www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

breakup SSLSrvConfigRec in preparation for proxy support:

Browse Source 
+ modssl_pk_server_t - certs/keys for the server
+ modssl_pk_proxy_t  - certs/keys for the proxy
+ modssl_auth_ctx_t  - stuff related to authentication that can also
                       be per-dir, used by both server and proxy
+ modssl_ctx_t       - context that can be used by both server and proxy
+ SSLSrvConfigRec    - now contains original stuff specific to the
                       server config and modssl_ctx_t *server, *proxy


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94267 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2002-03-28 18:50:07 +00:00
parent e90c7fb27f
commit 1d76ab39ff
6 changed files with 239 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/ssl/mod_ssl.c
View File

@@ -257,7 +257,7 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
* attach this to the socket. Additionally we register this attachment * attach this to the socket. Additionally we register this attachment
* so we can detach later. * so we can detach later.
*/ */
if (!(ssl = SSL_new(sc->pSSLCtx))) { if (!(ssl = SSL_new(sc->server->ssl_ctx))) {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to create a new SSL connection from the SSL context"); "Unable to create a new SSL connection from the SSL context");
@@ -404,7 +404,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
sslconn->verify_error) sslconn->verify_error)
{ {
if (ssl_verify_error_is_optional(verify_result) && if (ssl_verify_error_is_optional(verify_result) &&
(sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{ {
/* leaving this log message as an error for the moment, /* leaving this log message as an error for the moment,
* according to the mod_ssl docs: * according to the mod_ssl docs:
@@ -444,7 +444,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
* Make really sure that when a peer certificate * Make really sure that when a peer certificate
* is required we really got one... (be paranoid) * is required we really got one... (be paranoid)
*/ */
if ((sc->nVerifyClient == SSL_CVERIFY_REQUIRE) && if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
!sslconn->client_cert) !sslconn->client_cert)
{ {
ssl_log(c->base_server, SSL_LOG_ERROR, ssl_log(c->base_server, SSL_LOG_ERROR,

85
modules/ssl/mod_ssl.h
View File

@@ -468,12 +468,65 @@ typedef struct {
} rCtx; } rCtx;
} SSLModConfigRec; } SSLModConfigRec;
/* /* public cert/private key */
* Define the mod_ssl per-server configuration structure
* (i.e. the configuration for the main server
* and all <VirtualHost> contexts)
*/
typedef struct { typedef struct {
/*
* server only has 1-2 certs/keys
* 1 RSA and/or 1 DSA
*/
const char *cert_files[SSL_AIDX_MAX];
const char *key_files[SSL_AIDX_MAX];
X509 *certs[SSL_AIDX_MAX];
EVP_PKEY *keys[SSL_AIDX_MAX];
} modssl_pk_server_t;
typedef struct {
/* proxy can have any number of cert/key pairs */
const char *cert_file;
const char *cert_path;
STACK_OF(X509_INFO) *certs;
} modssl_pk_proxy_t;
/* stuff related to authentication that can also be per-dir */
typedef struct {
/* known/trusted CAs */
const char *ca_cert_path;
const char *ca_cert_file;
const char *cipher_suite;
/* for client or downstream server authentication */
int verify_depth;
ssl_verify_t verify_mode;
} modssl_auth_ctx_t;
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
typedef struct {
SSLSrvConfigRec *sc; /* pointer back to server config */
SSL_CTX *ssl_ctx;
/* we are one or the other */
modssl_pk_server_t *pks;
modssl_pk_proxy_t *pkp;
/* config for handling encrypted keys */
ssl_pphrase_t pphrase_dialog_type;
const char *pphrase_dialog_path;
const char *cert_chain;
/* certificate revocation list */
const char *crl_path;
const char *crl_file;
X509_STORE *crl;
ssl_proto_t protocol;
modssl_auth_ctx_t auth;
} modssl_ctx_t;
