Apache2
ssl_private.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SSL_PRIVATE_H
18 #define SSL_PRIVATE_H
19 
30 #include "ap_config.h"
31 #include "httpd.h"
32 #include "http_config.h"
33 #include "http_core.h"
34 #include "http_log.h"
35 #include "http_main.h"
36 #include "http_connection.h"
37 #include "http_request.h"
38 #include "http_protocol.h"
39 #include "http_ssl.h"
40 #include "http_vhost.h"
41 #include "util_script.h"
42 #include "util_filter.h"
43 #include "util_ebcdic.h"
44 #include "util_mutex.h"
45 #include "apr.h"
46 #include "apr_strings.h"
47 #define APR_WANT_STRFUNC
48 #define APR_WANT_MEMFUNC
49 #include "apr_want.h"
50 #include "apr_tables.h"
51 #include "apr_lib.h"
52 #include "apr_fnmatch.h"
53 #include "apr_strings.h"
54 #include "apr_global_mutex.h"
55 #include "apr_optional.h"
56 #include "ap_socache.h"
57 #include "mod_auth.h"
58 
59 /* The #ifdef macros are only defined AFTER including the above
60  * therefore we cannot include these system files at the top :-(
61  */
62 #if APR_HAVE_STDLIB_H
63 #include <stdlib.h>
64 #endif
65 #if APR_HAVE_SYS_TIME_H
66 #include <sys/time.h>
67 #endif
68 #if APR_HAVE_UNISTD_H
69 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
70 #endif
71 
72 #ifndef FALSE
73 #define FALSE 0
74 #endif
75 
76 #ifndef TRUE
77 #define TRUE !FALSE
78 #endif
79 
80 #ifndef BOOL
81 #define BOOL unsigned int
82 #endif
83 
84 #include "ap_expr.h"
85 
86 /* OpenSSL headers */
87 #include <openssl/opensslv.h>
88 #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
89 /* must be defined before including ssl.h */
90 #define OPENSSL_NO_SSL_INTERN
91 #endif
92 #if OPENSSL_VERSION_NUMBER >= 0x30000000
93 #include <openssl/core_names.h>
94 #endif
95 #include <openssl/ssl.h>
96 #include <openssl/err.h>
97 #include <openssl/x509.h>
98 #include <openssl/pem.h>
99 #include <openssl/crypto.h>
100 #include <openssl/evp.h>
101 #include <openssl/rand.h>
102 #include <openssl/x509v3.h>
103 #include <openssl/x509_vfy.h>
104 #include <openssl/ocsp.h>
105 
106 /* Avoid tripping over an engine build installed globally and detected
107  * when the user points at an explicit non-engine flavor of OpenSSL
108  */
109 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
110 #include <openssl/engine.h>
111 #endif
112 
113 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
114 #error mod_ssl requires OpenSSL 0.9.8a or later
115 #endif
116 
123 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
124 #define MODSSL_SSL_CIPHER_CONST const
125 #define MODSSL_SSL_METHOD_CONST const
126 #else
127 #define MODSSL_SSL_CIPHER_CONST
128 #define MODSSL_SSL_METHOD_CONST
129 #endif
130 
131 #if defined(LIBRESSL_VERSION_NUMBER)
132 /* Missing from LibreSSL */
133 #if LIBRESSL_VERSION_NUMBER < 0x2060000f
134 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
135 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
136 #define SSL_CTX_set_min_proto_version(ctx, version) \
137  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
138 #define SSL_CTX_set_max_proto_version(ctx, version) \
139  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
140 #elif LIBRESSL_VERSION_NUMBER < 0x2070000f
141 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
142  * include most changes from OpenSSL >= 1.1 (new functions, macros,
143  * deprecations, ...), so we have to work around this...
144  */
145 #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
146 #endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
147 #else /* defined(LIBRESSL_VERSION_NUMBER) */
148 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
149 #endif
150 
151 #if OPENSSL_VERSION_NUMBER < 0x10101000
152 #define MODSSL_USE_SSLRAND
153 #endif
154 
155 #if defined(OPENSSL_FIPS)
156 #define HAVE_FIPS
157 #endif
158 
159 #if defined(SSL_OP_NO_TLSv1_2)
160 #define HAVE_TLSV1_X
161 #endif
162 
163 #if defined(SSL_CONF_FLAG_FILE)
164 #define HAVE_SSL_CONF_CMD
165 #endif
166 
167 /* session id constness */
168 #if MODSSL_USE_OPENSSL_PRE_1_1_API
169 #define IDCONST
170 #else
171 #define IDCONST const
172 #endif
173 
178 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
179 
180 #define HAVE_TLSEXT
181 
182 /* ECC: make sure we have at least 1.0.0 */
183 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
184 #define HAVE_ECC
185 #endif
186 
187 /* OCSP stapling */
188 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
189 #define HAVE_OCSP_STAPLING
190 /* All exist but are no longer macros since OpenSSL 1.1.0 */
191 #if OPENSSL_VERSION_NUMBER < 0x10100000L
192 /* backward compatibility with OpenSSL < 1.0 */
193 #ifndef sk_OPENSSL_STRING_num
194 #define sk_OPENSSL_STRING_num sk_num
195 #endif
196 #ifndef sk_OPENSSL_STRING_value
197 #define sk_OPENSSL_STRING_value sk_value
198 #endif
199 #ifndef sk_OPENSSL_STRING_pop
200 #define sk_OPENSSL_STRING_pop sk_pop
201 #endif
202 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
203 #endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
204 
205 /* TLS session tickets */
206 #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
207 #define HAVE_TLS_SESSION_TICKETS
208 #define TLSEXT_TICKET_KEY_LEN 48
209 #ifndef tlsext_tick_md
210 #ifdef OPENSSL_NO_SHA256
211 #define tlsext_tick_md EVP_sha1
212 #else
213 #define tlsext_tick_md EVP_sha256
214 #endif
215 #endif
216 #endif
217 
218 /* Secure Remote Password */
219 #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
220 #define HAVE_SRP
221 #include <openssl/srp.h>
222 #endif
223 
224 /* ALPN Protocol Negotiation */
