Context Navigation

mod_gnutls.h.in @ fad7695

Visit:

asynciodebian/masterdebian/stretch-backportsmainproxy-ticketupstream

Last change on this file since fad7695 was fad7695, checked in by Thomas Klute <thomas2.klute@…>, 7 years ago

Store OCSP trust list in server config

This avoids recreating the trust list whenever an OCSP response has to
be verified.

Property mode set to 100644

File size: 15.2 KB

Line
1	/**
2	* Copyright 2004-2005 Paul Querna
3	* Copyright 2014 Nikos Mavrogiannopoulos
4	* Copyright 2015 Thomas Klute
5	*
6	* Licensed under the Apache License, Version 2.0 (the "License");
7	* you may not use this file except in compliance with the License.
8	* You may obtain a copy of the License at
9	*
10	* http://www.apache.org/licenses/LICENSE-2.0
11	*
12	* Unless required by applicable law or agreed to in writing, software
13	* distributed under the License is distributed on an "AS IS" BASIS,
14	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15	* See the License for the specific language governing permissions and
16	* limitations under the License.
17	*
18	*/
19
20	/* Apache Runtime Headers */
21	#include "httpd.h"
22	#include "http_config.h"
23	#include "http_protocol.h"
24	#include "http_connection.h"
25	#include "http_request.h"
26	#include "http_core.h"
27	#include "http_log.h"
28	#include "apr_buckets.h"
29	#include "apr_strings.h"
30	#include "apr_tables.h"
31	#include "ap_release.h"
32	#include "apr_fnmatch.h"
33	/* GnuTLS Library Headers */
34	#include <gnutls/gnutls.h>
35	#if GNUTLS_VERSION_MAJOR == 2
36	#include <gnutls/extra.h>
37	#endif
38	#include <gnutls/abstract.h>
39	#include <gnutls/openpgp.h>
40	#include <gnutls/x509.h>
41
42	#ifndef __mod_gnutls_h_inc
43	#define __mod_gnutls_h_inc
44
45	#define HAVE_APR_MEMCACHE @have_apr_memcache@
46
47	extern module AP_MODULE_DECLARE_DATA gnutls_module;
48
49	/* IO Filter names */
50	#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
51	#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
52	/* GnuTLS Constants */
53	#define GNUTLS_ENABLED_FALSE 0
54	#define GNUTLS_ENABLED_TRUE 1
55	#define GNUTLS_ENABLED_UNSET 2
56	/* Current module version */
57	#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
58
59	/* Module Debug Mode */
60	#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
61
62	/*
63	* Recent Versions of 2.1 renamed several hooks.
64	* This allows us to compile on 2.0.xx
65	*/
66	#if AP_SERVER_MINORVERSION_NUMBER >= 2 \|\| (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
67	#define USING_2_1_RECENT 1
68	#else
69	#define USING_2_1_RECENT 0
70	#endif
71
72	/* mod_gnutls Cache Types */
73	typedef enum {
74	/* No Cache */
75	mgs_cache_none,
76	/* Use Old Berkley DB */
77	mgs_cache_dbm,
78	/* Use Gnu's version of Berkley DB */
79	mgs_cache_gdbm,
80	#if HAVE_APR_MEMCACHE
81	/* Use Memcache */
82	mgs_cache_memcache,
83	#endif
84	mgs_cache_unset
85	} mgs_cache_e;
86
87	typedef enum {
88	mgs_cvm_unset,
89	mgs_cvm_cartel,
90	mgs_cvm_msva
91	} mgs_client_verification_method_e;
92
93
94	/* Directory Configuration Record */
95	typedef struct {
96	int client_verify_mode;
97	const char* lua_bytecode;
98	apr_size_t lua_bytecode_len;
99	} mgs_dirconf_rec;
100
101
102	/* The maximum number of certificates to send in a chain */
103	#define MAX_CHAIN_SIZE 8
104	/* The maximum number of SANs to read from a x509 certificate */
105	#define MAX_CERT_SAN 5
106
107	/* Server Configuration Record */
108	typedef struct {
109	/* --- Configuration values --- */
110	/* Is the module enabled? */
111	int enabled;
112	/* Is mod_proxy enabled? */
113	int proxy_enabled;
114	/* A Plain HTTP request */
115	int non_ssl_request;
116
117	/* List of PKCS #11 provider modules to load, only valid in the
118	* base config, ignored in virtual hosts */
119	apr_array_header_t *p11_modules;
120
121	/* PIN used for PKCS #11 operations */
122	char *pin;
123
124	/* the SRK PIN used in TPM operations */
125	char *srk_pin;
