source: mod_gnutls/include/mod_gnutls.h.in @ f030883

Last change on this file since f030883 was f030883, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Set GnuTLS priorities for proxy connections separately

Until now, proxy connections were configured with the same priorities as
the server side. This commit introduces the new configuration option
"GnuTLSProxyPriorities" to set the priorities for proxy connections
separately. Note that GnuTLSProxyPriorities MUST be set when
SSLProxyEngine is enabled.

Since the parameters to GnuTLSPriorities and GnuTLSProxyPriorities need
the same processing, mgs_set_priorities has been rewritten to select the
priority cache to write to based on the option name, rather than adding
a new function to handle GnuTLSProxyPriorities.

1/**
2 *  Copyright 2004-2005 Paul Querna
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 *
16 */
17
18/* Apache Runtime Headers */
19#include "httpd.h"
20#include "http_config.h"
21#include "http_protocol.h"
22#include "http_connection.h"
23#include "http_request.h"
24#include "http_core.h"
25#include "http_log.h"
26#include "apr_buckets.h"
27#include "apr_strings.h"
28#include "apr_tables.h"
29#include "ap_release.h"
30#include "apr_fnmatch.h"
31/* GnuTLS Library Headers */
32#include <gnutls/gnutls.h>
33#if GNUTLS_VERSION_MAJOR == 2
34#include <gnutls/extra.h>
35#endif
36#include <gnutls/openpgp.h>
37#include <gnutls/x509.h>
38
39#ifndef __mod_gnutls_h_inc
40#define __mod_gnutls_h_inc
41
42#define HAVE_APR_MEMCACHE    @have_apr_memcache@
43
44extern module AP_MODULE_DECLARE_DATA gnutls_module;
45
46/* IO Filter names */
47#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
48#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
49/* GnuTLS Constants */
50#define GNUTLS_ENABLED_FALSE 0
51#define GNUTLS_ENABLED_TRUE  1
52#define GNUTLS_ENABLED_UNSET  2
53/* Current module version */
54#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
55
56/* Module Debug Mode */
57#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
58
59/*
60 * Recent Versions of 2.1 renamed several hooks.
61 * This allows us to compile on 2.0.xx
62 */
63#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
64        #define USING_2_1_RECENT 1
65#else
66        #define USING_2_1_RECENT 0
67#endif
68
/* mod_gnutls session cache backends.  Presumably selected by the "type"
 * argument of mgs_set_cache() declared below — confirm in the config code.
 * NOTE(review): the numeric value of mgs_cache_unset depends on whether
 * HAVE_APR_MEMCACHE was set at configure time, so this enum must not be
 * exchanged between objects built with different configurations. */
typedef enum {
        /* No cache */
    mgs_cache_none,
        /* Old Berkeley DB (dbm) backend */
    mgs_cache_dbm,
        /* GNU's version of Berkeley DB (gdbm) backend */
    mgs_cache_gdbm,
#if HAVE_APR_MEMCACHE
        /* memcached backend via apr_memcache; only compiled in when
         * HAVE_APR_MEMCACHE is non-zero */
    mgs_cache_memcache,
#endif
        /* No backend configured (presumably the value before merge) */
    mgs_cache_unset
} mgs_cache_e;
83
/* Client certificate verification method, stored in
 * mgs_srvconf_rec.client_verify_method.
 * NOTE(review): "cartel" appears to denote conventional X.509 CA-chain
 * validation and "msva" delegation to an external validation agent —
 * confirm against the verification code before relying on this. */
typedef enum {
    /* Not configured */
    mgs_cvm_unset,
    mgs_cvm_cartel,
    mgs_cvm_msva
} mgs_client_verification_method_e;
89
90
/* Per-directory configuration record; presumably created by
 * mgs_config_dir_create() and merged by mgs_config_dir_merge(), both
 * declared below. */
typedef struct {
    /* Client certificate verification mode for this directory.  Plain
     * int; the accepted values are not defined in this header, assumed to
     * match mgs_srvconf_rec.client_verify_mode — confirm. */
    int client_verify_mode;
    /* Lua bytecode blob of lua_bytecode_len bytes (presumably installed by
     * mgs_set_require_bytecode(); treat as a byte buffer, not a C string). */
    const char* lua_bytecode;
    /* Length in bytes of lua_bytecode */
    apr_size_t lua_bytecode_len;
} mgs_dirconf_rec;
97
98
99/* The maximum number of certificates to send in a chain */
100#define MAX_CHAIN_SIZE 8
101/* The maximum number of SANs to read from a x509 certificate */
102#define MAX_CERT_SAN 5
103
/* Server (per virtual host) configuration record.  Presumably created by
 * mgs_config_server_create() and merged by mgs_config_server_merge(),
 * both declared below. */
typedef struct {
    /* x509 Certificate Structure (server-side credentials) */
    gnutls_certificate_credentials_t certs;
    /* x509 credentials for proxy connections */
    gnutls_certificate_credentials_t proxy_x509_creds;
    /* trust list for proxy_x509_creds */
    gnutls_x509_trust_list_t proxy_x509_tl;
    /* Paths of the key, certificate, CA bundle and CRL used for proxy
     * connections; presumably stored by mgs_store_cred_path() — confirm. */
    const char* proxy_x509_key_file;
    const char* proxy_x509_cert_file;
    const char* proxy_x509_ca_file;