225 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
226 #define HAVE_TLS_ALPN
227 #endif
228 
229 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
230 
231 #if MODSSL_USE_OPENSSL_PRE_1_1_API
232 #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
233 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
234 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
235 #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
236 #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
237 #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
238 #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
239 #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
240 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
241 #define BIO_set_init(x,v) (x->init=v)
242 #define BIO_get_data(x) (x->ptr)
243 #define BIO_set_data(x,v) (x->ptr=v)
244 #endif
245 #define BIO_get_shutdown(x) (x->shutdown)
246 #define BIO_set_shutdown(x,v) (x->shutdown=v)
247 #define DH_bits(x) (BN_num_bits(x->p))
248 #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509))
249 #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY))
250 #else
251 void init_bio_methods(void);
252 void free_bio_methods(void);
253 #endif
254 
255 #if OPENSSL_VERSION_NUMBER < 0x10002000L || \
256  (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
257 #define X509_STORE_CTX_get0_store(x) (x->ctx)
258 #endif
259 
260 #if OPENSSL_VERSION_NUMBER < 0x10000000L
261 #ifndef X509_STORE_CTX_get0_current_issuer
262 #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
263 #endif
264 #endif
265 
266 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
267 #define HAVE_OPENSSL_KEYLOG
268 #endif
269 
270 /* mod_ssl headers */
271 #include "ssl_util_ssl.h"
272 
273 APLOG_USE_MODULE(ssl);
274 
275 /*
276  * Provide reasonable default for some defines
277  */
278 #ifndef UNSET
279 #define UNSET (-1)
280 #endif
281 #ifndef NUL
282 #define NUL '\0'
283 #endif
284 #ifndef RAND_MAX
285 #include <limits.h>
286 #define RAND_MAX INT_MAX
287 #endif
288 
292 #ifndef UCHAR
293 #define UCHAR unsigned char
294 #endif
295 
299 #define strEQ(s1,s2) (strcmp(s1,s2) == 0)
300 #define strNE(s1,s2) (strcmp(s1,s2) != 0)
301 #define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
302 #define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
303 
304 #define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
305 #define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
306 #define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
307 #define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
308 
309 #define strIsEmpty(s) (s == NULL || s[0] == NUL)
310 
311 #define myConnConfig(c) \
312  ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module))
313 #define myConnConfigSet(c, val) \
314  ap_set_module_config(c->conn_config, &ssl_module, val)
315 #define mySrvConfig(srv) \
316  ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
317 #define myDirConfig(req) \
318  ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
319 #define myCtxConfig(sslconn, sc) \
320  (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
321 #define myModConfig(srv) mySrvConfig((srv))->mc
322 #define mySrvFromConn(c) myConnConfig(c)->server
323 #define myDirConfigFromConn(c) myConnConfig(c)->dc
324 #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
325 #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
326 
330 #ifndef SSL_SESSION_CACHE_TIMEOUT
331 #define SSL_SESSION_CACHE_TIMEOUT 300
332 #endif
333 
334 /* Default setting for per-dir reneg buffer. */
335 #ifndef DEFAULT_RENEG_BUFFER_SIZE
336 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
337 #endif
338 
339 /* Default for OCSP response validity */
340 #ifndef DEFAULT_OCSP_MAX_SKEW
341 #define DEFAULT_OCSP_MAX_SKEW (60 * 5)
342 #endif
343 
344 /* Default timeout for OCSP queries */
345 #ifndef DEFAULT_OCSP_TIMEOUT
346 #define DEFAULT_OCSP_TIMEOUT 10
347 #endif
348 
352 #define SSL_OPT_NONE (0)
353 #define SSL_OPT_RELSET (1<<0)
354 #define SSL_OPT_STDENVVARS (1<<1)
355 #define SSL_OPT_EXPORTCERTDATA (1<<3)
356 #define SSL_OPT_FAKEBASICAUTH (1<<4)
357 #define SSL_OPT_STRICTREQUIRE (1<<5)
358 #define SSL_OPT_OPTRENEGOTIATE (1<<6)
359 #define SSL_OPT_LEGACYDNFORMAT (1<<7)
360 #define SSL_OPT_EXPORTCB64DATA (1<<8)
361 typedef int ssl_opt_t;
362 
366 #define SSL_PROTOCOL_NONE (0)
367 #ifndef OPENSSL_NO_SSL3
368 #define SSL_PROTOCOL_SSLV3 (1<<1)
369 #endif
370 #define SSL_PROTOCOL_TLSV1 (1<<2)
371 #ifndef OPENSSL_NO_SSL3
372 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
373 #else
374 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
375 #endif
376 #ifdef HAVE_TLSV1_X
377 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
378 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
379 #define SSL_PROTOCOL_TLSV1_3 (1<<5)
380 
381 #ifdef SSL_OP_NO_TLSv1_3
382 #define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
383 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
384  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
385 #else
386 #define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
387 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
388  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
389 #endif
390 #else
391 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
392 #endif
393 #ifndef OPENSSL_NO_SSL3
394 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
395 #else
396 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
397 #endif
398 typedef int ssl_proto_t;
399 
403 typedef enum {
409 } ssl_verify_t;
410 
