1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2015 Thomas Klute
4 *
5 *  Licensed under the Apache License, Version 2.0 (the "License");
6 *  you may not use this file except in compliance with the License.
7 *  You may obtain a copy of the License at
8 *
9 *      http://www.apache.org/licenses/LICENSE-2.0
10 *
11 *  Unless required by applicable law or agreed to in writing, software
12 *  distributed under the License is distributed on an "AS IS" BASIS,
13 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 *  See the License for the specific language governing permissions and
15 *  limitations under the License.
16 *
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_strings.h"
29#include "apr_tables.h"
30#include "ap_release.h"
31#include "apr_fnmatch.h"
32/* GnuTLS Library Headers */
33#include <gnutls/gnutls.h>
34#if GNUTLS_VERSION_MAJOR == 2
35#include <gnutls/extra.h>
36#endif
37#include <gnutls/abstract.h>
38#include <gnutls/openpgp.h>
39#include <gnutls/x509.h>
40
#ifndef __mod_gnutls_h_inc
#define __mod_gnutls_h_inc
/* NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3); the conventional guard
 * name would be MOD_GNUTLS_H_INC. Left as-is here because the closing
 * #endif comment and possibly other files refer to this name.
 * NOTE(review): the includes above pull in <gnutls/openpgp.h>; that API
 * was dropped from GnuTLS in the 3.6 series, so builds against newer
 * GnuTLS presumably fail at this header -- confirm before relying on it. */

/* Autoconf substitution: non-zero when APR's memcache client is
 * available, which enables the mgs_cache_memcache backend below. */
#define HAVE_APR_MEMCACHE    @have_apr_memcache@

/* The module descriptor; defined in one of the module's .c files. */
extern module AP_MODULE_DECLARE_DATA gnutls_module;

/* IO Filter names: the connection-level filters that decrypt incoming
 * and encrypt outgoing data (see mgs_filter_input / mgs_filter_output). */
#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
/* GnuTLS Constants: tri-state used by the "enabled"-style settings.
 * UNSET presumably lets a vhost inherit the parent's value during
 * mgs_config_server_merge -- confirm against the merge code. */
#define GNUTLS_ENABLED_FALSE 0
#define GNUTLS_ENABLED_TRUE  1
#define GNUTLS_ENABLED_UNSET  2
/* Current module version (autoconf substitution) */
#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"

/* Module Debug Mode (autoconf substitution; presumably the
 * maintainer-mode switch) */
#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@