    const char* proxy_x509_crl_file;
    /* GnuTLS priorities for proxy connections (GnuTLSProxyPriorities).
     * Kept separate from "priorities" below; per the commit message this
     * MUST be set when SSLProxyEngine is enabled. */
    gnutls_priority_t proxy_priorities;
    /* SRP Certificate Structure*/
    gnutls_srp_server_credentials_t srp_creds;
    /* Anonymous Certificate Structure */
    gnutls_anon_server_credentials_t anon_creds;
    /* Anonymous Client Certificate Structure, used for proxy
     * connections */
    gnutls_anon_client_credentials_t anon_client_creds;
        /* Current x509 Certificate CN [Common Name] */
    char* cert_cn;
        /* Current x509 Certificate SAN [Subject Alternate Name]s.
         * Fixed-size: at most MAX_CERT_SAN entries are kept, so a
         * certificate carrying more SANs is only partially represented. */
        char* cert_san[MAX_CERT_SAN];
        /* A x509 Certificate Chain (certs_x509_chain_num entries;
         * MAX_CHAIN_SIZE above caps how many are sent) */
    gnutls_x509_crt_t *certs_x509_chain;
        /* Current x509 Certificate Private Key */
    gnutls_x509_privkey_t privkey_x509;
        /* OpenPGP Certificate */
    gnutls_openpgp_crt_t cert_pgp;
        /* OpenPGP Certificate Private Key */
    gnutls_openpgp_privkey_t privkey_pgp;
        /* Number of Certificates in Chain */
    unsigned int certs_x509_chain_num;
        /* Is the module enabled? Presumably one of the GNUTLS_ENABLED_*
         * constants defined above — confirm in the directive handler. */
    int enabled;
    /* Export full certificates to CGI environment: */
    int export_certificates_size;
        /* GnuTLS Priorities for server-side connections (GnuTLSPriorities) */
    gnutls_priority_t priorities;
        /* GnuTLS DH Parameters */
    gnutls_dh_params_t dh_params;
        /* Cache timeout value */
    int cache_timeout;
        /* Chosen cache type */
    mgs_cache_e cache_type;
    /* Backend-specific cache configuration string */
    const char* cache_config;
    /* SRP password and configuration file paths */
    const char* srp_tpasswd_file;
    const char* srp_tpasswd_conf_file;
        /* A list of CA Certificates */
    gnutls_x509_crt_t *ca_list;
        /* OpenPGP Key Ring */
    gnutls_openpgp_keyring_t pgp_list;
        /* CA Certificate list size */
    unsigned int ca_list_size;
        /* Client Certificate Verification Mode */
    int client_verify_mode;
        /* Client Certificate Verification Method */
    mgs_client_verification_method_e client_verify_method;
        /* Last Cache timestamp */
    apr_time_t last_cache_check;
        /* GnuTLS uses Session Tickets */
    int tickets;
        /* Is mod_proxy enabled? */
    int proxy_enabled;
        /* A Plain HTTP request */
    int non_ssl_request;
} mgs_srvconf_rec;
173
/* Character Buffer: a (length, pointer) pair.
 * NOTE(review): length is a signed int while the buffers it is used with
 * are sized with apr_size_t/size_t; callers should avoid mixed-sign
 * comparisons and never let it go negative. */
typedef struct {
    /* Number of bytes available at value */
    int length;
    /* Start of the data (not owned by this struct) */
    char *value;
} mgs_char_buffer_t;
179
/* GnuTLS Handle: per-connection state.  Presumably the context handed to
 * the I/O filters and, as gnutls_transport_ptr_t, to mgs_transport_read()
 * and mgs_transport_write() — confirm in gnutls_io.c. */
typedef struct {
        /* Server configuration record */
    mgs_srvconf_rec *sc;
        /* Connection record */
    conn_rec* c;
        /* Is TLS enabled for this connection? */
    int enabled;
    /* Is this a proxy connection? (this server acting as the TLS client,
     * consistent with the client credentials in mgs_srvconf_rec) */
    int is_proxy;
        /* GnuTLS Session handle */
    gnutls_session_t session;
        /* module input status */
    apr_status_t input_rc;
        /* Input filter */
    ap_filter_t *input_filter;
        /* Input Bucket Brigade */
    apr_bucket_brigade *input_bb;
        /* Input Read Type (blocking / non-blocking) */
    apr_read_type_e input_block;
        /* Input Mode */
    ap_input_mode_t input_mode;
        /* Input Character Buffer; presumably a view into input_buffer —
         * confirm in gnutls_io.c */
    mgs_char_buffer_t input_cbuf;
        /* Input Character Array: fixed AP_IOBUFSIZE bytes; any read into
         * it must be bounded by sizeof input_buffer */
    char input_buffer[AP_IOBUFSIZE];
        /* module Output status */
    apr_status_t output_rc;
        /* Output filter */
    ap_filter_t *output_filter;
        /* Output Bucket Brigade */
    apr_bucket_brigade *output_bb;
        /* Output character array: fixed AP_IOBUFSIZE bytes */
    char output_buffer[AP_IOBUFSIZE];
        /* Output buffer length: presumably the bytes currently held in
         * output_buffer, which must never exceed AP_IOBUFSIZE */
    apr_size_t output_blen;
        /* Output length */
    apr_size_t output_length;
        /* General Status */
    int status;
} mgs_handle_t;
221
222
223
/** Functions in gnutls_io.c **/

