/** * Copyright 2004-2005 Paul Querna * Copyright 2014 Nikos Mavrogiannopoulos * Copyright 2015-2016 Thomas Klute * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * */ /* Apache Runtime Headers */ #include "httpd.h" #include "http_config.h" #include "http_protocol.h" #include "http_connection.h" #include "http_request.h" #include "http_core.h" #include "http_log.h" #include "apr_buckets.h" #include "apr_strings.h" #include "apr_tables.h" #include "ap_release.h" #include "apr_fnmatch.h" /* GnuTLS Library Headers */ #include #if GNUTLS_VERSION_MAJOR == 2 #include #endif #include #include #include #ifndef __mod_gnutls_h_inc #define __mod_gnutls_h_inc #define HAVE_APR_MEMCACHE @have_apr_memcache@ extern module AP_MODULE_DECLARE_DATA gnutls_module; /* IO Filter names */ #define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter" #define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter" /* GnuTLS Constants */ #define GNUTLS_ENABLED_FALSE 0 #define GNUTLS_ENABLED_TRUE 1 #define GNUTLS_ENABLED_UNSET 2 /* Current module version */ #define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@" /* Module Debug Mode */ #define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@ /* mod_gnutls Cache Types */ typedef enum { /* No Cache */ mgs_cache_none, /* Use Old Berkley DB */ mgs_cache_dbm, /* Use Gnu's version of Berkley DB */ mgs_cache_gdbm, #if HAVE_APR_MEMCACHE /* Use Memcache */ mgs_cache_memcache, #endif mgs_cache_unset } mgs_cache_e; typedef enum { mgs_cvm_unset, mgs_cvm_cartel, mgs_cvm_msva } mgs_client_verification_method_e; /* Directory Configuration Record */ typedef struct { int client_verify_mode; const char* lua_bytecode; apr_size_t lua_bytecode_len; } mgs_dirconf_rec; /* The maximum number of certificates to send in a chain */ #define MAX_CHAIN_SIZE 8 /* The maximum number of SANs to read from a x509 certificate */ #define MAX_CERT_SAN 5 /* Server Configuration Record */ typedef struct { /* --- Configuration values --- */ /* Is the module enabled? */ int enabled; /* Is mod_proxy enabled? */ int proxy_enabled; /* A Plain HTTP request */ int non_ssl_request; /* List of PKCS #11 provider modules to load, only valid in the * base config, ignored in virtual hosts */ apr_array_header_t *p11_modules; /* PIN used for PKCS #11 operations */ char *pin; /* the SRK PIN used in TPM operations */ char *srk_pin; char *x509_cert_file; char *x509_key_file; char *x509_ca_file; char *pgp_cert_file; char *pgp_key_file; char *pgp_ring_file; char *dh_file; char *priorities_str; char *proxy_priorities_str; const char* srp_tpasswd_file; const char* srp_tpasswd_conf_file; /* Cache timeout value */ int cache_timeout; /* Chose Cache Type */ mgs_cache_e cache_type; const char* cache_config; /* GnuTLS uses Session Tickets */ int tickets; /* --- Things initialized at _child_init --- */ /* x509 Certificate Structure */ gnutls_certificate_credentials_t certs; /* x509 credentials for proxy connections */ gnutls_certificate_credentials_t proxy_x509_creds; /* trust list for proxy_x509_creds */ gnutls_x509_trust_list_t proxy_x509_tl; const char* proxy_x509_key_file; const char* proxy_x509_cert_file; const char* proxy_x509_ca_file; const char* proxy_x509_crl_file; /* GnuTLS priorities for proxy connections */ gnutls_priority_t proxy_priorities; /* SRP Certificate Structure*/ gnutls_srp_server_credentials_t srp_creds; /* Anonymous Certificate Structure */ gnutls_anon_server_credentials_t anon_creds; /* Anonymous Client Certificate Structure, used for proxy * connections */ gnutls_anon_client_credentials_t anon_client_creds; /* Current x509 Certificate CN [Common Name] */ char* cert_cn; /* Current x509 Certificate SAN [Subject Alternate Name]s*/ char* cert_san[MAX_CERT_SAN]; /* An x509 Certificate Chain */ gnutls_pcert_st *certs_x509_chain; gnutls_x509_crt_t *certs_x509_crt_chain; /* Number of Certificates in Chain */ unsigned int certs_x509_chain_num; /* Current x509 