|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include <assert.h>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include <apr_strings.h>
|
|
Packit |
90a5c9 |
#include <apr_optional.h>
|
|
Packit |
90a5c9 |
#include <apr_optional_hooks.h>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include <httpd.h>
|
|
Packit |
90a5c9 |
#include <http_core.h>
|
|
Packit |
90a5c9 |
#include <http_config.h>
|
|
Packit |
90a5c9 |
#include <http_connection.h>
|
|
Packit |
90a5c9 |
#include <http_protocol.h>
|
|
Packit |
90a5c9 |
#include <http_request.h>
|
|
Packit |
90a5c9 |
#include <http_log.h>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "mod_ssl.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "mod_http2.h"
|
|
Packit |
90a5c9 |
#include "h2_private.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "h2_bucket_beam.h"
|
|
Packit |
90a5c9 |
#include "h2_stream.h"
|
|
Packit |
90a5c9 |
#include "h2_task.h"
|
|
Packit |
90a5c9 |
#include "h2_config.h"
|
|
Packit |
90a5c9 |
#include "h2_ctx.h"
|
|
Packit |
90a5c9 |
#include "h2_conn.h"
|
|
Packit |
90a5c9 |
#include "h2_filter.h"
|
|
Packit |
90a5c9 |
#include "h2_request.h"
|
|
Packit |
90a5c9 |
#include "h2_headers.h"
|
|
Packit |
90a5c9 |
#include "h2_session.h"
|
|
Packit |
90a5c9 |
#include "h2_util.h"
|
|
Packit |
90a5c9 |
#include "h2_h2.h"
|
|
Packit |
90a5c9 |
#include "mod_http2.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *h2_tls_protos[] = {
|
|
Packit |
90a5c9 |
"h2", NULL
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *h2_clear_protos[] = {
|
|
Packit |
90a5c9 |
"h2c", NULL
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *H2_MAGIC_TOKEN = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*******************************************************************************
|
|
Packit |
90a5c9 |
* The optional mod_ssl functions we need.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(ssl_is_https) *opt_ssl_is_https;
|
|
Packit |
90a5c9 |
static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *opt_ssl_var_lookup;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*******************************************************************************
|
|
Packit |
90a5c9 |
* HTTP/2 error stuff
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static const char *h2_err_descr[] = {
|
|
Packit |
90a5c9 |
"no error", /* 0x0 */
|
|
Packit |
90a5c9 |
"protocol error",
|
|
Packit |
90a5c9 |
"internal error",
|
|
Packit |
90a5c9 |
"flow control error",
|
|
Packit |
90a5c9 |
"settings timeout",
|
|
Packit |
90a5c9 |
"stream closed", /* 0x5 */
|
|
Packit |
90a5c9 |
"frame size error",
|
|
Packit |
90a5c9 |
"refused stream",
|
|
Packit |
90a5c9 |
"cancel",
|
|
Packit |
90a5c9 |
"compression error",
|
|
Packit |
90a5c9 |
"connect error", /* 0xa */
|
|
Packit |
90a5c9 |
"enhance your calm",
|
|
Packit |
90a5c9 |
"inadequate security",
|
|
Packit |
90a5c9 |
"http/1.1 required",
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
const char *h2_h2_err_description(unsigned int h2_error)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
if (h2_error < (sizeof(h2_err_descr)/sizeof(h2_err_descr[0]))) {
|
|
Packit |
90a5c9 |
return h2_err_descr[h2_error];
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return "unknown http/2 error code";
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*******************************************************************************
|
|
Packit |
90a5c9 |
* Check connection security requirements of RFC 7540
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*
|
|
Packit |
90a5c9 |
* Black Listed Ciphers from RFC 7549 Appendix A
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static const char *RFC7540_names[] = {
|
|
Packit |
90a5c9 |
/* ciphers with NULL encrpytion */
|
|
Packit |
90a5c9 |
"NULL-MD5", /* TLS_NULL_WITH_NULL_NULL */
|
|
Packit |
90a5c9 |
/* same */ /* TLS_RSA_WITH_NULL_MD5 */
|
|
Packit |
90a5c9 |
"NULL-SHA", /* TLS_RSA_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"NULL-SHA256", /* TLS_RSA_WITH_NULL_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-NULL-SHA", /* TLS_PSK_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"DHE-PSK-NULL-SHA", /* TLS_DHE_PSK_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"RSA-PSK-NULL-SHA", /* TLS_RSA_PSK_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"PSK-NULL-SHA256", /* TLS_PSK_WITH_NULL_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-NULL-SHA384", /* TLS_PSK_WITH_NULL_SHA384 */
|
|
Packit |
90a5c9 |
"DHE-PSK-NULL-SHA256", /* TLS_DHE_PSK_WITH_NULL_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-PSK-NULL-SHA384", /* TLS_DHE_PSK_WITH_NULL_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-NULL-SHA256", /* TLS_RSA_PSK_WITH_NULL_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-NULL-SHA384", /* TLS_RSA_PSK_WITH_NULL_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-NULL-SHA", /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-NULL-SHA", /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"ECDH-RSA-NULL-SHA", /* TLS_ECDH_RSA_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-NULL-SHA", /* TLS_ECDHE_RSA_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"AECDH-NULL-SHA", /* TLS_ECDH_anon_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-NULL-SHA", /* TLS_ECDHE_PSK_WITH_NULL_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-NULL-SHA256", /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-NULL-SHA384", /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* DES/3DES ciphers */
