diff --git a/CHANGES b/CHANGES
index b2364409f4..6bbc8ba262 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@ -*- coding: utf-8 -*-
+ *) mod_ssl: Add hooks to allow other modules to perform processing at
+ several stages of initialization and connection handling. See
+ mod_ssl_openssl.h. [Jeff Trawick]
+
 *) mod_http2: disabling PUSH when client sends GOAWAY.
 *) mod_rewrite: Don't implicitly URL-escape the original query string
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8b67d7a0e7..2ea01808d9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -445,6 +445,7 @@ SET(mod_session_crypto_requires APU_HAVE_CRYPTO)
 SET(mod_session_crypto_extra_libs mod_session)
 SET(mod_session_dbd_extra_libs mod_session)
 SET(mod_socache_dc_requires AN_UNIMPLEMENTED_SUPPORT_LIBRARY_REQUIREMENT)
+SET(mod_ssl_extra_defines SSL_DECLARE_EXPORT)
 SET(mod_ssl_requires OPENSSL_FOUND)
 IF(OPENSSL_FOUND)
 SET(mod_ssl_extra_includes ${OPENSSL_INCLUDE_DIR})
@@ -639,6 +640,7 @@ SET(other_installed_h
 ${CMAKE_CURRENT_SOURCE_DIR}/modules/proxy/mod_proxy.h
 ${CMAKE_CURRENT_SOURCE_DIR}/modules/session/mod_session.h
 ${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl/mod_ssl.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl/mod_ssl_openssl.h
 )
 # When mod_serf is buildable, don't forget to copy modules/proxy/mod_serf.h
diff --git a/Makefile.in b/Makefile.in
index c1b08f9b55..6d952b24a1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -234,6 +234,7 @@ INSTALL_HEADERS = \
 $(srcdir)/modules/proxy/mod_proxy.h \
 $(srcdir)/modules/session/mod_session.h \
 $(srcdir)/modules/ssl/mod_ssl.h \
+ $(srcdir)/modules/ssl/mod_ssl_openssl.h \
 $(srcdir)/os/$(OS_DIR)/*.h
 install-include:
diff --git a/Makefile.win b/Makefile.win
index 570037fa84..041efa5ba0 100644
--- a/Makefile.win
+++ b/Makefile.win
@@ -1132,6 +1132,7 @@ BEGIN {
 modules\mappers\mod_rewrite.h \
 modules\proxy\mod_proxy.h \
 modules\ssl\mod_ssl.h \
+ modules\ssl\mod_ssl_openssl.h \
 ) do \
 @copy %f "$(INSTDIR)\include" < .y > nul
 copy srclib\apr\Lib$(SHORT)\apr-1.lib "$(INSTDIR)\lib" <.y
diff --git a/NWGNUmakefile b/NWGNUmakefile
index e382203d4c..904430d2c4 100644
--- a/NWGNUmakefile
+++ b/NWGNUmakefile
@@ -446,6 +446,7 @@ installdev :: FORCE
 $(call COPY,$(STDMOD)/proxy/mod_proxy.h, $(INSTALLBASE)/include/)
 $(call COPY,$(STDMOD)/session/mod_session.h, $(INSTALLBASE)/include/)
 $(call COPY,$(STDMOD)/ssl/mod_ssl.h, $(INSTALLBASE)/include/)
+ $(call COPY,$(STDMOD)/ssl/mod_ssl_openssl.h, $(INSTALLBASE)/include/)
 $(call COPY,$(APR)/*.imp, $(INSTALLBASE)/lib/)
 $(call COPY,$(NWOS)/*.imp, $(INSTALLBASE)/lib/)
 $(call COPY,$(NWOS)/*.xdc, $(INSTALLBASE)/lib/)
diff --git a/STATUS b/STATUS
index 25e59e81cc..fa36c330bb 100644
--- a/STATUS
+++ b/STATUS
@@ -112,13 +112,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Add hooks to allow mod_ssl_ct to work on 2.4.x branch
- Note: mod_ssl_ct in trunk also uses a proxy hook (proxy_detach_backend),
- but that is only to set some envvars for logging, not for
- functionality. I think a better solution is required in that case.
- trunk revisions: r1587607, r1588868
- 2.4.x patch: https://emptyhammock.com/media/downloads/mod_ssl_openssl-to-2.4.x.txt
- +1: trawick, ylavic, jim
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index c017f2700c..8a28919a77 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -467,6 +467,7 @@
 * ap_prep_lingering_close().
 * 20120211.56 (2.4.19-dev) Split useragent_host from the conn_rec into
 * the request_rec, with ap_get_useragent_host()
+ * 20120211.57 (2.4.19-dev) Add mod_ssl_openssl.h and OpenSSL-specific hooks
 */
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@@ -474,7 +475,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20120211
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 56 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 57 /* 0...n */
 /**
 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 835bf55251..219e33376f 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -26,12 +26,17 @@
 #include "ssl_private.h"
 #include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 #include "util_md5.h"
 #include "util_mutex.h"
 #include "ap_provider.h"
 #include
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
+ (conn_rec *c,SSL *ssl,int is_proxy),
+ (c,ssl,is_proxy), OK, DECLINED);
+
 /*
 * the table of configuration directives we provide
 */
@@ -447,6 +452,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
 SSL *ssl;
 SSLConnRec *sslconn = myConnConfig(c);
 char *vhost_md5;
+ int rc;
 modssl_ctx_t *mctx;
 server_rec *server;
@@ -479,6 +485,11 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
 return DECLINED; /* XXX */
 }
+ rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+ if (rc != OK && rc != DECLINED) {
+ return rc;
+ }
+
 vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, sc->vhost_id_len);
diff --git a/modules/ssl/mod_ssl.dsp b/modules/ssl/mod_ssl.dsp
index 58b55456ab..72af2936ce 100644
--- a/modules/ssl/mod_ssl.dsp
+++ b/modules/ssl/mod_ssl.dsp
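Review bot: The new `APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake, ...)` invocation in mod_ssl.c ends with a trailing `;`, while the init_server instance added to ssl_engine_init.c in the same commit does not; the macro expands to function definitions, so that semicolon is an extra file-scope `;` that pedantic builds warn about, and the instances should at least agree. The proxy_post_handshake instance added to ssl_engine_io.c carries the same trailing `;`. Suggested last line of the invocation: `(c,ssl,is_proxy), OK, DECLINED)`.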
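Review bot: The new early `return rc;` after `ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0)` in ssl_init_ssl_connection returns without releasing `ssl`: the block it follows ends in `return DECLINED; /* XXX */` and looks like the SSL-creation failure path, so at this point `ssl` appears to exist and, as far as the hunk shows, has not yet been stored anywhere that would free it when the connection ends. If that reading holds, every connection a hook vetoes leaks one SSL object; the veto path should release it the way the function's other failure paths (outside the hunk) do, e.g. `SSL_free(ssl); return rc;`. A one-line comment at the call should also say that any hook result other than OK/DECLINED aborts the connection before the handshake starts. The enclosing function begins before the hunk and continues after it.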
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MD /W3 /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /FD /c
-# ADD CPP /nologo /MD /W3 /O2 /Oy- /Zi /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /Fd"Release\mod_ssl_src" /FD /c
+# ADD CPP /nologo /MD /W3 /O2 /Oy- /Zi /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /D "SSL_DECLARE_EXPORT" /Fd"Release\mod_ssl_src" /FD /c
 # ADD BASE MTL /nologo /D "NDEBUG" /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
@@ -75,7 +75,7 @@ PostBuild_Cmds=if exist $(TargetPath).manifest mt.exe -manifest $(TargetPath).ma
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MDd /W3 /EHsc /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /FD /c
-# ADD CPP /nologo /MDd /W3 /EHsc /Zi /Od /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /Fd"Debug\mod_ssl_src" /FD /c
+# ADD CPP /nologo /MDd /W3 /EHsc /Zi /Od /I "../../include" /I "../generators" /I "../../srclib/apr/include" /I "../../srclib/apr-util/include" /I "../../srclib/openssl/inc32" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "WIN32_LEAN_AND_MEAN" /D "NO_IDEA" /D "NO_RC5" /D "NO_MDC2" /D "OPENSSL_NO_IDEA" /D "OPENSSL_NO_RC5" /D "OPENSSL_NO_MDC2" /D "HAVE_OPENSSL" /D "HAVE_SSL_SET_STATE" /D "HAVE_OPENSSL_ENGINE_H" /D "HAVE_ENGINE_INIT" /D "HAVE_ENGINE_LOAD_BUILTIN_ENGINES" /D "SSL_DECLARE_EXPORT" /Fd"Debug\mod_ssl_src" /FD /c
 # ADD BASE MTL /nologo /D "_DEBUG" /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 48984e2401..db8ffafd2e 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -29,6 +29,27 @@
 #include "httpd.h"
 #include "apr_optional.h"
+/* Create a set of SSL_DECLARE(type), SSL_DECLARE_NONSTD(type) and
+ * SSL_DECLARE_DATA with appropriate export and import tags for the platform
+ */
+#if !defined(WIN32)
+#define SSL_DECLARE(type) type
+#define SSL_DECLARE_NONSTD(type) type
+#define SSL_DECLARE_DATA
+#elif defined(SSL_DECLARE_STATIC)
+#define SSL_DECLARE(type) type __stdcall
+#define SSL_DECLARE_NONSTD(type) type
+#define SSL_DECLARE_DATA
+#elif defined(SSL_DECLARE_EXPORT)
+#define SSL_DECLARE(type) __declspec(dllexport) type __stdcall
+#define SSL_DECLARE_NONSTD(type) __declspec(dllexport) type
+#define SSL_DECLARE_DATA __declspec(dllexport)
+#else
+#define SSL_DECLARE(type) __declspec(dllimport) type __stdcall
+#define SSL_DECLARE_NONSTD(type) __declspec(dllimport) type
+#define SSL_DECLARE_DATA __declspec(dllimport)
+#endif
+
 /** The ssl_var_lookup() optional function retrieves SSL environment
 * variables. */
 APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 3704bd7230..797fbd12e0 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -27,8 +27,14 @@
 see Recursive.''
 -- Unknown */
 #include "ssl_private.h"
+#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 #include "mpm_common.h"
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
+ (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
+ (s,p,is_proxy,ctx), OK, DECLINED)
+
 /* _________________________________________________________________
 **
 ** Module Initialization
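Review bot: The comment above the new SSL_DECLARE family in mod_ssl.h explains the platform tags but not who is expected to define `SSL_DECLARE_EXPORT` or `SSL_DECLARE_STATIC`, nor that these macros are what the `SSL` link prefix of the `APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, ...)` invocations elsewhere in this commit resolves to; a reader building a module against mod_ssl_openssl.h has to reverse-engineer that from CMakeLists.txt and mod_ssl.dsp, which add `SSL_DECLARE_EXPORT` for mod_ssl's own build. Suggest extending the comment with a sentence such as `mod_ssl itself is built with SSL_DECLARE_EXPORT defined (see the build files); consumers of the hooks leave it undefined and get the dllimport form on Windows.`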
@@ -321,6 +327,21 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 return rv;
 }
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
+ if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
+ if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+ }
+ else if (sc->proxy_enabled == SSL_ENABLED_TRUE) {
+ if ((rv = ssl_run_init_server(s, p, 1, sc->proxy->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+ }
+ }
+
 /*
 * Announce mod_ssl and SSL library in HTTP Server field
 * as ``mod_ssl/X.X.X OpenSSL/X.X.X''
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 19961697ef..77c484828a 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -29,8 +29,13 @@
 -- Unknown */
 #include "ssl_private.h"
 #include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 #include "apr_date.h"
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, proxy_post_handshake,
+ (conn_rec *c,SSL *ssl),
+ (c,ssl),OK,DECLINED);
+
 /* _________________________________________________________________
 **
 ** I/O Hooks
@@ -1091,6 +1096,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
 BOOL proxy_ssl_check_peer_ok = TRUE;
+ int post_handshake_rc = OK;
+
 sc = mySrvConfig(server);
 #ifdef HAVE_TLSEXT
@@ -1182,11 +1189,17 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 }
 }
+ if (proxy_ssl_check_peer_ok == TRUE) {
+ /* another chance to fail */
+ post_handshake_rc = ssl_run_proxy_post_handshake(c, filter_ctx->pssl);
+ }
+
 if (cert) {
 X509_free(cert);
 }
- if (proxy_ssl_check_peer_ok != TRUE) {
+ if (proxy_ssl_check_peer_ok != TRUE
+ || (post_handshake_rc != OK && post_handshake_rc != DECLINED)) {
 /* ensure that the SSL structures etc are freed, etc: */
 ssl_filter_io_shutdown(filter_ctx, c, 1);
 apr_table_setn(c->notes, "SSL_connect_rv", "err");
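Review bot: In the new loop in ssl_init_Module, the `else if (sc->proxy_enabled == SSL_ENABLED_TRUE)` branch is unreachable for any server whose `sc->enabled` is also TRUE or OPTIONAL, so a virtual host that both serves TLS and proxies over TLS never runs init_server for `sc->proxy->ssl_ctx`, and a module that relies on the hook to configure that context (the removed STATUS entry names mod_ssl_ct as the consumer) silently misses it. Unless that is deliberate, the two checks should be independent: change the branch to `if (sc->proxy_enabled == SSL_ENABLED_TRUE) {`. Separately, the hook is declared with `OK`/`DECLINED` as its status values but its result is stored in `rv` (presumably the function's apr_status_t) and tested against `APR_SUCCESS`; that only works because `OK` and `APR_SUCCESS` are both 0, and testing an `int` against `OK` would make the contract explicit. ssl_init_Module starts before the hunk and continues after it.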
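Review bot: The comment `/* another chance to fail */` on the new ssl_run_proxy_post_handshake call in ssl_io_filter_handshake says nothing about what the hook is for or what a non-OK/DECLINED result does to the connection; suggest `/* let proxy_post_handshake hooks inspect the completed backend handshake; any result other than OK/DECLINED tears the connection down below, like a failed peer check */`. The widened failure branch also reports a hook rejection exactly like a peer-verification failure (`SSL_connect_rv` set to "err"), and as far as the hunk shows nothing logs `post_handshake_rc`, so an operator cannot tell which of the two closed the backend connection; a log line carrying the hook's return value in that branch would help. ssl_io_filter_handshake starts and ends outside the hunk.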