struct SSLSrvConfigRec {
SSLModConfigRec *mc; SSLModConfigRec *mc;
BOOL enabled; BOOL enabled;
const char *vhost_id; const char *vhost_id;
@@ -482,25 +535,9 @@ typedef struct {
apr_file_t *log_file; apr_file_t *log_file;
int log_level; int log_level;
int session_cache_timeout; int session_cache_timeout;
modssl_ctx_t *server;
const char *szPublicCertFiles[SSL_AIDX_MAX]; modssl_ctx_t *proxy;
const char *szPrivateKeyFiles[SSL_AIDX_MAX]; };
const char *szCertificateChain;
const char *szCACertificatePath;
const char *szCACertificateFile;
const char *szCipherSuite;
int nVerifyDepth;
ssl_verify_t nVerifyClient;
X509 *pPublicCert[SSL_AIDX_MAX];
EVP_PKEY *pPrivateKey[SSL_AIDX_MAX];
SSL_CTX *pSSLCtx;
int nPassPhraseDialogType;
const char *szPassPhraseDialogPath;
ssl_proto_t nProtocol;
const char *szCARevocationPath;
const char *szCARevocationFile;
X509_STORE *pRevocationStore;
} SSLSrvConfigRec;
/* /*
* Define the mod_ssl per-directory configuration structure * Define the mod_ssl per-directory configuration structure

148
modules/ssl/ssl_engine_config.c
View File

@@ -135,6 +135,53 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
** _________________________________________________________________ ** _________________________________________________________________
*/ */
static void modssl_ctx_init(modssl_ctx_t *ctx, SSLSrvConfigRec *sc)
{
ctx->sc = sc;
ctx->ssl_ctx = NULL;
ctx->pks = NULL;
ctx->pkp = NULL;
ctx->protocol = SSL_PROTOCOL_ALL;
ctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
ctx->pphrase_dialog_path = NULL;
ctx->cert_chain = NULL;
ctx->crl_path = NULL;
ctx->crl_file = NULL;
ctx->crl = NULL;
ctx->auth.ca_cert_path = NULL;
ctx->auth.ca_cert_file = NULL;
ctx->auth.cipher_suite = NULL;
ctx->auth.verify_depth = UNSET;
ctx->auth.verify_mode = SSL_CVERIFY_UNSET;
}
static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
apr_pool_t *p)
{
modssl_ctx_t *ctx;
ctx = sc->server = apr_palloc(p, sizeof(*sc->server));
modssl_ctx_init(ctx, sc);
ctx->pks = apr_palloc(p, sizeof(*ctx->pks));
memset((void*)ctx->pks->cert_files, 0, sizeof(ctx->pks->cert_files));
memset((void*)ctx->pks->key_files, 0, sizeof(ctx->pks->key_files));
memset(ctx->pks->certs, 0, sizeof(ctx->pks->certs));
memset(ctx->pks->keys, 0, sizeof(ctx->pks->keys));
}
/* /*
* Create per-server SSL configuration * Create per-server SSL configuration
*/ */
@@ -151,24 +198,7 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
sc->log_level = SSL_LOG_NONE; sc->log_level = SSL_LOG_NONE;
sc->session_cache_timeout = UNSET; sc->session_cache_timeout = UNSET;
sc->szCACertificatePath = NULL; modssl_ctx_init_server(sc, p);
sc->szCACertificateFile = NULL;
sc->szCertificateChain = NULL;
sc->szCipherSuite = NULL;
sc->nVerifyDepth = UNSET;
sc->nVerifyClient = SSL_CVERIFY_UNSET;
sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET;
sc->szPassPhraseDialogPath = NULL;
sc->nProtocol = SSL_PROTOCOL_ALL;
sc->pSSLCtx = NULL;
sc->szCARevocationPath = NULL;
sc->szCARevocationFile = NULL;
sc->pRevocationStore = NULL;
memset((void*)sc->szPublicCertFiles, 0, sizeof(sc->szPublicCertFiles));
memset((void*)sc->szPrivateKeyFiles, 0, sizeof(sc->szPrivateKeyFiles));
memset(sc->pPublicCert, 0, sizeof(sc->pPublicCert));
memset(sc->pPrivateKey, 0, sizeof(sc->pPrivateKey));
return sc; return sc;
} }
@@ -183,6 +213,8 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv; SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
SSLSrvConfigRec *mrg = (SSLSrvConfigRec *)apr_palloc(p, sizeof(*mrg)); SSLSrvConfigRec *mrg = (SSLSrvConfigRec *)apr_palloc(p, sizeof(*mrg));
modssl_ctx_init_server(mrg, p);
cfgMerge(mc, NULL); cfgMerge(mc, NULL);
cfgMergeBool(enabled); cfgMergeBool(enabled);
cfgMergeString(vhost_id); cfgMergeString(vhost_id);
@@ -191,25 +223,25 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
cfgMerge(log_level, SSL_LOG_NONE); cfgMerge(log_level, SSL_LOG_NONE);
