Apache2
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ssl_private.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SSL_PRIVATE_H
18 #define SSL_PRIVATE_H
19 
30 #include "ap_config.h"
31 #include "httpd.h"
32 #include "http_config.h"
33 #include "http_core.h"
34 #include "http_log.h"
35 #include "http_main.h"
36 #include "http_connection.h"
37 #include "http_request.h"
38 #include "http_protocol.h"
39 #include "http_vhost.h"
40 #include "util_script.h"
41 #include "util_filter.h"
42 #include "util_ebcdic.h"
43 #include "util_mutex.h"
44 #include "apr.h"
45 #include "apr_strings.h"
46 #define APR_WANT_STRFUNC
47 #define APR_WANT_MEMFUNC
48 #include "apr_want.h"
49 #include "apr_tables.h"
50 #include "apr_lib.h"
51 #include "apr_fnmatch.h"
52 #include "apr_strings.h"
53 #include "apr_global_mutex.h"
54 #include "apr_optional.h"
55 #include "ap_socache.h"
56 #include "mod_auth.h"
57 
58 /* The #ifdef macros are only defined AFTER including the above
59  * therefore we cannot include these system files at the top :-(
60  */
61 #if APR_HAVE_STDLIB_H
62 #include <stdlib.h>
63 #endif
64 #if APR_HAVE_SYS_TIME_H
65 #include <sys/time.h>
66 #endif
67 #if APR_HAVE_UNISTD_H
68 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
69 #endif
70 
71 #ifndef FALSE
72 #define FALSE 0
73 #endif
74 
75 #ifndef TRUE
76 #define TRUE !FALSE
77 #endif
78 
79 #ifndef BOOL
80 #define BOOL unsigned int
81 #endif
82 
83 #include "ap_expr.h"
84 
85 /* OpenSSL headers */
86 #include <openssl/opensslv.h>
87 #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
88 /* must be defined before including ssl.h */
89 #define OPENSSL_NO_SSL_INTERN
90 #endif
91 #if OPENSSL_VERSION_NUMBER >= 0x30000000
92 #include <openssl/core_names.h>
93 #endif
94 #include <openssl/ssl.h>
95 #include <openssl/err.h>
96 #include <openssl/x509.h>
97 #include <openssl/pem.h>
98 #include <openssl/crypto.h>
99 #include <openssl/evp.h>
100 #include <openssl/rand.h>
101 #include <openssl/x509v3.h>
102 #include <openssl/x509_vfy.h>
103 #include <openssl/ocsp.h>
104 
105 /* Avoid tripping over an engine build installed globally and detected
106  * when the user points at an explicit non-engine flavor of OpenSSL
107  */
108 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
109 #include <openssl/engine.h>
110 #endif
111 
112 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
113 #error mod_ssl requires OpenSSL 0.9.8a or later
114 #endif
115 
122 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
123 #define MODSSL_SSL_CIPHER_CONST const
124 #define MODSSL_SSL_METHOD_CONST const
125 #else
126 #define MODSSL_SSL_CIPHER_CONST
127 #define MODSSL_SSL_METHOD_CONST
128 #endif
129 
130 #if defined(LIBRESSL_VERSION_NUMBER)
131 /* Missing from LibreSSL */
132 #if LIBRESSL_VERSION_NUMBER < 0x2060000f
133 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
134 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
135 #define SSL_CTX_set_min_proto_version(ctx, version) \
136  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
137 #define SSL_CTX_set_max_proto_version(ctx, version) \
138  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
139 #elif LIBRESSL_VERSION_NUMBER < 0x2070000f
140 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
141  * include most changes from OpenSSL >= 1.1 (new functions, macros,
142  * deprecations, ...), so we have to work around this...
143  */
144 #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
145 #endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
146 #else /* defined(LIBRESSL_VERSION_NUMBER) */
147 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
148 #endif
149 
150 #if OPENSSL_VERSION_NUMBER < 0x10101000
151 #define MODSSL_USE_SSLRAND
152 #endif
153 
154 #if defined(OPENSSL_FIPS)
155 #define HAVE_FIPS
156 #endif
157 
158 #if defined(SSL_OP_NO_TLSv1_2)
159 #define HAVE_TLSV1_X
160 #endif
161 
162 #if defined(SSL_CONF_FLAG_FILE)
163 #define HAVE_SSL_CONF_CMD
164 #endif
165 
166 /* session id constness */
167 #if MODSSL_USE_OPENSSL_PRE_1_1_API
168 #define IDCONST
169 #else
170 #define IDCONST const
171 #endif
172 
177 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
178 
179 #define HAVE_TLSEXT
180 
181 /* ECC: make sure we have at least 1.0.0 */
182 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
183 #define HAVE_ECC
184 #endif
185 
186 /* OCSP stapling */
187 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
188 #define HAVE_OCSP_STAPLING
189 /* All exist but are no longer macros since OpenSSL 1.1.0 */
190 #if OPENSSL_VERSION_NUMBER < 0x10100000L
191 /* backward compatibility with OpenSSL < 1.0 */
192 #ifndef sk_OPENSSL_STRING_num
193 #define sk_OPENSSL_STRING_num sk_num
194 #endif
195 #ifndef sk_OPENSSL_STRING_value
196 #define sk_OPENSSL_STRING_value sk_value
197 #endif
198 #ifndef sk_OPENSSL_STRING_pop
199 #define sk_OPENSSL_STRING_pop sk_pop
200 #endif
201 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
202 #endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
203 
204 /* TLS session tickets */
205 #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
206 #define HAVE_TLS_SESSION_TICKETS
207 #define TLSEXT_TICKET_KEY_LEN 48
208 #ifndef tlsext_tick_md
209 #ifdef OPENSSL_NO_SHA256
210 #define tlsext_tick_md EVP_sha1
211 #else
212 #define tlsext_tick_md EVP_sha256
213 #endif
214 #endif
215 #endif
216 
217 /* Secure Remote Password */
218 #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
219 #define HAVE_SRP
220 #include <openssl/srp.h>
221 #endif
222 
