www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Apply mod_ssl MEGA porting patch. This is a cleaned up version of the

Browse Source 
latest patches from Madhusudan which makes mod_ssl 95% working inside
Apache 2.0. There is still a lot of more work (both porting and cleanup)
to do be done. See modules/ssl/README for details.

Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89618 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ralf S. Engelschall
2001-07-19 16:08:01 +00:00
parent d7a428b08a
commit ca8f54367f
18 changed files with 1322 additions and 822 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
modules/ssl/README
View File

@@ -23,22 +23,23 @@
Here is a short overview of the source files:
* README .................. This file ;)
# Makefile.in ............. Makefile template for Unix platform
# config.m4 ............... Autoconf stub for the Apache config mechanism
# mod_ssl.c ............... main source file containing API structures
- mod_ssl.h ............... common header file of mod_ssl
- ssl_engine_config.c ..... module configuration handling
# mod_ssl.h ............... common header file of mod_ssl
# ssl_engine_config.c ..... module configuration handling
# ssl_engine_dh.c ......... DSA/DH support
# ssl_engine_ds.c ......... data structures
- ssl_engine_ext.c ........ Extensions to other Apache parts
- ssl_engine_init.c ....... module initialization
- ssl_engine_io.c ......... I/O support
- ssl_engine_kernel.c ..... SSL engine kernel
- ssl_engine_log.c ........ logfile support
# ssl_engine_init.c ....... module initialization
* ssl_engine_io.c ......... I/O support
# ssl_engine_kernel.c ..... SSL engine kernel
# ssl_engine_log.c ........ logfile support
# ssl_engine_mutex.c ...... mutual exclusion support
- ssl_engine_pphrase.c .... pass-phrase handling
- ssl_engine_rand.c ....... PRNG support
- ssl_engine_vars.c ....... Variable Expansion support
# ssl_engine_pphrase.c .... pass-phrase handling
# ssl_engine_rand.c ....... PRNG support
# ssl_engine_vars.c ....... Variable Expansion support
# ssl_expr.c .............. expression handling main source
# ssl_expr.h .............. expression handling common header
- ssl_expr_scan.c ......... expression scanner automaton (pre-generated)
@@ -47,8 +48,8 @@
- ssl_expr_parse.h ........ expression parser header (pre-generated)
- ssl_expr_parse.y ........ expression parser source
# ssl_expr_eval.c ......... expression machine evaluation
- ssl_scache.c ............ session cache abstraction layer
- ssl_scache_dbm.c ........ session cache via DBM file
# ssl_scache.c ............ session cache abstraction layer
# ssl_scache_dbm.c ........ session cache via DBM file
- ssl_scache_shmcb.c ...... session cache via shared memory cyclic buffer
- ssl_scache_shmht.c ...... session cache via shared memory hash table
# ssl_util.c .............. utility functions
@@ -57,7 +58,8 @@
# ssl_util_table.c ........ the hash table library source
# ssl_util_table.h ........ the hash table library header
Legend: # = already ported to Apache 2.0
Legend: # = already ported to Apache 2.0 and is cleaned up
* = ported to Apache 2.0 but still needs cleaning up
- = port still not finished
The source files are written in clean ANSI C and pass the ``gcc -O -g
@@ -100,6 +102,7 @@
SSL_SESSION ............. OpenSSL Session
SSL ..................... OpenSSL Connection
BIO ..................... OpenSSL Connection Buffer
SSLFilterRec ............ mod_ssl Filter Context
For an overview how these are related and chained together have a look at the
page in README.dsov.{fig,ps}. It contains overview diagrams for those data
@@ -158,12 +161,23 @@
from Apache 1.3 and this mod_ssl version for Apache 2.0:
o The DBM based session cache is now based on APR's DBM API only.
o Introduced Filter logic (similar to mod_tls)
o Eliminated ap_global_ctx. Storing Persistant information in
process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
ssl_config_global_* () functions have an extra parameter now -
"server_rec *" - which is used to retrieve the SSLModConfigRec.
TODO
o use ssl_var_lookup?
o Whether to unregister and how to unregister?
ssl_var_unregister();
ssl_ext_unregister();
ssl_io_unregister();
o We certainly need CRYPTO_set_locking_callback() now also under Unix!
o Eliminate APR_BLOCK_READ from churn (). The APR_NONBLOCK_READ doesn't work
currently. The filter logic has to be changed to handle situations when
the data is not available immediately.
o Enable the use of ssl_var_* and ssl_ext_* functionalities.
o Enable use of MM, SHMCB and SHMHT.
o Try to use APR routines in ssl_util_ssl.c for performing FILE operations.

371
modules/ssl/mod_ssl.c
View File

@@ -58,6 +58,8 @@
*/
#include "mod_ssl.h"
#include "util_md5.h"
#include <assert.h>
/*
* the table of configuration directives we provide
@@ -202,73 +204,10 @@ static const command_rec ssl_config_cmds[] = {
* the various processing hooks
*/
static void ssl_hook_pre_config(
static int ssl_hook_pre_config(
apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp)
{
/* unused */
return;
}
static void ssl_hook_post_config(
apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
{
/* ssl_init_Module() */
return;
}
static int ssl_hook_pre_connection(conn_rec *r)
{
/* unused */
return DECLINED;
}
static int ssl_hook_process_connection(conn_rec *r)
{
/* call ssl_hook_NewConnection */
/* hook ssl_hook_CloseConnection() */
return DECLINED;
}
static int ssl_hook_handler(request_rec *r)
{
/* ssl_hook_Handler() */
return DECLINED;
}
static int ssl_hook_translate_name(request_rec *r)
{
/* ssl_hook_Translate() */
return DECLINED;
}
static void ssl_hook_init_child(apr_pool_t *pchild, server_rec *s)
{
/* ssl_init_Child() */
return;
}
static int ssl_hook_auth_checker(request_rec *r)
{
/* ssl_hook_Auth() */
return DECLINED;
}
static int ssl_hook_check_user_id(request_rec *r)
{
/* ssl_hook_UserCheck */
return DECLINED;
}
static int ssl_hook_access_checker(request_rec *r)
{
/* ssl_hook_Access() */
return DECLINED;
}
static int ssl_hook_fixups(request_rec *r)
{
/* ssl_hook_Fixup() */
return DECLINED;
}
@@ -278,40 +217,305 @@ static int ssl_hook_post_read_request(request_rec *r)
return DECLINED;
}
static void ssl_hook_child_init(apr_pool_t *pchild, server_rec *s)
static int ssl_hook_pre_connection(conn_rec *c)
{
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
apr_table_t *apctx;
SSL *ssl;
unsigned char *cpVHostID;
char *cpVHostMD5;
/*
* Create SSL context
*/
apr_table_setn(c->notes, "ssl", NULL);
/*
* Immediately stop processing if SSL is disabled for this connection
*/
if (sc == NULL || !sc->bEnabled)
return DECLINED;
/*
* Remember the connection information for
* later access inside callback functions
*/
cpVHostID = (unsigned char *)ssl_util_vhostid(c->pool,c->base_server);
ssl_log(c->base_server, SSL_LOG_INFO, "Connection to child %d established "
"(server %s, client %s)", c->id, cpVHostID,
c->remote_ip != NULL ? c->remote_ip : "unknown");
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if ((ssl = SSL_new(sc->pSSLCtx)) == NULL) {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to create a new SSL connection from the SSL context");
apr_table_setn(c->notes, "ssl", NULL);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_clear(ssl);
cpVHostMD5 = ap_md5(c->pool, cpVHostID);
if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5,
strlen(cpVHostMD5))) {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to set session id context to `%s'", cpVHostMD5);
apr_table_setn(c->notes, "ssl", NULL);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
apctx = apr_table_make(c->pool, AP_CTX_MAX_ENTRIES);
apr_table_setn(apctx, "ssl::request_rec", NULL);
apr_table_setn(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0));
SSL_set_app_data2(ssl, apctx);
apr_table_setn(c->notes, "ssl", (const char *)ssl);
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
#if 0 /* XXX */
if (sc->nLogLevel >= SSL_LOG_DEBUG) {
BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
BIO_set_callback_arg(SSL_get_rbio(ssl), ssl);
}
#endif
/*
* Predefine some client verification results
*/
apr_table_setn(c->notes, "ssl::client::dn", NULL);
apr_table_setn(c->notes, "ssl::verify::error", NULL);
apr_table_setn(c->notes, "ssl::verify::info", NULL);
SSL_set_verify_result(ssl, X509_V_OK);
/*
* We have to manage a I/O timeout ourself, because Apache
* does it the first time when reading the request, but we're
* working some time before this happens.
*/
ssl_util_setmodconfig(c->base_server, "ssl::handshake::timeout", (void *)FALSE);
#if 0 /* XXX */
ap_set_callback_and_alarm(ssl_hook_TimeoutConnection, c->base_server->timeout);
#endif
ssl_io_filter_init(c, ssl);
return APR_SUCCESS;
}
/*
* The hook is NOT registered with ap_hook_process_connection. Instead, it is
* called manually from the churn () before it tries to read any data.
* There is some problem if I accept conn_rec *. Still investigating..
* Adv. if conn_rec * can be accepted is we can hook this function using the
* ap_hook_process_connection hook.
*/
static int ssl_hook_process_connection(SSLFilterRec *pRec)
{
int n, err;
conn_rec *c = SSL_get_app_data (pRec->pssl);
if (!SSL_is_init_finished(pRec->pssl))
{
if ((n = SSL_accept(pRec->pssl)) <= 0) {
if ((err = SSL_get_error(pRec->pssl, n)) == SSL_ERROR_ZERO_RETURN) {
/*
* The case where the connection was closed before any data
* was transferred. That's not a real error and can occur
* sporadically with some clients.
*/
ssl_log(c->base_server, SSL_LOG_INFO,
"SSL handshake stopped: connection was closed");
}
else if (err == SSL_ERROR_WANT_READ) {
/*
* This is in addition to what was present earlier. It is
* borrowed from openssl_state_machine.c [mod_tls].
* TBD.
*/
return 0;
}
else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
/*
* The case where OpenSSL has recognized a HTTP request:
* This means the client speaks plain HTTP on our HTTPS port.
* Hmmmm... At least for this error we can be more friendly
* and try to provide him with a HTML error page. We have only
* one problem:OpenSSL has already read some bytes from the HTTP
* request. So we have to skip the request line manually and
* instead provide a faked one in order to continue the internal
* Apache processing.
*
*/
#if 0 /* XXX */
/*
* Still need to be ported to Apache 2.0 style
*/
char ca[2];
int rv;
/* log the situation */
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL handshake failed: HTTP spoken on HTTPS port; "
"trying to send HTML error page");
/* first: skip the remaining bytes of the request line */
do {
do {
rv = read(fb->fd, ca, 1);
} while (rv == -1 && errno == EINTR);
} while (rv > 0 && ca[0] != '\012' /*LF*/);
/* second: fake the request line */
fb->inbase = ap_palloc(fb->pool, fb->bufsiz);
ap_cpystrn((char *)fb->inbase, "GET /mod_ssl:error:HTTP-request HTTP/1.0\r\n",
fb->bufsiz);
fb->inptr = fb->inbase;
fb->incnt = strlen((char *)fb->inptr);
#endif
}
else if (ssl_util_getmodconfig_ssl(pRec->pssl, "ssl::handshake::timeout")
== (void *)TRUE) {
ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL handshake timed out (client %s, server %s)",
c->remote_ip != NULL ? c->remote_ip : "unknown",
ssl_util_vhostid(c->pool,c->base_server));
}
else if ((SSL_get_error(pRec->pssl, n) == SSL_ERROR_SYSCALL)
&& (errno != EINTR)) {
if (errno > 0)
ssl_log(c->base_server,
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
"SSL handshake interrupted by system "
"[Hint: Stop button pressed in browser?!]");
else
ssl_log(c->base_server,
SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
"Spurious SSL handshake interrupt [Hint: "
"Usually just one of those OpenSSL confusions!?]");
}
else {
/*
* Ok, anything else is a fatal error
*/
ssl_log(c->base_server,
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
"SSL handshake failed (server %s, client %s)",
ssl_util_vhostid(c->pool,c->base_server),
c->remote_ip != NULL ? c->remote_ip : "unknown");
}
/*
* try to gracefully shutdown the connection:
* - send an own shutdown message (be gracefully)
* - don't wait for peer's shutdown message (deadloop)
* - kick away the SSL stuff immediately
* - block the socket, so Apache cannot operate any more
*/
SSL_set_shutdown(pRec->pssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(pRec->pssl);
SSL_free(pRec->pssl);
apr_table_setn(c->notes, "ssl", NULL);
c->aborted = 1;
return APR_EGENERAL;
}
}
return APR_SUCCESS;
}
static void ssl_hook_open_logs(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
/* ssl_init_Child() */
return;
}
static int ssl_hook_quick_handler (request_rec *r)
{
/* ssl_hook_Auth() */
return DECLINED;
}
static int ssl_hook_fixer_upper (request_rec *r)
{
/* ssl_hook_UserCheck */
return DECLINED;
}
static const char *ssl_hook_http_method (const request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->bEnabled == FALSE)
return NULL;
return "https";
}
static apr_port_t ssl_hook_default_port (const request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
if (sc->bEnabled == FALSE)
return 0;
return 443;
}
static int ssl_hook_insert_filter (request_rec *r)
{
/* ssl_hook_ReadReq() */
return DECLINED;
}
/*
* the module registration phase
*/
static void ssl_register_hooks(apr_pool_t *p)
{
ap_hook_pre_config (ssl_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config (ssl_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_handler (ssl_hook_handler, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name (ssl_hook_translate_name, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (ssl_hook_auth_checker, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (ssl_hook_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker (ssl_hook_access_checker, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_fixups (ssl_hook_fixups, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request (ssl_hook_post_read_request, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_pre_connection (ssl_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_process_connection(ssl_hook_process_connection, NULL, NULL, APR_HOOK_MIDDLE);
ssl_io_filter_register(p);
ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
#if 0 /* XXX - Work in progress */
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_process_connection (ssl_hook_process_connection,
NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request (ssl_hook_post_read_request,
NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_open_logs (ssl_hook_open_logs, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_quick_handler (ssl_hook_quick_handler, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_log_transaction(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_create_request(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_type_checker (ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_insert_filter (ssl_hook_insert_filter, NULL,NULL, APR_HOOK_MIDDLE);
#endif
#if 0 /* XXX */
ssl_var_register();
ssl_ext_register();
ssl_io_register();
return;
#endif
}
/*
* the main module structure
*/
module AP_MODULE_DECLARE_DATA ssl_module = {
STANDARD20_MODULE_STUFF,
ssl_config_perdir_create, /* create per-dir config structures */
@@ -321,4 +525,3 @@ module AP_MODULE_DECLARE_DATA ssl_module = {
ssl_config_cmds, /* table of configuration directives */
ssl_register_hooks /* register hooks */
};

