www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

This stuff shouldn't have been committed. This is the SSL upgrade stuff,

Browse Source 
and it was included in a commit that shouldn't have touched these files.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97201 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ryan Bloom
2002-10-14 04:15:58 +00:00
parent 62eedfbb8b
commit 658c2437bd
7 changed files with 39 additions and 179 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
modules/ssl/mod_ssl.c
View File

@@ -105,7 +105,7 @@ static const command_rec ssl_config_cmds[] = {
/* /*
* Per-server context configuration directives * Per-server context configuration directives
*/ */
SSL_CMD_SRV(Engine, TAKE1, SSL_CMD_SRV(Engine, FLAG,
"SSL switch for the protocol engine " "SSL switch for the protocol engine "
"(`on', `off')") "(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1, SSL_CMD_ALL(CipherSuite, TAKE1,
@@ -274,7 +274,7 @@ int ssl_engine_disable(conn_rec *c)
return 1; return 1;
} }
int ssl_init_ssl_connection(conn_rec *c) static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{ {
SSLSrvConfigRec *sc = mySrvConfig(c->base_server); SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSL *ssl; SSL *ssl;
@@ -283,14 +283,40 @@ int ssl_init_ssl_connection(conn_rec *c)
modssl_ctx_t *mctx; modssl_ctx_t *mctx;
/* /*
* Seed the Pseudo Random Number Generator (PRNG) * Immediately stop processing if SSL is disabled for this connection
*/ */
ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, ""); if (!(sc && (sc->enabled ||
(sslconn && sslconn->is_proxy))))
{
return DECLINED;
}
/*
* Create SSL context
*/
if (!sslconn) { if (!sslconn) {
sslconn = ssl_init_connection_ctx(c); sslconn = ssl_init_connection_ctx(c);
} }
if (sslconn->disabled) {
return DECLINED;
}
/*
* Remember the connection information for
* later access inside callback functions
*/
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
c->remote_ip ? c->remote_ip : "unknown");
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
mctx = sslconn->is_proxy ? sc->proxy : sc->server; mctx = sslconn->is_proxy ? sc->proxy : sc->server;
/* /*
@@ -342,44 +368,6 @@ int ssl_init_ssl_connection(conn_rec *c)
return APR_SUCCESS; return APR_SUCCESS;
} }
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLConnRec *sslconn = myConnConfig(c);
/*
* Immediately stop processing if SSL is disabled for this connection
*/
if (!(sc && (sc->enabled == TRUE ||
(sslconn && sslconn->is_proxy))))
{
return DECLINED;
}
/*
* Create SSL context
*/
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
if (sslconn->disabled) {
return DECLINED;
}
/*
* Remember the connection information for
* later access inside callback functions
*/
ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
"Connection to child %ld established "
"(server %s, client %s)", c->id, sc->vhost_id,
c->remote_ip ? c->remote_ip : "unknown");
return ssl_init_ssl_connection(c);
}
static apr_status_t ssl_abort(SSLFilterRec *filter, conn_rec *c) static apr_status_t ssl_abort(SSLFilterRec *filter, conn_rec *c)
{ {
SSLConnRec *sslconn = myConnConfig(c); SSLConnRec *sslconn = myConnConfig(c);
@@ -584,15 +572,6 @@ static apr_port_t ssl_hook_default_port(const request_rec *r)
return 443; return 443;
} }
static void ssl_hook_Insert_Filter(request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->enabled == UNSET) {
ap_add_output_filter("UPGRADE_FILTER", NULL, r, r->connection);
}
}
/* /*
* the module registration phase * the module registration phase
*/ */
@@ -613,8 +592,6 @@ static void ssl_register_hooks(apr_pool_t *p)
ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE); ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE); ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE); ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE);
/* ap_hook_handler (ssl_hook_Upgrade, NULL,NULL, APR_HOOK_MIDDLE); */
ssl_var_register(); ssl_var_register();

