Here is a short overview of the source files:
+ * README .................. This file ;)
# Makefile.in ............. Makefile template for Unix platform
# config.m4 ............... Autoconf stub for the Apache config mechanism
# mod_ssl.c ............... main source file containing API structures
- - mod_ssl.h ............... common header file of mod_ssl
- - ssl_engine_config.c ..... module configuration handling
+ # mod_ssl.h ............... common header file of mod_ssl
+ # ssl_engine_config.c ..... module configuration handling
# ssl_engine_dh.c ......... DSA/DH support
# ssl_engine_ds.c ......... data structures
- ssl_engine_ext.c ........ Extensions to other Apache parts
- - ssl_engine_init.c ....... module initialization
- - ssl_engine_io.c ......... I/O support
- - ssl_engine_kernel.c ..... SSL engine kernel
- - ssl_engine_log.c ........ logfile support
+ # ssl_engine_init.c ....... module initialization
+ * ssl_engine_io.c ......... I/O support
+ # ssl_engine_kernel.c ..... SSL engine kernel
+ # ssl_engine_log.c ........ logfile support
# ssl_engine_mutex.c ...... mutual exclusion support
- - ssl_engine_pphrase.c .... pass-phrase handling
- - ssl_engine_rand.c ....... PRNG support
- - ssl_engine_vars.c ....... Variable Expansion support
+ # ssl_engine_pphrase.c .... pass-phrase handling
+ # ssl_engine_rand.c ....... PRNG support
+ # ssl_engine_vars.c ....... Variable Expansion support
# ssl_expr.c .............. expression handling main source
# ssl_expr.h .............. expression handling common header
- ssl_expr_scan.c ......... expression scanner automaton (pre-generated)
- ssl_expr_parse.h ........ expression parser header (pre-generated)
- ssl_expr_parse.y ........ expression parser source
# ssl_expr_eval.c ......... expression machine evaluation
- - ssl_scache.c ............ session cache abstraction layer
- - ssl_scache_dbm.c ........ session cache via DBM file
+ # ssl_scache.c ............ session cache abstraction layer
+ # ssl_scache_dbm.c ........ session cache via DBM file
- ssl_scache_shmcb.c ...... session cache via shared memory cyclic buffer
- ssl_scache_shmht.c ...... session cache via shared memory hash table
# ssl_util.c .............. utility functions
# ssl_util_table.c ........ the hash table library source
# ssl_util_table.h ........ the hash table library header
- Legend: # = already ported to Apache 2.0
+ Legend: # = already ported to Apache 2.0 and is cleaned up
+ * = ported to Apache 2.0 but still needs cleaning up
- = port still not finished
The source files are written in clean ANSI C and pass the ``gcc -O -g
SSL_SESSION ............. OpenSSL Session
SSL ..................... OpenSSL Connection
BIO ..................... OpenSSL Connection Buffer
+ SSLFilterRec ............ mod_ssl Filter Context
For an overview how these are related and chained together have a look at the
page in README.dsov.{fig,ps}. It contains overview diagrams for those data
from Apache 1.3 and this mod_ssl version for Apache 2.0:
o The DBM based session cache is now based on APR's DBM API only.
+ o Introduced Filter logic (similar to mod_tls)
+ o Eliminated ap_global_ctx. Storing Persistant information in
+ process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
+ ssl_config_global_* () functions have an extra parameter now -
+ "server_rec *" - which is used to retrieve the SSLModConfigRec.
TODO
+ o use ssl_var_lookup?
o Whether to unregister and how to unregister?
ssl_var_unregister();
ssl_ext_unregister();
ssl_io_unregister();
o We certainly need CRYPTO_set_locking_callback() now also under Unix!
-
+ o Eliminate APR_BLOCK_READ from churn (). The APR_NONBLOCK_READ doesn't work
+ currently. The filter logic has to be changed to handle situations when
+ the data is not available immediately.
+ o Enable the use of ssl_var_* and ssl_ext_* functionalities.
+ o Enable use of MM, SHMCB and SHMHT.
+ o Try to use APR routines in ssl_util_ssl.c for performing FILE operations.
*/
#include "mod_ssl.h"
+#include "util_md5.h"
+#include <assert.h>
/*
* the table of configuration directives we provide
* the various processing hooks
*/
-static void ssl_hook_pre_config(
+static int ssl_hook_pre_config(
apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp)
-{
- /* unused */
- return;
-}
-
-
-static void ssl_hook_post_config(
- apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
-{
- /* ssl_init_Module() */
- return;
-}
-
-static int ssl_hook_pre_connection(conn_rec *r)
{
/* unused */
return DECLINED;
}
-static int ssl_hook_process_connection(conn_rec *r)
+static int ssl_hook_post_read_request(request_rec *r)
{
- /* call ssl_hook_NewConnection */
- /* hook ssl_hook_CloseConnection() */
+ /* ssl_hook_ReadReq() */
return DECLINED;
}
-static int ssl_hook_handler(request_rec *r)
+static int ssl_hook_pre_connection(conn_rec *c)
{
- /* ssl_hook_Handler() */
- return DECLINED;
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ apr_table_t *apctx;
+ SSL *ssl;
+ unsigned char *cpVHostID;
+ char *cpVHostMD5;
+
+ /*
+ * Create SSL context
+ */
+ apr_table_setn(c->notes, "ssl", NULL);
+
+ /*
+ * Immediately stop processing if SSL is disabled for this connection
+ */
+ if (sc == NULL || !sc->bEnabled)
+ return DECLINED;
+
+ /*
+ * Remember the connection information for
+ * later access inside callback functions
+ */
+ cpVHostID = (unsigned char *)ssl_util_vhostid(c->pool,c->base_server);
+ ssl_log(c->base_server, SSL_LOG_INFO, "Connection to child %d established "
+ "(server %s, client %s)", c->id, cpVHostID,
+ c->remote_ip != NULL ? c->remote_ip : "unknown");
+
+ /*
+ * Seed the Pseudo Random Number Generator (PRNG)
+ */
+ ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
+
+ /*
+ * Create a new SSL connection with the configured server SSL context and
+ * attach this to the socket. Additionally we register this attachment
+ * so we can detach later.
+ */
+ if ((ssl = SSL_new(sc->pSSLCtx)) == NULL) {
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Unable to create a new SSL connection from the SSL context");
+ apr_table_setn(c->notes, "ssl", NULL);
+ c->aborted = 1;
+ return DECLINED; /* XXX */
+ }
+ SSL_clear(ssl);
+ cpVHostMD5 = ap_md5(c->pool, cpVHostID);
+ if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5,
+ strlen(cpVHostMD5))) {
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Unable to set session id context to `%s'", cpVHostMD5);
+ apr_table_setn(c->notes, "ssl", NULL);
+ c->aborted = 1;
+ return DECLINED; /* XXX */
+ }
+ SSL_set_app_data(ssl, c);
+ apctx = apr_table_make(c->pool, AP_CTX_MAX_ENTRIES);
+ apr_table_setn(apctx, "ssl::request_rec", NULL);
+ apr_table_setn(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0));
+ SSL_set_app_data2(ssl, apctx);
+
+ apr_table_setn(c->notes, "ssl", (const char *)ssl);
+
+ /*
+ * Configure callbacks for SSL connection
+ */
+ SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
+ SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
+#if 0 /* XXX */
+ if (sc->nLogLevel >= SSL_LOG_DEBUG) {
+ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
+ BIO_set_callback_arg(SSL_get_rbio(ssl), ssl);
+ }
+#endif
+ /*
+ * Predefine some client verification results
+ */
+ apr_table_setn(c->notes, "ssl::client::dn", NULL);
+ apr_table_setn(c->notes, "ssl::verify::error", NULL);
+ apr_table_setn(c->notes, "ssl::verify::info", NULL);
+ SSL_set_verify_result(ssl, X509_V_OK);
+
+ /*
+ * We have to manage a I/O timeout ourself, because Apache
+ * does it the first time when reading the request, but we're
+ * working some time before this happens.
