1 /* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef SSL_PRIVATE_H 18 #define SSL_PRIVATE_H 19 20 /** 21 * @file ssl_private.h 22 * @brief Internal interfaces private to mod_ssl. 23 * 24 * @defgroup MOD_SSL_PRIVATE Private 25 * @ingroup MOD_SSL 26 * @{ 27 */ 28 29 /** Apache headers */ 30 #include "ap_config.h" 31 #include "httpd.h" 32 #include "http_config.h" 33 #include "http_core.h" 34 #include "http_log.h" 35 #include "http_main.h" 36 #include "http_connection.h" 37 #include "http_request.h" 38 #include "http_protocol.h" 39 #include "http_ssl.h" 40 #include "http_vhost.h" 41 #include "util_script.h" 42 #include "util_filter.h" 43 #include "util_ebcdic.h" 44 #include "util_mutex.h" 45 #include "apr.h" 46 #include "apr_strings.h" 47 #define APR_WANT_STRFUNC 48 #define APR_WANT_MEMFUNC 49 #include "apr_want.h" 50 #include "apr_tables.h" 51 #include "apr_lib.h" 52 #include "apr_fnmatch.h" 53 #include "apr_strings.h" 54 #include "apr_global_mutex.h" 55 #include "apr_optional.h" 56 #include "ap_socache.h" 57 #include "mod_auth.h" 58 59 /* The #ifdef macros are only defined AFTER including the above 60 * therefore we cannot include these system files at the top :-( 61 */ 62 #if APR_HAVE_STDLIB_H 63 #include <stdlib.h> 64 #endif 65 #if APR_HAVE_SYS_TIME_H 66 #include <sys/time.h> 67 #endif 68 #if APR_HAVE_UNISTD_H 69 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */ 70 #endif 71 72 #ifndef FALSE 73 #define FALSE 0 74 #endif 75 76 #ifndef TRUE 77 #define TRUE !FALSE 78 #endif 79 80 #ifndef BOOL 81 #define BOOL unsigned int 82 #endif 83 84 #include "ap_expr.h" 85 86 /* OpenSSL headers */ 87 #include <openssl/opensslv.h> 88 #if (OPENSSL_VERSION_NUMBER >= 0x10001000) 89 /* must be defined before including ssl.h */ 90 #define OPENSSL_NO_SSL_INTERN 91 #endif 92 #if OPENSSL_VERSION_NUMBER >= 0x30000000 93 #include <openssl/core_names.h> 94 #endif 95 #include <openssl/ssl.h> 96 #include <openssl/err.h> 97 #include <openssl/x509.h> 98 #include <openssl/pem.h> 99 #include <openssl/crypto.h> 100 #include <openssl/evp.h> 101 #include <openssl/rand.h> 102 #include <openssl/x509v3.h> 103 #include <openssl/x509_vfy.h> 104 #include <openssl/ocsp.h> 105 106 /* Avoid tripping over an engine build installed globally and detected 107 * when the user points at an explicit non-engine flavor of OpenSSL 108 */ 109 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) 110 #include <openssl/engine.h> 111 #endif 112 113 #if (OPENSSL_VERSION_NUMBER < 0x0090801f) 114 #error mod_ssl requires OpenSSL 0.9.8a or later 115 #endif 116 117 /** 118 * ...shifting sands of OpenSSL... 119 * Note: when adding support for new OpenSSL features, avoid explicit 120 * version number checks whenever possible, and use "feature-based" 121 * detection instead (check for definitions of constants or functions) 122 */ 123 #if (OPENSSL_VERSION_NUMBER >= 0x10000000) 124 #define MODSSL_SSL_CIPHER_CONST const 125 #define MODSSL_SSL_METHOD_CONST const 126 #else 127 #define MODSSL_SSL_CIPHER_CONST 128 #define MODSSL_SSL_METHOD_CONST 129 #endif 130 131 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L 132 /* Missing from LibreSSL */ 133 #if LIBRESSL_VERSION_NUMBER < 0x2060000f 134 #define SSL_CTRL_SET_MIN_PROTO_VERSION 123 135 #define SSL_CTRL_SET_MAX_PROTO_VERSION 124 136 #define SSL_CTX_set_min_proto_version(ctx, version) \ 137 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) 138 #define SSL_CTX_set_max_proto_version(ctx, version) \ 139 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) 140 #endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ 141 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not 142 * include most changes from OpenSSL >= 1.1 (new functions, macros, 143 * deprecations, ...), so we have to work around this... 144 */ 145 #define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) 146 #else /* defined(LIBRESSL_VERSION_NUMBER) */ 147 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) 148 #endif 149 150 #if defined(OPENSSL_FIPS) 151 #define HAVE_FIPS 152 #endif 153 154 #if defined(SSL_OP_NO_TLSv1_2) 155 #define HAVE_TLSV1_X 156 #endif 157 158 #if defined(SSL_CONF_FLAG_FILE) 159 #define HAVE_SSL_CONF_CMD 160 #endif 161 162 /* session id constness */ 163 #if MODSSL_USE_OPENSSL_PRE_1_1_API 164 #define IDCONST 165 #else 166 #define IDCONST const 167 #endif 168 169 /** 170 * The following features all depend on TLS extension support. 171 * Within this block, check again for features (not version numbers). 