184
modules/ssl/mod_ssl.h
View File

@@ -64,12 +64,13 @@
#ifndef __MOD_SSL_H__
#define __MOD_SSL_H__
#define MOD_SSL_VERSION "3.0a0"
/*
* Optionally enable the experimental stuff, but allow the user to
* override the decision which experimental parts are included by using
* CFLAGS="-DSSL_EXPERIMENTAL_xxxx_IGNORE".
*/
#if 0 /* XXX */
#ifdef SSL_EXPERIMENTAL
#ifndef SSL_EXPERIMENTAL_PERDIRCA_IGNORE
#define SSL_EXPERIMENTAL_PERDIRCA
@@ -83,7 +84,6 @@
#endif
#endif
#endif /* SSL_EXPERIMENTAL */
#endif /* XXX */
/*
* Power up our brain...
@@ -116,23 +116,24 @@
/* Apache headers */
#define CORE_PRIVATE
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "http_request.h"
#include "http_main.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_connection.h"
#include "http_request.h"
#include "http_protocol.h"
#include "util_script.h"
#include "util_filter.h"
#include "scoreboard.h"
#include "util_md5.h"
#include "apr.h"
#include "unixd.h"
#include "apr_strings.h"
#include "apr_tables.h"
#include "apr_lib.h"
#include "apr_fnmatch.h"
#include "apr_strings.h"
#include "apr_pools.h"
#include "apr_tables.h"
#include "apr_file_info.h"
#include "apr_dbm.h"
#undef CORE_PRIVATE
/* mod_ssl headers */
@@ -191,26 +192,25 @@
#define strIsEmpty(s) (s == NULL || s[0] == NUL)
#if 0 /* XXX */
#define cfgMerge(el,unset) new->el = add->el == unset ? base->el : add->el
#define cfgMergeArray(el) new->el = ap_append_arrays(p, add->el, base->el)
#define cfgMergeTable(el) new->el = ap_overlay_tables(p, add->el, base->el)
#define cfgMergeCtx(el) new->el = ap_ctx_overlay(p, add->el, base->el)
#define cfgMergeArray(el) new->el = apr_array_append(p, add->el, base->el)
#define cfgMergeTable(el) new->el = apr_table_overlay(p, add->el, base->el)
#define cfgMergeCtx(el) new->el = apr_table_overlay(p, add->el, base->el)
#define cfgMergeString(el) cfgMerge(el, NULL)
#define cfgMergeBool(el) cfgMerge(el, UNSET)
#define cfgMergeInt(el) cfgMerge(el, UNSET)
#endif /* XXX */
#if 0 /* XXX */
#define myModConfig() (SSLModConfigRec *)ap_ctx_get(ap_global_ctx, "ssl_module")
#endif /* XXX */
#define myModConfig(srv) (SSLModConfigRec *)ssl_util_getmodconfig(srv, "ssl_module")
#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)
#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
#if 0 /* XXX */
#define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val
#define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
#endif /* XXX */
#define AP_CTX_NUM2PTR(n) (void *)(((unsigned long)(n))+1)
#define AP_CTX_PTR2NUM(p) (unsigned long)(((char *)(p))-1)
#define AP_CTX_MAX_ENTRIES 1024
/*
* SSL Logging
@@ -240,12 +240,12 @@
/*
* Support for MM library
*/
#define SSL_MM_FILE_MODE ( S_IRUSR|S_IWUSR )
#define SSL_MM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
/*
* Support for DBM library
*/
#define SSL_DBM_FILE_MODE ( S_IRUSR|S_IWUSR )
#define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
#if !defined(SSL_DBM_FILE_SUFFIX_DIR) && !defined(SSL_DBM_FILE_SUFFIX_PAG)
#if defined(DBM_SUFFIX)
@@ -298,7 +298,6 @@ typedef int ssl_algo_t;
#define SSL_AIDX_DSA (1)
#define SSL_AIDX_MAX (2)
#if 0 /* XXX */
/*
* Define IDs for the temporary RSA keys and DH params
@@ -357,7 +356,6 @@ typedef enum {
SSL_PPTYPE_BUILTIN = 0,
SSL_PPTYPE_FILTER = 1
} ssl_pphrase_t;
#endif /* XXX */
/*
* Define the Path Checking modes
@@ -368,8 +366,6 @@ typedef enum {
#define SSL_PCM_ISNONZERO 8
typedef unsigned int ssl_pathcheck_t;
#if 0 /* XXX */
/*
* Define the SSL session cache modes and structures
*/
@@ -434,18 +430,30 @@ typedef struct {
*/
typedef struct {
pool *pPool;
SSL *pssl;
BIO *pbioRead;
BIO *pbioWrite;
ap_filter_t *pInputFilter;
ap_filter_t *pOutputFilter;
apr_bucket_brigade *pbbInput; /* encrypted input */
apr_bucket_brigade *pbbPendingInput; /* decrypted input */
} SSLFilterRec;
typedef struct {
apr_pool_t *pPool;
BOOL bFixed;
int nInitCount;
int nSessionCacheMode;
char *szSessionCacheDataFile;
int nSessionCacheDataSize;
#if 0 /* XXX */
AP_MM *pSessionCacheDataMM;
table_t *tSessionCacheDataTable;
#endif
apr_table_t *tSessionCacheDataTable;
ssl_mutexmode_t nMutexMode;
char *szMutexFile;
apr_lock_t *pMutex;
array_header *aRandSeed;
apr_array_header_t *aRandSeed;
ssl_ds_table *tTmpKeys;
void *pTmpKeys[SSL_TKPIDX_MAX];
ssl_ds_table *tPublicCert;
@@ -463,10 +471,9 @@ typedef struct {
* (i.e. the configuration for the main server
* and all <VirtualHost> contexts)
*/
#endif /* XXX */
typedef struct {
BOOL bEnabled;
#if 0 /* XXX */
apr_table_t *ap_server_ctx;
char *szPublicCertFile[SSL_AIDX_MAX];
char *szPrivateKeyFile[SSL_AIDX_MAX];
char *szCertificateChain;
@@ -474,7 +481,7 @@ typedef struct {
char *szCACertificateFile;
char *szLogFile;
char *szCipherSuite;
FILE *fileLogFile;
apr_file_t *fileLogFile;
int nLogLevel;
int nVerifyDepth;
ssl_verify_t nVerifyClient;
@@ -501,20 +508,16 @@ typedef struct {
SSL_CTX *pSSLProxyCtx;
STACK_OF(X509_INFO) *skProxyClientCerts;
#endif
#endif /* XXX */
} SSLSrvConfigRec;
#if 0 /* XXX */
/*
* Define the mod_ssl per-directory configuration structure
* (i.e. the local configuration for all <Directory>
* and .htaccess contexts)
*/
#endif /* XXX */
typedef struct {
BOOL bSSLRequired;
#if 0 /* XXX */
array_header *aRequirement;
apr_array_header_t *aRequirement;
ssl_opt_t nOptions;
ssl_opt_t nOptionsAdd;
ssl_opt_t nOptionsDel;
@@ -525,7 +528,6 @@ typedef struct {
char *szCACertificatePath;
char *szCACertificateFile;
#endif
#endif /* XXX */
} SSLDirConfigRec;
/*
@@ -536,36 +538,36 @@ typedef struct {
extern module AP_MODULE_DECLARE_DATA ssl_module;
/* configuration handling */
void ssl_config_global_create(void);
void ssl_config_global_fix(void);
BOOL ssl_config_global_isfixed(void);
void ssl_config_global_create(server_rec *);
void ssl_config_global_fix(SSLModConfigRec *);
BOOL ssl_config_global_isfixed(SSLModConfigRec *);
void *ssl_config_server_create(apr_pool_t *, server_rec *);
void *ssl_config_server_merge(apr_pool_t *, void *, void *);
void *ssl_config_perdir_create(apr_pool_t *, char *);
void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
const char *ssl_cmd_SSLMutex(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLLog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLLogLevel(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProtocol(cmd_parms *, char *, const char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLLog(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLLogLevel(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
#ifdef SSL_EXPERIMENTAL_PROXY
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, char *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, char *, char *);
@@ -576,25 +578,24 @@ const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, char *, char *);
#endif
#if 0 /* XXX */
/* module initialization */
void ssl_init_Module(server_rec *, pool *);
void ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_SSLLibrary(void);
void ssl_init_Engine(server_rec *, pool *);
void ssl_init_TmpKeysHandle(int, server_rec *, pool *);
void ssl_init_ConfigureServer(server_rec *, pool *, SSLSrvConfigRec *);
void ssl_init_CheckServers(server_rec *, pool *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
void ssl_init_TmpKeysHandle(int, server_rec *, apr_pool_t *);
void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, SSLSrvConfigRec *);
void ssl_init_CheckServers(server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
*ssl_init_FindCAList(server_rec *, pool *, char *, char *);
void ssl_init_Child(server_rec *, pool *);
void ssl_init_ChildKill(void *);
void ssl_init_ModuleKill(void *);
*ssl_init_FindCAList(server_rec *, apr_pool_t *, char *, char *);
void ssl_init_Child(apr_pool_t *, server_rec *);
apr_status_t ssl_init_ChildKill(void *data);
apr_status_t ssl_init_ModuleKill(void *data);
/* Apache API hooks */
void ssl_hook_NewConnection(conn_rec *);
void ssl_hook_TimeoutConnection(int);
void ssl_hook_CloseConnection(conn_rec *);
apr_status_t ssl_hook_CloseConnection(SSLFilterRec *);
int ssl_hook_Translate(request_rec *);
int ssl_hook_Auth(request_rec *);
int ssl_hook_UserCheck(request_rec *);
@@ -614,21 +615,22 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
void ssl_callback_LogTracingState(SSL *, int, int);
/* Session Cache Support */
void ssl_scache_init(server_rec *, pool *);
void ssl_scache_init(server_rec *, apr_pool_t *);
void ssl_scache_kill(server_rec *);
BOOL ssl_scache_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int);
void ssl_scache_remove(server_rec *, UCHAR *, int);
void ssl_scache_expire(server_rec *);
void ssl_scache_status(server_rec *, pool *, void (*)(char *, void *), void *);
void ssl_scache_status(server_rec *, apr_pool_t *, void (*)(char *, void *), void *);
char *ssl_scache_id2sz(UCHAR *, int);
void ssl_scache_dbm_init(server_rec *, pool *);
void ssl_scache_dbm_init(server_rec *, apr_pool_t *);
void ssl_scache_dbm_kill(server_rec *);
BOOL ssl_scache_dbm_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *, UCHAR *, int);
void ssl_scache_dbm_remove(server_rec *, UCHAR *, int);
void ssl_scache_dbm_expire(server_rec *);
void ssl_scache_dbm_status(server_rec *, pool *, void (*)(char *, void *), void *);
void ssl_scache_dbm_status(server_rec *, apr_pool_t *, void (*)(char *, void *), void *);
#if 0 /* XXX */
void ssl_scache_shmht_init(server_rec *, pool *);
void ssl_scache_shmht_kill(server_rec *);
BOOL ssl_scache_shmht_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
@@ -643,10 +645,11 @@ SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *, UCHAR *, int);
void ssl_scache_shmcb_remove(server_rec *, UCHAR *, int);
void ssl_scache_shmcb_expire(server_rec *);
void ssl_scache_shmcb_status(server_rec *, pool *, void (*)(char *, void *), void *);
#endif
/* Pass Phrase Support */
void ssl_pphrase_Handle(server_rec *, pool *);
int ssl_pphrase_Handle_CB(char *, int, int);
void ssl_pphrase_Handle(server_rec *, apr_pool_t *);
int ssl_pphrase_Handle_CB(char *, int, int, void *);
/* Diffie-Hellman Parameter Support */
DH *ssl_dh_GetTmpParam(int);
@@ -667,40 +670,40 @@ void ssl_ds_table_wipeout(ssl_ds_table *);
void ssl_ds_table_kill(ssl_ds_table *);
/* Mutex Support */
#endif /* XXX */
int ssl_mutex_init(server_rec *, apr_pool_t *);
int ssl_mutex_reinit(server_rec *, apr_pool_t *);
int ssl_mutex_on(server_rec *);
int ssl_mutex_off(server_rec *);
int ssl_mutex_kill(server_rec *);
#if 0 /* XXX */
/* Logfile Support */
void ssl_log_open(server_rec *, server_rec *, pool *);
void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
BOOL ssl_log_applies(server_rec *, int);
void ssl_log(server_rec *, int, const char *, ...);
void ssl_die(void);
/* Variables */
#if 0 /* XXX */
void ssl_var_register(void);
void ssl_var_unregister(void);
#endif /* XXX */
char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
/* I/O */
#if 0 /* XXX */
void ssl_io_register(void);
void ssl_io_unregister(void);
void ssl_io_filter_init(conn_rec *, SSL *);
void ssl_io_filter_register(apr_pool_t *);
long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
/* PRNG */
int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t, char *);
int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
/* Extensions */
#if 0 /* XXX */
void ssl_ext_register(void);
void ssl_ext_unregister(void);
#endif /* XXX */
#endif
/* Utility Functions */
char *ssl_util_vhostid(apr_pool_t *, server_rec *);
@@ -715,5 +718,8 @@ ssl_algo_t ssl_util_algotypeof(X509 *, EVP_PKEY *);
char *ssl_util_algotypestr(ssl_algo_t);
char *ssl_util_ptxtsub(apr_pool_t *, const char *, const char *, char *);
void ssl_util_thread_setup(void);
apr_status_t ssl_util_setmodconfig(server_rec *, const char *, SSLModConfigRec *);
SSLModConfigRec *ssl_util_getmodconfig(server_rec *, const char *);
SSLModConfigRec *ssl_util_getmodconfig_ssl(SSL *, const char *);
#endif /* __MOD_SSL_H__ */

