_t ocsp_socket_timeout;

    /** This module's singleton watchdog, used for async OCSP cache
     * updates. */
    struct mgs_watchdog *singleton_wd;
} mgs_srvconf_rec;
209
/* Character Buffer: a pointer plus a length. Note that `length` is a
 * signed int while the I/O sizes in mgs_handle_t are apr_size_t, so
 * code comparing the two has to mind the signed/unsigned conversion. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
215
/** GnuTLS connection handle: per-connection state for the TLS
 * session and the input/output filters. Note that both I/O buffers
 * are fixed-size arrays embedded in the struct (AP_IOBUFSIZE each),
 * so the handle itself is fairly large. */
typedef struct {
    /* Server configuration record */
    mgs_srvconf_rec *sc;
    /* Connection record */
    conn_rec* c;
    /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? (i.e. mod_gnutls is the TLS client) */
    int is_proxy;
    /* GnuTLS Session handle */
    gnutls_session_t session;
    /** Server name requested via SNI if any, or NULL. */
    const char *sni_name;
    /* module input status */
    apr_status_t input_rc;
    /* Input filter */
    ap_filter_t *input_filter;
    /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
    /* Input Read Type */
    apr_read_type_e input_block;
    /* Input Mode */
    ap_input_mode_t input_mode;
    /* Input Character Buffer (pointer/length view, presumably into
     * input_buffer below -- confirm in the input filter) */
    mgs_char_buffer_t input_cbuf;
    /* Input Character Array, fixed size */
    char input_buffer[AP_IOBUFSIZE];
    /* module Output status */
    apr_status_t output_rc;
    /* Output filter */
    ap_filter_t *output_filter;
    /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
    /* Output character array, fixed size */
    char output_buffer[AP_IOBUFSIZE];
    /* Output buffer length (bytes currently held in output_buffer,
     * presumably; must stay <= AP_IOBUFSIZE) */
    apr_size_t output_blen;
    /* Output length */
    apr_size_t output_length;
    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
     * error (checks use status < 0 or status > 0) */
    int status;
} mgs_handle_t;
260
261
262
/* Proxy Support */

/**
 * Optional function: returns non-zero if the given connection is
 * using SSL/TLS.
 */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));

/**
 * Optional function: retrieves an SSL environment variable. The
 * variable name is the final (char *) argument.
 */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
                        (apr_pool_t *, server_rec *, conn_rec *,
                         request_rec *, char *));

/**
 * Optional functions used by mod_proxy to enable use of SSL for
 * outgoing connections (ssl_proxy_enable) or to switch the engine off
 * for a connection (ssl_engine_disable). ssl_engine_set combines both
 * switches with an explicit config vector.
 */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set,
                        (conn_rec *, ap_conf_vector_t *,
                         int proxy, int enable));

/**
 * Returns the mgs_handle_t in effect for connection c. What is
 * returned when TLS is not active on the connection is defined by the
 * implementation, not here.
 */
mgs_handle_t *get_effective_gnutls_ctxt(conn_rec *c);

/* Implementations backing the optional functions declared above. */
int ssl_is_https(conn_rec *c);
char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
                     request_rec *r, char *var);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);

/** Directive handler for the proxy engine flag; returns NULL on
 * success or an error message for the config parser. */
const char *mgs_set_proxy_engine(cmd_parms *parms, void *dummy,
                                 const int arg);

/** Pool cleanup registered around pre_config; returns an APR status. */
apr_status_t mgs_cleanup_pre_config(void *data);
290
291
292
/**
 * Perform any reinitialization required in PKCS #11 for the given
 * server. Returns an int status; the success/failure convention is
 * defined by the implementation (not visible here).
 */
int mgs_pkcs11_reinit(server_rec * s);
297
298
299
/* Configuration Functions */

/**
 * Loads all files set in the configuration (certificates, keys, DH
 * parameters, ...) for server s. All three pointer arguments must be
 * non-NULL (enforced by the attribute).
 */
int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
    __attribute__((nonnull));