126
127	char *x509_cert_file;
128	char *x509_key_file;
129	char *x509_ca_file;
130
131	char *pgp_cert_file;
132	char *pgp_key_file;
133	char *pgp_ring_file;
134
135	char *dh_file;
136
137	char *priorities_str;
138	char *proxy_priorities_str;
139
140	const char* srp_tpasswd_file;
141	const char* srp_tpasswd_conf_file;
142
143	/* Cache timeout value */
144	int cache_timeout;
145	/* Chose Cache Type */
146	mgs_cache_e cache_type;
147	const char* cache_config;
148
149	/* GnuTLS uses Session Tickets */
150	int tickets;
151
152	/* --- Things initialized at _child_init --- */
153
154	/* x509 Certificate Structure */
155	gnutls_certificate_credentials_t certs;
156	/* x509 credentials for proxy connections */
157	gnutls_certificate_credentials_t proxy_x509_creds;
158	/* trust list for proxy_x509_creds */
159	gnutls_x509_trust_list_t proxy_x509_tl;
160	const char* proxy_x509_key_file;
161	const char* proxy_x509_cert_file;
162	const char* proxy_x509_ca_file;
163	const char* proxy_x509_crl_file;
164	/* GnuTLS priorities for proxy connections */
165	gnutls_priority_t proxy_priorities;
166	/* SRP Certificate Structure*/
167	gnutls_srp_server_credentials_t srp_creds;
168	/* Anonymous Certificate Structure */
169	gnutls_anon_server_credentials_t anon_creds;
170	/* Anonymous Client Certificate Structure, used for proxy
171	* connections */
172	gnutls_anon_client_credentials_t anon_client_creds;
173	/* Current x509 Certificate CN [Common Name] */
174	char* cert_cn;
175	/* Current x509 Certificate SAN [Subject Alternate Name]s*/
176	char* cert_san[MAX_CERT_SAN];
177	/* An x509 Certificate Chain */
178	gnutls_pcert_st *certs_x509_chain;
179	gnutls_x509_crt_t *certs_x509_crt_chain;
180	/* Number of Certificates in Chain */
181	unsigned int certs_x509_chain_num;
182
183	/* Current x509 Certificate Private Key */
184	gnutls_privkey_t privkey_x509;
185
186	/* OpenPGP Certificate */
187	gnutls_pcert_st *cert_pgp;
188	gnutls_openpgp_crt_t *cert_crt_pgp;
189
190	/* OpenPGP Certificate Private Key */
191	gnutls_privkey_t privkey_pgp;
192	#if GNUTLS_VERSION_NUMBER < 0x030312
193	/* Internal structure for the OpenPGP private key, used in the
194	* workaround for a bug in gnutls_privkey_import_openpgp_raw that
195	* frees memory that is still needed. DO NOT USE for any other
196	* purpose. */
197	gnutls_openpgp_privkey_t privkey_pgp_internal;
198	#endif
199
200	/* Export full certificates to CGI environment: */
201	int export_certificates_size;
202	/* GnuTLS Priorities */
203	gnutls_priority_t priorities;
204	/* GnuTLS DH Parameters */
205	gnutls_dh_params_t dh_params;
206	/* A list of CA Certificates */
207	gnutls_x509_crt_t *ca_list;
208	/* OpenPGP Key Ring */
209	gnutls_openpgp_keyring_t pgp_list;
210	/* CA Certificate list size */
211	unsigned int ca_list_size;
212	/* Client Certificate Verification Mode */
213	int client_verify_mode;
214	/* Client Certificate Verification Method */
215	mgs_client_verification_method_e client_verify_method;
216	/* Last Cache timestamp */
217	apr_time_t last_cache_check;
218
219	/* EXPERIMENTAL: OCSP response file for stapling, will go away
220	* once sending OCSP requests is implemented */
221	char *ocsp_response_file;
222	/* Trust list to verify OCSP responses for stapling. Should
223	* usually only contain the CA that signed the server
224	* certificate. */
225	gnutls_x509_trust_list_t *ocsp_trust;
226	} mgs_srvconf_rec;
227
228	/* Character Buffer */
229	typedef struct {
230	int length;
231	char *value;
232	} mgs_char_buffer_t;
233
234	/* GnuTLS Handle */
235	typedef struct {
236	/* Server configuration record */
237	mgs_srvconf_rec *sc;
238	/* Connection record */
239	conn_rec* c;
240	/* Is TLS enabled for this connection? */
241	int enabled;
242	/* Is this a proxy connection? */
243	int is_proxy;
244	/* GnuTLS Session handle */
245	gnutls_session_t session;
246	/* module input status */
247	apr_status_t input_rc;
248	/* Input filter */