223 /* ALPN Protocol Negotiation */
224 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
225 #define HAVE_TLS_ALPN
226 #endif
227 
228 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
229 
230 #if MODSSL_USE_OPENSSL_PRE_1_1_API
231 #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
232 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
233 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
234 #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
235 #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
236 #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
237 #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
238 #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
239 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
240 #define BIO_set_init(x,v) (x->init=v)
241 #define BIO_get_data(x) (x->ptr)
242 #define BIO_set_data(x,v) (x->ptr=v)
243 #endif
244 #define BIO_get_shutdown(x) (x->shutdown)
245 #define BIO_set_shutdown(x,v) (x->shutdown=v)
246 #define DH_bits(x) (BN_num_bits(x->p))
247 #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509))
248 #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_X509_PKEY))
249 #else
250 void init_bio_methods(void);
251 void free_bio_methods(void);
252 #endif
253 
254 #if OPENSSL_VERSION_NUMBER < 0x10002000L || \
255  (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
256 #define X509_STORE_CTX_get0_store(x) (x->ctx)
257 #endif
258 
259 #if OPENSSL_VERSION_NUMBER < 0x10000000L
260 #ifndef X509_STORE_CTX_get0_current_issuer
261 #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
262 #endif
263 #endif
264 
265 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
266 #define HAVE_OPENSSL_KEYLOG
267 #endif
268 
269 /* mod_ssl headers */
270 #include "ssl_util_ssl.h"
271 
272 APLOG_USE_MODULE(ssl);
273 
274 /*
275  * Provide reasonable default for some defines
276  */
277 #ifndef UNSET
278 #define UNSET (-1)
279 #endif
280 #ifndef NUL
281 #define NUL '\0'
282 #endif
283 #ifndef RAND_MAX
284 #include <limits.h>
285 #define RAND_MAX INT_MAX
286 #endif
287 
291 #ifndef UCHAR
292 #define UCHAR unsigned char
293 #endif
294 
298 #define strEQ(s1,s2) (strcmp(s1,s2) == 0)
299 #define strNE(s1,s2) (strcmp(s1,s2) != 0)
300 #define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
301 #define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
302 
303 #define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
304 #define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
305 #define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
306 #define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
307 
308 #define strIsEmpty(s) (s == NULL || s[0] == NUL)
309 
310 #define myConnConfig(c) \
311  ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module))
312 #define myConnConfigSet(c, val) \
313  ap_set_module_config(c->conn_config, &ssl_module, val)
314 #define mySrvConfig(srv) \
315  ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
316 #define myDirConfig(req) \
317  ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
318 #define myCtxConfig(sslconn, sc) \
319  (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
320 #define myModConfig(srv) mySrvConfig((srv))->mc
321 #define mySrvFromConn(c) myConnConfig(c)->server
322 #define myDirConfigFromConn(c) myConnConfig(c)->dc
323 #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
324 #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
325 
329 #ifndef SSL_SESSION_CACHE_TIMEOUT
330 #define SSL_SESSION_CACHE_TIMEOUT 300
331 #endif
332 
333 /* Default setting for per-dir reneg buffer. */
334 #ifndef DEFAULT_RENEG_BUFFER_SIZE
335 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
336 #endif
337 
338 /* Default for OCSP response validity */
339 #ifndef DEFAULT_OCSP_MAX_SKEW
340 #define DEFAULT_OCSP_MAX_SKEW (60 * 5)
341 #endif
342 
343 /* Default timeout for OCSP queries */
344 #ifndef DEFAULT_OCSP_TIMEOUT
345 #define DEFAULT_OCSP_TIMEOUT 10
346 #endif
347 
351 #define SSL_OPT_NONE (0)
352 #define SSL_OPT_RELSET (1<<0)
353 #define SSL_OPT_STDENVVARS (1<<1)
354 #define SSL_OPT_EXPORTCERTDATA (1<<3)
355 #define SSL_OPT_FAKEBASICAUTH (1<<4)
356 #define SSL_OPT_STRICTREQUIRE (1<<5)
357 #define SSL_OPT_OPTRENEGOTIATE (1<<6)
358 #define SSL_OPT_LEGACYDNFORMAT (1<<7)
359 typedef int ssl_opt_t;
360 
364 #define SSL_PROTOCOL_NONE (0)
365 #ifndef OPENSSL_NO_SSL3
366 #define SSL_PROTOCOL_SSLV3 (1<<1)
367 #endif
368 #define SSL_PROTOCOL_TLSV1 (1<<2)
369 #ifndef OPENSSL_NO_SSL3
370 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
371 #else
372 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
373 #endif
374 #ifdef HAVE_TLSV1_X
375 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
376 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
377 #define SSL_PROTOCOL_TLSV1_3 (1<<5)
378 
379 #ifdef SSL_OP_NO_TLSv1_3
380 #define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
381 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
382  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
383 #else
384 #define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
385 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
386  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
387 #endif
388 #else
389 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
390 #endif
391 #ifndef OPENSSL_NO_SSL3
392 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
393 #else
394 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
395 #endif
396 typedef int ssl_proto_t;
397 