cfgMergeInt(session_cache_timeout); cfgMergeInt(session_cache_timeout);
cfgMergeString(szCACertificatePath); cfgMergeString(server->auth.ca_cert_path);
cfgMergeString(szCACertificateFile); cfgMergeString(server->auth.ca_cert_file);
cfgMergeString(szCertificateChain); cfgMergeString(server->cert_chain);
cfgMergeString(szCipherSuite); cfgMergeString(server->auth.cipher_suite);
cfgMergeInt(nVerifyDepth); cfgMergeInt(server->auth.verify_depth);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); cfgMerge(server->auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET); cfgMerge(server->pphrase_dialog_type, SSL_PPTYPE_UNSET);
cfgMergeString(szPassPhraseDialogPath); cfgMergeString(server->pphrase_dialog_path);
cfgMerge(nProtocol, SSL_PROTOCOL_ALL); cfgMerge(server->protocol, SSL_PROTOCOL_ALL);
cfgMerge(pSSLCtx, NULL); cfgMerge(server->ssl_ctx, NULL);
cfgMerge(szCARevocationPath, NULL); cfgMerge(server->crl_path, NULL);
cfgMerge(szCARevocationFile, NULL); cfgMerge(server->crl_file, NULL);
cfgMerge(pRevocationStore, NULL); cfgMerge(server->crl, NULL);
for (i = 0; i < SSL_AIDX_MAX; i++) { for (i = 0; i < SSL_AIDX_MAX; i++) {
cfgMergeString(szPublicCertFiles[i]); cfgMergeString(server->pks->cert_files[i]);
cfgMergeString(szPrivateKeyFiles[i]); cfgMergeString(server->pks->key_files[i]);
cfgMerge(pPublicCert[i], NULL); cfgMerge(server->pks->certs[i], NULL);
cfgMerge(pPrivateKey[i], NULL); cfgMerge(server->pks->keys[i], NULL);
} }
return mrg; return mrg;
@@ -330,33 +362,33 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd, void *ctx,
} }
if (strcEQ(arg, "builtin")) { if (strcEQ(arg, "builtin")) {
sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
sc->szPassPhraseDialogPath = NULL; sc->server->pphrase_dialog_path = NULL;
} }
else if ((arglen > 5) && strEQn(arg, "exec:", 5)) { else if ((arglen > 5) && strEQn(arg, "exec:", 5)) {
sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER; sc->server->pphrase_dialog_type = SSL_PPTYPE_FILTER;
/* ### This is broken, exec: may contain args, no? */ /* ### This is broken, exec: may contain args, no? */
sc->szPassPhraseDialogPath = sc->server->pphrase_dialog_path =
ap_server_root_relative(cmd->pool, arg+5); ap_server_root_relative(cmd->pool, arg+5);
if (!sc->szPassPhraseDialogPath) { if (!sc->server->pphrase_dialog_path) {
return apr_pstrcat(cmd->pool, return apr_pstrcat(cmd->pool,
"Invalid SSLPassPhraseDialog exec: path ", "Invalid SSLPassPhraseDialog exec: path ",
arg+5, NULL); arg+5, NULL);
} }
if (!ssl_util_path_check(SSL_PCM_EXISTS, if (!ssl_util_path_check(SSL_PCM_EXISTS,
sc->szPassPhraseDialogPath, sc->server->pphrase_dialog_path,
cmd->pool)) cmd->pool))
{ {
return apr_pstrcat(cmd->pool, return apr_pstrcat(cmd->pool,
"SSLPassPhraseDialog: file '", "SSLPassPhraseDialog: file '",
sc->szPassPhraseDialogPath, sc->server->pphrase_dialog_path,
"' does not exist", NULL); "' does not exist", NULL);
} }
} }
else if ((arglen > 1) && (arg[0] == '|')) { else if ((arglen > 1) && (arg[0] == '|')) {
sc->nPassPhraseDialogType = SSL_PPTYPE_PIPE; sc->server->pphrase_dialog_type = SSL_PPTYPE_PIPE;
sc->szPassPhraseDialogPath = arg + 1; sc->server->pphrase_dialog_path = arg + 1;
} }
else { else {
return "SSLPassPhraseDialog: Invalid argument"; return "SSLPassPhraseDialog: Invalid argument";
@@ -509,7 +541,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *ctx,
dc->szCipherSuite = arg; dc->szCipherSuite = arg;
} }
else { else {
sc->szCipherSuite = arg; sc->server->auth.cipher_suite = arg;
} }
return NULL; return NULL;
@@ -581,11 +613,11 @@ static const char *ssl_cmd_check_aidx_max(cmd_parms *parms,
switch (idx) { switch (idx) {
case SSL_AIDX_CERTS: case SSL_AIDX_CERTS:
desc = "certificates"; desc = "certificates";
files = sc->szPublicCertFiles; files = sc->server->pks->cert_files;
break; break;
case SSL_AIDX_KEYS: case SSL_AIDX_KEYS:
desc = "private keys"; desc = "private keys";