+ */
+ ssl_util_setmodconfig(c->base_server, "ssl::handshake::timeout", (void *)FALSE);
+#if 0 /* XXX */
+ ap_set_callback_and_alarm(ssl_hook_TimeoutConnection, c->base_server->timeout);
+#endif
+ ssl_io_filter_init(c, ssl);
+
+ return APR_SUCCESS;
}
-static int ssl_hook_translate_name(request_rec *r)
+/*
+ * The hook is NOT registered with ap_hook_process_connection. Instead, it is
+ * called manually from the churn () before it tries to read any data.
+ * There is some problem if I accept conn_rec *. Still investigating..
+ * Adv. if conn_rec * can be accepted is we can hook this function using the
+ * ap_hook_process_connection hook.
+ */
+static int ssl_hook_process_connection(SSLFilterRec *pRec)
{
- /* ssl_hook_Translate() */
- return DECLINED;
+ int n, err;
+ conn_rec *c = SSL_get_app_data (pRec->pssl);
+
+ if (!SSL_is_init_finished(pRec->pssl))
+ {
+ if ((n = SSL_accept(pRec->pssl)) <= 0) {
+
+ if ((err = SSL_get_error(pRec->pssl, n)) == SSL_ERROR_ZERO_RETURN) {
+ /*
+ * The case where the connection was closed before any data
+ * was transferred. That's not a real error and can occur
+ * sporadically with some clients.
+ */
+ ssl_log(c->base_server, SSL_LOG_INFO,
+ "SSL handshake stopped: connection was closed");
+ }
+ else if (err == SSL_ERROR_WANT_READ) {
+ /*
+ * This is in addition to what was present earlier. It is
+ * borrowed from openssl_state_machine.c [mod_tls].
+ * TBD.
+ */
+ return 0;
+ }
+ else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
+ /*
+ * The case where OpenSSL has recognized a HTTP request:
+ * This means the client speaks plain HTTP on our HTTPS port.
+ * Hmmmm... At least for this error we can be more friendly
+ * and try to provide him with a HTML error page. We have only
+ * one problem:OpenSSL has already read some bytes from the HTTP
+ * request. So we have to skip the request line manually and
+ * instead provide a faked one in order to continue the internal
+ * Apache processing.
+ *
+ */
+
+#if 0 /* XXX */
+ /*
+ * Still need to be ported to Apache 2.0 style
+ */
+ char ca[2];
+ int rv;
+
+ /* log the situation */
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "SSL handshake failed: HTTP spoken on HTTPS port; "
+ "trying to send HTML error page");
+ /* first: skip the remaining bytes of the request line */
+ do {
+ do {
+ rv = read(fb->fd, ca, 1);
+ } while (rv == -1 && errno == EINTR);
+ } while (rv > 0 && ca[0] != '\012' /*LF*/);
+
+ /* second: fake the request line */
+ fb->inbase = ap_palloc(fb->pool, fb->bufsiz);
+ ap_cpystrn((char *)fb->inbase, "GET /mod_ssl:error:HTTP-request HTTP/1.0\r\n",
+ fb->bufsiz);
+ fb->inptr = fb->inbase;
+ fb->incnt = strlen((char *)fb->inptr);
+#endif
+ }
+ else if (ssl_util_getmodconfig_ssl(pRec->pssl, "ssl::handshake::timeout")
+ == (void *)TRUE) {
+ ssl_log(c->base_server, SSL_LOG_ERROR,
+ "SSL handshake timed out (client %s, server %s)",
+ c->remote_ip != NULL ? c->remote_ip : "unknown",
+ ssl_util_vhostid(c->pool,c->base_server));
+ }
+ else if ((SSL_get_error(pRec->pssl, n) == SSL_ERROR_SYSCALL)
+ && (errno != EINTR)) {
+ if (errno > 0)
+ ssl_log(c->base_server,
+ SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ "SSL handshake interrupted by system "
+ "[Hint: Stop button pressed in browser?!]");
+ else
+ ssl_log(c->base_server,
+ SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ "Spurious SSL handshake interrupt [Hint: "
+ "Usually just one of those OpenSSL confusions!?]");
+ }
+ else {
+ /*
+ * Ok, anything else is a fatal error
+ */
+ ssl_log(c->base_server,
+ SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ "SSL handshake failed (server %s, client %s)",
+ ssl_util_vhostid(c->pool,c->base_server),
+ c->remote_ip != NULL ? c->remote_ip : "unknown");
+ }
+ /*
+ * try to gracefully shutdown the connection:
+ * - send an own shutdown message (be gracefully)
+ * - don't wait for peer's shutdown message (deadloop)
+ * - kick away the SSL stuff immediately
+ * - block the socket, so Apache cannot operate any more
+ */
+ SSL_set_shutdown(pRec->pssl, SSL_RECEIVED_SHUTDOWN);
+ SSL_smart_shutdown(pRec->pssl);
+ SSL_free(pRec->pssl);
+ apr_table_setn(c->notes, "ssl", NULL);
+ c->aborted = 1;
+ return APR_EGENERAL;
+ }
+ }
+ return APR_SUCCESS;
}
-static void ssl_hook_init_child(apr_pool_t *pchild, server_rec *s)
+static void ssl_hook_open_logs(apr_pool_t *p, apr_pool_t *plog,
+ apr_pool_t *ptemp, server_rec *s)
{
- /* ssl_init_Child() */
return;
}
-static int ssl_hook_auth_checker(request_rec *r)
+static int ssl_hook_quick_handler (request_rec *r)
{
/* ssl_hook_Auth() */
return DECLINED;
}
-static int ssl_hook_check_user_id(request_rec *r)
+static int ssl_hook_fixer_upper (request_rec *r)
{
/* ssl_hook_UserCheck */
return DECLINED;
}
-static int ssl_hook_access_checker(request_rec *r)
+static const char *ssl_hook_http_method (const request_rec *r)
{
- /* ssl_hook_Access() */
- return DECLINED;
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+ if (sc->bEnabled == FALSE)
+ return NULL;
+
+ return "https";
}
-static int ssl_hook_fixups(request_rec *r)
+static apr_port_t ssl_hook_default_port (const request_rec *r)
{
- /* ssl_hook_Fixup() */
- return DECLINED;
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+ if (sc->bEnabled == FALSE)
+ return 0;
+ return 443;
}
-static int ssl_hook_post_read_request(request_rec *r)
+static int ssl_hook_insert_filter (request_rec *r)
{
/* ssl_hook_ReadReq() */
return DECLINED;
}
-static void ssl_hook_child_init(apr_pool_t *pchild, server_rec *s)
-{
- /* ssl_init_Child() */
- return;
-}
-
/*
* the module registration phase
*/
+
static void ssl_register_hooks(apr_pool_t *p)
{
- ap_hook_pre_config (ssl_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_post_config (ssl_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_handler (ssl_hook_handler, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_translate_name (ssl_hook_translate_name, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_child_init (ssl_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_auth_checker (ssl_hook_auth_checker, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_check_user_id (ssl_hook_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_access_checker (ssl_hook_access_checker, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_fixups (ssl_hook_fixups, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_post_read_request (ssl_hook_post_read_request, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_pre_connection (ssl_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_process_connection(ssl_hook_process_connection, NULL, NULL, APR_HOOK_MIDDLE);
+ ssl_io_filter_register(p);
+ ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
+#if 0 /* XXX - Work in progress */
+ ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_process_connection (ssl_hook_process_connection,
+ NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_read_request (ssl_hook_post_read_request,
+ NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_open_logs (ssl_hook_open_logs, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_quick_handler (ssl_hook_quick_handler, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_log_transaction(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_create_request(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_type_checker (ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_insert_filter (ssl_hook_insert_filter, NULL,NULL, APR_HOOK_MIDDLE);
+#endif
+#if 0 /* XXX */
ssl_var_register();
ssl_ext_register();
ssl_io_register();
-
- return;
+#endif
}
-/*
- * the main module structure
- */
module AP_MODULE_DECLARE_DATA ssl_module = {
STANDARD20_MODULE_STUFF,
ssl_config_perdir_create, /* create per-dir config structures */
ssl_config_cmds, /* table of configuration directives */
ssl_register_hooks /* register hooks */
};
-
#ifndef __MOD_SSL_H__
#define __MOD_SSL_H__
+#define MOD_SSL_VERSION "3.0a0"
+
/*
* Optionally enable the experimental stuff, but allow the user to
* override the decision which experimental parts are included by using
* CFLAGS="-DSSL_EXPERIMENTAL_xxxx_IGNORE".
