--- /dev/null
+ *) core/mod_proxy/mod_ssl:
+ Adding `outgoing` flag to conn_rec, indicating a connection is
+ initiated by the server to somewhere, in contrast to incoming
+ connections from clients.
+ Adding 'ap_ssl_bind_outgoing()` function that marks a connection
+ as outgoing and is used by mod_proxy instead of the previous
+ optional function `ssl_engine_set`. This enables other SSL
+ module to secure proxy connections.
+ The optional functions `ssl_engine_set`, `ssl_engine_disable` and
+ `ssl_proxy_enable` are now provided by the core to have backward
+ compatibility with non-httpd modules that might use them. mod_ssl
+ itself no longer registers these functions, but keeps them in its
+ header for backward compatibility.
+ The core provided optional function wrap any registered function
+ like it was done for `ssl_is_ssl`.
+ [Stefan Eissing]
\ No newline at end of file
* 20210506.0 (2.5.1-dev) Add ap_proxy_tunnel_conn_get_read() and
* ap_proxy_tunnel_conn_get_transferred() change
* ap_proxy_transfer_between_connections() sent to apr_off_t *.
+ * 20210531.0 (2.5.1-dev) add conn_rec->outgoing and ap_ssl_bind_outgoing()
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20210506
+#define MODULE_MAGIC_NUMBER_MAJOR 20210531
#endif
#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
extern "C" {
#endif
+struct ap_conf_vector_t;
+
/**
* This hook allows modules that manage SSL connection to register their
* inquiry function for checking if a connection is using SSL from them.
*/
AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c);
+/**
+ * This hook declares a connection to be outgoing and the configuration that applies to it.
+ * This hook can be called several times in the lifetime of an outgoing connection, e.g.
+ * when it is re-used in different request contexts. It will at least be called after the
+ * connection was created and before the pre-connection hooks is invoked.
+ * All outgoing-connection hooks are run until one returns something other than ok or decline.
+ * if enable_ssl != 0, a hook that sets up SSL for the connection needs to return DONE.
+ *
+ * @param c The connection on which requests/data are to be sent.
+ * @param dir_conf The directory configuration in which this connection is being used.
+ * @param enable_ssl If != 0, the SSL protocol should be enabled for this connection.
+ * @return OK or DECLINED, DONE when ssl was enabled
+ */
+AP_DECLARE_HOOK(int, ssl_bind_outgoing,
+ (conn_rec *c, struct ap_conf_vector_t *dir_conf, int enable_ssl))
+
+/**
+ * Assures the connection is marked as outgoing and invokes the ssl_bind_outgoing hook.
+ * This may be called several times on an outgoing connection with varying dir_conf
+ * values. require_ssl is not allowed to change on the same connection.
+ *
+ * @param c The connection on which requests/data are to be sent.
+ * @param dir_conf The directory configuration in which this connection is being used.
+ * @param require_ssl != 0 iff this connection needs to be secured by SSL/TLS protocol.
+ * @return OK iff ssl was required and is enabled, DECLINED otherwise
+ */
+AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
+ int require_ssl);
+
+/**
+ * Return != 0 iff handlers/hooks for outgoing connections are registered.
+ */
+AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void);
+
/**
* This hook allows modules to look up SSL related variables for a
* server/connection/request, depending on what they inquire. Some
/** The minimum level of filter type to allow setaside buckets */
int async_filter;
+
+ int outgoing;
};
struct conn_slave_rec {
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
- if (proxy_ssl_enable) {
- return c ? proxy_ssl_enable(c) : 1;
+ if (c == NULL) {
+ return ap_ssl_has_outgoing_handlers();
}
-
- return 0;
+ return ap_ssl_bind_outgoing(c, NULL, 1) == OK;
}
PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c)
{
- if (proxy_ssl_disable) {
- return proxy_ssl_disable(c);
- }
-
- return 0;
+ return ap_ssl_bind_outgoing(c, NULL, 0) == OK;
}
PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c,
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
- if (proxy_ssl_engine) {
- return c ? proxy_ssl_engine(c, per_dir_config, 1, enable) : 1;
+ if (c == NULL) {
+ return ap_ssl_has_outgoing_handlers();
}
-
- if (!per_dir_config) {
- if (enable) {
- return ap_proxy_ssl_enable(c);
- }
- else {
- return ap_proxy_ssl_disable(c);
- }
- }
-
- return 0;
+ return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
}
PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c)
#if APR_HAS_THREADS
#include "apr_thread_pool.h"
#endif
+#include "http_ssl.h"
module AP_MODULE_DECLARE_DATA proxy_hcheck_module;
(*backend)->addr = hc->cp->addr;
(*backend)->hostname = hc->s->hostname_ex;
