www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

* modules/ssl/mod_ssl.c: Declare new config directives

Browse Source 
SSLCADNRequestFile and SSLCADNRequestPath.

* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.

* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.

PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2005-01-14 13:54:31 +00:00
parent 5d4ce7fb94
commit 3f6c23e40a
5 changed files with 63 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -2,6 +2,11 @@ Changes with Apache 2.1.3
[Remove entries to the current 2.0 section below, when backported] [Remove entries to the current 2.0 section below, when backported]
*) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
which can be used to configure a specific list of CA names to send
in a client certificate request. PR 32848.
[Tim Taylor <tim.taylor dfas.mil>]
*) --with-module can now take more than one module to be statically *) --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,... linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and If the <modtype>-subdirectory doesn't exist it will be created and

6
modules/ssl/mod_ssl.c
View File

@@ -116,6 +116,12 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_ALL(CACertificateFile, TAKE1, SSL_CMD_ALL(CACertificateFile, TAKE1,
"SSL CA Certificate file " "SSL CA Certificate file "
"(`/path/to/file' - PEM encoded)") "(`/path/to/file' - PEM encoded)")
SSL_CMD_SRV(CADNRequestPath, TAKE1,
"SSL CA Distinguished Name path "
"(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
SSL_CMD_SRV(CADNRequestFile, TAKE1,
"SSL CA Distinguished Name file "
"(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
SSL_CMD_SRV(CARevocationPath, TAKE1, SSL_CMD_SRV(CARevocationPath, TAKE1,
"SSL CA Certificate Revocation List (CRL) path " "SSL CA Certificate Revocation List (CRL) path "
"(`/path/to/dir' - contains PEM encoded files)") "(`/path/to/dir' - contains PEM encoded files)")

45
modules/ssl/ssl_engine_config.c
View File

@@ -152,17 +152,9 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
modssl_ctx_init(mctx); modssl_ctx_init(mctx);
mctx->pks = apr_palloc(p, sizeof(*mctx->pks)); mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
memset((void*)mctx->pks->cert_files, 0, sizeof(mctx->pks->cert_files)); /* mctx->pks->... certs/keys are set during module init */
memset((void*)mctx->pks->key_files, 0, sizeof(mctx->pks->key_files));
/* certs/keys are set during module init */
memset(mctx->pks->certs, 0, sizeof(mctx->pks->certs));
memset(mctx->pks->keys, 0, sizeof(mctx->pks->keys));
} }
static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -245,6 +237,9 @@ static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
cfgMergeString(pks->cert_files[i]); cfgMergeString(pks->cert_files[i]);
cfgMergeString(pks->key_files[i]); cfgMergeString(pks->key_files[i]);
} }
cfgMergeString(pks->ca_name_path);
cfgMergeString(pks->ca_name_file);
} }
/* /*
@@ -835,6 +830,36 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
return NULL; return NULL;
} }
const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ssl_cmd_check_dir(cmd, &arg))) {
return err;
}
sc->server->pks->ca_name_path = arg;
return NULL;
}
const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ssl_cmd_check_file(cmd, &arg))) {
return err;
}
sc->server->pks->ca_name_file = arg;
return NULL;
}
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd,
void *dcfg, void *dcfg,
const char *arg) const char *arg)

9
modules/ssl/ssl_engine_init.c
View File

@@ -544,12 +544,17 @@ static void ssl_init_ctx_verify(server_rec *s,
ssl_die(); ssl_die();
} }
if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
ca_list = ssl_init_FindCAList(s, ptemp,
mctx->pks->ca_name_file,
mctx->pks->ca_name_path);
} else
ca_list = ssl_init_FindCAList(s, ptemp, ca_list = ssl_init_FindCAList(s, ptemp,
mctx->auth.ca_cert_file, mctx->auth.ca_cert_file,
mctx->auth.ca_cert_path); mctx->auth.ca_cert_path);
if (!ca_list) { if (!ca_list) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to determine list of available " "Unable to determine list of acceptable "
"CA certificates for client authentication"); "CA certificates for client authentication");
ssl_die(); ssl_die();
} }
@@ -1151,7 +1156,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) { if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
"Failed to open SSLCACertificatePath `%s'", "Failed to open Certificate Path `%s'",
ca_path); ca_path);
ssl_die(); ssl_die();
} }

7
modules/ssl/ssl_private.h
View File

@@ -379,6 +379,11 @@ typedef struct {
const char *key_files[SSL_AIDX_MAX]; const char *key_files[SSL_AIDX_MAX];
X509 *certs[SSL_AIDX_MAX]; X509 *certs[SSL_AIDX_MAX];
EVP_PKEY *keys[SSL_AIDX_MAX]; EVP_PKEY *keys[SSL_AIDX_MAX];
/* Certificates which specify the set of CA names which should be
* sent in the CertificateRequest message: */
const char *ca_name_path;
const char *ca_name_file;
} modssl_pk_server_t; } modssl_pk_server_t;
typedef struct { typedef struct {
@@ -487,6 +492,8 @@ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);