source: mod_gnutls/include/mod_gnutls.h.in @ d04f7da

debian/masterdebian/stretch-backportsjessie-backportsupstream
Last change on this file since d04f7da was d04f7da, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Version guards for gnutls_privkey_import_openpgp_raw workaround

The invalid free bug in gnutls_privkey_import_openpgp_raw should be
fixed in GnuTLS 3.3.12 [1], so add appropriate version guards and use
the workaround only with older versions.

[1] https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a#commitcomment-10581365

  • Property mode set to 100644
File size: 13.7 KB
Line 
1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/abstract.h>
37#include <gnutls/openpgp.h>
38#include <gnutls/x509.h>
39
40#ifndef __mod_gnutls_h_inc
41#define __mod_gnutls_h_inc
42
43#define HAVE_APR_MEMCACHE    @have_apr_memcache@
44
45extern module AP_MODULE_DECLARE_DATA gnutls_module;
46
47/* IO Filter names */
48#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
49#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
50/* GnuTLS Constants */
51#define GNUTLS_ENABLED_FALSE 0
52#define GNUTLS_ENABLED_TRUE  1
53#define GNUTLS_ENABLED_UNSET  2
54/* Current module version */
55#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
56
57/* Module Debug Mode */
58#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
59
60/*
61 * Recent Versions of 2.1 renamed several hooks.
62 * This allows us to compile on 2.0.xx
63 */
64#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
65        #define USING_2_1_RECENT 1
66#else
67        #define USING_2_1_RECENT 0
68#endif
69
70/* mod_gnutls Cache Types */
71typedef enum {
72        /* No Cache */
73    mgs_cache_none,
74        /* Use Old Berkley DB */
75    mgs_cache_dbm,
76        /* Use Gnu's version of Berkley DB */
77    mgs_cache_gdbm,
78#if HAVE_APR_MEMCACHE
79        /* Use Memcache */
80    mgs_cache_memcache,
81#endif
82    mgs_cache_unset
83} mgs_cache_e;
84
85typedef enum {
86    mgs_cvm_unset,
87    mgs_cvm_cartel,
88    mgs_cvm_msva
89} mgs_client_verification_method_e;
90
91
92/* Directory Configuration Record */
93typedef struct {
94    int client_verify_mode;
95    const char* lua_bytecode;
96    apr_size_t lua_bytecode_len;
97} mgs_dirconf_rec;
98
99
100/* The maximum number of certificates to send in a chain */
101#define MAX_CHAIN_SIZE 8
102/* The maximum number of SANs to read from a x509 certificate */
103#define MAX_CERT_SAN 5
104
105/* Server Configuration Record */
106typedef struct {
107    /* --- Configuration values --- */
108        /* Is the module enabled? */
109    int enabled;
110        /* Is mod_proxy enabled? */
111    int proxy_enabled;
112        /* A Plain HTTP request */
113    int non_ssl_request;
114
115    /* PIN used for PKCS #11 operations */
116    char *pin;
117
118    /* the SRK PIN used in TPM operations */
119    char *srk_pin;
120
121    char *x509_cert_file;
122    char *x509_key_file;
123    char *x509_ca_file;
124
125    char *pgp_cert_file;
126    char *pgp_key_file;
127    char *pgp_ring_file;
128
129    char *dh_file;
130
131    char *priorities_str;
132
133    const char* srp_tpasswd_file;
134    const char* srp_tpasswd_conf_file;
135
136        /* Cache timeout value */
137    int cache_timeout;
138        /* Chose Cache Type */
139    mgs_cache_e cache_type;
140    const char* cache_config;
141
142        /* GnuTLS uses Session Tickets */
143    int tickets;
144
145    /* --- Things initialized at _child_init --- */
146
147        /* x509 Certificate Structure */
148    gnutls_certificate_credentials_t certs;
149        /* SRP Certificate Structure*/
150    gnutls_srp_server_credentials_t srp_creds;
151        /* Annonymous Certificate Structure */
152    gnutls_anon_server_credentials_t anon_creds;
153        /* Current x509 Certificate CN [Common Name] */
154    char* cert_cn;
155        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
156    char* cert_san[MAX_CERT_SAN];
157        /* An x509 Certificate Chain */
158    gnutls_pcert_st *certs_x509_chain;
159    gnutls_x509_crt_t *certs_x509_crt_chain;
160        /* Number of Certificates in Chain */
161    unsigned int certs_x509_chain_num;
162
163        /* Current x509 Certificate Private Key */
164    gnutls_privkey_t privkey_x509;
165
166        /* OpenPGP Certificate */