if (strcmp(hc->s->scheme, "https") == 0 || strcmp(hc->s->scheme, "wss") == 0 ) {
- if (!ap_proxy_ssl_enable(NULL)) {
+ if (!ap_ssl_has_outgoing_handlers()) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ctx->s, APLOGNO(03252)
"mod_ssl not configured?");
return !OK;
"HTTP: declining URL %s", url);
return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
}
- if (is_ssl && !ap_proxy_ssl_enable(NULL)) {
+ if (is_ssl && !ap_ssl_has_outgoing_handlers()) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
"HTTP: declining URL %s (mod_ssl not configured?)", url);
return DECLINED;
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
ap_conf_vector_t *per_dir_config,
- int new_proxy)
+ int reinit)
{
SSLConnRec *sslconn = myConnConfig(c);
int need_setup = 0;
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
need_setup = 1;
}
- else if (!new_proxy) {
+ else if (!reinit) {
return sslconn;
}
if (need_setup) {
sslconn->server = c->base_server;
sslconn->verify_depth = UNSET;
- if (new_proxy) {
- sslconn->is_proxy = 1;
+ if (c->outgoing) {
sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
}
else {
return DECLINED;
}
if (sslconn) {
+ /* This connection has already been configured. Check what applies. */
if (sslconn->disabled) {
return SUSPENDED;
}
- if (sslconn->is_proxy) {
+ if (c->outgoing) {
if (!sslconn->dc->proxy_enabled) {
return DECLINED;
}
}
}
else {
- if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
+ /* we decline by default for outgoing connections and for incoming
+ * where the base_server is not enabled. */
+ if (c->outgoing || mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
return DECLINED;
}
}
return OK;
}
-static int ssl_engine_set(conn_rec *c,
- ap_conf_vector_t *per_dir_config,
- int proxy, int enable)
+static int ssl_hook_ssl_bind_outgoing(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int enable_ssl)
{
SSLConnRec *sslconn;
int status;
-
- if (proxy) {
- sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
- }
- else {
- sslconn = myConnConfig(c);
- }
+ sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
status = ssl_engine_status(c, sslconn);
-
- if (proxy && status == DECLINED) {
- if (enable) {
+ if (enable_ssl) {
+ if (status != OK) {
SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
- "SSL Proxy requested for %s but not enabled "
- "[Hint: SSLProxyEngine]", sc->vhost_id);
+ sslconn->disabled = 1;
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10272)
+ "SSL Proxy requested for %s but not enabled for us.",
+ sc->vhost_id);
+ }
+ else {
+ sslconn->disabled = 0;
+ return OK;
}
- sslconn->disabled = 1;
}
- else if (sslconn) {
- sslconn->disabled = !enable;
+ else {
+ sslconn->disabled = 1;
}
-
- return status != DECLINED;
-}
-
-static int ssl_proxy_enable(conn_rec *c)
-{
- return ssl_engine_set(c, NULL, 1, 1);
-}
-
-static int ssl_engine_disable(conn_rec *c)
-{
- return ssl_engine_set(c, NULL, 0, 0);
+ return DECLINED;
}
#if defined(SSL_MAX_SID_CTX_LENGTH) && (APR_MD5_DIGESTSIZE * 2) > SSL_MAX_SID_CTX_LENGTH
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
- sslconn->is_proxy ? "Proxy: " : "Server: ");
+ c->outgoing ? "Proxy: " : "Server: ");
- mctx = myCtxConfig(sslconn, sc);
+ mctx = myConnCtxConfig(c, sc);
/*
* Create a new SSL connection with the configured server SSL context and
return DECLINED; /* XXX */
}
- rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+ rc = ssl_run_pre_handshake(c, ssl, c->outgoing ? 1 : 0);
if (rc != OK && rc != DECLINED) {
return rc;
}
APR_HOOK_MIDDLE);
ssl_var_register(p);
-
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
+ ap_hook_ssl_bind_outgoing (ssl_hook_ssl_bind_outgoing, NULL, NULL, APR_HOOK_MIDDLE);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
AUTHZ_PROVIDER_VERSION,
}
server = sslconn->server;
- if (sslconn->is_proxy) {
+ if (c->outgoing) {
#ifdef HAVE_TLSEXT
apr_ipsubnet_t *ip;
#endif
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(conn);
SSLDirConfigRec *dc = r ? myDirConfig(r) : sslconn->dc;
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
/* Get verify ingredients */
* Check for optionally acceptable non-verifiable issuer situation
*/
if (dc) {
- if (sslconn->is_proxy) {
+ if (conn->outgoing) {
verify = dc->proxy->auth.verify_mode;
}
else {
* Finally check the depth of the certificate verification
*/
if (dc) {
- if (sslconn->is_proxy) {
+ if (conn->outgoing) {
depth = dc->proxy->auth.verify_depth;
}
else {
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
- if (!sslconn->is_proxy &&
+ if (!c->outgoing &&
(where & SSL_CB_HANDSHAKE_START) &&
sslconn->reneg_state == RENEG_REJECT) {
sslconn->reneg_state = RENEG_ABORT;
* Don't switch the protocol if none is configured for this vhost,
* the default in this case is still the base server's SSLProtocol.