|
|
Packit |
90a5c9 |
"PSK-3DES-EDE-CBC-SHA", /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-PSK-3DES-EDE-CBC-SHA", /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"RSA-PSK-3DES-EDE-CBC-SHA", /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-DES-CBC3-SHA", /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-DES-CBC3-SHA", /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDH-RSA-DES-CBC3-SHA", /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-DES-CBC3-SHA", /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"AECDH-DES-CBC3-SHA", /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-3DES-EDE-CBC-SHA", /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-RSA-3DES-EDE-CBC-SHA", /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-DSS-3DES-EDE-CBC-SHA", /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-3DES-EDE-CBC-SHA", /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"DES-CBC-SHA", /* TLS_RSA_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"DES-CBC3-SHA", /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-DSS-DES-CBC3-SHA", /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-DES-CBC-SHA", /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-DES-CBC3-SHA", /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-DES-CBC-SHA", /* TLS_DH_anon_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-DES-CBC3-SHA", /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"EXP-DH-DSS-DES-CBC-SHA", /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-DES-CBC-SHA", /* TLS_DH_DSS_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-DES-CBC3-SHA", /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"EXP-DH-RSA-DES-CBC-SHA", /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-DES-CBC-SHA", /* TLS_DH_RSA_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-DES-CBC3-SHA", /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted EXPORT ciphers */
|
|
Packit |
90a5c9 |
"EXP-RC4-MD5", /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
|
|
Packit |
90a5c9 |
"EXP-RC2-CBC-MD5", /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
|
|
Packit |
90a5c9 |
"EXP-DES-CBC-SHA", /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
|
|
Packit |
90a5c9 |
"EXP-DHE-DSS-DES-CBC-SHA", /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
|
|
Packit |
90a5c9 |
"EXP-DHE-RSA-DES-CBC-SHA", /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
|
|
Packit |
90a5c9 |
"EXP-ADH-DES-CBC-SHA", /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
|
|
Packit |
90a5c9 |
"EXP-ADH-RC4-MD5", /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted RC4 encryption */
|
|
Packit |
90a5c9 |
"RC4-MD5", /* TLS_RSA_WITH_RC4_128_MD5 */
|
|
Packit |
90a5c9 |
"RC4-SHA", /* TLS_RSA_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"ADH-RC4-MD5", /* TLS_DH_anon_WITH_RC4_128_MD5 */
|
|
Packit |
90a5c9 |
"KRB5-RC4-SHA", /* TLS_KRB5_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"KRB5-RC4-MD5", /* TLS_KRB5_WITH_RC4_128_MD5 */
|
|
Packit |
90a5c9 |
"EXP-KRB5-RC4-SHA", /* TLS_KRB5_EXPORT_WITH_RC4_40_SHA */
|
|
Packit |
90a5c9 |
"EXP-KRB5-RC4-MD5", /* TLS_KRB5_EXPORT_WITH_RC4_40_MD5 */
|
|
Packit |
90a5c9 |
"PSK-RC4-SHA", /* TLS_PSK_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"DHE-PSK-RC4-SHA", /* TLS_DHE_PSK_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"RSA-PSK-RC4-SHA", /* TLS_RSA_PSK_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-RC4-SHA", /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-RC4-SHA", /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"ECDH-RSA-RC4-SHA", /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-RC4-SHA", /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"AECDH-RC4-SHA", /* TLS_ECDH_anon_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-RC4-SHA", /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted AES128 encrpytion ciphers */
|
|
Packit |
90a5c9 |
"AES128-SHA256", /* TLS_RSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-AES128-SHA", /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-AES128-SHA", /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-DSS-AES128-SHA", /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-AES128-SHA", /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-AES128-SHA", /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"AES128-SHA256", /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-AES128-SHA256", /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-AES128-SHA256", /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-DSS-AES128-SHA256", /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-RSA-AES128-SHA256", /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-AES128-SHA", /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-AES128-SHA", /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDH-RSA-AES128-SHA", /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-AES128-SHA", /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"AECDH-AES128-SHA", /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-AES128-SHA256", /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-AES128-SHA256", /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-AES128-SHA256", /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-AES128-SHA256", /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-AES128-SHA256", /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-AES128-CBC-SHA", /* TLS_PSK_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-PSK-AES128-CBC-SHA", /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"RSA-PSK-AES128-CBC-SHA", /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"PSK-AES128-CBC-SHA256", /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-PSK-AES128-CBC-SHA256", /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-AES128-CBC-SHA256", /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-AES128-CBC-SHA", /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-AES128-CBC-SHA256", /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"AES128-CCM", /* TLS_RSA_WITH_AES_128_CCM */
