1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements.  See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License.  You may obtain a copy of the License at
7 *
8 *     http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef SSL_PRIVATE_H
18#define SSL_PRIVATE_H
19
20/**
21 * @file  ssl_private.h
22 * @brief Internal interfaces private to mod_ssl.
23 *
24 * @defgroup MOD_SSL_PRIVATE Private
25 * @ingroup MOD_SSL
26 * @{
27 */
28
29/** Apache headers */
30#include "httpd.h"
31#include "http_config.h"
32#include "http_core.h"
33#include "http_log.h"
34#include "http_main.h"
35#include "http_connection.h"
36#include "http_request.h"
37#include "http_protocol.h"
38#include "http_vhost.h"
39#include "util_script.h"
40#include "util_filter.h"
41#include "util_ebcdic.h"
42#include "util_mutex.h"
43#include "apr.h"
44#include "apr_strings.h"
45#define APR_WANT_STRFUNC
46#define APR_WANT_MEMFUNC
47#include "apr_want.h"
48#include "apr_tables.h"
49#include "apr_lib.h"
50#include "apr_fnmatch.h"
51#include "apr_strings.h"
52#include "apr_global_mutex.h"
53#include "apr_optional.h"
54#include "ap_socache.h"
55#include "mod_auth.h"
56
57/* The #ifdef macros are only defined AFTER including the above
58 * therefore we cannot include these system files at the top  :-(
59 */
60#ifdef APR_HAVE_STDLIB_H
61#include <stdlib.h>
62#endif
63#if APR_HAVE_SYS_TIME_H
64#include <sys/time.h>
65#endif
66#if APR_HAVE_UNISTD_H
67#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
68#endif
69
70#ifndef FALSE
71#define FALSE 0
72#endif
73
74#ifndef TRUE
75#define TRUE !FALSE
76#endif
77
78#ifndef BOOL
79#define BOOL unsigned int
80#endif
81
82#include "ap_expr.h"
83
84/* OpenSSL headers */
85#include <openssl/opensslv.h>
86#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
87/* must be defined before including ssl.h */
88#define OPENSSL_NO_SSL_INTERN
89#endif
90#include <openssl/ssl.h>
91#include <openssl/err.h>
92#include <openssl/x509.h>
93#include <openssl/pem.h>
94#include <openssl/crypto.h>
95#include <openssl/evp.h>
96#include <openssl/rand.h>
97#include <openssl/x509v3.h>
98#include <openssl/x509_vfy.h>
99#include <openssl/ocsp.h>
100
101/* Avoid tripping over an engine build installed globally and detected
102 * when the user points at an explicit non-engine flavor of OpenSSL
103 */
104#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
105#include <openssl/engine.h>
106#endif
107
108#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
109#error mod_ssl requires OpenSSL 0.9.8a or later
110#endif
111
112/**
113 * ...shifting sands of OpenSSL...
114 * Note: when adding support for new OpenSSL features, avoid explicit
115 * version number checks whenever possible, and use "feature-based"
116 * detection instead (check for definitions of constants or functions)
117 */
118#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
119#define MODSSL_SSL_CIPHER_CONST const
120#define MODSSL_SSL_METHOD_CONST const
121#else
122#define MODSSL_SSL_CIPHER_CONST
123#define MODSSL_SSL_METHOD_CONST
124#endif
125
126#if defined(OPENSSL_FIPS)
127#define HAVE_FIPS
128#endif
129
130#if defined(SSL_OP_NO_TLSv1_2)
131#define HAVE_TLSV1_X
132#endif
133
134#if defined(SSL_CONF_FLAG_FILE)
135#define HAVE_SSL_CONF_CMD
136#endif
137
138/**
139  * The following features all depend on TLS extension support.
140  * Within this block, check again for features (not version numbers).