/* apr_signal_block() for blocking SIGPIPE.  Declared here rather than
 * pulled from an APR header; NOTE(review): confirm the prototype matches
 * the APR version being built against. */
apr_status_t apr_signal_block(int signum);

/* Proxy Support */
/* An optional function which returns non-zero if the given connection
 * is using SSL/TLS.  Declared as an APR optional function so other
 * modules can look it up at runtime; plain prototypes follow below. */
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
 * are used by mod_proxy to enable use of SSL for outgoing
 * connections. */
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* Plain prototypes of the three optional functions declared above */
int ssl_is_https(conn_rec *c);
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
/* Directive handler for enabling the proxy engine (SSLProxyEngine,
 * inferred from the name and the commit message).  Per the commit
 * message, GnuTLSProxyPriorities MUST also be set when it is enabled.
 * Returns NULL on success or an error string, per httpd convention. */
const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
    const char *arg);
/* Presumably registered as a pool cleanup during pre-config; data is the
 * pointer given at registration — confirm in the hook code. */
apr_status_t mgs_cleanup_pre_config(void *data);
244
/**
 * mgs_filter_input is the connection-level input filter: it reads
 * ciphertext from the network, decrypts it through the GnuTLS session
 * and delivers the cleartext into bb.
 *
 * @param f         the filter info record (f->ctx is presumably the
 *                  connection's mgs_handle_t — confirm in gnutls_io.c)
 * @param bb        the bucket brigade, where to store the result to
 * @param mode      input mode requested by the caller (ap_input_mode_t,
 *                  e.g. AP_MODE_READBYTES or AP_MODE_GETLINE)
 * @param block     APR_BLOCK_READ or APR_NONBLOCK_READ — a blocking-mode
 *                  flag, not a block index
 * @param readbytes upper bound on the number of bytes to return in the
 *                  byte-counted modes
 * @return result status (APR_SUCCESS or an APR error code)
 */
apr_status_t mgs_filter_input(ap_filter_t * f,
                                     apr_bucket_brigade * bb,
                                     ap_input_mode_t mode,
                                     apr_read_type_e block,
                                     apr_off_t readbytes);
260
/**
 * mgs_filter_output is the connection-level output filter: it encrypts
 * the incoming bucket brigade using GnuTLS and passes the ciphertext
 * on to the next filter.
 *
 * @param f     the filter info record
 * @param bb    the bucket brigade holding the cleartext to send
 * @return result status (APR_SUCCESS or an APR error code)
 */
apr_status_t mgs_filter_output(ap_filter_t * f,
                                      apr_bucket_brigade * bb);
271
272
/**
 * mgs_transport_read is called from GnuTLS to provide encrypted
 * data from the client (the session's pull function).
 *
 * @param ptr     pointer to the filter context (presumably the
 *                connection's mgs_handle_t)
 * @param buffer  place to put data
 * @param len     maximum size; the implementation must never store more
 *                than len bytes into buffer
 * @return size   length of the data stored in buffer; on failure the
 *                GnuTLS pull convention is -1 with the error reported via
 *                gnutls_transport_set_errno() — confirm the implementation
 */
ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
                                  void *buffer, size_t len);
284
/**
 * mgs_transport_write is called from GnuTLS to
 * write data to the client (the session's push function).
 *
 * @param ptr     pointer to the filter context (presumably the
 *                connection's mgs_handle_t)
 * @param buffer  buffer to write to the client
 * @param len     size of the buffer
 * @return size   length of the data written; on failure the GnuTLS push
 *                convention is -1 with the error reported via
 *                gnutls_transport_set_errno() — confirm the implementation
 */
ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
