Apache2
ssl_private.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SSL_PRIVATE_H
18 #define SSL_PRIVATE_H
19 
30 #include "ap_config.h"
31 #include "httpd.h"
32 #include "http_config.h"
33 #include "http_core.h"
34 #include "http_log.h"
35 #include "http_main.h"
36 #include "http_connection.h"
37 #include "http_request.h"
38 #include "http_protocol.h"
39 #include "http_ssl.h"
40 #include "http_vhost.h"
41 #include "util_script.h"
42 #include "util_filter.h"
43 #include "util_ebcdic.h"
44 #include "util_mutex.h"
45 #include "apr.h"
46 #include "apr_strings.h"
47 #define APR_WANT_STRFUNC
48 #define APR_WANT_MEMFUNC
49 #include "apr_want.h"
50 #include "apr_tables.h"
51 #include "apr_lib.h"
52 #include "apr_fnmatch.h"
53 #include "apr_strings.h"
54 #include "apr_global_mutex.h"
55 #include "apr_optional.h"
56 #include "ap_socache.h"
57 #include "mod_auth.h"
58 
59 /* The #ifdef macros are only defined AFTER including the above
60  * therefore we cannot include these system files at the top :-(
61  */
62 #if APR_HAVE_STDLIB_H
63 #include <stdlib.h>
64 #endif
65 #if APR_HAVE_SYS_TIME_H
66 #include <sys/time.h>
67 #endif
68 #if APR_HAVE_UNISTD_H
69 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
70 #endif
71 
72 #ifndef FALSE
73 #define FALSE 0
74 #endif
75 
76 #ifndef TRUE
77 #define TRUE !FALSE
78 #endif
79 
80 #ifndef BOOL
81 #define BOOL unsigned int
82 #endif
83 
84 #include "ap_expr.h"
85 
86 /* keep first for compat API */
87 #ifndef OPENSSL_API_COMPAT
88 #define OPENSSL_API_COMPAT 0x10101000 /* for ENGINE_ API */
89 #endif
90 #include "mod_ssl_openssl.h"
91 
92 /* OpenSSL headers */
93 #include <openssl/err.h>
94 #include <openssl/x509.h>
95 #include <openssl/pem.h>
96 #include <openssl/crypto.h>
97 #include <openssl/evp.h>
98 #include <openssl/rand.h>
99 #include <openssl/x509v3.h>
100 #include <openssl/x509_vfy.h>
101 #include <openssl/ocsp.h>
102 #include <openssl/dh.h>
103 #if OPENSSL_VERSION_NUMBER >= 0x30000000
104 #include <openssl/core_names.h>
105 #endif
106 
107 /* Avoid tripping over an engine build installed globally and detected
108  * when the user points at an explicit non-engine flavor of OpenSSL
109  */
110 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \
111  && (OPENSSL_VERSION_NUMBER < 0x30000000 \
112  || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
113  && !defined(OPENSSL_NO_ENGINE)
114 #include <openssl/engine.h>
115 #define MODSSL_HAVE_ENGINE_API 1
116 #endif
117 #ifndef MODSSL_HAVE_ENGINE_API
118 #define MODSSL_HAVE_ENGINE_API 0
119 #endif
120 
121 /* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with
122  * OpenSSL 3.0
123  */
124 #if OPENSSL_VERSION_NUMBER >= 0x30000000
125 #define MODSSL_HAVE_OPENSSL_STORE 1
126 #else
127 #define MODSSL_HAVE_OPENSSL_STORE 0
128 #endif
129 
130 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
131 #error mod_ssl requires OpenSSL 0.9.8a or later
132 #endif
133 
140 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
141 #define MODSSL_SSL_CIPHER_CONST const
142 #define MODSSL_SSL_METHOD_CONST const
143 #else
144 #define MODSSL_SSL_CIPHER_CONST
145 #define MODSSL_SSL_METHOD_CONST
146 #endif
147 
148 #if defined(LIBRESSL_VERSION_NUMBER)
149 /* Missing from LibreSSL */
150 #if LIBRESSL_VERSION_NUMBER < 0x2060000f
151 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
152 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
153 #define SSL_CTX_set_min_proto_version(ctx, version) \
154  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
155 #define SSL_CTX_set_max_proto_version(ctx, version) \
156  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
157 #endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
158 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
159  * include most changes from OpenSSL >= 1.1 (new functions, macros,
160  * deprecations, ...), so we have to work around this...
161  */
162 #if LIBRESSL_VERSION_NUMBER < 0x2070000f
163 #define MODSSL_USE_OPENSSL_PRE_1_1_API 1
164 #else
165 #define MODSSL_USE_OPENSSL_PRE_1_1_API 0
166 #endif
167 #else /* defined(LIBRESSL_VERSION_NUMBER) */
168 #if OPENSSL_VERSION_NUMBER < 0x10100000L
169 #define MODSSL_USE_OPENSSL_PRE_1_1_API 1
170 #else
171 #define MODSSL_USE_OPENSSL_PRE_1_1_API 0
172 #endif
173 #endif /* defined(LIBRESSL_VERSION_NUMBER) */
174 
175 #if OPENSSL_VERSION_NUMBER < 0x10101000
176 #define MODSSL_USE_SSLRAND
177 #endif
178 
179 #if defined(OPENSSL_FIPS) || OPENSSL_VERSION_NUMBER >= 0x30000000L
180 #define HAVE_FIPS
181 #endif
182 
183 #if defined(SSL_OP_NO_TLSv1_2)
184 #define HAVE_TLSV1_X
185 #endif
186 
187 #if defined(SSL_CONF_FLAG_FILE)
188 #define HAVE_SSL_CONF_CMD
189 #endif
190 
191 /* session id constness */
192 #if MODSSL_USE_OPENSSL_PRE_1_1_API
193 #define IDCONST
194 #else
195 #define IDCONST const
196 #endif
197 
202 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
203 
204 #define HAVE_TLSEXT
205 
206 /* ECC: make sure we have at least 1.0.0 */
207 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
208 #define HAVE_ECC
209 #endif
210 
211 /* OCSP stapling */
212 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
213 #define HAVE_OCSP_STAPLING
214 /* All exist but are no longer macros since OpenSSL 1.1.0 */
215 #if OPENSSL_VERSION_NUMBER < 0x10100000L
216 /* backward compatibility with OpenSSL < 1.0 */
217 #ifndef sk_OPENSSL_STRING_num
218 #define sk_OPENSSL_STRING_num sk_num
219 #endif
220 #ifndef sk_OPENSSL_STRING_value
221 #define sk_OPENSSL_STRING_value sk_value
222 #endif
223 #ifndef sk_OPENSSL_STRING_pop
224 #define sk_OPENSSL_STRING_pop sk_pop
225 #endif
226 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
227 #endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
228 
229 /* TLS session tickets */
230 #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
231 #define HAVE_TLS_SESSION_TICKETS
232 #define TLSEXT_TICKET_KEY_LEN 48
233 #ifndef tlsext_tick_md
234 #ifdef OPENSSL_NO_SHA256
235 #define tlsext_tick_md EVP_sha1
236 #else
237 #define tlsext_tick_md EVP_sha256
238 #endif
239 #endif
240 #endif
241 
242 /* Secure Remote Password */
243 #if !defined(OPENSSL_NO_SRP) \
244  && (OPENSSL_VERSION_NUMBER < 0x30000000L \
245  || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
246  && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
247 #define HAVE_SRP
248 #include <openssl/srp.h>
249 #endif
250 
251 /* ALPN Protocol Negotiation */
252 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
253 #define HAVE_TLS_ALPN
254 #endif
255 
256 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
257 
258 #if MODSSL_USE_OPENSSL_PRE_1_1_API
259 #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
260 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
261 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
262 #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
263 #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
264 #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
265 #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
266 #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
267 #define BIO_set_init(x,v) (x->init=v)
268 #define BIO_get_data(x) (x->ptr)
269 #define BIO_set_data(x,v) (x->ptr=v)
270 #define BIO_get_shutdown(x) (x->shutdown)
271 #define BIO_set_shutdown(x,v) (x->shutdown=v)
272 #define DH_bits(x) (BN_num_bits(x->p))
273 #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509))
274 #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY))
275 #else
276 void init_bio_methods(void);
277 void free_bio_methods(void);
278 #endif
279 
280 #if OPENSSL_VERSION_NUMBER < 0x10002000L || \
281  (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
282 #define X509_STORE_CTX_get0_store(x) (x->ctx)
283 #endif
284 
285 #if OPENSSL_VERSION_NUMBER < 0x10000000L
286 #ifndef X509_STORE_CTX_get0_current_issuer
287 #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
288 #endif
289 #endif
290 
291 /* those may be deprecated */
292 #ifndef X509_get_notBefore
293 #define X509_get_notBefore X509_getm_notBefore
294 #endif
295 #ifndef X509_get_notAfter
296 #define X509_get_notAfter X509_getm_notAfter
297 #endif
298 
299 /* The SSL_CTX_set_keylog_callback() API is present in 1.1.1+.