401 typedef enum {
407 } ssl_verify_t;
408 
409 #define SSL_VERIFY_PEER_STRICT \
410  (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
411 
412 #define ssl_verify_error_is_optional(errnum) \
413  ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
414  || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
415  || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
416  || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
417  || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
418 
422 typedef enum {
424  SSL_CRLCHECK_LEAF = (1 << 0),
425  SSL_CRLCHECK_CHAIN = (1 << 1),
426 
427 #define SSL_CRLCHECK_FLAGS (~0x3)
430 
434 typedef enum {
436  SSL_OCSPCHECK_LEAF = (1 << 0),
440 
444 typedef enum {
449 } ssl_pphrase_t;
450 
454 #define SSL_PCM_EXISTS 1
455 #define SSL_PCM_ISREG 2
456 #define SSL_PCM_ISDIR 4
457 #define SSL_PCM_ISNONZERO 8
458 typedef unsigned int ssl_pathcheck_t;
459 
463 typedef enum {
468 } ssl_enabled_t;
469 
473 typedef struct {
474  const char *cpExpr;
476 } ssl_require_t;
477 
481 typedef enum {
484 } ssl_rsctx_t;
485 typedef enum {
490 } ssl_rssrc_t;
491 typedef struct {
494  char *cpPath;
495  int nBytes;
497 
501 typedef struct {
502  long int nData;
503  unsigned char *cpData;
505 } ssl_asn1_t;
506 
507 typedef enum {
508  RENEG_INIT = 0, /* Before initial handshake */
509  RENEG_REJECT, /* After initial handshake; any client-initiated
510  * renegotiation should be rejected */
511  RENEG_ALLOW, /* A server-initiated renegotiation is taking
512  * place (as dictated by configuration) */
513  RENEG_ABORT /* Renegotiation initiated by client, abort the
514  * connection */
516 
524 
525 typedef enum {
531 
532 typedef struct {
533  SSL *ssl;
534  const char *client_dn;
535  X509 *client_cert;
537  const char *verify_info;
538  const char *verify_error;
540  int is_proxy;
541  int disabled;
542  enum {
543  NON_SSL_OK = 0, /* is SSL request, or error handling completed */
544  NON_SSL_SEND_REQLINE, /* Need to send the fake request line */
545  NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
546  NON_SSL_SET_ERROR_MSG /* Need to set the error message */
547  } non_ssl_request;
548 
549 #ifndef SSL_OP_NO_RENEGOTIATION
550  /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
551  * for the connection to block client-initiated renegotiations.
552  * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
553  * the SSL * options state with equivalent effect. */
555 #endif
556 
559 
560  const char *cipher_suite; /* cipher suite used in last reneg */
561  int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
562  int vhost_found; /* whether we found vhost from SNI already */
563 } SSLConnRec;
564 
565 /* Private keys are retained across reloads, since decryption
566  * passphrases can only be entered during startup (before detaching
567  * from a terminal). This structure is stored via the ap_retained_*
568  * API and retrieved on later module reloads. If the structure
569  * changes, the key name must be changed by increasing the digit at
570  * the end, to avoid an updated version of mod_ssl loading retained
571  * data with a different struct definition.
572  *
573  * All objects used here must be allocated from the process pool
574  * (s->process->pool) so they also survives restarts. */
575 #define MODSSL_RETAINED_KEY "mod_ssl-retained-1"
576 
577 typedef struct {
578  /* A hash table of vhost key-IDs used to index the privkeys hash,
579  * for example the string "vhost.example.com:443:0". For each
580  * (key, value) pair the value is the same as the key, allowing
581  * the keys to be retrieved on subsequent reloads rather than
582  * rellocated. ### This optimisation seems to be of dubious
583  * value. Allocating the vhost-key-ids from pconf and duping them
584  * when storing them in ->privkeys would be simpler. */
586 
587  /* A hash table of pointers to ssl_asn1_t structures. The
588  * structures are used to store private keys in raw DER format
589  * (serialized OpenSSL PrivateKey structures). The table is
590  * indexed by key-IDs from the key_ids hash table. */
592 
593  /* Do NOT add fields here without changing the key name, as above. */
595 
596 typedef struct {
598 
599  /* OpenSSL SSL_SESS_CACHE_* flags: */
601 
602  /* Data retained across reloads. */
604 
605  /* The configured provider, and associated private data
606  * structure. */
609 
611 
612 #ifdef MODSSL_USE_SSLRAND
613  pid_t pid; /* used for seeding after fork() */
615 #endif
616 
617 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
618  const char *szCryptoDevice;
619 #endif
620 
621 #ifdef HAVE_OCSP_STAPLING
622  const ap_socache_provider_t *stapling_cache;
623  ap_socache_instance_t *stapling_cache_context;
624  apr_global_mutex_t *stapling_cache_mutex;
625  apr_global_mutex_t *stapling_refresh_mutex;
626 #endif
627 
628 #ifdef HAVE_OPENSSL_KEYLOG
629  /* Used for logging if SSLKEYLOGFILE is set at startup. */
630  apr_file_t *keylog_file;
631 #endif
632 
633 #ifdef HAVE_FIPS
634  BOOL fips;
635 #endif
637 
640 typedef struct {
641  /* Lists of configured certs and keys for this server */
644 
647  const char *ca_name_path;
648  const char *ca_name_file;
649 
650  /* TLS service for this server is suspended */
653 
654 typedef struct {
656  const char *cert_file;
657  const char *cert_path;
658  const char *ca_cert_file;
659  STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
660  STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
661  * each item in certs.