files = sc->szPrivateKeyFiles; files = sc->server->pks->key_files;
break; break;
} }
@@ -637,7 +669,7 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *ctx,
return err; return err;
} }
sc->szCertificateChain = arg; sc->server->cert_chain = arg;
return NULL; return NULL;
} }
@@ -663,7 +695,7 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *ctx,
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx, const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
const char *arg) const char *arg)
{ {
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err; const char *err;
@@ -671,7 +703,8 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
return err; return err;
} }
MODSSL_SET_CA(szCACertificatePath); /* XXX: bring back per-dir */
sc->server->auth.ca_cert_path = arg;
return NULL; return NULL;
} }
@@ -679,7 +712,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx, const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx,
const char *arg) const char *arg)
{ {
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err; const char *err;
@@ -687,7 +720,8 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx,
return err; return err;
} }
MODSSL_SET_CA(szCACertificateFile); /* XXX: bring back per-dir */
sc->server->auth.ca_cert_file = arg;
return NULL; return NULL;
} }
@@ -702,7 +736,7 @@ const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, void *ctx,
return err; return err;
} }
sc->szCARevocationPath = arg; sc->server->crl_path = arg;
return NULL; return NULL;
} }
@@ -717,7 +751,7 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd, void *ctx,
return err; return err;
} }
sc->szCARevocationFile = arg; sc->server->crl_file = arg;
return NULL; return NULL;
} }
@@ -763,7 +797,7 @@ const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd, void *ctx,
dc->nVerifyClient = id; dc->nVerifyClient = id;
} }
else { else {
sc->nVerifyClient = id; sc->server->auth.verify_mode = id;
} }
return NULL; return NULL;
@@ -798,7 +832,7 @@ const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd, void *ctx,
dc->nVerifyDepth = depth; dc->nVerifyDepth = depth;
} }
else { else {
sc->nVerifyDepth = depth; sc->server->auth.verify_depth = depth;
} }
return NULL; return NULL;
@@ -1141,7 +1175,7 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *cmd, void *ctx,
{ {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
return ssl_cmd_protocol_parse(cmd, opt, &sc->nProtocol); return ssl_cmd_protocol_parse(cmd, opt, &sc->server->protocol);
} }
#ifdef SSL_EXPERIMENTAL_PROXY #ifdef SSL_EXPERIMENTAL_PROXY

90
modules/ssl/ssl_engine_init.c
View File

@@ -239,8 +239,8 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT; sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
} }
if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) { if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
} }
/* Open the dedicated SSL logfile */ /* Open the dedicated SSL logfile */
@@ -374,7 +374,7 @@ static void ssl_init_server_check(server_rec *s,
* check for important parameters and the * check for important parameters and the
* possibility that the user forgot to set them. * possibility that the user forgot to set them.
*/ */
if (!sc->szPublicCertFiles[0]) { if (!sc->server->pks->cert_files[0]) {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"No SSL Certificate set [hint: SSLCertificateFile]"); "No SSL Certificate set [hint: SSLCertificateFile]");
ssl_die(); ssl_die();
@@ -383,8 +383,8 @@ static void ssl_init_server_check(server_rec *s,
/* /*
* Check for problematic re-initializations * Check for problematic re-initializations
*/ */
if (sc->pPublicCert[SSL_AIDX_RSA] || if (sc->server->pks->certs[SSL_AIDX_RSA] ||
sc->pPublicCert[SSL_AIDX_DSA]) sc->server->pks->certs[SSL_AIDX_DSA])
{ {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Illegal attempt to re-initialise SSL for server " "Illegal attempt to re-initialise SSL for server "