141  */
142#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
143
144#define HAVE_TLSEXT
145
146/* ECC: make sure we have at least 1.0.0 */
147#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
148#define HAVE_ECC
149#endif
150
151/* OCSP stapling */
152#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
153#define HAVE_OCSP_STAPLING
154#ifndef sk_OPENSSL_STRING_pop
155#define sk_OPENSSL_STRING_pop sk_pop
156#endif
157#endif
158
159/* TLS session tickets */
160#if defined(SSL_CTX_set_tlsext_ticket_key_cb)
161#define HAVE_TLS_SESSION_TICKETS
162#define TLSEXT_TICKET_KEY_LEN 48
163#ifndef tlsext_tick_md
164#ifdef OPENSSL_NO_SHA256
165#define tlsext_tick_md EVP_sha1
166#else
167#define tlsext_tick_md EVP_sha256
168#endif
169#endif
170#endif
171
172/* Secure Remote Password */
173#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
174#define HAVE_SRP
175#include <openssl/srp.h>
176#endif
177
178#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
179
180/* mod_ssl headers */
181#include "ssl_util_ssl.h"
182
183APLOG_USE_MODULE(ssl);
184
185/*
186 * Provide reasonable default for some defines
187 */
188#ifndef PFALSE
189#define PFALSE ((void *)FALSE)
190#endif
191#ifndef PTRUE
192#define PTRUE ((void *)TRUE)
193#endif
194#ifndef UNSET
195#define UNSET (-1)
196#endif
197#ifndef NUL
198#define NUL '\0'
199#endif
200#ifndef RAND_MAX
201#include <limits.h>
202#define RAND_MAX INT_MAX
203#endif
204
205/**
206 * Provide reasonable defines for some types
207 */
208#ifndef UCHAR
209#define UCHAR unsigned char
210#endif
211
212/**
213 * Provide useful shorthands
214 */
215#define strEQ(s1,s2)     (strcmp(s1,s2)        == 0)
216#define strNE(s1,s2)     (strcmp(s1,s2)        != 0)
217#define strEQn(s1,s2,n)  (strncmp(s1,s2,n)     == 0)
218#define strNEn(s1,s2,n)  (strncmp(s1,s2,n)     != 0)
219
220#define strcEQ(s1,s2)    (strcasecmp(s1,s2)    == 0)
221#define strcNE(s1,s2)    (strcasecmp(s1,s2)    != 0)
222#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
223#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
224
225#define strIsEmpty(s)    (s == NULL || s[0] == NUL)
226
227#define myConnConfig(c) \
228(SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module)
229#define myCtxConfig(sslconn, sc) (sslconn->is_proxy ? sc->proxy : sc->server)
230#define myConnConfigSet(c, val) \
231ap_set_module_config(c->conn_config, &ssl_module, val)
232#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config,  &ssl_module)
233#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
234#define myModConfig(srv) (mySrvConfig((srv)))->mc
235#define mySrvFromConn(c) (myConnConfig(c))->server
236#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
237#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
238
239/**
240 * Defaults for the configuration
241 */
242#ifndef SSL_SESSION_CACHE_TIMEOUT
243#define SSL_SESSION_CACHE_TIMEOUT  300
244#endif
245
246/* Default setting for per-dir reneg buffer. */
247#ifndef DEFAULT_RENEG_BUFFER_SIZE
248#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
249#endif
250
251/* Default for OCSP response validity */
252#ifndef DEFAULT_OCSP_MAX_SKEW
253#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
254#endif
255
256/* Default timeout for OCSP queries */
257#ifndef DEFAULT_OCSP_TIMEOUT
258#define DEFAULT_OCSP_TIMEOUT 10
259#endif
260
261/**
262 * Define the SSL options
263 */
264#define SSL_OPT_NONE           (0)
265#define SSL_OPT_RELSET         (1<<0)
266#define SSL_OPT_STDENVVARS     (1<<1)
267#define SSL_OPT_EXPORTCERTDATA (1<<3)
268#define SSL_OPT_FAKEBASICAUTH  (1<<4)
269#define SSL_OPT_STRICTREQUIRE  (1<<5)
270#define SSL_OPT_OPTRENEGOTIATE (1<<6)
271#define SSL_OPT_LEGACYDNFORMAT (1<<7)
272typedef int ssl_opt_t;
273
274/**
275 * Define the SSL Protocol options
276 */
277#define SSL_PROTOCOL_NONE  (0)
278#define SSL_PROTOCOL_SSLV2 (1<<0)
279#define SSL_PROTOCOL_SSLV3 (1<<1)
280#define SSL_PROTOCOL_TLSV1 (1<<2)
281#ifdef HAVE_TLSV1_X
282#define SSL_PROTOCOL_TLSV1_1 (1<<3)
283#define SSL_PROTOCOL_TLSV1_2 (1<<4)
284#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
285                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
286#else
287#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
288#endif
289typedef int ssl_proto_t;
290
291/**
