1/* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#ifndef SSL_PRIVATE_H 18#define SSL_PRIVATE_H 19 20/** 21 * @file ssl_private.h 22 * @brief Internal interfaces private to mod_ssl. 23 * 24 * @defgroup MOD_SSL_PRIVATE Private 25 * @ingroup MOD_SSL 26 * @{ 27 */ 28 29/** Apache headers */ 30#include "httpd.h" 31#include "http_config.h" 32#include "http_core.h" 33#include "http_log.h" 34#include "http_main.h" 35#include "http_connection.h" 36#include "http_request.h" 37#include "http_protocol.h" 38#include "http_vhost.h" 39#include "util_script.h" 40#include "util_filter.h" 41#include "util_ebcdic.h" 42#include "util_mutex.h" 43#include "apr.h" 44#include "apr_strings.h" 45#define APR_WANT_STRFUNC 46#define APR_WANT_MEMFUNC 47#include "apr_want.h" 48#include "apr_tables.h" 49#include "apr_lib.h" 50#include "apr_fnmatch.h" 51#include "apr_strings.h" 52#include "apr_global_mutex.h" 53#include "apr_optional.h" 54#include "ap_socache.h" 55#include "mod_auth.h" 56 57/* The #ifdef macros are only defined AFTER including the above 58 * therefore we cannot include these system files at the top :-( 59 */ 60#ifdef APR_HAVE_STDLIB_H 61#include <stdlib.h> 62#endif 63#if APR_HAVE_SYS_TIME_H 64#include <sys/time.h> 65#endif 
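#if APR_HAVE_UNISTD_H
#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
#endif

/* Boolean helpers.  TRUE is parenthesized so that it survives use
 * inside larger expressions (e.g. "x == TRUE" or "(void *)TRUE"). */
#ifndef FALSE
#define FALSE 0
#endif

#ifndef TRUE
#define TRUE (!FALSE)
#endif

#ifndef BOOL
#define BOOL unsigned int
#endif

#include "ap_expr.h"

/* OpenSSL headers */
#include <openssl/opensslv.h>
#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
/* must be defined before including ssl.h: keeps mod_ssl from poking
 * into OpenSSL's internal structure layouts */
#define OPENSSL_NO_SSL_INTERN
#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/ocsp.h>

/* Avoid tripping over an engine build installed globally and detected
 * when the user points at an explicit non-engine flavor of OpenSSL
 */
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
#include <openssl/engine.h>
#endif

#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
#error mod_ssl requires OpenSSL 0.9.8a or later
#endif

/**
 * ...shifting sands of OpenSSL...
 * Note: when adding support for new OpenSSL features, avoid explicit
 * version number checks whenever possible, and use "feature-based"
 * detection instead (check for definitions of constants or functions)
 */
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
#else
#define MODSSL_SSL_CIPHER_CONST
#define MODSSL_SSL_METHOD_CONST
#endif

/* FIPS mode support is only compiled in when the OpenSSL build
 * advertises it; the SSLFIPS directive is a no-op otherwise. */
#if defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif

/* TLS 1.1/1.2 protocol selection (SSL_PROTOCOL_TLSV1_1/_2 below) */
#if defined(SSL_OP_NO_TLSv1_2)
#define HAVE_TLSV1_X
#endif

/* SSL_CONF_CTX based "SSLOpenSSLConfCmd" pass-through */
#if defined(SSL_CONF_FLAG_FILE)
#define HAVE_SSL_CONF_CMD
#endif

/**
 * The following features all depend on TLS extension support.
 * Within this block, check again for features (not version numbers).
 */
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)

#define HAVE_TLSEXT

/* ECC: make sure we have at least 1.0.0 */
#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
#define HAVE_ECC
#endif

/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
#ifndef sk_OPENSSL_STRING_pop
#define sk_OPENSSL_STRING_pop sk_pop
#endif
#endif

/* TLS session tickets.
 *
 * TLSEXT_TICKET_KEY_LEN is the total amount of raw key material a
 * ticket key file must supply; it is split into the three 16-byte
 * fields of modssl_ticket_key_t below (name, HMAC secret, AES key),
 * so the two definitions must be kept in step.  tlsext_tick_md is the
 * digest used to key the ticket HMAC; it only falls back to SHA-1 on
 * OpenSSL builds without SHA-256. */
#if defined(SSL_CTX_set_tlsext_ticket_key_cb)
#define HAVE_TLS_SESSION_TICKETS
#define TLSEXT_TICKET_KEY_LEN 48
#ifndef tlsext_tick_md
#ifdef OPENSSL_NO_SHA256
#define tlsext_tick_md EVP_sha1
#else
#define tlsext_tick_md EVP_sha256
#endif
#endif
#endif

/* Secure Remote Password */
#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
#define HAVE_SRP
#include <openssl/srp.h>
#endif

#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */

/* mod_ssl headers */
#include "ssl_util_ssl.h"

APLOG_USE_MODULE(ssl);

/*
 * Provide reasonable default for some defines
 */
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
#ifndef PTRUE
#define PTRUE ((void *)TRUE)
#endif
#ifndef UNSET
#define UNSET (-1)
#endif
#ifndef NUL
#define NUL '\0'
#endif
#ifndef RAND_MAX
#include <limits.h>
#define RAND_MAX INT_MAX
#endif

/**
 * Provide reasonable defines for some types
 */
#ifndef UCHAR
#define UCHAR unsigned char
#endif

/**
 * Provide useful shorthands.
 *
 * All arguments are parenthesized so that expressions such as
 * "strEQ(a ? b : c, d)" expand as intended.  Note that strIsEmpty()
 * evaluates its argument twice; do not pass an expression with side
 * effects.
 */
#define strEQ(s1,s2)     (strcmp((s1),(s2)) == 0)
#define strNE(s1,s2)     (strcmp((s1),(s2)) != 0)
#define strEQn(s1,s2,n)  (strncmp((s1),(s2),(n)) == 0)
#define strNEn(s1,s2,n)  (strncmp((s1),(s2),(n)) != 0)

#define strcEQ(s1,s2)    (strcasecmp((s1),(s2)) == 0)
#define strcNE(s1,s2)    (strcasecmp((s1),(s2)) != 0)
#define strcEQn(s1,s2,n) (strncasecmp((s1),(s2),(n)) == 0)
#define strcNEn(s1,s2,n) (strncasecmp((s1),(s2),(n)) != 0)

#define strIsEmpty(s)    ((s) == NULL || (s)[0] == NUL)

/* Accessors for the per-connection, per-server, per-directory and
 * per-module configuration records.  The casts are wrapped in an
 * outer pair of parentheses so that "->" can be applied directly to
 * the result (see myModConfig and mySrvFromConn). */
#define myConnConfig(c) \
    ((SSLConnRec *)ap_get_module_config((c)->conn_config, &ssl_module))
#define myCtxConfig(sslconn, sc) \
    ((sslconn)->is_proxy ? (sc)->proxy : (sc)->server)
#define myConnConfigSet(c, val) \
    ap_set_module_config((c)->conn_config, &ssl_module, (val))
#define mySrvConfig(srv) \
    ((SSLSrvConfigRec *)ap_get_module_config((srv)->module_config, &ssl_module))
#define myDirConfig(req) \
    ((SSLDirConfigRec *)ap_get_module_config((req)->per_dir_config, &ssl_module))
#define myModConfig(srv)         ((mySrvConfig((srv)))->mc)
#define mySrvFromConn(c)         ((myConnConfig(c))->server)
#define mySrvConfigFromConn(c)   mySrvConfig(mySrvFromConn(c))
#define myModConfigFromConn(c)   myModConfig(mySrvFromConn(c))

/**
 * Defaults for the configuration
 */

/* Session cache entry lifetime in seconds (SSLSessionCacheTimeout). */
#ifndef SSL_SESSION_CACHE_TIMEOUT
#define SSL_SESSION_CACHE_TIMEOUT 300
#endif

/* Default setting for per-dir reneg buffer: how much request body may
 * be set aside while a per-directory renegotiation is performed
 * (SSLRenegBufferSize).  Bounded so that a client cannot force the
 * server to buffer an arbitrarily large body in memory. */
#ifndef DEFAULT_RENEG_BUFFER_SIZE
#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
#endif

/* Default for OCSP response validity: maximum clock skew, in seconds,
 * tolerated between this host and the responder's timestamps. */
#ifndef DEFAULT_OCSP_MAX_SKEW
#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
#endif

/* Default timeout for OCSP queries, in seconds.  This bounds how long
 * a handshake can be stalled by an unresponsive responder. */
#ifndef DEFAULT_OCSP_TIMEOUT
#define DEFAULT_OCSP_TIMEOUT 10
#endif

/**
 * Define the SSL options (SSLOptions directive).  Note that bit 2 is
 * intentionally unused.
 */
#define SSL_OPT_NONE           (0)
#define SSL_OPT_RELSET         (1<<0)
#define SSL_OPT_STDENVVARS     (1<<1)
#define SSL_OPT_EXPORTCERTDATA (1<<3)
/* NOTE(review): by its name, FakeBasicAuth derives a Basic-auth
 * identity from the client certificate; the exact mapping lives in
 * ssl_hook_Auth and is not visible here. */
#define SSL_OPT_FAKEBASICAUTH  (1<<4)
#define SSL_OPT_STRICTREQUIRE  (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_LEGACYDNFORMAT (1<<7)
typedef int ssl_opt_t;

/**
 * Define the SSL Protocol options (SSLProtocol / SSLProxyProtocol).
 *
 * SSL_PROTOCOL_ALL deliberately excludes SSLv2, but it does include
 * SSLv3; a configuration that wants SSLv3 off must subtract it
 * explicitly ("all -SSLv3").
 */
#define SSL_PROTOCOL_NONE  (0)
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#endif
typedef int ssl_proto_t;

/**
 * Define the SSL verify levels (SSLVerifyClient / SSLProxyVerify)
 */
typedef enum {
    SSL_CVERIFY_UNSET           = UNSET,
    SSL_CVERIFY_NONE            = 0,
    SSL_CVERIFY_OPTIONAL        = 1,
    SSL_CVERIFY_REQUIRE         = 2,
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
} ssl_verify_t;

/* OpenSSL verify flags for the "require" mode: ask for a peer
 * certificate and abort the handshake when none is presented. */
#define SSL_VERIFY_PEER_STRICT \
     (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)

/* Verification errors that describe a certificate whose chain could
 * not be anchored to a configured CA, as opposed to a certificate that
 * is malformed, expired or revoked.  Presumably consulted when the
 * verify mode tolerates an untrusted chain (optional_no_ca) -- confirm
 * in ssl_callback_SSLVerify.  The argument is evaluated several times,
 * so pass a plain variable or constant. */
#define ssl_verify_error_is_optional(errnum) \
   (((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
    || ((errnum) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
    || ((errnum) == X509_V_ERR_CERT_UNTRUSTED) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))

/**
 * CRL checking modes (SSLCARevocationCheck): check nothing, only the
 * leaf certificate, or every certificate in the chain.
 */
typedef enum {
    SSL_CRLCHECK_UNSET = UNSET,
    SSL_CRLCHECK_NONE  = 0,
    SSL_CRLCHECK_LEAF  = 1,
    SSL_CRLCHECK_CHAIN = 2
} ssl_crlcheck_t;

/**
 * Define the SSL pass phrase dialog types (SSLPassPhraseDialog).
 * FILTER and PIPE both hand the pass phrase to/from an external
 * program, so the configured program path is security sensitive.
 */
typedef enum {
    SSL_PPTYPE_UNSET   = UNSET,
    SSL_PPTYPE_BUILTIN = 0,
    SSL_PPTYPE_FILTER  = 1,
    SSL_PPTYPE_PIPE    = 2
} ssl_pphrase_t;

/**
 * Define the Path Checking modes (flags for ssl_util_path_check)
 */
#define SSL_PCM_EXISTS     1
#define SSL_PCM_ISREG      2
#define SSL_PCM_ISDIR      4
#define SSL_PCM_ISNONZERO  8
typedef unsigned int ssl_pathcheck_t;

/**
 * Define the SSL enabled state
 */
typedef enum {
    SSL_ENABLED_UNSET    = UNSET,
    SSL_ENABLED_FALSE    = 0,
    SSL_ENABLED_TRUE     = 1,
    SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t;

/**
 * Define the SSL requirement structure: the textual SSLRequire
 * expression and its parsed form.
 */
typedef struct {
    char           *cpExpr;
    ap_expr_info_t *mpExpr;
} ssl_require_t;

/**
 * Define the SSL random number generator seeding source
 * (SSLRandomSeed).  Note that SSL_RSSRC_EXEC runs the program named
 * by cpPath, and SSL_RSSRC_EGD talks to a local entropy daemon socket;
 * both paths come from trusted configuration only.
 */
typedef enum {
    SSL_RSCTX_STARTUP = 1,
    SSL_RSCTX_CONNECT = 2
} ssl_rsctx_t;
typedef enum {
    SSL_RSSRC_BUILTIN = 1,
    SSL_RSSRC_FILE    = 2,
    SSL_RSSRC_EXEC    = 3,
    SSL_RSSRC_EGD     = 4
} ssl_rssrc_t;
typedef struct {
    ssl_rsctx_t  nCtx;    /* when to seed: startup or per connection */
    ssl_rssrc_t  nSrc;    /* where the entropy comes from */
    char        *cpPath;  /* file, program or socket path (source dependent) */
    int          nBytes;  /* how many bytes to read from the source */
} ssl_randseed_t;

/**
 * Define the structure of an ASN.1 anything: a DER blob of nData
 * bytes at cpData.  source_mtime presumably records the modification
 * time of the file the blob was loaded from (see ssl_asn1_table_*).
 */
typedef struct {
    long int       nData;
    unsigned char *cpData;
    apr_time_t     source_mtime;
} ssl_asn1_t;

/**
 * Define the mod_ssl per-module configuration structure
 * (i.e. the global configuration for each httpd process)
 */

typedef enum {
    SSL_SHUTDOWN_TYPE_UNSET,
    SSL_SHUTDOWN_TYPE_STANDARD,
    SSL_SHUTDOWN_TYPE_UNCLEAN,
    SSL_SHUTDOWN_TYPE_ACCURATE
} ssl_shutdown_type_e;

/** Per-connection state, stored in c->conn_config (see myConnConfig). */
typedef struct {
    SSL *ssl;
    const char *client_dn;
    X509 *client_cert;
    ssl_shutdown_type_e shutdown_type;
    const char *verify_info;
    const char *verify_error;
    int verify_depth;
    int is_proxy;
    int disabled;
    enum {
        NON_SSL_OK = 0,        /* is SSL request, or error handling completed */
        NON_SSL_SEND_HDR_SEP,  /* Need to send the header separator */
        NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
    } non_ssl_request;

    /* Track the handshake/renegotiation state for the connection so
     * that all client-initiated renegotiations can be rejected, as a
     * partial fix for CVE-2009-3555.  Only the server may move the
     * state to RENEG_ALLOW, and only when configuration (e.g. a
     * per-directory cipher or verify change) calls for it. */
    enum {
        RENEG_INIT = 0, /* Before initial handshake */
        RENEG_REJECT,   /* After initial handshake; any client-initiated
                         * renegotiation should be rejected */
        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
                         * place (as dictated by configuration) */
        RENEG_ABORT     /* Renegotiation initiated by client, abort the
                         * connection */
    } reneg_state;

    server_rec *server;
} SSLConnRec;

/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
 * allocated out of the "process" pool and only a single such
 * structure is created and used for the lifetime of the process.
 * (The process pool is s->process->pool and is stored in the .pPool
 * field.)  Most members of this structure are likewise allocated out
 * of the process pool, but notably sesscache and sesscache_context
 * are not.
 *
 * The structure is treated as mostly immutable after a single config
 * parse has completed; the post_config hook (ssl_init_Module) flips
 * the bFixed flag to true and subsequent invocations of the config
 * callbacks hence do nothing.
 *
 * This odd lifetime strategy is used so that encrypted private keys
 * can be decrypted once at startup and continue to be used across
 * subsequent server reloads where the interactive password prompt is
 * not possible.  The flip side is that the decrypted private keys
 * (tPrivateKey, raw DER) remain in process memory for the whole life
 * of the parent process.
 *
 * It is really an ABI nightmare waiting to happen since DSOs are
 * reloaded across restarts, and nothing prevents the struct type
 * changing across such reloads, yet the cached structure will be
 * assumed to match regardless.
 *
 * This should really be fixed using a smaller structure which only
 * stores that which is absolutely necessary (the private keys, maybe
 * the random seed), and have that structure be strictly ABI-versioned
 * for safety.
 */
typedef struct {
    pid_t           pid;     /* pid of the process that created the record */
    apr_pool_t     *pPool;   /* the process pool (see warning above) */
    BOOL            bFixed;  /* set once post_config has run */

    /* OpenSSL SSL_SESS_CACHE_* flags: */
    long sesscache_mode;

    /* The configured provider, and associated private data
     * structure. */
    const ap_socache_provider_t *sesscache;
    ap_socache_instance_t *sesscache_context;

    apr_global_mutex_t   *pMutex;
    apr_array_header_t   *aRandSeed;
    apr_hash_t     *tVHostKeys;

    /* A hash table of pointers to ssl_asn1_t structures.  The structures
     * are used to store private keys in raw DER format (serialized OpenSSL
     * PrivateKey structures).  The table is indexed by (vhost-id,
     * index), for example the string "vhost.example.com:443:0".
     * This is the sole copy of the decrypted key material that survives
     * restarts; treat anything that reads from it as security-critical. */
    apr_hash_t     *tPrivateKey;

#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
    const char     *szCryptoDevice;  /* SSLCryptoDevice engine name */
#endif

#ifdef HAVE_OCSP_STAPLING
    const ap_socache_provider_t *stapling_cache;
    ap_socache_instance_t *stapling_cache_context;
    apr_global_mutex_t   *stapling_mutex;
#endif
} SSLModConfigRec;

/** Structure representing configured filenames for certs and keys for
 * a given vhost */
typedef struct {
    /* Lists of configured certs and keys for this server */
    apr_array_header_t *cert_files;
    apr_array_header_t *key_files;

    /** Certificates which specify the set of CA names which should be
     * sent in the CertificateRequest message: */
    const char  *ca_name_path;
    const char  *ca_name_file;
} modssl_pk_server_t;

typedef struct {
    /** proxy can have any number of cert/key pairs */
    const char  *cert_file;
    const char  *cert_path;
    const char  *ca_cert_file;
    STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
    STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
                                * each item in certs.
                                * (ptr to array of ptrs) */
} modssl_pk_proxy_t;

/** stuff related to authentication that can also be per-dir */
typedef struct {
    /** known/trusted CAs */
    const char  *ca_cert_path;
    const char  *ca_cert_file;

    const char  *cipher_suite;

    /** for client or downstream server authentication */
    int          verify_depth;
    ssl_verify_t verify_mode;
} modssl_auth_ctx_t;

#ifdef HAVE_TLS_SESSION_TICKETS
/**
 * Raw key material for TLS session ticket protection, loaded from the
 * file named by SSLSessionTicketKeyFile (file_path).  The three arrays
 * add up to TLSEXT_TICKET_KEY_LEN bytes: a 16-byte key name that
 * identifies the key in a ticket, a 16-byte HMAC secret (used with
 * tlsext_tick_md) and a 128-bit AES key.
 *
 * Whoever holds this material can forge and decrypt every ticket
 * issued under it, so the key file needs the same protection as a
 * private key and should be rotated; tickets encrypted with a
 * long-lived key also limit forward secrecy for resumed sessions.
 * NOTE(review): how long this struct lives and whether it is ever
 * zeroized is not visible from this header.
 */
typedef struct {
    const char *file_path;
    unsigned char key_name[16];
    unsigned char hmac_secret[16];
    unsigned char aes_key[16];
} modssl_ticket_key_t;
#endif

#ifdef HAVE_SSL_CONF_CMD
/** One SSLOpenSSLConfCmd name/value pair, applied to the SSL_CTX. */
typedef struct {
    const char *name;
    const char *value;
} ssl_ctx_param_t;
#endif

typedef struct SSLSrvConfigRec SSLSrvConfigRec;

/** Per-SSL_CTX configuration; one instance for the server role and
 * one for the proxy (client) role of a vhost. */
typedef struct {
    SSLSrvConfigRec *sc; /** pointer back to server config */
    SSL_CTX *ssl_ctx;

    /** we are one or the other */
    modssl_pk_server_t *pks;
    modssl_pk_proxy_t  *pkp;

#ifdef HAVE_TLS_SESSION_TICKETS
    modssl_ticket_key_t *ticket_key;
#endif

    ssl_proto_t  protocol;

    /** config for handling encrypted keys */
    ssl_pphrase_t pphrase_dialog_type;
    const char   *pphrase_dialog_path;

    const char  *cert_chain;

    /** certificate revocation list */
    const char    *crl_path;
    const char    *crl_file;
    ssl_crlcheck_t crl_check_mode;

#ifdef HAVE_OCSP_STAPLING
    /** OCSP stapling options */
    BOOL stapling_enabled;
    long stapling_resptime_skew;
    long stapling_resp_maxage;
    int stapling_cache_timeout;
    BOOL stapling_return_errors;
    BOOL stapling_fake_trylater;
    int stapling_errcache_timeout;
    apr_interval_time_t stapling_responder_timeout;
    const char *stapling_force_url;
#endif

#ifdef HAVE_SRP
    char *srp_vfile;
    /* NOTE(review): the name suggests this seed is used to produce
     * stable fake SRP parameters for unknown users so that valid and
     * invalid user names are indistinguishable; confirm in
     * ssl_callback_SRPServerParams. */
    char *srp_unknown_user_seed;
    SRP_VBASE  *srp_vbase;
#endif

    modssl_auth_ctx_t auth;

    BOOL ocsp_enabled; /* true if OCSP verification enabled */
    BOOL ocsp_force_default; /* true if the default responder URL is
                              * used regardless of per-cert URL */
    const char *ocsp_responder; /* default responder URL */
    long ocsp_resptime_skew;
    long ocsp_resp_maxage;
    apr_interval_time_t ocsp_responder_timeout;
#ifdef HAVE_SSL_CONF_CMD
    SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
    apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
#endif
} modssl_ctx_t;

/** Per-vhost configuration (see mySrvConfig). */
struct SSLSrvConfigRec {
    SSLModConfigRec *mc;
    ssl_enabled_t    enabled;
    BOOL             proxy_enabled;
    const char      *vhost_id;
    int              vhost_id_len;
    int              session_cache_timeout;
    BOOL             cipher_server_pref;   /* SSLHonorCipherOrder */
    /* SSLInsecureRenegotiation: presumably re-enables renegotiation
     * with peers lacking the RFC 5746 secure-renegotiation extension;
     * confirm in ssl_engine_init.c.  Should stay off. */
    BOOL             insecure_reneg;
    modssl_ctx_t    *server;
    modssl_ctx_t    *proxy;
    ssl_enabled_t    proxy_ssl_check_peer_expire;
    ssl_enabled_t    proxy_ssl_check_peer_cn;
    ssl_enabled_t    proxy_ssl_check_peer_name;
#ifdef HAVE_TLSEXT
    ssl_enabled_t    strict_sni_vhost_check;
#endif
#ifdef HAVE_FIPS
    BOOL             fips;
#endif
    BOOL             allow_empty_fragments;
#ifndef OPENSSL_NO_COMP
    /* SSLCompression: TLS-level compression.  Compressing attacker-
     * influenced plaintext alongside secrets is a known information
     * leak vector; prefer leaving this disabled. */
    BOOL             compression;
#endif
};

/**
 * Define the mod_ssl per-directory configuration structure
 * (i.e. the local configuration for all <Directory>
 * and .htaccess contexts)
 */
typedef struct {
    BOOL          bSSLRequired;
    apr_array_header_t *aRequirement;
    ssl_opt_t     nOptions;
    ssl_opt_t     nOptionsAdd;
    ssl_opt_t     nOptionsDel;
    const char   *szCipherSuite;
    ssl_verify_t  nVerifyClient;
    int           nVerifyDepth;
    const char   *szCACertificatePath;
    const char   *szCACertificateFile;
    const char   *szUserName;
    apr_size_t    nRenegBufferSize;
} SSLDirConfigRec;

/**
 * function prototypes
 */

/** API glue structures */
extern module AP_MODULE_DECLARE_DATA ssl_module;

/** configuration handling */
SSLModConfigRec *ssl_config_global_create(server_rec *);
void         ssl_config_global_fix(SSLModConfigRec *);
BOOL         ssl_config_global_isfixed(SSLModConfigRec *);
void        *ssl_config_server_create(apr_pool_t *, server_rec *);
void        *ssl_config_server_merge(apr_pool_t *, void *, void *);
void        *ssl_config_perdir_create(apr_pool_t *, char *);
void        *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);

const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);

const char  *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);

#ifdef HAVE_SSL_CONF_CMD
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
#endif

#ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
#endif

const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLAllowEmptyFragments(cmd_parms *cmd, void *dcfg, int flag);

/** module initialization */
apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
                                      apr_array_header_t *);
apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
        *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
void         ssl_init_Child(apr_pool_t *, server_rec *);
apr_status_t ssl_init_ModuleKill(void *data);

/** Apache API hooks */
int          ssl_hook_Auth(request_rec *);
int          ssl_hook_UserCheck(request_rec *);
int          ssl_hook_Access(request_rec *);
int          ssl_hook_Fixup(request_rec *);
int          ssl_hook_ReadReq(request_rec *);
int          ssl_hook_Upgrade(request_rec *);
void         ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);

/** Apache authz providers */
extern const authz_provider ssl_authz_provider_require_ssl;
extern const authz_provider ssl_authz_provider_verify_client;

/** OpenSSL callbacks */
DH          *ssl_callback_TmpDH(SSL *, int, int);
int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
void         ssl_callback_Info(const SSL *, int, int);
#ifdef HAVE_TLSEXT
int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
#ifdef HAVE_TLS_SESSION_TICKETS
/* Ticket key callback: fills in / looks up the key name, IV, cipher
 * and HMAC contexts using modssl_ticket_key_t. */
int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
                                       EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif

/** Session Cache Support */
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
void         ssl_scache_status_register(apr_pool_t *p);
void         ssl_scache_kill(server_rec *);
BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
                              apr_time_t, SSL_SESSION *, apr_pool_t *);
SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
void         ssl_scache_remove(server_rec *, UCHAR *, int,
                               apr_pool_t *);

/** Proxy Support */
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);

/** OCSP Stapling Support */
#ifdef HAVE_OCSP_STAPLING
const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
void         ssl_stapling_ex_init(void);
int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
#endif
#ifdef HAVE_SRP
int          ssl_callback_SRPServerParams(SSL *, int *, void *);
#endif

/** I/O */
void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void         ssl_io_filter_register(apr_pool_t *);
long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);

/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
 * to allow an SSL renegotiation to take place.  maxlen bounds the
 * amount of client-supplied body set aside (see
 * DEFAULT_RENEG_BUFFER_SIZE). */
int          ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);

/** PRNG */
int          ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);

/** Utility Functions */
char        *ssl_util_vhostid(apr_pool_t *, server_rec *);
/* ssl_util_ppopen/ppclose/readfilter run an external program with the
 * given argv (pass-phrase dialog, random seed "exec:" sources); the
 * program path must only ever come from trusted configuration. */
apr_file_t  *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
                             const char * const *);
void         ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
                                 const char * const *);
BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
void         ssl_util_thread_setup(apr_pool_t *);
int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);

/** Pass Phrase Support */
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
                                     const char *, apr_array_header_t **);

/** Diffie-Hellman Parameter Support */
DH           *ssl_dh_GetParamFromFile(const char *);
#ifdef HAVE_ECC
EC_GROUP     *ssl_ec_GetParamFromFile(const char *);
#endif

/* Table of ssl_asn1_t blobs keyed by string (see SSLModConfigRec.tPrivateKey). */
unsigned char *ssl_asn1_table_set(apr_hash_t *table,
                                  const char *key,
                                  long int length);

ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
                               const char *key);

void ssl_asn1_table_unset(apr_hash_t *table,
                          const char *key);

/** Mutex Support */
int          ssl_mutex_init(server_rec *, apr_pool_t *);
int          ssl_mutex_reinit(server_rec *, apr_pool_t *);
int          ssl_mutex_on(server_rec *);
int          ssl_mutex_off(server_rec *);

int          ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);

/* mutex type names for Mutex directive */
#define SSL_CACHE_MUTEX_TYPE    "ssl-cache"
#define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"

apr_status_t ssl_die(server_rec *);

/** Logfile Support */
void         ssl_log_ssl_error(const char *, int, int, server_rec *);

/* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
 * respective ap_log_*error functions and take a certificate as an
 * additional argument (whose details are appended to the log message).
 * The other arguments are interpreted exactly as with their ap_log_*error
 * counterparts.  The format attribute lets the compiler check that
 * callers never pass a non-literal format string. */
void ssl_log_xerror(const char *file, int line, int level,
                    apr_status_t rv, apr_pool_t *p, server_rec *s,
                    X509 *cert, const char *format, ...)
    __attribute__((format(printf,8,9)));

void ssl_log_cxerror(const char *file, int line, int level,
                     apr_status_t rv, conn_rec *c, X509 *cert,
                     const char *format, ...)
    __attribute__((format(printf,7,8)));

void ssl_log_rxerror(const char *file, int line, int level,
                     apr_status_t rv, request_rec *r, X509 *cert,
                     const char *format, ...)
    __attribute__((format(printf,7,8)));

#define SSLLOG_MARK              __FILE__,__LINE__

/** Variables */

/* Register variables for the lifetime of the process pool 'p'. */
void         ssl_var_register(apr_pool_t *p);
char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);

void         ssl_var_log_config_register(apr_pool_t *p);

/* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
 * allocating from 'p': */
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);

#ifndef OPENSSL_NO_OCSP
/* Perform OCSP validation of the current cert in the given context.
 * Returns non-zero on success or zero on failure.  On failure, the
 * context error code is set. */
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
                       server_rec *s, conn_rec *c, apr_pool_t *pool);

/* OCSP helper interface; dispatches the given OCSP request to the
 * responder at the given URI.  Returns the decoded OCSP response
 * object, or NULL on error (in which case, errors will have been
 * logged).  Pool 'p' is used for temporary allocations.  The timeout
 * bounds how long the connection may block on the responder. */
OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
                                            apr_interval_time_t timeout,
                                            OCSP_REQUEST *request,
                                            conn_rec *c, apr_pool_t *p);
#endif

#endif /* SSL_PRIVATE_H */
/** @} */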