5
modules/ssl/mod_ssl.h
View File

@@ -549,7 +549,7 @@ const char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
@@ -601,7 +601,6 @@ int ssl_hook_Access(request_rec *);
int ssl_hook_Fixup(request_rec *); int ssl_hook_Fixup(request_rec *);
int ssl_hook_ReadReq(request_rec *); int ssl_hook_ReadReq(request_rec *);
int ssl_hook_Handler(request_rec *); int ssl_hook_Handler(request_rec *);
int ssl_hook_Upgrade(request_rec *);
/* OpenSSL callbacks */ /* OpenSSL callbacks */
RSA *ssl_callback_TmpRSA(SSL *, int, int); RSA *ssl_callback_TmpRSA(SSL *, int, int);
@@ -723,8 +722,6 @@ ssl_algo_t ssl_util_algotypeof(X509 *, EVP_PKEY *);
char *ssl_util_algotypestr(ssl_algo_t); char *ssl_util_algotypestr(ssl_algo_t);
char *ssl_util_ptxtsub(apr_pool_t *, const char *, const char *, char *); char *ssl_util_ptxtsub(apr_pool_t *, const char *, const char *, char *);
void ssl_util_thread_setup(apr_pool_t *); void ssl_util_thread_setup(apr_pool_t *);
int ssl_init_ssl_connection(conn_rec *c);
#define APR_SHM_MAXSIZE (64 * 1024 * 1024) #define APR_SHM_MAXSIZE (64 * 1024 * 1024)
#endif /* __MOD_SSL_H__ */ #endif /* __MOD_SSL_H__ */

19
modules/ssl/ssl_engine_config.c
View File

@@ -205,7 +205,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc)); SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
sc->mc = NULL; sc->mc = NULL;
sc->enabled = FALSE; sc->enabled = UNSET;
sc->proxy_enabled = UNSET; sc->proxy_enabled = UNSET;
sc->vhost_id = NULL; /* set during module init */ sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */ sc->vhost_id_len = 0; /* set during module init */
@@ -581,24 +581,13 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
return NULL; return NULL;
} }
const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, int flag)
{ {
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
if (!strcasecmp(arg, "On")) { sc->enabled = flag ? TRUE : FALSE;
sc->enabled = TRUE;
return NULL;
}
else if (!strcasecmp(arg, "Off")) {
sc->enabled = FALSE;
return NULL;
}
else if (!strcasecmp(arg, "Optional")) {
sc->enabled = UNSET;
return NULL;
}
return "Argument must be On, Off, or Optional"; return NULL;
} }
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,

9
modules/ssl/ssl_engine_init.c
View File

@@ -247,13 +247,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->vhost_id = ssl_util_vhostid(p, s); sc->vhost_id = ssl_util_vhostid(p, s);
sc->vhost_id_len = strlen(sc->vhost_id); sc->vhost_id_len = strlen(sc->vhost_id);
#if 0
/* If sc->enabled is UNSET, then SSL is optional on this vhost */
/* Fix up stuff that may not have been set */ /* Fix up stuff that may not have been set */
if (sc->enabled == UNSET) { if (sc->enabled == UNSET) {
sc->enabled = FALSE; sc->enabled = FALSE;
} }
#endif
if (sc->proxy_enabled == UNSET) { if (sc->proxy_enabled == UNSET) {
sc->proxy_enabled = FALSE; sc->proxy_enabled = FALSE;
} }
@@ -983,9 +981,6 @@ void ssl_init_ConfigureServer(server_rec *s,
apr_pool_t *ptemp, apr_pool_t *ptemp,
SSLSrvConfigRec *sc) SSLSrvConfigRec *sc)
{ {
/* A bit of a hack, but initialize the server if SSL is optional or
* not.
*/
if (sc->enabled) { if (sc->enabled) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Configuring server for SSL protocol"); "Configuring server for SSL protocol");
@@ -1014,7 +1009,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
for (s = base_server; s; s = s->next) { for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s); sc = mySrvConfig(s);
if ((sc->enabled == TRUE) && (s->port == DEFAULT_HTTP_PORT)) { if (sc->enabled && (s->port == DEFAULT_HTTP_PORT)) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
base_server, base_server,
"Init: (%s) You configured HTTPS(%d) " "Init: (%s) You configured HTTPS(%d) "