662  * (ptr to array of ptrs) */
664 
666 typedef struct {
668  const char *ca_cert_path;
669  const char *ca_cert_file;
670 
671  const char *cipher_suite;
672 
676 
680  const char *tls13_ciphers;
682 
683 #ifdef HAVE_TLS_SESSION_TICKETS
684 typedef struct {
685  const char *file_path;
686  unsigned char key_name[16];
687 #if OPENSSL_VERSION_NUMBER < 0x30000000L
688  unsigned char hmac_secret[16];
689 #else
690  OSSL_PARAM mac_params[3];
691 #endif
692  unsigned char aes_key[16];
693 } modssl_ticket_key_t;
694 #endif
695 
696 #ifdef HAVE_SSL_CONF_CMD
697 typedef struct {
698  const char *name;
699  const char *value;
700 } ssl_ctx_param_t;
701 #endif
702 
703 typedef struct {
705  SSL_CTX *ssl_ctx;
706 
710 
711 #ifdef HAVE_TLS_SESSION_TICKETS
712  modssl_ticket_key_t *ticket_key;
713 #endif
714 
717 
720  const char *pphrase_dialog_path;
721 
722  const char *cert_chain;
723 
725  const char *crl_path;
726  const char *crl_file;
728 
729 #ifdef HAVE_OCSP_STAPLING
730 
731  BOOL stapling_enabled;
732  long stapling_resptime_skew;
733  long stapling_resp_maxage;
734  int stapling_cache_timeout;
735  BOOL stapling_return_errors;
736  BOOL stapling_fake_trylater;
737  int stapling_errcache_timeout;
738  apr_interval_time_t stapling_responder_timeout;
739  const char *stapling_force_url;
740 #endif
741 
742 #ifdef HAVE_SRP
743  char *srp_vfile;
744  char *srp_unknown_user_seed;
745  SRP_VBASE *srp_vbase;
746 #endif
747 
749 
751  BOOL ocsp_force_default; /* true if the default responder URL is
752  * used regardless of per-cert URL */
753  const char *ocsp_responder; /* default responder URL */
759 
760  BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
761  /* Declare variables for using OCSP Responder Certs for OCSP verification */
762  int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
763  const char *ocsp_certs_file; /* OCSP other certificates filename */
764  STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
765 
766 #ifdef HAVE_SSL_CONF_CMD
767  SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
768  apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
769 #endif
770 
774 } modssl_ctx_t;
775 
779  const char *vhost_id;
780  const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
785 #ifdef HAVE_TLSEXT
786  ssl_enabled_t strict_sni_vhost_check;
787 #endif
788 #ifndef OPENSSL_NO_COMP
790 #endif
792 
793 };
794 
806  const char *szCipherSuite;
809  const char *szUserName;
811 
815 };
816 
818 
825 
830 void *ssl_config_server_merge(apr_pool_t *, void *, void *);
831 void *ssl_config_perdir_create(apr_pool_t *, char *);
832 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
835 const char *ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *);
836 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
837 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
838 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
839 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
840 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
841 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
842 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
843 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
844 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
845 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
846 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
847 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
848 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
849 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
850 const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
851 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
852 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
853 const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
854 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
855 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
856 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
857 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
858 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
859 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
860 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
861 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
862 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
863 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
864 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
865 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
866 
867 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
868 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
869 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
870 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
871 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
872 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
873 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
874 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
875 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
876 const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
877 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
878 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
879 const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
880 #ifdef HAVE_TLS_SESSION_TICKETS
881 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
882 #endif
883 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
884 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
885 const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);
886 
887 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
888 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
889 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
890 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
891 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
892 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
893 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
894 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
895 
896 /* Declare OCSP Responder Certificate Verification Directive */
897 const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
898 /* Declare OCSP Responder Certificate File Directive */
899 const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
900 
901 #ifdef HAVE_SSL_CONF_CMD
902 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
903 #endif
904 
905 #ifdef HAVE_SRP
906 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
907 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
908 #endif
909 
910 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
911 
919  apr_pool_t *ptemp, server_rec *s,
920  ap_conf_vector_t *section_config);
921 STACK_OF(X509_NAME)
922  *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
925 
933 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
934 
938 
940 DH *ssl_callback_TmpDH(SSL *, int, int);
941 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
942 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
943 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
944 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
945 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
946 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
947 void ssl_callback_Info(const SSL *, int, int);
948 #ifdef HAVE_TLSEXT
949 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
950 #endif
951 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
952 int ssl_callback_ClientHello(SSL *, int *, void *);
953 #endif
954 #ifdef HAVE_TLS_SESSION_TICKETS
955 int ssl_callback_SessionTicket(SSL *ssl,
956  unsigned char *keyname,
957  unsigned char *iv,
958  EVP_CIPHER_CTX *cipher_ctx,
959 #if OPENSSL_VERSION_NUMBER < 0x30000000L
960  HMAC_CTX *hmac_ctx,
961 #else
962  EVP_MAC_CTX *mac_ctx,
963 #endif
964  int mode);
965 #endif
966 
967 #ifdef HAVE_TLS_ALPN
968 int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
969  unsigned char *outlen, const unsigned char *in,
