source: mod_gnutls/include/mod_gnutls.h.in @ 64470ce

Last change on this file since 64470ce was d4c1a4e, checked in by Fiona Klute <fiona.klute@…>, 21 months ago

Add a reference from mod_gnutls server settings back to the server_rec

During the TLS handshake conn_rec.base_server isn't set to the right
virtual host yet because the HTTP request hasn't been received and
parsed. After selecting the virtual host based on SNI we can use the
new reference instead.

1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2018 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30/* GnuTLS Library Headers */
31#include <gnutls/gnutls.h>
32#include <gnutls/abstract.h>
33#include <gnutls/x509.h>
34
#ifndef __mod_gnutls_h_inc
#define __mod_gnutls_h_inc
/* NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3). A guard such as
 * MOD_GNUTLS_H_INC would avoid the reservation; left unchanged here
 * because the name may be referenced from other files. */

/** The Apache module record for mod_gnutls (defined in one of the
 * module's .c files, not in this header). */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* Names under which the TLS input/output filters are registered */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* Tri-state for "enabled"-style configuration values. UNSET
 * presumably marks a value not given in the current scope so that a
 * config merge can take the base value -- confirm in
 * mgs_config_server_merge(). Note cache_enable in mgs_srvconf_rec is
 * a 2-bit field, wide enough for these three values only. */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version; the @...@ token is substituted by configure
 * (this is a .h.in template) */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module debug mode, substituted by configure (maintainer mode) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/** Name of the module-wide singleton watchdog */
#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"


/* Internal cache data, defined in gnutls_cache.h. Opaque pointer
 * type: only gnutls_cache.h knows the layout of struct mgs_cache. */
typedef struct mgs_cache* mgs_cache_t;
59
/** How client certificates are verified (GnuTLSClientVerifyMethod).
 * unset: no method configured in this scope; cartel and msva are the
 * two supported methods -- their exact semantics are implemented by
 * the code behind mgs_set_client_verify_method(), not documented here. */
typedef enum {
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
65
66
/** Directory (per-location) configuration record, created by
 * mgs_config_dir_create() and merged by mgs_config_dir_merge(). */
typedef struct {
    /* Client certificate verification mode for this directory; the
     * server-wide counterpart is mgs_srvconf_rec.client_verify_mode */
    int client_verify_mode;
} mgs_dirconf_rec;
71
72
/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h.
 * Opaque pointer type, layout is private to gnutls_ocsp.h. */
typedef struct mgs_ocsp_data* mgs_ocsp_data_t;


/* The maximum number of certificates to send in a chain. Code that
 * fills certs_x509_chain in mgs_srvconf_rec must bound the chain by
 * this value. */
#define MAX_CHAIN_SIZE 8
79
/** Server (per-vhost) configuration record. Created by
 * mgs_config_server_create() and merged by mgs_config_server_merge()
 * (both declared below); filled in by the mgs_set_* directive
 * handlers. Several members hold secrets or trust anchors, see the
 * notes on the individual fields. */
typedef struct {
    /** Server this mod_gnutls configuration is for. Unlike
     * conn_rec.base_server this is usable during the TLS handshake,
     * once the virtual host has been selected via SNI. */
    server_rec* s;

    /* --- Configuration values --- */
    /* Is the module enabled? Presumably one of the GNUTLS_ENABLED_*
     * values, set via mgs_set_enabled() -- confirm there. */
    int enabled;
    /* Is mod_proxy enabled? */
    int proxy_enabled;

    /* List of PKCS #11 provider modules to load, only valid in the
     * base config, ignored in virtual hosts */
    apr_array_header_t *p11_modules;

    /* PIN used for PKCS #11 operations. Secret material, configured in
     * clear text; presumably allocated from the config pool and thus
     * resident for the lifetime of the process. */
    char *pin;

    /* The SRK PIN used in TPM operations. Secret, same caveats as pin. */
    char *srk_pin;