300  *
301  * OpenSSL 3.5+ also provides optional native handling of
302  * $SSLKEYLOGFILE inside libssl, which duplicates the mod_ssl support.
303  * The mod_ssl support is hence disabled for 3.5+, unless that OpenSSL
304  * feature is itself disabled (and OPENSSL_NO_SSLKEYLOG is defined).
305  */
306 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) \
307  && (OPENSSL_VERSION_NUMBER <= 0x30500000L || defined(OPENSSL_NO_SSLKEYLOG))
308 #define HAVE_OPENSSL_KEYLOG
309 #endif
310 
311 #ifdef HAVE_FIPS
312 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
313 #define modssl_fips_is_enabled() EVP_default_properties_is_fips_enabled(NULL)
314 #define modssl_fips_enable(to) EVP_default_properties_enable_fips(NULL, (to))
315 #else
316 #define modssl_fips_is_enabled() FIPS_mode()
317 #define modssl_fips_enable(to) FIPS_mode_set((to))
318 #endif
319 #endif /* HAVE_FIPS */
320 
321 /* mod_ssl headers */
322 #include "ssl_util_ssl.h"
323 
324 APLOG_USE_MODULE(ssl);
325 
326 /*
327  * Provide reasonable default for some defines
328  */
329 #ifndef UNSET
330 #define UNSET (-1)
331 #endif
332 #ifndef NUL
333 #define NUL '\0'
334 #endif
335 #ifndef RAND_MAX
336 #include <limits.h>
337 #define RAND_MAX INT_MAX
338 #endif
339 
343 #ifndef UCHAR
344 #define UCHAR unsigned char
345 #endif
346 
350 #define strEQ(s1,s2) (strcmp(s1,s2) == 0)
351 #define strNE(s1,s2) (strcmp(s1,s2) != 0)
352 #define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
353 #define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
354 
355 #define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
356 #define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
357 #define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
358 #define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
359 
360 #define strIsEmpty(s) (s == NULL || s[0] == NUL)
361 
362 #define myConnConfig(c) \
363  ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module))
364 #define myConnConfigSet(c, val) \
365  ap_set_module_config(c->conn_config, &ssl_module, val)
366 #define mySrvConfig(srv) \
367  ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
368 #define myDirConfig(req) \
369  ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
370 #define myConnCtxConfig(c, sc) \
371  (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server)
372 #define myModConfig(srv) mySrvConfig((srv))->mc
373 #define mySrvFromConn(c) myConnConfig(c)->server
374 #define myDirConfigFromConn(c) myConnConfig(c)->dc
375 #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
376 #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
377 
381 #ifndef SSL_SESSION_CACHE_TIMEOUT
382 #define SSL_SESSION_CACHE_TIMEOUT 300
383 #endif
384 
385 /* Default setting for per-dir reneg buffer. */
386 #ifndef DEFAULT_RENEG_BUFFER_SIZE
387 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
388 #endif
389 
390 /* Default for OCSP response validity */
391 #ifndef DEFAULT_OCSP_MAX_SKEW
392 #define DEFAULT_OCSP_MAX_SKEW (60 * 5)
393 #endif
394 
395 /* Default timeout for OCSP queries */
396 #ifndef DEFAULT_OCSP_TIMEOUT
397 #define DEFAULT_OCSP_TIMEOUT 10
398 #endif
399 
403 #define SSL_OPT_NONE (0)
404 #define SSL_OPT_RELSET (1<<0)
405 #define SSL_OPT_STDENVVARS (1<<1)
406 #define SSL_OPT_EXPORTCERTDATA (1<<3)
407 #define SSL_OPT_FAKEBASICAUTH (1<<4)
408 #define SSL_OPT_STRICTREQUIRE (1<<5)
409 #define SSL_OPT_OPTRENEGOTIATE (1<<6)
410 #define SSL_OPT_LEGACYDNFORMAT (1<<7)
411 #define SSL_OPT_EXPORTCB64DATA (1<<8)
412 typedef int ssl_opt_t;
413 
417 #define SSL_PROTOCOL_NONE (0)
418 #ifndef OPENSSL_NO_SSL3
419 #define SSL_PROTOCOL_SSLV3 (1<<1)
420 #endif
421 #define SSL_PROTOCOL_TLSV1 (1<<2)
422 #ifndef OPENSSL_NO_SSL3
423 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
424 #else
425 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
426 #endif
427 #ifdef HAVE_TLSV1_X
428 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
429 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
430 #define SSL_PROTOCOL_TLSV1_3 (1<<5)
431 
432 #ifdef SSL_OP_NO_TLSv1_3
433 #define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
434 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
435  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
436 #else
437 #define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
438 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
439  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
440 #endif
441 #else
442 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
443 #endif
444 #ifndef OPENSSL_NO_SSL3
445 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
446 #else
447 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
448 #endif
449 typedef int ssl_proto_t;
450 
454 typedef enum {
455  SSL_CVERIFY_UNSET = UNSET,
456  SSL_CVERIFY_NONE = 0,
457  SSL_CVERIFY_OPTIONAL = 1,
458  SSL_CVERIFY_REQUIRE = 2,
459  SSL_CVERIFY_OPTIONAL_NO_CA = 3
460 } ssl_verify_t;
461 
462 #define SSL_VERIFY_PEER_STRICT \
463  (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
464 
465 #define ssl_verify_error_is_optional(errnum) \
466  ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
467  || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
468  || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
469  || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
470  || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) \
471  || (errnum == X509_V_ERR_CERT_HAS_EXPIRED))
472 
476 typedef enum {
477  SSL_CRLCHECK_NONE = (0),
478  SSL_CRLCHECK_LEAF = (1 << 0),
479  SSL_CRLCHECK_CHAIN = (1 << 1),
480 
481 #define SSL_CRLCHECK_FLAGS (~0x3)
482  SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
483 } ssl_crlcheck_t;
484 
488 typedef enum {
489  SSL_OCSPCHECK_NONE = (0),
490  SSL_OCSPCHECK_LEAF = (1 << 0),
491  SSL_OCSPCHECK_CHAIN = (1 << 1),
492  SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
493 } ssl_ocspcheck_t;
494 
498 typedef enum {
499  SSL_PPTYPE_UNSET = UNSET,
500  SSL_PPTYPE_BUILTIN = 0,
501  SSL_PPTYPE_FILTER = 1,
502  SSL_PPTYPE_PIPE = 2
503 } ssl_pphrase_t;
504 
508 #define SSL_PCM_EXISTS 1
509 #define SSL_PCM_ISREG 2
510 #define SSL_PCM_ISDIR 4
511 #define SSL_PCM_ISNONZERO 8
512 typedef unsigned int ssl_pathcheck_t;
513 
517 typedef enum {
518  SSL_ENABLED_UNSET = UNSET,
519  SSL_ENABLED_FALSE = 0,
520  SSL_ENABLED_TRUE = 1,
521  SSL_ENABLED_OPTIONAL = 3
522 } ssl_enabled_t;
523 
527 typedef struct {
528  const char *cpExpr;
529  ap_expr_info_t *mpExpr;
530 } ssl_require_t;
531 
535 typedef enum {
536  SSL_RSCTX_STARTUP = 1,
537  SSL_RSCTX_CONNECT = 2
538 } ssl_rsctx_t;
539 typedef enum {
540  SSL_RSSRC_BUILTIN = 1,
541  SSL_RSSRC_FILE = 2,
542  SSL_RSSRC_EXEC = 3,
543  SSL_RSSRC_EGD = 4
544 } ssl_rssrc_t;
545 typedef struct {
546  ssl_rsctx_t nCtx;
547  ssl_rssrc_t nSrc;
548  char *cpPath;
549  int nBytes;
550 } ssl_randseed_t;
551 
555 typedef struct {
556  long int nData;
557  unsigned char *cpData;
558  apr_time_t source_mtime;
559 } ssl_asn1_t;
560 
561 typedef enum {
562  RENEG_INIT = 0, /* Before initial handshake */
563  RENEG_REJECT, /* After initial handshake; any client-initiated
564  * renegotiation should be rejected */
565  RENEG_ALLOW, /* A server-initiated renegotiation is taking
566  * place (as dictated by configuration) */
567  RENEG_ABORT /* Renegotiation initiated by client, abort the
568  * connection */
569 } modssl_reneg_state;
570 
576 typedef struct SSLSrvConfigRec SSLSrvConfigRec;
577 typedef struct SSLDirConfigRec SSLDirConfigRec;
578 
579 typedef enum {
580  SSL_SHUTDOWN_TYPE_UNSET,
581  SSL_SHUTDOWN_TYPE_STANDARD,
582  SSL_SHUTDOWN_TYPE_UNCLEAN,
583  SSL_SHUTDOWN_TYPE_ACCURATE
584 } ssl_shutdown_type_e;
585 
590 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
591 typedef struct {
592  unsigned int version;
593  apr_size_t ciphers_len;
594  const unsigned char *ciphers_data;
595  apr_size_t extids_len;
596  const int *extids_data;
597  apr_size_t ecgroups_len;
598  const unsigned char *ecgroups_data;
599  apr_size_t ecformats_len;
600  const unsigned char *ecformats_data;
601  apr_size_t sigalgos_len;
602  const unsigned char *sigalgos_data;
603  apr_size_t alpn_len;
604  const unsigned char *alpn_data;
605  apr_size_t versions_len;
606  const unsigned char *versions_data;
607 } modssl_clienthello_vars;
608 #endif
609 
610 typedef struct {
611  SSL *ssl;
612  const char *client_dn;
613  X509 *client_cert;
614  ssl_shutdown_type_e shutdown_type;
615  const char *verify_info;
616  const char *verify_error;
617  int verify_depth;
618  int disabled;
619  enum {
620  NON_SSL_OK = 0, /* is SSL request, or error handling completed */
621  NON_SSL_SEND_REQLINE, /* Need to send the fake request line */
622  NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
623  NON_SSL_SET_ERROR_MSG /* Need to set the error message */
624  } non_ssl_request;
625 
626 #ifndef SSL_OP_NO_RENEGOTIATION
627  /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
628  * for the connection to block client-initiated renegotiations.