/*
 * Directive handlers. Each takes the usual httpd (cmd_parms, per-dir
 * config, argument) triple and returns NULL on success or an error
 * string for the config parser. Handlers taking `const int arg` are
 * on/off flag directives; the others take a string argument.
 */

/* SRP: password and password-config file paths */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms *parms, void *dummy,
                                          const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms *parms, void *dummy,
                                     const char *arg);

/* DH parameter file */
const char *mgs_set_dh_file(cmd_parms *parms, void *dummy,
                            const char *arg);

/* Server certificate and private key files */
const char *mgs_set_cert_file(cmd_parms *parms, void *dummy,
                              const char *arg);
const char *mgs_set_key_file(cmd_parms *parms, void *dummy,
                             const char *arg);

/* Cache timeout */
const char *mgs_set_timeout(cmd_parms *parms, void *dummy,
                            const char *arg);

/* Client certificate verification: mode, method and CA file */
const char *mgs_set_client_verify(cmd_parms *parms, void *dummy,
                                  const char *arg);
const char *mgs_set_client_verify_method(cmd_parms *parms, void *dummy,
                                         const char *arg);
const char *mgs_set_client_ca_file(cmd_parms *parms, void *dummy,
                                   const char *arg);

/* PKCS #11 provider module to load (may be given more than once;
 * collected in mgs_srvconf_rec.p11_modules) */
const char *mgs_set_p11_module(cmd_parms *parms, void *dummy,
                               const char *arg);

/* PKCS #11 PIN and TPM SRK PIN. Both end up as plain strings in the
 * server config record (see `pin` / `srk_pin` there). */
const char *mgs_set_pin(cmd_parms *parms, void *dummy,
                        const char *arg);
const char *mgs_set_srk_pin(cmd_parms *parms, void *dummy,
                            const char *arg);

/* Module on/off flag */
const char *mgs_set_enabled(cmd_parms *parms, void *dummy,
                            const int arg);
/* Certificate export size for the CGI environment */
const char *mgs_set_export_certificates_size(cmd_parms *parms, void *dummy,
                                             const char *arg);
/* GnuTLS priority string */
const char *mgs_set_priorities(cmd_parms *parms, void *dummy,
                               const char *arg);
/* Session ticket on/off flag */
const char *mgs_set_tickets(cmd_parms *parms, void *dummy,
                            const int arg);

/* Server config record lifecycle: create for a server_rec, merge a
 * vhost's (ADD) record onto the base (BASE) record. */
void *mgs_config_server_create(apr_pool_t *p, server_rec *s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Directory config record lifecycle, mirroring the server variants. */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
void *mgs_config_dir_create(apr_pool_t *p, char *dir);

/**
 * Stores a credential path from the configuration. The per-dir
 * config argument is unused by this handler.
 */
const char *mgs_store_cred_path(cmd_parms *parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
357
/* mod_gnutls Hooks. */

/** pre_config hook: runs before the configuration is parsed. */
int mgs_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                        apr_pool_t *ptemp);

/** post_config hook: runs once the full configuration is available,
 * starting from base_server. */
int mgs_hook_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                         apr_pool_t *ptemp, server_rec *base_server);

/** child_init hook: per-child process initialisation. */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/** http_scheme hook: returns the URL scheme for the request. */
const char *mgs_hook_http_scheme(const request_rec *r);

/** default_port hook: returns the default port for the request. */
apr_port_t mgs_hook_default_port(const request_rec *r);

/** pre_connection hook; csd is the connection's socket descriptor
 * as passed by httpd. */
int mgs_hook_pre_connection(conn_rec *c, void *csd);

/** process_connection hook. */
int mgs_hook_process_connection(conn_rec *c);

/** fixups hook (runs per request). */
int mgs_hook_fixups(request_rec *r);

/** Post request hook, checks if TLS connection and vhost match */
int mgs_req_vhost_check(request_rec *r);

/** authz hook (runs per request). */
int mgs_hook_authz(request_rec *r);
384
385#endif /*  __mod_gnutls_h_inc */