#include <assert.h>
#include <apr_lib.h>
#include <apr_strings.h>
#include <apr_network_io.h>
#include <httpd.h>
#include <http_core.h>
#include <http_log.h>
#include <http_protocol.h>
#include <http_ssl.h>
#include <http_vhost.h>
#include <http_main.h>
#include <ap_socache.h>
#include <rustls.h>
#include "tls_proto.h"
#include "tls_cert.h"
#include "tls_conf.h"
#include "tls_core.h"
#include "tls_ocsp.h"
#include "tls_util.h"
#include "tls_cache.h"
#include "tls_var.h"
| tls_conf_conn_t * | tls_conf_conn_get (conn_rec *c) |
| |
| void | tls_conf_conn_set (conn_rec *c, tls_conf_conn_t *cc) |
| |
| int | tls_conn_check_ssl (conn_rec *c) |
| |
| static int | we_listen_on (tls_conf_global_t *gc, server_rec *s, tls_conf_server_t *sc) |
| |
| static apr_status_t | tls_core_free (void *data) |
| |
| static apr_status_t | load_certified_keys (apr_array_header_t *keys, server_rec *s, apr_array_header_t *cert_specs, tls_cert_reg_t *cert_reg) |
| |
| static apr_status_t | use_local_key (conn_rec *c, const char *cert_pem, const char *pkey_pem) |
| |
| static void | add_file_specs (apr_array_header_t *certificates, apr_pool_t *p, apr_array_header_t *cert_files, apr_array_header_t *key_files) |
| |
| static apr_status_t | calc_ciphers (apr_pool_t *pool, server_rec *s, tls_conf_global_t *gc, const char *proxy, apr_array_header_t *pref_ciphers, apr_array_header_t *supp_ciphers, const apr_array_header_t **pciphers) |
| |
| static apr_status_t | get_server_ciphersuites (const apr_array_header_t **pciphersuites, apr_pool_t *pool, tls_conf_server_t *sc) |
| |
| static apr_array_header_t * | complete_cert_specs (apr_pool_t *p, tls_conf_server_t *sc) |
| |
| static const rustls_certified_key * | select_certified_key (void *userdata, const rustls_client_hello *hello) |
| |
| static apr_status_t | server_conf_setup (apr_pool_t *p, apr_pool_t *ptemp, tls_conf_server_t *sc, tls_conf_global_t *gc) |
| |
| static apr_status_t | get_proxy_ciphers (const apr_array_header_t **pciphersuites, apr_pool_t *pool, tls_conf_proxy_t *pc) |
| |
| static apr_status_t | proxy_conf_setup (apr_pool_t *p, apr_pool_t *ptemp, tls_conf_proxy_t *pc, tls_conf_global_t *gc) |
| |
| static const rustls_certified_key * | extract_client_hello_values (void *userdata, const rustls_client_hello *hello) |
| |
| static apr_status_t | setup_hello_config (apr_pool_t *p, server_rec *base_server, tls_conf_global_t *gc) |
| |
| static apr_status_t | init_incoming (apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server) |
| |
| static apr_status_t | init_outgoing (apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server) |
| |
| apr_status_t | tls_core_init (apr_pool_t *p, apr_pool_t *ptemp, server_rec *base_server) |
| |
| static apr_status_t | tls_core_conn_free (void *data) |
| |
| static tls_conf_conn_t * | cc_get_or_make (conn_rec *c) |
| |
| void | tls_core_conn_disable (conn_rec *c) |
| |
| void | tls_core_conn_bind (conn_rec *c, ap_conf_vector_t *dir_conf) |
| |
| static apr_status_t | init_outgoing_connection (conn_rec *c) |
| |
| int | tls_core_pre_conn_init (conn_rec *c) |
| |
| apr_status_t | tls_core_conn_init (conn_rec *c) |
| |
| static int | find_vhost (void *sni_hostname, conn_rec *c, server_rec *s) |
| |
| static apr_status_t | select_application_protocol (conn_rec *c, server_rec *s, rustls_server_config_builder *builder) |
| |
| static apr_status_t | build_server_connection (rustls_connection **pconnection, const rustls_server_config **pconfig, conn_rec *c) |
| |
| apr_status_t | tls_core_conn_seen_client_hello (conn_rec *c) |
| |
| apr_status_t | tls_core_conn_post_handshake (conn_rec *c) |
| |
| static int | tls_conn_compatible_for (tls_conf_conn_t *cc, server_rec *other) |
| |
| int | tls_core_request_check (request_rec *r) |
| |
| apr_status_t | tls_core_error (conn_rec *c, rustls_result rr, const char **perrstr) |
| |
| int | tls_core_setup_outgoing (conn_rec *c) |
| |
◆ add_file_specs()
◆ build_server_connection()
◆ calc_ciphers()
◆ cc_get_or_make()
◆ complete_cert_specs()
◆ extract_client_hello_values()
◆ find_vhost()
◆ get_proxy_ciphers()
◆ get_server_ciphersuites()
◆ init_incoming()
◆ init_outgoing()
◆ init_outgoing_connection()
◆ load_certified_keys()
◆ proxy_conf_setup()
◆ select_application_protocol()
◆ select_certified_key()
◆ server_conf_setup()
◆ setup_hello_config()
◆ tls_conf_conn_get()
◆ tls_conf_conn_set()
◆ tls_conn_check_ssl()
< Module has handled this stage.
