source: mod_gnutls/include/mod_gnutls.h.in @ de3fad3

debian/master
Last change on this file since de3fad3 was de3fad3, checked in by Fiona Klute <fiona.klute@…>, 11 months ago

Require handshake and request to use the same server

The new check prevents clients from establishing a TLS connection to
one virtual host and then requesting data from another. This is
particularly important for servers using TLS client authentication as
the only means of access control, because the server context for
certificate validation is selected based on the TLS connection.

1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2018 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_strings.h"
29#include "apr_tables.h"
30#include "ap_release.h"
31#include "apr_fnmatch.h"
32/* GnuTLS Library Headers */
33#include <gnutls/gnutls.h>
34#include <gnutls/abstract.h>
35#include <gnutls/x509.h>
36
#ifndef __mod_gnutls_h_inc
#define __mod_gnutls_h_inc
/* NOTE(review): identifiers beginning with a double underscore are
 * reserved for the C implementation; the guard works in practice, but
 * a name like MOD_GNUTLS_H_INC would be conforming. Also note that the
 * #include lines above sit outside this guard, so they are reprocessed
 * on every inclusion (harmless, as they carry their own guards). */

/** The httpd module record for mod_gnutls; defined in the module's
 * main source file (not visible in this header). */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names: the connection-level filters that decrypt incoming
 * and encrypt outgoing data (see mgs_filter_input / mgs_filter_output
 * below) are registered and inserted under these names. */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state values for on/off settings. UNSET marks
 * a value that was never configured explicitly, presumably so config
 * merging can distinguish "not set" from "off". The three values fit
 * in a 2-bit field (see mgs_srvconf_rec.cache_enable). */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version; the @...@ placeholder is substituted when
 * this .in template is processed at configure time. */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode, substituted at configure time like the version
 * above. NOTE(review): debug output may include connection details;
 * keep this off in production builds. */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/** Name of the module-wide singleton watchdog (used for the async OCSP
 * cache updates referenced by mgs_srvconf_rec.singleton_wd) */
#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
57
58
/* Internal cache data, defined in gnutls_cache.h. Opaque to this
 * header; only the pointer is handed around. (The typedef hides the
 * indirection, which is the project's convention for opaque handles.) */
typedef struct mgs_cache* mgs_cache_t;
61
/** Method used to validate client certificates when client
 * verification is enabled; selected per server by
 * mgs_set_client_verify_method (declared below) and stored in
 * mgs_srvconf_rec.client_verify_method. What each method does is
 * implemented elsewhere, not visible in this header. The enumerator
 * order is part of the config ABI: append new values, do not reorder. */
typedef enum {
    /* Not configured; presumably lets config merging inherit a value */
    mgs_cvm_unset,
    /* "cartel" validation method */
    mgs_cvm_cartel,
    /* "msva" validation method */
    mgs_cvm_msva
} mgs_client_verification_method_e;
67
68
/* Directory Configuration Record: per-directory/location setting that
 * can override the server-level client certificate verification mode
 * (same-named field in mgs_srvconf_rec). Created and merged by
 * mgs_config_dir_create / mgs_config_dir_merge (declared below). */
typedef struct {
    /* Client certificate verification mode for this directory */
    int client_verify_mode;
} mgs_dirconf_rec;
73
74
/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h. Opaque
 * here; stored in mgs_srvconf_rec.ocsp. */
typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
77
78
/* The maximum number of certificates to send in a chain. What happens
 * to a configured chain longer than this (truncation or a load error)
 * is decided where the chain is loaded (mgs_load_files, presumably),
 * not here; sizes of certs_x509_chain in mgs_srvconf_rec are bounded
 * by this value. */
#define MAX_CHAIN_SIZE 8
81
/** Server Configuration Record: one per server_rec (base server and
 * each virtual host), created by mgs_config_server_create and merged
 * by mgs_config_server_merge. Which record applies to a TLS connection
 * is decided by the handshake (SNI lookup, see mgs_find_sni_server);
 * since the client certificate verification context comes from that
 * record, requests are later tied to the same server by
 * mgs_req_vhost_check. */
typedef struct {
    /* --- Configuration values --- */
    /* Is the module enabled? (GNUTLS_ENABLED_* tri-state) */
    int enabled;
    /* Is mod_proxy enabled? (TLS for outgoing proxy connections) */
    int proxy_enabled;

    /* List of PKCS #11 provider modules to load, only valid in the
     * base config, ignored in virtual hosts */
    apr_array_header_t *p11_modules;

    /* PIN used for PKCS #11 operations.
     * NOTE(review): this is a secret held in plaintext in process
     * memory and config; it must never be logged or exported to the
     * CGI environment. */
    char *pin;