292 * Define the SSL verify levels
293 */
294typedef enum {
295    SSL_CVERIFY_UNSET           = UNSET,
296    SSL_CVERIFY_NONE            = 0,
297    SSL_CVERIFY_OPTIONAL        = 1,
298    SSL_CVERIFY_REQUIRE         = 2,
299    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
300} ssl_verify_t;
301
302#define SSL_VERIFY_PEER_STRICT \
303     (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
304
305#define ssl_verify_error_is_optional(errnum) \
306   ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
307    || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
308    || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
309    || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
310    || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
311
312/**
313  * CRL checking modes
314  */
315typedef enum {
316    SSL_CRLCHECK_UNSET = UNSET,
317    SSL_CRLCHECK_NONE  = 0,
318    SSL_CRLCHECK_LEAF  = 1,
319    SSL_CRLCHECK_CHAIN = 2
320} ssl_crlcheck_t;
321
322/**
323 * Define the SSL pass phrase dialog types
324 */
325typedef enum {
326    SSL_PPTYPE_UNSET   = UNSET,
327    SSL_PPTYPE_BUILTIN = 0,
328    SSL_PPTYPE_FILTER  = 1,
329    SSL_PPTYPE_PIPE    = 2
330} ssl_pphrase_t;
331
332/**
333 * Define the Path Checking modes
334 */
335#define SSL_PCM_EXISTS     1
336#define SSL_PCM_ISREG      2
337#define SSL_PCM_ISDIR      4
338#define SSL_PCM_ISNONZERO  8
339typedef unsigned int ssl_pathcheck_t;
340
341/**
342 * Define the SSL enabled state
343 */
344typedef enum {
345    SSL_ENABLED_UNSET    = UNSET,
346    SSL_ENABLED_FALSE    = 0,
347    SSL_ENABLED_TRUE     = 1,
348    SSL_ENABLED_OPTIONAL = 3
349} ssl_enabled_t;
350
351/**
352 * Define the SSL requirement structure
353 */
354typedef struct {
355    char           *cpExpr;
356    ap_expr_info_t *mpExpr;
357} ssl_require_t;
358
359/**
360 * Define the SSL random number generator seeding source
361 */
362typedef enum {
363    SSL_RSCTX_STARTUP = 1,
364    SSL_RSCTX_CONNECT = 2
365} ssl_rsctx_t;
366typedef enum {
367    SSL_RSSRC_BUILTIN = 1,
368    SSL_RSSRC_FILE    = 2,
369    SSL_RSSRC_EXEC    = 3,
370    SSL_RSSRC_EGD     = 4
371} ssl_rssrc_t;
372typedef struct {
373    ssl_rsctx_t  nCtx;
374    ssl_rssrc_t  nSrc;
375    char        *cpPath;
376    int          nBytes;
377} ssl_randseed_t;
378
379/**
380 * Define the structure of an ASN.1 anything
381 */
382typedef struct {
383    long int       nData;
384    unsigned char *cpData;
385    apr_time_t     source_mtime;
386} ssl_asn1_t;
387
388/**
389 * Define the mod_ssl per-module configuration structure
390 * (i.e. the global configuration for each httpd process)
391 */
392
393typedef enum {
394    SSL_SHUTDOWN_TYPE_UNSET,
395    SSL_SHUTDOWN_TYPE_STANDARD,
396    SSL_SHUTDOWN_TYPE_UNCLEAN,
397    SSL_SHUTDOWN_TYPE_ACCURATE
398} ssl_shutdown_type_e;
399
400typedef struct {
401    SSL *ssl;
402    const char *client_dn;
403    X509 *client_cert;
404    ssl_shutdown_type_e shutdown_type;
405    const char *verify_info;
406    const char *verify_error;
407    int verify_depth;
408    int is_proxy;
409    int disabled;
410    enum {
411        NON_SSL_OK = 0,        /* is SSL request, or error handling completed */
412        NON_SSL_SEND_HDR_SEP,  /* Need to send the header separator */
413        NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
414    } non_ssl_request;
415
416    /* Track the handshake/renegotiation state for the connection so
417     * that all client-initiated renegotiations can be rejected, as a
418     * partial fix for CVE-2009-3555. */
419    enum {
420        RENEG_INIT = 0, /* Before initial handshake */
421        RENEG_REJECT, /* After initial handshake; any client-initiated
422                       * renegotiation should be rejected */
423        RENEG_ALLOW, /* A server-initated renegotiation is taking
424                      * place (as dictated by configuration) */
425        RENEG_ABORT /* Renegotiation initiated by client, abort the
426                     * connection */
427    } reneg_state;
428
429    server_rec *server;
430} SSLConnRec;
431
432/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
433 * allocated out of the "process" pool and only a single such
434 * structure is created and used for the lifetime of the process.
