Apache2
ssl_private.h
Go to the documentation of this file.
1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2  * contributor license agreements. See the NOTICE file distributed with
3  * this work for additional information regarding copyright ownership.
4  * The ASF licenses this file to You under the Apache License, Version 2.0
5  * (the "License"); you may not use this file except in compliance with
6  * the License. You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SSL_PRIVATE_H
18 #define SSL_PRIVATE_H
19 
30 #include "ap_config.h"
31 #include "httpd.h"
32 #include "http_config.h"
33 #include "http_core.h"
34 #include "http_log.h"
35 #include "http_main.h"
36 #include "http_connection.h"
37 #include "http_request.h"
38 #include "http_protocol.h"
39 #include "http_ssl.h"
40 #include "http_vhost.h"
41 #include "util_script.h"
42 #include "util_filter.h"
43 #include "util_ebcdic.h"
44 #include "util_mutex.h"
45 #include "apr.h"
46 #include "apr_strings.h"
47 #define APR_WANT_STRFUNC
48 #define APR_WANT_MEMFUNC
49 #include "apr_want.h"
50 #include "apr_tables.h"
51 #include "apr_lib.h"
52 #include "apr_fnmatch.h"
53 #include "apr_strings.h"
54 #include "apr_global_mutex.h"
55 #include "apr_optional.h"
56 #include "ap_socache.h"
57 #include "mod_auth.h"
58 
59 /* The #ifdef macros are only defined AFTER including the above
60  * therefore we cannot include these system files at the top :-(
61  */
62 #if APR_HAVE_STDLIB_H
63 #include <stdlib.h>
64 #endif
65 #if APR_HAVE_SYS_TIME_H
66 #include <sys/time.h>
67 #endif
68 #if APR_HAVE_UNISTD_H
69 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
70 #endif
71 
72 #ifndef FALSE
73 #define FALSE 0
74 #endif
75 
76 #ifndef TRUE
77 #define TRUE !FALSE
78 #endif
79 
80 #ifndef BOOL
81 #define BOOL unsigned int
82 #endif
83 
84 #include "ap_expr.h"
85 
86 /* OpenSSL headers */
87 #include <openssl/opensslv.h>
88 #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
89 /* must be defined before including ssl.h */
90 #define OPENSSL_NO_SSL_INTERN
91 #endif
92 #if OPENSSL_VERSION_NUMBER >= 0x30000000
93 #include <openssl/core_names.h>
94 #endif
95 #include <openssl/ssl.h>
96 #include <openssl/err.h>
97 #include <openssl/x509.h>
98 #include <openssl/pem.h>
99 #include <openssl/crypto.h>
100 #include <openssl/evp.h>
101 #include <openssl/rand.h>
102 #include <openssl/x509v3.h>
103 #include <openssl/x509_vfy.h>
104 #include <openssl/ocsp.h>
105 
106 /* Avoid tripping over an engine build installed globally and detected
107  * when the user points at an explicit non-engine flavor of OpenSSL
108  */
109 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
110 #include <openssl/engine.h>
111 #endif
112 
113 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
114 #error mod_ssl requires OpenSSL 0.9.8a or later
115 #endif
116 
123 #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
124 #define MODSSL_SSL_CIPHER_CONST const
125 #define MODSSL_SSL_METHOD_CONST const
126 #else
127 #define MODSSL_SSL_CIPHER_CONST
128 #define MODSSL_SSL_METHOD_CONST
129 #endif
130 
131 #if defined(LIBRESSL_VERSION_NUMBER)
132 /* Missing from LibreSSL */
133 #if LIBRESSL_VERSION_NUMBER < 0x2060000f
134 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123
135 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124
136 #define SSL_CTX_set_min_proto_version(ctx, version) \
137  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
138 #define SSL_CTX_set_max_proto_version(ctx, version) \
139  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
140 #endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
141 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
142  * include most changes from OpenSSL >= 1.1 (new functions, macros,
143  * deprecations, ...), so we have to work around this...
144  */
145 #define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
146 #else /* defined(LIBRESSL_VERSION_NUMBER) */
147 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
148 #endif
149 
150 #if OPENSSL_VERSION_NUMBER < 0x10101000
151 #define MODSSL_USE_SSLRAND
152 #endif
153 
154 #if defined(OPENSSL_FIPS)
155 #define HAVE_FIPS
156 #endif
157 
158 #if defined(SSL_OP_NO_TLSv1_2)
159 #define HAVE_TLSV1_X
160 #endif
161 
162 #if defined(SSL_CONF_FLAG_FILE)
163 #define HAVE_SSL_CONF_CMD
164 #endif
165 
166 /* session id constness */
167 #if MODSSL_USE_OPENSSL_PRE_1_1_API
168 #define IDCONST
169 #else
170 #define IDCONST const
171 #endif
172 
177 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
178 
179 #define HAVE_TLSEXT
180 
181 /* ECC: make sure we have at least 1.0.0 */
182 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
183 #define HAVE_ECC
184 #endif
185 
186 /* OCSP stapling */
187 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
188 #define HAVE_OCSP_STAPLING
189 /* All exist but are no longer macros since OpenSSL 1.1.0 */
190 #if OPENSSL_VERSION_NUMBER < 0x10100000L
191 /* backward compatibility with OpenSSL < 1.0 */
192 #ifndef sk_OPENSSL_STRING_num
193 #define sk_OPENSSL_STRING_num sk_num
194 #endif
195 #ifndef sk_OPENSSL_STRING_value
196 #define sk_OPENSSL_STRING_value sk_value
197 #endif
198 #ifndef sk_OPENSSL_STRING_pop
199 #define sk_OPENSSL_STRING_pop sk_pop
200 #endif
201 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
202 #endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
203 
204 /* TLS session tickets */
205 #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
206 #define HAVE_TLS_SESSION_TICKETS
207 #define TLSEXT_TICKET_KEY_LEN 48
208 #ifndef tlsext_tick_md
209 #ifdef OPENSSL_NO_SHA256
210 #define tlsext_tick_md EVP_sha1
211 #else
212 #define tlsext_tick_md EVP_sha256
213 #endif
