/* _ _ ** _ __ ___ ___ __| | ___ ___| | mod_ssl ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org ** |_____| ** ssl_engine_config.c ** Apache Configuration Directives */ /* ==================================================================== * Copyright (c) 1998-2004 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following * disclaimer in the documentation and/or other materials * provided with the distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by * Ralf S. Engelschall for use in the * mod_ssl project (http://www.modssl.org/)." * * 4. The names "mod_ssl" must not be used to endorse or promote * products derived from this software without prior written * permission. For written permission, please contact * rse@engelschall.com. * * 5. Products derived from this software may not be called "mod_ssl" * nor may "mod_ssl" appear in their names without prior * written permission of Ralf S. Engelschall. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by * Ralf S. Engelschall for use in the * mod_ssl project (http://www.modssl.org/)." * * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ /* ``Damned if you do, damned if you don't.'' -- Unknown */ #include "mod_ssl.h" /* _________________________________________________________________ ** ** Support for Global Configuration ** _________________________________________________________________ */ void ssl_hook_AddModule(module *m) { if (m == &ssl_module) { /* * Announce us for the configuration files */ ap_add_config_define("MOD_SSL"); /* * Link ourself into the Apache kernel */ ssl_var_register(); ssl_ext_register(); ssl_io_register(); #if defined(SSL_VENDOR) && defined(SSL_VENDOR_OBJS) ssl_vendor_register(); #endif } return; } void ssl_hook_RemoveModule(module *m) { if (m == &ssl_module) { /* * Unlink ourself from the Apache kernel */ ssl_var_unregister(); ssl_ext_unregister(); ssl_io_unregister(); #if defined(SSL_VENDOR) && defined(SSL_VENDOR_OBJS) ssl_vendor_unregister(); #endif } return; } void ssl_config_global_create(void) { pool *pPool; SSLModConfigRec *mc; mc = ap_ctx_get(ap_global_ctx, "ssl_module"); if (mc == NULL) { /* * allocate an own subpool which survives server restarts */ pPool = ap_make_sub_pool(NULL); mc = (SSLModConfigRec *)ap_palloc(pPool, sizeof(SSLModConfigRec)); mc->pPool = pPool; mc->bFixed = FALSE; /* * initialize per-module configuration */ mc->nInitCount = 0; mc->nSessionCacheMode = SSL_SCMODE_UNSET; mc->szSessionCacheDataFile = NULL; mc->nSessionCacheDataSize = 0; mc->pSessionCacheDataMM = NULL; mc->tSessionCacheDataTable = NULL; mc->nMutexMode = SSL_MUTEXMODE_UNSET; mc->szMutexFile = NULL; mc->nMutexFD = -1; mc->nMutexSEMID = -1; mc->aRandSeed = ap_make_array(pPool, 4, sizeof(ssl_randseed_t)); mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); mc->tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); #ifdef SSL_EXPERIMENTAL_ENGINE mc->szCryptoDevice = NULL; #endif (void)memset(mc->pTmpKeys, 0, SSL_TKPIDX_MAX*sizeof(void *)); #ifdef SSL_VENDOR mc->ctx = ap_ctx_new(pPool); ap_hook_use("ap::mod_ssl::vendor::config_global_create", AP_HOOK_SIG2(void,ptr), AP_HOOK_MODE_ALL, mc); #endif /* * And push it into Apache's global context */ ap_ctx_set(ap_global_ctx, "ssl_module", mc); } return; } void ssl_config_global_fix(void) { SSLModConfigRec *mc = myModConfig(); mc->bFixed = TRUE; return; } BOOL ssl_config_global_isfixed(void) { SSLModConfigRec *mc = myModConfig(); return (mc->bFixed); } /* _________________________________________________________________ ** ** Configuration