source: mod_gnutls/include/mod_gnutls.h.in @ 809c422

debian/masterdebian/stretch-backportsjessie-backportsupstream
Last change on this file since 809c422 was 809c422, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

TLS proxy: Add support for CRLs to back end server verification

When configured as a TLS proxy, mod_gnutls can now use CRLs to check if
the certificate provided by a back end server is still valid. The CRL
file must be provided externally, the new configuration option
"GnuTLSProxyCRLFile" is used to load it.

  • Property mode set to 100644
File size: 13.1 KB
Line 
1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
39#ifndef __mod_gnutls_h_inc
40#define __mod_gnutls_h_inc
41
42#define HAVE_APR_MEMCACHE    @have_apr_memcache@
43
44extern module AP_MODULE_DECLARE_DATA gnutls_module;
45
46/* IO Filter names */
47#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
48#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
49/* GnuTLS Constants */
50#define GNUTLS_ENABLED_FALSE 0
51#define GNUTLS_ENABLED_TRUE  1
52#define GNUTLS_ENABLED_UNSET  2
53/* Current module version */
54#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
55
56/* Module Debug Mode */
57#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
58
59/*
60 * Recent Versions of 2.1 renamed several hooks.
61 * This allows us to compile on 2.0.xx
62 */
63#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
64        #define USING_2_1_RECENT 1
65#else
66        #define USING_2_1_RECENT 0
67#endif
68
69/* mod_gnutls Cache Types */
70typedef enum {
71        /* No Cache */
72    mgs_cache_none,
73        /* Use Old Berkley DB */
74    mgs_cache_dbm,
75        /* Use Gnu's version of Berkley DB */
76    mgs_cache_gdbm,
77#if HAVE_APR_MEMCACHE
78        /* Use Memcache */
79    mgs_cache_memcache,
80#endif
81    mgs_cache_unset
82} mgs_cache_e;
83
84typedef enum {
85    mgs_cvm_unset,
86    mgs_cvm_cartel,
87    mgs_cvm_msva
88} mgs_client_verification_method_e;
89
90
91/* Directory Configuration Record */
92typedef struct {
93    int client_verify_mode;
94    const char* lua_bytecode;
95    apr_size_t lua_bytecode_len;
96} mgs_dirconf_rec;
97
98
99/* The maximum number of certificates to send in a chain */
100#define MAX_CHAIN_SIZE 8
101/* The maximum number of SANs to read from a x509 certificate */
102#define MAX_CERT_SAN 5
103
104/* Server Configuration Record */
105typedef struct {
106    /* x509 Certificate Structure */
107    gnutls_certificate_credentials_t certs;
108    /* x509 credentials for proxy connections */
109    gnutls_certificate_credentials_t proxy_x509_creds;
110    /* trust list for proxy_x509_creds */
111    gnutls_x509_trust_list_t proxy_x509_tl;
112    const char* proxy_x509_key_file;
113    const char* proxy_x509_cert_file;
114    const char* proxy_x509_ca_file;
115    const char* proxy_x509_crl_file;
116    /* SRP Certificate Structure*/
117    gnutls_srp_server_credentials_t srp_creds;
118    /* Anonymous Certificate Structure */
119    gnutls_anon_server_credentials_t anon_creds;
120    /* Anonymous Client Certificate Structure, used for proxy
121     * connections */
122    gnutls_anon_client_credentials_t anon_client_creds;
123        /* Current x509 Certificate CN [Common Name] */
124    char* cert_cn;
125        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
126        char* cert_san[MAX_CERT_SAN];
127        /* A x509 Certificate Chain */
128    gnutls_x509_crt_t *certs_x509_chain;
129        /* Current x509 Certificate Private Key */
130    gnutls_x509_privkey_t privkey_x509;
131        /* OpenPGP Certificate */
132    gnutls_openpgp_crt_t cert_pgp;
133        /* OpenPGP Certificate Private Key */
134    gnutls_openpgp_privkey_t privkey_pgp;
135        /* Number of Certificates in Chain */
136    unsigned int certs_x509_chain_num;
137        /* Is the module enabled? */
138    int enabled;
139    /* Export full certificates to CGI environment: */
140    int export_certificates_size;
141        /* GnuTLS Priorities */
142    gnutls_priority_t priorities;
143        /* GnuTLS DH Parameters */
144    gnutls_dh_params_t dh_params;