@@ -400,7 +400,7 @@ static SSL_CTX *ssl_init_ctx(server_rec *s,
{ {
SSL_CTX *ctx = NULL; SSL_CTX *ctx = NULL;
char *cp; char *cp;
int protocol = sc->nProtocol; int protocol = sc->server->protocol;
/* /*
* Create the new per-server SSL context * Create the new per-server SSL context
@@ -428,7 +428,7 @@ static SSL_CTX *ssl_init_ctx(server_rec *s,
ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */ ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
} }
sc->pSSLCtx = ctx; sc->server->ssl_ctx = ctx;
SSL_CTX_set_options(ctx, SSL_OP_ALL); SSL_CTX_set_options(ctx, SSL_OP_ALL);
@@ -459,7 +459,7 @@ static void ssl_init_ctx_session_cache(server_rec *s,
apr_pool_t *ptemp, apr_pool_t *ptemp,
SSLSrvConfigRec *sc) SSLSrvConfigRec *sc)
{ {
SSL_CTX *ctx = sc->pSSLCtx; SSL_CTX *ctx = sc->server->ssl_ctx;
SSLModConfigRec *mc = myModConfig(s); SSLModConfigRec *mc = myModConfig(s);
long cache_mode = SSL_SESS_CACHE_OFF; long cache_mode = SSL_SESS_CACHE_OFF;
@@ -483,7 +483,7 @@ static void ssl_init_ctx_callbacks(server_rec *s,
apr_pool_t *ptemp, apr_pool_t *ptemp,
SSLSrvConfigRec *sc) SSLSrvConfigRec *sc)
{ {
SSL_CTX *ctx = sc->pSSLCtx; SSL_CTX *ctx = sc->server->ssl_ctx;
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
@@ -499,28 +499,28 @@ static void ssl_init_ctx_verify(server_rec *s,
apr_pool_t *ptemp, apr_pool_t *ptemp,
SSLSrvConfigRec *sc) SSLSrvConfigRec *sc)
{ {
SSL_CTX *ctx = sc->pSSLCtx; SSL_CTX *ctx = sc->server->ssl_ctx;
int verify = SSL_VERIFY_NONE; int verify = SSL_VERIFY_NONE;
STACK_OF(X509_NAME) *ca_list; STACK_OF(X509_NAME) *ca_list;
if (sc->nVerifyClient == SSL_CVERIFY_UNSET) { if (sc->server->auth.verify_mode == SSL_CVERIFY_UNSET) {
sc->nVerifyClient = SSL_CVERIFY_NONE; sc->server->auth.verify_mode = SSL_CVERIFY_NONE;
} }
if (sc->nVerifyDepth == UNSET) { if (sc->server->auth.verify_depth == UNSET) {
sc->nVerifyDepth = 1; sc->server->auth.verify_depth = 1;
} }
/* /*
* Configure callbacks for SSL context * Configure callbacks for SSL context
*/ */
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) { if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
verify |= SSL_VERIFY_PEER_STRICT; verify |= SSL_VERIFY_PEER_STRICT;
} }
if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || if ((sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
(sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{ {
verify |= SSL_VERIFY_PEER; verify |= SSL_VERIFY_PEER;
} }
@@ -530,13 +530,13 @@ static void ssl_init_ctx_verify(server_rec *s,
/* /*
* Configure Client Authentication details * Configure Client Authentication details
*/ */
if (sc->szCACertificateFile || sc->szCACertificatePath) { if (sc->server->auth.ca_cert_file || sc->server->auth.ca_cert_path) {
ssl_log(s, SSL_LOG_TRACE|SSL_INIT, ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
"Configuring client authentication"); "Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx, if (!SSL_CTX_load_verify_locations(ctx,
sc->szCACertificateFile, sc->server->auth.ca_cert_file,
sc->szCACertificatePath)) sc->server->auth.ca_cert_path))
{ {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure verify locations " "Unable to configure verify locations "
@@ -545,8 +545,8 @@ static void ssl_init_ctx_verify(server_rec *s,
} }
ca_list = ssl_init_FindCAList(s, ptemp, ca_list = ssl_init_FindCAList(s, ptemp,
sc->szCACertificateFile, sc->server->auth.ca_cert_file,
sc->szCACertificatePath); sc->server->auth.ca_cert_path);
if (!ca_list) { if (!ca_list) {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to determine list of available " "Unable to determine list of available "
@@ -561,7 +561,7 @@ static void ssl_init_ctx_verify(server_rec *s,
* Give a warning when no CAs were configured but client authentication * Give a warning when no CAs were configured but client authentication
* should take place. This cannot work. * should take place. This cannot work.
