mod_ssl_openssl.h 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113
  1. /* Licensed to the Apache Software Foundation (ASF) under one or more
  2. * contributor license agreements. See the NOTICE file distributed with
  3. * this work for additional information regarding copyright ownership.
  4. * The ASF licenses this file to You under the Apache License, Version 2.0
  5. * (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. *
  8. * http://www.apache.org/licenses/LICENSE-2.0
  9. *
  10. * Unless required by applicable law or agreed to in writing, software
  11. * distributed under the License is distributed on an "AS IS" BASIS,
  12. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. * See the License for the specific language governing permissions and
  14. * limitations under the License.
  15. */
  16. /**
  17. * @file mod_ssl_openssl.h
  18. * @brief Interface to OpenSSL-specific APIs provided by mod_ssl
  19. *
  20. * @defgroup MOD_SSL mod_ssl_openssl
  21. * @ingroup APACHE_MODS
  22. * @{
  23. */
  24. #ifndef __MOD_SSL_OPENSSL_H__
  25. #define __MOD_SSL_OPENSSL_H__
  26. #include "mod_ssl.h"
  27. /* OpenSSL headers */
  28. #ifndef SSL_PRIVATE_H
  29. #include <openssl/opensslv.h>
  30. #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
  31. /* must be defined before including ssl.h */
  32. #define OPENSSL_NO_SSL_INTERN
  33. #endif
  34. #include <openssl/ssl.h>
  35. #endif
  36. /**
  37. * init_server hook -- allow SSL_CTX-specific initialization to be performed by
  38. * a module for each SSL-enabled server (one at a time)
  39. * @param s SSL-enabled [virtual] server
  40. * @param p pconf pool
  41. * @param is_proxy 1 if this server supports backend connections
  42. * over SSL/TLS, 0 if it supports client connections over SSL/TLS
  43. * @param ctx OpenSSL SSL Context for the server
  44. */
  45. APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server,
  46. (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx))
  47. /**
  48. * pre_handshake hook
  49. * @param c conn_rec for new connection from client or to backend server
  50. * @param ssl OpenSSL SSL Connection for the client or backend server
  51. * @param is_proxy 1 if this handshake is for a backend connection, 0 otherwise
  52. */
  53. APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
  54. (conn_rec *c, SSL *ssl, int is_proxy))
  55. /**
  56. * proxy_post_handshake hook -- allow module to abort after successful
  57. * handshake with backend server and subsequent peer checks
  58. * @param c conn_rec for connection to backend server
  59. * @param ssl OpenSSL SSL Connection for the client or backend server
  60. */
  61. APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
  62. (conn_rec *c, SSL *ssl))
  63. /** On TLS connections that do not relate to a configured virtual host,
  64. * allow other modules to provide a X509 certificate and EVP_PKEY to
  65. * be used on the connection. This first hook which does not
  66. * return DECLINED will determine the outcome. */
  67. APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
  68. (conn_rec *c, const char *server_name,
  69. X509 **pcert, EVP_PKEY **pkey))
  70. /** During post_config phase, ask around if someone wants to provide
  71. * OCSP stapling status information for the given cert (with the also
  72. * provided issuer certificate). The first hook which does not
  73. * return DECLINED promises to take responsibility (and respond
  74. * in later calls via hook ssl_get_stapling_status).
  75. * If no hook takes over, mod_ssl's own stapling implementation will
  76. * be applied (if configured).
  77. */
  78. APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
  79. (server_rec *s, apr_pool_t *p,
  80. X509 *cert, X509 *issuer))
  81. /** Anyone answering positive to ssl_init_stapling_status for a
  82. * certificate, needs to register here and supply the actual OCSP stapling
  83. * status data (OCSP_RESP) for a new connection.
  84. * A hook supplying the response data must return APR_SUCCESS.
  85. * The data is returned in DER encoded bytes via pder and pderlen. The
  86. * returned pointer may be NULL, which indicates that data is (currently)
  87. * unavailable.
  88. * If DER data is returned, it MUST come from a response with
  89. * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
  90. * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
  91. * errors in OCSP retrieval are to be handled/logged by the hook and
  92. * are not done by mod_ssl.
  93. * Any DER bytes returned MUST be allocated via malloc() and ownership
  94. * passes to mod_ssl. Meaning, the hook must return a malloced copy of
  95. * the data it has. mod_ssl (or OpenSSL) will free it.
  96. */
  97. APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
  98. (unsigned char **pder, int *pderlen,
  99. conn_rec *c, server_rec *s, X509 *cert))
  100. #endif /* __MOD_SSL_OPENSSL_H__ */
  101. /** @} */