|
|
Packit |
90a5c9 |
"AES128-CCM8", /* TLS_RSA_WITH_AES_128_CCM_8 */
|
|
Packit |
90a5c9 |
"PSK-AES128-CCM", /* TLS_PSK_WITH_AES_128_CCM */
|
|
Packit |
90a5c9 |
"PSK-AES128-CCM8", /* TLS_PSK_WITH_AES_128_CCM_8 */
|
|
Packit |
90a5c9 |
"AES128-GCM-SHA256", /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-AES128-GCM-SHA256", /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-AES128-GCM-SHA256", /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-AES128-GCM-SHA256", /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-AES128-GCM-SHA256", /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-AES128-GCM-SHA256", /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-AES128-GCM-SHA256", /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-AES128-GCM-SHA256", /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"SRP-AES-128-CBC-SHA", /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-RSA-AES-128-CBC-SHA", /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-DSS-AES-128-CBC-SHA", /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted AES256 encrpytion ciphers */
|
|
Packit |
90a5c9 |
"AES256-SHA", /* TLS_RSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-AES256-SHA", /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-AES256-SHA", /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-DSS-AES256-SHA", /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-AES256-SHA", /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-AES256-SHA", /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"AES256-SHA256", /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-AES256-SHA256", /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-AES256-SHA256", /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-DSS-AES256-SHA256", /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-RSA-AES256-SHA256", /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-AES256-SHA256", /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-AES256-SHA", /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-AES256-SHA", /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDH-RSA-AES256-SHA", /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-AES256-SHA", /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"AECDH-AES256-SHA", /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-AES256-SHA384", /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-AES256-SHA384", /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-AES256-SHA384", /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-AES256-SHA384", /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"PSK-AES256-CBC-SHA", /* TLS_PSK_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-PSK-AES256-CBC-SHA", /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"RSA-PSK-AES256-CBC-SHA", /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"PSK-AES256-CBC-SHA384", /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DHE-PSK-AES256-CBC-SHA384", /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-AES256-CBC-SHA384", /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-AES256-CBC-SHA", /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-AES256-CBC-SHA384", /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"SRP-AES-256-CBC-SHA", /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-RSA-AES-256-CBC-SHA", /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"SRP-DSS-AES-256-CBC-SHA", /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"AES256-CCM", /* TLS_RSA_WITH_AES_256_CCM */
|
|
Packit |
90a5c9 |
"AES256-CCM8", /* TLS_RSA_WITH_AES_256_CCM_8 */
|
|
Packit |
90a5c9 |
"PSK-AES256-CCM", /* TLS_PSK_WITH_AES_256_CCM */
|
|
Packit |
90a5c9 |
"PSK-AES256-CCM8", /* TLS_PSK_WITH_AES_256_CCM_8 */
|
|
Packit |
90a5c9 |
"AES256-GCM-SHA384", /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"DH-RSA-AES256-GCM-SHA384", /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"DH-DSS-AES256-GCM-SHA384", /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ADH-AES256-GCM-SHA384", /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"PSK-AES256-GCM-SHA384", /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-AES256-GCM-SHA384", /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-AES256-GCM-SHA384", /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-AES256-GCM-SHA384", /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted CAMELLIA128 encrpytion ciphers */
|
|
Packit |
90a5c9 |
