source: mod_gnutls/include/mod_gnutls.h.in @ fd6bb19

debian/masterdebian/stretch-backportsupstream
Last change on this file since fd6bb19 was fd6bb19, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

Extract OCSP access URI from the server certificate

  • Property mode set to 100644
File size: 15.3 KB
Line 
1/**
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015 Thomas Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 *
18 */
19
20/* Apache Runtime Headers */
21#include "httpd.h"
22#include "http_config.h"
23#include "http_protocol.h"
24#include "http_connection.h"
25#include "http_request.h"
26#include "http_core.h"
27#include "http_log.h"
28#include "apr_buckets.h"
29#include "apr_strings.h"
30#include "apr_tables.h"
31#include "ap_release.h"
32#include "apr_fnmatch.h"
33/* GnuTLS Library Headers */
34#include <gnutls/gnutls.h>
35#if GNUTLS_VERSION_MAJOR == 2
36#include <gnutls/extra.h>
37#endif
38#include <gnutls/abstract.h>
39#include <gnutls/openpgp.h>
40#include <gnutls/x509.h>
41
42#ifndef __mod_gnutls_h_inc
43#define __mod_gnutls_h_inc
44
45#define HAVE_APR_MEMCACHE    @have_apr_memcache@
46
47extern module AP_MODULE_DECLARE_DATA gnutls_module;
48
49/* IO Filter names */
50#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
51#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
52/* GnuTLS Constants */
53#define GNUTLS_ENABLED_FALSE 0
54#define GNUTLS_ENABLED_TRUE  1
55#define GNUTLS_ENABLED_UNSET  2
56/* Current module version */
57#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
58
59/* Module Debug Mode */
60#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
61
62/*
63 * Recent Versions of 2.1 renamed several hooks.
64 * This allows us to compile on 2.0.xx
65 */
66#if AP_SERVER_MINORVERSION_NUMBER >= 2 || (AP_SERVER_MINORVERSION_NUMBER == 1 && AP_SERVER_PATCHLEVEL_NUMBER >= 3)
67        #define USING_2_1_RECENT 1
68#else
69        #define USING_2_1_RECENT 0
70#endif
71
72/* mod_gnutls Cache Types */
73typedef enum {
74        /* No Cache */
75    mgs_cache_none,
76        /* Use Old Berkley DB */
77    mgs_cache_dbm,
78        /* Use Gnu's version of Berkley DB */
79    mgs_cache_gdbm,
80#if HAVE_APR_MEMCACHE
81        /* Use Memcache */
82    mgs_cache_memcache,
83#endif
84    mgs_cache_unset
85} mgs_cache_e;
86
87typedef enum {
88    mgs_cvm_unset,
89    mgs_cvm_cartel,
90    mgs_cvm_msva
91} mgs_client_verification_method_e;
92
93
94/* Directory Configuration Record */
95typedef struct {
96    int client_verify_mode;
97    const char* lua_bytecode;
98    apr_size_t lua_bytecode_len;
99} mgs_dirconf_rec;
100
101
102/* The maximum number of certificates to send in a chain */
103#define MAX_CHAIN_SIZE 8
104/* The maximum number of SANs to read from a x509 certificate */
105#define MAX_CERT_SAN 5
106
107/* Server Configuration Record */
108typedef struct {
109    /* --- Configuration values --- */
110        /* Is the module enabled? */
111    int enabled;
112        /* Is mod_proxy enabled? */
113    int proxy_enabled;
114        /* A Plain HTTP request */
115    int non_ssl_request;
116
117    /* List of PKCS #11 provider modules to load, only valid in the
118     * base config, ignored in virtual hosts */
119    apr_array_header_t *p11_modules;
120
121    /* PIN used for PKCS #11 operations */
122    char *pin;
123
124    /* the SRK PIN used in TPM operations */
125    char *srk_pin;
126
127    char *x509_cert_file;
128    char *x509_key_file;
129    char *x509_ca_file;
130
131    char *pgp_cert_file;
132    char *pgp_key_file;
133    char *pgp_ring_file;
134
135    char *dh_file;
136
137    char *priorities_str;
138    char *proxy_priorities_str;
139
140    const char* srp_tpasswd_file;
141    const char* srp_tpasswd_conf_file;
