Apache2
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ssl_private.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SSL_PRIVATE_H
18 #define SSL_PRIVATE_H
19 
30 #include "ap_config.h"
31 #include "httpd.h"
32 #include "http_config.h"
33 #include "http_core.h"
34 #include "http_log.h"
35 #include "http_main.h"
36 #include "http_connection.h"
37 #include "http_request.h"
38 #include "http_protocol.h"
39 #include "http_vhost.h"
40 #include "util_script.h"
41 #include "util_filter.h"
42 #include "util_ebcdic.h"
43 #include "util_mutex.h"
44 #include "apr.h"
45 #include "apr_strings.h"
46 #define APR_WANT_STRFUNC
47 #define APR_WANT_MEMFUNC
48 #include "apr_want.h"
49 #include "apr_tables.h"
50 #include "apr_lib.h"
51 #include "apr_fnmatch.h"
52 #include "apr_strings.h"
53 #include "apr_global_mutex.h"
54 #include "apr_optional.h"
55 #include "ap_socache.h"
56 #include "mod_auth.h"
57 
58 /* The #ifdef macros are only defined AFTER including the above
59  * therefore we cannot include these system files at the top :-(
60  */
61 #if APR_HAVE_STDLIB_H
62 #include <stdlib.h>
63 #endif
64 #if APR_HAVE_SYS_TIME_H
65 #include <sys/time.h>
66 #endif
67 #if APR_HAVE_UNISTD_H
68 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
69 #endif
70 
71 #ifndef FALSE
72 #define FALSE 0
73 #endif
74 
75 #ifndef TRUE
76 #define TRUE !FALSE
77 #endif
78 
79 #ifndef BOOL
80 #define BOOL unsigned int
81 #endif
82 
83 #include "ap_expr.h"
84 
85 /* OpenSSL headers */
86 #include <openssl/opensslv.h>
87 #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
88 /* must be defined before including ssl.h */
89 #define OPENSSL_NO_SSL_INTERN
90 #endif
91 #if OPENSSL_VERSION_NUMBER >= 0x30000000
92 #include <openssl/core_names.h>
93 #endif
94 #include <openssl/ssl.h>
95 #include <openssl/err.h>
96 #include <openssl/x509.h>
97 #include <openssl/pem.h>
98 #include <openssl/crypto.h>
99 #include <openssl/evp.h>
100 #include <openssl/rand.h>
101 #include <openssl/x509v3.h>
102 #include <openssl/x509_vfy.h>
103 #include <openssl/ocsp.h>
104 
105 /* Avoid tripping over an engine build installed globally and detected
106  * when the user points at an explicit non-engine flavor of OpenSSL
107  */
108 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
109 #include <openssl/engine.h>
110 #endif
111 
112 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
113 #error mod_ssl requires OpenSSL 0.9.8a or later
114 #endif
115 
122 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
123 #define MODSSL_SSL_CIPHER_CONST const
124 #define MODSSL_SSL_METHOD_CONST const
125 #else
126 #define MODSSL_SSL_CIPHER_CONST
127 #define MODSSL_SSL_METHOD_CONST
128 #endif
129 
130 #if defined(LIBRESSL_VERSION_NUMBER)
131 /* Missing from LibreSSL */
132 #if LIBRESSL_VERSION_NUMBER < 0x2060000f
133 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
134 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
135 #define SSL_CTX_set_min_proto_version(ctx, version) \
136  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
137 #define SSL_CTX_set_max_proto_version(ctx, version) \
138  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
139 #elif LIBRESSL_VERSION_NUMBER < 0x2070000f
140 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
141  * include most changes from OpenSSL >= 1.1 (new functions, macros,
142  * deprecations, ...), so we have to work around this...
143  */
144 #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
145 #endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
146 #else /* defined(LIBRESSL_VERSION_NUMBER) */
147 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
148 #endif
149 
150 #if OPENSSL_VERSION_NUMBER < 0x10101000
151 #define MODSSL_USE_SSLRAND
152 #endif
153 
154 #if defined(OPENSSL_FIPS)
155 #define HAVE_FIPS
156 #endif
157 
158 #if defined(SSL_OP_NO_TLSv1_2)
159 #define HAVE_TLSV1_X
160 #endif
161 
162 #if defined(SSL_CONF_FLAG_FILE)
163 #define HAVE_SSL_CONF_CMD
164 #endif
165 
166 /* session id constness */
167 #if MODSSL_USE_OPENSSL_PRE_1_1_API
168 #define IDCONST
169 #else
170 #define IDCONST const
171 #endif
172 
177 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
178 
179 #define HAVE_TLSEXT
180 
181 /* ECC: make sure we have at least 1.0.0 */
182 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
183 #define HAVE_ECC
184 #endif
185 
186 /* OCSP stapling */
187 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
188 #define HAVE_OCSP_STAPLING
189 /* All exist but are no longer macros since OpenSSL 1.1.0 */
190 #if OPENSSL_VERSION_NUMBER < 0x10100000L
191 /* backward compatibility with OpenSSL < 1.0 */
192 #ifndef sk_OPENSSL_STRING_num
193 #define sk_OPENSSL_STRING_num sk_num
194 #endif
195 #ifndef sk_OPENSSL_STRING_value
196 #define sk_OPENSSL_STRING_value sk_value
197 #endif
198 #ifndef sk_OPENSSL_STRING_pop
199 #define sk_OPENSSL_STRING_pop sk_pop
200 #endif
201 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
202 #endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
203 
204 /* TLS session tickets */
205 #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
206 #define HAVE_TLS_SESSION_TICKETS
207 #define TLSEXT_TICKET_KEY_LEN 48
208 #ifndef tlsext_tick_md
209 #ifdef OPENSSL_NO_SHA256
210 #define tlsext_tick_md EVP_sha1
211 #else
212 #define tlsext_tick_md EVP_sha256
213 #endif
214 #endif
215 #endif
216 
217 /* Secure Remote Password */
218 #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
219 #define HAVE_SRP
220 #include <openssl/srp.h>
221 #endif
222 
223 /* ALPN Protocol Negotiation */
224 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
225 #define HAVE_TLS_ALPN
226 #endif
227 
228 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
229 
230 #if MODSSL_USE_OPENSSL_PRE_1_1_API
231 #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
232 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
233 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
234 #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
235 #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
236 #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
237 #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
238 #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
239 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
240 #define BIO_set_init(x,v) (x->init=v)
241 #define BIO_get_data(x) (x->ptr)
242 #define BIO_set_data(x,v) (x->ptr=v)
243 #endif
244 #define BIO_get_shutdown(x) (x->shutdown)
245 #define BIO_set_shutdown(x,v) (x->shutdown=v)
246 #define DH_bits(x) (BN_num_bits(x->p))
247 #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509))
248 #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_X509_PKEY))
249 #else
250 void init_bio_methods(void);
251 void free_bio_methods(void);
252 #endif
253 
254 #if OPENSSL_VERSION_NUMBER < 0x10002000L || \
255  (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
256 #define X509_STORE_CTX_get0_store(x) (x->ctx)
257 #endif
258 
259 #if OPENSSL_VERSION_NUMBER < 0x10000000L
260 #ifndef X509_STORE_CTX_get0_current_issuer
261 #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
262 #endif
263 #endif
264 
265 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
266 #define HAVE_OPENSSL_KEYLOG
267 #endif
268 
269 /* mod_ssl headers */
270 #include "ssl_util_ssl.h"
271 
272 APLOG_USE_MODULE(ssl);