    /* the SRK PIN used in TPM operations (secret, same caveat as pin) */
    char *srk_pin;

    /* Paths of the server certificate (chain), its private key, and
     * the CA file; loaded into the gnutls_* fields below by
     * mgs_load_files. */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* Path of the DH parameter file (loaded into dh_params) */
    char *dh_file;

    /* GnuTLS priority strings (cipher suite / protocol selection) for
     * server-side and proxy (client-side) connections, parsed into
     * priorities / proxy_priorities. */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password (verifier) file and its parameter file */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

    /* Cache timeout value (session cache) */
    int cache_timeout;
    /* Enable cache: 2-bit field holding a GNUTLS_ENABLED_* value */
    unsigned char cache_enable : 2;
    /* Internal cache data */
    mgs_cache_t cache;

    /* GnuTLS uses Session Tickets.
     * NOTE(review): how the ticket encryption key is generated and
     * rotated is not visible here; confirm it is rotated, since a
     * long-lived key weakens forward secrecy for resumed sessions. */
    int tickets;

    /* x509 Certificate Structure (server credentials) */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds (what backend certificates are
     * verified against) */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Files backing the proxy credentials and trust list */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure (server SRP credentials) */
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure.
     * NOTE(review): anonymous key exchange gives no server
     * authentication; whether it is actually offered is presumably
     * governed by the priority string. */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections (same caveat: no authentication of the backend) */
    gnutls_anon_client_credentials_t anon_client_creds;
    /* An x509 Certificate Chain, in both pcert and crt form; at most
     * MAX_CHAIN_SIZE entries */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
    /* Number of Certificates in Chain */
    unsigned int certs_x509_chain_num;

    /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

    /* Export full certificates to CGI environment: size setting, set
     * by mgs_set_export_certificates_size (semantics in the
     * implementation) */
    int export_certificates_size;
    /* GnuTLS Priorities (parsed from priorities_str) */
    gnutls_priority_t priorities;
    /* GnuTLS DH Parameters */
    gnutls_dh_params_t dh_params;
    /* A list of CA Certificates (presumably the trust anchors for
     * client certificate verification; loaded from x509_ca_file) */
    gnutls_x509_crt_t *ca_list;
    /* CA Certificate list size */
    unsigned int ca_list_size;
    /* Client Certificate Verification Mode. This is per server record,
     * i.e. per virtual host as selected by the handshake; a directory
     * level value may override it (mgs_dirconf_rec). */
    int client_verify_mode;
    /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;

    /* Enable OCSP stapling */
    unsigned char ocsp_staple;
    /* Automatically refresh cached OCSP response? */
    unsigned char ocsp_auto_refresh;
    /* Check nonce in OCSP responses? NOTE(review): when this is off,
     * freshness of a response rests on its validity window alone;
     * confirm the default in the implementation. */
    unsigned char ocsp_check_nonce;
    /* Read OCSP response for stapling from this file instead of
     * sending a request over HTTP */
    char *ocsp_response_file;
    /* Internal OCSP data for this server */
    mgs_ocsp_data_t ocsp;
    /* Mutex to prevent parallel OCSP requests */
    apr_global_mutex_t *ocsp_mutex;
    /* Internal OCSP cache data */
    mgs_cache_t ocsp_cache;
    /* Cache timeout for OCSP responses. Note that the nextUpdate
     * field of the response takes precedence if shorter. */
    apr_interval_time_t ocsp_cache_time;
    /* If an OCSP request fails wait this long before trying again. */
    apr_interval_time_t ocsp_failure_timeout;
    /** How long before a cached OCSP response expires should it be
     * updated? During configuration parsing this is set to the
     * maximum, during post configuration the value will be set to
     * half that. After each update the interval for the next one
     * is chosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
     * RANDOM` with `0 <= RANDOM <= 1`. */
    apr_interval_time_t ocsp_fuzz_time;
    /* Socket timeout for OCSP requests */
    apr_interval_time_t ocsp_socket_timeout;

