/* Licensed to the Apache Software Foundation (ASF) under one or more

 * contributor license agreements.  See the NOTICE file distributed with

 * this work for additional information regarding copyright ownership.

 * The ASF licenses this file to You under the Apache License, Version 2.0

 * (the "License"); you may not use this file except in compliance with

 * the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

/*                      _             _

 *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl

 * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL

 * | | | | | | (_) | (_| |   \__ \__ \ |

 * |_| |_| |_|\___/ \__,_|___|___/___/_|

 *                      |_____|

 *  ssl_engine_kernel.c

 *  The SSL engine kernel

 */

                             /* ``It took me fifteen years to discover

                                  I had no talent for programming, but

                                  I couldn't give it up because by that

                                  time I was too famous.''

                                            -- Unknown                */

#include "ssl_private.h"

#include "mod_ssl.h"

#include "util_md5.h"

#include "scoreboard.h"

static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);

#ifdef HAVE_TLSEXT

static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);

#endif

#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"

#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"

#define CONNECTION_HEADER "Connection: Upgrade"

/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */

static apr_status_t upgrade_connection(request_rec *r)

{

    struct conn_rec *conn = r->connection;

    apr_bucket_brigade *bb;

    SSLConnRec *sslconn;

    apr_status_t rv;

    SSL *ssl;

    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028)

                  "upgrading connection to TLS");

    bb = apr_brigade_create(r->pool, conn->bucket_alloc);

    rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF

                  UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF);

    if (rv == APR_SUCCESS) {

        APR_BRIGADE_INSERT_TAIL(bb,

                                apr_bucket_flush_create(conn->bucket_alloc));

        rv = ap_pass_brigade(conn->output_filters, bb);

    }

    if (rv) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029)

                      "failed to send 101 interim response for connection "

                      "upgrade");

        return rv;

    }

    ssl_init_ssl_connection(conn, r);

    sslconn = myConnConfig(conn);

    ssl = sslconn->ssl;

    /* Perform initial SSL handshake. */

    SSL_set_accept_state(ssl);

    SSL_do_handshake(ssl);

    if (!SSL_is_init_finished(ssl)) {

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)

                      "TLS upgrade handshake failed");

        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

        return APR_ECONNABORTED;

    }

    return APR_SUCCESS;

}

/* Perform a speculative (and non-blocking) read from the connection

 * filters for the given request, to determine whether there is any

 * pending data to read.  Return non-zero if there is, else zero. */

static int has_buffered_data(request_rec *r)

{

    apr_bucket_brigade *bb;

    apr_off_t len;

    apr_status_t rv;

    int result;

    bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);

    rv = ap_get_brigade(r->connection->input_filters, bb, AP_MODE_SPECULATIVE,

                        APR_NONBLOCK_READ, 1);

    result = rv == APR_SUCCESS

        && apr_brigade_length(bb, 1, &len) == APR_SUCCESS

        && len > 0;

    apr_brigade_destroy(bb);

    return result;

}

/* If a renegotiation is required for the location, and the request

 * includes a message body (and the client has not requested a "100

 * Continue" response), then the client will be streaming the request

 * body over the wire already.  In that case, it is not possible to

 * stop and perform a new SSL handshake immediately; once the SSL

 * library moves to the "accept" state, it will reject the SSL packets

 * which the client is sending for the request body.

 *

 * To allow authentication to complete in the hook, the solution used

 * here is to fill a (bounded) buffer with the request body, and then

 * to reinject that request body later.

 *

 * This function is called to fill the renegotiation buffer for the

 * location as required, or fail.  Returns zero on success or HTTP_

 * error code on failure.

 */

static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)

{

    int rv;

    apr_size_t rsize;

    /* ### this is HTTP/1.1 specific, special case for protocol? */

    if (r->expecting_100 || !ap_request_has_body(r)) {

        return 0;

    }

    rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize;

    if (rsize > 0) {

        /* Fill the I/O buffer with the request body if possible. */

        rv = ssl_io_buffer_fill(r, rsize);

    }

    else {

        /* If the reneg buffer size is set to zero, just fail. */

        rv = HTTP_REQUEST_ENTITY_TOO_LARGE;

    }

    return rv;

}

#ifdef HAVE_TLSEXT

static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)

{

    int i;

    const char *c;

    if (s1 == s2) {

        return 1;