273 
274 /*
275  * Provide reasonable default for some defines
276  */
277 #ifndef UNSET
278 #define UNSET (-1)
279 #endif
280 #ifndef NUL
281 #define NUL '\0'
282 #endif
283 #ifndef RAND_MAX
284 #include <limits.h>
285 #define RAND_MAX INT_MAX
286 #endif
287 
291 #ifndef UCHAR
292 #define UCHAR unsigned char
293 #endif
294 
298 #define strEQ(s1,s2) (strcmp(s1,s2) == 0)
299 #define strNE(s1,s2) (strcmp(s1,s2) != 0)
300 #define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
301 #define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
302 
303 #define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
304 #define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
305 #define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
306 #define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
307 
308 #define strIsEmpty(s) (s == NULL || s[0] == NUL)
309 
310 #define myConnConfig(c) \
311  ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module))
312 #define myConnConfigSet(c, val) \
313  ap_set_module_config(c->conn_config, &ssl_module, val)
314 #define mySrvConfig(srv) \
315  ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
316 #define myDirConfig(req) \
317  ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
318 #define myCtxConfig(sslconn, sc) \
319  (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
320 #define myModConfig(srv) mySrvConfig((srv))->mc
321 #define mySrvFromConn(c) myConnConfig(c)->server
322 #define myDirConfigFromConn(c) myConnConfig(c)->dc
323 #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
324 #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
325 
329 #ifndef SSL_SESSION_CACHE_TIMEOUT
330 #define SSL_SESSION_CACHE_TIMEOUT 300
331 #endif
332 
333 /* Default setting for per-dir reneg buffer. */
334 #ifndef DEFAULT_RENEG_BUFFER_SIZE
335 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
336 #endif
337 
338 /* Default for OCSP response validity */
339 #ifndef DEFAULT_OCSP_MAX_SKEW
340 #define DEFAULT_OCSP_MAX_SKEW (60 * 5)
341 #endif
342 
343 /* Default timeout for OCSP queries */
344 #ifndef DEFAULT_OCSP_TIMEOUT
345 #define DEFAULT_OCSP_TIMEOUT 10
346 #endif
347 
351 #define SSL_OPT_NONE (0)
352 #define SSL_OPT_RELSET (1<<0)
353 #define SSL_OPT_STDENVVARS (1<<1)
354 #define SSL_OPT_EXPORTCERTDATA (1<<3)
355 #define SSL_OPT_FAKEBASICAUTH (1<<4)
356 #define SSL_OPT_STRICTREQUIRE (1<<5)
357 #define SSL_OPT_OPTRENEGOTIATE (1<<6)
358 #define SSL_OPT_LEGACYDNFORMAT (1<<7)
359 typedef int ssl_opt_t;
360 
364 #define SSL_PROTOCOL_NONE (0)
365 #ifndef OPENSSL_NO_SSL3
366 #define SSL_PROTOCOL_SSLV3 (1<<1)
367 #endif
368 #define SSL_PROTOCOL_TLSV1 (1<<2)
369 #ifndef OPENSSL_NO_SSL3
370 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
371 #else
372 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
373 #endif
374 #ifdef HAVE_TLSV1_X
375 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
376 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
377 #define SSL_PROTOCOL_TLSV1_3 (1<<5)
378 
379 #ifdef SSL_OP_NO_TLSv1_3
380 #define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
381 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
382  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
383 #else
384 #define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
385 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
386  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
387 #endif
388 #else
389 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
390 #endif
391 #ifndef OPENSSL_NO_SSL3
392 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
393 #else
394 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
395 #endif
396 typedef int ssl_proto_t;
397 
401 typedef enum {
402  SSL_CVERIFY_UNSET = UNSET,
403  SSL_CVERIFY_NONE = 0,
404  SSL_CVERIFY_OPTIONAL = 1,
405  SSL_CVERIFY_REQUIRE = 2,
406  SSL_CVERIFY_OPTIONAL_NO_CA = 3
407 } ssl_verify_t;
408 
409 #define SSL_VERIFY_PEER_STRICT \
410  (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
411 
412 #define ssl_verify_error_is_optional(errnum) \
413  ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
414  || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
415  || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
416  || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
417  || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
418 
422 typedef enum {
423  SSL_CRLCHECK_NONE = (0),
424  SSL_CRLCHECK_LEAF = (1 << 0),
425  SSL_CRLCHECK_CHAIN = (1 << 1),
426 
427 #define SSL_CRLCHECK_FLAGS (~0x3)
428  SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
429 } ssl_crlcheck_t;
430 
434 typedef enum {
435  SSL_OCSPCHECK_NONE = (0),
436  SSL_OCSPCHECK_LEAF = (1 << 0),
437  SSL_OCSPCHECK_CHAIN = (1 << 1),
438  SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
439 } ssl_ocspcheck_t;
440 
444 typedef enum {
445  SSL_PPTYPE_UNSET = UNSET,
446  SSL_PPTYPE_BUILTIN = 0,
447  SSL_PPTYPE_FILTER = 1,
448  SSL_PPTYPE_PIPE = 2
449 } ssl_pphrase_t;
450 
454 #define SSL_PCM_EXISTS 1
455 #define SSL_PCM_ISREG 2
456 #define SSL_PCM_ISDIR 4
457 #define SSL_PCM_ISNONZERO 8
458 typedef unsigned int ssl_pathcheck_t;
459 
463 typedef enum {
464  SSL_ENABLED_UNSET = UNSET,
465  SSL_ENABLED_FALSE = 0,
466  SSL_ENABLED_TRUE = 1,
467  SSL_ENABLED_OPTIONAL = 3
468 } ssl_enabled_t;
469 
473 typedef struct {
474  const char *cpExpr;
475  ap_expr_info_t *mpExpr;
476 } ssl_require_t;
477 
481 typedef enum {
482  SSL_RSCTX_STARTUP = 1,
483  SSL_RSCTX_CONNECT = 2
484 } ssl_rsctx_t;
485 typedef enum {
486  SSL_RSSRC_BUILTIN = 1,
487  SSL_RSSRC_FILE = 2,
488  SSL_RSSRC_EXEC = 3,
489  SSL_RSSRC_EGD = 4
490 } ssl_rssrc_t;
491 typedef struct {
492  ssl_rsctx_t nCtx;
493  ssl_rssrc_t nSrc;
494  char *cpPath;
495  int nBytes;
496 } ssl_randseed_t;
497 
501 typedef struct {
502  long int nData;
503  unsigned char *cpData;
504  apr_time_t source_mtime;
505 } ssl_asn1_t;
506 
507 typedef enum {
508  RENEG_INIT = 0, /* Before initial handshake */
509  RENEG_REJECT, /* After initial handshake; any client-initiated
510  * renegotiation should be rejected */
511  RENEG_ALLOW, /* A server-initiated renegotiation is taking
512  * place (as dictated by configuration) */
513  RENEG_ABORT /* Renegotiation initiated by client, abort the
514  * connection */
515 } modssl_reneg_state;
516 
522 typedef struct SSLSrvConfigRec SSLSrvConfigRec;
523 typedef struct SSLDirConfigRec SSLDirConfigRec;
524 
525 typedef enum {
526  SSL_SHUTDOWN_TYPE_UNSET,
527  SSL_SHUTDOWN_TYPE_STANDARD,
528  SSL_SHUTDOWN_TYPE_UNCLEAN,
529  SSL_SHUTDOWN_TYPE_ACCURATE
530 } ssl_shutdown_type_e;
531 
532 typedef struct {
533  SSL *ssl;
534  const char *client_dn;
535  X509 *client_cert;
536  ssl_shutdown_type_e shutdown_type;
537  const char *verify_info;
538  const char *verify_error;
539  int verify_depth;
540  int is_proxy;
541  int disabled;
542  enum {
543  NON_SSL_OK = 0, /* is SSL request, or error handling completed */
544  NON_SSL_SEND_REQLINE, /* Need to send the fake request line */
545  NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
546  NON_SSL_SET_ERROR_MSG /* Need to set the error message */
547  } non_ssl_request;
548 
549 #ifndef SSL_OP_NO_RENEGOTIATION
550  /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
551  * for the connection to block client-initiated renegotiations.