*/ */
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) { if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx); ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(ca_list) == 0) { if (sk_X509_NAME_num(ca_list) == 0) {
@@ -578,8 +578,8 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
apr_pool_t *ptemp, apr_pool_t *ptemp,
SSLSrvConfigRec *sc) SSLSrvConfigRec *sc)
{ {
SSL_CTX *ctx = sc->pSSLCtx; SSL_CTX *ctx = sc->server->ssl_ctx;
const char *suite = sc->szCipherSuite; const char *suite = sc->server->auth.cipher_suite;
/* /*
* Configure SSL Cipher Suite * Configure SSL Cipher Suite
@@ -608,18 +608,18 @@ static void ssl_init_ctx_crl(server_rec *s,
* Configure Certificate Revocation List (CRL) Details * Configure Certificate Revocation List (CRL) Details
*/ */
if (!(sc->szCARevocationFile || sc->szCARevocationPath)) { if (!(sc->server->crl_file || sc->server->crl_path)) {
return; return;
} }
ssl_log(s, SSL_LOG_TRACE|SSL_INIT, ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
"Configuring certificate revocation facility"); "Configuring certificate revocation facility");
sc->pRevocationStore = sc->server->crl =
SSL_X509_STORE_create((char *)sc->szCARevocationFile, SSL_X509_STORE_create((char *)sc->server->crl_file,
(char *)sc->szCARevocationPath); (char *)sc->server->crl_path);
if (!sc->pRevocationStore) { if (!sc->server->crl) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure X.509 CRL storage " "Unable to configure X.509 CRL storage "
"for certificate revocation"); "for certificate revocation");
@@ -634,7 +634,7 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
{ {
BOOL skip_first = TRUE; BOOL skip_first = TRUE;
int i, n; int i, n;
const char *chain = sc->szCertificateChain; const char *chain = sc->server->cert_chain;
/* /*
* Optionally configure extra server certificate chain certificates. * Optionally configure extra server certificate chain certificates.
@@ -654,14 +654,14 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
return; return;
} }
for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFiles[i]; i++) { for (i = 0; (i < SSL_AIDX_MAX) && sc->server->pks->cert_files[i]; i++) {
if (strEQ(sc->szPublicCertFiles[i], chain)) { if (strEQ(sc->server->pks->cert_files[i], chain)) {
skip_first = TRUE; skip_first = TRUE;
break; break;
} }
} }
n = SSL_CTX_use_certificate_chain(sc->pSSLCtx, n = SSL_CTX_use_certificate_chain(sc->server->ssl_ctx,
(char *)chain, (char *)chain,
skip_first, NULL); skip_first, NULL);
if (n < 0) { if (n < 0) {
@@ -701,13 +701,13 @@ static int ssl_server_import_cert(server_rec *s,
ssl_die(); ssl_die();
} }
if (SSL_CTX_use_certificate(sc->pSSLCtx, cert) <= 0) { if (SSL_CTX_use_certificate(sc->server->ssl_ctx, cert) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure %s server certificate", type); "Unable to configure %s server certificate", type);
ssl_die(); ssl_die();
} }
sc->pPublicCert[idx] = cert; sc->server->pks->certs[idx] = cert;
return TRUE; return TRUE;
} }
@@ -739,7 +739,7 @@ static int ssl_server_import_key(server_rec *s,
ssl_die(); ssl_die();
} }
if (SSL_CTX_use_PrivateKey(sc->pSSLCtx, pkey) <= 0) { if (SSL_CTX_use_PrivateKey(sc->server->ssl_ctx, pkey) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure %s server private key", type); "Unable to configure %s server private key", type);
ssl_die(); ssl_die();
@@ -749,8 +749,8 @@ static int ssl_server_import_key(server_rec *s,
* XXX: wonder if this is still needed, this is old todo doc. * XXX: wonder if this is still needed, this is old todo doc.