/*
 * Recent Versions of 2.1 renamed several hooks.
 * This allows us to compile on 2.0.xx
 */
#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
        #define USING_2_1_RECENT 1
#else
        #define USING_2_1_RECENT 0
#endif
70
71/* mod_gnutls Cache Types */
/* mod_gnutls Cache Types: backend for the TLS session cache, selected
 * by mgs_set_cache and stored in mgs_srvconf_rec.cache_type.
 * NOTE(review): any backend other than mgs_cache_none writes session
 * state -- which, by the nature of TLS resumption, includes the
 * secrets needed to resume a session -- outside the worker process.
 * File permissions on the DBM files and the network path to the
 * memcache server therefore matter for confidentiality; confirm how
 * the cache code protects them. */
typedef enum {
        /* No Cache */
    mgs_cache_none,
        /* Use Old Berkley DB */
    mgs_cache_dbm,
        /* Use Gnu's version of Berkley DB */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* Use Memcache. Only present when HAVE_APR_MEMCACHE is set,
         * which shifts the numeric value of mgs_cache_unset between
         * builds -- never persist or compare these values across builds. */
    mgs_cache_memcache,
#endif
    mgs_cache_unset
} mgs_cache_e;
85
/* Client Certificate Verification Method, set by
 * mgs_set_client_verify_method and stored in
 * mgs_srvconf_rec.client_verify_method.
 * NOTE(review): from the names, "cartel" presumably means verification
 * against the configured CA list and "msva" means delegating to a
 * Monkeysphere Validation Agent -- confirm against the implementation. */
typedef enum {
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
91
92
93/* Directory Configuration Record */
/* Directory Configuration Record: per-directory/location settings,
 * created by mgs_config_dir_create and merged by mgs_config_dir_merge. */
typedef struct {
    /* Client certificate verification mode for this location. A mode
     * stricter than the one negotiated at connection setup can only be
     * applied by renegotiating (see mgs_rehandshake) -- TODO confirm
     * that is what mgs_hook_authz does. */
    int client_verify_mode;
    /* Compiled chunk installed by mgs_set_require_bytecode and its
     * length. NOTE(review): if this is Lua bytecode, as the name
     * suggests, the Lua loader does not validate bytecode it is given,
     * so it must only ever originate from the server configuration,
     * never from request data. */
    const char* lua_bytecode;
    apr_size_t lua_bytecode_len;
} mgs_dirconf_rec;
99
100
101/* The maximum number of certificates to send in a chain */
/* The maximum number of certificates to send in a chain */
#define MAX_CHAIN_SIZE 8
/* The maximum number of SANs to read from a x509 certificate
 * (sizes mgs_srvconf_rec.cert_san). NOTE(review): if the loader stops
 * after this many subjectAltNames, a certificate carrying more names
 * will have its later names ignored, e.g. when mgs_find_sni_server
 * matches an SNI name against cert_san -- confirm in the loader and
 * consider raising the limit or reporting truncation in the log. */
#define MAX_CERT_SAN 5
105
106/* Server Configuration Record */
/* Server Configuration Record: one per server_rec (main server and
 * each vhost), created by mgs_config_server_create and merged by
 * mgs_config_server_merge. The first group holds values parsed from
 * directives; the second is populated later (see mgs_load_files,
 * mgs_cache_post_config, mgs_cache_child_init). */
typedef struct {
    /* --- Configuration values --- */
        /* Is the module enabled? (GNUTLS_ENABLED_*) */
    int enabled;
        /* Is mod_proxy enabled? (GNUTLS_ENABLED_*, presumably set by
         * mgs_set_proxy_engine) */
    int proxy_enabled;
        /* A Plain HTTP request */
    int non_ssl_request;

    /* Additional PKCS #11 provider module to load, only valid in the
     * base config, ignored in virtual hosts */
    char *p11_module;

    /* PIN used for PKCS #11 operations.
     * NOTE(review): held as a plain string in pool memory for the life
     * of the configuration, so it appears in core dumps and is readable
     * by any in-process code; nothing in this header zeroises it. */
    char *pin;

    /* the SRK PIN used in TPM operations (same caveat as pin) */
    char *srk_pin;

    /* Paths of the server certificate (mgs_set_cert_file), its private
     * key (mgs_set_key_file) and a CA bundle (presumably
     * mgs_set_client_ca_file; loaded into ca_list below). */
    char *x509_cert_file;
    char *x509_key_file;
    char *x509_ca_file;

    /* Paths of the OpenPGP certificate (mgs_set_pgpcert_file), key
     * (mgs_set_pgpkey_file) and keyring (presumably mgs_set_keyring_file). */
    char *pgp_cert_file;
    char *pgp_key_file;
    char *pgp_ring_file;

    /* Path of the DH parameters file (mgs_set_dh_file); loaded into
     * dh_params below. */
    char *dh_file;

    /* GnuTLS priority strings for server and proxy connections; parsed
     * into priorities / proxy_priorities below. */
    char *priorities_str;
    char *proxy_priorities_str;

    /* SRP password and configuration file paths
     * (mgs_set_srp_tpasswd_file / mgs_set_srp_tpasswd_conf_file). */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;

        /* Cache timeout value (mgs_set_cache_timeout) */
    int cache_timeout;
        /* Chose Cache Type (mgs_set_cache) */
    mgs_cache_e cache_type;
        /* Backend-specific cache argument, e.g. a path or host list */
    const char* cache_config;