411 #define SSL_VERIFY_PEER_STRICT \
412  (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
413 
414 #define ssl_verify_error_is_optional(errnum) \
415  ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
416  || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
417  || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
418  || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
419  || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
420 
424 typedef enum {
426  SSL_CRLCHECK_LEAF = (1 << 0),
427  SSL_CRLCHECK_CHAIN = (1 << 1),
428 
429 #define SSL_CRLCHECK_FLAGS (~0x3)
432 
436 typedef enum {
438  SSL_OCSPCHECK_LEAF = (1 << 0),
442 
446 typedef enum {
451 } ssl_pphrase_t;
452 
456 #define SSL_PCM_EXISTS 1
457 #define SSL_PCM_ISREG 2
458 #define SSL_PCM_ISDIR 4
459 #define SSL_PCM_ISNONZERO 8
460 typedef unsigned int ssl_pathcheck_t;
461 
465 typedef enum {
470 } ssl_enabled_t;
471 
475 typedef struct {
476  const char *cpExpr;
478 } ssl_require_t;
479 
483 typedef enum {
486 } ssl_rsctx_t;
487 typedef enum {
492 } ssl_rssrc_t;
493 typedef struct {
496  char *cpPath;
497  int nBytes;
499 
503 typedef struct {
504  long int nData;
505  unsigned char *cpData;
507 } ssl_asn1_t;
508 
509 typedef enum {
510  RENEG_INIT = 0, /* Before initial handshake */
511  RENEG_REJECT, /* After initial handshake; any client-initiated
512  * renegotiation should be rejected */
513  RENEG_ALLOW, /* A server-initiated renegotiation is taking
514  * place (as dictated by configuration) */
515  RENEG_ABORT /* Renegotiation initiated by client, abort the
516  * connection */
518 
526 
527 typedef enum {
533 
534 typedef struct {
535  SSL *ssl;
536  const char *client_dn;
537  X509 *client_cert;
538  ssl_shutdown_type_e shutdown_type;
539  const char *verify_info;
540  const char *verify_error;
542  int is_proxy;
543  int disabled;
544  enum {
545  NON_SSL_OK = 0, /* is SSL request, or error handling completed */
546  NON_SSL_SEND_REQLINE, /* Need to send the fake request line */
547  NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
548  NON_SSL_SET_ERROR_MSG /* Need to set the error message */
549  } non_ssl_request;
550 
551 #ifndef SSL_OP_NO_RENEGOTIATION
552  /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
553  * for the connection to block client-initiated renegotiations.
554  * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
555  * the SSL * options state with equivalent effect. */
556  modssl_reneg_state reneg_state;
557 #endif
558 
561 
562  const char *cipher_suite; /* cipher suite used in last reneg */
563  int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
564  int vhost_found; /* whether we found vhost from SNI already */
565 } SSLConnRec;
566 
567 /* Private keys are retained across reloads, since decryption
568  * passphrases can only be entered during startup (before detaching
569  * from a terminal). This structure is stored via the ap_retained_*
570  * API and retrieved on later module reloads. If the structure
571  * changes, the key name must be changed by increasing the digit at
572  * the end, to avoid an updated version of mod_ssl loading retained
573  * data with a different struct definition.
574  *
575  * All objects used here must be allocated from the process pool
576  * (s->process->pool) so they also survives restarts. */
577 #define MODSSL_RETAINED_KEY "mod_ssl-retained-1"
578 
579 typedef struct {
580  /* A hash table of vhost key-IDs used to index the privkeys hash,
581  * for example the string "vhost.example.com:443:0". For each
582  * (key, value) pair the value is the same as the key, allowing
583  * the keys to be retrieved on subsequent reloads rather than
584  * rellocated. ### This optimisation seems to be of dubious
585  * value. Allocating the vhost-key-ids from pconf and duping them
586  * when storing them in ->privkeys would be simpler. */
588 
589  /* A hash table of pointers to ssl_asn1_t structures. The
590  * structures are used to store private keys in raw DER format
591  * (serialized OpenSSL PrivateKey structures). The table is
592  * indexed by key-IDs from the key_ids hash table. */
594 
595  /* Do NOT add fields here without changing the key name, as above. */
597 
598 typedef struct {
600 
601  /* OpenSSL SSL_SESS_CACHE_* flags: */
603 
604  /* Data retained across reloads. */
606 
607  /* The configured provider, and associated private data
608  * structure. */
611 
613 
614 #ifdef MODSSL_USE_SSLRAND
615  pid_t pid; /* used for seeding after fork() */
617 #endif
618 
619 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
620  const char *szCryptoDevice;
621 #endif
622 
623 #ifdef HAVE_OCSP_STAPLING
624  const ap_socache_provider_t *stapling_cache;
625  ap_socache_instance_t *stapling_cache_context;
626  apr_global_mutex_t *stapling_cache_mutex;
627  apr_global_mutex_t *stapling_refresh_mutex;
628 #endif
629 
630 #ifdef HAVE_OPENSSL_KEYLOG
631  /* Used for logging if SSLKEYLOGFILE is set at startup. */
632  apr_file_t *keylog_file;
633 #endif
634 
635 #ifdef HAVE_FIPS
636  BOOL fips;
637 #endif
639 
642 typedef struct {
643  /* Lists of configured certs and keys for this server */
646 
649  const char *ca_name_path;
650  const char *ca_name_file;
651 
652  /* TLS service for this server is suspended */
655 
656 typedef struct {
658  const char *cert_file;
659  const char *cert_path;
660  const char *ca_cert_file;
661  /* certs is a stack of configured cert, key pairs. */
662  STACK_OF(X509_INFO) *certs;
663  /* ca_certs contains ONLY chain certs for each item in certs.
