Apache2
tls_conf.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #ifndef tls_conf_h
17 #define tls_conf_h
18 
19 /* Configuration flags */
20 #define TLS_FLAG_UNSET (-1)
21 #define TLS_FLAG_FALSE (0)
22 #define TLS_FLAG_TRUE (1)
23 
24 struct tls_proto_conf_t;
25 struct tls_cert_reg_t;
26 struct tls_cert_root_stores_t;
27 struct tls_cert_verifiers_t;
28 struct ap_socache_instance_t;
29 struct ap_socache_provider_t;
30 struct apr_global_mutex_t;
31 
32 
33 /* disabled, since rustls support is lacking
34  * - x.509 retrieval of certificate fields and extensions
35  * - certificate revocation lists (CRL)
36  * - x.509 access to issuer of trust chain in x.509 CA store:
37  * server CA has ca1, ca2, ca3
38  * client present certA
39  * rustls verifies that it is signed by *one of* ca* certs
40  * OCSP check needs (certA, issuing cert) for query
41  */
42 #define TLS_CLIENT_CERTS 0
43 
44 /* support for this exists as PR <https://github.com/rustls/rustls-ffi/pull/128>
45  */
46 #define TLS_MACHINE_CERTS 1
47 
48 
49 typedef enum {
50  TLS_CLIENT_AUTH_UNSET,
51  TLS_CLIENT_AUTH_NONE,
52  TLS_CLIENT_AUTH_REQUIRED,
53  TLS_CLIENT_AUTH_OPTIONAL,
54 } tls_client_auth_t;
55 
56 typedef enum {
57  TLS_CONF_ST_INIT,
58  TLS_CONF_ST_INCOMING_DONE,
59  TLS_CONF_ST_OUTGOING_DONE,
60  TLS_CONF_ST_DONE,
61 } tls_conf_status_t;
62 
63 /* The global module configuration, created after post-config
64  * and then readonly.
65  */
66 typedef struct {
67  server_rec *ap_server; /* the global server we initialized on */
68  const char *module_version;
69  const char *crustls_version;
70 
71  tls_conf_status_t status;
72  int mod_proxy_post_config_done; /* if mod_proxy did its post-config things */
73 
74  server_addr_rec *tls_addresses; /* the addresses/ports our engine is enabled on */
75  apr_array_header_t *proxy_configs; /* tls_conf_proxy_t* collected from everywhere */
76 
77  struct tls_proto_conf_t *proto; /* TLS protocol/rustls specific globals */
78  apr_hash_t *var_lookups; /* variable lookup functions by var name */
79  struct tls_cert_reg_t *cert_reg; /* all certified keys loaded */
80  struct tls_cert_root_stores_t *stores; /* loaded certificate stores */
81  struct tls_cert_verifiers_t *verifiers; /* registry of certificate verifiers */
82 
83  const char *session_cache_spec; /* how the session cache was specified */
84  const struct ap_socache_provider_t *session_cache_provider; /* provider used for session cache */
85  struct ap_socache_instance_t *session_cache; /* session cache instance */
86  struct apr_global_mutex_t *session_cache_mutex; /* global mutex for access to session cache */
87 
88  const rustls_server_config *rustls_hello_config; /* used for initial client hello parsing */
89 } tls_conf_global_t;
90 
91 /* The module configuration for a server (vhost).
92  * Populated during config parsing, merged and completed
93  * in the post config phase. Readonly after that.
