www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

breakup SSLSrvConfigRec in preparation for proxy support:

Browse Source 
+ modssl_pk_server_t - certs/keys for the server
+ modssl_pk_proxy_t  - certs/keys for the proxy
+ modssl_auth_ctx_t  - stuff related to authentication that can also
                       be per-dir, used by both server and proxy
+ modssl_ctx_t       - context that can be used by both server and proxy
+ SSLSrvConfigRec    - now contains original stuff specific to the
                       server config and modssl_ctx_t *server, *proxy


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94267 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2002-03-28 18:50:07 +00:00
parent e90c7fb27f
commit 1d76ab39ff
6 changed files with 239 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/ssl/mod_ssl.c
View File

@@ -257,7 +257,7 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if (!(ssl = SSL_new(sc->pSSLCtx))) {
if (!(ssl = SSL_new(sc->server->ssl_ctx))) {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to create a new SSL connection from the SSL context");
@@ -404,7 +404,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
sslconn->verify_error)
{
if (ssl_verify_error_is_optional(verify_result) &&
(sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{
/* leaving this log message as an error for the moment,
* according to the mod_ssl docs:
@@ -444,7 +444,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
* Make really sure that when a peer certificate
* is required we really got one... (be paranoid)
*/
if ((sc->nVerifyClient == SSL_CVERIFY_REQUIRE) &&
if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
!sslconn->client_cert)
{
ssl_log(c->base_server, SSL_LOG_ERROR,

85
modules/ssl/mod_ssl.h
View File

@@ -468,12 +468,65 @@ typedef struct {
} rCtx;
} SSLModConfigRec;
/*
* Define the mod_ssl per-server configuration structure
* (i.e. the configuration for the main server
* and all <VirtualHost> contexts)
*/
/* public cert/private key */
typedef struct {
/*
* server only has 1-2 certs/keys
* 1 RSA and/or 1 DSA
*/
const char *cert_files[SSL_AIDX_MAX];
const char *key_files[SSL_AIDX_MAX];
X509 *certs[SSL_AIDX_MAX];
EVP_PKEY *keys[SSL_AIDX_MAX];
} modssl_pk_server_t;
typedef struct {
/* proxy can have any number of cert/key pairs */
const char *cert_file;
const char *cert_path;
STACK_OF(X509_INFO) *certs;
} modssl_pk_proxy_t;
/* stuff related to authentication that can also be per-dir */
typedef struct {
/* known/trusted CAs */
const char *ca_cert_path;
const char *ca_cert_file;
const char *cipher_suite;
/* for client or downstream server authentication */
int verify_depth;
ssl_verify_t verify_mode;
} modssl_auth_ctx_t;
typedef struct SSLSrvConfigRec SSLSrvConfigRec;
typedef struct {
SSLSrvConfigRec *sc; /* pointer back to server config */
SSL_CTX *ssl_ctx;
/* we are one or the other */
modssl_pk_server_t *pks;
modssl_pk_proxy_t *pkp;
/* config for handling encrypted keys */
ssl_pphrase_t pphrase_dialog_type;
const char *pphrase_dialog_path;
const char *cert_chain;
/* certificate revocation list */
const char *crl_path;
const char *crl_file;
X509_STORE *crl;
ssl_proto_t protocol;
modssl_auth_ctx_t auth;
} modssl_ctx_t;
struct SSLSrvConfigRec {
SSLModConfigRec *mc;
BOOL enabled;
const char *vhost_id;
@@ -482,25 +535,9 @@ typedef struct {
apr_file_t *log_file;
int log_level;
int session_cache_timeout;
const char *szPublicCertFiles[SSL_AIDX_MAX];
const char *szPrivateKeyFiles[SSL_AIDX_MAX];
const char *szCertificateChain;
const char *szCACertificatePath;
const char *szCACertificateFile;
const char *szCipherSuite;
int nVerifyDepth;
ssl_verify_t nVerifyClient;
X509 *pPublicCert[SSL_AIDX_MAX];
EVP_PKEY *pPrivateKey[SSL_AIDX_MAX];
SSL_CTX *pSSLCtx;
int nPassPhraseDialogType;
const char *szPassPhraseDialogPath;
ssl_proto_t nProtocol;
const char *szCARevocationPath;
const char *szCARevocationFile;
X509_STORE *pRevocationStore;
} SSLSrvConfigRec;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
};
/*
* Define the mod_ssl per-directory configuration structure