214 #endif
215 #endif
216 
217 /* Secure Remote Password */
218 #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
219 #define HAVE_SRP
220 #include <openssl/srp.h>
221 #endif
222 
223 /* ALPN Protocol Negotiation */
224 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
225 #define HAVE_TLS_ALPN
226 #endif
227 
228 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
229 
230 #if MODSSL_USE_OPENSSL_PRE_1_1_API
231 #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
232 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
233 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
234 #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
235 #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
236 #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
237 #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
238 #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
239 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
240 #define BIO_set_init(x,v) (x->init=v)
241 #define BIO_get_data(x) (x->ptr)
242 #define BIO_set_data(x,v) (x->ptr=v)
243 #endif
244 #define BIO_get_shutdown(x) (x->shutdown)
245 #define BIO_set_shutdown(x,v) (x->shutdown=v)
246 #define DH_bits(x) (BN_num_bits(x->p))
247 #define X509_up_ref(x) (CRYPTO_add(&(x)->references, +1, CRYPTO_LOCK_X509))
248 #define EVP_PKEY_up_ref(pk) (CRYPTO_add(&(pk)->references, +1, CRYPTO_LOCK_EVP_PKEY))
249 #else
250 void init_bio_methods(void);
251 void free_bio_methods(void);
252 #endif
253 
254 #if OPENSSL_VERSION_NUMBER < 0x10002000L || \
255  (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
256 #define X509_STORE_CTX_get0_store(x) (x->ctx)
257 #endif
258 
259 #if OPENSSL_VERSION_NUMBER < 0x10000000L
260 #ifndef X509_STORE_CTX_get0_current_issuer
261 #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
262 #endif
263 #endif
264 
265 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
266 #define HAVE_OPENSSL_KEYLOG
267 #endif
268 
269 /* mod_ssl headers */
270 #include "ssl_util_ssl.h"
271 
272 APLOG_USE_MODULE(ssl);
273 
274 /*
275  * Provide reasonable default for some defines
276  */
277 #ifndef UNSET
278 #define UNSET (-1)
279 #endif
280 #ifndef NUL
281 #define NUL '\0'
282 #endif
283 #ifndef RAND_MAX
284 #include <limits.h>
285 #define RAND_MAX INT_MAX
286 #endif
287 
291 #ifndef UCHAR
292 #define UCHAR unsigned char
293 #endif
294 
298 #define strEQ(s1,s2) (strcmp(s1,s2) == 0)
299 #define strNE(s1,s2) (strcmp(s1,s2) != 0)
300 #define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
301 #define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
302 
303 #define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
304 #define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
305 #define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
306 #define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
307 
308 #define strIsEmpty(s) (s == NULL || s[0] == NUL)
309 
310 #define myConnConfig(c) \
311  ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module))
312 #define myConnConfigSet(c, val) \
313  ap_set_module_config(c->conn_config, &ssl_module, val)
314 #define mySrvConfig(srv) \
315  ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
316 #define myDirConfig(req) \
317  ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
318 #define myConnCtxConfig(c, sc) \
319  (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server)
320 #define myModConfig(srv) mySrvConfig((srv))->mc
321 #define mySrvFromConn(c) myConnConfig(c)->server
322 #define myDirConfigFromConn(c) myConnConfig(c)->dc
323 #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
324 #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
325 
329 #ifndef SSL_SESSION_CACHE_TIMEOUT
330 #define SSL_SESSION_CACHE_TIMEOUT 300
331 #endif
332 
333 /* Default setting for per-dir reneg buffer. */
334 #ifndef DEFAULT_RENEG_BUFFER_SIZE
335 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
336 #endif
337 
338 /* Default for OCSP response validity */
339 #ifndef DEFAULT_OCSP_MAX_SKEW
340 #define DEFAULT_OCSP_MAX_SKEW (60 * 5)
341 #endif
342 
343 /* Default timeout for OCSP queries */
344 #ifndef DEFAULT_OCSP_TIMEOUT
345 #define DEFAULT_OCSP_TIMEOUT 10
346 #endif
347 
351 #define SSL_OPT_NONE (0)
352 #define SSL_OPT_RELSET (1<<0)
353 #define SSL_OPT_STDENVVARS (1<<1)
354 #define SSL_OPT_EXPORTCERTDATA (1<<3)
355 #define SSL_OPT_FAKEBASICAUTH (1<<4)
356 #define SSL_OPT_STRICTREQUIRE (1<<5)
357 #define SSL_OPT_OPTRENEGOTIATE (1<<6)
358 #define SSL_OPT_LEGACYDNFORMAT (1<<7)
359 #define SSL_OPT_EXPORTCB64DATA (1<<8)
360 typedef int ssl_opt_t;
361 
365 #define SSL_PROTOCOL_NONE (0)
366 #ifndef OPENSSL_NO_SSL3
367 #define SSL_PROTOCOL_SSLV3 (1<<1)
368 #endif
369 #define SSL_PROTOCOL_TLSV1 (1<<2)
370 #ifndef OPENSSL_NO_SSL3
371 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
372 #else
373 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1)
374 #endif
375 #ifdef HAVE_TLSV1_X
376 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
377 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
378 #define SSL_PROTOCOL_TLSV1_3 (1<<5)
379 
380 #ifdef SSL_OP_NO_TLSv1_3
381 #define SSL_HAVE_PROTOCOL_TLSV1_3 (1)
382 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
383  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)
384 #else
385 #define SSL_HAVE_PROTOCOL_TLSV1_3 (0)
386 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \
387  SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
388 #endif
389 #else
390 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC)
391 #endif
392 #ifndef OPENSSL_NO_SSL3
393 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)
394 #else
