1 /* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef SSL_PRIVATE_H 18 #define SSL_PRIVATE_H 19 20 /** 21 * @file ssl_private.h 22 * @brief Internal interfaces private to mod_ssl. 23 * 24 * @defgroup MOD_SSL_PRIVATE Private 25 * @ingroup MOD_SSL 26 * @{ 27 */ 28 29 /** Apache headers */ 30 #include "httpd.h" 31 #include "http_config.h" 32 #include "http_core.h" 33 #include "http_log.h" 34 #include "http_main.h" 35 #include "http_connection.h" 36 #include "http_request.h" 37 #include "http_protocol.h" 38 #include "http_vhost.h" 39 #include "util_script.h" 40 #include "util_filter.h" 41 #include "util_ebcdic.h" 42 #include "util_mutex.h" 43 #include "apr.h" 44 #include "apr_strings.h" 45 #define APR_WANT_STRFUNC 46 #define APR_WANT_MEMFUNC 47 #include "apr_want.h" 48 #include "apr_tables.h" 49 #include "apr_lib.h" 50 #include "apr_fnmatch.h" 51 #include "apr_strings.h" 52 #include "apr_global_mutex.h" 53 #include "apr_optional.h" 54 #include "ap_socache.h" 55 #include "mod_auth.h" 56 57 /* The #ifdef macros are only defined AFTER including the above 58 * therefore we cannot include these system files at the top :-( 59 */ 60 #ifdef APR_HAVE_STDLIB_H 61 #include <stdlib.h> 62 #endif 63 #if APR_HAVE_SYS_TIME_H 
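#include <sys/time.h>
#endif
#if APR_HAVE_UNISTD_H
#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
#endif

/* Boolean conventions used throughout mod_ssl.  TRUE expands to !FALSE
 * (i.e. 1), so BOOL values must be tested as zero/non-zero rather than
 * compared for equality with TRUE. */
#ifndef FALSE
#define FALSE 0
#endif

#ifndef TRUE
#define TRUE !FALSE
#endif

#ifndef BOOL
#define BOOL unsigned int
#endif

#include "ap_expr.h"

/* OpenSSL headers */
#include <openssl/opensslv.h>
#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
/* must be defined before including ssl.h: hides OpenSSL's internal
 * SSL/SSL_CTX structure layouts so mod_ssl only goes through the
 * accessor API on 1.0.1 and later */
#define OPENSSL_NO_SSL_INTERN
#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/ocsp.h>

/* Avoid tripping over an engine build installed globally and detected
 * when the user points at an explicit non-engine flavor of OpenSSL
 */
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
#include <openssl/engine.h>
#endif

#if (OPENSSL_VERSION_NUMBER < 0x0090700f)
#error mod_ssl requires OpenSSL 0.9.7 or later
#endif

/* ...shifting sands of OpenSSL...
 *
 * The MODSSL_*_CONST macros paper over the releases in which OpenSSL
 * const-qualified the input pointer of its d2i_* decoders and the
 * SSL_CIPHER/SSL_METHOD accessors: they expand to "const" on versions
 * that carry the qualifier and to nothing on older ones.
 */
#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
#define MODSSL_D2I_SSL_SESSION_CONST const
#else
#define MODSSL_D2I_SSL_SESSION_CONST
#endif

#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
#define HAVE_GENERATE_EX
#define MODSSL_D2I_ASN1_type_bytes_CONST const
#define MODSSL_D2I_PrivateKey_CONST const
#define MODSSL_D2I_X509_CONST const
#else
#define MODSSL_D2I_ASN1_type_bytes_CONST
#define MODSSL_D2I_PrivateKey_CONST
#define MODSSL_D2I_X509_CONST
#endif

/* OCSP stapling needs OpenSSL 0.9.8h or later with both the OCSP code
 * and the TLS extension machinery compiled in. */
#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
    && !defined(OPENSSL_NO_TLSEXT)
#define HAVE_OCSP_STAPLING
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
/* pre-1.0.0 has only the untyped STACK API */
#define sk_OPENSSL_STRING_pop sk_pop
#endif
#endif

/* The SSLFIPS directive is only functional on an OpenSSL 0.9.8j or
 * later that was built with OPENSSL_FIPS. */
#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif

#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
#else
#define MODSSL_SSL_CIPHER_CONST
#define MODSSL_SSL_METHOD_CONST
/* ECC support came along in OpenSSL 1.0.0 */
#define OPENSSL_NO_EC
#endif

#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
#endif
#endif

/* An OpenSSL without the SNI control is treated as having no TLS
 * extension support at all; everything guarded by !OPENSSL_NO_TLSEXT
 * below (SNI, session tickets, stapling) then drops out. */
#ifndef OPENSSL_NO_TLSEXT
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
#define OPENSSL_NO_TLSEXT
#endif
#endif

/* TLS session tickets.  The 48-byte key file is split into the three
 * 16-byte fields of modssl_ticket_key_t (name, HMAC secret, AES key).
 * tlsext_tick_md is the HMAC digest and falls back to SHA-1 only on a
 * build without SHA-256. */
#ifndef OPENSSL_NO_TLSEXT
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
#define HAVE_TLS_SESSION_TICKETS
#define TLSEXT_TICKET_KEY_LEN 48
#ifndef tlsext_tick_md
#ifdef OPENSSL_NO_SHA256
#define tlsext_tick_md EVP_sha1
#else
#define tlsext_tick_md EVP_sha256
#endif
#endif
#endif
#endif

/* TLS 1.1/1.2 can be selected in SSLProtocol iff OpenSSL knows the
 * SSL_OP_NO_TLSv1_2 option. */
#ifdef SSL_OP_NO_TLSv1_2
#define HAVE_TLSV1_X
#endif

/* On a pre-0.9.8 OpenSSL that also lacks SSL_OP_NO_COMPRESSION there
 * is no per-context way to switch compression off, so the
 * SSLCompression directive is disabled entirely. */
#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
    && OPENSSL_VERSION_NUMBER < 0x00908000L
#define OPENSSL_NO_COMP
#endif

/* SRP support came in OpenSSL 1.0.1 */
#ifndef OPENSSL_NO_SRP
#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
#include <openssl/srp.h>
#else
#define OPENSSL_NO_SRP
#endif
#endif

/* mod_ssl headers */
#include "ssl_util_ssl.h"

APLOG_USE_MODULE(ssl);

/*
 * Provide reasonable default for some defines
 */
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
#ifndef PTRUE
#define PTRUE ((void *)TRUE)
#endif
/* UNSET marks a configuration value that was never given; the *_UNSET
 * enumerators below all alias it so the merge code can distinguish
 * "not set" from "explicitly set to 0". */
#ifndef UNSET
#define UNSET (-1)
#endif
#ifndef NUL
#define NUL '\0'
#endif
#ifndef RAND_MAX
#include <limits.h>
#define RAND_MAX INT_MAX
#endif

/**
 * Provide reasonable defines for some types
 */
#ifndef UCHAR
#define UCHAR unsigned char
#endif

/**
 * Provide useful shorthands.  Every argument is parenthesized in the
 * expansion so that callers may pass arbitrary expressions.
 */
#define strEQ(s1,s2)     (strcmp((s1),(s2))          == 0)
#define strNE(s1,s2)     (strcmp((s1),(s2))          != 0)
#define strEQn(s1,s2,n)  (strncmp((s1),(s2),(n))     == 0)
#define strNEn(s1,s2,n)  (strncmp((s1),(s2),(n))     != 0)

#define strcEQ(s1,s2)    (strcasecmp((s1),(s2))      == 0)
#define strcNE(s1,s2)    (strcasecmp((s1),(s2))      != 0)
#define strcEQn(s1,s2,n) (strncasecmp((s1),(s2),(n)) == 0)
#define strcNEn(s1,s2,n) (strncasecmp((s1),(s2),(n)) != 0)

/* NULL-safe emptiness test: the short-circuit guards the dereference,
 * so a possibly-NULL pointer may be passed directly. */
#define strIsEmpty(s)    ((s) == NULL || (s)[0] == NUL)

/* Module-config accessors.  Each cast expansion is wrapped in an outer
 * pair of parentheses so that "myConnConfig(c)->field" applies the cast
 * before the member access; without them the C grammar binds -> to the
 * void * returned by ap_get_module_config, which is why the existing
 * mySrvFromConn/myModConfig helpers had to add their own parentheses. */
#define myConnConfig(c) \
    ((SSLConnRec *)ap_get_module_config((c)->conn_config, &ssl_module))
#define myCtxConfig(sslconn, sc) ((sslconn)->is_proxy ? (sc)->proxy : (sc)->server)
#define myConnConfigSet(c, val) \
    ap_set_module_config((c)->conn_config, &ssl_module, (val))
#define mySrvConfig(srv) ((SSLSrvConfigRec *)ap_get_module_config((srv)->module_config,  &ssl_module))
#define myDirConfig(req) ((SSLDirConfigRec *)ap_get_module_config((req)->per_dir_config, &ssl_module))
#define myModConfig(srv) (mySrvConfig((srv)))->mc
#define mySrvFromConn(c) (myConnConfig(c))->server
#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))

/* Untyped per-process scratch slots (SSLModConfigRec.rCtx.pV1..pV10).
 * The getter casts blindly, so the caller must know which type was
 * stored in slot 'num'; there is no runtime check. */
#define myCtxVarSet(mc,num,val)  (mc)->rCtx.pV##num = (val)
#define myCtxVarGet(mc,num,type) (type)((mc)->rCtx.pV##num)

/**
 * Defaults for the configuration
 */
#ifndef SSL_SESSION_CACHE_TIMEOUT
#define SSL_SESSION_CACHE_TIMEOUT 300
#endif

/* Default setting for per-dir reneg buffer.  This bounds how much
 * request body is held in memory while a per-directory renegotiation
 * is in progress (see SSLDirConfigRec.nRenegBufferSize). */
#ifndef DEFAULT_RENEG_BUFFER_SIZE
#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
#endif

/* Default for OCSP response validity */
#ifndef DEFAULT_OCSP_MAX_SKEW
#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
#endif

/* Default timeout for OCSP queries */
#ifndef DEFAULT_OCSP_TIMEOUT
#define DEFAULT_OCSP_TIMEOUT 10
#endif

/**
 * Define the certificate algorithm types
 */

typedef int ssl_algo_t;

/* Bit-set of public key algorithm types (SSL_ALGO_*). */
#define SSL_ALGO_UNKNOWN (0)
#define SSL_ALGO_RSA     (1<<0)
#define SSL_ALGO_DSA     (1<<1)
#ifndef OPENSSL_NO_EC
#define SSL_ALGO_ECC     (1<<2)
#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
#else
#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA)
#endif

/* Array indices (SSL_AIDX_*) of the per-algorithm cert/key slots in
 * modssl_pk_server_t; SSL_AIDX_MAX sizes those arrays. */
#define SSL_AIDX_RSA     (0)
#define SSL_AIDX_DSA     (1)
#ifndef OPENSSL_NO_EC
#define SSL_AIDX_ECC     (2)
#define SSL_AIDX_MAX     (3)
#else
#define SSL_AIDX_MAX     (2)
#endif


/**
 * Define IDs for the temporary RSA keys and DH params
 *
 * These index SSLModConfigRec.pTmpKeys.  The 512-bit entries are
 * export-grade sizes, and 1024 bits is itself below current key-length
 * recommendations; which slot ssl_callback_TmpRSA/ssl_callback_TmpDH
 * hand to OpenSSL therefore matters for the strength of the handshake.
 */

#define SSL_TMP_KEY_RSA_512  (0)
#define SSL_TMP_KEY_RSA_1024 (1)
#define SSL_TMP_KEY_DH_512   (2)
#define SSL_TMP_KEY_DH_1024  (3)
#ifndef OPENSSL_NO_EC
#define SSL_TMP_KEY_EC_256   (4)
#define SSL_TMP_KEY_MAX      (5)
#else
#define SSL_TMP_KEY_MAX      (4)
#endif

/**
 * Define the SSL options
 *
 * Bit-set held in SSLDirConfigRec.nOptions (with +/- deltas in
 * nOptionsAdd/nOptionsDel) from the SSLOptions directive.  Bit 2 is
 * deliberately left free (presumably a retired option); do not reuse
 * it without checking the merge logic.
 */
#define SSL_OPT_NONE           (0)
#define SSL_OPT_RELSET         (1<<0)
#define SSL_OPT_STDENVVARS     (1<<1)
#define SSL_OPT_EXPORTCERTDATA (1<<3)
#define SSL_OPT_FAKEBASICAUTH  (1<<4)
#define SSL_OPT_STRICTREQUIRE  (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_LEGACYDNFORMAT (1<<7)
typedef int ssl_opt_t;

/**
 * Define the SSL Protocol options
 *
 * Bit-set for SSLProtocol / SSLProxyProtocol.  Note that
 * SSL_PROTOCOL_ALL excludes SSLv2 but still includes SSLv3, so "all"
 * admits an obsolete protocol; a TLS-only policy has to subtract it
 * explicitly in the configuration.
 */
#define SSL_PROTOCOL_NONE  (0)
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOL_TLSV1_1 (1<<3)
#define SSL_PROTOCOL_TLSV1_2 (1<<4)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1| \
                            SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#else
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
#endif
typedef int ssl_proto_t;

/**
 * Define the SSL verify levels (SSLVerifyClient / SSLProxyVerify).
 * OPTIONAL_NO_CA accepts a client certificate whose chain cannot be
 * built to a trusted CA; see ssl_verify_error_is_optional for the
 * verification errors that are tolerated in that mode.
 */
typedef enum {
    SSL_CVERIFY_UNSET           = UNSET,
    SSL_CVERIFY_NONE            = 0,
    SSL_CVERIFY_OPTIONAL        = 1,
    SSL_CVERIFY_REQUIRE         = 2,
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
} ssl_verify_t;

/* OpenSSL verify-mode flags for the "require" level: request a client
 * certificate and fail the handshake if none is presented. */
#define SSL_VERIFY_PEER_STRICT \
     (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)

/* Chain-building failures that do not reject the peer certificate
 * outright (presumably only honoured under SSL_CVERIFY_OPTIONAL_NO_CA
 * -- confirm in ssl_callback_SSLVerify).  Adding an error code here
 * widens what an unverifiable certificate is allowed to get away with. */
#define ssl_verify_error_is_optional(errnum) \
   (((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
    || ((errnum) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
    || ((errnum) == X509_V_ERR_CERT_UNTRUSTED) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))

/**
 * CRL checking modes (SSLCARevocationCheck): LEAF checks only the peer
 * certificate, CHAIN every certificate up to the trust anchor.
 */
typedef enum {
    SSL_CRLCHECK_UNSET = UNSET,
    SSL_CRLCHECK_NONE  = 0,
    SSL_CRLCHECK_LEAF  = 1,
    SSL_CRLCHECK_CHAIN = 2
} ssl_crlcheck_t;

/**
 * Define the SSL pass phrase dialog types (SSLPassPhraseDialog).
 * FILTER and PIPE both involve an external program named by
 * modssl_ctx_t.pphrase_dialog_path.
 */
typedef enum {
    SSL_PPTYPE_UNSET   = UNSET,
    SSL_PPTYPE_BUILTIN = 0,
    SSL_PPTYPE_FILTER  = 1,
    SSL_PPTYPE_PIPE    = 2
} ssl_pphrase_t;

/**
 * Define the Path Checking modes: bit-set of conditions that
 * ssl_util_path_check() verifies for a configured file or directory.
 */
#define SSL_PCM_EXISTS 1
#define SSL_PCM_ISREG  2
#define SSL_PCM_ISDIR  4
#define SSL_PCM_ISNONZERO 8
typedef unsigned int ssl_pathcheck_t;

/**
 * Define the SSL enabled state.  Also reused as a tri-state
 * (unset/off/on) for several per-server switches in SSLSrvConfigRec.
 */
typedef enum {
    SSL_ENABLED_UNSET    = UNSET,
    SSL_ENABLED_FALSE    = 0,
    SSL_ENABLED_TRUE     = 1,
    SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t;

/**
 * Define the SSL requirement structure: one SSLRequire expression,
 * kept both as source text and in parsed form.
 */
typedef struct {
    char           *cpExpr;
    ap_expr_info_t *mpExpr;
} ssl_require_t;

/**
 * Define the SSL random number generator seeding source
 * (SSLRandomSeed): when it is applied (startup or per connection),
 * where the entropy comes from, and how many bytes to read.  EXEC runs
 * an external program at cpPath and EGD talks to an entropy daemon
 * socket there.
 */
typedef enum {
    SSL_RSCTX_STARTUP = 1,
    SSL_RSCTX_CONNECT = 2
} ssl_rsctx_t;
typedef enum {
    SSL_RSSRC_BUILTIN = 1,
    SSL_RSSRC_FILE    = 2,
    SSL_RSSRC_EXEC    = 3,
    SSL_RSSRC_EGD     = 4
} ssl_rssrc_t;
typedef struct {
    ssl_rsctx_t  nCtx;
    ssl_rssrc_t  nSrc;
    char        *cpPath;
    int          nBytes;
} ssl_randseed_t;

/**
 * Define the structure of an ASN.1 anything: nData bytes of DER at
 * cpData, plus the modification time of the file it was loaded from
 * (used to notice a changed file across restarts).
 */
typedef struct {
    long int       nData;
    unsigned char *cpData;
    apr_time_t     source_mtime;
} ssl_asn1_t;

/**
 * Define the mod_ssl per-module configuration structure
 * (i.e. the global configuration for each httpd process)
 */

/* How the SSL connection is closed at shutdown (SSLOptions /
 * ssl_io): UNCLEAN skips the close_notify alert, ACCURATE waits for
 * the peer's. */
typedef enum {
    SSL_SHUTDOWN_TYPE_UNSET,
    SSL_SHUTDOWN_TYPE_STANDARD,
    SSL_SHUTDOWN_TYPE_UNCLEAN,
    SSL_SHUTDOWN_TYPE_ACCURATE
} ssl_shutdown_type_e;

/* Per-connection state, stored in the conn_rec via myConnConfig(). */
typedef struct {
    SSL *ssl;
    const char *client_dn;       /* subject DN of the verified client cert */
    X509 *client_cert;
    ssl_shutdown_type_e shutdown_type;
    const char *verify_info;     /* result of client cert verification */
    const char *verify_error;    /* error string when verification failed */
    int verify_depth;
    int is_proxy;                /* non-zero for an outbound proxy connection */
    int disabled;                /* ssl_engine_disable() was called */
    enum {
        NON_SSL_OK = 0,        /* is SSL request, or error handling completed */
        NON_SSL_SEND_HDR_SEP,  /* Need to send the header separator */
        NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
    } non_ssl_request;

    /* Track the handshake/renegotiation state for the connection so
     * that all client-initiated renegotiations can be rejected, as a
     * partial fix for CVE-2009-3555. */
    enum {
        RENEG_INIT = 0, /* Before initial handshake */
        RENEG_REJECT,   /* After initial handshake; any client-initiated
                         * renegotiation should be rejected */
        RENEG_ALLOW,    /* A server-initated renegotiation is taking
                         * place (as dictated by configuration) */
        RENEG_ABORT     /* Renegotiation initiated by client, abort the
                         * connection */
    } reneg_state;

    server_rec *server;
} SSLConnRec;

/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
 * allocated out of the "process" pool and only a single such
 * structure is created and used for the lifetime of the process.
 * (The process pool is s->process->pool and is stored in the .pPool
 * field.)  Most members of this structure are likewise allocated out
 * of the process pool, but notably sesscache and sesscache_context
 * are not.
 *
 * The structure is treated as mostly immutable after a single config
 * parse has completed; the post_config hook (ssl_init_Module) flips
 * the bFixed flag to true and subsequent invocations of the config
 * callbacks hence do nothing.
 *
 * This odd lifetime strategy is used so that encrypted private keys
 * can be decrypted once at startup and continue to be used across
 * subsequent server reloads where the interactive password prompt is
 * not possible.
 *
 * It is really an ABI nightmare waiting to happen since DSOs are
 * reloaded across restarts, and nothing prevents the struct type
 * changing across such reloads, yet the cached structure will be
 * assumed to match regardless.
 *
 * This should really be fixed using a smaller structure which only
 * stores that which is absolutely necessary (the private keys, maybe
 * the random seed), and have that structure be strictly ABI-versioned
 * for safety.
 */
typedef struct {
    pid_t           pid;
    apr_pool_t     *pPool;
    BOOL            bFixed;      /* set once post_config has run; config
                                  * callbacks become no-ops afterwards */

    /* OpenSSL SSL_SESS_CACHE_* flags: */
    long sesscache_mode;

    /* The configured provider, and associated private data
     * structure. */
    const ap_socache_provider_t *sesscache;
    ap_socache_instance_t *sesscache_context;

    apr_global_mutex_t   *pMutex;
    apr_array_header_t   *aRandSeed;     /* array of ssl_randseed_t */
    apr_hash_t     *tVHostKeys;
    void           *pTmpKeys[SSL_TMP_KEY_MAX]; /* indexed by SSL_TMP_KEY_* */

    /* Two hash tables of pointers to ssl_asn1_t structures.  The
     * structures are used to store certificates and private keys
     * respectively, in raw DER format (serialized OpenSSL X509 and
     * PrivateKey structures).  The tables are indexed by (vhost-id,
     * algorithm type) using the function ssl_asn1_table_keyfmt(); for
     * example the string "vhost.example.com:443:RSA".
     *
     * Because of the lifetime described above, tPrivateKey holds the
     * *decrypted* key material of every configured vhost for as long as
     * the process lives; anything able to read process memory (core
     * dumps, debugger attach, a memory disclosure bug) therefore exposes
     * all of them, pass phrase or not. */
    apr_hash_t     *tPublicCert;
    apr_hash_t     *tPrivateKey;

#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
    const char     *szCryptoDevice;   /* SSLCryptoDevice engine name */
#endif

#ifdef HAVE_OCSP_STAPLING
    const ap_socache_provider_t *stapling_cache;
    ap_socache_instance_t *stapling_cache_context;
    apr_global_mutex_t   *stapling_mutex;
#endif

    /* Untyped scratch slots accessed through myCtxVarSet/myCtxVarGet. */
    struct {
        void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
    } rCtx;
} SSLModConfigRec;

/** Structure representing configured filenames for certs and keys for
 * a given vhost, and the corresponding in-memory structures once the
 * files are parsed. */
typedef struct {
    /* Lists of configured certs and keys for this server; from index
     * 0 up to SSL_AIDX_MAX-1 or the first NULL pointer.  Note that
     * these arrays are NOT indexed by algorithm type, they are simply
     * unordered lists. */
    const char *cert_files[SSL_AIDX_MAX];
    const char *key_files[SSL_AIDX_MAX];
    /* Loaded certs and keys; these arrays ARE indexed by the
     * algorithm type, i.e. keys[SSL_AIDX_RSA] maps to the RSA
     * private key. */
    X509 *certs[SSL_AIDX_MAX];
    EVP_PKEY *keys[SSL_AIDX_MAX];

    /** Certificates which specify the set of CA names which should be
     * sent in the CertificateRequest message: */
    const char *ca_name_path;
    const char *ca_name_file;
} modssl_pk_server_t;

/** Client certificate material used when httpd is the TLS client
 * (SSLProxyMachineCertificate*). */
typedef struct {
    /** proxy can have any number of cert/key pairs */
    const char  *cert_file;
    const char  *cert_path;
    const char  *ca_cert_file;
    STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
    STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
                                * each item in certs.
                                * (ptr to array of ptrs) */
} modssl_pk_proxy_t;

/** stuff related to authentication that can also be per-dir */
typedef struct {
    /** known/trusted CAs */
    const char  *ca_cert_path;
    const char  *ca_cert_file;

    const char  *cipher_suite;

    /** for client or downstream server authentication */
    int          verify_depth;   /* max chain length accepted */
    ssl_verify_t verify_mode;
} modssl_auth_ctx_t;

#ifdef HAVE_TLS_SESSION_TICKETS
/** Session ticket key (SSLSessionTicketKeyFile).  The three 16-byte
 * fields together account for TLSEXT_TICKET_KEY_LEN.  Nothing in this
 * header rotates the key: for as long as the same file is in use, a
 * later compromise of it exposes the sessions protected by every
 * ticket issued under it, so the file deserves the same protection
 * and rotation discipline as a private key. */
typedef struct {
    const char *file_path;
    unsigned char key_name[16];
    unsigned char hmac_secret[16];
    unsigned char aes_key[16];
} modssl_ticket_key_t;
#endif

typedef struct SSLSrvConfigRec SSLSrvConfigRec;

/** One SSL_CTX worth of configuration; each SSLSrvConfigRec owns one
 * for its server side and one for its proxy (client) side. */
typedef struct {
    SSLSrvConfigRec *sc; /** pointer back to server config */
    SSL_CTX *ssl_ctx;

    /** we are one or the other */
    modssl_pk_server_t *pks;
    modssl_pk_proxy_t  *pkp;

#ifdef HAVE_TLS_SESSION_TICKETS
    modssl_ticket_key_t *ticket_key;
#endif

    ssl_proto_t  protocol;

    /** config for handling encrypted keys.  For the non-builtin dialog
     * types pphrase_dialog_path names a program or pipe that httpd
     * runs at startup (presumably via ssl_util_ppopen -- confirm), so
     * it must be no more writable than the key files themselves. */
    ssl_pphrase_t pphrase_dialog_type;
    const char *pphrase_dialog_path;

    const char *cert_chain;
    const char *pkcs7;

    /** certificate revocation list */
    const char *crl_path;
    const char *crl_file;
    ssl_crlcheck_t crl_check_mode;

#ifdef HAVE_OCSP_STAPLING
    /** OCSP stapling options */
    BOOL stapling_enabled;
    long stapling_resptime_skew;
    long stapling_resp_maxage;
    int stapling_cache_timeout;
    BOOL stapling_return_errors;      /* pass responder errors on to clients */
    BOOL stapling_fake_trylater;      /* synthesize a tryLater response instead */
    int stapling_errcache_timeout;
    apr_interval_time_t stapling_responder_timeout;
    const char *stapling_force_url;   /* overrides the cert's AIA responder */
#endif

#ifndef OPENSSL_NO_SRP
    char *srp_vfile;
    char *srp_unknown_user_seed;
    SRP_VBASE  *srp_vbase;
#endif

    modssl_auth_ctx_t auth;

    BOOL ocsp_enabled; /* true if OCSP verification enabled */
    BOOL ocsp_force_default; /* true if the default responder URL is
                              * used regardless of per-cert URL */
    const char *ocsp_responder; /* default responder URL */
    long ocsp_resptime_skew;
    long ocsp_resp_maxage;
    apr_interval_time_t ocsp_responder_timeout;

} modssl_ctx_t;

/** Per-server (vhost) configuration. */
struct SSLSrvConfigRec {
    SSLModConfigRec *mc;
    ssl_enabled_t    enabled;
    BOOL             proxy_enabled;
    const char      *vhost_id;       /* from ssl_util_vhostid() */
    int              vhost_id_len;
    int              session_cache_timeout;
    BOOL             cipher_server_pref;  /* SSLHonorCipherOrder */
    BOOL             insecure_reneg;  /* SSLInsecureRenegotiation: re-enable
                                       * legacy renegotiation, i.e. the
                                       * CVE-2009-3555 weakness that
                                       * SSLConnRec.reneg_state guards against */
    modssl_ctx_t    *server;
    modssl_ctx_t    *proxy;
    /* SSLProxyCheckPeer*: which checks are applied to the backend
     * server's certificate (expiry / CN / host name). */
    ssl_enabled_t    proxy_ssl_check_peer_expire;
    ssl_enabled_t    proxy_ssl_check_peer_cn;
    ssl_enabled_t    proxy_ssl_check_peer_name;
#ifndef OPENSSL_NO_TLSEXT
    ssl_enabled_t    strict_sni_vhost_check;
#endif
#ifdef HAVE_FIPS
    BOOL             fips;
#endif
#ifndef OPENSSL_NO_COMP
    BOOL             compression;     /* SSLCompression: TLS-level compression;
                                       * off is the safer setting because
                                       * compressed record lengths leak
                                       * information about the plaintext */
#endif
};

/**
 * Define the mod_ssl per-directory configuration structure
 * (i.e. the local configuration for all <Directory>
 * and .htaccess contexts)
 */
typedef struct {
    BOOL     bSSLRequired;           /* SSLRequireSSL */
    apr_array_header_t *aRequirement; /* SSLRequire; presumably ssl_require_t */
    ssl_opt_t nOptions;
    ssl_opt_t nOptionsAdd;
    ssl_opt_t nOptionsDel;
    const char *szCipherSuite;
    ssl_verify_t nVerifyClient;
    int     nVerifyDepth;
    const char *szCACertificatePath;
    const char *szCACertificateFile;
    const char *szUserName;          /* SSLUserName */
    apr_size_t nRenegBufferSize;     /* SSLRenegBufferSize; default
                                      * DEFAULT_RENEG_BUFFER_SIZE */
} SSLDirConfigRec;

/**
 * function prototypes
 */

/** API glue structures */
extern module AP_MODULE_DECLARE_DATA ssl_module;

/** configuration handling.  The ssl_cmd_* functions are Apache
 * directive handlers: they return NULL on success or an error string
 * for the config parser. */
SSLModConfigRec *ssl_config_global_create(server_rec *);
void         ssl_config_global_fix(SSLModConfigRec *);
BOOL         ssl_config_global_isfixed(SSLModConfigRec *);
void        *ssl_config_server_create(apr_pool_t *, server_rec *);
void        *ssl_config_server_merge(apr_pool_t *, void *, void *);
void        *ssl_config_perdir_create(apr_pool_t *, char *);
void        *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);

const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *);
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
const char  *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag);

const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);

#ifndef OPENSSL_NO_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
#endif

const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);

/** module initialization */
int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void         ssl_init_Engine(server_rec *, apr_pool_t *);
void         ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
void         ssl_init_CheckServers(server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
            *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
void         ssl_init_Child(apr_pool_t *, server_rec *);
apr_status_t ssl_init_ModuleKill(void *data);

/** Apache API hooks */
int          ssl_hook_Auth(request_rec *);
int          ssl_hook_UserCheck(request_rec *);
int          ssl_hook_Access(request_rec *);
int          ssl_hook_Fixup(request_rec *);
int          ssl_hook_ReadReq(request_rec *);
int          ssl_hook_Upgrade(request_rec *);
void         ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);

/** Apache authz providers */
extern const authz_provider ssl_authz_provider_require_ssl;
extern const authz_provider ssl_authz_provider_verify_client;

/** OpenSSL callbacks.  The Tmp* callbacks supply ephemeral key
 * material for the handshake; the second argument is the export flag
 * and the third the requested key length (OpenSSL's tmp-key callback
 * convention), which selects among the SSL_TMP_KEY_* slots. */
RSA         *ssl_callback_TmpRSA(SSL *, int, int);
DH          *ssl_callback_TmpDH(SSL *, int, int);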
#ifndef OPENSSL_NO_EC
EC_KEY      *ssl_callback_TmpECDH(SSL *, int, int);
#endif
/* X509 verify callback (OpenSSL convention: return non-zero to accept
 * the current certificate, zero to abort the handshake).  The _CRL
 * variant additionally takes the connection for logging/config. */
int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
/* Client-certificate callback used when httpd is the TLS client. */
int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
/* External session cache hooks (see Session Cache Support below). */
int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
/* Info callback: where per-connection state such as reneg_state is
 * presumably maintained -- confirm in the implementation. */
void         ssl_callback_Info(const SSL *, int, int);
#ifndef OPENSSL_NO_TLSEXT
/* SNI callback: selects the modssl_ctx_t for the requested host name. */
int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
#ifdef HAVE_TLS_SESSION_TICKETS
/* Ticket key callback; keys come from modssl_ctx_t.ticket_key and are
 * applied to the supplied cipher and HMAC contexts. */
int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
                                       EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif

/** Session Cache Support.  The id/length pairs are the raw session id
 * bytes; callers must pass the length explicitly as ids are not
 * NUL-terminated. */
void         ssl_scache_init(server_rec *, apr_pool_t *);
void         ssl_scache_status_register(apr_pool_t *p);
void         ssl_scache_kill(server_rec *);
BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
                              apr_time_t, SSL_SESSION *, apr_pool_t *);
SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
void         ssl_scache_remove(server_rec *, UCHAR *, int,
                               apr_pool_t *);

/** Proxy Support */
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);

/** OCSP Stapling Support */
#ifdef HAVE_OCSP_STAPLING
const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
void         modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
void         ssl_stapling_ex_init(void);
int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
#endif
#ifndef OPENSSL_NO_SRP
int          ssl_callback_SRPServerParams(SSL *, int *, void *);
#endif

/** I/O */
void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void         ssl_io_filter_register(apr_pool_t *);
/* BIO debug callback (SSL_CTX_set_msg_callback-style tracing). */
long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);

/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
 * to allow an SSL renegotiation to take place.  'maxlen' caps the
 * amount buffered in memory (SSLRenegBufferSize). */
int          ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);

/** PRNG: applies the SSLRandomSeed sources configured for the given
 * context (startup or connect). */
int          ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);

/** Utility Functions */
char        *ssl_util_vhostid(apr_pool_t *, server_rec *);
/* ppopen/ppclose/readfilter run an external program given an explicit
 * path and argv (no shell) and read its output; the program path is
 * taken from the configuration, so its permissions matter as much as
 * the files it unlocks. */
apr_file_t  *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
                             const char * const *);
void         ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
                                 const char * const *);
/* Checks the SSL_PCM_* conditions on a path; used to validate
 * configured file/directory arguments. */
BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
ssl_algo_t   ssl_util_algotypeof(X509 *, EVP_PKEY *);
char        *ssl_util_algotypestr(ssl_algo_t);
void         ssl_util_thread_setup(apr_pool_t *);
int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);

/** Pass Phrase Support: loads and, if necessary, decrypts the
 * configured private keys (see the SSLModConfigRec lifetime notes). */
void         ssl_pphrase_Handle(server_rec *, apr_pool_t *);

/** Diffie-Hellman Parameter Support.  GetTmpParam returns built-in
 * parameters for the requested key length (presumably the
 * SSL_TMP_KEY_DH_* sizes -- confirm); GetParamFromFile reads them from
 * a PEM file. */
DH          *ssl_dh_GetTmpParam(int);
DH          *ssl_dh_GetParamFromFile(char *);

/* DER cert/key table helpers for SSLModConfigRec.tPublicCert and
 * tPrivateKey.  table_set allocates an entry of 'length' bytes and
 * returns the buffer the caller fills; keys are built with
 * ssl_asn1_table_keyfmt(). */
unsigned char *ssl_asn1_table_set(apr_hash_t *table,
                                  const char *key,
                                  long int length);

ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
                               const char *key);

void ssl_asn1_table_unset(apr_hash_t *table,
                          const char *key);

const char *ssl_asn1_keystr(int keytype);

const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
                                  const char *id,
                                  int keytype);

STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7);

/** Mutex Support */
int          ssl_mutex_init(server_rec *, apr_pool_t *);
int          ssl_mutex_reinit(server_rec *, apr_pool_t *);
int          ssl_mutex_on(server_rec *);
int          ssl_mutex_off(server_rec *);

int          ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);

/* mutex type names for Mutex directive */
#define SSL_CACHE_MUTEX_TYPE    "ssl-cache"
#define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"

/** Logfile Support */
void         ssl_die(server_rec *);
void         ssl_log_ssl_error(const char *, int, int, server_rec *);

/* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
 * respective ap_log_*error functions and take a certificate as an
 * additional argument (whose details are appended to the log message).
 * The other arguments are interpreted exactly as with their ap_log_*error
 * counterparts.  The format attributes keep -Wformat checking on the
 * wrappers; 'format' must therefore always be a literal, never data
 * derived from the peer or the certificate. */
void ssl_log_xerror(const char *file, int line, int level,
                    apr_status_t rv, apr_pool_t *p, server_rec *s,
                    X509 *cert, const char *format, ...)
    __attribute__((format(printf,8,9)));

void ssl_log_cxerror(const char *file, int line, int level,
                     apr_status_t rv, conn_rec *c, X509 *cert,
                     const char *format, ...)
    __attribute__((format(printf,7,8)));

void ssl_log_rxerror(const char *file, int line, int level,
                     apr_status_t rv, request_rec *r, X509 *cert,
                     const char *format, ...)
    __attribute__((format(printf,7,8)));

/* Expands to the file/line pair expected as the first two arguments of
 * the ssl_log_*error wrappers above. */
#define SSLLOG_MARK              __FILE__,__LINE__

/** Variables */

/* Register variables for the lifetime of the process pool 'p'. */
void         ssl_var_register(apr_pool_t *p);
/* Looks up an SSL_* variable by name for the given server/connection/
 * request; returns a pool-allocated string. */
char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
/* Returns the values of the named certificate extension for the peer
 * (peer != 0) or server certificate. */
apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);

void         ssl_var_log_config_register(apr_pool_t *p);

/* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
 * allocating from 'p': */
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);

#ifndef OPENSSL_NO_OCSP
/* Perform OCSP validation of the current cert in the given context.
 * Returns non-zero on success or zero on failure.  On failure, the
 * context error code is set. */
int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
                       server_rec *s, conn_rec *c, apr_pool_t *pool);

/* OCSP helper interface; dispatches the given OCSP request to the
 * responder at the given URI.  Returns the decoded OCSP response
 * object, or NULL on error (in which case, errors will have been
 * logged).  Pool 'p' is used for temporary allocations.  'timeout'
 * bounds how long a handshake can be stalled waiting on the
 * responder. */
OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
                                            apr_interval_time_t timeout,
                                            OCSP_REQUEST *request,
                                            conn_rec *c, apr_pool_t *p);
#endif

#endif /* SSL_PRIVATE_H */
/** @} */