source: mod_gnutls/include/mod_gnutls.h.in @ 87f1ed2

Last change on this file since 87f1ed2 was 87f1ed2, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Allow loading of an additional PKCS #11 provider library

When using PKCS #11, it may not be desirable to add the PKCS #11 module
to be used by mod_gnutls to the system-wide config, and we definitely
cannot demand it for tests.

To work around such problems, add the new configuration parameter
"GnuTLSP11Module", which may contain the path of a library to load. Note
that the value is only used if present in the base server configuration
(not a virtual host), and that the library is used in addition to
system defaults (if any).

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/abstract.h>
37#include <gnutls/openpgp.h>
38#include <gnutls/x509.h>
39
#ifndef __mod_gnutls_h_inc
#define __mod_gnutls_h_inc
/* NOTE(review): identifiers beginning with a double underscore are
 * reserved for the C implementation. The guard name is kept because
 * other files may test it; renaming it needs a coordinated change. */

/* 1 if APR memcache support was found at configure time, else 0
 * (the @...@ token is substituted by configure; this is a .h.in
 * template). Gates the mgs_cache_memcache enumerator below. */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@

/* The module record; defined elsewhere in the module. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names: the names under which the TLS input and output
 * filters are registered in the httpd filter chain */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state for on/off settings. UNSET presumably
 * lets the configuration merge tell "not configured" apart from
 * "explicitly off" -- confirm in mgs_config_server_merge(). */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version (substituted by configure) */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode (substituted by configure; the name suggests a
 * maintainer-mode flag -- confirm in configure.ac) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/*
 * Recent Versions of 2.1 renamed several hooks.
 * This allows us to compile on 2.0.xx
 * USING_2_1_RECENT is 1 when the httpd minor version is >= 2, or is
 * 1 with patchlevel >= 3; otherwise 0.
 */
#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
        #define USING_2_1_RECENT 1
#else
        #define USING_2_1_RECENT 0
#endif
/* mod_gnutls Cache Types: backend used for the TLS session cache,
 * selected by mgs_set_cache() and stored in mgs_srvconf_rec.cache_type */
typedef enum {
        /* No Cache */
    mgs_cache_none,
        /* Use Old Berkeley DB */
    mgs_cache_dbm,
        /* Use Gnu's version of Berkeley DB */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* Use Memcache (only present when APR memcache was detected) */
    mgs_cache_memcache,
#endif
        /* Not configured. Its numeric value depends on HAVE_APR_MEMCACHE,
         * so never persist or compare it as a raw integer across builds. */
    mgs_cache_unset
} mgs_cache_e;
84
/* Client certificate verification methods; stored in
 * mgs_srvconf_rec.client_verify_method and selected by
 * mgs_set_client_verify_method(). */
typedef enum {
        /* Not configured */
    mgs_cvm_unset,
        /* "cartel" -- presumably the conventional X.509 CA chain check;
         * confirm in the verification code */
    mgs_cvm_cartel,
        /* "msva" -- presumably the Monkeysphere Validation Agent;
         * confirm in the verification code */
    mgs_cvm_msva
} mgs_client_verification_method_e;
90
91
/* Directory Configuration Record: per-directory state, created by
 * mgs_config_dir_create() and merged by mgs_config_dir_merge() */
typedef struct {
    /* Client certificate verification mode for this directory; presumably
     * set by mgs_set_client_verify() and overriding the server-wide
     * mgs_srvconf_rec.client_verify_mode -- confirm */
    int client_verify_mode;
    /* Lua bytecode set by mgs_set_require_bytecode(). The length is kept
     * separately in lua_bytecode_len, so do not assume NUL termination. */
    const char* lua_bytecode;
    apr_size_t lua_bytecode_len;
} mgs_dirconf_rec;
98
99
/* The maximum number of certificates to send in a chain */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate;
 * sizes mgs_srvconf_rec.cert_san[] */
#define MAX_CERT_SAN 5
104
/* Server Configuration Record: per-server (base server and virtual
 * host) state, created by mgs_config_server_create() and merged by
 * mgs_config_server_merge(). */
typedef struct {
    /* --- Configuration values --- */
    /* Is the module enabled? Presumably one of GNUTLS_ENABLED_*
     * (set by mgs_set_enabled()) -- confirm */
    int enabled;
    /* Is mod_proxy enabled? (set by mgs_set_proxy_engine()) */
    int proxy_enabled;
    /* A Plain HTTP request */
    int non_ssl_request;