314
modules/ssl/ssl_engine_config.c
View File

@@ -62,26 +62,23 @@
-- Unknown */
#include "mod_ssl.h"
#if 0 /* XXX */
/* _________________________________________________________________
**
** Support for Global Configuration
** _________________________________________________________________
*/
void ssl_config_global_create(void)
void ssl_config_global_create(server_rec *s)
{
pool *pPool;
SSLModConfigRec *mc;
apr_pool_t *pPool;
SSLModConfigRec *mc = myModConfig(s);
mc = ap_ctx_get(ap_global_ctx, "ssl_module");
if (mc == NULL) {
/*
* allocate an own subpool which survives server restarts
*/
pPool = ap_make_sub_pool(NULL);
mc = (SSLModConfigRec *)ap_palloc(pPool, sizeof(SSLModConfigRec));
pPool = s->process->pool;
mc = (SSLModConfigRec *)apr_palloc(pPool, sizeof(SSLModConfigRec));
mc->pPool = pPool;
mc->bFixed = FALSE;
@@ -92,12 +89,14 @@ void ssl_config_global_create(void)
mc->nSessionCacheMode = SSL_SCMODE_UNSET;
mc->szSessionCacheDataFile = NULL;
mc->nSessionCacheDataSize = 0;
#if 0 /* XXX */
mc->pSessionCacheDataMM = NULL;
#endif
mc->tSessionCacheDataTable = NULL;
mc->nMutexMode = SSL_MUTEXMODE_UNSET;
mc->szMutexFile = NULL;
mc->pMutex = NULL;
mc->aRandSeed = ap_make_array(pPool, 4, sizeof(ssl_randseed_t));
mc->aRandSeed = apr_array_make(pPool, 4, sizeof(ssl_randseed_t));
mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
mc->tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
@@ -110,26 +109,22 @@ void ssl_config_global_create(void)
/*
* And push it into Apache's global context
*/
ap_ctx_set(ap_global_ctx, "ssl_module", mc);
ssl_util_setmodconfig(s, "ssl_module", mc);
}
return;
}
void ssl_config_global_fix(void)
void ssl_config_global_fix(SSLModConfigRec *mc)
{
SSLModConfigRec *mc = myModConfig();
mc->bFixed = TRUE;
return;
}
BOOL ssl_config_global_isfixed(void)
BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
{
SSLModConfigRec *mc = myModConfig();
return (mc->bFixed);
}
#endif /* XXX */
/* _________________________________________________________________
**
** Configuration handling
@@ -141,12 +136,11 @@ BOOL ssl_config_global_isfixed(void)
*/
void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc;
ssl_config_global_create();
ssl_config_global_create(s);
sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
sc = apr_palloc(p, sizeof(SSLSrvConfigRec));
sc->bEnabled = UNSET;
sc->szCACertificatePath = NULL;
sc->szCACertificateFile = NULL;
@@ -184,8 +178,6 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
(void)memset(sc->pPrivateKey, 0, SSL_AIDX_MAX*sizeof(EVP_PKEY *));
return sc;
#endif /* XXX */
return NULL;
}
/*
@@ -193,11 +185,10 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
*/
void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
{
#if 0 /* XXX */
int i;
SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
SSLSrvConfigRec *new = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec));
int i;
SSLSrvConfigRec *new = (SSLSrvConfigRec *)apr_palloc(p, sizeof(SSLSrvConfigRec));
cfgMergeBool(bEnabled);
cfgMergeString(szCACertificatePath);
@@ -238,8 +229,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
#endif
return new;
#endif /* XXX */
return NULL;
}
/*
@@ -247,11 +236,10 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
*/
void *ssl_config_perdir_create(apr_pool_t *p, char *dir)
{
#if 0 /* XXX */
SSLDirConfigRec *dc = ap_palloc(p, sizeof(SSLDirConfigRec));
SSLDirConfigRec *dc = apr_palloc(p, sizeof(SSLDirConfigRec));
dc->bSSLRequired = FALSE;
dc->aRequirement = ap_make_array(p, 4, sizeof(ssl_require_t));
dc->aRequirement = apr_array_make(p, 4, sizeof(ssl_require_t));
dc->nOptions = SSL_OPT_NONE|SSL_OPT_RELSET;
dc->nOptionsAdd = SSL_OPT_NONE;
dc->nOptionsDel = SSL_OPT_NONE;
@@ -259,14 +247,13 @@ void *ssl_config_perdir_create(apr_pool_t *p, char *dir)
dc->szCipherSuite = NULL;
dc->nVerifyClient = SSL_CVERIFY_UNSET;
dc->nVerifyDepth = UNSET;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
dc->szCACertificatePath = NULL;
dc->szCACertificateFile = NULL;
#endif
return dc;
#endif /* XXX */
return NULL;
}
/*
@@ -274,11 +261,9 @@ void *ssl_config_perdir_create(apr_pool_t *p, char *dir)
*/
void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
{
#if 0 /* XXX */
SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
SSLDirConfigRec *add = (SSLDirConfigRec *)addv;
SSLDirConfigRec *new = (SSLDirConfigRec *)ap_palloc(p,
sizeof(SSLDirConfigRec));
SSLDirConfigRec *new = (SSLDirConfigRec *)apr_palloc(p, sizeof(SSLDirConfigRec));
cfgMerge(bSSLRequired, FALSE);
cfgMergeArray(aRequirement);
@@ -297,14 +282,13 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
cfgMergeString(szCipherSuite);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
cfgMergeInt(nVerifyDepth);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
cfgMergeString(szCACertificatePath);
cfgMergeString(szCACertificateFile);
#endif
return new;
#endif /* XXX */
return NULL;
}
@@ -313,23 +297,22 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
*/
const char *ssl_cmd_SSLMutex(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
const char *err;
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(cmd->server);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
return err;
if (ssl_config_global_isfixed())
if (ssl_config_global_isfixed(mc))
return NULL;
if (strcEQ(arg, "none") || strcEQ(arg, "no")) {
mc->nMutexMode = SSL_MUTEXMODE_NONE;
}
else if (strlen(arg) > 5 && strcEQn(arg, "file:", 5)) {
mc->nMutexMode = SSL_MUTEXMODE_USED;
mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu",
ap_server_root_relative(cmd->pool, "mutex", arg+5),
mc->szMutexFile = (char *)apr_psprintf(mc->pPool, "%s.%lu",
ap_server_root_relative(cmd->pool, arg+5),
(unsigned long)getpid());
}
else if (strcEQ(arg, "sem") || strcEQ(arg, "yes")) {
@@ -338,14 +321,12 @@ const char *ssl_cmd_SSLMutex(
}
else
return "SSLMutex: Invalid argument";
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLPassPhraseDialog(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
@@ -357,23 +338,21 @@ const char *ssl_cmd_SSLPassPhraseDialog(
}
else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) {
sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER;
sc->szPassPhraseDialogPath = ap_server_root_relative(cmd->pool, "dialog", arg+5);
sc->szPassPhraseDialogPath = (char *)ap_server_root_relative(cmd->pool, arg+5);
if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
sc->szPassPhraseDialogPath, "' not exists", NULL);
return ((const char *)apr_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
sc->szPassPhraseDialogPath, "' not exists",NULL));
}
else
return "SSLPassPhraseDialog: Invalid argument";
#endif /* XXX */
return NULL;
}
#ifdef SSL_EXPERIMENTAL_ENGINE
const char *ssl_cmd_SSLCryptoDevice(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ENGINE *e;
#if SSL_LIBRARY_VERSION >= 0x00907000
@@ -397,43 +376,42 @@ const char *ssl_cmd_SSLCryptoDevice(
}
else
return "SSLCryptoDevice: Invalid argument";
#endif /* XXX */
return NULL;
}
#endif
const char *ssl_cmd_SSLRandomSeed(
cmd_parms *cmd, char *struct_ptr, char *arg1, char *arg2, char *arg3)
cmd_parms *cmd, void *ctx, const char *arg1,
const char *arg2, const char *arg3)
{
#if 0 /* XXX */
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ssl_randseed_t *pRS;
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
return err;
if (ssl_config_global_isfixed())
if (ssl_config_global_isfixed(mc))
return NULL;
pRS = ap_push_array(mc->aRandSeed);
pRS = apr_array_push(mc->aRandSeed);
if (strcEQ(arg1, "startup"))
pRS->nCtx = SSL_RSCTX_STARTUP;
else if (strcEQ(arg1, "connect"))
pRS->nCtx = SSL_RSCTX_CONNECT;
else
return ap_pstrcat(cmd->pool, "SSLRandomSeed: "
return apr_pstrcat(cmd->pool, "SSLRandomSeed: "
"invalid context: `", arg1, "'");
if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) {
pRS->nSrc = SSL_RSSRC_FILE;
pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5));
pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5));
}
else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) {
pRS->nSrc = SSL_RSSRC_EXEC;
pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5));
pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5));
}
#if SSL_LIBRARY_VERSION >= 0x00905100
else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) {
pRS->nSrc = SSL_RSSRC_EGD;
pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+4));
pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+4));
}
#endif
else if (strcEQ(arg2, "builtin")) {
@@ -442,11 +420,11 @@ const char *ssl_cmd_SSLRandomSeed(
}
else {
pRS->nSrc = SSL_RSSRC_FILE;
pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2));
pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2));
}
if (pRS->nSrc != SSL_RSSRC_BUILTIN)
if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLRandomSeed: source path '",
return apr_pstrcat(cmd->pool, "SSLRandomSeed: source path '",
pRS->cpPath, "' not exists", NULL);
if (arg3 == NULL)
pRS->nBytes = 0; /* read whole file */
@@ -458,107 +436,100 @@ const char *ssl_cmd_SSLRandomSeed(
if (pRS->nBytes < 0)
return "SSLRandomSeed: invalid number of bytes specified";
}
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLEngine(
cmd_parms *cmd, char *struct_ptr, int flag)
cmd_parms *cmd, void *ctx, int flag)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->bEnabled = (flag ? TRUE : FALSE);
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCipherSuite(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
if (cmd->path == NULL || dc == NULL)
sc->szCipherSuite = arg;
sc->szCipherSuite = (char *)arg;
else
dc->szCipherSuite = arg;
#endif /* XXX */
dc->szCipherSuite = (char *)arg;
return NULL;
}
const char *ssl_cmd_SSLCertificateFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
int i;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '",
return apr_pstrcat(cmd->pool, "SSLCertificateFile: file '",
cpPath, "' not exists or empty", NULL);
for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++)
;
if (i == SSL_AIDX_MAX)
return ap_psprintf(cmd->pool, "SSLCertificateFile: only up to %d "
return apr_psprintf(cmd->pool, "SSLCertificateFile: only up to %d "
"different certificates per virtual host allowed",
SSL_AIDX_MAX);
sc->szPublicCertFile[i] = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCertificateKeyFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
int i;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
return apr_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
cpPath, "' not exists or empty", NULL);
for (i = 0; i < SSL_AIDX_MAX && sc->szPrivateKeyFile[i] != NULL; i++)
for (i = 0; i < SSL_AIDX_MAX && (sc->szPrivateKeyFile[i] != NULL) &&
(strlen(sc->szPrivateKeyFile[i]) != 0); i++)
;
if (i == SSL_AIDX_MAX)
return ap_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d "
return apr_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d "
"different private keys per virtual host allowed",
SSL_AIDX_MAX);
sc->szPrivateKeyFile[i] = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCertificateChainFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
return apr_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
cpPath, "' not exists or empty", NULL);
sc->szCertificateChain = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCACertificatePath(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
#ifdef SSL_EXPERIMENTAL_PERDIRCA
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
#endif
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
return apr_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
cpPath, "' not exists", NULL);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (cmd->path == NULL || dc == NULL)
@@ -568,20 +539,21 @@ const char *ssl_cmd_SSLCACertificatePath(
#else
sc->szCACertificatePath = cpPath;
#endif
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCACertificateFile(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
#ifdef SSL_EXPERIMENTAL_PERDIRCA
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
#endif
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
return apr_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
cpPath, "' not exists or empty", NULL);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (cmd->path == NULL || dc == NULL)
@@ -591,46 +563,41 @@ const char *ssl_cmd_SSLCACertificateFile(
#else
sc->szCACertificateFile = cpPath;
#endif
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCARevocationPath(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '",
return apr_pstrcat(cmd->pool, "SSLCARecocationPath: directory '",
cpPath, "' not exists", NULL);
sc->szCARevocationPath = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCARevocationFile(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
return apr_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
cpPath, "' not exists or empty", NULL);
sc->szCARevocationFile = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLVerifyClient(
cmd_parms *cmd, SSLDirConfigRec *dc, char *level)
cmd_parms *cmd, void *ctx, const char *level)
{
#if 0 /* XXX */
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
ssl_verify_t id;
@@ -648,14 +615,13 @@ const char *ssl_cmd_SSLVerifyClient(
sc->nVerifyClient = id;
else
dc->nVerifyClient = id;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLVerifyDepth(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
int d;
@@ -666,40 +632,41 @@ const char *ssl_cmd_SSLVerifyDepth(
sc->nVerifyDepth = d;
else
dc->nVerifyDepth = d;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLSessionCache(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
SSLModConfigRec *mc = myModConfig();
char *cp, *cp2;
int maxsize;
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
return err;
if (ssl_config_global_isfixed())
if (ssl_config_global_isfixed(mc))
return NULL;
if (strcEQ(arg, "none")) {
mc->nSessionCacheMode = SSL_SCMODE_NONE;
mc->szSessionCacheDataFile = NULL;
}
else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) {
mc->nSessionCacheMode = SSL_SCMODE_DBM;
mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
ap_server_root_relative(cmd->pool, "scache", arg+4));
mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool,
ap_server_root_relative(cmd->pool, arg+4));
}
else if ( (strlen(arg) > 4 && strcEQn(arg, "shm:", 4))
|| (strlen(arg) > 6 && strcEQn(arg, "shmht:", 6))) {
#if 0 /* XXX */
if (!ap_mm_useable())
return "SSLSessionCache: shared memory cache not useable on this platform";
#endif
mc->nSessionCacheMode = SSL_SCMODE_SHMHT;
cp = strchr(arg, ':');
mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
ap_server_root_relative(cmd->pool, "scache", cp+1));
mc->szSessionCacheDataFile = (char *)apr_pstrdup(mc->pPool,
ap_server_root_relative(cmd->pool, cp+1));
mc->tSessionCacheDataTable = NULL;
mc->nSessionCacheDataSize = 1024*512; /* 512KB */
if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
@@ -710,17 +677,23 @@ const char *ssl_cmd_SSLSessionCache(
mc->nSessionCacheDataSize = atoi(cp);
if (mc->nSessionCacheDataSize <= 8192)
return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
#if 0 /* XXX */
maxsize = ap_mm_core_maxsegsize();
#else
maxsize = 1024 * 512;
#endif
if (mc->nSessionCacheDataSize >= maxsize)
return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
return apr_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
"size has to be < %d bytes on this platform", maxsize);
}
}
else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) {
#if 0 /* XXX */
if (!ap_mm_useable())
return "SSLSessionCache: shared memory cache not useable on this platform";
#endif
mc->nSessionCacheMode = SSL_SCMODE_SHMCB;
mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool,
ap_server_root_relative(cmd->pool, arg+6));
mc->tSessionCacheDataTable = NULL;
mc->nSessionCacheDataSize = 1024*512; /* 512KB */
@@ -732,50 +705,48 @@ const char *ssl_cmd_SSLSessionCache(
mc->nSessionCacheDataSize = atoi(cp);
if (mc->nSessionCacheDataSize <= 8192)
return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
#if 0 /* XXX */
maxsize = ap_mm_core_maxsegsize();
#else
maxsize = 1024 * 512;
#endif
if (mc->nSessionCacheDataSize >= maxsize)
return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
return apr_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
"size has to be < %d bytes on this platform", maxsize);
}
}
else
return "SSLSessionCache: Invalid argument";
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLSessionCacheTimeout(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->nSessionCacheTimeout = atoi(arg);
if (sc->nSessionCacheTimeout < 0)
return "SSLSessionCacheTimeout: Invalid argument";
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLLog(
cmd_parms *cmd, char *struct_ptr, char *arg)
cmd_parms *cmd, void *ctx, const char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY
|NOT_IN_LOCATION|NOT_IN_FILES )) != NULL)
return err;
sc->szLogFile = arg;
#endif /* XXX */
sc->szLogFile = (char *)arg;
return NULL;
}
const char *ssl_cmd_SSLLogLevel(
cmd_parms *cmd, char *struct_ptr, char *level)
cmd_parms *cmd, void *ctx, const char *level)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
@@ -796,14 +767,13 @@ const char *ssl_cmd_SSLLogLevel(
sc->nLogLevel = SSL_LOG_DEBUG;
else
return "SSLLogLevel: Invalid argument";
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLOptions(
cmd_parms *cmd, SSLDirConfigRec *dc, const char *cpLine)
cmd_parms *cmd, void *ctx, const char *cpLine)
{
#if 0 /* XXX */
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
ssl_opt_t opt;
int first;
char action;
@@ -835,7 +805,7 @@ const char *ssl_cmd_SSLOptions(
else if (strcEQ(w, "OptRenegotiate"))
opt = SSL_OPT_OPTRENEGOTIATE;
else
return ap_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL);
return apr_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL);
if (action == '-') {
dc->nOptionsAdd &= ~opt;
@@ -853,39 +823,35 @@ const char *ssl_cmd_SSLOptions(
dc->nOptionsDel = SSL_OPT_NONE;
}
}
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLRequireSSL(
cmd_parms *cmd, SSLDirConfigRec *dc, char *cipher)
cmd_parms *cmd, void *ctx)
{
#if 0 /* XXX */
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
dc->bSSLRequired = TRUE;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLRequire(
cmd_parms *cmd, SSLDirConfigRec *dc, char *cpExpr)
cmd_parms *cmd, void *ctx, const char *cpExpr)
{
#if 0 /* XXX */
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
ssl_expr *mpExpr;
ssl_require_t *pReqRec;
if ((mpExpr = ssl_expr_comp(cmd->pool, cpExpr)) == NULL)
return ap_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL);
pReqRec = ap_push_array(dc->aRequirement);
pReqRec->cpExpr = ap_pstrdup(cmd->pool, cpExpr);
if ((mpExpr = ssl_expr_comp(cmd->pool, (char *)cpExpr)) == NULL)
return apr_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL);
pReqRec = apr_array_push(dc->aRequirement);
pReqRec->cpExpr = apr_pstrdup(cmd->pool, cpExpr);
pReqRec->mpExpr = mpExpr;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProtocol(
cmd_parms *cmd, char *struct_ptr, const char *opt)
cmd_parms *cmd, void *ctx, const char *opt)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc;
ssl_proto_t options, thisopt;
char action;
@@ -909,7 +875,8 @@ const char *ssl_cmd_SSLProtocol(
else if (strcEQ(w, "all"))
thisopt = SSL_PROTOCOL_ALL;
else
return ap_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", w, "'", NULL);
return apr_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '",
w, "'", NULL);
if (action == '-')
options &= ~thisopt;
@@ -919,7 +886,6 @@ const char *ssl_cmd_SSLProtocol(
options = thisopt;
}
sc->nProtocol = options;
#endif /* XXX */
return NULL;
}
@@ -928,7 +894,6 @@ const char *ssl_cmd_SSLProtocol(
const char *ssl_cmd_SSLProxyProtocol(
cmd_parms *cmd, char *struct_ptr, const char *opt)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc;
ssl_proto_t options, thisopt;
char action;
@@ -952,7 +917,7 @@ const char *ssl_cmd_SSLProxyProtocol(
else if (strcEQ(w, "all"))
thisopt = SSL_PROTOCOL_ALL;
else
return ap_pstrcat(cmd->pool, "SSLProxyProtocol: "
return apr_pstrcat(cmd->pool, "SSLProxyProtocol: "
"Illegal protocol '", w, "'", NULL);
if (action == '-')
options &= ~thisopt;
@@ -962,36 +927,30 @@ const char *ssl_cmd_SSLProxyProtocol(
options = thisopt;
}
sc->nProxyProtocol = options;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyCipherSuite(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->szProxyCipherSuite = arg;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyVerify(
cmd_parms *cmd, char *struct_ptr, int flag)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->bProxyVerify = (flag ? TRUE : FALSE);
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyVerifyDepth(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
int d;
@@ -999,71 +958,62 @@ const char *ssl_cmd_SSLProxyVerifyDepth(
if (d < 0)
return "SSLProxyVerifyDepth: Invalid argument";
sc->nProxyVerifyDepth = d;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyCACertificateFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
return apr_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
cpPath, "' not exists or empty", NULL);
sc->szProxyCACertificateFile = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyCACertificatePath(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
return apr_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
cpPath, "' does not exists", NULL);
sc->szProxyCACertificatePath = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyMachineCertificateFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
return apr_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
cpPath, "' not exists or empty", NULL);
sc->szProxyClientCertificateFile = cpPath;
#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyMachineCertificatePath(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
return apr_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
cpPath, "' does not exists", NULL);
sc->szProxyClientCertificatePath = cpPath;
#endif /* XXX */
return NULL;
}