*/
-#if 0 /* XXX */
#ifdef SSL_EXPERIMENTAL
#ifndef SSL_EXPERIMENTAL_PERDIRCA_IGNORE
#define SSL_EXPERIMENTAL_PERDIRCA
#endif
#endif
#endif /* SSL_EXPERIMENTAL */
-#endif /* XXX */
/*
* Power up our brain...
/* Apache headers */
#define CORE_PRIVATE
-#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
-#include "http_protocol.h"
-#include "http_request.h"
-#include "http_main.h"
#include "http_core.h"
#include "http_log.h"
+#include "http_main.h"
+#include "http_connection.h"
+#include "http_request.h"
+#include "http_protocol.h"
+#include "util_script.h"
+#include "util_filter.h"
#include "scoreboard.h"
-#include "util_md5.h"
-#include "apr.h"
+#include "unixd.h"
+#include "apr_strings.h"
+#include "apr_tables.h"
#include "apr_lib.h"
#include "apr_fnmatch.h"
#include "apr_strings.h"
-#include "apr_pools.h"
-#include "apr_tables.h"
-#include "apr_file_info.h"
+#include "apr_dbm.h"
#undef CORE_PRIVATE
/* mod_ssl headers */
#define strIsEmpty(s) (s == NULL || s[0] == NUL)
-#if 0 /* XXX */
#define cfgMerge(el,unset) new->el = add->el == unset ? base->el : add->el
-#define cfgMergeArray(el) new->el = ap_append_arrays(p, add->el, base->el)
-#define cfgMergeTable(el) new->el = ap_overlay_tables(p, add->el, base->el)
-#define cfgMergeCtx(el) new->el = ap_ctx_overlay(p, add->el, base->el)
+#define cfgMergeArray(el) new->el = apr_array_append(p, add->el, base->el)
+#define cfgMergeTable(el) new->el = apr_table_overlay(p, add->el, base->el)
+#define cfgMergeCtx(el) new->el = apr_table_overlay(p, add->el, base->el)
#define cfgMergeString(el) cfgMerge(el, NULL)
#define cfgMergeBool(el) cfgMerge(el, UNSET)
#define cfgMergeInt(el) cfgMerge(el, UNSET)
-#endif /* XXX */
-#if 0 /* XXX */
-#define myModConfig() (SSLModConfigRec *)ap_ctx_get(ap_global_ctx, "ssl_module")
-#endif /* XXX */
+#define myModConfig(srv) (SSLModConfigRec *)ssl_util_getmodconfig(srv, "ssl_module")
#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)
#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
-#if 0 /* XXX */
#define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val
#define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
-#endif /* XXX */
+
+#define AP_CTX_NUM2PTR(n) (void *)(((unsigned long)(n))+1)
+#define AP_CTX_PTR2NUM(p) (unsigned long)(((char *)(p))-1)
+
+#define AP_CTX_MAX_ENTRIES 1024
/*
* SSL Logging
/*
* Support for MM library
*/
-#define SSL_MM_FILE_MODE ( S_IRUSR|S_IWUSR )
+#define SSL_MM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
/*
* Support for DBM library
*/
-#define SSL_DBM_FILE_MODE ( S_IRUSR|S_IWUSR )
+#define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD )
#if !defined(SSL_DBM_FILE_SUFFIX_DIR) && !defined(SSL_DBM_FILE_SUFFIX_PAG)
#if defined(DBM_SUFFIX)
#define SSL_AIDX_DSA (1)
#define SSL_AIDX_MAX (2)
-#if 0 /* XXX */
/*
* Define IDs for the temporary RSA keys and DH params
SSL_PPTYPE_BUILTIN = 0,
SSL_PPTYPE_FILTER = 1
} ssl_pphrase_t;
-#endif /* XXX */
/*
* Define the Path Checking modes
#define SSL_PCM_ISNONZERO 8
typedef unsigned int ssl_pathcheck_t;
-#if 0 /* XXX */
-
/*
* Define the SSL session cache modes and structures
*/
*/
typedef struct {
- pool *pPool;
+ SSL *pssl;
+ BIO *pbioRead;
+ BIO *pbioWrite;
+ ap_filter_t *pInputFilter;
+ ap_filter_t *pOutputFilter;
+ apr_bucket_brigade *pbbInput; /* encrypted input */
+ apr_bucket_brigade *pbbPendingInput; /* decrypted input */
+} SSLFilterRec;
+
+typedef struct {
+ apr_pool_t *pPool;
BOOL bFixed;
int nInitCount;
int nSessionCacheMode;
char *szSessionCacheDataFile;
int nSessionCacheDataSize;
+#if 0 /* XXX */
AP_MM *pSessionCacheDataMM;
- table_t *tSessionCacheDataTable;
+#endif
+ apr_table_t *tSessionCacheDataTable;
ssl_mutexmode_t nMutexMode;
char *szMutexFile;
apr_lock_t *pMutex;
- array_header *aRandSeed;
+ apr_array_header_t *aRandSeed;
ssl_ds_table *tTmpKeys;
void *pTmpKeys[SSL_TKPIDX_MAX];
ssl_ds_table *tPublicCert;
* (i.e. the configuration for the main server
* and all <VirtualHost> contexts)
*/
-#endif /* XXX */
typedef struct {
BOOL bEnabled;
-#if 0 /* XXX */
+ apr_table_t *ap_server_ctx;
char *szPublicCertFile[SSL_AIDX_MAX];
char *szPrivateKeyFile[SSL_AIDX_MAX];
char *szCertificateChain;
char *szCACertificateFile;
char *szLogFile;
char *szCipherSuite;
- FILE *fileLogFile;
+ apr_file_t *fileLogFile;
int nLogLevel;
int nVerifyDepth;
ssl_verify_t nVerifyClient;
SSL_CTX *pSSLProxyCtx;
STACK_OF(X509_INFO) *skProxyClientCerts;
#endif
-#endif /* XXX */
} SSLSrvConfigRec;
-#if 0 /* XXX */
/*
* Define the mod_ssl per-directory configuration structure
* (i.e. the local configuration for all <Directory>
* and .htaccess contexts)
*/
-#endif /* XXX */
typedef struct {
BOOL bSSLRequired;
-#if 0 /* XXX */
- array_header *aRequirement;
+ apr_array_header_t *aRequirement;
ssl_opt_t nOptions;
ssl_opt_t nOptionsAdd;
ssl_opt_t nOptionsDel;
char *szCACertificatePath;
char *szCACertificateFile;
#endif
-#endif /* XXX */
} SSLDirConfigRec;
/*
extern module AP_MODULE_DECLARE_DATA ssl_module;
/* configuration handling */
-void ssl_config_global_create(void);
-void ssl_config_global_fix(void);
-BOOL ssl_config_global_isfixed(void);
+void ssl_config_global_create(server_rec *);
+void ssl_config_global_fix(SSLModConfigRec *);
+BOOL ssl_config_global_isfixed(SSLModConfigRec *);
void *ssl_config_server_create(apr_pool_t *, server_rec *);
void *ssl_config_server_merge(apr_pool_t *, void *, void *);
void *ssl_config_perdir_create(apr_pool_t *, char *);
void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
-const char *ssl_cmd_SSLMutex(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
-const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
-const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLVerifyClient(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLSessionCache(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLLog(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLLogLevel(cmd_parms *, char *, char *);
-const char *ssl_cmd_SSLProtocol(cmd_parms *, char *, const char *);
-const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *);
-const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
-const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
+const char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
+const char *ssl_cmd_SSLEngine(cmd_parms *, void *, int);
+const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLLog(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLLogLevel(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
+const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
#ifdef SSL_EXPERIMENTAL_PROXY
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, char *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, char *, char *);
#endif
-#if 0 /* XXX */
/* module initialization */
-void ssl_init_Module(server_rec *, pool *);
+void ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_SSLLibrary(void);
-void ssl_init_Engine(server_rec *, pool *);
-void ssl_init_TmpKeysHandle(int, server_rec *, pool *);
-void ssl_init_ConfigureServer(server_rec *, pool *, SSLSrvConfigRec *);
-void ssl_init_CheckServers(server_rec *, pool *);
+void ssl_init_Engine(server_rec *, apr_pool_t *);
+void ssl_init_TmpKeysHandle(int, server_rec *, apr_pool_t *);
+void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, SSLSrvConfigRec *);
+void ssl_init_CheckServers(server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
- *ssl_init_FindCAList(server_rec *, pool *, char *, char *);
-void ssl_init_Child(server_rec *, pool *);
-void ssl_init_ChildKill(void *);
-void ssl_init_ModuleKill(void *);
+ *ssl_init_FindCAList(server_rec *, apr_pool_t *, char *, char *);
+void ssl_init_Child(apr_pool_t *, server_rec *);
+apr_status_t ssl_init_ChildKill(void *data);
+apr_status_t ssl_init_ModuleKill(void *data);
/* Apache API hooks */
void ssl_hook_NewConnection(conn_rec *);