94  */
95 typedef struct {
96  server_rec *server; /* server this config belongs to */
97  tls_conf_global_t *global; /* global module config, singleton */
98 
99  int enabled; /* TLS_FLAG_TRUE if mod_tls is active on this server */
100  apr_array_header_t *cert_specs; /* array of (tls_cert_spec_t*) of configured certificates */
101  int tls_protocol_min; /* the minimum TLS protocol version to use */
102  apr_array_header_t *tls_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
103  apr_array_header_t *tls_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
104  const apr_array_header_t *ciphersuites; /* Computed post-config, ordered list of rustls cipher suites */
105  int honor_client_order; /* honor client cipher ordering */
106  int strict_sni;
107 
108  const char *client_ca; /* PEM file with trust anchors for client certs */
109  tls_client_auth_t client_auth; /* how client authentication with certificates is used */
110  const char *var_user_name; /* which SSL variable to use as user name */
111 
112  apr_array_header_t *certified_keys; /* rustls_certified_key list configured */
113  int base_server; /* != 0 iff this is the base server */
114  int service_unavailable; /* TLS not trustworthy configured, return 503s */
115 } tls_conf_server_t;
116 
117 typedef struct {
118  server_rec *defined_in; /* the server/host defining this dir_conf */
119  tls_conf_global_t *global; /* global module config, singleton */
120  const char *proxy_ca; /* PEM file with trust anchors for proxied remote server certs */
121  int proxy_protocol_min; /* the minimum TLS protocol version to use for proxy connections */
122  apr_array_header_t *proxy_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
123  apr_array_header_t *proxy_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
124  apr_array_header_t *machine_cert_specs; /* configured machine certificates specs */
125  apr_array_header_t *machine_certified_keys; /* rustls_certified_key list */
126  const rustls_client_config *rustls_config;
127 } tls_conf_proxy_t;
128 
129 typedef struct {
130  int std_env_vars;
131  int export_cert_vars;
132  int proxy_enabled; /* TLS_FLAG_TRUE if mod_tls is active on outgoing connections */
133  const char *proxy_ca; /* PEM file with trust anchors for proxied remote server certs */
134  int proxy_protocol_min; /* the minimum TLS protocol version to use for proxy connections */
135  apr_array_header_t *proxy_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
136  apr_array_header_t *proxy_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
137  apr_array_header_t *proxy_machine_cert_specs; /* configured machine certificates specs */
138 
139  tls_conf_proxy_t *proxy_config;
140 } tls_conf_dir_t;
141 
142 /* our static registry of configuration directives. */
143 extern const command_rec tls_conf_cmds[];
144 
145 /* create the modules configuration for a server_rec. */
146 void *tls_conf_create_svr(apr_pool_t *pool, server_rec *s);
147 
148 /* merge (inherit) server configurations for the module.
149  * Settings in 'add' overwrite the ones in 'base' and unspecified
150  * settings shine through. */
151 void *tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv);
152 
153 /* create the modules configuration for a directory. */
154 void *tls_conf_create_dir(apr_pool_t *pool, char *dir);
155 
156 /* merge (inherit) directory configurations for the module.
157  * Settings in 'add' overwrite the ones in 'base' and unspecified
158  * settings shine through. */
159 void *tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv);
160 
161 
162 /* Get the server specific module configuration. */
163 tls_conf_server_t *tls_conf_server_get(server_rec *s);
164 
165 /* Get the directory specific module configuration for the request. */
166 tls_conf_dir_t *tls_conf_dir_get(request_rec *r);
167 
168 /* Get the directory specific module configuration for the server. */
169 tls_conf_dir_t *tls_conf_dir_server_get(server_rec *s);
170 
171 /* If any configuration values are unset, supply the global server defaults. */
172 apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p);
173 
174 /* If any configuration values are unset, supply the global dir defaults. */
175 apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p);
176 
177 /* create a new proxy configuration from directory config in server */
178 tls_conf_proxy_t *tls_conf_proxy_make(
179  apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s);
180 
181 int tls_proxy_section_post_config(
182  apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s,
183  ap_conf_vector_t *section_config);
184 
185 #endif /* tls_conf_h */
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition: http_config.h:512
ap_socache_instance_t
struct ap_socache_instance_t ap_socache_instance_t
Definition: ap_socache.h:49
r
request_rec * r
Definition: mod_dav.h:518
s
const char * s
Definition: mod_dav.h:1327
pool
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:557
apr_status_t
int apr_status_t
Definition: apr_errno.h:44
apr_hash_t
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
apr_pool_t
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
ap_socache_provider_t
Definition: ap_socache.h:89
apr_array_header_t
Definition: apr_tables.h:62
apr_global_mutex_t
Definition: apr_arch_global_mutex.h:23
command_struct
Definition: http_config.h:204
request_rec
A structure that represents the current request.
Definition: httpd.h:856
server_addr_rec
A structure to be used for Per-vhost config.
Definition: httpd.h:1361
server_rec
A structure to store information for each virtual server.