84
modules/ssl/ssl_engine_io.c
View File

@@ -577,85 +577,6 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
return APR_SUCCESS; return APR_SUCCESS;
} }
static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,
apr_bucket_brigade *bb)
{
#define SWITCH_STATUS_LINE "101 Switching Protocols"
#define UPGRADE_HEADER "Upgrade: TLS/1.0 HTTP/1.1"
#define CONNECTION_HEADER "Conenction: Upgrade"
const char *upgrade;
const char *connection;
apr_bucket_brigade *upgradebb;
request_rec *r = f->r;
SSLConnRec *sslconn;
SSL *ssl;
/* Just remove the filter, if it doesn't work the first time, it won't
* work at all for this request.
*/
ap_remove_output_filter(f);
/* No need to ensure that this is a server with optional SSL, the filter
* is only inserted if that is true.
*/
upgrade = apr_table_get(r->headers_in, "Upgrade");
if (upgrade == NULL) {
return ap_pass_brigade(f->next, bb);
}
connection = apr_table_get(r->headers_in, "Connection");
apr_table_unset(r->headers_out, "Upgrade");
if (strcmp(connection, "Upgrade") || strcmp(upgrade, "TLS/1.0")) {
return ap_pass_brigade(f->next, bb);
}
if (r->method_number == M_OPTIONS) {
apr_bucket *b = NULL;
/* This is a mandatory SSL upgrade. */
upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc);
ap_fputstrs(f->next, upgradebb, SWITCH_STATUS_LINE, CRLF,
UPGRADE_HEADER, CRLF, CONNECTION_HEADER, CRLF, CRLF, NULL);
b = apr_bucket_flush_create(f->c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(upgradebb, b);
ap_pass_brigade(f->next, upgradebb);
}
else {
/* This is optional, and should be configurable, for now don't bother
* doing anything.
*/
return ap_pass_brigade(f->next, bb);
}
ssl_init_ssl_connection(f->c);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
"Awaiting re-negotiation handshake");
sslconn = myConnConfig(f->c);
ssl = sslconn->ssl;
SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"Re-negotiation handshake failed: "
"Not accepted by client!?");
return AP_FILTER_ERROR;
}
return OK;
}
static apr_status_t ssl_io_filter_Output(ap_filter_t *f, static apr_status_t ssl_io_filter_Output(ap_filter_t *f,
apr_bucket_brigade *bb) apr_bucket_brigade *bb)
{ {
@@ -1022,11 +943,6 @@ void ssl_io_filter_init(conn_rec *c, SSL *ssl)
void ssl_io_filter_register(apr_pool_t *p) void ssl_io_filter_register(apr_pool_t *p)
{ {
/* This filter MUST be after the HTTP_HEADER filter, but it also must be
* a resource-level filter so it has the request_rec.
*/
ap_register_output_filter ("UPGRADE_FILTER", ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5);
ap_register_input_filter (ssl_io_filter, ssl_io_filter_Input, NULL, AP_FTYPE_CONNECTION + 5); ap_register_input_filter (ssl_io_filter, ssl_io_filter_Input, NULL, AP_FTYPE_CONNECTION + 5);
ap_register_output_filter (ssl_io_filter, ssl_io_filter_Output, NULL, AP_FTYPE_CONNECTION + 5); ap_register_output_filter (ssl_io_filter, ssl_io_filter_Output, NULL, AP_FTYPE_CONNECTION + 5);
return; return;

14
modules/ssl/ssl_engine_kernel.c
View File

@@ -322,16 +322,6 @@ int ssl_hook_Access(request_rec *r)
* Support for SSLRequireSSL directive * Support for SSLRequireSSL directive
*/ */
if (dc->bSSLRequired && !ssl) { if (dc->bSSLRequired && !ssl) {
if (sc->enabled == UNSET) {
/* This vhost was configured for optional SSL, just tell the
* client that we need to upgrade.
*/
apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
return HTTP_UPGRADE_REQUIRED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"access to %s failed, reason: %s", "access to %s failed, reason: %s",
r->filename, "SSL connection required"); r->filename, "SSL connection required");
@@ -1120,10 +1110,6 @@ int ssl_hook_Fixup(request_rec *r)
SSL *ssl; SSL *ssl;
int i; int i;
if (sc->enabled == UNSET) {
apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
}
/* /*
* Check to see if SSL is on * Check to see if SSL is on
*/ */

2
modules/ssl/ssl_util.c
View File

@@ -84,7 +84,7 @@ char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
port = s->port; port = s->port;
else { else {
sc = mySrvConfig(s); sc = mySrvConfig(s);
if (sc->enabled == TRUE) if (sc->enabled)
port = DEFAULT_HTTPS_PORT; port = DEFAULT_HTTPS_PORT;
else else
port = DEFAULT_HTTP_PORT; port = DEFAULT_HTTP_PORT;