www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

mod_ssl: follow up to r1734561.

Browse Source 
Simplify CRL check mode and flags handling/merging by using a single mask (int).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735337 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2016-03-16 22:54:27 +00:00
parent e6622f1d5e
commit 5bc7c3ca2d
4 changed files with 45 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
modules/ssl/ssl_engine_config.c
View File

@@ -121,8 +121,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->crl_path = NULL; mctx->crl_path = NULL;
mctx->crl_file = NULL; mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET; mctx->crl_check_mask = UNSET;
mctx->crl_check_flags = UNSET;
mctx->auth.ca_cert_path = NULL; mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL; mctx->auth.ca_cert_file = NULL;
@@ -272,8 +271,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
cfgMerge(crl_path, NULL); cfgMerge(crl_path, NULL);
cfgMerge(crl_file, NULL); cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET); cfgMergeInt(crl_check_mask);
cfgMergeInt(crl_check_flags);
cfgMergeString(auth.ca_cert_path); cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file); cfgMergeString(auth.ca_cert_file);
@@ -975,23 +973,38 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd,
static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms, static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms,
const char *arg, const char *arg,
ssl_crlcheck_t *mode) int *mask)
{ {
if (strcEQ(arg, "none")) { const char *w;
*mode = SSL_CRLCHECK_NONE;
w = ap_getword_conf(parms->temp_pool, &arg);
if (strcEQ(w, "none")) {
*mask = SSL_CRLCHECK_NONE;
} }
else if (strcEQ(arg, "leaf")) { else if (strcEQ(w, "leaf")) {
*mode = SSL_CRLCHECK_LEAF; *mask = SSL_CRLCHECK_LEAF;
} }
else if (strcEQ(arg, "chain")) { else if (strcEQ(w, "chain")) {
*mode = SSL_CRLCHECK_CHAIN; *mask = SSL_CRLCHECK_CHAIN;
} }
else { else {
return apr_pstrcat(parms->temp_pool, parms->cmd->name, return apr_pstrcat(parms->temp_pool, parms->cmd->name,
": Invalid argument '", arg, "'", ": Invalid argument '", w, "'",
NULL); NULL);
} }
while (*arg) {
w = ap_getword_conf(parms->temp_pool, &arg);
if (strcEQ(w, "no_crl_for_cert_ok")) {
*mask |= SSL_CRLCHECK_NO_CRL_FOR_CERT_OK;
}
else {
return apr_pstrcat(parms->temp_pool, parms->cmd->name,
": Invalid argument '", w, "'",
NULL);
}
}
return NULL; return NULL;
} }
@@ -1000,29 +1013,8 @@ const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd,
const char *arg) const char *arg)
{ {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err, *w;
w = ap_getword_conf(cmd->temp_pool, &arg); return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mask);
err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode);
if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) {
return err;
}
if (sc->server->crl_check_flags == UNSET) {
sc->server->crl_check_flags = 0;
}
while (*arg) {
w = ap_getword_conf(cmd->temp_pool, &arg);
if (strcEQ(w, "no_crl_for_cert_ok")) {
sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
}
else {
return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
": Invalid flag '", w, "'",
NULL);
}
}
return NULL;
} }
static const char *ssl_cmd_verify_parse(cmd_parms *parms, static const char *ssl_cmd_verify_parse(cmd_parms *parms,
@@ -1535,29 +1527,8 @@ const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd,
const char *arg) const char *arg)
{ {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err, *w;
w = ap_getword_conf(cmd->temp_pool, &arg); return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mask);
err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode);
if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) {
return err;
}
if (sc->proxy->crl_check_flags == UNSET) {
sc->proxy->crl_check_flags = 0;
}
while (*arg) {
w = ap_getword_conf(cmd->temp_pool, &arg);
if (strcEQ(w, "no_crl_for_cert_ok")) {
sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
}
else {
return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
": Invalid flag '", w, "'",
NULL);
}
}
return NULL;
} }
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd, const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,

