* 20201214.1 (2.5.1-dev) Add ap_ssl_conn_is_ssl()/ap_ssl_var_lookup() and hooks
* 20201214.2 (2.5.1-dev) Add ap_ssl_add_cert_files, ap_ssl_add_fallback_cert_files
* 20201214.3 (2.5.1-dev) Move ap_ssl_* into new http_ssl.h header file
- * 20201214.4 (2.5.1-dev) Add `ap_bytes_t` to httpd.h.
- * Add ap_ssl_ocsp* hooks and functions to http_ssl.h.
+ * 20201214.4 (2.5.1-dev) Add ap_ssl_ocsp* hooks and functions to http_ssl.h.
+ * 20210420.0 (2.5.1-dev) Removed `ap_bytes_t` again from httpd.h and usage in ap_ssl_ocsp*()
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20201214
+#define MODULE_MAGIC_NUMBER_MAJOR 20210420
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 4 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
* @return OK iff stapling is being provided
*/
AP_DECLARE_HOOK(int, ssl_ocsp_prime_hook, (server_rec *s, apr_pool_t *p,
- const ap_bytes_t *id, const char *pem))
+ const char *id, apr_size_t id_len,
+ const char *pem))
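Review bot: The new `id`/`id_len` pair replaces a struct that carried its own length with a bare `const char *`, and nothing in the visible doc comment says that `id` is an opaque byte string of exactly `id_len` bytes with no NUL terminator; mod_ssl passes a raw SHA-1 digest here (the `(const char*)idx, sizeof(idx)` calls later in this diff), so a provider that treats it as a C string would read past the buffer or mismatch keys. Add to the hook doc `@param id opaque certificate identifier bytes, not NUL-terminated` and `@param id_len number of bytes in id`, and the same on the ap_ssl_ocsp_prime, ssl_ocsp_get_resp_hook and ap_ssl_ocsp_get_resp declarations in the following hunks. The doc comment for this hook begins before this hunk.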
/**
* Registering a certificate for Provisioning of OCSP responses. It is the caller's
* APR_ENOENT when no provided was found or took responsibility.
*/
AP_DECLARE(apr_status_t) ap_ssl_ocsp_prime(server_rec *s, apr_pool_t *p,
- const ap_bytes_t *id,
+ const char *id, apr_size_t id_len,
const char *pem);
/**
* @return OK iff response data has been provided, DECLINED otherwise
*/
AP_DECLARE_HOOK(int, ssl_ocsp_get_resp_hook,
- (server_rec *s, conn_rec *c, const ap_bytes_t *id,
+ (server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata))
/**
* @return APR_SUCCESS iff data has been provided
*/
AP_DECLARE(apr_status_t) ap_ssl_ocsp_get_resp(server_rec *s, conn_rec *c,
- const ap_bytes_t *id,
+ const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata);
#ifdef __cplusplus
typedef struct request_rec request_rec;
/** A structure that represents the status of the current connection */
typedef struct conn_state_t conn_state_t;
-/** A structure that represents a number of bytes */
-typedef struct ap_bytes_t ap_bytes_t;
/* ### would be nice to not include this from httpd.h ... */
/* This comes after we have defined the request_rec type */
float loadavg15;
};
-/**
- * @struct ap_bytes_t
- * @brief A structure to hold a number of bytes
- */
-struct ap_bytes_t {
- unsigned char *data;
- apr_size_t len;
-};
-
/**
* Get the context_document_root for a request. This is a generalization of
* the document root, which is too limited in the presence of mappers like
/* Need Tlsv1.2 or higher, rfc 7540, ch. 9.2
*/
- val = ap_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_PROTOCOL");
+ val = ap_ssl_var_lookup(pool, s, c, NULL, "SSL_PROTOCOL");
if (val && *val) {
if (strncmp("TLS", val, 3)
|| !strcmp("TLSv1", val)
/* Check TLS cipher blacklist
*/
- val = ap_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_CIPHER");
+ val = ap_ssl_var_lookup(pool, s, c, NULL, "SSL_CIPHER");
if (val && *val) {
const char *source;
if (cipher_is_blacklisted(val, &source)) {
const char *ap_lua_ssl_val(apr_pool_t *p, server_rec *s, conn_rec *c,
request_rec *r, const char *var)
{
- return ap_ssl_var_lookup(p, s, c, r, (char *)var);
+ return ap_ssl_var_lookup(p, s, c, r, var);
}
int ap_lua_ssl_is_https(conn_rec *c)
return rv;
}
-apr_status_t md_ocsp_prime(md_ocsp_reg_t *reg, const md_data_t *external_id,
+apr_status_t md_ocsp_prime(md_ocsp_reg_t *reg, const char *ext_id, apr_size_t ext_id_len,
md_cert_t *cert, md_cert_t *issuer, const md_t *md)
{
md_ocsp_status_t *ostat;
"md[%s]: adding ocsp info (responder=%s)",
name, ostat->responder_url);
apr_hash_set(reg->ostat_by_id, ostat->id.data, (apr_ssize_t)ostat->id.len, ostat);
- if (external_id) {
+ if (ext_id) {
md_ocsp_id_map_t *id_map;
id_map = apr_pcalloc(reg->p, sizeof(*id_map));
id_map->id = id;
- md_data_assign_pcopy(&id_map->external_id, external_id, reg->p);
+ md_data_assign_pcopy(&id_map->external_id, ext_id, ext_id_len, reg->p);
/* check for collision/uniqness? */
apr_hash_set(reg->id_by_external_id, id_map->external_id.data,
(apr_ssize_t)id_map->external_id.len, id_map);
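Review bot: The guard `if (ext_id)` at the top of this hunk checks only the pointer, so a caller passing a non-NULL `ext_id` with `ext_id_len == 0` registers an empty key in `reg->id_by_external_id` (md_data_assign_pcopy yields data NULL / len 0 for that input, per its new body in this diff). Since the pointer and its length are now separate arguments, the length should be part of the condition: `if (ext_id && ext_id_len) {`. md_ocsp_prime's body starts before this hunk.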
return rv;
}
-apr_status_t md_ocsp_get_status(md_ocsp_copy_der *cb, void *userdata,
- md_ocsp_reg_t *reg, const md_data_t *external_id,
+apr_status_t md_ocsp_get_status(md_ocsp_copy_der *cb, void *userdata, md_ocsp_reg_t *reg,
+ const char *ext_id, apr_size_t ext_id_len,
apr_pool_t *p, const md_t *md)
{
md_ocsp_status_t *ostat;
const char *name;
apr_status_t rv = APR_SUCCESS;
md_ocsp_id_map_t *id_map;
- const md_data_t *id;
+ const char *id;
+ apr_size_t id_len;
int locked = 0;
(void)p;
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE2, 0, reg->p,
"md[%s]: OCSP, get_status", name);
- id_map = apr_hash_get(reg->id_by_external_id,
- external_id->data, (apr_ssize_t)external_id->len);
- id = id_map? &id_map->id : external_id;
- ostat = apr_hash_get(reg->ostat_by_id, id->data, (apr_ssize_t)id->len);
+ id_map = apr_hash_get(reg->id_by_external_id, ext_id, (apr_ssize_t)ext_id_len);
+ id = id_map? id_map->id.data : ext_id;
+ id_len = id_map? id_map->id.len : ext_id_len;
+ ostat = apr_hash_get(reg->ostat_by_id, id, (apr_ssize_t)id_len);
if (!ostat) {
rv = APR_ENOENT;
goto cleanup;
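Review bot: `ext_id` goes straight into `apr_hash_get` without a NULL check, while the sibling `md_ocsp_prime` in this diff treats a NULL `ext_id` as "no external id"; with the pointer and length now decoupled, a NULL pointer paired with a nonzero `ext_id_len` would presumably be dereferenced by the hash function. A guard before the lookup that mirrors the existing ENOENT path, `if (!ext_id || !ext_id_len) { rv = APR_ENOENT; goto cleanup; }`, keeps the function from depending on every caller validating the pair. md_ocsp_get_status's body continues past this hunk.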
apr_status_t md_ocsp_init_id(struct md_data_t *id, apr_pool_t *p, const md_cert_t *cert);
-apr_status_t md_ocsp_prime(md_ocsp_reg_t *reg, const struct md_data_t *external_id,
+apr_status_t md_ocsp_prime(md_ocsp_reg_t *reg, const char *ext_id, apr_size_t ext_id_len,
md_cert_t *x, md_cert_t *issuer, const md_t *md);
typedef void md_ocsp_copy_der(const unsigned char *der, apr_size_t der_len, void *userdata);
-apr_status_t md_ocsp_get_status(md_ocsp_copy_der *cb, void *userdata,
- md_ocsp_reg_t *reg, const struct md_data_t *external_id,
+apr_status_t md_ocsp_get_status(md_ocsp_copy_der *cb, void *userdata, md_ocsp_reg_t *reg,
+ const char *ext_id, apr_size_t ext_id_len,
apr_pool_t *p, const md_t *md);
apr_status_t md_ocsp_get_meta(md_ocsp_cert_stat_t *pstat, md_timeperiod_t *pvalid,
return d;
}
-void md_data_assign_pcopy(md_data_t *dest, const md_data_t *src, apr_pool_t *p)
+void md_data_assign_pcopy(md_data_t *dest, const char *src, apr_size_t src_len, apr_pool_t *p)
{
- dest->data = (src->data && src->len)? apr_pmemdup(p, src->data, src->len) : NULL;
- dest->len = dest->data? src->len : 0;
+ dest->data = (src && src_len)? apr_pmemdup(p, src, src_len) : NULL;
+ dest->len = dest->data? src_len : 0;
}
static const char * const hex_const[] = {
md_data_t *md_data_make(apr_pool_t *p, apr_size_t len);
md_data_t *md_data_create(apr_pool_t *p, const char *data, apr_size_t len);
-void md_data_assign_pcopy(md_data_t *dest, const md_data_t *src, apr_pool_t *p);
+void md_data_assign_pcopy(md_data_t *dest, const char *src, apr_size_t src_len, apr_pool_t *p);
apr_status_t md_data_to_hex(const char **phex, char separator,
apr_pool_t *p, const md_data_t *data);
md = ((sc->assigned && sc->assigned->nelts == 1)?
APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
- rv = md_ocsp_prime(sc->mc->ocsp, NULL, md_cert_wrap(p, cert),
+ rv = md_ocsp_prime(sc->mc->ocsp, NULL, 0, md_cert_wrap(p, cert),
md_cert_wrap(p, issuer), md);
ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, "init stapling for: %s",
md? md->name : s->server_hostname);
}
int md_ocsp_prime_status(server_rec *s, apr_pool_t *p,
- const ap_bytes_t *external_id, const char *pem)
+ const char *id, apr_size_t id_len, const char *pem)
{
md_srv_conf_t *sc;
const md_t *md;
apr_array_header_t *chain;
apr_status_t rv = APR_ENOENT;
- md_data_t eid;
sc = md_config_get(s);
if (!staple_here(sc)) goto cleanup;
goto cleanup;
}
- eid.data = (char*)external_id->data;
- eid.len = external_id->len;
- rv = md_ocsp_prime(sc->mc->ocsp, &eid,
+ rv = md_ocsp_prime(sc->mc->ocsp, id, id_len,
APR_ARRAY_IDX(chain, 0, md_cert_t*),
APR_ARRAY_IDX(chain, 1, md_cert_t*), md);
ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s, "init stapling for: %s",
rv = md_ocsp_init_id(&id, c->pool, cert);
if (APR_SUCCESS != rv) goto declined;
- rv = md_ocsp_get_status(ocsp_copy_der, &ctx, sc->mc->ocsp, &id, c->pool, md);
+ rv = md_ocsp_get_status(ocsp_copy_der, &ctx, sc->mc->ocsp, id.data, id.len, c->pool, md);
if (APR_STATUS_IS_ENOENT(rv)) goto declined;
*pder = ctx.der;
*pderlen = (int)ctx.der_len;
}
int md_ocsp_provide_status(server_rec *s, conn_rec *c,
- const ap_bytes_t *external_id,
+ const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata)
{
md_srv_conf_t *sc;
const md_t *md;
- md_data_t eid;
apr_status_t rv;
sc = md_config_get(s);
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "get stapling for: %s",
md? md->name : s->server_hostname);
- eid.data = (const char *)external_id->data;
- eid.len = external_id->len;
- rv = md_ocsp_get_status(cb, userdata, sc->mc->ocsp, &eid, c->pool, md);
+ rv = md_ocsp_get_status(cb, userdata, sc->mc->ocsp, id, id_len, c->pool, md);
if (APR_STATUS_IS_ENOENT(rv)) goto declined;
return OK;
conn_rec *c, server_rec *s, X509 *cert);
int md_ocsp_prime_status(server_rec *s, apr_pool_t *p,
- const ap_bytes_t *id, const char *pem);
+ const char *id, apr_size_t id_len, const char *pem);
-int md_ocsp_provide_status(server_rec *s, conn_rec *c, const ap_bytes_t *id,
+int md_ocsp_provide_status(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata);
/**
conn_rec *c, request_rec *r,
const char *var)
{
- return ap_ssl_var_lookup(p, s, c, r, (char *)var);
+ return ap_ssl_var_lookup(p, s, c, r, var);
}
static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog,
ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
"Failed to configure challenge certificate %s",
servername);
- rv = APR_EGENERAL; goto cleanup;
+ rv = APR_EGENERAL;
+ goto cleanup;
}
if (!SSL_use_PrivateKey(ssl, key)) {
"error '%s' using Challenge key: %s",
ERR_error_string(ERR_peek_last_error(), NULL),
servername);
- rv = APR_EGENERAL; goto cleanup;
+ rv = APR_EGENERAL;
+ goto cleanup;
}
if (SSL_check_private_key(ssl) < 1) {
ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
"Challenge certificate and private key %s "
"do not match", servername);
- rv = APR_EGENERAL; goto cleanup;
+ rv = APR_EGENERAL;
+ goto cleanup;
}
cleanup:
in = BIO_new_mem_buf(cert_pem, -1);
if (in == NULL) {
- rv = APR_ENOMEM; goto cleanup;
+ rv = APR_ENOMEM;
+ goto cleanup;
}
x = PEM_read_bio_X509(in, NULL, cb, ud);
if (x == NULL) {
- rv = APR_ENOENT; goto cleanup;
+ rv = APR_ENOENT;
+ goto cleanup;
}
BIO_free(in);
in = BIO_new_mem_buf(key_pem? key_pem : cert_pem, -1);
if (in == NULL) {
- rv = APR_ENOMEM; goto cleanup;
+ rv = APR_ENOMEM;
+ goto cleanup;
}
key = PEM_read_bio_PrivateKey(in, NULL, cb, ud);
if (key == NULL) {
- rv = APR_ENOENT; goto cleanup;
+ rv = APR_ENOENT;
+ goto cleanup;
}
cleanup:
OCSP_CERTID *cid = NULL;
STACK_OF(OPENSSL_STRING) *aia = NULL;
const char *pem = NULL;
- ap_bytes_t key;
int rv = 1; /* until further notice */
if (x == NULL)
goto cleanup;
}
- key.data = idx;
- key.len = sizeof(idx);
- if (ap_ssl_ocsp_prime(s, p, &key, pem) == APR_SUCCESS
+ if (ap_ssl_ocsp_prime(s, p, (const char*)idx, sizeof(idx), pem) == APR_SUCCESS
|| ssl_run_init_stapling_status(s, p, x, issuer) == OK) {
/* Someone's taken over or mod_ssl's own implementation is not enabled */
if (mctx->stapling_enabled != TRUE) {
return 0;
}
+typedef struct {
+ unsigned char *data;
+ apr_size_t len;
+} ocsp_resp;
+
static void copy_ocsp_resp(const unsigned char *der, apr_size_t der_len, void *userdata)
{
- ap_bytes_t *resp = userdata;
+ ocsp_resp *resp = userdata;
resp->len = 0;
resp->data = der? OPENSSL_malloc(der_len) : NULL;
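Review bot: The new file-local `ocsp_resp` type carries no comment on who owns `data`: copy_ocsp_resp fills it with `OPENSSL_malloc(der_len)` on the line below the cast, so whoever consumes the struct must release it with the matching OpenSSL free (the release site is outside this hunk — confirm). A short comment on the struct, `/* DER OCSP response copied from a provider; data is OPENSSL_malloc'd by copy_ocsp_resp and owned by the caller of ap_ssl_ocsp_get_resp */`, would make that explicit. copy_ocsp_resp's body continues past this hunk.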
SSLConnRec *sslconn = myConnConfig(conn);
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
UCHAR idx[SHA_DIGEST_LENGTH];
- ap_bytes_t key, resp;
+ ocsp_resp resp;
certinfo *cinf = NULL;
OCSP_RESPONSE *rsp = NULL;
int rv;
if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) {
return SSL_TLSEXT_ERR_NOACK;
}
- key.data = idx;
- key.len = sizeof(idx);
- if (ap_ssl_ocsp_get_resp(s, conn, &key, copy_ocsp_resp, &resp) == APR_SUCCESS) {
+ if (ap_ssl_ocsp_get_resp(s, conn, (const char*)idx, sizeof(idx),
+ copy_ocsp_resp, &resp) == APR_SUCCESS) {
provided = 1;
}
else if (ssl_run_get_stapling_status(&resp.data, &rspderlen, conn, s, x) == APR_SUCCESS) {
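Review bot: `ocsp_resp resp;` on the declaration line is left uninitialized and is only populated through the callback when `ap_ssl_ocsp_get_resp` succeeds; if a provider returns OK without invoking the callback (the hook doc says it must, but nothing enforces it), the `provided = 1` branch goes on with indeterminate `resp.data`/`resp.len`. Initialise it at declaration, `ocsp_resp resp = { NULL, 0 };`, which also gives the `ssl_run_get_stapling_status(&resp.data, ...)` fallback a known starting value. The enclosing callback starts before and continues after this hunk.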
const char *name)
{
const char *val = ap_run_ssl_var_lookup(p, s, c, r, name);
- if (val == NULL && module_ssl_is_https) {
+ if (val == NULL && module_ssl_var_lookup) {
val = module_ssl_var_lookup(p, s, c, r, name);
}
return val;
}
AP_DECLARE(apr_status_t) ap_ssl_ocsp_prime(server_rec *s, apr_pool_t *p,
- const ap_bytes_t *id,
+ const char *id, apr_size_t id_len,
const char *pem)
{
- int rv = ap_run_ssl_ocsp_prime_hook(s, p, id, pem);
+ int rv = ap_run_ssl_ocsp_prime_hook(s, p, id, id_len, pem);
return rv == OK? APR_SUCCESS : (rv == DECLINED? APR_ENOENT : APR_EGENERAL);
}
AP_DECLARE(apr_status_t) ap_ssl_ocsp_get_resp(server_rec *s, conn_rec *c,
- const ap_bytes_t *id,
+ const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata)
{
- int rv = ap_run_ssl_ocsp_get_resp_hook(s, c, id, cb, userdata);
+ int rv = ap_run_ssl_ocsp_get_resp_hook(s, c, id, id_len, cb, userdata);
return rv == OK? APR_SUCCESS : (rv == DECLINED? APR_ENOENT : APR_EGENERAL);
}
(conn_rec *c, const char *server_name, const char **pcert_pem, const char **pkey_pem),
(c, server_name, pcert_pem, pkey_pem), DECLINED)
AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocsp_prime_hook,
- (server_rec *s, apr_pool_t *p, const ap_bytes_t *id, const char *pem),
- (s, p, id, pem), DECLINED)
+ (server_rec *s, apr_pool_t *p, const char *id, apr_size_t id_len, const char *pem),
+ (s, p, id, id_len, pem), DECLINED)
AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocsp_get_resp_hook,
- (server_rec *s, conn_rec *c, const ap_bytes_t *id, ap_ssl_ocsp_copy_resp *cb, void *userdata),
- (s, c, id, cb, userdata), DECLINED)
+ (server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
+ ap_ssl_ocsp_copy_resp *cb, void *userdata),
+ (s, c, id, id_len, cb, userdata), DECLINED)