148
modules/ssl/ssl_engine_config.c
View File

@@ -135,6 +135,53 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
** _________________________________________________________________
*/
static void modssl_ctx_init(modssl_ctx_t *ctx, SSLSrvConfigRec *sc)
{
ctx->sc = sc;
ctx->ssl_ctx = NULL;
ctx->pks = NULL;
ctx->pkp = NULL;
ctx->protocol = SSL_PROTOCOL_ALL;
ctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
ctx->pphrase_dialog_path = NULL;
ctx->cert_chain = NULL;
ctx->crl_path = NULL;
ctx->crl_file = NULL;
ctx->crl = NULL;
ctx->auth.ca_cert_path = NULL;
ctx->auth.ca_cert_file = NULL;
ctx->auth.cipher_suite = NULL;
ctx->auth.verify_depth = UNSET;
ctx->auth.verify_mode = SSL_CVERIFY_UNSET;
}
static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
apr_pool_t *p)
{
modssl_ctx_t *ctx;
ctx = sc->server = apr_palloc(p, sizeof(*sc->server));
modssl_ctx_init(ctx, sc);
ctx->pks = apr_palloc(p, sizeof(*ctx->pks));
memset((void*)ctx->pks->cert_files, 0, sizeof(ctx->pks->cert_files));
memset((void*)ctx->pks->key_files, 0, sizeof(ctx->pks->key_files));
memset(ctx->pks->certs, 0, sizeof(ctx->pks->certs));
memset(ctx->pks->keys, 0, sizeof(ctx->pks->keys));
}
/*
* Create per-server SSL configuration
*/
@@ -151,24 +198,7 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
sc->log_level = SSL_LOG_NONE;
sc->session_cache_timeout = UNSET;
sc->szCACertificatePath = NULL;
sc->szCACertificateFile = NULL;
sc->szCertificateChain = NULL;
sc->szCipherSuite = NULL;
sc->nVerifyDepth = UNSET;
sc->nVerifyClient = SSL_CVERIFY_UNSET;
sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET;
sc->szPassPhraseDialogPath = NULL;
sc->nProtocol = SSL_PROTOCOL_ALL;
sc->pSSLCtx = NULL;
sc->szCARevocationPath = NULL;
sc->szCARevocationFile = NULL;
sc->pRevocationStore = NULL;
memset((void*)sc->szPublicCertFiles, 0, sizeof(sc->szPublicCertFiles));
memset((void*)sc->szPrivateKeyFiles, 0, sizeof(sc->szPrivateKeyFiles));
memset(sc->pPublicCert, 0, sizeof(sc->pPublicCert));
memset(sc->pPrivateKey, 0, sizeof(sc->pPrivateKey));
modssl_ctx_init_server(sc, p);
return sc;
}
@@ -183,6 +213,8 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
SSLSrvConfigRec *mrg = (SSLSrvConfigRec *)apr_palloc(p, sizeof(*mrg));
modssl_ctx_init_server(mrg, p);
cfgMerge(mc, NULL);
cfgMergeBool(enabled);
cfgMergeString(vhost_id);
@@ -191,25 +223,25 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
cfgMerge(log_level, SSL_LOG_NONE);
cfgMergeInt(session_cache_timeout);
cfgMergeString(szCACertificatePath);
cfgMergeString(szCACertificateFile);
cfgMergeString(szCertificateChain);
cfgMergeString(szCipherSuite);
cfgMergeInt(nVerifyDepth);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET);
cfgMergeString(szPassPhraseDialogPath);
cfgMerge(nProtocol, SSL_PROTOCOL_ALL);
cfgMerge(pSSLCtx, NULL);
cfgMerge(szCARevocationPath, NULL);
cfgMerge(szCARevocationFile, NULL);
cfgMerge(pRevocationStore, NULL);
cfgMergeString(server->auth.ca_cert_path);
cfgMergeString(server->auth.ca_cert_file);
cfgMergeString(server->cert_chain);
cfgMergeString(server->auth.cipher_suite);
cfgMergeInt(server->auth.verify_depth);
cfgMerge(server->auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMerge(server->pphrase_dialog_type, SSL_PPTYPE_UNSET);
cfgMergeString(server->pphrase_dialog_path);
cfgMerge(server->protocol, SSL_PROTOCOL_ALL);
cfgMerge(server->ssl_ctx, NULL);
cfgMerge(server->crl_path, NULL);
cfgMerge(server->crl_file, NULL);
cfgMerge(server->crl, NULL);
for (i = 0; i < SSL_AIDX_MAX; i++) {
cfgMergeString(szPublicCertFiles[i]);
cfgMergeString(szPrivateKeyFiles[i]);
cfgMerge(pPublicCert[i], NULL);
cfgMerge(pPrivateKey[i], NULL);
cfgMergeString(server->pks->cert_files[i]);
cfgMergeString(server->pks->key_files[i]);
cfgMerge(server->pks->certs[i], NULL);
cfgMerge(server->pks->keys[i], NULL);
}
return mrg;
@@ -330,33 +362,33 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd, void *ctx,