172 */ 173 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) 174 175 #define HAVE_TLSEXT 176 177 /* ECC: make sure we have at least 1.0.0 */ 178 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) 179 #define HAVE_ECC 180 #endif 181 182 /* OCSP stapling */ 183 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) 184 #define HAVE_OCSP_STAPLING 185 /* All exist but are no longer macros since OpenSSL 1.1.0 */ 186 #if OPENSSL_VERSION_NUMBER < 0x10100000L 187 /* backward compatibility with OpenSSL < 1.0 */ 188 #ifndef sk_OPENSSL_STRING_num 189 #define sk_OPENSSL_STRING_num sk_num 190 #endif 191 #ifndef sk_OPENSSL_STRING_value 192 #define sk_OPENSSL_STRING_value sk_value 193 #endif 194 #ifndef sk_OPENSSL_STRING_pop 195 #define sk_OPENSSL_STRING_pop sk_pop 196 #endif 197 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ 198 #endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */ 199 200 /* TLS session tickets */ 201 #if defined(SSL_CTX_set_tlsext_ticket_key_cb) 202 #define HAVE_TLS_SESSION_TICKETS 203 #define TLSEXT_TICKET_KEY_LEN 48 204 #ifndef tlsext_tick_md 205 #ifdef OPENSSL_NO_SHA256 206 #define tlsext_tick_md EVP_sha1 207 #else 208 #define tlsext_tick_md EVP_sha256 209 #endif 210 #endif 211 #endif 212 213 /* Secure Remote Password */ 214 #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB) 215 #define HAVE_SRP 216 #include <openssl/srp.h> 217 #endif 218 219 /* ALPN Protocol Negotiation */ 220 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) 221 #define HAVE_TLS_ALPN 222 #endif 223 224 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ 225 226 #if MODSSL_USE_OPENSSL_PRE_1_1_API 227 #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 228 #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 229 #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 230 #define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048 231 #define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072 232 #define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 233 #define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 234 #define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 235 #define BIO_set_init(x,v) (x->init=v) 236 #define BIO_get_data(x) (x->ptr) 237 #define BIO_set_data(x,v) (x->ptr=v) 238 #define BIO_get_shutdown(x) (x->shutdown) 239 #define BIO_set_shutdown(x,v) (x->shutdown=v) 240 #define DH_bits(x) (BN_num_bits(x->p)) 241 #else 242 void init_bio_methods(void); 243 void free_bio_methods(void); 244 #endif 245 246 #if OPENSSL_VERSION_NUMBER < 0x10002000L || \ 247 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f) 248 #define X509_STORE_CTX_get0_store(x) (x->ctx) 249 #endif 250 251 #if OPENSSL_VERSION_NUMBER < 0x10000000L 252 #ifndef X509_STORE_CTX_get0_current_issuer 253 #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) 254 #endif 255 #endif 256 257 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) 258 #define HAVE_OPENSSL_KEYLOG 259 #endif 260 261 /* mod_ssl headers */ 262 #include "ssl_util_ssl.h" 263 264 APLOG_USE_MODULE(ssl); 265 266 /* 267 * Provide reasonable default for some defines 268 */ 269 #ifndef PFALSE 270 #define PFALSE ((void *)FALSE) 271 #endif 272 #ifndef PTRUE 273 #define PTRUE ((void *)TRUE) 274 #endif 275 #ifndef UNSET 276 #define UNSET (-1) 277 #endif 278 #ifndef NUL 279 #define NUL '\0' 280 #endif 281 #ifndef RAND_MAX 282 #include <limits.h> 283 #define RAND_MAX INT_MAX 284 #endif 285 286 /** 287 * Provide reasonable defines for some types 288 */ 289 #ifndef UCHAR 290 #define UCHAR unsigned char 291 #endif 292 293 /** 294 * Provide useful shorthands 295 */ 296 #define strEQ(s1,s2) (strcmp(s1,s2) == 0) 297 #define strNE(s1,s2) (strcmp(s1,s2) != 0) 298 #define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0) 299 #define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0) 300 301 #define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0) 302 #define strcNE(s1,s2) (strcasecmp(s1,s2) != 0) 303 #define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0) 304 #define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0) 305 306 #define strIsEmpty(s) (s == NULL || s[0] == NUL) 307 308 #define myConnConfig(c) \ 309 ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module)) 310 #define myConnConfigSet(c, val) \ 311 ap_set_module_config(c->conn_config, &ssl_module, val) 312 #define mySrvConfig(srv) \ 313 ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)) 314 #define myDirConfig(req) \ 315 ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)) 316 #define myConnCtxConfig(c, sc) \ 317 (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server) 318 #define myModConfig(srv) mySrvConfig((srv))->mc 319 #define mySrvFromConn(c) myConnConfig(c)->server 320 #define myDirConfigFromConn(c) myConnConfig(c)->dc 321 #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c)) 322 #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c)) 323 324 /** 325 * Defaults for the configuration 326 */ 327 #ifndef SSL_SESSION_CACHE_TIMEOUT 328 #define SSL_SESSION_CACHE_TIMEOUT 300 329 #endif 330 331 /* Default setting for per-dir reneg buffer. */ 332 #ifndef DEFAULT_RENEG_BUFFER_SIZE 333 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024) 334 #endif 335 336 /* Default for OCSP response validity */ 337 #ifndef DEFAULT_OCSP_MAX_SKEW 338 #define DEFAULT_OCSP_MAX_SKEW (60 * 5) 339 #endif 340 341 /* Default timeout for OCSP queries */ 342 #ifndef DEFAULT_OCSP_TIMEOUT 343 #define DEFAULT_OCSP_TIMEOUT 10 344 #endif 345 346 /* 347 * For better backwards compatibility with the SSLCertificate[Key]File 348 * and SSLPassPhraseDialog ("exec" type) directives in 2.4.7 and earlier 349 */ 350 #ifdef HAVE_ECC 351 #define CERTKEYS_IDX_MAX 2 352 #else 353 #define CERTKEYS_IDX_MAX 1 354 #endif 355 356 /** 357 * Define the SSL options 358 */ 359 #define SSL_OPT_NONE (0) 360 #define SSL_OPT_RELSET (1<<0) 361 #define SSL_OPT_STDENVVARS (1<<1) 362 #define SSL_OPT_EXPORTCERTDATA (1<<3) 363 #define SSL_OPT_FAKEBASICAUTH (1<<4) 364 #define SSL_OPT_STRICTREQUIRE (1<<5) 365 #define SSL_OPT_OPTRENEGOTIATE (1<<6) 366 #define SSL_OPT_LEGACYDNFORMAT (1<<7) 367 typedef int ssl_opt_t; 368 369 /** 370 * Define the SSL Protocol options 371 */ 372 #define SSL_PROTOCOL_NONE (0) 373 #ifndef OPENSSL_NO_SSL3 374 #define SSL_PROTOCOL_SSLV3 (1<<1) 375 #endif 376 #define SSL_PROTOCOL_TLSV1 (1<<2) 377 #ifndef OPENSSL_NO_SSL3 378 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) 379 #else 380 #define SSL_PROTOCOL_BASIC (SSL_PROTOCOL_TLSV1) 381 #endif 382 #ifdef HAVE_TLSV1_X 383 #define SSL_PROTOCOL_TLSV1_1 (1<<3) 384 #define SSL_PROTOCOL_TLSV1_2 (1<<4) 385 #define SSL_PROTOCOL_TLSV1_3 (1<<5) 386 387 #ifdef SSL_OP_NO_TLSv1_3 388 #define SSL_HAVE_PROTOCOL_TLSV1_3 (1) 389 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \ 390 SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3) 391 #else 392 #define SSL_HAVE_PROTOCOL_TLSV1_3 (0) 393 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC| \ 394 SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) 395 #endif 396 #else 397 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_BASIC) 398 #endif 399 #ifndef OPENSSL_NO_SSL3 400 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3) 401 #else 402 #define SSL_PROTOCOL_DEFAULT (SSL_PROTOCOL_ALL) 403 #endif 404 typedef int ssl_proto_t; 405 406 /** 407 * Define the SSL verify levels 408 */ 409 typedef enum { 410 SSL_CVERIFY_UNSET = UNSET, 411 SSL_CVERIFY_NONE = 0, 412 SSL_CVERIFY_OPTIONAL = 1, 413 SSL_CVERIFY_REQUIRE = 2, 414 SSL_CVERIFY_OPTIONAL_NO_CA = 3 415 } ssl_verify_t; 416 417 #define SSL_VERIFY_PEER_STRICT \ 418 (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) 419 420 #define ssl_verify_error_is_optional(errnum) \ 421 ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \ 422 || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \ 423 || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \ 424 || (errnum == X509_V_ERR_CERT_UNTRUSTED) \ 425 || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) 426 427 /** 428 * CRL checking mask (mode | flags) 429 */ 430 typedef enum { 431 SSL_CRLCHECK_NONE = (0), 432 SSL_CRLCHECK_LEAF = (1 << 0), 433 SSL_CRLCHECK_CHAIN = (1 << 1), 434 435 #define SSL_CRLCHECK_FLAGS (~0x3) 436 SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2) 437 } ssl_crlcheck_t; 438 439 /** 440 * OCSP checking mask (mode | flags) 441 */ 442 typedef enum { 443 SSL_OCSPCHECK_NONE = (0), 444 SSL_OCSPCHECK_LEAF = (1 << 0), 445 SSL_OCSPCHECK_CHAIN = (1 << 1), 446 SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2) 447 } ssl_ocspcheck_t; 448 449 /** 450 * Define the SSL pass phrase dialog types 451 */ 452 typedef enum { 453 SSL_PPTYPE_UNSET = UNSET, 454 SSL_PPTYPE_BUILTIN = 0, 455 SSL_PPTYPE_FILTER = 1, 456 SSL_PPTYPE_PIPE = 2 457 } ssl_pphrase_t; 458 459 /** 460 * Define the Path Checking modes 461 */ 462 #define SSL_PCM_EXISTS 1 463 #define SSL_PCM_ISREG 2 464 #define SSL_PCM_ISDIR 4 465 #define SSL_PCM_ISNONZERO 8 466 typedef unsigned int ssl_pathcheck_t; 467 468 /** 469 * Define the SSL enabled state 470 */ 471 typedef enum { 472 SSL_ENABLED_UNSET = UNSET, 473 SSL_ENABLED_FALSE = 0, 474 SSL_ENABLED_TRUE = 1, 475 SSL_ENABLED_OPTIONAL = 3 476 } ssl_enabled_t; 477 478 /** 479 * Define the SSL requirement structure 480 */ 481 typedef struct { 482 const char *cpExpr; 483 ap_expr_info_t *mpExpr; 484 } ssl_require_t; 485 486 /** 487 * Define the SSL random number generator seeding source 488 */ 489 typedef enum { 490 SSL_RSCTX_STARTUP = 1, 491 SSL_RSCTX_CONNECT = 2 492 } ssl_rsctx_t; 493 typedef enum { 494 SSL_RSSRC_BUILTIN = 1, 495 SSL_RSSRC_FILE = 2, 496 SSL_RSSRC_EXEC = 3, 497 SSL_RSSRC_EGD = 4 498 } ssl_rssrc_t; 499 typedef struct { 500 ssl_rsctx_t nCtx; 501 ssl_rssrc_t nSrc; 502 char *cpPath; 503 int nBytes; 504 } ssl_randseed_t; 505 506 /** 507 * Define the structure of an ASN.1 anything 508 */ 509 typedef struct { 510 long int nData; 511 unsigned char *cpData; 512 apr_time_t source_mtime; 513 } ssl_asn1_t; 514 515 /** 516 * Define the mod_ssl per-module configuration structure 517 * (i.e. the global configuration for each httpd process) 518 */ 519 520 typedef struct SSLSrvConfigRec SSLSrvConfigRec; 521 typedef struct SSLDirConfigRec SSLDirConfigRec; 522 523 typedef enum { 524 SSL_SHUTDOWN_TYPE_UNSET, 525 SSL_SHUTDOWN_TYPE_STANDARD, 526 SSL_SHUTDOWN_TYPE_UNCLEAN, 527 SSL_SHUTDOWN_TYPE_ACCURATE 