📄 ssl_engine_config.c
/*                      _             _
**  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
** | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
** | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
**                      |_____|
**  ssl_engine_config.c
**  Apache Configuration Directives
*/

/* ====================================================================
 * Copyright (c) 1998-2006 Ralf S. Engelschall. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * 4. The names "mod_ssl" must not be used to endorse or promote
 *    products derived from this software without prior written
 *    permission. For written permission, please contact
 *    rse@engelschall.com.
 *
 * 5. Products derived from this software may not be called "mod_ssl"
 *    nor may "mod_ssl" appear in their names without prior
 *    written permission of Ralf S. Engelschall.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */

                             /* ``Damned if you do,
                                  damned if you don't.''
                                            -- Unknown        */
#include "mod_ssl.h"


/*  _________________________________________________________________
**
**  Support for Global Configuration
**  _________________________________________________________________
*/

/*
 * Module-add hook. Acts only when the module being added is ssl_module:
 * defines the MOD_SSL configuration symbol and calls the variable,
 * extension and I/O registration routines (plus the vendor one when
 * both SSL_VENDOR and SSL_VENDOR_OBJS are defined). Any other module
 * is ignored.
 */
void ssl_hook_AddModule(module *m)
{
    if (m == &ssl_module) {
        /*
         * Announce us for the configuration files
         */
        ap_add_config_define("MOD_SSL");

        /*
         * Link ourself into the Apache kernel
         */
        ssl_var_register();
        ssl_ext_register();
        ssl_io_register();
#if defined(SSL_VENDOR) && defined(SSL_VENDOR_OBJS)
        ssl_vendor_register();
#endif
    }
    return;
}

/*
 * Module-remove hook. Counterpart of ssl_hook_AddModule: when the module
 * being removed is ssl_module, calls the matching unregister routines.
 */
void ssl_hook_RemoveModule(module *m)
{
    if (m == &ssl_module) {
        /*
         * Unlink ourself from the Apache kernel
         */
        ssl_var_unregister();
        ssl_ext_unregister();
        ssl_io_unregister();
#if defined(SSL_VENDOR) && defined(SSL_VENDOR_OBJS)
        ssl_vendor_unregister();
#endif
    }
    return;
}

/*
 * Create the global (per-module) configuration record once and store it
 * in ap_global_ctx under the key "ssl_module". If a record is already
 * stored under that key the function does nothing, so repeated calls
 * are harmless.
 */
void ssl_config_global_create(void)
{
    pool *pPool;
    SSLModConfigRec *mc;

    mc = ap_ctx_get(ap_global_ctx, "ssl_module");
    if (mc == NULL) {
        /*
         * allocate an own subpool which survives server restarts
         */
        pPool = ap_make_sub_pool(NULL);
        /*
         * NOTE(review): the record is initialised member by member below
         * and ap_palloc is not expected to zero the memory, so any
         * SSLModConfigRec member that is not assigned here would start
         * with indeterminate contents -- confirm against the struct
         * declaration, which is not part of this file.
         */
        mc = (SSLModConfigRec *)ap_palloc(pPool, sizeof(SSLModConfigRec));
        mc->pPool = pPool;
        mc->bFixed = FALSE;

        /*
         * initialize per-module configuration
         */
        mc->nInitCount             = 0;
        mc->nSessionCacheMode      = SSL_SCMODE_UNSET;
        mc->szSessionCacheDataFile = NULL;
        mc->nSessionCacheDataSize  = 0;
        mc->pSessionCacheDataMM    = NULL;
        mc->tSessionCacheDataTable = NULL;
        mc->nMutexMode             = SSL_MUTEXMODE_UNSET;
        mc->szMutexFile            = NULL;
        mc->nMutexFD               = -1;
        mc->nMutexSEMID            = -1;

        /*
         * The key and certificate tables are created in the subpool
         * made above, i.e. the one meant to survive server restarts.
         * NOTE(review): tPrivateKey presumably holds encoded private
         * key material (elements are ssl_asn1_t); if so it stays in
         * memory for as long as that pool lives -- confirm.
         */
        mc->aRandSeed              = ap_make_array(pPool, 4, sizeof(ssl_randseed_t));

        mc->tPrivateKey            = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
        mc->tPublicCert            = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
        mc->tTmpKeys               = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
#ifdef SSL_EXPERIMENTAL_ENGINE
        mc->szCryptoDevice         = NULL;
#endif

        /* clear all SSL_TKPIDX_MAX slots of the pTmpKeys pointer array */
        (void)memset(mc->pTmpKeys, 0, SSL_TKPIDX_MAX*sizeof(void *));

#ifdef SSL_VENDOR
        mc->ctx = ap_ctx_new(pPool);
        ap_hook_use("ap::mod_ssl::vendor::config_global_create",
                    AP_HOOK_SIG2(void,ptr), AP_HOOK_MODE_ALL, mc);
#endif

        /*
         * And push it into Apache's global context
         */
        ap_ctx_set(ap_global_ctx, "ssl_module", mc);
    }
    return;
}

