ssl_private.h revision 807c9f7266ad3a966b6714fe578f3c9da1ca868b
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder/* Licensed to the Apache Software Foundation (ASF) under one or more
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder * contributor license agreements. See the NOTICE file distributed with
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * this work for additional information regarding copyright ownership.
e6d40133bc9f858308654afb1262b8b483ec5922Till Mossakowski * The ASF licenses this file to You under the Apache License, Version 2.0
2725abe920f91de62ae5c0b7230c1627cccf5fabChristian Maeder * (the "License"); you may not use this file except in compliance with
98890889ffb2e8f6f722b00e265a211f13b5a861Corneliu-Claudiu Prodescu * the License. You may obtain a copy of the License at
3f69b6948966979163bdfe8331c38833d5d90ecdChristian Maeder * http://www.apache.org/licenses/LICENSE-2.0
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * Unless required by applicable law or agreed to in writing, software
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * distributed under the License is distributed on an "AS IS" BASIS,
f3a94a197960e548ecd6520bb768cb0d547457bbChristian Maeder * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * See the License for the specific language governing permissions and
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * limitations under the License.
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder * @brief Internal interfaces private to mod_ssl.
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder * @defgroup MOD_SSL_PRIVATE Private
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder * @ingroup MOD_SSL
109a53dbf4c9233f869f63ba7a7f3fece49973c3Christian Maeder/** Apache headers */
7f7460e7095628f3437b116ee78d3043d11f8febChristian Maeder#define MOD_SSL_VERSION AP_SERVER_BASEREVISION
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/** mod_ssl headers */
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder/** The #ifdef macros are only defined AFTER including the above
7f7460e7095628f3437b116ee78d3043d11f8febChristian Maeder * therefore we cannot include these system files at the top :-(
38c817b94e0a5b1ae94178b1075c187e07bcc5e1Christian Maeder#include <unistd.h> /** needed for STDIN_FILENO et.al., at least on FreeBSD */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * Provide reasonable default for some defines
966519955f5f7111abac20118563132b9dd41165Christian Maeder * Provide reasonable defines for some types
33fcc19ef2b59493b4e91eebf701df95fd230765Christian Maeder#define BOOL unsigned int
8865728716566f42fa73e7e0bc080ba3225df764Christian Maeder#define UCHAR unsigned char
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * Provide useful shorthands
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder#define strEQn(s1,s2,n) (strncmp(s1,s2,n) == 0)
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder#define strNEn(s1,s2,n) (strncmp(s1,s2,n) != 0)
fdac680252d7347858bd67b4c2a2aaa52e623815Christian Maeder#define strcEQ(s1,s2) (strcasecmp(s1,s2) == 0)
a9e804dbec424ec36e34bab955cbe90edac5baa6Christian Maeder#define strcNE(s1,s2) (strcasecmp(s1,s2) != 0)
f8cc2399c16fcda7e3bf9d901a0de0cc8a455f86Ewaryst Schulz#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)
b76d27eba526ecac2a20400fa505ec5c642ae7d2Dominik Luecke#define strIsEmpty(s) (s == NULL || s[0] == NUL)
8a5c05062ef501bf725a86a370a5145a198e81fdKlaus Luettich(SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module)
2353f65833a3da763392f771223250cd50b8d873Christian Maeder#define myCtxConfig(sslconn, sc) (sslconn->is_proxy ? sc->proxy : sc->server)
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederap_set_module_config(c->conn_config, &ssl_module, val)
2353f65833a3da763392f771223250cd50b8d873Christian Maeder#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)
2353f65833a3da763392f771223250cd50b8d873Christian Maeder#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder#define myModConfig(srv) (mySrvConfig((srv)))->mc
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder#define mySrvFromConn(c) (myConnConfig(c))->server
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder#define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder#define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * Defaults for the configuration
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder/* Default setting for per-dir reneg buffer. */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * Define the per-server SSLLogLevel constants which provide
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * finer-than-debug resolution to decide if logs are to be
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * assulted with tens of thousands of characters per request.
