Apache HTTPD
ssl.c
Go to the documentation of this file.
1/* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/*
18 * ssl.c --- routines for SSL/TLS server infrastructure.
19 *
20 */
21
22#include "apr.h"
23#include "apr_strings.h"
24#include "apr_buckets.h"
25#include "apr_lib.h"
26#include "apr_signal.h"
27#include "apr_strmatch.h"
28
29#define APR_WANT_STDIO /* for sscanf */
30#define APR_WANT_STRFUNC
31#define APR_WANT_MEMFUNC
32#include "apr_want.h"
33
34#include "util_filter.h"
35#include "ap_config.h"
36#include "httpd.h"
37#include "http_config.h"
38#include "http_core.h"
39#include "http_connection.h"
40#include "http_protocol.h"
41#include "http_request.h"
42#include "http_main.h"
43#include "http_ssl.h"
44#include "http_log.h" /* For errors detected in basic auth common
45 * support code... */
46#include "mod_core.h"
47
48
49#if APR_HAVE_STDARG_H
50#include <stdarg.h>
51#endif
52#if APR_HAVE_UNISTD_H
53#include <unistd.h>
54#endif
55
56/* we know core's module_index is 0 */
57#undef APLOG_MODULE_INDEX
58#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
59
60APR_HOOK_STRUCT(
61 APR_HOOK_LINK(ssl_conn_is_ssl)
62 APR_HOOK_LINK(ssl_var_lookup)
63 APR_HOOK_LINK(ssl_add_cert_files)
64 APR_HOOK_LINK(ssl_add_fallback_cert_files)
65 APR_HOOK_LINK(ssl_answer_challenge)
66 APR_HOOK_LINK(ssl_ocsp_prime_hook)
67 APR_HOOK_LINK(ssl_ocsp_get_resp_hook)
68 APR_HOOK_LINK(ssl_bind_outgoing)
69)
70
71APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
72static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https;
73APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
74static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *module_ssl_proxy_enable;
75APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
76static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *module_ssl_engine_disable;
77APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
78 ap_conf_vector_t *,
79 int proxy, int enable));
80static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *module_ssl_engine_set;
81
82
83static int ssl_is_https(conn_rec *c)
84{
85 /* Someone retrieved the optional function., not knowing about the
86 * new API. We redirect them to what they should have invoked. */
87 return ap_ssl_conn_is_ssl(c);
88}
89
90AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c)
91{
92 int r = (ap_run_ssl_conn_is_ssl(c) == OK);
93 if (r == 0 && module_ssl_is_https) {
94 r = module_ssl_is_https(c);
95 }
96 return r;
97}
98
99static int ssl_engine_set(conn_rec *c,
100 ap_conf_vector_t *per_dir_config,
101 int proxy, int enable)
102{
103 if (proxy) {
104 return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
105 }
106 else if (module_ssl_engine_set) {
107 return module_ssl_engine_set(c, per_dir_config, 0, enable);
108 }
109 else if (enable && module_ssl_proxy_enable) {
110 return module_ssl_proxy_enable(c);
111 }
112 else if (!enable && module_ssl_engine_disable) {
113 return module_ssl_engine_disable(c);
114 }
115 return 0;
116}
117
118static int ssl_proxy_enable(conn_rec *c)
119{
120 return ap_ssl_bind_outgoing(c, NULL, 1);
121}
122
123static int ssl_engine_disable(conn_rec *c)
124{
125 return ap_ssl_bind_outgoing(c, NULL, 0);
126}
127
128AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
129 int enable_ssl)
130{
131 int rv, enabled = 0;
132
133 c->outgoing = 1;
134 rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl);
135 enabled = (rv == OK);
136 if (enable_ssl && !enabled) {
137 /* the hooks did not take over. Is there an old skool optional that will? */
138 if (module_ssl_engine_set) {
139 enabled = module_ssl_engine_set(c, dir_conf, 1, 1);
140 }
141 else if (module_ssl_proxy_enable) {
142 enabled = module_ssl_proxy_enable(c);
143 }
144 }
145 else {
146 /* !enable_ssl || enabled
147 * any existing optional funcs need to not enable here */
148 if (module_ssl_engine_set) {
149 module_ssl_engine_set(c, dir_conf, 1, 0);
150 }
151 else if (module_ssl_engine_disable) {
152 module_ssl_engine_disable(c);
153 }
154 }
155 if (enable_ssl && !enabled) {
156 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0,