142
143        /* Cache timeout value */
144    int cache_timeout;
145        /* Chose Cache Type */
146    mgs_cache_e cache_type;
147    const char* cache_config;
148
149        /* GnuTLS uses Session Tickets */
150    int tickets;
151
152    /* --- Things initialized at _child_init --- */
153
154    /* x509 Certificate Structure */
155    gnutls_certificate_credentials_t certs;
156    /* x509 credentials for proxy connections */
157    gnutls_certificate_credentials_t proxy_x509_creds;
158    /* trust list for proxy_x509_creds */
159    gnutls_x509_trust_list_t proxy_x509_tl;
160    const char* proxy_x509_key_file;
161    const char* proxy_x509_cert_file;
162    const char* proxy_x509_ca_file;
163    const char* proxy_x509_crl_file;
164    /* GnuTLS priorities for proxy connections */
165    gnutls_priority_t proxy_priorities;
166    /* SRP Certificate Structure*/
167    gnutls_srp_server_credentials_t srp_creds;
168    /* Anonymous Certificate Structure */
169    gnutls_anon_server_credentials_t anon_creds;
170    /* Anonymous Client Certificate Structure, used for proxy
171     * connections */
172    gnutls_anon_client_credentials_t anon_client_creds;
173        /* Current x509 Certificate CN [Common Name] */
174    char* cert_cn;
175        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
176    char* cert_san[MAX_CERT_SAN];
177        /* An x509 Certificate Chain */
178    gnutls_pcert_st *certs_x509_chain;
179    gnutls_x509_crt_t *certs_x509_crt_chain;
180        /* Number of Certificates in Chain */
181    unsigned int certs_x509_chain_num;
182
183        /* Current x509 Certificate Private Key */
184    gnutls_privkey_t privkey_x509;
185
186        /* OpenPGP Certificate */
187    gnutls_pcert_st *cert_pgp;
188    gnutls_openpgp_crt_t *cert_crt_pgp;
189
190        /* OpenPGP Certificate Private Key */
191    gnutls_privkey_t privkey_pgp;
192#if GNUTLS_VERSION_NUMBER < 0x030312
193    /* Internal structure for the OpenPGP private key, used in the
194     * workaround for a bug in gnutls_privkey_import_openpgp_raw that
195     * frees memory that is still needed. DO NOT USE for any other
196     * purpose. */
197    gnutls_openpgp_privkey_t privkey_pgp_internal;
198#endif
199
200    /* Export full certificates to CGI environment: */
201    int export_certificates_size;
202        /* GnuTLS Priorities */
203    gnutls_priority_t priorities;
204        /* GnuTLS DH Parameters */
205    gnutls_dh_params_t dh_params;
206        /* A list of CA Certificates */
207    gnutls_x509_crt_t *ca_list;
208        /* OpenPGP Key Ring */
209    gnutls_openpgp_keyring_t pgp_list;
210        /* CA Certificate list size */
211    unsigned int ca_list_size;
212        /* Client Certificate Verification Mode */
213    int client_verify_mode;
214        /* Client Certificate Verification Method */
215    mgs_client_verification_method_e client_verify_method;
216        /* Last Cache timestamp */
217    apr_time_t last_cache_check;
218
219    /* EXPERIMENTAL: OCSP response file for stapling, will go away
220     * once sending OCSP requests is implemented */
221    char *ocsp_response_file;
222    /* OCSP URI extracted from the server certificate. NULL if
223     * unset. */
224    apr_uri_t *ocsp_uri;
225    /* Trust list to verify OCSP responses for stapling. Should
226     * usually only contain the CA that signed the server
227     * certificate. */
228    gnutls_x509_trust_list_t *ocsp_trust;
229} mgs_srvconf_rec;
230
231/* Character Buffer */
232typedef struct {
233    int length;
234    char *value;
235} mgs_char_buffer_t;
236
237/* GnuTLS Handle */
238typedef struct {
239        /* Server configuration record */
240    mgs_srvconf_rec *sc;