    }

    else if (!s1 || !s2 || (s1->nelts != s2->nelts)) {

        return 0;

    }

    for (i = 0; i < s1->nelts; i++) {

        c = APR_ARRAY_IDX(s1, i, const char *);

        if (!c || !ap_array_str_contains(s2, c)) {

            return 0;

        }

    }

    return 1;

}

static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, 

                                    modssl_pk_server_t *pks2) 

{

    if (!pks1 || !pks2) {

        return 0;

    }

    /* both have the same certificates? */

    if ((pks1->ca_name_path != pks2->ca_name_path)

        && (!pks1->ca_name_path || !pks2->ca_name_path 

            || strcmp(pks1->ca_name_path, pks2->ca_name_path))) {

        return 0;

    }

    if ((pks1->ca_name_file != pks2->ca_name_file)

        && (!pks1->ca_name_file || !pks2->ca_name_file 

            || strcmp(pks1->ca_name_file, pks2->ca_name_file))) {

        return 0;

    }

    if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files)

        || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) {

        return 0;

    }

    return 1;

}

static int ssl_auth_compatible(modssl_auth_ctx_t *a1, 

                               modssl_auth_ctx_t *a2) 

{

    if (!a1 || !a2) {

        return 0;

    }

    /* both have the same verification */

    if ((a1->verify_depth != a2->verify_depth)

        || (a1->verify_mode != a2->verify_mode)) {

        return 0;

    }

    /* both have the same ca path/file */

    if ((a1->ca_cert_path != a2->ca_cert_path)

        && (!a1->ca_cert_path || !a2->ca_cert_path 

            || strcmp(a1->ca_cert_path, a2->ca_cert_path))) {

        return 0;

    }

    if ((a1->ca_cert_file != a2->ca_cert_file)

        && (!a1->ca_cert_file || !a2->ca_cert_file 

            || strcmp(a1->ca_cert_file, a2->ca_cert_file))) {

        return 0;

    }

    /* both have the same ca cipher suite string */

    if ((a1->cipher_suite != a2->cipher_suite)

        && (!a1->cipher_suite || !a2->cipher_suite 

            || strcmp(a1->cipher_suite, a2->cipher_suite))) {

        return 0;

    }

    /* both have the same ca cipher suite string */

    if ((a1->tls13_ciphers != a2->tls13_ciphers)

        && (!a1->tls13_ciphers || !a2->tls13_ciphers 

            || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {

        return 0;

    }

    return 1;

}

static int ssl_ctx_compatible(modssl_ctx_t *ctx1, 

                              modssl_ctx_t *ctx2) 

{

    if (!ctx1 || !ctx2 

        || (ctx1->protocol != ctx2->protocol)

        || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)

        || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {

        return 0;

    }

    return 1;

}

static int ssl_server_compatible(server_rec *s1, server_rec *s2)

{

    SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;

    SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;

    /* both use the same TLS protocol? */

    if (!sc1 || !sc2 

        || !ssl_ctx_compatible(sc1->server, sc2->server)) {

        return 0;

    }

    return 1;

}

#endif

/*

 *  Post Read Request Handler

 */

int ssl_hook_ReadReq(request_rec *r)

{

    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    SSLConnRec *sslconn;

    const char *upgrade;

#ifdef HAVE_TLSEXT

    const char *servername;

#endif

    SSL *ssl;

    /* Perform TLS upgrade here if "SSLEngine optional" is configured,

     * SSL is not already set up for this connection, and the client

     * has sent a suitable Upgrade header. */

    if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection)

        && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL

        && ap_find_token(r->pool, upgrade, "TLS/1.0")) {

        if (upgrade_connection(r)) {

            return AP_FILTER_ERROR;

        }

    }

    /* If we are on a slave connection, we do not expect to have an SSLConnRec,

     * but our master connection might. */

    sslconn = myConnConfig(r->connection);

    if (!(sslconn && sslconn->ssl) && r->connection->master) {

        sslconn = myConnConfig(r->connection->master);

    }

    /* If "SSLEngine optional" is configured, this is not an SSL

     * connection, and this isn't a subrequest, send an Upgrade

     * response header.  Note this must happen before map_to_storage

     * and OPTIONS * request processing is completed.