552  * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
553  * the SSL * options state with equivalent effect. */
554  modssl_reneg_state reneg_state;
555 #endif
556 
557  server_rec *server;
558  SSLDirConfigRec *dc;
559 
560  const char *cipher_suite; /* cipher suite used in last reneg */
561  int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
562  int vhost_found; /* whether we found vhost from SNI already */
563 } SSLConnRec;
564 
565 /* Private keys are retained across reloads, since decryption
566  * passphrases can only be entered during startup (before detaching
567  * from a terminal). This structure is stored via the ap_retained_*
568  * API and retrieved on later module reloads. If the structure
569  * changes, the key name must be changed by increasing the digit at
570  * the end, to avoid an updated version of mod_ssl loading retained
571  * data with a different struct definition.
572  *
573  * All objects used here must be allocated from the process pool
574  * (s->process->pool) so they also survives restarts. */
575 #define MODSSL_RETAINED_KEY "mod_ssl-retained-1"
576 
577 typedef struct {
578  /* A hash table of vhost key-IDs used to index the privkeys hash,
579  * for example the string "vhost.example.com:443:0". For each
580  * (key, value) pair the value is the same as the key, allowing
581  * the keys to be retrieved on subsequent reloads rather than
582  * rellocated. ### This optimisation seems to be of dubious
583  * value. Allocating the vhost-key-ids from pconf and duping them
584  * when storing them in ->privkeys would be simpler. */
585  apr_hash_t *key_ids;
586 
587  /* A hash table of pointers to ssl_asn1_t structures. The
588  * structures are used to store private keys in raw DER format
589  * (serialized OpenSSL PrivateKey structures). The table is
590  * indexed by key-IDs from the key_ids hash table. */
591  apr_hash_t *privkeys;
592 
593  /* Do NOT add fields here without changing the key name, as above. */
594 } modssl_retained_data_t;
595 
596 typedef struct {
597  BOOL bFixed;
598 
599  /* OpenSSL SSL_SESS_CACHE_* flags: */
600  long sesscache_mode;
601 
602  /* Data retained across reloads. */
603  modssl_retained_data_t *retained;
604 
605  /* The configured provider, and associated private data
606  * structure. */
607  const ap_socache_provider_t *sesscache;
608  ap_socache_instance_t *sesscache_context;
609 
610  apr_global_mutex_t *pMutex;
611 
612 #ifdef MODSSL_USE_SSLRAND
613  pid_t pid; /* used for seeding after fork() */
614  apr_array_header_t *aRandSeed;
615 #endif
616 
617 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
618  const char *szCryptoDevice;
619 #endif
620 
621 #ifdef HAVE_OCSP_STAPLING
622  const ap_socache_provider_t *stapling_cache;
623  ap_socache_instance_t *stapling_cache_context;
624  apr_global_mutex_t *stapling_cache_mutex;
625  apr_global_mutex_t *stapling_refresh_mutex;
626 #endif
627 
628 #ifdef HAVE_OPENSSL_KEYLOG
629  /* Used for logging if SSLKEYLOGFILE is set at startup. */
630  apr_file_t *keylog_file;
631 #endif
632 
633 #ifdef HAVE_FIPS
634  BOOL fips;
635 #endif
636 } SSLModConfigRec;
637 
640 typedef struct {
641  /* Lists of configured certs and keys for this server */
642  apr_array_header_t *cert_files;
643  apr_array_header_t *key_files;
644 
647  const char *ca_name_path;
648  const char *ca_name_file;
649 
650  /* TLS service for this server is suspended */
651  int service_unavailable;
652 } modssl_pk_server_t;
653 
654 typedef struct {
656  const char *cert_file;
657  const char *cert_path;
658  const char *ca_cert_file;
659  STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
660  STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
661  * each item in certs.
662  * (ptr to array of ptrs) */
663 } modssl_pk_proxy_t;
664 
666 typedef struct {
668  const char *ca_cert_path;
669  const char *ca_cert_file;
670 
671  const char *cipher_suite;
672 
674  int verify_depth;
675  ssl_verify_t verify_mode;
676 
680  const char *tls13_ciphers;
681 } modssl_auth_ctx_t;
682 
683 #ifdef HAVE_TLS_SESSION_TICKETS
684 typedef struct {
685  const char *file_path;
686  unsigned char key_name[16];
687 #if OPENSSL_VERSION_NUMBER < 0x30000000L
688  unsigned char hmac_secret[16];
689 #else
690  OSSL_PARAM mac_params[3];
691 #endif
692  unsigned char aes_key[16];
693 } modssl_ticket_key_t;
694 #endif
695 
696 #ifdef HAVE_SSL_CONF_CMD
697 typedef struct {
698  const char *name;
699  const char *value;
700 } ssl_ctx_param_t;
701 #endif
702 
703 typedef struct {
704  SSLSrvConfigRec *sc;
705  SSL_CTX *ssl_ctx;
706 
708  modssl_pk_server_t *pks;
709  modssl_pk_proxy_t *pkp;
710 
711 #ifdef HAVE_TLS_SESSION_TICKETS
712  modssl_ticket_key_t *ticket_key;
713 #endif
714 
715  ssl_proto_t protocol;
716  int protocol_set;
717 
719  ssl_pphrase_t pphrase_dialog_type;
720  const char *pphrase_dialog_path;
721 
722  const char *cert_chain;
723 
725  const char *crl_path;
726  const char *crl_file;
727  int crl_check_mask;
728 
729 #ifdef HAVE_OCSP_STAPLING
730 
731  BOOL stapling_enabled;
732  long stapling_resptime_skew;
733  long stapling_resp_maxage;
734  int stapling_cache_timeout;
735  BOOL stapling_return_errors;
736  BOOL stapling_fake_trylater;
737  int stapling_errcache_timeout;
738  apr_interval_time_t stapling_responder_timeout;
739  const char *stapling_force_url;
740 #endif
741 
742 #ifdef HAVE_SRP
743  char *srp_vfile;
744  char *srp_unknown_user_seed;
745  SRP_VBASE *srp_vbase;
746 #endif
747 
748  modssl_auth_ctx_t auth;
749 
750  int ocsp_mask;
751  BOOL ocsp_force_default; /* true if the default responder URL is
752  * used regardless of per-cert URL */
753  const char *ocsp_responder; /* default responder URL */
754  long ocsp_resptime_skew;
755  long ocsp_resp_maxage;
756  apr_interval_time_t ocsp_responder_timeout;
757  BOOL ocsp_use_request_nonce;
758  apr_uri_t *proxy_uri;
759 
760  BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
761  /* Declare variables for using OCSP Responder Certs for OCSP verification */
762  int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
763  const char *ocsp_certs_file; /* OCSP other certificates filename */
764  STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
765 
766 #ifdef HAVE_SSL_CONF_CMD
767  SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
768  apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
769 #endif
770 
771  BOOL ssl_check_peer_cn;
772  BOOL ssl_check_peer_name;
773  BOOL ssl_check_peer_expire;
774 } modssl_ctx_t;
775 
776 struct SSLSrvConfigRec {
777  SSLModConfigRec *mc;
778  ssl_enabled_t enabled;
779  const char *vhost_id;
780  const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
781  int session_cache_timeout;
782  BOOL cipher_server_pref;
783  BOOL insecure_reneg;
784  modssl_ctx_t *server;
785 #ifdef HAVE_TLSEXT
786  ssl_enabled_t strict_sni_vhost_check;
787 #endif
788 #ifndef OPENSSL_NO_COMP
789  BOOL compression;
790 #endif
791  BOOL session_tickets;
792 
793 };
794 
800 struct SSLDirConfigRec {
801  BOOL bSSLRequired;
802  apr_array_header_t *aRequirement;
803  ssl_opt_t nOptions;
804  ssl_opt_t nOptionsAdd;
805  ssl_opt_t nOptionsDel;
806  const char *szCipherSuite;
807  ssl_verify_t nVerifyClient;
808  int nVerifyDepth;
809  const char *szUserName;
810  apr_size_t nRenegBufferSize;
811 
812  modssl_ctx_t *proxy;
813  BOOL proxy_enabled;
814  BOOL proxy_post_config;
815 };
816 
817 SSLSrvConfigRec *ssl_policy_lookup(apr_pool_t *pool, const char *name);
818 
824 extern module AP_MODULE_DECLARE_DATA ssl_module;
825 
827 void ssl_config_global_fix(SSLModConfigRec *);
828 BOOL ssl_config_global_isfixed(SSLModConfigRec *);
829 void *ssl_config_server_create(apr_pool_t *, server_rec *);
830 void *ssl_config_server_merge(apr_pool_t *, void *, void *);
831 void *ssl_config_perdir_create(apr_pool_t *, char *);
832 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
833 void ssl_config_proxy_merge(apr_pool_t *,
834  SSLDirConfigRec *, SSLDirConfigRec *);
835 const char *ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *);
836 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
837 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
838 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
839 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
840 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
841 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
842 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
843 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
844 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
845 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
846 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
847 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
848 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
849 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
850 const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
851 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
852 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
853 const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
854 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
855 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
856 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
857 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
858 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
859 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
860 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
861 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
862 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
