/* * Copyright 2004-2005 Paul Querna * Copyright 2014 Nikos Mavrogiannopoulos * Copyright 2015-2020 Fiona Klute * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* Apache Runtime Headers */ #include "httpd.h" #include "http_config.h" #include "http_protocol.h" #include "http_connection.h" #include "http_request.h" #include "http_core.h" #include "http_log.h" #include "apr_buckets.h" #include "apr_tables.h" #include "ap_release.h" /* GnuTLS Library Headers */ #include #include #include #ifndef __mod_gnutls_h_inc #define __mod_gnutls_h_inc extern module AP_MODULE_DECLARE_DATA gnutls_module; /* IO Filter names */ #define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter" #define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter" /* GnuTLS Constants */ #define GNUTLS_ENABLED_FALSE 0 #define GNUTLS_ENABLED_TRUE 1 #define GNUTLS_ENABLED_UNSET 2 /* Current module version */ #define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@" /* Module Debug Mode */ #define MOD_GNUTLS_DEBUG @MOD_GNUTLS_DEBUG@ /** Name of the module-wide singleton watchdog */ #define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_" /* Internal cache data, defined in gnutls_cache.h */ typedef struct mgs_cache* mgs_cache_t; typedef enum { mgs_cvm_unset, mgs_cvm_cartel, mgs_cvm_msva } mgs_client_verification_method_e; /* Directory Configuration Record */ typedef struct { int client_verify_mode; } mgs_dirconf_rec; /* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */ typedef struct mgs_ocsp_data* mgs_ocsp_data_t; /* The maximum number of certificates to send in a chain */ #define MAX_CHAIN_SIZE 8 /** Server Configuration Record */ typedef struct { /** Server this mod_gnutls configuration is for */ server_rec* s; /* --- Configuration values --- */ /* Is the module enabled? */ int enabled; /* Is mod_proxy enabled? */ int proxy_enabled; /* List of PKCS #11 provider modules to load, only valid in the * base config, ignored in virtual hosts */ apr_array_header_t *p11_modules; /* PIN used for PKCS #11 operations */ char *pin; /* the SRK PIN used in TPM operations */ char *srk_pin; char *x509_cert_file; char *x509_key_file; char *x509_ca_file; char *dh_file; char *priorities_str; char *proxy_priorities_str; const char* srp_tpasswd_file; const char* srp_tpasswd_conf_file; /* Cache timeout value */ int cache_timeout; /* Enable cache */ unsigned char cache_enable : 2; /* Internal cache data */ mgs_cache_t cache; /* GnuTLS uses Session Tickets */ int tickets; /* x509 Certificate Structure */ gnutls_certificate_credentials_t certs; /* x509 credentials for proxy connections */ gnutls_certificate_credentials_t proxy_x509_creds; /* trust list for proxy_x509_creds */ gnutls_x509_trust_list_t proxy_x509_tl; const char* proxy_x509_key_file; const char* proxy_x509_cert_file; const char* proxy_x509_ca_file; const char* proxy_x509_crl_file; /* GnuTLS priorities for proxy connections */ gnutls_priority_t proxy_priorities; /* SRP Certificate Structure*/ gnutls_srp_server_credentials_t srp_creds; /* Anonymous Certificate Structure */ gnutls_anon_server_credentials_t anon_creds; /* Anonymous Client Certificate Structure, used for proxy * connections */ gnutls_anon_client_credentials_t anon_client_creds; /* An x509 Certificate Chain */ gnutls_pcert_st *certs_x509_chain; gnutls_x509_crt_t *certs_x509_crt_chain; /* Number of Certificates in Chain */ unsigned int certs_x509_chain_num; /* Current x509 Certificate Private Key */ gnutls_privkey_t privkey_x509; /* Export full certificates to CGI environment: */ int export_certificates_size; /* GnuTLS Priorities */ gnutls_priority_t priorities; /* GnuTLS DH Parameters */ gnutls_dh_params_t dh_params; /* A list of CA Certificates */ gnutls_x509_crt_t *ca_list; /* CA Certificate list size */ unsigned int ca_list_size; /* Client Certificate Verification Mode */ int client_verify_mode; /* Client Certificate Verification Method */ mgs_client_verification_method_e client_verify_method; /* Enable OCSP stapling */ unsigned char ocsp_staple; /* Automatically refresh cached OCSP response? */ unsigned char ocsp_auto_refresh; /* Check nonce in OCSP responses? */ unsigned char ocsp_check_nonce; /* Read OCSP response for stapling from this file instead of * sending a request over HTTP */ char **ocsp_response_file; /* Number of configured OCSP response files */ int ocsp_response_file_num; /* Internal OCSP data for this server */ mgs_ocsp_data_t *ocsp; /* Number of successfully configured OCSP data sets */ unsigned int ocsp_num; /* Mutex to prevent parallel OCSP requests */ apr_global_mutex_t *ocsp_mutex; /* Internal OCSP cache data */ mgs_cache_t ocsp_cache; /* Cache timeout for OCSP responses. Note that the nextUpdate * field of the response takes precedence if shorter. */ apr_interval_time_t ocsp_cache_time; /* If an OCSP request fails wait this long before trying again. */ apr_interval_time_t ocsp_failure_timeout; /** How