Definition: httpd.h:1382
tls_cert_reg_t
Definition: tls_cert.h:63
tls_cert_root_stores_t
Definition: tls_cert.h:134
tls_cert_verifiers_t
Definition: tls_cert.h:163
tls_conf_dir_t
Definition: tls_conf.h:129
tls_conf_dir_t::proxy_machine_cert_specs
apr_array_header_t * proxy_machine_cert_specs
Definition: tls_conf.h:137
tls_conf_dir_t::proxy_ca
const char * proxy_ca
Definition: tls_conf.h:133
tls_conf_dir_t::proxy_supp_ciphers
apr_array_header_t * proxy_supp_ciphers
Definition: tls_conf.h:136
tls_conf_dir_t::proxy_enabled
int proxy_enabled
Definition: tls_conf.h:132
tls_conf_dir_t::proxy_pref_ciphers
apr_array_header_t * proxy_pref_ciphers
Definition: tls_conf.h:135
tls_conf_dir_t::proxy_protocol_min
int proxy_protocol_min
Definition: tls_conf.h:134
tls_conf_dir_t::std_env_vars
int std_env_vars
Definition: tls_conf.h:130
tls_conf_dir_t::proxy_config
tls_conf_proxy_t * proxy_config
Definition: tls_conf.h:139
tls_conf_dir_t::export_cert_vars
int export_cert_vars
Definition: tls_conf.h:131
tls_conf_global_t
Definition: tls_conf.h:66
tls_conf_global_t::session_cache_provider
const struct ap_socache_provider_t * session_cache_provider
Definition: tls_conf.h:84
tls_conf_global_t::session_cache_spec
const char * session_cache_spec
Definition: tls_conf.h:83
tls_conf_global_t::module_version
const char * module_version
Definition: tls_conf.h:68
tls_conf_global_t::mod_proxy_post_config_done
int mod_proxy_post_config_done
Definition: tls_conf.h:72
tls_conf_global_t::proxy_configs
apr_array_header_t * proxy_configs
Definition: tls_conf.h:75
tls_conf_global_t::status
tls_conf_status_t status
Definition: tls_conf.h:71
tls_conf_global_t::tls_addresses
server_addr_rec * tls_addresses
Definition: tls_conf.h:74
tls_conf_global_t::cert_reg
struct tls_cert_reg_t * cert_reg
Definition: tls_conf.h:79
tls_conf_global_t::stores
struct tls_cert_root_stores_t * stores
Definition: tls_conf.h:80
tls_conf_global_t::verifiers
struct tls_cert_verifiers_t * verifiers
Definition: tls_conf.h:81
tls_conf_global_t::session_cache_mutex
struct apr_global_mutex_t * session_cache_mutex
Definition: tls_conf.h:86
tls_conf_global_t::session_cache
struct ap_socache_instance_t * session_cache
Definition: tls_conf.h:85
tls_conf_global_t::proto
struct tls_proto_conf_t * proto
Definition: tls_conf.h:77
tls_conf_global_t::var_lookups
apr_hash_t * var_lookups
Definition: tls_conf.h:78
tls_conf_global_t::crustls_version
const char * crustls_version
Definition: tls_conf.h:69
tls_conf_global_t::ap_server
server_rec * ap_server
Definition: tls_conf.h:67
tls_conf_global_t::rustls_hello_config
const rustls_server_config * rustls_hello_config
Definition: tls_conf.h:88
tls_conf_proxy_t
Definition: tls_conf.h:117
tls_conf_proxy_t::rustls_config
const rustls_client_config * rustls_config
Definition: tls_conf.h:126
tls_conf_proxy_t::proxy_supp_ciphers
apr_array_header_t * proxy_supp_ciphers
Definition: tls_conf.h:123
tls_conf_proxy_t::proxy_pref_ciphers
apr_array_header_t * proxy_pref_ciphers
Definition: tls_conf.h:122
tls_conf_proxy_t::machine_certified_keys
apr_array_header_t * machine_certified_keys
Definition: tls_conf.h:125
tls_conf_proxy_t::defined_in
server_rec * defined_in
Definition: tls_conf.h:118
tls_conf_proxy_t::machine_cert_specs
apr_array_header_t * machine_cert_specs
Definition: tls_conf.h:124
tls_conf_proxy_t::proxy_ca
const char * proxy_ca