664  * ca_certs[n] is a pointer to the (STACK_OF(X509) *) stack which
665  * holds the cert chain for the 'n'th cert in the certs stack, or
666  * NULL if no chain is configured. */
667  STACK_OF(X509) **ca_certs;
669 
671 typedef struct {
673  const char *ca_cert_path;
674  const char *ca_cert_file;
675 
676  const char *cipher_suite;
677 
681 
685  const char *tls13_ciphers;
687 
688 #ifdef HAVE_TLS_SESSION_TICKETS
689 typedef struct {
690  const char *file_path;
691  unsigned char key_name[16];
692 #if OPENSSL_VERSION_NUMBER < 0x30000000L
693  unsigned char hmac_secret[16];
694 #else
695  OSSL_PARAM mac_params[3];
696 #endif
697  unsigned char aes_key[16];
698 } modssl_ticket_key_t;
699 #endif
700 
701 #ifdef HAVE_SSL_CONF_CMD
702 typedef struct {
703  const char *name;
704  const char *value;
705 } ssl_ctx_param_t;
706 #endif
707 
708 typedef struct {
710  SSL_CTX *ssl_ctx;
711 
715 
716 #ifdef HAVE_TLS_SESSION_TICKETS
717  modssl_ticket_key_t *ticket_key;
718 #endif
719 
722 
725  const char *pphrase_dialog_path;
726 
727  const char *cert_chain;
728 
730  const char *crl_path;
731  const char *crl_file;
733 
734 #ifdef HAVE_OCSP_STAPLING
735 
736  BOOL stapling_enabled;
737  long stapling_resptime_skew;
738  long stapling_resp_maxage;
739  int stapling_cache_timeout;
740  BOOL stapling_return_errors;
741  BOOL stapling_fake_trylater;
742  int stapling_errcache_timeout;
743  apr_interval_time_t stapling_responder_timeout;
744  const char *stapling_force_url;
745 #endif
746 
747 #ifdef HAVE_SRP
748  char *srp_vfile;
749  char *srp_unknown_user_seed;
750  SRP_VBASE *srp_vbase;
751 #endif
752 
754 
756  BOOL ocsp_force_default; /* true if the default responder URL is
757  * used regardless of per-cert URL */
758  const char *ocsp_responder; /* default responder URL */
764 
765  BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
766  /* Declare variables for using OCSP Responder Certs for OCSP verification */
767  int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
768  const char *ocsp_certs_file; /* OCSP other certificates filename */
769  STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
770 
771 #ifdef HAVE_SSL_CONF_CMD
772  SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
773  apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
774 #endif
775 
779 } modssl_ctx_t;
780 
784  const char *vhost_id;
785  const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
790 #ifdef HAVE_TLSEXT
791  ssl_enabled_t strict_sni_vhost_check;
792 #endif
793 #ifndef OPENSSL_NO_COMP
795 #endif
797 
798 };
799 
811  const char *szCipherSuite;
814  const char *szUserName;
816 
820 };
821 
823 
830 
835 void *ssl_config_server_merge(apr_pool_t *, void *, void *);
836 void *ssl_config_perdir_create(apr_pool_t *, char *);
837 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
840 const char *ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *);
841 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
842 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
843 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
844 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
845 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
846 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
847 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
848 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
849 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
850 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
851 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
852 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
853 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
854 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
855 const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
856 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
857 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
858 const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
859 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
860 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
861 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
862 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
863 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
864 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
865 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
866 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
867 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
868 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
869 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
870 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
871 
872 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
873 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
874 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
875 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
876 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
877 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
878 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
879 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
880 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
881 const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
882 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
883 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
884 const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
885 #ifdef HAVE_TLS_SESSION_TICKETS
886 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
887 #endif
888 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
889 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
890 const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);
891 
892 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
893 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
894 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
895 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
896 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
897 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
898 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
899 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
900 
901 /* Declare OCSP Responder Certificate Verification Directive */
902 const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
903 /* Declare OCSP Responder Certificate File Directive */
904 const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
905 
906 #ifdef HAVE_SSL_CONF_CMD
907 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
908 #endif
909 
910 #ifdef HAVE_SRP
911 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
