#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

    ENGINE_cleanup();

    ENGINE_cleanup();

#endif

#endif

    ERR_remove_state(0);

    ERR_remove_state(0);

    /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only

    /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only

     * actually loaded the error strings once per process due to static

     * actually loaded the error strings once per process due to static

    /* We must register the library in full, to ensure our configuration

    /* We must register the library in full, to ensure our configuration

     * code can successfully test the SSL environment.

     * code can successfully test the SSL environment.

     */

     */

    CRYPTO_malloc_init();

    CRYPTO_malloc_init();

    ERR_load_crypto_strings();

    ERR_load_crypto_strings();

    SSL_load_error_strings();

    SSL_load_error_strings();

    SSL_library_init();

    SSL_library_init();

                      APR_LOCK_DEFAULT, 0);

                      APR_LOCK_DEFAULT, 0);

#endif

#endif

    return OK;

    return OK;

}

}

#define KEYTYPES "RSA or DSA"

#define KEYTYPES "RSA or DSA"

#endif

#endif

/*

/*

 * Grab well-defined DH parameters from OpenSSL, see the get_rfc*

 * Grab well-defined DH parameters from OpenSSL, see the get_rfc*

 * functions in <openssl/bn.h> for all available primes.

 * functions in <openssl/bn.h> for all available primes.

 */

 */

static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)

static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)

{

{

    if (!dh) {

    if (!dh) {

        return NULL;

        return NULL;

    }

    }

        DH_free(dh);

        DH_free(dh);

        return NULL;

        return NULL;

    }

    }

    return dh;

    return dh;

}

}

    MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;

    MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;

    char *cp;

    char *cp;

    int protocol = mctx->protocol;

    int protocol = mctx->protocol;

    SSLSrvConfigRec *sc = mySrvConfig(s);

    SSLSrvConfigRec *sc = mySrvConfig(s);

    /*

    /*

    ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,

    ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,

                 "Creating new SSL context (protocols: %s)", cp);

                 "Creating new SSL context (protocols: %s)", cp);

#ifndef OPENSSL_NO_SSL3

#ifndef OPENSSL_NO_SSL3

    else

    else

#endif

#endif

#endif

#endif

    mctx->ssl_ctx = ctx;

    mctx->ssl_ctx = ctx;

    unsigned long err;

    unsigned long err;

    int n;

    int n;

        return -1;

        return -1;

    if (BIO_read_filename(bio, file) <= 0) {

    if (BIO_read_filename(bio, file) <= 0) {

        BIO_free(bio);

        BIO_free(bio);

        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);

        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);

        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)

        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)

                     "Custom DH parameters (%d bits) for %s loaded from %s",

                     "Custom DH parameters (%d bits) for %s loaded from %s",

        DH_free(dhparams);

        DH_free(dhparams);

    }

    }

                                    (conn_rec *c,SSL *ssl),

                                    (conn_rec *c,SSL *ssl),

                                    (c,ssl),OK,DECLINED);

                                    (c,ssl),OK,DECLINED);

/*  _________________________________________________________________

/*  _________________________________________________________________

**

**

**  I/O Hooks

**  I/O Hooks

 * success, -1 on failure. */

 * success, -1 on failure. */

static int bio_filter_out_flush(BIO *bio)

static int bio_filter_out_flush(BIO *bio)

{

{

    apr_bucket *e;

    apr_bucket *e;

    AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));

    AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));

static int bio_filter_create(BIO *bio)

static int bio_filter_create(BIO *bio)

{

{

    return 1;

    return 1;

}

}

static int bio_filter_out_write(BIO *bio, const char *in, int inl)

static int bio_filter_out_write(BIO *bio, const char *in, int inl)

{

{

    apr_bucket *e;

    apr_bucket *e;

    int need_flush;

    int need_flush;

static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)

static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)

{

{

    long ret = 1;

    long ret = 1;

    switch (cmd) {

    switch (cmd) {

    case BIO_CTRL_RESET:

    case BIO_CTRL_RESET:

        ret = 0;

        ret = 0;

        break;

        break;

    case BIO_CTRL_GET_CLOSE:

    case BIO_CTRL_GET_CLOSE:

        break;

        break;

      case BIO_CTRL_SET_CLOSE:

      case BIO_CTRL_SET_CLOSE:

        break;

        break;

      case BIO_CTRL_FLUSH:

      case BIO_CTRL_FLUSH:

        ret = bio_filter_out_flush(bio);

        ret = bio_filter_out_flush(bio);

    return -1;

    return -1;

}

}

typedef struct {

typedef struct {

    int length;

    int length;

static int bio_filter_in_read(BIO *bio, char *in, int inlen)

static int bio_filter_in_read(BIO *bio, char *in, int inlen)

{

{

    apr_size_t inl = inlen;

    apr_size_t inl = inlen;

    apr_read_type_e block = inctx->block;

    apr_read_type_e block = inctx->block;

    inctx->rc = APR_SUCCESS;

    inctx->rc = APR_SUCCESS;

}

}

static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,

static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,

                                      char *buf,

                                      char *buf,

        return APR_EGENERAL;

        return APR_EGENERAL;

    }

    }

    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);

    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);

    if (res < 0) {

    if (res < 0) {

    if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {

    if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {

        bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)

        bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)

        bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)

        bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)

        apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;

        apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;

        ssl_err = SSL_get_error(filter_ctx->pssl, n);

        ssl_err = SSL_get_error(filter_ctx->pssl, n);

        return ap_pass_brigade(f->next, bb);

        return ap_pass_brigade(f->next, bb);

    }

    }

    /* When we are the writer, we must initialize the inctx

    /* When we are the writer, we must initialize the inctx

     * mode so that we block for any required ssl input, because

     * mode so that we block for any required ssl input, because

    filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);

    filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);

    inctx->ssl = ssl;

    inctx->ssl = ssl;

    inctx->bio_out = filter_ctx->pbioWrite;

    inctx->bio_out = filter_ctx->pbioWrite;

    filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,

    filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,

                                                       filter_ctx, r, c);

                                                       filter_ctx, r, c);

    /* write is non blocking for the benefit of async mpm */

    /* write is non blocking for the benefit of async mpm */

    if (c->cs) {

    if (c->cs) {

    }

    }

    return rc;

    return rc;

}

}

#include "util_md5.h"

#include "util_md5.h"

#include "scoreboard.h"

#include "scoreboard.h"

static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

#ifdef HAVE_TLSEXT

#ifdef HAVE_TLSEXT

static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);

static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);

    SSL_set_accept_state(ssl);

    SSL_set_accept_state(ssl);

    SSL_do_handshake(ssl);

    SSL_do_handshake(ssl);

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)

                      "TLS upgrade handshake failed");

                      "TLS upgrade handshake failed");

        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

    X509 *cert;

    X509 *cert;

    X509 *peercert;

    X509 *peercert;

    X509_STORE *cert_store = NULL;

    X509_STORE *cert_store = NULL;

    STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;

    STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;

    const SSL_CIPHER *cipher = NULL;

    const SSL_CIPHER *cipher = NULL;

    int depth, verify_old, verify, n, is_slave = 0;

    int depth, verify_old, verify, n, is_slave = 0;

         * forbidden in the latter case, let ap_die() handle

         * forbidden in the latter case, let ap_die() handle

         * this recursive (same) error.

         * this recursive (same) error.

         */

         */

            return HTTP_FORBIDDEN;

            return HTTP_FORBIDDEN;

        }

        }

        ctx = SSL_get_SSL_CTX(ssl);

        ctx = SSL_get_SSL_CTX(ssl);

                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));

                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));

                     n++)

                     n++)

                {

                {

                    if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {

                    if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {

                        renegotiate = TRUE;

                        renegotiate = TRUE;

                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));

                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));

                     n++)

                     n++)

                {

                {

                    if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {

                    if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {

                        renegotiate = TRUE;

                        renegotiate = TRUE;

                cert = sk_X509_value(cert_stack, 0);

                cert = sk_X509_value(cert_stack, 0);

            }

            }

            depth = SSL_get_verify_depth(ssl);

            depth = SSL_get_verify_depth(ssl);

            if (depth >= 0) {

            if (depth >= 0) {

            }

            }

                                       SSL_get_ex_data_X509_STORE_CTX_idx(),

                                       SSL_get_ex_data_X509_STORE_CTX_idx(),

                                       (char *)ssl);

                                       (char *)ssl);

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)

                              "Re-negotiation verification step failed");

                              "Re-negotiation verification step failed");

                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

            }

            }

            if (cert_stack != SSL_get_peer_cert_chain(ssl)) {

            if (cert_stack != SSL_get_peer_cert_chain(ssl)) {

                /* we created this ourselves, so free it */

                /* we created this ourselves, so free it */

            SSL_renegotiate(ssl);

            SSL_renegotiate(ssl);

            SSL_do_handshake(ssl);

            SSL_do_handshake(ssl);

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)

                              "Re-negotiation request failed");

                              "Re-negotiation request failed");

                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)

            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)

                          "Awaiting re-negotiation handshake");

                          "Awaiting re-negotiation handshake");

            SSL_do_handshake(ssl);

            SSL_do_handshake(ssl);

            sslconn->reneg_state = RENEG_REJECT;

            sslconn->reneg_state = RENEG_REJECT;

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)

                              "Re-negotiation handshake failed");

                              "Re-negotiation handshake failed");

                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

    SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);

    SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);

#endif

#endif

    pkey = SSL_get_privatekey(ssl);

    pkey = SSL_get_privatekey(ssl);

    /*

    /*

     * OpenSSL will call us with either keylen == 512 or keylen == 1024

     * OpenSSL will call us with either keylen == 512 or keylen == 1024

 * so we need to increment here to prevent them from

 * so we need to increment here to prevent them from

 * being freed.

 * being freed.

 */

 */

#define modssl_set_cert_info(info, cert, pkey) \

#define modssl_set_cert_info(info, cert, pkey) \

    *cert = info->x509; \

    *cert = info->x509; \

    CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \

    CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \

    *pkey = info->x_pkey->dec_pkey; \

    *pkey = info->x_pkey->dec_pkey; \

    CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)

    CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)

int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)

int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)

{

{

static void ssl_session_log(server_rec *s,

static void ssl_session_log(server_rec *s,

                            const char *request,

                            const char *request,

                            unsigned int idlen,

                            unsigned int idlen,

                            const char *status,

                            const char *status,

                            const char *result,

                            const char *result,

 *  of our other Apache pre-forked server processes.

 *  of our other Apache pre-forked server processes.

 */

 */

SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,

SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,

                                               int idlen, int *do_copy)

                                               int idlen, int *do_copy)

{

{

    /* Get Apache context back through OpenSSL context */

    /* Get Apache context back through OpenSSL context */

    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {

    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {

        int state = SSL_get_state((SSL *)ssl);

        int state = SSL_get_state((SSL *)ssl);

        if (state == SSL3_ST_SR_CLNT_HELLO_A

        if (state == SSL3_ST_SR_CLNT_HELLO_A

            || state == SSL23_ST_SR_CLNT_HELLO_A) {

            || state == SSL23_ST_SR_CLNT_HELLO_A) {

            scr->reneg_state = RENEG_ABORT;

            scr->reneg_state = RENEG_ABORT;

            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)

            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)

                          "rejecting client initiated renegotiation");

                          "rejecting client initiated renegotiation");

        }

        }

        memcpy(keyname, ticket_key->key_name, 16);

        memcpy(keyname, ticket_key->key_name, 16);

        EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,

        EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,

                           ticket_key->aes_key, iv);

                           ticket_key->aes_key, iv);

        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);

        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);

    SRP_user_pwd *u;

    SRP_user_pwd *u;

    if (username == NULL

    if (username == NULL

        *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;

        *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;

        return SSL3_AL_FATAL;

        return SSL3_AL_FATAL;

    }

    }

    if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {

    if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {

        *ad = SSL_AD_INTERNAL_ERROR;

        *ad = SSL_AD_INTERNAL_ERROR;

        return SSL3_AL_FATAL;

        return SSL3_AL_FATAL;

    }

    }

    /* reset all other options */

    /* reset all other options */

    return SSL_ERROR_NONE;

    return SSL_ERROR_NONE;

}

}

{

{

    OCSP_REQUEST *req = OCSP_REQUEST_new();

