Apache HTTPD
tls_conf.h
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#ifndef tls_conf_h
17#define tls_conf_h
18
19/* Configuration flags */
20#define TLS_FLAG_UNSET (-1)
21#define TLS_FLAG_FALSE (0)
22#define TLS_FLAG_TRUE (1)
23
24struct tls_proto_conf_t;
25struct tls_cert_reg_t;
26struct tls_cert_root_stores_t;
27struct tls_cert_verifiers_t;
28struct ap_socache_instance_t;
29struct ap_socache_provider_t;
30struct apr_global_mutex_t;
31
32
33/* disabled, since rustls support is lacking
34 * - x.509 retrieval of certificate fields and extensions
35 * - certificate revocation lists (CRL)
36 * - x.509 access to issuer of trust chain in x.509 CA store:
37 * server CA has ca1, ca2, ca3
38 * client present certA
39 * rustls verifies that it is signed by *one of* ca* certs
40 * OCSP check needs (certA, issuing cert) for query
41 */
42#define TLS_CLIENT_CERTS 0
43
44/* support for this exists as PR <https://github.com/rustls/rustls-ffi/pull/128>
45 */
46#define TLS_MACHINE_CERTS 1
47
48
55
62
63/* The global module configuration, created after post-config
64 * and then readonly.
65 */
66typedef struct {
67 server_rec *ap_server; /* the global server we initialized on */
68 const char *module_version;
69 const char *crustls_version;
70
71 tls_conf_status_t status;
72 int mod_proxy_post_config_done; /* if mod_proxy did its post-config things */
73
74 server_addr_rec *tls_addresses; /* the addresses/ports our engine is enabled on */
75 apr_array_header_t *proxy_configs; /* tls_conf_proxy_t* collected from everywhere */
76
77 struct tls_proto_conf_t *proto; /* TLS protocol/rustls specific globals */
78 apr_hash_t *var_lookups; /* variable lookup functions by var name */
79 struct tls_cert_reg_t *cert_reg; /* all certified keys loaded */
80 struct tls_cert_root_stores_t *stores; /* loaded certificate stores */
81 struct tls_cert_verifiers_t *verifiers; /* registry of certificate verifiers */
82
83 const char *session_cache_spec; /* how the session cache was specified */
84 const struct ap_socache_provider_t *session_cache_provider; /* provider used for session cache */
85 struct ap_socache_instance_t *session_cache; /* session cache instance */
86 struct apr_global_mutex_t *session_cache_mutex; /* global mutex for access to session cache */
87
88 const rustls_server_config *rustls_hello_config; /* used for initial client hello parsing */
89} tls_conf_global_t;
90
91/* The module configuration for a server (vhost).
92 * Populated during config parsing, merged and completed
93 * in the post config phase. Readonly after that.
94 */
95typedef struct {
96 server_rec *server; /* server this config belongs to */
97 tls_conf_global_t *global; /* global module config, singleton */
98
99 int enabled; /* TLS_FLAG_TRUE if mod_tls is active on this server */
100 apr_array_header_t *cert_specs; /* array of (tls_cert_spec_t*) of configured certificates */
101 int tls_protocol_min; /* the minimum TLS protocol version to use */
102 apr_array_header_t *tls_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
103 apr_array_header_t *tls_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
104 const apr_array_header_t *ciphersuites; /* Computed post-config, ordered list of rustls cipher suites */
105 int honor_client_order; /* honor client cipher ordering */
106 int strict_sni;
107
108 const char *client_ca; /* PEM file with trust anchors for client certs */
109 tls_client_auth_t client_auth; /* how client authentication with certificates is used */
110 const char *var_user_name; /* which SSL variable to use as user name */
111
112 apr_array_header_t *certified_keys; /* rustls_certified_key list configured */
113 int base_server; /* != 0 iff this is the base server */
114 int service_unavailable; /* TLS not trustworthy configured, return 503s */
115} tls_conf_server_t;
116
117typedef struct {
118 server_rec *defined_in; /* the server/host defining this dir_conf */
119 tls_conf_global_t *global; /* global module config, singleton */
120 const char *proxy_ca; /* PEM file with trust anchors for proxied remote server certs */