    /* Paths of the server certificate, private key and CA file as
     * given in the configuration; see mgs_load_files() */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* Path of the Diffie-Hellman parameter file (loaded into dh_params) */
    char *dh_file;

    /* GnuTLS priority strings for server and proxy connections, the
     * compiled forms are priorities and proxy_priorities below */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password file and its configuration file */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

    /* Cache timeout value */
    int cache_timeout;
    /* Enable cache: a GNUTLS_ENABLED_* tri-state, hence two bits */
    unsigned char cache_enable : 2;
    /* Internal cache data */
    mgs_cache_t cache;

    /* GnuTLS uses session tickets (set via mgs_set_tickets()) */
    int tickets;

    /* x509 credentials used for incoming (server) connections */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds: the CAs trusted when a backend
     * server is verified */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Paths of the key, certificate, CA and CRL files used for proxy
     * connections */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP server credentials */
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous (unauthenticated) server credentials */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous client credentials, used for proxy
     * connections */
    gnutls_anon_client_credentials_t anon_client_creds;
    /* The x509 certificate chain, as a pcert list and as x509 objects */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
    /* Number of certificates in the chain, presumably bounded by
     * MAX_CHAIN_SIZE -- confirm in the loading code */
    unsigned int certs_x509_chain_num;

    /* Current x509 certificate private key */
    gnutls_privkey_t privkey_x509;

    /* Export full certificates to CGI environment: */
    int export_certificates_size;
    /* GnuTLS priorities (compiled from priorities_str) */
    gnutls_priority_t priorities;
    /* GnuTLS DH parameters (loaded from dh_file) */
    gnutls_dh_params_t dh_params;
    /* A list of CA certificates, the trust anchors for client
     * certificate verification, and its size */
    gnutls_x509_crt_t *ca_list;
    unsigned int ca_list_size;
    /* Client certificate verification mode */
    int client_verify_mode;
    /* Client certificate verification method */
    mgs_client_verification_method_e client_verify_method;

    /* Enable OCSP stapling */
    unsigned char ocsp_staple;
    /* Automatically refresh cached OCSP response? */
    unsigned char ocsp_auto_refresh;
    /* Check nonce in OCSP responses? The nonce binds a response to
     * the request that asked for it; without the check a response
     * obtained earlier is accepted for as long as it is valid. */
    unsigned char ocsp_check_nonce;
    /* Read OCSP response for stapling from this file instead of
     * sending a request over HTTP */
    char *ocsp_response_file;
    /* Internal OCSP data for this server */
    mgs_ocsp_data_t ocsp;
    /* Mutex to prevent parallel OCSP requests */
    apr_global_mutex_t *ocsp_mutex;
    /* Internal OCSP cache data */
    mgs_cache_t ocsp_cache;
    /* Cache timeout for OCSP responses. Note that the nextUpdate
     * field of the response takes precedence if shorter. */
    apr_interval_time_t ocsp_cache_time;
    /* If an OCSP request fails wait this long before trying again. */
    apr_interval_time_t ocsp_failure_timeout;
    /** How long before a cached OCSP response expires should it be
     * updated? During configuration parsing this is set to the
     * maximum, during post configuration the value will be set to
     * half that. After each update the interval for the next one
     * is chosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
     * RANDOM` with `0 <= RANDOM <= 1`. */
    apr_interval_time_t ocsp_fuzz_time;
    /* Socket timeout for OCSP requests */
    apr_interval_time_t ocsp_socket_timeout;

