source: mod_gnutls/include/mod_gnutls.h.in @ 932b68e

debian/masterdebian/stretch-backportsjessie-backportsmsvaupstream
Last change on this file since 932b68e was 040387c, checked in by Daniel Kahn Gillmor <dkg@…>, 7 years ago

server-wide settings should be defaults unless overridden in a vhost

Previously, there was no merging possible; so if any directives were
set in a vhost, all other directives set from the server config would
be thrown away.

  • Property mode set to 100644
File size: 12.1 KB
Line 
1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
39#ifndef __mod_gnutls_h_inc
40#define __mod_gnutls_h_inc
41
42#define HAVE_APR_MEMCACHE    @have_apr_memcache@
43
44extern module AP_MODULE_DECLARE_DATA gnutls_module;
45
46/* IO Filter names */
47#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
48#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
49/* GnuTLS Constants */
50#define GNUTLS_ENABLED_FALSE 0
51#define GNUTLS_ENABLED_TRUE  1
52#define GNUTLS_ENABLED_UNSET  2
53/* Current module version */
54#define MOD_GNUTLS_VERSION "0.5.10"
55/* Module Debug Mode */
56#define MOD_GNUTLS_DEBUG 1
57
58/*
59 * Recent Versions of 2.1 renamed several hooks.
60 * This allows us to compile on 2.0.xx 
61 */
62#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
63        #define USING_2_1_RECENT 1
64#else
65        #define USING_2_1_RECENT 0
66#endif
67
68/* mod_gnutls Cache Types */
69typedef enum {
70        /* No Cache */
71    mgs_cache_none,
72        /* Use Old Berkley DB */
73    mgs_cache_dbm,
74        /* Use Gnu's version of Berkley DB */
75    mgs_cache_gdbm,
76#if HAVE_APR_MEMCACHE
77        /* Use Memcache */
78    mgs_cache_memcache,
79#endif
80    mgs_cache_unset
81} mgs_cache_e;
82
83/* Directory Configuration Record */
84typedef struct {
85    int client_verify_mode;
86    const char* lua_bytecode;
87    apr_size_t lua_bytecode_len;
88} mgs_dirconf_rec;
89
90
91/* The maximum number of certificates to send in a chain */
92#define MAX_CHAIN_SIZE 8
93/* The maximum number of SANs to read from a x509 certificate */
94#define MAX_CERT_SAN 5
95
96/* Server Configuration Record */
97typedef struct {
98        /* x509 Certificate Structure */
99    gnutls_certificate_credentials_t certs;
100        /* SRP Certificate Structure*/
101    gnutls_srp_server_credentials_t srp_creds;
102        /* Annonymous Certificate Structure */
103    gnutls_anon_server_credentials_t anon_creds;
104        /* Current x509 Certificate CN [Common Name] */
105    char* cert_cn;
106        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
107        char* cert_san[MAX_CERT_SAN];
108        /* A x509 Certificate Chain */
109    gnutls_x509_crt_t *certs_x509_chain;
110        /* Current x509 Certificate Private Key */
111    gnutls_x509_privkey_t privkey_x509;
112        /* OpenPGP Certificate */
113    gnutls_openpgp_crt_t cert_pgp;
114        /* OpenPGP Certificate Private Key */
115    gnutls_openpgp_privkey_t privkey_pgp;
116        /* Number of Certificates in Chain */
117    unsigned int certs_x509_chain_num;
118        /* Is the module enabled? */
119    int enabled;
120        /* GnuTLS Priorities */
121    gnutls_priority_t priorities;
122        /* GnuTLS RSA Parameters [Obselete] */
123    gnutls_rsa_params_t rsa_params;
124        /* GnuTLS DH Parameters */
125    gnutls_dh_params_t dh_params;
126        /* Cache timeout value */
127    int cache_timeout;
128        /* Chose Cache Type */
129    mgs_cache_e cache_type;
130    const char* cache_config;
131    const char* srp_tpasswd_file;
132    const char* srp_tpasswd_conf_file;
133        /* A list of CA Certificates */
134    gnutls_x509_crt_t *ca_list;
135        /* OpenPGP Key Ring */
136    gnutls_openpgp_keyring_t pgp_list;
137        /* CA Certificate list size */
138    unsigned int ca_list_size;
139        /* Client Certificate Verification Mode */
140    int client_verify_mode;
141        /* Last Cache timestamp */
142    apr_time_t last_cache_check;
143        /* GnuTLS uses Session Tickets */
144    int tickets;
145        /* Is mod_proxy enabled? */
146    int proxy_enabled;
147        /* A Plain HTTP request */
148    int non_ssl_request;
149} mgs_srvconf_rec;
150
151/* Character Buffer */
152typedef struct {
153    int length;
154    char *value;
155} mgs_char_buffer_t;
156
157/* GnuTLS Handle */
158typedef struct {
159        /* Server configuration record */
160    mgs_srvconf_rec *sc;
161        /* Connection record */
162    conn_rec* c;
163        /* GnuTLS Session handle */
164    gnutls_session_t session;
165        /* module input status */
166    apr_status_t input_rc;
167        /* Input filter */
168    ap_filter_t *input_filter;
169        /* Input Bucket Brigade */
170    apr_bucket_brigade *input_bb;
171        /* Input Read Type */
172    apr_read_type_e input_block;
173        /* Input Mode */
174    ap_input_mode_t input_mode;
175        /* Input Character Buffer */
176    mgs_char_buffer_t input_cbuf;
177        /* Input Character Array */
178    char input_buffer[AP_IOBUFSIZE];
179        /* module Output status */
180    apr_status_t output_rc;
181        /* Output filter */
182    ap_filter_t *output_filter;
183        /* Output Bucket Brigade */
184    apr_bucket_brigade *output_bb;
185        /* Output character array */
186    char output_buffer[AP_IOBUFSIZE];
187        /* Output buffer length */
188    apr_size_t output_blen;
189        /* Output length */
190    apr_size_t output_length;
191        /* General Status */
192    int status;
193} mgs_handle_t;
194
195
196
197/** Functions in gnutls_io.c **/
198
199/* apr_signal_block() for blocking SIGPIPE */
200apr_status_t apr_signal_block(int signum);
201
202 /* Proxy Support */
203/* An optional function which returns non-zero if the given connection
204is using SSL/TLS. */
205APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
206/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
207 * are used by mod_proxy to enable use of SSL for outgoing
208 * connections. */
209APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
210APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
211int ssl_is_https(conn_rec *c);
212int ssl_proxy_enable(conn_rec *c);
213int ssl_engine_disable(conn_rec *c);
214const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
215    const char *arg);
216apr_status_t mgs_cleanup_pre_config(void *data);
217
218/**
219 * mgs_filter_input will filter the input data
220 * by decrypting it using GnuTLS and passes it cleartext.
221 *
222 * @param f     the filter info record
223 * @param bb    the bucket brigade, where to store the result to
224 * @param mode  what shall we read?
225 * @param block a block index we shall read from?
226 * @return result status
227 */
228apr_status_t mgs_filter_input(ap_filter_t * f,
229                                     apr_bucket_brigade * bb,
230                                     ap_input_mode_t mode,
231                                     apr_read_type_e block,
232                                     apr_off_t readbytes);
233
234/**
235 * mgs_filter_output will filter the encrypt
236 * the incoming bucket using GnuTLS and passes it onto the next filter.
237 *
238 * @param f     the filter info record
239 * @param bb    the bucket brigade, where to store the result to
240 * @return result status
241 */
242apr_status_t mgs_filter_output(ap_filter_t * f,
243                                      apr_bucket_brigade * bb);
244
245
246/**
247 * mgs_transport_read is called from GnuTLS to provide encrypted
248 * data from the client.
249 *
250 * @param ptr     pointer to the filter context
251 * @param buffer  place to put data
252 * @param len     maximum size
253 * @return size   length of the data stored in buffer
254 */
255ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
256                                  void *buffer, size_t len);
257
258/**
259 * mgs_transport_write is called from GnuTLS to
260 * write data to the client.
261 *
262 * @param ptr     pointer to the filter context
263 * @param buffer  buffer to write to the client
264 * @param len     size of the buffer
265 * @return size   length of the data written
266 */
267ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
268                                   const void *buffer, size_t len);
269
270
271int mgs_rehandshake(mgs_handle_t * ctxt);
272
273
274
275/**
276 * Init the Cache after Configuration is done
277 */
278int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
279                                 mgs_srvconf_rec *sc);
280/**
281 * Init the Cache inside each Process
282 */
283int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
284                                mgs_srvconf_rec *sc);
285/**
286 * Setup the Session Caching
287 */
288int mgs_cache_session_init(mgs_handle_t *ctxt);
289
290#define GNUTLS_SESSION_ID_STRING_LEN \
291    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
292   
293/**
294 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
295 * @param id raw SSL Session ID
296 * @param idlen Length of the raw Session ID
297 * @param str Location to store the Hex Encoded String
298 * @param strsize The Maximum Length that can be stored in str
299 */
300char *mgs_session_id2sz(unsigned char *id, int idlen,
301                                char *str, int strsize);
302
303/**
304 * Convert a time_t into a Null Terminated String
305 * @param t time_t time
306 * @param str Location to store the Hex Encoded String
307 * @param strsize The Maximum Length that can be stored in str
308 */
309char *mgs_time2sz(time_t t, char *str, int strsize);
310
311
312/* Configuration Functions */
313
314const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
315                                        const char *arg);
316const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
317                                        const char *arg);
318const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
319                                        const char *arg);
320const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
321                                        const char *arg);
322
323const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
324                             const char *arg);
325
326const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
327                                        const char *arg);
328
329const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
330                             const char *arg);
331
332const char *mgs_set_cache(cmd_parms * parms, void *dummy,
333                          const char *type, const char* arg);
334
335const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
336                                  const char *arg);
337
338const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
339                                  const char *arg);
340
341const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
342                                   const char *arg);
343
344const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
345                                   const char *arg);
346
347const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
348                            const char *arg);
349const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy,
350                            const char *arg);
351const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
352                            const char *arg);
353const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
354                            const char *arg);
355                           
356const char *mgs_set_require_section(cmd_parms *cmd,
357                                    void *mconfig, const char *arg);
358void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
359void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
360
361void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
362
363void *mgs_config_dir_create(apr_pool_t *p, char *dir);
364
365const char *mgs_set_require_bytecode(cmd_parms *cmd,
366                                    void *mconfig, const char *arg);
367
368mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
369
370/* mod_gnutls Hooks. */
371
372int mgs_hook_pre_config(apr_pool_t * pconf,
373                        apr_pool_t * plog, apr_pool_t * ptemp);
374
375int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
376                         apr_pool_t * ptemp,
377                         server_rec * base_server);
378
379void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
380
381const char *mgs_hook_http_scheme(const request_rec * r);
382
383apr_port_t mgs_hook_default_port(const request_rec * r);
384
385int mgs_hook_pre_connection(conn_rec * c, void *csd);
386
387int mgs_hook_fixups(request_rec *r);
388
389int mgs_hook_authz(request_rec *r);
390
391#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.