a) constify return value and variable name passed-in
b) require that pool argument is non-NULL
c) add gcc warning attributes for NULL arguments or ignored result.
This allows removal of inefficient internal duplication of constant
strings which was necessary only to allow non-const char *, and
removal of unsafe casts to/from const in various places.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Assume pool is
non-NULL; return constant and remove apr_pstrdup of constant
result string. Also constify variable name.
(ssl_var_lookup_*): Update to return const char * and avoid
duplication where now possible.
* modules/ssl/mod_ssl.h: Update ssl_var_lookup() optional function
API description and add GCC warning attributes as per private API.
* modules/ssl/ssl_engine_init.c (ssl_add_version_components): Adjust
for const return value.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Pass c->pool
to ssl_var_lookup.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass r->pool to
ssl_var_lookup, expect const return and dup the string since r->user
is char *.
(log_tracing_state): Pass c->pool to ssl_var_lookup.
* modules/http2/h2_h2.c (h2_is_acceptable_connection): Assume
return value of ssl_var_lookup is const.
Github: closes#120
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877475 13f79535-47bb-0310-9956-ffa450edef68
block client-initiated renegotiation with TLSv1.2 and earlier.
* modules/ssl/ssl_private.h: Define modssl_reneg_state enum,
modssl_set_reneg_state function.
* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
bio_filter_in_read): #ifdef-out reneg protection if
SSL_OP_NO_RENEGOTATION is defined.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Enable SSL_OP_NO_RENEGOTATION.
(ssl_init_ctx_callbacks): Only enable the "info" callback if
debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTATION.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
modssl_set_reneg_state to set the reneg protection mode.
(ssl_hook_Access_modern): Drop manipulation of the reneg mode which
does nothing for TLSv1.3 already.
(ssl_callback_Info): Only enable reneg protection if
SSL_OP_NO_RENEGOTATION is *not* defined.
* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877397 13f79535-47bb-0310-9956-ffa450edef68
vhost at startup, rather than building it for each new connection.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec):
Replace vhost_id_len field with vhost_md5.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the
sc->vhost_md5 hash here.
* modules/ssl/mod_ssl.c: Fail at compile time if the
SSL_set_session_id_context() API constraint on context length is
violated.
(ssl_init_ssl_connection): Use sc->vhost_md5.
* modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5
after renegotiation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68
Drop the field from SSLModConfigRec and use pconf instead (where
appropriate) to match the new SSLModConfigRec lifetime.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_DelSessionCacheEntry):
Explicitly (and probably unsafely) use the process pool.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRandomSeed): Use
cmd->pool to allocate paths.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Use pconf
to allocate the keylog_file.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Drop lookup
of SSLModConfigRec and use s->process->pool when no pool is
passed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877347 13f79535-47bb-0310-9956-ffa450edef68
Wrappers around deprecated API:
* X509_STORE_load_locations() => modssl_X509_STORE_load_locations(),
* CTX_load_verify_locations() => modssl_CTX_load_verify_locations(),
* ERR_peek_error_line_data() => modssl_ERR_peek_error_data(),
* DH_bits(dh) => BN_num_bits(DH_get0_p(dh)).
Provide a compatible version of ssl_callback_SessionTicket() which does not
use the deprecated HMAC_CTX and HMAC_Init_ex(), replaced by EVP_MAC_CTX and
EVP_MAC_CTX_set_params() respectively. This requires adapting struct
modssl_ticket_key_t to replace hmac_secret[] with OSSL_PARAM mac_params[],
created once at load time still.
The callback is registered by SSL_CTX_set_tlsext_ticket_key_evp_cb() instead
of SSL_CTX_set_tlsext_ticket_key_cb().
Since BIO_eof() may now be called openssl-3 state machine, the never-called
assertion in bio_filter_in_ctrl() does not hold anymore, and we have to
handle BIO_CTRL_EOF. For any other cmd, we continue to AP_DEBUG_ASSERT(0) and
log an error, yet the return value is changed from -1 to 0 which is the usual
unhandled value.
Note that OpenSSL 3.0.0 is still in alpha stage as of now, the API shouldn't
change though, neither breakage to 1.x.x API.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1876934 13f79535-47bb-0310-9956-ffa450edef68
for OpenSSL < 1.1.
* modules/ssl/ssl_engine_kernel.c (modssl_set_cert_info):
* modules/ssl/ssl_util_stapling.c (stapling_get_issuer):
Use the above macros for all OpenSSL versions.
Github: closes#104
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875702 13f79535-47bb-0310-9956-ffa450edef68
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
PR: 63391
Github: closes#74
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869842 13f79535-47bb-0310-9956-ffa450edef68
Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).
This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868743 13f79535-47bb-0310-9956-ffa450edef68
By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.
In other words:
SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).
Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).
We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868645 13f79535-47bb-0310-9956-ffa450edef68
Since ssl_callback_SSLVerify() is called for both server and proxy modes,
use myCtxConfig()->ocsp_mask to check the right mode/configuration (i.e.
none for proxy in any case).
PR 63679.
Submitted by: Lubos Uhliarik <luhliari redhat.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1865740 13f79535-47bb-0310-9956-ffa450edef68
Retrieve and set sslconn->client_cert here for both "modern" and
classic access control.
(ssl_hook_Access_classic, ssl_hook_Access_modern, ssl_hook_Access):
Restore SSLRequire and FakeBasicAuth checks to ssl_hook_Access so tests
are still applied for TLSv1.3.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1841218 13f79535-47bb-0310-9956-ffa450edef68
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1840585 13f79535-47bb-0310-9956-ffa450edef68
This is already forbidden by the protocol, enforced by OpenSSL, and the
current logic can't work (ssl_callback_Info() may be called multiple times
with TLS 1.3).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833588 13f79535-47bb-0310-9956-ffa450edef68
to take SSLConnRec * out parameter rather than SSL *.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Use it here.
(ssl_hook_Fixup): Adjust use.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829263 13f79535-47bb-0310-9956-ffa450edef68
consistently.
* modules/ssl/ssl_util.c (modssl_request_is_tls): New function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Use it.
* modules/ssl/mod_ssl.c (ssl_hook_http_scheme, ssl_hook_default_port):
Use it.
PR: 61519
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829250 13f79535-47bb-0310-9956-ffa450edef68
SSLVerifyClient support for TLSv1.3 protocol now fails similarly to TLSv1.2 in my setups. (Read: I cannot get client certs to work, but I think this change is an improvement)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828720 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
The logic in 'ap_request_has_body()' is:
has_body = (!r->header_only
&& (r->kept_body
|| apr_table_get(r->headers_in, "Transfer-Encoding")
|| ( (cls = apr_table_get(r->headers_in, "Content-Length"))
&& (apr_strtoff(&cl, cls, &estr, 10) == APR_SUCCESS)
&& (!*estr)
&& (cl > 0) )
)
);
So the test is slighly different from the original code. (but this looks fine to me)
This also has the advantage to avoid a redundant call to 'apr_table_get()' and to improve readability.
While at it, move the test '!r->expecting_100' a few lines above because it is cheap.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827374 13f79535-47bb-0310-9956-ffa450edef68
does not contain a colon before constructing Authorization header
for FakeBasicAuth mode. (Also constify 'user' variable.)
PR: 52644
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1815592 13f79535-47bb-0310-9956-ffa450edef68