395 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL)
396 #endif
397 typedef int ssl_proto_t;
398 
402 typedef enum {
408 } ssl_verify_t;
409 
410 #define SSL_VERIFY_PEER_STRICT \
411  (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
412 
413 #define ssl_verify_error_is_optional(errnum) \
414  ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
415  || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
416  || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
417  || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
418  || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
419 
423 typedef enum {
425  SSL_CRLCHECK_LEAF = (1 << 0),
426  SSL_CRLCHECK_CHAIN = (1 << 1),
427 
428 #define SSL_CRLCHECK_FLAGS (~0x3)
431 
435 typedef enum {
437  SSL_OCSPCHECK_LEAF = (1 << 0),
441 
445 typedef enum {
450 } ssl_pphrase_t;
451 
455 #define SSL_PCM_EXISTS 1
456 #define SSL_PCM_ISREG 2
457 #define SSL_PCM_ISDIR 4
458 #define SSL_PCM_ISNONZERO 8
459 typedef unsigned int ssl_pathcheck_t;
460 
464 typedef enum {
469 } ssl_enabled_t;
470 
474 typedef struct {
475  const char *cpExpr;
477 } ssl_require_t;
478 
482 typedef enum {
485 } ssl_rsctx_t;
486 typedef enum {
491 } ssl_rssrc_t;
492 typedef struct {
495  char *cpPath;
496  int nBytes;
498 
502 typedef struct {
503  long int nData;
504  unsigned char *cpData;
506 } ssl_asn1_t;
507 
508 typedef enum {
509  RENEG_INIT = 0, /* Before initial handshake */
510  RENEG_REJECT, /* After initial handshake; any client-initiated
511  * renegotiation should be rejected */
512  RENEG_ALLOW, /* A server-initiated renegotiation is taking
513  * place (as dictated by configuration) */
514  RENEG_ABORT /* Renegotiation initiated by client, abort the
515  * connection */
517 
525 
526 typedef enum {
532 
533 typedef struct {
534  SSL *ssl;
535  const char *client_dn;
536  X509 *client_cert;
537  ssl_shutdown_type_e shutdown_type;
538  const char *verify_info;
539  const char *verify_error;
541  int disabled;
542  enum {
543  NON_SSL_OK = 0, /* is SSL request, or error handling completed */
544  NON_SSL_SEND_REQLINE, /* Need to send the fake request line */
545  NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
546  NON_SSL_SET_ERROR_MSG /* Need to set the error message */
547  } non_ssl_request;
548 
549 #ifndef SSL_OP_NO_RENEGOTIATION
550  /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
551  * for the connection to block client-initiated renegotiations.
552  * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
553  * the SSL * options state with equivalent effect. */
554  modssl_reneg_state reneg_state;
555 #endif
556 
559 
560  const char *cipher_suite; /* cipher suite used in last reneg */
561  int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
562  int vhost_found; /* whether we found vhost from SNI already */
563 } SSLConnRec;
564 
565 /* Private keys are retained across reloads, since decryption
566  * passphrases can only be entered during startup (before detaching
567  * from a terminal). This structure is stored via the ap_retained_*
568  * API and retrieved on later module reloads. If the structure
569  * changes, the key name must be changed by increasing the digit at
570  * the end, to avoid an updated version of mod_ssl loading retained
571  * data with a different struct definition.
572  *
573  * All objects used here must be allocated from the process pool
574  * (s->process->pool) so they also survives restarts. */
575 #define MODSSL_RETAINED_KEY "mod_ssl-retained-1"
576 
577 typedef struct {
578  /* A hash table of vhost key-IDs used to index the privkeys hash,
579  * for example the string "vhost.example.com:443:0". For each
580  * (key, value) pair the value is the same as the key, allowing
581  * the keys to be retrieved on subsequent reloads rather than
582  * rellocated. ### This optimisation seems to be of dubious
583  * value. Allocating the vhost-key-ids from pconf and duping them
584  * when storing them in ->privkeys would be simpler. */
586 
587  /* A hash table of pointers to ssl_asn1_t structures. The
588  * structures are used to store private keys in raw DER format
589  * (serialized OpenSSL PrivateKey structures). The table is
590  * indexed by key-IDs from the key_ids hash table. */
592 
593  /* Do NOT add fields here without changing the key name, as above. */
595 
596 typedef struct {
598 
599  /* OpenSSL SSL_SESS_CACHE_* flags: */
601 
602  /* Data retained across reloads. */
604 
605  /* The configured provider, and associated private data
606  * structure. */
609 
611 
612 #ifdef MODSSL_USE_SSLRAND
613  pid_t pid; /* used for seeding after fork() */
615 #endif
616 
617 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
618  const char *szCryptoDevice;
619 #endif
620 
621 #ifdef HAVE_OCSP_STAPLING
622  const ap_socache_provider_t *stapling_cache;
623  ap_socache_instance_t *stapling_cache_context;
624  apr_global_mutex_t *stapling_cache_mutex;
625  apr_global_mutex_t *stapling_refresh_mutex;
626 #endif
627 
628 #ifdef HAVE_OPENSSL_KEYLOG
629  /* Used for logging if SSLKEYLOGFILE is set at startup. */
630  apr_file_t *keylog_file;
631 #endif
632 
633 #ifdef HAVE_FIPS
634  BOOL fips;
635 #endif
637 
640 typedef struct {
641  /* Lists of configured certs and keys for this server */
644 
647  const char *ca_name_path;
648  const char *ca_name_file;
649 
650  /* TLS service for this server is suspended */
653 
654 typedef struct {
656  const char *cert_file;
657  const char *cert_path;
658  const char *ca_cert_file;
659  /* certs is a stack of configured cert, key pairs. */
660  STACK_OF(X509_INFO) *certs;
661  /* ca_certs contains ONLY chain certs for each item in certs.
