MCPcopy Create free account
hub / github.com/apache/httpd / ssl_hook_Access

Function ssl_hook_Access

modules/ssl/ssl_engine_kernel.c:1047–1184  ·  view source on GitHub ↗

Source from the content-addressed store, hash-verified

1045#endif
1046
1047int ssl_hook_Access(request_rec *r)
1048{
1049 SSLDirConfigRec *dc = myDirConfig(r);
1050 SSLSrvConfigRec *sc = mySrvConfig(r->server);
1051 SSLConnRec *sslconn = myConnConfig(r->connection);
1052 SSL *ssl = sslconn ? sslconn->ssl : NULL;
1053 apr_array_header_t *requires;
1054 ssl_require_t *ssl_requires;
1055 int ok, i, ret;
1056
1057 /* On a slave connection, we do not expect to have an SSLConnRec, but
1058 * our master connection might have one. */
1059 if (!(sslconn && ssl) && r->connection->master) {
1060 sslconn = myConnConfig(r->connection->master);
1061 ssl = sslconn ? sslconn->ssl : NULL;
1062 }
1063
1064 /*
1065 * We should have handshaken here, otherwise we are being
1066 * redirected (ErrorDocument) from a renegotiation failure below.
1067 * The access is still forbidden in the latter case, let ap_die() handle
1068 * this recursive (same) error.
1069 */
1070 if (ssl && !SSL_is_init_finished(ssl)) {
1071 return HTTP_FORBIDDEN;
1072 }
1073
1074 /*
1075 * Support for SSLRequireSSL directive
1076 */
1077 if (dc->bSSLRequired && !ssl) {
1078 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
1079 "access to %s failed, reason: %s",
1080 r->filename, "SSL connection required");
1081
1082 /* remember forbidden access for strict require option */
1083 apr_table_setn(r->notes, "ssl-access-forbidden", "1");
1084
1085 return HTTP_FORBIDDEN;
1086 }
1087
1088 /*
1089 * Check to see whether SSL is in use; if it's not, then no
1090 * further access control checks are relevant. (the test for
1091 * sc->enabled is probably strictly unnecessary)
1092 */
1093 if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
1094 return DECLINED;
1095 }
1096
1097#if SSL_HAVE_PROTOCOL_TLSV1_3
1098 /* TLSv1.3+ is less complicated here. Branch off into a new codeline
1099 * and avoid messing with the past. */
1100 if (SSL_version(ssl) >= TLS1_3_VERSION) {
1101 ret = ssl_hook_Access_modern(r, sc, dc, sslconn, ssl);
1102 }
1103 else
1104#endif

Callers

nothing calls this directly

Calls 4

ssl_hook_Access_modernFunction · 0.85
ssl_hook_Access_classicFunction · 0.85
ap_expr_execFunction · 0.85
ssl_var_lookupFunction · 0.70

Tested by

no test coverage detected