"CAMELLIA128-SHA", /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-CAMELLIA128-SHA", /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-CAMELLIA128-SHA", /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-DSS-CAMELLIA128-SHA", /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-CAMELLIA128-SHA", /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-CAMELLIA128-SHA", /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-CAMELLIA128-SHA256", /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-CAMELLIA128-SHA256", /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-CAMELLIA128-SHA256", /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-CAMELLIA128-SHA256", /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-CAMELLIA128-SHA256", /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-PSK-CAMELLIA128-SHA256", /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-CAMELLIA128-SHA256", /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-CAMELLIA128-SHA256", /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"CAMELLIA128-GCM-SHA256", /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-CAMELLIA128-GCM-SHA256", /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-CAMELLIA128-GCM-SHA256", /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-CAMELLIA128-GCM-SHA256", /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-CAMELLIA128-GCM-SHA256",/* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-CAMELLIA128-GCM-SHA256", /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-CAMELLIA128-GCM-SHA256", /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-CAMELLIA128-GCM-SHA256", /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"CAMELLIA128-SHA256", /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-CAMELLIA128-SHA256", /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-CAMELLIA128-SHA256", /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-DSS-CAMELLIA128-SHA256", /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-RSA-CAMELLIA128-SHA256", /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-CAMELLIA128-SHA256", /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted CAMELLIA256 encrpytion ciphers */
|
|
Packit |
90a5c9 |
"CAMELLIA256-SHA", /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-CAMELLIA256-SHA", /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-CAMELLIA256-SHA", /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-DSS-CAMELLIA256-SHA", /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-CAMELLIA256-SHA", /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-CAMELLIA256-SHA", /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-CAMELLIA256-SHA384", /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-CAMELLIA256-SHA384", /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-CAMELLIA256-SHA384", /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-CAMELLIA256-SHA384", /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"PSK-CAMELLIA256-SHA384", /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DHE-PSK-CAMELLIA256-SHA384", /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-CAMELLIA256-SHA384", /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-CAMELLIA256-SHA384", /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"CAMELLIA256-SHA256", /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-CAMELLIA256-SHA256", /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-CAMELLIA256-SHA256", /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-DSS-CAMELLIA256-SHA256", /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-RSA-CAMELLIA256-SHA256", /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-CAMELLIA256-SHA256", /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"CAMELLIA256-GCM-SHA384", /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"DH-RSA-CAMELLIA256-GCM-SHA384", /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"DH-DSS-CAMELLIA256-GCM-SHA384", /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ADH-CAMELLIA256-GCM-SHA384", /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-CAMELLIA256-GCM-SHA384",/* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-CAMELLIA256-GCM-SHA384", /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"PSK-CAMELLIA256-GCM-SHA384", /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-CAMELLIA256-GCM-SHA384", /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* The blacklisted ARIA encrpytion ciphers */
|
|
Packit |
90a5c9 |
"ARIA128-SHA256", /* TLS_RSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ARIA256-SHA384", /* TLS_RSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DH-DSS-ARIA128-SHA256", /* TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-ARIA256-SHA384", /* TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DH-RSA-ARIA128-SHA256", /* TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-ARIA256-SHA384", /* TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DHE-DSS-ARIA128-SHA256", /* TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-DSS-ARIA256-SHA384", /* TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DHE-RSA-ARIA128-SHA256", /* TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-RSA-ARIA256-SHA384", /* TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ADH-ARIA128-SHA256", /* TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-ARIA256-SHA384", /* TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-ARIA128-SHA256", /* TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-ECDSA-ARIA256-SHA384", /* TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-ARIA128-SHA256", /* TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-ARIA256-SHA384", /* TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-ARIA128-SHA256", /* TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-RSA-ARIA256-SHA384", /* TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-ARIA128-SHA256", /* TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