145        /* Cache timeout value */
146    int cache_timeout;
147        /* Chose Cache Type */
148    mgs_cache_e cache_type;
149    const char* cache_config;
150    const char* srp_tpasswd_file;
151    const char* srp_tpasswd_conf_file;
152        /* A list of CA Certificates */
153    gnutls_x509_crt_t *ca_list;
154        /* OpenPGP Key Ring */
155    gnutls_openpgp_keyring_t pgp_list;
156        /* CA Certificate list size */
157    unsigned int ca_list_size;
158        /* Client Certificate Verification Mode */
159    int client_verify_mode;
160        /* Client Certificate Verification Method */
161    mgs_client_verification_method_e client_verify_method;
162        /* Last Cache timestamp */
163    apr_time_t last_cache_check;
164        /* GnuTLS uses Session Tickets */
165    int tickets;
166        /* Is mod_proxy enabled? */
167    int proxy_enabled;
168        /* A Plain HTTP request */
169    int non_ssl_request;
170} mgs_srvconf_rec;
171
172/* Character Buffer */
173typedef struct {
174    int length;
175    char *value;
176} mgs_char_buffer_t;
177
178/* GnuTLS Handle */
179typedef struct {
180        /* Server configuration record */
181    mgs_srvconf_rec *sc;
182        /* Connection record */
183    conn_rec* c;
184        /* Is TLS enabled for this connection? */
185    int enabled;
186    /* Is this a proxy connection? */
187    int is_proxy;
188        /* GnuTLS Session handle */
189    gnutls_session_t session;
190        /* module input status */
191    apr_status_t input_rc;
192        /* Input filter */
193    ap_filter_t *input_filter;
194        /* Input Bucket Brigade */
195    apr_bucket_brigade *input_bb;
196        /* Input Read Type */
197    apr_read_type_e input_block;
198        /* Input Mode */
199    ap_input_mode_t input_mode;
200        /* Input Character Buffer */
201    mgs_char_buffer_t input_cbuf;
202        /* Input Character Array */
203    char input_buffer[AP_IOBUFSIZE];
204        /* module Output status */
205    apr_status_t output_rc;
206        /* Output filter */
207    ap_filter_t *output_filter;
208        /* Output Bucket Brigade */
209    apr_bucket_brigade *output_bb;
210        /* Output character array */
211    char output_buffer[AP_IOBUFSIZE];
212        /* Output buffer length */
213    apr_size_t output_blen;
214        /* Output length */
215    apr_size_t output_length;
216        /* General Status */
217    int status;
218} mgs_handle_t;
219
220
221
222/** Functions in gnutls_io.c **/
223
224/* apr_signal_block() for blocking SIGPIPE */
225apr_status_t apr_signal_block(int signum);
226
227 /* Proxy Support */
228/* An optional function which returns non-zero if the given connection
229is using SSL/TLS. */
230APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
231/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
232 * are used by mod_proxy to enable use of SSL for outgoing
233 * connections. */
234APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
235APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
236int ssl_is_https(conn_rec *c);
237int ssl_proxy_enable(conn_rec *c);
238int ssl_engine_disable(conn_rec *c);
239const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
240    const char *arg);
241apr_status_t mgs_cleanup_pre_config(void *data);
242
243/**
244 * mgs_filter_input will filter the input data
245 * by decrypting it using GnuTLS and passes it cleartext.
246 *
247 * @param f     the filter info record
248 * @param bb    the bucket brigade, where to store the result to
249 * @param mode  what shall we read?
250 * @param block a block index we shall read from?
251 * @return result status
252 */
253apr_status_t mgs_filter_input(ap_filter_t * f,
254                                     apr_bucket_brigade * bb,
255                                     ap_input_mode_t mode,
256                                     apr_read_type_e block,
257                                     apr_off_t readbytes);
258
259/**
260 * mgs_filter_output will filter the encrypt
261 * the incoming bucket using GnuTLS and passes it onto the next filter.