121 int proxy_protocol_min; /* the minimum TLS protocol version to use for proxy connections */
122 apr_array_header_t *proxy_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
123 apr_array_header_t *proxy_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
124 apr_array_header_t *machine_cert_specs; /* configured machine certificates specs */
125 apr_array_header_t *machine_certified_keys; /* rustls_certified_key list */
126 const rustls_client_config *rustls_config;
127} tls_conf_proxy_t;
128
129typedef struct {
130 int std_env_vars;
131 int export_cert_vars;
132 int proxy_enabled; /* TLS_FLAG_TRUE if mod_tls is active on outgoing connections */
133 const char *proxy_ca; /* PEM file with trust anchors for proxied remote server certs */
134 int proxy_protocol_min; /* the minimum TLS protocol version to use for proxy connections */
135 apr_array_header_t *proxy_pref_ciphers; /* List of apr_uint16_t cipher ids to prefer */
136 apr_array_header_t *proxy_supp_ciphers; /* List of apr_uint16_t cipher ids to suppress */
137 apr_array_header_t *proxy_machine_cert_specs; /* configured machine certificates specs */
138
139 tls_conf_proxy_t *proxy_config;
140} tls_conf_dir_t;
141
142/* our static registry of configuration directives. */
143extern const command_rec tls_conf_cmds[];
144
145/* create the modules configuration for a server_rec. */
146void *tls_conf_create_svr(apr_pool_t *pool, server_rec *s);
147
148/* merge (inherit) server configurations for the module.
149 * Settings in 'add' overwrite the ones in 'base' and unspecified
150 * settings shine through. */
151void *tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv);
152
153/* create the modules configuration for a directory. */
154void *tls_conf_create_dir(apr_pool_t *pool, char *dir);
155
156/* merge (inherit) directory configurations for the module.
157 * Settings in 'add' overwrite the ones in 'base' and unspecified
158 * settings shine through. */
159void *tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv);
160
161
162/* Get the server specific module configuration. */
163tls_conf_server_t *tls_conf_server_get(server_rec *s);
164
165/* Get the directory specific module configuration for the request. */
166tls_conf_dir_t *tls_conf_dir_get(request_rec *r);
167
168/* Get the directory specific module configuration for the server. */
169tls_conf_dir_t *tls_conf_dir_server_get(server_rec *s);
170
171/* If any configuration values are unset, supply the global server defaults. */
172apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p);
173
174/* If any configuration values are unset, supply the global dir defaults. */
175apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p);
176
177/* create a new proxy configuration from directory config in server */
178tls_conf_proxy_t *tls_conf_proxy_make(
179 apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s);
180
181int tls_proxy_section_post_config(
182 apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s,
183 ap_conf_vector_t *section_config);
184
185#endif /* tls_conf_h */
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition http_config.h:509
r
request_rec * r
Definition http_config.h:1168
size
apr_size_t size
Definition apr_allocator.h:115
pool
const char int apr_pool_t * pool
Definition apr_cstr.h:84
apr_status_t
int apr_status_t
Definition apr_errno.h:44
dir
apr_dir_t * dir
Definition apr_portable.h:240
s
const char * s
Definition apr_strings.h:95
p
apr_pool_t * p
Definition md_event.c:32
gc
static long gc(server_rec *s)
Definition mod_auth_digest.c:806
ap_socache_instance_t
Definition mod_socache_dbm.c:44
ap_socache_provider_t
Definition ap_socache.h:89
apr_array_header_t
Definition apr_tables.h:62
apr_global_mutex_t
Definition apr_arch_global_mutex.h:23
apr_hash_t
Definition apr_hash.c:75
apr_pool_t
Definition apr_pools.c:562
command_struct
Definition http_config.h:204
request_rec
A structure that represents the current request.
Definition httpd.h:845
server_addr_rec
A structure to be used for Per-vhost config.
