www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

* moving the openssl related new hooks into mod_ssl_openssl.h

Browse Source 
* chaning type parameter to openssl types
 * adding explanation of return value in get_stapling_status()
 * adding array element description for add_cert_files and add_fallback_cert_files hooks


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862823 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
2019-07-09 16:57:59 +00:00
parent 2bc9889e63
commit 3d90a98839
4 changed files with 56 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
modules/ssl/mod_ssl.h
View File

@@ -102,7 +102,10 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
#ifdef SSL_CERT_HOOKS #ifdef SSL_CERT_HOOKS
/** Lets others add certificate and key files to the given server. /** Lets others add certificate and key files to the given server.
* For each cert a key must also be added. */ * For each cert a key must also be added.
* @param cert_file and array of const char* with the path to the certificate chain
* @param key_file and array of const char* with the path to the private key file
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files, APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files,
(server_rec *s, apr_pool_t *p, (server_rec *s, apr_pool_t *p,
apr_array_header_t *cert_files, apr_array_header_t *cert_files,
@@ -111,51 +114,15 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files,
/** In case no certificates are available for a server, this /** In case no certificates are available for a server, this
* lets other modules add a fallback certificate for the time * lets other modules add a fallback certificate for the time
* being. Regular requests against this server will be answered * being. Regular requests against this server will be answered
* with a 503. */ * with a 503.
* @param cert_file and array of const char* with the path to the certificate chain
* @param key_file and array of const char* with the path to the private key file
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_fallback_cert_files, APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_fallback_cert_files,
(server_rec *s, apr_pool_t *p, (server_rec *s, apr_pool_t *p,
apr_array_header_t *cert_files, apr_array_header_t *cert_files,
apr_array_header_t *key_files)) apr_array_header_t *key_files))
/** On TLS connections that do not relate to a configured virtual host,
* allow other modules to provide a X509 certificate and EVP_PKEY to
* be used on the connection. This first hook which does not
* return DECLINED will determine the outcome. */
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
(conn_rec *c, const char *server_name,
void **pX509, void **pEVP_PKEY))
/** During post_config phase, ask around if someone wants to provide
* OCSP stapling status information for the given cert (with the also
* provided issuer certificate). The first hook which does not
* return DECLINED promises to take responsibility (and respond
* in later calls via hook ssl_get_stapling_status).
* If no hook takes over, mod_ssl's own stapling implementation will
* be applied (if configured).
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
(server_rec *s, apr_pool_t *p,
void *x509cert, void *x509issuer))
/** Anyone answering positive to ssl_init_stapling_status for a
* certificate, needs to register here and supply the actual OCSP stapling
* status data (OCSP_RESP) for a new connection.
* The data is returned in DER encoded bytes via pder and pderlen. The
* returned pointer may be NULL, which indicates that data is (currently)
* unavailable.
* If DER data is returned, it MUST come from a response with
* status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
* or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
* errors in OCSP retrieval are to be handled/logged by the hook and
* are not done by mod_ssl.
* Any DER bytes returned MUST be allocated via malloc() and ownership
* passes to mod_ssl. Meaning, the hook must return a malloced copy of
* the data it has. mod_ssl (or OpenSSL) will free it.
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
(unsigned char **pder, int *pderlen,
conn_rec *c, server_rec *s, void *x509cert))
#endif /* SSL_CERT_HOOKS */ #endif /* SSL_CERT_HOOKS */
#endif /* __MOD_SSL_H__ */ #endif /* __MOD_SSL_H__ */