    /* Additional PKCS #11 provider module to load, only valid in the
     * base config, ignored in virtual hosts. This is a path to a shared
     * library the server will load, so it must only ever come from the
     * trusted server configuration. */
    char *p11_module;

    /* PIN used for PKCS #11 operations. Secret material held as a plain
     * string for the life of the process; protect the configuration
     * file and any core dumps accordingly. */
    char *pin;

    /* the SRK PIN used in TPM operations; same handling caveat as pin */
    char *srk_pin;

    /* X.509 server certificate, private key and CA file paths */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* OpenPGP certificate, private key and key ring file paths */
    char *pgp_cert_file;
    char *pgp_key_file;
    char *pgp_ring_file;

    /* Diffie-Hellman parameter file path */
    char *dh_file;

    /* GnuTLS priority strings (cipher suite / protocol selection) for
     * incoming and proxied connections; parsed into priorities and
     * proxy_priorities below */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password and configuration file paths */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

    /* Cache timeout value */
    int cache_timeout;
    /* Chosen Cache Type */
    mgs_cache_e cache_type;
    /* Backend-specific cache configuration string (second argument of
     * mgs_set_cache()) */
    const char* cache_config;

    /* GnuTLS uses Session Tickets */
    int tickets;

    /* --- Things initialized at _child_init --- */
    /* NOTE(review): the proxy_x509_*_file paths and
     * export_certificates_size below read like configuration values
     * rather than child_init state; the section placement appears to be
     * historical. */

    /* x509 Certificate Structure */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* File paths backing proxy_x509_creds / proxy_x509_tl */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure*/
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections */
    gnutls_anon_client_credentials_t anon_client_creds;
    /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
    /* Current x509 Certificate SAN [Subject Alternative Name]s;
     * at most MAX_CERT_SAN entries are read */
    char* cert_san[MAX_CERT_SAN];
    /* An x509 Certificate Chain, in both pcert and crt form */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
    /* Number of Certificates in Chain (entries used in both arrays
     * above) */
    unsigned int certs_x509_chain_num;

    /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

    /* OpenPGP Certificate, in both pcert and crt form */
    gnutls_pcert_st *cert_pgp;
    gnutls_openpgp_crt_t *cert_crt_pgp;

    /* OpenPGP Certificate Private Key */
    gnutls_privkey_t privkey_pgp;
#if GNUTLS_VERSION_NUMBER < 0x030312
    /* Internal structure for the OpenPGP private key, used in the
     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
     * frees memory that is still needed. DO NOT USE for any other
     * purpose. */
    gnutls_openpgp_privkey_t privkey_pgp_internal;
#endif

    /* Export full certificates to CGI environment: presumably the size
     * limit for exported certificate data (0 = off), as set by
     * mgs_set_export_certificates_size() -- confirm. Exported
     * certificates become visible to every CGI/script on the server. */
    int export_certificates_size;
    /* GnuTLS Priorities (parsed from priorities_str) */
    gnutls_priority_t priorities;
    /* GnuTLS DH Parameters (loaded from dh_file) */
    gnutls_dh_params_t dh_params;
    /* A list of CA Certificates */
    gnutls_x509_crt_t *ca_list;
    /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
    /* CA Certificate list size (entries in ca_list) */
    unsigned int ca_list_size;
    /* Client Certificate Verification Mode (server-wide default; see
     * also mgs_dirconf_rec.client_verify_mode) */
    int client_verify_mode;
    /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
    /* Last Cache timestamp */
    apr_time_t last_cache_check;
} mgs_srvconf_rec;
217
/* Character Buffer: a pointer plus the number of bytes it holds.
 * NOTE(review): length is a signed int, so callers must never store
 * a negative or size_t-range value in it. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
223
/* GnuTLS Handle: per-connection state shared by the input and output
 * filters and the GnuTLS transport callbacks */
typedef struct {
    /* Server configuration record */
    mgs_srvconf_rec *sc;
    /* Connection record */
    conn_rec* c;
    /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? */
    int is_proxy;
    /* GnuTLS Session handle */
    gnutls_session_t session;
    /* module input status */
    apr_status_t input_rc;
    /* Input filter */
    ap_filter_t *input_filter;
    /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
    /* Input Read Type (blocking or non-blocking) */
    apr_read_type_e input_block;
    /* Input Mode */
    ap_input_mode_t input_mode;
    /* Input Character Buffer (presumably points into input_buffer --
     * confirm in gnutls_io.c) */
    mgs_char_buffer_t input_cbuf;
    /* Input Character Array, fixed at AP_IOBUFSIZE bytes */
    char input_buffer[AP_IOBUFSIZE];
    /* module Output status */
    apr_status_t output_rc;
    /* Output filter */
    ap_filter_t *output_filter;
    /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
    /* Output character array, fixed at AP_IOBUFSIZE bytes */
    char output_buffer[AP_IOBUFSIZE];
    /* Output buffer length (bytes currently held in output_buffer) */
    apr_size_t output_blen;
    /* Output length */
    apr_size_t output_length;
    /* General Status */
    int status;
} mgs_handle_t;
265
266
267
/** Functions in gnutls_io.c **/