249	ap_filter_t *input_filter;
250	/* Input Bucket Brigade */
251	apr_bucket_brigade *input_bb;
252	/* Input Read Type */
253	apr_read_type_e input_block;
254	/* Input Mode */
255	ap_input_mode_t input_mode;
256	/* Input Character Buffer */
257	mgs_char_buffer_t input_cbuf;
258	/* Input Character Array */
259	char input_buffer[AP_IOBUFSIZE];
260	/* module Output status */
261	apr_status_t output_rc;
262	/* Output filter */
263	ap_filter_t *output_filter;
264	/* Output Bucket Brigade */
265	apr_bucket_brigade *output_bb;
266	/* Output character array */
267	char output_buffer[AP_IOBUFSIZE];
268	/* Output buffer length */
269	apr_size_t output_blen;
270	/* Output length */
271	apr_size_t output_length;
272	/* General Status */
273	int status;
274	} mgs_handle_t;
275
276
277
278	/ Functions in gnutls_io.c /
279
280	/* apr_signal_block() for blocking SIGPIPE */
281	apr_status_t apr_signal_block(int signum);
282
283	/* Proxy Support */
284	/* An optional function which returns non-zero if the given connection
285	is using SSL/TLS. */
286	APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
287	/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
288	* are used by mod_proxy to enable use of SSL for outgoing
289	* connections. */
290	APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
291	APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
292	int ssl_is_https(conn_rec *c);
293	int ssl_proxy_enable(conn_rec *c);
294	int ssl_engine_disable(conn_rec *c);
295	const char mgs_set_proxy_engine(cmd_parms parms, void *dummy,
296	const int arg);
297	apr_status_t mgs_cleanup_pre_config(void *data);
298
299	/**
300	* mgs_filter_input will filter the input data
301	* by decrypting it using GnuTLS and passes it cleartext.
302	*
303	* @param f the filter info record
304	* @param bb the bucket brigade, where to store the result to
305	* @param mode what shall we read?
306	* @param block a block index we shall read from?
307	* @return result status
308	*/
309	apr_status_t mgs_filter_input(ap_filter_t * f,
310	apr_bucket_brigade * bb,
311	ap_input_mode_t mode,
312	apr_read_type_e block,
313	apr_off_t readbytes);
314
315	/**
316	* mgs_filter_output will filter the encrypt
317	* the incoming bucket using GnuTLS and passes it onto the next filter.
318	*
319	* @param f the filter info record
320	* @param bb the bucket brigade, where to store the result to
321	* @return result status
322	*/
323	apr_status_t mgs_filter_output(ap_filter_t * f,
324	apr_bucket_brigade * bb);
325
326
327	/**
328	* mgs_transport_read is called from GnuTLS to provide encrypted
329	* data from the client.
330	*
331	* @param ptr pointer to the filter context
332	* @param buffer place to put data
333	* @param len maximum size
334	* @return size length of the data stored in buffer
335	*/
336	ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
337	void *buffer, size_t len);
338
339	/**
340	* mgs_transport_write is called from GnuTLS to
341	* write data to the client.
342	*
343	* @param ptr pointer to the filter context
344	* @param buffer buffer to write to the client
345	* @param len size of the buffer
346	* @return size length of the data written
347	*/
348	ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
349	const void *buffer, size_t len);
350
351
352	int mgs_rehandshake(mgs_handle_t * ctxt);
353
354
355
356	/**
357	* Init the Cache after Configuration is done
358	*/
359	int mgs_cache_post_config(apr_pool_t p, server_rec s,
360	mgs_srvconf_rec *sc);
361	/**
362	* Init the Cache inside each Process
363	*/
364	int mgs_cache_child_init(apr_pool_t p, server_rec s,
365	mgs_srvconf_rec *sc);
366	/**
367	* Setup the Session Caching
368	*/
369	int mgs_cache_session_init(mgs_handle_t *ctxt);
370
371	#define GNUTLS_SESSION_ID_STRING_LEN \
372	((GNUTLS_MAX_SESSION_ID + 1) * 2)
373
374	/**
375	* Perform any reinitialization required in PKCS #11
376	*/
377	int mgs_pkcs11_reinit(server_rec * s);
378
379	/**