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef enum {
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maeder * Support for MM library
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder#define SSL_MM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder * Define the certificate algorithm types
00df6fd583c19393fa141d5a0e21ac74c7bf5b19Christian Maeder#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * Define IDs for the temporary RSA keys and DH params
966519955f5f7111abac20118563132b9dd41165Christian Maeder * Define the SSL options
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
cb2044812811d66efe038d914966e04290be93faChristian Maeder * Define the SSL Protocol options
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maeder#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maeder * Define the SSL verify levels
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef enum {
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder#define ssl_verify_error_is_optional(errnum) \
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
966519955f5f7111abac20118563132b9dd41165Christian Maeder * Define the SSL pass phrase dialog types
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef enum {
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * Define the Path Checking modes
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef unsigned int ssl_pathcheck_t;
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maeder * Define the SSL mutex modes
33fcc19ef2b59493b4e91eebf701df95fd230765Christian Maedertypedef enum {
12aef5992d3af07dee81a4e02cf4be65a83f28bcChristian Maeder * Define the SSL enabled state
2360728d4185c0c04279c999941c64d36626af79Christian Maedertypedef enum {
f39b8dd9651dfcc38b06191cda23cacbfc298323Christian Maeder * Define the SSL requirement structure
2360728d4185c0c04279c999941c64d36626af79Christian Maedertypedef struct {
2360728d4185c0c04279c999941c64d36626af79Christian Maeder * Define the SSL random number generator seeding source
2360728d4185c0c04279c999941c64d36626af79Christian Maedertypedef enum {
2360728d4185c0c04279c999941c64d36626af79Christian Maedertypedef enum {
b53688bfed888214b485cf76439d57262d80e0a7Christian Maedertypedef struct {
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * Define the structure of an ASN.1 anything
b53688bfed888214b485cf76439d57262d80e0a7Christian Maedertypedef struct {
d56ece59c372cb887355825901222b9f3377f7e6Thiemo Wiedemeyer unsigned char *cpData;
2360728d4185c0c04279c999941c64d36626af79Christian Maeder * Define the mod_ssl per-module configuration structure
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * (i.e. the global configuration for each httpd process)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef enum {
a166da43d4e8f9dfa7a2651d033c6bea02627ca6Mihai Codescutypedef struct {
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * allocated out of the "process" pool and only a single such
2360728d4185c0c04279c999941c64d36626af79Christian Maeder * structure is created and used for the lifetime of the process.
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * (The process pool is s->process->pool and is stored in the .pPool
63da71bfb4226f504944b293fb77177ebcaea7d4Ewaryst Schulz * field.) Most members of this structure are likewise allocated out
76d027be764e2ff61bef959efb3ac8f56499e646Christian Maeder * of the process pool, but notably sesscache and sesscache_context
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * The structure is treated as mostly immutable after a single config
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * parse has completed; the post_config hook (ssl_init_Module) flips
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * the bFixed flag to true and subsequent invocations of the config
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * callbacks hence do nothing.
4692b8b63985ab174478d389e20a544054e09ce8Karl Luc * This odd lifetime strategy is used so that encrypted private keys
d95f77e19ae3835318a6340d872193fbb3cbab05Karl Luc * can be decrypted once at startup and continue to be used across
26b1c101b72100b69045effdfaab3889de6c8c93Christian Maeder * subsequent server reloads where the interactive password prompt is
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * not possible.
2353f65833a3da763392f771223250cd50b8d873Christian Maeder * It is really an ABI nightmare waiting to happen since DSOs are
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder * reloaded across restarts, and nothing prevents the struct type
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder * changing across such reloads, yet the cached structure will be
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder * assumed to match regardless.
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * This should really be fixed using a smaller structure which only
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * stores that which is absolutely necessary (the private keys, maybe
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * the random seed), and have that structure be strictly ABI-versioned
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * for safety.