/**
 * Block a signal for the calling thread. Used to block SIGPIPE so that
 * a peer closing the socket mid-write surfaces as an error return
 * instead of terminating the process.
 *
 * NOTE(review): this is an APR function re-declared here instead of
 * being pulled in from APR's own header; keep the prototype in sync.
 *
 * @param signum signal number to block
 * @return APR_SUCCESS or an APR error status
 */
apr_status_t apr_signal_block(int signum);

/*
 * Proxy Support: optional functions exported for mod_proxy.
 */

/** Returns non-zero if the given connection is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/** ssl_proxy_enable() and ssl_engine_disable() are used by mod_proxy
 * to enable use of SSL for outgoing connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));

int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);

/**
 * Directive handler for enabling TLS on proxied connections
 * (presumably sets mgs_srvconf_rec.proxy_enabled -- confirm).
 *
 * @param parms command context
 * @param dummy per-directory config, unused for a per-server directive
 * @param arg   directive argument
 * @return NULL on success, otherwise an error message (httpd
 *         directive-handler convention)
 */
const char *mgs_set_proxy_engine(cmd_parms *parms, void *dummy,
                                 const char *arg);

/** Pool cleanup registered from the pre_config hook (presumably). */
apr_status_t mgs_cleanup_pre_config(void *data);
288
/**
 * Input filter: decrypts the TLS records read from the connection with
 * GnuTLS and delivers the resulting cleartext into @p bb.
 *
 * @param f         the filter info record
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      what shall we read? (ap_input_mode_t)
 * @param block     APR_BLOCK_READ or APR_NONBLOCK_READ, i.e. whether the
 *                  read may block
 * @param readbytes amount of data requested by the caller, per the httpd
 *                  input filter contract
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t *f, apr_bucket_brigade *bb,
                              ap_input_mode_t mode, apr_read_type_e block,
                              apr_off_t readbytes);
304
/**
 * Output filter: encrypts the outgoing bucket brigade with GnuTLS and
 * passes the ciphertext on to the next filter.
 *
 * @param f  the filter info record
 * @param bb the bucket brigade holding the cleartext to send
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t *f, apr_bucket_brigade *bb);
315
316
/**
 * GnuTLS pull callback: supplies encrypted data read from the client.
 *
 * @param ptr    pointer to the filter context (presumably the
 *               connection's mgs_handle_t -- confirm)
 * @param buffer place to put data
 * @param len    maximum size
 * @return length of the data stored in buffer; on error -1 with errno
 *         set, per the GnuTLS pull callback contract (confirm in the
 *         implementation)
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr, void *buffer,
                           size_t len);
328
/**
 * GnuTLS push callback: writes encrypted data to the client.
 *
 * @param ptr    pointer to the filter context (presumably the
 *               connection's mgs_handle_t -- confirm)
 * @param buffer buffer to write to the client
 * @param len    size of the buffer
 * @return length of the data written; on error -1 with errno set, per
 *         the GnuTLS push callback contract (confirm in the
 *         implementation)
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr, const void *buffer,
                            size_t len);
340
341
/**
 * Perform a TLS rehandshake (renegotiation) on the connection behind
 * @p ctxt; presumably used when per-directory settings require a client
 * certificate after the request is known -- confirm in gnutls_io.c.
 *
 * @param ctxt the connection's GnuTLS handle
 * @return 0 on success, non-zero on failure (confirm in the
 *         implementation)
 */
int mgs_rehandshake(mgs_handle_t *ctxt);
343
344
345
/**
 * Init the Cache after Configuration is done (post_config stage).
 *
 * @param p  configuration pool
 * @param s  server whose cache is set up
 * @param sc that server's mod_gnutls configuration
 * @return 0 on success, non-zero on failure (confirm in the
 *         implementation)
 */
int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
                          mgs_srvconf_rec *sc);

