static SSLConnRec *ssl_get_effective_config(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
if (!(sslconn && sslconn->ssl) && c->master) {
/* use master connection if no SSL defined here */
sslconn = myConnConfig(c->master);
}
return sslconn;
}
static int modssl_register_alpn(conn_rec *c,
ssl_alpn_propose_protos advertisefn,
ssl_alpn_proto_negotiated negotiatedfn)
{
#if defined(HAVE_ALPN_NPN) || defined(HAVE_TLS_NPN)
SSLConnRec *sslconn = myConnConfig(c);
if (!sslconn) {
return DECLINED;
}
if (!sslconn->alpn_proposefns) {
sslconn->alpn_proposefns =
apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));
sslconn->alpn_negofns =
apr_array_make(c->pool, 5, sizeof(ssl_alpn_proto_negotiated));
}
if (advertisefn)
APR_ARRAY_PUSH(sslconn->alpn_proposefns, ssl_alpn_propose_protos) =
advertisefn;
if (negotiatedfn)
APR_ARRAY_PUSH(sslconn->alpn_negofns, ssl_alpn_proto_negotiated) =
negotiatedfn;
return OK;
#else
return DECLINED;
#endif
}
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
return sslconn;
}
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
sslconn->server = c->base_server;
myConnConfigSet(c, sslconn);
return sslconn;
}
static int ssl_hook_process_connection(conn_rec* c)
{
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn && !sslconn->disabled) {
/* On an active SSL connection, let the input filters initialize
* themselves which triggers the handshake, which again triggers
* all kinds of useful things such as SNI and ALPN.
*/
apr_bucket_brigade* temp;
temp = apr_brigade_create(c->pool, c->bucket_alloc);
ap_get_brigade(c->input_filters, temp,
AP_MODE_INIT, APR_BLOCK_READ, 0);
apr_brigade_destroy(temp);
}
return DECLINED;
}
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
SSLSrvConfigRec *sc;
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
sc = mySrvConfig(sslconn->server);
}
else {
sc = mySrvConfig(c->base_server);
}
/*
* Immediately stop processing if SSL is disabled for this connection
*/
if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
(sslconn && sslconn->is_proxy))))
{
return DECLINED;
}
/*
* Create SSL context
*/
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
if (sslconn->disabled) {
return DECLINED;
}
/*
* Remember the connection information for
* later access inside callback functions
*/
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
"Connection to child %ld established "
"(server %s)", c->id, sc->vhost_id);
return ssl_init_ssl_connection(c, NULL);
}
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
SSLConnRec *sslconn = myConnConfig(c);
SSLSrvConfigRec *sc;
if (sslconn) {
return sslconn;
}
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
sslconn->server = c->base_server;
sslconn->verify_depth = UNSET;
sc = mySrvConfig(c->base_server);
sslconn->cipher_suite = sc->server->auth.cipher_suite;
myConnConfigSet(c, sslconn);
return sslconn;
}
int ssl_engine_disable(conn_rec *c)
{
SSLSrvConfigRec *sc;
SSLConnRec *sslconn = myConnConfig(c);
if (sslconn) {
sc = mySrvConfig(sslconn->server);
}
else {
sc = mySrvConfig(c->base_server);
}
if (sc->enabled == SSL_ENABLED_FALSE) {
return 0;
}
sslconn = ssl_init_connection_ctx(c);
sslconn->disabled = 1;
return 1;
}
int ssl_init_ssl_connection(conn_rec *c)
{
SSLSrvConfigRec *sc;
SSL *ssl;
SSLConnRec *sslconn = myConnConfig(c);
char *vhost_md5;
modssl_ctx_t *mctx;
server_rec *server;
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
server = sslconn->server;
sc = mySrvConfig(server);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to create a new SSL connection from the SSL "
"context");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
sc->vhost_id_len);
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
APR_MD5_DIGESTSIZE*2))
{
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to set session id context to `%s'", vhost_md5);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
SSL_set_app_data2(ssl, NULL); /* will be request_rec */
sslconn->ssl = ssl;
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
SSL_set_verify_result(ssl, X509_V_OK);
ssl_io_filter_init(c, ssl);
return APR_SUCCESS;
}