*/
- if (myCtxConfig(sslcon, sc)->protocol_set) {
+ if (myConnCtxConfig(c, sc)->protocol_set) {
SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
}
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLConnRec *sslconn = myConnConfig(c);
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(c, sc);
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
if (mode == 1) {
return sslconn;
}
-static int ssl_is_https(conn_rec *c)
+static int ssl_conn_is_ssl(conn_rec *c)
{
const SSLConnRec *sslconn = ssl_get_effective_config(c);
- return sslconn && sslconn->ssl;
+ return (sslconn && sslconn->ssl)? OK : DECLINED;
}
/* Returns certificate data, either PEM encoded if 'pem' is non-zero,
{
char *cp, *cp2;
- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ ap_hook_ssl_conn_is_ssl(ssl_conn_is_ssl, NULL, NULL, APR_HOOK_MIDDLE);
APR_REGISTER_OPTIONAL_FN(ssl_get_tls_cb);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
#define myDirConfig(req) \
((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
-#define myCtxConfig(sslconn, sc) \
- (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
+#define myConnCtxConfig(c, sc) \
+ (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server)
#define myModConfig(srv) mySrvConfig((srv))->mc
#define mySrvFromConn(c) myConnConfig(c)->server
#define myDirConfigFromConn(c) myConnConfig(c)->dc
const char *verify_info;
const char *verify_error;
int verify_depth;
- int is_proxy;
int disabled;
enum {
NON_SSL_OK = 0, /* is SSL request, or error handling completed */
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(conn);
SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLConnRec *sslconn = myConnConfig(conn);
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
UCHAR idx[SHA_DIGEST_LENGTH];
ocsp_resp resp;
certinfo *cinf = NULL;
#include "ap_config.h"
#include "httpd.h"
#include "http_core.h"
+#include "http_connection.h"
#include "http_protocol.h"
#include "http_request.h"
#include "http_ssl.h"
APR_HOOK_LINK(ssl_answer_challenge)
APR_HOOK_LINK(ssl_ocsp_prime_hook)
APR_HOOK_LINK(ssl_ocsp_get_resp_hook)
+ APR_HOOK_LINK(ssl_bind_outgoing)
)
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https;
+APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *module_ssl_proxy_enable;
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *module_ssl_engine_disable;
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+ ap_conf_vector_t *,
+ int proxy, int enable));
+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *module_ssl_engine_set;
+
static int ssl_is_https(conn_rec *c)
{
return r;
}
+static int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int proxy, int enable)
+{
+ if (proxy) {
+ return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
+ }
+ else if (module_ssl_engine_set) {
+ return module_ssl_engine_set(c, per_dir_config, 0, enable);
+ }
+ else if (enable && module_ssl_proxy_enable) {
+ return module_ssl_proxy_enable(c);
+ }
+ else if (!enable && module_ssl_engine_disable) {
+ return module_ssl_engine_disable(c);
+ }
+ return 0;
+}
+
+static int ssl_proxy_enable(conn_rec *c)
+{
+ return ap_ssl_bind_outgoing(c, NULL, 1);
+}
+
+static int ssl_engine_disable(conn_rec *c)
+{
+ return ap_ssl_bind_outgoing(c, NULL, 0);
+}
+
+AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
+ int enable_ssl)
+{
+ int rv, enabled = 0;
+
+ c->outgoing = 1;
+ rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl);
+ enabled = (rv == OK);
+ if (enable_ssl && !enabled) {
+ /* the hooks did not take over. Is there an old skool optional that will? */
+ if (module_ssl_engine_set) {
+ enabled = module_ssl_engine_set(c, dir_conf, 1, 1);
+ }
+ else if (module_ssl_proxy_enable) {
+ enabled = module_ssl_proxy_enable(c);
+ }
+ }
+ else {
+ /* !enable_ssl || enabled
+ * any existing optional funcs need to not enable here */
+ if (module_ssl_engine_set) {
+ module_ssl_engine_set(c, dir_conf, 1, 0);
+ }
+ else if (module_ssl_engine_disable) {
+ module_ssl_engine_disable(c);
+ }
+ }
+ if (enable_ssl && !enabled) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0,
+ c, APLOGNO(01961) " failed to enable ssl support "
+ "[Hint: if using mod_ssl, see SSLProxyEngine]");
+ return DECLINED;
+ }
+ return OK;
+}
+
+AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void)
+{
+ return (_hooks.link_ssl_bind_outgoing && _hooks.link_ssl_bind_outgoing->nelts > 0)
+ || module_ssl_engine_set || module_ssl_proxy_enable;
+}
+
APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup,
(apr_pool_t *p, server_rec *s,
conn_rec *c, request_rec *r,
module_ssl_var_lookup = (fn_ssl_var_lookup
&& fn_ssl_var_lookup != ssl_var_lookup)? fn_ssl_var_lookup : NULL;
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+
+ module_ssl_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ module_ssl_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ module_ssl_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
}
AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p,
(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata),
(s, c, id, id_len, cb, userdata), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,ssl_bind_outgoing,(conn_rec *c, ap_conf_vector_t *dir_conf, int require_ssl),
+ (c, dir_conf, require_ssl), DECLINED)
projects / thirdparty / apache / httpd.git / commitdiff
