tls_core.h

Go to the documentation of this file.

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#ifndef tls_core_h
#define tls_core_h
 
/* The module's state handling of a connection in normal chronological order,
 */
typedef enum {
    TLS_CONN_ST_INIT,             /* being initialized */
    TLS_CONN_ST_DISABLED,         /* TLS is disabled here */
    TLS_CONN_ST_CLIENT_HELLO,    /* TLS is enabled, prep handshake */
    TLS_CONN_ST_HANDSHAKE,        /* TLS is enabled, handshake ongonig */
    TLS_CONN_ST_TRAFFIC,          /* TLS is enabled, handshake done */
    TLS_CONN_ST_NOTIFIED,         /* TLS is enabled, notification to end sent */
    TLS_CONN_ST_DONE,             /* TLS is enabled, TLS has shut down */
} tls_conn_state_t;
 
#define TLS_CONN_ST_IS_ENABLED(cc)  (cc && cc->state >= TLS_CONN_ST_CLIENT_HELLO)
 
struct tls_filter_ctx_t;
 
/* The modules configuration for a connection. Created at connection
 * start and mutable during the lifetime of the connection.
 * (A conn_rec is only ever processed by one thread at a time.)
 */
typedef struct {
    server_rec *server;               /* the server_rec selected for this connection,
                                       * initially c->base_server, to be negotiated via SNI. */
    tls_conf_dir_t *dc;               /* directory config applying here */
    tls_conn_state_t state;
    int outgoing;                     /* != 0 iff outgoing connection (redundant once c->outgoing is everywhere) */
    int service_unavailable;          /* we 503 all requests on this connection */
    tls_client_auth_t client_auth;    /* how client authentication with certificates is used */
    int client_hello_seen;            /* the client hello has been inspected */
 
    rustls_connection *rustls_connection; /* the session used on this connection or NULL */
    const rustls_server_config *rustls_server_config; /* the config made for this connection (incoming) or NULL */
    const rustls_client_config *rustls_client_config; /* the config made for this connection (outgoing) or NULL */
    struct tls_filter_ctx_t *filter_ctx; /* the context used by this connection's tls filters */
 
    apr_array_header_t *local_keys;   /* rustls_certified_key* array of connection specific keys */
    const rustls_certified_key *key;  /* the key selected for the session */
    int key_cloned;                   /* != 0 iff the key is a unique clone, to be freed */
    apr_array_header_t *peer_certs;   /* handshaked peer ceritificates or NULL */
    const char *sni_hostname;         /* the SNI value from the client hello, or NULL */
    const apr_array_header_t *alpn;   /* the protocols proposed via ALPN by the client */
    const char *application_protocol;    /* the ALPN selected protocol or NULL */
 
    int session_id_cache_hit;         /* if a submitted session id was found in our cache */
 
    apr_uint16_t tls_protocol_id;      /* the TLS version negotiated */
    const char *tls_protocol_name;     /* the name of the TLS version negotiated */
    apr_uint16_t tls_cipher_id;       /* the TLS cipher suite negotiated */
    const char *tls_cipher_name;      /* the name of TLS cipher suite negotiated */
 
    const char *user_name;            /* != NULL if we derived a TLSUserName from the client_cert */
    apr_table_t *subprocess_env;      /* common TLS variables for this connection */
 
    rustls_result last_error;
    const char *last_error_descr;
 
} tls_conf_conn_t;
 
/* Get the connection specific module configuration. */
tls_conf_conn_t *tls_conf_conn_get(conn_rec *c);
 
/* Set the module configuration for a connection. */
void tls_conf_conn_set(conn_rec *c, tls_conf_conn_t *cc);
 
/* Return OK iff this connection is a TSL connection (or a secondary on a TLS connection). */
int tls_conn_check_ssl(conn_rec *c);
 
apr_status_t tls_core_init(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server);
 
apr_status_t tls_core_init_outgoing(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server);
 
void tls_core_conn_bind(conn_rec *c, ap_conf_vector_t *dir_conf);
 
void tls_core_conn_disable(conn_rec *c);
 
int tls_core_pre_conn_init(conn_rec *c);
 
apr_status_t tls_core_conn_init(conn_rec *c);
 
apr_status_t tls_core_conn_seen_client_hello(conn_rec *c);
 
apr_status_t tls_core_conn_post_handshake(conn_rec *c);
 
int tls_core_request_check(request_rec *r);
 
apr_status_t tls_core_error(conn_rec *c, rustls_result rr, const char **perrstr);
 
int tls_core_setup_outgoing(conn_rec *c);
 
#endif /* tls_core_h */