source: mod_gnutls/include/mod_gnutls.h.in @ a3e0f7b

proxy-ticket
Last change on this file since a3e0f7b was a3e0f7b, checked in by Fiona Klute <fiona.klute@…>, 8 months ago

Support a list of files for the GnuTLSOCSPResponseFile option

This allows users to specify multiple responses for multi-staple. Note
that mod_gnutls will try to send its own requests for certificates
without a matching response.

  • Property mode set to 100644
File size: 14.3 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2020 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30/* GnuTLS Library Headers */
31#include <gnutls/gnutls.h>
32#include <gnutls/abstract.h>
33#include <gnutls/x509.h>
34
35#ifndef __mod_gnutls_h_inc
36#define __mod_gnutls_h_inc
37
38extern module AP_MODULE_DECLARE_DATA gnutls_module;
39
40/* IO Filter names */
41#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
42#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
43/* GnuTLS Constants */
44#define GNUTLS_ENABLED_FALSE 0
45#define GNUTLS_ENABLED_TRUE  1
46#define GNUTLS_ENABLED_UNSET  2
47/* Current module version */
48#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
49
50/* Module Debug Mode */
51#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
52
53/* Compile support for early SNI? */
54#if @ENABLE_EARLY_SNI@ == 1
55#define ENABLE_EARLY_SNI
56#endif
57
58/** Name of the module-wide singleton watchdog */
59#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
60
61
62/* Internal cache data, defined in gnutls_cache.h */
63typedef struct mgs_cache* mgs_cache_t;
64
65typedef enum {
66    mgs_cvm_unset,
67    mgs_cvm_cartel,
68    mgs_cvm_msva
69} mgs_client_verification_method_e;
70
71
72/* Directory Configuration Record */
73typedef struct {
74    int client_verify_mode;
75} mgs_dirconf_rec;
76
77
78/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
79typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
80
81
82/* The maximum number of certificates to send in a chain */
83#define MAX_CHAIN_SIZE 8
84
85/** Server Configuration Record */
86typedef struct {
87    /** Server this mod_gnutls configuration is for */
88    server_rec* s;
89
90    /* --- Configuration values --- */
91        /* Is the module enabled? */
92    int enabled;
93        /* Is mod_proxy enabled? */
94    int proxy_enabled;
95
96    /* List of PKCS #11 provider modules to load, only valid in the
97     * base config, ignored in virtual hosts */
98    apr_array_header_t *p11_modules;
99
100    /* PIN used for PKCS #11 operations */
101    char *pin;
102
103    /* the SRK PIN used in TPM operations */
104    char *srk_pin;
105
106    char *x509_cert_file;
107    char *x509_key_file;
108    char *x509_ca_file;
109
110    char *dh_file;
111
112    char *priorities_str;
113    char *proxy_priorities_str;
114
115    const char* srp_tpasswd_file;
116    const char* srp_tpasswd_conf_file;
117
118        /* Cache timeout value */
119    int cache_timeout;
120    /* Enable cache */
121    unsigned char cache_enable : 2;
122    /* Internal cache data */
123    mgs_cache_t cache;
124
125        /* GnuTLS uses Session Tickets */
126    int tickets;
127
128    /* x509 Certificate Structure */
129    gnutls_certificate_credentials_t certs;
130    /* x509 credentials for proxy connections */
131    gnutls_certificate_credentials_t proxy_x509_creds;
132    /* trust list for proxy_x509_creds */
133    gnutls_x509_trust_list_t proxy_x509_tl;
134    const char* proxy_x509_key_file;
135    const char* proxy_x509_cert_file;
136    const char* proxy_x509_ca_file;
137    const char* proxy_x509_crl_file;
138    /* GnuTLS priorities for proxy connections */
139    gnutls_priority_t proxy_priorities;
140    /* SRP Certificate Structure*/
141    gnutls_srp_server_credentials_t srp_creds;
142    /* Anonymous Certificate Structure */
143    gnutls_anon_server_credentials_t anon_creds;
144    /* Anonymous Client Certificate Structure, used for proxy
145     * connections */
146    gnutls_anon_client_credentials_t anon_client_creds;
147        /* An x509 Certificate Chain */
148    gnutls_pcert_st *certs_x509_chain;
149    gnutls_x509_crt_t *certs_x509_crt_chain;
150        /* Number of Certificates in Chain */
151    unsigned int certs_x509_chain_num;
152
153        /* Current x509 Certificate Private Key */
154    gnutls_privkey_t privkey_x509;
155
156    /* Export full certificates to CGI environment: */
157    int export_certificates_size;
158        /* GnuTLS Priorities */
159    gnutls_priority_t priorities;
160        /* GnuTLS DH Parameters */
161    gnutls_dh_params_t dh_params;
162        /* A list of CA Certificates */
163    gnutls_x509_crt_t *ca_list;
164        /* CA Certificate list size */
165    unsigned int ca_list_size;
166        /* Client Certificate Verification Mode */
167    int client_verify_mode;
168        /* Client Certificate Verification Method */
169    mgs_client_verification_method_e client_verify_method;
170
171    /* Enable OCSP stapling */
172    unsigned char ocsp_staple;
