source: mod_gnutls/include/mod_gnutls.h.in @ b26a792

Last change on this file since b26a792 was b888e8b, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

New directive GnuTLSOCSPCheckNonce

Some CAs refuse to send nonces in their OCSP responses, probably
because that way they can cache responses. This makes nonce
verification fail, so give the user an option to disable it.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2016 Thomas Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
19
20/* Apache Runtime Headers */
21#include "httpd.h"
22#include "http_config.h"
23#include "http_protocol.h"
24#include "http_connection.h"
25#include "http_request.h"
26#include "http_core.h"
27#include "http_log.h"
28#include "apr_buckets.h"
29#include "apr_strings.h"
30#include "apr_tables.h"
31#include "ap_release.h"
32#include "apr_fnmatch.h"
33/* GnuTLS Library Headers */
34#include <gnutls/gnutls.h>
35#include <gnutls/abstract.h>
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
39#ifndef __mod_gnutls_h_inc
40#define __mod_gnutls_h_inc
41
/* Substituted by configure: non-zero when APR memcache support is
 * compiled in. Also controls whether the mgs_cache_memcache enumerator
 * exists in mgs_cache_e below. */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@

/* The module record registered with httpd; defined in a .c file.
 * NOTE(review): the include guard __mod_gnutls_h_inc above uses a
 * double-underscore name, which is reserved for the implementation. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names (registered with ap_register_*_filter in the module) */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state for int config fields. UNSET marks a value
 * not given in the configuration (presumably resolved when the base and
 * vhost configs are merged — confirm in mgs_config_server_merge). */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version, substituted by configure */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode, substituted by configure (maintainer mode flag) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
58
/* mod_gnutls Cache Types: session cache backend selected by the
 * configuration. Note that when HAVE_APR_MEMCACHE is 0 the
 * mgs_cache_memcache enumerator does not exist, so the numeric value of
 * mgs_cache_unset depends on the build; never persist these values or
 * compare them across differently configured builds. */
typedef enum {
        /* No Cache */
    mgs_cache_none,
        /* Use Old Berkeley DB */
    mgs_cache_dbm,
        /* Use Gnu's version of Berkeley DB */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* Use Memcache */
    mgs_cache_memcache,
#endif
        /* Cache type not set in the configuration */
    mgs_cache_unset
} mgs_cache_e;
73
/* Internal cache data, defined in gnutls_cache.h. Opaque here: only the
 * cache implementation knows the struct layout. */
typedef struct mgs_cache* mgs_cache_t;
76
/* How client certificates are verified: not configured, the "cartel"
 * (CA chain) model, or the monkeysphere validation agent (msva). */
typedef enum {
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
82
83
/* Directory Configuration Record: per-directory override of the client
 * certificate verification mode (created/merged by mgs_config_dir_*). */
typedef struct {
    /* Client verification mode for this directory; the int encoding is
     * the same as mgs_srvconf_rec.client_verify_mode */
    int client_verify_mode;
} mgs_dirconf_rec;
88
89
/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h. Opaque
 * here; accessed only through the OCSP code. */
typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
92
93
/* The maximum number of certificates to send in a chain. Chains longer
 * than this presumably cannot be loaded — confirm in mgs_load_files. */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate; sizes
 * mgs_srvconf_rec.cert_san. Any further SANs are presumably ignored
 * rather than reported — confirm in the certificate loader. */
#define MAX_CERT_SAN 5
98
/* Server Configuration Record, one per (virtual) server. The first
 * section holds values written by the directive handlers declared
 * below; the second holds GnuTLS objects created during child init.
 * Ownership and zeroisation of the secret fields (pin, srk_pin) are not
 * visible in this header — see the .c files. */
typedef struct {
    /* --- Configuration values --- */
        /* Is the module enabled? (presumably a GNUTLS_ENABLED_* value) */
    int enabled;
        /* Is mod_proxy enabled? (presumably a GNUTLS_ENABLED_* value) */
    int proxy_enabled;
        /* A Plain HTTP request */
    int non_ssl_request;