4
modules/ssl/ssl_engine_ds.c
View File

@@ -76,7 +76,7 @@ ssl_ds_array *ssl_ds_array_make(apr_pool_t *p, int size)
if ((a = (ssl_ds_array *)apr_palloc(p, sizeof(ssl_ds_array))) == NULL)
return NULL;
a->pPool = p;
if ((a->pSubPool = apr_pool_sub_make(p, NULL)) != APR_SUCCESS)
if ((a->pSubPool = apr_pool_sub_make(p, NULL)) == NULL)
return NULL;
a->aData = apr_array_make(a->pSubPool, 2, size);
return a;
@@ -130,7 +130,7 @@ ssl_ds_table *ssl_ds_table_make(apr_pool_t *p, int size)
if ((t = (ssl_ds_table *)apr_palloc(p, sizeof(ssl_ds_table))) == NULL)
return NULL;
t->pPool = p;
if ((t->pSubPool = apr_pool_sub_make(p, NULL)) != APR_SUCCESS)
if ((t->pSubPool = apr_pool_sub_make(p, NULL)) == NULL)
return NULL;
t->aKey = apr_array_make(t->pSubPool, 2, MAX_STRING_LEN);
t->aData = apr_array_make(t->pSubPool, 2, size);

112
modules/ssl/ssl_engine_init.c
View File

@@ -61,8 +61,6 @@
-- Unknown */
#include "mod_ssl.h"
#if 0 /* XXX */
/* _________________________________________________________________
**
** Module Initialization
@@ -72,25 +70,25 @@
/*
* Per-module initialization
*/
void ssl_init_Module(server_rec *s, pool *p)
void ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc;
server_rec *s2;
char *cp;
mc->nInitCount++;
/*
* Let us cleanup on restarts and exists
*/
ap_register_cleanup(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);
apr_pool_cleanup_register(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);
/*
* Any init round fixes the global config
*/
ssl_config_global_create(); /* just to avoid problems */
ssl_config_global_fix();
ssl_config_global_create(s); /* just to avoid problems */
ssl_config_global_fix(mc);
mc->nInitCount++;
/*
* try to fix the configuration and open the dedicated SSL
@@ -123,10 +121,12 @@ void ssl_init_Module(server_rec *s, pool *p)
* Identification
*/
if (mc->nInitCount == 1) {
#if 0 /* XXX */
ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s",
SERVER_BASEVERSION,
AP_SERVER_BASEVERSION,
ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"),
ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
#endif
}
/*
@@ -159,7 +159,7 @@ void ssl_init_Module(server_rec *s, pool *p)
* module segment (code & data) gets unloaded and re-loaded between
* the first and the second round. This means no global data survives
* between first and the second init round. We overcome this by using
* an entry ("ssl_module") inside the ap_global_ctx.
* an entry ("ssl_module") inside the process_rec->pool->user_data.
*
* The situation as a table:
*
@@ -257,10 +257,12 @@ void ssl_init_Module(server_rec *s, pool *p)
* Announce mod_ssl and SSL library in HTTP Server field
* as ``mod_ssl/X.X.X OpenSSL/X.X.X''
*/
#if 0 /* XXX */
if ((cp = ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_PRODUCT")) != NULL && cp[0] != NUL)
ap_add_version_component(cp);
ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"));
ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
ap_add_version_component(p, cp);
ap_add_version_component(p, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"));
ap_add_version_component(p, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
#endif
return;
}
@@ -283,9 +285,9 @@ void ssl_init_SSLLibrary(void)
* a hardware accellerator card for crypto operations.
*/
#ifdef SSL_EXPERIMENTAL_ENGINE
void ssl_init_Engine(server_rec *s, pool *p)
void ssl_init_Engine(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
ENGINE *e;
if (mc->szCryptoDevice != NULL) {
@@ -310,9 +312,9 @@ void ssl_init_Engine(server_rec *s, pool *p)
/*
* Handle the Temporary RSA Keys and DH Params
*/
void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
void ssl_init_TmpKeysHandle(int action, server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
unsigned char *ucp;
RSA *rsa;
@@ -333,7 +335,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512");
asn1->nData = i2d_RSAPrivateKey(rsa, NULL);
asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
RSA_free(rsa);
@@ -345,7 +347,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:1024");
asn1->nData = i2d_RSAPrivateKey(rsa, NULL);
asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
RSA_free(rsa);
@@ -358,7 +360,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:512");
asn1->nData = i2d_DHparams(dh, NULL);
asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */
/* no need to free dh, it's static */
@@ -369,7 +371,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:1024");
asn1->nData = i2d_DHparams(dh, NULL);
asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */
/* no need to free dh, it's static */
}
@@ -463,9 +465,9 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
/*
* Configure a particular server
*/
void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
int nVerify;
char *cpVHostID;
EVP_PKEY *pKey;
@@ -515,7 +517,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
cpVHostID);
ssl_die();
}
cp = ap_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
cp = apr_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
(sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
(sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
cp[strlen(cp)-2] = NUL;
@@ -633,7 +635,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
* Configure server certificate(s)
*/
ok = FALSE;
cp = ap_psprintf(p, "%s:RSA", cpVHostID);
cp = apr_psprintf(p, "%s:RSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring RSA server certificate", cpVHostID);
@@ -652,7 +654,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
}
ok = TRUE;
}
cp = ap_psprintf(p, "%s:DSA", cpVHostID);
cp = apr_psprintf(p, "%s:DSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring DSA server certificate", cpVHostID);
@@ -703,8 +705,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen);
}
if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
if (ap_is_fnmatch(cp) &&
!ap_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
if (apr_is_fnmatch(cp) &&
!apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
ssl_log(s, SSL_LOG_WARN,
"Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
"does NOT match server name!?", cpVHostID,
@@ -724,7 +726,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
* Configure server private key(s)
*/
ok = FALSE;
cp = ap_psprintf(p, "%s:RSA", cpVHostID);
cp = apr_psprintf(p, "%s:RSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring RSA server private key", cpVHostID);
@@ -744,7 +746,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
}
ok = TRUE;
}
cp = ap_psprintf(p, "%s:DSA", cpVHostID);
cp = apr_psprintf(p, "%s:DSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring DSA server private key", cpVHostID);
@@ -819,13 +821,13 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
return;
}
void ssl_init_CheckServers(server_rec *sm, pool *p)
void ssl_init_CheckServers(server_rec *sm, apr_pool_t *p)
{
server_rec *s;
server_rec **ps;
SSLSrvConfigRec *sc;
ssl_ds_table *t;
pool *sp;
apr_pool_t *sp;
char *key;
BOOL bConflict;
@@ -851,14 +853,14 @@ void ssl_init_CheckServers(server_rec *sm, pool *p)
* just the certificate/keys of one virtual host (which one cannot be said
* easily - but that doesn't matter here).
*/
sp = ap_make_sub_pool(p);
apr_pool_create(&sp, p);
t = ssl_ds_table_make(sp, sizeof(server_rec *));
bConflict = FALSE;
for (s = sm; s != NULL; s = s->next) {
sc = mySrvConfig(s);
if (!sc->bEnabled)
continue;
key = ap_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
key = apr_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
ps = ssl_ds_table_get(t, key);
if (ps != NULL) {
ssl_log(sm, SSL_LOG_WARN,
@@ -876,7 +878,8 @@ void ssl_init_CheckServers(server_rec *sm, pool *p)
*ps = s;
}
ssl_ds_table_kill(t);
ap_destroy_pool(sp);
/* XXX - It was giving some problem earlier - check it out - TBD */
apr_pool_destroy(sp);
if (bConflict)
ssl_log(sm, SSL_LOG_WARN,
"Init: You should not use name-based virtual hosts in conjunction with SSL!!");
@@ -889,14 +892,14 @@ static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
return(X509_NAME_cmp(*a, *b));
}
STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile, char *cpCApath)
STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, char *cpCAfile, char *cpCApath)
{
STACK_OF(X509_NAME) *skCAList;
STACK_OF(X509_NAME) *sk;
DIR *dir;
struct DIR_TYPE *direntry;
apr_dir_t *dir;
apr_finfo_t direntry;
char *cp;
pool *p;
apr_pool_t *p;
int n;
/*
@@ -904,7 +907,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile
* is remains in memory for the complete operation time of
* the server.
*/
p = ap_make_sub_pool(pp);
p = apr_pool_sub_make(pp, NULL);
/*
* Start with a empty stack/list where new
@@ -930,9 +933,9 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile
* Process CA certificate path files
*/
if (cpCApath != NULL) {
dir = ap_popendir(p, cpCApath);
while ((direntry = readdir(dir)) != NULL) {
cp = ap_pstrcat(p, cpCApath, "/", direntry->d_name, NULL);
apr_dir_open(&dir, cpCApath, p);
while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) {
cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
sk = SSL_load_client_CA_file(cp);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE,
@@ -942,32 +945,33 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile
sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n));
}
}
ap_pclosedir(p, dir);
apr_dir_close(dir);
}
/*
* Cleanup
*/
sk_X509_NAME_set_cmp_func(skCAList, NULL);
ap_destroy_pool(p);
apr_pool_destroy(p);
return skCAList;
}
void ssl_init_Child(server_rec *s, pool *p)
void ssl_init_Child(apr_pool_t *p, server_rec *s)
{
/* open the mutex lockfile */
ssl_mutex_reinit(s, p);
return;
}
void ssl_init_ChildKill(void *data)
apr_status_t ssl_init_ChildKill(void *data)
{
/* server_rec *s = (server_rec *)data; */
/* currently nothing to do */
return;
return APR_SUCCESS;
}
void ssl_init_ModuleKill(void *data)
apr_status_t ssl_init_ModuleKill(void *data)
{
SSLSrvConfigRec *sc;
server_rec *s = (server_rec *)data;
@@ -976,7 +980,9 @@ void ssl_init_ModuleKill(void *data)
* Drop the session cache and mutex
*/
ssl_scache_kill(s);
#if 0 /* XXX */
ssl_mutex_kill(s);
#endif
/*
* Destroy the temporary keys and params
@@ -1020,8 +1026,6 @@ void ssl_init_ModuleKill(void *data)
EVP_cleanup();
#endif
return;
return APR_SUCCESS;
}
#endif /* XXX */