                                   const void *buffer, size_t len);
296
297
/**
 * Presumably initiates a new handshake (renegotiation) on the existing
 * session of ctxt — inferred from the name, confirm in gnutls_io.c.
 * NOTE(review): server-initiated renegotiation should only proceed when
 * the peer negotiated the secure renegotiation extension; verify the
 * implementation checks this rather than assuming it.
 *
 * @param ctxt the connection's GnuTLS handle
 * @return int status; the success/failure convention is not stated in
 *         this header
 */
int mgs_rehandshake(mgs_handle_t * ctxt);
299
300
301
/**
 * Init the Cache after Configuration is done.
 * Presumably driven by the cache_type / cache_config / cache_timeout
 * fields of sc — confirm in the cache implementation.
 *
 * @param p   pool the cache is set up in
 * @param s   the server whose cache is being initialised
 * @param sc  that server's configuration record
 * @return int status; convention not stated in this header
 */
int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
                                 mgs_srvconf_rec *sc);
/**
 * Init the Cache inside each Process (child-process counterpart of
 * mgs_cache_post_config()).
 *
 * @param p   the child's pool
 * @param s   the server whose cache is being initialised
 * @param sc  that server's configuration record
 * @return int status; convention not stated in this header
 */
int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
                                mgs_srvconf_rec *sc);
/**
 * Setup the Session Caching for one connection; presumably installs the
 * cache callbacks on ctxt->session — confirm.
 *
 * @param ctxt the connection's GnuTLS handle
 * @return int status; convention not stated in this header
 */
int mgs_cache_session_init(mgs_handle_t *ctxt);
316
/* Buffer size for the hex encoding of a maximum-length session id: two
 * hex digits per byte with room left for the terminating NUL.  Presumably
 * the intended size for the str argument of mgs_session_id2sz(). */
#define GNUTLS_SESSION_ID_STRING_LEN \
    ((GNUTLS_MAX_SESSION_ID + 1) * 2)

/**
 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
 * @param id raw SSL Session ID
 * @param idlen Length of the raw Session ID
 * @param str Location to store the Hex Encoded String (callers presumably
 *        size it with GNUTLS_SESSION_ID_STRING_LEN)
 * @param strsize The Maximum Length that can be stored in str, including
 *        the terminating NUL
 * @return presumably str — confirm in the implementation
 * NOTE(review): idlen and strsize are signed ints; the implementation must
 * reject negative values and must not emit more than strsize bytes.
 */
char *mgs_session_id2sz(unsigned char *id, int idlen,
                                char *str, int strsize);

/**
 * Convert a time_t into a Null Terminated String
 * @param t time_t time
 * @param str Location to store the formatted time string (the previous
 *        comment said "Hex Encoded", which does not match this function)
 * @param strsize The Maximum Length that can be stored in str, including
 *        the terminating NUL
 * @return presumably str — confirm in the implementation
 */
char *mgs_time2sz(time_t t, char *str, int strsize);
337
338
/* Configuration Functions */

/* Directive handlers.  All use the httpd command-handler signature
 * (cmd_parms, per-directory config pointer, argument string(s)) and, per
 * httpd convention, return NULL on success or an error string for the
 * configuration parser.  The directive names are not visible in this
 * header except where the commit message names them. */

/* SRP password configuration file path */
const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* SRP password file path */
const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* DH parameters file path */
const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
                                        const char *arg);
/* x509 certificate (chain) file path */
const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* x509 private key file path */
const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* OpenPGP certificate file path */
const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
                                        const char *arg);