629  * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
630  * the SSL * options state with equivalent effect. */
631  modssl_reneg_state reneg_state;
632 #endif
633 
634  server_rec *server;
635  SSLDirConfigRec *dc;
636 
637  const char *cipher_suite; /* cipher suite used in last reneg */
638  int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
639  int vhost_found; /* whether we found vhost from SNI already */
640 
641 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
642  modssl_clienthello_vars *clienthello_vars; /* info from clienthello callback */
643 #endif
644 } SSLConnRec;
645 
646 /* Private keys are retained across reloads, since decryption
647  * passphrases can only be entered during startup (before detaching
648  * from a terminal). This structure is stored via the ap_retained_*
649  * API and retrieved on later module reloads. If the structure
650  * changes, the key name must be changed by increasing the digit at
651  * the end, to avoid an updated version of mod_ssl loading retained
652  * data with a different struct definition.
653  *
654  * All objects used here must be allocated from the process pool
655  * (s->process->pool) so they also survives restarts. */
656 #define MODSSL_RETAINED_KEY "mod_ssl-retained-1"
657 
658 typedef struct {
659  /* A hash table of vhost key-IDs used to index the privkeys hash,
660  * for example the string "vhost.example.com:443:0". For each
661  * (key, value) pair the value is the same as the key, allowing
662  * the keys to be retrieved on subsequent reloads rather than
663  * rellocated. ### This optimisation seems to be of dubious
664  * value. Allocating the vhost-key-ids from pconf and duping them
665  * when storing them in ->privkeys would be simpler. */
666  apr_hash_t *key_ids;
667 
668  /* A hash table of pointers to ssl_asn1_t structures. The
669  * structures are used to store private keys in raw DER format
670  * (serialized OpenSSL PrivateKey structures). The table is
671  * indexed by key-IDs from the key_ids hash table. */
672  apr_hash_t *privkeys;
673 
674  /* Do NOT add fields here without changing the key name, as above. */
675 } modssl_retained_data_t;
676 
677 typedef struct {
678  BOOL bFixed;
679 
680  /* OpenSSL SSL_SESS_CACHE_* flags: */
681  long sesscache_mode;
682 
683  /* Data retained across reloads. */
684  modssl_retained_data_t *retained;
685 
686  /* The configured provider, and associated private data
687  * structure. */
688  const ap_socache_provider_t *sesscache;
689  ap_socache_instance_t *sesscache_context;
690 
691  apr_global_mutex_t *pMutex;
692 
693 #ifdef MODSSL_USE_SSLRAND
694  pid_t pid; /* used for seeding after fork() */
695  apr_array_header_t *aRandSeed;
696 #endif
697 
698  const char *szCryptoDevice; /* ENGINE device (if available) */
699 
700 #ifdef HAVE_OCSP_STAPLING
701  const ap_socache_provider_t *stapling_cache;
702  ap_socache_instance_t *stapling_cache_context;
703  apr_global_mutex_t *stapling_cache_mutex;
704  apr_global_mutex_t *stapling_refresh_mutex;
705 #endif
706 
707 #ifdef HAVE_OPENSSL_KEYLOG
708  /* Used for logging if SSLKEYLOGFILE is set at startup. */
709  apr_file_t *keylog_file;
710 #endif
711 
712 #ifdef HAVE_FIPS
713  BOOL fips;
714 #endif
715 } SSLModConfigRec;
716 
719 typedef struct {
720  /* Lists of configured certs and keys for this server */
721  apr_array_header_t *cert_files;
722  apr_array_header_t *key_files;
723 
726  const char *ca_name_path;
727  const char *ca_name_file;
728 
729  /* TLS service for this server is suspended */
730  int service_unavailable;
731 } modssl_pk_server_t;
732 
733 typedef struct {
735  const char *cert_file;
736  const char *cert_path;
737  const char *ca_cert_file;
738  /* certs is a stack of configured cert, key pairs. */
739  STACK_OF(X509_INFO) *certs;
740  /* ca_certs contains ONLY chain certs for each item in certs.
741  * ca_certs[n] is a pointer to the (STACK_OF(X509) *) stack which
742  * holds the cert chain for the 'n'th cert in the certs stack, or
743  * NULL if no chain is configured. */
744  STACK_OF(X509) **ca_certs;
745 } modssl_pk_proxy_t;
746 
748 typedef struct {
750  const char *ca_cert_path;
751  const char *ca_cert_file;
752 
753  const char *cipher_suite;
754 
756  int verify_depth;
757  ssl_verify_t verify_mode;
758 
762  const char *tls13_ciphers;
763 } modssl_auth_ctx_t;
764 
765 #ifdef HAVE_TLS_SESSION_TICKETS
766 typedef struct {
767  const char *file_path;
768  unsigned char key_name[16];
769 #if OPENSSL_VERSION_NUMBER < 0x30000000L
770  unsigned char hmac_secret[16];
771 #else
772  OSSL_PARAM mac_params[3];
773 #endif
774  unsigned char aes_key[16];
775 } modssl_ticket_key_t;
776 #endif
777 
778 #ifdef HAVE_SSL_CONF_CMD
779 typedef struct {
780  const char *name;
781  const char *value;
782 } ssl_ctx_param_t;
783 #endif
784 
785 typedef struct {
786  SSLSrvConfigRec *sc;
787  SSL_CTX *ssl_ctx;
788 
790  modssl_pk_server_t *pks;
791  modssl_pk_proxy_t *pkp;
792 
793 #ifdef HAVE_TLS_SESSION_TICKETS
794  modssl_ticket_key_t *ticket_key;
795 #endif
796 
797  ssl_proto_t protocol;
798  int protocol_set;
799 
801  ssl_pphrase_t pphrase_dialog_type;
802  const char *pphrase_dialog_path;
803 
804  const char *cert_chain;
805 
807  const char *crl_path;
808  const char *crl_file;
809  int crl_check_mask;
810 
811 #ifdef HAVE_OCSP_STAPLING
813  BOOL stapling_enabled;
814  long stapling_resptime_skew;
815  long stapling_resp_maxage;
816  int stapling_cache_timeout;
817  BOOL stapling_return_errors;
818  BOOL stapling_fake_trylater;
819  int stapling_errcache_timeout;
820  apr_interval_time_t stapling_responder_timeout;
821  const char *stapling_force_url;
822 #endif
823 
824 #ifdef HAVE_SRP
825  char *srp_vfile;
826  char *srp_unknown_user_seed;
827  SRP_VBASE *srp_vbase;
828 #endif
829 
830  modssl_auth_ctx_t auth;
831 
832  int ocsp_mask;
833  BOOL ocsp_force_default; /* true if the default responder URL is
834  * used regardless of per-cert URL */
835  const char *ocsp_responder; /* default responder URL */
836  long ocsp_resptime_skew;
837  long ocsp_resp_maxage;
838  apr_interval_time_t ocsp_responder_timeout;
839  BOOL ocsp_use_request_nonce;
840  apr_uri_t *proxy_uri;
841 
842  BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
843  /* Declare variables for using OCSP Responder Certs for OCSP verification */
844  int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
845  const char *ocsp_certs_file; /* OCSP other certificates filename */
846  STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
847 
848 #ifdef HAVE_SSL_CONF_CMD
849  SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
850  apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
851 #endif
852 
853  BOOL ssl_check_peer_cn;
854  BOOL ssl_check_peer_name;
855  BOOL ssl_check_peer_expire;
856 } modssl_ctx_t;
857 
858 struct SSLSrvConfigRec {
859  SSLModConfigRec *mc;
860  ssl_enabled_t enabled;
861  const char *vhost_id;
862  const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
863  int session_cache_timeout;
864  BOOL cipher_server_pref;
865  modssl_ctx_t *server;
866 #ifdef HAVE_TLSEXT
867  ssl_enabled_t strict_sni_vhost_check;
868 #endif
869 #ifndef OPENSSL_NO_COMP
870  BOOL compression;
871 #endif
872  BOOL session_tickets;
873  BOOL clienthello_vars;
874 };
875 
881 struct SSLDirConfigRec {
882  BOOL bSSLRequired;
883  apr_array_header_t *aRequirement;
884  ssl_opt_t nOptions;
885  ssl_opt_t nOptionsAdd;
886  ssl_opt_t nOptionsDel;
887  const char *szCipherSuite;
888  ssl_verify_t nVerifyClient;
889  int nVerifyDepth;
890  const char *szUserName;
891  apr_size_t nRenegBufferSize;
892 
893  modssl_ctx_t *proxy;
894  BOOL proxy_enabled;
895  BOOL proxy_post_config;
896 };
897 
898 SSLSrvConfigRec *ssl_policy_lookup(apr_pool_t *pool, const char *name);
899 
905 extern module AP_MODULE_DECLARE_DATA ssl_module;
906 
908 void ssl_config_global_fix(SSLModConfigRec *);
909 BOOL ssl_config_global_isfixed(SSLModConfigRec *);
910 void *ssl_config_server_create(apr_pool_t *, server_rec *);
911 void *ssl_config_server_merge(apr_pool_t *, void *, void *);
912 void *ssl_config_perdir_create(apr_pool_t *, char *);
913 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
914 void ssl_config_proxy_merge(apr_pool_t *,
915  SSLDirConfigRec *, SSLDirConfigRec *);
916 const char *ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *);
917 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
918 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
919 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
920 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
921 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
922 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
923 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
924 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
925 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
926 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
927 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
928 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
929 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
930 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
931 const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
932 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
933 const char *ssl_cmd_SSLClientHelloVars(cmd_parms *, void *, int flag);
934 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
935 const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
936 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
937 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
938 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