863 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
864 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
865 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
866 
867 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
868 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
869 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
870 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
871 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
872 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
873 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
874 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
875 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
876 const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
877 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
878 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
879 const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
880 #ifdef HAVE_TLS_SESSION_TICKETS
881 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
882 #endif
883 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
884 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
885 const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);
886 
887 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
888 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
889 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
890 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
891 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
892 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
893 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
894 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
895 
896 /* Declare OCSP Responder Certificate Verification Directive */
897 const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
898 /* Declare OCSP Responder Certificate File Directive */
899 const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
900 
901 #ifdef HAVE_SSL_CONF_CMD
902 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
903 #endif
904 
905 #ifdef HAVE_SRP
906 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
907 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
908 #endif
909 
910 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
911 
913 apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
914 apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
915 apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
916  apr_array_header_t *);
917 apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
918 int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
919  apr_pool_t *ptemp, server_rec *s,
920  ap_conf_vector_t *section_config);
921 STACK_OF(X509_NAME)
922  *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
923 void ssl_init_Child(apr_pool_t *, server_rec *);
924 apr_status_t ssl_init_ModuleKill(void *data);
925 
927 int ssl_hook_Auth(request_rec *);
928 int ssl_hook_UserCheck(request_rec *);
929 int ssl_hook_Access(request_rec *);
930 int ssl_hook_Fixup(request_rec *);
931 int ssl_hook_ReadReq(request_rec *);
932 int ssl_hook_Upgrade(request_rec *);
933 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
934 
936 extern const authz_provider ssl_authz_provider_require_ssl;
937 extern const authz_provider ssl_authz_provider_verify_client;
938 
940 DH *ssl_callback_TmpDH(SSL *, int, int);
941 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
942 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
943 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
944 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
945 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
946 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
947 void ssl_callback_Info(const SSL *, int, int);
948 #ifdef HAVE_TLSEXT
949 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
950 #endif
951 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
952 int ssl_callback_ClientHello(SSL *, int *, void *);
953 #endif
954 #ifdef HAVE_TLS_SESSION_TICKETS
955 int ssl_callback_SessionTicket(SSL *ssl,
956  unsigned char *keyname,
957  unsigned char *iv,
958  EVP_CIPHER_CTX *cipher_ctx,
959 #if OPENSSL_VERSION_NUMBER < 0x30000000L
960  HMAC_CTX *hmac_ctx,
961 #else
962  EVP_MAC_CTX *mac_ctx,
963 #endif
964  int mode);
965 #endif
966 
967 #ifdef HAVE_TLS_ALPN
968 int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
969  unsigned char *outlen, const unsigned char *in,
970  unsigned int inlen, void *arg);
971 #endif
972 
974 apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
975 void ssl_scache_status_register(apr_pool_t *p);
976 void ssl_scache_kill(server_rec *);
977 BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int,
978  apr_time_t, SSL_SESSION *, apr_pool_t *);
979 SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
980 void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int,
981  apr_pool_t *);
982 
984 #ifdef HAVE_OCSP_STAPLING
985 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
986 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
987 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
988 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
989 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
990 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
991 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
992 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
993 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
994 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
995 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
996 void ssl_stapling_certinfo_hash_init(apr_pool_t *);
997 int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
998  modssl_ctx_t *, X509 *);
999 #endif
1000 #ifdef HAVE_SRP
1001 int ssl_callback_SRPServerParams(SSL *, int *, void *);
1002 #endif
1003 
1004 #ifdef HAVE_OPENSSL_KEYLOG
1005 /* Callback used with SSL_CTX_set_keylog_callback. */
1006 void modssl_callback_keylog(const SSL *ssl, const char *line);
1007 #endif
1008 
1010 void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
1011 void ssl_io_filter_register(apr_pool_t *);
1012 long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
1013 
1014 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
1015  * to allow an SSL renegotiation to take place. */
1016 int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
1017 
1018 #ifdef MODSSL_USE_SSLRAND
1019 
1020 void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
1021 #else
1022 #define ssl_rand_seed(s, p, ctx, c) /* noop */
1023 #endif
1024 
1026 char *ssl_util_vhostid(apr_pool_t *, server_rec *);
1027 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
1028  const char * const *);
1029 void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
1030 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
1031  const char * const *);
1032 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
1033 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
1034 void ssl_util_thread_setup(apr_pool_t *);
1035 void ssl_util_thread_id_setup(apr_pool_t *);
1036 #endif
1037 int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
1038 
1039 BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
1040 
1042 apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
1043  const char *, apr_array_header_t **);
1044 
1045 /* Load public and/or private key from the configured ENGINE. Private
1046  * key returned as *pkey. certid can be NULL, in which case *pubkey
1047  * is not altered. Errors logged on failure. */
1048 apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
1049  const char *vhostid,
1050  const char *certid, const char *keyid,
1051  X509 **pubkey, EVP_PKEY **privkey);
1052 
1054 DH *ssl_dh_GetParamFromFile(const char *);
1055 #ifdef HAVE_ECC
1056 EC_GROUP *ssl_ec_GetParamFromFile(const char *);
1057 #endif
1058 
1059 /* Store the EVP_PKEY key (serialized into DER) in the hash table with
1060  * key, returning the ssl_asn1_t structure pointer. */
1061 ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
1062  EVP_PKEY *pkey);
1063 /* Retrieve the ssl_asn1_t structure with given key from the hash. */
1064 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
1065 
1067 int ssl_mutex_init(server_rec *, apr_pool_t *);
1068 int ssl_mutex_reinit(server_rec *, apr_pool_t *);
1069 int ssl_mutex_on(server_rec *);
1070 int ssl_mutex_off(server_rec *);
1071 
1072 int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
1073 
1074 /* mutex type names for Mutex directive */
1075 #define SSL_CACHE_MUTEX_TYPE "ssl-cache"
1076 #define SSL_STAPLING_CACHE_MUTEX_TYPE "ssl-stapling"
1077 #define SSL_STAPLING_REFRESH_MUTEX_TYPE "ssl-stapling-refresh"
1078 
1079 apr_status_t ssl_die(server_rec *);
1080 
1082 void ssl_log_ssl_error(const char *, int, int, server_rec *);
1083 
1084 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
1085  * respective ap_log_*error functions and take a certificate as an
1086  * additional argument (whose details are appended to the log message).
1087  * The other arguments are interpreted exactly as with their ap_log_*error
1088  * counterparts. */
1089 void ssl_log_xerror(const char *file, int line, int level,
1090  apr_status_t rv, apr_pool_t *p, server_rec *s,
1091  X509 *cert, const char *format, ...)
1092  __attribute__((format(printf,8,9)));
1093 
1094 void ssl_log_cxerror(const char *file, int line, int level,
1095  apr_status_t rv, conn_rec *c, X509 *cert,
1096  const char *format, ...)
1097  __attribute__((format(printf,7,8)));
1098 
1099 void ssl_log_rxerror(const char *file, int line, int level,
1100  apr_status_t rv, request_rec *r, X509 *cert,
1101  const char *format, ...)