    OCSP_REQUEST *req = OCSP_REQUEST_new();

    if (!*certid || !OCSP_request_add0_id(req, *certid)) {

    if (!*certid || !OCSP_request_add0_id(req, *certid)) {

        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)

        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)

                     "could not retrieve certificate id");

                     "could not retrieve certificate id");

    if (rc == V_OCSP_CERTSTATUS_GOOD) {

    if (rc == V_OCSP_CERTSTATUS_GOOD) {

        /* TODO: allow flags configuration. */

        /* TODO: allow flags configuration. */

            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)

            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)

                        "failed to verify the OCSP response");

                        "failed to verify the OCSP response");

            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);

            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);

                      "No cert available to check with OCSP");

                      "No cert available to check with OCSP");

        return 1;

        return 1;

    }

    }

        /* don't do OCSP checking for valid self-issued certs */

        /* don't do OCSP checking for valid self-issued certs */

        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,

        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,

                      "Skipping OCSP check for valid self-issued cert");

                      "Skipping OCSP check for valid self-issued cert");

#include "apr_time.h"

#include "apr_time.h"

/*  _________________________________________________________________

/*  _________________________________________________________________

**

**

**  Variable Lookup

**  Variable Lookup

        resdup = FALSE;

        resdup = FALSE;

    }

    }

    else if (strcEQ(var, "A_SIG")) {

    else if (strcEQ(var, "A_SIG")) {

        result = apr_pstrdup(p,

        result = apr_pstrdup(p,

                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));

                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));

        resdup = FALSE;

        resdup = FALSE;

    }

    }

    else if (strcEQ(var, "A_KEY")) {

    else if (strcEQ(var, "A_KEY")) {

        result = apr_pstrdup(p,

        result = apr_pstrdup(p,

                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));

                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));

        resdup = FALSE;

        resdup = FALSE;

    for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {

    for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {

        if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)

        if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)

            && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {

            && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {

                if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {

                if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {

                    result = modssl_X509_NAME_ENTRY_to_string(p, xsne);

                    result = modssl_X509_NAME_ENTRY_to_string(p, xsne);

static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,

static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,

                       X509_NAME *xn, apr_pool_t *p)

                       X509_NAME *xn, apr_pool_t *p)

{

{

    X509_NAME_ENTRY *xsne;

    X509_NAME_ENTRY *xsne;

    apr_hash_t *count;

    apr_hash_t *count;

    int i, nid;

    int i, nid;

    count = apr_hash_make(p);

    count = apr_hash_make(p);

    /* For each RDN... */

    /* For each RDN... */

         const char *tag;

         const char *tag;

         /* Retrieve the nid, and check whether this is one of the nids

         /* Retrieve the nid, and check whether this is one of the nids

          * which are to be extracted. */

          * which are to be extracted. */

         tag = apr_hash_get(nids, &nid, sizeof nid);

         tag = apr_hash_get(nids, &nid, sizeof nid);

         if (tag) {

         if (tag) {

    for (j = 0; j < count; j++) {

    for (j = 0; j < count; j++) {

        X509_EXTENSION *ext = X509_get_ext(xs, j);

        X509_EXTENSION *ext = X509_get_ext(xs, j);

            BIO *bio = BIO_new(BIO_s_mem());

            BIO *bio = BIO_new(BIO_s_mem());

            /* We want to obtain a string representation of the extensions

            /* We want to obtain a string representation of the extensions

int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);

int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);

int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);

int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);

int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);

int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);

void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);

void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);

void         ssl_callback_Info(const SSL *, int, int);

void         ssl_callback_Info(const SSL *, int, int);

#ifdef HAVE_TLSEXT

#ifdef HAVE_TLSEXT

void         ssl_scache_kill(server_rec *);

void         ssl_scache_kill(server_rec *);

BOOL         ssl_scache_store(server_rec *, UCHAR *, int,

BOOL         ssl_scache_store(server_rec *, UCHAR *, int,

                              apr_time_t, SSL_SESSION *, apr_pool_t *);

                              apr_time_t, SSL_SESSION *, apr_pool_t *);

void         ssl_scache_remove(server_rec *, UCHAR *, int,

void         ssl_scache_remove(server_rec *, UCHAR *, int,

                               apr_pool_t *);