167    gnutls_pcert_st *cert_pgp;
168    gnutls_openpgp_crt_t *cert_crt_pgp;
169
170        /* OpenPGP Certificate Private Key */
171    gnutls_privkey_t privkey_pgp;
172#if GNUTLS_VERSION_NUMBER < 0x030312
173    /* Internal structure for the OpenPGP private key, used in the
174     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
175     * frees memory that is still needed. DO NOT USE for any other
176     * purpose. */
177    gnutls_openpgp_privkey_t privkey_pgp_internal;
178#endif
179
180    /* Export full certificates to CGI environment: */
181    int export_certificates_size;
182        /* GnuTLS Priorities */
183    gnutls_priority_t priorities;
184        /* GnuTLS DH Parameters */
185    gnutls_dh_params_t dh_params;
186        /* A list of CA Certificates */
187    gnutls_x509_crt_t *ca_list;
188        /* OpenPGP Key Ring */
189    gnutls_openpgp_keyring_t pgp_list;
190        /* CA Certificate list size */
191    unsigned int ca_list_size;
192        /* Client Certificate Verification Mode */
193    int client_verify_mode;
194        /* Client Certificate Verification Method */
195    mgs_client_verification_method_e client_verify_method;
196        /* Last Cache timestamp */
197    apr_time_t last_cache_check;
198} mgs_srvconf_rec;
199
200/* Character Buffer */
201typedef struct {
202    int length;
203    char *value;
204} mgs_char_buffer_t;
205
206/* GnuTLS Handle */
207typedef struct {
208        /* Server configuration record */
209    mgs_srvconf_rec *sc;
210        /* Connection record */
211    conn_rec* c;
212        /* Is TLS enabled for this connection? */
213    int enabled;
214        /* GnuTLS Session handle */
215    gnutls_session_t session;
216        /* module input status */
217    apr_status_t input_rc;
218        /* Input filter */
219    ap_filter_t *input_filter;
220        /* Input Bucket Brigade */
221    apr_bucket_brigade *input_bb;
222        /* Input Read Type */
223    apr_read_type_e input_block;
224        /* Input Mode */
225    ap_input_mode_t input_mode;
226        /* Input Character Buffer */
227    mgs_char_buffer_t input_cbuf;
228        /* Input Character Array */
229    char input_buffer[AP_IOBUFSIZE];
230        /* module Output status */
231    apr_status_t output_rc;
232        /* Output filter */
233    ap_filter_t *output_filter;
234        /* Output Bucket Brigade */
235    apr_bucket_brigade *output_bb;
236        /* Output character array */
237    char output_buffer[AP_IOBUFSIZE];
238        /* Output buffer length */
239    apr_size_t output_blen;
240        /* Output length */
241    apr_size_t output_length;
242        /* General Status */
243    int status;
244} mgs_handle_t;
245
246
247
248/** Functions in gnutls_io.c **/
249
250/* apr_signal_block() for blocking SIGPIPE */
251apr_status_t apr_signal_block(int signum);
252
253 /* Proxy Support */
254/* An optional function which returns non-zero if the given connection
255is using SSL/TLS. */
256APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
257/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
258 * are used by mod_proxy to enable use of SSL for outgoing
259 * connections. */
260APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
261APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
262int ssl_is_https(conn_rec *c);
263int ssl_proxy_enable(conn_rec *c);
264int ssl_engine_disable(conn_rec *c);
265const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
266    const char *arg);
267apr_status_t mgs_cleanup_pre_config(void *data);
268
269/**
270 * mgs_filter_input will filter the input data
271 * by decrypting it using GnuTLS and passes it cleartext.
272 *
273 * @param f     the filter info record
274 * @param bb    the bucket brigade, where to store the result to
275 * @param mode  what shall we read?
276 * @param block a block index we shall read from?
277 * @return result status
278 */
279apr_status_t mgs_filter_input(ap_filter_t * f,
280                                     apr_bucket_brigade * bb,
281                                     ap_input_mode_t mode,
282                                     apr_read_type_e block,
283                                     apr_off_t readbytes);
284
285/**
286 * mgs_filter_output will filter the encrypt
287 * the incoming bucket using GnuTLS and passes it onto the next filter.
