modules/tls/tls_core.h - httpd - Git at Google

 /* Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 #ifndef tls_core_h
 #define tls_core_h

 /* The module's state handling of a connection in normal chronological order,
  */
 typedef enum {
     TLS_CONN_ST_INIT,             /* being initialized */
     TLS_CONN_ST_DISABLED,         /* TLS is disabled here */
     TLS_CONN_ST_CLIENT_HELLO,    /* TLS is enabled, prep handshake */
     TLS_CONN_ST_HANDSHAKE,        /* TLS is enabled, handshake ongonig */
     TLS_CONN_ST_TRAFFIC,          /* TLS is enabled, handshake done */
     TLS_CONN_ST_NOTIFIED,         /* TLS is enabled, notification to end sent */
     TLS_CONN_ST_DONE,             /* TLS is enabled, TLS has shut down */
 } tls_conn_state_t;

 #define TLS_CONN_ST_IS_ENABLED(cc)  (cc && cc->state >= TLS_CONN_ST_CLIENT_HELLO)

 struct tls_filter_ctx_t;

 /* The modules configuration for a connection. Created at connection
  * start and mutable during the lifetime of the connection.
  * (A conn_rec is only ever processed by one thread at a time.)
  */
 typedef struct {
     server_rec *server;               /* the server_rec selected for this connection,
                                        * initially c->base_server, to be negotiated via SNI. */
     tls_conf_dir_t *dc;               /* directory config applying here */
     tls_conn_state_t state;
     int outgoing;                     /* != 0 iff outgoing connection (redundant once c->outgoing is everywhere) */
     int service_unavailable;          /* we 503 all requests on this connection */
     tls_client_auth_t client_auth;    /* how client authentication with certificates is used */
     int client_hello_seen;            /* the client hello has been inspected */

     rustls_connection *rustls_connection; /* the session used on this connection or NULL */
     const rustls_server_config *rustls_server_config; /* the config made for this connection (incoming) or NULL */
     const rustls_client_config *rustls_client_config; /* the config made for this connection (outgoing) or NULL */
     struct tls_filter_ctx_t *filter_ctx; /* the context used by this connection's tls filters */

     apr_array_header_t *local_keys;   /* rustls_certified_key* array of connection specific keys */
     const rustls_certified_key *key;  /* the key selected for the session */
     int key_cloned;                   /* != 0 iff the key is a unique clone, to be freed */
     apr_array_header_t *peer_certs;   /* handshaked peer ceritificates or NULL */
     const char *sni_hostname;         /* the SNI value from the client hello, or NULL */
     const apr_array_header_t *alpn;   /* the protocols proposed via ALPN by the client */
     const char *application_protocol;    /* the ALPN selected protocol or NULL */

     int session_id_cache_hit;         /* if a submitted session id was found in our cache */

     apr_uint16_t tls_protocol_id;      /* the TLS version negotiated */
     const char *tls_protocol_name;     /* the name of the TLS version negotiated */
     apr_uint16_t tls_cipher_id;       /* the TLS cipher suite negotiated */
     const char *tls_cipher_name;      /* the name of TLS cipher suite negotiated */

     const char *user_name;            /* != NULL if we derived a TLSUserName from the client_cert */
     apr_table_t *subprocess_env;      /* common TLS variables for this connection */

     rustls_result last_error;
     const char *last_error_descr;

 } tls_conf_conn_t;

 /* Get the connection specific module configuration. */
 tls_conf_conn_t *tls_conf_conn_get(conn_rec *c);

 /* Set the module configuration for a connection. */
 void tls_conf_conn_set(conn_rec *c, tls_conf_conn_t *cc);

 /* Return OK iff this connection is a TSL connection (or a secondary on a TLS connection). */
 int tls_conn_check_ssl(conn_rec *c);

 /**
  * Initialize the module's global and server specific settings. This runs
  * in Apache's "post-config" phase, meaning the configuration has been read
  * and checked for syntactic and other easily verifiable errors and now
  * it is time to load everything in and make it ready for traffic.
  * <p>      a memory pool staying with us the whole time until the server stops/reloads.
  * <ptemp>  a temporary pool as a scratch buffer that will be destroyed shortly after.
  * <base_server> the server for the global configuration which links -> next to
  *          all contained virtual hosts configured.
  */
 apr_status_t tls_core_init(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server);

 /**
  * Initialize the module's outgoing connection settings. This runs
  * in Apache's "post-config" phase after mod_proxy.
  */
 apr_status_t tls_core_init_outgoing(apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server);

 /**
  * Supply a directory configuration for the connection to work with. This
  * maybe NULL. This can be called several times during the lifetime of a
  * connection and must not change the current TLS state.
  * @param c the connection
  * @param dir_conf optional directory configuration that applies
  */
 void tls_core_conn_bind(conn_rec *c, ap_conf_vector_t *dir_conf);