< Module declines to handle
Definition at line 55 of file tls_core.c.
◆ tls_conn_compatible_for()
Return != 0 if the connection can also serve requests for server <other>.
Definition at line 1314 of file tls_core.c.
◆ tls_core_conn_bind()
Supply a directory configuration for the connection to work with. This may be NULL. This can be called several times during the lifetime of a connection and must not change the current TLS state.
- Parameters
-
| c | the connection |
| dir_conf | optional directory configuration that applies |
Definition at line 754 of file tls_core.c.
◆ tls_core_conn_disable()
void tls_core_conn_disable(conn_rec *c)
Disable TLS on a new connection. Will do nothing on already initialized connections.
- Parameters
-
Definition at line 745 of file tls_core.c.
◆ tls_core_conn_free()
◆ tls_core_conn_init()
Initialize the module for a TLS enabled connection.
- Parameters
-
Definition at line 934 of file tls_core.c.
◆ tls_core_conn_post_handshake()
The TLS handshake for the connection has been successfully performed. This means that TLS related properties, such as TLS version and cipher, are known and the props in tls_conf_conn_t of the connection can be set.
Definition at line 1257 of file tls_core.c.
◆ tls_core_conn_seen_client_hello()
Called when the ClientHello has been received and values from it have been extracted into the tls_conf_conn_t of the connection.
Decides:
- which server_rec this connection is for (SNI)
- which application protocol to use (ALPN)
This may be unsuccessful for several reasons: the SNI from the client may not be known, the selected server may have no certificates available, etc. On success, a proper rustls_connection will have been created and set in the tls_conf_conn_t of the connection.
Definition at line 1186 of file tls_core.c.
◆ tls_core_error()
A Rustls error happened while processing the connection. Look up an error description, determine the apr_status_t to use for it and remember this as the last error in the tls_conf_conn_t of the connection.
Definition at line 1384 of file tls_core.c.
◆ tls_core_free()
◆ tls_core_init()
Initialize the module's global and server specific settings. This runs in Apache's "post-config" phase, meaning the configuration has been read and checked for syntactic and other easily verifiable errors and now it is time to load everything in and make it ready for traffic.
<p> a memory pool that stays with us the whole time until the server stops/reloads. <ptemp> a temporary pool used as a scratch buffer that will be destroyed shortly after. <base_server> the server for the global configuration, which links via ->next to all contained virtual hosts configured.
Definition at line 665 of file tls_core.c.
◆ tls_core_pre_conn_init()
Initialize the tls_conf_conn_t for the connection and decide if TLS is enabled or not.
- Returns
- OK if enabled, DECLINED otherwise
< Module has handled this stage.
< Module declines to handle
Definition at line 904 of file tls_core.c.
◆ tls_core_request_check()
After a request has been read, but before processing is started, we check if everything looks good to us:
- was an SNI hostname provided by the client when we have vhosts to choose from? If not, we deny the request.
- if the SNI hostname and the request host are not the same, are they - from a TLS point of view - 'compatible' enough? For example, if one server requires client certificates and the other does not (or with different settings), such a request will also be denied.
Returns DECLINED if everything is ok, otherwise an HTTP response code to generate an error page for.
< Module declines to handle
Definition at line 1348 of file tls_core.c.
◆ tls_core_setup_outgoing()
Determine if we handle the TLS for an outgoing connection or not.
- Parameters
-
- Returns
- OK if we handle the TLS, DECLINED otherwise.
< Module declines to handle
< Module has handled this stage.
< Module has handled this stage.
< Module has handled this stage.
Definition at line 1397 of file tls_core.c.
◆ use_local_key()
◆ we_listen_on()
◆ aplog_module_index
static int * const aplog_module_index = &(tls_module.module_index)