source: mod_gnutls/include/mod_gnutls.h.in @ 6d8c00c

debian/master
Last change on this file since 6d8c00c was 6d8c00c, checked in by Fiona Klute <fiona.klute@…>, 13 months ago

Include apr_strings.h only where needed

  • Property mode set to 100644
File size: 14.2 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2018 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#include <gnutls/abstract.h>
34#include <gnutls/x509.h>
35
36#ifndef __mod_gnutls_h_inc
37#define __mod_gnutls_h_inc
38
39extern module AP_MODULE_DECLARE_DATA gnutls_module;
40
41/* IO Filter names */
42#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
43#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
44/* GnuTLS Constants */
45#define GNUTLS_ENABLED_FALSE 0
46#define GNUTLS_ENABLED_TRUE  1
47#define GNUTLS_ENABLED_UNSET  2
48/* Current module version */
49#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
50
51/* Module Debug Mode */
52#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
53
54/** Name of the module-wide singleton watchdog */
55#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
56
57
58/* Internal cache data, defined in gnutls_cache.h */
59typedef struct mgs_cache* mgs_cache_t;
60
61typedef enum {
62    mgs_cvm_unset,
63    mgs_cvm_cartel,
64    mgs_cvm_msva
65} mgs_client_verification_method_e;
66
67
68/* Directory Configuration Record */
69typedef struct {
70    int client_verify_mode;
71} mgs_dirconf_rec;
72
73
74/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
75typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
76
77
78/* The maximum number of certificates to send in a chain */
79#define MAX_CHAIN_SIZE 8
80
81/** Server Configuration Record */
82typedef struct {
83    /* --- Configuration values --- */
84        /* Is the module enabled? */
85    int enabled;
86        /* Is mod_proxy enabled? */
87    int proxy_enabled;
88
89    /* List of PKCS #11 provider modules to load, only valid in the
90     * base config, ignored in virtual hosts */
91    apr_array_header_t *p11_modules;
92
93    /* PIN used for PKCS #11 operations */
94    char *pin;
95
96    /* the SRK PIN used in TPM operations */
97    char *srk_pin;
98
99    char *x509_cert_file;
100    char *x509_key_file;
101    char *x509_ca_file;
102
103    char *dh_file;
104
105    char *priorities_str;
106    char *proxy_priorities_str;
107
108    const char* srp_tpasswd_file;
109    const char* srp_tpasswd_conf_file;
110
111        /* Cache timeout value */
112    int cache_timeout;
113    /* Enable cache */
114    unsigned char cache_enable : 2;
115    /* Internal cache data */
116    mgs_cache_t cache;
117
118        /* GnuTLS uses Session Tickets */
119    int tickets;
120
121    /* x509 Certificate Structure */
122    gnutls_certificate_credentials_t certs;
123    /* x509 credentials for proxy connections */
124    gnutls_certificate_credentials_t proxy_x509_creds;
125    /* trust list for proxy_x509_creds */
126    gnutls_x509_trust_list_t proxy_x509_tl;
127    const char* proxy_x509_key_file;
128    const char* proxy_x509_cert_file;
129    const char* proxy_x509_ca_file;
130    const char* proxy_x509_crl_file;
131    /* GnuTLS priorities for proxy connections */
132    gnutls_priority_t proxy_priorities;
133    /* SRP Certificate Structure*/
134    gnutls_srp_server_credentials_t srp_creds;
135    /* Anonymous Certificate Structure */
136    gnutls_anon_server_credentials_t anon_creds;
137    /* Anonymous Client Certificate Structure, used for proxy
138     * connections */
139    gnutls_anon_client_credentials_t anon_client_creds;
140        /* An x509 Certificate Chain */
141    gnutls_pcert_st *certs_x509_chain;
142    gnutls_x509_crt_t *certs_x509_crt_chain;
143        /* Number of Certificates in Chain */
144    unsigned int certs_x509_chain_num;
145
146        /* Current x509 Certificate Private Key */
147    gnutls_privkey_t privkey_x509;
148
149    /* Export full certificates to CGI environment: */
150    int export_certificates_size;
151        /* GnuTLS Priorities */
152    gnutls_priority_t priorities;
153        /* GnuTLS DH Parameters */
154    gnutls_dh_params_t dh_params;
155        /* A list of CA Certificates */
156    gnutls_x509_crt_t *ca_list;
157        /* CA Certificate list size */
158    unsigned int ca_list_size;
159        /* Client Certificate Verification Mode */
160    int client_verify_mode;
161        /* Client Certificate Verification Method */
162    mgs_client_verification_method_e client_verify_method;
163
164    /* Enable OCSP stapling */
165    unsigned char ocsp_staple;
166    /* Automatically refresh cached OCSP response? */
167    unsigned char ocsp_auto_refresh;
168    /* Check nonce in OCSP responses? */
169    unsigned char ocsp_check_nonce;
170    /* Read OCSP response for stapling from this file instead of