912 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
913 #endif
914 
915 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
916 
924  apr_pool_t *ptemp, server_rec *s,
925  ap_conf_vector_t *section_config);
926 STACK_OF(X509_NAME)
927  *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
930 
938 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
939 
943 
945 DH *ssl_callback_TmpDH(SSL *, int, int);
946 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
947 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
948 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
949 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
950 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
951 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
952 void ssl_callback_Info(const SSL *, int, int);
953 #ifdef HAVE_TLSEXT
954 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
955 #endif
956 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
957 int ssl_callback_ClientHello(SSL *, int *, void *);
958 #endif
959 #ifdef HAVE_TLS_SESSION_TICKETS
960 int ssl_callback_SessionTicket(SSL *ssl,
961  unsigned char *keyname,
962  unsigned char *iv,
963  EVP_CIPHER_CTX *cipher_ctx,
964 #if OPENSSL_VERSION_NUMBER < 0x30000000L
965  HMAC_CTX *hmac_ctx,
966 #else
967  EVP_MAC_CTX *mac_ctx,
968 #endif
969  int mode);
970 #endif
971 
972 #ifdef HAVE_TLS_ALPN
973 int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
974  unsigned char *outlen, const unsigned char *in,
975  unsigned int inlen, void *arg);
976 #endif
977 
983  apr_time_t, SSL_SESSION *, apr_pool_t *);
984 SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
986  apr_pool_t *);
987 
989 #ifdef HAVE_OCSP_STAPLING
990 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
991 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
992 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
993 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
994 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
995 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
996 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
997 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
998 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
999 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
1000 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
1001 void ssl_stapling_certinfo_hash_init(apr_pool_t *);
1002 int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
1003  modssl_ctx_t *, X509 *);
1004 #endif
1005 #ifdef HAVE_SRP
1006 int ssl_callback_SRPServerParams(SSL *, int *, void *);
1007 #endif
1008 
1009 #ifdef HAVE_OPENSSL_KEYLOG
1010 /* Callback used with SSL_CTX_set_keylog_callback. */
1011 void modssl_callback_keylog(const SSL *ssl, const char *line);
1012 #endif
1013 
1015 void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
1017 long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
1018 
1019 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
1020  * to allow an SSL renegotiation to take place. */
1022 
1023 #ifdef MODSSL_USE_SSLRAND
1024 
1025 void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
1026 #else
1027 #define ssl_rand_seed(s, p, ctx, c) /* noop */
1028 #endif
1029 
1032 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
1033  const char * const *);
1035 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
1036  const char * const *);
1037 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
1038 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
1041 #endif
1043 
1044 BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
1045 
1048  const char *, apr_array_header_t **);
1049 
1050 /* Load public and/or private key from the configured ENGINE. Private
1051  * key returned as *pkey. certid can be NULL, in which case *pubkey
1052  * is not altered. Errors logged on failure. */
1054  const char *vhostid,
1055  const char *certid, const char *keyid,
1056  X509 **pubkey, EVP_PKEY **privkey);
1057 
1059 DH *ssl_dh_GetParamFromFile(const char *);
1060 #ifdef HAVE_ECC
1061 EC_GROUP *ssl_ec_GetParamFromFile(const char *);
1062 #endif
1063 
1064 /* Store the EVP_PKEY key (serialized into DER) in the hash table with
1065  * key, returning the ssl_asn1_t structure pointer. */
1066 ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
1067  EVP_PKEY *pkey);
1068 /* Retrieve the ssl_asn1_t structure with given key from the hash. */
1069 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
1070 
1074 int ssl_mutex_on(server_rec *);
1075 int ssl_mutex_off(server_rec *);
1076 
1078 
1079 /* mutex type names for Mutex directive */
1080 #define SSL_CACHE_MUTEX_TYPE "ssl-cache"
1081 #define SSL_STAPLING_CACHE_MUTEX_TYPE "ssl-stapling"
1082 #define SSL_STAPLING_REFRESH_MUTEX_TYPE "ssl-stapling-refresh"
1083 
1085 
1087 void ssl_log_ssl_error(const char *, int, int, server_rec *);
1088 
1089 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
1090  * respective ap_log_*error functions and take a certificate as an
1091  * additional argument (whose details are appended to the log message).
1092  * The other arguments are interpreted exactly as with their ap_log_*error
1093  * counterparts. */
1094 void ssl_log_xerror(const char *file, int line, int level,
1096  X509 *cert, const char *format, ...)
1097  __attribute__((format(printf,8,9)));
1098 
1099 void ssl_log_cxerror(const char *file, int line, int level,
1100  apr_status_t rv, conn_rec *c, X509 *cert,
1101  const char *format, ...)
1102  __attribute__((format(printf,7,8)));
1103 
1104 void ssl_log_rxerror(const char *file, int line, int level,
1105  apr_status_t rv, request_rec *r, X509 *cert,
1106  const char *format, ...)
1107  __attribute__((format(printf,7,8)));
1108 
1109 #define SSLLOG_MARK __FILE__,__LINE__
1110 
1113 /* Register variables for the lifetime of the process pool 'p'. */
1114 void ssl_var_register(apr_pool_t *p);
1115 
1116 /* Matches optional function of the same name in the public API. The
1117  * pool in which to allocate the return value must be non-NULL; c
1118  * and/or r may be NULL. */
1119 const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
1120  const char *name)
1122 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
1123 
1125 
1126 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
1127  * allocating from 'p': */
1128 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1129 
1130 /* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
1131  * from SSL object 'ssl', allocating from 'p'. */
1133 
1134 #ifndef OPENSSL_NO_OCSP
1135 /* Perform OCSP validation of the current cert in the given context.