void ssl_hook_TimeoutConnection(int);
-void ssl_hook_CloseConnection(conn_rec *);
+apr_status_t ssl_hook_CloseConnection(SSLFilterRec *);
int ssl_hook_Translate(request_rec *);
int ssl_hook_Auth(request_rec *);
int ssl_hook_UserCheck(request_rec *);
void ssl_callback_LogTracingState(SSL *, int, int);
/* Session Cache Support */
-void ssl_scache_init(server_rec *, pool *);
+void ssl_scache_init(server_rec *, apr_pool_t *);
void ssl_scache_kill(server_rec *);
BOOL ssl_scache_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int);
void ssl_scache_remove(server_rec *, UCHAR *, int);
void ssl_scache_expire(server_rec *);
-void ssl_scache_status(server_rec *, pool *, void (*)(char *, void *), void *);
+void ssl_scache_status(server_rec *, apr_pool_t *, void (*)(char *, void *), void *);
char *ssl_scache_id2sz(UCHAR *, int);
-void ssl_scache_dbm_init(server_rec *, pool *);
+void ssl_scache_dbm_init(server_rec *, apr_pool_t *);
void ssl_scache_dbm_kill(server_rec *);
BOOL ssl_scache_dbm_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *, UCHAR *, int);
void ssl_scache_dbm_remove(server_rec *, UCHAR *, int);
void ssl_scache_dbm_expire(server_rec *);
-void ssl_scache_dbm_status(server_rec *, pool *, void (*)(char *, void *), void *);
+void ssl_scache_dbm_status(server_rec *, apr_pool_t *, void (*)(char *, void *), void *);
+#if 0 /* XXX */
void ssl_scache_shmht_init(server_rec *, pool *);
void ssl_scache_shmht_kill(server_rec *);
BOOL ssl_scache_shmht_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *);
void ssl_scache_shmcb_remove(server_rec *, UCHAR *, int);
void ssl_scache_shmcb_expire(server_rec *);
void ssl_scache_shmcb_status(server_rec *, pool *, void (*)(char *, void *), void *);
+#endif
/* Pass Phrase Support */
-void ssl_pphrase_Handle(server_rec *, pool *);
-int ssl_pphrase_Handle_CB(char *, int, int);
+void ssl_pphrase_Handle(server_rec *, apr_pool_t *);
+int ssl_pphrase_Handle_CB(char *, int, int, void *);
/* Diffie-Hellman Parameter Support */
DH *ssl_dh_GetTmpParam(int);
void ssl_ds_table_kill(ssl_ds_table *);
/* Mutex Support */
-#endif /* XXX */
int ssl_mutex_init(server_rec *, apr_pool_t *);
int ssl_mutex_reinit(server_rec *, apr_pool_t *);
int ssl_mutex_on(server_rec *);
int ssl_mutex_off(server_rec *);
int ssl_mutex_kill(server_rec *);
-#if 0 /* XXX */
/* Logfile Support */
-void ssl_log_open(server_rec *, server_rec *, pool *);
+void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
BOOL ssl_log_applies(server_rec *, int);
void ssl_log(server_rec *, int, const char *, ...);
void ssl_die(void);
/* Variables */
+#if 0 /* XXX */
void ssl_var_register(void);
void ssl_var_unregister(void);
#endif /* XXX */
char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
/* I/O */
-#if 0 /* XXX */
void ssl_io_register(void);
void ssl_io_unregister(void);
+void ssl_io_filter_init(conn_rec *, SSL *);
+void ssl_io_filter_register(apr_pool_t *);
long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
/* PRNG */
-int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t, char *);
+int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
/* Extensions */
+#if 0 /* XXX */
void ssl_ext_register(void);
void ssl_ext_unregister(void);
-
-#endif /* XXX */
+#endif
/* Utility Functions */
char *ssl_util_vhostid(apr_pool_t *, server_rec *);
char *ssl_util_algotypestr(ssl_algo_t);
char *ssl_util_ptxtsub(apr_pool_t *, const char *, const char *, char *);
void ssl_util_thread_setup(void);
+apr_status_t ssl_util_setmodconfig(server_rec *, const char *, SSLModConfigRec *);
+SSLModConfigRec *ssl_util_getmodconfig(server_rec *, const char *);
+SSLModConfigRec *ssl_util_getmodconfig_ssl(SSL *, const char *);
#endif /* __MOD_SSL_H__ */
-- Unknown */
#include "mod_ssl.h"
-#if 0 /* XXX */
-
/* _________________________________________________________________
**
** Support for Global Configuration
** _________________________________________________________________
*/
-void ssl_config_global_create(void)
+void ssl_config_global_create(server_rec *s)
{
- pool *pPool;
- SSLModConfigRec *mc;
+ apr_pool_t *pPool;
+ SSLModConfigRec *mc = myModConfig(s);
- mc = ap_ctx_get(ap_global_ctx, "ssl_module");
if (mc == NULL) {
/*
* allocate an own subpool which survives server restarts
*/
- pPool = ap_make_sub_pool(NULL);
- mc = (SSLModConfigRec *)ap_palloc(pPool, sizeof(SSLModConfigRec));
+ pPool = s->process->pool;
+ mc = (SSLModConfigRec *)apr_palloc(pPool, sizeof(SSLModConfigRec));
mc->pPool = pPool;
mc->bFixed = FALSE;
mc->nSessionCacheMode = SSL_SCMODE_UNSET;
mc->szSessionCacheDataFile = NULL;
mc->nSessionCacheDataSize = 0;
+#if 0 /* XXX */
mc->pSessionCacheDataMM = NULL;
+#endif
mc->tSessionCacheDataTable = NULL;
mc->nMutexMode = SSL_MUTEXMODE_UNSET;
mc->szMutexFile = NULL;
mc->pMutex = NULL;
- mc->aRandSeed = ap_make_array(pPool, 4, sizeof(ssl_randseed_t));
+ mc->aRandSeed = apr_array_make(pPool, 4, sizeof(ssl_randseed_t));
mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
mc->tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
/*
* And push it into Apache's global context
*/
- ap_ctx_set(ap_global_ctx, "ssl_module", mc);
+ ssl_util_setmodconfig(s, "ssl_module", mc);
}
return;
}
-void ssl_config_global_fix(void)
+void ssl_config_global_fix(SSLModConfigRec *mc)
{
- SSLModConfigRec *mc = myModConfig();
mc->bFixed = TRUE;
return;
}
-BOOL ssl_config_global_isfixed(void)
+BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
{
- SSLModConfigRec *mc = myModConfig();
return (mc->bFixed);
}
-#endif /* XXX */
-
/* _________________________________________________________________
**
** Configuration handling
*/
void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc;
- ssl_config_global_create();
+ ssl_config_global_create(s);
- sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
+ sc = apr_palloc(p, sizeof(SSLSrvConfigRec));
sc->bEnabled = UNSET;
sc->szCACertificatePath = NULL;
sc->szCACertificateFile = NULL;
(void)memset(sc->pPrivateKey, 0, SSL_AIDX_MAX*sizeof(EVP_PKEY *));
return sc;
-#endif /* XXX */
- return NULL;
}
/*
*/
void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
{
-#if 0 /* XXX */
+ int i;
SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
- SSLSrvConfigRec *new = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec));
- int i;
+ SSLSrvConfigRec *new = (SSLSrvConfigRec *)apr_palloc(p, sizeof(SSLSrvConfigRec));
cfgMergeBool(bEnabled);
cfgMergeString(szCACertificatePath);
#endif
return new;
-#endif /* XXX */
- return NULL;
}
/*
*/
void *ssl_config_perdir_create(apr_pool_t *p, char *dir)
{
-#if 0 /* XXX */
- SSLDirConfigRec *dc = ap_palloc(p, sizeof(SSLDirConfigRec));
+ SSLDirConfigRec *dc = apr_palloc(p, sizeof(SSLDirConfigRec));
dc->bSSLRequired = FALSE;
- dc->aRequirement = ap_make_array(p, 4, sizeof(ssl_require_t));
+ dc->aRequirement = apr_array_make(p, 4, sizeof(ssl_require_t));
dc->nOptions = SSL_OPT_NONE|SSL_OPT_RELSET;
dc->nOptionsAdd = SSL_OPT_NONE;
dc->nOptionsDel = SSL_OPT_NONE;
dc->szCipherSuite = NULL;
dc->nVerifyClient = SSL_CVERIFY_UNSET;
dc->nVerifyDepth = UNSET;
+
#ifdef SSL_EXPERIMENTAL_PERDIRCA
dc->szCACertificatePath = NULL;
dc->szCACertificateFile = NULL;
#endif
return dc;
-#endif /* XXX */
- return NULL;
}
/*
*/
void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
{
-#if 0 /* XXX */
SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
SSLDirConfigRec *add = (SSLDirConfigRec *)addv;
- SSLDirConfigRec *new = (SSLDirConfigRec *)ap_palloc(p,
- sizeof(SSLDirConfigRec));
+ SSLDirConfigRec *new = (SSLDirConfigRec *)apr_palloc(p, sizeof(SSLDirConfigRec));
cfgMerge(bSSLRequired, FALSE);
cfgMergeArray(aRequirement);
cfgMergeString(szCipherSuite);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
cfgMergeInt(nVerifyDepth);
+
#ifdef SSL_EXPERIMENTAL_PERDIRCA
cfgMergeString(szCACertificatePath);