662  * ca_certs[n] is a pointer to the (STACK_OF(X509) *) stack which
663  * holds the cert chain for the 'n'th cert in the certs stack, or
664  * NULL if no chain is configured. */
665  STACK_OF(X509) **ca_certs;
667 
669 typedef struct {
671  const char *ca_cert_path;
672  const char *ca_cert_file;
673 
674  const char *cipher_suite;
675 
679 
683  const char *tls13_ciphers;
685 
686 #ifdef HAVE_TLS_SESSION_TICKETS
687 typedef struct {
688  const char *file_path;
689  unsigned char key_name[16];
690 #if OPENSSL_VERSION_NUMBER < 0x30000000L
691  unsigned char hmac_secret[16];
692 #else
693  OSSL_PARAM mac_params[3];
694 #endif
695  unsigned char aes_key[16];
696 } modssl_ticket_key_t;
697 #endif
698 
699 #ifdef HAVE_SSL_CONF_CMD
700 typedef struct {
701  const char *name;
702  const char *value;
703 } ssl_ctx_param_t;
704 #endif
705 
706 typedef struct {
708  SSL_CTX *ssl_ctx;
709 
713 
714 #ifdef HAVE_TLS_SESSION_TICKETS
715  modssl_ticket_key_t *ticket_key;
716 #endif
717 
720 
723  const char *pphrase_dialog_path;
724 
725  const char *cert_chain;
726 
728  const char *crl_path;
729  const char *crl_file;
731 
732 #ifdef HAVE_OCSP_STAPLING
733 
734  BOOL stapling_enabled;
735  long stapling_resptime_skew;
736  long stapling_resp_maxage;
737  int stapling_cache_timeout;
738  BOOL stapling_return_errors;
739  BOOL stapling_fake_trylater;
740  int stapling_errcache_timeout;
741  apr_interval_time_t stapling_responder_timeout;
742  const char *stapling_force_url;
743 #endif
744 
745 #ifdef HAVE_SRP
746  char *srp_vfile;
747  char *srp_unknown_user_seed;
748  SRP_VBASE *srp_vbase;
749 #endif
750 
752 
754  BOOL ocsp_force_default; /* true if the default responder URL is
755  * used regardless of per-cert URL */
756  const char *ocsp_responder; /* default responder URL */
762 
763  BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
764  /* Declare variables for using OCSP Responder Certs for OCSP verification */
765  int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
766  const char *ocsp_certs_file; /* OCSP other certificates filename */
767  STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
768 
769 #ifdef HAVE_SSL_CONF_CMD
770  SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
771  apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
772 #endif
773 
777 } modssl_ctx_t;
778 
782  const char *vhost_id;
783  const unsigned char *vhost_md5; /* = ap_md5_binary(vhost_id, ...) */
788 #ifdef HAVE_TLSEXT
789  ssl_enabled_t strict_sni_vhost_check;
790 #endif
791 #ifndef OPENSSL_NO_COMP
793 #endif
795 
796 };
797 
809  const char *szCipherSuite;
812  const char *szUserName;
814 
818 };
819 
821 
828 
833 void *ssl_config_server_merge(apr_pool_t *, void *, void *);
834 void *ssl_config_perdir_create(apr_pool_t *, char *);
835 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
838 const char *ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *);
839 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
840 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
841 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
842 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
843 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *);
844 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
845 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
846 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
847 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
848 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
849 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
850 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
851 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
852 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
853 const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
854 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
855 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
856 const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
857 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
858 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
859 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
860 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
861 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
862 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
863 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
864 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
865 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
866 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
867 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
868 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
869 
870 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
871 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
872 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *);
873 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
874 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
875 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
876 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
877 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
878 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
879 const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
880 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
881 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
882 const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
883 #ifdef HAVE_TLS_SESSION_TICKETS
884 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
885 #endif
886 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
887 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
888 const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);
889 
890 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
891 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
892 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
893 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
894 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
895 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
896 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
897 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
898 
899 /* Declare OCSP Responder Certificate Verification Directive */
900 const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
901 /* Declare OCSP Responder Certificate File Directive */
902 const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
903 
904 #ifdef HAVE_SSL_CONF_CMD
905 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
906 #endif
907 
908 #ifdef HAVE_SRP
909 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
910 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
911 #endif
912 
913 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
914 
922  apr_pool_t *ptemp, server_rec *s,
923  ap_conf_vector_t *section_config);
924 STACK_OF(X509_NAME)
925  *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
928 
936 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
937 
941 
943 DH *ssl_callback_TmpDH(SSL *, int, int);
944 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
945 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
946 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
947 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
948 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
949 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
950 void ssl_callback_Info(const SSL *, int, int);
951 #ifdef HAVE_TLSEXT
952 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
953 #endif
954 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
955 int ssl_callback_ClientHello(SSL *, int *, void *);
956 #endif
957 #ifdef HAVE_TLS_SESSION_TICKETS
958 int ssl_callback_SessionTicket(SSL *ssl,
959  unsigned char *keyname,
960  unsigned char *iv,
961  EVP_CIPHER_CTX *cipher_ctx,
962 #if OPENSSL_VERSION_NUMBER < 0x30000000L
963  HMAC_CTX *hmac_ctx,
964 #else
965  EVP_MAC_CTX *mac_ctx,
966 #endif
967  int mode);
968 #endif
969 
970 #ifdef HAVE_TLS_ALPN
971 int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
972  unsigned char *outlen, const unsigned char *in,