171     * sending a request over HTTP */
172    char *ocsp_response_file;
173    /* Internal OCSP data for this server */
174    mgs_ocsp_data_t ocsp;
175    /* Mutex to prevent parallel OCSP requests */
176    apr_global_mutex_t *ocsp_mutex;
177    /* Internal OCSP cache data */
178    mgs_cache_t ocsp_cache;
179    /* Cache timeout for OCSP responses. Note that the nextUpdate
180     * field of the response takes precedence if shorter. */
181    apr_interval_time_t ocsp_cache_time;
182    /* If an OCSP request fails wait this long before trying again. */
183    apr_interval_time_t ocsp_failure_timeout;
184    /** How long before a cached OCSP response expires should it be
185     * updated? During configuration parsing this is set to the
186     * maximum, during post configuration the value will be set to
187     * half that. After each update the interval to for the next one
188     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
189     * RANDOM` with `0 <= RANDOM <= 1`. */
190    apr_interval_time_t ocsp_fuzz_time;
191    /* Socket timeout for OCSP requests */
192    apr_interval_time_t ocsp_socket_timeout;
193
194    /** This module's singleton watchdog, used for async OCSP cache
195     * updates. */
196    struct mgs_watchdog *singleton_wd;
197} mgs_srvconf_rec;
198
199/* Character Buffer */
200typedef struct {
201    int length;
202    char *value;
203} mgs_char_buffer_t;
204
205/** GnuTLS connection handle */
206typedef struct {
207        /* Server configuration record */
208    mgs_srvconf_rec *sc;
209        /* Connection record */
210    conn_rec* c;
211        /* Is TLS enabled for this connection? */
212    int enabled;
213    /* Is this a proxy connection? */
214    int is_proxy;
215        /* GnuTLS Session handle */
216    gnutls_session_t session;
217    /** Server name requested via SNI if any, or NULL. */
218    const char *sni_name;
219        /* module input status */
220    apr_status_t input_rc;
221        /* Input filter */
222    ap_filter_t *input_filter;
223        /* Input Bucket Brigade */
224    apr_bucket_brigade *input_bb;
225        /* Input Read Type */
226    apr_read_type_e input_block;
227        /* Input Mode */
228    ap_input_mode_t input_mode;
229        /* Input Character Buffer */
230    mgs_char_buffer_t input_cbuf;
231        /* Input Character Array */
232    char input_buffer[AP_IOBUFSIZE];
233        /* module Output status */
234    apr_status_t output_rc;
235        /* Output filter */
236    ap_filter_t *output_filter;
237        /* Output Bucket Brigade */
238    apr_bucket_brigade *output_bb;
239        /* Output character array */
240    char output_buffer[AP_IOBUFSIZE];
241        /* Output buffer length */
242    apr_size_t output_blen;
243        /* Output length */
244    apr_size_t output_length;
245    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
246     * error (checks use status < 0 or status > 0) */
247    int status;
248} mgs_handle_t;
249
250
251
252/** Functions in gnutls_io.c **/
253
254/* apr_signal_block() for blocking SIGPIPE */
255apr_status_t apr_signal_block(int signum);
256
257/* Proxy Support */
258/** mod_proxy adds a note with this key to the connection->notes table
259 * for client connections */
260#define PROXY_SNI_NOTE "proxy-request-hostname"
261/* An optional function which returns non-zero if the given connection
262is using SSL/TLS. */
263APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
264/* The ssl_var_lookup() optional function retrieves SSL environment
265 * variables. */
266APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
267                        (apr_pool_t *, server_rec *,
268                         conn_rec *, request_rec *,
269                         char *));
270/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
271 * are used by mod_proxy to enable use of SSL for outgoing
272 * connections. */
273APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
274APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
275APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
276                                              ap_conf_vector_t *,
277                                              int proxy, int enable));
278mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
279int ssl_is_https(conn_rec *c);
280char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
281                     request_rec *r, char *var);
282int ssl_proxy_enable(conn_rec *c);
283int ssl_engine_disable(conn_rec *c);
284const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
285                                 const int arg);
286apr_status_t mgs_cleanup_pre_config(void *data);
287
288/**
289 * mgs_filter_input will filter the input data
290 * by decrypting it using GnuTLS and passes it cleartext.
