-*- coding: utf-8 -*-
+ *) mod_ssl: Add hooks to allow other modules to perform processing at
+ several stages of initialization and connection handling. See
+ mod_ssl_openssl.h. [Jeff Trawick]
+
*) mod_http2: disabling PUSH when client sends GOAWAY.
*) mod_rewrite: Don't implicitly URL-escape the original query string
SET(mod_session_crypto_extra_libs mod_session)
SET(mod_session_dbd_extra_libs mod_session)
SET(mod_socache_dc_requires AN_UNIMPLEMENTED_SUPPORT_LIBRARY_REQUIREMENT)
+SET(mod_ssl_extra_defines SSL_DECLARE_EXPORT)
SET(mod_ssl_requires OPENSSL_FOUND)
IF(OPENSSL_FOUND)
SET(mod_ssl_extra_includes ${OPENSSL_INCLUDE_DIR})
${CMAKE_CURRENT_SOURCE_DIR}/modules/proxy/mod_proxy.h
${CMAKE_CURRENT_SOURCE_DIR}/modules/session/mod_session.h
${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl/mod_ssl.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl/mod_ssl_openssl.h
)
# When mod_serf is buildable, don't forget to copy modules/proxy/mod_serf.h
$(srcdir)/modules/proxy/mod_proxy.h \
$(srcdir)/modules/session/mod_session.h \
$(srcdir)/modules/ssl/mod_ssl.h \
+ $(srcdir)/modules/ssl/mod_ssl_openssl.h \
$(srcdir)/os/$(OS_DIR)/*.h
install-include:
modules\mappers\mod_rewrite.h \
modules\proxy\mod_proxy.h \
modules\ssl\mod_ssl.h \
+ modules\ssl\mod_ssl_openssl.h \
) do \
@copy %f "$(INSTDIR)\include" < .y > nul
copy srclib\apr\Lib$(SHORT)\apr-1.lib "$(INSTDIR)\lib" <.y
$(call COPY,$(STDMOD)/proxy/mod_proxy.h, $(INSTALLBASE)/include/)
$(call COPY,$(STDMOD)/session/mod_session.h, $(INSTALLBASE)/include/)
$(call COPY,$(STDMOD)/ssl/mod_ssl.h, $(INSTALLBASE)/include/)
+ $(call COPY,$(STDMOD)/ssl/mod_ssl_openssl.h, $(INSTALLBASE)/include/)
$(call COPY,$(APR)/*.imp, $(INSTALLBASE)/lib/)
$(call COPY,$(NWOS)/*.imp, $(INSTALLBASE)/lib/)
$(call COPY,$(NWOS)/*.xdc, $(INSTALLBASE)/lib/)
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Add hooks to allow mod_ssl_ct to work on 2.4.x branch
- Note: mod_ssl_ct in trunk also uses a proxy hook (proxy_detach_backend),
- but that is only to set some envvars for logging, not for
- functionality. I think a better solution is required in that case.
- trunk revisions: r1587607, r1588868
- 2.4.x patch: https://emptyhammock.com/media/downloads/mod_ssl_openssl-to-2.4.x.txt
- +1: trawick, ylavic, jim
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
* ap_prep_lingering_close().
* 20120211.56 (2.4.19-dev) Split useragent_host from the conn_rec into
* the request_rec, with ap_get_useragent_host()
+ * 20120211.57 (2.4.19-dev) Add mod_ssl_openssl.h and OpenSSL-specific hooks
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20120211
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 56 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 57 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
#include "ssl_private.h"
#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
#include "util_md5.h"
#include "util_mutex.h"
#include "ap_provider.h"
#include <assert.h>
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
+ (conn_rec *c,SSL *ssl,int is_proxy),
+ (c,ssl,is_proxy), OK, DECLINED);
+
/*
* the table of configuration directives we provide
*/
SSL *ssl;
SSLConnRec *sslconn = myConnConfig(c);
char *vhost_md5;
+ int rc;
modssl_ctx_t *mctx;
server_rec *server;
return DECLINED; /* XXX */
}
+ rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+ if (rc != OK && rc != DECLINED) {
+ return rc;
+ }
+
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
sc->vhost_id_len);
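Review bot: When a pre_handshake hook returns something other than OK or DECLINED, the new `return rc;` leaves the function without releasing the `ssl` object, which — judging from the `SSL *ssl;` declaration and the `return DECLINED; /* XXX */` context that precedes the call — was just created and is not yet stored in `sslconn`, so nothing later frees it; `SSL_free(ssl); return rc;` closes that path. The refusing value is also propagated without a log line, which leaves an admin with a dropped connection and no indication which module's hook refused it; an `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "pre_handshake hook returned %d", rc);` before the return would make that visible. The enclosing function starts and ends outside the hunk.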
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c
-# ADD CPP /nologo /MD /W3 /O2 /Oy- /Zi /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /Fd"Release\mod_ssl_src" /FD /c
+# ADD CPP /nologo /MD /W3 /O2 /Oy- /Zi /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /D "SSL_DECLARE_EXPORT" /Fd"Release\mod_ssl_src" /FD /c
# ADD BASE MTL /nologo /D "NDEBUG" /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MDd /W3 /EHsc /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /c
-# ADD CPP /nologo /MDd /W3 /EHsc /Zi /Od /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /Fd"Debug\mod_ssl_src" /FD /c
+# ADD CPP /nologo /MDd /W3 /EHsc /Zi /Od /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /D "SSL_DECLARE_EXPORT" /Fd"Debug\mod_ssl_src" /FD /c
# ADD BASE MTL /nologo /D "_DEBUG" /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "_DEBUG"
#include "httpd.h"
#include "apr_optional.h"
+/* Create a set of SSL_DECLARE(type), SSL_DECLARE_NONSTD(type) and
+ * SSL_DECLARE_DATA with appropriate export and import tags for the platform
+ */
+#if !defined(WIN32)
+#define SSL_DECLARE(type) type
+#define SSL_DECLARE_NONSTD(type) type
+#define SSL_DECLARE_DATA
+#elif defined(SSL_DECLARE_STATIC)
+#define SSL_DECLARE(type) type __stdcall
+#define SSL_DECLARE_NONSTD(type) type
+#define SSL_DECLARE_DATA
+#elif defined(SSL_DECLARE_EXPORT)
+#define SSL_DECLARE(type) __declspec(dllexport) type __stdcall
+#define SSL_DECLARE_NONSTD(type) __declspec(dllexport) type
+#define SSL_DECLARE_DATA __declspec(dllexport)
+#else
+#define SSL_DECLARE(type) __declspec(dllimport) type __stdcall
+#define SSL_DECLARE_NONSTD(type) __declspec(dllimport) type
+#define SSL_DECLARE_DATA __declspec(dllimport)
+#endif
+
/** The ssl_var_lookup() optional function retrieves SSL environment
* variables. */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
see Recursive.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
#include "mpm_common.h"
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
+ (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
+ (s,p,is_proxy,ctx), OK, DECLINED)
+
/* _________________________________________________________________
**
** Module Initialization
return rv;
}
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
+ if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
+ if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+ }
+ else if (sc->proxy_enabled == SSL_ENABLED_TRUE) {
+ if ((rv = ssl_run_init_server(s, p, 1, sc->proxy->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+ }
+ }
+
/*
* Announce mod_ssl and SSL library in HTTP Server field
* as ``mod_ssl/X.X.X OpenSSL/X.X.X''
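Review bot: The `else if (sc->proxy_enabled == SSL_ENABLED_TRUE)` branch means a server that has both SSLEngine and SSLProxyEngine enabled only presents its server `SSL_CTX` to init_server hooks; its proxy context is never passed, so a hook that must configure both silently misses the proxy side, and making the second test an independent `if (sc->proxy_enabled == SSL_ENABLED_TRUE) {` would notify both. The loop also compares the int result of the RUN_ALL hook against `APR_SUCCESS` and returns it through what the surrounding `return rv;` suggests is an apr_status_t-returning function; that only works because OK and APR_SUCCESS are both 0, and a hook error such as an HTTP status would then be reported through the APR error path, so the test should be against `OK` with a log line naming the failing server before returning. The enclosing function starts and ends outside the hunk.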
-- Unknown */
#include "ssl_private.h"
#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
#include "apr_date.h"
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, proxy_post_handshake,
+ (conn_rec *c,SSL *ssl),
+ (c,ssl),OK,DECLINED);
+
/* _________________________________________________________________
**
** I/O Hooks
const char *hostname_note = apr_table_get(c->notes,
"proxy-request-hostname");
BOOL proxy_ssl_check_peer_ok = TRUE;
+ int post_handshake_rc = OK;
+
sc = mySrvConfig(server);
#ifdef HAVE_TLSEXT
}
}
+ if (proxy_ssl_check_peer_ok == TRUE) {
+ /* another chance to fail */
+ post_handshake_rc = ssl_run_proxy_post_handshake(c, filter_ctx->pssl);
+ }
+
if (cert) {
X509_free(cert);
}
- if (proxy_ssl_check_peer_ok != TRUE) {
+ if (proxy_ssl_check_peer_ok != TRUE
+ || (post_handshake_rc != OK && post_handshake_rc != DECLINED)) {
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
apr_table_setn(c->notes, "SSL_connect_rv", "err");
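Review bot: A failing proxy_post_handshake hook is folded into the same shutdown path as a peer-check failure, so whatever that path logs or reports will attribute the refusal to certificate checking rather than to the hook, and the hook's return value is discarded; logging it where `post_handshake_rc` is tested, e.g. `ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "proxy_post_handshake hook failed: %d", post_handshake_rc);` with the usual APLOGNO tag, keeps the two failure causes distinguishable. Running the hook only when `proxy_ssl_check_peer_ok == TRUE` is the right ordering, since a hook should not see a peer that already failed verification. The enclosing function continues outside the hunk.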