970  unsigned int inlen, void *arg);
971 #endif
972 
978  apr_time_t, SSL_SESSION *, apr_pool_t *);
979 SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
981  apr_pool_t *);
982 
984 #ifdef HAVE_OCSP_STAPLING
985 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
986 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
987 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
988 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
989 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
990 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
991 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
992 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
993 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
994 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
995 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
996 void ssl_stapling_certinfo_hash_init(apr_pool_t *);
997 int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
998  modssl_ctx_t *, X509 *);
999 #endif
1000 #ifdef HAVE_SRP
1001 int ssl_callback_SRPServerParams(SSL *, int *, void *);
1002 #endif
1003 
1004 #ifdef HAVE_OPENSSL_KEYLOG
1005 /* Callback used with SSL_CTX_set_keylog_callback. */
1006 void modssl_callback_keylog(const SSL *ssl, const char *line);
1007 #endif
1008 
1010 void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
1012 long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
1013 
1014 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
1015  * to allow an SSL renegotiation to take place. */
1017 
1018 #ifdef MODSSL_USE_SSLRAND
1019 
1020 void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
1021 #else
1022 #define ssl_rand_seed(s, p, ctx, c) /* noop */
1023 #endif
1024 
1027 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
1028  const char * const *);
1030 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
1031  const char * const *);
1032 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
1033 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
1036 #endif
1038 
1039 BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
1040 
1043  const char *, apr_array_header_t **);
1044 
1045 /* Load public and/or private key from the configured ENGINE. Private
1046  * key returned as *pkey. certid can be NULL, in which case *pubkey
1047  * is not altered. Errors logged on failure. */
1049  const char *vhostid,
1050  const char *certid, const char *keyid,
1051  X509 **pubkey, EVP_PKEY **privkey);
1052 
1054 DH *ssl_dh_GetParamFromFile(const char *);
1055 #ifdef HAVE_ECC
1056 EC_GROUP *ssl_ec_GetParamFromFile(const char *);
1057 #endif
1058 
1059 /* Store the EVP_PKEY key (serialized into DER) in the hash table with
1060  * key, returning the ssl_asn1_t structure pointer. */
1061 ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
1062  EVP_PKEY *pkey);
1063 /* Retrieve the ssl_asn1_t structure with given key from the hash. */
1064 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
1065 
1069 int ssl_mutex_on(server_rec *);
1070 int ssl_mutex_off(server_rec *);
1071 
1073 
1074 /* mutex type names for Mutex directive */
1075 #define SSL_CACHE_MUTEX_TYPE "ssl-cache"
1076 #define SSL_STAPLING_CACHE_MUTEX_TYPE "ssl-stapling"
1077 #define SSL_STAPLING_REFRESH_MUTEX_TYPE "ssl-stapling-refresh"
1078 
1080 
1082 void ssl_log_ssl_error(const char *, int, int, server_rec *);
1083 
1084 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
1085  * respective ap_log_*error functions and take a certificate as an
1086  * additional argument (whose details are appended to the log message).
1087  * The other arguments are interpreted exactly as with their ap_log_*error
1088  * counterparts. */
1089 void ssl_log_xerror(const char *file, int line, int level,
1091  X509 *cert, const char *format, ...)
1092  __attribute__((format(printf,8,9)));
1093 
1094 void ssl_log_cxerror(const char *file, int line, int level,
1095  apr_status_t rv, conn_rec *c, X509 *cert,
1096  const char *format, ...)
1097  __attribute__((format(printf,7,8)));
1098 
1099 void ssl_log_rxerror(const char *file, int line, int level,
1100  apr_status_t rv, request_rec *r, X509 *cert,
1101  const char *format, ...)
1102  __attribute__((format(printf,7,8)));
1103 
1104 #define SSLLOG_MARK __FILE__,__LINE__
1105 
1108 /* Register variables for the lifetime of the process pool 'p'. */
1109 void ssl_var_register(apr_pool_t *p);
1110 
1111 /* Matches optional function of the same name in the public API. The
1112  * pool in which to allocate the return value must be non-NULL; c
1113  * and/or r may be NULL. */
1114 const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
1115  const char *name)
1117 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
1118 
1120 
1121 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
1122  * allocating from 'p': */
1123 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1124 
1125 /* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
1126  * from SSL object 'ssl', allocating from 'p'. */
1128 
1129 #ifndef OPENSSL_NO_OCSP
1130 /* Perform OCSP validation of the current cert in the given context.
1131  * Returns non-zero on success or zero on failure. On failure, the
1132  * context error code is set. */
1133 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
1134  server_rec *s, conn_rec *c, apr_pool_t *pool);
1135 
1136 /* OCSP helper interface; dispatches the given OCSP request to the
1137  * responder at the given URI. Returns the decoded OCSP response
1138  * object, or NULL on error (in which case, errors will have been
1139  * logged). Pool 'p' is used for temporary allocations. */
1140 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
1141  apr_interval_time_t timeout,
1142  OCSP_REQUEST *request,
1143  conn_rec *c, apr_pool_t *p);
1144 
1145 /* Initialize OCSP trusted certificate list */
1147 
1148 #endif
1149 
1150 /* Retrieve DH parameters for given key length. Return value should
1151  * be treated as unmutable, since it is stored in process-global
1152  * memory. */
1153 DH *modssl_get_dh_params(unsigned keylen);
1154 
1155 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
1156  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
1157  * corresponding SSLConnRec structure for the connection. */
1158 int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
1159 
1160 /* Returns non-zero if the cert/key filename should be handled through
1161  * the configured ENGINE. */
1162 int modssl_is_engine_id(const char *name);
1163 
1164 #if HAVE_VALGRIND
1165 extern int ssl_running_on_valgrind;
1166 #endif
1167 
1168 int ssl_is_challenge(conn_rec *c, const char *servername,
1169  X509 **pcert, EVP_PKEY **pkey);
1170 
1171 /* Set the renegotation state for connection. */
1173 
1174 #endif /* SSL_PRIVATE_H */
1175 
Definition: ssl_private.h:486
const char * ssl_cmd_SSLRequire(cmd_parms *, void *, const char *)
Definition: ap_socache.h:89
ssl_rsctx_t nCtx
Definition: ssl_private.h:492
Definition: ssl_private.h:406
Definition: ssl_private.h:428
ssl_proto_t protocol
Definition: ssl_private.h:715
size_t apr_size_t
Definition: apr.h:397
const char * ca_name_path
Definition: ssl_private.h:647
Definition: ssl_private.h:446
const char * cpExpr
Definition: ssl_private.h:474
Definition: ssl_private.h:404
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, const char *vhostid, const char *certid, const char *keyid, X509 **pubkey, EVP_PKEY **privkey)
Definition: ssl_private.h:425
const char * ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *)
void ssl_init_Child(apr_pool_t *, server_rec *)
Definition: ssl_private.h:654
server_rec * server
Definition: ssl_private.h:557
apr_array_header_t * aRandSeed
Definition: ssl_private.h:614
SSL_SESSION * ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
int ssl_hook_Upgrade(request_rec *)
int verify_depth
Definition: ssl_private.h:539
int is_proxy
Definition: ssl_private.h:540
DH * ssl_dh_GetParamFromFile(const char *)
Apache Configuration.