}
if (strcEQ(arg, "builtin")) {
sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
sc->szPassPhraseDialogPath = NULL;
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
sc->server->pphrase_dialog_path = NULL;
}
else if ((arglen > 5) && strEQn(arg, "exec:", 5)) {
sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER;
sc->server->pphrase_dialog_type = SSL_PPTYPE_FILTER;
/* ### This is broken, exec: may contain args, no? */
sc->szPassPhraseDialogPath =
sc->server->pphrase_dialog_path =
ap_server_root_relative(cmd->pool, arg+5);
if (!sc->szPassPhraseDialogPath) {
if (!sc->server->pphrase_dialog_path) {
return apr_pstrcat(cmd->pool,
"Invalid SSLPassPhraseDialog exec: path ",
arg+5, NULL);
}
if (!ssl_util_path_check(SSL_PCM_EXISTS,
sc->szPassPhraseDialogPath,
sc->server->pphrase_dialog_path,
cmd->pool))
{
return apr_pstrcat(cmd->pool,
"SSLPassPhraseDialog: file '",
sc->szPassPhraseDialogPath,
sc->server->pphrase_dialog_path,
"' does not exist", NULL);
}
}
else if ((arglen > 1) && (arg[0] == '|')) {
sc->nPassPhraseDialogType = SSL_PPTYPE_PIPE;
sc->szPassPhraseDialogPath = arg + 1;
sc->server->pphrase_dialog_type = SSL_PPTYPE_PIPE;
sc->server->pphrase_dialog_path = arg + 1;
}
else {
return "SSLPassPhraseDialog: Invalid argument";
@@ -509,7 +541,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *ctx,
dc->szCipherSuite = arg;
}
else {
sc->szCipherSuite = arg;
sc->server->auth.cipher_suite = arg;
}
return NULL;
@@ -581,11 +613,11 @@ static const char *ssl_cmd_check_aidx_max(cmd_parms *parms,
switch (idx) {
case SSL_AIDX_CERTS:
desc = "certificates";
files = sc->szPublicCertFiles;
files = sc->server->pks->cert_files;
break;
case SSL_AIDX_KEYS:
desc = "private keys";
files = sc->szPrivateKeyFiles;
files = sc->server->pks->key_files;
break;
}
@@ -637,7 +669,7 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *ctx,
return err;
}
sc->szCertificateChain = arg;
sc->server->cert_chain = arg;
return NULL;
}
@@ -663,7 +695,7 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *ctx,
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
const char *arg)
{
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
/*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
@@ -671,7 +703,8 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
return err;
}
MODSSL_SET_CA(szCACertificatePath);
/* XXX: bring back per-dir */
sc->server->auth.ca_cert_path = arg;
return NULL;
}
@@ -679,7 +712,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx,
const char *arg)
{
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
/*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
@@ -687,7 +720,8 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx,
return err;
}
MODSSL_SET_CA(szCACertificateFile);
/* XXX: bring back per-dir */
sc->server->auth.ca_cert_file = arg;
return NULL;
}
@@ -702,7 +736,7 @@ const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, void *ctx,
return err;
}
sc->szCARevocationPath = arg;
sc->server->crl_path = arg;
return NULL;
}
@@ -717,7 +751,7 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd, void *ctx,
return err;
}
sc->szCARevocationFile = arg;
sc->server->crl_file = arg;
return NULL;
}
@@ -763,7 +797,7 @@ const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd, void *ctx,
dc->nVerifyClient = id;
}
else {
sc->nVerifyClient = id;
sc->server->auth.verify_mode = id;
}
return NULL;
@@ -798,7 +832,7 @@ const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd, void *ctx,
dc->nVerifyDepth = depth;
}
else {
sc->nVerifyDepth = depth;
sc->server->auth.verify_depth = depth;
}
return NULL;
@@ -1141,7 +1175,7 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *cmd, void *ctx,
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
return ssl_cmd_protocol_parse(cmd, opt, &sc->nProtocol);
return ssl_cmd_protocol_parse(cmd, opt, &sc->server->protocol);
}
#ifdef SSL_EXPERIMENTAL_PROXY