    /* List of PKCS #11 provider modules to load, only valid in the
     * base config, ignored in virtual hosts */
    apr_array_header_t *p11_modules;

    /* PIN used for PKCS #11 operations. NOTE(review): a secret kept as
     * a plain string in pool memory for the server's lifetime; nothing
     * in this header zeroises it — confirm handling in the .c files. */
    char *pin;

    /* the SRK PIN used in TPM operations (same caveat as pin) */
    char *srk_pin;

    /* X.509 certificate, private key and CA file paths; presumably
     * filled by the mgs_set_*_file handlers declared below */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* OpenPGP certificate, private key and key ring file paths */
    char *pgp_cert_file;
    char *pgp_key_file;
    char *pgp_ring_file;

    /* File holding Diffie-Hellman parameters (see dh_params below) */
    char *dh_file;

    /* GnuTLS priority strings for server and proxy connections, as
     * configured; the parsed forms are priorities / proxy_priorities */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password and configuration files */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

        /* Cache timeout value (units not visible here — see mgs_set_timeout) */
    int cache_timeout;
        /* Chosen cache type */
    mgs_cache_e cache_type;
    /* Backend-specific cache configuration string */
    const char* cache_config;
    /* Internal cache data */
    mgs_cache_t cache;

        /* GnuTLS uses Session Tickets (set by mgs_set_tickets) */
    int tickets;

    /* --- Things initialized at _child_init --- */

    /* x509 Certificate Structure */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Key, certificate, CA and CRL files used for proxy connections */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure*/
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections */
    gnutls_anon_client_credentials_t anon_client_creds;
        /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
        /* Current x509 Certificate SAN [Subject Alternate Name]s, at
         * most MAX_CERT_SAN of them */
    char* cert_san[MAX_CERT_SAN];
        /* An x509 Certificate Chain, in both pcert and crt form;
         * certs_x509_chain_num entries each */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
        /* Number of Certificates in Chain */
    unsigned int certs_x509_chain_num;

        /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

        /* OpenPGP Certificate */
    gnutls_pcert_st *cert_pgp;
    gnutls_openpgp_crt_t *cert_crt_pgp;

        /* OpenPGP Certificate Private Key */
    gnutls_privkey_t privkey_pgp;
#if GNUTLS_VERSION_NUMBER < 0x030312
    /* Internal structure for the OpenPGP private key, used in the
     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
     * frees memory that is still needed. DO NOT USE for any other
     * purpose. */
    gnutls_openpgp_privkey_t privkey_pgp_internal;
#endif

    /* Export full certificates to CGI environment: */
    int export_certificates_size;
        /* GnuTLS Priorities (parsed from priorities_str) */
    gnutls_priority_t priorities;
        /* GnuTLS DH Parameters */
    gnutls_dh_params_t dh_params;
        /* A list of CA Certificates, ca_list_size entries */
    gnutls_x509_crt_t *ca_list;
        /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
        /* CA Certificate list size */
    unsigned int ca_list_size;
        /* Client Certificate Verification Mode */
    int client_verify_mode;
        /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
        /* Last Cache timestamp */
    apr_time_t last_cache_check;