        /* GnuTLS uses Session Tickets (GNUTLS_ENABLED_*, mgs_set_tickets).
         * NOTE(review): with tickets the resumption secret is protected
         * by a server-side ticket key whose rotation this header does
         * not show; forward secrecy of resumed sessions depends on it. */
    int tickets;

    /* --- Things initialized at _child_init --- */

    /* x509 Certificate Structure */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Paths of the client certificate/key presented to backends and of
     * the CA and CRL used to verify them (presumably stored by
     * mgs_store_cred_path). */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure*/
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure.
     * NOTE(review): anonymous key exchange provides no server
     * authentication; it is only reachable if the priority string
     * admits ANON ciphersuites -- confirm the default does not. */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections (same caveat: no backend authentication) */
    gnutls_anon_client_credentials_t anon_client_creds;
        /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
        /* Current x509 Certificate SAN [Subject Alternate Name]s;
         * at most MAX_CERT_SAN entries are kept */
    char* cert_san[MAX_CERT_SAN];
        /* An x509 Certificate Chain (two views of the same chain) */
    gnutls_pcert_st *certs_x509_chain;
    gnutls_x509_crt_t *certs_x509_crt_chain;
        /* Number of Certificates in Chain (valid entries in both arrays) */
    unsigned int certs_x509_chain_num;

        /* Current x509 Certificate Private Key */
    gnutls_privkey_t privkey_x509;

        /* OpenPGP Certificate */
    gnutls_pcert_st *cert_pgp;
    gnutls_openpgp_crt_t *cert_crt_pgp;

        /* OpenPGP Certificate Private Key */
    gnutls_privkey_t privkey_pgp;
#if GNUTLS_VERSION_NUMBER < 0x030312
    /* Internal structure for the OpenPGP private key, used in the
     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
     * frees memory that is still needed. DO NOT USE for any other
     * purpose. */
    gnutls_openpgp_privkey_t privkey_pgp_internal;
#endif