973  unsigned int inlen, void *arg);
974 #endif
975 
981  apr_time_t, SSL_SESSION *, apr_pool_t *);
982 SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
984  apr_pool_t *);
985 
987 #ifdef HAVE_OCSP_STAPLING
988 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
989 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
990 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
991 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
992 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
993 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
994 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
995 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
996 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
997 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
998 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
999 void ssl_stapling_certinfo_hash_init(apr_pool_t *);
1000 int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *,
1001  modssl_ctx_t *, X509 *);
1002 #endif
1003 #ifdef HAVE_SRP
1004 int ssl_callback_SRPServerParams(SSL *, int *, void *);
1005 #endif
1006 
1007 #ifdef HAVE_OPENSSL_KEYLOG
1008 /* Callback used with SSL_CTX_set_keylog_callback. */
1009 void modssl_callback_keylog(const SSL *ssl, const char *line);
1010 #endif
1011 
1013 void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
1015 long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
1016 
1017 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
1018  * to allow an SSL renegotiation to take place. */
1020 
1021 #ifdef MODSSL_USE_SSLRAND
1022 
1023 void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
1024 #else
1025 #define ssl_rand_seed(s, p, ctx, c) /* noop */
1026 #endif
1027 
1030 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
1031  const char * const *);
1033 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
1034  const char * const *);
1035 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
1036 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
1039 #endif
1041 
1042 BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
1043 
1046  const char *, apr_array_header_t **);
1047 
1048 /* Load public and/or private key from the configured ENGINE. Private
1049  * key returned as *pkey. certid can be NULL, in which case *pubkey
1050  * is not altered. Errors logged on failure. */
1052  const char *vhostid,
1053  const char *certid, const char *keyid,
1054  X509 **pubkey, EVP_PKEY **privkey);
1055 
1057 DH *ssl_dh_GetParamFromFile(const char *);
1058 #ifdef HAVE_ECC
1059 EC_GROUP *ssl_ec_GetParamFromFile(const char *);
1060 #endif
1061 
1062 /* Store the EVP_PKEY key (serialized into DER) in the hash table with
1063  * key, returning the ssl_asn1_t structure pointer. */
1064 ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key,
1065  EVP_PKEY *pkey);
1066 /* Retrieve the ssl_asn1_t structure with given key from the hash. */
1067 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key);
1068 
1072 int ssl_mutex_on(server_rec *);
1073 int ssl_mutex_off(server_rec *);
1074 
1076 
1077 /* mutex type names for Mutex directive */
1078 #define SSL_CACHE_MUTEX_TYPE "ssl-cache"
1079 #define SSL_STAPLING_CACHE_MUTEX_TYPE "ssl-stapling"
1080 #define SSL_STAPLING_REFRESH_MUTEX_TYPE "ssl-stapling-refresh"
1081 
1083 
1085 void ssl_log_ssl_error(const char *, int, int, server_rec *);
1086 
1087 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
1088  * respective ap_log_*error functions and take a certificate as an
1089  * additional argument (whose details are appended to the log message).
1090  * The other arguments are interpreted exactly as with their ap_log_*error
1091  * counterparts. */
1092 void ssl_log_xerror(const char *file, int line, int level,
1094  X509 *cert, const char *format, ...)
1095  __attribute__((format(printf,8,9)));
1096 
1097 void ssl_log_cxerror(const char *file, int line, int level,
1098  apr_status_t rv, conn_rec *c, X509 *cert,
1099  const char *format, ...)
1100  __attribute__((format(printf,7,8)));
1101 
1102 void ssl_log_rxerror(const char *file, int line, int level,
1103  apr_status_t rv, request_rec *r, X509 *cert,
1104  const char *format, ...)
1105  __attribute__((format(printf,7,8)));
1106 
1107 #define SSLLOG_MARK __FILE__,__LINE__
1108 
1111 /* Register variables for the lifetime of the process pool 'p'. */
1112 void ssl_var_register(apr_pool_t *p);
1113 
1114 /* Matches optional function of the same name in the public API. The
1115  * pool in which to allocate the return value must be non-NULL; c
1116  * and/or r may be NULL. */
1117 const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
1118  const char *name)
1120 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
1121 
1122 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
1123  * allocating from 'p': */
1124 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
1125 
1126 /* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
1127  * from SSL object 'ssl', allocating from 'p'. */
1129 
1130 #ifndef OPENSSL_NO_OCSP
1131 /* Perform OCSP validation of the current cert in the given context.
1132  * Returns non-zero on success or zero on failure. On failure, the
1133  * context error code is set. */
1134 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
1135  server_rec *s, conn_rec *c, apr_pool_t *pool);
1136 
1137 /* OCSP helper interface; dispatches the given OCSP request to the
1138  * responder at the given URI. Returns the decoded OCSP response
1139  * object, or NULL on error (in which case, errors will have been
1140  * logged). Pool 'p' is used for temporary allocations. */
1141 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
1142  apr_interval_time_t timeout,
1143  OCSP_REQUEST *request,
1144  conn_rec *c, apr_pool_t *p);
1145 
1146 /* Initialize OCSP trusted certificate list */
1148 
1149 #endif
1150 
1151 #if MODSSL_USE_OPENSSL_PRE_1_1_API
1152 /* Retrieve DH parameters for given key length. Return value should
1153  * be treated as unmutable, since it is stored in process-global
1154  * memory. */
1155 DH *modssl_get_dh_params(unsigned keylen);
1156 #endif
1157 
1158 /* Returns non-zero if the request was made over SSL/TLS. If sslconn
1159  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
1160  * corresponding SSLConnRec structure for the connection. */
1161 int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
1162 
1163 /* Returns non-zero if the cert/key filename should be handled through
1164  * the configured ENGINE. */
1165 int modssl_is_engine_id(const char *name);
1166 
1167 #if HAVE_VALGRIND
1168 extern int ssl_running_on_valgrind;
1169 #endif
1170 
1171 int ssl_is_challenge(conn_rec *c, const char *servername,
1172  X509 **pcert, EVP_PKEY **pkey,
1173  const char **pcert_file, const char **pkey_file);
1174 
1175 /* Set the renegotation state for connection. */
1176 void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
1177 
1178 #endif /* SSL_PRIVATE_H */
1179 
Definition: ssl_private.h:487
const char * ssl_cmd_SSLRequire(cmd_parms *, void *, const char *)
Definition: ap_socache.h:89
ssl_rsctx_t nCtx
Definition: ssl_private.h:493
Definition: ssl_private.h:407
Definition: ssl_private.h:429
ssl_proto_t protocol
Definition: ssl_private.h:718
size_t apr_size_t
Definition: apr.h:393
const char * ca_name_path
Definition: ssl_private.h:647
Definition: ssl_private.h:447
const char * cpExpr
Definition: ssl_private.h:475
Definition: ssl_private.h:405
apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, const char *vhostid, const char *certid, const char *keyid, X509 **pubkey, EVP_PKEY **privkey)
Definition: ssl_private.h:426
const char * ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *)
void ssl_init_Child(apr_pool_t *, server_rec *)
Definition: ssl_private.h:654
server_rec * server
Definition: ssl_private.h:557
apr_array_header_t * aRandSeed
Definition: ssl_private.h:614
SSL_SESSION * ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
int ssl_hook_Upgrade(request_rec *)
int verify_depth
Definition: ssl_private.h:540
DH * ssl_dh_GetParamFromFile(const char *)
Apache Configuration.