* (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html) * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
*/ */
if ((pkey_type == EVP_PKEY_DSA) && sc->pPublicCert[idx]) { if ((pkey_type == EVP_PKEY_DSA) && sc->server->pks->certs[idx]) {
EVP_PKEY *pubkey = X509_get_pubkey(sc->pPublicCert[idx]); EVP_PKEY *pubkey = X509_get_pubkey(sc->server->pks->certs[idx]);
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) { if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
EVP_PKEY_copy_parameters(pubkey, pkey); EVP_PKEY_copy_parameters(pubkey, pkey);
@@ -759,7 +759,7 @@ static int ssl_server_import_key(server_rec *s,
} }
} }
sc->pPrivateKey[idx] = pkey; sc->server->pks->keys[idx] = pkey;
return TRUE; return TRUE;
} }
@@ -847,7 +847,7 @@ static void ssl_init_server_certs(server_rec *s,
} }
for (i = 0; i < SSL_AIDX_MAX; i++) { for (i = 0; i < SSL_AIDX_MAX; i++) {
ssl_check_public_cert(s, ptemp, sc->pPublicCert[i], i); ssl_check_public_cert(s, ptemp, sc->server->pks->certs[i], i);
} }
have_rsa = ssl_server_import_key(s, sc, rsa_id, SSL_AIDX_RSA); have_rsa = ssl_server_import_key(s, sc, rsa_id, SSL_AIDX_RSA);
@@ -1107,17 +1107,17 @@ apr_status_t ssl_init_ModuleKill(void *data)
for (i=0; i < SSL_AIDX_MAX; i++) { for (i=0; i < SSL_AIDX_MAX; i++) {
MODSSL_CFG_ITEM_FREE(X509_free, MODSSL_CFG_ITEM_FREE(X509_free,
sc->pPublicCert[i]); sc->server->pks->certs[i]);
MODSSL_CFG_ITEM_FREE(EVP_PKEY_free, MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
sc->pPrivateKey[i]); sc->server->pks->keys[i]);
} }
MODSSL_CFG_ITEM_FREE(X509_STORE_free, MODSSL_CFG_ITEM_FREE(X509_STORE_free,
sc->pRevocationStore); sc->server->crl);
MODSSL_CFG_ITEM_FREE(SSL_CTX_free, MODSSL_CFG_ITEM_FREE(SSL_CTX_free,
sc->pSSLCtx); sc->server->ssl_ctx);
} }
/* /*

12
modules/ssl/ssl_engine_kernel.c
View File

@@ -497,7 +497,7 @@ int ssl_hook_Access(request_rec *r)
if (dc->nVerifyDepth != UNSET) { if (dc->nVerifyDepth != UNSET) {
/* XXX: doesnt look like sslconn->verify_depth is actually used */ /* XXX: doesnt look like sslconn->verify_depth is actually used */
if (!(n = sslconn->verify_depth)) { if (!(n = sslconn->verify_depth)) {
sslconn->verify_depth = n = sc->nVerifyDepth; sslconn->verify_depth = n = sc->server->auth.verify_depth;
} }
/* determine whether a renegotiation has to be forced */ /* determine whether a renegotiation has to be forced */
@@ -1301,7 +1301,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
verify = dc->nVerifyClient; verify = dc->nVerifyClient;
} }
else { else {
verify = sc->nVerifyClient; verify = sc->server->auth.verify_mode;
} }
if (ssl_verify_error_is_optional(errnum) && if (ssl_verify_error_is_optional(errnum) &&
@@ -1344,7 +1344,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
depth = dc->nVerifyDepth; depth = dc->nVerifyDepth;
} }
else { else {
depth = sc->nVerifyDepth; depth = sc->server->auth.verify_depth;
} }
if (errdepth > depth) { if (errdepth > depth) {
@@ -1378,7 +1378,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* Unless a revocation store for CRLs was created we * Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course. * cannot do any CRL-based verification, of course.
*/ */
if (!sc->pRevocationStore) { if (!sc->server->crl) {
return ok; return ok;
} }
@@ -1425,7 +1425,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* the current certificate in order to verify it's integrity. * the current certificate in order to verify it's integrity.
*/ */
memset((char *)&obj, 0, sizeof(obj)); memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->pRevocationStore, rc = SSL_X509_STORE_lookup(sc->server->crl,
X509_LU_CRL, subject, &obj); X509_LU_CRL, subject, &obj);
crl = obj.data.crl; crl = obj.data.crl;
@@ -1502,7 +1502,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* the current certificate in order to check for revocation. * the current certificate in order to check for revocation.
*/ */
memset((char *)&obj, 0, sizeof(obj)); memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->pRevocationStore, rc = SSL_X509_STORE_lookup(sc->server->crl,
X509_LU_CRL, issuer, &obj); X509_LU_CRL, issuer, &obj);
crl = obj.data.crl; crl = obj.data.crl;

52
modules/ssl/ssl_engine_pphrase.c
View File

@@ -213,7 +213,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
* Read in server certificate(s): This is the easy part * Read in server certificate(s): This is the easy part
* because this file isn't encrypted in any way. * because this file isn't encrypted in any way.