435 * (The process pool is s->process->pool and is stored in the .pPool
436 * field.)  Most members of this structure are likewise allocated out
437 * of the process pool, but notably sesscache and sesscache_context
438 * are not.
439 *
440 * The structure is treated as mostly immutable after a single config
441 * parse has completed; the post_config hook (ssl_init_Module) flips
442 * the bFixed flag to true and subsequent invocations of the config
443 * callbacks hence do nothing.
444 *
445 * This odd lifetime strategy is used so that encrypted private keys
446 * can be decrypted once at startup and continue to be used across
447 * subsequent server reloads where the interactive password prompt is
448 * not possible.
449
450 * It is really an ABI nightmare waiting to happen since DSOs are
451 * reloaded across restarts, and nothing prevents the struct type
452 * changing across such reloads, yet the cached structure will be
453 * assumed to match regardless.
454 *
455 * This should really be fixed using a smaller structure which only
456 * stores that which is absolutely necessary (the private keys, maybe
457 * the random seed), and have that structure be strictly ABI-versioned
458 * for safety.
459 */
460typedef struct {
461    pid_t           pid;
462    apr_pool_t     *pPool;
463    BOOL            bFixed;
464
465    /* OpenSSL SSL_SESS_CACHE_* flags: */
466    long            sesscache_mode;
467
468    /* The configured provider, and associated private data
469     * structure. */
470    const ap_socache_provider_t *sesscache;
471    ap_socache_instance_t *sesscache_context;
472
473    apr_global_mutex_t   *pMutex;
474    apr_array_header_t   *aRandSeed;
475    apr_hash_t     *tVHostKeys;
476
477    /* A hash table of pointers to ssl_asn1_t structures.  The structures
478     * are used to store private keys in raw DER format (serialized OpenSSL
479     * PrivateKey structures).  The table is indexed by (vhost-id,
480     * index), for example the string "vhost.example.com:443:0". */
481    apr_hash_t     *tPrivateKey;
482
483#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
484    const char     *szCryptoDevice;
485#endif
486
487#ifdef HAVE_OCSP_STAPLING
488    const ap_socache_provider_t *stapling_cache;
489    ap_socache_instance_t *stapling_cache_context;
490    apr_global_mutex_t   *stapling_mutex;
491#endif
492} SSLModConfigRec;
493
494/** Structure representing configured filenames for certs and keys for
495 * a given vhost */
496typedef struct {
497    /* Lists of configured certs and keys for this server */
498    apr_array_header_t *cert_files;
499    apr_array_header_t *key_files;
500
501    /** Certificates which specify the set of CA names which should be
502     * sent in the CertificateRequest message: */
503    const char  *ca_name_path;
504    const char  *ca_name_file;
505} modssl_pk_server_t;
506
507typedef struct {
508    /** proxy can have any number of cert/key pairs */
509    const char  *cert_file;
510    const char  *cert_path;
511    const char  *ca_cert_file;
512    STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
513    STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
514                                * each item in certs.