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef struct {
12aef5992d3af07dee81a4e02cf4be65a83f28bcChristian Maeder /* OpenSSL SSL_SESS_CACHE_* flags: */
af6e92e4a9ca308f928f9909acee115f801c5db5Ewaryst Schulz /* The configured provider, and associated private data
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * structure. */
8a5c05062ef501bf725a86a370a5145a198e81fdKlaus Luettich#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder/** public cert/private key */
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maedertypedef struct {
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * server only has 1-2 certs/keys
53a3042e1da2253fd3f103bfef4deb47fc0bf6a6Ewaryst Schulz * 1 RSA and/or 1 DSA
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder /** Certificates which specify the set of CA names which should be
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * sent in the CertificateRequest message: */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef struct {
df86c42574168135e8e2af9cf468fae774874cd0Christian Maeder /** proxy can have any number of cert/key pairs */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder/** stuff related to authentication that can also be per-dir */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef struct {
59aa5703ac7f3b99e97cd5926e77088b256c5f40Christian Maeder /** for client or downstream server authentication */
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maedertypedef struct SSLSrvConfigRec SSLSrvConfigRec;
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maedertypedef struct {
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder SSLSrvConfigRec *sc; /** pointer back to server config */
b76d27eba526ecac2a20400fa505ec5c642ae7d2Dominik Luecke /** we are one or the other */
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maeder /** config for handling encrypted keys */
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder /** certificate revocation list */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder BOOL ocsp_enabled; /* true if OCSP verification enabled */
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maeder BOOL ocsp_force_default; /* true if the default responder URL is
511284753313165e629cedf508752d6818ccc4d2Christian Maeder * used regardless of per-cert URL */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder const char *ocsp_responder; /* default responder URL */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * Define the mod_ssl per-directory configuration structure
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maeder * (i.e. the local configuration for all <Directory>
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * and .htaccess contexts)
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedertypedef struct {
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder * function prototypes
91ba5d95b2472cb075646b6120a559dc6581a867Christian Maeder/** API glue structures */
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederextern module AP_MODULE_DECLARE_DATA ssl_module;
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder/** configuration handling */
91ba5d95b2472cb075646b6120a559dc6581a867Christian MaederSSLModConfigRec *ssl_config_global_create(server_rec *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maedervoid ssl_config_global_fix(SSLModConfigRec *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian MaederBOOL ssl_config_global_isfixed(SSLModConfigRec *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maedervoid *ssl_config_server_create(apr_pool_t *, server_rec *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maedervoid *ssl_config_server_merge(apr_pool_t *, void *, void *);
d81905a5b924415c524d702df26204683c82c12eChristian Maedervoid *ssl_config_perdir_create(apr_pool_t *, char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maedervoid *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
91ba5d95b2472cb075646b6120a559dc6581a867Christian Maederconst char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maederconst char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
d27b1887e61f1dc53d77c37f59dbf5019242a686Christian Maederconst char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
d27b1887e61f1dc53d77c37f59dbf5019242a686Christian Maederconst char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maederconst char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maederconst char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maederconst char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maederconst char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederconst char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
91ba5d95b2472cb075646b6120a559dc6581a867Christian Maederconst char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *, void *, const char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederconst char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maederconst char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maederconst char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederconst char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
818b228955ef40dd5a253bd942dd6ab8779ed713Christian Maederconst char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederconst char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