90
modules/ssl/ssl_engine_init.c
View File

@@ -239,8 +239,8 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
}
if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) {
sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
/* Open the dedicated SSL logfile */
@@ -374,7 +374,7 @@ static void ssl_init_server_check(server_rec *s,
* check for important parameters and the
* possibility that the user forgot to set them.
*/
if (!sc->szPublicCertFiles[0]) {
if (!sc->server->pks->cert_files[0]) {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"No SSL Certificate set [hint: SSLCertificateFile]");
ssl_die();
@@ -383,8 +383,8 @@ static void ssl_init_server_check(server_rec *s,
/*
* Check for problematic re-initializations
*/
if (sc->pPublicCert[SSL_AIDX_RSA] ||
sc->pPublicCert[SSL_AIDX_DSA])
if (sc->server->pks->certs[SSL_AIDX_RSA] ||
sc->server->pks->certs[SSL_AIDX_DSA])
{
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Illegal attempt to re-initialise SSL for server "
@@ -400,7 +400,7 @@ static SSL_CTX *ssl_init_ctx(server_rec *s,
{
SSL_CTX *ctx = NULL;
char *cp;
int protocol = sc->nProtocol;
int protocol = sc->server->protocol;
/*
* Create the new per-server SSL context
@@ -428,7 +428,7 @@ static SSL_CTX *ssl_init_ctx(server_rec *s,
ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
}
sc->pSSLCtx = ctx;
sc->server->ssl_ctx = ctx;
SSL_CTX_set_options(ctx, SSL_OP_ALL);
@@ -459,7 +459,7 @@ static void ssl_init_ctx_session_cache(server_rec *s,
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
SSL_CTX *ctx = sc->pSSLCtx;
SSL_CTX *ctx = sc->server->ssl_ctx;
SSLModConfigRec *mc = myModConfig(s);
long cache_mode = SSL_SESS_CACHE_OFF;
@@ -483,7 +483,7 @@ static void ssl_init_ctx_callbacks(server_rec *s,
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
SSL_CTX *ctx = sc->pSSLCtx;
SSL_CTX *ctx = sc->server->ssl_ctx;
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
@@ -499,28 +499,28 @@ static void ssl_init_ctx_verify(server_rec *s,
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
SSL_CTX *ctx = sc->pSSLCtx;
SSL_CTX *ctx = sc->server->ssl_ctx;
int verify = SSL_VERIFY_NONE;
STACK_OF(X509_NAME) *ca_list;
if (sc->nVerifyClient == SSL_CVERIFY_UNSET) {
sc->nVerifyClient = SSL_CVERIFY_NONE;
if (sc->server->auth.verify_mode == SSL_CVERIFY_UNSET) {
sc->server->auth.verify_mode = SSL_CVERIFY_NONE;
}
if (sc->nVerifyDepth == UNSET) {
sc->nVerifyDepth = 1;
if (sc->server->auth.verify_depth == UNSET) {
sc->server->auth.verify_depth = 1;
}
/*
* Configure callbacks for SSL context
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
verify |= SSL_VERIFY_PEER_STRICT;
}
if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
(sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
if ((sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{
verify |= SSL_VERIFY_PEER;
}
@@ -530,13 +530,13 @@ static void ssl_init_ctx_verify(server_rec *s,
/*
* Configure Client Authentication details
*/
if (sc->szCACertificateFile || sc->szCACertificatePath) {
if (sc->server->auth.ca_cert_file || sc->server->auth.ca_cert_path) {
ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
"Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx,
sc->szCACertificateFile,
sc->szCACertificatePath))
sc->server->auth.ca_cert_file,
sc->server->auth.ca_cert_path))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure verify locations "
@@ -545,8 +545,8 @@ static void ssl_init_ctx_verify(server_rec *s,
}
ca_list = ssl_init_FindCAList(s, ptemp,
sc->szCACertificateFile,
sc->szCACertificatePath);
sc->server->auth.ca_cert_file,
sc->server->auth.ca_cert_path);
if (!ca_list) {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to determine list of available "
@@ -561,7 +561,7 @@ static void ssl_init_ctx_verify(server_rec *s,
* Give a warning when no CAs were configured but client authentication
* should take place. This cannot work.