-ARIA256-SHA384", /* TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ARIA128-GCM-SHA256", /* TLS_RSA_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ARIA256-GCM-SHA384", /* TLS_RSA_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"DH-DSS-ARIA128-GCM-SHA256", /* TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"DH-DSS-ARIA256-GCM-SHA384", /* TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"DH-RSA-ARIA128-GCM-SHA256", /* TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"DH-RSA-ARIA256-GCM-SHA384", /* TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ADH-ARIA128-GCM-SHA256", /* TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ADH-ARIA256-GCM-SHA384", /* TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-ARIA128-GCM-SHA256", /* TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-ECDSA-ARIA256-GCM-SHA384", /* TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-ARIA128-GCM-SHA256", /* TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ECDH-RSA-ARIA256-GCM-SHA384", /* TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"PSK-ARIA128-SHA256", /* TLS_PSK_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"PSK-ARIA256-SHA384", /* TLS_PSK_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"DHE-PSK-ARIA128-SHA256", /* TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"DHE-PSK-ARIA256-SHA384", /* TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-ARIA128-SHA256", /* TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-ARIA256-SHA384", /* TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
"ARIA128-GCM-SHA256", /* TLS_PSK_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"ARIA256-GCM-SHA384", /* TLS_PSK_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"RSA-PSK-ARIA128-GCM-SHA256", /* TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 */
|
|
Packit |
90a5c9 |
"RSA-PSK-ARIA256-GCM-SHA384", /* TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-ARIA128-SHA256", /* TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 */
|
|
Packit |
90a5c9 |
"ECDHE-PSK-ARIA256-SHA384", /* TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted SEED encryptions */
|
|
Packit |
90a5c9 |
"SEED-SHA", /*TLS_RSA_WITH_SEED_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-DSS-SEED-SHA", /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
|
|
Packit |
90a5c9 |
"DH-RSA-SEED-SHA", /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-DSS-SEED-SHA", /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
|
|
Packit |
90a5c9 |
"DHE-RSA-SEED-SHA", /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
|
|
Packit |
90a5c9 |
"ADH-SEED-SHA", /* TLS_DH_anon_WITH_SEED_CBC_SHA */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted KRB5 ciphers */
|
|
Packit |
90a5c9 |
"KRB5-DES-CBC-SHA", /* TLS_KRB5_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"KRB5-DES-CBC3-SHA", /* TLS_KRB5_WITH_3DES_EDE_CBC_SHA */
|
|
Packit |
90a5c9 |
"KRB5-IDEA-CBC-SHA", /* TLS_KRB5_WITH_IDEA_CBC_SHA */
|
|
Packit |
90a5c9 |
"KRB5-DES-CBC-MD5", /* TLS_KRB5_WITH_DES_CBC_MD5 */
|
|
Packit |
90a5c9 |
"KRB5-DES-CBC3-MD5", /* TLS_KRB5_WITH_3DES_EDE_CBC_MD5 */
|
|
Packit |
90a5c9 |
"KRB5-IDEA-CBC-MD5", /* TLS_KRB5_WITH_IDEA_CBC_MD5 */
|
|
Packit |
90a5c9 |
"EXP-KRB5-DES-CBC-SHA", /* TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA */
|
|
Packit |
90a5c9 |
"EXP-KRB5-DES-CBC-MD5", /* TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 */
|
|
Packit |
90a5c9 |
"EXP-KRB5-RC2-CBC-SHA", /* TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA */
|
|
Packit |
90a5c9 |
"EXP-KRB5-RC2-CBC-MD5", /* TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* blacklisted exoticas */
|
|
Packit |
90a5c9 |
"DHE-DSS-CBC-SHA", /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
|
|
Packit |
90a5c9 |
"IDEA-CBC-SHA", /* TLS_RSA_WITH_IDEA_CBC_SHA */
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* not really sure if the following names are correct */
|
|
Packit |
90a5c9 |
"SSL3_CK_SCSV", /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
|
|
Packit |
90a5c9 |
"SSL3_CK_FALLBACK_SCSV"
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
static size_t RFC7540_names_LEN = sizeof(RFC7540_names)/sizeof(RFC7540_names[0]);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static apr_hash_t *BLCNames;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void cipher_init(apr_pool_t *pool)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_hash_t *hash = apr_hash_make(pool);
|
|
Packit |
90a5c9 |
const char *source;
|
|
Packit |
90a5c9 |
unsigned int i;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
source = "rfc7540";
|
|
Packit |
90a5c9 |
for (i = 0; i < RFC7540_names_LEN; ++i) {
|
|
Packit |
90a5c9 |
apr_hash_set(hash, RFC7540_names[i], APR_HASH_KEY_STRING, source);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
BLCNames = hash;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int cipher_is_blacklisted(const char *cipher, const char **psource)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
*psource = apr_hash_get(BLCNames, cipher, APR_HASH_KEY_STRING);
|
|
Packit |
90a5c9 |
return !!*psource;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*******************************************************************************
|
|
Packit |
90a5c9 |
* Hooks for processing incoming connections:
|
|
Packit |
90a5c9 |
* - process_conn take over connection in case of h2
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static int h2_h2_process_conn(conn_rec* c);