336
modules/ssl/ssl_engine_io.c
View File

@@ -68,10 +68,9 @@
** _________________________________________________________________
*/
#if 0 /* XXX */
static int ssl_io_hook_read(BUFF *fb, char *buf, int len);
static int ssl_io_hook_write(BUFF *fb, char *buf, int len);
#endif /* XXX */
/* XXX THIS STUFF NEEDS A MAJOR CLEANUP -RSE XXX */
static const char ssl_io_filter[] = "SSL/TLS Filter";
void ssl_io_register(void)
{
@@ -91,15 +90,12 @@ void ssl_io_unregister(void)
return;
}
#if 0 /* XXX */
static int ssl_io_hook_read(BUFF *fb, char *buf, int len)
static int ssl_io_hook_read(SSL *ssl, unsigned char *buf, int len)
{
SSL *ssl;
conn_rec *c;
int rc;
if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL) {
if (ssl != NULL) {
rc = SSL_read(ssl, buf, len);
/*
* Simulate an EINTR in case OpenSSL wants to read more.
@@ -113,27 +109,30 @@ static int ssl_io_hook_read(BUFF *fb, char *buf, int len)
*/
if (rc < 0 && SSL_get_error(ssl, rc) == SSL_ERROR_SSL) {
c = (conn_rec *)SSL_get_app_data(ssl);
ssl_log(c->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL error on reading data");
}
/*
* read(2) returns only the generic error number -1
*/
if (rc < 0)
rc = -1;
/*
* XXX - Just trying to reflect the behaviour in
* openssl_state_machine.c [mod_tls]. TBD
*/
rc = 0;
}
else
rc = read(fb->fd_in, buf, len);
rc = -1;
return rc;
}
static int ssl_io_hook_write(BUFF *fb, char *buf, int len)
static int ssl_io_hook_write(SSL *ssl, unsigned char *buf, int len)
{
SSL *ssl;
conn_rec *c;
int rc;
if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL) {
if (ssl != NULL) {
rc = SSL_write(ssl, buf, len);
/*
* Simulate an EINTR in case OpenSSL wants to write more.
@@ -145,20 +144,296 @@ static int ssl_io_hook_write(BUFF *fb, char *buf, int len)
*/
if (rc < 0 && SSL_get_error(ssl, rc) == SSL_ERROR_SSL) {
c = (conn_rec *)SSL_get_app_data(ssl);
ssl_log(c->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL error on writing data");
}
/*
* write(2) returns only the generic error number -1
*/
if (rc < 0)
rc = -1;
/*
* XXX - Just trying to reflect the behaviour in
* openssl_state_machine.c [mod_tls]. TBD
*/
rc = 0;
}
else
rc = write(fb->fd, buf, len);
rc = -1;
return rc;
}
static apr_status_t churn_output(SSLFilterRec *pRec)
{
apr_bucket_brigade *pbbOutput=NULL;
int done;
do {
char buf[1024];
int n;
apr_bucket *pbkt;
done=0;
if (BIO_pending(pRec->pbioWrite)) {
n = BIO_read(pRec->pbioWrite,buf,sizeof buf);
if(n > 0) {
char *pbuf;
if(!pbbOutput)
pbbOutput=apr_brigade_create(pRec->pOutputFilter->c->pool);
pbuf=apr_pmemdup(pRec->pOutputFilter->c->pool,buf,n);
pbkt=apr_bucket_pool_create(pbuf,n,
pRec->pOutputFilter->c->pool);
APR_BRIGADE_INSERT_TAIL(pbbOutput,pbkt);
done=1;
/* } else if(n == 0) {
apr_bucket *pbktEOS=apr_bucket_create_eos();
APR_BRIGADE_INSERT_TAIL(pbbOutput,pbktEOS);*/
}
assert (n > 0); /* XXX => Check if required */
#if 0 /* XXX */
}
else if (n == 0)
done = 1;
else
assert (n > 0);
#endif
}
#if 0 /* XXX */
else
{
done = 1;
}
#endif
} while(done);
/* XXX: check for errors */
if(pbbOutput) {
apr_bucket *pbkt;
/* XXX: it may be possible to not always flush */
pbkt=apr_bucket_flush_create();
APR_BRIGADE_INSERT_TAIL(pbbOutput,pbkt);
ap_pass_brigade(pRec->pOutputFilter->next,pbbOutput);
}
return APR_SUCCESS;
}
static apr_status_t churn (SSLFilterRec *pRec,
apr_read_type_e eReadType, apr_size_t *readbytes)
{
apr_bucket *pbktIn;
ap_input_mode_t eMode = (eReadType == APR_BLOCK_READ)
? AP_MODE_BLOCKING : AP_MODE_NONBLOCKING;
/* XXX : Errrr... bad way of doing things TBD */
eReadType = APR_BLOCK_READ;
eMode = AP_MODE_BLOCKING;
if(APR_BRIGADE_EMPTY(pRec->pbbInput)) {
ap_get_brigade(pRec->pInputFilter->next,pRec->pbbInput,eMode,readbytes);
if(APR_BRIGADE_EMPTY(pRec->pbbInput))
return APR_EOF;
}
APR_BRIGADE_FOREACH(pbktIn,pRec->pbbInput) {
const char *data;
apr_size_t len;
int n;
char buf[1024];
apr_status_t ret;
if(APR_BUCKET_IS_EOS(pbktIn)) {
break;
}
/* read filter */
ret=apr_bucket_read(pbktIn,&data,&len,eReadType);
APR_BUCKET_REMOVE(pbktIn);
if(ret == APR_SUCCESS && len == 0 && eReadType == APR_BLOCK_READ)
ret=APR_EOF;
if(len == 0) {
/* Lazy frickin browsers just reset instead of shutting down. */
if(ret == APR_EOF || APR_STATUS_IS_ECONNRESET(ret)) {
if(APR_BRIGADE_EMPTY(pRec->pbbPendingInput))
return APR_EOF;
else
/* Next time around, the incoming brigade will be empty,
* so we'll return EOF then
*/
return APR_SUCCESS;
}
if(eReadType != APR_NONBLOCK_READ)
ap_log_error(APLOG_MARK,APLOG_ERR,ret,NULL,
"Read failed in tls_in_filter");
assert(eReadType == APR_NONBLOCK_READ);
assert(ret == APR_SUCCESS || APR_STATUS_IS_EAGAIN(ret));
/* In this case, we have data in the output bucket, or we were
* non-blocking, so returning nothing is fine.
*/
return APR_SUCCESS;
}
assert(len > 0);
n = BIO_write (pRec->pbioRead, data, len);
assert(n == len);
ssl_hook_process_connection (pRec);
n = ssl_io_hook_read(pRec->pssl, (unsigned char *)buf, sizeof(buf));
if(n > 0) {
apr_bucket *pbktOut;
char *pbuf;
pbuf=apr_pmemdup(pRec->pInputFilter->c->pool,buf,n);
/* XXX: should we use a heap bucket instead? Or a transient (in
* which case we need a separate brigade for each bucket)?
*/
pbktOut=apr_bucket_pool_create(pbuf,n,pRec->pInputFilter->c->pool);
APR_BRIGADE_INSERT_TAIL(pRec->pbbPendingInput,pbktOut);
/* Once we've read something, we can move to non-blocking mode (if
* we weren't already).
*/
eReadType=APR_NONBLOCK_READ;
/* XXX: deal with EOF! */
/* } else if(n == 0) {
apr_bucket *pbktEOS=apr_bucket_create_eos();
APR_BRIGADE_INSERT_TAIL(pbbInput,pbktEOS);*/
}
assert(n >= 0);
ret=churn_output(pRec);
if(ret != APR_SUCCESS)
return ret;
}
return churn_output(pRec);
}
apr_status_t ssl_io_filter_Output(ap_filter_t *f,apr_bucket_brigade *pbbIn)
{
SSLFilterRec *pRec=f->ctx;
apr_bucket *pbktIn;
conn_rec *c = SSL_get_app_data (pRec->pssl);
APR_BRIGADE_FOREACH(pbktIn,pbbIn) {
const char *data;
apr_size_t len, n;
apr_status_t ret;
if(APR_BUCKET_IS_EOS(pbktIn)) {
/* XXX: demote to debug */
ssl_log(c->base_server, SSL_LOG_INFO, "EOS in output");
if (ssl_hook_CloseConnection (pRec) != APR_SUCCESS)
ssl_log(c->base_server, SSL_LOG_INFO,
"Error in ssl_hook_CloseConnection");
#if 0
/* XXX: dubious - does this always terminate? Does it return the right thing? */
for( ; ; ) {
ret=churn_output(pRec);
if(ret != APR_SUCCESS)
return ret;
/* XXX - Verify if passing &len is okay for churn - TBD */
len = 0;
ret=churn(pRec,APR_NONBLOCK_READ,&len);
if(ret != APR_SUCCESS) {
if(ret == APR_EOF)
return APR_SUCCESS;
else
return ret;
}
}
#endif
break;
}
if(APR_BUCKET_IS_FLUSH(pbktIn)) {
/* assume that churn will flush (or already has) if there's output */
/* XXX - Verify if passing &len is okay for churn - TBD */
ssl_log(c->base_server, SSL_LOG_INFO, "FLUSH in output");
len = 0;
ret=churn(pRec,APR_NONBLOCK_READ,&len);
if(ret != APR_SUCCESS)
return ret;
continue;
}
ssl_log(c->base_server, SSL_LOG_INFO, "DATA in output");
/* read filter */
apr_bucket_read(pbktIn,&data,&len,APR_BLOCK_READ);
/* write SSL */
n = ssl_io_hook_write(pRec->pssl, (unsigned char *)data, len);
assert (n == len);
/* churn the state machine */
ret=churn_output(pRec);
if(ret != APR_SUCCESS)
return ret;
}
return APR_SUCCESS;
}
apr_status_t ssl_io_filter_Input(ap_filter_t *f,apr_bucket_brigade *pbbOut,
ap_input_mode_t eMode, apr_size_t *readbytes)
{
apr_status_t ret;
SSLFilterRec *pRec = f->ctx;
apr_read_type_e eReadType =
(eMode == AP_MODE_BLOCKING) ? APR_BLOCK_READ : APR_NONBLOCK_READ;
/* XXX: we don't currently support peek */
assert(eMode != AP_MODE_PEEK);
/* churn the state machine */
ret = churn(pRec,eReadType,readbytes);
if(ret != APR_SUCCESS)
return ret;
/* XXX: shame that APR_BRIGADE_FOREACH doesn't work here */
while(!APR_BRIGADE_EMPTY(pRec->pbbPendingInput)) {
apr_bucket *pbktIn=APR_BRIGADE_FIRST(pRec->pbbPendingInput);
APR_BUCKET_REMOVE(pbktIn);
APR_BRIGADE_INSERT_TAIL(pbbOut,pbktIn);
}
return APR_SUCCESS;
}
void ssl_io_filter_init(conn_rec *c, SSL *ssl)
{
SSLFilterRec *filter;
filter = apr_pcalloc(c->pool, sizeof(SSLFilterRec));
filter->pInputFilter = ap_add_input_filter(ssl_io_filter, filter, NULL, c);
filter->pOutputFilter = ap_add_output_filter(ssl_io_filter, filter, NULL, c);
filter->pbbInput = apr_brigade_create(c->pool);
filter->pbbPendingInput = apr_brigade_create(c->pool);
filter->pbioRead = BIO_new(BIO_s_mem());
filter->pbioWrite = BIO_new(BIO_s_mem());
SSL_set_bio(ssl, filter->pbioRead, filter->pbioWrite);
filter->pssl = ssl;
return;
}
void ssl_io_filter_register(apr_pool_t *p)
{
ap_register_input_filter (ssl_io_filter, ssl_io_filter_Input, AP_FTYPE_NETWORK);
ap_register_output_filter (ssl_io_filter, ssl_io_filter_Output, AP_FTYPE_NETWORK);
return;
}
/* _________________________________________________________________
**
** I/O Data Debugging
@@ -183,28 +458,28 @@ static void ssl_io_data_dump(server_rec *srvr, const char *s, long len)
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
"+-------------------------------------------------------------------------+");
for(i = 0 ; i< rows; i++) {
ap_snprintf(tmp, sizeof(tmp), "| %04x: ", i * DUMP_WIDTH);
ap_cpystrn(buf, tmp, sizeof(buf));
apr_snprintf(tmp, sizeof(tmp), "| %04x: ", i * DUMP_WIDTH);
apr_cpystrn(buf, tmp, sizeof(buf));
for (j = 0; j < DUMP_WIDTH; j++) {
if (((i * DUMP_WIDTH) + j) >= len)
ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
else {
ch = ((unsigned char)*((char *)(s) + i * DUMP_WIDTH + j)) & 0xff;
ap_snprintf(tmp, sizeof(tmp), "%02x%c", ch , j==7 ? '-' : ' ');
ap_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
apr_snprintf(tmp, sizeof(tmp), "%02x%c", ch , j==7 ? '-' : ' ');
apr_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
}
}
ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
for (j = 0; j < DUMP_WIDTH; j++) {
if (((i * DUMP_WIDTH) + j) >= len)
ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
else {
ch = ((unsigned char)*((char *)(s) + i * DUMP_WIDTH + j)) & 0xff;
ap_snprintf(tmp, sizeof(tmp), "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.');
ap_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
apr_snprintf(tmp, sizeof(tmp), "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.');
apr_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
}
}
ap_cpystrn(buf+strlen(buf), " |", sizeof(buf)-strlen(buf));
apr_cpystrn(buf+strlen(buf), " |", sizeof(buf)-strlen(buf));
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, "%s", buf);
}
if (trunc > 0)
@@ -225,7 +500,7 @@ long ssl_io_data_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, lo
return rc;
if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
return rc;
s = c->server;
s = c->base_server;
if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
|| cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
@@ -250,6 +525,3 @@ long ssl_io_data_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, lo
}
return rc;
}
#endif /* XXX */

