1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
|
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef tls_conf_h
#define tls_conf_h
/* Configuration flags */
#define TLS_FLAG_UNSET (-1)
#define TLS_FLAG_FALSE (0)
#define TLS_FLAG_TRUE (1)
struct tls_proto_conf_t;
struct tls_cert_reg_t;
struct tls_cert_root_stores_t;
struct tls_cert_verifiers_t;
struct ap_socache_instance_t;
struct ap_socache_provider_t;
struct apr_global_mutex_t;
/* disabled, since rustls support is lacking
* - x.509 retrieval of certificate fields and extensions
* - certificate revocation lists (CRL)
* - x.509 access to issuer of trust chain in x.509 CA store:
* server CA has ca1, ca2, ca3
* client present certA
* rustls verifies that it is signed by *one of* ca* certs
* OCSP check needs (certA, issuing cert) for query
*/
#define TLS_CLIENT_CERTS 0
/* support for this exists as PR <https://github.com/rustls/rustls-ffi/pull/128>
*/
#define TLS_MACHINE_CERTS 1
typedef enum {
TLS_CLIENT_AUTH_UNSET,
TLS_CLIENT_AUTH_NONE,
TLS_CLIENT_AUTH_REQUIRED,
TLS_CLIENT_AUTH_OPTIONAL,
} tls_client_auth_t;
typedef enum {
TLS_CONF_ST_INIT,
TLS_CONF_ST_INCOMING_DONE,
TLS_CONF_ST_OUTGOING_DONE,
TLS_CONF_ST_DONE,
} tls_conf_status_t;
/* The global module configuration, created after post-config
* and then readonly.
*/
typedef struct {
server_rec *ap_server; /* the global server we initialized on */
const char *module_version;
const char *crustls_version;
tls_conf_status_t status;
int mod_proxy_post_config_done; /* if mod_proxy did its post-config things */
server_addr_rec *tls_addresses; /* the addresses/ports our engine is enabled on */
apr_array_header_t *proxy_configs; /* tls_conf_proxy_t* collected from everywhere */
struct tls_proto_conf_t *proto; /* TLS protocol/rustls specific globals */
apr_hash_t *var_lookups; /* variable lookup functions by var name */
struct tls_cert_reg_t *cert_reg; /* all certified keys loaded */
struct tls_cert_root_stores_t *stores; /* loaded certificate stores */
struct tls_cert_verifiers_t *verifiers; /* registry of certificate verifiers */
const char *session_cache_spec; /* how the session cache was specified */
const struct ap_socache_provider_t *session_cache_provider; /* provider used for session cache */
struct ap_socache_instance_t *session_cache; /* session cache instance */
struct apr_global_mutex_t *session_cache_mutex; /* global mutex for access to session cache */
const rustls_server_config *rustls_hello_config; /* used for initial client hello parsing */
} tls_conf_global_t;
/* The module configuration for a server (vhost).
* Populated during config parsing, merged and completed
* in the post config phase. Readonly after that.
*/
typedef struct {
server_rec *server; /* server this config belongs to */
tls_conf_global_t *global; /* global module config, singleton */
int enabled; /* TLS_FLAG_TRUE if mod_tls is active on this server */
apr_array_header_t *cert_specs; /* array of (tls_cert_spec_t*) of configured certificates */
int tls_protocol_min; /* the minimum TLS protocol version to use */
apr_array_header_t *tls_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
apr_array_header_t *tls_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
const apr_array_header_t *ciphersuites; /* Computed post-config, ordered list of rustls cipher suites */
int honor_client_order; /* honor client cipher ordering */
int strict_sni;
const char *client_ca; /* PEM file with trust anchors for client certs */
tls_client_auth_t client_auth; /* how client authentication with certificates is used */
const char *var_user_name; /* which SSL variable to use as user name */
apr_array_header_t *certified_keys; /* rustls_certified_key list configured */
int base_server; /* != 0 iff this is the base server */
int service_unavailable; /* TLS not trustworthy configured, return 503s */
} tls_conf_server_t;
typedef struct {
server_rec *defined_in; /* the server/host defining this dir_conf */
tls_conf_global_t *global; /* global module config, singleton */
const char *proxy_ca; /* PEM file with trust anchors for proxied remote server certs */
int proxy_protocol_min; /* the minimum TLS protocol version to use for proxy connections */
apr_array_header_t *proxy_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
apr_array_header_t *proxy_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
apr_array_header_t *machine_cert_specs; /* configured machine certificates specs */
apr_array_header_t *machine_certified_keys; /* rustls_certified_key list */
const rustls_client_config *rustls_config;
} tls_conf_proxy_t;
typedef struct {
int std_env_vars;
int export_cert_vars;
int proxy_enabled; /* TLS_FLAG_TRUE if mod_tls is active on outgoing connections */
const char *proxy_ca; /* PEM file with trust anchors for proxied remote server certs */
int proxy_protocol_min; /* the minimum TLS protocol version to use for proxy connections */
apr_array_header_t *proxy_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
apr_array_header_t *proxy_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
apr_array_header_t *proxy_machine_cert_specs; /* configured machine certificates specs */
tls_conf_proxy_t *proxy_config;
} tls_conf_dir_t;
/* our static registry of configuration directives. */
extern const command_rec tls_conf_cmds[];
/* create the modules configuration for a server_rec. */
void *tls_conf_create_svr(apr_pool_t *pool, server_rec *s);
/* merge (inherit) server configurations for the module.
* Settings in 'add' overwrite the ones in 'base' and unspecified
* settings shine through. */
void *tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv);
/* create the modules configuration for a directory. */
void *tls_conf_create_dir(apr_pool_t *pool, char *dir);
/* merge (inherit) directory configurations for the module.
* Settings in 'add' overwrite the ones in 'base' and unspecified
* settings shine through. */
void *tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv);
/* Get the server specific module configuration. */
tls_conf_server_t *tls_conf_server_get(server_rec *s);
/* Get the directory specific module configuration for the request. */
tls_conf_dir_t *tls_conf_dir_get(request_rec *r);
/* Get the directory specific module configuration for the server. */
tls_conf_dir_t *tls_conf_dir_server_get(server_rec *s);
/* If any configuration values are unset, supply the global server defaults. */
apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p);
/* If any configuration values are unset, supply the global dir defaults. */
apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p);
/* create a new proxy configuration from directory config in server */
tls_conf_proxy_t *tls_conf_proxy_make(
apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s);
int tls_proxy_section_post_config(
apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s,
ap_conf_vector_t *section_config);
#endif /* tls_conf_h */
|