939 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
940 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
941 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
942 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
943 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
944 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
945 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
946 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
947 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
948 
949 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
950 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
951 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
952 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
953 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
954 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
955 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
956 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
957 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
958 const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
959 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
960 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
961 const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
962 #ifdef HAVE_TLS_SESSION_TICKETS
963 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
964 #endif
965 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
966 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
967 const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);
968 
969 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
970 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
971 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
972 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
973 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
974 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
975 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
976 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
977 
978 /* Declare OCSP Responder Certificate Verification Directive */
979 const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
980 /* Declare OCSP Responder Certificate File Directive */
981 const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
982 
983 #ifdef HAVE_SSL_CONF_CMD
984 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
985 #endif
986 
987 #ifdef HAVE_SRP
988 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
989 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
990 #endif
991 
992 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
993 
995 apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
996 apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
997 apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
998  apr_array_header_t *);
999 apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
1000 int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
1001  apr_pool_t *ptemp, server_rec *s,
1002  ap_conf_vector_t *section_config);
1003 STACK_OF(X509_NAME)
1004  *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
1005 void ssl_init_Child(apr_pool_t *, server_rec *);
1006 apr_status_t ssl_init_ModuleKill(void *data);
1007 
1009 int ssl_hook_Auth(request_rec *);
1010 int ssl_hook_UserCheck(request_rec *);
1011 int ssl_hook_Access(request_rec *);
1012 int ssl_hook_Fixup(request_rec *);
1013 int ssl_hook_ReadReq(request_rec *);
1014 int ssl_hook_Upgrade(request_rec *);
1015 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
1016 
1018 extern const authz_provider ssl_authz_provider_require_ssl;
1019 extern const authz_provider ssl_authz_provider_verify_client;
1020 
1022 DH *ssl_callback_TmpDH(SSL *, int, int);
1023 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
1024 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
1025 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
1026 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
1027 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
1028 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
1029 void ssl_callback_Info(const SSL *, int, int);
1030 #ifdef HAVE_TLSEXT
1031 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
1032 #endif
1033 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1034 int ssl_callback_ClientHello(SSL *, int *, void *);
1035 #endif
1036 #ifdef HAVE_TLS_SESSION_TICKETS
1037 int ssl_callback_SessionTicket(SSL *ssl,
1038  unsigned char *keyname,
1039  unsigned char *iv,
1040  EVP_CIPHER_CTX *cipher_ctx,
1041 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1042  HMAC_CTX *hmac_ctx,
1043 #else
1044  EVP_MAC_CTX *mac_ctx,
1045 #endif
1046  int mode);
1047 #endif
1048 
1049 #ifdef HAVE_TLS_ALPN
1050 int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
1051  unsigned char *outlen, const unsigned char *in,
1052  unsigned int inlen, void *arg);
1053 #endif
1054 
1056 apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
1057 void ssl_scache_status_register(apr_pool_t *p);
1058 void ssl_scache_kill(server_rec *);
1059 BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int,
1060  apr_time_t, SSL_SESSION *, apr_pool_t *);
1061 SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
1062 void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int,
1063  apr_pool_t *);
1064 
1066 #ifdef HAVE_OCSP_STAPLING
1067 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
1068 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
1069 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
1070 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
1071 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
1072 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
1073 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
1074 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
1075 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
1076 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
1077 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
1078 void ssl_stapling_certinfo_hash_init(apr_pool_t *);
1079 int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
1080  modssl_ctx_t *, X509 *);
1081 #endif
1082 #ifdef HAVE_SRP
1083 int ssl_callback_SRPServerParams(SSL *, int *, void *);
1084 #endif
1085 
1086 #ifdef HAVE_OPENSSL_KEYLOG
1087 /* Callback used with SSL_CTX_set_keylog_callback. */
1088 void modssl_callback_keylog(const SSL *ssl, const char *line);
1089 #endif
1090 
1092 apr_status_t ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
1093 void ssl_io_filter_register(apr_pool_t *);
1094 void modssl_set_io_callbacks(SSL *ssl, conn_rec *c, server_rec *s);
1095 
1096 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
1097  * to allow an SSL renegotiation to take place. */
1098 int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
1099 
1100 #ifdef MODSSL_USE_SSLRAND
1102 void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
1103 #else
1104 #define ssl_rand_seed(s, p, ctx, c) /* noop */
1105 #endif
1106 
1108 char *ssl_util_vhostid(apr_pool_t *, server_rec *);
1109 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
1110  const char * const *);
1111 void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
1112 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
1113  const char * const *);
1114 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
1115 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
1116 void ssl_util_thread_setup(apr_pool_t *);
1117 void ssl_util_thread_id_setup(apr_pool_t *);
1118 #endif
1119 int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
1120 
1121 BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
1122 
1124 apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
1125  const char *, apr_array_header_t **);
1126 
1127 /* Load public and/or private key from the configured ENGINE. Private
1128  * key returned as *pkey. certid can be NULL, in which case *pubkey
1129  * is not altered. Errors logged on failure. */
1130 apr_status_t modssl_load_engine_keypair(server_rec *s,
1131  apr_pool_t *pconf, apr_pool_t *ptemp,
1132  const char *vhostid,
1133  const char *certid, const char *keyid,
1134  X509 **pubkey, EVP_PKEY **privkey);
1135 
1137 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1138 DH *modssl_dh_from_file(const char *);
1139 #else
1140 EVP_PKEY *modssl_dh_pkey_from_file(const char *);
1141 #endif
1142 #ifdef HAVE_ECC
1143 EC_GROUP *modssl_ec_group_from_file(const char *);
1144 #endif
1145 
1146 /* Store the EVP_PKEY key (serialized into DER) in the hash table with
1147  * key, returning the ssl_asn1_t structure pointer. */
1148 ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
1149  EVP_PKEY *pkey);
1150 /* Retrieve the ssl_asn1_t structure with given key from the hash. */
1151 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
1152 
1154 int ssl_mutex_init(server_rec *, apr_pool_t *);
1155 int ssl_mutex_reinit(server_rec *, apr_pool_t *);
1156 int ssl_mutex_on(server_rec *);
1157 int ssl_mutex_off(server_rec *);
1158 
1159 int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
1160 
1161 /* mutex type names for Mutex directive */
1162 #define SSL_CACHE_MUTEX_TYPE "ssl-cache"
1163 #define SSL_STAPLING_CACHE_MUTEX_TYPE "ssl-stapling"
1164 #define SSL_STAPLING_REFRESH_MUTEX_TYPE "ssl-stapling-refresh"
1165 
1166 apr_status_t ssl_die(server_rec *);
1167 
1169 void ssl_log_ssl_error(const char *, int, int, server_rec *);
1170 
1171 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
1172  * respective ap_log_*error functions and take a certificate as an
1173  * additional argument (whose details are appended to the log message).
