Merge r1587607, r1588868 from trunk:

mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling.  See
mod_ssl_openssl.h.

This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.


Initialize post_handshake_rc for case where a failure has
already occurred (doesn't change execution but avoids warning
with some levels of gcc).

Pointed out by: kbrand

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735886 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -1,5 +1,9 @@
                                                          -*- coding: utf-8 -*-
 
+  *) mod_ssl: Add hooks to allow other modules to perform processing at
+     several stages of initialization and connection handling.  See
+     mod_ssl_openssl.h.  [Jeff Trawick]
+
   *) mod_http2: disabling PUSH when client sends GOAWAY.
 
   *) mod_rewrite: Don't implicitly URL-escape the original query string

CMakeLists.txt

@@ -445,6 +445,7 @@ SET(mod_session_crypto_requires      APU_HAVE_CRYPTO)
 SET(mod_session_crypto_extra_libs    mod_session)
 SET(mod_session_dbd_extra_libs       mod_session)
 SET(mod_socache_dc_requires          AN_UNIMPLEMENTED_SUPPORT_LIBRARY_REQUIREMENT)
+SET(mod_ssl_extra_defines            SSL_DECLARE_EXPORT)
 SET(mod_ssl_requires                 OPENSSL_FOUND)
 IF(OPENSSL_FOUND)
   SET(mod_ssl_extra_includes           ${OPENSSL_INCLUDE_DIR})
@@ -639,6 +640,7 @@ SET(other_installed_h
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/proxy/mod_proxy.h
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/session/mod_session.h
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl/mod_ssl.h
+  ${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl/mod_ssl_openssl.h
 )
 # When mod_serf is buildable, don't forget to copy modules/proxy/mod_serf.h
 

Makefile.in

@@ -234,6 +234,7 @@ INSTALL_HEADERS = \
 	$(srcdir)/modules/proxy/mod_proxy.h \
         $(srcdir)/modules/session/mod_session.h \
 	$(srcdir)/modules/ssl/mod_ssl.h \
+	$(srcdir)/modules/ssl/mod_ssl_openssl.h \
 	$(srcdir)/os/$(OS_DIR)/*.h
 
 install-include:

Makefile.win

@@ -1132,6 +1132,7 @@ BEGIN {
 		modules\mappers\mod_rewrite.h \
 		modules\proxy\mod_proxy.h \
 		modules\ssl\mod_ssl.h \
+		modules\ssl\mod_ssl_openssl.h \
           ) do \
 	    @copy %f "$(INSTDIR)\include" < .y > nul
 	copy srclib\apr\Lib$(SHORT)\apr-1.lib		"$(INSTDIR)\lib" <.y

NWGNUmakefile

@@ -446,6 +446,7 @@ installdev :: FORCE
 	$(call COPY,$(STDMOD)/proxy/mod_proxy.h,                       $(INSTALLBASE)/include/)
 	$(call COPY,$(STDMOD)/session/mod_session.h,                   $(INSTALLBASE)/include/)
 	$(call COPY,$(STDMOD)/ssl/mod_ssl.h,                           $(INSTALLBASE)/include/)
+	$(call COPY,$(STDMOD)/ssl/mod_ssl_openssl.h,                   $(INSTALLBASE)/include/)
 	$(call COPY,$(APR)/*.imp,                                      $(INSTALLBASE)/lib/)
 	$(call COPY,$(NWOS)/*.imp,                                     $(INSTALLBASE)/lib/)
 	$(call COPY,$(NWOS)/*.xdc,                                     $(INSTALLBASE)/lib/)

STATUS

@@ -112,13 +112,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   *) mod_ssl: Add hooks to allow mod_ssl_ct to work on 2.4.x branch
-     Note: mod_ssl_ct in trunk also uses a proxy hook (proxy_detach_backend),
-           but that is only to set some envvars for logging, not for
-           functionality.  I think a better solution is required in that case.
-     trunk revisions: r1587607, r1588868
-     2.4.x patch: https://emptyhammock.com/media/downloads/mod_ssl_openssl-to-2.4.x.txt
-     +1: trawick, ylavic, jim
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:

include/ap_mmn.h

@@ -467,14 +467,15 @@
  *                          ap_prep_lingering_close().
  * 20120211.56 (2.4.19-dev) Split useragent_host from the conn_rec into
  *                          the request_rec, with ap_get_useragent_host()
+ * 20120211.57 (2.4.19-dev) Add mod_ssl_openssl.h and OpenSSL-specific hooks
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20120211
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 56                   /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 57                   /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

modules/ssl/mod_ssl.c

@@ -26,12 +26,17 @@
 
 #include "ssl_private.h"
 #include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 #include "util_md5.h"
 #include "util_mutex.h"
 #include "ap_provider.h"
 