241        /* Connection record */
242    conn_rec* c;
243        /* Is TLS enabled for this connection? */
244    int enabled;
245    /* Is this a proxy connection? */
246    int is_proxy;
247        /* GnuTLS Session handle */
248    gnutls_session_t session;
249        /* module input status */
250    apr_status_t input_rc;
251        /* Input filter */
252    ap_filter_t *input_filter;
253        /* Input Bucket Brigade */
254    apr_bucket_brigade *input_bb;
255        /* Input Read Type */
256    apr_read_type_e input_block;
257        /* Input Mode */
258    ap_input_mode_t input_mode;
259        /* Input Character Buffer */
260    mgs_char_buffer_t input_cbuf;
261        /* Input Character Array */
262    char input_buffer[AP_IOBUFSIZE];
263        /* module Output status */
264    apr_status_t output_rc;
265        /* Output filter */
266    ap_filter_t *output_filter;
267        /* Output Bucket Brigade */
268    apr_bucket_brigade *output_bb;
269        /* Output character array */
270    char output_buffer[AP_IOBUFSIZE];
271        /* Output buffer length */
272    apr_size_t output_blen;
273        /* Output length */
274    apr_size_t output_length;
275        /* General Status */
276    int status;
277} mgs_handle_t;
278
279
280
281/** Functions in gnutls_io.c **/
282
283/* apr_signal_block() for blocking SIGPIPE */
284apr_status_t apr_signal_block(int signum);
285
286 /* Proxy Support */
287/* An optional function which returns non-zero if the given connection
288is using SSL/TLS. */
289APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
290/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
291 * are used by mod_proxy to enable use of SSL for outgoing
292 * connections. */
293APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
294APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
295int ssl_is_https(conn_rec *c);
296int ssl_proxy_enable(conn_rec *c);
297int ssl_engine_disable(conn_rec *c);
298const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
299                                 const int arg);
300apr_status_t mgs_cleanup_pre_config(void *data);
301
302/**
303 * mgs_filter_input will filter the input data
304 * by decrypting it using GnuTLS and passes it cleartext.
305 *
306 * @param f     the filter info record
307 * @param bb    the bucket brigade, where to store the result to
308 * @param mode  what shall we read?
309 * @param block a block index we shall read from?
310 * @return result status
311 */
312apr_status_t mgs_filter_input(ap_filter_t * f,
313                                     apr_bucket_brigade * bb,
314                                     ap_input_mode_t mode,
315                                     apr_read_type_e block,
316                                     apr_off_t readbytes);
317
318/**
319 * mgs_filter_output will filter the encrypt
320 * the incoming bucket using GnuTLS and passes it onto the next filter.
321 *
322 * @param f     the filter info record
323 * @param bb    the bucket brigade, where to store the result to
324 * @return result status
325 */
326apr_status_t mgs_filter_output(ap_filter_t * f,
327                                      apr_bucket_brigade * bb);
328
329
330/**
331 * mgs_transport_read is called from GnuTLS to provide encrypted
332 * data from the client.
333 *
334 * @param ptr     pointer to the filter context
335 * @param buffer  place to put data
336 * @param len     maximum size
337 * @return size   length of the data stored in buffer
338 */
339ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
340                                  void *buffer, size_t len);
341
342/**
343 * mgs_transport_write is called from GnuTLS to
344 * write data to the client.