|
|
Packit |
90a5c9 |
static int h2_h2_pre_close_conn(conn_rec* c);
|
|
Packit |
90a5c9 |
static int h2_h2_post_read_req(request_rec *r);
|
|
Packit |
90a5c9 |
static int h2_h2_late_fixups(request_rec *r);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*******************************************************************************
|
|
Packit |
90a5c9 |
* Once per lifetime init, retrieve optional functions
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_status_t h2_h2_init(apr_pool_t *pool, server_rec *s)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
(void)pool;
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "h2_h2, child_init");
|
|
Packit |
90a5c9 |
opt_ssl_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
|
|
Packit |
90a5c9 |
opt_ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!opt_ssl_is_https || !opt_ssl_var_lookup) {
|
|
Packit |
90a5c9 |
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
|
Packit |
90a5c9 |
APLOGNO(02951) "mod_ssl does not seem to be enabled");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
cipher_init(pool);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return APR_SUCCESS;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int h2_h2_is_tls(conn_rec *c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
return opt_ssl_is_https && opt_ssl_is_https(c);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int h2_is_acceptable_connection(conn_rec *c, int require_all)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
int is_tls = h2_h2_is_tls(c);
|
|
Packit |
90a5c9 |
const h2_config *cfg = h2_config_get(c);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (is_tls && h2_config_geti(cfg, H2_CONF_MODERN_TLS_ONLY) > 0) {
|
|
Packit |
90a5c9 |
/* Check TLS connection for modern TLS parameters, as defined in
|
|
Packit |
90a5c9 |
* RFC 7540 and https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_pool_t *pool = c->pool;
|
|
Packit |
90a5c9 |
server_rec *s = c->base_server;
|
|
Packit |
90a5c9 |
char *val;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!opt_ssl_var_lookup) {
|
|
Packit |
90a5c9 |
/* unable to check */
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Need Tlsv1.2 or higher, rfc 7540, ch. 9.2
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
val = opt_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_PROTOCOL");
|
|
Packit |
90a5c9 |
if (val && *val) {
|
|
Packit |
90a5c9 |
if (strncmp("TLS", val, 3)
|
|
Packit |
90a5c9 |
|| !strcmp("TLSv1", val)
|
|
Packit |
90a5c9 |
|| !strcmp("TLSv1.1", val)) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03050)
|
|
Packit |
90a5c9 |
"h2_h2(%ld): tls protocol not suitable: %s",
|
|
Packit |
90a5c9 |
(long)c->id, val);
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (require_all) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03051)
|
|
Packit |
90a5c9 |
"h2_h2(%ld): tls protocol is indetermined", (long)c->id);
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* Check TLS cipher blacklist
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
val = opt_ssl_var_lookup(pool, s, c, NULL, (char*)"SSL_CIPHER");
|
|
Packit |
90a5c9 |
if (val && *val) {
|
|
Packit |
90a5c9 |
const char *source;
|
|
Packit |
90a5c9 |
if (cipher_is_blacklisted(val, &source)) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03052)
|
|
Packit |
90a5c9 |
"h2_h2(%ld): tls cipher %s blacklisted by %s",
|
|
Packit |
90a5c9 |
(long)c->id, val, source);
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (require_all) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03053)
|
|
Packit |
90a5c9 |
"h2_h2(%ld): tls cipher is indetermined", (long)c->id);
|
|
Packit |
90a5c9 |
return 0;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int h2_allows_h2_direct(conn_rec *c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const h2_config *cfg = h2_config_get(c);
|
|
Packit |
90a5c9 |
int is_tls = h2_h2_is_tls(c);
|
|
Packit |
90a5c9 |
const char *needed_protocol = is_tls? "h2" : "h2c";
|
|
Packit |
90a5c9 |
int h2_direct = h2_config_geti(cfg, H2_CONF_DIRECT);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (h2_direct < 0) {
|
|
Packit |
90a5c9 |
h2_direct = is_tls? 0 : 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return (h2_direct
|
|
Packit |
90a5c9 |
&& ap_is_allowed_protocol(c, NULL, NULL, needed_protocol));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int h2_allows_h2_upgrade(conn_rec *c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const h2_config *cfg = h2_config_get(c);
|
|
Packit |
90a5c9 |
int h2_upgrade = h2_config_geti(cfg, H2_CONF_UPGRADE);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return h2_upgrade > 0 || (h2_upgrade < 0 && !h2_h2_is_tls(c));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/*******************************************************************************
|
|
Packit |
90a5c9 |
* Register various hooks
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
static const char* const mod_ssl[] = { "mod_ssl.c", NULL};
|
|
Packit |
90a5c9 |
static const char* const mod_reqtimeout[] = { "mod_reqtimeout.c", NULL};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
void h2_h2_register_hooks(void)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* Our main processing needs to run quite late. Definitely after mod_ssl,
|
|
Packit |
90a5c9 |
* as we need its connection filters, but also before reqtimeout as its
|
|
Packit |
90a5c9 |
* method of timeouts is specific to HTTP/1.1 (as of now).