1174  * The other arguments are interpreted exactly as with their ap_log_*error
1175  * counterparts. */
1176 void ssl_log_xerror(const char *file, int line, int level,
1177  apr_status_t rv, apr_pool_t *p, server_rec *s,
1178  X509 *cert, const char *format, ...)
1179  __attribute__((format(printf,8,9)));
1180 
1181 void ssl_log_cxerror(const char *file, int line, int level,
1182  apr_status_t rv, conn_rec *c, X509 *cert,
1183  const char *format, ...)
1184  __attribute__((format(printf,7,8)));
1185 
1186 void ssl_log_rxerror(const char *file, int line, int level,
1187  apr_status_t rv, request_rec *r, X509 *cert,
1188  const char *format, ...)
1189  __attribute__((format(printf,7,8)));
1190 
1191 #define SSLLOG_MARK __FILE__,__LINE__
1192 
1195 /* Register variables for the lifetime of the process pool 'p'. */
1196 void ssl_var_register(apr_pool_t *p);
1197 
1198 /* Matches optional function of the same name in the public API. The
1199  * pool in which to allocate the return value must be non-NULL; c
1200  * and/or r may be NULL. */
1201 const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
1202  const char *name)
1203  AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
1204 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
1205 
1206 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
1207  * allocating from 'p': */
1208 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1209 
1210 /* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
1211  * from SSL object 'ssl', allocating from 'p'. */
1212 void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1213 
1214 #ifndef OPENSSL_NO_OCSP
1215 /* Perform OCSP validation of the current cert in the given context.
1216  * Returns non-zero on success or zero on failure. On failure, the
1217  * context error code is set. */
1218 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
1219  server_rec *s, conn_rec *c, apr_pool_t *pool);
1220 
1221 /* OCSP helper interface; dispatches the given OCSP request to the
1222  * responder at the given URI. Returns the decoded OCSP response
1223  * object, or NULL on error (in which case, errors will have been
1224  * logged). Pool 'p' is used for temporary allocations. */
1225 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
1226  apr_interval_time_t timeout,
1227  OCSP_REQUEST *request,
1228  conn_rec *c, apr_pool_t *p);
1229 
1230 /* Initialize OCSP trusted certificate list */
1231 void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
1232 
1233 #endif
1234 
1235 #if MODSSL_USE_OPENSSL_PRE_1_1_API
1236 /* Retrieve DH parameters for given key length. Return value should
1237  * be treated as unmutable, since it is stored in process-global
1238  * memory. */
1239 DH *modssl_get_dh_params(unsigned keylen);
1240 #endif
1241 
1242 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
1243  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
1244  * corresponding SSLConnRec structure for the connection. */
1245 int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
1246 
1247 /* Returns non-zero if the cert/key filename should be handled through
1248  * the configured ENGINE. */
1249 int modssl_is_engine_id(const char *name);
1250 
1251 #if HAVE_VALGRIND
1252 extern int ssl_running_on_valgrind;
1253 #endif
1254 
1255 int ssl_is_challenge(conn_rec *c, const char *servername,
1256  X509 **pcert, EVP_PKEY **pkey,
1257  const char **pcert_file, const char **pkey_file);
1258 
1259 /* Set the renegotiation state for connection. */
1260 void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
1261 
1262 #endif /* SSL_PRIVATE_H */
ap_config.h
Symbol export macros and hook functions.
ap_expr.h
Expression parser.
ap_socache.h
Small object cache provider interface.
apr.h
APR Platform Definitions.
apr_fnmatch.h
APR FNMatch Functions.
apr_global_mutex.h
APR Global Locking Routines.
apr_lib.h
APR general purpose library routines.
apr_optional.h
APR-UTIL registration of functions exported by modules.
apr_strings.h
APR Strings library.
apr_tables.h
APR Table library.
apr_want.h
APR Standard Headers Support.
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition: http_config.h:512
timeout
apr_ldap_t apr_interval_time_t timeout
Definition: apr_ldap.h:1230
data
apr_ldap_t const char apr_buffer_t * data
Definition: apr_ldap.h:2210
ctx
apr_ldap_t const char const char const apr_buffer_t apr_array_header_t apr_array_header_t apr_interval_time_t apr_ldap_compare_cb void * ctx
Definition: apr_ldap.h:1566
ap_socache_instance_t
struct ap_socache_instance_t ap_socache_instance_t
Definition: ap_socache.h:49
r
request_rec * r
Definition: mod_dav.h:523
s
const char * s
Definition: mod_dav.h:1332
mode
apr_bucket_brigade ap_input_mode_t mode
Definition: mod_dav.h:2667
request
const dav_resource dav_lockdb dav_lock * request
Definition: mod_dav.h:1446
pool
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:562
uri
const char const char * uri
Definition: mod_dav.h:636
name
const char * name
Definition: mod_dav.h:810
modssl_reneg_state
modssl_reneg_state
Definition: ssl_private.h:561
ssl_cmd_SSLProxyVerify
const char * ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *)
ssl_authz_provider_require_ssl
const authz_provider ssl_authz_provider_require_ssl
ssl_cmd_SSLProxyCARevocationFile
const char * ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *)
ssl_cmd_SSLCADNRequestPath
const char * ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *)
ssl_cmd_SSLSessionCacheTimeout
const char * ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *)
ssl_callback_NewSessionCacheEntry
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *)
ssl_cmd_SSLProxyMachineCertificateChainFile
const char * ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *)
ssl_die
apr_status_t ssl_die(server_rec *)
modssl_request_is_tls
int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn)
ssl_scache_kill
void ssl_scache_kill(server_rec *)
modssl_is_engine_id
int modssl_is_engine_id(const char *name)
ssl_cmd_SSLCARevocationCheck
const char * ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *)
ssl_cmd_SSLEngine
const char * ssl_cmd_SSLEngine(cmd_parms *, void *, const char *)
ssl_log_xerror
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s, X509 *cert, const char *format,...) __attribute__((format(printf
ssl_init_CheckServers
apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *)
ssl_cmd_SSLProxyCheckPeerName
const char * ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)
ssl_cmd_SSLCARevocationPath
const char * ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *)
ssl_module
module AP_MODULE_DECLARE_DATA ssl_module
ssl_cmd_SSLOCSPOverrideResponder
const char * ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
ssl_ext_list
apr_array_header_t * ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension)
ssl_var_lookup
const char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name) AP_FN_ATTR_NONNULL((1
ssl_ocspcheck_t
ssl_ocspcheck_t
Definition: ssl_private.h:488
ssl_cmd_SSLCertificateChainFile
const char * ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *)
ssl_cmd_SSLFIPS
const char * ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
ssl_hook_Fixup
int ssl_hook_Fixup(request_rec *)
modssl_load_engine_keypair
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *pconf, apr_pool_t *ptemp, const char *vhostid, const char *certid, const char *keyid, X509 **pubkey, EVP_PKEY **privkey)
modssl_dh_from_file
DH * modssl_dh_from_file(const char *)
ssl_enabled_t
ssl_enabled_t
Definition: ssl_private.h:517
ssl_cmd_SSLVerifyClient
const char * ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *)
ssl_cmd_SSLProxyEngine
const char * ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
ssl_cmd_SSLOCSPResponseTimeSkew
const char * ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_policy_lookup
SSLSrvConfigRec * ssl_policy_lookup(apr_pool_t *pool, const char *name)
ssl_cmd_SSLCADNRequestFile
const char * ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *)
ssl_callback_TmpDH
DH * ssl_callback_TmpDH(SSL *, int, int)
ssl_scache_store
BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, apr_time_t, SSL_SESSION *, apr_pool_t *)
ssl_hook_Auth
int ssl_hook_Auth(request_rec *)
ssl_cmd_SSLOCSPDefaultResponder
const char * ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_cmd_SSLProxyCACertificateFile
const char * ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *)
ssl_rsctx_t
ssl_rsctx_t
Definition: ssl_private.h:535
ssl_cmd_SSLRenegBufferSize
const char * ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_cmd_SSLSessionTickets
const char * ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag)
ssl_init_FindCAList
* ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *)
modssl_set_io_callbacks
void modssl_set_io_callbacks(SSL *ssl, conn_rec *c, server_rec *s)
ssl_cmd_SSLProtocol
const char * ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *)