288 *
289 * @param f     the filter info record
290 * @param bb    the bucket brigade, where to store the result to
291 * @return result status
292 */
293apr_status_t mgs_filter_output(ap_filter_t * f,
294                                      apr_bucket_brigade * bb);
295
296
297/**
298 * mgs_transport_read is called from GnuTLS to provide encrypted
299 * data from the client.
300 *
301 * @param ptr     pointer to the filter context
302 * @param buffer  place to put data
303 * @param len     maximum size
304 * @return size   length of the data stored in buffer
305 */
306ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
307                                  void *buffer, size_t len);
308
309/**
310 * mgs_transport_write is called from GnuTLS to
311 * write data to the client.
312 *
313 * @param ptr     pointer to the filter context
314 * @param buffer  buffer to write to the client
315 * @param len     size of the buffer
316 * @return size   length of the data written
317 */
318ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
319                                   const void *buffer, size_t len);
320
321
322int mgs_rehandshake(mgs_handle_t * ctxt);
323
324
325
326/**
327 * Init the Cache after Configuration is done
328 */
329int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
330                                 mgs_srvconf_rec *sc);
331/**
332 * Init the Cache inside each Process
333 */
334int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
335                                mgs_srvconf_rec *sc);
336/**
337 * Setup the Session Caching
338 */
339int mgs_cache_session_init(mgs_handle_t *ctxt);
340
341#define GNUTLS_SESSION_ID_STRING_LEN \
342    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
343
344/**
345 * Perform any reinitialization required in PKCS #11
346 */
347int mgs_pkcs11_reinit(server_rec * s);
348
349/**
350 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
351 * @param id raw SSL Session ID
352 * @param idlen Length of the raw Session ID
353 * @param str Location to store the Hex Encoded String
354 * @param strsize The Maximum Length that can be stored in str
355 */
356char *mgs_session_id2sz(unsigned char *id, int idlen,
357                                char *str, int strsize);
358
359/**
360 * Convert a time_t into a Null Terminated String
361 * @param t time_t time
362 * @param str Location to store the Hex Encoded String
363 * @param strsize The Maximum Length that can be stored in str
364 */
365char *mgs_time2sz(time_t t, char *str, int strsize);
366
367
368/* Configuration Functions */
369
370/* Loads all files set in the configuration */
371int mgs_load_files(apr_pool_t * p, server_rec * s);
372
373const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
374                                        const char *arg);
375const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
376                                        const char *arg);
377const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
378                                        const char *arg);
379const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
380                                        const char *arg);
381
382const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
383                             const char *arg);
384
385const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
386                                        const char *arg);
387
388const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
389                             const char *arg);
390
391const char *mgs_set_cache(cmd_parms * parms, void *dummy,
392                          const char *type, const char* arg);
393
394const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
395                                  const char *arg);
396
397const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
398                                  const char *arg);
399
400const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
401                                         const char *arg);
402
403const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
404                                   const char *arg);
405const char *mgs_set_pin(cmd_parms * parms, void *dummy,
406                                   const char *arg);
407
408const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
409                                   const char *arg);
410
411const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
412                                   const char *arg);
413
414const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
415                            const char *arg);
416const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
417                            const char *arg);
418const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
419                            const char *arg);
420const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
421                            const char *arg);
422
423const char *mgs_set_require_section(cmd_parms *cmd,
424                                    void *mconfig, const char *arg);
425void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
426void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
427
428void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
429
430void *mgs_config_dir_create(apr_pool_t *p, char *dir);
431
432const char *mgs_set_require_bytecode(cmd_parms *cmd,
433                                    void *mconfig, const char *arg);
434
435mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
436
437/* mod_gnutls Hooks. */
438
439int mgs_hook_pre_config(apr_pool_t * pconf,
440                        apr_pool_t * plog, apr_pool_t * ptemp);
441
442int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
443                         apr_pool_t * ptemp,
444                         server_rec * base_server);
445
446void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
447
448const char *mgs_hook_http_scheme(const request_rec * r);
449
450apr_port_t mgs_hook_default_port(const request_rec * r);
451
452int mgs_hook_pre_connection(conn_rec * c, void *csd);
453
454int mgs_hook_fixups(request_rec *r);
455
456int mgs_hook_authz(request_rec *r);
457
458#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.