1136  * Returns non-zero on success or zero on failure. On failure, the
1137  * context error code is set. */
1138 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
1139  server_rec *s, conn_rec *c, apr_pool_t *pool);
1140 
1141 /* OCSP helper interface; dispatches the given OCSP request to the
1142  * responder at the given URI. Returns the decoded OCSP response
1143  * object, or NULL on error (in which case, errors will have been
1144  * logged). Pool 'p' is used for temporary allocations. */
1145 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
1146  apr_interval_time_t timeout,
1147  OCSP_REQUEST *request,
1148  conn_rec *c, apr_pool_t *p);
1149 
1150 /* Initialize OCSP trusted certificate list */
1152 
1153 #endif
1154 
1155 /* Retrieve DH parameters for given key length. Return value should
1156  * be treated as unmutable, since it is stored in process-global
1157  * memory. */
1158 DH *modssl_get_dh_params(unsigned keylen);
1159 
1160 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
1161  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
1162  * corresponding SSLConnRec structure for the connection. */
1163 int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
1164 
1165 /* Returns non-zero if the cert/key filename should be handled through
1166  * the configured ENGINE. */
1167 int modssl_is_engine_id(const char *name);
1168 
1169 #if HAVE_VALGRIND
1170 extern int ssl_running_on_valgrind;
1171 #endif
1172 
1173 int ssl_is_challenge(conn_rec *c, const char *servername,
1174  X509 **pcert, EVP_PKEY **pkey,
1175  const char **pcert_file, const char **pkey_file);
1176 
1177 /* Set the renegotation state for connection. */
1178 void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
1179 
1180 #endif /* SSL_PRIVATE_H */
1181 
Definition: ssl_private.h:488
const char * ssl_cmd_SSLRequire(cmd_parms *, void *, const char *)
Definition: ap_socache.h:89
ssl_rsctx_t nCtx
Definition: ssl_private.h:494
Definition: ssl_private.h:408
Definition: ssl_private.h:430
ssl_proto_t protocol
Definition: ssl_private.h:720
size_t apr_size_t
Definition: apr.h:393
const char * ca_name_path
Definition: ssl_private.h:649
Definition: ssl_private.h:448
const char * cpExpr
Definition: ssl_private.h:476
Definition: ssl_private.h:406
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, const char *vhostid, const char *certid, const char *keyid, X509 **pubkey, EVP_PKEY **privkey)
Definition: ssl_private.h:427
const char * ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *)
void ssl_init_Child(apr_pool_t *, server_rec *)
Definition: ssl_private.h:656
server_rec * server
Definition: ssl_private.h:559
apr_array_header_t * aRandSeed
Definition: ssl_private.h:616
SSL_SESSION * ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
int ssl_hook_Upgrade(request_rec *)
int verify_depth
Definition: ssl_private.h:541
int is_proxy
Definition: ssl_private.h:542
DH * ssl_dh_GetParamFromFile(const char *)
Apache Configuration.
const unsigned char * vhost_md5
Definition: ssl_private.h:785
const char * ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *)
const char * ocsp_responder
Definition: ssl_private.h:758
int ssl_callback_SSLVerify(int, X509_STORE_CTX *)
const char * ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *)
modssl_ctx_t * proxy
Definition: ssl_private.h:817
#define IDCONST
Definition: ssl_private.h:169
Definition: ssl_private.h:426
const char * ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *)
ssl_opt_t nOptions
Definition: ssl_private.h:808
const char * ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *)
Definition: apr_arch_file_io.h:107
const char * ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
Definition: apr_tables.h:62
module AP_MODULE_DECLARE_DATA ssl_module
const char * ca_cert_file
Definition: ssl_private.h:660
ssl_enabled_t enabled
Definition: ssl_private.h:783
const ap_socache_provider_t * sesscache
Definition: ssl_private.h:609
Definition: ap_expr.h:41
Definition: ssl_private.h:466
const char * ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
void * ssl_config_perdir_merge(apr_pool_t *, void *, void *)
apr_size_t nRenegBufferSize
Definition: ssl_private.h:815
Definition: ssl_private.h:579
Definition: ssl_private.h:450
Definition: ssl_private.h:439
ap_socache_instance_t * sesscache_context
Definition: ssl_private.h:610
const char * ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *)
const char * cert_chain
Definition: ssl_private.h:727
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:555
ssl_verify_t nVerifyClient
Definition: ssl_private.h:812
long ssl_io_data_cb(BIO *, int, const char *, int, long, long)
void ssl_config_global_fix(SSLModConfigRec *)
long ocsp_resp_maxage
Definition: ssl_private.h:760
BOOL insecure_reneg
Definition: ssl_private.h:788
const char * ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
ssl_verify_t verify_mode
Definition: ssl_private.h:680
const char * ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *)
long int nData
Definition: ssl_private.h:504
const dav_resource dav_lockdb dav_lock * request
Definition: mod_dav.h:1438
const char * ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag)
const char * ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
BOOL compression
Definition: ssl_private.h:794
BOOL proxy_post_config
Definition: ssl_private.h:819
const char * ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
const char * verify_info
Definition: ssl_private.h:539
SSLSrvConfigRec * sc
Definition: ssl_private.h:709
apr_status_t ssl_die(server_rec *)
int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn)
Definition: ssl_private.h:447
void ssl_var_register(apr_pool_t *p)
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *)
SSL * ssl
Definition: ssl_private.h:535
const char * ocsp_certs_file
Definition: ssl_private.h:768
void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *)
const char * ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT
APR Standard Headers Support.
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, apr_array_header_t *)
const char * crl_path
Definition: ssl_private.h:730
modssl_ctx_t * server
Definition: ssl_private.h:789
CORE HTTP Daemon.
ssl_asn1_t * ssl_asn1_table_get(apr_hash_t *table, const char *key)
ssl_shutdown_type_e shutdown_type
Definition: ssl_private.h:538
int nVerifyDepth
Definition: ssl_private.h:813
Apache connection library.
const char * ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *)
int ssl_hook_Auth(request_rec *)
Utilities for EBCDIC conversion.
const char * ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *)
const char * szCipherSuite
Definition: ssl_private.h:811
apr_array_header_t * key_files
Definition: ssl_private.h:645
const char const char * uri
Definition: mod_dav.h:631
Definition: mod_auth.h:104
const char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name) AP_FN_ATTR_NONNULL((1
Definition: ssl_private.h:491
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *)
const char * ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *)
const char * ca_name_file
Definition: ssl_private.h:650
Definition: ssl_private.h:805
apr_int64_t apr_interval_time_t
Definition: apr_time.h:55
void void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, conn_rec *c, X509 *cert, const char *format,...) __attribute__((format(printf
BOOL ocsp_noverify
Definition: ssl_private.h:765
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
int modssl_is_engine_id(const char *name)
Structure to store things which are per connection.
Definition: httpd.h:1183
Definition: ssl_private.h:489
modssl_reneg_state reneg_state
Definition: ssl_private.h:556
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, server_rec *s, conn_rec *c, apr_pool_t *pool)
APLOG_USE_MODULE(ssl)
const char * ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
Virtual Host package.