     */

    if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)

        && !r->main) {

        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");

        apr_table_mergen(r->headers_out, "Connection", "upgrade");

    }

    if (!sslconn) {

        return DECLINED;

    }

    if (sslconn->service_unavailable) {

        /* This is set when the SSL properties of this connection are

         * incomplete or if this connection was made to challenge a 

         * particular hostname (ACME). We never serve any request on 

         * such a connection. */

         /* TODO: a retry-after indicator would be nice here */

        return HTTP_SERVICE_UNAVAILABLE;

    }

    if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {

        apr_table_setn(r->notes, "error-notes",

                       "Reason: You're speaking plain HTTP to an SSL-enabled "

                       "server port.
\n Instead use the HTTPS scheme to "

                       "access this URL, please.
\n");

        /* Now that we have caught this error, forget it. we are done

         * with using SSL on this request.

         */

        sslconn->non_ssl_request = NON_SSL_OK;

        return HTTP_BAD_REQUEST;

    }

    /*

     * Get the SSL connection structure and perform the

     * delayed interlinking from SSL back to request_rec

     */

    ssl = sslconn->ssl;

    if (!ssl) {

        return DECLINED;

    }

#ifdef HAVE_TLSEXT

    /*

     * Perform SNI checks only on the initial request.  In particular,

     * if these checks detect a problem, the checks shouldn't return an

     * error again when processing an ErrorDocument redirect for the

     * original problem.

     */

    if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) {

        server_rec *handshakeserver = sslconn->server;

        SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);

        if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {

            /*

             * The SNI extension supplied a hostname. So don't accept requests

             * with either no hostname or a hostname that selected a different

             * virtual host than the one used for the handshake, causing

             * different SSL parameters to be applied, such as SSLProtocol,

             * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which

             * cannot be renegotiated (SSLCA* due to current limitations in

             * OpenSSL, see:

             * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E

             * and

             * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E

             * )

             */

            if (!r->hostname) {

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02031)

                            "Hostname %s provided via SNI, but no hostname"

                            " provided in HTTP request", servername);

                return HTTP_BAD_REQUEST;

            }

            if (r->server != handshakeserver 

                && !ssl_server_compatible(sslconn->server, r->server)) {

                /* 

                 * The request does not select the virtual host that was

                 * selected by the SNI and its SSL parameters are different

                 */

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)

                             "Hostname %s provided via SNI and hostname %s provided"

                             " via HTTP have no compatible SSL setup",

                             servername, r->hostname);

                return HTTP_MISDIRECTED_REQUEST;

            }

        }

        else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)

                  || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)

                 && r->connection->vhost_lookup_data) {

            /*

             * We are using a name based configuration here, but no hostname was

             * provided via SNI. Don't allow that if are requested to do strict

             * checking. Check whether this strict checking was set up either in the

             * server config we used for handshaking or in our current server.

             * This should avoid insecure configuration by accident.

             */

            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02033)

                         "No hostname was provided via SNI for a name based"

                         " virtual host");

            apr_table_setn(r->notes, "error-notes",

                           "Reason: The client software did not provide a "

                           "hostname using Server Name Indication (SNI), "

                           "which is required to access this server.
\n");

            return HTTP_FORBIDDEN;

        }

    }

#endif

    modssl_set_app_data2(ssl, r);

    /*

     * Log information about incoming HTTPS requests

     */

    if (APLOGrinfo(r) && ap_is_initial_req(r)) {

        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02034)

                     "%s HTTPS request received for child %ld (server %s)",

                     (r->connection->keepalives <= 0 ?

                     "Initial (No.1)" :

                     apr_psprintf(r->pool, "Subsequent (No.%d)",

                                  r->connection->keepalives+1)),

                     r->connection->id,

                     ssl_util_vhostid(r->pool, r->server));

    }

    /* SetEnvIf ssl-*-shutdown flags can only be per-server,

     * so they won't change across keepalive requests

     */

    if (sslconn->shutdown_type == SSL_SHUTDOWN_TYPE_UNSET) {

        ssl_configure_env(r, sslconn);

    }

    return DECLINED;

}

/*

 * Move SetEnvIf information from request_rec to conn_rec/BUFF

 * to allow the close connection handler to use them.