515                                * (ptr to array of ptrs) */
516} modssl_pk_proxy_t;
517
518/** stuff related to authentication that can also be per-dir */
519typedef struct {
520    /** known/trusted CAs */
521    const char  *ca_cert_path;
522    const char  *ca_cert_file;
523
524    const char  *cipher_suite;
525
526    /** for client or downstream server authentication */
527    int          verify_depth;
528    ssl_verify_t verify_mode;
529} modssl_auth_ctx_t;
530
531#ifdef HAVE_TLS_SESSION_TICKETS
532typedef struct {
533    const char *file_path;
534    unsigned char key_name[16];
535    unsigned char hmac_secret[16];
536    unsigned char aes_key[16];
537} modssl_ticket_key_t;
538#endif
539
540#ifdef HAVE_SSL_CONF_CMD
541typedef struct {
542    const char *name;
543    const char *value;
544} ssl_ctx_param_t;
545#endif
546
547typedef struct SSLSrvConfigRec SSLSrvConfigRec;
548
549typedef struct {
550    SSLSrvConfigRec *sc; /** pointer back to server config */
551    SSL_CTX *ssl_ctx;
552
553    /** we are one or the other */
554    modssl_pk_server_t *pks;
555    modssl_pk_proxy_t  *pkp;
556
557#ifdef HAVE_TLS_SESSION_TICKETS
558    modssl_ticket_key_t *ticket_key;
559#endif
560
561    ssl_proto_t  protocol;
562
563    /** config for handling encrypted keys */
564    ssl_pphrase_t pphrase_dialog_type;
565    const char   *pphrase_dialog_path;
566
567    const char  *cert_chain;
568
569    /** certificate revocation list */
570    const char    *crl_path;
571    const char    *crl_file;
572    ssl_crlcheck_t crl_check_mode;
573
574#ifdef HAVE_OCSP_STAPLING
575    /** OCSP stapling options */
576    BOOL        stapling_enabled;
577    long        stapling_resptime_skew;
578    long        stapling_resp_maxage;
579    int         stapling_cache_timeout;
580    BOOL        stapling_return_errors;
581    BOOL        stapling_fake_trylater;
582    int         stapling_errcache_timeout;
583    apr_interval_time_t stapling_responder_timeout;
584    const char *stapling_force_url;
585#endif
586
587#ifdef HAVE_SRP
588    char *srp_vfile;
589    char *srp_unknown_user_seed;
590    SRP_VBASE  *srp_vbase;
591#endif
592
593    modssl_auth_ctx_t auth;
594
595    BOOL ocsp_enabled; /* true if OCSP verification enabled */
596    BOOL ocsp_force_default; /* true if the default responder URL is
597                              * used regardless of per-cert URL */
598    const char *ocsp_responder; /* default responder URL */
599    long ocsp_resptime_skew;
600    long ocsp_resp_maxage;
601    apr_interval_time_t ocsp_responder_timeout;
602#ifdef HAVE_SSL_CONF_CMD
603    SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
604    apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
605#endif
606} modssl_ctx_t;
607
608struct SSLSrvConfigRec {
609    SSLModConfigRec *mc;
610    ssl_enabled_t    enabled;
611    BOOL             proxy_enabled;
612    const char      *vhost_id;
613    int              vhost_id_len;
614    int              session_cache_timeout;
615    BOOL             cipher_server_pref;
616    BOOL             insecure_reneg;
617    modssl_ctx_t    *server;
618    modssl_ctx_t    *proxy;
619    ssl_enabled_t    proxy_ssl_check_peer_expire;
620    ssl_enabled_t    proxy_ssl_check_peer_cn;
621    ssl_enabled_t    proxy_ssl_check_peer_name;
622#ifdef HAVE_TLSEXT
623    ssl_enabled_t    strict_sni_vhost_check;
624#endif
625#ifdef HAVE_FIPS
626    BOOL             fips;
627#endif
628    BOOL             allow_empty_fragments;
629#ifndef OPENSSL_NO_COMP
630    BOOL             compression;
631#endif
632};
633
634/**
635 * Define the mod_ssl per-directory configuration structure
636 * (i.e. the local configuration for all &lt;Directory>
637 *  and .htaccess contexts)
638 */
639typedef struct {
640    BOOL          bSSLRequired;
641    apr_array_header_t *aRequirement;
642    ssl_opt_t     nOptions;
643    ssl_opt_t     nOptionsAdd;
644    ssl_opt_t     nOptionsDel;
645    const char   *szCipherSuite;
646    ssl_verify_t  nVerifyClient;
647    int           nVerifyDepth;
648    const char   *szCACertificatePath;
649    const char   *szCACertificateFile;
650    const char   *szUserName;
651    apr_size_t    nRenegBufferSize;
652} SSLDirConfigRec;
653
654/**
655 *  function prototypes
656 */
657
658/**  API glue structures  */
659extern module AP_MODULE_DECLARE_DATA ssl_module;
660
661/**  configuration handling   */
662SSLModConfigRec *ssl_config_global_create(server_rec *);
663void         ssl_config_global_fix(SSLModConfigRec *);
664BOOL         ssl_config_global_isfixed(SSLModConfigRec *);
665void        *ssl_config_server_create(apr_pool_t *, server_rec *);
666void        *ssl_config_server_merge(apr_pool_t *, void *, void *);
667void        *ssl_config_perdir_create(apr_pool_t *, char *);
668void        *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
669const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
670const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
671const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
672const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
673const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
674const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
675const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
676const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
677const char  *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
678const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
679const char  *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
680const char  *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
681const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