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(ca_list) == 0) {
@@ -578,8 +578,8 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
SSL_CTX *ctx = sc->pSSLCtx;
const char *suite = sc->szCipherSuite;
SSL_CTX *ctx = sc->server->ssl_ctx;
const char *suite = sc->server->auth.cipher_suite;
/*
* Configure SSL Cipher Suite
@@ -608,18 +608,18 @@ static void ssl_init_ctx_crl(server_rec *s,
* Configure Certificate Revocation List (CRL) Details
*/
if (!(sc->szCARevocationFile || sc->szCARevocationPath)) {
if (!(sc->server->crl_file || sc->server->crl_path)) {
return;
}
ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
"Configuring certificate revocation facility");
sc->pRevocationStore =
SSL_X509_STORE_create((char *)sc->szCARevocationFile,
(char *)sc->szCARevocationPath);
sc->server->crl =
SSL_X509_STORE_create((char *)sc->server->crl_file,
(char *)sc->server->crl_path);
if (!sc->pRevocationStore) {
if (!sc->server->crl) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure X.509 CRL storage "
"for certificate revocation");
@@ -634,7 +634,7 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
{
BOOL skip_first = TRUE;
int i, n;
const char *chain = sc->szCertificateChain;
const char *chain = sc->server->cert_chain;
/*
* Optionally configure extra server certificate chain certificates.
@@ -654,14 +654,14 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
return;
}
for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFiles[i]; i++) {
if (strEQ(sc->szPublicCertFiles[i], chain)) {
for (i = 0; (i < SSL_AIDX_MAX) && sc->server->pks->cert_files[i]; i++) {
if (strEQ(sc->server->pks->cert_files[i], chain)) {
skip_first = TRUE;
break;
}
}
n = SSL_CTX_use_certificate_chain(sc->pSSLCtx,
n = SSL_CTX_use_certificate_chain(sc->server->ssl_ctx,
(char *)chain,
skip_first, NULL);
if (n < 0) {
@@ -701,13 +701,13 @@ static int ssl_server_import_cert(server_rec *s,
ssl_die();
}
if (SSL_CTX_use_certificate(sc->pSSLCtx, cert) <= 0) {
if (SSL_CTX_use_certificate(sc->server->ssl_ctx, cert) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure %s server certificate", type);
ssl_die();
}
sc->pPublicCert[idx] = cert;
sc->server->pks->certs[idx] = cert;
return TRUE;
}
@@ -739,7 +739,7 @@ static int ssl_server_import_key(server_rec *s,
ssl_die();
}
if (SSL_CTX_use_PrivateKey(sc->pSSLCtx, pkey) <= 0) {
if (SSL_CTX_use_PrivateKey(sc->server->ssl_ctx, pkey) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure %s server private key", type);
ssl_die();
@@ -749,8 +749,8 @@ static int ssl_server_import_key(server_rec *s,
* XXX: wonder if this is still needed, this is old todo doc.
* (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
*/
if ((pkey_type == EVP_PKEY_DSA) && sc->pPublicCert[idx]) {
EVP_PKEY *pubkey = X509_get_pubkey(sc->pPublicCert[idx]);
if ((pkey_type == EVP_PKEY_DSA) && sc->server->pks->certs[idx]) {
EVP_PKEY *pubkey = X509_get_pubkey(sc->server->pks->certs[idx]);
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
EVP_PKEY_copy_parameters(pubkey, pkey);
@@ -759,7 +759,7 @@ static int ssl_server_import_key(server_rec *s,
}
}
sc->pPrivateKey[idx] = pkey;
sc->server->pks->keys[idx] = pkey;
return TRUE;
}
@@ -847,7 +847,7 @@ static void ssl_init_server_certs(server_rec *s,
}
for (i = 0; i < SSL_AIDX_MAX; i++) {
ssl_check_public_cert(s, ptemp, sc->pPublicCert[i], i);
ssl_check_public_cert(s, ptemp, sc->server->pks->certs[i], i);
}
have_rsa = ssl_server_import_key(s, sc, rsa_id, SSL_AIDX_RSA);
@@ -1107,17 +1107,17 @@ apr_status_t ssl_init_ModuleKill(void *data)
for (i=0; i < SSL_AIDX_MAX; i++) {
MODSSL_CFG_ITEM_FREE(X509_free,
sc->pPublicCert[i]);
sc->server->pks->certs[i]);
MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
sc->pPrivateKey[i]);
sc->server->pks->keys[i]);
}
MODSSL_CFG_ITEM_FREE(X509_STORE_free,
sc->pRevocationStore);
sc->server->crl);
MODSSL_CFG_ITEM_FREE(SSL_CTX_free,
sc->pSSLCtx);
sc->server->ssl_ctx);
}
/*

