diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
index 1c09df1f68..d1a2c558e5 100644
--- a/modules/filters/mod_deflate.c
+++ b/modules/filters/mod_deflate.c
@@ -43,10 +43,10 @@
 #include "apr_general.h"
 #include "util_filter.h"
 #include "apr_buckets.h"
+#include "http_protocol.h"
 #include "http_request.h"
 #define APR_WANT_STRFUNC
 #include "apr_want.h"
-#include "mod_ssl.h"
 #include "zlib.h"
@@ -99,8 +99,6 @@ static const char deflate_magic[2] = { '\037', '\213' };
 #define DEFAULT_MEMLEVEL 9
 #define DEFAULT_BUFFERSIZE 8096
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *mod_deflate_ssl_var = NULL;
-
 /* Check whether a request is gzipped, so we can un-gzip it.
 * If a request has multiple encodings, we need the gzip
 * to be the outermost non-identity encoding.
@@ -553,10 +551,8 @@ static int check_ratio(request_rec *r, deflate_ctx *ctx,
 static int have_ssl_compression(request_rec *r)
 {
 const char *comp;
- if (mod_deflate_ssl_var == NULL)
- return 0;
- comp = mod_deflate_ssl_var(r->pool, r->server, r->connection, r,
- "SSL_COMPRESS_METHOD");
+ comp = ap_ssl_var_lookup(r->pool, r->server, r->connection, r,
+ "SSL_COMPRESS_METHOD");
 if (comp == NULL || *comp == '\0' || strcmp(comp, "NULL") == 0)
 return 0;
 return 1;
@@ -1889,7 +1885,6 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
 static int mod_deflate_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
 {
- mod_deflate_ssl_var = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
 return OK;
 }
diff --git a/modules/http2/h2_alt_svc.c b/modules/http2/h2_alt_svc.c
index 7f44100f36..0e7bc30f7f 100644
--- a/modules/http2/h2_alt_svc.c
+++ b/modules/http2/h2_alt_svc.c
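Review bot: The test in have_ssl_compression folds three different results into "no TLS compression" without saying what each one means: a NULL pointer, an empty string and the literal string `"NULL"`. With the `mod_deflate_ssl_var == NULL` early return removed, a NULL pointer from `ap_ssl_var_lookup` presumably also covers the case where no SSL module answers the lookup (confirm against the core function). A comment above the `if` would keep that visible, for example `/* NULL or "": no provider or no value; "NULL": presumably the provider's name for no compression */`.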
@@ -98,7 +98,7 @@ static int h2_alt_svc_handler(request_rec *r)
 */
 const char *alt_svc = "";
 const char *svc_ma = "";
- int secure = h2_h2_is_tls(r->connection);
+ int secure = ap_ssl_conn_is_ssl(r->connection);
 int ma = h2_config_rgeti(r, H2_CONF_ALT_SVC_MAX_AGE);
 if (ma >= 0) {
 svc_ma = apr_psprintf(r->pool, "; ma=%d", ma);
diff --git a/modules/http2/h2_conn_io.c b/modules/http2/h2_conn_io.c
index 68c15d13e4..b6f56e4df9 100644
--- a/modules/http2/h2_conn_io.c
+++ b/modules/http2/h2_conn_io.c
@@ -22,6 +22,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "h2_private.h"
@@ -133,7 +134,7 @@ apr_status_t h2_conn_io_init(h2_conn_io *io, conn_rec *c, server_rec *s)
 {
 io->c = c;
 io->output = apr_brigade_create(c->pool, c->bucket_alloc);
- io->is_tls = h2_h2_is_tls(c);
+ io->is_tls = ap_ssl_conn_is_ssl(c);
 io->buffer_output = io->is_tls;
 io->flush_threshold = (apr_size_t)h2_config_sgeti64(s, H2_CONF_STREAM_MAX_MEM);
diff --git a/modules/http2/h2_h2.c b/modules/http2/h2_h2.c
index 2256842d05..3c5d045d52 100644
--- a/modules/http2/h2_h2.c
+++ b/modules/http2/h2_h2.c
@@ -28,8 +28,6 @@
 #include
 #include
-#include "mod_ssl.h"
-
 #include "mod_http2.h"
 #include "h2_private.h"
@@ -57,13 +55,6 @@ const char *h2_clear_protos[] = {
 const char *H2_MAGIC_TOKEN = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
-/*******************************************************************************
- * The optional mod_ssl functions we need.
- */
-static APR_OPTIONAL_FN_TYPE(ssl_is_https) *opt_ssl_is_https;
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *opt_ssl_var_lookup;
-
-
 /*******************************************************************************
 * HTTP/2 error stuff
 */
@@ -445,27 +436,14 @@ apr_status_t h2_h2_init(apr_pool_t *pool, server_rec *s)
 {
 (void)pool;
 ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "h2_h2, child_init");
- opt_ssl_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
- opt_ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
-
- if (!opt_ssl_is_https || !opt_ssl_var_lookup) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- APLOGNO(02951) "mod_ssl does not seem to be enabled");
- }
-
 cipher_init(pool);
 return APR_SUCCESS;
 }
-int h2_h2_is_tls(conn_rec *c)
-{
- return opt_ssl_is_https && opt_ssl_is_https(c);
-}
-
 int h2_is_acceptable_connection(conn_rec *c, request_rec *r, int require_all)
 {
- int is_tls = h2_h2_is_tls(c);
+ int is_tls = ap_ssl_conn_is_ssl(c);
 if (is_tls && h2_config_cgeti(c, H2_CONF_MODERN_TLS_ONLY) > 0) {
 /* Check TLS connection for modern TLS parameters, as defined in
@@ -475,14 +453,9 @@ int h2_is_acceptable_connection(conn_rec *c, request_rec *r, int require_all)
 server_rec *s = c->base_server;
 const char *val;
- if (!opt_ssl_var_lookup) {
- /* unable to check */
- return 0;
- }
-
 /* Need Tlsv1.2 or higher, rfc 7540, ch. 9.2 */
- val = opt_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_PROTOCOL");
+ val = ap_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_PROTOCOL");
 if (val && *val) {
 if (strncmp("TLS", val, 3) || !strcmp("TLSv1", val)
@@ -501,7 +474,7 @@ int h2_is_acceptable_connection(conn_rec *c, request_rec *r, int require_all)
 /* Check TLS cipher blacklist */
- val = opt_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_CIPHER");
+ val = ap_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_CIPHER");
 if (val && *val) {
 const char *source;
 if (cipher_is_blacklisted(val, &source)) {
@@ -522,7 +495,7 @@ int h2_is_acceptable_connection(conn_rec *c, request_rec *r, int require_all)
 static int h2_allows_h2_direct(conn_rec *c)
 {
- int is_tls = h2_h2_is_tls(c);
+ int is_tls = ap_ssl_conn_is_ssl(c);
 const char *needed_protocol = is_tls? "h2" : "h2c";
 int h2_direct = h2_config_cgeti(c, H2_CONF_DIRECT);
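Review bot: The removed `if (!opt_ssl_var_lookup) return 0;` in the hunk at -475 was the fail-closed path of h2_is_acceptable_connection for TLS parameters that could not be checked, and the new code has no equivalent. If `ap_ssl_var_lookup` returns NULL or an empty string for `SSL_PROTOCOL` (presumably what happens when no provider answers, to be confirmed), the `if (val && *val)` block is skipped and the outcome is decided by code outside the hunk, possibly depending on `require_all`. The `SSL_CIPHER` lookup in the hunk at -501 has the same shape. Either keep an explicit rejection for a TLS connection whose protocol cannot be determined, or document the intended outcome next to the lookup, for example `/* NULL or "": protocol could not be determined; see the handling after this check */`.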
@@ -535,7 +508,7 @@ static int h2_allows_h2_direct(conn_rec *c)
 int h2_allows_h2_upgrade(request_rec *r)
 {
 int h2_upgrade = h2_config_rgeti(r, H2_CONF_UPGRADE);
- return h2_upgrade > 0 || (h2_upgrade < 0 && !h2_h2_is_tls(r->connection));
+ return h2_upgrade > 0 || (h2_upgrade < 0 && !ap_ssl_conn_is_ssl(r->connection));
 }
 /*******************************************************************************
@@ -631,7 +604,7 @@ int h2_h2_process_conn(conn_rec* c)
 if (!ctx) {
 ctx = h2_ctx_get(c, 1);
 }
- h2_ctx_protocol_set(ctx, h2_h2_is_tls(c)? "h2" : "h2c");
+ h2_ctx_protocol_set(ctx, ap_ssl_conn_is_ssl(c)? "h2" : "h2c");
 }
 else if (APLOGctrace2(c)) {
 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
diff --git a/modules/http2/h2_h2.h b/modules/http2/h2_h2.h
index 339e898a10..8cfb9864fe 100644
--- a/modules/http2/h2_h2.h
+++ b/modules/http2/h2_h2.h
@@ -41,10 +41,6 @@ const char *h2_h2_err_description(unsigned int h2_error);
 */
 apr_status_t h2_h2_init(apr_pool_t *pool, server_rec *s);
-/* Is the connection a TLS connection?
- */
-int h2_h2_is_tls(conn_rec *c);
-
 /* Register apache hooks for h2 protocol */
 void h2_h2_register_hooks(void);
diff --git a/modules/http2/h2_switch.c b/modules/http2/h2_switch.c
index 9ec658b8e1..bbc1472e33 100644
--- a/modules/http2/h2_switch.c
+++ b/modules/http2/h2_switch.c
@@ -52,7 +52,7 @@ static int h2_protocol_propose(conn_rec *c, request_rec *r, apr_array_header_t *proposals)
 {
 int proposed = 0;
- int is_tls = h2_h2_is_tls(c);
+ int is_tls = ap_ssl_conn_is_ssl(c);
 const char **protos = is_tls? h2_tls_protos : h2_clear_protos;
 if (!h2_mpm_supported()) {
@@ -127,7 +127,7 @@ static int h2_protocol_switch(conn_rec *c, request_rec *r, server_rec *s, const char *protocol)
 {
 int found = 0;
- const char **protos = h2_h2_is_tls(c)? h2_tls_protos : h2_clear_protos;
+ const char **protos = ap_ssl_conn_is_ssl(c)? h2_tls_protos : h2_clear_protos;
 const char **p = protos;
 (void)s;
diff --git a/modules/loggers/mod_log_json.c b/modules/loggers/mod_log_json.c
index 825da6b170..f25be19c92 100644
--- a/modules/loggers/mod_log_json.c
+++ b/modules/loggers/mod_log_json.c
@@ -21,7 +21,6 @@
 #include "http_protocol.h"
 #include "http_request.h"
-#include
 #include "mod_log_config.h"
 #include "apr_strings.h"
@@ -49,8 +48,6 @@ APLOG_USE_MODULE(log_json);
 module AP_MODULE_DECLARE_DATA log_json_module;
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *log_json_ssl_lookup = NULL;
-static APR_OPTIONAL_FN_TYPE(ssl_is_https) *log_json_ssl_is_https = NULL;
 static APR_OPTIONAL_FN_TYPE(ap_register_log_handler) *log_json_register = NULL;
 static const char *crit_error =
@@ -99,21 +96,20 @@ log_json(request_rec *r, char *a)
 json_string(apr_table_get(r->headers_in, "User-Agent")));
 json_object_set_new_nocheck(obj, "hdrs", hdrs);
- if (log_json_ssl_is_https != NULL && log_json_ssl_lookup != NULL &&
- log_json_ssl_is_https(r->connection)) {
+ if (ap_ssl_conn_is_ssl(r->connection)) {
 json_t *tls = json_object();
 json_object_set_new_nocheck(tls, "v",
- json_string(log_json_ssl_lookup(
+ json_string(ap_ssl_var_lookup(
 r->pool, r->server, r->connection, r, "SSL_PROTOCOL")));
 json_object_set_new_nocheck(tls, "cipher",
- json_string(log_json_ssl_lookup(
+ json_string(ap_ssl_var_lookup(
 r->pool, r->server, r->connection, r, "SSL_CIPHER")));
 json_object_set_new_nocheck(tls, "client_verify",
- json_string(log_json_ssl_lookup(
+ json_string(ap_ssl_var_lookup(
 r->pool, r->server, r->connection, r, "SSL_CLIENT_VERIFY")));
 json_object_set_new_nocheck(tls, "sni",
- json_string(log_json_ssl_lookup(
+ json_string(ap_ssl_var_lookup(
 r->pool, r->server, r->connection, r, "SSL_TLS_SNI")));
 json_object_set_new_nocheck(obj, "tls", tls);
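Review bot: The four `ap_ssl_var_lookup` results in log_json are handed to `json_string()` without a NULL check, and the return value of `json_object_set_new_nocheck` is ignored. As far as I know jansson returns NULL from `json_string(NULL)` and then refuses the insert, so a variable the provider cannot supply drops its key from the `tls` object instead of being logged as null; confirm against the jansson version in use. For log consumers that alert on protocol or cipher, an explicit null is easier to tell apart from a collection gap: `json_object_set_new_nocheck(tls, "sni", v ? json_string(v) : json_null());` with `v` holding the lookup result. log_json's body starts and ends outside the hunk.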
@@ -162,9 +158,6 @@ log_json_post_config(
 return OK;
 }
- log_json_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
- log_json_ssl_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
-
 /* http://jansson.readthedocs.io/en/2.8/portability.html#portability-thread-safety */
 json_object_seed(0);
diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
index d0806c9ad6..c672de8644 100644
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -37,7 +37,6 @@
 #include "mod_lua.h"
 #include "lua_apr.h"
 #include "lua_config.h"
-#include "mod_ssl.h"
 #include "mod_auth.h"
 #include "util_mutex.h"
@@ -52,8 +51,6 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ap_lua, AP_LUA, int, lua_open,
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ap_lua, AP_LUA, int, lua_request, (lua_State *L, request_rec *r), (L, r), OK, DECLINED)
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *lua_ssl_val = NULL;
-static APR_OPTIONAL_FN_TYPE(ssl_is_https) *lua_ssl_is_https = NULL;
 module AP_MODULE_DECLARE_DATA lua_module;
@@ -1707,15 +1704,12 @@ static const char *register_lua_root(cmd_parms *cmd, void *_cfg,
 const char *ap_lua_ssl_val(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *var)
 {
- if (lua_ssl_val) {
- return (const char *)lua_ssl_val(p, s, c, r, (char *)var);
- }
- return NULL;
+ return ap_ssl_var_lookup(p, s, c, r, (char *)var);
 }
 int ap_lua_ssl_is_https(conn_rec *c)
 {
- return lua_ssl_is_https ? lua_ssl_is_https(c) : 0;
+ return ap_ssl_conn_is_ssl(c);
 }
 /*******************************/
@@ -2029,9 +2023,6 @@ static int lua_post_config(apr_pool_t *pconf, apr_pool_t *plog,
 apr_pool_t **pool;
 apr_status_t rs;
- lua_ssl_val = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
- lua_ssl_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
-
 if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
 return OK;
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 7ce09197ea..b8ffb9fcbe 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
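Review bot: The `(char *)var` cast in ap_lua_ssl_val only existed to match the old optional-function prototype, which took a `char *`; in the new call it strips `const` for no visible reason. If `ap_ssl_var_lookup` takes a `const char *` name, as I believe its declaration in http_protocol.h does (confirm), the call can be `return ap_ssl_var_lookup(p, s, c, r, var);`. The same leftover cast is in ap_proxy_ssl_val in mod_proxy.c and on the string literals `(char*)"SSL_PROTOCOL"` and `(char*)"SSL_CIPHER"` in h2_h2.c.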
@@ -85,8 +85,6 @@
 #include "http_vhost.h"
 #include "util_mutex.h"
-#include "mod_ssl.h"
-
 #include "mod_rewrite.h"
 #include "ap_expr.h"
@@ -419,8 +417,6 @@ static apr_global_mutex_t *rewrite_mapr_lock_acquire = NULL;
 static const char *rewritemap_mutex_type = "rewrite-map";
 /* Optional functions imported from mod_ssl when loaded: */
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *rewrite_ssl_lookup = NULL;
-static APR_OPTIONAL_FN_TYPE(ssl_is_https) *rewrite_is_https = NULL;
 static char *escape_backref(apr_pool_t *p, const char *path, const char *escapeme, int noplus);
 /*
@@ -1894,8 +1890,8 @@ static char *lookup_variable(char *var, rewrite_ctx *ctx)
 result = getenv(var);
 }
 }
- else if (var[4] && !strncasecmp(var, "SSL", 3) && rewrite_ssl_lookup) {
- result = rewrite_ssl_lookup(r->pool, r->server, r->connection, r,
+ else if (var[4] && !strncasecmp(var, "SSL", 3)) {
+ result = ap_ssl_var_lookup(r->pool, r->server, r->connection, r,
 var + 4);
 }
 }
@@ -1993,7 +1989,7 @@ static char *lookup_variable(char *var, rewrite_ctx *ctx)
 case 5:
 if (!strcmp(var, "HTTPS")) {
- int flag = rewrite_is_https && rewrite_is_https(r->connection);
+ int flag = ap_ssl_conn_is_ssl(r->connection);
 return apr_pstrdup(r->pool, flag ? "on" : "off");
 }
 break;
@@ -4581,9 +4577,6 @@ static int post_config(apr_pool_t *p,
 }
 }
- rewrite_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
- rewrite_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
-
 return OK;
 }
diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c
index e60281fdbd..8caa550a64 100644
--- a/modules/metadata/mod_headers.c
+++ b/modules/metadata/mod_headers.c
@@ -83,8 +83,6 @@
 #include "http_protocol.h"
 #include "ap_expr.h"
-#include "mod_ssl.h" /* for the ssl_var_lookup optional function defn */
-
 /* format_tag_hash is initialized during pre-config */
 static apr_hash_t *format_tag_hash;
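Review bot: The comment `/* Optional functions imported from mod_ssl when loaded: */` in the mod_rewrite.c declarations hunk (-419) is left in place although both pointers it introduced are removed. It now sits directly above the `escape_backref` prototype and reads as if that function were imported from mod_ssl. Delete the comment along with the two declarations.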
@@ -161,9 +159,6 @@ typedef struct {
 module AP_MODULE_DECLARE_DATA headers_module;
-/* Pointer to ssl_var_lookup, if available. */
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *header_ssl_lookup = NULL;
-
 /*
 * Tag formatting functions
 */
@@ -210,17 +205,12 @@ static const char *header_request_env_var(request_rec *r, char *a)
 static const char *header_request_ssl_var(request_rec *r, char *name)
 {
- if (header_ssl_lookup) {
- const char *val = header_ssl_lookup(r->pool, r->server,
- r->connection, r, name);
- if (val && val[0])
- return unwrap_header(r->pool, val);
- else
- return "(null)";
- }
- else {
+ const char *val = ap_ssl_var_lookup(r->pool, r->server,
+ r->connection, r, name);
+ if (val && val[0])
+ return unwrap_header(r->pool, val);
+ else
 return "(null)";
- }
 }
 static const char *header_request_loadavg(request_rec *r, char *a)
@@ -995,7 +985,6 @@ static int header_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp)
 static int header_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
 {
- header_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
 return OK;
 }
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 3380e1d5e0..0926ae113f 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -30,10 +30,6 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
 APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *, ap_conf_vector_t *, int proxy, int enable));
-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
- (apr_pool_t *, server_rec *,
- conn_rec *, request_rec *, char *));
 #endif
 #ifndef MAX
@@ -3133,8 +3129,6 @@ static const command_rec proxy_cmds[] =
 static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = NULL;
 static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable = NULL;
 static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *proxy_ssl_engine = NULL;
-static APR_OPTIONAL_FN_TYPE(ssl_is_https) *proxy_is_https = NULL;
-static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *proxy_ssl_val = NULL;
 PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c)
 {
@@ -3184,23 +3178,14 @@ PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c,
 PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c)
 {
- if (proxy_is_https) {
- return proxy_is_https(c);
- }
- else
- return 0;
+ return ap_ssl_conn_is_ssl(c);
 }
 PROXY_DECLARE(const char *) ap_proxy_ssl_val(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *var)
 {
- if (proxy_ssl_val) {
- /* XXX Perhaps the casting useless */
- return (const char *)proxy_ssl_val(p, s, c, r, (char *)var);
- }
- else
- return NULL;
+ return ap_ssl_var_lookup(p, s, c, r, (char *)var);
 }
 static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog,
@@ -3218,8 +3203,6 @@ static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog,
 proxy_ssl_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
 proxy_ssl_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
 proxy_ssl_engine = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
- proxy_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
- proxy_ssl_val = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
 ap_proxy_strmatch_path = apr_strmatch_precompile(pconf, "path=", 0);
 ap_proxy_strmatch_domain = apr_strmatch_precompile(pconf, "domain=", 0);
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index 765a1a8b67..ccf13b7cb8 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -1649,9 +1649,6 @@ static int op_file_subr(ap_expr_eval_ctx_t *ctx, const void *data, const char *a
 }
-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
-static APR_OPTIONAL_FN_TYPE(ssl_is_https) *is_https = NULL;
-
 APR_DECLARE_OPTIONAL_FN(int, http2_is_h2, (conn_rec *));
 static APR_OPTIONAL_FN_TYPE(http2_is_h2) *is_http2 = NULL;
@@ -1673,7 +1670,7 @@ static const char *conn_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
 switch (index) {
 case 0:
- if (is_https && is_https(c))
+ if (ap_ssl_conn_is_ssl(c))
 return "on";
 else
 return "off";
@@ -2227,10 +2224,7 @@ static int expr_lookup_not_found(ap_expr_lookup_parms *parms)
 static int ap_expr_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
 {
- is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
 is_http2 = APR_RETRIEVE_OPTIONAL_FN(http2_is_h2);
- apr_pool_cleanup_register(pconf, &is_https, ap_pool_cleanup_set_null,
- apr_pool_cleanup_null);
 return OK;
 }
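Review bot: After this change `is_http2` is the only optional function pointer still cached in ap_expr_post_config, and unlike `is_https` before the change it has no `ap_pool_cleanup_set_null` cleanup registered on `pconf`. If that cleanup was there to keep the pointer from dangling when the providing module is unloaded across a restart (my assumption, the reason is not on the page), the same reasoning applies to `is_http2`: `apr_pool_cleanup_register(pconf, &is_http2, ap_pool_cleanup_set_null, apr_pool_cleanup_null);`. If it is not needed, a one-line comment saying why would settle the question.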