ssl_engine_config.c revision 273e512f20f262e5e2aa8e0e83371d1929fb76ad
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* _ _
* _ __ ___ ___ __| | ___ ___| | mod_ssl
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
* | | | | | | (_) | (_| | \__ \__ \ |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
* |_____|
* Apache Configuration Directives
*/
/* ``Damned if you do,
damned if you don't.''
-- Unknown */
#include "ssl_private.h"
#include "util_mutex.h"
#include "ap_provider.h"
/* _________________________________________________________________
**
** Support for Global Configuration
** _________________________________________________________________
*/
#define SSL_MOD_CONFIG_KEY "ssl_module"
{
void *vmc;
if (vmc) {
return vmc; /* reused for lifetime of the server */
}
/*
* allocate an own subpool which survives server restarts
*/
/*
* initialize per-module configuration
*/
sizeof(ssl_randseed_t));
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
#endif
#ifdef HAVE_OCSP_STAPLING
#endif
pool);
return mc;
}
{
}
{
}
/* _________________________________________________________________
**
** Configuration handling
** _________________________________________________________________
*/
{
#ifdef HAVE_TLS_SESSION_TICKETS
#endif
#ifdef HAVE_OCSP_STAPLING
#endif
#ifdef HAVE_SRP
#endif
#ifdef HAVE_SSL_CONF_CMD
#endif
}
apr_pool_t *p)
{
modssl_ctx_init(mctx, p);
}
apr_pool_t *p)
{
modssl_ctx_init(mctx, p);
#ifdef HAVE_TLS_SESSION_TICKETS
#endif
}
{
#ifdef HAVE_TLSEXT
#endif
#ifdef HAVE_FIPS
#endif
#ifndef OPENSSL_NO_COMP
#endif
modssl_ctx_init_proxy(sc, p);
modssl_ctx_init_server(sc, p);
return sc;
}
/*
* Create per-server SSL configuration
*/
{
return sc;
}
static void modssl_ctx_cfg_merge(apr_pool_t *p,
{
#ifdef HAVE_OCSP_STAPLING
#endif
#ifdef HAVE_SRP
#endif
#ifdef HAVE_SSL_CONF_CMD
#endif
}
static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
{
}
static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
{
int i;
for (i = 0; i < SSL_AIDX_MAX; i++) {
}
#ifdef HAVE_TLS_SESSION_TICKETS
#endif
}
/*
* Merge per-server SSL configurations
*/
{
#ifdef HAVE_TLSEXT
#endif
#ifdef HAVE_FIPS
#endif
#ifndef OPENSSL_NO_COMP
#endif
return mrg;
}
/*
* Create per-directory SSL configuration
*/
{
return dc;
}
/*
* Merge per-directory SSL configurations
*/
{
mrg->nOptionsAdd =
mrg->nOptionsDel =
}
else {
}
return mrg;
}
/*
* Configuration functions for particular directives
*/
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
}
"Invalid SSLPassPhraseDialog exec: path ",
}
{
"SSLPassPhraseDialog: file '",
"' does not exist", NULL);
}
}
}
else {
return "SSLPassPhraseDialog: Invalid argument";
}
return NULL;
}
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
void *dcfg,
const char *arg)
{
const char *err;
ENGINE *e;
return err;
}
}
else if ((e = ENGINE_by_id(arg))) {
ENGINE_free(e);
}
else {
err = "SSLCryptoDevice: Invalid argument; must be one of: "
"'builtin' (none)";
e = ENGINE_get_first();
while (e) {
/* Iterate; this call implicitly decrements the refcount
* on the 'old' e, per the docs in engine.h. */
e = ENGINE_get_next(e);
}
return err;
}
return NULL;
}
#endif
void *dcfg,
const char *arg1,
const char *arg2,
const char *arg3)
{
const char *err;
return err;
}
if (ssl_config_global_isfixed(mc)) {
return NULL;
}
}
}
else {
NULL);
}
}
}
}
}
else {
}
"Invalid SSLRandomSeed path ",
}
"SSLRandomSeed: source path '",
}
}
if (!arg3) {
}
else {
return "SSLRandomSeed: byte specification not "
"allowed for builtin seed source";
}
return "SSLRandomSeed: invalid number of bytes specified";
}
}
return NULL;
}
{
return NULL;
}
return NULL;
}
return NULL;
}
return "Argument must be On, Off, or Optional";
}
{
#ifdef HAVE_FIPS
#endif
const char *err;
return err;
}
#ifdef HAVE_FIPS
return "Conflicting SSLFIPS options, cannot be both On and Off";
#else
if (flag)
return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
#endif
return NULL;
}
void *dcfg,
const char *arg)
{
/* always disable null and export ciphers */
}
else {
}
return NULL;
}
#define SSL_FLAGS_CHECK_FILE \