 /**
  * Disable TLS on a new connection. Will do nothing on already initialized
  * connections.
  * @param c a new connection
  */
 void tls_core_conn_disable(conn_rec *c);

 /**
  * Initialize the tls_conf_connt_t for the connection
  * and decide if TLS is enabled or not.
  * @return OK if enabled, DECLINED otherwise
  */
 int tls_core_pre_conn_init(conn_rec *c);

 /**
  * Initialize the module for a TLS enabled connection.
  * @param c a new connection
  */
 apr_status_t tls_core_conn_init(conn_rec *c);

 /**
  * Called when the ClientHello has been received and values from it
  * have been extracted into the `tls_conf_conn_t` of the connection.
  *
  * Decides:
  * - which `server_rec` this connection is for (SNI)
  * - which application protocol to use (ALPN)
  * This may be unsuccessful for several reasons. The SNI
  * from the client may not be known or the selected server
  * has not certificates available. etc.
  * On success, a proper `rustls_connection` will have been
  * created and set in the `tls_conf_conn_t` of the connection.
  */
 apr_status_t tls_core_conn_seen_client_hello(conn_rec *c);

 /**
  * The TLS handshake for the connection has been successfully performed.
  * This means that TLS related properties, such as TLS version and cipher,
  * are known and the props in `tls_conf_conn_t` of the connection
  * can be set.
  */
 apr_status_t tls_core_conn_post_handshake(conn_rec *c);

 /**
  * After a request has been read, but before processing is started, we
  * check if everything looks good to us:
  * - was an SNI hostname provided by the client when we have vhosts to choose from?
  *   if not, we deny it.
  * - if the SNI hostname and request host are not the same, are they - from TLS
  *   point of view - 'compatible' enough? For example, if one server requires
  *   client certificates and the other not (or with different settings), such
  *   a request will also be denied.
  * returns DECLINED if everything is ok, otherwise an HTTP response code to
  *   generate an error page for.
  */
 int tls_core_request_check(request_rec *r);

 /**
  * A Rustls error happened while processing the connection. Look up an
  * error description, determine the apr_status_t to use for it and remember
  * this as the last error at tls_conf_conn_t.
  */
 apr_status_t tls_core_error(conn_rec *c, rustls_result rr, const char **perrstr);

 /**
  * Determine if we handle the TLS for an outgoing connection or not.
  * @param c the connection
  * @return OK if we handle the TLS, DECLINED otherwise.
  */
 int tls_core_setup_outgoing(conn_rec *c);

 #endif /* tls_core_h */
	/* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	#ifndef tls_core_h
	#define tls_core_h

	/* The module's state handling of a connection in normal chronological order,
	*/
	typedef enum {
	TLS_CONN_ST_INIT, /* being initialized */
	TLS_CONN_ST_DISABLED, /* TLS is disabled here */
	TLS_CONN_ST_CLIENT_HELLO, /* TLS is enabled, prep handshake */
	TLS_CONN_ST_HANDSHAKE, /* TLS is enabled, handshake ongonig */
	TLS_CONN_ST_TRAFFIC, /* TLS is enabled, handshake done */
	TLS_CONN_ST_NOTIFIED, /* TLS is enabled, notification to end sent */
	TLS_CONN_ST_DONE, /* TLS is enabled, TLS has shut down */
	} tls_conn_state_t;

	#define TLS_CONN_ST_IS_ENABLED(cc) (cc && cc->state >= TLS_CONN_ST_CLIENT_HELLO)

	struct tls_filter_ctx_t;

	/* The modules configuration for a connection. Created at connection
	* start and mutable during the lifetime of the connection.
	* (A conn_rec is only ever processed by one thread at a time.)
	*/
	typedef struct {
	server_rec server; / the server_rec selected for this connection,
	* initially c->base_server, to be negotiated via SNI. */
	tls_conf_dir_t dc; / directory config applying here */
	tls_conn_state_t state;
	int outgoing; /* != 0 iff outgoing connection (redundant once c->outgoing is everywhere) */
	int service_unavailable; /* we 503 all requests on this connection */
	tls_client_auth_t client_auth; /* how client authentication with certificates is used */
	int client_hello_seen; /* the client hello has been inspected */

	rustls_connection rustls_connection; / the session used on this connection or NULL */
	const rustls_server_config rustls_server_config; / the config made for this connection (incoming) or NULL */
	const rustls_client_config rustls_client_config; / the config made for this connection (outgoing) or NULL */
	struct tls_filter_ctx_t filter_ctx; / the context used by this connection's tls filters */

	apr_array_header_t local_keys; / rustls_certified_key* array of connection specific keys */
	const rustls_certified_key key; / the key selected for the session */
	int key_cloned; /* != 0 iff the key is a unique clone, to be freed */
	apr_array_header_t peer_certs; / handshaked peer ceritificates or NULL */
	const char sni_hostname; / the SNI value from the client hello, or NULL */
	const apr_array_header_t alpn; / the protocols proposed via ALPN by the client */
	const char application_protocol; / the ALPN selected protocol or NULL */

	int session_id_cache_hit; /* if a submitted session id was found in our cache */

	apr_uint16_t tls_protocol_id; /* the TLS version negotiated */
	const char tls_protocol_name; / the name of the TLS version negotiated */
	apr_uint16_t tls_cipher_id; /* the TLS cipher suite negotiated */
	const char tls_cipher_name; / the name of TLS cipher suite negotiated */

	const char user_name; / != NULL if we derived a TLSUserName from the client_cert */
	apr_table_t subprocess_env; / common TLS variables for this connection */

	rustls_result last_error;
	const char *last_error_descr;