173    /* Automatically refresh cached OCSP response? */
174    unsigned char ocsp_auto_refresh;
175    /* Check nonce in OCSP responses? */
176    unsigned char ocsp_check_nonce;
177    /* Read OCSP response for stapling from this file instead of
178     * sending a request over HTTP */
179    char **ocsp_response_file;
180    /* Number of configured OCSP response files */
181    int ocsp_response_file_num;
182    /* Internal OCSP data for this server */
183    mgs_ocsp_data_t *ocsp;
184    /* Number of successfully configured OCSP data sets */
185    unsigned int ocsp_num;
186    /* Mutex to prevent parallel OCSP requests */
187    apr_global_mutex_t *ocsp_mutex;
188    /* Internal OCSP cache data */
189    mgs_cache_t ocsp_cache;
190    /* Cache timeout for OCSP responses. Note that the nextUpdate
191     * field of the response takes precedence if shorter. */
192    apr_interval_time_t ocsp_cache_time;
193    /* If an OCSP request fails wait this long before trying again. */
194    apr_interval_time_t ocsp_failure_timeout;
195    /** How long before a cached OCSP response expires should it be
196     * updated? During configuration parsing this is set to the
197     * maximum, during post configuration the value will be set to
198     * half that. After each update the interval to for the next one
199     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
200     * RANDOM` with `0 <= RANDOM <= 1`. */
201    apr_interval_time_t ocsp_fuzz_time;
202    /* Socket timeout for OCSP requests */
203    apr_interval_time_t ocsp_socket_timeout;
204
205    /** This module's singleton watchdog, used for async OCSP cache
206     * updates. */
207    struct mgs_watchdog *singleton_wd;
208} mgs_srvconf_rec;
209
210/* Character Buffer */
211typedef struct {
212    int length;
213    char *value;
214} mgs_char_buffer_t;
215
216/** GnuTLS connection handle */
217typedef struct {
218        /* Server configuration record */
219    mgs_srvconf_rec *sc;
220        /* Connection record */
221    conn_rec* c;
222        /* Is TLS enabled for this connection? */
223    int enabled;
224    /* Is this a proxy connection? */
225    int is_proxy;
226        /* GnuTLS Session handle */
227    gnutls_session_t session;
228    /** Server name requested via SNI if any, or NULL. */
229    const char *sni_name;
230        /* module input status */
231    apr_status_t input_rc;
232        /* Input filter */
233    ap_filter_t *input_filter;
234        /* Input Bucket Brigade */
235    apr_bucket_brigade *input_bb;
236        /* Input Read Type */
237    apr_read_type_e input_block;
238        /* Input Mode */
239    ap_input_mode_t input_mode;
240        /* Input Character Buffer */
241    mgs_char_buffer_t input_cbuf;
242        /* Input Character Array */
243    char input_buffer[AP_IOBUFSIZE];
244        /* module Output status */
245    apr_status_t output_rc;
246        /* Output filter */
247    ap_filter_t *output_filter;
248        /* Output Bucket Brigade */
249    apr_bucket_brigade *output_bb;
250        /* Output character array */
251    char output_buffer[AP_IOBUFSIZE];
252        /* Output buffer length */
253    apr_size_t output_blen;
254        /* Output length */
255    apr_size_t output_length;
256    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
257     * error (checks use status < 0 or status > 0) */
258    int status;
259} mgs_handle_t;
260
261
262
263/** Functions in gnutls_io.c **/
264
265/* apr_signal_block() for blocking SIGPIPE */
266apr_status_t apr_signal_block(int signum);
267
268/* Proxy Support */
269/* An optional function which returns non-zero if the given connection
270is using SSL/TLS. */
271APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
272/* The ssl_var_lookup() optional function retrieves SSL environment
273 * variables. */
274APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
275                        (apr_pool_t *, server_rec *,
276                         conn_rec *, request_rec *,
277                         char *));
278/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
279 * are used by mod_proxy to enable use of SSL for outgoing
280 * connections. */
281APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
282APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
283APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
284                                              ap_conf_vector_t *,
285                                              int proxy, int enable));
286mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
287int ssl_is_https(conn_rec *c);
288char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
289                     request_rec *r, char *var);
290int ssl_proxy_enable(conn_rec *c);
291int ssl_engine_disable(conn_rec *c);
292const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
293                                 const int arg);
294apr_status_t mgs_cleanup_pre_config(void *data);
295
296/**
297 * mgs_filter_input will filter the input data
298 * by decrypting it using GnuTLS and passes it cleartext.