const unsigned char * vhost_md5
Definition: ssl_private.h:780
const char * ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *)
const char * ocsp_responder
Definition: ssl_private.h:753
int ssl_callback_SSLVerify(int, X509_STORE_CTX *)
const char * ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *)
modssl_ctx_t * proxy
Definition: ssl_private.h:812
#define IDCONST
Definition: ssl_private.h:168
Definition: ssl_private.h:424
const char * ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *)
ssl_opt_t nOptions
Definition: ssl_private.h:803
const char * ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *)
Definition: apr_arch_file_io.h:107
const char * ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
Definition: apr_tables.h:62
module AP_MODULE_DECLARE_DATA ssl_module
const char * ca_cert_file
Definition: ssl_private.h:658
ssl_enabled_t enabled
Definition: ssl_private.h:778
const ap_socache_provider_t * sesscache
Definition: ssl_private.h:607
Definition: ap_expr.h:41
Definition: ssl_private.h:464
const char * ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
void * ssl_config_perdir_merge(apr_pool_t *, void *, void *)
int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey)
apr_size_t nRenegBufferSize
Definition: ssl_private.h:810
Definition: ssl_private.h:577
Definition: ssl_private.h:448
Definition: ssl_private.h:437
ap_socache_instance_t * sesscache_context
Definition: ssl_private.h:608
const char * ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *)
const char * cert_chain
Definition: ssl_private.h:722
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:552
ssl_verify_t nVerifyClient
Definition: ssl_private.h:807
long ssl_io_data_cb(BIO *, int, const char *, int, long, long)
void ssl_config_global_fix(SSLModConfigRec *)
long ocsp_resp_maxage
Definition: ssl_private.h:755
BOOL insecure_reneg
Definition: ssl_private.h:783
const char * ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
ssl_verify_t verify_mode
Definition: ssl_private.h:675
const char * ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *)
long int nData
Definition: ssl_private.h:502
const dav_resource dav_lockdb dav_lock * request
Definition: mod_dav.h:1332
const char * ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag)
const char * ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
BOOL compression
Definition: ssl_private.h:789
BOOL proxy_post_config
Definition: ssl_private.h:814
const char * ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
const char * verify_info
Definition: ssl_private.h:537
SSLSrvConfigRec * sc
Definition: ssl_private.h:704
apr_status_t ssl_die(server_rec *)
int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn)
Definition: ssl_private.h:445
void ssl_var_register(apr_pool_t *p)
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *)
SSL * ssl
Definition: ssl_private.h:533
const char * ocsp_certs_file
Definition: ssl_private.h:763
void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *)
const char * ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT
APR Standard Headers Support.
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, apr_array_header_t *)
const char * crl_path
Definition: ssl_private.h:725
modssl_ctx_t * server
Definition: ssl_private.h:784
CORE HTTP Daemon.
ssl_asn1_t * ssl_asn1_table_get(apr_hash_t *table, const char *key)
ssl_shutdown_type_e shutdown_type
Definition: ssl_private.h:536
int nVerifyDepth
Definition: ssl_private.h:808
Apache connection library.
const char * ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *)
int ssl_hook_Auth(request_rec *)
Utilities for EBCDIC conversion.
const char * ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *)
const char * szCipherSuite
Definition: ssl_private.h:806
apr_array_header_t * key_files
Definition: ssl_private.h:643
const char const char * uri
Definition: mod_dav.h:614
Definition: mod_auth.h:104
const char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name) AP_FN_ATTR_NONNULL((1
Definition: ssl_private.h:489
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *)
const char * ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *)
const char * ca_name_file
Definition: ssl_private.h:648
Definition: ssl_private.h:800
apr_int64_t apr_interval_time_t
Definition: apr_time.h:55
void void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, conn_rec *c, X509 *cert, const char *format,...) __attribute__((format(printf
BOOL ocsp_noverify
Definition: ssl_private.h:760
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
int modssl_is_engine_id(const char *name)
Structure to store things which are per connection.
Definition: httpd.h:1137
Definition: ssl_private.h:487
modssl_reneg_state reneg_state
Definition: ssl_private.h:554
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, server_rec *s, conn_rec *c, apr_pool_t *pool)
APLOG_USE_MODULE(ssl)
const char * ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
Virtual Host package.
