From 2faa747e2303ee774a4b4aace961188e950e185a Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 8 Apr 2024 21:09:22 +0200
Subject: Adding upstream version 2.4.58.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 modules/tls/tls_filter.h | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 modules/tls/tls_filter.h

(limited to 'modules/tls/tls_filter.h')

diff --git a/modules/tls/tls_filter.h b/modules/tls/tls_filter.h
new file mode 100644
index 0000000..4f3d38b
--- /dev/null
+++ b/modules/tls/tls_filter.h
@@ -0,0 +1,90 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef tls_filter_h
+#define tls_filter_h
+
+#define TLS_FILTER_RAW    "TLS raw"
+
+typedef struct tls_filter_ctx_t tls_filter_ctx_t;
+
+struct tls_filter_ctx_t {
+    conn_rec *c;                         /* connection this context is for */
+    tls_conf_conn_t *cc;                 /* tls module configuration of connection */
+
+    ap_filter_t *fin_ctx;                /* Apache's entry into the input filter chain */
+    apr_bucket_brigade *fin_tls_bb;      /* TLS encrypted, incoming network data */
+    apr_bucket_brigade *fin_tls_buffer_bb; /* TLS encrypted, incoming network data buffering */
+    apr_bucket_brigade *fin_plain_bb;    /* decrypted, incoming traffic data */
+    apr_off_t fin_bytes_in_rustls;       /* # of input TLS bytes in rustls_connection */
+    apr_read_type_e fin_block;           /* Do we block on input reads or not? */
+
+    ap_filter_t *fout_ctx;               /* Apache's entry into the output filter chain */
+    char *fout_buf_plain;                /* a buffer to collect plain bytes for output */
+    apr_size_t fout_buf_plain_len;       /* the amount of bytes in the buffer */
+    apr_size_t fout_buf_plain_size;      /* the total size of the buffer */
+    apr_bucket_brigade *fout_tls_bb;     /* TLS encrypted, outgoing network data */
+    apr_off_t fout_bytes_in_rustls;      /* # of output plain bytes in rustls_connection */
+    apr_off_t fout_bytes_in_tls_bb;      /* # of output tls bytes in our brigade */
+
+    apr_size_t fin_max_in_rustls;         /* how much tls we like to read into rustls */
+    apr_size_t fout_max_in_rustls;        /* how much plain bytes we like in rustls */
+    apr_size_t fout_max_bucket_size;      /* how large bucket chunks we handle before splitting */
+    apr_size_t fout_auto_flush_size;      /* on much outoing TLS data we flush to network */
+};
+
+/**
+ * Register the in-/output filters for converting TLS to application data and vice versa.
+ */
+void tls_filter_register(apr_pool_t *pool);
+
+/**
+ * Initialize the pre_connection state. Install all filters.
+ *
+ * @return OK if TLS on connection is enabled, DECLINED otherwise
+ */
+int tls_filter_pre_conn_init(conn_rec *c);
+
+/**
+ * Initialize the connection for use, perform the TLS handshake.
+ *
+ * Any failure will lead to the connection becoming aborted.
+ */
+void tls_filter_conn_init(conn_rec *c);
+
+/*
+ * <https://tools.ietf.org/html/rfc8449> says:
+ * "For large data transfers, small record sizes can materially affect performance."
+ * and
+ * "For TLS 1.2 and earlier, that limit is 2^14 octets. TLS 1.3 uses a limit of
+ * 2^14+1 octets."
+ * Maybe future TLS versions will raise that value, but for now these limits stand.
+ * Given the choice, we would like rustls to provide traffic data in those chunks.
+ */
+#define TLS_PREF_PLAIN_CHUNK_SIZE       (16384)
+
+/*
+ * When retrieving TLS chunks for rustls, or providing it a buffer
+ * to pass out TLS chunks (which are then bucketed and written to the
+ * network filters), we ideally would do that in multiples of TLS
+ * messages sizes.
+ * That would be TLS_PREF_WRITE_SIZE + TLS Message Overhead, such as
+ * MAC and padding. But these vary with protocol and ciphers chosen, so
+ * we define something which should be "large enough", but not overly so.
+ */
+#define TLS_REC_EXTRA             (1024)
+#define TLS_REC_MAX_SIZE   (TLS_PREF_PLAIN_CHUNK_SIZE + TLS_REC_EXTRA)
+
+#endif /* tls_filter_h */
\ No newline at end of file
-- 
cgit v1.2.3