cfgMergeString(szCACertificateFile);
#endif
return new;
-#endif /* XXX */
- return NULL;
}
*/
const char *ssl_cmd_SSLMutex(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
const char *err;
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(cmd->server);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
return err;
- if (ssl_config_global_isfixed())
+ if (ssl_config_global_isfixed(mc))
return NULL;
if (strcEQ(arg, "none") || strcEQ(arg, "no")) {
mc->nMutexMode = SSL_MUTEXMODE_NONE;
}
else if (strlen(arg) > 5 && strcEQn(arg, "file:", 5)) {
mc->nMutexMode = SSL_MUTEXMODE_USED;
- mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu",
- ap_server_root_relative(cmd->pool, "mutex", arg+5),
+ mc->szMutexFile = (char *)apr_psprintf(mc->pPool, "%s.%lu",
+ ap_server_root_relative(cmd->pool, arg+5),
(unsigned long)getpid());
}
else if (strcEQ(arg, "sem") || strcEQ(arg, "yes")) {
}
else
return "SSLMutex: Invalid argument";
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLPassPhraseDialog(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
}
else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) {
sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER;
- sc->szPassPhraseDialogPath = ap_server_root_relative(cmd->pool, "dialog", arg+5);
+ sc->szPassPhraseDialogPath = (char *)ap_server_root_relative(cmd->pool, arg+5);
if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
- sc->szPassPhraseDialogPath, "' not exists", NULL);
+ return ((const char *)apr_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
+ sc->szPassPhraseDialogPath, "' not exists",NULL));
}
else
return "SSLPassPhraseDialog: Invalid argument";
-#endif /* XXX */
return NULL;
}
#ifdef SSL_EXPERIMENTAL_ENGINE
const char *ssl_cmd_SSLCryptoDevice(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ENGINE *e;
#if SSL_LIBRARY_VERSION >= 0x00907000
}
else
return "SSLCryptoDevice: Invalid argument";
-#endif /* XXX */
return NULL;
}
#endif
const char *ssl_cmd_SSLRandomSeed(
- cmd_parms *cmd, char *struct_ptr, char *arg1, char *arg2, char *arg3)
+ cmd_parms *cmd, void *ctx, const char *arg1,
+ const char *arg2, const char *arg3)
{
-#if 0 /* XXX */
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ssl_randseed_t *pRS;
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
return err;
- if (ssl_config_global_isfixed())
+ if (ssl_config_global_isfixed(mc))
return NULL;
- pRS = ap_push_array(mc->aRandSeed);
+ pRS = apr_array_push(mc->aRandSeed);
if (strcEQ(arg1, "startup"))
pRS->nCtx = SSL_RSCTX_STARTUP;
else if (strcEQ(arg1, "connect"))
pRS->nCtx = SSL_RSCTX_CONNECT;
else
- return ap_pstrcat(cmd->pool, "SSLRandomSeed: "
- "invalid context: `", arg1, "'");
+ return apr_pstrcat(cmd->pool, "SSLRandomSeed: "
+ "invalid context: `", arg1, "'");
if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) {
pRS->nSrc = SSL_RSSRC_FILE;
- pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5));
+ pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5));
}
else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) {
pRS->nSrc = SSL_RSSRC_EXEC;
- pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5));
+ pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5));
}
#if SSL_LIBRARY_VERSION >= 0x00905100
else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) {
pRS->nSrc = SSL_RSSRC_EGD;
- pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+4));
+ pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+4));
}
#endif
else if (strcEQ(arg2, "builtin")) {
}
else {
pRS->nSrc = SSL_RSSRC_FILE;
- pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2));
+ pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2));
}
if (pRS->nSrc != SSL_RSSRC_BUILTIN)
if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLRandomSeed: source path '",
- pRS->cpPath, "' not exists", NULL);
+ return apr_pstrcat(cmd->pool, "SSLRandomSeed: source path '",
+ pRS->cpPath, "' not exists", NULL);
if (arg3 == NULL)
pRS->nBytes = 0; /* read whole file */
else {
if (pRS->nBytes < 0)
return "SSLRandomSeed: invalid number of bytes specified";
}
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLEngine(
- cmd_parms *cmd, char *struct_ptr, int flag)
+ cmd_parms *cmd, void *ctx, int flag)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->bEnabled = (flag ? TRUE : FALSE);
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCipherSuite(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
if (cmd->path == NULL || dc == NULL)
- sc->szCipherSuite = arg;
+ sc->szCipherSuite = (char *)arg;
else
- dc->szCipherSuite = arg;
-#endif /* XXX */
+ dc->szCipherSuite = (char *)arg;
return NULL;
}
const char *ssl_cmd_SSLCertificateFile(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
int i;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '",
+ return apr_pstrcat(cmd->pool, "SSLCertificateFile: file '",
cpPath, "' not exists or empty", NULL);
for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++)
;
if (i == SSL_AIDX_MAX)
- return ap_psprintf(cmd->pool, "SSLCertificateFile: only up to %d "
+ return apr_psprintf(cmd->pool, "SSLCertificateFile: only up to %d "
"different certificates per virtual host allowed",
SSL_AIDX_MAX);
sc->szPublicCertFile[i] = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCertificateKeyFile(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
int i;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
+ return apr_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
cpPath, "' not exists or empty", NULL);
- for (i = 0; i < SSL_AIDX_MAX && sc->szPrivateKeyFile[i] != NULL; i++)
+ for (i = 0; i < SSL_AIDX_MAX && (sc->szPrivateKeyFile[i] != NULL) &&
+ (strlen(sc->szPrivateKeyFile[i]) != 0); i++)
;
if (i == SSL_AIDX_MAX)
- return ap_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d "
+ return apr_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d "
"different private keys per virtual host allowed",
SSL_AIDX_MAX);
sc->szPrivateKeyFile[i] = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCertificateChainFile(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
+ return apr_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
cpPath, "' not exists or empty", NULL);
sc->szCertificateChain = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCACertificatePath(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
+#ifdef SSL_EXPERIMENTAL_PERDIRCA
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
+#endif
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
- cpPath, "' not exists", NULL);
+ return apr_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
+ cpPath, "' not exists", NULL);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (cmd->path == NULL || dc == NULL)
sc->szCACertificatePath = cpPath;
#else
sc->szCACertificatePath = cpPath;
#endif
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCACertificateFile(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
+#ifdef SSL_EXPERIMENTAL_PERDIRCA
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
+#endif
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
- cpPath, "' not exists or empty", NULL);
+ return apr_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
+ cpPath, "' not exists or empty", NULL);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (cmd->path == NULL || dc == NULL)
sc->szCACertificateFile = cpPath;
#else
sc->szCACertificateFile = cpPath;
#endif
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCARevocationPath(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '",
- cpPath, "' not exists", NULL);
+ return apr_pstrcat(cmd->pool, "SSLCARecocationPath: directory '",
+ cpPath, "' not exists", NULL);
sc->szCARevocationPath = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLCARevocationFile(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = (char *)ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