682const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
683const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
684const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
685const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
686const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
687const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
688const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
689const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
690const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
691const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
692const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
693const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
694const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
695const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
696const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
697const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
698
699const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
700const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
701const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
702const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
703const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
704const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
705const char  *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
706const char  *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
707const char  *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
708const char  *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
709const char  *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
710const char  *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
711const char  *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
712#ifdef HAVE_TLS_SESSION_TICKETS
713const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
714#endif
715const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
716const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
717const char  *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);
718
719const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
720const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
721const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
722const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
723const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
724const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
725
726#ifdef HAVE_SSL_CONF_CMD
727const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
728#endif
729
730#ifdef HAVE_SRP
731const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
732const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
733#endif
734
735const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
736const char *ssl_cmd_SSLAllowEmptyFragments(cmd_parms *cmd, void *dcfg, int flag);
737
738/**  module initialization  */
739apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
740apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
741apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
742                                      apr_array_header_t *);
743apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
744STACK_OF(X509_NAME)
745            *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
746void         ssl_init_Child(apr_pool_t *, server_rec *);
747apr_status_t ssl_init_ModuleKill(void *data);
748
749/**  Apache API hooks  */
750int          ssl_hook_Auth(request_rec *);
751int          ssl_hook_UserCheck(request_rec *);
752int          ssl_hook_Access(request_rec *);
753int          ssl_hook_Fixup(request_rec *);
754int          ssl_hook_ReadReq(request_rec *);
755int          ssl_hook_Upgrade(request_rec *);
756void         ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
757
758/** Apache authz provisders */
759extern const authz_provider ssl_authz_provider_require_ssl;
760extern const authz_provider ssl_authz_provider_verify_client;
761
762/**  OpenSSL callbacks */
763DH          *ssl_callback_TmpDH(SSL *, int, int);
764int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
765int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
766int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
767int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
768SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
769void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
770void         ssl_callback_Info(const SSL *, int, int);
771#ifdef HAVE_TLSEXT
772int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
773#endif
774#ifdef HAVE_TLS_SESSION_TICKETS
775int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
776                                       EVP_CIPHER_CTX *, HMAC_CTX *, int);
777#endif
778
779/**  Session Cache Support  */
780apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
781void         ssl_scache_status_register(apr_pool_t *p);
782void         ssl_scache_kill(server_rec *);
783BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
784                              apr_time_t, SSL_SESSION *, apr_pool_t *);
785SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
786void         ssl_scache_remove(server_rec *, UCHAR *, int,
787                               apr_pool_t *);
788
789/** Proxy Support */
790int ssl_proxy_enable(conn_rec *c);
791int ssl_engine_disable(conn_rec *c);
792
793/** OCSP Stapling Support */
794#ifdef HAVE_OCSP_STAPLING
795const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
796const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
797const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