528 } ssl_shutdown_type_e; 529 530 typedef struct { 531 SSL *ssl; 532 const char *client_dn; 533 X509 *client_cert; 534 ssl_shutdown_type_e shutdown_type; 535 const char *verify_info; 536 const char *verify_error; 537 int verify_depth; 538 int disabled; 539 enum { 540 NON_SSL_OK = 0, /* is SSL request, or error handling completed */ 541 NON_SSL_SEND_REQLINE, /* Need to send the fake request line */ 542 NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */ 543 NON_SSL_SET_ERROR_MSG /* Need to set the error message */ 544 } non_ssl_request; 545 546 /* Track the handshake/renegotiation state for the connection so 547 * that all client-initiated renegotiations can be rejected, as a 548 * partial fix for CVE-2009-3555. */ 549 enum { 550 RENEG_INIT = 0, /* Before initial handshake */ 551 RENEG_REJECT, /* After initial handshake; any client-initiated 552 * renegotiation should be rejected */ 553 RENEG_ALLOW, /* A server-initiated renegotiation is taking 554 * place (as dictated by configuration) */ 555 RENEG_ABORT /* Renegotiation initiated by client, abort the 556 * connection */ 557 } reneg_state; 558 559 server_rec *server; 560 SSLDirConfigRec *dc; 561 562 const char *cipher_suite; /* cipher suite used in last reneg */ 563 int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */ 564 int vhost_found; /* whether we found vhost from SNI already */ 565 } SSLConnRec; 566 567 /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is 568 * allocated out of the "process" pool and only a single such 569 * structure is created and used for the lifetime of the process. 570 * (The process pool is s->process->pool and is stored in the .pPool 571 * field.) Most members of this structure are likewise allocated out 572 * of the process pool, but notably sesscache and sesscache_context 573 * are not. 574 * 575 * The structure is treated as mostly immutable after a single config 576 * parse has completed; the post_config hook (ssl_init_Module) flips 577 * the bFixed flag to true and subsequent invocations of the config 578 * callbacks hence do nothing. 579 * 580 * This odd lifetime strategy is used so that encrypted private keys 581 * can be decrypted once at startup and continue to be used across 582 * subsequent server reloads where the interactive password prompt is 583 * not possible. 584 585 * It is really an ABI nightmare waiting to happen since DSOs are 586 * reloaded across restarts, and nothing prevents the struct type 587 * changing across such reloads, yet the cached structure will be 588 * assumed to match regardless. 589 * 590 * This should really be fixed using a smaller structure which only 591 * stores that which is absolutely necessary (the private keys, maybe 592 * the random seed), and have that structure be strictly ABI-versioned 593 * for safety. 594 */ 595 typedef struct { 596 pid_t pid; 597 apr_pool_t *pPool; 598 BOOL bFixed; 599 600 /* OpenSSL SSL_SESS_CACHE_* flags: */ 601 long sesscache_mode; 602 603 /* The configured provider, and associated private data 604 * structure. */ 605 const ap_socache_provider_t *sesscache; 606 ap_socache_instance_t *sesscache_context; 607 608 apr_global_mutex_t *pMutex; 609 apr_array_header_t *aRandSeed; 610 apr_hash_t *tVHostKeys; 611 612 /* A hash table of pointers to ssl_asn1_t structures. The structures 613 * are used to store private keys in raw DER format (serialized OpenSSL 614 * PrivateKey structures). The table is indexed by (vhost-id, 615 * index), for example the string "vhost.example.com:443:0". */ 616 apr_hash_t *tPrivateKey; 617 618 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) 619 const char *szCryptoDevice; 620 #endif 621 622 #ifdef HAVE_OCSP_STAPLING 623 const ap_socache_provider_t *stapling_cache; 624 ap_socache_instance_t *stapling_cache_context; 625 apr_global_mutex_t *stapling_cache_mutex; 626 apr_global_mutex_t *stapling_refresh_mutex; 627 #endif 628 #ifdef HAVE_OPENSSL_KEYLOG 629 /* Used for logging if SSLKEYLOGFILE is set at startup. */ 630 apr_file_t *keylog_file; 631 #endif 632 } SSLModConfigRec; 633 634 /** Structure representing configured filenames for certs and keys for 635 * a given vhost */ 636 typedef struct { 637 /* Lists of configured certs and keys for this server */ 638 apr_array_header_t *cert_files; 639 apr_array_header_t *key_files; 640 641 /** Certificates which specify the set of CA names which should be 642 * sent in the CertificateRequest message: */ 643 const char *ca_name_path; 644 const char *ca_name_file; 645 646 /* TLS service for this server is suspended */ 647 int service_unavailable; 648 } modssl_pk_server_t; 649 650 typedef struct { 651 /** proxy can have any number of cert/key pairs */ 652 const char *cert_file; 653 const char *cert_path; 654 const char *ca_cert_file; 655 /* certs is a stack of configured cert, key pairs. */ 656 STACK_OF(X509_INFO) *certs; 657 /* ca_certs contains ONLY chain certs for each item in certs. 