345 *
346 * @param ptr     pointer to the filter context
347 * @param buffer  buffer to write to the client
348 * @param len     size of the buffer
349 * @return size   length of the data written
350 */
351ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
352                                   const void *buffer, size_t len);
353
354
355int mgs_rehandshake(mgs_handle_t * ctxt);
356
357
358
359/**
360 * Init the Cache after Configuration is done
361 */
362int mgs_cache_post_config(apr_pool_t *p, server_rec *s,
363                                 mgs_srvconf_rec *sc);
364/**
365 * Init the Cache inside each Process
366 */
367int mgs_cache_child_init(apr_pool_t *p, server_rec *s,
368                                mgs_srvconf_rec *sc);
369/**
370 * Setup the Session Caching
371 */
372int mgs_cache_session_init(mgs_handle_t *ctxt);
373
374#define GNUTLS_SESSION_ID_STRING_LEN \
375    ((GNUTLS_MAX_SESSION_ID + 1) * 2)
376
377/**
378 * Perform any reinitialization required in PKCS #11
379 */
380int mgs_pkcs11_reinit(server_rec * s);
381
382/**
383 * Convert a SSL Session ID into a Null Terminated Hex Encoded String
384 * @param id raw SSL Session ID
385 * @param idlen Length of the raw Session ID
386 * @param str Location to store the Hex Encoded String
387 * @param strsize The Maximum Length that can be stored in str
388 */
389char *mgs_session_id2sz(unsigned char *id, int idlen,
390                                char *str, int strsize);
391
392/**
393 * Convert a time_t into a Null Terminated String
394 * @param t time_t time
395 * @param str Location to store the Hex Encoded String
396 * @param strsize The Maximum Length that can be stored in str
397 */
398char *mgs_time2sz(time_t t, char *str, int strsize);
399
400
401/* Configuration Functions */
402
403/* Loads all files set in the configuration */
404int mgs_load_files(apr_pool_t * p, server_rec * s);
405
406const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
407                                        const char *arg);
408const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
409                                        const char *arg);
410const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
411                                        const char *arg);
412const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
413                                        const char *arg);
414
415const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
416                             const char *arg);
417
418const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy,
419                                        const char *arg);
420
421const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
422                             const char *arg);
423
424const char *mgs_set_cache(cmd_parms * parms, void *dummy,
425                          const char *type, const char* arg);
426
427const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy,
428                                  const char *arg);
429
430const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
431                                  const char *arg);
432
433const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
434                                         const char *arg);
435
436const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
437                                   const char *arg);
438
439const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
440                               const char *arg);
441
442const char *mgs_set_pin(cmd_parms * parms, void *dummy,
443                                   const char *arg);
444
445const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
446                                   const char *arg);
447
448const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy,
449                                   const char *arg);
450
451const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
452                            const int arg);
453const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
454                            const char *arg);
455const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
456                            const char *arg);
457const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
458                            const int arg);
459
460const char *mgs_set_require_section(cmd_parms *cmd,
461                                    void *mconfig, const char *arg);
462void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
463void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
464
465void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
466
467void *mgs_config_dir_create(apr_pool_t *p, char *dir);
468
469const char *mgs_set_require_bytecode(cmd_parms *cmd,
470                                    void *mconfig, const char *arg);
471
472mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
473
474const char *mgs_store_cred_path(cmd_parms * parms,
475                                void *dummy __attribute__((unused)),
476                                const char *arg);
477
478/* mod_gnutls Hooks. */
479
480int mgs_hook_pre_config(apr_pool_t * pconf,
481                        apr_pool_t * plog, apr_pool_t * ptemp);
482
483int mgs_hook_post_config(apr_pool_t *pconf,
484                         apr_pool_t *plog,
485                         apr_pool_t *ptemp,
486                         server_rec *base_server);
487
488void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
489
490const char *mgs_hook_http_scheme(const request_rec * r);
491
492apr_port_t mgs_hook_default_port(const request_rec * r);
493
494int mgs_hook_pre_connection(conn_rec * c, void *csd);
495
496int mgs_hook_fixups(request_rec *r);
497
498int mgs_hook_authz(request_rec *r);
499
500#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.