*/ */
if (sc->szPublicCertFiles[0] == NULL) { if (sc->server->pks->cert_files[0] == NULL) {
ssl_log(pServ, SSL_LOG_ERROR|SSL_INIT, ssl_log(pServ, SSL_LOG_ERROR|SSL_INIT,
"Server should be SSL-aware but has no certificate configured " "Server should be SSL-aware but has no certificate configured "
"[Hint: SSLCertificateFile]"); "[Hint: SSLCertificateFile]");
@@ -221,9 +221,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
} }
algoCert = SSL_ALGO_UNKNOWN; algoCert = SSL_ALGO_UNKNOWN;
algoKey = SSL_ALGO_UNKNOWN; algoKey = SSL_ALGO_UNKNOWN;
for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFiles[i] != NULL; i++) { for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
apr_cpystrn(szPath, sc->szPublicCertFiles[i], sizeof(szPath)); apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
if ( exists_and_readable(szPath, p, NULL) != APR_SUCCESS ) { if ( exists_and_readable(szPath, p, NULL) != APR_SUCCESS ) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server certificate file %s", szPath); "Init: Can't open server certificate file %s", szPath);
@@ -282,8 +282,8 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
* phrase for all). When this is the case we can minimize the dialogs * phrase for all). When this is the case we can minimize the dialogs
* by trying to re-use already known/entered pass phrases. * by trying to re-use already known/entered pass phrases.
*/ */
if (sc->szPrivateKeyFiles[j] != NULL) if (sc->server->pks->key_files[j] != NULL)
apr_cpystrn(szPath, sc->szPrivateKeyFiles[j++], sizeof(szPath)); apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));
/* /*
* Try to read the private key file with the help of * Try to read the private key file with the help of
@@ -390,10 +390,10 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
* chances... * chances...
*/ */
#ifndef WIN32 #ifndef WIN32
if ((sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
#else #else
if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
#endif #endif
&& cpPassPhraseCur != NULL && cpPassPhraseCur != NULL
&& nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) { && nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
@@ -408,7 +408,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
continue; continue;
} }
#ifdef WIN32 #ifdef WIN32
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) { if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath); "Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
ssl_die(); ssl_die();
@@ -429,16 +429,16 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
else { else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found"); ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
} }
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n"); apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
apr_file_printf(writetty, "**Stopped\n"); apr_file_printf(writetty, "**Stopped\n");
} }
} }
else { else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect"); ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n"); apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
apr_file_printf(writetty, "**Stopped\n"); apr_file_printf(writetty, "**Stopped\n");
} }
@@ -524,8 +524,8 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
*/ */
if (nPassPhraseDialog > 0) { if (nPassPhraseDialog > 0) {
sc = mySrvConfig(s); sc = mySrvConfig(s);
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "\n"); apr_file_printf(writetty, "\n");
apr_file_printf(writetty, "Ok: Pass Phrase Dialog successful.\n"); apr_file_printf(writetty, "Ok: Pass Phrase Dialog successful.\n");
} }
@@ -667,21 +667,21 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
/* /*
* Builtin or Pipe dialog * Builtin or Pipe dialog
*/ */
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
char *prompt; char *prompt;
int i; int i;
if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
if (!readtty) { if (!readtty) {
ssl_log(s, SSL_LOG_INFO, ssl_log(s, SSL_LOG_INFO,
"Init: Creating pass phrase dialog pipe child '%s'", "Init: Creating pass phrase dialog pipe child '%s'",
sc->szPassPhraseDialogPath); sc->server->pphrase_dialog_path);
if (ssl_pipe_child_create(p, sc->szPassPhraseDialogPath) if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path)
!= APR_SUCCESS) { != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR, ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to create pass phrase pipe '%s'", "Init: Failed to create pass phrase pipe '%s'",
sc->szPassPhraseDialogPath); sc->server->pphrase_dialog_path);
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize); memset(buf, 0, (unsigned int)bufsize);
return (-1); return (-1);
@@ -690,7 +690,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
ssl_log(s, SSL_LOG_INFO, ssl_log(s, SSL_LOG_INFO,
"Init: Requesting pass phrase via piped dialog"); "Init: Requesting pass phrase via piped dialog");
} }
else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
#ifdef WIN32 #ifdef WIN32
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize); memset(buf, 0, (unsigned int)bufsize);
@@ -735,10 +735,10 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
apr_file_puts(prompt, writetty); apr_file_puts(prompt, writetty);
for (;;) { for (;;) {
if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE); i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
} }
else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
i = EVP_read_pw_string(buf, bufsize, "", FALSE); i = EVP_read_pw_string(buf, bufsize, "", FALSE);
} }
if (i != 0) { if (i != 0) {
@@ -757,8 +757,8 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
/* /*
* Filter program * Filter program
*/ */
else if (sc->nPassPhraseDialogType == SSL_PPTYPE_FILTER) { else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->szPassPhraseDialogPath; const char *cmd = sc->server->pphrase_dialog_path;
const char **argv = apr_palloc(p, sizeof(char *) * 4); const char **argv = apr_palloc(p, sizeof(char *) * 4);
char *result; char *result;