    /** This module's singleton watchdog, used for async OCSP cache
     * updates. */
    struct mgs_watchdog *singleton_wd;
} mgs_srvconf_rec;
200
/** Character buffer: a pointer into a byte array plus the number of
 * bytes it covers. NOTE(review): length is a signed int, so code that
 * advances value and decrements length must keep it non-negative, and
 * comparisons against apr_size_t lengths are signed/unsigned mixes --
 * check the users in gnutls_io.c. Type left unchanged here because the
 * users live in other files. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
206
/** GnuTLS connection handle: per-connection state shared by the
 * input/output filters and the GnuTLS transport callbacks
 * (mgs_transport_read/write). Obtain it via
 * get_effective_gnutls_ctxt(). */
typedef struct {
    /* Server configuration record */
    mgs_srvconf_rec *sc;
    /* Connection record */
    conn_rec* c;
    /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy (outgoing) connection? */
    int is_proxy;
    /* GnuTLS session handle */
    gnutls_session_t session;
    /** Server name requested via SNI if any, or NULL. Client-supplied
     * data taken from the ClientHello; whether it matches the vhost
     * of the eventual request is checked later by
     * mgs_req_vhost_check(). */
    const char *sni_name;
    /* module input status */
    apr_status_t input_rc;
    /* Input filter */
    ap_filter_t *input_filter;
    /* Input bucket brigade */
    apr_bucket_brigade *input_bb;
    /* Input read type (blocking or non-blocking read) */
    apr_read_type_e input_block;
    /* Input mode */
    ap_input_mode_t input_mode;
    /* Input character buffer, see mgs_char_buffer_t */
    mgs_char_buffer_t input_cbuf;
    /* Input character array */
    char input_buffer[AP_IOBUFSIZE];
    /* module output status */
    apr_status_t output_rc;
    /* Output filter */
    ap_filter_t *output_filter;
    /* Output bucket brigade */
    apr_bucket_brigade *output_bb;
    /* Output character array */
    char output_buffer[AP_IOBUFSIZE];
    /* Output buffer length; presumably the number of bytes pending in
     * output_buffer, so writers must keep it <= sizeof(output_buffer) */
    apr_size_t output_blen;
    /* Output length */
    apr_size_t output_length;
    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
     * error (checks use status < 0 or status > 0) */
    int status;
} mgs_handle_t;
251
252
253
/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE. This is an APR function,
 * declared here rather than through its APR header; the prototype
 * must stay identical to APR's. */
apr_status_t apr_signal_block(int signum);
258
/* Proxy Support */
/** mod_proxy adds a note with this key to the connection->notes table
 * for client connections (the hostname of the backend it connects to;
 * presumably used as SNI for the outgoing connection -- confirm in
 * the proxy code) */
#define PROXY_SNI_NOTE "proxy-request-hostname"
/* An optional function which returns non-zero if the given connection
is using SSL/TLS. The optional functions below carry the same names as
mod_ssl's, so mod_proxy and other modules work unchanged. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_var_lookup() optional function retrieves SSL environment
 * variables. The last argument is the variable name; it is not const
 * because the prototype must match mod_ssl's. */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
                        (apr_pool_t *, server_rec *,
                         conn_rec *, request_rec *,
                         char *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
                                              ap_conf_vector_t *,
                                              int proxy, int enable));
/* Return the mgs_handle_t for c (the handle that is actually in use
 * for this connection; exact lookup rules are in gnutls_io.c) */
mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
/* Implementations registered for the optional functions above */
int ssl_is_https(conn_rec *c);
char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
                     request_rec *r, char *var);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler for the proxy engine flag; returns NULL on
 * success or an error string (Apache directive convention) */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
                                 const int arg);
/* Pool cleanup registered during pre_config */
apr_status_t mgs_cleanup_pre_config(void *data);
289
/**
 * mgs_filter_input will filter the input data
 * by decrypting it using GnuTLS and passes it cleartext.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade, where to store the result to
 * @param mode  what shall we read? (ap_input_mode_t, e.g. line or
 *              byte reads, as for any Apache input filter)
 * @param block whether the read may block (APR_BLOCK_READ) or must
 *              return immediately (APR_NONBLOCK_READ)
 * @param readbytes number of bytes requested by the caller, with the
 *              usual Apache input filter meaning
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);
305
/**
 * mgs_filter_output encrypts the incoming bucket brigade using
 * GnuTLS and passes the result on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to encrypt
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);
316
317
/**
 * mgs_transport_read is called from GnuTLS to provide encrypted
 * data from the client (GnuTLS pull function).
 *
 * @param ptr     pointer to the filter context (mgs_handle_t)
 * @param buffer  place to put data
 * @param len     maximum size; the implementation must never store
 *                more than len bytes in buffer
 * @return size   length of the data stored in buffer, or a negative
 *                value on error (GnuTLS then expects errno to have
 *                been set, see gnutls_transport_set_errno())
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);
329
/**
 * mgs_transport_write is called from GnuTLS to
 * write data to the client (GnuTLS push function).
 *
 * @param ptr     pointer to the filter context (mgs_handle_t)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written, or a negative value on
 *                error (GnuTLS then expects errno to have been set,
 *                see gnutls_transport_set_errno())
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);
341
342
/** Run a (re-)handshake on ctxt->session; see ctxt->status for the
 * resulting connection state. The return value's meaning is not
 * documented here -- check gnutls_io.c before relying on it. */
int mgs_rehandshake(mgs_handle_t * ctxt);
344
345
346
/**
 * Perform any reinitialization required in PKCS #11 for the given
 * server (presumably after a fork, when provider handles cannot be
 * shared with the parent -- confirm against the caller).
 *
 * @param s the server whose PKCS #11 state is reinitialized
 * @return int status, semantics defined by the implementation
 */
int mgs_pkcs11_reinit(server_rec * s);
351
352
353
/* Configuration Functions */

