From b77cd8dfdedc2460dfca460b7d4335f88c43fe82 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Thu, 7 May 2020 15:34:04 +0000 Subject: [PATCH] mod_ssl: Update the ssl_var_lookup() API: a) constify return value and variable name passed-in b) require that pool argument is non-NULL c) add gcc warning attributes for NULL arguments or ignored result. This allows removal of inefficient internal duplication of constant strings which was necessary only to allow non-const char *, and removal of unsafe casts to/from const in various places. * modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Assume pool is non-NULL; return constant and remove apr_pstrdup of constant result string. Also constify variable name. (ssl_var_lookup_*): Update to return const char * and avoid duplication where now possible. * modules/ssl/mod_ssl.h: Update ssl_var_lookup() optional function API description and add GCC warning attributes as per private API. * modules/ssl/ssl_engine_init.c (ssl_add_version_components): Adjust for const return value. * modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Pass c->pool to ssl_var_lookup. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass r->pool to ssl_var_lookup, expect const return and dup the string since r->user is char *. (log_tracing_state): Pass c->pool to ssl_var_lookup. * modules/http2/h2_h2.c (h2_is_acceptable_connection): Assume return value of ssl_var_lookup is const. Github: closes #120 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877475 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 + modules/http2/h2_h2.c | 2 +- modules/ssl/mod_ssl.h | 12 ++- modules/ssl/ssl_engine_init.c | 10 +- modules/ssl/ssl_engine_io.c | 2 +- modules/ssl/ssl_engine_kernel.c | 18 ++-- modules/ssl/ssl_engine_vars.c | 175 +++++++++++++------------------- modules/ssl/ssl_private.h | 8 +- 8 files changed, 103 insertions(+), 128 deletions(-) diff --git a/CHANGES b/CHANGES index 7250cdab2e..c6d70951a1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: The "ssl_var_lookup" optional function API now takes a + const char *name argument and returns a const char * string + value. The pool argument must now be non-NULL. [Joe Orton] + *) mod_ssl: With OpenSSL 1.1.1 and later, SSLRandomSeed is now ignored. OpenSSL must be configured with a suitable entropy source, or mod_ssl will fail to start up. [Joe Orton] diff --git a/modules/http2/h2_h2.c b/modules/http2/h2_h2.c index 1b69fe3502..f0350544ab 100644 --- a/modules/http2/h2_h2.c +++ b/modules/http2/h2_h2.c @@ -473,7 +473,7 @@ int h2_is_acceptable_connection(conn_rec *c, request_rec *r, int require_all) */ apr_pool_t *pool = c->pool; server_rec *s = c->base_server; - char *val; + const char *val; if (!opt_ssl_var_lookup) { /* unable to check */ diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h index a8f555c61b..d16ce25375 100644 --- a/modules/ssl/mod_ssl.h +++ b/modules/ssl/mod_ssl.h @@ -53,11 +53,13 @@ #endif /** The ssl_var_lookup() optional function retrieves SSL environment - * variables. */ -APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup, - (apr_pool_t *, server_rec *, - conn_rec *, request_rec *, - char *)); + * variables. The pool in which to allocate the return value must be + * non-NULL since httpd 2.5.1. c and/or r may be NULL. */ +APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup, + (apr_pool_t *p, server_rec *s, + conn_rec *c, request_rec *r, + const char *name)) + AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT; /** The ssl_ext_list() optional function attempts to build an array * of all the values contained in the named X.509 extension. The diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e3209f3e97..2bd0502fbb 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -176,10 +176,12 @@ DH *modssl_get_dh_params(unsigned keylen) static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, server_rec *s) { - char *modver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_INTERFACE"); - char *libver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_LIBRARY"); - char *incver = ssl_var_lookup(ptemp, s, NULL, NULL, - "SSL_VERSION_LIBRARY_INTERFACE"); + const char *modver = ssl_var_lookup(ptemp, s, NULL, NULL, + "SSL_VERSION_INTERFACE"); + const char *libver = ssl_var_lookup(ptemp, s, NULL, NULL, + "SSL_VERSION_LIBRARY"); + const char *incver = ssl_var_lookup(ptemp, s, NULL, NULL, + "SSL_VERSION_LIBRARY_INTERFACE"); ap_add_version_component(pconf, libver); diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 8e44413031..91aebb2029 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -1365,7 +1365,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) const char *hostname; int match = 0; - hostname = ssl_var_lookup(NULL, server, c, NULL, + hostname = ssl_var_lookup(c->pool, server, c, NULL, "SSL_CLIENT_S_DN_CN"); /* Do string match or simplest wildcard match if that diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 81a4513d67..924fe77b64 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1291,10 +1291,10 @@ int ssl_hook_Access(request_rec *r) * we need to postpone setting the username until later. */ if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) { - char *val = ssl_var_lookup(r->pool, r->server, r->connection, - r, (char *)dc->szUserName); + const char *val = ssl_var_lookup(r->pool, r->server, r->connection, + r, dc->szUserName); if (val && val[0]) - r->user = val; + r->user = apr_pstrdup(r->pool, val); else ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02227) "Failed to set r->user to '%s'", dc->szUserName); @@ -1542,7 +1542,7 @@ int ssl_hook_Fixup(request_rec *r) { SSLDirConfigRec *dc = myDirConfig(r); apr_table_t *env = r->subprocess_env; - char *var, *val = ""; + const char *var, *val = ""; #ifdef HAVE_TLSEXT const char *servername; #endif @@ -1575,7 +1575,7 @@ int ssl_hook_Fixup(request_rec *r) modssl_var_extract_san_entries(env, ssl, r->pool); for (i = 0; ssl_hook_Fixup_vars[i]; i++) { - var = (char *)ssl_hook_Fixup_vars[i]; + var = ssl_hook_Fixup_vars[i]; val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); if (!strIsEmpty(val)) { apr_table_setn(env, var, val); @@ -2254,10 +2254,10 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c, if (where & SSL_CB_HANDSHAKE_DONE) { ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02041) "Protocol: %s, Cipher: %s (%s/%s bits)", - ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"), - ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"), - ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"), - ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE")); + ssl_var_lookup(c->pool, s, c, NULL, "SSL_PROTOCOL"), + ssl_var_lookup(c->pool, s, c, NULL, "SSL_CIPHER"), + ssl_var_lookup(c->pool, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"), + ssl_var_lookup(c->pool, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE")); } } diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 249434a810..0583481f23 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -39,21 +39,21 @@ ** _________________________________________________________________ */ -static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, char *var); -static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var); -static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var); -static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var); -static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); -static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); -static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); -static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); -static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); -static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); -static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, const SSLConnRec *sslconn); -static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, const SSLConnRec *sslconn, char *var); +static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, const char *var); +static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var); +static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var); +static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var); +static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); +static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); +static const char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); +static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var); +static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); +static const char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); +static const char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, const SSLConnRec *sslconn); +static const char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, const SSLConnRec *sslconn, const char *var); static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); -static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); -static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); +static const char *ssl_var_lookup_ssl_version(const char *var); +static const char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); static const SSLConnRec *ssl_get_effective_config(conn_rec *c) { @@ -162,7 +162,7 @@ static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx, static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data) { - char *var = (char *)data; + const char *var = data; const SSLConnRec *sslconn = ssl_get_effective_config(ctx->c); return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL; @@ -171,7 +171,7 @@ static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data) static const char *expr_func_fn(ap_expr_eval_ctx_t *ctx, const void *data, const char *arg) { - char *var = (char *)arg; + const char *var = arg; return var ? ssl_var_lookup(ctx->p, ctx->s, ctx->c, ctx->r, var) : NULL; } @@ -239,29 +239,13 @@ void ssl_var_register(apr_pool_t *p) } /* This function must remain safe to use for a non-SSL connection. */ -char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) +const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, + conn_rec *c, request_rec *r, + const char *var) { - const char *result; - BOOL resdup; + const char *result = NULL; apr_time_exp_t tm; - result = NULL; - resdup = TRUE; - - AP_DEBUG_ASSERT(s); - - /* - * When no pool is given try to find one - */ - if (p == NULL) { - if (r != NULL) - p = r->pool; - else if (c != NULL) - p = c->pool; - else - p = s->process->pool; - } - /* * Request dependent stuff */ @@ -367,23 +351,20 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, */ if (result == NULL) { if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) - result = ssl_var_lookup_ssl_version(p, var+12); + result = ssl_var_lookup_ssl_version(var+12); else if (strcEQ(var, "SERVER_SOFTWARE")) result = ap_get_server_banner(); else if (strcEQ(var, "API_VERSION")) { result = apr_itoa(p, MODULE_MAGIC_NUMBER_MAJOR); - resdup = FALSE; } else if (strcEQ(var, "TIME_YEAR")) { apr_time_exp_lt(&tm, apr_time_now()); result = apr_psprintf(p, "%02d%02d", (tm.tm_year / 100) + 19, tm.tm_year % 100); - resdup = FALSE; } #define MKTIMESTR(format, tmfield) \ apr_time_exp_lt(&tm, apr_time_now()); \ - result = apr_psprintf(p, format, tm.tmfield); \ - resdup = FALSE; + result = apr_psprintf(p, format, tm.tmfield); else if (strcEQ(var, "TIME_MON")) { MKTIMESTR("%02d", tm_mon+1) } @@ -408,7 +389,6 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, "%02d%02d%02d%02d%02d%02d%02d", (tm.tm_year / 100) + 19, (tm.tm_year % 100), tm.tm_mon+1, tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec); - resdup = FALSE; } /* all other env-variables from the parent Apache process */ else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) { @@ -416,17 +396,13 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, } } - if (result != NULL && resdup) - result = apr_pstrdup(p, result); - if (result == NULL) - result = ""; - return (char *)result; + return result ? result : ""; } -static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, - request_rec *r, char *var) +static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, + request_rec *r, const char *var) { - char *result; + const char *result; X509 *xs; STACK_OF(X509) *sk; SSL *ssl; @@ -435,10 +411,10 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, ssl = sslconn->ssl; if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) { - result = ssl_var_lookup_ssl_version(p, var+8); + result = ssl_var_lookup_ssl_version(var+8); } else if (ssl != NULL && strcEQ(var, "PROTOCOL")) { - result = (char *)SSL_get_version(ssl); + result = SSL_get_version(ssl); } else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { char buf[MODSSL_SESSION_ID_STRING_LEN]; @@ -505,7 +481,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, #ifdef SSL_get_secure_renegotiation_support flag = SSL_get_secure_renegotiation_support(ssl); #endif - result = apr_pstrdup(p, flag ? "true" : "false"); + result = flag ? "true" : "false"; } #ifdef HAVE_SRP else if (ssl != NULL && strcEQ(var, "SRP_USER")) { @@ -523,7 +499,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, return result; } -static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, +static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, X509_NAME *xsname) { char *result = NULL; @@ -551,20 +527,17 @@ static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, return result; } -static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, - char *var) +static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, + const char *var) { - char *result; - BOOL resdup; + const char *result; X509_NAME *xsname; int nid; result = NULL; - resdup = TRUE; if (strcEQ(var, "M_VERSION")) { result = apr_psprintf(p, "%lu", X509_get_version(xs)+1); - resdup = FALSE; } else if (strcEQ(var, "M_SERIAL")) { result = ssl_var_lookup_ssl_cert_serial(p, xs); @@ -577,7 +550,6 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, } else if (strcEQ(var, "V_REMAIN")) { result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs)); - resdup = FALSE; } else if (*var && strcEQ(var+1, "_DN")) { if (*var == 'S') @@ -587,7 +559,6 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, else return NULL; result = ssl_var_lookup_ssl_cert_dn_oneline(p, r, xsname); - resdup = FALSE; } else if (strlen(var) > 5 && strcEQn(var+1, "_DN_", 4)) { if (*var == 'S') @@ -597,11 +568,9 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, else return NULL; result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5); - resdup = FALSE; } else if (strlen(var) > 4 && strcEQn(var, "SAN_", 4)) { result = ssl_var_lookup_ssl_cert_san(p, xs, var+4); - resdup = FALSE; } else if (strcEQ(var, "A_SIG")) { #if MODSSL_USE_OPENSSL_PRE_1_1_API @@ -611,9 +580,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs)); nid = OBJ_obj2nid(paobj); #endif - result = apr_pstrdup(p, - (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); - resdup = FALSE; + result = (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid); } else if (strcEQ(var, "A_KEY")) { #if OPENSSL_VERSION_NUMBER < 0x10100000L @@ -623,16 +590,12 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs)); nid = OBJ_obj2nid(paobj); #endif - result = apr_pstrdup(p, - (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); - resdup = FALSE; + result = (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid); } else if (strcEQ(var, "CERT")) { result = ssl_var_lookup_ssl_cert_PEM(p, xs); } - if (resdup) - result = apr_pstrdup(p, result); return result; } @@ -640,7 +603,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, * extracted to for the SSL_{CLIENT,SERVER}_{I,S}_DN_* environment * variables. */ static const struct { - char *name; + const char *name; int nid; int extract; } ssl_var_lookup_ssl_cert_dn_rec[] = { @@ -663,11 +626,11 @@ static const struct { { NULL, 0, 0 } }; -static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, +static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var) { const char *ptr; - char *result; + const char *result; X509_NAME_ENTRY *xsne; int i, j, n, idx = 0, raw = 0; apr_size_t varlen; @@ -708,7 +671,7 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, return result; } -static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var) +static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var) { int type, numlen; const char *onf = NULL; @@ -751,7 +714,7 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var) return NULL; } -static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) +static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) { BIO* bio; @@ -766,7 +729,7 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) /* Return a string giving the number of days remaining until 'tm', or * "0" if this can't be determined. */ -static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) +static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) { apr_time_t then, now = apr_time_now(); apr_time_exp_t exp = {0}; @@ -779,7 +742,7 @@ static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) if ((tm->type == V_ASN1_UTCTIME && tm->length < 11) || (tm->type == V_ASN1_GENERALIZEDTIME && tm->length < 13) || !ASN1_TIME_check(tm)) { - return apr_pstrdup(p, "0"); + return "0"; } if (tm->type == V_ASN1_UTCTIME) { @@ -798,15 +761,15 @@ static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) exp.tm_sec = DIGIT2NUM(dp + 8); if (apr_time_exp_gmt_get(&then, &exp) != APR_SUCCESS) { - return apr_pstrdup(p, "0"); + return "0"; } diff = (long)((apr_time_sec(then) - apr_time_sec(now)) / (60*60*24)); - return diff > 0 ? apr_ltoa(p, diff) : apr_pstrdup(p, "0"); + return diff > 0 ? apr_ltoa(p, diff) : "0"; } -static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs) +static const char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs) { BIO *bio; @@ -817,9 +780,9 @@ static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs) return modssl_bio_free_read(p, bio); } -static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var) +static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var) { - char *result; + const char *result; X509 *xs; int n; @@ -836,7 +799,7 @@ static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, ch return result; } -static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) +static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) { char *result; X509 *xs; @@ -867,7 +830,7 @@ static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) return result; } -static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs) +static const char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs) { BIO *bio; @@ -878,8 +841,8 @@ static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs) return modssl_bio_free_read(p, bio); } -static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, - const SSLConnRec *sslconn) +static const char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, + const SSLConnRec *sslconn) { char *result; long vrc; @@ -914,37 +877,35 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, return result; } -static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, - const SSLConnRec *sslconn, char *var) +static const char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, + const SSLConnRec *sslconn, + const char *var) { - char *result; - BOOL resdup; + const char *result; int usekeysize, algkeysize; SSL *ssl; result = NULL; - resdup = TRUE; ssl = sslconn->ssl; ssl_var_lookup_ssl_cipher_bits(ssl, &usekeysize, &algkeysize); if (ssl && strEQ(var, "")) { MODSSL_SSL_CIPHER_CONST SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); - result = (cipher != NULL ? (char *)SSL_CIPHER_get_name(cipher) : NULL); + + if (cipher) { + result = apr_pstrdup(p, SSL_CIPHER_get_name(cipher)); + } } else if (strcEQ(var, "_EXPORT")) result = (usekeysize < 56 ? "true" : "false"); else if (strcEQ(var, "_USEKEYSIZE")) { result = apr_itoa(p, usekeysize); - resdup = FALSE; } else if (strcEQ(var, "_ALGKEYSIZE")) { result = apr_itoa(p, algkeysize); - resdup = FALSE; } - if (result != NULL && resdup) - result = apr_pstrdup(p, result); return result; } @@ -960,16 +921,16 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke return; } -static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var) +static const char *ssl_var_lookup_ssl_version(const char *var) { if (strEQ(var, "INTERFACE")) { - return apr_pstrdup(p, var_interface); + return var_interface; } else if (strEQ(var, "LIBRARY_INTERFACE")) { - return apr_pstrdup(p, var_library_interface); + return var_library_interface; } else if (strEQ(var, "LIBRARY")) { - return apr_pstrdup(p, var_library); + return var_library; } return NULL; } @@ -1202,9 +1163,9 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, return array; } -static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) +static const char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) { - char *result = "NULL"; + const char *result = "NULL"; #ifndef OPENSSL_NO_COMP SSL_SESSION *pSession = SSL_get_session(ssl); @@ -1272,7 +1233,7 @@ void ssl_var_log_config_register(apr_pool_t *p) static const char *ssl_var_log_handler_c(request_rec *r, char *a) { const SSLConnRec *sslconn = ssl_get_effective_config(r->connection); - char *result; + const char *result; if (sslconn == NULL || sslconn->ssl == NULL) return NULL; @@ -1288,7 +1249,7 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a) else if (strEQ(a, "errcode")) result = "-"; else if (strEQ(a, "errstr")) - result = (char *)sslconn->verify_error; + result = sslconn->verify_error; if (result != NULL && result[0] == NUL) result = NULL; return result; @@ -1300,7 +1261,7 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a) */ static const char *ssl_var_log_handler_x(request_rec *r, char *a) { - char *result; + const char *result; result = ssl_var_lookup(r->pool, r->server, r->connection, r, a); if (result != NULL && result[0] == NUL) diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index d7d71ec26a..e7df7b4d88 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -1107,7 +1107,13 @@ void ssl_log_rxerror(const char *file, int line, int level, /* Register variables for the lifetime of the process pool 'p'. */ void ssl_var_register(apr_pool_t *p); -char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); + +/* Matches optional function of the same name in the public API. The + * pool in which to allocate the return value must be non-NULL; c + * and/or r may be NULL. */ +const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, + const char *name) + AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT; apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension); void ssl_var_log_config_register(apr_pool_t *p);