 #include <assert.h>
 
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
+                                    (conn_rec *c,SSL *ssl,int is_proxy),
+                                    (c,ssl,is_proxy), OK, DECLINED);
+
 /*
  *  the table of configuration directives we provide
  */
@@ -447,6 +452,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
     SSL *ssl;
     SSLConnRec *sslconn = myConnConfig(c);
     char *vhost_md5;
+    int rc;
     modssl_ctx_t *mctx;
     server_rec *server;
 
@@ -479,6 +485,11 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
         return DECLINED; /* XXX */
     }
 
+    rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+    if (rc != OK && rc != DECLINED) {
+        return rc;
+    }
+
     vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
                               sc->vhost_id_len);
 

modules/ssl/mod_ssl.h

@@ -29,6 +29,27 @@
 #include "httpd.h"
 #include "apr_optional.h"
 
+/* Create a set of SSL_DECLARE(type), SSL_DECLARE_NONSTD(type) and
+ * SSL_DECLARE_DATA with appropriate export and import tags for the platform
+ */
+#if !defined(WIN32)
+#define SSL_DECLARE(type)            type
+#define SSL_DECLARE_NONSTD(type)     type
+#define SSL_DECLARE_DATA
+#elif defined(SSL_DECLARE_STATIC)
+#define SSL_DECLARE(type)            type __stdcall
+#define SSL_DECLARE_NONSTD(type)     type
+#define SSL_DECLARE_DATA
+#elif defined(SSL_DECLARE_EXPORT)
+#define SSL_DECLARE(type)            __declspec(dllexport) type __stdcall
+#define SSL_DECLARE_NONSTD(type)     __declspec(dllexport) type
+#define SSL_DECLARE_DATA             __declspec(dllexport)
+#else
+#define SSL_DECLARE(type)            __declspec(dllimport) type __stdcall
+#define SSL_DECLARE_NONSTD(type)     __declspec(dllimport) type
+#define SSL_DECLARE_DATA             __declspec(dllimport)
+#endif
+
 /** The ssl_var_lookup() optional function retrieves SSL environment
  * variables. */
 APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,

modules/ssl/ssl_engine_init.c

@@ -27,8 +27,14 @@
                                   see Recursive.''
                                         -- Unknown   */
 #include "ssl_private.h"
+#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 #include "mpm_common.h"
 
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
+                                    (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
+                                    (s,p,is_proxy,ctx), OK, DECLINED)
+
 /*  _________________________________________________________________
 **
 **  Module Initialization
@@ -321,6 +327,21 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
         return rv;
     }
 
+    for (s = base_server; s; s = s->next) {
+        sc = mySrvConfig(s);
+
+        if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
+            if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+                return rv;
+            }
+        }
+        else if (sc->proxy_enabled == SSL_ENABLED_TRUE) {
+            if ((rv = ssl_run_init_server(s, p, 1, sc->proxy->ssl_ctx)) != APR_SUCCESS) {
+                return rv;
+            }
+        }
+    }
+
     /*
      *  Announce mod_ssl and SSL library in HTTP Server field
      *  as ``mod_ssl/X.X.X OpenSSL/X.X.X''

modules/ssl/ssl_engine_io.c

@@ -29,8 +29,13 @@
                                             -- Unknown    */
 #include "ssl_private.h"
 #include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 #include "apr_date.h"
 
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, proxy_post_handshake,
+                                    (conn_rec *c,SSL *ssl),
+                                    (c,ssl),OK,DECLINED);
+
 /*  _________________________________________________________________
 **
 **  I/O Hooks
@@ -1091,6 +1096,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
         const char *hostname_note = apr_table_get(c->notes,
                                                   "proxy-request-hostname");
         BOOL proxy_ssl_check_peer_ok = TRUE;
+        int post_handshake_rc = OK;
+
         sc = mySrvConfig(server);
 
 #ifdef HAVE_TLSEXT
@@ -1182,11 +1189,17 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
             }
         }
 
+        if (proxy_ssl_check_peer_ok == TRUE) {
+            /* another chance to fail */
+            post_handshake_rc = ssl_run_proxy_post_handshake(c, filter_ctx->pssl);
+        }
+
         if (cert) {
             X509_free(cert);
         }
 
-        if (proxy_ssl_check_peer_ok != TRUE) {
+        if (proxy_ssl_check_peer_ok != TRUE
+            || (post_handshake_rc != OK && post_handshake_rc != DECLINED)) {
             /* ensure that the SSL structures etc are freed, etc: */
             ssl_filter_io_shutdown(filter_ctx, c, 1);
             apr_table_setn(c->notes, "SSL_connect_rv", "err");