APR-UTIL registration of functions exported by modules.
const char * ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *)
modssl_pk_proxy_t * pkp
Definition: ssl_private.h:709
const char * cert_file
Definition: ssl_private.h:656
int verify_depth
Definition: ssl_private.h:674
Symbol export macros and hook functions.
const char * ssl_cmd_SSLOptions(cmd_parms *, void *, const char *)
Definition: ssl_private.h:509
Definition: ssl_private.h:405
ssl_rssrc_t
Definition: ssl_private.h:485
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *)
apr_file_t * ssl_util_ppopen(server_rec *, apr_pool_t *, const char *, const char *const *)
Definition: ssl_private.h:403
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
apr_global_mutex_t * pMutex
Definition: ssl_private.h:610
Definition: ssl_private.h:483
Definition: apr_arch_global_mutex.h:23
Definition: ssl_private.h:527
const char * ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *)
void * ssl_config_perdir_create(apr_pool_t *, char *)
const char * ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *)
BOOL proxy_enabled
Definition: ssl_private.h:813
Apache Logging library.
const char * ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *)
Definition: http_config.h:295
Apache script tools.
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, const char *, apr_array_header_t **)
apr_int64_t apr_time_t
Definition: apr_time.h:45
const char * ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *)
Expression parser.
Command line options.
void ssl_util_thread_setup(apr_pool_t *)
ssl_enabled_t
Definition: ssl_private.h:463
APR Global Locking Routines.
Definition: ssl_private.h:526
ssl_rssrc_t nSrc
Definition: ssl_private.h:493
void ssl_config_proxy_merge(apr_pool_t *, SSLDirConfigRec *, SSLDirConfigRec *)
apr_array_header_t * aRequirement
Definition: ssl_private.h:802
HTTP Daemon routines.
const char * cipher_suite
Definition: ssl_private.h:560
modssl_auth_ctx_t auth
Definition: ssl_private.h:748
Definition: ssl_private.h:465
int ssl_opt_t
Definition: ssl_private.h:359
Definition: ssl_private.h:666
const char * ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *)
int ocsp_verify_flags
Definition: ssl_private.h:762
ssl_shutdown_type_e
Definition: ssl_private.h:525
modssl_pk_server_t * pks
Definition: ssl_private.h:708
SSLModConfigRec * mc
Definition: ssl_private.h:777
A structure to store information for each virtual server.
Definition: httpd.h:1324
const char * ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ca_cert_file
Definition: ssl_private.h:669
const char * ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *)
int protocol_set
Definition: ssl_private.h:716
Definition: ssl_private.h:529
const char * ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
Definition: ssl_private.h:640
BOOL session_tickets
Definition: ssl_private.h:791
void ssl_var_log_config_register(apr_pool_t *p)
const char * ssl_cmd_SSLEngine(cmd_parms *, void *, const char *)
int service_unavailable
Definition: ssl_private.h:561
int nBytes
Definition: ssl_private.h:495
void ssl_util_thread_id_setup(apr_pool_t *)
const char * verify_error
Definition: ssl_private.h:538
const char * tls13_ciphers
Definition: ssl_private.h:680
const char * ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *)
int ssl_hook_Access(request_rec *)
BOOL bFixed
Definition: ssl_private.h:597
int ssl_hook_Fixup(request_rec *)
APR Table library.
Definition: ssl_private.h:544
pid_t pid
Definition: ssl_private.h:613
Small object cache provider interface.
char * cpPath
Definition: ssl_private.h:494
modssl_retained_data_t * retained
Definition: ssl_private.h:603
const char * ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
Definition: ssl_private.h:482
Definition: ssl_private.h:436
ssl_verify_t
Definition: ssl_private.h:401
DH * ssl_callback_TmpDH(SSL *, int, int)
APR FNMatch Functions.
const char * ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *)
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *)
Definition: ssl_private.h:488
X509 * client_cert
Definition: ssl_private.h:535
APR Platform Definitions.
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
Definition: ssl_private.h:703
const authz_provider ssl_authz_provider_verify_client
void ssl_callback_Info(const SSL *, int, int)
apr_uri_t * proxy_uri
Definition: ssl_private.h:758
APR general purpose library routines.
const char * ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *)
SSLDirConfigRec * dc
Definition: ssl_private.h:558
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
const char * ssl_cmd_SSLRequireSSL(cmd_parms *, void *)
#define BOOL
Definition: ssl_private.h:80
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
Authentication and Authorization Extension for Apache.
const char * ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *)
BOOL cipher_server_pref
Definition: ssl_private.h:782
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
const char * pphrase_dialog_path
Definition: ssl_private.h:720
apr_hash_t * privkeys
Definition: ssl_private.h:591
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
HTTP protocol handling.