bbba6dd86153aacb0f662b182b128df0eb09fd54Christian Maederconst char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maederconst char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maederconst char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
8c8545dd3bf34fbcbc16904b65d249658f8f9efcChristian Maederconst char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
33fcc19ef2b59493b4e91eebf701df95fd230765Christian Maederconst char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederconst char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederconst char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederconst char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
4a2f7efdf67dfcda0946f1b6373f41976ddea7a4Christian Maederconst char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
3490b73f69b58ab742417b0867d0e2d4a7778cc0Christian Maederconst char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
3490b73f69b58ab742417b0867d0e2d4a7778cc0Christian Maederconst char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maederconst char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
3490b73f69b58ab742417b0867d0e2d4a7778cc0Christian Maederconst char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maederconst char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maederconst char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
ab2f38d9cd1249f6bc9cc5b838dc2fcd76189c0fChristian Maederconst char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
974b0baababf2878820de073b8fad8db68bef08aDominik Lueckeconst char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
8d780c893d6df5dab3dcc7d8444b7517f6547f11Christian Maederconst char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);
8d780c893d6df5dab3dcc7d8444b7517f6547f11Christian Maederconst char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, void *, const char *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederconst char *ssl_cmd_SSLProxyCARevocationPath(cmd_parms *, void *, const char *);
083bc1972a66d73749760eab3a90bf4eb9ca7951Christian Maederconst char *ssl_cmd_SSLProxyCARevocationFile(cmd_parms *, void *, const char *);
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maederconst char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, void *, const char *);
bc263f610d20a9cd3014ddfca903026127fa0d48Christian Maederconst char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, void *, const char *);
966519955f5f7111abac20118563132b9dd41165Christian Maederconst char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
00df6fd583c19393fa141d5a0e21ac74c7bf5b19Christian Maederconst char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
f39b8dd9651dfcc38b06191cda23cacbfc298323Christian Maederconst char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
00df6fd583c19393fa141d5a0e21ac74c7bf5b19Christian Maeder/** module initialization */
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederint ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
0ae7a79e865d4a6022d705d160530682b3c1f825Christian Maedervoid ssl_init_Engine(server_rec *, apr_pool_t *);
f03420e44d8204b2945edaab5c70a84e7c381892Christian Maedervoid ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
0ae7a79e865d4a6022d705d160530682b3c1f825Christian Maedervoid ssl_init_CheckServers(server_rec *, apr_pool_t *);
2353f65833a3da763392f771223250cd50b8d873Christian Maeder *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maedervoid ssl_init_Child(apr_pool_t *, server_rec *);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederapr_status_t ssl_init_ModuleKill(void *data);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/** Apache API hooks */
2360728d4185c0c04279c999941c64d36626af79Christian Maedervoid ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder/** OpenSSL callbacks */
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederint ssl_callback_SSLVerify(int, X509_STORE_CTX *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederint ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maederint ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanuint ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan PascanuSSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanuvoid ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanuvoid ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanuint ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanu/** Session Cache Support */
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanuvoid ssl_scache_init(server_rec *, apr_pool_t *);
fefee7e1dee1ee5f0768a03a4abae88d1ca2c3fdRazvan Pascanuvoid ssl_scache_status_register(apr_pool_t *p);
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian MaederBOOL ssl_scache_store(server_rec *, UCHAR *, int,
66a774f13272fde036481edd2298081ab3d04678Razvan PascanuSSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maedervoid ssl_scache_remove(server_rec *, UCHAR *, int,
16b71dad8d398af412d66a4f4763f1ada5b03d23Christian Maeder/** Proxy Support */
9dd71ac51c9a6e72bcb126224f9c64131698b636Christian Maedervoid ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maederlong ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