    /** This module's singleton watchdog, used for async OCSP cache
     * updates. */
    struct mgs_watchdog *singleton_wd;
} mgs_srvconf_rec;
199
/* Character Buffer: a pointer plus the number of bytes available at it.
 * NOTE(review): length is a signed int; code that fills or drains the
 * buffer must keep it non-negative and within the allocation behind
 * value (how value is allocated is not visible here). */
typedef struct {
    /* Number of bytes at value */
    int length;
    /* Start of the data */
    char *value;
} mgs_char_buffer_t;
205
/** GnuTLS connection handle: per-connection state shared by the input
 * and output filters and the GnuTLS transport callbacks. Obtained for a
 * connection via get_effective_gnutls_ctxt(). */
typedef struct {
    /* Server configuration record in effect for this connection. After
     * the handshake this is presumably the SNI-selected virtual host;
     * it is the server whose client certificate verification settings
     * applied, so requests on the connection must be served by it. */
    mgs_srvconf_rec *sc;
    /* Connection record */
    conn_rec* c;
    /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? (outgoing, mod_gnutls acts as the
     * TLS client) */
    int is_proxy;
    /* GnuTLS Session handle */
    gnutls_session_t session;
    /* module input status: last status of the input side, reported
     * back to the filter chain */
    apr_status_t input_rc;
    /* Input filter */
    ap_filter_t *input_filter;
    /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
    /* Input Read Type (blocking/non-blocking, apr_read_type_e) */
    apr_read_type_e input_block;
    /* Input Mode (ap_input_mode_t requested by the caller) */
    ap_input_mode_t input_mode;
    /* Input Character Buffer (view into input_buffer, presumably) */
    mgs_char_buffer_t input_cbuf;
    /* Input Character Array: fixed-size staging buffer embedded in
     * the handle */
    char input_buffer[AP_IOBUFSIZE];
    /* module Output status */
    apr_status_t output_rc;
    /* Output filter */
    ap_filter_t *output_filter;
    /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
    /* Output character array: fixed-size staging buffer */
    char output_buffer[AP_IOBUFSIZE];
    /* Output buffer length (bytes currently in output_buffer; must
     * never exceed AP_IOBUFSIZE) */
    apr_size_t output_blen;
    /* Output length */
    apr_size_t output_length;
    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
     * error (checks use status < 0 or status > 0) */
    int status;
} mgs_handle_t;
248
249
250
/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE. This re-declares the APR
 * function here, presumably because apr_signal.h is not among the
 * includes above; the signature must stay in sync with APR's. */
apr_status_t apr_signal_block(int signum);
255
/* Proxy Support */
/** mod_proxy adds a note with this key to the connection->notes table
 * for client connections. Its value is the backend host name used for
 * SNI on outgoing connections (and presumably for matching the backend
 * certificate; check the implementation). */
#define PROXY_SNI_NOTE "proxy-request-hostname"
/* The optional functions below carry the same names as mod_ssl's,
 * presumably so that mod_proxy and other consumers that look them up
 * by name work unchanged with mod_gnutls. */
/* An optional function which returns non-zero if the given connection
is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_var_lookup() optional function retrieves SSL environment
 * variables. */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
                        (apr_pool_t *, server_rec *,
                         conn_rec *, request_rec *,
                         char *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* ssl_engine_set has no plain prototype below, unlike the others; its
 * definition (if any) is in a source file not visible here. */
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
                                              ap_conf_vector_t *,
                                              int proxy, int enable));
/* Returns the mgs_handle_t in effect for connection c */
mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
/* Plain prototypes of the optional functions declared above */
int ssl_is_https(conn_rec *c);
char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
                     request_rec *r, char *var);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler for the proxy engine flag (sets
 * mgs_srvconf_rec.proxy_enabled, presumably) */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
                                 const int arg);
/* Pool cleanup callback (apr_pool cleanup signature) registered from
 * the pre_config hook */
apr_status_t mgs_cleanup_pre_config(void *data);
286
/**
 * mgs_filter_input is the connection input filter: it reads encrypted
 * data from the next filter down, decrypts it using GnuTLS and passes
 * the cleartext up in the supplied brigade.
 *
 * @param f         the filter info record (its ctx is the mgs_handle_t)
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      httpd input mode (ap_input_mode_t) requested by the caller
 * @param block     blocking or non-blocking read (an apr_read_type_e
 *                  enumerator, not a block index)
 * @param readbytes number of bytes requested by the caller
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);
302
/**
 * mgs_filter_output is the connection output filter: it encrypts the
 * incoming brigade using GnuTLS and passes the result on to the next
 * filter.
 *
 * @param f     the filter info record (its ctx is the mgs_handle_t)
 * @param bb    the bucket brigade holding the cleartext to send
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);
313
314
/**
 * mgs_transport_read is called from GnuTLS (pull callback) to provide
 * encrypted data from the client.
 *
 * @param ptr     pointer to the filter context (gnutls_transport_ptr_t
 *                registered with the session)
 * @param buffer  place to put data
 * @param len     maximum size
 * @return size   length of the data stored in buffer; the GnuTLS
 *                callback contract (return -1 and set errno on error,
 *                EAGAIN/EINTR for retry) is assumed — confirm in
 *                gnutls_io.c
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);
326
/**
 * mgs_transport_write is called from GnuTLS (push callback) to
 * write data to the client.
 *
 * @param ptr     pointer to the filter context (gnutls_transport_ptr_t
 *                registered with the session)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; error reporting follows
 *                the GnuTLS push callback contract (presumably -1 with
 *                errno set) — confirm in gnutls_io.c
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);
338
339
340int mgs_rehandshake(mgs_handle_t * ctxt);
341
342
343
/**
 * Perform any reinitialization required in PKCS #11 (e.g. after a
 * fork; provider modules are listed in the base server's p11_modules).
 *
 * @param s server record whose configuration is used
 * @return int status; meaning defined by the implementation
 */
int mgs_pkcs11_reinit(server_rec * s);
348
349
350
/* Configuration Functions */