const unsigned char * vhost_md5
Definition: ssl_private.h:783
const char * ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *)
const char * ocsp_responder
Definition: ssl_private.h:756
int ssl_callback_SSLVerify(int, X509_STORE_CTX *)
const char * ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *)
modssl_ctx_t * proxy
Definition: ssl_private.h:815
#define IDCONST
Definition: ssl_private.h:168
Definition: ssl_private.h:425
const char * ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *)
ssl_opt_t nOptions
Definition: ssl_private.h:806
const char * ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *)
Definition: apr_arch_file_io.h:107
const char * ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
Definition: apr_tables.h:62
module AP_MODULE_DECLARE_DATA ssl_module
const char * ca_cert_file
Definition: ssl_private.h:658
ssl_enabled_t enabled
Definition: ssl_private.h:781
const ap_socache_provider_t * sesscache
Definition: ssl_private.h:607
Definition: ap_expr.h:41
Definition: ssl_private.h:465
const char * ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
void * ssl_config_perdir_merge(apr_pool_t *, void *, void *)
apr_size_t nRenegBufferSize
Definition: ssl_private.h:813
Definition: ssl_private.h:577
Definition: ssl_private.h:449
Definition: ssl_private.h:438
ap_socache_instance_t * sesscache_context
Definition: ssl_private.h:608
const char * ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *)
const char * cert_chain
Definition: ssl_private.h:725
apr_bucket_brigade request_rec apr_pool_t * pool
Definition: mod_dav.h:555
ssl_verify_t nVerifyClient
Definition: ssl_private.h:810
long ssl_io_data_cb(BIO *, int, const char *, int, long, long)
void ssl_config_global_fix(SSLModConfigRec *)
long ocsp_resp_maxage
Definition: ssl_private.h:758
BOOL insecure_reneg
Definition: ssl_private.h:786
const char * ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
ssl_verify_t verify_mode
Definition: ssl_private.h:678
const char * ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *)
long int nData
Definition: ssl_private.h:503
const dav_resource dav_lockdb dav_lock * request
Definition: mod_dav.h:1438
const char * ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag)
const char * ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
BOOL compression
Definition: ssl_private.h:792
BOOL proxy_post_config
Definition: ssl_private.h:817
const char * ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
const char * verify_info
Definition: ssl_private.h:538
SSLSrvConfigRec * sc
Definition: ssl_private.h:707
apr_status_t ssl_die(server_rec *)
int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn)
Definition: ssl_private.h:446
void ssl_var_register(apr_pool_t *p)
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *)
SSL * ssl
Definition: ssl_private.h:534
const char * ocsp_certs_file
Definition: ssl_private.h:766
void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *)
const char * ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT
APR Standard Headers Support.
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, apr_array_header_t *)
const char * crl_path
Definition: ssl_private.h:728
modssl_ctx_t * server
Definition: ssl_private.h:787
CORE HTTP Daemon.
ssl_asn1_t * ssl_asn1_table_get(apr_hash_t *table, const char *key)
ssl_shutdown_type_e shutdown_type
Definition: ssl_private.h:537
int nVerifyDepth
Definition: ssl_private.h:811
Apache connection library.
const char * ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *)
int ssl_hook_Auth(request_rec *)
Utilities for EBCDIC conversion.
const char * ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *)
const char * szCipherSuite
Definition: ssl_private.h:809
apr_array_header_t * key_files
Definition: ssl_private.h:643
const char const char * uri
Definition: mod_dav.h:631
Definition: mod_auth.h:104
const char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name) AP_FN_ATTR_NONNULL((1
Definition: ssl_private.h:490
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *)
const char * ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *)
const char * ca_name_file
Definition: ssl_private.h:648
Definition: ssl_private.h:803
apr_int64_t apr_interval_time_t
Definition: apr_time.h:55
void void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv, conn_rec *c, X509 *cert, const char *format,...) __attribute__((format(printf
BOOL ocsp_noverify
Definition: ssl_private.h:763
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
int modssl_is_engine_id(const char *name)
Structure to store things which are per connection.
Definition: httpd.h:1183
Definition: ssl_private.h:488
modssl_reneg_state reneg_state
Definition: ssl_private.h:554
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, server_rec *s, conn_rec *c, apr_pool_t *pool)
APLOG_USE_MODULE(ssl)
const char * ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
Virtual Host package.
