Changed ap_ssl_answer_challenge() and its hook to provide PEM data for

certificate and key instead of file names. Added support for this in mod_ssl and verified with a local mod_md version that uses it. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887151 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2021-03-03 15:52:18 +00:00
parent 33af74c29f
commit 6951408220
7 changed files with 111 additions and 52 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2317,33 +2317,32 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)

 static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
                                        SSL *ssl, X509 *cert, EVP_PKEY *key,
-                                        const char *cert_file, const char *key_file)
+                                        const char *cert_pem, const char *key_pem)
 {
    SSLConnRec *sslcon = myConnConfig(c);
+    apr_status_t rv = APR_SUCCESS;
+    int our_data = 0;
    
    sslcon->service_unavailable = 1;
-    if (cert_file) {
-        if (SSL_use_certificate_file(ssl, cert_file, SSL_FILETYPE_PEM) < 1) {
-            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10264)
-                          "Failed to configure challenge certificate %s",
+    if (cert_pem) {
+        cert = NULL;
+        key = NULL;
+        our_data = 1;
+        
+        rv = modssl_read_cert(c->pool, cert_pem, key_pem, NULL, NULL, &cert, &key);
+        if (rv != APR_SUCCESS) {
+            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
+                          "Failed to parse PEM of challenge certificate %s",
                          servername);
-            return APR_EGENERAL;
+            goto cleanup;
        }
-        if (key_file == NULL) key_file = cert_file;
-        if (SSL_use_PrivateKey_file(ssl, key_file, SSL_FILETYPE_PEM) < 1) {
-            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10265)
-                          "Failed to configure challenge private key %s",
-                          servername);
-            return APR_EGENERAL;
-        }
-        goto check;
    }
    
    if ((SSL_use_certificate(ssl, cert) < 1)) {
        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
                      "Failed to configure challenge certificate %s",
                      servername);
-        return APR_EGENERAL;
+        rv = APR_EGENERAL; goto cleanup;
    }
    
    if (!SSL_use_PrivateKey(ssl, key)) {
@@ -2351,16 +2350,19 @@ static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
                      "error '%s' using Challenge key: %s",
                      ERR_error_string(ERR_peek_last_error(), NULL), 
                      servername);
-        return APR_EGENERAL;
+        rv = APR_EGENERAL; goto cleanup;
    }
    
-check:
    if (SSL_check_private_key(ssl) < 1) {
        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
                      "Challenge certificate and private key %s "
                      "do not match", servername);
-        return APR_EGENERAL;
+        rv = APR_EGENERAL; goto cleanup;
    }
+    
+cleanup:
+    if (our_data && cert) X509_free(cert);
+    if (our_data && key) EVP_PKEY_free(key);
    return APR_SUCCESS;
 }
  
@@ -2370,10 +2372,6 @@ check:
 */
 static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
 {
-    X509 *cert;
-    EVP_PKEY *key;
-    const char *cert_file, *key_file;
-    
    if (c) {
        SSLConnRec *sslcon = myConnConfig(c);

@@ -2396,16 +2394,6 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
                sslcon->vhost_found = +1;
                return APR_SUCCESS;
            }
-            else if (ssl_is_challenge(c, servername, &cert, &key, &cert_file, &key_file)) {
-                /* With ACMEv1 we can have challenge connections to a unknown domains
-                 * that need to be answered with a special certificate and will
-                 * otherwise not answer any requests. */
-                if (set_challenge_creds(c, servername, ssl, cert, key, 
-                                        cert_file, key_file) != APR_SUCCESS) {
-                    return APR_EGENERAL;
-                }
-                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
-            }
            else {
                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
                              "No matching SSL virtual host for servername "
@@ -2792,11 +2780,11 @@ int ssl_callback_alpn_select(SSL *ssl,
            const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
            X509 *cert;
            EVP_PKEY *key;
-            const char *cert_file, *key_file;
+            const char *cert_pem, *key_pem;

-            if (ssl_is_challenge(c, servername, &cert, &key, &cert_file, &key_file)) {
+            if (ssl_is_challenge(c, servername, &cert, &key, &cert_pem, &key_pem)) {
                if (set_challenge_creds(c, servername, ssl, cert, key, 
-                                        cert_file, key_file) != APR_SUCCESS) {
+                                        cert_pem, key_pem) != APR_SUCCESS) {
                    return SSL_TLSEXT_ERR_ALERT_FATAL;
                }
                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);