    /* Export full certificates to CGI environment: size limit set by
     * mgs_set_export_certificates_size (units and the meaning of 0 are
     * not visible here -- see the setter) */
    int export_certificates_size;
        /* GnuTLS Priorities (parsed from priorities_str) */
    gnutls_priority_t priorities;
        /* GnuTLS DH Parameters (loaded from dh_file) */
    gnutls_dh_params_t dh_params;
        /* A list of CA Certificates (ca_list_size entries) */
    gnutls_x509_crt_t *ca_list;
        /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
        /* CA Certificate list size */
    unsigned int ca_list_size;
        /* Client Certificate Verification Mode (mgs_set_client_verify);
         * presumably a GNUTLS_CERT_* request mode -- confirm */
    int client_verify_mode;
        /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
        /* Last Cache timestamp: last time the cache was checked, used by
         * the cache code (presumably to rate-limit expiry sweeps) */
    apr_time_t last_cache_check;
} mgs_srvconf_rec;
218
219/* Character Buffer */
/* Character Buffer: a pointer/length pair; value is not necessarily
 * NUL-terminated. NOTE(review): length is a signed int while the
 * surrounding APR code sizes things with apr_size_t -- any comparison
 * or arithmetic mixing the two is subject to signed/unsigned promotion,
 * and a negative length must be rejected by the code that fills it. */
typedef struct {
    int length;
    char *value;
} mgs_char_buffer_t;
224
225/* GnuTLS Handle */
/* GnuTLS Handle: per-connection state shared by the input and output
 * filters and handed to GnuTLS as the transport pointer for
 * mgs_transport_read / mgs_transport_write (presumably via
 * gnutls_transport_set_ptr; see mgs_hook_pre_connection). */
typedef struct {
        /* Server configuration record; with SNI this may be swapped to
         * the vhost chosen by mgs_find_sni_server -- TODO confirm */
    mgs_srvconf_rec *sc;
        /* Connection record */
    conn_rec* c;
        /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? (outgoing, mod_proxy-initiated) */
    int is_proxy;
        /* GnuTLS Session handle */
    gnutls_session_t session;
        /* module input status (last apr_status_t seen on the input side) */
    apr_status_t input_rc;
        /* Input filter */
    ap_filter_t *input_filter;
        /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
        /* Input Read Type (APR_BLOCK_READ / APR_NONBLOCK_READ) */
    apr_read_type_e input_block;
        /* Input Mode (ap_input_mode_t of the pending read) */
    ap_input_mode_t input_mode;
        /* Input Character Buffer; presumably a window into
         * input_buffer, so writers must stay within AP_IOBUFSIZE */
    mgs_char_buffer_t input_cbuf;
        /* Input Character Array (fixed size, lives inside the handle) */
    char input_buffer[AP_IOBUFSIZE];
        /* module Output status (last apr_status_t seen on the output side) */
    apr_status_t output_rc;
        /* Output filter */
    ap_filter_t *output_filter;
        /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
        /* Output character array (fixed size, lives inside the handle) */
    char output_buffer[AP_IOBUFSIZE];
        /* Output buffer length: bytes currently staged in output_buffer;
         * must never exceed AP_IOBUFSIZE */
    apr_size_t output_blen;
        /* Output length */
    apr_size_t output_length;
        /* General Status */
    int status;
} mgs_handle_t;
266
267
268
269/** Functions in gnutls_io.c **/
270
/* apr_signal_block() for blocking SIGPIPE: a write to a connection the
 * peer has already closed must surface as an error return from
 * mgs_transport_write rather than terminate the worker process.
 * NOTE(review): this is a hand-written redeclaration of an APR function
 * rather than an include of apr_signal.h; confirm the signature matches
 * the APR version being built against. */
apr_status_t apr_signal_block(int signum);