/* Loads all files set in the configuration (certificate, key, CA,
 * DH and SRP files of s's mgs_srvconf_rec). Declared nonnull: no
 * argument may be NULL, and because of the attribute the compiler may
 * remove any NULL checks inside the implementation, so callers must
 * guarantee it. */
int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
    __attribute__((nonnull));
359
/* Directive handlers. All follow the Apache convention: parms is the
 * command context, dummy the per-directory config (unused by the
 * server-level directives), arg the directive argument; they return
 * NULL on success or an error string reported at configuration time.
 * The file arguments are paths only; the files themselves are read by
 * mgs_load_files(). */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);

const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
                               const char *arg);

/* PIN handlers: arg is secret material given in the configuration
 * file (see mgs_srvconf_rec.pin / srk_pin) */
const char *mgs_set_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Flag directives take an int argument instead of a string */
const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const int arg);
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const int arg);

/* Config record constructors and mergers registered with Apache.
 * create returns a fresh mgs_srvconf_rec / mgs_dirconf_rec allocated
 * from p; merge combines the base and the more specific record. */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

void *mgs_config_dir_create(apr_pool_t *p, char *dir);

/* Generic handler storing a credential file path (which file is
 * decided by the directive it is registered for); dummy is unused */
const char *mgs_store_cred_path(cmd_parms * parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
411
/* mod_gnutls Hooks. Each is registered for the Apache hook its name
 * refers to; the int-returning ones use the usual OK / DECLINED /
 * HTTP status convention of that hook. */

int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* post_config: runs once the whole configuration is known */
int mgs_hook_post_config(apr_pool_t *pconf,
                         apr_pool_t *plog,
                         apr_pool_t *ptemp,
                         server_rec *base_server);

/* child_init: per-child setup after fork */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme / default_port: report "https"-style scheme and port
 * for TLS connections so generated URLs are correct */
const char *mgs_hook_http_scheme(const request_rec * r);

apr_port_t mgs_hook_default_port(const request_rec * r);

/* pre_connection: installs the TLS filters; csd is the client socket */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

int mgs_hook_process_connection(conn_rec* c);

/* fixups: exports TLS variables into the request environment */
int mgs_hook_fixups(request_rec *r);

/** Post request hook, checks if TLS connection and vhost match. This
 * is the check that ties the SNI-selected virtual host to the Host
 * header of the request (see mgs_handle_t.sni_name). */
int mgs_req_vhost_check(request_rec *r);

/* authz: client certificate based access decisions */
int mgs_hook_authz(request_rec *r);
438
439#endif /*  __mod_gnutls_h_inc */