157 c, APLOGNO(01961) " failed to enable ssl support "
158 "[Hint: if using mod_ssl, see SSLProxyEngine]");
159 return DECLINED;
160 }
161 return OK;
162}
163
170
171APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup,
172 (apr_pool_t *p, server_rec *s,
173 conn_rec *c, request_rec *r,
174 const char *name));
175static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *module_ssl_var_lookup;
176
177static const char *ssl_var_lookup(apr_pool_t *p, server_rec *s,
178 conn_rec *c, request_rec *r,
179 const char *name)
180{
181 /* Someone retrieved the optional function., not knowing about the
182 * new API. We redirect them to what they should have invoked. */
183 return ap_ssl_var_lookup(p, s, c, r, name);
184}
185
186AP_DECLARE(const char *) ap_ssl_var_lookup(apr_pool_t *p, server_rec *s,
187 conn_rec *c, request_rec *r,
188 const char *name)
189{
190 const char *val = ap_run_ssl_var_lookup(p, s, c, r, name);
191 if (val == NULL && module_ssl_var_lookup) {
192 val = module_ssl_var_lookup(p, s, c, r, name);
193 }
194 return val;
195}
196
222
223AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p,
224 apr_array_header_t *cert_files,
225 apr_array_header_t *key_files)
226{
227 int rv = ap_run_ssl_add_cert_files(s, p, cert_files, key_files);
228 return (rv == OK || rv == DECLINED)? APR_SUCCESS : APR_EGENERAL;
229}
230
231AP_DECLARE(apr_status_t) ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p,
232 apr_array_header_t *cert_files,
233 apr_array_header_t *key_files)
234{
235 int rv = ap_run_ssl_add_fallback_cert_files(s, p, cert_files, key_files);
236 return (rv == OK || rv == DECLINED)? APR_SUCCESS : APR_EGENERAL;
237}
238
239AP_DECLARE(int) ap_ssl_answer_challenge(conn_rec *c, const char *server_name,
240 const char **pcert_pem, const char **pkey_pem)
241{
242 return (ap_run_ssl_answer_challenge(c, server_name, pcert_pem, pkey_pem) == OK);
243}
244
245AP_DECLARE(apr_status_t) ap_ssl_ocsp_prime(server_rec *s, apr_pool_t *p,
246 const char *id, apr_size_t id_len,
247 const char *pem)
248{
249 int rv = ap_run_ssl_ocsp_prime_hook(s, p, id, id_len, pem);
250 return rv == OK? APR_SUCCESS : (rv == DECLINED? APR_ENOENT : APR_EGENERAL);
251}
252
253AP_DECLARE(apr_status_t) ap_ssl_ocsp_get_resp(server_rec *s, conn_rec *c,
254 const char *id, apr_size_t id_len,
255 ap_ssl_ocsp_copy_resp *cb, void *userdata)
256{
257 int rv = ap_run_ssl_ocsp_get_resp_hook(s, c, id, id_len, cb, userdata);
258 return rv == OK? APR_SUCCESS : (rv == DECLINED? APR_ENOENT : APR_EGENERAL);
259}
260
261AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_conn_is_ssl,
262 (conn_rec *c), (c), DECLINED)
263AP_IMPLEMENT_HOOK_RUN_FIRST(const char *,ssl_var_lookup,
264 (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name),
265 (p, s, c, r, name), NULL)
266AP_IMPLEMENT_HOOK_RUN_ALL(int, ssl_add_cert_files,
267 (server_rec *s, apr_pool_t *p,
268 apr_array_header_t *cert_files, apr_array_header_t *key_files),
269 (s, p, cert_files, key_files), OK, DECLINED)
270AP_IMPLEMENT_HOOK_RUN_ALL(int, ssl_add_fallback_cert_files,
271 (server_rec *s, apr_pool_t *p,
272 apr_array_header_t *cert_files, apr_array_header_t *key_files),
273 (s, p, cert_files, key_files), OK, DECLINED)
274AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_answer_challenge,
275 (conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem),
276 (c, server_name, pcert_pem, pkey_pem), DECLINED)
277AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocsp_prime_hook,
278 (server_rec *s, apr_pool_t *p, const char *id, apr_size_t id_len, const char *pem),
279 (s, p, id, id_len, pem), DECLINED)
280AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocsp_get_resp_hook,
281 (server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
282 ap_ssl_ocsp_copy_resp *cb, void *userdata),
283 (s, c, id, id_len, cb, userdata), DECLINED)
284AP_IMPLEMENT_HOOK_RUN_FIRST(int,ssl_bind_outgoing,(conn_rec *c, ap_conf_vector_t *dir_conf, int require_ssl),
285 (c, dir_conf, require_ssl), DECLINED)
ap_config.h
Symbol export macros and hook functions.