/*
 * Set the bFixed flag on the record returned by myModConfig().
 * NOTE(review): the flag presumably tells the directive handlers that
 * the global settings must no longer change -- the consumers are not
 * in this part of the file.
 */
void ssl_config_global_fix(void)
{
    SSLModConfigRec *mc = myModConfig();
    mc->bFixed = TRUE;
    return;
}

/*
 * Return the bFixed flag of the record returned by myModConfig().
 */
BOOL ssl_config_global_isfixed(void)
{
    SSLModConfigRec *mc = myModConfig();
    return (mc->bFixed);
}


/*  _________________________________________________________________
**
**  Configuration handling
**  _________________________________________________________________
*/

/*
 *  Create per-server SSL configuration
 *
 *  Makes sure the global record exists, then allocates an
 *  SSLSrvConfigRec from pool p and gives every member assigned below
 *  its "not configured" value. The server_rec s is used only by the
 *  vendor hook. Returns the new record.
 */
void *ssl_config_server_create(pool *p, server_rec *s)
{
    SSLSrvConfigRec *sc;

    ssl_config_global_create();

    /*
     * NOTE(review): as with the global record, members are assigned one
     * by one and ap_palloc is not expected to zero the block; a member
     * missing from the list below would be left uninitialised -- check
     * against the struct declaration.
     */
    sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
    sc->bEnabled               = UNSET;
    sc->szCACertificatePath    = NULL;
    sc->szCACertificateFile    = NULL;
    sc->szCertificateChain     = NULL;
    sc->szLogFile              = NULL;
    sc->szCipherSuite          = NULL;
    sc->nLogLevel              = SSL_LOG_NONE;
    sc->nVerifyDepth           = UNSET;
    sc->nVerifyClient          = SSL_CVERIFY_UNSET;
    sc->nSessionCacheTimeout   = UNSET;
    sc->nPassPhraseDialogType  = SSL_PPTYPE_UNSET;
    sc->szPassPhraseDialogPath = NULL;
    /*
     * Default is every protocol bit in SSL_PROTOCOL_ALL. Which protocol
     * versions that covers is defined outside this file; a server that
     * should not offer the older ones has to narrow this explicitly in
     * its configuration.
     */
    sc->nProtocol              = SSL_PROTOCOL_ALL;
    sc->fileLogFile            = NULL;
    sc->pSSLCtx                = NULL;
    sc->szCARevocationPath     = NULL;
    sc->szCARevocationFile     = NULL;
    sc->pRevocationStore       = NULL;

#ifdef SSL_EXPERIMENTAL_PROXY
    sc->nProxyVerifyDepth             = UNSET;
    sc->szProxyCACertificatePath      = NULL;
    sc->szProxyCACertificateFile      = NULL;
    sc->szProxyClientCertificateFile  = NULL;
    sc->szProxyClientCertificatePath  = NULL;
    sc->szProxyCipherSuite            = NULL;
    /*
     * NOTE(review): the proxy default clears the TLSv1 bit, so only the
     * remaining bits of SSL_PROTOCOL_ALL stay enabled -- presumably the
     * older SSL versions. Verify that this is intended.
     */
    sc->nProxyProtocol                = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1;
    sc->bProxyVerify                  = UNSET;
    sc->pSSLProxyCtx                  = NULL;
#endif

    /* clear the per-algorithm file name and object arrays (SSL_AIDX_MAX slots each) */
    (void)memset(sc->szPublicCertFile, 0, SSL_AIDX_MAX*sizeof(char *));
    (void)memset(sc->szPrivateKeyFile, 0, SSL_AIDX_MAX*sizeof(char *));
    (void)memset(sc->pPublicCert, 0, SSL_AIDX_MAX*sizeof(X509 *));
    (void)memset(sc->pPrivateKey, 0, SSL_AIDX_MAX*sizeof(EVP_PKEY *));

#ifdef SSL_VENDOR
    sc->ctx = ap_ctx_new(p);
    ap_hook_use("ap::mod_ssl::vendor::config_server_create",
                AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_MODE_ALL,
                p, s, sc);
#endif

    return sc;
}

/*
 *  Merge per-server SSL configurations
 *
 *  Allocates a fresh SSLSrvConfigRec from pool p and fills it from the
 *  two records passed as basev and addv. Returns the new record.
 *
 *  The cfgMerge* macros are defined outside this file and are given
 *  only a member name, so they presumably operate on the locals named
 *  base, add and new -- keep those names. The second argument of
 *  cfgMerge appears to be the value that counts as "not set".
 */
void *ssl_config_server_merge(pool *p, void *basev, void *addv)
{
    SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
    SSLSrvConfigRec *add  = (SSLSrvConfigRec *)addv;
    SSLSrvConfigRec *new  = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec));
    int i;

