tls_filter.c File Reference
module tls_module
#include <assert.h>
#include <apr_lib.h>
#include <apr_strings.h>
#include <httpd.h>
#include <http_connection.h>
#include <http_core.h>
#include <http_request.h>
#include <http_log.h>
#include <ap_socache.h>
#include <rustls.h>
#include "tls_proto.h"
#include "tls_conf.h"
#include "tls_core.h"
#include "tls_filter.h"
#include "tls_util.h"


Macros

/* Compile-time switch. NOTE(review): presumably selects tls_write_vectored_callback
 * over tls_write_callback as the rustls write callback -- confirm in tls_filter.c. */
#define TLS_WRITE_VECTORED   1
 
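/* Chunk size expressed as a multiple of TLS_PREF_PLAIN_CHUNK_SIZE (defined elsewhere);
 * presumably the slice size used when feeding file buckets to rustls -- confirm at use.
 * The expansion is parenthesized so the product stays intact inside a larger
 * expression such as `len / TLS_FILE_CHUNK_SIZE` or `x % TLS_FILE_CHUNK_SIZE`. */
#define TLS_FILE_CHUNK_SIZE   (4 * TLS_PREF_PLAIN_CHUNK_SIZE)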
 

Functions

static rustls_io_result tls_read_callback (void *userdata, unsigned char *buf, size_t n, size_t *out_n)
 
static apr_status_t read_tls_to_rustls (tls_filter_ctx_t *fctx, apr_size_t len, apr_read_type_e block, int errors_expected)
 
static apr_status_t fout_pass_tls_to_net (tls_filter_ctx_t *fctx)
 
static apr_status_t fout_pass_all_to_net (tls_filter_ctx_t *fctx, int flush)
 
static apr_status_t filter_abort (tls_filter_ctx_t *fctx)
 
static apr_status_t filter_recv_client_hello (tls_filter_ctx_t *fctx)
 
static apr_status_t filter_send_client_hello (tls_filter_ctx_t *fctx)
 
static apr_status_t filter_do_handshake (tls_filter_ctx_t *fctx)
 
static apr_status_t progress_tls_atleast_to (tls_filter_ctx_t *fctx, tls_conn_state_t state)
 
static apr_status_t filter_conn_input (ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes)
 
static rustls_io_result tls_write_callback (void *userdata, const unsigned char *buf, size_t n, size_t *out_n)
 
static rustls_io_result tls_write_vectored_callback (void *userdata, const rustls_iovec *riov, size_t count, size_t *out_n)
 
static apr_status_t fout_pass_rustls_to_tls (tls_filter_ctx_t *fctx)
 
static apr_status_t fout_pass_buf_to_rustls (tls_filter_ctx_t *fctx, const char *buf, apr_size_t len)
 
static apr_status_t fout_pass_all_to_tls (tls_filter_ctx_t *fctx)
 
static apr_status_t fout_add_bucket_to_plain (tls_filter_ctx_t *fctx, apr_bucket *b)
 
static apr_status_t fout_add_bucket_to_tls (tls_filter_ctx_t *fctx, apr_bucket *b)
 
static apr_status_t fout_append_plain (tls_filter_ctx_t *fctx, apr_bucket *b)
 
static apr_status_t filter_conn_output (ap_filter_t *f, apr_bucket_brigade *bb)
 
int tls_filter_pre_conn_init (conn_rec *c)
 
void tls_filter_conn_init (conn_rec *c)
 
void tls_filter_register (apr_pool_t *pool)
 

Variables

/* Per-module log index consulted by the ap_log_* macros so this file's log lines
 * are attributed to tls_module. NOTE(review): matches what APLOG_USE_MODULE(tls)
 * expands to -- confirm. */
static int *const aplog_module_index = &( tls_module.module_index)
 

Macro Definition Documentation

◆ TLS_FILE_CHUNK_SIZE

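/* Chunk size expressed as a multiple of TLS_PREF_PLAIN_CHUNK_SIZE (defined elsewhere);
 * presumably the slice size used when feeding file buckets to rustls -- confirm at use.
 * The expansion is parenthesized so the product stays intact inside a larger
 * expression such as `len / TLS_FILE_CHUNK_SIZE` or `x % TLS_FILE_CHUNK_SIZE`. */
#define TLS_FILE_CHUNK_SIZE   (4 * TLS_PREF_PLAIN_CHUNK_SIZE)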

◆ TLS_WRITE_VECTORED

/* Compile-time switch. NOTE(review): presumably selects tls_write_vectored_callback
 * over tls_write_callback as the rustls write callback -- confirm in tls_filter.c. */
#define TLS_WRITE_VECTORED   1

Definition at line 569 of file tls_filter.c.

Function Documentation

◆ filter_abort()

static apr_status_t filter_abort ( tls_filter_ctx_t fctx)
static

Definition at line 181 of file tls_filter.c.

◆ filter_conn_input()

static apr_status_t filter_conn_input ( ap_filter_t f,
apr_bucket_brigade bb,
ap_input_mode_t  mode,
apr_read_type_e  block,
apr_off_t  readbytes 
)
static

The connection filter converting TLS encrypted network data into plain, unencrypted traffic data to be processed by the filters above it in the filter chain.

Unfortunately, Apache's filter infrastructure imposes considerable implementation complexity on its input filters, to serve the various read modes that (mainly) its HTTP/1.x parser finds convenient:

<bb> the bucket brigade to place the data into. <mode> one of

  • AP_MODE_READBYTES: just add up to <readbytes> data into <bb>
  • AP_MODE_GETLINE: make a best effort to get data up to and including a CRLF. It can be less, but not more than that.
  • AP_MODE_EATCRLF: never used; this filter does not support it and treats it as an error.
  • AP_MODE_SPECULATIVE: read data without consuming it.
  • AP_MODE_EXHAUSTIVE: never used; this filter does not support it and treats it as an error.
  • AP_MODE_INIT: called once per connection. Must be passed down the filter chain, giving every filter the chance to "INIT".

<block> whether to do blocking or non-blocking reads. <readbytes> maximum amount of data to add to <bb>; appears to be 0 for GETLINE.

Definition at line 380 of file tls_filter.c.

◆ filter_conn_output()

static apr_status_t filter_conn_output ( ap_filter_t f,
apr_bucket_brigade bb 
)
static

The connection filter converting plain, unencrypted traffic data into TLS encrypted bytes and sending them down the Apache filter chain out to the network.

<bb> the data to send, including "meta data" such as FLUSH indicators that force filters to write out any data they have set aside (the Apache term for 'buffering'). The buckets in <bb> must be completely consumed, i.e. <bb> is empty on a successful return; unless FLUSHed, however, a filter may hold buckets back internally for various reasons. In all cases buckets must be processed in the order they arrive.

Definition at line 872 of file tls_filter.c.

◆ filter_do_handshake()

static apr_status_t filter_do_handshake ( tls_filter_ctx_t fctx)
static

While <fctx->cc->rustls_connection> indicates that a handshake is ongoing, write the TLS data it produces out to the network and feed TLS data read from the network into the server session.

Returns
APR_SUCCESS when the handshake is completed

Definition at line 274 of file tls_filter.c.

◆ filter_recv_client_hello()

static apr_status_t filter_recv_client_hello ( tls_filter_ctx_t fctx)
static

Definition at line 198 of file tls_filter.c.

◆ filter_send_client_hello()

static apr_status_t filter_send_client_hello ( tls_filter_ctx_t fctx)
static

Definition at line 248 of file tls_filter.c.

◆ fout_add_bucket_to_plain()

static apr_status_t fout_add_bucket_to_plain ( tls_filter_ctx_t fctx,
apr_bucket b 
)
static

Definition at line 687 of file tls_filter.c.

◆ fout_add_bucket_to_tls()

static apr_status_t fout_add_bucket_to_tls ( tls_filter_ctx_t fctx,
apr_bucket b 
)
static

Definition at line 720 of file tls_filter.c.

◆ fout_append_plain()

static apr_status_t fout_append_plain ( tls_filter_ctx_t fctx,
apr_bucket b 
)
static

Definition at line 738 of file tls_filter.c.

◆ fout_pass_all_to_net()

static apr_status_t fout_pass_all_to_net ( tls_filter_ctx_t fctx,
int  flush 
)
static

Definition at line 672 of file tls_filter.c.

◆ fout_pass_all_to_tls()

static apr_status_t fout_pass_all_to_tls ( tls_filter_ctx_t fctx)
static

Definition at line 654 of file tls_filter.c.

◆ fout_pass_buf_to_rustls()

static apr_status_t fout_pass_buf_to_rustls ( tls_filter_ctx_t fctx,
const char buf,
apr_size_t  len 
)
static

Definition at line 614 of file tls_filter.c.

◆ fout_pass_rustls_to_tls()

static apr_status_t fout_pass_rustls_to_tls ( tls_filter_ctx_t fctx)
static

Read TLS encrypted data from <fctx->cc->rustls_connection> and pass it down Apache's filter chain to the network.

For now the data is always FLUSHed, since that is what the handshake requires.

Definition at line 576 of file tls_filter.c.

◆ fout_pass_tls_to_net()

static apr_status_t fout_pass_tls_to_net ( tls_filter_ctx_t fctx)
static

Definition at line 163 of file tls_filter.c.

◆ progress_tls_atleast_to()

static apr_status_t progress_tls_atleast_to ( tls_filter_ctx_t fctx,
tls_conn_state_t  state 
)
static

Definition at line 314 of file tls_filter.c.

◆ read_tls_to_rustls()

static apr_status_t read_tls_to_rustls ( tls_filter_ctx_t fctx,
apr_size_t  len,
apr_read_type_e  block,
int  errors_expected 
)
static

Provide TLS encrypted data to the rustls server_session in <fctx->cc->rustls_connection>.

If <fctx->fin_tls_bb> holds data, take it from there. Otherwise perform a read via the network filters below us into that brigade.

<fctx->fin_block> determines whether the initial read is blocking or not. If the first read did not produce enough data, any secondary read is done non-blocking.

If any data was added to <fctx->cc->rustls_connection>, its "processing" function is called to handle the added data before returning.

Definition at line 63 of file tls_filter.c.

◆ tls_filter_conn_init()

void tls_filter_conn_init ( conn_rec c)

Initialize the connection for use, perform the TLS handshake.

Any failure aborts the connection rather than leaving it open without a completed TLS handshake.

Definition at line 989 of file tls_filter.c.

◆ tls_filter_pre_conn_init()

int tls_filter_pre_conn_init ( conn_rec c)

Initialize the pre_connection state. Install all filters.

Returns
OK if TLS on connection is enabled, DECLINED otherwise

OK: the module has handled this stage. DECLINED: the module declines to handle it.

Definition at line 927 of file tls_filter.c.

◆ tls_filter_register()

void tls_filter_register ( apr_pool_t pool)

Register the in-/output filters for converting TLS to application data and vice versa.

Definition at line 1011 of file tls_filter.c.

◆ tls_read_callback()

static rustls_io_result tls_read_callback ( void *  userdata,
unsigned char buf,
size_t  n,
size_t out_n 
)
static

Definition at line 40 of file tls_filter.c.

◆ tls_write_callback()

static rustls_io_result tls_write_callback ( void *  userdata,
const unsigned char buf,
size_t  n,
size_t out_n 
)
static

Definition at line 522 of file tls_filter.c.

◆ tls_write_vectored_callback()

static rustls_io_result tls_write_vectored_callback ( void *  userdata,
const rustls_iovec riov,
size_t  count,
size_t out_n 
)
static

Definition at line 547 of file tls_filter.c.

Variable Documentation

◆ aplog_module_index

int* const aplog_module_index = &( tls_module.module_index)
static

Definition at line 37 of file tls_filter.c.