/* Proxy Support */
/* An optional function which returns non-zero if the given connection
is using SSL/TLS. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* NOTE(review): these three names are the optional functions mod_ssl
 * also registers. If both modules are loaded, which implementation
 * mod_proxy retrieves presumably depends on registration order, so
 * loading mod_gnutls alongside mod_ssl should be documented as
 * unsupported or detected at startup. */
int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler enabling TLS for outgoing proxy connections
 * (presumably sets mgs_srvconf_rec.proxy_enabled). Returns NULL on
 * success or an error string, per the Apache directive convention. */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
    const char *arg);
/* Pool cleanup registered from the pre_config hook. */
apr_status_t mgs_cleanup_pre_config(void *data);
289
/**
 * mgs_filter_input is the connection input filter (registered as
 * GNUTLS_INPUT_FILTER_NAME): it obtains ciphertext from the filters
 * below it, decrypts it through the GnuTLS session and delivers the
 * cleartext in bb.
 *
 * @param f         the filter info record; f->ctx is presumably the
 *                  mgs_handle_t created in mgs_hook_pre_connection
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      ap_input_mode_t: what shall we read (line, bytes,
 *                  speculative, ...)?
 * @param block     APR_BLOCK_READ or APR_NONBLOCK_READ -- a blocking
 *                  flag, not a block index
 * @param readbytes upper bound on the bytes to return for
 *                  AP_MODE_READBYTES, per the ap_in_filter_func contract
 * @return result status
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);
305
/**
 * mgs_filter_output is the connection output filter (registered as
 * GNUTLS_OUTPUT_FILTER_NAME): it encrypts the buckets in bb through
 * the GnuTLS session and passes the ciphertext on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to send
 * @return result status
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);
316
317
/**
 * mgs_transport_read is the GnuTLS pull callback: GnuTLS calls it to
 * obtain encrypted data from the client.
 *
 * @param ptr     pointer to the filter context (the mgs_handle_t)
 * @param buffer  place to put data
 * @param len     maximum size
 * @return size   length of the data stored in buffer. Under the
 *                gnutls pull-function contract 0 means EOF and -1 with
 *                errno set (EAGAIN/EINTR for "retry") means an error;
 *                confirm the implementation follows this, since
 *                returning 0 on a transient failure would be treated
 *                as a clean close by GnuTLS.
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);
329
/**
 * mgs_transport_write is the GnuTLS push callback: GnuTLS calls it to
 * write encrypted data to the client.
 *
 * @param ptr     pointer to the filter context (the mgs_handle_t)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; under the gnutls
 *                push-function contract -1 with errno set signals an
 *                error. With SIGPIPE blocked (see apr_signal_block
 *                above) a closed peer must surface here as an error
 *                return, not as a signal.
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);
341
342
/* Renegotiate the TLS session on an established connection; presumably
 * used when a per-directory client_verify_mode requires a client
 * certificate the initial handshake did not ask for (see
 * mgs_hook_authz). The return convention is not documented here.
 * NOTE(review): renegotiation should only be attempted when the peer
 * supports secure renegotiation (RFC 5746); confirm the implementation
 * checks gnutls_safe_renegotiation_status() or that the priority
 * string enforces it, since an unverified rehandshake is the classic
 * renegotiation-injection scenario. */
int mgs_rehandshake(mgs_handle_t * ctxt);
344
345
346
/**
 * Init the Cache after Configuration is done (post_config stage, i.e.
 * in the parent before worker processes are created).
 */
int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
                                 mgs_srvconf_rec *sc);
/**
 * Init the Cache inside each Process (child_init stage). Anything that
 * must not be shared across fork() -- open DB handles, memcache
 * connections -- presumably gets (re)opened here.
 */
int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
                                mgs_srvconf_rec *sc);
/**
 * Setup the Session Caching for one connection: presumably installs
 * the session store/retrieve/remove callbacks on ctxt->session for the
 * configured cache_type.
 */
int mgs_cache_session_init(mgs_handle_t *ctxt);

/* Buffer size for the hex form of a session ID as written by
 * mgs_session_id2sz: two hex digits per byte plus a NUL terminator.
 * Because the +1 is applied before doubling, this is one byte more
 * than the minimum 2*GNUTLS_MAX_SESSION_ID+1. */
#define GNUTLS_SESSION_ID_STRING_LEN \
    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
364
/**
 * Perform any reinitialization required in PKCS #11. PKCS #11
 * providers must be re-initialised in a child after fork(), so this is
 * presumably called from mgs_hook_child_init -- confirm.
 */
int mgs_pkcs11_reinit(server_rec * s);
369
/**
 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
 * @param id raw SSL Session ID
 * @param idlen Length of the raw Session ID. A full encoding needs
 *        2*idlen+1 bytes of output; this value may originate from the
 *        peer on resumption, so the implementation must stop at
 *        strsize rather than trust idlen -- TODO confirm.
 * @param str Location to store the Hex Encoded String
 * @param strsize The Maximum Length that can be stored in str; a
 *        buffer of GNUTLS_SESSION_ID_STRING_LEN bytes is sufficient
 *        for any GnuTLS session ID
 * @return presumably str (not documented here)
 */
char *mgs_session_id2sz(unsigned char *id, int idlen,
                                char *str, int strsize);
379
/**
 * Convert a time_t into a Null Terminated String
 * @param t time_t time
 * @param str Location to store the formatted time string (the output
 *        format is not documented here; the original comment's "Hex
 *        Encoded" was a copy-paste error from mgs_session_id2sz)
 * @param strsize The Maximum Length that can be stored in str
 * @return presumably str (not documented here)
 */
char *mgs_time2sz(time_t t, char *str, int strsize);
387
388
/* Configuration Functions */