 */

static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn)

{

    int i;

    const apr_array_header_t *arr = apr_table_elts(r->subprocess_env);

    const apr_table_entry_t *elts = (const apr_table_entry_t *)arr->elts;

    sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_STANDARD;

    for (i = 0; i < arr->nelts; i++) {

        const char *key = elts[i].key;

        switch (*key) {

          case 's':

            /* being case-sensitive here.

             * and not checking for the -shutdown since these are the only

             * SetEnvIf "flags" we support

             */

            if (!strncmp(key+1, "sl-", 3)) {

                key += 4;

                if (!strncmp(key, "unclean", 7)) {

                    sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;

                }

                else if (!strncmp(key, "accurate", 8)) {

                    sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_ACCURATE;

                }

                return; /* should only ever be one ssl-*-shutdown */

            }

            break;

        }

    }

}

static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc, 

                                        SSLDirConfigRec *dc, SSLConnRec *sslconn,

                                        SSL *ssl)

{

    X509 *cert;

    /*

     * Remember the peer certificate's DN

     */

    if ((cert = SSL_get_peer_certificate(ssl))) {

        if (sslconn->client_cert) {

            X509_free(sslconn->client_cert);

        }

        sslconn->client_cert = cert;

        sslconn->client_dn = NULL;

    }

    /*

     * Finally check for acceptable renegotiation results

     */

    if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||

        (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {

        BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||

                          (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));

        if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)

                          "Re-negotiation handshake failed: "

                          "Client verification failed");

            return HTTP_FORBIDDEN;

        }

        if (do_verify) {

            if (cert == NULL) {

                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)

                              "Re-negotiation handshake failed: "

                              "Client certificate missing");

                return HTTP_FORBIDDEN;

            }

        }

    }

    return OK;

}

/*

 *  Access Handler, classic flavour, for SSL/TLS up to v1.2 

 *  where everything can be renegotiated and no one is happy.

 */

static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc,

                                   SSLConnRec *sslconn, SSL *ssl)

{

    server_rec *handshakeserver = sslconn ? sslconn->server : NULL;

    SSLSrvConfigRec *hssc       = handshakeserver? mySrvConfig(handshakeserver) : NULL;

    SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL;

    BOOL renegotiate = FALSE, renegotiate_quick = FALSE;

    X509 *peercert;

    X509_STORE *cert_store = NULL;

    X509_STORE_CTX *cert_store_ctx;

    STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;

    const SSL_CIPHER *cipher = NULL;

    int depth, verify_old, verify, n, rc;

    const char *ncipher_suite;

#ifdef HAVE_SRP

    /*

     * Support for per-directory reconfigured SSL connection parameters

     *

     * We do not force any renegotiation if the user is already authenticated

     * via SRP.

     *

     */

    if (SSL_get_srp_username(ssl)) {

        return DECLINED;

    }

#endif

    /*

     * Support for per-directory reconfigured SSL connection parameters.

     *

     * This is implemented by forcing an SSL renegotiation with the

     * reconfigured parameter suite. But Apache's internal API processing

     * makes our life very hard here, because when internal sub-requests occur

     * we nevertheless should avoid multiple unnecessary SSL handshakes (they

     * require extra network I/O and especially time to perform).

     *

     * But the optimization for filtering out the unnecessary handshakes isn't

     * obvious and trivial.  Especially because while Apache is in its

     * sub-request processing the client could force additional handshakes,

     * too. And these take place perhaps without our notice. So the only

     * possibility is to explicitly _ask_ OpenSSL whether the renegotiation

     * has to be performed or not. It has to performed when some parameters

     * which were previously known (by us) are not those we've now

     * reconfigured (as known by OpenSSL) or (in optimized way) at least when

     * the reconfigured parameter suite is stronger (more restrictions) than

     * the currently active one.

     */

    /*

     * Override of SSLCipherSuite

     *

     * We provide two options here:

     *

     * o The paranoid and default approach where we force a renegotiation when

     *   the cipher suite changed in _any_ way (which is straight-forward but

     *   often forces renegotiations too often and is perhaps not what the

     *   user actually wanted).

     *

     * o The optimized and still secure way where we force a renegotiation

     *   only if the currently active cipher is no longer contained in the

     *   reconfigured/new cipher suite. Any other changes are not important

     *   because it's the servers choice to select a cipher from the ones the

     *   client supports. So as long as the current cipher is still in the new

     *   cipher suite we're happy. Because we can assume we would have

     *   selected it again even when other (better) ciphers exists now in the

     *   new cipher suite. This approach is fine because the user explicitly

     *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no

     *   implicit optimizations.