- cpPath, "' not exists or empty", NULL);
+ return apr_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
+ cpPath, "' not exists or empty", NULL);
sc->szCARevocationFile = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLVerifyClient(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *level)
+ cmd_parms *cmd, void *ctx, const char *level)
{
-#if 0 /* XXX */
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
ssl_verify_t id;
sc->nVerifyClient = id;
else
dc->nVerifyClient = id;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLVerifyDepth(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
int d;
sc->nVerifyDepth = d;
else
dc->nVerifyDepth = d;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLSessionCache(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
+ SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
- SSLModConfigRec *mc = myModConfig();
char *cp, *cp2;
int maxsize;
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
return err;
- if (ssl_config_global_isfixed())
+ if (ssl_config_global_isfixed(mc))
return NULL;
+
if (strcEQ(arg, "none")) {
mc->nSessionCacheMode = SSL_SCMODE_NONE;
mc->szSessionCacheDataFile = NULL;
}
else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) {
mc->nSessionCacheMode = SSL_SCMODE_DBM;
- mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
- ap_server_root_relative(cmd->pool, "scache", arg+4));
+ mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool,
+ ap_server_root_relative(cmd->pool, arg+4));
}
else if ( (strlen(arg) > 4 && strcEQn(arg, "shm:", 4))
|| (strlen(arg) > 6 && strcEQn(arg, "shmht:", 6))) {
+#if 0 /* XXX */
if (!ap_mm_useable())
return "SSLSessionCache: shared memory cache not useable on this platform";
+#endif
mc->nSessionCacheMode = SSL_SCMODE_SHMHT;
cp = strchr(arg, ':');
- mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
- ap_server_root_relative(cmd->pool, "scache", cp+1));
+ mc->szSessionCacheDataFile = (char *)apr_pstrdup(mc->pPool,
+ ap_server_root_relative(cmd->pool, cp+1));
mc->tSessionCacheDataTable = NULL;
mc->nSessionCacheDataSize = 1024*512; /* 512KB */
if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
mc->nSessionCacheDataSize = atoi(cp);
if (mc->nSessionCacheDataSize <= 8192)
return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
+#if 0 /* XXX */
maxsize = ap_mm_core_maxsegsize();
+#else
+ maxsize = 1024 * 512;
+#endif
if (mc->nSessionCacheDataSize >= maxsize)
- return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
+ return apr_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
"size has to be < %d bytes on this platform", maxsize);
}
}
else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) {
+#if 0 /* XXX */
if (!ap_mm_useable())
return "SSLSessionCache: shared memory cache not useable on this platform";
+#endif
mc->nSessionCacheMode = SSL_SCMODE_SHMCB;
- mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
+ mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool,
ap_server_root_relative(cmd->pool, arg+6));
mc->tSessionCacheDataTable = NULL;
mc->nSessionCacheDataSize = 1024*512; /* 512KB */
mc->nSessionCacheDataSize = atoi(cp);
if (mc->nSessionCacheDataSize <= 8192)
return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
+#if 0 /* XXX */
maxsize = ap_mm_core_maxsegsize();
+#else
+ maxsize = 1024 * 512;
+#endif
if (mc->nSessionCacheDataSize >= maxsize)
- return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
+ return apr_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
"size has to be < %d bytes on this platform", maxsize);
}
}
else
return "SSLSessionCache: Invalid argument";
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLSessionCacheTimeout(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->nSessionCacheTimeout = atoi(arg);
if (sc->nSessionCacheTimeout < 0)
return "SSLSessionCacheTimeout: Invalid argument";
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLLog(
- cmd_parms *cmd, char *struct_ptr, char *arg)
+ cmd_parms *cmd, void *ctx, const char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY
|NOT_IN_LOCATION|NOT_IN_FILES )) != NULL)
return err;
- sc->szLogFile = arg;
-#endif /* XXX */
+ sc->szLogFile = (char *)arg;
return NULL;
}
const char *ssl_cmd_SSLLogLevel(
- cmd_parms *cmd, char *struct_ptr, char *level)
+ cmd_parms *cmd, void *ctx, const char *level)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
sc->nLogLevel = SSL_LOG_DEBUG;
else
return "SSLLogLevel: Invalid argument";
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLOptions(
- cmd_parms *cmd, SSLDirConfigRec *dc, const char *cpLine)
+ cmd_parms *cmd, void *ctx, const char *cpLine)
{
-#if 0 /* XXX */
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
ssl_opt_t opt;
int first;
char action;
else if (strcEQ(w, "OptRenegotiate"))
opt = SSL_OPT_OPTRENEGOTIATE;
else
- return ap_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL);
+ return apr_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL);
if (action == '-') {
dc->nOptionsAdd &= ~opt;
dc->nOptionsDel = SSL_OPT_NONE;
}
}
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLRequireSSL(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *cipher)
+ cmd_parms *cmd, void *ctx)
{
-#if 0 /* XXX */
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
dc->bSSLRequired = TRUE;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLRequire(
- cmd_parms *cmd, SSLDirConfigRec *dc, char *cpExpr)
+ cmd_parms *cmd, void *ctx, const char *cpExpr)
{
-#if 0 /* XXX */
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
ssl_expr *mpExpr;
ssl_require_t *pReqRec;
- if ((mpExpr = ssl_expr_comp(cmd->pool, cpExpr)) == NULL)
- return ap_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL);
- pReqRec = ap_push_array(dc->aRequirement);
- pReqRec->cpExpr = ap_pstrdup(cmd->pool, cpExpr);
+ if ((mpExpr = ssl_expr_comp(cmd->pool, (char *)cpExpr)) == NULL)
+ return apr_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL);
+ pReqRec = apr_array_push(dc->aRequirement);
+ pReqRec->cpExpr = apr_pstrdup(cmd->pool, cpExpr);
pReqRec->mpExpr = mpExpr;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProtocol(
- cmd_parms *cmd, char *struct_ptr, const char *opt)
+ cmd_parms *cmd, void *ctx, const char *opt)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc;
ssl_proto_t options, thisopt;
char action;
else if (strcEQ(w, "all"))
thisopt = SSL_PROTOCOL_ALL;
else
- return ap_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", w, "'", NULL);
+ return apr_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '",
+ w, "'", NULL);
if (action == '-')
options &= ~thisopt;
options = thisopt;
}
sc->nProtocol = options;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyProtocol(
cmd_parms *cmd, char *struct_ptr, const char *opt)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc;
ssl_proto_t options, thisopt;
char action;
else if (strcEQ(w, "all"))
thisopt = SSL_PROTOCOL_ALL;
else
- return ap_pstrcat(cmd->pool, "SSLProxyProtocol: "
+ return apr_pstrcat(cmd->pool, "SSLProxyProtocol: "
"Illegal protocol '", w, "'", NULL);
if (action == '-')
options &= ~thisopt;
options = thisopt;
}
sc->nProxyProtocol = options;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyCipherSuite(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->szProxyCipherSuite = arg;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyVerify(
cmd_parms *cmd, char *struct_ptr, int flag)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->bProxyVerify = (flag ? TRUE : FALSE);
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyVerifyDepth(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
int d;
if (d < 0)
return "SSLProxyVerifyDepth: Invalid argument";
sc->nProxyVerifyDepth = d;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyCACertificateFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
