* modules/ssl/ssl_util.c (modssl_request_is_tls): Adjust

to take SSLConnRec * out parameter rather than SSL *. * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Use it here. (ssl_hook_Fixup): Adjust use. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829263 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2018-04-16 12:36:42 +00:00
parent fb92787465
commit c16933db8c
3 changed files with 16 additions and 15 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1326,8 +1326,7 @@ int ssl_hook_Access(request_rec *r)
 */
 int ssl_hook_UserCheck(request_rec *r)
 {
-    SSLConnRec *sslconn = myConnConfig(r->connection);
-    SSLSrvConfigRec *sc = mySrvConfig(r->server);
+    SSLConnRec *sslconn;
    SSLDirConfigRec *dc = myDirConfig(r);
    const char *user, *auth_line, *username, *password;

@@ -1375,15 +1374,15 @@ int ssl_hook_UserCheck(request_rec *r)

    /*
     * We decline operation in various situations...
+     * - TLS not enabled
+     * - client did not present a certificate
     * - SSLOptions +FakeBasicAuth not configured
     * - r->user already authenticated
-     * - ssl not enabled
-     * - client did not present a certificate
     */
-    if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
-          && sslconn && sslconn->ssl && sslconn->client_cert) ||
-        !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
-    {
+    if (!modssl_request_is_tls(r, &sslconn)
+        || !sslconn->client_cert
+        || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH)
+        || r->user) {
        return DECLINED;
    }

@@ -1509,12 +1508,14 @@ int ssl_hook_Fixup(request_rec *r)
    const char *servername;
 #endif
    STACK_OF(X509) *peer_certs;
+    SSLConnRec *sslconn;
    SSL *ssl;
    int i;

-    if (!modssl_request_is_tls(r, &ssl)) {
+    if (!modssl_request_is_tls(r, &sslconn)) {
        return DECLINED;
    }
+    ssl = sslconn->ssl;

    /*
     * Annotate the SSI/CGI environment with standard SSL information
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1096,10 +1096,10 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
 * memory. */
 DH *modssl_get_dh_params(unsigned keylen);

-/* Returns non-zero if the request is using SSL/TLS.  If ssl is
- * non-NULL and the request is using SSL/TLS, sets *ssl to the
- * corresponding SSL structure for the connectbion. */
-int modssl_request_is_tls(const request_rec *r, SSL **ssl);
+/* Returns non-zero if the request was made over SSL/TLS.  If sslconn
+ * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
+ * corresponding SSLConnRec structure for the connection. */
+int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);

 #if HAVE_VALGRIND
 extern int ssl_running_on_valgrind;
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -100,7 +100,7 @@ BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
    return FALSE;
 }

-int modssl_request_is_tls(const request_rec *r, SSL **ssl)
+int modssl_request_is_tls(const request_rec *r, SSLConnRec **scout)
 {
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
@@ -112,7 +112,7 @@ int modssl_request_is_tls(const request_rec *r, SSL **ssl)
    if (sc->enabled == SSL_ENABLED_FALSE || !sslconn || !sslconn->ssl)
        return 0;
    
-    if (ssl) *ssl = sslconn->ssl;
+    if (scout) *scout = sslconn;

    return 1;
 }