262 *
263 * @param f     the filter info record
264 * @param bb    the bucket brigade, where to store the result to
265 * @return result status
266 */
267apr_status_t mgs_filter_output(ap_filter_t * f,
268                                      apr_bucket_brigade * bb);
269
270
271/**
272 * mgs_transport_read is called from GnuTLS to provide encrypted
273 * data from the client.
274 *
275 * @param ptr     pointer to the filter context
276 * @param buffer  place to put data
277 * @param len     maximum size
278 * @return size   length of the data stored in buffer
279 */
280ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
281                                  void *buffer, size_t len);
282
283/**
284 * mgs_transport_write is called from GnuTLS to
285 * write data to the client.
286 *
287 * @param ptr     pointer to the filter context
288 * @param buffer  buffer to write to the client
289 * @param len     size of the buffer
290 * @return size   length of the data written
291 */
292ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
293                                   const void *buffer, size_t len);
294
295
296int mgs_rehandshake(mgs_handle_t * ctxt);
297
298
299
300/**
301 * Init the Cache after Configuration is done
302 */
303int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
304                                 mgs_srvconf_rec *sc);
305/**
306 * Init the Cache inside each Process
307 */
308int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
309                                mgs_srvconf_rec *sc);
310/**
311 * Setup the Session Caching
312 */
313int mgs_cache_session_init(mgs_handle_t *ctxt);
314
315#define GNUTLS_SESSION_ID_STRING_LEN \
316    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
317
318/**
319 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
320 * @param id raw SSL Session ID
321 * @param idlen Length of the raw Session ID
322 * @param str Location to store the Hex Encoded String
323 * @param strsize The Maximum Length that can be stored in str
324 */
325char *mgs_session_id2sz(unsigned char *id, int idlen,
326                                char *str, int strsize);
327
328/**
329 * Convert a time_t into a Null Terminated String
330 * @param t time_t time
331 * @param str Location to store the Hex Encoded String
332 * @param strsize The Maximum Length that can be stored in str
333 */
334char *mgs_time2sz(time_t t, char *str, int strsize);
335
336
337/* Configuration Functions */
338
339const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
340                                        const char *arg);
341const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
342                                        const char *arg);
343const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
344                                        const char *arg);
345const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
346                                        const char *arg);
347
348const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
349                             const char *arg);
350
351const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
352                                        const char *arg);
353
354const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
355                             const char *arg);
356
357const char *mgs_set_cache(cmd_parms * parms, void *dummy,
358                          const char *type, const char* arg);
359
360const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
361                                  const char *arg);
362
363const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
364                                  const char *arg);
365
366const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
367                                         const char *arg);
368
369const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
370                                   const char *arg);
371
372const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
373                                   const char *arg);
374
375const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
376                            const char *arg);
377const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
378                            const char *arg);
379const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
380                            const char *arg);
381const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
382                            const char *arg);
383
384const char *mgs_set_require_section(cmd_parms *cmd,
385                                    void *mconfig, const char *arg);
386void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
387void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
388
389void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
390
391void *mgs_config_dir_create(apr_pool_t *p, char *dir);
392
393const char *mgs_set_require_bytecode(cmd_parms *cmd,
394                                    void *mconfig, const char *arg);
395
396mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
397
398const char *mgs_store_cred_path(cmd_parms * parms,
399                                void *dummy __attribute__((unused)),
400                                const char *arg);
401
402/* mod_gnutls Hooks. */
403
404int mgs_hook_pre_config(apr_pool_t * pconf,
405                        apr_pool_t * plog, apr_pool_t * ptemp);
406
407int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
408                         apr_pool_t * ptemp,
409                         server_rec * base_server);
410
411void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
412
413const char *mgs_hook_http_scheme(const request_rec * r);
414
415apr_port_t mgs_hook_default_port(const request_rec * r);
416
417int mgs_hook_pre_connection(conn_rec * c, void *csd);
418
419int mgs_hook_fixups(request_rec *r);
420
421int mgs_hook_authz(request_rec *r);
422
423#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.