1102  __attribute__((format(printf,7,8)));
1103 
1104 #define SSLLOG_MARK __FILE__,__LINE__
1105 
1108 /* Register variables for the lifetime of the process pool 'p'. */
1109 void ssl_var_register(apr_pool_t *p);
1110 
1111 /* Matches optional function of the same name in the public API. The
1112  * pool in which to allocate the return value must be non-NULL; c
1113  * and/or r may be NULL. */
1114 const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
1115  const char *name)
1116  AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
1117 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
1118 
1119 void ssl_var_log_config_register(apr_pool_t *p);
1120 
1121 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
1122  * allocating from 'p': */
1123 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1124 
1125 /* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
1126  * from SSL object 'ssl', allocating from 'p'. */
1127 void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1128 
1129 #ifndef OPENSSL_NO_OCSP
1130 /* Perform OCSP validation of the current cert in the given context.
1131  * Returns non-zero on success or zero on failure. On failure, the
1132  * context error code is set. */
1133 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
1134  server_rec *s, conn_rec *c, apr_pool_t *pool);
1135 
1136 /* OCSP helper interface; dispatches the given OCSP request to the
1137  * responder at the given URI. Returns the decoded OCSP response
1138  * object, or NULL on error (in which case, errors will have been
1139  * logged). Pool 'p' is used for temporary allocations. */
1140 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
1141  apr_interval_time_t timeout,
1142  OCSP_REQUEST *request,
1143  conn_rec *c, apr_pool_t *p);
1144 
1145 /* Initialize OCSP trusted certificate list */
1146 void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
1147 
1148 #endif
1149 
1150 /* Retrieve DH parameters for given key length. Return value should
1151  * be treated as unmutable, since it is stored in process-global
1152  * memory. */
1153 DH *modssl_get_dh_params(unsigned keylen);
1154 
1155 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
1156  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
1157  * corresponding SSLConnRec structure for the connection. */
1158 int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
1159 
1160 /* Returns non-zero if the cert/key filename should be handled through
1161  * the configured ENGINE. */
1162 int modssl_is_engine_id(const char *name);
1163 
1164 #if HAVE_VALGRIND
1165 extern int ssl_running_on_valgrind;
1166 #endif
1167 
1168 int ssl_is_challenge(conn_rec *c, const char *servername,
1169  X509 **pcert, EVP_PKEY **pkey);
1170 
1171 /* Set the renegotation state for connection. */
1172 void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
1173 
1174 #endif /* SSL_PRIVATE_H */
1175 
SSL_RSSRC_BUILTIN
Definition: ssl_private.h:486
ssl_cmd_SSLRequire
const char * ssl_cmd_SSLRequire(cmd_parms *, void *, const char *)
ap_socache_provider_t
Definition: ap_socache.h:89
ssl_randseed_t::nCtx
ssl_rsctx_t nCtx
Definition: ssl_private.h:492
SSL_CVERIFY_OPTIONAL_NO_CA
Definition: ssl_private.h:406
SSL_CRLCHECK_NO_CRL_FOR_CERT_OK
Definition: ssl_private.h:428
modssl_ctx_t::protocol
ssl_proto_t protocol
Definition: ssl_private.h:715
apr_size_t
size_t apr_size_t
Definition: apr.h:397
modssl_pk_server_t::ca_name_path
const char * ca_name_path
Definition: ssl_private.h:647
SSL_PPTYPE_BUILTIN
Definition: ssl_private.h:446
ssl_require_t::cpExpr
const char * cpExpr
Definition: ssl_private.h:474
SSL_CVERIFY_OPTIONAL
Definition: ssl_private.h:404
modssl_load_engine_keypair
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, const char *vhostid, const char *certid, const char *keyid, X509 **pubkey, EVP_PKEY **privkey)
SSL_CRLCHECK_CHAIN
Definition: ssl_private.h:425
ssl_cmd_SSLOCSPEnable
const char * ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_cmd_SSLSessionCache
const char * ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *)
ssl_init_Child
void ssl_init_Child(apr_pool_t *, server_rec *)
modssl_pk_proxy_t
Definition: ssl_private.h:654
SSLConnRec::server
server_rec * server
Definition: ssl_private.h:557
SSLModConfigRec::aRandSeed
apr_array_header_t * aRandSeed
Definition: ssl_private.h:614
ssl_scache_retrieve
SSL_SESSION * ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
ssl_hook_Upgrade
int ssl_hook_Upgrade(request_rec *)
SSLConnRec::verify_depth
int verify_depth
Definition: ssl_private.h:539
SSLConnRec::is_proxy
int is_proxy
Definition: ssl_private.h:540
ssl_dh_GetParamFromFile
DH * ssl_dh_GetParamFromFile(const char *)
http_config.h
Apache Configuration.
SSLSrvConfigRec::vhost_md5
const unsigned char * vhost_md5
Definition: ssl_private.h:780
ssl_cmd_SSLProxyProtocol
const char * ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *)
modssl_ctx_t::ocsp_responder
const char * ocsp_responder
Definition: ssl_private.h:753
ssl_callback_SSLVerify
int ssl_callback_SSLVerify(int, X509_STORE_CTX *)
ssl_cmd_SSLCADNRequestFile
const char * ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *)
SSLDirConfigRec::proxy
modssl_ctx_t * proxy
Definition: ssl_private.h:812
IDCONST
#define IDCONST
Definition: ssl_private.h:168
SSL_CRLCHECK_LEAF
Definition: ssl_private.h:424
ssl_cmd_SSLProxyCACertificatePath
const char * ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *)
SSLDirConfigRec::nOptions
ssl_opt_t nOptions
Definition: ssl_private.h:803
ssl_cmd_SSLProxyMachineCertificateFile
const char * ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *)
apr_file_t
Definition: apr_arch_file_io.h:107
ssl_cmd_SSLProxyCheckPeerCN
const char * ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
apr_array_header_t
Definition: apr_tables.h:62
ssl_module
module AP_MODULE_DECLARE_DATA ssl_module
modssl_pk_proxy_t::ca_cert_file
const char * ca_cert_file
Definition: ssl_private.h:658
SSLSrvConfigRec::enabled
ssl_enabled_t enabled
Definition: ssl_private.h:778
SSLModConfigRec::sesscache
const ap_socache_provider_t * sesscache
Definition: ssl_private.h:607
ap_expr_info_t
Definition: ap_expr.h:41
SSL_ENABLED_UNSET
Definition: ssl_private.h:464
ssl_cmd_SSLFIPS
const char * ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
ssl_config_perdir_merge
void * ssl_config_perdir_merge(apr_pool_t *, void *, void *)
ssl_is_challenge
int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey)
SSLDirConfigRec::nRenegBufferSize
apr_size_t nRenegBufferSize
Definition: ssl_private.h:810
modssl_retained_data_t
Definition: ssl_private.h:577
SSL_PPTYPE_PIPE
Definition: ssl_private.h:448
SSL_OCSPCHECK_CHAIN
Definition: ssl_private.h:437
SSLModConfigRec::sesscache_context
ap_socache_instance_t * sesscache_context
Definition: ssl_private.h:608
ssl_cmd_SSLPolicyApply
const char * ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *)
ssl_cmd_SSLCryptoDevice
const char * ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *)
modssl_ctx_t::cert_chain
const char * cert_chain
Definition: ssl_private.h:722
pool
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:552
SSLDirConfigRec::nVerifyClient
ssl_verify_t nVerifyClient
Definition: ssl_private.h:807
ssl_io_data_cb
long ssl_io_data_cb(BIO *, int, const char *, int, long, long)
ssl_config_global_fix
void ssl_config_global_fix(SSLModConfigRec *)
modssl_ctx_t::ocsp_resp_maxage
long ocsp_resp_maxage
Definition: ssl_private.h:755
SSLSrvConfigRec::insecure_reneg
BOOL insecure_reneg
Definition: ssl_private.h:783
ssl_cmd_SSLOCSPNoVerify
const char * ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
modssl_auth_ctx_t::verify_mode
ssl_verify_t verify_mode
Definition: ssl_private.h:675
ssl_cmd_SSLCertificateChainFile
const char * ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *)
ssl_asn1_t::nData
long int nData
Definition: ssl_private.h:502
request
const dav_resource dav_lockdb dav_lock * request
Definition: mod_dav.h:1332
ssl_cmd_SSLSessionTickets
const char * ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag)
ssl_cmd_SSLOCSPResponseTimeSkew
const char * ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
SSLSrvConfigRec::compression
BOOL compression
Definition: ssl_private.h:789
SSLDirConfigRec::proxy_post_config
BOOL proxy_post_config
Definition: ssl_private.h:814
ssl_cmd_SSLHonorCipherOrder
const char * ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
SSLConnRec::verify_info
const char * verify_info
Definition: ssl_private.h:537
modssl_ctx_t::sc
SSLSrvConfigRec * sc
Definition: ssl_private.h:704
ssl_die
apr_status_t ssl_die(server_rec *)
modssl_request_is_tls
int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn)
SSL_PPTYPE_UNSET
Definition: ssl_private.h:445
ssl_var_register
void ssl_var_register(apr_pool_t *p)
ssl_init_Engine
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *)
SSLConnRec::ssl
SSL * ssl
Definition: ssl_private.h:533
modssl_ctx_t::ocsp_certs_file
const char * ocsp_certs_file
Definition: ssl_private.h:763
ssl_util_ppclose
void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *)
ssl_cmd_SSLOCSPResponderTimeout
const char * ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
AP_FN_ATTR_NONNULL
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT
apr_want.h
APR Standard Headers Support.
