mod_ssl.c revision 2c038bf2465bf2150c396f4e67f68ebc5bb9e6e9
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
** |_____|
** mod_ssl.c
** Apache API interface structures
*/
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2003 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*/
#include "mod_ssl.h"
#include "util_md5.h"
#include <assert.h>
/*
* the table of configuration directives we provide
*/
#define AP_END_CMD { NULL }
const char ssl_valid_ssl_mutex_string[] =
"Valid SSLMutex mechanisms are: `none', `default'"
#endif
#endif
#if APR_HAS_SYSVSEM_SERIALIZE && !defined(PERCHILD_MPM)
", `sysvsem'"
#endif
", `posixsem'"
#endif
", `pthread'"
#endif
#endif
", `sem'"
#endif
" ";
static const command_rec ssl_config_cmds[] = {
/*
* Global (main-server) context configuration directives
*/
"SSL dialog mechanism for the pass phrase query "
"(`builtin', `|/path/to/pipe_program`, "
"or `exec:/path/to/cgi_program')")
"SSL Session Cache storage "
#ifdef HAVE_ENGINE_INIT
"SSL external Crypto Device usage "
"(`builtin', `...')")
#endif
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"(`startup|connect builtin|file:/path|exec:/path [bytes]')")
/*
* Per-server context configuration directives
*/
"SSL switch for the protocol engine "
"(`on', `off')")
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
"SSL Server Certificate file "
"SSL Server Private Key file "
"SSL Server CA Certificate Chain file "
"SSL CA Certificate path "
"SSL CA Certificate file "
"SSL CA Certificate Revocation List (CRL) path "
"SSL CA Certificate Revocation List (CRL) file "
"SSL Client verify type "
"(`none', `optional', `require', `optional_no_ca')")
"SSL Client verify depth "
"(`N' - number of intermediate certificates)")
"SSL Session Cache object lifetime "
"(`N' - number of seconds)")
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
/*
* Proxy configuration for remote SSL connections
*/
"SSL switch for the proxy protocol engine "
"(`on', `off')")
"SSL Proxy: enable or disable SSL protocol flavors "
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"(`XXX:...:XXX' - see manual)")
"SSL Proxy: whether to verify the remote certificate "
"(`on' or `off')")
"SSL Proxy: maximum certificate verification depth "
"(`N' - number of intermediate certificates)")
"SSL Proxy: file containing server certificates "
"SSL Proxy: directory containing server certificates "
"SSL Proxy: CA Certificate Revocation List (CRL) path "
"SSL Proxy: CA Certificate Revocation List (CRL) file "
"SSL Proxy: file containing client certificates "
"SSL Proxy: directory containing client certificates "
/*
* Per-directory context configuration directives
*/
"Set one or more options to configure the SSL engine"
"(`[+-]option[=value] ...' - see manual)")
"Require the SSL protocol for the per-directory context "
"(no arguments)")
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
/* Deprecated directives. */
"SSLLog directive is no longer supported - use ErrorLog."),
"SSLLogLevel directive is no longer supported - use LogLevel."),
};
/*
* the various processing hooks
*/
{
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
#endif
/* Register us to handle mod_log_config %c/%x variables */
#if 0 /* XXX */
/* XXX: Register us to handle mod_status extensions that don't exist yet */
#endif /* -0- */
return OK;
}
{
if (sslconn) {
return sslconn;
}
myConnConfigSet(c, sslconn);
return sslconn;
}
int ssl_proxy_enable(conn_rec *c)
{
if (!sc->proxy_enabled) {
"SSL Proxy requested for %s but not enabled "
return 0;
}
return 1;
}
int ssl_engine_disable(conn_rec *c)
{
return 0;
}
return 1;
}
int ssl_init_ssl_connection(conn_rec *c)
{
char *vhost_md5;
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
if (!sslconn) {
}
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
"Unable to create a new SSL connection from the SSL "
"context");
c->aborted = 1;
return DECLINED; /* XXX */
}
sc->vhost_id_len);
MD5_DIGESTSIZE*2))
{
"Unable to set session id context to `%s'", vhost_md5);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
/*
* Configure callbacks for SSL connection
*/
ssl_io_filter_init(c, ssl);
return APR_SUCCESS;
}
static const char *ssl_hook_http_method(const request_rec *r)
{
return NULL;
}
return "https";
}
{
return 0;
}
return 443;
}
{
/*
* Immediately stop processing if SSL is disabled for this connection
*/
{
return DECLINED;
}
/*
* Create SSL context
*/
if (!sslconn) {
}
return DECLINED;
}
/*
* Remember the connection information for
* later access inside callback functions
*/
"Connection to child %ld established "
return ssl_init_ssl_connection(c);
}
static void ssl_hook_Insert_Filter(request_rec *r)
{
}
}
/*
* the module registration phase
*/
static void ssl_register_hooks(apr_pool_t *p)
{
/* ap_hook_handler (ssl_hook_Upgrade, NULL,NULL, APR_HOOK_MIDDLE); */
}
ssl_config_perdir_create, /* create per-dir config structures */
ssl_config_perdir_merge, /* merge per-dir config structures */
ssl_config_server_create, /* create per-server config structures */
ssl_config_server_merge, /* merge per-server config structures */
ssl_config_cmds, /* table of configuration directives */
ssl_register_hooks /* register hooks */
};