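/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef SSL_PRIVATE_H
#define SSL_PRIVATE_H

/**
 * @file ssl_private.h
 * @brief Internal interfaces private to mod_ssl.
 *
 * Everything declared here is shared only between the mod_ssl source
 * files; nothing in it is part of the public httpd module API.
 *
 * @defgroup MOD_SSL_PRIVATE Private
 * @ingroup MOD_SSL
 * @{
 */

/** Apache headers */
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_connection.h"
#include "http_request.h"
#include "http_protocol.h"
#include "http_vhost.h"
#include "util_script.h"
#include "util_filter.h"
#include "util_ebcdic.h"
#include "mpm.h"
#include "apr.h"
#include "apr_strings.h"
#define APR_WANT_STRFUNC
#include "apr_want.h"
#include "apr_tables.h"
#include "apr_lib.h"
#include "apr_fnmatch.h"
#include "apr_strings.h"
#include "apr_dbm.h"
#include "apr_rmm.h"
#include "apr_shm.h"
#include "apr_global_mutex.h"
#include "apr_optional.h"

#define MOD_SSL_VERSION AP_SERVER_BASEREVISION

/** mod_ssl headers */
#include "ssl_toolkit_compat.h"
#include "ssl_expr.h"

/* SSL_OP_NO_TLSv1_2 exists only in toolkits that know TLS 1.1/1.2, so it
 * doubles as the feature probe for the SSL_PROTOCOL_TLSV1_x bits below. */
#ifdef SSL_OP_NO_TLSv1_2
#define HAVE_TLSV1_X
#endif

/* A toolkit older than 0.9.8 has no SSL_OP_NO_COMPRESSION, i.e. no way to
 * control compression per context; treat it as built without compression. */
#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
    && OPENSSL_VERSION_NUMBER < 0x00908000L
#define OPENSSL_NO_COMP
#endif

#include "ssl_util_ssl.h"

/** The #ifdef macros are only defined AFTER including the above
 *  therefore we cannot include these system files at the top :-(
 */
#if APR_HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#if APR_HAVE_UNISTD_H
#include <unistd.h> /** needed for STDIN_FILENO et.al., at least on FreeBSD */
#endif

/**
 * Provide reasonable default for some defines
 */
#ifndef FALSE
#define FALSE (0)
#endif
#ifndef TRUE
#define TRUE (!FALSE)
#endif
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
#ifndef PTRUE
#define PTRUE ((void *)TRUE)
#endif
/* UNSET marks a directive that was never configured; several enums below
 * use it as their "not yet merged" value. */
#ifndef UNSET
#define UNSET (-1)
#endif
#ifndef NUL
#define NUL '\0'
#endif
#ifndef RAND_MAX
#include <limits.h>
#define RAND_MAX INT_MAX
#endif

/**
 * Provide reasonable defines for some types
 */
#ifndef BOOL
#define BOOL unsigned int
#endif
#ifndef UCHAR
#define UCHAR unsigned char
#endif

/**
 * Provide useful shorthands
 *
 * Every macro argument and every expansion is parenthesized, so the
 * shorthands can be used inside larger expressions without precedence
 * surprises.  Arguments may be evaluated more than once (strIsEmpty
 * evaluates s twice) -- do not pass expressions with side effects.
 */
#define strEQ(s1,s2)     (strcmp((s1),(s2))        == 0)
#define strNE(s1,s2)     (strcmp((s1),(s2))        != 0)
#define strEQn(s1,s2,n)  (strncmp((s1),(s2),(n))   == 0)
#define strNEn(s1,s2,n)  (strncmp((s1),(s2),(n))   != 0)

#define strcEQ(s1,s2)    (strcasecmp((s1),(s2))      == 0)
#define strcNE(s1,s2)    (strcasecmp((s1),(s2))      != 0)
#define strcEQn(s1,s2,n) (strncasecmp((s1),(s2),(n)) == 0)
#define strcNEn(s1,s2,n) (strncasecmp((s1),(s2),(n)) != 0)

#define strIsEmpty(s)    ((s) == NULL || (s)[0] == NUL)

/* Module-config accessors.  The cast and the call are wrapped together so
 * that e.g. myConnConfig(c)->server binds the way the reader expects. */
#define myConnConfig(c) \
    ((SSLConnRec *)ap_get_module_config((c)->conn_config, &ssl_module))
/* Pick the proxy (outbound) or server (inbound) context for a connection. */
#define myCtxConfig(sslconn, sc) \
    ((sslconn)->is_proxy ? (sc)->proxy : (sc)->server)
#define myConnConfigSet(c, val) \
    ap_set_module_config((c)->conn_config, &ssl_module, (val))
#define mySrvConfig(srv) \
    ((SSLSrvConfigRec *)ap_get_module_config((srv)->module_config, &ssl_module))
#define myDirConfig(req) \
    ((SSLDirConfigRec *)ap_get_module_config((req)->per_dir_config, &ssl_module))
#define myModConfig(srv)        (mySrvConfig(srv)->mc)
#define mySrvFromConn(c)        (myConnConfig(c)->server)
#define mySrvConfigFromConn(c)  mySrvConfig(mySrvFromConn(c))
#define myModConfigFromConn(c)  myModConfig(mySrvFromConn(c))

/* Generic per-process scratch slots (SSLModConfigRec.rCtx.pV1..pV10);
 * num is the slot number, pasted onto the field name. */
#define myCtxVarSet(mc,num,val)  ((mc)->rCtx.pV##num = (val))
#define myCtxVarGet(mc,num,type) ((type)((mc)->rCtx.pV##num))

/**
 * Defaults for the configuration
 */
/* Session cache entry lifetime in seconds (SSLSessionCacheTimeout). */
#ifndef SSL_SESSION_CACHE_TIMEOUT
#define SSL_SESSION_CACHE_TIMEOUT 300
#endif

/* Default setting for per-dir reneg buffer. */
#ifndef DEFAULT_RENEG_BUFFER_SIZE
#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
#endif

/**
 * Support for MM library
 *
 * NOTE(review): both file modes below include APR_WREAD, i.e. the session
 * cache files are created world-readable; confirm the files never hold
 * material that an unprivileged local user should not be able to read.
 */
#define SSL_MM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )

/**
 * Support for DBM library
 */
#define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )

/* File-name suffixes of the DBM session cache; the pair depends on which
 * DBM implementation APR was built against. */
#if !defined(SSL_DBM_FILE_SUFFIX_DIR) && !defined(SSL_DBM_FILE_SUFFIX_PAG)
#if defined(DBM_SUFFIX)
#define SSL_DBM_FILE_SUFFIX_DIR DBM_SUFFIX
#define SSL_DBM_FILE_SUFFIX_PAG DBM_SUFFIX
#elif defined(__FreeBSD__) || (defined(DB_LOCK) && defined(DB_SHMEM))
#define SSL_DBM_FILE_SUFFIX_DIR ".db"
#define SSL_DBM_FILE_SUFFIX_PAG ".db"
#else
#define SSL_DBM_FILE_SUFFIX_DIR ".dir"
#define SSL_DBM_FILE_SUFFIX_PAG ".pag"
#endif
#endif

/**
 * Define the certificate algorithm types
 *
 * ssl_algo_t is a bit mask of SSL_ALGO_* values; SSL_AIDX_* are the
 * corresponding array indices used by modssl_pk_server_t.
 */

typedef int ssl_algo_t;

#define SSL_ALGO_UNKNOWN (0)
#define SSL_ALGO_RSA     (1<<0)
#define SSL_ALGO_DSA     (1<<1)
#ifndef OPENSSL_NO_EC
#define SSL_ALGO_ECC     (1<<2)
#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
#else
#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA)
#endif

#define SSL_AIDX_RSA     (0)
#define SSL_AIDX_DSA     (1)
#ifndef OPENSSL_NO_EC
#define SSL_AIDX_ECC     (2)
#define SSL_AIDX_MAX     (3)
#else
#define SSL_AIDX_MAX     (2)
#endif


/**
 * Define IDs for the temporary RSA keys and DH params
 *
 * Indices into SSLModConfigRec.pTmpKeys; SSL_TMP_KEY_MAX is the array size.
 */

#define SSL_TMP_KEY_RSA_512  (0)
#define SSL_TMP_KEY_RSA_1024 (1)
#define SSL_TMP_KEY_DH_512   (2)
#define SSL_TMP_KEY_DH_1024  (3)
#ifndef OPENSSL_NO_EC
#define SSL_TMP_KEY_EC_256   (4)
#define SSL_TMP_KEY_MAX      (5)
#else
#define SSL_TMP_KEY_MAX      (4)
#endif

/**
 * Define the SSL options
 *
 * Bit mask stored in SSLDirConfigRec.nOptions*; bit (1<<2) is not
 * assigned in this header.
 */
#define SSL_OPT_NONE           (0)
#define SSL_OPT_RELSET         (1<<0)
#define SSL_OPT_STDENVVARS     (1<<1)
#define SSL_OPT_EXPORTCERTDATA (1<<3)
#define SSL_OPT_FAKEBASICAUTH  (1<<4)
#define SSL_OPT_STRICTREQUIRE  (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_ALL            (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
typedef int ssl_opt_t;

/**
 * Define the SSL Protocol options
 *
 * Bit mask stored in modssl_ctx_t.protocol.  SSL_MOST_ALL/SSL_PROTOCOL_ALL
 * include SSLv2 whenever the toolkit was built with it, so "ALL" is only as
 * restrictive as the toolkit.  SSL_MOST_ALL is parenthesized so that a use
 * such as `proto & SSL_MOST_ALL` masks the whole set rather than a single bit.
 */
#define SSL_PROTOCOL_NONE  (0)
#ifndef OPENSSL_NO_SSL2
#define SSL_PROTOCOL_SSLV2 (1<<0)
#endif
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
#ifdef OPENSSL_NO_SSL2
#define SSL_MOST_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#else
#define SSL_MOST_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#endif
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL   (SSL_MOST_ALL|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
#define SSL_PROTOCOL_ALL   (SSL_MOST_ALL)
#endif
typedef int ssl_proto_t;

/**
 * Define the SSL verify levels
 *
 * Client/peer certificate verification mode (SSLVerifyClient,
 * SSLProxyVerify).  Stored in modssl_auth_ctx_t.verify_mode and
 * SSLDirConfigRec.nVerifyClient.
 */
typedef enum {
    SSL_CVERIFY_UNSET           = UNSET,
    SSL_CVERIFY_NONE            = 0,
    SSL_CVERIFY_OPTIONAL        = 1,
    SSL_CVERIFY_REQUIRE         = 2,
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
} ssl_verify_t;

/* OpenSSL verify flags for SSL_CVERIFY_REQUIRE: a missing peer cert is a
 * handshake failure, not merely an unset client_cert. */
#define SSL_VERIFY_PEER_STRICT \
     (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)

#ifndef X509_V_ERR_CERT_UNTRUSTED
#define X509_V_ERR_CERT_UNTRUSTED 27
#endif

/* The X509 verification errors that are tolerated under
 * SSL_CVERIFY_OPTIONAL_NO_CA: all are "chain does not lead to a trusted
 * CA" conditions, not malformed-certificate conditions. */
#define ssl_verify_error_is_optional(errnum) \
   (((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
    || ((errnum) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
    || ((errnum) == X509_V_ERR_CERT_UNTRUSTED) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))

/**
 * Define the SSL pass phrase dialog types
 *
 * How the private-key pass phrase is obtained (SSLPassPhraseDialog);
 * stored in modssl_ctx_t.pphrase_dialog_type.
 */
typedef enum {
    SSL_PPTYPE_UNSET   = UNSET,
    SSL_PPTYPE_BUILTIN = 0,
    SSL_PPTYPE_FILTER  = 1,
    SSL_PPTYPE_PIPE    = 2
} ssl_pphrase_t;

/**
 * Define the Path Checking modes
 *
 * Bit mask accepted by ssl_util_path_check().
 */
#define SSL_PCM_EXISTS     1
#define SSL_PCM_ISREG      2
#define SSL_PCM_ISDIR      4
#define SSL_PCM_ISNONZERO  8
typedef unsigned int ssl_pathcheck_t;

/**
 * Define the SSL session cache modes and structures
 *
 * Value 2 is not assigned in this header.
 */
typedef enum {
    SSL_SCMODE_UNSET = UNSET,
    SSL_SCMODE_NONE  = 0,
    SSL_SCMODE_DBM   = 1,
    SSL_SCMODE_SHMCB = 3,
    SSL_SCMODE_DC    = 4,
    SSL_SCMODE_NONE_NOT_NULL = 5
} ssl_scmode_t;

/**
 * Define the SSL mutex modes
 */
typedef enum {
    SSL_MUTEXMODE_UNSET  = UNSET,
    SSL_MUTEXMODE_NONE   = 0,
    SSL_MUTEXMODE_USED   = 1
} ssl_mutexmode_t;

/**
 * Define the SSL enabled state
 *
 * Tri-state (plus UNSET) used for SSLEngine and the proxy peer checks;
 * value 2 is not assigned.
 */
typedef enum {
    SSL_ENABLED_UNSET    = UNSET,
    SSL_ENABLED_FALSE    = 0,
    SSL_ENABLED_TRUE     = 1,
    SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t;

/**
 * Define the SSL requirement structure
 *
 * One SSLRequire directive: the expression source text and its parsed form.
 */
typedef struct {
    char     *cpExpr;
    ssl_expr *mpExpr;
} ssl_require_t;

/**
 * Define the SSL random number generator seeding source
 *
 * ssl_rsctx_t says WHEN a seed is applied (startup vs. per connection);
 * ssl_rssrc_t says WHERE it comes from; ssl_randseed_t is one
 * SSLRandomSeed entry combining both with its path and byte count.
 */
typedef enum {
    SSL_RSCTX_STARTUP = 1,
    SSL_RSCTX_CONNECT = 2
} ssl_rsctx_t;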
/* Origin of an SSLRandomSeed entry (see ssl_randseed_t below). */
typedef enum {
    SSL_RSSRC_BUILTIN = 1,
    SSL_RSSRC_FILE    = 2,
    SSL_RSSRC_EXEC    = 3,
    SSL_RSSRC_EGD     = 4
} ssl_rssrc_t;
/* One SSLRandomSeed directive: when it applies, where the entropy comes
 * from, the path of the file/program/socket (meaning depends on nSrc), and
 * how many bytes to read from it. */
typedef struct {
    ssl_rsctx_t  nCtx;
    ssl_rssrc_t  nSrc;
    char        *cpPath;
    int          nBytes;
} ssl_randseed_t;

/**
 * Define the structure of an ASN.1 anything
 *
 * A DER blob of nData bytes at cpData, plus the mtime of the file it was
 * loaded from (used by the ssl_asn1_table_* helpers declared below).
 */
typedef struct {
    long int       nData;
    unsigned char *cpData;
    apr_time_t     source_mtime;
} ssl_asn1_t;

/**
 * Define the mod_ssl per-module configuration structure
 * (i.e. the global configuration for each httpd process)
 */

/* How the SSL connection is closed (SSLOptions / shutdown handling). */
typedef enum {
    SSL_SHUTDOWN_TYPE_UNSET,
    SSL_SHUTDOWN_TYPE_STANDARD,
    SSL_SHUTDOWN_TYPE_UNCLEAN,
    SSL_SHUTDOWN_TYPE_ACCURATE
} ssl_shutdown_type_e;

/* Per-connection state; reached through myConnConfig(c). */
typedef struct {
    SSL *ssl;
    const char *client_dn;        /* peer subject DN, if a cert was presented */
    X509 *client_cert;            /* peer certificate, if any */
    ssl_shutdown_type_e shutdown_type;
    const char *verify_info;
    const char *verify_error;     /* last verification error text, if any */
    int verify_depth;
    int is_proxy;                 /* non-zero: outbound (proxy) connection */
    int disabled;
    enum {
        NON_SSL_OK = 0,        /* is SSL request, or error handling completed */
        NON_SSL_SEND_HDR_SEP,  /* Need to send the header separator */
        NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
    } non_ssl_request;

    /* Track the handshake/renegotiation state for the connection so
     * that all client-initiated renegotiations can be rejected, as a
     * partial fix for CVE-2009-3555. */
    enum {
        RENEG_INIT = 0, /* Before initial handshake */
        RENEG_REJECT,   /* After initial handshake; any client-initiated
                         * renegotiation should be rejected */
        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
                         * place (as dictated by configuration) */
        RENEG_ABORT     /* Renegotiation initiated by client, abort the
                         * connection */
    } reneg_state;

    server_rec *server;           /* the (possibly SNI-selected) vhost */
} SSLConnRec;

/* Process-global module state, shared by all vhosts (SSLSrvConfigRec.mc). */
typedef struct {
    pid_t           pid;
    apr_pool_t     *pPool;
    BOOL            bFixed;                 /* set by ssl_config_global_fix() */
    int             nSessionCacheMode;      /* an ssl_scmode_t value */
    char           *szSessionCacheDataFile;
    int             nSessionCacheDataSize;
    apr_shm_t      *pSessionCacheDataMM;
    apr_rmm_t      *pSessionCacheDataRMM;
    void           *tSessionCacheDataTable;
    ssl_mutexmode_t nMutexMode;
    apr_lockmech_e  nMutexMech;
    const char     *szMutexFile;
    apr_global_mutex_t   *pMutex;
    apr_array_header_t   *aRandSeed;        /* array of ssl_randseed_t */
    apr_hash_t     *tVHostKeys;
    void           *pTmpKeys[SSL_TMP_KEY_MAX]; /* indexed by SSL_TMP_KEY_* */
    apr_hash_t     *tPublicCert;
    apr_hash_t     *tPrivateKey;
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
    const char     *szCryptoDevice;         /* SSLCryptoDevice engine name */
#endif
    /* Free-form scratch slots accessed via myCtxVarSet/myCtxVarGet. */
    struct {
        void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
    } rCtx;
} SSLModConfigRec;

/** public cert/private key */
typedef struct {
    /**
     * One slot per certificate algorithm, indexed by SSL_AIDX_*
     * (RSA, DSA and -- when the toolkit has EC -- ECC), so at most
     * SSL_AIDX_MAX certs/keys per server.
     */
    const char  *cert_files[SSL_AIDX_MAX];
    const char  *key_files[SSL_AIDX_MAX];
    X509        *certs[SSL_AIDX_MAX];
    EVP_PKEY    *keys[SSL_AIDX_MAX];

    /** Certificates which specify the set of CA names which should be
     * sent in the CertificateRequest message: */
    const char  *ca_name_path;
    const char  *ca_name_file;
} modssl_pk_server_t;

typedef struct {
    /** proxy can have any number of cert/key pairs */
    const char  *cert_file;
    const char  *cert_path;
    const char  *ca_cert_file;
    STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
    STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
                                * each item in certs.
                                * (ptr to array of ptrs) */
} modssl_pk_proxy_t;

/** stuff related to authentication that can also be per-dir */
typedef struct {
    /** known/trusted CAs */
    const char  *ca_cert_path;
    const char  *ca_cert_file;

    const char  *cipher_suite;

    /** for client or downstream server authentication */
    int          verify_depth;
    ssl_verify_t verify_mode;
} modssl_auth_ctx_t;

typedef struct SSLSrvConfigRec SSLSrvConfigRec;

/* One SSL_CTX and its configuration; a vhost has one for the server side
 * and one for the proxy side (SSLSrvConfigRec.server / .proxy). */
typedef struct {
    SSLSrvConfigRec *sc; /** pointer back to server config */
    SSL_CTX *ssl_ctx;

    /** we are one or the other */
    modssl_pk_server_t *pks;
    modssl_pk_proxy_t  *pkp;

    ssl_proto_t  protocol;        /* SSL_PROTOCOL_* bit mask */

    /** config for handling encrypted keys */
    ssl_pphrase_t pphrase_dialog_type;
    const char   *pphrase_dialog_path;

    const char  *cert_chain;

    /** certificate revocation list */
    const char    *crl_path;
    const char    *crl_file;
    X509_STORE    *crl;

    modssl_auth_ctx_t auth;
} modssl_ctx_t;

/* Per-vhost configuration; reached through mySrvConfig(s). */
struct SSLSrvConfigRec {
    SSLModConfigRec *mc;
    ssl_enabled_t    enabled;
    BOOL             proxy_enabled;
    const char      *vhost_id;
    int              vhost_id_len;
    int              session_cache_timeout;
    BOOL             cipher_server_pref;   /* SSLHonorCipherOrder */
    BOOL             insecure_reneg;       /* presumably SSLInsecureRenegotiation;
                                            * verify in ssl_engine_config.c */
    modssl_ctx_t    *server;
    modssl_ctx_t    *proxy;
    ssl_enabled_t    proxy_ssl_check_peer_expire;
    ssl_enabled_t    proxy_ssl_check_peer_cn;
#ifndef OPENSSL_NO_TLSEXT
    ssl_enabled_t    strict_sni_vhost_check;
#endif
#ifdef HAVE_FIPS
    BOOL             fips;
#endif
#ifndef OPENSSL_NO_COMP
    BOOL             compression;
#endif
};

/**
 * Define the mod_ssl per-directory configuration structure
 * (i.e. the local configuration for all <Directory>
 * and .htaccess contexts)
 */
typedef struct {
    BOOL     bSSLRequired;                 /* SSLRequireSSL */
    apr_array_header_t *aRequirement;      /* array of ssl_require_t */
    ssl_opt_t nOptions;
    ssl_opt_t nOptionsAdd;                 /* "+opt" bits, applied at merge */
    ssl_opt_t nOptionsDel;                 /* "-opt" bits, applied at merge */
    const char *szCipherSuite;
    ssl_verify_t nVerifyClient;
    int     nVerifyDepth;
    const char *szCACertificatePath;
    const char *szCACertificateFile;
    const char *szUserName;
    apr_size_t nRenegBufferSize;           /* cap for ssl_io_buffer_fill() */
} SSLDirConfigRec;

/**
 * function prototypes
 */

/** API glue structures */
extern module AP_MODULE_DECLARE_DATA ssl_module;

/** "global" stuff */
extern const char ssl_valid_ssl_mutex_string[];

/** configuration handling */
SSLModConfigRec *ssl_config_global_create(server_rec *);
void         ssl_config_global_fix(SSLModConfigRec *);
BOOL         ssl_config_global_isfixed(SSLModConfigRec *);
void        *ssl_config_server_create(apr_pool_t *, server_rec *);
void        *ssl_config_server_merge(apr_pool_t *, void *, void *);
void        *ssl_config_perdir_create(apr_pool_t *, char *);
void        *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
/* Directive handlers: return NULL on success or an error string for the
 * config parser, as httpd's cmd_func convention requires. */
const char  *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);

const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);

const char  *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);

/** module initialization */
int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void         ssl_init_Engine(server_rec *, apr_pool_t *);
void         ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
void         ssl_init_CheckServers(server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
            *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
void         ssl_init_Child(apr_pool_t *, server_rec *);
apr_status_t ssl_init_ModuleKill(void *data);

/** Apache API hooks */
int          ssl_hook_Auth(request_rec *);
int          ssl_hook_UserCheck(request_rec *);
int          ssl_hook_Access(request_rec *);
int          ssl_hook_Fixup(request_rec *);
int          ssl_hook_ReadReq(request_rec *);
int          ssl_hook_Upgrade(request_rec *);
void         ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);

/** OpenSSL callbacks */
RSA         *ssl_callback_TmpRSA(SSL *, int, int);
DH          *ssl_callback_TmpDH(SSL *, int, int);
#ifndef OPENSSL_NO_EC
EC_KEY      *ssl_callback_TmpECDH(SSL *, int, int);
#endif
int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
void         ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
#ifndef OPENSSL_NO_TLSEXT
int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif

/** Session Cache Support
 *
 * The generic ssl_scache_* entry points dispatch to one of the dbm, shmcb
 * or dc back ends below (selected by SSLModConfigRec.nSessionCacheMode).
 * store/retrieve/remove take (server, session id bytes, id length[, ...]);
 * the meaning of the time_t argument to the store functions is not shown
 * here -- check ssl_scache.c. */
void         ssl_scache_init(server_rec *, apr_pool_t *);
void         ssl_scache_status_register(apr_pool_t *p);
void         ssl_scache_kill(server_rec *);
BOOL         ssl_scache_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int);
void         ssl_scache_remove(server_rec *, UCHAR *, int);

char        *ssl_scache_id2sz(UCHAR *, int);
void         ssl_scache_dbm_init(server_rec *, apr_pool_t *);
void         ssl_scache_dbm_kill(server_rec *);
BOOL         ssl_scache_dbm_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *, UCHAR *, int);
void         ssl_scache_dbm_remove(server_rec *, UCHAR *, int);
void         ssl_scache_dbm_status(request_rec *r, int flags, apr_pool_t *pool);

void         ssl_scache_shmcb_init(server_rec *, apr_pool_t *);
void         ssl_scache_shmcb_kill(server_rec *);
BOOL         ssl_scache_shmcb_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *, UCHAR *, int);
void         ssl_scache_shmcb_remove(server_rec *, UCHAR *, int);
void         ssl_scache_shmcb_status(request_rec *r, int flags, apr_pool_t *pool);

void         ssl_scache_dc_init(server_rec *, apr_pool_t *);
void         ssl_scache_dc_kill(server_rec *);
BOOL         ssl_scache_dc_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_dc_retrieve(server_rec *, UCHAR *, int);
void         ssl_scache_dc_remove(server_rec *, UCHAR *, int);
void         ssl_scache_dc_status(request_rec *r, int flags, apr_pool_t *pool);

/** Proxy Support */
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);

/** I/O */
void         ssl_io_filter_init(conn_rec *, SSL *);
void         ssl_io_filter_register(apr_pool_t *);
long         ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);

/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
 * to allow an SSL renegotiation to take place.  maxlen bounds how much
 * request body is buffered (cf. SSLDirConfigRec.nRenegBufferSize). */
int          ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);

/* PRNG */
int          ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);

/** Utility Functions */
char        *ssl_util_vhostid(apr_pool_t *, server_rec *);
/* Spawn a pass-phrase/filter program; the last argument is its argv. */
apr_file_t  *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
                             const char * const *);
void         ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
                                 const char * const *);
/* Check a path against an SSL_PCM_* mask. */
BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
ssl_algo_t   ssl_util_algotypeof(X509 *, EVP_PKEY *);
char        *ssl_util_algotypestr(ssl_algo_t);
void         ssl_util_thread_setup(apr_pool_t *);
int          ssl_init_ssl_connection(conn_rec *c);

/** Pass Phrase Support */
void         ssl_pphrase_Handle(server_rec *, apr_pool_t *);

/** Diffie-Hellman Parameter Support */
DH           *ssl_dh_GetTmpParam(int);
DH           *ssl_dh_GetParamFromFile(char *);

/* Table of ssl_asn1_t keyed by string; used to pass DER-encoded certs and
 * keys between startup phases.  ssl_asn1_table_set returns the buffer the
 * caller must fill with `length` bytes. */
unsigned char *ssl_asn1_table_set(apr_hash_t *table,
                                  const char *key,
                                  long int length);

ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
                               const char *key);

void ssl_asn1_table_unset(apr_hash_t *table,
                          const char *key);

const char *ssl_asn1_keystr(int keytype);

const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
                                  const char *id,
                                  int keytype);
/** Mutex Support */
int          ssl_mutex_init(server_rec *, apr_pool_t *);
int          ssl_mutex_reinit(server_rec *, apr_pool_t *);
int          ssl_mutex_on(server_rec *);
int          ssl_mutex_off(server_rec *);

/** Logfile Support */
void         ssl_die(void);
void         ssl_log_ssl_error(const char *, int, int, server_rec *);

/** Variables */

/* Register variables for the lifetime of the process pool 'p'. */
void         ssl_var_register(apr_pool_t *p);
char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
/* Look up a certificate extension by OID on the peer (peer != 0) or
 * server certificate of connection c. */
const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);

extern apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr);

void         ssl_var_log_config_register(apr_pool_t *p);

/* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
 * allocating from 'p': */
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);

/* Upper bound for the shared-memory session cache segment (64 MiB). */
#define APR_SHM_MAXSIZE (64 * 1024 * 1024)

#endif /* SSL_PRIVATE_H */
/** @} */