source: mod_gnutls/include/mod_gnutls.h.in @ c6dda6d

Last change on this file since c6dda6d was c6dda6d, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

Rate limit OCSP requests

Retries after failed OCSP requests must be rate limited. If the
responder is overloaded or buggy we don't want to add too much more
load, and if a MITM is messing with requests a repetition loop might
end up being a self-inflicted denial of service.

The minimum time to wait between retries can be configured using the
GnuTLSOCSPFailureTimeout directive.

/**
 *  Copyright 2004-2005 Paul Querna
 *  Copyright 2014 Nikos Mavrogiannopoulos
 *  Copyright 2015-2016 Thomas Klute
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 */

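/* Include guard. Everything in this header, including the #includes
 * below, sits inside it. The previous guard name (__mod_gnutls_h_inc)
 * began with two underscores, which C reserves for the implementation,
 * so it was replaced by a plain uppercase macro. */
#ifndef MOD_GNUTLS_H_INC
#define MOD_GNUTLS_H_INC

/* Apache Runtime Headers */
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "http_connection.h"
#include "http_request.h"
#include "http_core.h"
#include "http_log.h"
#include "apr_buckets.h"
#include "apr_strings.h"
#include "apr_tables.h"
#include "ap_release.h"
#include "apr_fnmatch.h"
/* GnuTLS Library Headers */
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/openpgp.h>
#include <gnutls/x509.h>

/* Substituted by configure: non-zero when apr_memcache is available,
 * which enables the memcache session cache backend (see mgs_cache_e). */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@

/* The module record registered with httpd (defined elsewhere in the
 * module). */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names, used when registering and inserting the TLS
 * input/output filters */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state used by "enabled" style config values,
 * where UNSET means "not configured, inherit/merge" */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version, substituted by configure */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode, substituted by configure */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
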
59/* mod_gnutls Cache Types */
60typedef enum {
61        /* No Cache */
62    mgs_cache_none,
63        /* Use Old Berkley DB */
64    mgs_cache_dbm,
65        /* Use Gnu's version of Berkley DB */
66    mgs_cache_gdbm,
67#if HAVE_APR_MEMCACHE
68        /* Use Memcache */
69    mgs_cache_memcache,
70#endif
71    mgs_cache_unset
72} mgs_cache_e;
73
/* Internal cache data, defined in gnutls_cache.h. Opaque in this
 * header: only a pointer to struct mgs_cache is passed around. */
typedef struct mgs_cache* mgs_cache_t;

/* How client certificates are verified (selected via
 * mgs_set_client_verify_method()). */
typedef enum {
    /* Not configured */
    mgs_cvm_unset,
    /* "cartel": conventional X.509 CA-chain verification — presumably
     * against the CA list in mgs_srvconf_rec; confirm in the verify code */
    mgs_cvm_cartel,
    /* Verification via the Monkeysphere Validation Agent (MSVA) —
     * assumed from the name, confirm */
    mgs_cvm_msva
} mgs_client_verification_method_e;


/* Directory Configuration Record: per-directory/location config,
 * created by mgs_config_dir_create() and merged by
 * mgs_config_dir_merge(). */
typedef struct {
    /* Client certificate verification mode for this directory;
     * presumably the same value space as
     * mgs_srvconf_rec.client_verify_mode — confirm */
    int client_verify_mode;
} mgs_dirconf_rec;


/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h.
 * Opaque in this header. */
typedef struct mgs_ocsp_data* mgs_ocsp_data_t;


/* The maximum number of certificates to send in a chain */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate; any SANs
 * beyond this bound are not stored (see mgs_srvconf_rec.cert_san) */
#define MAX_CERT_SAN 5

/* Server Configuration Record: the per-server (virtual host) config,
 * created by mgs_config_server_create() and merged by
 * mgs_config_server_merge(). Fields above the "_child_init" marker
 * come from configuration directives; the rest is runtime state. */
typedef struct {
    /* --- Configuration values --- */
    /* Is the module enabled? Set by mgs_set_enabled(); presumably one
     * of GNUTLS_ENABLED_FALSE/TRUE/UNSET (see the constants above). */
    int enabled;
    /* Is TLS for outgoing (mod_proxy) connections enabled? Set by
     * mgs_set_proxy_engine(). */
    int proxy_enabled;
    /* A Plain HTTP request (non-TLS) was seen; which code sets this is
     * not visible in this header */
    int non_ssl_request;

    /* List of PKCS #11 provider modules to load, only valid in the
     * base config, ignored in virtual hosts (see mgs_set_p11_module()) */
    apr_array_header_t *p11_modules;

    /* PIN used for PKCS #11 operations (set by mgs_set_pin()). This is
     * secret material held as a plain C string in the config. */
    char *pin;

    /* the SRK PIN used in TPM operations (set by mgs_set_srk_pin());
     * secret material, like pin */
    char *srk_pin;

    /* X.509 certificate, private key and CA file paths (see
     * mgs_set_cert_file() and mgs_set_key_file(); the CA file is
     * presumably set by mgs_set_client_ca_file()) */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* OpenPGP certificate, private key and keyring file paths (see
     * mgs_set_pgpcert_file(), mgs_set_pgpkey_file(),
     * mgs_set_keyring_file()) */
    char *pgp_cert_file;
    char *pgp_key_file;
    char *pgp_ring_file;

    /* Diffie-Hellman parameter file (see mgs_set_dh_file()) */
    char *dh_file;

    /* GnuTLS priority strings for server and proxy connections (see
     * mgs_set_priorities()); presumably parsed into the priorities /
     * proxy_priorities handles below */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password file and its configuration file (see
     * mgs_set_srp_tpasswd_file(), mgs_set_srp_tpasswd_conf_file()) */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

    /* Cache timeout value (see mgs_set_timeout()); units are not
     * visible here */
    int cache_timeout;
    /* Chosen cache backend (see mgs_set_cache()) */
    mgs_cache_e cache_type;
    /* Backend-specific cache configuration string */
    const char* cache_config;
    /* Internal cache data */
    mgs_cache_t cache;

    /* Whether GnuTLS session tickets are used (see mgs_set_tickets()) */
    int tickets;

    /* --- Things initialized at _child_init --- */

    /* x509 Certificate Structure (server credentials) */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Key, certificate, CA and CRL file paths used for proxy
     * connections */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure (server credentials) */
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections */
    gnutls_anon_client_credentials_t anon_client_creds;
    /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
    /* Current x509 Certificate SAN [Subject Alternate Name]s; at most
     * MAX_CERT_SAN entries are kept */
    char* cert_san[MAX_CERT_SAN];
    /* An x509 Certificate Chain, in both pcert and crt form */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
    /* Number of Certificates in Chain (presumably bounded by
     * MAX_CHAIN_SIZE — confirm where the chain is loaded) */
    unsigned int certs_x509_chain_num;

    /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

    /* OpenPGP Certificate */
    gnutls_pcert_st *cert_pgp;
    gnutls_openpgp_crt_t *cert_crt_pgp;

    /* OpenPGP Certificate Private Key */
    gnutls_privkey_t privkey_pgp;
#if GNUTLS_VERSION_NUMBER < 0x030312
    /* Internal structure for the OpenPGP private key, used in the
     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
     * frees memory that is still needed. DO NOT USE for any other
     * purpose. */
    gnutls_openpgp_privkey_t privkey_pgp_internal;
#endif

    /* Export full certificates to CGI environment (see
     * mgs_set_export_certificates_size()) */
    int export_certificates_size;
    /* GnuTLS Priorities (presumably parsed from priorities_str) */
    gnutls_priority_t priorities;
    /* GnuTLS DH Parameters (presumably loaded from dh_file) */
    gnutls_dh_params_t dh_params;
    /* A list of CA Certificates */
    gnutls_x509_crt_t *ca_list;
    /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
    /* CA Certificate list size: number of entries in ca_list */
    unsigned int ca_list_size;
    /* Client Certificate Verification Mode (see mgs_set_client_verify()) */
    int client_verify_mode;
    /* Client Certificate Verification Method (see
     * mgs_set_client_verify_method()) */
    mgs_client_verification_method_e client_verify_method;
    /* Last Cache timestamp */
    apr_time_t last_cache_check;

    /* EXPERIMENTAL: Enable OCSP stapling */
    unsigned char ocsp_staple;
    /* EXPERIMENTAL: Read OCSP response for stapling from this file
     * instead of sending a request over HTTP */
    char *ocsp_response_file;
    /* Internal OCSP data for this server */
    mgs_ocsp_data_t ocsp;
    /* Mutex to prevent parallel OCSP requests (a global mutex, i.e.
     * shared across httpd worker processes) */
    apr_global_mutex_t *ocsp_mutex;
    /* Cached OCSP responses expire this long before their validity
     * period expires. This way mod_gnutls does not staple barely
     * valid responses. */
    apr_time_t ocsp_grace_time;
    /* If an OCSP request fails wait at least this long before trying
     * again (GnuTLSOCSPFailureTimeout directive). Rate-limiting retries
     * keeps an overloaded, buggy or tampered-with responder from turning
     * into a retry loop that adds load on both sides. */
    apr_time_t ocsp_failure_timeout;
} mgs_srvconf_rec;

/* Character Buffer: a pointer plus a length. length is a plain int and
 * nothing here ties it to the allocation behind value; code that fills
 * the buffer is responsible for keeping the two consistent. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;

/* GnuTLS Handle: per-connection state. It references both filters and
 * is presumably the "filter context" handed to mgs_transport_read() and
 * mgs_transport_write() as gnutls_transport_ptr_t. */
typedef struct {
    /* Server configuration record */
    mgs_srvconf_rec *sc;
    /* Connection record */
    conn_rec* c;
    /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? */
    int is_proxy;
    /* GnuTLS Session handle */
    gnutls_session_t session;
    /* module input status */
    apr_status_t input_rc;
    /* Input filter */
    ap_filter_t *input_filter;
    /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
    /* Input Read Type (blocking or non-blocking read) */
    apr_read_type_e input_block;
    /* Input Mode */
    ap_input_mode_t input_mode;
    /* Input Character Buffer — presumably points into input_buffer
     * below; confirm in the input filter */
    mgs_char_buffer_t input_cbuf;
    /* Input Character Array, fixed size: writes into it must be
     * bounded by AP_IOBUFSIZE */
    char input_buffer[AP_IOBUFSIZE];
    /* module Output status */
    apr_status_t output_rc;
    /* Output filter */
    ap_filter_t *output_filter;
    /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
    /* Output character array, fixed size like input_buffer */
    char output_buffer[AP_IOBUFSIZE];
    /* Output buffer length (presumably bytes currently held in
     * output_buffer) */
    apr_size_t output_blen;
    /* Output length */
    apr_size_t output_length;
    /* General Status */
    int status;
} mgs_handle_t;



/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE. NOTE(review): APR declares
 * this in apr_signal.h; confirm this local prototype is still needed. */
apr_status_t apr_signal_block(int signum);

/* Proxy Support */
/* An optional function which returns non-zero if the given connection
 * is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* Plain prototypes of the three optional functions above, presumably
 * for direct calls within the module */
int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler for the proxy engine on/off flag (arg); returns
 * NULL on success or an error message for the config parser */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
                                 const int arg);
/* Pool cleanup callback; data is the cleanup argument (its type is
 * not visible in this header) */
apr_status_t mgs_cleanup_pre_config(void *data);

/**
 * mgs_filter_input will filter the input data
 * by decrypting it using GnuTLS and passes it on as cleartext.
 *
 * @param f         the filter info record
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      what shall we read? (ap_input_mode_t)
 * @param block     APR_BLOCK_READ or APR_NONBLOCK_READ
 * @param readbytes how much the caller asked for; its meaning depends
 *                  on mode, as for any httpd input filter
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);

/**
 * mgs_filter_output encrypts the incoming bucket brigade using GnuTLS
 * and passes the result on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to send
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);


/**
 * mgs_transport_read is called from GnuTLS to provide encrypted
 * data from the client (the GnuTLS "pull" callback).
 *
 * @param ptr     pointer to the filter context (presumably the
 *                mgs_handle_t of the connection)
 * @param buffer  place to put data
 * @param len     maximum size; no more than len bytes may be stored
 * @return size   length of the data stored in buffer; on error the
 *                GnuTLS pull-function conventions apply (presumably
 *                -1 with errno set — confirm in the definition)
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);

/**
 * mgs_transport_write is called from GnuTLS to
 * write data to the client (the GnuTLS "push" callback).
 *
 * @param ptr     pointer to the filter context (presumably the
 *                mgs_handle_t of the connection)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; on error the GnuTLS
 *                push-function conventions apply (presumably -1 with
 *                errno set — confirm in the definition)
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);


/* Trigger a TLS rehandshake (renegotiation) on the connection described
 * by ctxt — assumed from the name; the return value's meaning is not
 * visible in this header */
int mgs_rehandshake(mgs_handle_t * ctxt);



/**
 * Perform any reinitialization required in PKCS #11
 * for server s (e.g. after a fork — assumption, confirm against
 * mgs_hook_child_init())
 */
int mgs_pkcs11_reinit(server_rec * s);



/* Configuration Functions */

/* Loads all files set in the configuration (certificates, keys, CA,
 * DH parameters, ...) for server s. All three pointers must be
 * non-NULL. The return value's meaning is not visible here; presumably
 * a non-zero httpd status on failure. */
int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
    __attribute__((nonnull));

/* Directive handlers. Each mgs_set_* function below is an httpd
 * cmd_parms callback: it stores its argument in the server or directory
 * config and returns NULL on success or an error message for the config
 * parser. Handlers taking "const int arg" are on/off flags. */

/* SRP password configuration file and SRP password file paths */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* Diffie-Hellman parameter file path */
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* X.509 certificate file path */
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* X.509 private key file path */
const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* OpenPGP certificate file path */
const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* OpenPGP private key file path */
const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* Session cache: backend type plus backend-specific configuration */
const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                          const char *type, const char* arg);

/* Session cache timeout */
const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);

/* Client certificate verification mode */
const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

/* Client certificate verification method (mgs_client_verification_method_e) */
const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

/* CA file for client certificate verification */
const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* PKCS #11 provider module to load (presumably appended to
 * mgs_srvconf_rec.p11_modules) */
const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
                               const char *arg);

/* PKCS #11 PIN: a secret taken verbatim from the configuration file */
const char *mgs_set_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* TPM SRK PIN: a secret taken verbatim from the configuration file */
const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* OpenPGP keyring file path */
const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Module enable flag, export-certificates size, GnuTLS priority
 * string and session-ticket flag */
const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const int arg);
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const int arg);

/* "Require" section handler; what it accepts is not visible here */
const char *mgs_set_require_section(cmd_parms *cmd,
                                    void *mconfig, const char *arg);
/* Server config create/merge callbacks for the module record
 * (BASE and ADD are mgs_srvconf_rec pointers, presumably) */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Directory config merge callback (basev/addv are mgs_dirconf_rec
 * pointers, presumably) */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

/* Directory config create callback for directory dir */
void *mgs_config_dir_create(apr_pool_t *p, char *dir);

/* "Require" bytecode handler; semantics not visible in this header */
const char *mgs_set_require_bytecode(cmd_parms *cmd,
                                    void *mconfig, const char *arg);

/* Look up the virtual host config matching the SNI name in session —
 * assumed from the name; presumably returns NULL when none matches */
mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);

/* Store a credential path from the configuration; which path is not
 * visible here */
const char *mgs_store_cred_path(cmd_parms * parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);

/* mod_gnutls Hooks: callbacks registered with httpd's hook system. */

/* pre_config hook: runs before the configuration is read */
int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* post_config hook: runs after the configuration has been parsed;
 * base_server is the main server record */
int mgs_hook_post_config(apr_pool_t *pconf,
                         apr_pool_t *plog,
                         apr_pool_t *ptemp,
                         server_rec *base_server);

/* child_init hook: per-child-process initialization */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme hook: presumably reports "https" for TLS connections */
const char *mgs_hook_http_scheme(const request_rec * r);

/* default_port hook: default port for the scheme (presumably 443 when
 * TLS is enabled) */
apr_port_t mgs_hook_default_port(const request_rec * r);

/* pre_connection hook: presumably sets up the TLS session and the
 * input/output filters on a new connection; csd is the connection
 * socket as passed by httpd */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

/* fixups hook: presumably exports TLS variables into the request
 * environment — confirm in the definition */
int mgs_hook_fixups(request_rec *r);

/* authz hook: access control based on the TLS session / client
 * certificate — assumed from the name, confirm */
int mgs_hook_authz(request_rec *r);

#endif /* include guard */