ssl_init_ssl_connection
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
ssl_cmd_SSLCARevocationFile
const char * ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *)
ssl_cmd_SSLInsecureRenegotiation
const char * ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
ssl_util_vhostid
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
ssl_cmd_SSLProxyCACertificatePath
const char * ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *)
ssl_cmd_SSLPassPhraseDialog
const char * ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *)
AP_FN_ATTR_WARN_UNUSED_RESULT
const char AP_FN_ATTR_WARN_UNUSED_RESULT
Definition: ssl_private.h:1203
ssl_callback_GetSessionCacheEntry
SSL_SESSION * ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *)
ssl_init_Module
apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *)
ssl_proto_t
int ssl_proto_t
Definition: ssl_private.h:449
ssl_scache_init
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *)
ssl_asn1_table_get
ssl_asn1_t * ssl_asn1_table_get(apr_hash_t *table, const char *key)
ssl_callback_SSLVerify_CRL
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *)
ssl_cmd_SSLHonorCipherOrder
const char * ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
ssl_verify_t
ssl_verify_t
Definition: ssl_private.h:454
modssl_verify_ocsp
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, server_rec *s, conn_rec *c, apr_pool_t *pool)
ssl_cmd_SSLProxyCARevocationPath
const char * ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *)
ssl_crlcheck_t
ssl_crlcheck_t
Definition: ssl_private.h:476
ssl_load_encrypted_pkey
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, const char *, apr_array_header_t **)
ssl_cmd_SSLOCSPResponderTimeout
const char * ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_init_ModuleKill
apr_status_t ssl_init_ModuleKill(void *data)
ssl_scache_remove
void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
ssl_cmd_SSLProxyMachineCertificatePath
const char * ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *)
ssl_util_thread_id_setup
void ssl_util_thread_id_setup(apr_pool_t *)
ssl_config_server_create
void * ssl_config_server_create(apr_pool_t *, server_rec *)
ssl_util_readfilter
char * ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, const char *const *)
ssl_cmd_SSLClientHelloVars
const char * ssl_cmd_SSLClientHelloVars(cmd_parms *, void *, int flag)
ssl_util_vhost_matches
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
ssl_cmd_SSLStrictSNIVHostCheck
const char * ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
ssl_config_perdir_merge
void * ssl_config_perdir_merge(apr_pool_t *, void *, void *)
ssl_cmd_SSLUserName
const char * ssl_cmd_SSLUserName(cmd_parms *, void *, const char *)
ssl_log_cxerror
void void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, conn_rec *c, X509 *cert, const char *format,...) __attribute__((format(printf
modssl_set_reneg_state
void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
ssl_io_filter_register
void ssl_io_filter_register(apr_pool_t *)
ssl_cmd_SSLVerifyDepth
const char * ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *)
IDCONST
#define IDCONST
Definition: ssl_private.h:193
ssl_config_global_isfixed
BOOL ssl_config_global_isfixed(SSLModConfigRec *)
modssl_get_dh_params
DH * modssl_get_dh_params(unsigned keylen)
ssl_proxy_section_post_config
int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
ssl_cmd_SSLOCSPEnable
const char * ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_config_proxy_merge
void ssl_config_proxy_merge(apr_pool_t *, SSLDirConfigRec *, SSLDirConfigRec *)
ssl_scache_status_register
void ssl_scache_status_register(apr_pool_t *p)
ssl_cmd_SSLProxyMachineCertificateFile
const char * ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *)
ssl_scache_retrieve
SSL_SESSION * ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
ssl_cmd_SSLCACertificatePath
const char * ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *)
ssl_cmd_SSLProxyCARevocationCheck
const char * ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *)
ssl_cmd_SSLProxyProtocol
const char * ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *)
ssl_io_filter_init
apr_status_t ssl_io_filter_init(conn_rec *, request_rec *r, SSL *)
ssl_cmd_SSLCompression
const char * ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)
ssl_opt_t
int ssl_opt_t
Definition: ssl_private.h:412
ssl_rssrc_t
ssl_rssrc_t
Definition: ssl_private.h:539
ssl_mutex_off
int ssl_mutex_off(server_rec *)
ssl_hook_Upgrade
int ssl_hook_Upgrade(request_rec *)
ssl_cmd_SSLRequire
const char * ssl_cmd_SSLRequire(cmd_parms *, void *, const char *)
ssl_cmd_SSLRandomSeed
const char * ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *)
UCHAR
#define UCHAR
Definition: ssl_private.h:344
ssl_log_ssl_error
void ssl_log_ssl_error(const char *, int, int, server_rec *)
ssl_pathcheck_t
unsigned int ssl_pathcheck_t
Definition: ssl_private.h:512
ssl_cmd_SSLCryptoDevice
const char * ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *)
ssl_is_challenge
int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey, const char **pcert_file, const char **pkey_file)
ssl_util_path_check
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *)
ssl_cmd_SSLOCSPResponseMaxAge
const char * ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_cmd_SSLOCSPResponderCertificateFile
const char * ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_cmd_SSLCACertificateFile
const char * ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *)
ssl_stapling_mutex_reinit
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
ssl_callback_Info
void ssl_callback_Info(const SSL *, int, int)
ssl_rand_seed
void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *)
UNSET
#define UNSET
Definition: ssl_private.h:330
ssl_cmd_SSLCipherSuite
const char * ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *)
ssl_cmd_SSLOCSPNoVerify
const char * ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
ssl_cmd_SSLRequireSSL
const char * ssl_cmd_SSLRequireSSL(cmd_parms *, void *)
ssl_cmd_SSLSessionCache
const char * ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *)
ssl_hook_ReadReq
int ssl_hook_ReadReq(request_rec *)
ssl_log_rxerror
void void void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, request_rec *r, X509 *cert, const char *format,...) __attribute__((format(printf
ssl_callback_DelSessionCacheEntry
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *)
ssl_init_Engine
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *)
ssl_cmd_SSLOCSPUseRequestNonce
const char * ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
ssl_config_perdir_create
void * ssl_config_perdir_create(apr_pool_t *, char *)
ssl_authz_provider_verify_client
const authz_provider ssl_authz_provider_verify_client
ssl_util_thread_setup
void ssl_util_thread_setup(apr_pool_t *)
ssl_cmd_SSLCertificateKeyFile
const char * ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *)
ssl_cmd_SSLProxyCheckPeerExpire
const char * ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
ssl_init_ConfigureServer
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, apr_array_header_t *)
ssl_hook_UserCheck
int ssl_hook_UserCheck(request_rec *)
ssl_hook_Access
int ssl_hook_Access(request_rec *)
ssl_cmd_SSLCertificateFile
const char * ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *)
ssl_pphrase_t
ssl_pphrase_t
Definition: ssl_private.h:498
ssl_cmd_SSLOptions
const char * ssl_cmd_SSLOptions(cmd_parms *, void *, const char *)
ssl_mutex_init
int ssl_mutex_init(server_rec *, apr_pool_t *)
modssl_var_extract_dns
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
ssl_cmd_SSLProxyCheckPeerCN
const char * ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
ssl_init_Child
void ssl_init_Child(apr_pool_t *, server_rec *)
BOOL
#define BOOL
Definition: ssl_private.h:81
APLOG_USE_MODULE
APLOG_USE_MODULE(ssl)
ssl_io_buffer_fill
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
ssl_config_server_merge
void * ssl_config_server_merge(apr_pool_t *, void *, void *)
ssl_util_ppopen
apr_file_t * ssl_util_ppopen(server_rec *, apr_pool_t *, const char *, const char *const *)
ssl_cmd_SSLProxyVerifyDepth
const char * ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *)
ssl_mutex_reinit
int ssl_mutex_reinit(server_rec *, apr_pool_t *)
ssl_cmd_SSLPolicyApply
const char * ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *)
ssl_callback_proxy_cert
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
ssl_mutex_on
int ssl_mutex_on(server_rec *)
ssl_shutdown_type_e
ssl_shutdown_type_e
Definition: ssl_private.h:579
ssl_asn1_table_set
ssl_asn1_t * ssl_asn1_table_set(apr_hash_t *table, const char *key, EVP_PKEY *pkey)
ssl_cmd_SSLProxyCipherSuite
const char * ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *)
ssl_var_register
void ssl_var_register(apr_pool_t *p)
ssl_cmd_SSLOCSPProxyURL
const char * ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_init_ocsp_certificates