ssl_init_ConfigureServer
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, apr_array_header_t *)
modssl_ctx_t::crl_path
const char * crl_path
Definition: ssl_private.h:725
SSLSrvConfigRec::server
modssl_ctx_t * server
Definition: ssl_private.h:784
http_core.h
CORE HTTP Daemon.
ssl_asn1_table_get
ssl_asn1_t * ssl_asn1_table_get(apr_hash_t *table, const char *key)
SSLConnRec::shutdown_type
ssl_shutdown_type_e shutdown_type
Definition: ssl_private.h:536
SSLDirConfigRec::nVerifyDepth
int nVerifyDepth
Definition: ssl_private.h:808
http_connection.h
Apache connection library.
ssl_cmd_SSLProxyCipherSuite
const char * ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *)
ssl_hook_Auth
int ssl_hook_Auth(request_rec *)
util_ebcdic.h
Utilities for EBCDIC conversion.
ssl_cmd_SSLProxyVerify
const char * ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *)
SSLDirConfigRec::szCipherSuite
const char * szCipherSuite
Definition: ssl_private.h:806
modssl_pk_server_t::key_files
apr_array_header_t * key_files
Definition: ssl_private.h:643
uri
const char const char * uri
Definition: mod_dav.h:614
authz_provider
Definition: mod_auth.h:104
ssl_var_lookup
const char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name) AP_FN_ATTR_NONNULL((1
SSL_RSSRC_EGD
Definition: ssl_private.h:489
ssl_callback_DelSessionCacheEntry
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *)
ssl_cmd_SSLSessionCacheTimeout
const char * ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *)
modssl_pk_server_t::ca_name_file
const char * ca_name_file
Definition: ssl_private.h:648
SSLDirConfigRec
Definition: ssl_private.h:800
apr_interval_time_t
apr_int64_t apr_interval_time_t
Definition: apr_time.h:55
ssl_log_cxerror
void void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, conn_rec *c, X509 *cert, const char *format,...) __attribute__((format(printf
modssl_ctx_t::ocsp_noverify
BOOL ocsp_noverify
Definition: ssl_private.h:760
modssl_var_extract_dns
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
modssl_is_engine_id
int modssl_is_engine_id(const char *name)
conn_rec
Structure to store things which are per connection.
Definition: httpd.h:1137
SSL_RSSRC_FILE
Definition: ssl_private.h:487
SSLConnRec::reneg_state
modssl_reneg_state reneg_state
Definition: ssl_private.h:554
modssl_verify_ocsp
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, server_rec *s, conn_rec *c, apr_pool_t *pool)
APLOG_USE_MODULE
APLOG_USE_MODULE(ssl)
ssl_cmd_SSLInsecureRenegotiation
const char * ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
http_vhost.h
Virtual Host package.
apr_optional.h
APR-UTIL registration of functions exported by modules.
ssl_cmd_SSLCertificateFile
const char * ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *)
modssl_ctx_t::pkp
modssl_pk_proxy_t * pkp
Definition: ssl_private.h:709
modssl_pk_proxy_t::cert_file
const char * cert_file
Definition: ssl_private.h:656
modssl_auth_ctx_t::verify_depth
int verify_depth
Definition: ssl_private.h:674
ap_config.h
Symbol export macros and hook functions.
ssl_cmd_SSLOptions
const char * ssl_cmd_SSLOptions(cmd_parms *, void *, const char *)
RENEG_REJECT
Definition: ssl_private.h:509
SSL_CVERIFY_REQUIRE
Definition: ssl_private.h:405
ssl_rssrc_t
ssl_rssrc_t
Definition: ssl_private.h:485
ssl_io_filter_init
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *)
ssl_util_ppopen
apr_file_t * ssl_util_ppopen(server_rec *, apr_pool_t *, const char *, const char *const *)
SSL_CVERIFY_NONE
Definition: ssl_private.h:403
ssl_util_vhost_matches
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
SSLModConfigRec::pMutex
apr_global_mutex_t * pMutex
Definition: ssl_private.h:610
SSL_RSCTX_CONNECT
Definition: ssl_private.h:483
apr_global_mutex_t
Definition: apr_arch_global_mutex.h:23
SSL_SHUTDOWN_TYPE_STANDARD
Definition: ssl_private.h:527
ssl_cmd_SSLProxyCARevocationPath
const char * ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *)
ssl_config_perdir_create
void * ssl_config_perdir_create(apr_pool_t *, char *)
ssl_cmd_SSLCARevocationFile
const char * ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *)
SSLDirConfigRec::proxy_enabled
BOOL proxy_enabled
Definition: ssl_private.h:813
http_log.h
Apache Logging library.
ssl_cmd_SSLCADNRequestPath
const char * ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *)
cmd_parms_struct
Definition: http_config.h:295
util_script.h
Apache script tools.
ssl_load_encrypted_pkey
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, const char *, apr_array_header_t **)
apr_time_t
apr_int64_t apr_time_t
Definition: apr_time.h:45
ssl_cmd_SSLProtocol
const char * ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *)
ap_expr.h
Expression parser.
http_main.h
Command line options.
ssl_util_thread_setup
void ssl_util_thread_setup(apr_pool_t *)
ssl_enabled_t
ssl_enabled_t
Definition: ssl_private.h:463
apr_global_mutex.h
APR Global Locking Routines.
SSL_SHUTDOWN_TYPE_UNSET
Definition: ssl_private.h:526
ssl_randseed_t::nSrc
ssl_rssrc_t nSrc
Definition: ssl_private.h:493
ssl_config_proxy_merge
void ssl_config_proxy_merge(apr_pool_t *, SSLDirConfigRec *, SSLDirConfigRec *)
SSLDirConfigRec::aRequirement
apr_array_header_t * aRequirement
Definition: ssl_private.h:802
httpd.h
HTTP Daemon routines.
SSLConnRec::cipher_suite
const char * cipher_suite
Definition: ssl_private.h:560
modssl_ctx_t::auth
modssl_auth_ctx_t auth
Definition: ssl_private.h:748
SSL_ENABLED_FALSE
Definition: ssl_private.h:465
ssl_opt_t
int ssl_opt_t
Definition: ssl_private.h:359
modssl_auth_ctx_t
Definition: ssl_private.h:666
ssl_cmd_SSLCARevocationPath
const char * ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *)
modssl_ctx_t::ocsp_verify_flags
int ocsp_verify_flags
Definition: ssl_private.h:762
ssl_shutdown_type_e
ssl_shutdown_type_e
Definition: ssl_private.h:525
modssl_ctx_t::pks
modssl_pk_server_t * pks
Definition: ssl_private.h:708
SSLSrvConfigRec::mc
SSLModConfigRec * mc
Definition: ssl_private.h:777
server_rec
A structure to store information for each virtual server.