12
modules/ssl/ssl_engine_kernel.c
View File

@@ -497,7 +497,7 @@ int ssl_hook_Access(request_rec *r)
if (dc->nVerifyDepth != UNSET) {
/* XXX: doesnt look like sslconn->verify_depth is actually used */
if (!(n = sslconn->verify_depth)) {
sslconn->verify_depth = n = sc->nVerifyDepth;
sslconn->verify_depth = n = sc->server->auth.verify_depth;
}
/* determine whether a renegotiation has to be forced */
@@ -1301,7 +1301,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
verify = dc->nVerifyClient;
}
else {
verify = sc->nVerifyClient;
verify = sc->server->auth.verify_mode;
}
if (ssl_verify_error_is_optional(errnum) &&
@@ -1344,7 +1344,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
depth = dc->nVerifyDepth;
}
else {
depth = sc->nVerifyDepth;
depth = sc->server->auth.verify_depth;
}
if (errdepth > depth) {
@@ -1378,7 +1378,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course.
*/
if (!sc->pRevocationStore) {
if (!sc->server->crl) {
return ok;
}
@@ -1425,7 +1425,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* the current certificate in order to verify it's integrity.
*/
memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
rc = SSL_X509_STORE_lookup(sc->server->crl,
X509_LU_CRL, subject, &obj);
crl = obj.data.crl;
@@ -1502,7 +1502,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* the current certificate in order to check for revocation.
*/
memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
rc = SSL_X509_STORE_lookup(sc->server->crl,
X509_LU_CRL, issuer, &obj);
crl = obj.data.crl;