|
|
Packit |
90a5c9 |
* The core HTTP/1 processing run as REALLY_LAST, so we will have
|
|
Packit |
90a5c9 |
* a chance to take over before it.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
ap_hook_process_connection(h2_h2_process_conn,
|
|
Packit |
90a5c9 |
mod_ssl, mod_reqtimeout, APR_HOOK_LAST);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* One last chance to properly say goodbye if we have not done so
|
|
Packit |
90a5c9 |
* already. */
|
|
Packit |
90a5c9 |
ap_hook_pre_close_connection(h2_h2_pre_close_conn, NULL, mod_ssl, APR_HOOK_LAST);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* With "H2SerializeHeaders On", we install the filter in this hook
|
|
Packit |
90a5c9 |
* that parses the response. This needs to happen before any other post
|
|
Packit |
90a5c9 |
* read function terminates the request with an error. Otherwise we will
|
|
Packit |
90a5c9 |
* never see the response.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
ap_hook_post_read_request(h2_h2_post_read_req, NULL, NULL, APR_HOOK_REALLY_FIRST);
|
|
Packit |
90a5c9 |
ap_hook_fixups(h2_h2_late_fixups, NULL, NULL, APR_HOOK_LAST);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* special bucket type transfer through a h2_bucket_beam */
|
|
Packit |
90a5c9 |
h2_register_bucket_beamer(h2_bucket_headers_beam);
|
|
Packit |
90a5c9 |
h2_register_bucket_beamer(h2_bucket_observer_beam);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
int h2_h2_process_conn(conn_rec* c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
apr_status_t status;
|
|
Packit |
90a5c9 |
h2_ctx *ctx;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (c->master) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ctx = h2_ctx_get(c, 0);
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "h2_h2, process_conn");
|
|
Packit |
90a5c9 |
if (h2_ctx_is_task(ctx)) {
|
|
Packit |
90a5c9 |
/* our stream pseudo connection */
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "h2_h2, task, declined");
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!ctx && c->keepalives == 0) {
|
|
Packit |
90a5c9 |
const char *proto = ap_get_protocol(c);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (APLOGctrace1(c)) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "h2_h2, process_conn, "
|
|
Packit |
90a5c9 |
"new connection using protocol '%s', direct=%d, "
|
|
Packit |
90a5c9 |
"tls acceptable=%d", proto, h2_allows_h2_direct(c),
|
|
Packit |
90a5c9 |
h2_is_acceptable_connection(c, 1));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!strcmp(AP_PROTOCOL_HTTP1, proto)
|
|
Packit |
90a5c9 |
&& h2_allows_h2_direct(c)
|
|
Packit |
90a5c9 |
&& h2_is_acceptable_connection(c, 1)) {
|
|
Packit |
90a5c9 |
/* Fresh connection still is on http/1.1 and H2Direct is enabled.
|
|
Packit |
90a5c9 |
* Otherwise connection is in a fully acceptable state.
|
|
Packit |
90a5c9 |
* -> peek at the first 24 incoming bytes
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
apr_bucket_brigade *temp;
|
|
Packit |
90a5c9 |
char *s = NULL;
|
|
Packit |
90a5c9 |
apr_size_t slen;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
temp = apr_brigade_create(c->pool, c->bucket_alloc);
|
|
Packit |
90a5c9 |
status = ap_get_brigade(c->input_filters, temp,
|
|
Packit |
90a5c9 |
AP_MODE_SPECULATIVE, APR_BLOCK_READ, 24);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (status != APR_SUCCESS) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c, APLOGNO(03054)
|
|
Packit |
90a5c9 |
"h2_h2, error reading 24 bytes speculative");
|
|
Packit |
90a5c9 |
apr_brigade_destroy(temp);
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_brigade_pflatten(temp, &s, &slen, c->pool);
|
|
Packit |
90a5c9 |
if ((slen >= 24) && !memcmp(H2_MAGIC_TOKEN, s, 24)) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
|
|
Packit |
90a5c9 |
"h2_h2, direct mode detected");
|
|
Packit |
90a5c9 |
if (!ctx) {
|
|
Packit |
90a5c9 |
ctx = h2_ctx_get(c, 1);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
h2_ctx_protocol_set(ctx, h2_h2_is_tls(c)? "h2" : "h2c");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else if (APLOGctrace2(c)) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
|
|
Packit |
90a5c9 |
"h2_h2, not detected in %d bytes(base64): %s",
|
|
Packit |
90a5c9 |
(int)slen, h2_util_base64url_encode(s, slen, c->pool));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
apr_brigade_destroy(temp);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (ctx) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "process_conn");
|
|
Packit |
90a5c9 |
if (!h2_ctx_session_get(ctx)) {
|
|
Packit |
90a5c9 |
status = h2_conn_setup(ctx, c, NULL);
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, c, "conn_setup");
|
|
Packit |
90a5c9 |
if (status != APR_SUCCESS) {
|
|
Packit |
90a5c9 |
h2_ctx_clear(c);
|
|
Packit |
90a5c9 |