658 * ca_certs[n] is a pointer to the (STACK_OF(X509) *) stack which 659 * holds the cert chain for the 'n'th cert in the certs stack, or 660 * NULL if no chain is configured. */ 661 STACK_OF(X509) **ca_certs; 662 } modssl_pk_proxy_t; 663 664 /** stuff related to authentication that can also be per-dir */ 665 typedef struct { 666 /** known/trusted CAs */ 667 const char *ca_cert_path; 668 const char *ca_cert_file; 669 670 const char *cipher_suite; 671 672 /** for client or downstream server authentication */ 673 int verify_depth; 674 ssl_verify_t verify_mode; 675 676 /** TLSv1.3 has its separate cipher list, separate from the 677 settings for older TLS protocol versions. Since which one takes 678 effect is a matter of negotiation, we need separate settings */ 679 const char *tls13_ciphers; 680 } modssl_auth_ctx_t; 681 682 #ifdef HAVE_TLS_SESSION_TICKETS 683 typedef struct { 684 const char *file_path; 685 unsigned char key_name[16]; 686 #if OPENSSL_VERSION_NUMBER < 0x30000000L 687 unsigned char hmac_secret[16]; 688 #else 689 OSSL_PARAM mac_params[3]; 690 #endif 691 unsigned char aes_key[16]; 692 } modssl_ticket_key_t; 693 #endif 694 695 #ifdef HAVE_SSL_CONF_CMD 696 typedef struct { 697 const char *name; 698 const char *value; 699 } ssl_ctx_param_t; 700 #endif 701 702 typedef struct { 703 SSLSrvConfigRec *sc; /** pointer back to server config */ 704 SSL_CTX *ssl_ctx; 705 706 /** we are one or the other */ 707 modssl_pk_server_t *pks; 708 modssl_pk_proxy_t *pkp; 709 710 #ifdef HAVE_TLS_SESSION_TICKETS 711 modssl_ticket_key_t *ticket_key; 712 #endif 713 714 ssl_proto_t protocol; 715 int protocol_set; 716 717 /** config for handling encrypted keys */ 718 ssl_pphrase_t pphrase_dialog_type; 719 const char *pphrase_dialog_path; 720 721 const char *cert_chain; 722 723 /** certificate revocation list */ 724 const char *crl_path; 725 const char *crl_file; 726 int crl_check_mask; 727 728 #ifdef HAVE_OCSP_STAPLING 729 /** OCSP stapling options */ 730 BOOL stapling_enabled; 731 long stapling_resptime_skew; 732 long stapling_resp_maxage; 733 int stapling_cache_timeout; 734 BOOL stapling_return_errors; 735 BOOL stapling_fake_trylater; 736 int stapling_errcache_timeout; 737 apr_interval_time_t stapling_responder_timeout; 738 const char *stapling_force_url; 739 #endif 740 741 #ifdef HAVE_SRP 742 char *srp_vfile; 743 char *srp_unknown_user_seed; 744 SRP_VBASE *srp_vbase; 745 #endif 746 747 modssl_auth_ctx_t auth; 748 749 int ocsp_mask; 750 BOOL ocsp_force_default; /* true if the default responder URL is 751 * used regardless of per-cert URL */ 752 const char *ocsp_responder; /* default responder URL */ 753 long ocsp_resptime_skew; 754 long ocsp_resp_maxage; 755 apr_interval_time_t ocsp_responder_timeout; 756 BOOL ocsp_use_request_nonce; 757 apr_uri_t *proxy_uri; 758 759 BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */ 760 /* Declare variables for using OCSP Responder Certs for OCSP verification */ 761 int ocsp_verify_flags; /* Flags to use when verifying OCSP response */ 762 const char *ocsp_certs_file; /* OCSP other certificates filename */ 763 STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */ 764 765 #ifdef HAVE_SSL_CONF_CMD 766 SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */ 767 apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */ 768 #endif 769 770 BOOL ssl_check_peer_cn; 771 BOOL ssl_check_peer_name; 772 BOOL ssl_check_peer_expire; 773 } modssl_ctx_t; 774 775 struct SSLSrvConfigRec { 776 SSLModConfigRec *mc; 777 ssl_enabled_t enabled; 778 const char *vhost_id; 779 int vhost_id_len; 780 int session_cache_timeout; 781 BOOL cipher_server_pref; 782 BOOL insecure_reneg; 783 modssl_ctx_t *server; 784 #ifdef HAVE_TLSEXT 785 ssl_enabled_t strict_sni_vhost_check; 786 #endif 787 #ifdef HAVE_FIPS 788 BOOL fips; 789 #endif 790 #ifndef OPENSSL_NO_COMP 791 BOOL compression; 792 #endif 793 BOOL session_tickets; 794 }; 795 796 /** 797 * Define the mod_ssl per-directory configuration structure 798 * (i.e. the local configuration for all <Directory> 799 * and .htaccess contexts) 800 */ 801 struct SSLDirConfigRec { 802 BOOL bSSLRequired; 803 apr_array_header_t *aRequirement; 804 ssl_opt_t nOptions; 805 ssl_opt_t nOptionsAdd; 806 ssl_opt_t nOptionsDel; 807 const char *szCipherSuite; 808 ssl_verify_t nVerifyClient; 809 int nVerifyDepth; 810 const char *szUserName; 811 apr_size_t nRenegBufferSize; 812 813 modssl_ctx_t *proxy; 814 BOOL proxy_enabled; 815 BOOL proxy_post_config; 816 }; 817 818 /** 819 * function prototypes 820 */ 821 822 /** API glue structures */ 823 extern module AP_MODULE_DECLARE_DATA ssl_module; 824 825 /** configuration handling */ 826 SSLModConfigRec *ssl_config_global_create(server_rec *); 827 void ssl_config_global_fix(SSLModConfigRec *); 828 BOOL ssl_config_global_isfixed(SSLModConfigRec *); 829 void *ssl_config_server_create(apr_pool_t *, server_rec *); 830 void *ssl_config_server_merge(apr_pool_t *, void *, void *); 831 void *ssl_config_perdir_create(apr_pool_t *, char *); 832 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *); 833 void ssl_config_proxy_merge(apr_pool_t *, 834 SSLDirConfigRec *, SSLDirConfigRec *); 835 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *); 836 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); 837 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); 838 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); 839 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *, const char *); 840 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); 841 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); 842 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); 843 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *); 844 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *); 845 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *); 846 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *); 847 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); 848 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); 849 const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *); 850 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); 851 const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag); 852 const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag); 853 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *); 854 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *); 855 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *); 856 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *); 857 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *); 858 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *); 859 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *); 860 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *); 861 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *); 862 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg); 863 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); 864 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag); 865 866 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); 867 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); 868 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *, const char *); 869 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *); 870 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *); 871 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *); 872 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *); 873 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *); 874 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *); 875 const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *, void *, const char *); 876 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *); 877 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *); 878 const char *ssl_cmd_SSLProxyMachineCertificateChainFile(cmd_parms *, void *, const char *); 879 #ifdef HAVE_TLS_SESSION_TICKETS 880 const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, const char *arg); 881 #endif 882 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag); 883 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag); 884 const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag); 885 886 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag); 887 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg); 888 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg); 889 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg); 890 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); 891 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag); 892 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg); 893 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg); 894 895 /* Declare OCSP Responder Certificate Verification Directive */ 896 const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag); 897 /* Declare OCSP Responder Certificate File Directive */ 898 const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg); 899 900 #ifdef HAVE_SSL_CONF_CMD 901 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); 902 #endif 903 904 #ifdef HAVE_SRP 905 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); 906 const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); 907 #endif 908 909 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag); 910 911 /** module initialization */ 912 apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); 913 apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *); 914 apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, 915 apr_array_header_t *); 916 apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *); 917 int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, 918 apr_pool_t *ptemp, server_rec *s, 919 ap_conf_vector_t *section_config); 920 STACK_OF(X509_NAME) 921 *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); 922 void ssl_init_Child(apr_pool_t *, server_rec *); 923 apr_status_t ssl_init_ModuleKill(void *data); 924 925 /** Apache API hooks */ 926 int ssl_hook_Auth(request_rec *); 927 int ssl_hook_UserCheck(request_rec *); 928 int ssl_hook_Access(request_rec *); 929 int ssl_hook_Fixup(request_rec *); 930 int ssl_hook_ReadReq(request_rec *); 931 int ssl_hook_Upgrade(request_rec *); 932 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s); 933 934 /** Apache authz provisders */ 935 extern const authz_provider ssl_authz_provider_require_ssl; 936 extern const authz_provider ssl_authz_provider_verify_client; 937 938 /** OpenSSL callbacks */ 939 DH *ssl_callback_TmpDH(SSL *, int, int); 940 int ssl_callback_SSLVerify(int, X509_STORE_CTX *); 941 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); 942 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); 943 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); 944 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *); 945 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); 946 void ssl_callback_Info(const SSL *, int, int); 947 #ifdef HAVE_TLSEXT 948 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); 949 #endif 950 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) 951 int ssl_callback_ClientHello(SSL *, int *, void *); 952 #endif 953 #ifdef HAVE_TLS_SESSION_TICKETS 954 int ssl_callback_SessionTicket(SSL *ssl, 955 unsigned char *keyname, 956 unsigned char *iv, 957 EVP_CIPHER_CTX *cipher_ctx, 958 #if OPENSSL_VERSION_NUMBER < 0x30000000L 959 HMAC_CTX *hmac_ctx, 960 #else 961 EVP_MAC_CTX *mac_ctx, 962 #endif 963 int mode); 964 #endif 965 966 #ifdef HAVE_TLS_ALPN 967 int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out, 968 unsigned char *outlen, const unsigned char *in, 969 unsigned int inlen, void *arg); 970 #endif 971 972 /** Session Cache Support */ 973 apr_status_t ssl_scache_init(server_rec *, apr_pool_t *); 974 void ssl_scache_status_register(apr_pool_t *p); 975 void ssl_scache_kill(server_rec *); 976 BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, 977 apr_time_t, SSL_SESSION *, apr_pool_t *); 978 SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *); 979 void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, 980 apr_pool_t *); 981 982 /** OCSP Stapling Support */ 983 #ifdef HAVE_OCSP_STAPLING 984 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *); 985 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int); 986 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *); 987 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *); 988 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *); 989 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *); 990 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int); 991 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int); 992 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *); 993 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); 994 apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *); 995 void ssl_stapling_certinfo_hash_init(apr_pool_t *); 996 int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *, 997 modssl_ctx_t *, X509 *); 998 #endif 999 #ifdef HAVE_SRP 1000 int ssl_callback_SRPServerParams(SSL *, int *, void *); 1001 #endif 1002 1003 #ifdef HAVE_OPENSSL_KEYLOG 1004 /* Callback used with SSL_CTX_set_keylog_callback. */ 1005 void modssl_callback_keylog(const SSL *ssl, const char *line); 1006 #endif 1007 1008 /** I/O */ 1009 void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *); 1010 void ssl_io_filter_register(apr_pool_t *); 1011 long ssl_io_data_cb(BIO *, int, const char *, int, long, long); 1012 1013 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request 1014 * to allow an SSL renegotiation to take place. */ 1015 int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen); 1016 1017 /** PRNG */ 1018 int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *); 1019 1020 /** Utility Functions */ 1021 char *ssl_util_vhostid(apr_pool_t *, server_rec *); 1022 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *, 1023 const char * const *); 1024 void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *); 1025 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, 1026 const char * const *); 1027 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); 1028 #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API 1029 void ssl_util_thread_setup(apr_pool_t *); 1030 void ssl_util_thread_id_setup(apr_pool_t *); 1031 #endif 1032 int ssl_init_ssl_connection(conn_rec *c, request_rec *r); 1033 1034 BOOL ssl_util_vhost_matches(const char *servername, server_rec *s); 1035 1036 /** Pass Phrase Support */ 1037 apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, 1038 const char *, apr_array_header_t **); 1039 1040 /* Load public and/or private key from the configured ENGINE. Private 1041 * key returned as *pkey. certid can be NULL, in which case *pubkey 1042 * is not altered. Errors logged on failure. */ 1043 apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, 1044 