* moving the openssl related new hooks into mod_ssl_openssl.h
 * changing parameter types to openssl types
 * adding explanation of return value in get_stapling_status()
 * adding array element description for add_cert_files and add_fallback_cert_files hooks


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862823 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 47d254f..a8f555c 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -102,7 +102,10 @@
 #ifdef SSL_CERT_HOOKS
 
 /** Lets others add certificate and key files to the given server.
- * For each cert a key must also be added. */
+ * For each cert a key must also be added.
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ */
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files,
                           (server_rec *s, apr_pool_t *p, 
                            apr_array_header_t *cert_files,
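Review bot: The new `@param` tags name `cert_file` and `key_file`, but the hook's parameters are `cert_files` and `key_files`, so Doxygen will not attach the descriptions to them (and "and array" should read "an array"); the same two lines are repeated on add_fallback_cert_files in the next hunk. Because these arrays determine which private key file is loaded for which certificate, the comment should also say how entries pair up, which "For each cert a key must also be added" only implies. I would write `@param cert_files an array of const char* with the paths to the certificate chains` and `@param key_files an array of const char* with the paths to the private key files`, plus a sentence on ordering once that is confirmed against the code that consumes the arrays. The hook declaration itself continues past the end of this hunk.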
@@ -111,51 +114,15 @@
 /** In case no certificates are available for a server, this
  * lets other modules add a fallback certificate for the time
  * being. Regular requests against this server will be answered
- * with a 503. */
+ * with a 503. 
+ * @param cert_file and array of const char* with the path to the certificate chain
+ * @param key_file and array of const char* with the path to the private key file
+ */
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_fallback_cert_files,
                           (server_rec *s, apr_pool_t *p, 
                            apr_array_header_t *cert_files,
                            apr_array_header_t *key_files))
 
-/** On TLS connections that do not relate to a configured virtual host,
- * allow other modules to provide a X509 certificate and EVP_PKEY to
- * be used on the connection. This first hook which does not
- * return DECLINED will determine the outcome. */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
-                          (conn_rec *c, const char *server_name, 
-                          void **pX509, void **pEVP_PKEY))
-
-/** During post_config phase, ask around if someone wants to provide
- * OCSP stapling status information for the given cert (with the also
- * provided issuer certificate). The first hook which does not
- * return DECLINED promises to take responsibility (and respond
- * in later calls via hook ssl_get_stapling_status).
- * If no hook takes over, mod_ssl's own stapling implementation will
- * be applied (if configured).
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
-                          (server_rec *s, apr_pool_t *p, 
-                          void *x509cert, void *x509issuer))
-
-/** Anyone answering positive to ssl_init_stapling_status for a 
- * certificate, needs to register here and supply the actual OCSP stapling
- * status data (OCSP_RESP) for a new connection.
- * The data is returned in DER encoded bytes via pder and pderlen. The
- * returned pointer may be NULL, which indicates that data is (currently)
- * unavailable.
- * If DER data is returned, it MUST come from a response with
- * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
- * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
- * errors in OCSP retrieval are to be handled/logged by the hook and
- * are not done by mod_ssl.
- * Any DER bytes returned MUST be allocated via malloc() and ownership
- * passes to mod_ssl. Meaning, the hook must return a malloced copy of
- * the data it has. mod_ssl (or OpenSSL) will free it. 
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
-                          (unsigned char **pder, int *pderlen, 
-                          conn_rec *c, server_rec *s, void *x509cert))
-                          
 #endif /* SSL_CERT_HOOKS */
 
 #endif /* __MOD_SSL_H__ */
diff --git a/modules/ssl/mod_ssl_openssl.h b/modules/ssl/mod_ssl_openssl.h
index 0fa654a..d4f684f 100644
--- a/modules/ssl/mod_ssl_openssl.h
+++ b/modules/ssl/mod_ssl_openssl.h
@@ -69,5 +69,45 @@
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
                           (conn_rec *c, SSL *ssl))
 
+/** On TLS connections that do not relate to a configured virtual host,
+ * allow other modules to provide a X509 certificate and EVP_PKEY to
+ * be used on the connection. This first hook which does not
+ * return DECLINED will determine the outcome. */
+APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge,
+                          (conn_rec *c, const char *server_name, 
+                          X509 **pcert, EVP_PKEY **pkey))
+
+/** During post_config phase, ask around if someone wants to provide
+ * OCSP stapling status information for the given cert (with the also
+ * provided issuer certificate). The first hook which does not
+ * return DECLINED promises to take responsibility (and respond
+ * in later calls via hook ssl_get_stapling_status).
+ * If no hook takes over, mod_ssl's own stapling implementation will
+ * be applied (if configured).
+ */
+APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status,
+                          (server_rec *s, apr_pool_t *p, 
+                          X509 *cert, X509 *issuer))
+
+/** Anyone answering positive to ssl_init_stapling_status for a 
+ * certificate, needs to register here and supply the actual OCSP stapling
+ * status data (OCSP_RESP) for a new connection.
+ * A hook supplying the response data must return APR_SUCCESS.
+ * The data is returned in DER encoded bytes via pder and pderlen. The
+ * returned pointer may be NULL, which indicates that data is (currently)
+ * unavailable.
+ * If DER data is returned, it MUST come from a response with
+ * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD
+ * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means
+ * errors in OCSP retrieval are to be handled/logged by the hook and
+ * are not done by mod_ssl.
+ * Any DER bytes returned MUST be allocated via malloc() and ownership
+ * passes to mod_ssl. Meaning, the hook must return a malloced copy of
+ * the data it has. mod_ssl (or OpenSSL) will free it. 
+ */
+APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status,
+                          (unsigned char **pder, int *pderlen, 
+                          conn_rec *c, server_rec *s, X509 *cert))
+                          
 #endif /* __MOD_SSL_OPENSSL_H__ */
 /** @} */
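Review bot: The get_stapling_status comment leaves the NULL case underspecified: it says a supplying hook must return APR_SUCCESS and that the returned pointer may be NULL, but not what `*pderlen` must hold in that case, nor whether mod_ssl then staples nothing or falls back to its own stapling code. For a revocation mechanism that difference is worth stating, for example `If *pder is NULL, *pderlen MUST be 0 and no response is stapled for this connection.`, after confirming the behaviour in ssl_util_stapling.c. The malloc() requirement also deserves a second look now that this header is OpenSSL-specific: if mod_ssl passes the buffer on to OpenSSL, it will be released through OpenSSL's allocator rather than plain free(), so the comment should name the allocator that actually matches. The answer_challenge comment likewise does not say who owns the returned `X509` and `EVP_PKEY` or how long they must remain valid.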
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index eb9d2dc..ddc9641 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -39,7 +39,6 @@
                                     (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
                                     (s,p,is_proxy,ctx), OK, DECLINED)
 
-/* Implement 'ap_run_ssl_add_cert_files'. */
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files,
                                     (server_rec *s, apr_pool_t *p, 
                                     apr_array_header_t *cert_files, apr_array_header_t *key_files),
@@ -54,8 +53,8 @@
 
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge,
                                     (conn_rec *c, const char *server_name, 
-                                    void **pX509, void **pEVP_PKEY),
-                                    (c, server_name, pX509, pEVP_PKEY),
+                                    X509 **pcert, EVP_PKEY **pkey),
+                                    (c, server_name, pcert, pkey),
                                     DECLINED, DECLINED)
 
 
@@ -198,7 +197,7 @@
 int ssl_is_challenge(conn_rec *c, const char *servername, 
                      X509 **pcert, EVP_PKEY **pkey)
 {
-    if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, (void**)pcert, (void**)pkey)) {
+    if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, pcert, pkey)) {
         return 1;
     }
     *pcert = NULL;
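Review bot: `ssl_is_challenge` returns 1 as soon as a hook reports APR_SUCCESS, without checking that the hook actually filled in `*pcert` and `*pkey`. Dropping the `(void**)` casts makes the compiler check the types, but the contents are still taken on trust from another module. If callers use the pair directly, a hook that returns success and leaves an output NULL or untouched would be treated as a valid challenge answer. Either state in the answer_challenge hook comment that APR_SUCCESS implies both outputs are set, or set both outputs to NULL before the call and tighten the test to `if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, pcert, pkey) && *pcert && *pkey) {`. The callers and the rest of this function are outside the hunk, so whether a NULL pair is tolerated downstream needs confirming first.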
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 4105c80..78edd6f 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -31,18 +31,18 @@
 #include "ssl_private.h"
 #include "ap_mpm.h"
 #include "apr_thread_mutex.h"
-#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
 
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status,
                                     (server_rec *s, apr_pool_t *p, 
-                                     void *x509cert, void *x509issuer),
-                                     (s, p, x509cert, x509issuer),
+                                     X509 *cert, X509 *issuer),
+                                     (s, p, cert, issuer),
                                     DECLINED, DECLINED)
 
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status,
                                     (unsigned char **pder, int *pderlen, 
-                                     conn_rec *c, server_rec *s, void *x509cert),
-                                     (pder, pderlen, c, s, x509cert), 
+                                     conn_rec *c, server_rec *s, X509 *cert),
+                                     (pder, pderlen, c, s, cert), 
                                     DECLINED, DECLINED)