291 *
292 * @param f     the filter info record
293 * @param bb    the bucket brigade, where to store the result to
294 * @param mode  what shall we read?
295 * @param block a block index we shall read from?
296 * @return result status
297 */
298apr_status_t mgs_filter_input(ap_filter_t * f,
299                                     apr_bucket_brigade * bb,
300                                     ap_input_mode_t mode,
301                                     apr_read_type_e block,
302                                     apr_off_t readbytes);
303
304/**
305 * mgs_filter_output will filter the encrypt
306 * the incoming bucket using GnuTLS and passes it onto the next filter.
307 *
308 * @param f     the filter info record
309 * @param bb    the bucket brigade, where to store the result to
310 * @return result status
311 */
312apr_status_t mgs_filter_output(ap_filter_t * f,
313                                      apr_bucket_brigade * bb);
314
315
316/**
317 * mgs_transport_read is called from GnuTLS to provide encrypted
318 * data from the client.
319 *
320 * @param ptr     pointer to the filter context
321 * @param buffer  place to put data
322 * @param len     maximum size
323 * @return size   length of the data stored in buffer
324 */
325ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
326                                  void *buffer, size_t len);
327
328/**
329 * mgs_transport_write is called from GnuTLS to
330 * write data to the client.
331 *
332 * @param ptr     pointer to the filter context
333 * @param buffer  buffer to write to the client
334 * @param len     size of the buffer
335 * @return size   length of the data written
336 */
337ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
338                                   const void *buffer, size_t len);
339
340
341int mgs_rehandshake(mgs_handle_t * ctxt);
342
343
344
345/**
346 * Perform any reinitialization required in PKCS #11
347 */
348int mgs_pkcs11_reinit(server_rec * s);
349
350
351
352/* Configuration Functions */
353
354/* Loads all files set in the configuration */
355int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
356    __attribute__((nonnull));
357
358const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
359                                        const char *arg);
360const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
361                                        const char *arg);
362const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
363                                        const char *arg);
364const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
365                                        const char *arg);
366
367const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
368                             const char *arg);
369
370const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
371
372const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
373                                  const char *arg);
374
375const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
376                                         const char *arg);
377
378const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
379                                   const char *arg);
380
381const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
382                               const char *arg);
383
384const char *mgs_set_pin(cmd_parms * parms, void *dummy,
385                                   const char *arg);
386
387const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
388                                   const char *arg);
389
390const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
391                            const int arg);
392const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
393                            const char *arg);
394const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
395                            const char *arg);
396const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
397                            const int arg);
398
399void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
400void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
401
402void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
403
404void *mgs_config_dir_create(apr_pool_t *p, char *dir);
405
406mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
407
408const char *mgs_store_cred_path(cmd_parms * parms,
409                                void *dummy __attribute__((unused)),
410                                const char *arg);
411
412/* mod_gnutls Hooks. */
413
414int mgs_hook_pre_config(apr_pool_t * pconf,
415                        apr_pool_t * plog, apr_pool_t * ptemp);
416
417int mgs_hook_post_config(apr_pool_t *pconf,
418                         apr_pool_t *plog,
419                         apr_pool_t *ptemp,
420                         server_rec *base_server);
421
422void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
423
424const char *mgs_hook_http_scheme(const request_rec * r);
425
426apr_port_t mgs_hook_default_port(const request_rec * r);
427
428int mgs_hook_pre_connection(conn_rec * c, void *csd);
429
430int mgs_hook_process_connection(conn_rec* c);
431
432int mgs_hook_fixups(request_rec *r);
433
434/** Post request hook, checks if TLS connection and vhost match */
435int mgs_req_vhost_check(request_rec *r);
436
437int mgs_hook_authz(request_rec *r);
438
439#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.