APR-UTIL registration of functions exported by modules.
const char * ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *)
modssl_pk_proxy_t * pkp
Definition: ssl_private.h:712
const char * cert_file
Definition: ssl_private.h:656
int verify_depth
Definition: ssl_private.h:677
Symbol export macros and hook functions.
const char * ssl_cmd_SSLOptions(cmd_parms *, void *, const char *)
Definition: ssl_private.h:510
Definition: ssl_private.h:406
ssl_rssrc_t
Definition: ssl_private.h:486
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *)
apr_file_t * ssl_util_ppopen(server_rec *, apr_pool_t *, const char *, const char *const *)
Definition: ssl_private.h:404
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
apr_global_mutex_t * pMutex
Definition: ssl_private.h:610
Definition: ssl_private.h:484
Definition: apr_arch_global_mutex.h:23
Definition: ssl_private.h:528
const char * ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *)
void * ssl_config_perdir_create(apr_pool_t *, char *)
const char * ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *)
BOOL proxy_enabled
Definition: ssl_private.h:816
Apache Logging library.
const char * ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *)
Definition: http_config.h:295
Apache script tools.
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, const char *, apr_array_header_t **)
apr_int64_t apr_time_t
Definition: apr_time.h:45
const char * ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *)
Expression parser.
Command line options.
void ssl_util_thread_setup(apr_pool_t *)
ssl_enabled_t
Definition: ssl_private.h:464
APR Global Locking Routines.
Definition: ssl_private.h:527
ssl_rssrc_t nSrc
Definition: ssl_private.h:494
void ssl_config_proxy_merge(apr_pool_t *, SSLDirConfigRec *, SSLDirConfigRec *)
apr_array_header_t * aRequirement
Definition: ssl_private.h:805
HTTP Daemon routines.
const char * cipher_suite
Definition: ssl_private.h:560
modssl_auth_ctx_t auth
Definition: ssl_private.h:751
Definition: ssl_private.h:466
int ssl_opt_t
Definition: ssl_private.h:360
Definition: ssl_private.h:669
const char * ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *)
int ocsp_verify_flags
Definition: ssl_private.h:765
ssl_shutdown_type_e
Definition: ssl_private.h:526
modssl_pk_server_t * pks
Definition: ssl_private.h:711
SSLModConfigRec * mc
Definition: ssl_private.h:780
A structure to store information for each virtual server.
Definition: httpd.h:1372
const char * ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
const char * ca_cert_file
Definition: ssl_private.h:672
const char * ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *)
int protocol_set
Definition: ssl_private.h:719
Definition: ssl_private.h:530
const char * ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
Definition: ssl_private.h:640
BOOL session_tickets
Definition: ssl_private.h:794
const char * ssl_cmd_SSLEngine(cmd_parms *, void *, const char *)
int service_unavailable
Definition: ssl_private.h:561
int nBytes
Definition: ssl_private.h:496
void ssl_util_thread_id_setup(apr_pool_t *)
const char * verify_error
Definition: ssl_private.h:539
const char * tls13_ciphers
Definition: ssl_private.h:683
const char * ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *)
int ssl_hook_Access(request_rec *)
BOOL bFixed
Definition: ssl_private.h:597
int ssl_hook_Fixup(request_rec *)
APR Table library.
Definition: ssl_private.h:544
pid_t pid
Definition: ssl_private.h:613
Small object cache provider interface.
char * cpPath
Definition: ssl_private.h:495
modssl_retained_data_t * retained
Definition: ssl_private.h:603
const char * ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
Definition: ssl_private.h:483
Definition: ssl_private.h:437
ssl_verify_t
Definition: ssl_private.h:402
DH * ssl_callback_TmpDH(SSL *, int, int)
APR FNMatch Functions.
const char * ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *)
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *)
Definition: ssl_private.h:489
X509 * client_cert
Definition: ssl_private.h:536
APR Platform Definitions.
void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
Definition: ssl_private.h:706
const authz_provider ssl_authz_provider_verify_client
void ssl_callback_Info(const SSL *, int, int)
apr_uri_t * proxy_uri
Definition: ssl_private.h:761
APR general purpose library routines.
const char * ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *)
SSLDirConfigRec * dc
Definition: ssl_private.h:558
OCSP_RESPONSE * modssl_dispatch_ocsp_request(const apr_uri_t *uri, apr_interval_time_t timeout, OCSP_REQUEST *request, conn_rec *c, apr_pool_t *p)
const char * ssl_cmd_SSLRequireSSL(cmd_parms *, void *)
#define BOOL
Definition: ssl_private.h:81
int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *)
Authentication and Authorization Extension for Apache.
const char * ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *)
BOOL cipher_server_pref
Definition: ssl_private.h:785
char * ssl_util_vhostid(apr_pool_t *, server_rec *)
const char * pphrase_dialog_path
Definition: ssl_private.h:723
apr_hash_t * privkeys
Definition: ssl_private.h:591
struct apr_hash_t apr_hash_t
Definition: apr_hash.h:52
HTTP protocol handling.