Definition: httpd.h:1324
ssl_cmd_SSLOCSPDefaultResponder
const char * ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
ssl_cmd_SSLOCSPResponseMaxAge
const char * ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
modssl_auth_ctx_t::ca_cert_file
const char * ca_cert_file
Definition: ssl_private.h:669
ssl_cmd_SSLRandomSeed
const char * ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *)
modssl_ctx_t::protocol_set
int protocol_set
Definition: ssl_private.h:716
SSL_SHUTDOWN_TYPE_ACCURATE
Definition: ssl_private.h:529
ssl_cmd_SSLStrictSNIVHostCheck
const char * ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
modssl_pk_server_t
Definition: ssl_private.h:640
SSLSrvConfigRec::session_tickets
BOOL session_tickets
Definition: ssl_private.h:791
ssl_var_log_config_register
void ssl_var_log_config_register(apr_pool_t *p)
ssl_cmd_SSLEngine
const char * ssl_cmd_SSLEngine(cmd_parms *, void *, const char *)
SSLConnRec::service_unavailable
int service_unavailable
Definition: ssl_private.h:561
ssl_randseed_t::nBytes
int nBytes
Definition: ssl_private.h:495
ssl_util_thread_id_setup
void ssl_util_thread_id_setup(apr_pool_t *)
SSLConnRec::verify_error
const char * verify_error
Definition: ssl_private.h:538
modssl_auth_ctx_t::tls13_ciphers
const char * tls13_ciphers
Definition: ssl_private.h:680
ssl_cmd_SSLProxyCARevocationFile
const char * ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *)
ssl_cmd_SSLVerifyClient
const char * ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *)
ssl_hook_Access
int ssl_hook_Access(request_rec *)
SSLModConfigRec::bFixed
BOOL bFixed
Definition: ssl_private.h:597
ssl_hook_Fixup
int ssl_hook_Fixup(request_rec *)
apr_tables.h
APR Table library.
SSLConnRec::NON_SSL_SEND_REQLINE
Definition: ssl_private.h:544
SSLModConfigRec::pid
pid_t pid
Definition: ssl_private.h:613
ap_socache.h
Small object cache provider interface.
ssl_randseed_t::cpPath
char * cpPath
Definition: ssl_private.h:494
SSLModConfigRec::retained
modssl_retained_data_t * retained
Definition: ssl_private.h:603
ssl_cmd_SSLRenegBufferSize
const char * ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
SSL_RSCTX_STARTUP
Definition: ssl_private.h:482
SSL_OCSPCHECK_LEAF
Definition: ssl_private.h:436
ssl_verify_t
ssl_verify_t
Definition: ssl_private.h:401
ssl_callback_TmpDH
DH * ssl_callback_TmpDH(SSL *, int, int)
apr_fnmatch.h
APR FNMatch Functions.
ssl_cmd_SSLPassPhraseDialog
const char * ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *)
ssl_util_path_check
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *)
SSL_RSSRC_EXEC
Definition: ssl_private.h:488
SSLConnRec::client_cert
X509 * client_cert
Definition: ssl_private.h:535
apr.h
APR Platform Definitions.
ssl_init_ocsp_certificates
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
modssl_ctx_t
Definition: ssl_private.h:703
ssl_authz_provider_verify_client
const authz_provider ssl_authz_provider_verify_client
ssl_callback_Info
void ssl_callback_Info(const SSL *, int, int)
modssl_ctx_t::proxy_uri
apr_uri_t * proxy_uri
Definition: ssl_private.h:758
apr_lib.h
APR general purpose library routines.
ssl_cmd_SSLCARevocationCheck
const char * ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *)
SSLConnRec::dc
SSLDirConfigRec * dc
Definition: ssl_private.h:558
modssl_dispatch_ocsp_request
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
ssl_cmd_SSLRequireSSL
const char * ssl_cmd_SSLRequireSSL(cmd_parms *, void *)
BOOL
#define BOOL
Definition: ssl_private.h:80
ssl_stapling_mutex_reinit
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
mod_auth.h
Authentication and Authorization Extension for Apache.
ssl_cmd_SSLProxyVerifyDepth
const char * ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *)
SSLSrvConfigRec::cipher_server_pref
BOOL cipher_server_pref
Definition: ssl_private.h:782
ssl_util_vhostid
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
modssl_ctx_t::pphrase_dialog_path
const char * pphrase_dialog_path
Definition: ssl_private.h:720
modssl_retained_data_t::privkeys
apr_hash_t * privkeys
Definition: ssl_private.h:591
apr_hash_t
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
http_protocol.h
HTTP protocol handling.
ssl_config_global_isfixed
BOOL ssl_config_global_isfixed(SSLModConfigRec *)
SSLConnRec::disabled
int disabled
Definition: ssl_private.h:541
SSLDirConfigRec::szUserName
const char * szUserName
Definition: ssl_private.h:809
ssl_asn1_t::source_mtime
apr_time_t source_mtime
Definition: ssl_private.h:504
apr_uri_t
Definition: apr_uri.h:85
SSLConnRec::NON_SSL_SEND_HDR_SEP
Definition: ssl_private.h:545
modssl_set_reneg_state
void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
RENEG_ABORT
Definition: ssl_private.h:513
ssl_cmd_SSLProxyCARevocationCheck
const char * ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *)
ssl_util_readfilter
char * ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, const char *const *)
ssl_cmd_SSLProxyCheckPeerExpire
const char * ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK
Definition: ssl_private.h:438
p
apr_pool_t * p
ssl_init_CheckServers
apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *)
ssl_proto_t
int ssl_proto_t
Definition: ssl_private.h:396
ssl_cmd_SSLOCSPUseRequestNonce
const char * ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
SSLDirConfigRec::nOptionsDel
ssl_opt_t nOptionsDel
Definition: ssl_private.h:805
ssl_init_FindCAList
* ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *)
ssl_crlcheck_t
ssl_crlcheck_t
Definition: ssl_private.h:422
util_mutex.h
Apache Mutex support library.
ssl_cmd_SSLOCSPOverrideResponder
const char * ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
modssl_ctx_t::ocsp_resptime_skew
long ocsp_resptime_skew
Definition: ssl_private.h:754
ssl_asn1_table_set
ssl_asn1_t * ssl_asn1_table_set(apr_hash_t *table, const char *key, EVP_PKEY *pkey)
ssl_io_filter_register
void ssl_io_filter_register(apr_pool_t *)
ssl_config_server_create
void * ssl_config_server_create(apr_pool_t *, server_rec *)
ssl_cmd_SSLOCSPProxyURL
const char * ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg)
SSL_CRLCHECK_FLAGS
#define SSL_CRLCHECK_FLAGS
Definition: ssl_private.h:427
AP_MODULE_DECLARE_DATA
#define AP_MODULE_DECLARE_DATA
Definition: macros.h:16
SSL_SHUTDOWN_TYPE_UNCLEAN
Definition: ssl_private.h:528
ssl_asn1_t
Definition: ssl_private.h:501
ssl_mutex_init
int ssl_mutex_init(server_rec *, apr_pool_t *)
ssl_policy_lookup
SSLSrvConfigRec * ssl_policy_lookup(apr_pool_t *pool, const char *name)
SSLConnRec::client_dn
const char * client_dn
Definition: ssl_private.h:534
ssl_init_Module
apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *)
ssl_cmd_SSLCompression
const char * ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)
ssl_asn1_t::cpData
unsigned char * cpData
Definition: ssl_private.h:503
ssl_cmd_SSLCACertificatePath
const char * ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *)
UCHAR
#define UCHAR
Definition: ssl_private.h:292
http_request.h
Apache Request library.
request_rec
A structure that represents the current request.