return !OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
h2_conn_run(ctx, c);
|
|
Packit |
90a5c9 |
return OK;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "h2_h2, declined");
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int h2_h2_pre_close_conn(conn_rec *c)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
h2_ctx *ctx;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* slave connection? */
|
|
Packit |
90a5c9 |
if (c->master) {
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ctx = h2_ctx_get(c, 0);
|
|
Packit |
90a5c9 |
if (ctx) {
|
|
Packit |
90a5c9 |
/* If the session has been closed correctly already, we will not
|
|
Packit |
90a5c9 |
* find a h2_ctx here. The presence indicates that the session
|
|
Packit |
90a5c9 |
* is still ongoing. */
|
|
Packit |
90a5c9 |
return h2_conn_pre_close(ctx, c);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void check_push(request_rec *r, const char *tag)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
const h2_config *conf = h2_config_rget(r);
|
|
Packit |
90a5c9 |
if (!r->expecting_100
|
|
Packit |
90a5c9 |
&& conf && conf->push_list && conf->push_list->nelts > 0) {
|
|
Packit |
90a5c9 |
int i, old_status;
|
|
Packit |
90a5c9 |
const char *old_line;
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
|
|
Packit |
90a5c9 |
"%s, early announcing %d resources for push",
|
|
Packit |
90a5c9 |
tag, conf->push_list->nelts);
|
|
Packit |
90a5c9 |
for (i = 0; i < conf->push_list->nelts; ++i) {
|
|
Packit |
90a5c9 |
h2_push_res *push = &APR_ARRAY_IDX(conf->push_list, i, h2_push_res);
|
|
Packit |
90a5c9 |
apr_table_add(r->headers_out, "Link",
|
|
Packit |
90a5c9 |
apr_psprintf(r->pool, "<%s>; rel=preload%s",
|
|
Packit |
90a5c9 |
push->uri_ref, push->critical? "; critical" : ""));
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
old_status = r->status;
|
|
Packit |
90a5c9 |
old_line = r->status_line;
|
|
Packit |
90a5c9 |
r->status = 103;
|
|
Packit |
90a5c9 |
r->status_line = "103 Early Hints";
|
|
Packit |
90a5c9 |
ap_send_interim_response(r, 1);
|
|
Packit |
90a5c9 |
r->status = old_status;
|
|
Packit |
90a5c9 |
r->status_line = old_line;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int h2_h2_post_read_req(request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* slave connection? */
|
|
Packit |
90a5c9 |
if (r->connection->master) {
|
|
Packit |
90a5c9 |
h2_ctx *ctx = h2_ctx_rget(r);
|
|
Packit |
90a5c9 |
struct h2_task *task = h2_ctx_get_task(ctx);
|
|
Packit |
90a5c9 |
/* This hook will get called twice on internal redirects. Take care
|
|
Packit |
90a5c9 |
* that we manipulate filters only once. */
|
|
Packit |
90a5c9 |
if (task && !task->filters_set) {
|
|
Packit |
90a5c9 |
ap_filter_t *f;
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
|
|
Packit |
90a5c9 |
"h2_task(%s): adding request filters", task->id);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* setup the correct filters to process the request for h2 */
|
|
Packit |
90a5c9 |
ap_add_input_filter("H2_REQUEST", task, r, r->connection);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* replace the core http filter that formats response headers
|
|
Packit |
90a5c9 |
* in HTTP/1 with our own that collects status and headers */
|
|
Packit |
90a5c9 |
ap_remove_output_filter_byhandle(r->output_filters, "HTTP_HEADER");
|
|
Packit |
90a5c9 |
ap_add_output_filter("H2_RESPONSE", task, r, r->connection);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
for (f = r->input_filters; f; f = f->next) {
|
|
Packit |
90a5c9 |
if (!strcmp("H2_SLAVE_IN", f->frec->name)) {
|
|
Packit |
90a5c9 |
f->r = r;
|
|
Packit |
90a5c9 |
break;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
ap_add_output_filter("H2_TRAILERS_OUT", task, r, r->connection);
|
|
Packit |
90a5c9 |
task->filters_set = 1;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static int h2_h2_late_fixups(request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* slave connection? */
|
|
Packit |
90a5c9 |
if (r->connection->master) {
|
|
Packit |
90a5c9 |
h2_ctx *ctx = h2_ctx_rget(r);
|
|
Packit |
90a5c9 |
struct h2_task *task = h2_ctx_get_task(ctx);
|
|
Packit |
90a5c9 |
if (task) {
|
|
Packit |
90a5c9 |
/* check if we copy vs. setaside files in this location */
|
|
Packit |
90a5c9 |
task->output.copy_files = h2_config_geti(h2_config_rget(r),
|
|
Packit |
90a5c9 |
H2_CONF_COPY_FILES);
|
|
Packit |
90a5c9 |
if (task->output.copy_files) {
|
|
Packit |
90a5c9 |
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, task->c,
|
|
Packit |
90a5c9 |
"h2_slave_out(%s): copy_files on", task->id);
|
|
Packit |
90a5c9 |
h2_beam_on_file_beam(task->output.beam, h2_beam_no_files, NULL);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
check_push(r, "late_fixup");
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
return DECLINED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|