diff options
-rw-r--r-- | CMakeLists.txt | 1 | ||||
-rw-r--r-- | build/nw_export.inc | 1 | ||||
-rw-r--r-- | changes-entries/core_httpd_ssl.txt | 2 | ||||
-rw-r--r-- | include/ap_mmn.h | 3 | ||||
-rw-r--r-- | include/http_protocol.h | 156 | ||||
-rw-r--r-- | include/http_ssl.h | 199 | ||||
-rw-r--r-- | libhttpd.dsp | 8 | ||||
-rw-r--r-- | modules/filters/mod_deflate.c | 1 | ||||
-rw-r--r-- | modules/http2/h2_alt_svc.c | 1 | ||||
-rw-r--r-- | modules/http2/h2_conn_io.c | 1 | ||||
-rw-r--r-- | modules/http2/h2_h2.c | 1 | ||||
-rw-r--r-- | modules/http2/h2_switch.c | 1 | ||||
-rw-r--r-- | modules/loggers/mod_log_json.c | 1 | ||||
-rw-r--r-- | modules/mappers/mod_rewrite.c | 1 | ||||
-rw-r--r-- | modules/md/mod_md.c | 1 | ||||
-rw-r--r-- | modules/metadata/mod_headers.c | 1 | ||||
-rw-r--r-- | modules/proxy/mod_proxy.h | 1 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 1 | ||||
-rw-r--r-- | server/Makefile.in | 2 | ||||
-rw-r--r-- | server/core.c | 1 | ||||
-rw-r--r-- | server/protocol.c | 103 | ||||
-rw-r--r-- | server/ssl.c | 164 | ||||
-rw-r--r-- | server/util_expr_eval.c | 1 |
23 files changed, 391 insertions, 261 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index fe1fe09e5d..b8259109fb 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -712,6 +712,7 @@ SET(LIBHTTPD_SOURCES server/protocol.c server/provider.c server/request.c + server/ssl.c server/scoreboard.c server/util.c server/util_cfgtree.c diff --git a/build/nw_export.inc b/build/nw_export.inc index 0319465b4d..af8d8fe80a 100644 --- a/build/nw_export.inc +++ b/build/nw_export.inc @@ -54,6 +54,7 @@ #include "http_main.h" #include "http_protocol.h" #include "http_request.h" +#include "http_ssl.h" #include "http_vhost.h" #include "mpm_common.h" #include "ap_regex.h" diff --git a/changes-entries/core_httpd_ssl.txt b/changes-entries/core_httpd_ssl.txt new file mode 100644 index 0000000000..4b1494daad --- /dev/null +++ b/changes-entries/core_httpd_ssl.txt @@ -0,0 +1,2 @@ + *) core: provide ap_ssl_* functions in new http_ssl.h header file. + [Stefan Eissing] diff --git a/include/ap_mmn.h b/include/ap_mmn.h index 1106c2f37e..d1435ff9a7 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -666,6 +666,7 @@ * 20201214.0 (2.5.1-dev) Axe struct core_net_rec * 20201214.1 (2.5.1-dev) Add ap_ssl_conn_is_ssl()/ap_ssl_var_lookup() and hooks * 20201214.2 (2.5.1-dev) Add ap_ssl_add_cert_files, ap_ssl_add_fallback_cert_files + * 20201214.3 (2.5.1-dev) Move ap_ssl_* into new http_ssl.h header file */ #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */ @@ -673,7 +674,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20201214 #endif -#define MODULE_MAGIC_NUMBER_MINOR 2 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 3 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/http_protocol.h b/include/http_protocol.h index 30faa131a9..9c9cb952b2 100644 --- a/include/http_protocol.h +++ b/include/http_protocol.h 
@@ -1048,162 +1048,6 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub_r); AP_DECLARE(void) ap_send_interim_response(request_rec *r, int send_headers); -/** - * Setup optional functions for ssl related queries so that functions - * registered by old-style SSL module functions are interrogated by the - * the new ap_is_ssl() and friends. Installs own optional functions, so that - * old modules looking for these find one and get the correct results (shadowing). - * - * Needs to run in core's very early POST_CONFIG hook. - * Modules providing such functions register their own optionals during - * register_hooks(). Modules using such functions retrieve them often - * in their own post-config or in the even later retrieval hook. When shadowing - * other modules functions, core's early post-config is a good time. - * @param pool The pool to use for allocations - */ -AP_DECLARE(void) ap_setup_ssl_optional_fns(apr_pool_t *pool); - -/** - * This hook allows modules that manage SSL connection to register their - * inquiry function for checking if a connection is using SSL from them. - * @param c The current connection - * @return OK if the connection is using SSL, DECLINED if not. - * @ingroup hooks - */ -AP_DECLARE_HOOK(int,ssl_conn_is_ssl,(conn_rec *c)) - -/** - * This hook allows modules to look up SSL related variables for a - * server/connection/request, depending on what they inquire. Some - * variables will only be available for a connection/request, for example. 
- * @param p The pool to allocate a returned value in, MUST be provided - * @param s The server to inquire a value for, maybe NULL - * @param c The current connection, maybe NULL - * @param r The current request, maybe NULL - * @param name The name of the variable to retrieve, MUST be provided - * @return value or the variable or NULL if not provided/available - * @ingroup hooks - */ -AP_DECLARE_HOOK(const char *,ssl_var_lookup, - (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name)) - -/** - * Return != 0 iff the connection is encrypted with SSL. - * @param c the connection - */ -AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c); - -/** - * Lookup an SSL related variable for the server/connection/request or a global - * value when all those parameters are set to NULL. Pool and name must always be - * provided and the returned value (if not NULL) will be allocated fromt he pool. - * @param p The pool to allocate a returned value in, MUST be provided - * @param s The server to inquire a value for, maybe NULL - * @param c The current connection, maybe NULL - * @param r The current request, maybe NULL - * @param name The name of the variable to retrieve, MUST be provided - * @return value or the variable or NULL if not provided/available - */ -AP_DECLARE(const char *) ap_ssl_var_lookup(apr_pool_t *p, server_rec *s, - conn_rec *c, request_rec *r, - const char *name); - -/** - * Register to provide certificate/key files for servers. Certificate files are - * exepcted to contain the certificate chain, beginning with the server's certificate, - * excluding the trust anchor, in PEM format. - * They must be accompanied by a private key file, also in PEM format. 
- * - * @param s the server certificates are collected for - * @param p the pool to use for allocations - * @param cert_file and array of const char* with the path to the certificate chain - * @param key_file and array of const char* with the path to the private key file - * @return OK if files were added, DECLINED if not, or other for error. - */ - -AP_DECLARE_HOOK(int, ssl_add_cert_files, (server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, - apr_array_header_t *key_files)) - -/** - * Collect certificate/key files from all providers registered. This includes - * providers registered at the global 'ssl_add_cert_files', as well as those - * installed in the OPTIONAL 'ssl_add_cert_files' hook as may be provided by - * ssl modules. - * - * @param s the server certificates are collected for - * @param p the pool to use for allocations - * @param cert_file and array of const char* with the path to the certificate chain - * @param key_file and array of const char* with the path to the private key file - */ -AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, - apr_array_header_t *key_files); - - -/** - * Register to provide 'fallback' certificates in case no 'real' certificates - * have been configured/added by other providers. Modules using these certificates - * are encouraged to answer requests to this server with a 503 response code. - * - * @param s the server certificates are collected for - * @param p the pool to use for allocations - * @param cert_file and array of const char* with the path to the certificate chain - * @param key_file and array of const char* with the path to the private key file - * @return OK if files were added, DECLINED if not, or other for error. 
- */ -AP_DECLARE_HOOK(int, ssl_add_fallback_cert_files, (server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, - apr_array_header_t *key_files)) - -/** - * Collect 'fallback' certificate/key files from all registered providers, either - * in the global 'ssl_add_fallback_cert_files' hook or the optional one of similar - * name as provided by mod_ssl and sorts. - * Certificates obtained this way are commonly self signed, temporary crutches. - * To be used to the time it takes to retrieve a 'read', trusted certificate. - * A module using fallbacks is encouraged to answer all requests with a 503. - * - * @param s the server certificates are collected for - * @param p the pool to use for allocations - * @param cert_file and array of const char* with the path to the certificate chain - * @param key_file and array of const char* with the path to the private key file - */ -AP_DECLARE(apr_status_t) ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, - apr_array_header_t *key_files); - - -/** - * On TLS connections that do not relate to a configured virtual host - * allow modules to provide a certificate and key to be used on the connection. - * - * A Certificate PEM added must be accompanied by a private key PEM. The private - * key PEM may be given by a NULL pointer, in which case it is expected to be found in - * the certificate PEM string. - */ -AP_DECLARE_HOOK(int, ssl_answer_challenge, (conn_rec *c, const char *server_name, - const char **pcert_pem, const char **pkey_pem)) - -/** - * Returns != 0 iff the connection is a challenge to the server, for example - * as defined in RFC 8555 for the 'tls-alpn-01' domain verification, and needs - * a specific certificate as answer in the handshake. - * - * ALPN protocol negotiation via the hooks 'protocol_propose' and 'protocol_switch' - * need to have run before this call is made. - * - * Certificate PEMs added must be accompanied by a private key PEM. 
The private - * key PEM may be given by a NULL pointer, in which case it is expected to be found in - * the certificate PEM string. - * - * A certificate provided this way needs to replace any other certificates selected - * by configuration or 'ssl_add_cert_pems` on this connection. - */ -AP_DECLARE(int) ap_ssl_answer_challenge(conn_rec *c, const char *server_name, - const char **pcert_pem, const char **pkey_pem); - - #ifdef __cplusplus } #endif diff --git a/include/http_ssl.h b/include/http_ssl.h new file mode 100644 index 0000000000..90d672eda2 --- /dev/null +++ b/include/http_ssl.h 
@@ -0,0 +1,199 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file http_ssl.h
+ * @brief SSL protocol handling
+ *
+ * @defgroup APACHE_CORE_PROTO SSL Protocol Handling
+ * @ingroup APACHE_CORE
+ * @{
+ */
+
+#ifndef APACHE_HTTP_SSL_H
+#define APACHE_HTTP_SSL_H
+
+#include "httpd.h"
+#include "apr_portable.h"
+#include "apr_mmap.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * This hook allows modules that manage SSL connection to register their
+ * inquiry function for checking if a connection is using SSL from them.
+ * @param c The current connection
+ * @return OK if the connection is using SSL, DECLINED if not.
+ * @ingroup hooks
+ */
+AP_DECLARE_HOOK(int,ssl_conn_is_ssl,(conn_rec *c))
+
+/**
+ * Return != 0 iff the connection is encrypted with SSL.
+ * @param c the connection
+ */
+AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c);
+
+/**
+ * This hook allows modules to look up SSL related variables for a
+ * server/connection/request, depending on what they inquire. Some
+ * variables will only be available for a connection/request, for example.
+ * @param p The pool to allocate a returned value in, MUST be provided
+ * @param s The server to inquire a value for, maybe NULL
+ * @param c The current connection, maybe NULL
+ * @param r The current request, maybe NULL
+ * @param name The name of the variable to retrieve, MUST be provided
+ * @return value or the variable or NULL if not provided/available
+ * @ingroup hooks
+ */
+AP_DECLARE_HOOK(const char *,ssl_var_lookup,
+ (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name))
+
+/**
+ * Lookup an SSL related variable for the server/connection/request or a global
+ * value when all those parameters are set to NULL. Pool and name must always be
+ * provided and the returned value (if not NULL) will be allocated fromt he pool.
+ * @param p The pool to allocate a returned value in, MUST be provided
+ * @param s The server to inquire a value for, maybe NULL
+ * @param c The current connection, maybe NULL
+ * @param r The current request, maybe NULL
+ * @param name The name of the variable to retrieve, MUST be provided
+ * @return value or the variable or NULL if not provided/available
+ */
+AP_DECLARE(const char *) ap_ssl_var_lookup(apr_pool_t *p, server_rec *s,
+ conn_rec *c, request_rec *r,
+ const char *name);
+
+/**
+ * Register to provide certificate/key files for servers. Certificate files are
+ * exepcted to contain the certificate chain, beginning with the server's certificate,
+ * excluding the trust anchor, in PEM format.
+ * They must be accompanied by a private key file, also in PEM format.
+ *
+ * @param s the server certificates are collected for
+ * @param p the pool to use for allocations
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ * @return OK if files were added, DECLINED if not, or other for error.
+ */
+
+AP_DECLARE_HOOK(int, ssl_add_cert_files, (server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files,
+ apr_array_header_t *key_files))
+
+/**
+ * Collect certificate/key files from all providers registered. This includes
+ * providers registered at the global 'ssl_add_cert_files', as well as those
+ * installed in the OPTIONAL 'ssl_add_cert_files' hook as may be provided by
+ * ssl modules.
+ *
+ * @param s the server certificates are collected for
+ * @param p the pool to use for allocations
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ */
+AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files,
+ apr_array_header_t *key_files);
+
+
+/**
+ * Register to provide 'fallback' certificates in case no 'real' certificates
+ * have been configured/added by other providers. Modules using these certificates
+ * are encouraged to answer requests to this server with a 503 response code.
+ *
+ * @param s the server certificates are collected for
+ * @param p the pool to use for allocations
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ * @return OK if files were added, DECLINED if not, or other for error.
+ */
+AP_DECLARE_HOOK(int, ssl_add_fallback_cert_files, (server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files,
+ apr_array_header_t *key_files))
+
+/**
+ * Collect 'fallback' certificate/key files from all registered providers, either
+ * in the global 'ssl_add_fallback_cert_files' hook or the optional one of similar
+ * name as provided by mod_ssl and sorts.
+ * Certificates obtained this way are commonly self signed, temporary crutches.
+ * To be used to the time it takes to retrieve a 'read', trusted certificate.
+ * A module using fallbacks is encouraged to answer all requests with a 503.
+ *
+ * @param s the server certificates are collected for
+ * @param p the pool to use for allocations
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ */
+AP_DECLARE(apr_status_t) ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files,
+ apr_array_header_t *key_files);
+
+
+/**
+ * On TLS connections that do not relate to a configured virtual host
+ * allow modules to provide a certificate and key to be used on the connection.
+ *
+ * A Certificate PEM added must be accompanied by a private key PEM. The private
+ * key PEM may be given by a NULL pointer, in which case it is expected to be found in
+ * the certificate PEM string.
+ */
+AP_DECLARE_HOOK(int, ssl_answer_challenge, (conn_rec *c, const char *server_name,
+ const char **pcert_pem, const char **pkey_pem))
+
+/**
+ * Returns != 0 iff the connection is a challenge to the server, for example
+ * as defined in RFC 8555 for the 'tls-alpn-01' domain verification, and needs
+ * a specific certificate as answer in the handshake.
+ *
+ * ALPN protocol negotiation via the hooks 'protocol_propose' and 'protocol_switch'
+ * need to have run before this call is made.
+ *
+ * Certificate PEMs added must be accompanied by a private key PEM. The private
+ * key PEM may be given by a NULL pointer, in which case it is expected to be found in
+ * the certificate PEM string.
+ *
+ * A certificate provided this way needs to replace any other certificates selected
+ * by configuration or 'ssl_add_cert_pems` on this connection.
+ */
+AP_DECLARE(int) ap_ssl_answer_challenge(conn_rec *c, const char *server_name,
+ const char **pcert_pem, const char **pkey_pem);
+
+
+/**
+ * Setup optional functions for ssl related queries so that functions
+ * registered by old-style SSL module functions are interrogated by the
+ * the new ap_is_ssl() and friends. Installs own optional functions, so that
+ * old modules looking for these find one and get the correct results (shadowing).
+ *
+ * Needs to run in core's very early POST_CONFIG hook.
+ * Modules providing such functions register their own optionals during
+ * register_hooks(). Modules using such functions retrieve them often
+ * in their own post-config or in the even later retrieval hook. When shadowing
+ * other modules functions, core's early post-config is a good time.
+ * @param pool The pool to use for allocations
+ */
+AP_DECLARE(void) ap_setup_ssl_optional_fns(apr_pool_t *pool);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* !APACHE_HTTP_SSL_H */
+/** @} */
diff --git a/libhttpd.dsp b/libhttpd.dsp
index d3720c5a3b..f9a656ee3a 100644
--- a/libhttpd.dsp
+++ b/libhttpd.dsp
@@ -193,6 +193,10 @@ SOURCE=.\include\http_request.h # End Source File # Begin Source File +SOURCE=.\include\http_ssl.h +# End Source File +# Begin Source File + SOURCE=.\include\http_vhost.h # End Source File # Begin Source File
@@ -477,6 +481,10 @@ SOURCE=.\server\request.c # End Source File # Begin Source File +SOURCE=.\server\ssl.c +# End Source File +# Begin Source File + SOURCE=.\server\vhost.c # End Source File # End Group
diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
index d1a2c558e5..207617b352 100644
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -45,6 +45,7 @@ #include "apr_buckets.h" #include "http_protocol.h" #include "http_request.h" +#include "http_ssl.h" #define APR_WANT_STRFUNC #include "apr_want.h" 
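Review bot: The Doxygen blocks for the ssl_add_cert_files and ssl_add_fallback_cert_files hooks and for the two ap_ssl_add_*_cert_files wrappers tag `@param cert_file` and `@param key_file` while the declared parameters are `cert_files` and `key_files`, so the tags do not match the signatures; they should read `@param cert_files an array of const char* with the paths to the certificate chain files` and `@param key_files an array of const char* with the paths to the private key files`. The text was moved verbatim from http_protocol.h and carries its typos with it ("exepcted", "fromt he", "'read', trusted certificate", "by the the new ap_is_ssl()" although this header declares ap_ssl_conn_is_ssl() and no ap_is_ssl()), and `'ssl_add_cert_pems`` names a hook this header does not declare. Since this header is now the public contract, the ap_ssl_conn_is_ssl doc should also state that the result is 0 both for a plaintext connection and when no module has registered the ssl_conn_is_ssl hook or the legacy ssl_is_https optional function (server/ssl.c returns 0 in both cases), so a 0 result alone says nothing about whether a TLS provider is loaded; e.g. `@return != 0 iff a registered SSL provider reports the connection as encrypted; 0 also when no provider is registered`.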
diff --git a/modules/http2/h2_alt_svc.c b/modules/http2/h2_alt_svc.c index 0e7bc30f7f..383e266b9d 100644 --- a/modules/http2/h2_alt_svc.c +++ b/modules/http2/h2_alt_svc.c @@ -19,6 +19,7 @@ #include <http_core.h> #include <http_connection.h> #include <http_protocol.h> +#include <http_ssl.h> #include <http_log.h> #include "h2_private.h" diff --git a/modules/http2/h2_conn_io.c b/modules/http2/h2_conn_io.c index b6f56e4df9..f506c14e61 100644 --- a/modules/http2/h2_conn_io.c +++ b/modules/http2/h2_conn_io.c @@ -24,6 +24,7 @@ #include <http_connection.h> #include <http_protocol.h> #include <http_request.h> +#include <http_ssl.h> #include "h2_private.h" #include "h2_bucket_eos.h" diff --git a/modules/http2/h2_h2.c b/modules/http2/h2_h2.c index 3c5d045d52..1827788eac 100644 --- a/modules/http2/h2_h2.c +++ b/modules/http2/h2_h2.c @@ -26,6 +26,7 @@ #include <http_connection.h> #include <http_protocol.h> #include <http_request.h> +#include <http_ssl.h> #include <http_log.h> #include "mod_http2.h" diff --git a/modules/http2/h2_switch.c b/modules/http2/h2_switch.c index bbc1472e33..eb050150c9 100644 --- a/modules/http2/h2_switch.c +++ b/modules/http2/h2_switch.c @@ -25,6 +25,7 @@ #include <http_config.h> #include <http_connection.h> #include <http_protocol.h> +#include <http_ssl.h> #include <http_log.h> #include "h2_private.h" diff --git a/modules/loggers/mod_log_json.c b/modules/loggers/mod_log_json.c index f25be19c92..f83dadbd1f 100644 --- a/modules/loggers/mod_log_json.c +++ b/modules/loggers/mod_log_json.c @@ -20,6 +20,7 @@ #include "http_log.h" #include "http_protocol.h" #include "http_request.h" +#include "http_ssl.h" #include "mod_log_config.h" diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index b8ffb9fcbe..35978b5ca8 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c 
@@ -82,6 +82,7 @@ #include "http_core.h" #include "http_log.h" #include "http_protocol.h" +#include "http_ssl.h" #include "http_vhost.h" #include "util_mutex.h" diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c index 59098560e9..ac3ff6fb35 100644 --- a/modules/md/mod_md.c +++ b/modules/md/mod_md.c @@ -23,6 +23,7 @@ #include <http_core.h> #include <http_protocol.h> #include <http_request.h> +#include <http_ssl.h> #include <http_log.h> #include <http_vhost.h> #include <ap_listen.h> diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c index 8caa550a64..b837a446a4 100644 --- a/modules/metadata/mod_headers.c +++ b/modules/metadata/mod_headers.c @@ -78,6 +78,7 @@ #include "httpd.h" #include "http_config.h" #include "http_request.h" +#include "http_ssl.h" #include "http_log.h" #include "util_filter.h" #include "http_protocol.h" diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h index 74d7102952..0e398a5bb2 100644 --- a/modules/proxy/mod_proxy.h +++ b/modules/proxy/mod_proxy.h @@ -58,6 +58,7 @@ #include "http_main.h" #include "http_log.h" #include "http_connection.h" +#include "http_ssl.h" #include "util_filter.h" #include "util_ebcdic.h" #include "ap_provider.h" diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index f662f8b971..83706982ca 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -36,6 +36,7 @@ #include "http_connection.h" #include "http_request.h" #include "http_protocol.h" +#include "http_ssl.h" #include "http_vhost.h" #include "util_script.h" #include "util_filter.h" diff --git a/server/Makefile.in b/server/Makefile.in index 7786f656be..ea11546632 100644 --- a/server/Makefile.in +++ b/server/Makefile.in 
@@ -13,7 +13,7 @@ LTLIBRARY_SOURCES = \ mpm_common.c mpm_unix.c mpm_fdqueue.c \ util_charset.c util_cookies.c util_debug.c util_xml.c \ util_filter.c util_pcre.c util_regex.c $(EXPORTS_DOT_C) \ - scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \ + scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \ eoc_bucket.c eor_bucket.c core_filters.c \ util_expr_parse.c util_expr_scan.c util_expr_eval.c \ apreq_cookie.c apreq_error.c apreq_module.c \ diff --git a/server/core.c b/server/core.c index 44d832b07a..4d777b9b8e 100644 --- a/server/core.c +++ b/server/core.c @@ -38,6 +38,7 @@ #include "http_core.h" #include "http_protocol.h" /* For index_of_response(). Grump. */ #include "http_request.h" +#include "http_ssl.h" #include "http_vhost.h" #include "http_main.h" /* For the default_handler below... */ #include "http_log.h" diff --git a/server/protocol.c b/server/protocol.c index 4eac201e04..7add84a77a 100644 --- a/server/protocol.c +++ b/server/protocol.c 
@@ -2636,92 +2636,6 @@ AP_DECLARE(int) ap_is_allowed_protocol(conn_rec *c, request_rec *r, return !strcmp(AP_PROTOCOL_HTTP1, protocol); } -APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *)); -static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https; - -static int ssl_is_https(conn_rec *c) -{ - /* Someone retrieved the optional function., not knowning about the - * new API. We redirect them to what they should have inoked. */ - return ap_ssl_conn_is_ssl(c); -} - -AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c) -{ - int r = (ap_run_ssl_conn_is_ssl(c) == OK); - if (r == 0 && module_ssl_is_https) { - r = module_ssl_is_https(c); - } - return r; -} - -APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup, - (apr_pool_t *p, server_rec *s, - conn_rec *c, request_rec *r, - const char *name)) - AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT; -static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *module_ssl_var_lookup; - -static const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, - conn_rec *c, request_rec *r, - const char *name) -{ - /* Someone retrieved the optional function., not knowning about the - * new API. We redirect them to what they should have inoked. */ - return ap_ssl_var_lookup(p, s, c, r, name); -} - -AP_DECLARE(const char *) ap_ssl_var_lookup(apr_pool_t *p, server_rec *s, - conn_rec *c, request_rec *r, - const char *name) -{ - const char *val = ap_run_ssl_var_lookup(p, s, c, r, name); - if (val == NULL && module_ssl_is_https) { - val = module_ssl_var_lookup(p, s, c, r, name); - } - return val; -} - -AP_DECLARE(void) ap_setup_ssl_optional_fns(apr_pool_t *pool) -{ - /* Run as core's very early 'post config' hook, check for any already - * installed optional functions related to SSL and save them. Install - * our own instances that invoke the new hooks. 
*/ - APR_OPTIONAL_FN_TYPE(ssl_is_https) *fn_is_https; - APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *fn_ssl_var_lookup; - - fn_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); - module_ssl_is_https = (fn_is_https - && fn_is_https != ssl_is_https)? fn_is_https : NULL; - APR_REGISTER_OPTIONAL_FN(ssl_is_https); - - fn_ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); - module_ssl_var_lookup = (fn_ssl_var_lookup - && fn_ssl_var_lookup != ssl_var_lookup)? fn_ssl_var_lookup : NULL; - APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); -} - -AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, - apr_array_header_t *key_files) -{ - int rv = ap_run_ssl_add_cert_files(s, p, cert_files, key_files); - return (rv == OK || rv == DECLINED)? APR_SUCCESS : APR_EGENERAL; -} - -AP_DECLARE(apr_status_t) ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, - apr_array_header_t *key_files) -{ - int rv = ap_run_ssl_add_fallback_cert_files(s, p, cert_files, key_files); - return (rv == OK || rv == DECLINED)? APR_SUCCESS : APR_EGENERAL; -} - -AP_DECLARE(int) ap_ssl_answer_challenge(conn_rec *c, const char *server_name, - const char **pcert_pem, const char **pkey_pem) -{ - return (ap_run_ssl_answer_challenge(c, server_name, pcert_pem, pkey_pem) == OK); -} AP_IMPLEMENT_HOOK_VOID(pre_read_request, (request_rec *r, conn_rec *c), 
@@ -2748,20 +2662,3 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int,protocol_switch, (c, r, s, protocol), DECLINED) AP_IMPLEMENT_HOOK_RUN_FIRST(const char *,protocol_get, (const conn_rec *c), (c), NULL) -AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_conn_is_ssl, - (conn_rec *c), (c), DECLINED) -AP_IMPLEMENT_HOOK_RUN_FIRST(const char *,ssl_var_lookup, - (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name), - (p, s, c, r, name), NULL) -AP_IMPLEMENT_HOOK_RUN_ALL(int, ssl_add_cert_files, - (server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, apr_array_header_t *key_files), - (s, p, cert_files, key_files), OK, DECLINED) -AP_IMPLEMENT_HOOK_RUN_ALL(int, ssl_add_fallback_cert_files, - (server_rec *s, apr_pool_t *p, - apr_array_header_t *cert_files, apr_array_header_t *key_files), - (s, p, cert_files, key_files), OK, DECLINED) -AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_answer_challenge, - (conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem), - (c, server_name, pcert_pem, pkey_pem), DECLINED) - diff --git a/server/ssl.c b/server/ssl.c new file mode 100644 index 0000000000..eddd5303dc --- /dev/null +++ b/server/ssl.c 
@@ -0,0 +1,164 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * ssl.c --- routines for SSL/TLS server infrastructure.
+ *
+ */
+
+#include "apr.h"
+#include "apr_strings.h"
+#include "apr_lib.h"
+#include "apr_signal.h"
+#include "apr_strmatch.h"
+
+#define APR_WANT_STRFUNC
+#define APR_WANT_MEMFUNC
+#include "apr_want.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_core.h"
+#include "http_protocol.h"
+#include "http_request.h"
+#include "http_ssl.h"
+#include "http_log.h" /* For errors detected in basic auth common
+ * support code... */
+#include "mod_core.h"
+
+#if APR_HAVE_STDARG_H
+#include <stdarg.h>
+#endif
+#if APR_HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/* we know core's module_index is 0 */
+#undef APLOG_MODULE_INDEX
+#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
+
+APR_HOOK_STRUCT(
+ APR_HOOK_LINK(ssl_conn_is_ssl)
+ APR_HOOK_LINK(ssl_var_lookup)
+ APR_HOOK_LINK(ssl_add_cert_files)
+ APR_HOOK_LINK(ssl_add_fallback_cert_files)
+ APR_HOOK_LINK(ssl_answer_challenge)
+)
+
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https;
+
+static int ssl_is_https(conn_rec *c)
+{
+ /* Someone retrieved the optional function., not knowning about the
+ * new API. We redirect them to what they should have inoked. */
+ return ap_ssl_conn_is_ssl(c);
+}
+
+AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c)
+{
+ int r = (ap_run_ssl_conn_is_ssl(c) == OK);
+ if (r == 0 && module_ssl_is_https) {
+ r = module_ssl_is_https(c);
+ }
+ return r;
+}
+
+APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup,
+ (apr_pool_t *p, server_rec *s,
+ conn_rec *c, request_rec *r,
+ const char *name))
+ AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *module_ssl_var_lookup;
+
+static const char *ssl_var_lookup(apr_pool_t *p, server_rec *s,
+ conn_rec *c, request_rec *r,
+ const char *name)
+{
+ /* Someone retrieved the optional function., not knowning about the
+ * new API. We redirect them to what they should have inoked. */
+ return ap_ssl_var_lookup(p, s, c, r, name);
+}
+
+AP_DECLARE(const char *) ap_ssl_var_lookup(apr_pool_t *p, server_rec *s,
+ conn_rec *c, request_rec *r,
+ const char *name)
+{
+ const char *val = ap_run_ssl_var_lookup(p, s, c, r, name);
+ if (val == NULL && module_ssl_is_https) {
+ val = module_ssl_var_lookup(p, s, c, r, name);
+ }
+ return val;
+}
+
+AP_DECLARE(void) ap_setup_ssl_optional_fns(apr_pool_t *pool)
+{
+ /* Run as core's very early 'post config' hook, check for any already
+ * installed optional functions related to SSL and save them. Install
+ * our own instances that invoke the new hooks. */
+ APR_OPTIONAL_FN_TYPE(ssl_is_https) *fn_is_https;
+ APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *fn_ssl_var_lookup;
+
+ fn_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+ module_ssl_is_https = (fn_is_https
+ && fn_is_https != ssl_is_https)? fn_is_https : NULL;
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+
+ fn_ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+ module_ssl_var_lookup = (fn_ssl_var_lookup
+ && fn_ssl_var_lookup != ssl_var_lookup)? fn_ssl_var_lookup : NULL;
+ APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+}
+
+AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files,
+ apr_array_header_t *key_files)
+{
+ int rv = ap_run_ssl_add_cert_files(s, p, cert_files, key_files);
+ return (rv == OK || rv == DECLINED)? APR_SUCCESS : APR_EGENERAL;
+}
+
+AP_DECLARE(apr_status_t) ap_ssl_add_fallback_cert_files(server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files,
+ apr_array_header_t *key_files)
+{
+ int rv = ap_run_ssl_add_fallback_cert_files(s, p, cert_files, key_files);
+ return (rv == OK || rv == DECLINED)? APR_SUCCESS : APR_EGENERAL;
+}
+
+AP_DECLARE(int) ap_ssl_answer_challenge(conn_rec *c, const char *server_name,
+ const char **pcert_pem, const char **pkey_pem)
+{
+ return (ap_run_ssl_answer_challenge(c, server_name, pcert_pem, pkey_pem) == OK);
+}
+
+AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_conn_is_ssl,
+ (conn_rec *c), (c), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(const char *,ssl_var_lookup,
+ (apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *name),
+ (p, s, c, r, name), NULL)
+AP_IMPLEMENT_HOOK_RUN_ALL(int, ssl_add_cert_files,
+ (server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files, apr_array_header_t *key_files),
+ (s, p, cert_files, key_files), OK, DECLINED)
+AP_IMPLEMENT_HOOK_RUN_ALL(int, ssl_add_fallback_cert_files,
+ (server_rec *s, apr_pool_t *p,
+ apr_array_header_t *cert_files, apr_array_header_t *key_files),
+ (s, p, cert_files, key_files), OK, DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_answer_challenge,
+ (conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem),
+ (c, server_name, pcert_pem, pkey_pem), DECLINED)
+
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index ccf13b7cb8..83741345ef 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -23,6 +23,7 @@
 #include "http_core.h"
 #include "http_protocol.h"
 #include "http_request.h"
+#include "http_ssl.h"
 #include "ap_provider.h"
 #include "util_varbuf.h"
 #include "util_expr_private.h" |
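Review bot: ap_ssl_var_lookup guards its legacy fallback with `module_ssl_is_https` but then calls `module_ssl_var_lookup`, so when an old-style module registered only the `ssl_is_https` optional function (or ap_setup_ssl_optional_fns left `module_ssl_var_lookup` NULL for any other reason) the first lookup that misses every hook calls a NULL function pointer; the guard should read `if (val == NULL && module_ssl_var_lookup) {`. The defect is carried over verbatim from the block removed in server/protocol.c, and moving the code is the natural moment to fix it. Related: the optional `ssl_var_lookup` type is declared `AP_FN_ATTR_NONNULL((1, 2, 5))`, yet http_ssl.h documents `s` as "maybe NULL" for ap_ssl_var_lookup, so a legacy provider reached through this fallback can be handed a NULL server_rec it was declared never to receive; either drop argument 2 from the attribute or skip the fallback when `s == NULL`. Finally, `apr_signal.h`, `apr_strmatch.h`, the `<stdarg.h>`/`<unistd.h>` block and the "basic auth" comment on `http_log.h` appear to be copied from protocol.c and are not used by anything in this file.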