tls_filter.h

Go to the documentation of this file.

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#ifndef tls_filter_h
#define tls_filter_h
 
#define TLS_FILTER_RAW    "TLS raw"
 
typedef struct tls_filter_ctx_t tls_filter_ctx_t;
 
struct tls_filter_ctx_t {
    conn_rec *c;                         /* connection this context is for */
    tls_conf_conn_t *cc;                 /* tls module configuration of connection */
 
    ap_filter_t *fin_ctx;                /* Apache's entry into the input filter chain */
    apr_bucket_brigade *fin_tls_bb;      /* TLS encrypted, incoming network data */
    apr_bucket_brigade *fin_tls_buffer_bb; /* TLS encrypted, incoming network data buffering */
    apr_bucket_brigade *fin_plain_bb;    /* decrypted, incoming traffic data */
    apr_off_t fin_bytes_in_rustls;       /* # of input TLS bytes in rustls_connection */
    apr_read_type_e fin_block;           /* Do we block on input reads or not? */
 
    ap_filter_t *fout_ctx;               /* Apache's entry into the output filter chain */
    char *fout_buf_plain;                /* a buffer to collect plain bytes for output */
    apr_size_t fout_buf_plain_len;       /* the amount of bytes in the buffer */
    apr_size_t fout_buf_plain_size;      /* the total size of the buffer */
    apr_bucket_brigade *fout_tls_bb;     /* TLS encrypted, outgoing network data */
    apr_off_t fout_bytes_in_rustls;      /* # of output plain bytes in rustls_connection */
    apr_off_t fout_bytes_in_tls_bb;      /* # of output tls bytes in our brigade */
 
    apr_size_t fin_max_in_rustls;         /* how much tls we like to read into rustls */
    apr_size_t fout_max_in_rustls;        /* how much plain bytes we like in rustls */
    apr_size_t fout_max_bucket_size;      /* how large bucket chunks we handle before splitting */
    apr_size_t fout_auto_flush_size;      /* on much outoing TLS data we flush to network */
};
 
void tls_filter_register(apr_pool_t *pool);
 
int tls_filter_pre_conn_init(conn_rec *c);
 
void tls_filter_conn_init(conn_rec *c);
 
/*
 * <https://tools.ietf.org/html/rfc8449> says:
 * "For large data transfers, small record sizes can materially affect performance."
 * and
 * "For TLS 1.2 and earlier, that limit is 2^14 octets. TLS 1.3 uses a limit of
 * 2^14+1 octets."
 * Maybe future TLS versions will raise that value, but for now these limits stand.
 * Given the choice, we would like rustls to provide traffic data in those chunks.
 */
#define TLS_PREF_PLAIN_CHUNK_SIZE       (16384)
 
/*
 * When retrieving TLS chunks for rustls, or providing it a buffer
 * to pass out TLS chunks (which are then bucketed and written to the
 * network filters), we ideally would do that in multiples of TLS
 * messages sizes.
 * That would be TLS_PREF_WRITE_SIZE + TLS Message Overhead, such as
 * MAC and padding. But these vary with protocol and ciphers chosen, so
 * we define something which should be "large enough", but not overly so.
 */
#define TLS_REC_EXTRA             (1024)
#define TLS_REC_MAX_SIZE   (TLS_PREF_PLAIN_CHUNK_SIZE + TLS_REC_EXTRA)
 
#endif /* tls_filter_h */