Certificate Private Key */ gnutls_privkey_t privkey_x509; /* OpenPGP Certificate */ gnutls_pcert_st *cert_pgp; gnutls_openpgp_crt_t *cert_crt_pgp; /* OpenPGP Certificate Private Key */ gnutls_privkey_t privkey_pgp; #if GNUTLS_VERSION_NUMBER < 0x030312 /* Internal structure for the OpenPGP private key, used in the * workaround for a bug in gnutls_privkey_import_openpgp_raw that * frees memory that is still needed. DO NOT USE for any other * purpose. */ gnutls_openpgp_privkey_t privkey_pgp_internal; #endif /* Export full certificates to CGI environment: */ int export_certificates_size; /* GnuTLS Priorities */ gnutls_priority_t priorities; /* GnuTLS DH Parameters */ gnutls_dh_params_t dh_params; /* A list of CA Certificates */ gnutls_x509_crt_t *ca_list; /* OpenPGP Key Ring */ gnutls_openpgp_keyring_t pgp_list; /* CA Certificate list size */ unsigned int ca_list_size; /* Client Certificate Verification Mode */ int client_verify_mode; /* Client Certificate Verification Method */ mgs_client_verification_method_e client_verify_method; /* Last Cache timestamp */ apr_time_t last_cache_check; /* EXPERIMENTAL: OCSP response file for stapling, will go away * once sending OCSP requests is implemented */ char *ocsp_response_file; /* OCSP URI extracted from the server certificate. NULL if * unset. */ apr_uri_t *ocsp_uri; /* Trust list to verify OCSP responses for stapling. Should * usually only contain the CA that signed the server * certificate. */ gnutls_x509_trust_list_t *ocsp_trust; } mgs_srvconf_rec; /* Character Buffer */ typedef struct { int length; char *value; } mgs_char_buffer_t; /* GnuTLS Handle */ typedef struct { /* Server configuration record */ mgs_srvconf_rec *sc; /* Connection record */ conn_rec* c; /* Is TLS enabled for this connection? */ int enabled; /* Is this a proxy connection? */ int is_proxy; /* GnuTLS Session handle */ gnutls_session_t session; /* module input status */ apr_status_t input_rc; /* Input filter */ ap_filter_t *input_filter; /* Input Bucket Brigade */ apr_bucket_brigade *input_bb; /* Input Read Type */ apr_read_type_e input_block; /* Input Mode */ ap_input_mode_t input_mode; /* Input Character Buffer */ mgs_char_buffer_t input_cbuf; /* Input Character Array */ char input_buffer[AP_IOBUFSIZE]; /* module Output status */ apr_status_t output_rc; /* Output filter */ ap_filter_t *output_filter; /* Output Bucket Brigade */ apr_bucket_brigade *output_bb; /* Output character array */ char output_buffer[AP_IOBUFSIZE]; /* Output buffer length */ apr_size_t output_blen; /* Output length */ apr_size_t output_length; /* General Status */ int status; } mgs_handle_t; /** Functions in gnutls_io.c **/ /* apr_signal_block() for blocking SIGPIPE */ apr_status_t apr_signal_block(int signum); /* Proxy Support */ /* An optional function which returns non-zero if the given connection is using SSL/TLS. */ APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); /* The ssl_proxy_enable() and ssl_engine_disable() optional functions * are used by mod_proxy to enable use of SSL for outgoing * connections. */ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); int ssl_is_https(conn_rec *c); int ssl_proxy_enable(conn_rec *c); int ssl_engine_disable(conn_rec *c); const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, const int arg); apr_status_t mgs_cleanup_pre_config(void *data); /** * mgs_filter_input will filter the input data * by decrypting it using GnuTLS and passes it cleartext. * * @param f the filter info record * @param bb the bucket brigade, where to store the result to * @param mode what shall we read? * @param block a block index we shall read from? * @return result status */ apr_status_t mgs_filter_input(ap_filter_t * f, apr_bucket_brigade * bb, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes); /** * mgs_filter_output will filter the encrypt * the incoming bucket using GnuTLS and passes it onto the next filter. * * @param f the filter