long before a cached OCSP response expires should it be * updated? During configuration parsing this is set to the * maximum, during post configuration the value will be set to * half that. After each update the interval to for the next one * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time * * RANDOM` with `0 <= RANDOM <= 1`. */ apr_interval_time_t ocsp_fuzz_time; /* Socket timeout for OCSP requests */ apr_interval_time_t ocsp_socket_timeout; /** This module's singleton watchdog, used for async OCSP cache * updates. */ struct mgs_watchdog *singleton_wd; } mgs_srvconf_rec; /* Character Buffer */ typedef struct { int length; char *value; } mgs_char_buffer_t; /** GnuTLS connection handle */ typedef struct { /* Server configuration record */ mgs_srvconf_rec *sc; /* Connection record */ conn_rec* c; /* Is TLS enabled for this connection? */ int enabled; /* Is this a proxy connection? */ int is_proxy; /* GnuTLS Session handle */ gnutls_session_t session; /** Server name requested via SNI if any, or NULL. */ const char *sni_name; /* module input status */ apr_status_t input_rc; /* Input filter */ ap_filter_t *input_filter; /* Input Bucket Brigade */ apr_bucket_brigade *input_bb; /* Input Read Type */ apr_read_type_e input_block; /* Input Mode */ ap_input_mode_t input_mode; /* Input Character Buffer */ mgs_char_buffer_t input_cbuf; /* Input Character Array */ char input_buffer[AP_IOBUFSIZE]; /* module Output status */ apr_status_t output_rc; /* Output filter */ ap_filter_t *output_filter; /* Output Bucket Brigade */ apr_bucket_brigade *output_bb; /* Output character array */ char output_buffer[AP_IOBUFSIZE]; /* Output buffer length */ apr_size_t output_blen; /* Output length */ apr_size_t output_length; /** Connection status: 0 before (re-)handshake, 1 when up, -1 on * error (checks use status < 0 or status > 0) */ int status; /** For proxy connections: cache key to store/retrieve session * tickets */ gnutls_datum_t proxy_ticket_key; } mgs_handle_t; /* Proxy Support */ /* An optional function which returns non-zero if the given connection is using SSL/TLS. */ APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); /* The ssl_var_lookup() optional function retrieves SSL environment * variables. */ APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, (apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *)); /* The ssl_proxy_enable() and ssl_engine_disable() optional functions * are used by mod_proxy to enable use of SSL for outgoing * connections. */ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *, ap_conf_vector_t *, int proxy, int enable)); mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c); int ssl_is_https(conn_rec *c); char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var); int ssl_proxy_enable(conn_rec *c); int ssl_engine_disable(conn_rec *c); const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy, const int arg); apr_status_t mgs_cleanup_pre_config(void *data); /** * Perform any reinitialization required in PKCS #11 */ int mgs_pkcs11_reinit(server_rec * s); /* Configuration Functions */ /* Loads all files set in the configuration */ int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s) __attribute__((nonnull)); const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_dh_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_cert_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_key_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg); const char *mgs_set_client_verify(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_p11_module(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_pin(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_enabled(cmd_parms * parms, void *dummy, const int arg); const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_priorities(cmd_parms * parms, void *dummy, const char *arg); const char *mgs_set_tickets(cmd_parms * parms, void *dummy, const int arg); void *mgs_config_server_create(apr_pool_t * p, server_rec * s); void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD); void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv); void *mgs_config_dir_create(apr_pool_t *p, char *dir); const char *mgs_store_cred_path(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg); /* mod_gnutls Hooks. */ int mgs_hook_pre_config(apr_pool_t * pconf, apr_pool_t * plog, apr_pool_t * ptemp); int mgs_hook_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *base_server); void mgs_hook_child_init(apr_pool_t *p, server_rec *s); const char *mgs_hook_http_scheme(const request_rec * r); apr_port_t mgs_hook_default_port(const request_rec * r); int mgs_hook_pre_connection(conn_rec * c, void *csd); int mgs_hook_process_connection(conn_rec* c); int mgs_hook_fixups(request_rec *r); /** Post request hook, checks if TLS connection and vhost match */ int mgs_req_vhost_check(request_rec *r); int mgs_hook_authz(request_rec *r); #endif /* __mod_gnutls_h_inc */