/**
 * Init the Cache inside each Process (child_init stage).
 *
 * @param p  child pool
 * @param s  server whose cache is set up
 * @param sc that server's mod_gnutls configuration
 * @return 0 on success, non-zero on failure (confirm in the
 *         implementation)
 */
int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
                         mgs_srvconf_rec *sc);

/**
 * Setup the Session Caching for one connection's GnuTLS session.
 *
 * @param ctxt the connection's GnuTLS handle
 * @return 0 on success, non-zero on failure (confirm in the
 *         implementation)
 */
int mgs_cache_session_init(mgs_handle_t *ctxt);
360
/* Buffer size for mgs_session_id2sz(): room for two hex characters per
 * byte of a maximum-length session ID plus the terminating NUL. */
#define GNUTLS_SESSION_ID_STRING_LEN \
    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
363
/**
 * Perform any reinitialization required in PKCS #11 (PKCS #11
 * providers must be re-initialized in a forked child; presumably
 * called from the child_init hook -- confirm).
 *
 * @param s the server whose PKCS #11 state is reinitialized
 * @return 0 on success, non-zero on failure (confirm in the
 *         implementation)
 */
int mgs_pkcs11_reinit(server_rec *s);

/**
 * Convert a SSL Session ID into a Null Terminated Hex Encoded String.
 *
 * @param id      raw SSL Session ID
 * @param idlen   Length of the raw Session ID
 * @param str     Location to store the Hex Encoded String
 * @param strsize The Maximum Length that can be stored in str; the
 *                encoding needs 2 * idlen + 1 bytes, which
 *                GNUTLS_SESSION_ID_STRING_LEN provides for any valid ID
 * @return str, or presumably NULL when str is too small -- confirm in
 *         the implementation
 */
char *mgs_session_id2sz(unsigned char *id, int idlen, char *str,
                        int strsize);

/**
 * Convert a time_t into a Null Terminated String.
 *
 * @param t       time_t time
 * @param str     Location to store the String
 * @param strsize The Maximum Length that can be stored in str
 * @return str (presumably; confirm in the implementation)
 */
char *mgs_time2sz(time_t t, char *str, int strsize);
386
387
/* Configuration Functions */

/**
 * Loads all files set in the configuration (certificates, keys, CA
 * lists, DH parameters, ...) into the server's mgs_srvconf_rec.
 *
 * @param p pool owning the loaded data
 * @param s the server whose configuration is loaded
 * @return 0 on success, non-zero on failure (confirm in the
 *         implementation)
 */
int mgs_load_files(apr_pool_t *p, server_rec *s);

/*
 * Directive handlers. All follow the httpd convention: the first
 * argument is the command context, the second the per-directory
 * config (unused by per-server directives), the remaining ones the
 * directive's arguments. Each returns NULL on success or an error
 * message that aborts configuration.
 */

/* SRP password file and its configuration file */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms *parms, void *dummy,
                                          const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms *parms, void *dummy,
                                     const char *arg);

/* Diffie-Hellman parameter file */
const char *mgs_set_dh_file(cmd_parms *parms, void *dummy, const char *arg);

/* X.509 server certificate and private key files */
const char *mgs_set_cert_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_key_file(cmd_parms *parms, void *dummy, const char *arg);

/* OpenPGP certificate, private key and key ring files */
const char *mgs_set_pgpcert_file(cmd_parms *parms, void *dummy,
                                 const char *arg);
const char *mgs_set_pgpkey_file(cmd_parms *parms, void *dummy,
                                const char *arg);
const char *mgs_set_keyring_file(cmd_parms *parms, void *dummy,
                                 const char *arg);

