| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| /** |
| * @file mod_ssl_openssl.h |
| * @brief Interface to OpenSSL-specific APIs provided by mod_ssl |
| * |
| * @defgroup MOD_SSL mod_ssl_openssl |
| * @ingroup APACHE_MODS |
| * @{ |
| */ |
| |
| #ifndef __MOD_SSL_OPENSSL_H__ |
| #define __MOD_SSL_OPENSSL_H__ |
| |
| #include "mod_ssl.h" |
| |
| /* OpenSSL headers */ |
| |
| #ifndef SSL_PRIVATE_H |
| #include <openssl/opensslv.h> |
| #if (OPENSSL_VERSION_NUMBER >= 0x10001000) |
| /* must be defined before including ssl.h */ |
| #define OPENSSL_NO_SSL_INTERN |
| #endif |
| #include <openssl/ssl.h> |
| #endif |
| |
| /** |
| * init_server hook -- allow SSL_CTX-specific initialization to be performed by |
| * a module for each SSL-enabled server (one at a time) |
| * @param s SSL-enabled [virtual] server |
| * @param p pconf pool |
| * @param is_proxy 1 if this server supports backend connections |
| * over SSL/TLS, 0 if it supports client connections over SSL/TLS |
| * @param ctx OpenSSL SSL Context for the server |
| */ |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server, |
| (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)) |
| |
| /** |
| * pre_handshake hook |
| * @param c conn_rec for new connection from client or to backend server |
| * @param ssl OpenSSL SSL Connection for the client or backend server |
| * @param is_proxy 1 if this handshake is for a backend connection, 0 otherwise |
| */ |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake, |
| (conn_rec *c, SSL *ssl, int is_proxy)) |
| |
| /** |
| * proxy_post_handshake hook -- allow module to abort after successful |
| * handshake with backend server and subsequent peer checks |
| * @param c conn_rec for connection to backend server |
| * @param ssl OpenSSL SSL Connection for the client or backend server |
| */ |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake, |
| (conn_rec *c, SSL *ssl)) |
| |
| /** On TLS connections that do not relate to a configured virtual host, |
| * allow other modules to provide a X509 certificate and EVP_PKEY to |
| * be used on the connection. This first hook which does not |
| * return DECLINED will determine the outcome. */ |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge, |
| (conn_rec *c, const char *server_name, |
| X509 **pcert, EVP_PKEY **pkey)) |
| |
| /** During post_config phase, ask around if someone wants to provide |
| * OCSP stapling status information for the given cert (with the also |
| * provided issuer certificate). The first hook which does not |
| * return DECLINED promises to take responsibility (and respond |
| * in later calls via hook ssl_get_stapling_status). |
| * If no hook takes over, mod_ssl's own stapling implementation will |
| * be applied (if configured). |
| */ |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status, |
| (server_rec *s, apr_pool_t *p, |
| X509 *cert, X509 *issuer)) |
| |
| /** Anyone answering positive to ssl_init_stapling_status for a |
| * certificate, needs to register here and supply the actual OCSP stapling |
| * status data (OCSP_RESP) for a new connection. |
| * A hook supplying the response data must return APR_SUCCESS. |
| * The data is returned in DER encoded bytes via pder and pderlen. The |
| * returned pointer may be NULL, which indicates that data is (currently) |
| * unavailable. |
| * If DER data is returned, it MUST come from a response with |
| * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD |
| * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means |
| * errors in OCSP retrieval are to be handled/logged by the hook and |
| * are not done by mod_ssl. |
| * Any DER bytes returned MUST be allocated via malloc() and ownership |
| * passes to mod_ssl. Meaning, the hook must return a malloced copy of |
| * the data it has. mod_ssl (or OpenSSL) will free it. |
| */ |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status, |
| (unsigned char **pder, int *pderlen, |
| conn_rec *c, server_rec *s, X509 *cert)) |
| |
| #endif /* __MOD_SSL_OPENSSL_H__ */ |
| /** @} */ |