/* OpenPGP private key file path */
const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
                             const char *arg);

/* Session cache backend: "type" presumably selects an mgs_cache_e value
 * and "arg" is the backend-specific configuration string — confirm. */
const char *mgs_set_cache(cmd_parms * parms, void *dummy,
                          const char *type, const char* arg);

/* Session cache timeout */
const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
                                  const char *arg);

/* Client certificate verification mode */
const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
                                  const char *arg);

/* Client certificate verification method (mgs_client_verification_method_e) */
const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
                                         const char *arg);

/* CA certificate file used for client certificate verification */
const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* OpenPGP keyring file path */
const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
                                   const char *arg);

/* Enable/disable the module for a virtual host */
const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
                            const char *arg);
/* Controls export of full certificates to the CGI environment
 * (mgs_srvconf_rec.export_certificates_size) */
const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
                            const char *arg);
/* Handles both GnuTLSPriorities and GnuTLSProxyPriorities: per the commit
 * message it selects the priority cache to write (priorities vs.
 * proxy_priorities) based on the directive name rather than via a
 * separate handler. */
const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
                            const char *arg);
/* Enable/disable session tickets (mgs_srvconf_rec.tickets) */
const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
                            const char *arg);
385
/* Handler for the require-section directive; presumably related to the
 * Lua bytecode stored in mgs_dirconf_rec — confirm. */
const char *mgs_set_require_section(cmd_parms *cmd,
                                    void *mconfig, const char *arg);
/* Allocate a new mgs_srvconf_rec for server s from pool p */
void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
/* Merge two mgs_srvconf_rec (BASE: parent, ADD: overriding) into a new one */
void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);

/* Merge two mgs_dirconf_rec (basev: parent, addv: overriding) into a new one */
void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);

/* Allocate a new mgs_dirconf_rec for directory dir from pool p */
void *mgs_config_dir_create(apr_pool_t *p, char *dir);

/* Stores compiled Lua bytecode in the directory config (presumably
 * mgs_dirconf_rec.lua_bytecode / lua_bytecode_len — confirm). */
const char *mgs_set_require_bytecode(cmd_parms *cmd,
                                    void *mconfig, const char *arg);

/* Presumably looks up the virtual host matching the server name the
 * client sent via SNI on this session (inferred from the name).
 * NOTE(review): the returned record's credentials replace the default
 * host's for the session, so the match must be restricted to names the
 * configured certificates actually cover — confirm in the implementation. */
mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);

/* Stores a credential file path; presumably the proxy_x509_*_file fields
 * of mgs_srvconf_rec — confirm which directive maps to which field.
 * Note: __attribute__((unused)) is a GCC/Clang extension. */
const char *mgs_store_cred_path(cmd_parms * parms,
                                void *dummy __attribute__((unused)),
                                const char *arg);
403
/* mod_gnutls Hooks.  Registered with httpd's hook mechanism; the
 * register_hooks function itself is not declared in this header. */

/* pre_config hook: runs before the configuration is read */
int mgs_hook_pre_config(apr_pool_t * pconf,
                        apr_pool_t * plog, apr_pool_t * ptemp);

/* post_config hook: runs once the configuration is complete, starting
 * from base_server; presumably where mgs_cache_post_config() is called */
int mgs_hook_post_config(apr_pool_t * p, apr_pool_t * plog,
                         apr_pool_t * ptemp,
                         server_rec * base_server);

/* child_init hook: per-child-process initialisation */
void mgs_hook_child_init(apr_pool_t *p, server_rec *s);

/* http_scheme hook: returns the URL scheme for r (presumably "https"
 * when TLS is active on the connection) */
const char *mgs_hook_http_scheme(const request_rec * r);

/* default_port hook: returns the default port for r's scheme */
apr_port_t mgs_hook_default_port(const request_rec * r);

/* pre_connection hook: attaches the TLS state and filters to the new
 * connection c; csd is the connection's socket descriptor */
int mgs_hook_pre_connection(conn_rec * c, void *csd);

/* fixups hook: runs during request processing; presumably exports TLS
 * variables/certificates to the request environment (see
 * export_certificates_size) — confirm */
int mgs_hook_fixups(request_rec *r);

/* authz hook: presumably enforces the per-directory client certificate
 * requirements (mgs_dirconf_rec) — confirm */
int mgs_hook_authz(request_rec *r);
424
425#endif /*  __mod_gnutls_h_inc */