From: Jim Jagielski Date: Tue, 7 Jul 2020 16:57:22 +0000 (+0000) Subject: Merge r1705539, r1877263, r1877291, r1879445 from trunk: X-Git-Tag: 2.4.44~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d6cc695f25c60baabef99908d32d511d28ff4ac;p=thirdparty%2Fapache%2Fhttpd.git Merge r1705539, r1877263, r1877291, r1879445 from trunk: deduplicate the code handling the directory traversal for the SSL[Proxy]CACertificatePath and SSLProxyMachineCertificatePath directives * modules/ssl/ssl_engine_init.c (ssl_add_version_components, ssl_init_Module): Use temporary pool for variable lookup results which don't need to live in pconf. mod_ssl: Factor out code to read a BIO into a palloc'ed string: * modules/ssl/ssl_util_ssl.c (modssl_bio_free_read): New function. (asn1_string_convert): Use it here. * modules/ssl/ssl_engine_vars.c: Use it throughout. * modules/ssl/ssl_scache.c (ssl_scache_init): Use <16 character cname argument for socache ->init() per the API constraint. Submitted by: kbrand, jorton, jorton, jorton Reviewed by: jailletc36, minfrin, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1879598 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 7b8cd669a76..fc92ed982cf 100644 --- a/STATUS +++ b/STATUS @@ -144,17 +144,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: +1: ylavic, minfrin, jim ylavic: the patch drops changes to apreq, which seems to not be in 2.4. - *) mod_ssl: deduplicate some code - mod_ssl: Use temporary pool for variable lookup results which don't need to live in pconf - mod_ssl: Factor out code to read a BIO into a palloc'ed string - mod_ssl: Use <16 character cname argument for socache ->init() per the API constraint - trunk patch http://svn.apache.org/r1705539 - http://svn.apache.org/r1877263 - http://svn.apache.org/r1877291 - http://svn.apache.org/r1879445 - 2.4.x patch: svn merge -c 1705539,1877263,1877291,1879445 ^/httpd/httpd/trunk . - +1: jailletc36, minfrin, jim - *) core: Drop an invalid Last-Modified header value coming from a (F)CGI script instead of replacing it with Unix epoch. Warn the users about Last-Modified header value replacements diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index bfad47a099a..807c8410c38 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -32,6 +32,9 @@ #include "mpm_common.h" #include "mod_md.h" +static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *, + STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *); + APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server, (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx), (s,p,is_proxy,ctx), OK, DECLINED) @@ -169,15 +172,15 @@ DH *modssl_get_dh_params(unsigned keylen) return NULL; /* impossible to reach. */ } -static void ssl_add_version_components(apr_pool_t *p, +static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, server_rec *s) { - char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE"); - char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY"); - char *incver = ssl_var_lookup(p, s, NULL, NULL, + char *modver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_INTERFACE"); + char *libver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_LIBRARY"); + char *incver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_LIBRARY_INTERFACE"); - ap_add_version_component(p, libver); + ap_add_version_component(pconf, libver); ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01876) "%s compiled against Server: %s, Library: %s", @@ -428,7 +431,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, * Announce mod_ssl and SSL library in HTTP Server field * as ``mod_ssl/X.X.X OpenSSL/X.X.X'' */ - ssl_add_version_components(p, base_server); + ssl_add_version_components(ptemp, p, base_server); modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ @@ -1586,26 +1589,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, } if (pkp->cert_path) { - apr_dir_t *dir; - apr_finfo_t dirent; - apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; - - if (apr_dir_open(&dir, pkp->cert_path, ptemp) == APR_SUCCESS) { - while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) { - const char *fullname; - - if (dirent.filetype == APR_DIR) { - continue; /* don't try to load directories */ - } - - fullname = apr_pstrcat(ptemp, - pkp->cert_path, "/", dirent.name, - NULL); - load_x509_info(ptemp, sk, fullname); - } - - apr_dir_close(dir); - } + ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk); } if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { @@ -2133,6 +2117,40 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, sk_X509_NAME_free(sk); } +static apr_status_t ssl_init_ca_cert_path(server_rec *s, + apr_pool_t *ptemp, + const char *path, + STACK_OF(X509_NAME) *ca_list, + STACK_OF(X509_INFO) *xi_list) +{ + apr_dir_t *dir; + apr_finfo_t direntry; + apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; + + if (!path || (!ca_list && !xi_list) || + (apr_dir_open(&dir, path, ptemp) != APR_SUCCESS)) { + return APR_EGENERAL; + } + + while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) { + const char *file; + if (direntry.filetype == APR_DIR) { + continue; /* don't try to load directories */ + } + file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL); + if (ca_list) { + ssl_init_PushCAList(ca_list, s, ptemp, file); + } + if (xi_list) { + load_x509_info(ptemp, xi_list, file); + } + } + + apr_dir_close(dir); + + return APR_SUCCESS; +} + STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *ptemp, const char *ca_file, @@ -2165,30 +2183,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, /* * Process CA certificate path files */ - if (ca_path) { - apr_dir_t *dir; - apr_finfo_t direntry; - apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; - apr_status_t rv; - - if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211) - "Failed to open Certificate Path `%s'", - ca_path); - sk_X509_NAME_pop_free(ca_list, X509_NAME_free); - return NULL; - } - - while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) { - const char *file; - if (direntry.filetype == APR_DIR) { - continue; /* don't try to load directories */ - } - file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL); - ssl_init_PushCAList(ca_list, s, ptemp, file); - } - - apr_dir_close(dir); + if (ca_path && + ssl_init_ca_cert_path(s, ptemp, + ca_path, ca_list, NULL) != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02211) + "Failed to open Certificate Path `%s'", ca_path); + sk_X509_NAME_pop_free(ca_list, X509_NAME_free); + return NULL; } /* diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 5724f188904..827d8318cf5 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -460,18 +460,13 @@ static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r, } else { BIO* bio; - int n; unsigned long flags = XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB; + if ((bio = BIO_new(BIO_s_mem())) == NULL) return NULL; X509_NAME_print_ex(bio, xsname, 0, flags); - n = BIO_pending(bio); - if (n > 0) { - result = apr_palloc(p, n+1); - n = BIO_read(bio, result, n); - result[n] = NUL; - } - BIO_free(bio); + + result = modssl_bio_free_read(p, bio); } return result; } @@ -678,19 +673,13 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var) static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm) { - char *result; BIO* bio; - int n; if ((bio = BIO_new(BIO_s_mem())) == NULL) return NULL; ASN1_TIME_print(bio, tm); - n = BIO_pending(bio); - result = apr_pcalloc(p, n+1); - n = BIO_read(bio, result, n); - result[n] = NUL; - BIO_free(bio); - return result; + + return modssl_bio_free_read(p, bio); } #define DIGIT2NUM(x) (((x)[0] - '0') * 10 + (x)[1] - '0') @@ -739,19 +728,13 @@ static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm) static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs) { - char *result; BIO *bio; - int n; if ((bio = BIO_new(BIO_s_mem())) == NULL) return NULL; i2a_ASN1_INTEGER(bio, X509_get_serialNumber(xs)); - n = BIO_pending(bio); - result = apr_pcalloc(p, n+1); - n = BIO_read(bio, result, n); - result[n] = NUL; - BIO_free(bio); - return result; + + return modssl_bio_free_read(p, bio); } static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var) @@ -806,19 +789,13 @@ static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs) { - char *result; BIO *bio; - int n; if ((bio = BIO_new(BIO_s_mem())) == NULL) return NULL; PEM_write_bio_X509(bio, xs); - n = BIO_pending(bio); - result = apr_pcalloc(p, n+1); - n = BIO_read(bio, result, n); - result[n] = NUL; - BIO_free(bio); - return result; + + return modssl_bio_free_read(p, bio); } static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn) diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c index 7b4a2036e94..c0a0950d62a 100644 --- a/modules/ssl/ssl_scache.c +++ b/modules/ssl/ssl_scache.c @@ -59,7 +59,7 @@ apr_status_t ssl_scache_init(server_rec *s, apr_pool_t *p) hints.expiry_interval = 300; rv = mc->stapling_cache->init(mc->stapling_cache_context, - "mod_ssl-stapling", &hints, s, p); + "mod_ssl-staple", &hints, s, p); if (rv) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872) "Could not initialize stapling cache. Exiting."); @@ -84,7 +84,7 @@ apr_status_t ssl_scache_init(server_rec *s, apr_pool_t *p) hints.avg_id_len = 30; hints.expiry_interval = 30; - rv = mc->sesscache->init(mc->sesscache_context, "mod_ssl-session", &hints, s, p); + rv = mc->sesscache->init(mc->sesscache_context, "mod_ssl-sess", &hints, s, p); if (rv) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874) "Could not initialize session cache. Exiting."); diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index 6eca86908cc..74088f5e298 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -185,14 +185,27 @@ BOOL modssl_X509_getBC(X509 *cert, int *ca, int *pathlen) return TRUE; } +char *modssl_bio_free_read(apr_pool_t *p, BIO *bio) +{ + int len = BIO_pending(bio); + char *result = NULL; + + if (len > 0) { + result = apr_palloc(p, len+1); + len = BIO_read(bio, result, len); + result[len] = NUL; + } + BIO_free(bio); + return result; +} + /* Convert ASN.1 string to a pool-allocated char * string, escaping * control characters. If raw is zero, convert to UTF-8, otherwise * unchanged from the character set. */ static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) { - char *result = NULL; BIO *bio; - int len, flags = ASN1_STRFLGS_ESC_CTRL; + int flags = ASN1_STRFLGS_ESC_CTRL; if ((bio = BIO_new(BIO_s_mem())) == NULL) return NULL; @@ -200,14 +213,8 @@ static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw) if (!raw) flags |= ASN1_STRFLGS_UTF8_CONVERT; ASN1_STRING_print_ex(bio, asn1str, flags); - len = BIO_pending(bio); - if (len > 0) { - result = apr_palloc(p, len+1); - len = BIO_read(bio, result, len); - result[len] = NUL; - } - BIO_free(bio); - return result; + + return modssl_bio_free_read(p, bio); } #define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0) diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h index d6307d971a0..ec89185b1b0 100644 --- a/modules/ssl/ssl_util_ssl.h +++ b/modules/ssl/ssl_util_ssl.h @@ -78,6 +78,11 @@ BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); +/* Reads the remaining data in BIO, if not empty, and copies it into a + * pool-allocated string. If empty, returns NULL. BIO_free(bio) is + * called for both cases. */ +char *modssl_bio_free_read(apr_pool_t *p, BIO *bio); + #endif /* __SSL_UTIL_SSL_H__ */ /** @} */