                               apr_pool_t *);

void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);

void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);

void         ssl_io_filter_register(apr_pool_t *);

void         ssl_io_filter_register(apr_pool_t *);

long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);

long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);

/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request

/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request

 * to allow an SSL renegotiation to take place. */

 * to allow an SSL renegotiation to take place. */

    return rv == APR_SUCCESS ? TRUE : FALSE;

    return rv == APR_SUCCESS ? TRUE : FALSE;

}

}

                                 apr_pool_t *p)

                                 apr_pool_t *p)

{

{

    SSLModConfigRec *mc = myModConfig(s);

    SSLModConfigRec *mc = myModConfig(s);

**  _________________________________________________________________

**  _________________________________________________________________

*/

*/

                               char *str, int strsize)

                               char *str, int strsize)

{

{

    if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)

    if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)

char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);

char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);

BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);

BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);

BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);

BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);

#endif /* __SSL_UTIL_SSL_H__ */

#endif /* __SSL_UTIL_SSL_H__ */

/** @} */

/** @} */

    X509 *issuer = NULL;

    X509 *issuer = NULL;

    int i;

    int i;

    X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);

    X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);

    STACK_OF(X509) *extra_certs = NULL;

    STACK_OF(X509) *extra_certs = NULL;

#ifdef OPENSSL_NO_SSL_INTERN

#ifdef OPENSSL_NO_SSL_INTERN

    for (i = 0; i < sk_X509_num(extra_certs); i++) {

    for (i = 0; i < sk_X509_num(extra_certs); i++) {

        issuer = sk_X509_value(extra_certs, i);

        issuer = sk_X509_value(extra_certs, i);

        if (X509_check_issued(issuer, x) == X509_V_OK) {

        if (X509_check_issued(issuer, x) == X509_V_OK) {

            CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);

            CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);

            return issuer;

            return issuer;

        }

        }

    }

    }

        return 0;

        return 0;

        issuer = NULL;

        issuer = NULL;

    return issuer;

    return issuer;

}

}

            if (bio) {

            if (bio) {

                int n;

                int n;

                    ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))

                    ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))

                    snum[n] = '\0';

                    snum[n] = '\0';

                BIO_free(bio);

                BIO_free(bio);

    fprintf(stderr, "    -h              Display usage information (this message)\n");

    fprintf(stderr, "    -h              Display usage information (this message)\n");

#ifdef USE_SSL

#ifdef USE_SSL

#ifndef OPENSSL_NO_SSL3

#ifndef OPENSSL_NO_SSL3

#define SSL3_HELP_MSG "SSL3, "

#define SSL3_HELP_MSG "SSL3, "

#else

#else

    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");

    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");

    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");

    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");

#endif

#endif

    exit(EINVAL);

    exit(EINVAL);

}

}

    char c;

    char c;

#ifdef USE_SSL

#ifdef USE_SSL

    AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();

    AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();

#endif

#endif

    /* table defaults  */

    /* table defaults  */

                break;

                break;

            case 'f':

            case 'f':

                if (strncasecmp(opt_arg, "ALL", 3) == 0) {

                if (strncasecmp(opt_arg, "ALL", 3) == 0) {

#ifndef OPENSSL_NO_SSL3

#ifndef OPENSSL_NO_SSL3

                } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {

                } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {

#endif

#endif

                } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {

                } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {

                } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {

                } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {

                } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {

                } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {

                }

                }

                break;

                break;

#endif

#endif

#ifdef RSAREF

#ifdef RSAREF

    R_malloc_init();

    R_malloc_init();

#else

#else

    CRYPTO_malloc_init();

    CRYPTO_malloc_init();

#endif

#endif

    SSL_load_error_strings();

    SSL_load_error_strings();

    SSL_library_init();

    SSL_library_init();

    bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);

    bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);

        ERR_print_errors(bio_err);

        ERR_print_errors(bio_err);

        exit(1);

        exit(1);

    }

    }

    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);

    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);

#ifdef SSL_MODE_RELEASE_BUFFERS

#ifdef SSL_MODE_RELEASE_BUFFERS

    /* Keep memory usage as low as possible */

    /* Keep memory usage as low as possible */