MCPcopy Create free account
hub / github.com/apache/httpd / ssl_hook_Access_modern

Function ssl_hook_Access_modern

modules/ssl/ssl_engine_kernel.c:913–1044  ·  view source on GitHub ↗

* Access Handler, modern flavour, for SSL/TLS v1.3 and onward. * Only client certificates can be requested, everything else stays. */

Source from the content-addressed store, hash-verified

911 * Only client certificates can be requested, everything else stays.
912 */
913static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,
914 SSLConnRec *sslconn, SSL *ssl)
915{
916 if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
917 (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
918 int vmode_inplace, vmode_needed;
919 int change_vmode = FALSE;
920 int n, rc;
921
922 vmode_inplace = SSL_get_verify_mode(ssl);
923 vmode_needed = SSL_VERIFY_NONE;
924
925 if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
926 (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
927 vmode_needed |= SSL_VERIFY_PEER_STRICT;
928 }
929
930 if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
931 (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
932 (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
933 (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
934 {
935 vmode_needed |= SSL_VERIFY_PEER;
936 }
937
938 if (vmode_needed == SSL_VERIFY_NONE) {
939 return DECLINED;
940 }
941
942 vmode_needed |= SSL_VERIFY_CLIENT_ONCE;
943 if (vmode_inplace != vmode_needed) {
944 /* Need to change, if new setting is more restrictive than existing one */
945
946 if ((vmode_inplace == SSL_VERIFY_NONE)
947 || (!(vmode_inplace & SSL_VERIFY_PEER)
948 && (vmode_needed & SSL_VERIFY_PEER))
949 || (!(vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
950 && (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
951 /* need to change the effective verify mode */
952 change_vmode = TRUE;
953 }
954 else {
955 /* FIXME: does this work with TLSv1.3? Is this more than re-inspecting
956 * the certificate we should already have? */
957 /*
958 * override of SSLVerifyDepth
959 *
960 * The depth checks are handled by us manually inside the
961 * verify callback function and not by OpenSSL internally
962 * (and our function is aware of both the per-server and
963 * per-directory contexts). So we cannot ask OpenSSL about
964 * the currently verify depth. Instead we remember it in our
965 * SSLConnRec attached to the SSL* of OpenSSL. We've to force
966 * the renegotiation if the reconfigured/new verify depth is
967 * less than the currently active/remembered verify depth
968 * (because this means more restriction on the certificate
969 * chain).
970 */

Callers 1

ssl_hook_AccessFunction · 0.85

Calls 4

fill_reneg_bufferFunction · 0.85
ssl_log_ssl_errorFunction · 0.85
modssl_set_app_data2Function · 0.85

Tested by

no test coverage detected