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
ssl_hook_ConfigTest
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
modssl_var_extract_san_entries
void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
ssl_config_global_fix
void ssl_config_global_fix(SSLModConfigRec *)
modssl_dispatch_ocsp_request
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
ssl_util_ppclose
void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *)
ssl_callback_SSLVerify
int ssl_callback_SSLVerify(int, X509_STORE_CTX *)
RENEG_INIT
@ RENEG_INIT
Definition: ssl_private.h:562
RENEG_ALLOW
@ RENEG_ALLOW
Definition: ssl_private.h:565
RENEG_ABORT
@ RENEG_ABORT
Definition: ssl_private.h:567
RENEG_REJECT
@ RENEG_REJECT
Definition: ssl_private.h:563
SSL_OCSPCHECK_CHAIN
@ SSL_OCSPCHECK_CHAIN
Definition: ssl_private.h:491
SSL_OCSPCHECK_LEAF
@ SSL_OCSPCHECK_LEAF
Definition: ssl_private.h:490
SSL_OCSPCHECK_NONE
@ SSL_OCSPCHECK_NONE
Definition: ssl_private.h:489
SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK
@ SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK
Definition: ssl_private.h:492
SSL_ENABLED_TRUE
@ SSL_ENABLED_TRUE
Definition: ssl_private.h:520
SSL_ENABLED_UNSET
@ SSL_ENABLED_UNSET
Definition: ssl_private.h:518
SSL_ENABLED_FALSE
@ SSL_ENABLED_FALSE
Definition: ssl_private.h:519
SSL_ENABLED_OPTIONAL
@ SSL_ENABLED_OPTIONAL
Definition: ssl_private.h:521
SSL_RSCTX_CONNECT
@ SSL_RSCTX_CONNECT
Definition: ssl_private.h:537
SSL_RSCTX_STARTUP
@ SSL_RSCTX_STARTUP
Definition: ssl_private.h:536
SSL_CVERIFY_OPTIONAL
@ SSL_CVERIFY_OPTIONAL
Definition: ssl_private.h:457
SSL_CVERIFY_OPTIONAL_NO_CA
@ SSL_CVERIFY_OPTIONAL_NO_CA
Definition: ssl_private.h:459
SSL_CVERIFY_UNSET
@ SSL_CVERIFY_UNSET
Definition: ssl_private.h:455
SSL_CVERIFY_NONE
@ SSL_CVERIFY_NONE
Definition: ssl_private.h:456
SSL_CVERIFY_REQUIRE
@ SSL_CVERIFY_REQUIRE
Definition: ssl_private.h:458
SSL_CRLCHECK_NO_CRL_FOR_CERT_OK
@ SSL_CRLCHECK_NO_CRL_FOR_CERT_OK
Definition: ssl_private.h:482
SSL_CRLCHECK_LEAF
@ SSL_CRLCHECK_LEAF
Definition: ssl_private.h:478
SSL_CRLCHECK_NONE
@ SSL_CRLCHECK_NONE
Definition: ssl_private.h:477
SSL_CRLCHECK_CHAIN
@ SSL_CRLCHECK_CHAIN
Definition: ssl_private.h:479
SSL_RSSRC_EGD
@ SSL_RSSRC_EGD
Definition: ssl_private.h:543
SSL_RSSRC_BUILTIN
@ SSL_RSSRC_BUILTIN
Definition: ssl_private.h:540
SSL_RSSRC_FILE
@ SSL_RSSRC_FILE
Definition: ssl_private.h:541
SSL_RSSRC_EXEC
@ SSL_RSSRC_EXEC
Definition: ssl_private.h:542
SSL_PPTYPE_PIPE
@ SSL_PPTYPE_PIPE
Definition: ssl_private.h:502
SSL_PPTYPE_BUILTIN
@ SSL_PPTYPE_BUILTIN
Definition: ssl_private.h:500
SSL_PPTYPE_FILTER
@ SSL_PPTYPE_FILTER
Definition: ssl_private.h:501
SSL_PPTYPE_UNSET
@ SSL_PPTYPE_UNSET
Definition: ssl_private.h:499
SSL_SHUTDOWN_TYPE_STANDARD
@ SSL_SHUTDOWN_TYPE_STANDARD
Definition: ssl_private.h:581
SSL_SHUTDOWN_TYPE_UNCLEAN
@ SSL_SHUTDOWN_TYPE_UNCLEAN
Definition: ssl_private.h:582
SSL_SHUTDOWN_TYPE_ACCURATE
@ SSL_SHUTDOWN_TYPE_ACCURATE
Definition: ssl_private.h:583
SSL_SHUTDOWN_TYPE_UNSET
@ SSL_SHUTDOWN_TYPE_UNSET
Definition: ssl_private.h:580
AP_FN_ATTR_NONNULL
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT
apr_status_t
int apr_status_t
Definition: apr_errno.h:44
apr_hash_t
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
__attribute__
#define __attribute__(__x)
Definition: apr.h:72
apr_size_t
size_t apr_size_t
Definition: apr.h:401
apr_pool_t
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
apr_table_t
struct apr_table_t apr_table_t
Definition: apr_tables.h:56
apr_interval_time_t
apr_int64_t apr_interval_time_t
Definition: apr_time.h:55
apr_time_t
apr_int64_t apr_time_t
Definition: apr_time.h:45
http_config.h
Apache Configuration.
http_connection.h
Apache connection library.
http_core.h
CORE HTTP Daemon.
http_log.h
Apache Logging library.
http_main.h
Command line options.
http_protocol.h
HTTP protocol handling.
http_request.h
Apache Request library.
http_ssl.h
SSL protocol handling.
http_vhost.h
Virtual Host package.
httpd.h
HTTP Daemon routines.
STACK_OF
#define STACK_OF(x)
Definition: macros.h:26
AP_MODULE_DECLARE_DATA
#define AP_MODULE_DECLARE_DATA
Definition: macros.h:16
mod_auth.h
Authentication and Authorization Extension for Apache.
mod_ssl_openssl.h
Interface to OpenSSL-specific APIs provided by mod_ssl.
SSL_CRLCHECK_FLAGS
#define SSL_CRLCHECK_FLAGS
Definition: ssl_private.h:481
ssl_util_ssl.h
Additional Utility Functions for OpenSSL.
SSLConnRec
Definition: ssl_private.h:610
SSLConnRec::service_unavailable
int service_unavailable
Definition: ssl_private.h:638
SSLConnRec::reneg_state
modssl_reneg_state reneg_state
Definition: ssl_private.h:631
SSLConnRec::verify_error
const char * verify_error
Definition: ssl_private.h:616
SSLConnRec::verify_info
const char * verify_info
Definition: ssl_private.h:615
SSLConnRec::client_dn
const char * client_dn
Definition: ssl_private.h:612
SSLConnRec::disabled
int disabled
Definition: ssl_private.h:618
SSLConnRec::NON_SSL_SEND_REQLINE
@ NON_SSL_SEND_REQLINE
Definition: ssl_private.h:621
SSLConnRec::NON_SSL_SEND_HDR_SEP
@ NON_SSL_SEND_HDR_SEP
Definition: ssl_private.h:622
SSLConnRec::shutdown_type
ssl_shutdown_type_e shutdown_type
Definition: ssl_private.h:614
SSLConnRec::verify_depth
int verify_depth
Definition: ssl_private.h:617
SSLConnRec::dc
SSLDirConfigRec * dc
Definition: ssl_private.h:635
SSLConnRec::client_cert
X509 * client_cert
Definition: ssl_private.h:613
SSLConnRec::vhost_found
int vhost_found
Definition: ssl_private.h:639
SSLConnRec::server
server_rec * server
Definition: ssl_private.h:634
SSLConnRec::ssl
SSL * ssl
Definition: ssl_private.h:611
SSLConnRec::cipher_suite
const char * cipher_suite
Definition: ssl_private.h:637
SSLDirConfigRec
Definition: ssl_private.h:881
SSLDirConfigRec::bSSLRequired
BOOL bSSLRequired
Definition: ssl_private.h:882
SSLDirConfigRec::nVerifyClient
ssl_verify_t nVerifyClient
Definition: ssl_private.h:888
SSLDirConfigRec::nOptionsAdd
ssl_opt_t nOptionsAdd
Definition: ssl_private.h:885
SSLDirConfigRec::szCipherSuite
const char * szCipherSuite
Definition: ssl_private.h:887
SSLDirConfigRec::nOptions
ssl_opt_t nOptions
Definition: ssl_private.h:884
SSLDirConfigRec::nRenegBufferSize
apr_size_t nRenegBufferSize
Definition: ssl_private.h:891
SSLDirConfigRec::nVerifyDepth
int nVerifyDepth
Definition: ssl_private.h:889
SSLDirConfigRec::proxy_enabled
BOOL proxy_enabled
Definition: ssl_private.h:894
SSLDirConfigRec::proxy_post_config
BOOL proxy_post_config
Definition: ssl_private.h:895
SSLDirConfigRec::aRequirement
apr_array_header_t * aRequirement
Definition: ssl_private.h:883
SSLDirConfigRec::nOptionsDel
ssl_opt_t nOptionsDel
Definition: ssl_private.h:886
SSLDirConfigRec::proxy
modssl_ctx_t * proxy
Definition: ssl_private.h:893
SSLDirConfigRec::szUserName
const char * szUserName
Definition: ssl_private.h:890
SSLModConfigRec
Definition: ssl_private.h:677
SSLModConfigRec::aRandSeed
apr_array_header_t * aRandSeed
Definition: ssl_private.h:695
SSLModConfigRec::szCryptoDevice
const char * szCryptoDevice
Definition: ssl_private.h:698
SSLModConfigRec::pid
pid_t pid
Definition: ssl_private.h:694
SSLModConfigRec::sesscache_context
ap_socache_instance_t * sesscache_context
Definition: ssl_private.h:689
SSLModConfigRec::pMutex
apr_global_mutex_t * pMutex
Definition: ssl_private.h:691
SSLModConfigRec::bFixed
BOOL bFixed
Definition: ssl_private.h:678
SSLModConfigRec::retained
modssl_retained_data_t * retained
Definition: ssl_private.h:684
SSLModConfigRec::sesscache_mode
long sesscache_mode
Definition: ssl_private.h:681
SSLModConfigRec::sesscache
const ap_socache_provider_t * sesscache
Definition: ssl_private.h:688
SSLSrvConfigRec
Definition: ssl_private.h:858
SSLSrvConfigRec::vhost_id
const char * vhost_id
Definition: ssl_private.h:861
SSLSrvConfigRec::vhost_md5
const unsigned char * vhost_md5
Definition: ssl_private.h:862
SSLSrvConfigRec::mc
SSLModConfigRec * mc
Definition: ssl_private.h:859
SSLSrvConfigRec::clienthello_vars
BOOL clienthello_vars
Definition: ssl_private.h:873
SSLSrvConfigRec::server
modssl_ctx_t * server
Definition: ssl_private.h:865
SSLSrvConfigRec::enabled
ssl_enabled_t enabled
Definition: ssl_private.h:860
SSLSrvConfigRec::cipher_server_pref
BOOL cipher_server_pref
Definition: ssl_private.h:864
SSLSrvConfigRec::session_tickets
BOOL session_tickets
Definition: ssl_private.h:872
SSLSrvConfigRec::compression
BOOL compression
Definition: ssl_private.h:870
SSLSrvConfigRec::session_cache_timeout
int session_cache_timeout
Definition: ssl_private.h:863
ap_expr_info_t
Definition: ap_expr.h:41
ap_socache_provider_t
Definition: ap_socache.h:89
apr_array_header_t
Definition: apr_tables.h:62
apr_file_t
Definition: apr_arch_file_io.h:107
apr_global_mutex_t
Definition: apr_arch_global_mutex.h:23
apr_uri_t
Definition: apr_uri.h:85
authz_provider
Definition: mod_auth.h:141
cmd_parms_struct
Definition: http_config.h:288
conn_rec
Structure to store things which are per connection.