213
modules/ssl/ssl_engine_kernel.c
View File

@@ -373,19 +373,23 @@ void ssl_hook_TimeoutConnection(int sig)
ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)TRUE);
return;
}
#endif /* XXX */
/*
* Close the SSL part of the socket connection
* (called immediately _before_ the socket is closed)
*/
void ssl_hook_CloseConnection(conn_rec *conn)
apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
{
SSL *ssl;
char *cpType;
conn_rec *conn;
ssl = filter->pssl;
conn = (conn_rec *)SSL_get_app_data(ssl);
ssl = ap_ctx_get(conn->client->ctx, "ssl");
if (ssl == NULL)
return;
return APR_SUCCESS;
/*
* First make sure that no more data is pending in Apache's BUFF,
@@ -393,7 +397,7 @@ void ssl_hook_CloseConnection(conn_rec *conn)
* calls of Apache it would lead to an I/O error in the browser due
* to the fact that the SSL layer was already removed by us.
*/
ap_bflush(conn->client);
ap_flush_conn(conn);
/*
* Now close the SSL layer of the connection. We've to take
@@ -431,13 +435,13 @@ void ssl_hook_CloseConnection(conn_rec *conn)
* exchange close notify messages, but allow the user
* to force the type of handshake via SetEnvIf directive
*/
if (ap_ctx_get(conn->client->ctx, "ssl::flag::unclean-shutdown") == PTRUE) {
if (apr_table_get(conn->notes, "ssl::flag::unclean-shutdown") == PTRUE) {
/* perform no close notify handshake at all
(violates the SSL/TLS standard!) */
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
cpType = "unclean";
}
else if (ap_ctx_get(conn->client->ctx, "ssl::flag::accurate-shutdown") == PTRUE) {
else if (apr_table_get(conn->notes, "ssl::flag::accurate-shutdown") == PTRUE) {
/* send close notify and wait for clients close notify
(standard compliant, but usually causes connection hangs) */
SSL_set_shutdown(ssl, 0);
@@ -451,16 +455,17 @@ void ssl_hook_CloseConnection(conn_rec *conn)
}
SSL_smart_shutdown(ssl);
/* and finally log the fact that we've closed the connection */
ssl_log(conn->base_server, SSL_LOG_INFO,
"Connection to child %d closed with %s shutdown (server %s, client %s)",
conn->id, cpType, ssl_util_vhostid(conn->pool, conn->base_server),
conn->remote_ip != NULL ? conn->remote_ip : "unknown");
/* deallocate the SSL connection */
SSL_free(ssl);
ap_ctx_set(conn->client->ctx, "ssl", NULL);
apr_table_setn(conn->notes, "ssl", NULL);
/* and finally log the fact that we've closed the connection */
ssl_log(conn->server, SSL_LOG_INFO,
"Connection to child %d closed with %s shutdown (server %s, client %s)",
conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server),
conn->remote_ip != NULL ? conn->remote_ip : "unknown");
return;
return APR_SUCCESS;
}
/*
@@ -469,16 +474,16 @@ void ssl_hook_CloseConnection(conn_rec *conn)
int ssl_hook_ReadReq(request_rec *r)
{
SSL *ssl;
ap_ctx *apctx;
apr_table_t *apctx;
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
ssl = ap_ctx_get(r->connection->client->ctx, "ssl");
ssl = (SSL *)apr_table_get(r->connection->notes, "ssl");
if (ssl != NULL) {
apctx = SSL_get_app_data2(ssl);
ap_ctx_set(apctx, "ssl::request_rec", r);
apr_table_setn(apctx, "ssl::request_rec", (const char *)r);
}
/*
@@ -487,12 +492,12 @@ int ssl_hook_ReadReq(request_rec *r)
if (strEQn(r->uri, "/mod_ssl:", 9))
r->handler = "mod_ssl:content-handler";
if (ssl != NULL) {
ap_ctx_set(r->ctx, "ap::http::method", "https");
ap_ctx_set(r->ctx, "ap::default::port", "443");
apr_table_setn(r->notes, "ap::http::method", "https");
apr_table_setn(r->notes, "ap::default::port", "443");
}
else {
ap_ctx_set(r->ctx, "ap::http::method", NULL);
ap_ctx_set(r->ctx, "ap::default::port", NULL);
apr_table_setn(r->notes, "ap::http::method", NULL);
apr_table_setn(r->notes, "ap::default::port", NULL);
}
return DECLINED;
}
@@ -502,7 +507,7 @@ int ssl_hook_ReadReq(request_rec *r)
*/
int ssl_hook_Translate(request_rec *r)
{
if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
if (apr_table_get(r->connection->notes, "ssl") == NULL)
return DECLINED;
/*
@@ -513,23 +518,23 @@ int ssl_hook_Translate(request_rec *r)
"%s HTTPS request received for child %d (server %s)",
r->connection->keepalives <= 0 ?
"Initial (No.1)" :
ap_psprintf(r->pool, "Subsequent (No.%d)",
apr_psprintf(r->pool, "Subsequent (No.%d)",
r->connection->keepalives+1),
r->connection->child_num,
r->connection->id,
ssl_util_vhostid(r->pool, r->server));
/*
* Move SetEnvIf information from request_rec to conn_rec/BUFF
* to allow the close connection handler to use them.
*/
if (ap_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL)
ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PTRUE);
if (apr_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL)
apr_table_setn(r->connection->notes, "ssl::flag::unclean-shutdown", PTRUE);
else
ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PFALSE);
if (ap_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL)
ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PTRUE);
apr_table_setn(r->connection->notes, "ssl::flag::unclean-shutdown", PFALSE);
if (apr_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL)
apr_table_setn(r->connection->notes, "ssl::flag::accurate-shutdown", PTRUE);
else
ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PFALSE);
apr_table_setn(r->connection->notes, "ssl::flag::accurate-shutdown", PFALSE);
return DECLINED;
}
@@ -552,11 +557,11 @@ int ssl_hook_Handler(request_rec *r)
thisport = "";
port = ap_get_server_port(r);
if (!ap_is_default_port(port, r))
thisport = ap_psprintf(r->pool, ":%u", port);
thisurl = ap_psprintf(r->pool, "https://%s%s/",
thisport = apr_psprintf(r->pool, ":%u", port);
thisurl = apr_psprintf(r->pool, "https://%s%s/",
ap_get_server_name(r), thisport);
ap_table_setn(r->notes, "error-notes", ap_psprintf(r->pool,
apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool,
"Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>\n"
"Instead use the HTTPS scheme to access this URL, please.<BR>\n"
"<BLOCKQUOTE>Hint: <A HREF=\"%s\"><B>%s</B></A></BLOCKQUOTE>",
@@ -575,7 +580,7 @@ int ssl_hook_Access(request_rec *r)
SSLSrvConfigRec *sc;
SSL *ssl;
SSL_CTX *ctx = NULL;
array_header *apRequirement;
apr_array_header_t *apRequirement;
ssl_require_t *pRequirements;
ssl_require_t *pRequirement;
char *cp;
@@ -597,7 +602,7 @@ int ssl_hook_Access(request_rec *r)
STACK_OF(SSL_CIPHER) *skCipherOld;
STACK_OF(SSL_CIPHER) *skCipher;
SSL_CIPHER *pCipher;
ap_ctx *apctx;
apr_table_t *apctx;
int nVerifyOld;
int nVerify;
int n;
@@ -606,7 +611,7 @@ int ssl_hook_Access(request_rec *r)
dc = myDirConfig(r);
sc = mySrvConfig(r->server);
ssl = ap_ctx_get(r->connection->client->ctx, "ssl");
ssl = (SSL *)apr_table_get(r->connection->notes, "ssl");
if (ssl != NULL)
ctx = SSL_get_SSL_CTX(ssl);
@@ -614,10 +619,13 @@ int ssl_hook_Access(request_rec *r)
* Support for SSLRequireSSL directive
*/
if (dc->bSSLRequired && ssl == NULL) {
ap_log_reason("SSL connection required", r->filename, r);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed for %s, reason: %s", r->filename,
ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL),
"SSL connection required");
/* remember forbidden access for strict require option */
ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return FORBIDDEN;
apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return HTTP_FORBIDDEN;
}
/*
@@ -692,7 +700,7 @@ int ssl_hook_Access(request_rec *r)
"Unable to reconfigure (per-directory) permitted SSL ciphers");
if (skCipherOld != NULL)
sk_SSL_CIPHER_free(skCipherOld);
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
skCipher = SSL_get_ciphers(ssl);
@@ -745,12 +753,12 @@ int ssl_hook_Access(request_rec *r)
*/
if (dc->nVerifyDepth != UNSET) {
apctx = SSL_get_app_data2(ssl);
if ((vp = ap_ctx_get(apctx, "ssl::verify::depth")) != NULL)
if ((vp = (void *)apr_table_get(apctx, "ssl::verify::depth")) != NULL)
n = (int)AP_CTX_PTR2NUM(vp);
else
n = sc->nVerifyDepth;
ap_ctx_set(apctx, "ssl::verify::depth",
AP_CTX_NUM2PTR(dc->nVerifyDepth));
apr_table_setn(apctx, "ssl::verify::depth",
(const char *)AP_CTX_NUM2PTR(dc->nVerifyDepth));
/* determine whether a renegotiation has to be forced */
if (dc->nVerifyDepth < n) {
renegotiate = TRUE;
@@ -838,14 +846,14 @@ int ssl_hook_Access(request_rec *r)
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"for client authentication");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
if ((skCAList = ssl_init_FindCAList(r->server, r->pool,
cpCAFile, cpCAPath)) == NULL) {
ssl_log(r->server, SSL_LOG_ERROR,
"Unable to determine list of available "
"CA certificates for client authentication");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
SSL_set_client_CA_list(ssl, skCAList);
renegotiate = TRUE;
@@ -918,7 +926,7 @@ int ssl_hook_Access(request_rec *r)
if (renegotiate && r->method_number == M_POST) {
ssl_log(r->server, SSL_LOG_ERROR,
"SSL Re-negotiation in conjunction with POST method not supported!");
return METHOD_NOT_ALLOWED;
return HTTP_METHOD_NOT_ALLOWED;
}
/*
@@ -944,12 +952,12 @@ int ssl_hook_Access(request_rec *r)
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
certstack = SSL_get_peer_cert_chain(ssl);
if (certstack == NULL || sk_X509_num(certstack) == 0) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
cert = sk_X509_value(certstack, 0);
X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack);
@@ -976,7 +984,7 @@ int ssl_hook_Access(request_rec *r)
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake");
SSL_set_state(ssl, SSL_ST_ACCEPT);
@@ -984,7 +992,7 @@ int ssl_hook_Access(request_rec *r)
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Not accepted by client!?");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
}
@@ -993,8 +1001,8 @@ int ssl_hook_Access(request_rec *r)
*/
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
ap_ctx_set(r->connection->client->ctx, "ssl::client::dn",
ap_pstrdup(r->connection->pool, cp));
apr_table_setn(r->connection->notes, "ssl::client::dn",
apr_pstrdup(r->connection->pool, cp));
free(cp);
}
@@ -1006,13 +1014,13 @@ int ssl_hook_Access(request_rec *r)
&& SSL_get_verify_result(ssl) != X509_V_OK ) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Client verification failed");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE
&& SSL_get_peer_certificate(ssl) == NULL ) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Client certificate missing");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
}
}
@@ -1030,7 +1038,7 @@ int ssl_hook_Access(request_rec *r)
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"to per-server configuration parameters");
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
@@ -1044,12 +1052,14 @@ int ssl_hook_Access(request_rec *r)
pRequirement = &pRequirements[i];
ok = ssl_expr_exec(r, pRequirement->mpExpr);
if (ok < 0) {
cp = ap_psprintf(r->pool, "Failed to execute SSL requirement expression: %s",
cp = apr_psprintf(r->pool, "Failed to execute SSL requirement expression: %s",
ssl_expr_get_error());
ap_log_reason(cp, r->filename, r);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed for %s, reason: %s", r->filename,
ap_get_remote_host(r->connection, r->per_dir_config, 1, NULL), cp);
/* remember forbidden access for strict require option */
ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return FORBIDDEN;
apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return HTTP_FORBIDDEN;
}
if (ok != 1) {
ssl_log(r->server, SSL_LOG_INFO,
@@ -1057,11 +1067,14 @@ int ssl_hook_Access(request_rec *r)
r->filename, r->connection->remote_ip);
ssl_log(r->server, SSL_LOG_INFO,
"Failed expression: %s", pRequirement->cpExpr);
ap_log_reason("SSL requirement expression not fulfilled "
"(see SSL logfile for more details)", r->filename, r);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed for %s, reason: %s", r->filename,
ap_get_remote_host(r->connection, r->per_dir_config, 1, NULL),
"SSL requirement expression not fulfilled "
"(see SSL logfile for more details)");
/* remember forbidden access for strict require option */
ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return FORBIDDEN;
apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
return HTTP_FORBIDDEN;
}
}
@@ -1099,8 +1112,8 @@ int ssl_hook_Auth(request_rec *r)
* when strict require option is used.
*/
if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
&& (ap_table_get(r->notes, "ssl-access-forbidden") != NULL))
return FORBIDDEN;
&& (apr_table_get(r->notes, "ssl-access-forbidden") != NULL))
return HTTP_FORBIDDEN;
/*
* Make sure the user is not able to fake the client certificate
@@ -1108,7 +1121,7 @@ int ssl_hook_Auth(request_rec *r)
* ("/XX=YYY/XX=YYY/..") as the username and "password" as the
* password.
*/
if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) {
if ((cpAL = apr_table_get(r->headers_in, "Authorization")) != NULL) {
if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) {
while (*cpAL == ' ' || *cpAL == '\t')
cpAL++;
@@ -1116,7 +1129,7 @@ int ssl_hook_Auth(request_rec *r)
cpUN = ap_getword_nulls(r->pool, &cpAL, ':');
cpPW = cpAL;
if (cpUN[0] == '/' && strEQ(cpPW, "password"))
return FORBIDDEN;
return HTTP_FORBIDDEN;
}
}
@@ -1125,13 +1138,13 @@ int ssl_hook_Auth(request_rec *r)
*/
if (!sc->bEnabled)
return DECLINED;
if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
if (apr_table_get(r->connection->notes, "ssl") == NULL)
return DECLINED;
if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH))
return DECLINED;
if (r->connection->user)
if (r->user)
return DECLINED;
if ((clientdn = (char *)ap_ctx_get(r->connection->client->ctx, "ssl::client::dn")) == NULL)
if ((clientdn = (char *)apr_table_get(r->connection->notes, "ssl::client::dn")) == NULL)
return DECLINED;
/*
@@ -1145,10 +1158,10 @@ int ssl_hook_Auth(request_rec *r)
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
ap_snprintf(b1, sizeof(b1), "%s:password", clientdn);
apr_snprintf(b1, sizeof(b1), "%s:password", clientdn);
ssl_util_uuencode(b2, b1, FALSE);
ap_snprintf(b1, sizeof(b1), "Basic %s", b2);
ap_table_set(r->headers_in, "Authorization", b1);
apr_snprintf(b1, sizeof(b1), "Basic %s", b2);
apr_table_set(r->headers_in, "Authorization", b1);
ssl_log(r->server, SSL_LOG_INFO,
"Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
@@ -1164,8 +1177,8 @@ int ssl_hook_UserCheck(request_rec *r)
* when strict require option is used.
*/
if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
&& (ap_table_get(r->notes, "ssl-access-forbidden") != NULL))
return FORBIDDEN;
&& (apr_table_get(r->notes, "ssl-access-forbidden") != NULL))
return HTTP_FORBIDDEN;
return DECLINED;
}
@@ -1259,7 +1272,7 @@ int ssl_hook_Fixup(request_rec *r)
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
table *e = r->subprocess_env;
apr_table_t *e = r->subprocess_env;
char *var;
char *val;
STACK_OF(X509) *sk;
@@ -1271,21 +1284,23 @@ int ssl_hook_Fixup(request_rec *r)
*/
if (!sc->bEnabled)
return DECLINED;
if ((ssl = ap_ctx_get(r->connection->client->ctx, "ssl")) == NULL)
if ((ssl = (SSL *)apr_table_get(r->connection->notes, "ssl")) == NULL)
return DECLINED;
/*
* Annotate the SSI/CGI environment with standard SSL information
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
ap_table_set(e, "HTTPS", "on");
apr_table_set(e, "HTTPS", "on");
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
#if 0 /* XXX */
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
#endif
if (!strIsEmpty(val))
ap_table_set(e, var, val);
apr_table_set(e, var, val);
}
}
@@ -1293,16 +1308,20 @@ int ssl_hook_Fixup(request_rec *r)
* On-demand bloat up the SSI/CGI environment with certificate data
*/
if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
#if 0 /* XXX */
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT");
ap_table_set(e, "SSL_SERVER_CERT", val);
apr_table_set(e, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
ap_table_set(e, "SSL_CLIENT_CERT", val);
apr_table_set(e, "SSL_CLIENT_CERT", val);
#endif
if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
for (i = 0; i < sk_X509_num(sk); i++) {
var = ap_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
#if 0 /* XXX */
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
#endif
if (val != NULL)
ap_table_set(e, var, val);
apr_table_setn(e, var, val);
}
}
}
@@ -1351,7 +1370,7 @@ int ssl_hook_Fixup(request_rec *r)
*/
RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = ssl_util_getmodconfig_ssl(pSSL, "ssl_module");
RSA *rsa;
rsa = NULL;
@@ -1377,7 +1396,7 @@ RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
*/
DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = ssl_util_getmodconfig_ssl(pSSL, "ssl_module");
DH *dh;
dh = NULL;
@@ -1410,7 +1429,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
request_rec *r;
SSLSrvConfigRec *sc;
SSLDirConfigRec *dc;
ap_ctx *actx;
apr_table_t *actx;
X509 *xs;
int errnum;
int errdepth;
@@ -1424,9 +1443,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
*/
ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn = (conn_rec *)SSL_get_app_data(ssl);
actx = (ap_ctx *)SSL_get_app_data2(ssl);
r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec");
s = conn->server;
actx = (apr_table_t *)SSL_get_app_data2(ssl);
r = (request_rec *)apr_table_get(actx, "ssl::request_rec");
s = conn->base_server;
sc = mySrvConfig(s);
dc = (r != NULL ? myDirConfig(r) : NULL);
@@ -1469,7 +1488,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");
ap_ctx_set(conn->client->ctx, "ssl::verify::info", "GENEROUS");
apr_table_setn(conn->notes, "ssl::verify::info", "GENEROUS");
ok = TRUE;
}
@@ -1488,8 +1507,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
if (!ok) {
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum));
ap_ctx_set(conn->client->ctx, "ssl::client::dn", NULL);
ap_ctx_set(conn->client->ctx, "ssl::verify::error",
apr_table_setn(conn->notes, "ssl::client::dn", NULL);
apr_table_setn(conn->notes, "ssl::verify::error",
(void *)X509_verify_cert_error_string(errnum));
}
@@ -1505,7 +1524,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
errdepth, depth);
ap_ctx_set(conn->client->ctx, "ssl::verify::error",
apr_table_setn(conn->notes, "ssl::verify::error",
(void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
ok = FALSE;
}
@@ -1698,7 +1717,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
* Get Apache context back through OpenSSL context
*/
conn = (conn_rec *)SSL_get_app_data(ssl);
s = conn->server;
s = conn->base_server;
sc = mySrvConfig(s);
/*
@@ -1749,7 +1768,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry(
* Get Apache context back through OpenSSL context
*/
conn = (conn_rec *)SSL_get_app_data(ssl);
s = conn->server;
s = conn->base_server;
/*
* Try to retrieve the SSL_SESSION from the inter-process cache
@@ -1829,7 +1848,7 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
*/
if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
return;
s = c->server;
s = c->base_server;
if ((sc = mySrvConfig(s)) == NULL)
return;
@@ -1873,6 +1892,7 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
* right after a finished handshake.
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
#if 0 /* XXX */
ssl_log(s, SSL_LOG_INFO,
"Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"),
@@ -1880,10 +1900,9 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
#endif
}
return;
}
#endif /* XXX */

57
modules/ssl/ssl_engine_log.c
View File

@@ -62,8 +62,6 @@
-- Ralf S. Engelschall */
#include "mod_ssl.h"
#if 0 /* XXX */
/* _________________________________________________________________
**
** Logfile Support
@@ -73,9 +71,9 @@
/*
* Open the SSL logfile
*/
void ssl_log_open(server_rec *s_main, server_rec *s, pool *p)
void ssl_log_open(server_rec *s_main, server_rec *s, apr_pool_t *p)
{
char *szLogFile;
const char *szLogFile;
SSLSrvConfigRec *sc_main = mySrvConfig(s_main);
SSLSrvConfigRec *sc = mySrvConfig(s);
piped_log *pl;
@@ -97,23 +95,23 @@ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p)
if (strEQ(sc->szLogFile, "/dev/null"))
return;
else if (sc->szLogFile[0] == '|') {
szLogFile = ap_server_root_relative(p, "log", sc->szLogFile+1);
szLogFile = ap_server_root_relative(p, sc->szLogFile+1);
if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open reliable pipe to SSL logfile filter %s", szLogFile);
ssl_die();
}
sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a");
setbuf(sc->fileLogFile, NULL);
sc->fileLogFile = ap_piped_log_write_fd(pl);
}
else {
szLogFile = ap_server_root_relative(p, "log", sc->szLogFile);
if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) {
szLogFile = ap_server_root_relative(p, sc->szLogFile);
if ((apr_file_open(&(sc->fileLogFile), szLogFile,
APR_WRITE|APR_APPEND|APR_CREATE, APR_OS_DEFAULT, p))
!= APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSL logfile %s", szLogFile);
ssl_die();
}
setbuf(sc->fileLogFile, NULL);
}
}
return;
@@ -184,8 +182,8 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
char vstr[1024];
char str[1024];
char nstr[2];
int timz;
struct tm *t;
apr_size_t len;
apr_exploded_time_t t;
va_list ap;
int add;
int i;
@@ -223,10 +221,10 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
if (add & SSL_NO_TIMESTAMP)
tstr[0] = NUL;
else {
t = ap_get_gmtoff(&timz);
strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);
i = strlen(tstr);
ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid());
apr_explode_localtime(&t, apr_time_now());
apr_strftime(tstr, &len, 80, "[%d/%b/%Y %H:%M:%S", &t);
apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), " %05d] ",
(unsigned int)getpid());
}
/* determine whether newline should be written */
@@ -242,7 +240,7 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
if (!(add & SSL_NO_LEVELID)) {
for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) {
if (ssl_log_level2string[i].nLevel == level) {
ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
apr_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
break;
}
}
@@ -252,7 +250,7 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
}
/* create custom message */
ap_vsnprintf(vstr, sizeof(vstr), msg, ap);
apr_vsnprintf(vstr, sizeof(vstr), msg, ap);
/* write out SSLog message */
if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR))
@@ -264,22 +262,23 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
else
astr = "";
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr);
fprintf(sc->fileLogFile, "%s", str);
apr_snprintf(str, sizeof(str), "%s%s%s%s%s",
tstr, lstr, vstr, astr, nstr);
apr_file_printf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"mod_ssl: %s%s", vstr, astr);
/* write out additional attachment messages */
if (add & SSL_ADD_ERRNO) {
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
apr_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
tstr, lstr, strerror(safe_errno), safe_errno, nstr);
fprintf(sc->fileLogFile, "%s", str);
apr_file_printf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"System: %s (errno: %d)",
strerror(safe_errno), safe_errno);
}
@@ -288,15 +287,15 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
cpE = ERR_error_string(e, NULL);
cpA = ssl_log_annotation(cpE);
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
apr_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
tstr, lstr, SSL_LIBRARY_NAME, cpE,
cpA != NULL ? " [Hint: " : "",
cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
nstr);
fprintf(sc->fileLogFile, "%s", str);
apr_file_printf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
cpA != NULL ? " [Hint: " : "",
cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
@@ -307,7 +306,7 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
/* cleanup and return */
if (sc->fileLogFile != NULL)
fflush(sc->fileLogFile);
apr_file_flush(sc->fileLogFile);
errno = safe_errno;
va_end(ap);
return;
@@ -323,5 +322,3 @@ void ssl_die(void)
exit(1);
}
#endif /* XXX */

14
modules/ssl/ssl_engine_mutex.c
View File

@@ -62,11 +62,9 @@
-- Unknown */
#include "mod_ssl.h"
#if 0 /* XXX */
int ssl_mutex_init(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
@@ -78,7 +76,7 @@ int ssl_mutex_init(server_rec *s, apr_pool_t *p)
int ssl_mutex_reinit(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
@@ -89,7 +87,7 @@ int ssl_mutex_reinit(server_rec *s, apr_pool_t *p)
int ssl_mutex_on(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
@@ -102,7 +100,7 @@ int ssl_mutex_on(server_rec *s)
int ssl_mutex_off(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
@@ -115,7 +113,7 @@ int ssl_mutex_off(server_rec *s)
int ssl_mutex_kill(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
@@ -124,5 +122,3 @@ int ssl_mutex_kill(server_rec *s)
return TRUE;
}
#endif /* XXX */