const char *vhostid, 1045 const char *certid, const char *keyid, 1046 X509 **pubkey, EVP_PKEY **privkey); 1047 1048 /** Diffie-Hellman Parameter Support */ 1049 DH *ssl_dh_GetParamFromFile(const char *); 1050 #ifdef HAVE_ECC 1051 EC_GROUP *ssl_ec_GetParamFromFile(const char *); 1052 #endif 1053 1054 /* Store the EVP_PKEY key (serialized into DER) in the hash table with 1055 * key, returning the ssl_asn1_t structure pointer. */ 1056 ssl_asn1_t *ssl_asn1_table_set(apr_hash_t *table, const char *key, 1057 EVP_PKEY *pkey); 1058 /* Retrieve the ssl_asn1_t structure with given key from the hash. */ 1059 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table, const char *key); 1060 /* Remove and free the ssl_asn1_t structure with given key. */ 1061 void ssl_asn1_table_unset(apr_hash_t *table, const char *key); 1062 1063 /** Mutex Support */ 1064 int ssl_mutex_init(server_rec *, apr_pool_t *); 1065 int ssl_mutex_reinit(server_rec *, apr_pool_t *); 1066 int ssl_mutex_on(server_rec *); 1067 int ssl_mutex_off(server_rec *); 1068 1069 int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *); 1070 1071 /* mutex type names for Mutex directive */ 1072 #define SSL_CACHE_MUTEX_TYPE "ssl-cache" 1073 #define SSL_STAPLING_CACHE_MUTEX_TYPE "ssl-stapling" 1074 #define SSL_STAPLING_REFRESH_MUTEX_TYPE "ssl-stapling-refresh" 1075 1076 apr_status_t ssl_die(server_rec *); 1077 1078 /** Logfile Support */ 1079 void ssl_log_ssl_error(const char *, int, int, server_rec *); 1080 1081 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the 1082 * respective ap_log_*error functions and take a certificate as an 1083 * additional argument (whose details are appended to the log message). 1084 * The other arguments are interpreted exactly as with their ap_log_*error 1085 * counterparts. */ 1086 void ssl_log_xerror(const char *file, int line, int level, 1087 apr_status_t rv, apr_pool_t *p, server_rec *s, 1088 X509 *cert, const char *format, ...) 1089 __attribute__((format(printf,8,9))); 1090 1091 void ssl_log_cxerror(const char *file, int line, int level, 1092 apr_status_t rv, conn_rec *c, X509 *cert, 1093 const char *format, ...) 1094 __attribute__((format(printf,7,8))); 1095 1096 void ssl_log_rxerror(const char *file, int line, int level, 1097 apr_status_t rv, request_rec *r, X509 *cert, 1098 const char *format, ...) 1099 __attribute__((format(printf,7,8))); 1100 1101 #define SSLLOG_MARK __FILE__,__LINE__ 1102 1103 /** Variables */ 1104 1105 /* Register variables for the lifetime of the process pool 'p'. */ 1106 void ssl_var_register(apr_pool_t *p); 1107 char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); 1108 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension); 1109 1110 void ssl_var_log_config_register(apr_pool_t *p); 1111 1112 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl', 1113 * allocating from 'p': */ 1114 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p); 1115 1116 /* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't' 1117 * from SSL object 'ssl', allocating from 'p'. */ 1118 void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p); 1119 1120 #ifndef OPENSSL_NO_OCSP 1121 /* Perform OCSP validation of the current cert in the given context. 1122 * Returns non-zero on success or zero on failure. On failure, the 1123 * context error code is set. */ 1124 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, 1125 server_rec *s, conn_rec *c, apr_pool_t *pool); 1126 1127 /* OCSP helper interface; dispatches the given OCSP request to the 1128 * responder at the given URI. Returns the decoded OCSP response 1129 * object, or NULL on error (in which case, errors will have been 1130 * logged). Pool 'p' is used for temporary allocations. */ 1131 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, 1132 apr_interval_time_t timeout, 1133 OCSP_REQUEST *request, 1134 conn_rec *c, apr_pool_t *p); 1135 1136 /* Initialize OCSP trusted certificate list */ 1137 void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx); 1138 1139 #endif 1140 1141 #if MODSSL_USE_OPENSSL_PRE_1_1_API 1142 /* Retrieve DH parameters for given key length. Return value should 1143 * be treated as unmutable, since it is stored in process-global 1144 * memory. */ 1145 DH *modssl_get_dh_params(unsigned keylen); 1146 #endif 1147 1148 /* Returns non-zero if the request was made over SSL/TLS. If sslconn 1149 * is non-NULL and the request is using SSL/TLS, sets *sslconn to the 1150 * corresponding SSLConnRec structure for the connection. */ 1151 int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn); 1152 1153 int ssl_is_challenge(conn_rec *c, const char *servername, 1154 X509 **pcert, EVP_PKEY **pkey, 1155 const char **pcert_file, const char **pkey_file); 1156 1157 /* Returns non-zero if the cert/key filename should be handled through 1158 * the configured ENGINE. */ 1159 int modssl_is_engine_id(const char *name); 1160 1161 #endif /* SSL_PRIVATE_H */ 1162 /** @} */ 1163 1164