+ return apr_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
cpPath, "' not exists or empty", NULL);
sc->szProxyCACertificateFile = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyCACertificatePath(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
- cpPath, "' does not exists", NULL);
+ return apr_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
+ cpPath, "' does not exists", NULL);
sc->szProxyCACertificatePath = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyMachineCertificateFile(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
- cpPath, "' not exists or empty", NULL);
+ return apr_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
+ cpPath, "' not exists or empty", NULL);
sc->szProxyClientCertificateFile = cpPath;
-#endif /* XXX */
return NULL;
}
const char *ssl_cmd_SSLProxyMachineCertificatePath(
cmd_parms *cmd, char *struct_ptr, char *arg)
{
-#if 0 /* XXX */
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
char *cpPath;
- cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
+ cpPath = ap_server_root_relative(cmd->pool, arg);
if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool))
- return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
- cpPath, "' does not exists", NULL);
+ return apr_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
+ cpPath, "' does not exists", NULL);
sc->szProxyClientCertificatePath = cpPath;
-#endif /* XXX */
return NULL;
}
if ((a = (ssl_ds_array *)apr_palloc(p, sizeof(ssl_ds_array))) == NULL)
return NULL;
a->pPool = p;
- if ((a->pSubPool = apr_pool_sub_make(p, NULL)) != APR_SUCCESS)
+ if ((a->pSubPool = apr_pool_sub_make(p, NULL)) == NULL)
return NULL;
a->aData = apr_array_make(a->pSubPool, 2, size);
return a;
if ((t = (ssl_ds_table *)apr_palloc(p, sizeof(ssl_ds_table))) == NULL)
return NULL;
t->pPool = p;
- if ((t->pSubPool = apr_pool_sub_make(p, NULL)) != APR_SUCCESS)
+ if ((t->pSubPool = apr_pool_sub_make(p, NULL)) == NULL)
return NULL;
t->aKey = apr_array_make(t->pSubPool, 2, MAX_STRING_LEN);
t->aData = apr_array_make(t->pSubPool, 2, size);
-- Unknown */
#include "mod_ssl.h"
-#if 0 /* XXX */
-
/* _________________________________________________________________
**
** Module Initialization
/*
* Per-module initialization
*/
-void ssl_init_Module(server_rec *s, pool *p)
+void ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ apr_pool_t *ptemp, server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc;
server_rec *s2;
- char *cp;
-
- mc->nInitCount++;
/*
* Let us cleanup on restarts and exists
*/
- ap_register_cleanup(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);
+ apr_pool_cleanup_register(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);
/*
* Any init round fixes the global config
*/
- ssl_config_global_create(); /* just to avoid problems */
- ssl_config_global_fix();
+ ssl_config_global_create(s); /* just to avoid problems */
+ ssl_config_global_fix(mc);
+
+ mc->nInitCount++;
/*
* try to fix the configuration and open the dedicated SSL
* Identification
*/
if (mc->nInitCount == 1) {
+#if 0 /* XXX */
ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s",
- SERVER_BASEVERSION,
+ AP_SERVER_BASEVERSION,
ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"),
ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
+#endif
}
/*
* module segment (code & data) gets unloaded and re-loaded between
* the first and the second round. This means no global data survives
* between first and the second init round. We overcome this by using
- * an entry ("ssl_module") inside the ap_global_ctx.
+ * an entry ("ssl_module") inside the process_rec->pool->user_data.
*
* The situation as a table:
*
* Announce mod_ssl and SSL library in HTTP Server field
* as ``mod_ssl/X.X.X OpenSSL/X.X.X''
*/
+#if 0 /* XXX */
if ((cp = ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_PRODUCT")) != NULL && cp[0] != NUL)
- ap_add_version_component(cp);
- ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"));
- ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
+ ap_add_version_component(p, cp);
+ ap_add_version_component(p, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"));
+ ap_add_version_component(p, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
+#endif
return;
}
* a hardware accellerator card for crypto operations.
*/
#ifdef SSL_EXPERIMENTAL_ENGINE
-void ssl_init_Engine(server_rec *s, pool *p)
+void ssl_init_Engine(server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
ENGINE *e;
if (mc->szCryptoDevice != NULL) {
/*
* Handle the Temporary RSA Keys and DH Params
*/
-void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
+void ssl_init_TmpKeysHandle(int action, server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
unsigned char *ucp;
RSA *rsa;
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512");
asn1->nData = i2d_RSAPrivateKey(rsa, NULL);
- asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
RSA_free(rsa);
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:1024");
asn1->nData = i2d_RSAPrivateKey(rsa, NULL);
- asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
RSA_free(rsa);
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:512");
asn1->nData = i2d_DHparams(dh, NULL);
- asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */
/* no need to free dh, it's static */
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:1024");
asn1->nData = i2d_DHparams(dh, NULL);
- asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */
/* no need to free dh, it's static */
}
/*
* Configure a particular server
*/
-void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
+void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
int nVerify;
char *cpVHostID;
EVP_PKEY *pKey;
cpVHostID);
ssl_die();
}
- cp = ap_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
- (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
- (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
+ cp = apr_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
+ (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+ (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
cp[strlen(cp)-2] = NUL;
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, cp);
* Configure server certificate(s)
*/
ok = FALSE;
- cp = ap_psprintf(p, "%s:RSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:RSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring RSA server certificate", cpVHostID);
}
ok = TRUE;
}
- cp = ap_psprintf(p, "%s:DSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:DSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring DSA server certificate", cpVHostID);
cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen);
}
if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
- if (ap_is_fnmatch(cp) &&
- !ap_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
+ if (apr_is_fnmatch(cp) &&
+ !apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
ssl_log(s, SSL_LOG_WARN,
"Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
"does NOT match server name!?", cpVHostID,
* Configure server private key(s)
*/
ok = FALSE;
- cp = ap_psprintf(p, "%s:RSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:RSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring RSA server private key", cpVHostID);
}
ok = TRUE;
}
- cp = ap_psprintf(p, "%s:DSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:DSA", cpVHostID);
if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring DSA server private key", cpVHostID);
return;
}
-void ssl_init_CheckServers(server_rec *sm, pool *p)
+void ssl_init_CheckServers(server_rec *sm, apr_pool_t *p)
{
server_rec *s;
server_rec **ps;
SSLSrvConfigRec *sc;
ssl_ds_table *t;
- pool *sp;
+ apr_pool_t *sp;
char *key;
BOOL bConflict;
* just the certificate/keys of one virtual host (which one cannot be said
* easily - but that doesn't matter here).