/* Loads all files set in the configuration of server s (certificates,
 * keys, CA list, DH parameters, ...) into the corresponding gnutls_*
 * fields of its mgs_srvconf_rec. All three pointer arguments must be
 * non-NULL (enforced by the nonnull attribute at call sites that the
 * compiler can see). */
int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
    __attribute__((nonnull));
356
/* Directive handlers for the module's configuration commands (httpd
 * command-table callbacks). By httpd convention each returns NULL on
 * success or an error message for httpd to report. `dummy` is the
 * per-directory config slot, unused by these server-level directives.
 * What each directive does with its argument is implemented in the
 * config source, not here. */

/* Directives taking a single string argument (file paths, mode names,
 * priority strings, ...). Paths for pin/srk_pin-style secrets are
 * stored in plaintext in mgs_srvconf_rec. */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_dh_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_cert_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_key_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_client_verify(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_client_verify_method(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_client_ca_file(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_p11_module(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_pin(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_srk_pin(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_export_certificates_size(cmd_parms *parms, void *dummy, const char *arg);
const char *mgs_set_priorities(cmd_parms *parms, void *dummy, const char *arg);

/* On/off flag directives */
const char *mgs_set_enabled(cmd_parms *parms, void *dummy, const int arg);
const char *mgs_set_tickets(cmd_parms *parms, void *dummy, const int arg);
397
/* Server config lifecycle: create the mgs_srvconf_rec for server s,
 * then merge a virtual host's record (ADD) over its base (BASE). */
void *mgs_config_server_create(apr_pool_t *p, server_rec *s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Directory config lifecycle (mgs_dirconf_rec), same pattern */
void *mgs_config_dir_create(apr_pool_t *p, char *dir);
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

/* Find the server configuration matching the server name the client
 * sent via SNI on session. NOTE(review): the SNI name is
 * client-controlled input, and the record chosen here supplies the
 * client certificate verification context for the whole connection;
 * that is why mgs_req_vhost_check later requires every request on the
 * connection to target this same server. The behaviour when no vhost
 * matches is in the implementation, not visible here. */
mgs_srvconf_rec *mgs_find_sni_server(gnutls_session_t session);

/* Directive handler storing a credential path; the directory slot is
 * unused. */
const char *mgs_store_cred_path(cmd_parms *parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
410
/* mod_gnutls Hooks: the entry points registered with httpd (the
 * registration itself lives in the module source). Return values
 * follow the httpd convention for the respective hook as far as the
 * types show; the exact codes are in the implementation. */

/* pre_config: runs before the configuration is read. */
int mgs_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp);

/* post_config: runs after the whole configuration has been read;
 * base_server heads the server list. */
int mgs_hook_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp,
                         server_rec *base_server);

/* child_init: per child process initialisation. */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme / default_port: scheme and port reported for request r
 * (presumably "https" and 443 when TLS is enabled on the connection). */
const char *mgs_hook_http_scheme(const request_rec *r);
apr_port_t mgs_hook_default_port(const request_rec *r);

/* pre_connection: csd is the client socket descriptor as httpd passes
 * it (void *). */
int mgs_hook_pre_connection(conn_rec *c, void *csd);

/* process_connection hook. */
int mgs_hook_process_connection(conn_rec *c);

/* fixups hook, per request. */
int mgs_hook_fixups(request_rec *r);

/* Post request hook: checks that the virtual host selected to serve r
 * is the one the TLS handshake was performed with. Without this a
 * client could complete the handshake against one vhost and then send
 * a Host header naming another; because the client certificate
 * verification context is chosen per TLS connection, a vhost relying
 * on TLS client authentication as its only access control could be
 * bypassed that way. How a mismatch is reported (the int return) is in
 * the implementation. */
int mgs_req_vhost_check(request_rec *r);

/* authz hook, per request. */
int mgs_hook_authz(request_rec *r);
437
438#endif /*  __mod_gnutls_h_inc */