* moving the openssl related new hooks into mod_ssl_openssl.h

* chaning type parameter to openssl types * adding explanation of return value in get_stapling_status() * adding array element description for add_cert_files and add_fallback_cert_files hooks git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862823 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2019-07-09 16:57:59 +00:00
parent 2bc9889e63
commit 3d90a98839
4 changed files with 56 additions and 50 deletions
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -102,7 +102,10 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
 #ifdef SSL_CERT_HOOKS

 /** Lets others add certificate and key files to the given server.
- * For each cert a key must also be added. */
+ * For each cert a key must also be added.
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ */
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files,
                          (server_rec *s, apr_pool_t *p, 
                           apr_array_header_t *cert_files,
@@ -111,51 +114,15 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files,
 /** In case no certificates are available for a server, this
 * lets other modules add a fallback certificate for the time
 * being. Regular requests against this server will be answered
- * with a 503. */
+ * with a 503. 
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ */
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_fallback_cert_files,
                          (server_rec *s, apr_pool_t *p, 
                           apr_array_header_t *cert_files,
                           apr_array_header_t *key_files))

-/** On TLS connections that do not relate to a configured virtual host,
- * allow other modules to provide a X509 certificate and EVP_PKEY to
- * be used on the connection. This first hook which does not
- * return DECLINED will determine the outcome. */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
-                          (conn_rec *c, const char *server_name, 
-                          void **pX509, void **pEVP_PKEY))
-
-/** During post_config phase, ask around if someone wants to provide
- * OCSP stapling status information for the given cert (with the also
- * provided issuer certificate). The first hook which does not
- * return DECLINED promises to take responsibility (and respond
- * in later calls via hook ssl_get_stapling_status).
- * If no hook takes over, mod_ssl's own stapling implementation will
- * be applied (if configured).
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
-                          (server_rec *s, apr_pool_t *p, 
-                          void *x509cert, void *x509issuer))
-
-/** Anyone answering positive to ssl_init_stapling_status for a 
- * certificate, needs to register here and supply the actual OCSP stapling
- * status data (OCSP_RESP) for a new connection.
- * The data is returned in DER encoded bytes via pder and pderlen. The
- * returned pointer may be NULL, which indicates that data is (currently)
- * unavailable.
- * If DER data is returned, it MUST come from a response with
- * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
- * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
- * errors in OCSP retrieval are to be handled/logged by the hook and
- * are not done by mod_ssl.
- * Any DER bytes returned MUST be allocated via malloc() and ownership
- * passes to mod_ssl. Meaning, the hook must return a malloced copy of
- * the data it has. mod_ssl (or OpenSSL) will free it. 
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
-                          (unsigned char **pder, int *pderlen, 
-                          conn_rec *c, server_rec *s, void *x509cert))
-                          
 #endif /* SSL_CERT_HOOKS */

 #endif /* __MOD_SSL_H__ */
--- a/modules/ssl/mod_ssl_openssl.h
+++ b/modules/ssl/mod_ssl_openssl.h
@@ -69,5 +69,45 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
                          (conn_rec *c, SSL *ssl))

+/** On TLS connections that do not relate to a configured virtual host,
+ * allow other modules to provide a X509 certificate and EVP_PKEY to
+ * be used on the connection. This first hook which does not
+ * return DECLINED will determine the outcome. */
+APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
+                          (conn_rec *c, const char *server_name, 
+                          X509 **pcert, EVP_PKEY **pkey))
+
+/** During post_config phase, ask around if someone wants to provide
+ * OCSP stapling status information for the given cert (with the also
+ * provided issuer certificate). The first hook which does not
+ * return DECLINED promises to take responsibility (and respond
+ * in later calls via hook ssl_get_stapling_status).
+ * If no hook takes over, mod_ssl's own stapling implementation will
+ * be applied (if configured).
+ */
+APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
+                          (server_rec *s, apr_pool_t *p, 
+                          X509 *cert, X509 *issuer))
+
+/** Anyone answering positive to ssl_init_stapling_status for a 
+ * certificate, needs to register here and supply the actual OCSP stapling
+ * status data (OCSP_RESP) for a new connection.
+ * A hook supplying the response data must return APR_SUCCESS.
+ * The data is returned in DER encoded bytes via pder and pderlen. The
+ * returned pointer may be NULL, which indicates that data is (currently)
+ * unavailable.
+ * If DER data is returned, it MUST come from a response with
+ * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
+ * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
+ * errors in OCSP retrieval are to be handled/logged by the hook and
+ * are not done by mod_ssl.
+ * Any DER bytes returned MUST be allocated via malloc() and ownership
+ * passes to mod_ssl. Meaning, the hook must return a malloced copy of
+ * the data it has. mod_ssl (or OpenSSL) will free it. 
+ */
+APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
+                          (unsigned char **pder, int *pderlen, 
+                          conn_rec *c, server_rec *s, X509 *cert))
+                          
 #endif /* __MOD_SSL_OPENSSL_H__ */
 /** @} */
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -39,7 +39,6 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
                                    (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
                                    (s,p,is_proxy,ctx), OK, DECLINED)

-/* Implement 'ap_run_ssl_add_cert_files'. */
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files,
                                    (server_rec *s, apr_pool_t *p, 
                                    apr_array_header_t *cert_files, apr_array_header_t *key_files),
@@ -54,8 +53,8 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_fallback_cert_files,

 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge,
                                    (conn_rec *c, const char *server_name, 
-                                    void **pX509, void **pEVP_PKEY),
-                                    (c, server_name, pX509, pEVP_PKEY),
+                                    X509 **pcert, EVP_PKEY **pkey),
+                                    (c, server_name, pcert, pkey),
                                    DECLINED, DECLINED)


@@ -198,7 +197,7 @@ static void ssl_add_version_components(apr_pool_t *p,
 int ssl_is_challenge(conn_rec *c, const char *servername, 
                     X509 **pcert, EVP_PKEY **pkey)
 {
-    if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, (void**)pcert, (void**)pkey)) {
+    if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, pcert, pkey)) {
        return 1;
    }
    *pcert = NULL;
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -31,18 +31,18 @@
 #include "ssl_private.h"
 #include "ap_mpm.h"
 #include "apr_thread_mutex.h"
-#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"

 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status,
                                    (server_rec *s, apr_pool_t *p, 
-                                     void *x509cert, void *x509issuer),
-                                     (s, p, x509cert, x509issuer),
+                                     X509 *cert, X509 *issuer),
+                                     (s, p, cert, issuer),
                                    DECLINED, DECLINED)

 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status,
                                    (unsigned char **pder, int *pderlen, 
-                                     conn_rec *c, server_rec *s, void *x509cert),
-                                     (pder, pderlen, c, s, x509cert), 
+                                     conn_rec *c, server_rec *s, X509 *cert),
+                                     (pder, pderlen, c, s, cert), 
                                    DECLINED, DECLINED)