AP_DECLARE
#define AP_DECLARE(type)
Definition ap_config.h:67
AP_IMPLEMENT_HOOK_RUN_ALL
#define AP_IMPLEMENT_HOOK_RUN_ALL(ret, name, args_decl, args_use, ok, decline)
Definition ap_hooks.h:117
AP_IMPLEMENT_HOOK_RUN_FIRST
#define AP_IMPLEMENT_HOOK_RUN_FIRST(ret, name, args_decl, args_use, decline)
Definition ap_hooks.h:137
apr_buckets.h
APR-UTIL Buckets/Bucket Brigades.
apr_lib.h
APR general purpose library routines.
apr_signal.h
APR Signal Handling.
apr_strings.h
APR Strings library.
apr_strmatch.h
APR-UTIL string matching routines.
apr_want.h
APR Standard Headers Support.
ap_conf_vector_t
struct ap_conf_vector_t ap_conf_vector_t
Definition http_config.h:509
r
request_rec * r
Definition http_config.h:1168
DECLINED
#define DECLINED
Definition httpd.h:457
OK
#define OK
Definition httpd.h:456
APLOGNO
#define APLOGNO(n)
Definition http_log.h:117
APLOG_ERR
#define APLOG_ERR
Definition http_log.h:67
ap_log_cerror
#define ap_log_cerror
Definition http_log.h:498
APLOG_MARK
#define APLOG_MARK
Definition http_log.h:283
ap_hook_get_ssl_bind_outgoing
apr_array_header_t * ap_hook_get_ssl_bind_outgoing(void)
Definition ssl.c:285
ap_ssl_ocsp_get_resp
apr_status_t ap_ssl_ocsp_get_resp(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len, ap_ssl_ocsp_copy_resp *cb, void *userdata)
Definition ssl.c:253
ap_run_ssl_conn_is_ssl
int ap_run_ssl_conn_is_ssl(conn_rec *c)
Definition ssl.c:262
ap_run_ssl_var_lookup
const char * ap_run_ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)
Definition ssl.c:265
ap_ssl_answer_challenge
int ap_ssl_answer_challenge(conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem)
Definition ssl.c:239
ap_ssl_bind_outgoing
int ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf, int enable_ssl)
Definition ssl.c:128
ap_run_ssl_add_cert_files
int ap_run_ssl_add_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:269
ap_run_ssl_ocsp_get_resp_hook
int ap_run_ssl_ocsp_get_resp_hook(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len, ap_ssl_ocsp_copy_resp *cb, void *userdata)
Definition ssl.c:283
ap_ssl_add_cert_files
apr_status_t ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:223
ap_setup_ssl_optional_fns
void ap_setup_ssl_optional_fns(apr_pool_t *pool)
Definition ssl.c:197
ap_run_ssl_add_fallback_cert_files
int ap_run_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:273
ap_ssl_var_lookup
const char * ap_ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)
Definition ssl.c:186
ap_run_ssl_bind_outgoing
int ap_run_ssl_bind_outgoing(conn_rec *c, ap_conf_vector_t *dir_conf, int require_ssl)
Definition ssl.c:285
ap_run_ssl_answer_challenge
int ap_run_ssl_answer_challenge(conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem)
Definition ssl.c:276
ap_run_ssl_ocsp_prime_hook
int ap_run_ssl_ocsp_prime_hook(server_rec *s, apr_pool_t *p, const char *id, apr_size_t id_len, const char *pem)
Definition ssl.c:279
ap_ssl_ocsp_prime
apr_status_t ap_ssl_ocsp_prime(server_rec *s, apr_pool_t *p, const char *id, apr_size_t id_len, const char *pem)
Definition ssl.c:245
ap_ssl_add_fallback_cert_files
apr_status_t ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files)
Definition ssl.c:231
ap_ssl_ocsp_copy_resp
void ap_ssl_ocsp_copy_resp(const unsigned char *der, apr_size_t der_len, void *userdata)