    cfgMergeBool(bEnabled);
    cfgMergeString(szCACertificatePath);
    cfgMergeString(szCACertificateFile);
    cfgMergeString(szCertificateChain);
    cfgMergeString(szLogFile);
    cfgMergeString(szCipherSuite);
    cfgMerge(nLogLevel, SSL_LOG_NONE);
    cfgMergeInt(nVerifyDepth);
    cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
    cfgMergeInt(nSessionCacheTimeout);
    cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET);
    cfgMergeString(szPassPhraseDialogPath);
    /*
     * NOTE(review): SSL_PROTOCOL_ALL doubles as the "not set" value
     * here, so an added record that explicitly asks for all protocols
     * presumably cannot be told apart from one that sets nothing and
     * would take the base value -- confirm against the cfgMerge
     * definition.
     */
    cfgMerge(nProtocol, SSL_PROTOCOL_ALL);
    cfgMerge(fileLogFile, NULL);
    cfgMerge(pSSLCtx, NULL);
    cfgMerge(szCARevocationPath, NULL);
    cfgMerge(szCARevocationFile, NULL);
    cfgMerge(pRevocationStore, NULL);
    /* certificate / key file names and objects are merged slot by slot */
    for (i = 0; i < SSL_AIDX_MAX; i++) {
        cfgMergeString(szPublicCertFile[i]);
        cfgMergeString(szPrivateKeyFile[i]);
        cfgMerge(pPublicCert[i], NULL);
        cfgMerge(pPrivateKey[i], NULL);
    }

#ifdef SSL_VENDOR
    cfgMergeCtx(ctx);
    ap_hook_use("ap::mod_ssl::vendor::config_server_merge",
                AP_HOOK_SIG5(void,ptr,ptr,ptr,ptr), AP_HOOK_MODE_ALL,
                p, base, add, new);
#endif

#ifdef SSL_EXPERIMENTAL_PROXY
    cfgMergeInt(nProxyVerifyDepth);
    cfgMergeString(szProxyCACertificatePath);
    cfgMergeString(szProxyCACertificateFile);
    cfgMergeString(szProxyClientCertificateFile);
    cfgMergeString(szProxyClientCertificatePath);
    cfgMergeString(szProxyCipherSuite);
    cfgMerge(nProxyProtocol, (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1));
    cfgMergeBool(bProxyVerify);
    cfgMerge(pSSLProxyCtx, NULL);
#endif

    return new;
}

/*
 *  Create per-directory SSL configuration
 *
 *  Allocates an SSLDirConfigRec from pool p with SSL not required, an
 *  empty requirement array, no options (but with the SSL_OPT_RELSET bit
 *  set in nOptions) and the cipher suite / client verification members
 *  unset. dir is used only by the vendor hook. Returns the new record.
 */
void *ssl_config_perdir_create(pool *p, char *dir)
{
    SSLDirConfigRec *dc = ap_palloc(p, sizeof(SSLDirConfigRec));

    dc->bSSLRequired  = FALSE;
    dc->aRequirement  = ap_make_array(p, 4, sizeof(ssl_require_t));
    dc->nOptions      = SSL_OPT_NONE|SSL_OPT_RELSET;
    dc->nOptionsAdd   = SSL_OPT_NONE;
    dc->nOptionsDel   = SSL_OPT_NONE;

    dc->szCipherSuite          = NULL;
    dc->nVerifyClient          = SSL_CVERIFY_UNSET;
    dc->nVerifyDepth           = UNSET;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
    dc->szCACertificatePath    = NULL;
    dc->szCACertificateFile    = NULL;
#endif

#ifdef SSL_VENDOR
    dc->ctx = ap_ctx_new(p);
    ap_hook_use("ap::mod_ssl::vendor::config_perdir_create",
                AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_MODE_ALL,
                p, dir, dc);
#endif

    return dc;
}

/*
 *  Merge per-directory SSL configurations
 */
void *ssl_config_perdir_merge(pool *p, void *basev, void *addv)
{
    SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
    SSLDirConfigRec *add  = (SSLDirConfigRec *)addv;
    SSLDirConfigRec *new  = (SSLDirConfigRec *)ap_palloc(p,
                                               sizeof(SSLDirConfigRec));

    cfgMerge(bSSLRequired, FALSE);
    cfgMergeArray(aRequirement);

    if (add->nOptions & SSL_OPT_RELSET) {
        new->nOptionsAdd = (base->nOptionsAdd & ~(add->nOptionsDel)) | add->nOptionsAdd;
        new->nOptionsDel = (base->nOptionsDel & ~(add->nOptionsAdd)) | add->nOptionsDel;
        new->nOptions    = (base->nOptions    & ~(new->nOptionsDel)) | new->nOptionsAdd;
    }
    else {
        new->nOptions    = add->nOptions;
        new->nOptionsAdd = add->nOptionsAdd;
        new->nOptionsDel = add->nOptionsDel;
    }

    cfgMergeString(szCipherSuite);
    cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
    cfgMergeInt(nVerifyDepth);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
    cfgMergeString(szCACertificatePath);
    cfgMergeString(szCACertificateFile);
#endif

#ifdef SSL_VENDOR
    cfgMergeCtx(ctx);
    ap_hook_use("ap::mod_ssl::vendor::config_perdir_merge",
                AP_HOOK_SIG5(void,ptr,ptr,ptr,ptr), AP_HOOK_MODE_ALL,
                p, base, add, new);
#endif