0ea2cddb8715a770e646895e16b7b8085f49167cChristian Maeder * to allow an SSL renegotiation to take place. */
0ea2cddb8715a770e646895e16b7b8085f49167cChristian Maederint ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
7245138e91992b96b153b8ac527e263d9dc8ff5bChristian Maederint ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
7245138e91992b96b153b8ac527e263d9dc8ff5bChristian Maeder/** Utility Functions */
0ea2cddb8715a770e646895e16b7b8085f49167cChristian Maederchar *ssl_util_vhostid(apr_pool_t *, server_rec *);
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maederapr_file_t *ssl_util_ppopen(server_rec *, apr_pool_t *, const char *,
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maeder const char * const *);
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maedervoid ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
7968d3a131e5a684ec1ff0c6d88aae638549153dChristian Maederchar *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
a461314c811f4187dff85c8be079a41b2f13f176Christian Maeder const char * const *);
a461314c811f4187dff85c8be079a41b2f13f176Christian MaederBOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
a461314c811f4187dff85c8be079a41b2f13f176Christian Maederssl_algo_t ssl_util_algotypeof(X509 *, EVP_PKEY *);
a461314c811f4187dff85c8be079a41b2f13f176Christian Maederint ssl_init_ssl_connection(conn_rec *c, request_rec *r);
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder/** Pass Phrase Support */
3bcd9d942601d59dd55a6069d8b2d1c33d7ced0eChristian Maedervoid ssl_pphrase_Handle(server_rec *, apr_pool_t *);
beff4152e9f0fe90885458d1a1733b183a2a8816Christian Maeder/** Diffie-Hellman Parameter Support */
a461314c811f4187dff85c8be079a41b2f13f176Christian Maederunsigned char *ssl_asn1_table_set(apr_hash_t *table,
3bcd9d942601d59dd55a6069d8b2d1c33d7ced0eChristian Maederssl_asn1_t *ssl_asn1_table_get(apr_hash_t *table,
7245138e91992b96b153b8ac527e263d9dc8ff5bChristian Maeder const char *key);
0a64bfd28dff15bc93e1f7a86e0a8052e879636dChristian Maedervoid ssl_asn1_table_unset(apr_hash_t *table,
be43c3fa0292555bd126784ae27ff5c1d23438cbChristian Maeder const char *key);
daec53c285f692c56db0cefe16061b46ba602cf0Christian Maederconst char *ssl_asn1_table_keyfmt(apr_pool_t *p,
daec53c285f692c56db0cefe16061b46ba602cf0Christian MaederSTACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7);
daec53c285f692c56db0cefe16061b46ba602cf0Christian Maeder/** Mutex Support */
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maederint ssl_mutex_init(server_rec *, apr_pool_t *);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maederint ssl_mutex_reinit(server_rec *, apr_pool_t *);
daec53c285f692c56db0cefe16061b46ba602cf0Christian Maeder/** Logfile Support */
daec53c285f692c56db0cefe16061b46ba602cf0Christian Maedervoid ssl_log_ssl_error(const char *, int, int, server_rec *);
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder/* ssl_log_cxerror is a wrapper for ap_log_cerror which takes a
a3a7d8b3cdf05c8040c62dbcf9a15dc5042cd721Christian Maeder * certificate as an additional argument and appends details of that
93bc87ee96c68506945dbad8c704badaa42ecf14Christian Maeder * cert to the log message. All other arguments interpreted exactly
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maeder * as ap_log_cerror. */
b6ff72be73dad3d1394cf2c71e29e67624ff030bChristian Maedervoid ssl_log_cxerror(const char *file, int line, int level,
3bcd9d942601d59dd55a6069d8b2d1c33d7ced0eChristian Maeder const char *format, ...)
0a64bfd28dff15bc93e1f7a86e0a8052e879636dChristian Maeder/** Variables */
0a64bfd28dff15bc93e1f7a86e0a8052e879636dChristian Maeder/* Register variables for the lifetime of the process pool 'p'. */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederchar *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederapr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maedervoid ssl_var_log_config_register(apr_pool_t *p);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/* Extract SSL_*_DN_* variables into table 't' from SSL object 'ssl',
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * allocating from 'p': */
2353f65833a3da763392f771223250cd50b8d873Christian Maedervoid modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/* Perform OCSP validation of the current cert in the given context.
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * Returns non-zero on success or zero on failure. On failure, the
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * context error code is set. */
b53688bfed888214b485cf76439d57262d80e0a7Christian Maederint modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder server_rec *s, conn_rec *c, apr_pool_t *pool);
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder/* OCSP helper interface; dispatches the given OCSP request to the
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * responder at the given URI. Returns the decoded OCSP response
b53688bfed888214b485cf76439d57262d80e0a7Christian Maeder * object, or NULL on error (in which case, errors will have been
2353f65833a3da763392f771223250cd50b8d873Christian Maeder * logged). Pool 'p' is used for temporary allocations. */
00df6fd583c19393fa141d5a0e21ac74c7bf5b19Christian MaederOCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
0ae7a79e865d4a6022d705d160530682b3c1f825Christian Maeder#endif /* SSL_PRIVATE_H */