APR-UTIL registration of functions exported by modules.
const char * ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *)
modssl_pk_proxy_t * pkp
Definition: ssl_private.h:714
const char * cert_file
Definition: ssl_private.h:658
int verify_depth
Definition: ssl_private.h:679
Symbol export macros and hook functions.
const char * ssl_cmd_SSLOptions(cmd_parms *, void *, const char *)
Definition: ssl_private.h:511
Definition: ssl_private.h:407
ssl_rssrc_t
Definition: ssl_private.h:487
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *)
apr_file_t * ssl_util_ppopen(server_rec *, apr_pool_t *, const char *, const char *const *)
Definition: ssl_private.h:405
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
apr_global_mutex_t * pMutex
Definition: ssl_private.h:612
Definition: ssl_private.h:485
Definition: apr_arch_global_mutex.h:23
Definition: ssl_private.h:529
const char * ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *)
void * ssl_config_perdir_create(apr_pool_t *, char *)
const char * ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *)
BOOL proxy_enabled
Definition: ssl_private.h:818
Apache Logging library.
const char * ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *)
Definition: http_config.h:295
Apache script tools.
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, const char *, apr_array_header_t **)
apr_int64_t apr_time_t
Definition: apr_time.h:45
const char * ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *)
Expression parser.
Command line options.
void ssl_util_thread_setup(apr_pool_t *)
ssl_enabled_t
Definition: ssl_private.h:465
APR Global Locking Routines.
Definition: ssl_private.h:528
ssl_rssrc_t nSrc
Definition: ssl_private.h:495
void ssl_config_proxy_merge(apr_pool_t *, SSLDirConfigRec *, SSLDirConfigRec *)
apr_array_header_t * aRequirement
Definition: ssl_private.h:807
HTTP Daemon routines.
const char * cipher_suite
Definition: ssl_private.h:562
modssl_auth_ctx_t auth
Definition: ssl_private.h:753
Definition: ssl_private.h:467
int ssl_opt_t
Definition: ssl_private.h:361
Definition: ssl_private.h:671
const char * ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *)
int ocsp_verify_flags
Definition: ssl_private.h:767
ssl_shutdown_type_e
Definition: ssl_private.h:527
modssl_pk_server_t * pks
Definition: ssl_private.h:713
SSLModConfigRec * mc
Definition: ssl_private.h:782
A structure to store information for each virtual server.
Definition: httpd.h:1370
const char * ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ca_cert_file
Definition: ssl_private.h:674
const char * ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *)
int protocol_set
Definition: ssl_private.h:721
Definition: ssl_private.h:531
const char * ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
Definition: ssl_private.h:642
BOOL session_tickets
Definition: ssl_private.h:796
void ssl_var_log_config_register(apr_pool_t *p)
const char * ssl_cmd_SSLEngine(cmd_parms *, void *, const char *)
int service_unavailable
Definition: ssl_private.h:563
int nBytes
Definition: ssl_private.h:497
void ssl_util_thread_id_setup(apr_pool_t *)
const char * verify_error
Definition: ssl_private.h:540
const char * tls13_ciphers
Definition: ssl_private.h:685
const char * ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *)
int ssl_hook_Access(request_rec *)
BOOL bFixed
Definition: ssl_private.h:599
int ssl_hook_Fixup(request_rec *)
APR Table library.
Definition: ssl_private.h:546
pid_t pid
Definition: ssl_private.h:615
Small object cache provider interface.
char * cpPath
Definition: ssl_private.h:496
modssl_retained_data_t * retained
Definition: ssl_private.h:605
const char * ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
Definition: ssl_private.h:484
Definition: ssl_private.h:438
ssl_verify_t
Definition: ssl_private.h:403
DH * ssl_callback_TmpDH(SSL *, int, int)
APR FNMatch Functions.
const char * ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *)
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *)
Definition: ssl_private.h:490
X509 * client_cert
Definition: ssl_private.h:537
APR Platform Definitions.
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
Definition: ssl_private.h:708
const authz_provider ssl_authz_provider_verify_client
void ssl_callback_Info(const SSL *, int, int)
apr_uri_t * proxy_uri
Definition: ssl_private.h:763
APR general purpose library routines.
const char * ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *)
SSLDirConfigRec * dc
Definition: ssl_private.h:560
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
const char * ssl_cmd_SSLRequireSSL(cmd_parms *, void *)
#define BOOL
Definition: ssl_private.h:81
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
Authentication and Authorization Extension for Apache.
const char * ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *)
BOOL cipher_server_pref
Definition: ssl_private.h:787
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
const char * pphrase_dialog_path
Definition: ssl_private.h:725
apr_hash_t * privkeys
Definition: ssl_private.h:593
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
HTTP protocol handling.