     */     

    ncipher_suite = (dc->szCipherSuite? 

                     dc->szCipherSuite : (r->server != handshakeserver)?

                     sc->server->auth.cipher_suite : NULL);

    if (ncipher_suite && (!sslconn->cipher_suite 

                          || strcmp(ncipher_suite, sslconn->cipher_suite))) {

        /* remember old state */

        if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {

            cipher = SSL_get_current_cipher(ssl);

        }

        else {

            cipher_list_old = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);

            if (cipher_list_old) {

                cipher_list_old = sk_SSL_CIPHER_dup(cipher_list_old);

            }

        }

        /* configure new state */

        if (r->connection->master) {

            /* TODO: this categorically fails changed cipher suite settings

             * on slave connections. We could do better by

             * - create a new SSL* from our SSL_CTX and set cipher suite there,

             *   and retrieve ciphers, free afterwards

             * Modifying the SSL on a slave connection is no good.

             */

            apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite");

            return HTTP_FORBIDDEN;

        }

        if (!SSL_set_cipher_list(ssl, ncipher_suite)) {

            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02253)

                          "Unable to reconfigure (per-directory) "

                          "permitted SSL ciphers");

            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

            if (cipher_list_old) {

                sk_SSL_CIPHER_free(cipher_list_old);

            }

            return HTTP_FORBIDDEN;

        }

        /* determine whether a renegotiation has to be forced */

        cipher_list = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);

        if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {

            /* optimized way */

            if ((!cipher && cipher_list) ||

                (cipher && !cipher_list))

            {

                renegotiate = TRUE;

            }

            else if (cipher && cipher_list &&

                     (sk_SSL_CIPHER_find(cipher_list, cipher) < 0))

            {

                renegotiate = TRUE;

            }

        }

        else {

            /* paranoid way */

            if ((!cipher_list_old && cipher_list) ||

                (cipher_list_old && !cipher_list))

            {

                renegotiate = TRUE;

            }

            else if (cipher_list_old && cipher_list) {

                for (n = 0;

                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));

                     n++)

                {

                    const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);

                    if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {

                        renegotiate = TRUE;

                    }

                }

                for (n = 0;

                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));

                     n++)

                {

                    const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);

                    if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {

                        renegotiate = TRUE;

                    }

                }

            }

        }

        /* cleanup */

        if (cipher_list_old) {

            sk_SSL_CIPHER_free(cipher_list_old);

        }

        if (renegotiate) {

            if (r->connection->master) {

                /* The request causes renegotiation on a slave connection.

                 * This is not allowed since we might have concurrent requests

                 * on this connection.

                 */

                apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "cipher-suite");

                return HTTP_FORBIDDEN;

            }

#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE

            if (sc->cipher_server_pref == TRUE) {

                SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);

            }

#endif

            /* tracing */

            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02220)

                         "Reconfigured cipher suite will force renegotiation");

        }

    }

    /*

     * override of SSLVerifyClient

     *

     * We force a renegotiation if the reconfigured/new verify type is

     * stronger than the currently active verify type.

     *

     * The order is: none << optional_no_ca << optional << require

     *

     * Additionally the following optimization is possible here: When the

     * currently active verify type is "none" but a client certificate is

     * already known/present, it's enough to manually force a client

     * verification but at least skip the I/O-intensive renegotiation

     * handshake.

     */

    if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||

        (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {

        /* remember old state */

        verify_old = SSL_get_verify_mode(ssl);

        /* configure new state */

        verify = SSL_VERIFY_NONE;

        if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||

            (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {

            verify |= SSL_VERIFY_PEER_STRICT;

        }

        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||

            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||

            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||

            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))

        {

            verify |= SSL_VERIFY_PEER;

        }

        /* TODO: this seems premature since we do not know if there

         *       are any changes required.

         */

        SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);

        SSL_set_verify_result(ssl, X509_V_OK);

        /* determine whether we've to force a renegotiation */

        if (!renegotiate && verify != verify_old) {

            if (((verify_old == SSL_VERIFY_NONE) &&

                 (verify     != SSL_VERIFY_NONE)) ||

                (!(verify_old & SSL_VERIFY_PEER) &&

                  (verify     & SSL_VERIFY_PEER)) ||

                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&

                  (verify     & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))

            {

                renegotiate = TRUE;

                if (r->connection->master) {

                    /* The request causes renegotiation on a slave connection.