BOOL ssl_config_global_isfixed(SSLModConfigRec *)
int disabled
Definition: ssl_private.h:541
const char * szUserName
Definition: ssl_private.h:809
apr_time_t source_mtime
Definition: ssl_private.h:504
Definition: apr_uri.h:85
Definition: ssl_private.h:545
void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
Definition: ssl_private.h:513
const char * ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *)
char * ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, const char *const *)
const char * ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
Definition: ssl_private.h:438
apr_pool_t * p
apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *)
int ssl_proto_t
Definition: ssl_private.h:396
const char * ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
ssl_opt_t nOptionsDel
Definition: ssl_private.h:805
* ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *)
ssl_crlcheck_t
Definition: ssl_private.h:422
Apache Mutex support library.
const char * ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
long ocsp_resptime_skew
Definition: ssl_private.h:754
ssl_asn1_t * ssl_asn1_table_set(apr_hash_t *table, const char *key, EVP_PKEY *pkey)
void ssl_io_filter_register(apr_pool_t *)
void * ssl_config_server_create(apr_pool_t *, server_rec *)
const char * ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg)
#define SSL_CRLCHECK_FLAGS
Definition: ssl_private.h:427
#define AP_MODULE_DECLARE_DATA
Definition: macros.h:16
Definition: ssl_private.h:528
Definition: ssl_private.h:501
int ssl_mutex_init(server_rec *, apr_pool_t *)
SSLSrvConfigRec * ssl_policy_lookup(apr_pool_t *pool, const char *name)
const char * client_dn
Definition: ssl_private.h:534
apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *)
const char * ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)
unsigned char * cpData
Definition: ssl_private.h:503
const char * ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *)
#define UCHAR
Definition: ssl_private.h:292
Apache Request library.
A structure that represents the current request.
Definition: httpd.h:819
apr_array_header_t * cert_files
Definition: ssl_private.h:642
void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
Definition: ssl_private.h:466
const char * cert_path
Definition: ssl_private.h:657
Apache filter library.
long sesscache_mode
Definition: ssl_private.h:600
apr_interval_time_t ocsp_responder_timeout
Definition: ssl_private.h:756
Definition: ssl_private.h:776
APR Strings library.
int ssl_mutex_off(server_rec *)
apr_status_t ssl_init_ModuleKill(void *data)
int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
ap_expr_info_t * mpExpr
Definition: ssl_private.h:475
BOOL ocsp_force_default
Definition: ssl_private.h:751
const char * ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
apr_hash_t * key_ids
Definition: ssl_private.h:585
BOOL ssl_check_peer_name
Definition: ssl_private.h:772
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
Definition: ssl_private.h:596
const char * ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *)
void ssl_scache_status_register(apr_pool_t *p)
apr_array_header_t * ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension)
struct apr_table_t apr_table_t
Definition: apr_tables.h:56
BOOL ssl_check_peer_expire
Definition: ssl_private.h:773
#define __attribute__(__x)
Definition: apr.h:63
const char * name
Definition: mod_dav.h:726
int service_unavailable
Definition: ssl_private.h:651
Definition: ssl_private.h:423
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
const char * vhost_id
Definition: ssl_private.h:779
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
const char * ca_cert_path
Definition: ssl_private.h:668
Definition: http_config.h:355
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *)
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *)
const char * ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *)
BOOL ssl_check_peer_cn
Definition: ssl_private.h:771
int apr_status_t
Definition: apr_errno.h:44
ssl_opt_t nOptionsAdd
Definition: ssl_private.h:804
const authz_provider ssl_authz_provider_require_ssl
request_rec * r
Definition: mod_dav.h:515
ssl_ocspcheck_t
Definition: ssl_private.h:434
BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, apr_time_t, SSL_SESSION *, apr_pool_t *)
int ssl_hook_ReadReq(request_rec *)
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s, X509 *cert, const char *format,...) __attribute__((format(printf
const char * ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *)
void void void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, request_rec *r, X509 *cert, const char *format,...) __attribute__((format(printf
void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
SSL_CTX * ssl_ctx
Definition: ssl_private.h:705
void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *)
SSL_SESSION * ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *)
int crl_check_mask
Definition: ssl_private.h:727
const char * ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *)
Additional Utility Functions for OpenSSL.
void ssl_scache_kill(server_rec *)
const char * ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *)
Definition: ssl_private.h:447
Definition: ssl_private.h:511
struct ap_conf_vector_t ap_conf_vector_t
Definition: http_config.h:519
Definition: ssl_private.h:467
Definition: ssl_private.h:435
const char * ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *)
const char * crl_file
Definition: ssl_private.h:726
modssl_reneg_state
Definition: ssl_private.h:507
const char * ssl_cmd_SSLUserName(cmd_parms *, void *, const char *)
const char AP_FN_ATTR_WARN_UNUSED_RESULT
Definition: ssl_private.h:1116
void ssl_log_ssl_error(const char *, int, int, server_rec *)
Definition: ssl_private.h:508
const char * cipher_suite
Definition: ssl_private.h:671
int ssl_hook_UserCheck(request_rec *)
int vhost_found
Definition: ssl_private.h:562
void * ssl_config_server_merge(apr_pool_t *, void *, void *)
int ssl_mutex_on(server_rec *)
unsigned int ssl_pathcheck_t
Definition: ssl_private.h:458
int ssl_mutex_reinit(server_rec *, apr_pool_t *)
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
int ocsp_mask
Definition: ssl_private.h:750
DH * modssl_get_dh_params(unsigned keylen)
ssl_pphrase_t
Definition: ssl_private.h:444
int session_cache_timeout
Definition: ssl_private.h:781
Definition: ssl_private.h:473
BOOL ocsp_use_request_nonce
Definition: ssl_private.h:757
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *)
Definition: ssl_private.h:491
ssl_rsctx_t
Definition: ssl_private.h:481
const char * ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
#define UNSET
Definition: ssl_private.h:278
BOOL bSSLRequired
Definition: ssl_private.h:801
ssl_pphrase_t pphrase_dialog_type
Definition: ssl_private.h:719
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
Definition: ssl_private.h:402
#define STACK_OF(x)
Definition: macros.h:26
struct ap_socache_instance_t ap_socache_instance_t
Definition: ap_socache.h:49
Definition: ssl_private.h:532
const char * ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)