/* Loads all files set in the configuration (certificates, keys, CA
 * bundles, DH parameters, SRP and OpenPGP material) into the GnuTLS
 * structures of each server's mgs_srvconf_rec.
 * NOTE(review): if this runs at post_config, as the signature suggests,
 * key files are read by the parent before privileges are dropped; that
 * is what allows root-only key files and should be stated in the docs. */
int mgs_load_files(apr_pool_t * p, server_rec * s);

/* Directive handlers. Each is an Apache cmd_func: it records its
 * argument(s) in the configuration record of parms->server (or, for
 * the per-directory handlers, in mconfig) and returns NULL on success
 * or an error string that aborts startup. */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* Two-argument handler: the cache backend name (see mgs_cache_e) and
 * the backend-specific argument stored in cache_config. */
const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                          const char *type, const char* arg);

const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Only valid in the base config; see mgs_srvconf_rec.p11_module. */
const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
                               const char *arg);

/* The PIN handlers store a secret taken from httpd.conf; see the
 * note on mgs_srvconf_rec.pin about its lifetime in memory. */
const char *mgs_set_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
/* Parses a GnuTLS priority string into priorities_str; an invalid
 * string should be rejected here, at startup, rather than at handshake
 * time -- confirm. */
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const char *arg);

/* Per-directory handlers: mconfig is the mgs_dirconf_rec. */
const char *mgs_set_require_section(cmd_parms *cmd,
                                    void *mconfig, const char *arg);
/* Create / merge the per-server record. The merge must treat
 * GNUTLS_ENABLED_UNSET (and mgs_cache_unset, mgs_cvm_unset) as
 * "inherit from BASE" -- presumably; confirm in the implementation. */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Create / merge the per-directory record (mgs_dirconf_rec). */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

void *mgs_config_dir_create(apr_pool_t *p, char *dir);

const char *mgs_set_require_bytecode(cmd_parms *cmd,
                                    void *mconfig, const char *arg);

/* Select the vhost whose certificate names (cert_cn / cert_san) match
 * the SNI host name sent in the ClientHello of session.
 * NOTE(review): the SNI name is attacker-controlled input; the lookup
 * must treat it as an untrusted, possibly unterminated byte string
 * (bounded comparison, no unescaped use in log format strings). */
mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);

/* Presumably records the proxy credential paths
 * (proxy_x509_*_file in mgs_srvconf_rec) -- confirm. */
const char *mgs_store_cred_path(cmd_parms * parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
465
/* mod_gnutls Hooks. These are registered with the core in the module's
 * register_hooks function; the stage each runs at follows from its name. */

/* pre_config: global GnuTLS initialisation and registration of the
 * mgs_cleanup_pre_config pool cleanup (presumably). */
int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* post_config: runs once in the parent after the configuration is
 * read; presumably where mgs_load_files and mgs_cache_post_config are
 * called for every server in the base_server list. */
int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                         apr_pool_t * ptemp,
                         server_rec * base_server);

/* child_init: per-worker setup after fork (see mgs_cache_child_init,
 * mgs_pkcs11_reinit). */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme / default_port: report the scheme and port for
 * TLS-enabled connections so redirects and self-referential URLs are
 * built correctly (presumably "https" and 443 -- confirm). */
const char *mgs_hook_http_scheme(const request_rec * r);

apr_port_t mgs_hook_default_port(const request_rec * r);

/* pre_connection: creates the mgs_handle_t for c and installs the
 * input/output filters when TLS is enabled for the server (presumably;
 * csd is the connection's socket descriptor). */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

/* fixups: presumably exports the SSL_* environment variables
 * (including certificates, bounded by export_certificates_size) for
 * CGI and similar handlers. */
int mgs_hook_fixups(request_rec *r);

/* authz: presumably enforces the per-directory client_verify_mode,
 * triggering mgs_rehandshake when a client certificate is required
 * that the connection does not yet have. */
int mgs_hook_authz(request_rec *r);
486
487#endif /*  __mod_gnutls_h_inc */