                     * This is not allowed since we might have concurrent requests

                     * on this connection.

                     */

                    apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");

                    SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);

                    return HTTP_FORBIDDEN;

                }

                /* optimization */

                if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&

                    (verify_old == SSL_VERIFY_NONE) &&

                    ((peercert = SSL_get_peer_certificate(ssl)) != NULL))

                {

                    renegotiate_quick = TRUE;

                    X509_free(peercert);

                }

                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02255)

                              "Changed client verification type will force "

                              "%srenegotiation",

                              renegotiate_quick ? "quick " : "");

            }

            else if (verify != SSL_VERIFY_NONE) {

                /*

                 * override of SSLVerifyDepth

                 *

                 * The depth checks are handled by us manually inside the

                 * verify callback function and not by OpenSSL internally

                 * (and our function is aware of both the per-server and

                 * per-directory contexts). So we cannot ask OpenSSL about

                 * the currently verify depth. Instead we remember it in our

                 * SSLConnRec attached to the SSL* of OpenSSL.  We've to force

                 * the renegotiation if the reconfigured/new verify depth is

                 * less than the currently active/remembered verify depth

                 * (because this means more restriction on the certificate

                 * chain).

                 */

                n = (sslconn->verify_depth != UNSET)

                    ? sslconn->verify_depth

                    : hssc->server->auth.verify_depth;

                /* determine the new depth */

                sslconn->verify_depth = (dc->nVerifyDepth != UNSET)

                                        ? dc->nVerifyDepth

                                        : sc->server->auth.verify_depth;

                if (sslconn->verify_depth < n) {

                    renegotiate = TRUE;

                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)

                                  "Reduced client verification depth will "

                                  "force renegotiation");

                }

            }

        }

        /* If we're handling a request for a vhost other than the default one,

         * then we need to make sure that client authentication is properly

         * enforced. For clients supplying an SNI extension, the peer

         * certificate verification has happened in the handshake already

         * (and r->server == handshakeserver). For non-SNI requests,

         * an additional check is needed here. If client authentication

         * is configured as mandatory, then we can only proceed if the

         * CA list doesn't have to be changed (OpenSSL doesn't provide

         * an option to change the list for an existing session).

         */

        if ((r->server != handshakeserver)

            && renegotiate

            && ((verify & SSL_VERIFY_PEER) ||

                (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {

#define MODSSL_CFG_CA_NE(f, sc1, sc2) \

            (sc1->server->auth.f && \

             (!sc2->server->auth.f || \

              strNE(sc1->server->auth.f, sc2->server->auth.f)))

            if (MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||

                MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) {

                if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {

                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02256)

                         "Non-default virtual host with SSLVerify set to "

                         "'require' and VirtualHost-specific CA certificate "

                         "list is only available to clients with TLS server "

                         "name indication (SNI) support");

                    SSL_set_verify(ssl, verify_old, NULL);

                    return HTTP_FORBIDDEN;

                } else

                    /* let it pass, possibly with an "incorrect" peer cert,

                     * so make sure the SSL_CLIENT_VERIFY environment variable

                     * will indicate partial success only, later on.

                     */

                    sslconn->verify_info = "GENEROUS";

            }

        }

    }

    /* Fill reneg buffer if required. */

    if (renegotiate && !renegotiate_quick) {

        rc = fill_reneg_buffer(r, dc);

        if (rc) {

            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257)

                          "could not buffer message body to allow "

                          "SSL renegotiation to proceed");

            return rc;

        }

    }

    /*

     * now do the renegotiation if anything was actually reconfigured

     */

    if (renegotiate) {

        /*

         * Now we force the SSL renegotiation by sending the Hello Request

         * message to the client. Here we have to do a workaround: Actually

         * OpenSSL returns immediately after sending the Hello Request (the

         * intent AFAIK is because the SSL/TLS protocol says it's not a must

         * that the client replies to a Hello Request). But because we insist

         * on a reply (anything else is an error for us) we have to go to the

         * ACCEPT state manually. Using SSL_set_accept_state() doesn't work

         * here because it resets too much of the connection.  So we set the