Definition: tls_conf.h:120
tls_conf_proxy_t::proxy_protocol_min
int proxy_protocol_min
Definition: tls_conf.h:121
tls_conf_proxy_t::global
tls_conf_global_t * global
Definition: tls_conf.h:119
tls_conf_server_t
Definition: tls_conf.h:95
tls_conf_server_t::certified_keys
apr_array_header_t * certified_keys
Definition: tls_conf.h:112
tls_conf_server_t::strict_sni
int strict_sni
Definition: tls_conf.h:106
tls_conf_server_t::client_ca
const char * client_ca
Definition: tls_conf.h:108
tls_conf_server_t::client_auth
tls_client_auth_t client_auth
Definition: tls_conf.h:109
tls_conf_server_t::tls_supp_ciphers
apr_array_header_t * tls_supp_ciphers
Definition: tls_conf.h:103
tls_conf_server_t::tls_pref_ciphers
apr_array_header_t * tls_pref_ciphers
Definition: tls_conf.h:102
tls_conf_server_t::enabled
int enabled
Definition: tls_conf.h:99
tls_conf_server_t::server
server_rec * server
Definition: tls_conf.h:96
tls_conf_server_t::cert_specs
apr_array_header_t * cert_specs
Definition: tls_conf.h:100
tls_conf_server_t::var_user_name
const char * var_user_name
Definition: tls_conf.h:110
tls_conf_server_t::honor_client_order
int honor_client_order
Definition: tls_conf.h:105
tls_conf_server_t::service_unavailable
int service_unavailable
Definition: tls_conf.h:114
tls_conf_server_t::ciphersuites
const apr_array_header_t * ciphersuites
Definition: tls_conf.h:104
tls_conf_server_t::tls_protocol_min
int tls_protocol_min
Definition: tls_conf.h:101
tls_conf_server_t::global
tls_conf_global_t * global
Definition: tls_conf.h:97
tls_conf_server_t::base_server
int base_server
Definition: tls_conf.h:113
tls_proto_conf_t
Definition: tls_proto.h:40
p
apr_pool_t * p
tls_conf_server_get
tls_conf_server_t * tls_conf_server_get(server_rec *s)
tls_conf_status_t
tls_conf_status_t
Definition: tls_conf.h:56
TLS_CONF_ST_DONE
@ TLS_CONF_ST_DONE
Definition: tls_conf.h:60
TLS_CONF_ST_INIT
@ TLS_CONF_ST_INIT
Definition: tls_conf.h:57
TLS_CONF_ST_OUTGOING_DONE
@ TLS_CONF_ST_OUTGOING_DONE
Definition: tls_conf.h:59
TLS_CONF_ST_INCOMING_DONE
@ TLS_CONF_ST_INCOMING_DONE
Definition: tls_conf.h:58
tls_conf_dir_server_get
tls_conf_dir_t * tls_conf_dir_server_get(server_rec *s)
tls_conf_create_svr
void * tls_conf_create_svr(apr_pool_t *pool, server_rec *s)
tls_conf_create_dir
void * tls_conf_create_dir(apr_pool_t *pool, char *dir)
tls_conf_cmds
const command_rec tls_conf_cmds[]
tls_conf_merge_svr
void * tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv)
tls_client_auth_t
tls_client_auth_t
Definition: tls_conf.h:49
TLS_CLIENT_AUTH_REQUIRED
@ TLS_CLIENT_AUTH_REQUIRED
Definition: tls_conf.h:52
TLS_CLIENT_AUTH_OPTIONAL
@ TLS_CLIENT_AUTH_OPTIONAL
Definition: tls_conf.h:53
TLS_CLIENT_AUTH_NONE
@ TLS_CLIENT_AUTH_NONE
Definition: tls_conf.h:51
TLS_CLIENT_AUTH_UNSET
@ TLS_CLIENT_AUTH_UNSET
Definition: tls_conf.h:50
tls_conf_dir_apply_defaults
apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p)
tls_proxy_section_post_config
int tls_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
tls_conf_dir_get
tls_conf_dir_t * tls_conf_dir_get(request_rec *r)
tls_conf_proxy_make
tls_conf_proxy_t * tls_conf_proxy_make(apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s)
tls_conf_server_apply_defaults
apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p)
tls_conf_merge_dir
void * tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv)