www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

mod_ssl: Update the ssl_var_lookup() API:

Browse Source 
a) constify return value and variable name passed-in
b) require that pool argument is non-NULL
c) add gcc warning attributes for NULL arguments or ignored result.

This allows removal of inefficient internal duplication of constant
strings which was necessary only to allow non-const char *, and
removal of unsafe casts to/from const in various places.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Assume pool is
  non-NULL; return constant and remove apr_pstrdup of constant
  result string.  Also constify variable name.
  (ssl_var_lookup_*): Update to return const char * and avoid
  duplication where now possible.

* modules/ssl/mod_ssl.h: Update ssl_var_lookup() optional function
  API description and add GCC warning attributes as per private API.

* modules/ssl/ssl_engine_init.c (ssl_add_version_components): Adjust
  for const return value.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Pass c->pool
  to ssl_var_lookup.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass r->pool to
  ssl_var_lookup, expect const return and dup the string since r->user
  is char *.
  (log_tracing_state): Pass c->pool to ssl_var_lookup.

* modules/http2/h2_h2.c (h2_is_acceptable_connection): Assume
  return value of ssl_var_lookup is const.

Github: closes #120


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877475 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2020-05-07 15:34:04 +00:00
parent 8f55fe9f98
commit b77cd8dfde
8 changed files with 103 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
*) mod_ssl: The "ssl_var_lookup" optional function API now takes a
const char *name argument and returns a const char * string
value. The pool argument must now be non-NULL. [Joe Orton]
*) mod_ssl: With OpenSSL 1.1.1 and later, SSLRandomSeed is now
ignored. OpenSSL must be configured with a suitable entropy
source, or mod_ssl will fail to start up. [Joe Orton]

2
modules/http2/h2_h2.c
View File

@@ -473,7 +473,7 @@ int h2_is_acceptable_connection(conn_rec *c, request_rec *r, int require_all)
*/
apr_pool_t *pool = c->pool;
server_rec *s = c->base_server;
char *val;
const char *val;
if (!opt_ssl_var_lookup) {
/* unable to check */

12
modules/ssl/mod_ssl.h
View File

@@ -53,11 +53,13 @@
#endif
/** The ssl_var_lookup() optional function retrieves SSL environment
* variables. */
APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
(apr_pool_t *, server_rec *,
conn_rec *, request_rec *,
char *));
* variables. The pool in which to allocate the return value must be
* non-NULL since httpd 2.5.1. c and/or r may be NULL. */
APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup,
(apr_pool_t *p, server_rec *s,
conn_rec *c, request_rec *r,
const char *name))
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
/** The ssl_ext_list() optional function attempts to build an array
* of all the values contained in the named X.509 extension. The

10
modules/ssl/ssl_engine_init.c
View File

@@ -176,10 +176,12 @@ DH *modssl_get_dh_params(unsigned keylen)
static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
server_rec *s)
{
char *modver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_INTERFACE");
char *libver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_LIBRARY");
char *incver = ssl_var_lookup(ptemp, s, NULL, NULL,
"SSL_VERSION_LIBRARY_INTERFACE");
const char *modver = ssl_var_lookup(ptemp, s, NULL, NULL,
"SSL_VERSION_INTERFACE");
const char *libver = ssl_var_lookup(ptemp, s, NULL, NULL,
"SSL_VERSION_LIBRARY");
const char *incver = ssl_var_lookup(ptemp, s, NULL, NULL,
"SSL_VERSION_LIBRARY_INTERFACE");
ap_add_version_component(pconf, libver);

2
modules/ssl/ssl_engine_io.c
View File

@@ -1365,7 +1365,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
const char *hostname;
int match = 0;
hostname = ssl_var_lookup(NULL, server, c, NULL,
hostname = ssl_var_lookup(c->pool, server, c, NULL,
"SSL_CLIENT_S_DN_CN");
/* Do string match or simplest wildcard match if that

18
modules/ssl/ssl_engine_kernel.c
View File

@@ -1291,10 +1291,10 @@ int ssl_hook_Access(request_rec *r)
* we need to postpone setting the username until later.
*/
if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) {
char *val = ssl_var_lookup(r->pool, r->server, r->connection,
r, (char *)dc->szUserName);
const char *val = ssl_var_lookup(r->pool, r->server, r->connection,
r, dc->szUserName);
if (val && val[0])
r->user = val;
r->user = apr_pstrdup(r->pool, val);
else
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02227)
"Failed to set r->user to '%s'", dc->szUserName);
@@ -1542,7 +1542,7 @@ int ssl_hook_Fixup(request_rec *r)
{
SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *env = r->subprocess_env;
char *var, *val = "";
const char *var, *val = "";
#ifdef HAVE_TLSEXT
const char *servername;
#endif
@@ -1575,7 +1575,7 @@ int ssl_hook_Fixup(request_rec *r)
modssl_var_extract_san_entries(env, ssl, r->pool);
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
var = ssl_hook_Fixup_vars[i];
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
if (!strIsEmpty(val)) {
apr_table_setn(env, var, val);
@@ -2254,10 +2254,10 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c,
if (where & SSL_CB_HANDSHAKE_DONE) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02041)
"Protocol: %s, Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
ssl_var_lookup(c->pool, s, c, NULL, "SSL_PROTOCOL"),
ssl_var_lookup(c->pool, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(c->pool, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(c->pool, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
}
}

175
modules/ssl/ssl_engine_vars.c
View File

@@ -39,21 +39,21 @@
** _________________________________________________________________
*/
static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, char *var);
static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var);
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, const SSLConnRec *sslconn);
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, const SSLConnRec *sslconn, char *var);
static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, request_rec *r, const char *var);
static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, const char *var);
static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, const char *var);
static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var);
static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
static const char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var);
static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
static const char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
static const char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, const SSLConnRec *sslconn);
static const char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, const SSLConnRec *sslconn, const char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
static const char *ssl_var_lookup_ssl_version(const char *var);
static const char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
static const SSLConnRec *ssl_get_effective_config(conn_rec *c)
{
@@ -162,7 +162,7 @@ static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx,
static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
{
char *var = (char *)data;
const char *var = data;
const SSLConnRec *sslconn = ssl_get_effective_config(ctx->c);
return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL;
@@ -171,7 +171,7 @@ static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
static const char *expr_func_fn(ap_expr_eval_ctx_t *ctx, const void *data,
const char *arg)
{
char *var = (char *)arg;
const char *var = arg;
return var ? ssl_var_lookup(ctx->p, ctx->s, ctx->c, ctx->r, var) : NULL;
}
@@ -239,29 +239,13 @@ void ssl_var_register(apr_pool_t *p)
}
/* This function must remain safe to use for a non-SSL connection. */
char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
const char *ssl_var_lookup(apr_pool_t *p, server_rec *s,
conn_rec *c, request_rec *r,
const char *var)
{
const char *result;
BOOL resdup;
const char *result = NULL;
apr_time_exp_t tm;
result = NULL;
resdup = TRUE;
AP_DEBUG_ASSERT(s);
/*
* When no pool is given try to find one
*/
if (p == NULL) {
if (r != NULL)
p = r->pool;
else if (c != NULL)
p = c->pool;
else
p = s->process->pool;
}
/*
* Request dependent stuff
*/
@@ -367,23 +351,20 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
*/
if (result == NULL) {
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
result = ssl_var_lookup_ssl_version(p, var+12);
result = ssl_var_lookup_ssl_version(var+12);
else if (strcEQ(var, "SERVER_SOFTWARE"))
result = ap_get_server_banner();
else if (strcEQ(var, "API_VERSION")) {
result = apr_itoa(p, MODULE_MAGIC_NUMBER_MAJOR);
resdup = FALSE;
}
else if (strcEQ(var, "TIME_YEAR")) {
apr_time_exp_lt(&tm, apr_time_now());
result = apr_psprintf(p, "%02d%02d",
(tm.tm_year / 100) + 19, tm.tm_year % 100);
resdup = FALSE;
}
#define MKTIMESTR(format, tmfield) \
apr_time_exp_lt(&tm, apr_time_now()); \
result = apr_psprintf(p, format, tm.tmfield); \
resdup = FALSE;
result = apr_psprintf(p, format, tm.tmfield);
else if (strcEQ(var, "TIME_MON")) {
MKTIMESTR("%02d", tm_mon+1)
}
@@ -408,7 +389,6 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
"%02d%02d%02d%02d%02d%02d%02d", (tm.tm_year / 100) + 19,
(tm.tm_year % 100), tm.tm_mon+1, tm.tm_mday,
tm.tm_hour, tm.tm_min, tm.tm_sec);
resdup = FALSE;
}
/* all other env-variables from the parent Apache process */
else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) {
@@ -416,17 +396,13 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
}
}
if (result != NULL && resdup)
result = apr_pstrdup(p, result);
if (result == NULL)
result = "";
return (char *)result;
return result ? result : "";
}
static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
request_rec *r, char *var)
static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
request_rec *r, const char *var)
{
char *result;
const char *result;
X509 *xs;
STACK_OF(X509) *sk;
SSL *ssl;
@@ -435,10 +411,10 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
ssl = sslconn->ssl;
if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
result = ssl_var_lookup_ssl_version(p, var+8);
result = ssl_var_lookup_ssl_version(var+8);
}
else if (ssl != NULL && strcEQ(var, "PROTOCOL")) {
result = (char *)SSL_get_version(ssl);
result = SSL_get_version(ssl);
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
char buf[MODSSL_SESSION_ID_STRING_LEN];
@@ -505,7 +481,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
#ifdef SSL_get_secure_renegotiation_support
flag = SSL_get_secure_renegotiation_support(ssl);
#endif
result = apr_pstrdup(p, flag ? "true" : "false");
result = flag ? "true" : "false";
}
#ifdef HAVE_SRP
else if (ssl != NULL && strcEQ(var, "SRP_USER")) {
@@ -523,7 +499,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn,
return result;
}
static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
static const char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
X509_NAME *xsname)
{
char *result = NULL;
@@ -551,20 +527,17 @@ static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
return result;
}
static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
char *var)
static const char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
const char *var)
{
char *result;
BOOL resdup;
const char *result;
X509_NAME *xsname;
int nid;
result = NULL;
resdup = TRUE;
if (strcEQ(var, "M_VERSION")) {
result = apr_psprintf(p, "%lu", X509_get_version(xs)+1);
resdup = FALSE;
}
else if (strcEQ(var, "M_SERIAL")) {
result = ssl_var_lookup_ssl_cert_serial(p, xs);
@@ -577,7 +550,6 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
}
else if (strcEQ(var, "V_REMAIN")) {
result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
resdup = FALSE;
}
else if (*var && strcEQ(var+1, "_DN")) {
if (*var == 'S')
@@ -587,7 +559,6 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
else
return NULL;
result = ssl_var_lookup_ssl_cert_dn_oneline(p, r, xsname);
resdup = FALSE;
}
else if (strlen(var) > 5 && strcEQn(var+1, "_DN_", 4)) {
if (*var == 'S')
@@ -597,11 +568,9 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
else
return NULL;
result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
resdup = FALSE;
}
else if (strlen(var) > 4 && strcEQn(var, "SAN_", 4)) {
result = ssl_var_lookup_ssl_cert_san(p, xs, var+4);
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
#if MODSSL_USE_OPENSSL_PRE_1_1_API
@@ -611,9 +580,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs));
nid = OBJ_obj2nid(paobj);
#endif
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
result = (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid);
}