58
modules/ssl/ssl_engine_pphrase.c
View File

@@ -63,8 +63,6 @@
-- Clifford Stoll */
#include "mod_ssl.h"
#if 0 /* XXX */
/* _________________________________________________________________
**
** Pass Phrase and Private Key Handling
@@ -75,9 +73,9 @@
#define BUILTIN_DIALOG_BACKOFF 2
#define BUILTIN_DIALOG_RETRIES 5
void ssl_pphrase_Handle(server_rec *s, pool *p)
void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc;
server_rec *pServ;
char *cpVHostID;
@@ -137,8 +135,12 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
algoKey = SSL_ALGO_UNKNOWN;
for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) {
ap_cpystrn(szPath, sc->szPublicCertFile[i], sizeof(szPath));
apr_cpystrn(szPath, sc->szPublicCertFile[i], sizeof(szPath));
#if 0 /* XXX */
if ((fp = ap_pfopen(p, szPath, "r")) == NULL) {
#else
if ((fp = fopen(szPath, "r")) == NULL) {
#endif
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server certificate file %s", szPath);
ssl_die();
@@ -148,7 +150,11 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
"Init: Unable to read server certificate from file %s", szPath);
ssl_die();
}
#if 0 /* XXX */
ap_pfclose(p, fp);
#else
fclose(fp);
#endif
/*
* check algorithm type of certificate and make
@@ -170,10 +176,10 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
* certificate is actually used to configure mod_ssl's per-server
* configuration structures).
*/
cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPublicCert, cp);
asn1->nData = i2d_X509(pX509Cert, NULL);
asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_X509(pX509Cert, &ucp); /* 2nd arg increments */
/*
@@ -199,7 +205,7 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
* by trying to re-use already known/entered pass phrases.
*/
if (sc->szPrivateKeyFile[j] != NULL)
ap_cpystrn(szPath, sc->szPrivateKeyFile[j++], sizeof(szPath));
apr_cpystrn(szPath, sc->szPrivateKeyFile[j++], sizeof(szPath));
/*
* Try to read the private key file with the help of
@@ -230,15 +236,23 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
* the callback function which serves the pass
* phrases to OpenSSL
*/
#if 0 /* XXX */
if ((fp = ap_pfopen(p, szPath, "r")) == NULL) {
#else
if ((fp = fopen(szPath, "r")) == NULL) {
#endif
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server private key file %s", szPath);
ssl_die();
}
cpPassPhraseCur = NULL;
bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL,
ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE);
ssl_pphrase_Handle_CB, s)) != NULL ? TRUE : FALSE);
#if 0 /* XXX */
ap_pfclose(p, fp);
#else
fclose(fp);
#endif
/*
* when the private key file now was readable,
@@ -348,10 +362,10 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
* because the SSL library uses static variables inside a
* RSA structure which do not survive DSO reloads!)
*/
cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPrivateKey, cp);
asn1->nData = i2d_PrivateKey(pPrivateKey, NULL);
asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
/*
@@ -385,11 +399,11 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
return;
}
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig((server_rec *)srv);
server_rec *s;
pool *p;
apr_pool_t *p;
ssl_ds_array *aPassPhrase;
SSLSrvConfigRec *sc;
int *pnPassPhraseCur;
@@ -407,7 +421,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
* Reconnect to the context of ssl_phrase_Handle()
*/
s = myCtxVarGet(mc, 1, server_rec *);
p = myCtxVarGet(mc, 2, pool *);
p = myCtxVarGet(mc, 2, apr_pool_t *);
aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
@@ -425,7 +439,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
* When remembered pass phrases are available use them...
*/
if ((cpp = (char **)ssl_ds_array_get(aPassPhrase, *pnPassPhraseCur)) != NULL) {
ap_cpystrn(buf, *cpp, bufsize);
apr_cpystrn(buf, *cpp, bufsize);
len = strlen(buf);
return len;
}
@@ -472,7 +486,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
*/
if (*pnPassPhraseDialog == 1) {
fprintf(stderr, "%s mod_ssl/%s (Pass Phrase Dialog)\n",
SERVER_BASEVERSION, MOD_SSL_VERSION);
AP_SERVER_BASEVERSION, MOD_SSL_VERSION);
fprintf(stderr, "Some of your private key files are encrypted for security reasons.\n");
fprintf(stderr, "In order to read them you have to provide us with the pass phrases.\n");
}
@@ -523,18 +537,18 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
sc->szPassPhraseDialogPath);
if (strchr(sc->szPassPhraseDialogPath, ' ') != NULL)
cmd = ap_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
cmd = apr_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
else
cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
cmd = apr_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
result = ssl_util_readfilter(s, p, cmd);
ap_cpystrn(buf, result, bufsize);
apr_cpystrn(buf, result, bufsize);
len = strlen(buf);
}
/*
* Ok, we now have the pass phrase, so give it back
*/
*cppPassPhraseCur = ap_pstrdup(p, buf);
*cppPassPhraseCur = apr_pstrdup(p, buf);
/*
* And return it's length to OpenSSL...
@@ -542,5 +556,3 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
return (len);
}
#endif /* XXX */

36
modules/ssl/ssl_engine_rand.c
View File

@@ -62,8 +62,6 @@
#include "mod_ssl.h"
#if 0 /* XXX */
/* _________________________________________________________________
**
** Support for better seeding of SSL library's RNG
@@ -71,22 +69,22 @@
*/
static int ssl_rand_choosenum(int, int);
static int ssl_rand_feedfp(pool *, FILE *, int);
static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int);
int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix)
int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
{
SSLModConfigRec *mc;
array_header *apRandSeed;
apr_array_header_t *apRandSeed;
ssl_randseed_t *pRandSeeds;
ssl_randseed_t *pRandSeed;
unsigned char stackdata[256];
int nReq, nDone;
FILE *fp;
apr_file_t *fp;
int i, n, l;
time_t t;
pid_t pid;
mc = myModConfig();
mc = myModConfig(s);
nReq = 0;
nDone = 0;
apRandSeed = mc->aRandSeed;
@@ -99,16 +97,17 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix)
/*
* seed in contents of an external file
*/
if ((fp = ap_pfopen(p, pRandSeed->cpPath, "r")) == NULL)
if (apr_file_open(&fp, pRandSeed->cpPath,
APR_READ, APR_OS_DEFAULT, p) != APR_SUCCESS)
continue;
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
ap_pfclose(p, fp);
apr_file_close(fp);
}
else if (pRandSeed->nSrc == SSL_RSSRC_EXEC) {
/*
* seed in contents generated by an external program
*/
if ((fp = ssl_util_ppopen(s, p, ap_psprintf(p, "%s %d",
if ((fp = ssl_util_ppopen(s, p, apr_psprintf(p, "%s %d",
pRandSeed->cpPath, pRandSeed->nBytes))) == NULL)
continue;
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
@@ -171,13 +170,13 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix)
#define BUFSIZE 8192
static int ssl_rand_feedfp(pool *p, FILE *fp, int nReq)
static int ssl_rand_feedfp(apr_pool_t *p, apr_file_t *fp, int nReq)
{
int nDone;
apr_size_t nDone;
unsigned char caBuf[BUFSIZE];
int nBuf;
int nRead;
int nTodo;
apr_size_t nBuf;
apr_size_t nRead;
apr_size_t nTodo;
nDone = 0;
nRead = BUFSIZE;
@@ -185,7 +184,8 @@ static int ssl_rand_feedfp(pool *p, FILE *fp, int nReq)
while (1) {
if (nReq > 0)
nRead = (nTodo < BUFSIZE ? nTodo : BUFSIZE);
if ((nBuf = (int)fread(caBuf, 1, nRead, fp)) <= 0)
nBuf = nRead;
if (apr_file_read(fp, caBuf, &nBuf) != APR_SUCCESS)
break;
RAND_seed(caBuf, nBuf);
nDone += nBuf;
@@ -204,7 +204,7 @@ static int ssl_rand_choosenum(int l, int h)
char buf[50];
srand((unsigned int)time(NULL));
ap_snprintf(buf, sizeof(buf), "%.0f",
apr_snprintf(buf, sizeof(buf), "%.0f",
(((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l)));
i = atoi(buf)+1;
if (i < l) i = l;
@@ -212,5 +212,3 @@ static int ssl_rand_choosenum(int l, int h)
return i;
}
#endif /* XXX */

144
modules/ssl/ssl_engine_vars.c
View File

@@ -68,20 +68,18 @@
** _________________________________________________________________
*/
#if 0 /* XXX */
static char *ssl_var_lookup_header(pool *p, request_rec *r, const char *name);
static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var);
static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var);
static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm);
static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *var);
static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c);
static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var);
static char *ssl_var_lookup_header(apr_pool_t *p, request_rec *r, const char *name);
static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var);
static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm);
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(pool *p, char *var);
#endif /* XXX */
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
void ssl_var_register(void)
{
@@ -102,11 +100,9 @@ void ssl_var_unregister(void)
return;
}
#if 0 /* XXX */
char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
char *result;
BOOL resdup;
time_t tc;
@@ -153,7 +149,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
else if (strcEQ(var, "REQUEST_METHOD"))
result = (char *)(r->method);
else if (strcEQ(var, "REQUEST_SCHEME"))
result = ap_http_method(r);
result = (char *)ap_http_method(r);
else if (strcEQ(var, "REQUEST_URI"))
result = r->uri;
else if (strcEQ(var, "SCRIPT_FILENAME") ||
@@ -165,7 +161,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
result = r->args;
else if (strcEQ(var, "REMOTE_HOST"))
result = (char *)ap_get_remote_host(r->connection,
r->per_dir_config, REMOTE_NAME);
r->per_dir_config, REMOTE_NAME, NULL);
else if (strcEQ(var, "REMOTE_IDENT"))
result = (char *)ap_get_remote_logname(r);
else if (strcEQ(var, "IS_SUBREQ"))
@@ -177,7 +173,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
else if (strcEQ(var, "SERVER_NAME"))
result = (char *)ap_get_server_name(r);
else if (strcEQ(var, "SERVER_PORT"))
result = ap_psprintf(p, "%u", ap_get_server_port(r));
result = apr_psprintf(p, "%u", ap_get_server_port(r));
else if (strcEQ(var, "SERVER_PROTOCOL"))
result = r->protocol;
}
@@ -189,13 +185,13 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
if (strcEQ(var, "REMOTE_ADDR"))
result = c->remote_ip;
else if (strcEQ(var, "REMOTE_USER"))
result = c->user;
result = r->user;
else if (strcEQ(var, "AUTH_TYPE"))
result = c->ap_auth_type;
result = r->ap_auth_type;
else if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
result = ssl_var_lookup_ssl(p, c, var+4);
else if (strcEQ(var, "HTTPS")) {
if (ap_ctx_get(c->client->ctx, "ssl") != NULL)
if (apr_table_get(c->notes, "ssl") != NULL)
result = "on";
else
result = "off";
@@ -211,20 +207,20 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
else if (strcEQ(var, "SERVER_SOFTWARE"))
result = (char *)ap_get_server_version();
else if (strcEQ(var, "API_VERSION")) {
result = ap_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
resdup = FALSE;
}
else if (strcEQ(var, "TIME_YEAR")) {
tc = time(NULL);
tm = localtime(&tc);
result = ap_psprintf(p, "%02d%02d",
result = apr_psprintf(p, "%02d%02d",
(tm->tm_year / 100) + 19, tm->tm_year % 100);
resdup = FALSE;
}
#define MKTIMESTR(format, tmfield) \
tc = time(NULL); \
tm = localtime(&tc); \
result = ap_psprintf(p, format, tm->tmfield); \
result = apr_psprintf(p, format, tm->tmfield); \
resdup = FALSE;
else if (strcEQ(var, "TIME_MON")) {
MKTIMESTR("%02d", tm_mon+1)
@@ -247,7 +243,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
else if (strcEQ(var, "TIME")) {
tc = time(NULL);
tm = localtime(&tc);
result = ap_psprintf(p,
result = apr_psprintf(p,
"%02d%02d%02d%02d%02d%02d%02d", (tm->tm_year / 100) + 19,
(tm->tm_year % 100), tm->tm_mon+1, tm->tm_mday,
tm->tm_hour, tm->tm_min, tm->tm_sec);
@@ -255,39 +251,31 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
}
/* all other env-variables from the parent Apache process */
else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) {
result = (char *)ap_table_get(r->notes, var+4);
result = (char *)apr_table_get(r->notes, var+4);
if (result == NULL)
result = (char *)ap_table_get(r->subprocess_env, var+4);
result = (char *)apr_table_get(r->subprocess_env, var+4);
if (result == NULL)
result = getenv(var+4);
}
}
if (result != NULL && resdup)
result = ap_pstrdup(p, result);
result = apr_pstrdup(p, result);
if (result == NULL)
result = "";
return result;
}
static char *ssl_var_lookup_header(pool *p, request_rec *r, const char *name)
static char *ssl_var_lookup_header(apr_pool_t *p, request_rec *r, const char *name)
{
array_header *hdrs_arr;
table_entry *hdrs;
int i;
char *hdr = NULL;
hdrs_arr = ap_table_elts(r->headers_in);
hdrs = (table_entry *)hdrs_arr->elts;
for (i = 0; i < hdrs_arr->nelts; ++i) {
if (hdrs[i].key == NULL)
continue;
if (strcEQ(hdrs[i].key, name))
return ap_pstrdup(p, hdrs[i].val);
}
return NULL;
if ((hdr = (char *)apr_table_get(r->headers_in, name)) != NULL)
hdr = apr_pstrdup(p, hdr);
return hdr;
}
static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var)
static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
{
char *result;
X509 *xs;
@@ -296,7 +284,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var)
result = NULL;
ssl = ap_ctx_get(c->client->ctx, "ssl");
ssl = (SSL *)apr_table_get(c->notes, "ssl");
if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
result = ssl_var_lookup_ssl_version(p, var+8);
}
@@ -305,7 +293,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var)
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
SSL_SESSION *pSession = SSL_get_session(ssl);
result = ap_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id,
result = apr_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id,
pSession->session_id_length));
}
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
@@ -329,7 +317,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var)
return result;
}
static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var)
{
char *result;
BOOL resdup;
@@ -341,7 +329,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
resdup = TRUE;
if (strcEQ(var, "M_VERSION")) {
result = ap_psprintf(p, "%lu", X509_get_version(xs)+1);
result = apr_psprintf(p, "%lu", X509_get_version(xs)+1);
resdup = FALSE;
}
else if (strcEQ(var, "M_SERIAL")) {
@@ -356,7 +344,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
else if (strcEQ(var, "S_DN")) {
xsname = X509_get_subject_name(xs);
cp = X509_NAME_oneline(xsname, NULL, 0);
result = ap_pstrdup(p, cp);
result = apr_pstrdup(p, cp);
free(cp);
resdup = FALSE;
}
@@ -368,7 +356,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
else if (strcEQ(var, "I_DN")) {
xsname = X509_get_issuer_name(xs);
cp = X509_NAME_oneline(xsname, NULL, 0);
result = ap_pstrdup(p, cp);
result = apr_pstrdup(p, cp);
free(cp);
resdup = FALSE;
}
@@ -379,12 +367,12 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
}
else if (strcEQ(var, "A_SIG")) {
nid = OBJ_obj2nid(xs->cert_info->signature->algorithm);
result = ap_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
nid = OBJ_obj2nid(xs->cert_info->key->algor->algorithm);
result = ap_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "CERT")) {
@@ -392,7 +380,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
}
if (result != NULL && resdup)
result = ap_pstrdup(p, result);
result = apr_pstrdup(p, result);
return result;
}
@@ -417,7 +405,7 @@ static const struct {
{ NULL, 0 }
};
static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var)
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var)
{
char *result;
X509_NAME_ENTRY *xsne;
@@ -431,8 +419,8 @@ static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var)
xsne = sk_X509_NAME_ENTRY_value(xsname->entries, j);
n = OBJ_obj2nid(xsne->object);
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid) {
result = ap_palloc(p, xsne->value->length+1);
ap_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1);
result = apr_palloc(p, xsne->value->length+1);
apr_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1);
#ifdef CHARSET_EBCDIC
ascii2ebcdic(result, result, xsne->value->length);
#endif /* CHARSET_EBCDIC */
@@ -446,7 +434,7 @@ static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var)
return result;
}
static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm)
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm)
{
char *result;
BIO* bio;
@@ -456,14 +444,14 @@ static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm)
return NULL;
ASN1_UTCTIME_print(bio, tm);
n = BIO_pending(bio);
result = ap_pcalloc(p, n+1);
result = apr_pcalloc(p, n+1);
n = BIO_read(bio, result, n);
result[n] = NUL;
BIO_free(bio);
return result;
}
static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs)
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs)
{
char *result;
BIO *bio;
@@ -473,14 +461,14 @@ static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs)
return NULL;
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(xs));
n = BIO_pending(bio);
result = ap_pcalloc(p, n+1);
result = apr_pcalloc(p, n+1);
n = BIO_read(bio, result, n);
result[n] = NUL;
BIO_free(bio);
return result;
}
static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *var)
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var)
{
char *result;
X509 *xs;
@@ -499,7 +487,7 @@ static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *va
return result;
}
static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs)
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
{
char *result;
BIO *bio;
@@ -509,14 +497,14 @@ static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs)
return NULL;
PEM_write_bio_X509(bio, xs);
n = BIO_pending(bio);
result = ap_pcalloc(p, n+1);
result = apr_pcalloc(p, n+1);
n = BIO_read(bio, result, n);
result[n] = NUL;
BIO_free(bio);
return result;
}
static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c)
static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
{
char *result;
long vrc;
@@ -526,9 +514,9 @@ static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c)
X509 *xs;
result = NULL;
ssl = ap_ctx_get(c->client->ctx, "ssl");
verr = ap_ctx_get(c->client->ctx, "ssl::verify::error");
vinfo = ap_ctx_get(c->client->ctx, "ssl::verify::info");
ssl = (SSL *) apr_table_get(c->notes, "ssl");
verr = (char *)apr_table_get(c->notes, "ssl::verify::error");
vinfo = (char *)apr_table_get(c->notes, "ssl::verify::info");
vrc = SSL_get_verify_result(ssl);
xs = SSL_get_peer_certificate(ssl);
@@ -543,11 +531,11 @@ static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c)
result = "GENEROUS";
else
/* client verification failed */
result = ap_psprintf(p, "FAILED:%s", verr);
result = apr_psprintf(p, "FAILED:%s", verr);
return result;
}
static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var)
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var)
{
char *result;
BOOL resdup;
@@ -557,7 +545,7 @@ static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var)
result = NULL;
resdup = TRUE;
ssl = ap_ctx_get(c->client->ctx, "ssl");
ssl = (SSL *)apr_table_get(c->notes, "ssl");
ssl_var_lookup_ssl_cipher_bits(ssl, &usekeysize, &algkeysize);
if (strEQ(var, ""))
@@ -565,16 +553,16 @@ static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var)
else if (strcEQ(var, "_EXPORT"))
result = (usekeysize < 56 ? "true" : "false");
else if (strcEQ(var, "_USEKEYSIZE")) {
result = ap_psprintf(p, "%d", usekeysize);
result = apr_psprintf(p, "%d", usekeysize);
resdup = FALSE;
}
else if (strcEQ(var, "_ALGKEYSIZE")) {
result = ap_psprintf(p, "%d", algkeysize);
result = apr_psprintf(p, "%d", algkeysize);
resdup = FALSE;
}
if (result != NULL && resdup)
result = ap_pstrdup(p, result);
result = apr_pstrdup(p, result);
return result;
}
@@ -590,7 +578,7 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke
return;
}
static char *ssl_var_lookup_ssl_version(pool *p, char *var)
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
{
char *result;
char *cp, *cp2;
@@ -599,16 +587,16 @@ static char *ssl_var_lookup_ssl_version(pool *p, char *var)
if (strEQ(var, "PRODUCT")) {
#if defined(SSL_PRODUCT_NAME) && defined(SSL_PRODUCT_VERSION)
result = ap_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
result = apr_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
#else
result = NULL;
#endif
}
else if (strEQ(var, "INTERFACE")) {
result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
result = apr_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
}
else if (strEQ(var, "LIBRARY")) {
result = ap_pstrdup(p, SSL_LIBRARY_TEXT);
result = apr_pstrdup(p, SSL_LIBRARY_TEXT);
if ((cp = strchr(result, ' ')) != NULL) {
*cp = '/';
if ((cp2 = strchr(cp, ' ')) != NULL)
@@ -617,7 +605,3 @@ static char *ssl_var_lookup_ssl_version(pool *p, char *var)
}
return result;
}
#endif /* XXX */