    /* Enable OCSP stapling (used as a boolean) */
    unsigned char ocsp_staple;
    /* Check nonce in OCSP responses? (GnuTLSOCSPCheckNonce) Some CAs do
     * not send nonces, so this can be switched off; without the nonce a
     * response cannot be tied to the request that fetched it, and its
     * freshness is then bounded only by its validity period (see
     * ocsp_grace_time below). */
    unsigned char ocsp_check_nonce;
    /* Read OCSP response for stapling from this file instead of
     * sending a request over HTTP */
    char *ocsp_response_file;
    /* Internal OCSP data for this server */
    mgs_ocsp_data_t ocsp;
    /* Mutex to prevent parallel OCSP requests; an apr_global_mutex_t,
     * so the exclusion spans worker processes, not just threads */
    apr_global_mutex_t *ocsp_mutex;
    /* Cached OCSP responses expire this long before their validity
     * period expires. This way mod_gnutls does not staple barely
     * valid responses. */
    apr_interval_time_t ocsp_grace_time;
    /* If an OCSP request fails wait this long before trying again. */
    apr_interval_time_t ocsp_failure_timeout;
    /* Socket timeout for OCSP requests */
    apr_interval_time_t ocsp_socket_timeout;
} mgs_srvconf_rec;
233
/* Character Buffer: a pointer plus a length. NOTE(review): length is a
 * signed int while the I/O fields in mgs_handle_t use apr_size_t;
 * check the sign conversions at the call sites in gnutls_io.c. */
typedef struct {
    /* Number of bytes at value */
    int length;
    /* Start of the buffered data (not owned by this struct as far as
     * this header shows) */
    char *value;
} mgs_char_buffer_t;
239
/* GnuTLS Handle: per-connection state shared by the input and output
 * filters and by the GnuTLS transport callbacks (mgs_transport_*).
 * Both raw buffers are sized by httpd's AP_IOBUFSIZE. */
typedef struct {
        /* Server configuration record */
    mgs_srvconf_rec *sc;
        /* Connection record */
    conn_rec* c;
        /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? */
    int is_proxy;
        /* GnuTLS Session handle */
    gnutls_session_t session;
        /* module input status */
    apr_status_t input_rc;
        /* Input filter */
    ap_filter_t *input_filter;
        /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
        /* Input Read Type (blocking or non-blocking) */
    apr_read_type_e input_block;
        /* Input Mode (httpd ap_input_mode_t) */
    ap_input_mode_t input_mode;
        /* Input Character Buffer */
    mgs_char_buffer_t input_cbuf;
        /* Input Character Array */
    char input_buffer[AP_IOBUFSIZE];
        /* module Output status */
    apr_status_t output_rc;
        /* Output filter */
    ap_filter_t *output_filter;
        /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
        /* Output character array */
    char output_buffer[AP_IOBUFSIZE];
        /* Output buffer length (bytes currently held in output_buffer) */
    apr_size_t output_blen;
        /* Output length */
    apr_size_t output_length;
        /* General Status */
    int status;
} mgs_handle_t;
281
282
283
/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE (APR function, re-declared
 * here so callers need no extra APR header) */
apr_status_t apr_signal_block(int signum);

 /* Proxy Support */
/* An optional function which returns non-zero if the given connection
is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* Plain prototypes of the implementations behind the optional
 * functions above */
int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler for the proxy engine flag (httpd convention:
 * returns NULL on success, an error string otherwise) */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
                                 const int arg);
/* Pool cleanup registered before config parsing; data is the cleanup
 * argument supplied at registration */
apr_status_t mgs_cleanup_pre_config(void *data);
304
/**
 * mgs_filter_input will filter the input data
 * by decrypting it using GnuTLS and passes it cleartext.
 *
 * @param f         the filter info record
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      what shall we read? (httpd ap_input_mode_t)
 * @param block     blocking or non-blocking read
 * @param readbytes byte limit for AP_MODE_READBYTES, per the httpd
 *                  input filter API
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);
320
/**
 * mgs_filter_output will encrypt the incoming bucket brigade using
 * GnuTLS and pass it on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to send
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);
331
332
/**
 * mgs_transport_read is called from GnuTLS to provide encrypted
 * data from the client (GnuTLS pull callback).
 *
 * @param ptr     pointer to the filter context
 * @param buffer  place to put data
 * @param len     maximum size
 * @return size   length of the data stored in buffer; on error
 *                presumably -1 with errno set through
 *                gnutls_transport_set_errno() as the GnuTLS pull
 *                convention requires — confirm in gnutls_io.c
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);
344
/**
 * mgs_transport_write is called from GnuTLS to
 * write data to the client (GnuTLS push callback).
 *
 * @param ptr     pointer to the filter context
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; on error presumably -1
 *                with errno set through gnutls_transport_set_errno()
 *                as the GnuTLS push convention requires — confirm in
 *                gnutls_io.c
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);
356
357
/* Presumably triggers a TLS re-handshake on the connection held in
 * ctxt; the meaning of the return value is not visible in this
 * header — see gnutls_io.c */
int mgs_rehandshake(mgs_handle_t * ctxt);
359
360
361
/**
 * Perform any reinitialization required in PKCS #11, e.g. after the
 * server forks children.
 *
 * @param s the server record whose configuration is used
 * @return  status; the encoding is not visible in this header
 */
int mgs_pkcs11_reinit(server_rec * s);
366
367
368
/* Configuration Functions. All mgs_set_* functions are httpd directive
 * handlers: they return NULL on success and an error message string
 * otherwise. The parameters named dummy are the per-directory config
 * pointer httpd passes to every handler. */