else if (strcEQ(var, "A_KEY")) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -623,16 +590,12 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs));
nid = OBJ_obj2nid(paobj);
#endif
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
result = (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid);
}
else if (strcEQ(var, "CERT")) {
result = ssl_var_lookup_ssl_cert_PEM(p, xs);
}
if (resdup)
result = apr_pstrdup(p, result);
return result;
}
@@ -640,7 +603,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
* extracted to for the SSL_{CLIENT,SERVER}_{I,S}_DN_* environment
* variables. */
static const struct {
char *name;
const char *name;
int nid;
int extract;
} ssl_var_lookup_ssl_cert_dn_rec[] = {
@@ -663,11 +626,11 @@ static const struct {
{ NULL, 0, 0 }
};
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname,
static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname,
const char *var)
{
const char *ptr;
char *result;
const char *result;
X509_NAME_ENTRY *xsne;
int i, j, n, idx = 0, raw = 0;
apr_size_t varlen;
@@ -708,7 +671,7 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname,
return result;
}
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
static const char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, const char *var)
{
int type, numlen;
const char *onf = NULL;
@@ -751,7 +714,7 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
return NULL;
}
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
{
BIO* bio;
@@ -766,7 +729,7 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
/* Return a string giving the number of days remaining until 'tm', or
* "0" if this can't be determined. */
static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
{
apr_time_t then, now = apr_time_now();
apr_time_exp_t exp = {0};
@@ -779,7 +742,7 @@ static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
if ((tm->type == V_ASN1_UTCTIME && tm->length < 11) ||
(tm->type == V_ASN1_GENERALIZEDTIME && tm->length < 13) ||
!ASN1_TIME_check(tm)) {
return apr_pstrdup(p, "0");
return "0";
}
if (tm->type == V_ASN1_UTCTIME) {
@@ -798,15 +761,15 @@ static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
exp.tm_sec = DIGIT2NUM(dp + 8);
if (apr_time_exp_gmt_get(&then, &exp) != APR_SUCCESS) {
return apr_pstrdup(p, "0");
return "0";
}
diff = (long)((apr_time_sec(then) - apr_time_sec(now)) / (60*60*24));
return diff > 0 ? apr_ltoa(p, diff) : apr_pstrdup(p, "0");
return diff > 0 ? apr_ltoa(p, diff) : "0";
}
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs)
static const char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs)
{
BIO *bio;
@@ -817,9 +780,9 @@ static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs)
return modssl_bio_free_read(p, bio);
}
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var)
static const char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, const char *var)
{
char *result;
const char *result;
X509 *xs;
int n;
@@ -836,7 +799,7 @@ static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, ch
return result;
}
static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
{
char *result;
X509 *xs;
@@ -867,7 +830,7 @@ static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
return result;
}
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
static const char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
{
BIO *bio;
@@ -878,8 +841,8 @@ static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
return modssl_bio_free_read(p, bio);
}
static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p,
const SSLConnRec *sslconn)
static const char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p,
const SSLConnRec *sslconn)
{
char *result;
long vrc;
@@ -914,37 +877,35 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p,
return result;
}
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p,
const SSLConnRec *sslconn, char *var)
static const char *ssl_var_lookup_ssl_cipher(apr_pool_t *p,
const SSLConnRec *sslconn,
const char *var)
{
char *result;
BOOL resdup;
const char *result;
int usekeysize, algkeysize;
SSL *ssl;
result = NULL;
resdup = TRUE;
ssl = sslconn->ssl;
ssl_var_lookup_ssl_cipher_bits(ssl, &usekeysize, &algkeysize);
if (ssl && strEQ(var, "")) {
MODSSL_SSL_CIPHER_CONST SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
result = (cipher != NULL ? (char *)SSL_CIPHER_get_name(cipher) : NULL);
if (cipher) {
result = apr_pstrdup(p, SSL_CIPHER_get_name(cipher));
}
}
else if (strcEQ(var, "_EXPORT"))
result = (usekeysize < 56 ? "true" : "false");
else if (strcEQ(var, "_USEKEYSIZE")) {
result = apr_itoa(p, usekeysize);
resdup = FALSE;
}
else if (strcEQ(var, "_ALGKEYSIZE")) {
result = apr_itoa(p, algkeysize);
resdup = FALSE;
}
if (result != NULL && resdup)
result = apr_pstrdup(p, result);
return result;
}
@@ -960,16 +921,16 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke
return;
}
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
static const char *ssl_var_lookup_ssl_version(const char *var)
{
if (strEQ(var, "INTERFACE")) {
return apr_pstrdup(p, var_interface);
return var_interface;
}
else if (strEQ(var, "LIBRARY_INTERFACE")) {
return apr_pstrdup(p, var_library_interface);
return var_library_interface;
}
else if (strEQ(var, "LIBRARY")) {
return apr_pstrdup(p, var_library);
return var_library;
}
return NULL;
}
@@ -1202,9 +1163,9 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
return array;
}
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
static const char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
{
char *result = "NULL";
const char *result = "NULL";
#ifndef OPENSSL_NO_COMP
SSL_SESSION *pSession = SSL_get_session(ssl);
@@ -1272,7 +1233,7 @@ void ssl_var_log_config_register(apr_pool_t *p)
static const char *ssl_var_log_handler_c(request_rec *r, char *a)
{
const SSLConnRec *sslconn = ssl_get_effective_config(r->connection);
char *result;
const char *result;
if (sslconn == NULL || sslconn->ssl == NULL)
return NULL;
@@ -1288,7 +1249,7 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a)
else if (strEQ(a, "errcode"))
result = "-";
else if (strEQ(a, "errstr"))
result = (char *)sslconn->verify_error;
result = sslconn->verify_error;
if (result != NULL && result[0] == NUL)
result = NULL;
return result;
@@ -1300,7 +1261,7 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a)
*/
static const char *ssl_var_log_handler_x(request_rec *r, char *a)
{
char *result;
const char *result;
result = ssl_var_lookup(r->pool, r->server, r->connection, r, a);
if (result != NULL && result[0] == NUL)

8
modules/ssl/ssl_private.h
View File

@@ -1107,7 +1107,13 @@ void ssl_log_rxerror(const char *file, int line, int level,
/* Register variables for the lifetime of the process pool 'p'. */
void ssl_var_register(apr_pool_t *p);
char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
/* Matches optional function of the same name in the public API. The
* pool in which to allocate the return value must be non-NULL; c
* and/or r may be NULL. */
const char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
const char *name)
AP_FN_ATTR_NONNULL((1, 2, 5)) AP_FN_ATTR_WARN_UNUSED_RESULT;
apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, const char *extension);
void ssl_var_log_config_register(apr_pool_t *p);