/* Session cache backend (type, see mgs_cache_e) and its backend
 * specific configuration string, plus the cache entry timeout */
const char *mgs_set_cache(cmd_parms *parms, void *dummy,
                          const char *type, const char *arg);
const char *mgs_set_cache_timeout(cmd_parms *parms, void *dummy,
                                  const char *arg);

/* Client certificate verification: mode, method (see
 * mgs_client_verification_method_e) and the CA file clients are
 * verified against */
const char *mgs_set_client_verify(cmd_parms *parms, void *dummy,
                                  const char *arg);
const char *mgs_set_client_verify_method(cmd_parms *parms, void *dummy,
                                         const char *arg);
const char *mgs_set_client_ca_file(cmd_parms *parms, void *dummy,
                                   const char *arg);

/* Additional PKCS #11 provider library to load. Only honored in the
 * base server configuration; the path names a shared library that the
 * server process will load, so it must come from trusted configuration
 * only. */
const char *mgs_set_p11_module(cmd_parms *parms, void *dummy,
                               const char *arg);

/* PKCS #11 PIN and TPM SRK PIN. Both are secrets taken verbatim from
 * the configuration file; restrict read access to that file. */
const char *mgs_set_pin(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_srk_pin(cmd_parms *parms, void *dummy, const char *arg);

/* Module on/off switch, certificate export size for the CGI
 * environment, GnuTLS priority string and session ticket switch */
const char *mgs_set_enabled(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_export_certificates_size(cmd_parms *parms, void *dummy,
                                             const char *arg);
const char *mgs_set_priorities(cmd_parms *parms, void *dummy,
                               const char *arg);
const char *mgs_set_tickets(cmd_parms *parms, void *dummy, const char *arg);

/* Per-directory requirement section and Lua requirement bytecode
 * (stored in mgs_dirconf_rec.lua_bytecode); exact semantics are in the
 * implementation */
const char *mgs_set_require_section(cmd_parms *cmd, void *mconfig,
                                    const char *arg);
const char *mgs_set_require_bytecode(cmd_parms *cmd, void *mconfig,
                                     const char *arg);

/* Creation and merge of the per-server configuration
 * (mgs_srvconf_rec) and the per-directory configuration
 * (mgs_dirconf_rec), per the httpd module config hooks */
void *mgs_config_server_create(apr_pool_t *p, server_rec *s);
void *mgs_config_server_merge(apr_pool_t *p, void *basev, void *addv);
void *mgs_config_dir_create(apr_pool_t *p, char *dir);
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

/**
 * Find the server configuration matching the SNI name of a session
 * (virtual host selection during the handshake, presumably; confirm).
 *
 * @param session the GnuTLS session being negotiated
 * @return the matching configuration, or presumably NULL when none
 *         matches -- confirm in the implementation
 */
mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session);

/* Stores a credential path for later loading (presumably; confirm in
 * the implementation) */
const char *mgs_store_cred_path(cmd_parms *parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
464
/* mod_gnutls Hooks: entry points registered with httpd; return values
 * follow the respective httpd hook conventions. */

/** pre_config hook (presumably global GnuTLS initialization and
 * registration of the cleanup above -- confirm). */
int mgs_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                        apr_pool_t *ptemp);

/** post_config hook, run once the whole configuration is read. */
int mgs_hook_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp,
                         server_rec *base_server);

/** child_init hook, run in every worker process after fork. */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/** http_scheme hook (presumably answers "https" for TLS connections
 * and NULL otherwise -- confirm). */
const char *mgs_hook_http_scheme(const request_rec *r);

/** default_port hook (presumably 443 for TLS connections -- confirm). */
apr_port_t mgs_hook_default_port(const request_rec *r);

/** pre_connection hook: sets up the per-connection TLS state and
 * filters (presumably; confirm). */
int mgs_hook_pre_connection(conn_rec *c, void *csd);

/** fixups hook (presumably exports TLS details to the request
 * environment -- confirm). */
int mgs_hook_fixups(request_rec *r);

/** authz hook (presumably enforces the per-directory client
 * certificate requirements -- confirm). */
int mgs_hook_authz(request_rec *r);
485
486#endif /*  __mod_gnutls_h_inc */