Definition: httpd.h:819
modssl_pk_server_t::cert_files
apr_array_header_t * cert_files
Definition: ssl_private.h:642
modssl_var_extract_san_entries
void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
SSL_ENABLED_TRUE
Definition: ssl_private.h:466
modssl_pk_proxy_t::cert_path
const char * cert_path
Definition: ssl_private.h:657
util_filter.h
Apache filter library.
SSLModConfigRec::sesscache_mode
long sesscache_mode
Definition: ssl_private.h:600
modssl_ctx_t::ocsp_responder_timeout
apr_interval_time_t ocsp_responder_timeout
Definition: ssl_private.h:756
SSLSrvConfigRec
Definition: ssl_private.h:776
apr_strings.h
APR Strings library.
ssl_mutex_off
int ssl_mutex_off(server_rec *)
ssl_init_ModuleKill
apr_status_t ssl_init_ModuleKill(void *data)
ssl_proxy_section_post_config
int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
ssl_require_t::mpExpr
ap_expr_info_t * mpExpr
Definition: ssl_private.h:475
modssl_ctx_t::ocsp_force_default
BOOL ocsp_force_default
Definition: ssl_private.h:751
ssl_cmd_SSLOCSPResponderCertificateFile
const char * ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
modssl_retained_data_t::key_ids
apr_hash_t * key_ids
Definition: ssl_private.h:585
modssl_ctx_t::ssl_check_peer_name
BOOL ssl_check_peer_name
Definition: ssl_private.h:772
ssl_callback_proxy_cert
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
SSLModConfigRec
Definition: ssl_private.h:596
ssl_cmd_SSLCACertificateFile
const char * ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *)
ssl_scache_status_register
void ssl_scache_status_register(apr_pool_t *p)
ssl_ext_list
apr_array_header_t * ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension)
apr_table_t
struct apr_table_t apr_table_t
Definition: apr_tables.h:56
modssl_ctx_t::ssl_check_peer_expire
BOOL ssl_check_peer_expire
Definition: ssl_private.h:773
__attribute__
#define __attribute__(__x)
Definition: apr.h:63
name
const char * name
Definition: mod_dav.h:726
modssl_pk_server_t::service_unavailable
int service_unavailable
Definition: ssl_private.h:651
SSL_CRLCHECK_NONE
Definition: ssl_private.h:423
ssl_hook_ConfigTest
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
SSLSrvConfigRec::vhost_id
const char * vhost_id
Definition: ssl_private.h:779
apr_pool_t
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
modssl_auth_ctx_t::ca_cert_path
const char * ca_cert_path
Definition: ssl_private.h:668
module_struct
Definition: http_config.h:355
ssl_scache_init
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *)
ssl_callback_NewSessionCacheEntry
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *)
ssl_cmd_SSLCertificateKeyFile
const char * ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *)
modssl_ctx_t::ssl_check_peer_cn
BOOL ssl_check_peer_cn
Definition: ssl_private.h:771
apr_status_t
int apr_status_t
Definition: apr_errno.h:44
SSLDirConfigRec::nOptionsAdd
ssl_opt_t nOptionsAdd
Definition: ssl_private.h:804
ssl_authz_provider_require_ssl
const authz_provider ssl_authz_provider_require_ssl
r
request_rec * r
Definition: mod_dav.h:515
ssl_ocspcheck_t
ssl_ocspcheck_t
Definition: ssl_private.h:434
ssl_scache_store
BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, apr_time_t, SSL_SESSION *, apr_pool_t *)
ssl_hook_ReadReq
int ssl_hook_ReadReq(request_rec *)
ssl_log_xerror
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s, X509 *cert, const char *format,...) __attribute__((format(printf
ssl_cmd_SSLVerifyDepth
const char * ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *)
ssl_cmd_SSLProxyCACertificateFile
const char * ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *)
ssl_log_rxerror
void void void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, request_rec *r, X509 *cert, const char *format,...) __attribute__((format(printf
ssl_scache_remove
void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
modssl_ctx_t::ssl_ctx
SSL_CTX * ssl_ctx
Definition: ssl_private.h:705
ssl_rand_seed
void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *)
ssl_callback_GetSessionCacheEntry
SSL_SESSION * ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *)
modssl_ctx_t::crl_check_mask
int crl_check_mask
Definition: ssl_private.h:727
ssl_cmd_SSLProxyMachineCertificateChainFile
const char * ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *)
ssl_util_ssl.h
Additional Utility Functions for OpenSSL.
ssl_scache_kill
void ssl_scache_kill(server_rec *)
ssl_cmd_SSLProxyMachineCertificatePath
const char * ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *)
SSL_PPTYPE_FILTER
Definition: ssl_private.h:447
RENEG_ALLOW
Definition: ssl_private.h:511
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition: http_config.h:519
SSL_ENABLED_OPTIONAL
Definition: ssl_private.h:467
SSL_OCSPCHECK_NONE
Definition: ssl_private.h:435
ssl_cmd_SSLCipherSuite
const char * ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *)
modssl_ctx_t::crl_file
const char * crl_file
Definition: ssl_private.h:726
modssl_reneg_state
modssl_reneg_state
Definition: ssl_private.h:507
ssl_cmd_SSLUserName
const char * ssl_cmd_SSLUserName(cmd_parms *, void *, const char *)
AP_FN_ATTR_WARN_UNUSED_RESULT
const char AP_FN_ATTR_WARN_UNUSED_RESULT
Definition: ssl_private.h:1116
ssl_log_ssl_error
void ssl_log_ssl_error(const char *, int, int, server_rec *)
RENEG_INIT
Definition: ssl_private.h:508
modssl_auth_ctx_t::cipher_suite
const char * cipher_suite
Definition: ssl_private.h:671
ssl_hook_UserCheck
int ssl_hook_UserCheck(request_rec *)
SSLConnRec::vhost_found
int vhost_found
Definition: ssl_private.h:562
ssl_config_server_merge
void * ssl_config_server_merge(apr_pool_t *, void *, void *)
ssl_mutex_on
int ssl_mutex_on(server_rec *)
ssl_pathcheck_t
unsigned int ssl_pathcheck_t
Definition: ssl_private.h:458
ssl_mutex_reinit
int ssl_mutex_reinit(server_rec *, apr_pool_t *)
ssl_init_ssl_connection
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
modssl_ctx_t::ocsp_mask
int ocsp_mask
Definition: ssl_private.h:750
modssl_get_dh_params
DH * modssl_get_dh_params(unsigned keylen)
ssl_pphrase_t
ssl_pphrase_t
Definition: ssl_private.h:444
SSLSrvConfigRec::session_cache_timeout
int session_cache_timeout
Definition: ssl_private.h:781
ssl_require_t
Definition: ssl_private.h:473
modssl_ctx_t::ocsp_use_request_nonce
BOOL ocsp_use_request_nonce
Definition: ssl_private.h:757
ssl_callback_SSLVerify_CRL
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *)
ssl_randseed_t
Definition: ssl_private.h:491
ssl_rsctx_t
ssl_rsctx_t
Definition: ssl_private.h:481
ssl_cmd_SSLProxyEngine
const char * ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
UNSET
#define UNSET
Definition: ssl_private.h:278
SSLDirConfigRec::bSSLRequired
BOOL bSSLRequired
Definition: ssl_private.h:801
modssl_ctx_t::pphrase_dialog_type
ssl_pphrase_t pphrase_dialog_type
Definition: ssl_private.h:719
ssl_io_buffer_fill
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
SSL_CVERIFY_UNSET
Definition: ssl_private.h:402
STACK_OF
#define STACK_OF(x)
Definition: macros.h:26
ap_socache_instance_t
struct ap_socache_instance_t ap_socache_instance_t
Definition: ap_socache.h:49
SSLConnRec
Definition: ssl_private.h:532
ssl_cmd_SSLProxyCheckPeerName
const char * ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)