handling ** _________________________________________________________________ */ /* * Create per-server SSL configuration */ void *ssl_config_server_create(pool *p, server_rec *s) { SSLSrvConfigRec *sc; ssl_config_global_create(); sc = ap_palloc(p, sizeof(SSLSrvConfigRec)); sc->bEnabled = UNSET; sc->szCACertificatePath = NULL; sc->szCACertificateFile = NULL; sc->szCertificateChain = NULL; sc->szLogFile = NULL; sc->szCipherSuite = NULL; sc->nLogLevel = SSL_LOG_NONE; sc->nVerifyDepth = UNSET; sc->nVerifyClient = SSL_CVERIFY_UNSET; sc->nSessionCacheTimeout = UNSET; sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET; sc->szPassPhraseDialogPath = NULL; sc->nProtocol = SSL_PROTOCOL_ALL; sc->fileLogFile = NULL; sc->pSSLCtx = NULL; sc->szCARevocationPath = NULL; sc->szCARevocationFile = NULL; sc->pRevocationStore = NULL; #ifdef SSL_EXPERIMENTAL_PROXY sc->nProxyVerifyDepth = UNSET; sc->szProxyCACertificatePath = NULL; sc->szProxyCACertificateFile = NULL; sc->szProxyClientCertificateFile = NULL; sc->szProxyClientCertificatePath = NULL; sc->szProxyCipherSuite = NULL; sc->nProxyProtocol = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1; sc->bProxyVerify = UNSET; sc->pSSLProxyCtx = NULL; #endif (void)memset(sc->szPublicCertFile, 0, SSL_AIDX_MAX*sizeof(char *)); (void)memset(sc->szPrivateKeyFile, 0, SSL_AIDX_MAX*sizeof(char *)); (void)memset(sc->pPublicCert, 0, SSL_AIDX_MAX*sizeof(X509 *)); (void)memset(sc->pPrivateKey, 0, SSL_AIDX_MAX*sizeof(EVP_PKEY *)); #ifdef SSL_VENDOR sc->ctx = ap_ctx_new(p); ap_hook_use("ap::mod_ssl::vendor::config_server_create", AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_MODE_ALL, p, s, sc); #endif return sc; } /* * Merge per-server SSL configurations */ void *ssl_config_server_merge(pool *p, void *basev, void *addv) { SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev; SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv; SSLSrvConfigRec *new = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec)); int i; cfgMergeBool(bEnabled); cfgMergeString(szCACertificatePath); cfgMergeString(szCACertificateFile); cfgMergeString(szCertificateChain); cfgMergeString(szLogFile); cfgMergeString(szCipherSuite); cfgMerge(nLogLevel, SSL_LOG_NONE); cfgMergeInt(nVerifyDepth); cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); cfgMergeInt(nSessionCacheTimeout); cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET); cfgMergeString(szPassPhraseDialogPath); cfgMerge(nProtocol, SSL_PROTOCOL_ALL); cfgMerge(fileLogFile, NULL); cfgMerge(pSSLCtx, NULL); cfgMerge(szCARevocationPath, NULL); cfgMerge(szCARevocationFile, NULL); cfgMerge(pRevocationStore, NULL); for (i = 0; i < SSL_AIDX_MAX; i++) { cfgMergeString(szPublicCertFile[i]); cfgMergeString(szPrivateKeyFile[i]); cfgMerge(pPublicCert[i], NULL); cfgMerge(pPrivateKey[i], NULL); } #ifdef SSL_VENDOR cfgMergeCtx(ctx); ap_hook_use("ap::mod_ssl::vendor::config_server_merge", AP_HOOK_SIG5(void,ptr,ptr,ptr,ptr), AP_HOOK_MODE_ALL, p, base, add, new); #endif #ifdef SSL_EXPERIMENTAL_PROXY cfgMergeInt(nProxyVerifyDepth); cfgMergeString(szProxyCACertificatePath); cfgMergeString(szProxyCACertificateFile); cfgMergeString(szProxyClientCertificateFile); cfgMergeString(szProxyClientCertificatePath); cfgMergeString(szProxyCipherSuite); cfgMerge(nProxyProtocol, (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1)); cfgMergeBool(bProxyVerify); cfgMerge(pSSLProxyCtx, NULL); #endif return new; } /* * Create per-directory SSL configuration */ void *ssl_config_perdir_create(pool *p, char *dir) { SSLDirConfigRec *dc = ap_palloc(p, sizeof(SSLDirConfigRec)); dc->bSSLRequired = FALSE; dc->aRequirement = ap_make_array(p, 4, sizeof(ssl_require_t)); dc->nOptions = SSL_OPT_NONE|SSL_OPT_RELSET; dc->nOptionsAdd = SSL_OPT_NONE; dc->nOptionsDel = SSL_OPT_NONE; dc->szCipherSuite = NULL; dc->nVerifyClient = SSL_CVERIFY_UNSET; dc->nVerifyDepth = UNSET; #ifdef SSL_EXPERIMENTAL_PERDIRCA dc->szCACertificatePath = NULL; dc->szCACertificateFile = NULL; #endif #ifdef SSL_VENDOR dc->ctx = ap_ctx_new(p); ap_hook_use("ap::mod_ssl::vendor::config_perdir_create", AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_MODE_ALL, p, dir, dc); #endif return dc; } /* * Merge per-directory SSL configurations */ void *ssl_config_perdir_merge(pool *p, void *basev, void *addv) { SSLDirConfigRec *base = (SSLDirConfigRec *)basev; SSLDirConfigRec *add = (SSLDirConfigRec *)addv; SSLDirConfigRec *new = (SSLDirConfigRec *)ap_palloc(p, sizeof(SSLDirConfigRec)); cfgMerge(bSSLRequired, FALSE); cfgMergeArray(aRequirement); if (add->nOptions & SSL_OPT_RELSET) { new->nOptionsAdd = (base->nOptionsAdd & ~(add->nOptionsDel)) | add->nOptionsAdd; new->nOptionsDel = (base->nOptionsDel & ~(add->nOptionsAdd)) | add->nOptionsDel; new->nOptions = (base->nOptions & ~(new->nOptionsDel)) | new->nOptionsAdd; } else { new->nOptions = add->nOptions; new->nOptionsAdd = add->nOptionsAdd; new->nOptionsDel = add->nOptionsDel; } cfgMergeString(szCipherSuite); cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); cfgMergeInt(nVerifyDepth); #ifdef SSL_EXPERIMENTAL_PERDIRCA cfgMergeString(szCACertificatePath); cfgMergeString(szCACertificateFile); #endif #ifdef SSL_VENDOR cfgMergeCtx(ctx); ap_hook_use("ap::mod_ssl::vendor::config_perdir_merge", AP_HOOK_SIG5(void,ptr,ptr,ptr,ptr), AP_HOOK_MODE_ALL, p, base, add, new); #endif return new; } /* * Directive Rewriting */ char *ssl_hook_RewriteCommand(cmd_parms *cmd, void *config, const char *cmd_line) { #ifdef SSL_COMPAT return ssl_compat_directive(cmd->server, cmd->pool, cmd_line); #else return NULL; #endif } /* * Configuration functions for particular directives */ const char *ssl_cmd_SSLMutex( cmd_parms *cmd, char *struct_ptr, char *arg) { const char *err; SSLModConfigRec *mc = myModConfig(); if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; if (ssl_config_global_isfixed()) return NULL; if (strcEQ(arg, "none")) { mc->nMutexMode = SSL_MUTEXMODE_NONE; } else if (strlen(arg) > 5 && strcEQn(arg, "file:", 5)) { #ifndef WIN32 mc->nMutexMode = SSL_MUTEXMODE_FILE; mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu", ssl_util_server_root_relative(cmd->pool, "mutex", arg+5), (unsigned long)getpid()); #else return "SSLMutex: Lockfiles not available on this platform"; #endif } else if (strcEQ(arg, "sem")) { #ifdef SSL_CAN_USE_SEM mc->nMutexMode = SSL_MUTEXMODE_SEM; #else return "SSLMutex: Semaphores not available on this platform"; #endif } else return "SSLMutex: Invalid argument"; return NULL; } const char *ssl_cmd_SSLPassPhraseDialog( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; if (strcEQ(arg, "builtin")) { sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; sc->szPassPhraseDialogPath = NULL; } else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) { sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER; sc->szPassPhraseDialogPath = ssl_util_server_root_relative(cmd->pool, "dialog", arg+5); if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath)) return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '", sc->szPassPhraseDialogPath, "' not exists", NULL); } else return "SSLPassPhraseDialog: Invalid argument"; return NULL; } #ifdef SSL_EXPERIMENTAL_ENGINE const char *ssl_cmd_SSLCryptoDevice( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLModConfigRec *mc = myModConfig(); const char *err; ENGINE *e; #if SSL_LIBRARY_VERSION >= 0x00907000 static int loaded_engines = FALSE; /* early loading to make sure the engines are already available for ENGINE_by_id() above... */ if (!loaded_engines) { ENGINE_load_builtin_engines(); loaded_engines = TRUE; } #endif if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; if (strcEQ(arg, "builtin")) { mc->szCryptoDevice = NULL; } else if ((e = ENGINE_by_id(arg)) != NULL) { mc->szCryptoDevice = arg; ENGINE_free(e); } else return "SSLCryptoDevice: Invalid argument"; return NULL; } #endif const char *ssl_cmd_SSLRandomSeed( cmd_parms *cmd, char *struct_ptr, char *arg1, char *arg2, char *arg3) { SSLModConfigRec *mc = myModConfig(); const char *err; ssl_randseed_t *pRS; if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; if (ssl_config_global_isfixed()) return NULL; pRS = ap_push_array(mc->aRandSeed); if (strcEQ(arg1, "startup")) pRS->nCtx = SSL_RSCTX_STARTUP; else if (strcEQ(arg1, "connect")) pRS->nCtx = SSL_RSCTX_CONNECT; else return ap_pstrcat(cmd->pool, "SSLRandomSeed: " "invalid context: `", arg1, "'"); if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) { pRS->nSrc = SSL_RSSRC_FILE; pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+5)); } else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) { pRS->nSrc = SSL_RSSRC_EXEC; pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+5)); } #if SSL_LIBRARY_VERSION >= 0x00905100 else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) { pRS->nSrc = SSL_RSSRC_EGD; pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+4)); } #endif else if (strcEQ(arg2, "builtin")) { pRS->nSrc = SSL_RSSRC_BUILTIN; pRS->cpPath = NULL; } else { pRS->nSrc = SSL_RSSRC_FILE; pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2)); } if (pRS->nSrc != SSL_RSSRC_BUILTIN) if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath)) return ap_pstrcat(cmd->pool, "SSLRandomSeed: source path '", pRS->cpPath, "' not exists", NULL); if (arg3 == NULL) pRS->nBytes = 0; /* read whole file */ else { if (pRS->nSrc == SSL_RSSRC_BUILTIN) return "SSLRandomSeed: byte specification not " "allowed for builtin seed source"; pRS->nBytes = atoi(arg3); if (pRS->nBytes < 0) return "SSLRandomSeed: invalid number of bytes specified"; } return NULL; } const char *ssl_cmd_SSLEngine( cmd_parms *cmd, char *struct_ptr, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->bEnabled = (flag ? TRUE : FALSE); return NULL; } const char *ssl_cmd_SSLCipherSuite( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); if (cmd->path == NULL || dc == NULL) sc->szCipherSuite = arg; else dc->szCipherSuite = arg; return NULL; } const char *ssl_cmd_SSLCertificateFile( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; int i; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '", cpPath, "' not exists or empty", NULL); for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) ; if (i == SSL_AIDX_MAX) return ap_psprintf(cmd->pool, "SSLCertificateFile: only up to %d " "different certificates per virtual host allowed", SSL_AIDX_MAX); sc->szPublicCertFile[i] = cpPath; return NULL; } const char *ssl_cmd_SSLCertificateKeyFile( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; int i; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '", cpPath, "' not exists or empty", NULL); for (i = 0; i < SSL_AIDX_MAX && sc->szPrivateKeyFile[i] != NULL; i++) ; if (i == SSL_AIDX_MAX) return ap_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d " "different private keys per virtual host allowed", SSL_AIDX_MAX); sc->szPrivateKeyFile[i] = cpPath; return NULL; } const char *ssl_cmd_SSLCertificateChainFile( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '", cpPath, "' not exists or empty", NULL); sc->szCertificateChain = cpPath; return NULL; } const char *ssl_cmd_SSLCACertificatePath( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '", cpPath, "' not exists", NULL); #ifdef SSL_EXPERIMENTAL_PERDIRCA if (cmd->path == NULL || dc == NULL) sc->szCACertificatePath = cpPath; else dc->szCACertificatePath = cpPath; #else sc->szCACertificatePath = cpPath; #endif return NULL; } const char *ssl_cmd_SSLCACertificateFile( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '", cpPath, "' not exists or empty", NULL); #ifdef SSL_EXPERIMENTAL_PERDIRCA if (cmd->path == NULL || dc == NULL) sc->szCACertificateFile = cpPath; else dc->szCACertificateFile = cpPath; #else sc->szCACertificateFile = cpPath; #endif return NULL; } const char *ssl_cmd_SSLCARevocationPath( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '", cpPath, "' not exists", NULL); sc->szCARevocationPath = cpPath; return NULL; } const char *ssl_cmd_SSLCARevocationFile( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '", cpPath, "' not exists or empty", NULL); sc->szCARevocationFile = cpPath; return NULL; } const char *ssl_cmd_SSLVerifyClient( cmd_parms *cmd, SSLDirConfigRec *dc, char *level) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ssl_verify_t id; if (strEQ(level, "0") || strcEQ(level, "none")) id = SSL_CVERIFY_NONE; else if (strEQ(level, "1") || strcEQ(level, "optional")) id = SSL_CVERIFY_OPTIONAL; else if (strEQ(level, "2") || strcEQ(level, "require")) id = SSL_CVERIFY_REQUIRE; else if (strEQ(level, "3") || strcEQ(level, "optional_no_ca")) id = SSL_CVERIFY_OPTIONAL_NO_CA; else return "SSLVerifyClient: Invalid argument"; if (cmd->path == NULL || dc == NULL) sc->nVerifyClient = id; else dc->nVerifyClient = id; return NULL; } const char *ssl_cmd_SSLVerifyDepth( cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); int d; d = atoi(arg); if (d < 0) return "SSLVerifyDepth: Invalid argument"; if (cmd->path == NULL || dc == NULL) sc->nVerifyDepth = d; else dc->nVerifyDepth = d; return NULL; } const char *ssl_cmd_SSLSessionCache( cmd_parms *cmd, char *struct_ptr, char *arg) { const char *err; SSLModConfigRec *mc = myModConfig(); char *cp, *cp2; int maxsize; if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; if (ssl_config_global_isfixed()) return NULL; if (strcEQ(arg, "none")) { mc->nSessionCacheMode = SSL_SCMODE_NONE; mc->szSessionCacheDataFile = NULL; } else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) { mc->nSessionCacheMode = SSL_SCMODE_DBM; mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "scache", arg+4)); } else if ( (strlen(arg) > 4 && strcEQn(arg, "shm:", 4)) || (strlen(arg) > 6 && strcEQn(arg, "shmht:", 6))) { if (!ap_mm_useable()) return "SSLSessionCache: shared memory cache not useable on this platform"; mc->nSessionCacheMode = SSL_SCMODE_SHMHT; cp = strchr(arg, ':'); mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "scache", cp+1)); mc->tSessionCacheDataTable = NULL; mc->nSessionCacheDataSize = 1024*512; /* 512KB */ if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) { *cp++ = NUL; if ((cp2 = strchr(cp, ')')) == NULL) return "SSLSessionCache: Invalid argument: no closing parenthesis"; *cp2 = NUL; mc->nSessionCacheDataSize = atoi(cp); if (mc->nSessionCacheDataSize < 8192) return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes"; maxsize = ap_mm_core_maxsegsize(); if (mc->nSessionCacheDataSize >= maxsize) return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: " "size has to be < %d bytes on this platform", maxsize); } } else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) { if (!ap_mm_useable()) return "SSLSessionCache: shared memory cache not useable on this platform"; mc->nSessionCacheMode = SSL_SCMODE_SHMCB; mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg+6)); mc->tSessionCacheDataTable = NULL; mc->nSessionCacheDataSize = 1024*512; /* 512KB */ if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) { *cp++ = NUL; if ((cp2 = strchr(cp, ')')) == NULL) return "SSLSessionCache: Invalid argument: no closing parenthesis"; *cp2 = NUL; mc->nSessionCacheDataSize = atoi(cp); if (mc->nSessionCacheDataSize < 8192) return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes"; maxsize = ap_mm_core_maxsegsize(); if (mc->nSessionCacheDataSize >= maxsize) return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: " "size has to be < %d bytes on this platform", maxsize); } } else #ifdef SSL_VENDOR if (!ap_hook_use("ap::mod_ssl::vendor::cmd_sslsessioncache", AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_MODE_ALL, cmd, arg, mc)) #endif return "SSLSessionCache: Invalid argument"; return NULL; } const char *ssl_cmd_SSLSessionCacheTimeout( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->nSessionCacheTimeout = atoi(arg); if (sc->nSessionCacheTimeout < 0) return "SSLSessionCacheTimeout: Invalid argument"; return NULL; } const char *ssl_cmd_SSLLog( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL) return err; sc->szLogFile = arg; return NULL; } const char *ssl_cmd_SSLLogLevel( cmd_parms *cmd, char *struct_ptr, char *level) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL) return err; if (strcEQ(level, "none")) sc->nLogLevel = SSL_LOG_NONE; else if (strcEQ(level, "error")) sc->nLogLevel = SSL_LOG_ERROR; else if (strcEQ(level, "warn")) sc->nLogLevel = SSL_LOG_WARN; else if (strcEQ(level, "info")) sc->nLogLevel = SSL_LOG_INFO; else if (strcEQ(level, "trace")) sc->nLogLevel = SSL_LOG_TRACE; else if (strcEQ(level, "debug")) sc->nLogLevel = SSL_LOG_DEBUG; else return "SSLLogLevel: Invalid argument"; return NULL; } const char *ssl_cmd_SSLOptions( cmd_parms *cmd, SSLDirConfigRec *dc, const char *cpLine) { ssl_opt_t opt; int first; char action; char *w; first = TRUE; while (cpLine[0] != NUL) { w = ap_getword_conf(cmd->pool, &cpLine); action = NUL; if (*w == '+' || *w == '-') { action = *(w++); } else if (first) { dc->nOptions = SSL_OPT_NONE; first = FALSE; } if (strcEQ(w, "StdEnvVars")) opt = SSL_OPT_STDENVVARS; else if (strcEQ(w, "CompatEnvVars")) opt = SSL_OPT_COMPATENVVARS; else if (strcEQ(w, "ExportCertData")) opt = SSL_OPT_EXPORTCERTDATA; else if (strcEQ(w, "FakeBasicAuth")) opt = SSL_OPT_FAKEBASICAUTH; else if (strcEQ(w, "StrictRequire")) opt = SSL_OPT_STRICTREQUIRE; else if (strcEQ(w, "OptRenegotiate")) opt = SSL_OPT_OPTRENEGOTIATE; else return ap_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL); if (action == '-') { dc->nOptionsAdd &= ~opt; dc->nOptionsDel |= opt; dc->nOptions &= ~opt; } else if (action == '+') { dc->nOptionsAdd |= opt; dc->nOptionsDel &= ~opt; dc->nOptions |= opt; } else { dc->nOptions = opt; dc->nOptionsAdd = opt; dc->nOptionsDel = SSL_OPT_NONE; } } return NULL; } const char *ssl_cmd_SSLRequireSSL( cmd_parms *cmd, SSLDirConfigRec *dc, char *cipher) { dc->bSSLRequired = TRUE; return NULL; } const char *ssl_cmd_SSLRequire( cmd_parms *cmd, SSLDirConfigRec *dc, char *cpExpr) { ssl_expr *mpExpr; ssl_require_t *pReqRec; if ((mpExpr = ssl_expr_comp(cmd->pool, cpExpr)) == NULL) return ap_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL); pReqRec = ap_push_array(dc->aRequirement); pReqRec->cpExpr = ap_pstrdup(cmd->pool, cpExpr); pReqRec->mpExpr = mpExpr; return NULL; } const char *ssl_cmd_SSLProtocol( cmd_parms *cmd, char *struct_ptr, const char *opt) { SSLSrvConfigRec *sc; ssl_proto_t options, thisopt; char action; char *w; sc = mySrvConfig(cmd->server); options = SSL_PROTOCOL_NONE; while (opt[0] != NUL) { w = ap_getword_conf(cmd->pool, &opt); action = NUL; if (*w == '+' || *w == '-') action = *(w++); if (strcEQ(w, "SSLv2")) thisopt = SSL_PROTOCOL_SSLV2; else if (strcEQ(w, "SSLv3")) thisopt = SSL_PROTOCOL_SSLV3; else if (strcEQ(w, "TLSv1")) thisopt = SSL_PROTOCOL_TLSV1; else if (strcEQ(w, "all")) thisopt = SSL_PROTOCOL_ALL; else return ap_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", w, "'", NULL); if (action == '-') options &= ~thisopt; else if (action == '+') options |= thisopt; else options = thisopt; } sc->nProtocol = options; return NULL; } #ifdef SSL_EXPERIMENTAL_PROXY const char *ssl_cmd_SSLProxyProtocol( cmd_parms *cmd, char *struct_ptr, const char *opt) { SSLSrvConfigRec *sc; ssl_proto_t options, thisopt; char action; char *w; sc = mySrvConfig(cmd->server); options = SSL_PROTOCOL_NONE; while (opt[0] != NUL) { w = ap_getword_conf(cmd->pool, &opt); action = NUL; if (*w == '+' || *w == '-') action = *(w++); if (strcEQ(w, "SSLv2")) thisopt = SSL_PROTOCOL_SSLV2; else if (strcEQ(w, "SSLv3")) thisopt = SSL_PROTOCOL_SSLV3; else if (strcEQ(w, "TLSv1")) thisopt = SSL_PROTOCOL_TLSV1; else if (strcEQ(w, "all")) thisopt = SSL_PROTOCOL_ALL; else return ap_pstrcat(cmd->pool, "SSLProxyProtocol: " "Illegal protocol '", w, "'", NULL); if (action == '-') options &= ~thisopt; else if (action == '+') options |= thisopt; else options = thisopt; } sc->nProxyProtocol = options; return NULL; } const char *ssl_cmd_SSLProxyCipherSuite( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->szProxyCipherSuite = arg; return NULL; } const char *ssl_cmd_SSLProxyVerify( cmd_parms *cmd, char *struct_ptr, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->bProxyVerify = (flag ? TRUE : FALSE); return NULL; } const char *ssl_cmd_SSLProxyVerifyDepth( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); int d; d = atoi(arg); if (d < 0) return "SSLProxyVerifyDepth: Invalid argument"; sc->nProxyVerifyDepth = d; return NULL; } const char *ssl_cmd_SSLProxyCACertificateFile( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '", cpPath, "' not exists or empty", NULL); sc->szProxyCACertificateFile = cpPath; return NULL; } const char *ssl_cmd_SSLProxyCACertificatePath( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '", cpPath, "' does not exists", NULL); sc->szProxyCACertificatePath = cpPath; return NULL; } const char *ssl_cmd_SSLProxyMachineCertificateFile( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '", cpPath, "' not exists or empty", NULL); sc->szProxyClientCertificateFile = cpPath; return NULL; } const char *ssl_cmd_SSLProxyMachineCertificatePath( cmd_parms *cmd, char *struct_ptr, char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '", cpPath, "' does not exists", NULL); sc->szProxyClientCertificatePath = cpPath; return NULL; } #endif /* SSL_EXPERIMENTAL_PROXY */