Definition httpd.h:1301
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
tls_cert_reg_t
Definition tls_cert.h:63
tls_cert_root_stores_t
Definition tls_cert.h:134
tls_cert_verifiers_t
Definition tls_cert.h:163
tls_conf_dir_t
Definition tls_conf.h:129
tls_conf_dir_t::proxy_machine_cert_specs
apr_array_header_t * proxy_machine_cert_specs
Definition tls_conf.h:137
tls_conf_dir_t::proxy_ca
const char * proxy_ca
Definition tls_conf.h:133
tls_conf_dir_t::proxy_supp_ciphers
apr_array_header_t * proxy_supp_ciphers
Definition tls_conf.h:136
tls_conf_dir_t::proxy_enabled
int proxy_enabled
Definition tls_conf.h:132
tls_conf_dir_t::proxy_pref_ciphers
apr_array_header_t * proxy_pref_ciphers
Definition tls_conf.h:135
tls_conf_dir_t::proxy_protocol_min
int proxy_protocol_min
Definition tls_conf.h:134
tls_conf_dir_t::std_env_vars
int std_env_vars
Definition tls_conf.h:130
tls_conf_dir_t::proxy_config
tls_conf_proxy_t * proxy_config
Definition tls_conf.h:139
tls_conf_dir_t::export_cert_vars
int export_cert_vars
Definition tls_conf.h:131
tls_conf_global_t
Definition tls_conf.h:66
tls_conf_global_t::session_cache_provider
const struct ap_socache_provider_t * session_cache_provider
Definition tls_conf.h:84
tls_conf_global_t::session_cache_spec
const char * session_cache_spec
Definition tls_conf.h:83
tls_conf_global_t::module_version
const char * module_version
Definition tls_conf.h:68
tls_conf_global_t::mod_proxy_post_config_done
int mod_proxy_post_config_done
Definition tls_conf.h:72
tls_conf_global_t::proxy_configs
apr_array_header_t * proxy_configs
Definition tls_conf.h:75
tls_conf_global_t::status
tls_conf_status_t status
Definition tls_conf.h:71
tls_conf_global_t::tls_addresses
server_addr_rec * tls_addresses
Definition tls_conf.h:74
tls_conf_global_t::cert_reg
struct tls_cert_reg_t * cert_reg
Definition tls_conf.h:79
tls_conf_global_t::stores
struct tls_cert_root_stores_t * stores
Definition tls_conf.h:80
tls_conf_global_t::verifiers
struct tls_cert_verifiers_t * verifiers
Definition tls_conf.h:81
tls_conf_global_t::session_cache_mutex
struct apr_global_mutex_t * session_cache_mutex
Definition tls_conf.h:86
tls_conf_global_t::session_cache
struct ap_socache_instance_t * session_cache
Definition tls_conf.h:85
tls_conf_global_t::proto
struct tls_proto_conf_t * proto
Definition tls_conf.h:77
tls_conf_global_t::var_lookups
apr_hash_t * var_lookups
Definition tls_conf.h:78
tls_conf_global_t::crustls_version
const char * crustls_version
Definition tls_conf.h:69
tls_conf_global_t::ap_server
server_rec * ap_server
Definition tls_conf.h:67
tls_conf_global_t::rustls_hello_config
const rustls_server_config * rustls_hello_config
Definition tls_conf.h:88
tls_conf_proxy_t
Definition tls_conf.h:117
tls_conf_proxy_t::rustls_config
const rustls_client_config * rustls_config
Definition tls_conf.h:126
tls_conf_proxy_t::proxy_supp_ciphers
apr_array_header_t * proxy_supp_ciphers
Definition tls_conf.h:123
tls_conf_proxy_t::proxy_pref_ciphers
apr_array_header_t * proxy_pref_ciphers
Definition tls_conf.h:122
tls_conf_proxy_t::machine_certified_keys
apr_array_header_t * machine_certified_keys
Definition tls_conf.h:125
tls_conf_proxy_t::defined_in
server_rec * defined_in
Definition tls_conf.h:118
tls_conf_proxy_t::machine_cert_specs
apr_array_header_t * machine_cert_specs
Definition tls_conf.h:124
tls_conf_proxy_t::proxy_ca
const char * proxy_ca
Definition tls_conf.h:120
tls_conf_proxy_t::proxy_protocol_min
int proxy_protocol_min
Definition tls_conf.h:121
tls_conf_proxy_t::global
tls_conf_global_t * global