	} tls_conf_conn_t;

	/* Get the connection specific module configuration. */
	tls_conf_conn_t tls_conf_conn_get(conn_rec c);

	/* Set the module configuration for a connection. */
	void tls_conf_conn_set(conn_rec c, tls_conf_conn_t cc);

	/* Return OK iff this connection is a TSL connection (or a secondary on a TLS connection). */
	int tls_conn_check_ssl(conn_rec *c);

	/**
	* Initialize the module's global and server specific settings. This runs
	* in Apache's "post-config" phase, meaning the configuration has been read
	* and checked for syntactic and other easily verifiable errors and now
	* it is time to load everything in and make it ready for traffic.
	* <p> a memory pool staying with us the whole time until the server stops/reloads.
	* <ptemp> a temporary pool as a scratch buffer that will be destroyed shortly after.
	* <base_server> the server for the global configuration which links -> next to
	* all contained virtual hosts configured.
	*/
	apr_status_t tls_core_init(apr_pool_t p, apr_pool_t ptemp, server_rec *base_server);

	/**
	* Initialize the module's outgoing connection settings. This runs
	* in Apache's "post-config" phase after mod_proxy.
	*/
	apr_status_t tls_core_init_outgoing(apr_pool_t p, apr_pool_t ptemp, server_rec *base_server);

	/**
	* Supply a directory configuration for the connection to work with. This
	* maybe NULL. This can be called several times during the lifetime of a
	* connection and must not change the current TLS state.
	* @param c the connection
	* @param dir_conf optional directory configuration that applies
	*/
	void tls_core_conn_bind(conn_rec c, ap_conf_vector_t dir_conf);

	/**
	* Disable TLS on a new connection. Will do nothing on already initialized
	* connections.
	* @param c a new connection
	*/
	void tls_core_conn_disable(conn_rec *c);

	/**
	* Initialize the tls_conf_connt_t for the connection
	* and decide if TLS is enabled or not.
	* @return OK if enabled, DECLINED otherwise
	*/
	int tls_core_pre_conn_init(conn_rec *c);

	/**
	* Initialize the module for a TLS enabled connection.
	* @param c a new connection
	*/
	apr_status_t tls_core_conn_init(conn_rec *c);

	/**
	* Called when the ClientHello has been received and values from it
	* have been extracted into the `tls_conf_conn_t` of the connection.
	*
	* Decides:
	* - which `server_rec` this connection is for (SNI)
	* - which application protocol to use (ALPN)
	* This may be unsuccessful for several reasons. The SNI
	* from the client may not be known or the selected server
	* has not certificates available. etc.
	* On success, a proper `rustls_connection` will have been
	* created and set in the `tls_conf_conn_t` of the connection.
	*/
	apr_status_t tls_core_conn_seen_client_hello(conn_rec *c);

	/**
	* The TLS handshake for the connection has been successfully performed.
	* This means that TLS related properties, such as TLS version and cipher,
	* are known and the props in `tls_conf_conn_t` of the connection
	* can be set.
	*/
	apr_status_t tls_core_conn_post_handshake(conn_rec *c);

	/**
	* After a request has been read, but before processing is started, we
	* check if everything looks good to us:
	* - was an SNI hostname provided by the client when we have vhosts to choose from?
	* if not, we deny it.
	* - if the SNI hostname and request host are not the same, are they - from TLS
	* point of view - 'compatible' enough? For example, if one server requires
	* client certificates and the other not (or with different settings), such
	* a request will also be denied.
	* returns DECLINED if everything is ok, otherwise an HTTP response code to
	* generate an error page for.
	*/
	int tls_core_request_check(request_rec *r);

	/**
	* A Rustls error happened while processing the connection. Look up an
	* error description, determine the apr_status_t to use for it and remember
	* this as the last error at tls_conf_conn_t.
	*/
	apr_status_t tls_core_error(conn_rec c, rustls_result rr, const char *perrstr);

	/**
	* Determine if we handle the TLS for an outgoing connection or not.
	* @param c the connection
	* @return OK if we handle the TLS, DECLINED otherwise.
	*/
	int tls_core_setup_outgoing(conn_rec *c);

	#endif /* tls_core_h */