/* Loads all files set in the configuration (certificates, keys, DH
 * parameters, ...). All three pointers must be non-NULL (nonnull
 * attribute). */
int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
    __attribute__((nonnull));

/* SRP password files */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* DH parameter file */
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* X.509 certificate file */
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* X.509 private key file */
const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* OpenPGP certificate file */
const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* OpenPGP private key file */
const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* Session cache: type selects an mgs_cache_e backend, arg is the
 * backend-specific configuration */
const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                          const char *type, const char* arg);

/* Cache timeout (string argument, parsed by the handler) */
const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);

/* Client certificate verification mode and method */
const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

/* CA file used to verify client certificates */
const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Adds a PKCS #11 provider module (see mgs_srvconf_rec.p11_modules) */
const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
                               const char *arg);

/* PKCS #11 PIN and TPM SRK PIN. NOTE(review): arg comes straight from
 * the configuration file, so the secret is in the parsed config in
 * clear text. */
const char *mgs_set_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* OpenPGP key ring file */
const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Flag directives (arg is the parsed on/off value) */
const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const int arg);
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const int arg);

/* Access-control directives (mconfig is the per-directory config) */
const char *mgs_set_require_section(cmd_parms *cmd,
                                    void *mconfig, const char *arg);
/* Create and merge the per-server config (mgs_srvconf_rec) */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Create and merge the per-directory config (mgs_dirconf_rec) */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

void *mgs_config_dir_create(apr_pool_t *p, char *dir);

const char *mgs_set_require_bytecode(cmd_parms *cmd,
                                    void *mconfig, const char *arg);

/* Looks up the virtual host matching the SNI name of session; the
 * behaviour when no host matches is not visible in this header */
mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);

/* Stores a credential path from the configuration; dummy is unused */
const char *mgs_store_cred_path(cmd_parms * parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
445
/* mod_gnutls Hooks. These follow the httpd hook signatures; the int
 * ones return an httpd status (OK/DECLINED/HTTP_*). */

/* Runs before the configuration is read */
int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* Runs after the configuration is read; base_server is the main
 * server, virtual hosts hang off its next pointer */
int mgs_hook_post_config(apr_pool_t *pconf,
                         apr_pool_t *plog,
                         apr_pool_t *ptemp,
                         server_rec *base_server);

/* Per-child initialisation (see the _child_init section of
 * mgs_srvconf_rec) */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* Reports the URL scheme for r (presumably "https" when TLS is on) */
const char *mgs_hook_http_scheme(const request_rec * r);

/* Reports the default port for r's scheme */
apr_port_t mgs_hook_default_port(const request_rec * r);

/* Sets up the TLS handle and filters for a new connection; csd is the
 * connection socket descriptor */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

/* Fixups phase: exports TLS variables to the request environment */
int mgs_hook_fixups(request_rec *r);

/* Authorization phase: enforces the require directives */
int mgs_hook_authz(request_rec *r);
467
468#endif /*  __mod_gnutls_h_inc */