#define SSL_FLAGS_CHECK_DIR \
const char **file)
{
if (!filepath) {
}
return NULL;
}
": file '", *file,
"' does not exist or is empty", NULL);
}
{
#if !defined(OPENSSL_NO_COMP)
#ifndef SSL_OP_NO_COMPRESSION
if (err)
return "This version of openssl does not support configuring "
"compression within <VirtualHost> sections.";
#endif
return NULL;
#else
return "Setting Compression mode unsupported; not implemented by the SSL library";
#endif
}
{
return NULL;
#else
return "SSLHonorCiperOrder unsupported; not implemented by the SSL library";
#endif
}
{
return NULL;
#else
return "The SSLInsecureRenegotiation directive is not available "
"with this SSL library";
#endif
}
const char **dir)
{
if (!dirpath) {
}
return NULL;
}
": directory '", *dir,
"' does not exist", NULL);
}
#define SSL_AIDX_CERTS 1
#define SSL_AIDX_KEYS 2
const char *arg,
int idx)
{
int i;
return err;
}
switch (idx) {
case SSL_AIDX_CERTS:
desc = "certificates";
break;
case SSL_AIDX_KEYS:
desc = "private keys";
break;
}
for (i = 0; i < SSL_AIDX_MAX; i++) {
if (!files[i]) {
return NULL;
}
}
"%s: only up to %d "
"different %s per virtual host allowed",
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
#ifdef HAVE_TLS_SESSION_TICKETS
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
#endif
#define NO_PER_DIR_SSL_CA \
"Your SSL library does not have support for per-directory CA"
void *dcfg,
const char *arg)
{
/*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/
const char *err;
return err;
}
return NO_PER_DIR_SSL_CA;
}
/* XXX: bring back per-dir */
return NULL;
}
void *dcfg,
const char *arg)
{
/*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/
const char *err;
return err;
}
return NO_PER_DIR_SSL_CA;
}
/* XXX: bring back per-dir */
return NULL;
}
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
const char *arg,
{
}
}
}
else {
NULL);
}
return NULL;
}
void *dcfg,
const char *arg)
{
}
const char *arg,
{
*id = SSL_CVERIFY_NONE;
}
}
}
}
else {
NULL);
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
}
else {
}
return NULL;
}
const char *arg,
int *depth)
{
return NULL;
}
NULL);
}
void *dcfg,
const char *arg)
{
int depth;
const char *err;
return err;
}
}
else {
}
return NULL;
}
void *dcfg,
const char *arg)
{
long enabled_flags;
return err;
}
/* The OpenSSL session cache mode must have both the flags
* SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a
* session cache is configured; NO_INTERNAL prevents the
* OpenSSL-internal session cache being used in addition to the
* "external" (mod_ssl-provided) cache, which otherwise causes
* additional memory consumption. */
/* Nothing to do; session cache will be off. */
}
/* ### Having a separate mode for this seems logically
* unnecessary; the stated purpose of sending non-empty
* session IDs would be better fixed in OpenSSL or simply
* doing it by default if "none" is used. */
}
else {
/* Argument is of form 'name:args' or just 'name'. */
if (sep) {
sep++;
}
else {
}
/* Find the provider of given name. */
name,
/* Cache found; create it, passing anything beyond the colon. */
}
else {
const char *all_names;
/* Build a comma-separated list of all registered provider
* names: */
"(known names: %s). Maybe you need to load the "
"appropriate socache module (mod_socache_%s?).",
}
}
if (err) {
}
return NULL;
}
void *dcfg,
const char *arg)
{
if (sc->session_cache_timeout < 0) {
return "SSLSessionCacheTimeout: Invalid argument";
}
return NULL;
}
void *dcfg,
const char *arg)
{
char action, *w;
while (*arg) {
if ((*w == '+') || (*w == '-')) {
action = *(w++);
}
else if (first) {
}
if (strcEQ(w, "StdEnvVars")) {
}
else if (strcEQ(w, "ExportCertData")) {
}
else if (strcEQ(w, "FakeBasicAuth")) {
}
else if (strcEQ(w, "StrictRequire")) {
}
else if (strcEQ(w, "OptRenegotiate")) {
}
else if (strcEQ(w, "LegacyDNStringFormat")) {
}
else {
"SSLOptions: Illegal option '", w, "'",
NULL);
}
if (action == '-') {
}
else if (action == '+') {
}
else {
}
}
return NULL;
}
{
return NULL;
}
void *dcfg,
const char *arg)
{
const char *errstring;
if (errstring) {
}
return NULL;
}
{
