| 1045 | #endif |
| 1046 | |
| 1047 | int ssl_hook_Access(request_rec *r) |
| 1048 | { |
| 1049 | SSLDirConfigRec *dc = myDirConfig(r); |
| 1050 | SSLSrvConfigRec *sc = mySrvConfig(r->server); |
| 1051 | SSLConnRec *sslconn = myConnConfig(r->connection); |
| 1052 | SSL *ssl = sslconn ? sslconn->ssl : NULL; |
| 1053 | apr_array_header_t *requires; |
| 1054 | ssl_require_t *ssl_requires; |
| 1055 | int ok, i, ret; |
| 1056 | |
| 1057 | /* On a slave connection, we do not expect to have an SSLConnRec, but |
| 1058 | * our master connection might have one. */ |
| 1059 | if (!(sslconn && ssl) && r->connection->master) { |
| 1060 | sslconn = myConnConfig(r->connection->master); |
| 1061 | ssl = sslconn ? sslconn->ssl : NULL; |
| 1062 | } |
| 1063 | |
| 1064 | /* |
| 1065 | * We should have handshaken here, otherwise we are being |
| 1066 | * redirected (ErrorDocument) from a renegotiation failure below. |
| 1067 | * The access is still forbidden in the latter case, let ap_die() handle |
| 1068 | * this recursive (same) error. |
| 1069 | */ |
| 1070 | if (ssl && !SSL_is_init_finished(ssl)) { |
| 1071 | return HTTP_FORBIDDEN; |
| 1072 | } |
| 1073 | |
| 1074 | /* |
| 1075 | * Support for SSLRequireSSL directive |
| 1076 | */ |
| 1077 | if (dc->bSSLRequired && !ssl) { |
| 1078 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219) |
| 1079 | "access to %s failed, reason: %s", |
| 1080 | r->filename, "SSL connection required"); |
| 1081 | |
| 1082 | /* remember forbidden access for strict require option */ |
| 1083 | apr_table_setn(r->notes, "ssl-access-forbidden", "1"); |
| 1084 | |
| 1085 | return HTTP_FORBIDDEN; |
| 1086 | } |
| 1087 | |
| 1088 | /* |
| 1089 | * Check to see whether SSL is in use; if it's not, then no |
| 1090 | * further access control checks are relevant. (the test for |
| 1091 | * sc->enabled is probably strictly unnecessary) |
| 1092 | */ |
| 1093 | if (sc->enabled == SSL_ENABLED_FALSE || !ssl) { |
| 1094 | return DECLINED; |
| 1095 | } |
| 1096 | |
| 1097 | #if SSL_HAVE_PROTOCOL_TLSV1_3 |
| 1098 | /* TLSv1.3+ is less complicated here. Branch off into a new codeline |
| 1099 | * and avoid messing with the past. */ |
| 1100 | if (SSL_version(ssl) >= TLS1_3_VERSION) { |
| 1101 | ret = ssl_hook_Access_modern(r, sc, dc, sslconn, ssl); |
| 1102 | } |
| 1103 | else |
| 1104 | #endif |
nothing calls this directly
no test coverage detected