mirror of
https://github.com/apache/httpd.git
synced 2025-08-01 07:26:57 +03:00
1e06568a28
* mod_ssl_openssl.h:
Make it the first openssl to be included openssl header, selecting the
OpenSSL api based on OPENSSL_API_COMPAT eventually.
* ssl_private.h;
Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting EGINE_ API)
before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
new "providers" api before the ENGINE_ api is abandonned..).
mod_ssl.h is now implicitely included from there.
Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
engine features are disabled, only "builtin" is accepted).
Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
above, so it might not be implemenentedain httpd anymore at some point..).
Define X509_get_not{Before,After} if missing to the non deprecated version.
New modssl_set_io_callbacks() to factorize compat code for io callbacks.
ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
modssl_dh_pkey_from_file() for openssl >= 3.0.
* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
Including "ssl_private.h" only is suited/enough now.
* mod_ssl_ct.c, ssl_ct_log_config:
Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.
* ssl_engine_init:
New compat modssl_runtime_lib_version() to address deprecated SSLeay().
ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
Compat loading DH parameters and EC curve from cert.
* ssl_engine_io.c, ssl_engine_kernel.c:
Implement common modssl_set_io_callbacks() and use it.
* ssl_engine_pphrase(modssl_load_engine_keypair):
Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
* ssl_util.c(modssl_is_engine_id):
No engine supported unless MODSSL_HAVE_ENGINE_API.
* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
Compat with openssl >= 3.0.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
117 lines
4.8 KiB
C
117 lines
4.8 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/**
|
|
* @file mod_ssl_openssl.h
|
|
* @brief Interface to OpenSSL-specific APIs provided by mod_ssl
|
|
*
|
|
* @defgroup MOD_SSL mod_ssl_openssl
|
|
* @ingroup APACHE_MODS
|
|
* @{
|
|
*/
|
|
|
|
#ifndef __MOD_SSL_OPENSSL_H__
|
|
#define __MOD_SSL_OPENSSL_H__
|
|
|
|
#include "mod_ssl.h"
|
|
|
|
/* OpenSSL headers */
|
|
|
|
#include <openssl/opensslv.h>
|
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
|
#include <openssl/macros.h> /* for OPENSSL_API_LEVEL */
|
|
#endif
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10001000
|
|
/* must be defined before including ssl.h */
|
|
#define OPENSSL_NO_SSL_INTERN
|
|
#endif
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/x509.h>
|
|
|
|
/**
|
|
* init_server hook -- allow SSL_CTX-specific initialization to be performed by
|
|
* a module for each SSL-enabled server (one at a time)
|
|
* @param s SSL-enabled [virtual] server
|
|
* @param p pconf pool
|
|
* @param is_proxy 1 if this server supports backend connections
|
|
* over SSL/TLS, 0 if it supports client connections over SSL/TLS
|
|
* @param ctx OpenSSL SSL Context for the server
|
|
*/
|
|
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server,
|
|
(server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx))
|
|
|
|
/**
|
|
* pre_handshake hook
|
|
* @param c conn_rec for new connection from client or to backend server
|
|
* @param ssl OpenSSL SSL Connection for the client or backend server
|
|
* @param is_proxy 1 if this handshake is for a backend connection, 0 otherwise
|
|
*/
|
|
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
|
|
(conn_rec *c, SSL *ssl, int is_proxy))
|
|
|
|
/**
|
|
* proxy_post_handshake hook -- allow module to abort after successful
|
|
* handshake with backend server and subsequent peer checks
|
|
* @param c conn_rec for connection to backend server
|
|
* @param ssl OpenSSL SSL Connection for the client or backend server
|
|
*/
|
|
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
|
|
(conn_rec *c, SSL *ssl))
|
|
|
|
/** On TLS connections that do not relate to a configured virtual host,
|
|
* allow other modules to provide a X509 certificate and EVP_PKEY to
|
|
* be used on the connection. This first hook which does not
|
|
* return DECLINED will determine the outcome. */
|
|
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
|
|
(conn_rec *c, const char *server_name,
|
|
X509 **pcert, EVP_PKEY **pkey))
|
|
|
|
/** During post_config phase, ask around if someone wants to provide
|
|
* OCSP stapling status information for the given cert (with the also
|
|
* provided issuer certificate). The first hook which does not
|
|
* return DECLINED promises to take responsibility (and respond
|
|
* in later calls via hook ssl_get_stapling_status).
|
|
* If no hook takes over, mod_ssl's own stapling implementation will
|
|
* be applied (if configured).
|
|
*/
|
|
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
|
|
(server_rec *s, apr_pool_t *p,
|
|
X509 *cert, X509 *issuer))
|
|
|
|
/** Anyone answering positive to ssl_init_stapling_status for a
|
|
* certificate, needs to register here and supply the actual OCSP stapling
|
|
* status data (OCSP_RESP) for a new connection.
|
|
* A hook supplying the response data must return APR_SUCCESS.
|
|
* The data is returned in DER encoded bytes via pder and pderlen. The
|
|
* returned pointer may be NULL, which indicates that data is (currently)
|
|
* unavailable.
|
|
* If DER data is returned, it MUST come from a response with
|
|
* status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
|
|
* or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
|
|
* errors in OCSP retrieval are to be handled/logged by the hook and
|
|
* are not done by mod_ssl.
|
|
* Any DER bytes returned MUST be allocated via malloc() and ownership
|
|
* passes to mod_ssl. Meaning, the hook must return a malloced copy of
|
|
* the data it has. mod_ssl (or OpenSSL) will free it.
|
|
*/
|
|
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
|
|
(unsigned char **pder, int *pderlen,
|
|
conn_rec *c, server_rec *s, X509 *cert))
|
|
|
|
#endif /* __MOD_SSL_OPENSSL_H__ */
|
|
/** @} */
|