Definition: httpd.h:1200
modssl_auth_ctx_t
Definition: ssl_private.h:748
modssl_auth_ctx_t::verify_mode
ssl_verify_t verify_mode
Definition: ssl_private.h:757
modssl_auth_ctx_t::cipher_suite
const char * cipher_suite
Definition: ssl_private.h:753
modssl_auth_ctx_t::ca_cert_file
const char * ca_cert_file
Definition: ssl_private.h:751
modssl_auth_ctx_t::verify_depth
int verify_depth
Definition: ssl_private.h:756
modssl_auth_ctx_t::ca_cert_path
const char * ca_cert_path
Definition: ssl_private.h:750
modssl_auth_ctx_t::tls13_ciphers
const char * tls13_ciphers
Definition: ssl_private.h:762
modssl_ctx_t
Definition: ssl_private.h:785
modssl_ctx_t::ocsp_resp_maxage
long ocsp_resp_maxage
Definition: ssl_private.h:837
modssl_ctx_t::crl_check_mask
int crl_check_mask
Definition: ssl_private.h:809
modssl_ctx_t::pphrase_dialog_type
ssl_pphrase_t pphrase_dialog_type
Definition: ssl_private.h:801
modssl_ctx_t::ocsp_force_default
BOOL ocsp_force_default
Definition: ssl_private.h:833
modssl_ctx_t::ocsp_responder
const char * ocsp_responder
Definition: ssl_private.h:835
modssl_ctx_t::ocsp_mask
int ocsp_mask
Definition: ssl_private.h:832
modssl_ctx_t::protocol
ssl_proto_t protocol
Definition: ssl_private.h:797
modssl_ctx_t::sc
SSLSrvConfigRec * sc
Definition: ssl_private.h:786
modssl_ctx_t::auth
modssl_auth_ctx_t auth
Definition: ssl_private.h:830
modssl_ctx_t::ssl_ctx
SSL_CTX * ssl_ctx
Definition: ssl_private.h:787
modssl_ctx_t::ocsp_resptime_skew
long ocsp_resptime_skew
Definition: ssl_private.h:836
modssl_ctx_t::ssl_check_peer_name
BOOL ssl_check_peer_name
Definition: ssl_private.h:854
modssl_ctx_t::protocol_set
int protocol_set
Definition: ssl_private.h:798
modssl_ctx_t::crl_path
const char * crl_path
Definition: ssl_private.h:807
modssl_ctx_t::STACK_OF
STACK_OF(X509) *ocsp_certs
modssl_ctx_t::ssl_check_peer_cn
BOOL ssl_check_peer_cn
Definition: ssl_private.h:853
modssl_ctx_t::ocsp_verify_flags
int ocsp_verify_flags
Definition: ssl_private.h:844
modssl_ctx_t::ocsp_use_request_nonce
BOOL ocsp_use_request_nonce
Definition: ssl_private.h:839
modssl_ctx_t::pphrase_dialog_path
const char * pphrase_dialog_path
Definition: ssl_private.h:802
modssl_ctx_t::ocsp_noverify
BOOL ocsp_noverify
Definition: ssl_private.h:842
modssl_ctx_t::ocsp_certs_file
const char * ocsp_certs_file
Definition: ssl_private.h:845
modssl_ctx_t::pkp
modssl_pk_proxy_t * pkp
Definition: ssl_private.h:791
modssl_ctx_t::pks
modssl_pk_server_t * pks
Definition: ssl_private.h:790
modssl_ctx_t::ssl_check_peer_expire
BOOL ssl_check_peer_expire
Definition: ssl_private.h:855
modssl_ctx_t::crl_file
const char * crl_file
Definition: ssl_private.h:808
modssl_ctx_t::cert_chain
const char * cert_chain
Definition: ssl_private.h:804
modssl_ctx_t::ocsp_responder_timeout
apr_interval_time_t ocsp_responder_timeout
Definition: ssl_private.h:838
modssl_ctx_t::proxy_uri
apr_uri_t * proxy_uri
Definition: ssl_private.h:840
modssl_pk_proxy_t
Definition: ssl_private.h:733
modssl_pk_proxy_t::cert_file
const char * cert_file
Definition: ssl_private.h:735
modssl_pk_proxy_t::ca_cert_file
const char * ca_cert_file
Definition: ssl_private.h:737
modssl_pk_proxy_t::STACK_OF
STACK_OF(X509_INFO) *certs
modssl_pk_proxy_t::cert_path
const char * cert_path
Definition: ssl_private.h:736
modssl_pk_proxy_t::STACK_OF
STACK_OF(X509) **ca_certs
modssl_pk_server_t
Definition: ssl_private.h:719
modssl_pk_server_t::key_files
apr_array_header_t * key_files
Definition: ssl_private.h:722
modssl_pk_server_t::cert_files
apr_array_header_t * cert_files
Definition: ssl_private.h:721
modssl_pk_server_t::service_unavailable
int service_unavailable
Definition: ssl_private.h:730
modssl_pk_server_t::ca_name_path
const char * ca_name_path
Definition: ssl_private.h:726
modssl_pk_server_t::ca_name_file
const char * ca_name_file
Definition: ssl_private.h:727
modssl_retained_data_t
Definition: ssl_private.h:658
modssl_retained_data_t::key_ids
apr_hash_t * key_ids
Definition: ssl_private.h:666
modssl_retained_data_t::privkeys
apr_hash_t * privkeys
Definition: ssl_private.h:672
module_struct
Definition: http_config.h:348
request_rec
A structure that represents the current request.
Definition: httpd.h:863
server_rec
A structure to store information for each virtual server.
Definition: httpd.h:1398
ssl_asn1_t
Definition: ssl_private.h:555
ssl_asn1_t::source_mtime
apr_time_t source_mtime
Definition: ssl_private.h:558
ssl_asn1_t::nData
long int nData
Definition: ssl_private.h:556
ssl_asn1_t::cpData
unsigned char * cpData
Definition: ssl_private.h:557
ssl_randseed_t
Definition: ssl_private.h:545
ssl_randseed_t::cpPath
char * cpPath
Definition: ssl_private.h:548
ssl_randseed_t::nBytes
int nBytes
Definition: ssl_private.h:549
ssl_randseed_t::nSrc
ssl_rssrc_t nSrc
Definition: ssl_private.h:547
ssl_randseed_t::nCtx
ssl_rsctx_t nCtx
Definition: ssl_private.h:546
ssl_require_t
Definition: ssl_private.h:527
ssl_require_t::cpExpr
const char * cpExpr
Definition: ssl_private.h:528
ssl_require_t::mpExpr
ap_expr_info_t * mpExpr
Definition: ssl_private.h:529
p
apr_pool_t * p
util_ebcdic.h
Utilities for EBCDIC conversion.
util_filter.h
Apache filter library.
util_mutex.h
Apache Mutex support library.
util_script.h
Apache script tools.