int val;
if (val < 0) {
}
return NULL;
}
const char *arg,
{
while (*arg) {
char action = '\0';
if ((*w == '+') || (*w == '-')) {
action = *(w++);
}
if (strcEQ(w, "SSLv2")) {
if (action == '-') {
continue;
}
else {
return "SSLProtocol: SSLv2 is no longer supported";
}
}
else if (strcEQ(w, "SSLv3")) {
}
else if (strcEQ(w, "TLSv1")) {
}
#ifdef HAVE_TLSV1_X
else if (strcEQ(w, "TLSv1.1")) {
}
else if (strcEQ(w, "TLSv1.2")) {
}
#endif
else if (strcEQ(w, "all")) {
}
else {
": Illegal protocol '",
w, "'", NULL);
}
if (action == '-') {
}
else if (action == '+') {
}
else {
if (*options != SSL_PROTOCOL_NONE)
{
"Protocol '%s' of directive '%s' overrides already set parameters. "
"Check if a prefix is not missing.",
}
}
}
return NULL;
}
void *dcfg,
const char *arg)
{
}
{
return NULL;
}
void *dcfg,
const char *arg)
{
}
void *dcfg,
const char *arg)
{
/* always disable null and export ciphers */
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
int depth;
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
void *dcfg,
const char *arg)
{
const char *err;
return err;
}
return NULL;
}
const char *arg)
{
return NULL;
}
{
#ifdef OPENSSL_NO_OCSP
if (flag) {
return "OCSP support disabled in SSL library; cannot enable "
"OCSP validation";
}
#endif
return NULL;
}
{
return NULL;
}
{
return NULL;
}
{
return "SSLOCSPResponseTimeSkew: invalid argument";
}
return NULL;
}
{
return "SSLOCSPResponseMaxAge: invalid argument";
}
return NULL;
}
{
return "SSLOCSPResponderTimeout: invalid argument";
}
return NULL;
}
{
return NULL;
}
{
return NULL;
}
{
return NULL;
}
{
#ifdef HAVE_TLSEXT
return NULL;
#else
return "SSLStrictSNIVHostCheck failed; OpenSSL is not built with support "
"for TLS extensions and SNI indication. Refer to the "
"documentation, and build a compatible version of OpenSSL.";
#endif
}
#ifdef HAVE_OCSP_STAPLING
void *dcfg,
const char *arg)
{
return err;
}
/* Argument is of form 'name:args' or just 'name'. */
if (sep) {
sep++;
}
else {
}
/* Find the provider of given name. */
name,
if (mc->stapling_cache) {
/* Cache found; create it, passing anything beyond the colon. */
}
else {
const char *all_names;
/* Build a comma-separated list of all registered provider
* names: */
"(known names: %s) Maybe you need to load the "
"appropriate socache module (mod_socache_%s?)",
}
if (err) {
}
return NULL;
}
{
return NULL;
}
const char *arg)
{
return "SSLStaplingResponseTimeSkew: invalid argument";
}
return NULL;
}
const char *arg)
{
return "SSLStaplingResponseMaxAge: invalid argument";
}
return NULL;
}
const char *arg)
{
return "SSLStaplingStandardCacheTimeout: invalid argument";
}
return NULL;
}
const char *arg)
{
return "SSLStaplingErrorCacheTimeout: invalid argument";
}
return NULL;
}
{
return NULL;
}
{
return NULL;
}
const char *arg)
{
return "SSLStaplingResponderTimeout: invalid argument";
}
return NULL;
}
const char *arg)
{
return NULL;
}
#endif /* HAVE_OCSP_STAPLING */
#ifdef HAVE_SSL_CONF_CMD
{
const char *err;
if (value_type == SSL_CONF_TYPE_UNKNOWN) {
"'%s': invalid OpenSSL configuration command",
arg1);
}
if (value_type == SSL_CONF_TYPE_FILE) {
return err;
}
else if (value_type == SSL_CONF_TYPE_DIR) {
return err;
}
return NULL;
}
#endif
#ifdef HAVE_SRP
const char *arg)
{
const char *err;
return err;
/* SRP_VBASE_init takes char*, not const char* */
return NULL;
}
const char *arg)
{
/* SRP_VBASE_new takes char*, not const char* */
return NULL;
}
#endif /* HAVE_SRP */
return;
}
/* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
* loads only file of PEM formatted certificates, so we have to load
* only PEM here too, to stay consistent.
*/
if (rc) {
}
}
const char *ca_cert_path)
{
return;
}
char *file;
continue; /* don't try to load directories */
}
}
}
{
if (ap_exists_config_define("DUMP_CERTS")) {
/* Dump the filenames of all configured server certificates to
* stdout. */
while (s) {
int i;
}
}
s = s->next;
}
return;
}
if (ap_exists_config_define("DUMP_CA_CERTS")) {
/* Dump the filenames of all configured server CA certificates to
* stdout. */
while (s) {
}
}
}
s = s->next;
}
return;
}
}