BOOL ssl_config_global_isfixed(SSLModConfigRec *)
int disabled
Definition: ssl_private.h:543
const char * szUserName
Definition: ssl_private.h:814
apr_time_t source_mtime
Definition: ssl_private.h:506
Definition: apr_uri.h:85
Definition: ssl_private.h:547
void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
Definition: ssl_private.h:515
const char * ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *)
char * ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, const char *const *)
const char * ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
Definition: ssl_private.h:440
apr_pool_t * p
apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *)
int ssl_proto_t
Definition: ssl_private.h:398
const char * ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
ssl_opt_t nOptionsDel
Definition: ssl_private.h:810
* ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *)
ssl_crlcheck_t
Definition: ssl_private.h:424
Apache Mutex support library.
const char * ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
long ocsp_resptime_skew
Definition: ssl_private.h:759
ssl_asn1_t * ssl_asn1_table_set(apr_hash_t *table, const char *key, EVP_PKEY *pkey)
void ssl_io_filter_register(apr_pool_t *)
void * ssl_config_server_create(apr_pool_t *, server_rec *)
const char * ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg)
#define SSL_CRLCHECK_FLAGS
Definition: ssl_private.h:429
#define AP_MODULE_DECLARE_DATA
Definition: macros.h:16
Definition: ssl_private.h:530
Definition: ssl_private.h:503
int ssl_mutex_init(server_rec *, apr_pool_t *)
SSLSrvConfigRec * ssl_policy_lookup(apr_pool_t *pool, const char *name)
const char * client_dn
Definition: ssl_private.h:536
apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *)
const char * ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)
unsigned char * cpData
Definition: ssl_private.h:505
const char * ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *)
#define UCHAR
Definition: ssl_private.h:293
Apache Request library.
A structure that represents the current request.
Definition: httpd.h:860
apr_array_header_t * cert_files
Definition: ssl_private.h:644
void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
Definition: ssl_private.h:468
const char * cert_path
Definition: ssl_private.h:659
Apache filter library.
long sesscache_mode
Definition: ssl_private.h:602
apr_interval_time_t ocsp_responder_timeout
Definition: ssl_private.h:761
Definition: ssl_private.h:781
APR Strings library.
int ssl_mutex_off(server_rec *)
apr_status_t ssl_init_ModuleKill(void *data)
int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
ap_expr_info_t * mpExpr
Definition: ssl_private.h:477
BOOL ocsp_force_default
Definition: ssl_private.h:756
const char * ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
apr_hash_t * key_ids
Definition: ssl_private.h:587
BOOL ssl_check_peer_name
Definition: ssl_private.h:777
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
Definition: ssl_private.h:598
const char * ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *)
void ssl_scache_status_register(apr_pool_t *p)
apr_array_header_t * ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension)
struct apr_table_t apr_table_t
Definition: apr_tables.h:56
BOOL ssl_check_peer_expire
Definition: ssl_private.h:778
#define __attribute__(__x)
Definition: apr.h:63
const char * name
Definition: mod_dav.h:805
int service_unavailable
Definition: ssl_private.h:653
Definition: ssl_private.h:425
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
const char * vhost_id
Definition: ssl_private.h:784
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
const char * ca_cert_path
Definition: ssl_private.h:673
Definition: http_config.h:355
int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey, const char **pcert_file, const char **pkey_file)
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *)
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *)
const char * ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *)
BOOL ssl_check_peer_cn
Definition: ssl_private.h:776
int apr_status_t
Definition: apr_errno.h:44
ssl_opt_t nOptionsAdd
Definition: ssl_private.h:809
const authz_provider ssl_authz_provider_require_ssl
request_rec * r
Definition: mod_dav.h:518
ssl_ocspcheck_t
Definition: ssl_private.h:436
BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, apr_time_t, SSL_SESSION *, apr_pool_t *)
int ssl_hook_ReadReq(request_rec *)
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s, X509 *cert, const char *format,...) __attribute__((format(printf
const char * ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *)
void void void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, request_rec *r, X509 *cert, const char *format,...) __attribute__((format(printf
void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
SSL_CTX * ssl_ctx
Definition: ssl_private.h:710
void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *)
SSL_SESSION * ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *)
int crl_check_mask
Definition: ssl_private.h:732
const char * ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *)
Additional Utility Functions for OpenSSL.
void ssl_scache_kill(server_rec *)
const char * ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *)
Definition: ssl_private.h:449
Definition: ssl_private.h:513
struct ap_conf_vector_t ap_conf_vector_t
Definition: http_config.h:519
Definition: ssl_private.h:469
Definition: ssl_private.h:437
const char * ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *)
const char * crl_file
Definition: ssl_private.h:731
modssl_reneg_state
Definition: ssl_private.h:509
const char * ssl_cmd_SSLUserName(cmd_parms *, void *, const char *)
const char AP_FN_ATTR_WARN_UNUSED_RESULT
Definition: ssl_private.h:1121
void ssl_log_ssl_error(const char *, int, int, server_rec *)
Definition: ssl_private.h:510
const char * cipher_suite
Definition: ssl_private.h:676
int ssl_hook_UserCheck(request_rec *)
int vhost_found
Definition: ssl_private.h:564
void * ssl_config_server_merge(apr_pool_t *, void *, void *)
int ssl_mutex_on(server_rec *)
unsigned int ssl_pathcheck_t
Definition: ssl_private.h:460
int ssl_mutex_reinit(server_rec *, apr_pool_t *)
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
int ocsp_mask
Definition: ssl_private.h:755
DH * modssl_get_dh_params(unsigned keylen)
ssl_pphrase_t
Definition: ssl_private.h:446
int session_cache_timeout
Definition: ssl_private.h:786
Definition: ssl_private.h:475
BOOL ocsp_use_request_nonce
Definition: ssl_private.h:762
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *)
Definition: ssl_private.h:493
ssl_rsctx_t
Definition: ssl_private.h:483
const char * ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
#define UNSET
Definition: ssl_private.h:279
BOOL bSSLRequired
Definition: ssl_private.h:806
SSL protocol handling.
ssl_pphrase_t pphrase_dialog_type
Definition: ssl_private.h:724
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
Definition: ssl_private.h:404
#define STACK_OF(x)
Definition: macros.h:26
struct ap_socache_instance_t ap_socache_instance_t
Definition: ap_socache.h:49
Definition: ssl_private.h:534
const char * ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)