37
modules/ssl/ssl_scache.c
View File

@@ -63,106 +63,115 @@
-- Unknown */
#include "mod_ssl.h"
#if 0 /* XXX */
/* _________________________________________________________________
**
** Session Cache: Common Abstraction Layer
** _________________________________________________________________
*/
void ssl_scache_init(server_rec *s, pool *p)
void ssl_scache_init(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_init(s, p);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_init(s, p);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_init(s, p);
#endif
return;
}
void ssl_scache_kill(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_kill(s);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_kill(s);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_kill(s);
#endif
return;
}
BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
BOOL rv = FALSE;
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
rv = ssl_scache_dbm_store(s, id, idlen, expiry, sess);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
rv = ssl_scache_shmht_store(s, id, idlen, expiry, sess);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
rv = ssl_scache_shmcb_store(s, id, idlen, expiry, sess);
#endif
return rv;
}
SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
SSL_SESSION *sess = NULL;
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
sess = ssl_scache_dbm_retrieve(s, id, idlen);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
sess = ssl_scache_shmht_retrieve(s, id, idlen);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
sess = ssl_scache_shmcb_retrieve(s, id, idlen);
#endif
return sess;
}
void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_remove(s, id, idlen);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_remove(s, id, idlen);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_remove(s, id, idlen);
#endif
return;
}
void ssl_scache_status(server_rec *s, pool *p, void (*func)(char *, void *), void *arg)
void ssl_scache_status(server_rec *s, apr_pool_t *p, void (*func)(char *, void *), void *arg)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_status(s, p, func, arg);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_status(s, p, func, arg);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_status(s, p, func, arg);
#endif
return;
}
void ssl_scache_expire(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_expire(s);
#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_expire(s);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_expire(s);
#endif
return;
}
#endif /* XXX */

139
modules/ssl/ssl_scache_dbm.c
View File

@@ -59,11 +59,9 @@
#include "mod_ssl.h"
#if 0 /* XXX */
void ssl_scache_dbm_init(server_rec *s, pool *p)
void ssl_scache_dbm_init(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
/* for the DBM we need the data file */
@@ -74,8 +72,8 @@ void ssl_scache_dbm_init(server_rec *s, pool *p)
/* open it once to create it and to make sure it _can_ be created */
ssl_mutex_on(s);
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDWR|O_CREAT, SSL_DBM_FILE_MODE)) == NULL) {
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot create SSLSessionCache DBM file `%s'",
mc->szSessionCacheDataFile);
@@ -91,20 +89,20 @@ void ssl_scache_dbm_init(server_rec *s, pool *p)
* cannot exactly determine the suffixes we try all possibilities.
*/
if (geteuid() == 0 /* is superuser */) {
chown(mc->szSessionCacheDataFile, ap_user_id, -1 /* no gid change */);
if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL),
ap_user_id, -1) == -1) {
if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
ap_user_id, -1) == -1)
chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL),
ap_user_id, -1);
chown(mc->szSessionCacheDataFile, unixd_config.user_id, -1 /* no gid change */);
if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL),
unixd_config.user_id, -1) == -1) {
if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
unixd_config.user_id, -1) == -1)
chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL),
unixd_config.user_id, -1);
}
if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL),
ap_user_id, -1) == -1) {
if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
ap_user_id, -1) == -1)
chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL),
ap_user_id, -1);
if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL),
unixd_config.user_id, -1) == -1) {
if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
unixd_config.user_id, -1) == -1)
chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL),
unixd_config.user_id, -1);
}
}
#endif
@@ -115,26 +113,26 @@ void ssl_scache_dbm_init(server_rec *s, pool *p)
void ssl_scache_dbm_kill(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
pool *p;
SSLModConfigRec *mc = myModConfig(s);
apr_pool_t *p;
if ((p = ap_make_sub_pool(NULL)) != NULL) {
if ((p = apr_pool_sub_make(mc->pPool, NULL)) != NULL) {
/* the correct way */
unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL));
unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL));
unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL));
unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL));
/* the additional ways to be sure */
unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL));
unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL));
unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL));
unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL));
unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL));
unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL));
unlink(mc->szSessionCacheDataFile);
ap_destroy_pool(p);
apr_pool_destroy(p);
}
return;
}
BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
@@ -169,8 +167,8 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS
/* and store it to the DBM file */
ssl_mutex_on(s);
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for writing (store)",
mc->szSessionCacheDataFile);
@@ -178,7 +176,7 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS
free(dbmval.dptr);
return FALSE;
}
if (apr_dbm_store(dbm, dbmkey, dbmval, DBM_INSERT) < 0) {
if (apr_dbm_store(dbm, dbmkey, dbmval) < 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot store SSL session to DBM file `%s'",
mc->szSessionCacheDataFile);
@@ -201,7 +199,7 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS
SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
@@ -210,6 +208,7 @@ SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen)
int nData;
time_t expiry;
time_t now;
apr_status_t rc;
/* allow the regular expiring to occur */
ssl_scache_dbm_expire(s);
@@ -220,19 +219,21 @@ SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen)
/* and fetch it from the DBM file */
ssl_mutex_on(s);
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) {
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for reading (fetch)",
mc->szSessionCacheDataFile);
ssl_mutex_off(s);
return NULL;
}
dbmval = apr_dbm_fetch(dbm, dbmkey);
rc = apr_dbm_fetch(dbm, dbmkey, &dbmval);
apr_dbm_close(dbm);
ssl_mutex_off(s);
/* immediately return if not found */
if (rc != APR_SUCCESS)
return NULL;
if (dbmval.dptr == NULL || dbmval.dsize <= sizeof(time_t))
return NULL;
@@ -259,7 +260,7 @@ SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen)
void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
@@ -269,8 +270,8 @@ void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen)
/* and delete it from the DBM file */
ssl_mutex_on(s);
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for writing (delete)",
mc->szSessionCacheDataFile);
@@ -286,13 +287,13 @@ void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen)
void ssl_scache_dbm_expire(server_rec *s)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc = mySrvConfig(s);
static time_t tLast = 0;
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
pool *p;
apr_pool_t *p;
time_t tExpiresAt;
int nElements = 0;
int nDeleted = 0;
@@ -327,28 +328,28 @@ void ssl_scache_dbm_expire(server_rec *s)
ssl_mutex_on(s);
for (;;) {
/* allocate the key array in a memory sub pool */
if ((p = ap_make_sub_pool(NULL)) == NULL)
if ((p = apr_pool_sub_make(mc->pPool, NULL)) == NULL)
break;
if ((keylist = ap_palloc(p, sizeof(dbmkey)*KEYMAX)) == NULL) {
ap_destroy_pool(p);
if ((keylist = apr_palloc(p, sizeof(dbmkey)*KEYMAX)) == NULL) {
apr_pool_destroy(p);
break;
}
/* pass 1: scan DBM database */
keyidx = 0;
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE,SSL_DBM_FILE_MODE, p) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for scanning",
mc->szSessionCacheDataFile);
ap_destroy_pool(p);
apr_pool_destroy(p);
break;
}
dbmkey = apr_dbm_firstkey(dbm);
apr_dbm_firstkey(dbm, &dbmkey);
while (dbmkey.dptr != NULL) {
nElements++;
bDelete = FALSE;
dbmval = apr_dbm_fetch(dbm, dbmkey);
apr_dbm_fetch(dbm, dbmkey, &dbmval);
if (dbmval.dsize <= sizeof(time_t) || dbmval.dptr == NULL)
bDelete = TRUE;
else {
@@ -357,7 +358,7 @@ void ssl_scache_dbm_expire(server_rec *s)
bDelete = TRUE;
}
if (bDelete) {
if ((keylist[keyidx].dptr = ap_palloc(p, dbmkey.dsize)) != NULL) {
if ((keylist[keyidx].dptr = apr_palloc(p, dbmkey.dsize)) != NULL) {
memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize);
keylist[keyidx].dsize = dbmkey.dsize;
keyidx++;
@@ -365,17 +366,17 @@ void ssl_scache_dbm_expire(server_rec *s)
break;
}
}
dbmkey = apr_dbm_nextkey(dbm);
apr_dbm_nextkey(dbm, &dbmkey);
}
apr_dbm_close(dbm);
/* pass 2: delete expired elements */
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE,SSL_DBM_FILE_MODE, p) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot re-open SSLSessionCache DBM file `%s' for expiring",
mc->szSessionCacheDataFile);
ap_destroy_pool(p);
apr_pool_destroy(p);
break;
}
for (i = 0; i < keyidx; i++) {
@@ -385,7 +386,7 @@ void ssl_scache_dbm_expire(server_rec *s)
apr_dbm_close(dbm);
/* destroy temporary pool */
ap_destroy_pool(p);
apr_pool_destroy(p);
if (keyidx < KEYMAX)
break;
@@ -397,9 +398,9 @@ void ssl_scache_dbm_expire(server_rec *s)
return;
}
void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *), void *arg)
void ssl_scache_dbm_status(server_rec *s, apr_pool_t *p, void (*func)(char *, void *), void *arg)
{
SSLModConfigRec *mc = myModConfig();
SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
@@ -410,17 +411,23 @@ void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *),
nElem = 0;
nSize = 0;
ssl_mutex_on(s);
if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) {
/*
* XXX - Check what pool is to be used - TBD
*/
if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for status retrival",
mc->szSessionCacheDataFile);
ssl_mutex_off(s);
return;
}
dbmkey = apr_dbm_firstkey(dbm);
for ( ; dbmkey.dptr != NULL; dbmkey = apr_dbm_nextkey(dbm)) {
dbmval = apr_dbm_fetch(dbm, dbmkey);
/*
* XXX - Check the return value of apr_dbm_firstkey, apr_dbm_fetch - TBD
*/
apr_dbm_firstkey(dbm, &dbmkey);
for ( ; dbmkey.dptr != NULL; apr_dbm_nextkey(dbm, &dbmkey)) {
apr_dbm_fetch(dbm, dbmkey, &dbmval);
if (dbmval.dptr == NULL)
continue;
nElem += 1;
@@ -432,11 +439,9 @@ void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *),
nAverage = nSize / nElem;
else
nAverage = 0;
func(ap_psprintf(p, "cache type: <b>DBM</b>, maximum size: <b>unlimited</b><br>"), arg);
func(ap_psprintf(p, "current sessions: <b>%d</b>, current size: <b>%d</b> bytes<br>", nElem, nSize), arg);
func(ap_psprintf(p, "average session size: <b>%d</b> bytes<br>", nAverage), arg);
func(apr_psprintf(p, "cache type: <b>DBM</b>, maximum size: <b>unlimited</b><br>"), arg);
func(apr_psprintf(p, "current sessions: <b>%d</b>, current size: <b>%d</b> bytes<br>", nElem, nSize), arg);
func(apr_psprintf(p, "average session size: <b>%d</b> bytes<br>", nAverage), arg);
return;
}
#endif /* XXX */

31
modules/ssl/ssl_util.c
View File

@@ -298,3 +298,34 @@ char *ssl_util_ptxtsub(
return cpResult;
}
apr_status_t
ssl_util_setmodconfig(
server_rec *s, const char *key, SSLModConfigRec *mc)
{
return apr_pool_userdata_set((void *)mc, key, apr_pool_cleanup_null, s->process->pool);
}
SSLModConfigRec *
ssl_util_getmodconfig(
server_rec *s, const char *key)
{
SSLModConfigRec *mc = NULL;
if (apr_pool_userdata_get((void **)&mc, key, s->process->pool) != APR_SUCCESS)
ssl_log(s, SSL_LOG_TRACE, "Unable to retrieve SSLModConfig from global pool");
return mc;
}
SSLModConfigRec *
ssl_util_getmodconfig_ssl(
SSL *ssl, const char *key)
{
conn_rec *c;
SSLModConfigRec *mc = NULL;
c = SSL_get_app_data(ssl);
if (c != NULL)
mc = ssl_util_getmodconfig(c->base_server, key);
return mc;
}

4
modules/ssl/ssl_util_ssl.c
View File

@@ -148,7 +148,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
}
#endif
EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,void*))
EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
{
EVP_PKEY *rc;
BIO *bioS;
@@ -158,7 +158,7 @@ EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,
#if SSL_LIBRARY_VERSION < 0x00904000
rc = PEM_read_PrivateKey(fp, key, cb);
#else
rc = PEM_read_PrivateKey(fp, key, cb, NULL);
rc = PEM_read_PrivateKey(fp, key, cb, s);
#endif
if (rc == NULL) {
/* 2. try DER+Base64 */

2
modules/ssl/ssl_util_ssl.h
View File

@@ -95,7 +95,7 @@ int SSL_get_app_data2_idx(void);
void *SSL_get_app_data2(SSL *);
void SSL_set_app_data2(SSL *, void *);
X509 *SSL_read_X509(FILE *, X509 **, int (*)(char*,int,int,void*));
EVP_PKEY *SSL_read_PrivateKey(FILE *, EVP_PKEY **, int (*)(char*,int,int,void*));
EVP_PKEY *SSL_read_PrivateKey(FILE *, EVP_PKEY **, int (*)(char*,int,int,void*), void *);
int SSL_smart_shutdown(SSL *ssl);
X509_STORE *SSL_X509_STORE_create(char *, char *);
int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);