40
modules/ssl/mod_ssl_openssl.h
View File

@@ -69,5 +69,45 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake, APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
(conn_rec *c, SSL *ssl)) (conn_rec *c, SSL *ssl))
/** On TLS connections that do not relate to a configured virtual host,
* allow other modules to provide a X509 certificate and EVP_PKEY to
* be used on the connection. This first hook which does not
* return DECLINED will determine the outcome. */
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
(conn_rec *c, const char *server_name,
X509 **pcert, EVP_PKEY **pkey))
/** During post_config phase, ask around if someone wants to provide
* OCSP stapling status information for the given cert (with the also
* provided issuer certificate). The first hook which does not
* return DECLINED promises to take responsibility (and respond
* in later calls via hook ssl_get_stapling_status).
* If no hook takes over, mod_ssl's own stapling implementation will
* be applied (if configured).
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
(server_rec *s, apr_pool_t *p,
X509 *cert, X509 *issuer))
/** Anyone answering positive to ssl_init_stapling_status for a
* certificate, needs to register here and supply the actual OCSP stapling
* status data (OCSP_RESP) for a new connection.
* A hook supplying the response data must return APR_SUCCESS.
* The data is returned in DER encoded bytes via pder and pderlen. The
* returned pointer may be NULL, which indicates that data is (currently)
* unavailable.
* If DER data is returned, it MUST come from a response with
* status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
* or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
* errors in OCSP retrieval are to be handled/logged by the hook and
* are not done by mod_ssl.
* Any DER bytes returned MUST be allocated via malloc() and ownership
* passes to mod_ssl. Meaning, the hook must return a malloced copy of
* the data it has. mod_ssl (or OpenSSL) will free it.
*/
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
(unsigned char **pder, int *pderlen,
conn_rec *c, server_rec *s, X509 *cert))
#endif /* __MOD_SSL_OPENSSL_H__ */ #endif /* __MOD_SSL_OPENSSL_H__ */
/** @} */ /** @} */

7
modules/ssl/ssl_engine_init.c
View File

@@ -39,7 +39,6 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
(server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx), (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
(s,p,is_proxy,ctx), OK, DECLINED) (s,p,is_proxy,ctx), OK, DECLINED)
/* Implement 'ap_run_ssl_add_cert_files'. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files, APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files,
(server_rec *s, apr_pool_t *p, (server_rec *s, apr_pool_t *p,
apr_array_header_t *cert_files, apr_array_header_t *key_files), apr_array_header_t *cert_files, apr_array_header_t *key_files),
@@ -54,8 +53,8 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_fallback_cert_files,
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge, APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge,
(conn_rec *c, const char *server_name, (conn_rec *c, const char *server_name,
void **pX509, void **pEVP_PKEY), X509 **pcert, EVP_PKEY **pkey),
(c, server_name, pX509, pEVP_PKEY), (c, server_name, pcert, pkey),
DECLINED, DECLINED) DECLINED, DECLINED)
@@ -198,7 +197,7 @@ static void ssl_add_version_components(apr_pool_t *p,
int ssl_is_challenge(conn_rec *c, const char *servername, int ssl_is_challenge(conn_rec *c, const char *servername,
X509 **pcert, EVP_PKEY **pkey) X509 **pcert, EVP_PKEY **pkey)
{ {
if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, (void**)pcert, (void**)pkey)) { if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, pcert, pkey)) {
return 1; return 1;
} }
*pcert = NULL; *pcert = NULL;

10
modules/ssl/ssl_util_stapling.c
View File

@@ -31,18 +31,18 @@
#include "ssl_private.h" #include "ssl_private.h"
#include "ap_mpm.h" #include "ap_mpm.h"
#include "apr_thread_mutex.h" #include "apr_thread_mutex.h"
#include "mod_ssl.h" #include "mod_ssl_openssl.h"
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status, APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status,
(server_rec *s, apr_pool_t *p, (server_rec *s, apr_pool_t *p,
void *x509cert, void *x509issuer), X509 *cert, X509 *issuer),
(s, p, x509cert, x509issuer), (s, p, cert, issuer),
DECLINED, DECLINED) DECLINED, DECLINED)
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status, APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status,
(unsigned char **pder, int *pderlen, (unsigned char **pder, int *pderlen,
conn_rec *c, server_rec *s, void *x509cert), conn_rec *c, server_rec *s, X509 *cert),
(pder, pderlen, c, s, x509cert), (pder, pderlen, c, s, cert),
DECLINED, DECLINED) DECLINED, DECLINED)