798const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
799const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
800const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
801const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
802const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
803const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
804const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
805apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
806void         ssl_stapling_ex_init(void);
807int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
808#endif
809#ifdef HAVE_SRP
810int          ssl_callback_SRPServerParams(SSL *, int *, void *);
811#endif
812
813/**  I/O  */
814void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
815void         ssl_io_filter_register(apr_pool_t *);
816long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);
817
818/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
819 * to allow an SSL renegotiation to take place. */
820int          ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
821
822/**  PRNG  */
823int          ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
824
825/**  Utility Functions  */
826char        *ssl_util_vhostid(apr_pool_t *, server_rec *);
827apr_file_t  *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
828                             const char * const *);
829void         ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
830char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
831                                 const char * const *);
832BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
833void         ssl_util_thread_setup(apr_pool_t *);
834int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);
835
836/**  Pass Phrase Support  */
837apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
838                                     const char *, apr_array_header_t **);
839
840/**  Diffie-Hellman Parameter Support  */
841DH           *ssl_dh_GetParamFromFile(const char *);
842#ifdef HAVE_ECC
843EC_GROUP     *ssl_ec_GetParamFromFile(const char *);
844#endif
845
846unsigned char *ssl_asn1_table_set(apr_hash_t *table,
847                                  const char *key,
848                                  long int length);
849
850ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
851                               const char *key);
852
853void ssl_asn1_table_unset(apr_hash_t *table,
854                          const char *key);
855
856/**  Mutex Support  */
857int          ssl_mutex_init(server_rec *, apr_pool_t *);
858int          ssl_mutex_reinit(server_rec *, apr_pool_t *);
859int          ssl_mutex_on(server_rec *);
860int          ssl_mutex_off(server_rec *);
861
862int          ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
863
864/* mutex type names for Mutex directive */
865#define SSL_CACHE_MUTEX_TYPE    "ssl-cache"
866#define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"
867
868apr_status_t ssl_die(server_rec *);
869
870/**  Logfile Support  */
871void         ssl_log_ssl_error(const char *, int, int, server_rec *);
872
873/* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
874 * respective ap_log_*error functions and take a certificate as an
875 * additional argument (whose details are appended to the log message).
876 * The other arguments are interpreted exactly as with their ap_log_*error
877 * counterparts. */
878void ssl_log_xerror(const char *file, int line, int level,
879                    apr_status_t rv, apr_pool_t *p, server_rec *s,
880                    X509 *cert, const char *format, ...)
881    __attribute__((format(printf,8,9)));
882
883void ssl_log_cxerror(const char *file, int line, int level,
884                     apr_status_t rv, conn_rec *c, X509 *cert,
885                     const char *format, ...)
886    __attribute__((format(printf,7,8)));
887
888void ssl_log_rxerror(const char *file, int line, int level,
889                     apr_status_t rv, request_rec *r, X509 *cert,
890                     const char *format, ...)
891    __attribute__((format(printf,7,8)));
892
893#define SSLLOG_MARK              __FILE__,__LINE__
894
895/**  Variables  */
896
897/* Register variables for the lifetime of the process pool 'p'. */
898void         ssl_var_register(apr_pool_t *p);
899char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
900apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
901
902void         ssl_var_log_config_register(apr_pool_t *p);
903
904/* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
905 * allocating from 'p': */
906void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
907
908#ifndef OPENSSL_NO_OCSP
909/* Perform OCSP validation of the current cert in the given context.
910 * Returns non-zero on success or zero on failure.  On failure, the
911 * context error code is set. */
912int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
913                       server_rec *s, conn_rec *c, apr_pool_t *pool);
914
915/* OCSP helper interface; dispatches the given OCSP request to the
916 * responder at the given URI.  Returns the decoded OCSP response
917 * object, or NULL on error (in which case, errors will have been
918 * logged).  Pool 'p' is used for temporary allocations. */
919OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
920                                            apr_interval_time_t timeout,
921                                            OCSP_REQUEST *request,
922                                            conn_rec *c, apr_pool_t *p);
923#endif
924
925#endif /* SSL_PRIVATE_H */
926/** @} */
927
928