380	* Convert a SSL Session ID into a Null Terminated Hex Encoded String
381	* @param id raw SSL Session ID
382	* @param idlen Length of the raw Session ID
383	* @param str Location to store the Hex Encoded String
384	* @param strsize The Maximum Length that can be stored in str
385	*/
386	char mgs_session_id2sz(unsigned char id, int idlen,
387	char *str, int strsize);
388
389	/**
390	* Convert a time_t into a Null Terminated String
391	* @param t time_t time
392	* @param str Location to store the Hex Encoded String
393	* @param strsize The Maximum Length that can be stored in str
394	*/
395	char mgs_time2sz(time_t t, char str, int strsize);
396
397
398	/* Configuration Functions */
399
400	/* Loads all files set in the configuration */
401	int mgs_load_files(apr_pool_t * p, server_rec * s);
402
403	const char mgs_set_srp_tpasswd_conf_file(cmd_parms parms, void *dummy,
404	const char *arg);
405	const char mgs_set_srp_tpasswd_file(cmd_parms parms, void *dummy,
406	const char *arg);
407	const char mgs_set_dh_file(cmd_parms parms, void *dummy,
408	const char *arg);
409	const char mgs_set_cert_file(cmd_parms parms, void *dummy,
410	const char *arg);
411
412	const char mgs_set_key_file(cmd_parms parms, void *dummy,
413	const char *arg);
414
415	const char mgs_set_pgpcert_file(cmd_parms parms, void *dummy,
416	const char *arg);
417
418	const char mgs_set_pgpkey_file(cmd_parms parms, void *dummy,
419	const char *arg);
420
421	const char mgs_set_cache(cmd_parms parms, void *dummy,
422	const char type, const char arg);
423
424	const char mgs_set_cache_timeout(cmd_parms parms, void *dummy,
425	const char *arg);
426
427	const char mgs_set_client_verify(cmd_parms parms, void *dummy,
428	const char *arg);
429
430	const char mgs_set_client_verify_method(cmd_parms parms, void *dummy,
431	const char *arg);
432
433	const char mgs_set_client_ca_file(cmd_parms parms, void *dummy,
434	const char *arg);
435
436	const char mgs_set_p11_module(cmd_parms parms, void *dummy,
437	const char *arg);
438
439	const char mgs_set_pin(cmd_parms parms, void *dummy,
440	const char *arg);
441
442	const char mgs_set_srk_pin(cmd_parms parms, void *dummy,
443	const char *arg);
444
445	const char mgs_set_keyring_file(cmd_parms parms, void *dummy,
446	const char *arg);
447
448	const char mgs_set_enabled(cmd_parms parms, void *dummy,
449	const int arg);
450	const char mgs_set_export_certificates_size(cmd_parms parms, void *dummy,
451	const char *arg);
452	const char mgs_set_priorities(cmd_parms parms, void *dummy,
453	const char *arg);
454	const char mgs_set_tickets(cmd_parms parms, void *dummy,
455	const int arg);
456
457	const char mgs_set_require_section(cmd_parms cmd,
458	void mconfig, const char arg);
459	void mgs_config_server_create(apr_pool_t p, server_rec * s);
460	void mgs_config_server_merge(apr_pool_t p, void BASE, void ADD);
461
462	void mgs_config_dir_merge(apr_pool_t p, void basev, void addv);
463
464	void mgs_config_dir_create(apr_pool_t p, char *dir);
465
466	const char mgs_set_require_bytecode(cmd_parms cmd,
467	void mconfig, const char arg);
468
469	mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
470
471	const char mgs_store_cred_path(cmd_parms parms,
472	void *dummy __attribute__((unused)),
473	const char *arg);
474
475	/* mod_gnutls Hooks. */
476
477	int mgs_hook_pre_config(apr_pool_t * pconf,
478	apr_pool_t * plog, apr_pool_t * ptemp);
479
480	int mgs_hook_post_config(apr_pool_t *pconf,
481	apr_pool_t *plog,
482	apr_pool_t *ptemp,
483	server_rec *base_server);
484
485	void mgs_hook_child_init(apr_pool_t p, server_rec s);
486
487	const char mgs_hook_http_scheme(const request_rec r);
488
489	apr_port_t mgs_hook_default_port(const request_rec * r);
490
491	int mgs_hook_pre_connection(conn_rec * c, void *csd);
492
493	int mgs_hook_fixups(request_rec *r);
494
495	int mgs_hook_authz(request_rec *r);
496
497	#endif /* __mod_gnutls_h_inc */

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format