14
modules/ssl/ssl_engine_init.c
View File

@@ -229,13 +229,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->fips = FALSE; sc->fips = FALSE;
} }
#endif #endif
if (sc->server && sc->server->crl_check_flags == UNSET) {
sc->server->crl_check_flags = 0;
}
if (sc->proxy && sc->proxy->crl_check_flags == UNSET) {
sc->proxy->crl_check_flags = 0;
}
} }
#if APR_HAS_THREADS #if APR_HAS_THREADS
@@ -818,14 +811,15 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
unsigned long crlflags = 0; unsigned long crlflags = 0;
char *cfgp = mctx->pkp ? "SSLProxy" : "SSL"; char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
/* /*
* Configure Certificate Revocation List (CRL) Details * Configure Certificate Revocation List (CRL) Details
*/ */
if (!(mctx->crl_file || mctx->crl_path)) { if (!(mctx->crl_file || mctx->crl_path)) {
if (mctx->crl_check_mode == SSL_CRLCHECK_LEAF || if (crl_check_mode == SSL_CRLCHECK_LEAF ||
mctx->crl_check_mode == SSL_CRLCHECK_CHAIN) { crl_check_mode == SSL_CRLCHECK_CHAIN) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01899) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01899)
"Host %s: CRL checking has been enabled, but " "Host %s: CRL checking has been enabled, but "
"neither %sCARevocationFile nor %sCARevocationPath " "neither %sCARevocationFile nor %sCARevocationPath "
@@ -847,7 +841,7 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
return ssl_die(s); return ssl_die(s);
} }
switch (mctx->crl_check_mode) { switch (crl_check_mode) {
case SSL_CRLCHECK_LEAF: case SSL_CRLCHECK_LEAF:
crlflags = X509_V_FLAG_CRL_CHECK; crlflags = X509_V_FLAG_CRL_CHECK;
break; break;

11
modules/ssl/ssl_engine_kernel.c
View File

@@ -1569,12 +1569,14 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
SSLConnRec *sslconn = myConnConfig(conn); SSLConnRec *sslconn = myConnConfig(conn);
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
/* Get verify ingredients */ /* Get verify ingredients */
int errnum = X509_STORE_CTX_get_error(ctx); int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx); int errdepth = X509_STORE_CTX_get_error_depth(ctx);
int depth, verify; int depth, verify;
/* /*
* Log verification information * Log verification information
*/ */
@@ -1582,10 +1584,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275) X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
"Certificate Verification, depth %d, " "Certificate Verification, depth %d, "
"CRL checking mode: %s (%x)", errdepth, "CRL checking mode: %s (%x)", errdepth,
mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ? crl_check_mode == SSL_CRLCHECK_CHAIN ? "chain" :
"chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ? crl_check_mode == SSL_CRLCHECK_LEAF ? "leaf" : "none",
"leaf" : "none"), mctx->crl_check_mask);
mctx->crl_check_flags);
/* /*
* Check for optionally acceptable non-verifiable issuer situation * Check for optionally acceptable non-verifiable issuer situation
@@ -1635,7 +1636,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
} }
if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
&& (mctx->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) { && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
errnum = X509_V_OK; errnum = X509_V_OK;
ok = TRUE; ok = TRUE;
} }

16
modules/ssl/ssl_private.h
View File

@@ -336,14 +336,15 @@ typedef enum {
|| (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
/** /**
* CRL checking modes * CRL checking mask (mode | flags)
*/ */
#define MODSSL_CCF_NO_CRL_FOR_CERT_OK (1 << 0)
typedef enum { typedef enum {
SSL_CRLCHECK_UNSET = UNSET, SSL_CRLCHECK_NONE = (0),
SSL_CRLCHECK_NONE = 0, SSL_CRLCHECK_LEAF = (1 << 0),
SSL_CRLCHECK_LEAF = 1, SSL_CRLCHECK_CHAIN = (1 << 1),
SSL_CRLCHECK_CHAIN = 2
#define SSL_CRLCHECK_FLAGS (~0x3)
SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
} ssl_crlcheck_t; } ssl_crlcheck_t;
/** /**
@@ -601,8 +602,7 @@ typedef struct {
/** certificate revocation list */ /** certificate revocation list */
const char *crl_path; const char *crl_path;
const char *crl_file; const char *crl_file;
ssl_crlcheck_t crl_check_mode; int crl_check_mask;
int crl_check_flags;
#ifdef HAVE_OCSP_STAPLING #ifdef HAVE_OCSP_STAPLING
/** OCSP stapling options */ /** OCSP stapling options */