52
modules/ssl/ssl_engine_pphrase.c
View File

@@ -213,7 +213,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
* Read in server certificate(s): This is the easy part
* because this file isn't encrypted in any way.
*/
if (sc->szPublicCertFiles[0] == NULL) {
if (sc->server->pks->cert_files[0] == NULL) {
ssl_log(pServ, SSL_LOG_ERROR|SSL_INIT,
"Server should be SSL-aware but has no certificate configured "
"[Hint: SSLCertificateFile]");
@@ -221,9 +221,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
}
algoCert = SSL_ALGO_UNKNOWN;
algoKey = SSL_ALGO_UNKNOWN;
for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFiles[i] != NULL; i++) {
for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
apr_cpystrn(szPath, sc->szPublicCertFiles[i], sizeof(szPath));
apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
if ( exists_and_readable(szPath, p, NULL) != APR_SUCCESS ) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server certificate file %s", szPath);
@@ -282,8 +282,8 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
* phrase for all). When this is the case we can minimize the dialogs
* by trying to re-use already known/entered pass phrases.
*/
if (sc->szPrivateKeyFiles[j] != NULL)
apr_cpystrn(szPath, sc->szPrivateKeyFiles[j++], sizeof(szPath));
if (sc->server->pks->key_files[j] != NULL)
apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));
/*
* Try to read the private key file with the help of
@@ -390,10 +390,10 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
* chances...
*/
#ifndef WIN32
if ((sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE)
if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
#else
if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
#endif
&& cpPassPhraseCur != NULL
&& nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
@@ -408,7 +408,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
continue;
}
#ifdef WIN32
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
ssl_die();
@@ -429,16 +429,16 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
}
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
apr_file_printf(writetty, "**Stopped\n");
}
}
else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
apr_file_printf(writetty, "**Stopped\n");
}
@@ -524,8 +524,8 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
*/
if (nPassPhraseDialog > 0) {
sc = mySrvConfig(s);
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "\n");
apr_file_printf(writetty, "Ok: Pass Phrase Dialog successful.\n");
}
@@ -667,21 +667,21 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
/*
* Builtin or Pipe dialog
*/
if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
|| sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
char *prompt;
int i;
if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
if (!readtty) {
ssl_log(s, SSL_LOG_INFO,
"Init: Creating pass phrase dialog pipe child '%s'",
sc->szPassPhraseDialogPath);
if (ssl_pipe_child_create(p, sc->szPassPhraseDialogPath)
sc->server->pphrase_dialog_path);
if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path)
!= APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to create pass phrase pipe '%s'",
sc->szPassPhraseDialogPath);
sc->server->pphrase_dialog_path);
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
return (-1);
@@ -690,7 +690,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
ssl_log(s, SSL_LOG_INFO,
"Init: Requesting pass phrase via piped dialog");
}
else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
#ifdef WIN32
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
@@ -735,10 +735,10 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
apr_file_puts(prompt, writetty);
for (;;) {
if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
}
else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
i = EVP_read_pw_string(buf, bufsize, "", FALSE);
}
if (i != 0) {
@@ -757,8 +757,8 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
/*
* Filter program
*/
else if (sc->nPassPhraseDialogType == SSL_PPTYPE_FILTER) {
const char *cmd = sc->szPassPhraseDialogPath;
else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
const char *cmd = sc->server->pphrase_dialog_path;
const char **argv = apr_palloc(p, sizeof(char *) * 4);
char *result;