299 *
300 * @param f     the filter info record
301 * @param bb    the bucket brigade, where to store the result to
302 * @param mode  what shall we read?
303 * @param block a block index we shall read from?
304 * @return result status
305 */
306apr_status_t mgs_filter_input(ap_filter_t * f,
307                                     apr_bucket_brigade * bb,
308                                     ap_input_mode_t mode,
309                                     apr_read_type_e block,
310                                     apr_off_t readbytes);
311
312/**
313 * mgs_filter_output will filter the encrypt
314 * the incoming bucket using GnuTLS and passes it onto the next filter.
315 *
316 * @param f     the filter info record
317 * @param bb    the bucket brigade, where to store the result to
318 * @return result status
319 */
320apr_status_t mgs_filter_output(ap_filter_t * f,
321                                      apr_bucket_brigade * bb);
322
323
324/**
325 * mgs_transport_read is called from GnuTLS to provide encrypted
326 * data from the client.
327 *
328 * @param ptr     pointer to the filter context
329 * @param buffer  place to put data
330 * @param len     maximum size
331 * @return size   length of the data stored in buffer
332 */
333ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
334                                  void *buffer, size_t len);
335
336/**
337 * mgs_transport_write is called from GnuTLS to
338 * write data to the client.
339 *
340 * @param ptr     pointer to the filter context
341 * @param buffer  buffer to write to the client
342 * @param len     size of the buffer
343 * @return size   length of the data written
344 */
345ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
346                                   const void *buffer, size_t len);
347
348
349int mgs_rehandshake(mgs_handle_t * ctxt);
350
351
352
353/**
354 * Perform any reinitialization required in PKCS #11
355 */
356int mgs_pkcs11_reinit(server_rec * s);
357
358
359
360/* Configuration Functions */
361
362/* Loads all files set in the configuration */
363int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
364    __attribute__((nonnull));
365
366const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
367                                        const char *arg);
368const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
369                                        const char *arg);
370const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
371                                        const char *arg);
372const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
373                                        const char *arg);
374
375const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
376                             const char *arg);
377
378const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
379
380const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
381                                  const char *arg);
382
383const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
384                                         const char *arg);
385
386const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
387                                   const char *arg);
388
389const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
390                               const char *arg);
391
392const char *mgs_set_pin(cmd_parms * parms, void *dummy,
393                                   const char *arg);
394
395const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
396                                   const char *arg);
397
398const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
399                            const int arg);
400const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
401                            const char *arg);
402const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
403                            const char *arg);
404const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
405                            const int arg);
406
407void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
408void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
409
410void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
411
412void *mgs_config_dir_create(apr_pool_t *p, char *dir);
413
414const char *mgs_store_cred_path(cmd_parms * parms,
415                                void *dummy __attribute__((unused)),
416                                const char *arg);
417
418/* mod_gnutls Hooks. */
419
420int mgs_hook_pre_config(apr_pool_t * pconf,
421                        apr_pool_t * plog, apr_pool_t * ptemp);
422
423int mgs_hook_post_config(apr_pool_t *pconf,
424                         apr_pool_t *plog,
425                         apr_pool_t *ptemp,
426                         server_rec *base_server);
427
428void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
429
430const char *mgs_hook_http_scheme(const request_rec * r);
431
432apr_port_t mgs_hook_default_port(const request_rec * r);
433
434int mgs_hook_pre_connection(conn_rec * c, void *csd);
435
436int mgs_hook_process_connection(conn_rec* c);
437
438int mgs_hook_fixups(request_rec *r);
439
440/** Post request hook, checks if TLS connection and vhost match */
441int mgs_req_vhost_check(request_rec *r);
442
443int mgs_hook_authz(request_rec *r);
444
445#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.