1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
22 * @brief Internal interfaces private to mod_ssl.
24 * @defgroup MOD_SSL_PRIVATE Private
31 #include "http_config.h"
32 #include "http_core.h"
34 #include "http_main.h"
35 #include "http_connection.h"
36 #include "http_request.h"
37 #include "http_protocol.h"
38 #include "http_vhost.h"
39 #include "util_script.h"
40 #include "util_filter.h"
41 #include "util_ebcdic.h"
42 #include "util_mutex.h"
44 #include "apr_strings.h"
45 #define APR_WANT_STRFUNC
47 #include "apr_tables.h"
49 #include "apr_fnmatch.h"
50 #include "apr_strings.h"
51 #include "apr_global_mutex.h"
52 #include "apr_optional.h"
53 #include "ap_socache.h"
56 #define MOD_SSL_VERSION AP_SERVER_BASEREVISION
59 #include "ssl_toolkit_compat.h"
61 #include "ssl_util_ssl.h"
63 /* The #ifdef macros are only defined AFTER including the above
64 * therefore we cannot include these system files at the top :-(
66 #if APR_HAVE_SYS_TIME_H
70 #include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
73 APLOG_USE_MODULE(ssl);
76 * Provide reasonable defaults for some defines
85 #define PFALSE ((void *)FALSE)
88 #define PTRUE ((void *)TRUE)
98 #define RAND_MAX INT_MAX
102 * Provide reasonable defines for some types
105 #define BOOL unsigned int
108 #define UCHAR unsigned char
112 * Provide useful shorthands
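/* Shorthands for string comparison.  Each expands to an int-valued
 * expression.  Every argument is parenthesised so that a conditional or
 * other low-precedence expression can be passed safely (the original
 * strIsEmpty(s) expanded 's' bare, so 'a ? b : c' mis-parsed).
 * The str*()/strcase*() forms pass their arguments straight to the C
 * library and therefore must not be given NULL; only strIsEmpty()
 * tolerates a NULL pointer. */
#define strEQ(s1,s2)     (strcmp((s1),(s2)) == 0)
#define strNE(s1,s2)     (strcmp((s1),(s2)) != 0)
#define strEQn(s1,s2,n)  (strncmp((s1),(s2),(n)) == 0)
#define strNEn(s1,s2,n)  (strncmp((s1),(s2),(n)) != 0)

/* Case-insensitive variants (strcasecmp/strncasecmp). */
#define strcEQ(s1,s2)    (strcasecmp((s1),(s2)) == 0)
#define strcNE(s1,s2)    (strcasecmp((s1),(s2)) != 0)
#define strcEQn(s1,s2,n) (strncasecmp((s1),(s2),(n)) == 0)
#define strcNEn(s1,s2,n) (strncasecmp((s1),(s2),(n)) != 0)

/* True for a NULL pointer or a zero-length string.  's' is evaluated
 * twice, so it must be free of side effects.  NUL is defined elsewhere
 * in the compat headers, not here. */
#define strIsEmpty(s)    ((s) == NULL || (s)[0] == NUL)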
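/* Accessors for the mod_ssl configuration records hung off the httpd
 * connection, server and per-directory structures.  Every argument is
 * parenthesised, and each cast expansion is wrapped as a whole, so that
 * e.g. myConnConfig(c)->server parses as intended without the caller
 * adding its own brackets (the old forms applied '->' before the cast).
 * NOTE(review): presumably ap_get_module_config() yields NULL on a
 * connection that carries no SSL record; the *FromConn macros below
 * dereference the result without a check, so callers must test
 * myConnConfig(c) first. */
#define myConnConfig(c) \
    ((SSLConnRec *)ap_get_module_config((c)->conn_config, &ssl_module))
/* Pick the proxy (outbound) or server (inbound) SSL context for a
 * connection according to its is_proxy flag. */
#define myCtxConfig(sslconn, sc) \
    ((sslconn)->is_proxy ? (sc)->proxy : (sc)->server)
#define myConnConfigSet(c, val) \
    ap_set_module_config((c)->conn_config, &ssl_module, (val))
#define mySrvConfig(srv) \
    ((SSLSrvConfigRec *)ap_get_module_config((srv)->module_config, &ssl_module))
#define myDirConfig(req) \
    ((SSLDirConfigRec *)ap_get_module_config((req)->per_dir_config, &ssl_module))
#define myModConfig(srv)        ((mySrvConfig((srv)))->mc)
#define mySrvFromConn(c)        ((myConnConfig(c))->server)
#define mySrvConfigFromConn(c)  mySrvConfig(mySrvFromConn(c))
#define myModConfigFromConn(c)  myModConfig(mySrvFromConn(c))

/* Get/set one of the opaque pointer slots rCtx.pV1..pV10 of the module
 * config.  'num' is token-pasted into the field name, so it must be a
 * plain integer literal in that range, not an expression. */
#define myCtxVarSet(mc,num,val)  ((mc)->rCtx.pV##num = (val))
#define myCtxVarGet(mc,num,type) ((type)((mc)->rCtx.pV##num))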
142 * Defaults for the configuration
144 #ifndef SSL_SESSION_CACHE_TIMEOUT
145 #define SSL_SESSION_CACHE_TIMEOUT 300
148 /* Default setting for per-dir reneg buffer. */
149 #ifndef DEFAULT_RENEG_BUFFER_SIZE
150 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
154 * Support for MM library
/* File permission bits for files created by the (presumably legacy)
 * MM shared-memory support.  NOTE(review): APR_WREAD grants read
 * access to "other" users, i.e. the file is world-readable -- confirm
 * nothing sensitive (cached sessions, keys) is ever created with this
 * mode. */
#define SSL_MM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
159 * Define the certificate algorithm types
162 typedef int ssl_algo_t;
164 #define SSL_ALGO_UNKNOWN (0)
165 #define SSL_ALGO_RSA (1<<0)
166 #define SSL_ALGO_DSA (1<<1)
167 #ifndef OPENSSL_NO_EC
168 #define SSL_ALGO_ECC (1<<2)
169 #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
171 #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
172 #endif /* SSL_LIBRARY_VERSION */
174 #define SSL_AIDX_RSA (0)
175 #define SSL_AIDX_DSA (1)
176 #ifndef OPENSSL_NO_EC
177 #define SSL_AIDX_ECC (2)
178 #define SSL_AIDX_MAX (3)
180 #define SSL_AIDX_MAX (2)
181 #endif /* SSL_LIBRARY_VERSION */
185 * Define IDs for the temporary RSA keys and DH params
/* Slot indices into SSLModConfigRec.pTmpKeys[] (sized SSL_TMP_KEY_MAX)
 * for the temporary RSA keys and DH parameters, one slot per key size.
 * NOTE(review): the 512-bit entries presumably back export-grade cipher
 * suites; 512-bit RSA/DH is far below current strength recommendations,
 * so confirm such suites are not enabled by the default cipher list. */
#define SSL_TMP_KEY_RSA_512  (0)
#define SSL_TMP_KEY_RSA_1024 (1)
#define SSL_TMP_KEY_DH_512   (2)
#define SSL_TMP_KEY_DH_1024  (3)
#define SSL_TMP_KEY_MAX      (4)
195 * Define the SSL options
/* Bit flags for the SSLOptions directive (ssl_cmd_SSLOptions); a set
 * of them is stored as an ssl_opt_t in SSLDirConfigRec.nOptionsAdd /
 * nOptionsDel.  Each flag presumably corresponds to the SSLOptions
 * keyword of the same name.  Bit 2 is unused, and SSL_OPT_RELSET is
 * not part of SSL_OPT_ALL -- it appears to mark a relative ("+"/"-")
 * setting rather than being an option itself; confirm in the parser. */
#define SSL_OPT_NONE           (0)
#define SSL_OPT_RELSET         (1<<0)
#define SSL_OPT_STDENVVARS     (1<<1)
#define SSL_OPT_EXPORTCERTDATA (1<<3)
#define SSL_OPT_FAKEBASICAUTH  (1<<4)
#define SSL_OPT_STRICTREQUIRE  (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
typedef int ssl_opt_t;
208 * Define the SSL Protocol options
/* Protocol version bit flags, selected by the SSLProtocol and
 * SSLProxyProtocol directives and stored in the per-context 'protocol'
 * field as an ssl_proto_t.  NOTE(review): SSL_PROTOCOL_ALL includes
 * SSLv2, which is obsolete; confirm the effective default excludes it. */
#define SSL_PROTOCOL_NONE  (0)
#define SSL_PROTOCOL_SSLV2 (1<<0)
#define SSL_PROTOCOL_SSLV3 (1<<1)
#define SSL_PROTOCOL_TLSV1 (1<<2)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
typedef int ssl_proto_t;
218 * Define the SSL verify levels
221 SSL_CVERIFY_UNSET = UNSET,
222 SSL_CVERIFY_NONE = 0,
223 SSL_CVERIFY_OPTIONAL = 1,
224 SSL_CVERIFY_REQUIRE = 2,
225 SSL_CVERIFY_OPTIONAL_NO_CA = 3
/* OpenSSL verify mode for a mandatory peer certificate: SSL_VERIFY_PEER
 * requests the certificate and SSL_VERIFY_FAIL_IF_NO_PEER_CERT is what
 * makes its absence fatal to the handshake rather than merely optional. */
#define SSL_VERIFY_PEER_STRICT \
     (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
231 #ifndef X509_V_ERR_CERT_UNTRUSTED
232 #define X509_V_ERR_CERT_UNTRUSTED 27
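/* True for the X509 verification errors that may be tolerated --
 * judging by the name, under the SSL_CVERIFY_OPTIONAL_NO_CA verify
 * mode: a certificate was presented but could not be chained to or
 * verified against a trusted CA.  Errors not in this list are never
 * treated as optional.  'errnum' is evaluated up to five times, so it
 * must be side-effect free; it is parenthesised so that a conditional
 * expression can be passed (the old form expanded it bare). */
#define ssl_verify_error_is_optional(errnum) \
   (((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
    || ((errnum) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
    || ((errnum) == X509_V_ERR_CERT_UNTRUSTED) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))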
243 * Define the SSL pass phrase dialog types
246 SSL_PPTYPE_UNSET = UNSET,
247 SSL_PPTYPE_BUILTIN = 0,
248 SSL_PPTYPE_FILTER = 1,
253 * Define the Path Checking modes
/* Bit flags for ssl_util_path_check(): the properties a configured
 * path must satisfy, OR-ed together into an ssl_pathcheck_t.
 * ISNONZERO presumably means a non-empty file -- confirm against the
 * implementation. */
#define SSL_PCM_EXISTS    1
#define SSL_PCM_ISREG     2
#define SSL_PCM_ISDIR     4
#define SSL_PCM_ISNONZERO 8
typedef unsigned int ssl_pathcheck_t;
262 * Define the SSL enabled state
265 SSL_ENABLED_UNSET = UNSET,
266 SSL_ENABLED_FALSE = 0,
267 SSL_ENABLED_TRUE = 1,
268 SSL_ENABLED_OPTIONAL = 3
272 * Define the SSL requirement structure
280 * Define the SSL random number generator seeding source
283 SSL_RSCTX_STARTUP = 1,
284 SSL_RSCTX_CONNECT = 2
287 SSL_RSSRC_BUILTIN = 1,
300 * Define the structure of an ASN.1 anything
304 unsigned char *cpData;
305 apr_time_t source_mtime;
309 * Define the mod_ssl per-module configuration structure
310 * (i.e. the global configuration for each httpd process)
314 SSL_SHUTDOWN_TYPE_UNSET,
315 SSL_SHUTDOWN_TYPE_STANDARD,
316 SSL_SHUTDOWN_TYPE_UNCLEAN,
317 SSL_SHUTDOWN_TYPE_ACCURATE
318 } ssl_shutdown_type_e;
322 const char *client_dn;
324 ssl_shutdown_type_e shutdown_type;
325 const char *verify_info;
326 const char *verify_error;
332 /* Track the handshake/renegotiation state for the connection so
333 * that all client-initiated renegotiations can be rejected, as a
334 * partial fix for CVE-2009-3555. */
336 RENEG_INIT = 0, /* Before initial handshake */
337 RENEG_REJECT, /* After initial handshake; any client-initiated
338 * renegotiation should be rejected */
339 RENEG_ALLOW, /* A server-initiated renegotiation is taking
340 * place (as dictated by configuration) */
341 RENEG_ABORT /* Renegotiation initiated by client, abort the
348 /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
349 * allocated out of the "process" pool and only a single such
350 * structure is created and used for the lifetime of the process.
351 * (The process pool is s->process->pool and is stored in the .pPool
352 * field.) Most members of this structure are likewise allocated out
353 * of the process pool, but notably sesscache and sesscache_context
356 * The structure is treated as mostly immutable after a single config
357 * parse has completed; the post_config hook (ssl_init_Module) flips
358 * the bFixed flag to true and subsequent invocations of the config
359 * callbacks hence do nothing.
361 * This odd lifetime strategy is used so that encrypted private keys
362 * can be decrypted once at startup and continue to be used across
363 * subsequent server reloads where the interactive password prompt is
366 * It is really an ABI nightmare waiting to happen since DSOs are
367 * reloaded across restarts, and nothing prevents the struct type
368 * changing across such reloads, yet the cached structure will be
369 * assumed to match regardless.
371 * This should really be fixed using a smaller structure which only
372 * stores that which is absolutely necessary (the private keys, maybe
373 * the random seed), and have that structure be strictly ABI-versioned
381 /* OpenSSL SSL_SESS_CACHE_* flags: */
384 /* The configured provider, and associated private data
386 const ap_socache_provider_t *sesscache;
387 ap_socache_instance_t *sesscache_context;
389 apr_global_mutex_t *pMutex;
390 apr_array_header_t *aRandSeed;
391 apr_hash_t *tVHostKeys;
392 void *pTmpKeys[SSL_TMP_KEY_MAX];
393 apr_hash_t *tPublicCert;
394 apr_hash_t *tPrivateKey;
395 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
396 const char *szCryptoDevice;
399 #ifdef HAVE_OCSP_STAPLING
400 const ap_socache_provider_t *stapling_cache;
401 ap_socache_instance_t *stapling_cache_context;
402 apr_global_mutex_t *stapling_mutex;
406 void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
410 /** public cert/private key */
413 * server only has 1-2 certs/keys
416 const char *cert_files[SSL_AIDX_MAX];
417 const char *key_files[SSL_AIDX_MAX];
418 X509 *certs[SSL_AIDX_MAX];
419 EVP_PKEY *keys[SSL_AIDX_MAX];
421 /** Certificates which specify the set of CA names which should be
422 * sent in the CertificateRequest message: */
423 const char *ca_name_path;
424 const char *ca_name_file;
425 } modssl_pk_server_t;
428 /** proxy can have any number of cert/key pairs */
429 const char *cert_file;
430 const char *cert_path;
431 STACK_OF(X509_INFO) *certs;
434 /** stuff related to authentication that can also be per-dir */
436 /** known/trusted CAs */
437 const char *ca_cert_path;
438 const char *ca_cert_file;
440 const char *cipher_suite;
442 /** for client or downstream server authentication */
444 ssl_verify_t verify_mode;
447 typedef struct SSLSrvConfigRec SSLSrvConfigRec;
450 SSLSrvConfigRec *sc; /** pointer back to server config */
453 /** we are one or the other */
454 modssl_pk_server_t *pks;
455 modssl_pk_proxy_t *pkp;
457 ssl_proto_t protocol;
459 /** config for handling encrypted keys */
460 ssl_pphrase_t pphrase_dialog_type;
461 const char *pphrase_dialog_path;
463 const char *cert_chain;
466 /** certificate revocation list */
467 const char *crl_path;
468 const char *crl_file;
471 #ifdef HAVE_OCSP_STAPLING
472 /** OCSP stapling options */
473 BOOL stapling_enabled;
474 long stapling_resptime_skew;
475 long stapling_resp_maxage;
476 int stapling_cache_timeout;
477 BOOL stapling_return_errors;
478 BOOL stapling_fake_trylater;
479 int stapling_errcache_timeout;
480 apr_interval_time_t stapling_responder_timeout;
481 const char *stapling_force_url;
484 modssl_auth_ctx_t auth;
486 BOOL ocsp_enabled; /* true if OCSP verification enabled */
487 BOOL ocsp_force_default; /* true if the default responder URL is
488 * used regardless of per-cert URL */
489 const char *ocsp_responder; /* default responder URL */
493 struct SSLSrvConfigRec {
495 ssl_enabled_t enabled;
497 const char *vhost_id;
499 int session_cache_timeout;
500 BOOL cipher_server_pref;
502 modssl_ctx_t *server;
504 ssl_enabled_t proxy_ssl_check_peer_expire;
505 ssl_enabled_t proxy_ssl_check_peer_cn;
506 #ifndef OPENSSL_NO_TLSEXT
507 ssl_enabled_t strict_sni_vhost_check;
515 * Define the mod_ssl per-directory configuration structure
516 * (i.e. the local configuration for all <Directory>
517 * and .htaccess contexts)
521 apr_array_header_t *aRequirement;
523 ssl_opt_t nOptionsAdd;
524 ssl_opt_t nOptionsDel;
525 const char *szCipherSuite;
526 ssl_verify_t nVerifyClient;
528 const char *szCACertificatePath;
529 const char *szCACertificateFile;
530 const char *szUserName;
531 apr_size_t nRenegBufferSize;
535 * function prototypes
538 /** API glue structures */
539 extern module AP_MODULE_DECLARE_DATA ssl_module;
541 /** configuration handling */
542 SSLModConfigRec *ssl_config_global_create(server_rec *);
543 void ssl_config_global_fix(SSLModConfigRec *);
544 BOOL ssl_config_global_isfixed(SSLModConfigRec *);
545 void *ssl_config_server_create(apr_pool_t *, server_rec *);
546 void *ssl_config_server_merge(apr_pool_t *, void *, void *);
547 void *ssl_config_perdir_create(apr_pool_t *, char *);
548 void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
549 const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
550 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
551 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
552 const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
553 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
554 const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
555 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
556 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
557 const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *, void *, const char *);
558 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
559 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
560 const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
561 const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
562 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
563 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
564 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
565 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
566 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
567 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
568 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
569 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
570 const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
571 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
572 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
573 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
574 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
575 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
576 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
578 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
579 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
580 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
581 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
582 const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
583 const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
584 const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
585 const char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
586 const char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
587 const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
588 const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
589 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
590 const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
592 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
593 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
594 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
596 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
598 /** module initialization */
599 int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
600 void ssl_init_Engine(server_rec *, apr_pool_t *);
601 void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
602 void ssl_init_CheckServers(server_rec *, apr_pool_t *);
604 *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
605 void ssl_init_Child(apr_pool_t *, server_rec *);
606 apr_status_t ssl_init_ModuleKill(void *data);
608 /** Apache API hooks */
609 int ssl_hook_Auth(request_rec *);
610 int ssl_hook_UserCheck(request_rec *);
611 int ssl_hook_Access(request_rec *);
612 int ssl_hook_Fixup(request_rec *);
613 int ssl_hook_ReadReq(request_rec *);
614 int ssl_hook_Upgrade(request_rec *);
615 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
617 /** Apache authz providers */
618 extern const authz_provider ssl_authz_provider_require_ssl;
619 extern const authz_provider ssl_authz_provider_verify_client;
620 extern const authz_provider ssl_authz_provider_sslrequire;
622 /** OpenSSL callbacks */
623 RSA *ssl_callback_TmpRSA(SSL *, int, int);
624 DH *ssl_callback_TmpDH(SSL *, int, int);
625 #ifndef OPENSSL_NO_EC
626 EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
627 #endif /* SSL_LIBRARY_VERSION */
628 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
629 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
630 int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
631 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
632 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
633 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
634 void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
635 #ifndef OPENSSL_NO_TLSEXT
636 int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
639 /** Session Cache Support */
640 void ssl_scache_init(server_rec *, apr_pool_t *);
641 void ssl_scache_status_register(apr_pool_t *p);
642 void ssl_scache_kill(server_rec *);
643 BOOL ssl_scache_store(server_rec *, UCHAR *, int,
644 apr_time_t, SSL_SESSION *, apr_pool_t *);
645 SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
646 void ssl_scache_remove(server_rec *, UCHAR *, int,
650 int ssl_proxy_enable(conn_rec *c);
651 int ssl_engine_disable(conn_rec *c);
653 /** OCSP Stapling Support */
654 #ifdef HAVE_OCSP_STAPLING
655 const char *ssl_cmd_SSLStaplingCache(cmd_parms *, void *, const char *);
656 const char *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
657 const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
658 const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
659 const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
660 const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
661 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
662 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
663 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
664 const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
665 void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
666 void ssl_stapling_ex_init(void);
667 int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
/** I/O filter layer */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);
/* BIO callback; presumably used for I/O tracing -- confirm in the
 * definition. */
long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);

/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
 * to allow an SSL renegotiation to take place.  'maxlen' caps how many
 * bytes of request body are set aside; presumably the caller passes the
 * per-directory nRenegBufferSize (SSLRenegBufferSize), which bounds the
 * memory a single client can make the server hold across a
 * renegotiation.  The meaning of the int return value is not visible
 * here -- see the definition. */
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
680 int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
682 /** Utility Functions */
683 char *ssl_util_vhostid(apr_pool_t *, server_rec *);
684 apr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
685 const char * const *);
686 void ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
687 char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
688 const char * const *);
689 BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
690 ssl_algo_t ssl_util_algotypeof(X509 *, EVP_PKEY *);
691 char *ssl_util_algotypestr(ssl_algo_t);
692 void ssl_util_thread_setup(apr_pool_t *);
693 int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
695 /** Pass Phrase Support */
696 void ssl_pphrase_Handle(server_rec *, apr_pool_t *);
698 /** Diffie-Hellman Parameter Support */
699 DH *ssl_dh_GetTmpParam(int);
700 DH *ssl_dh_GetParamFromFile(char *);
702 unsigned char *ssl_asn1_table_set(apr_hash_t *table,
706 ssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
709 void ssl_asn1_table_unset(apr_hash_t *table,
712 const char *ssl_asn1_keystr(int keytype);
714 const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
718 STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7);
721 int ssl_mutex_init(server_rec *, apr_pool_t *);
722 int ssl_mutex_reinit(server_rec *, apr_pool_t *);
723 int ssl_mutex_on(server_rec *);
724 int ssl_mutex_off(server_rec *);
726 int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
/* mutex type names for Mutex directive: the names under which the
 * session-cache and OCSP-stapling global mutexes (SSLModConfigRec.pMutex
 * and stapling_mutex, see ssl_mutex_init / ssl_stapling_mutex_reinit)
 * can be configured by the administrator. */
#define SSL_CACHE_MUTEX_TYPE    "ssl-cache"
#define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"
732 /** Logfile Support */
734 void ssl_log_ssl_error(const char *, int, int, server_rec *);
/* ssl_log_cxerror is a wrapper for ap_log_cerror which takes a
 * certificate as an additional argument and appends details of that
 * cert to the log message. All other arguments interpreted exactly
 * as ap_log_cerror.
 *
 * 'file' and 'line' identify the call site (pass SSLLOG_MARK below);
 * 'level' is the log level, 'rv' the status to report, 'c' the
 * connection and 'cert' the certificate to describe.  The format
 * attribute makes the compiler check 'format' (argument 7) against the
 * variadic arguments (from 8 on), so 'format' must always be a string
 * literal -- never text derived from the peer or the certificate. */
void ssl_log_cxerror(const char *file, int line, int level,
                     apr_status_t rv, conn_rec *c, X509 *cert,
                     const char *format, ...)
                     __attribute__((format(printf,7,8)));

/* Expands to the (file, line) pair expected as the first two
 * arguments of ssl_log_cxerror. */
#define SSLLOG_MARK __FILE__,__LINE__
749 /* Register variables for the lifetime of the process pool 'p'. */
750 void ssl_var_register(apr_pool_t *p);
751 char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
752 apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
754 void ssl_var_log_config_register(apr_pool_t *p);
756 /* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
757 * allocating from 'p': */
758 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
761 /* Perform OCSP validation of the current cert in the given context.
762 * Returns non-zero on success or zero on failure. On failure, the
763 * context error code is set. */
764 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
765 server_rec *s, conn_rec *c, apr_pool_t *pool);
767 /* OCSP helper interface; dispatches the given OCSP request to the
768 * responder at the given URI. Returns the decoded OCSP response
769 * object, or NULL on error (in which case, errors will have been
770 * logged). Pool 'p' is used for temporary allocations. */
771 OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
772 apr_interval_time_t timeout,
773 OCSP_REQUEST *request,
774 conn_rec *c, apr_pool_t *p);
777 #endif /* SSL_PRIVATE_H */