BOOL ssl_config_global_isfixed(SSLModConfigRec *)
int disabled
Definition: ssl_private.h:541
const char * szUserName
Definition: ssl_private.h:812
apr_time_t source_mtime
Definition: ssl_private.h:505
Definition: apr_uri.h:85
Definition: ssl_private.h:545
void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
Definition: ssl_private.h:514
const char * ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *)
char * ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, const char *const *)
const char * ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
Definition: ssl_private.h:439
apr_pool_t * p
apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *)
int ssl_proto_t
Definition: ssl_private.h:397
const char * ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
ssl_opt_t nOptionsDel
Definition: ssl_private.h:808
* ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *)
ssl_crlcheck_t
Definition: ssl_private.h:423
Apache Mutex support library.
const char * ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
long ocsp_resptime_skew
Definition: ssl_private.h:757
ssl_asn1_t * ssl_asn1_table_set(apr_hash_t *table, const char *key, EVP_PKEY *pkey)
void ssl_io_filter_register(apr_pool_t *)
void * ssl_config_server_create(apr_pool_t *, server_rec *)
const char * ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg)
#define SSL_CRLCHECK_FLAGS
Definition: ssl_private.h:428
#define AP_MODULE_DECLARE_DATA
Definition: macros.h:16
Definition: ssl_private.h:529
Definition: ssl_private.h:502
int ssl_mutex_init(server_rec *, apr_pool_t *)
SSLSrvConfigRec * ssl_policy_lookup(apr_pool_t *pool, const char *name)
const char * client_dn
Definition: ssl_private.h:535
apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *)
const char * ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)
unsigned char * cpData
Definition: ssl_private.h:504
const char * ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *)
#define UCHAR
Definition: ssl_private.h:292
Apache Request library.
A structure that represents the current request.
Definition: httpd.h:860
apr_array_header_t * cert_files
Definition: ssl_private.h:642
void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
Definition: ssl_private.h:467
const char * cert_path
Definition: ssl_private.h:657
Apache filter library.
long sesscache_mode
Definition: ssl_private.h:600
apr_interval_time_t ocsp_responder_timeout
Definition: ssl_private.h:759
Definition: ssl_private.h:779
APR Strings library.
int ssl_mutex_off(server_rec *)
apr_status_t ssl_init_ModuleKill(void *data)
int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s, ap_conf_vector_t *section_config)
ap_expr_info_t * mpExpr
Definition: ssl_private.h:476
BOOL ocsp_force_default
Definition: ssl_private.h:754
const char * ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg)
apr_hash_t * key_ids
Definition: ssl_private.h:585
BOOL ssl_check_peer_name
Definition: ssl_private.h:775
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
Definition: ssl_private.h:596
const char * ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *)
void ssl_scache_status_register(apr_pool_t *p)
apr_array_header_t * ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension)
struct apr_table_t apr_table_t
Definition: apr_tables.h:56
BOOL ssl_check_peer_expire
Definition: ssl_private.h:776
#define __attribute__(__x)
Definition: apr.h:63
const char * name
Definition: mod_dav.h:805
int service_unavailable
Definition: ssl_private.h:651
Definition: ssl_private.h:424
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
const char * vhost_id
Definition: ssl_private.h:782
struct apr_pool_t apr_pool_t
Definition: apr_pools.h:60
const char * ca_cert_path
Definition: ssl_private.h:671
Definition: http_config.h:355
int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey, const char **pcert_file, const char **pkey_file)
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *)
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *)
const char * ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *)
BOOL ssl_check_peer_cn
Definition: ssl_private.h:774
int apr_status_t
Definition: apr_errno.h:44
ssl_opt_t nOptionsAdd
Definition: ssl_private.h:807
const authz_provider ssl_authz_provider_require_ssl
request_rec * r
Definition: mod_dav.h:518
ssl_ocspcheck_t
Definition: ssl_private.h:435
BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, apr_time_t, SSL_SESSION *, apr_pool_t *)
int ssl_hook_ReadReq(request_rec *)
void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv, apr_pool_t *p, server_rec *s, X509 *cert, const char *format,...) __attribute__((format(printf
const char * ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *)
const char * ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *)
void void void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv, request_rec *r, X509 *cert, const char *format,...) __attribute__((format(printf
void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, apr_pool_t *)
SSL_CTX * ssl_ctx
Definition: ssl_private.h:708
void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *)
SSL_SESSION * ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *)
int crl_check_mask
Definition: ssl_private.h:730
const char * ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *)
Additional Utility Functions for OpenSSL.
void ssl_scache_kill(server_rec *)
const char * ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *)
Definition: ssl_private.h:448
Definition: ssl_private.h:512
struct ap_conf_vector_t ap_conf_vector_t
Definition: http_config.h:519
Definition: ssl_private.h:468
Definition: ssl_private.h:436
const char * ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *)
const char * crl_file
Definition: ssl_private.h:729
modssl_reneg_state
Definition: ssl_private.h:508
const char * ssl_cmd_SSLUserName(cmd_parms *, void *, const char *)
const char AP_FN_ATTR_WARN_UNUSED_RESULT
Definition: ssl_private.h:1119
void ssl_log_ssl_error(const char *, int, int, server_rec *)
Definition: ssl_private.h:509
const char * cipher_suite
Definition: ssl_private.h:674
int ssl_hook_UserCheck(request_rec *)
int vhost_found
Definition: ssl_private.h:562
void * ssl_config_server_merge(apr_pool_t *, void *, void *)
int ssl_mutex_on(server_rec *)
unsigned int ssl_pathcheck_t
Definition: ssl_private.h:459
int ssl_mutex_reinit(server_rec *, apr_pool_t *)
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
int ocsp_mask
Definition: ssl_private.h:753
DH * modssl_get_dh_params(unsigned keylen)
ssl_pphrase_t
Definition: ssl_private.h:445
int session_cache_timeout
Definition: ssl_private.h:784
Definition: ssl_private.h:474
BOOL ocsp_use_request_nonce
Definition: ssl_private.h:760
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *)
Definition: ssl_private.h:492
ssl_rsctx_t
Definition: ssl_private.h:482
const char * ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
#define UNSET
Definition: ssl_private.h:278
BOOL bSSLRequired
Definition: ssl_private.h:804
SSL protocol handling.
ssl_pphrase_t pphrase_dialog_type
Definition: ssl_private.h:722
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
Definition: ssl_private.h:403
#define STACK_OF(x)
Definition: macros.h:26
struct ap_socache_instance_t ap_socache_instance_t
Definition: ap_socache.h:49
Definition: ssl_private.h:533
const char * ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)