Definition http_ssl.h:271
ap_ssl_has_outgoing_handlers
int ap_ssl_has_outgoing_handlers(void)
Definition ssl.c:164
ap_ssl_conn_is_ssl
int ap_ssl_conn_is_ssl(conn_rec *c)
Definition ssl.c:90
APR_EGENERAL
#define APR_EGENERAL
Definition apr_errno.h:313
APR_ENOENT
#define APR_ENOENT
Definition apr_errno.h:662
enabled
int enabled
Definition apr_buckets.h:1580
APR_HOOK_LINK
#define APR_HOOK_LINK(name)
Definition apr_hooks.h:139
APR_HOOK_STRUCT
#define APR_HOOK_STRUCT(members)
Definition apr_hooks.h:135
APR_RETRIEVE_OPTIONAL_FN
#define APR_RETRIEVE_OPTIONAL_FN(name)
Definition apr_optional.h:84
APR_OPTIONAL_FN_TYPE
#define APR_OPTIONAL_FN_TYPE(name)
Definition apr_optional.h:42
APR_REGISTER_OPTIONAL_FN
#define APR_REGISTER_OPTIONAL_FN(name)
Definition apr_optional.h:70
APR_DECLARE_OPTIONAL_FN
#define APR_DECLARE_OPTIONAL_FN(ret, name, args)
Definition apr_optional.h:50
size
apr_size_t size
Definition apr_allocator.h:115
val
apr_uint32_t val
Definition apr_atomic.h:66
pool
const char int apr_pool_t * pool
Definition apr_cstr.h:84
APR_SUCCESS
#define APR_SUCCESS
Definition apr_errno.h:225
apr_status_t
int apr_status_t
Definition apr_errno.h:44
c
apr_vformatter_buff_t * c
Definition apr_lib.h:175
s
const char * s
Definition apr_strings.h:95
http_config.h
Apache Configuration.
http_connection.h
Apache connection library.
http_core.h
CORE HTTP Daemon.
http_log.h
Apache Logging library.
http_main.h
Command line options.
http_protocol.h
HTTP protocol handling.
http_request.h
Apache Request library.
http_ssl.h
SSL protocol handling.
httpd.h
HTTP Daemon routines.
p
apr_pool_t * p
Definition md_event.c:32
mod_core.h
mod_core private header file
hooks
static const char *const hooks[]
Definition mod_log_debug.c:39
NULL
return NULL
Definition mod_so.c:359
ssl_engine_set
static int ssl_engine_set(conn_rec *c, ap_conf_vector_t *per_dir_config, int proxy, int enable)
Definition ssl.c:99
module_ssl_is_https
static apr_OFN_ssl_is_https_t * module_ssl_is_https
Definition ssl.c:72
ssl_is_https
static int ssl_is_https(conn_rec *c)
Definition ssl.c:83
ssl_var_lookup
static const char * ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)
Definition ssl.c:177
module_ssl_engine_set
static apr_OFN_ssl_engine_set_t * module_ssl_engine_set
Definition ssl.c:80
module_ssl_proxy_enable
static apr_OFN_ssl_proxy_enable_t * module_ssl_proxy_enable
Definition ssl.c:74
ssl_engine_disable
static int ssl_engine_disable(conn_rec *c)
Definition ssl.c:123
module_ssl_engine_disable
static apr_OFN_ssl_engine_disable_t * module_ssl_engine_disable
Definition ssl.c:76
ssl_proxy_enable
static int ssl_proxy_enable(conn_rec *c)
Definition ssl.c:118
module_ssl_var_lookup
static apr_OFN_ssl_var_lookup_t * module_ssl_var_lookup
Definition ssl.c:175
name
char * name
Definition ssl_engine_vars.c:563
ssl_conn_is_ssl
static int ssl_conn_is_ssl(conn_rec *c)
Definition ssl_engine_vars.c:68
apr_array_header_t
Definition apr_tables.h:62
apr_pool_t
Definition apr_pools.c:562
conn_rec
Structure to store things which are per connection.
Definition httpd.h:1152
request_rec
A structure that represents the current request.
Definition httpd.h:845
server_rec
A structure to store information for each virtual server.
Definition httpd.h:1322
util_filter.h
Apache filter library.
Generated by doxygen 1.9.8