info record * @param bb the bucket brigade, where to store the result to * @return result status */ apr_status_t mgs_filter_output(ap_filter_t * f, apr_bucket_brigade * bb); /** * mgs_transport_read is called from GnuTLS to provide encrypted * data from the client. * * @param ptr pointer to the filter context * @param buffer place to put data * @param len maximum size * @return size length of the data stored in buffer */ ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr, void *buffer, size_t len); /** * mgs_transport_write is called from GnuTLS to * write data to the client. * * @param ptr pointer to the filter context * @param buffer buffer to write to the client * @param len size of the buffer * @return size length of the data written */ ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr, const void *buffer, size_t len); int mgs_rehandshake(mgs_handle_t * ctxt); /** * Init the Cache after Configuration is done */ int mgs_cache_post_config(apr_pool_t *p, server_rec *s, mgs_srvconf_rec *sc); /** * Init the Cache inside each Process */ int mgs_cache_child_init(apr_pool_t *p, server_rec *s, mgs_srvconf_rec *sc); /** * Setup the Session Caching */ int mgs_cache_session_init(mgs_handle_t *ctxt); #define GNUTLS_SESSION_ID_STRING_LEN \ ((GNUTLS_MAX_SESSION_ID + 1) * 2) /** * Perform any reinitialization required in PKCS #11 */ int mgs_pkcs11_reinit(server_rec * s); /** * Convert a SSL Session ID into a Null Terminated Hex Encoded String * @param id raw SSL Session ID * @param idlen Length of the raw Session ID * @param str Location to store the Hex Encoded String * @param strsize The Maximum Length that can be stored in str */ char *mgs_session_id2sz(unsigned char *id, int idlen, char *str, int strsize); /** * Convert a time_t into a Null Terminated String * @param t time_t time * @param str Location to store the Hex Encoded String * @param strsize The Maximum Length that can be stored in str */ char *mgs_time2sz(time_t t, char *str, int strsize); /* Configuration Functions */ /* Loads all files set in the configuration */ int mgs_load_files(apr_pool_t * p, server_rec * s); const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_dh_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_key_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_pgpcert_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_cache(cmd_parms * parms, void *dummy, const char *type, const char* arg); const char *mgs_set_cache_timeout(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_p11_module(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_pin(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_keyring_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_enabled(cmd_parms * parms, void *dummy, const int arg); const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_tickets(cmd_parms * parms, void *dummy, const int arg); const char *mgs_set_require_section(cmd_parms *cmd, void *mconfig, const char *arg); void *mgs_config_server_create(apr_pool_t * p, server_rec * s); void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD); void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv); void *mgs_config_dir_create(apr_pool_t *p, char *dir); const char *mgs_set_require_bytecode(cmd_parms *cmd, void *mconfig, const char *arg); mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session); const char *mgs_store_cred_path(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg); /* mod_gnutls Hooks. */ int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp); int mgs_hook_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *base_server); void mgs_hook_child_init(apr_pool_t *p, server_rec *s); const char *mgs_hook_http_scheme(const request_rec * r); apr_port_t mgs_hook_default_port(const request_rec * r); int mgs_hook_pre_connection(conn_rec * c, void *csd); int mgs_hook_fixups(request_rec *r); int mgs_hook_authz(request_rec *r); #endif /* __mod_gnutls_h_inc */