Definition tls_conf.h:119
tls_conf_server_t
Definition tls_conf.h:95
tls_conf_server_t::certified_keys
apr_array_header_t * certified_keys
Definition tls_conf.h:112
tls_conf_server_t::strict_sni
int strict_sni
Definition tls_conf.h:106
tls_conf_server_t::client_ca
const char * client_ca
Definition tls_conf.h:108
tls_conf_server_t::client_auth
tls_client_auth_t client_auth
Definition tls_conf.h:109
tls_conf_server_t::tls_supp_ciphers
apr_array_header_t * tls_supp_ciphers
Definition tls_conf.h:103
tls_conf_server_t::tls_pref_ciphers
apr_array_header_t * tls_pref_ciphers
Definition tls_conf.h:102
tls_conf_server_t::enabled
int enabled
Definition tls_conf.h:99
tls_conf_server_t::server
server_rec * server
Definition tls_conf.h:96
tls_conf_server_t::cert_specs
apr_array_header_t * cert_specs
Definition tls_conf.h:100
tls_conf_server_t::var_user_name
const char * var_user_name
Definition tls_conf.h:110
tls_conf_server_t::honor_client_order
int honor_client_order
Definition tls_conf.h:105
tls_conf_server_t::service_unavailable
int service_unavailable
Definition tls_conf.h:114
tls_conf_server_t::ciphersuites
const apr_array_header_t * ciphersuites
Definition tls_conf.h:104
tls_conf_server_t::tls_protocol_min
int tls_protocol_min
Definition tls_conf.h:101
tls_conf_server_t::global
tls_conf_global_t * global
Definition tls_conf.h:97
tls_conf_server_t::base_server
int base_server
Definition tls_conf.h:113
tls_proto_conf_t
Definition tls_proto.h:40
tls_conf_status_t
tls_conf_status_t
Definition tls_conf.h:56
TLS_CONF_ST_DONE
@ TLS_CONF_ST_DONE
Definition tls_conf.h:60
TLS_CONF_ST_INIT
@ TLS_CONF_ST_INIT
Definition tls_conf.h:57
TLS_CONF_ST_OUTGOING_DONE
@ TLS_CONF_ST_OUTGOING_DONE
Definition tls_conf.h:59
TLS_CONF_ST_INCOMING_DONE
@ TLS_CONF_ST_INCOMING_DONE
Definition tls_conf.h:58
tls_conf_merge_svr
void * tls_conf_merge_svr(apr_pool_t *pool, void *basev, void *addv)
Definition tls_conf.c:99
tls_conf_create_dir
void * tls_conf_create_dir(apr_pool_t *pool, char *dir)
Definition tls_conf.c:138
tls_conf_cmds
const command_rec tls_conf_cmds[]
Definition tls_conf.c:736
tls_client_auth_t
tls_client_auth_t
Definition tls_conf.h:49
TLS_CLIENT_AUTH_REQUIRED
@ TLS_CLIENT_AUTH_REQUIRED
Definition tls_conf.h:52
TLS_CLIENT_AUTH_OPTIONAL
@ TLS_CLIENT_AUTH_OPTIONAL
Definition tls_conf.h:53
TLS_CLIENT_AUTH_NONE
@ TLS_CLIENT_AUTH_NONE
Definition tls_conf.h:51
TLS_CLIENT_AUTH_UNSET
@ TLS_CLIENT_AUTH_UNSET
Definition tls_conf.h:50
tls_conf_dir_apply_defaults
apr_status_t tls_conf_dir_apply_defaults(tls_conf_dir_t *dc, apr_pool_t *p)
Definition tls_conf.c:214
tls_proxy_section_post_config
int tls_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
Definition tls_conf.c:238
tls_conf_merge_dir
void * tls_conf_merge_dir(apr_pool_t *pool, void *basev, void *addv)
Definition tls_conf.c:187
tls_conf_create_svr
void * tls_conf_create_svr(apr_pool_t *pool, server_rec *s)
Definition tls_conf.c:78
tls_conf_proxy_make
tls_conf_proxy_t * tls_conf_proxy_make(apr_pool_t *p, tls_conf_dir_t *dc, tls_conf_global_t *gc, server_rec *s)
Definition tls_conf.c:223
tls_conf_server_get
tls_conf_server_t * tls_conf_server_get(server_rec *s)
Definition tls_conf.c:68
tls_conf_server_apply_defaults
apr_status_t tls_conf_server_apply_defaults(tls_conf_server_t *sc, apr_pool_t *p)
Definition tls_conf.c:203
tls_conf_dir_get
tls_conf_dir_t * tls_conf_dir_get(request_rec *r)
Definition tls_conf.c:124
tls_conf_dir_server_get
tls_conf_dir_t * tls_conf_dir_server_get(server_rec *s)
Definition tls_conf.c:131
Generated by doxygen 1.9.8