*/
- sp = ap_make_sub_pool(p);
+ apr_pool_create(&sp, p);
t = ssl_ds_table_make(sp, sizeof(server_rec *));
bConflict = FALSE;
for (s = sm; s != NULL; s = s->next) {
sc = mySrvConfig(s);
if (!sc->bEnabled)
continue;
- key = ap_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
+ key = apr_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
ps = ssl_ds_table_get(t, key);
if (ps != NULL) {
ssl_log(sm, SSL_LOG_WARN,
*ps = s;
}
ssl_ds_table_kill(t);
- ap_destroy_pool(sp);
+ /* XXX - It was giving some problem earlier - check it out - TBD */
+ apr_pool_destroy(sp);
if (bConflict)
ssl_log(sm, SSL_LOG_WARN,
"Init: You should not use name-based virtual hosts in conjunction with SSL!!");
return(X509_NAME_cmp(*a, *b));
}
-STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile, char *cpCApath)
+STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, char *cpCAfile, char *cpCApath)
{
STACK_OF(X509_NAME) *skCAList;
STACK_OF(X509_NAME) *sk;
- DIR *dir;
- struct DIR_TYPE *direntry;
+ apr_dir_t *dir;
+ apr_finfo_t direntry;
char *cp;
- pool *p;
+ apr_pool_t *p;
int n;
/*
* is remains in memory for the complete operation time of
* the server.
*/
- p = ap_make_sub_pool(pp);
+ p = apr_pool_sub_make(pp, NULL);
/*
* Start with a empty stack/list where new
* Process CA certificate path files
*/
if (cpCApath != NULL) {
- dir = ap_popendir(p, cpCApath);
- while ((direntry = readdir(dir)) != NULL) {
- cp = ap_pstrcat(p, cpCApath, "/", direntry->d_name, NULL);
+ apr_dir_open(&dir, cpCApath, p);
+ while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) {
+ cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
sk = SSL_load_client_CA_file(cp);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE,
sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n));
}
}
- ap_pclosedir(p, dir);
+ apr_dir_close(dir);
}
/*
* Cleanup
*/
sk_X509_NAME_set_cmp_func(skCAList, NULL);
- ap_destroy_pool(p);
+ apr_pool_destroy(p);
return skCAList;
}
-void ssl_init_Child(server_rec *s, pool *p)
+void ssl_init_Child(apr_pool_t *p, server_rec *s)
{
/* open the mutex lockfile */
ssl_mutex_reinit(s, p);
return;
}
-void ssl_init_ChildKill(void *data)
+apr_status_t ssl_init_ChildKill(void *data)
{
+ /* server_rec *s = (server_rec *)data; */
/* currently nothing to do */
- return;
+ return APR_SUCCESS;
}
-void ssl_init_ModuleKill(void *data)
+apr_status_t ssl_init_ModuleKill(void *data)
{
SSLSrvConfigRec *sc;
server_rec *s = (server_rec *)data;
* Drop the session cache and mutex
*/
ssl_scache_kill(s);
+#if 0 /* XXX */
ssl_mutex_kill(s);
+#endif
/*
* Destroy the temporary keys and params
EVP_cleanup();
#endif
- return;
+ return APR_SUCCESS;
}
-#endif /* XXX */
-
** _________________________________________________________________
*/
-#if 0 /* XXX */
-static int ssl_io_hook_read(BUFF *fb, char *buf, int len);
-static int ssl_io_hook_write(BUFF *fb, char *buf, int len);
-#endif /* XXX */
+/* XXX THIS STUFF NEEDS A MAJOR CLEANUP -RSE XXX */
+
+static const char ssl_io_filter[] = "SSL/TLS Filter";
void ssl_io_register(void)
{
return;
}
-#if 0 /* XXX */
-
-static int ssl_io_hook_read(BUFF *fb, char *buf, int len)
+static int ssl_io_hook_read(SSL *ssl, unsigned char *buf, int len)
{
- SSL *ssl;
conn_rec *c;
int rc;
- if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL) {
+ if (ssl != NULL) {
rc = SSL_read(ssl, buf, len);
/*
* Simulate an EINTR in case OpenSSL wants to read more.
*/
if (rc < 0 && SSL_get_error(ssl, rc) == SSL_ERROR_SSL) {
c = (conn_rec *)SSL_get_app_data(ssl);
- ssl_log(c->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL error on reading data");
}
/*
* read(2) returns only the generic error number -1
*/
if (rc < 0)
- rc = -1;
+ /*
+ * XXX - Just trying to reflect the behaviour in
+ * openssl_state_machine.c [mod_tls]. TBD
+ */
+ rc = 0;
}
else
- rc = read(fb->fd_in, buf, len);
+ rc = -1;
return rc;
}
-static int ssl_io_hook_write(BUFF *fb, char *buf, int len)
+static int ssl_io_hook_write(SSL *ssl, unsigned char *buf, int len)
{
- SSL *ssl;
conn_rec *c;
int rc;
- if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL) {
+ if (ssl != NULL) {
rc = SSL_write(ssl, buf, len);
/*
* Simulate an EINTR in case OpenSSL wants to write more.
*/
if (rc < 0 && SSL_get_error(ssl, rc) == SSL_ERROR_SSL) {
c = (conn_rec *)SSL_get_app_data(ssl);
- ssl_log(c->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL error on writing data");
}
/*
* write(2) returns only the generic error number -1
*/
if (rc < 0)
- rc = -1;
+ /*
+ * XXX - Just trying to reflect the behaviour in
+ * openssl_state_machine.c [mod_tls]. TBD
+ */
+ rc = 0;
}
else
- rc = write(fb->fd, buf, len);
+ rc = -1;
return rc;
}
+static apr_status_t churn_output(SSLFilterRec *pRec)
+{
+ apr_bucket_brigade *pbbOutput=NULL;
+ int done;
+
+ do {
+ char buf[1024];
+ int n;
+ apr_bucket *pbkt;
+
+ done=0;
+
+ if (BIO_pending(pRec->pbioWrite)) {
+ n = BIO_read(pRec->pbioWrite,buf,sizeof buf);
+ if(n > 0) {
+ char *pbuf;
+
+ if(!pbbOutput)
+ pbbOutput=apr_brigade_create(pRec->pOutputFilter->c->pool);
+
+ pbuf=apr_pmemdup(pRec->pOutputFilter->c->pool,buf,n);
+ pbkt=apr_bucket_pool_create(pbuf,n,
+ pRec->pOutputFilter->c->pool);
+ APR_BRIGADE_INSERT_TAIL(pbbOutput,pbkt);
+ done=1;
+ /* } else if(n == 0) {
+ apr_bucket *pbktEOS=apr_bucket_create_eos();
+ APR_BRIGADE_INSERT_TAIL(pbbOutput,pbktEOS);*/
+ }
+ assert (n > 0); /* XXX => Check if required */
+#if 0 /* XXX */
+ }
+ else if (n == 0)
+ done = 1;
+ else
+ assert (n > 0);
+#endif
+ }
+#if 0 /* XXX */
+ else
+ {
+ done = 1;
+ }
+#endif
+ } while(done);
+
+ /* XXX: check for errors */
+ if(pbbOutput) {
+ apr_bucket *pbkt;
+
+ /* XXX: it may be possible to not always flush */
+ pbkt=apr_bucket_flush_create();
+ APR_BRIGADE_INSERT_TAIL(pbbOutput,pbkt);
+ ap_pass_brigade(pRec->pOutputFilter->next,pbbOutput);
+ }
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t churn (SSLFilterRec *pRec,
+ apr_read_type_e eReadType, apr_size_t *readbytes)
+{
+ apr_bucket *pbktIn;
+ ap_input_mode_t eMode = (eReadType == APR_BLOCK_READ)
+ ? AP_MODE_BLOCKING : AP_MODE_NONBLOCKING;
+
+/* XXX : Errrr... bad way of doing things TBD */
+eReadType = APR_BLOCK_READ;
+eMode = AP_MODE_BLOCKING;
+
+ if(APR_BRIGADE_EMPTY(pRec->pbbInput)) {
+ ap_get_brigade(pRec->pInputFilter->next,pRec->pbbInput,eMode,readbytes);
+ if(APR_BRIGADE_EMPTY(pRec->pbbInput))
+ return APR_EOF;
+ }
+
+ APR_BRIGADE_FOREACH(pbktIn,pRec->pbbInput) {
+ const char *data;
+ apr_size_t len;
+ int n;
+ char buf[1024];
+ apr_status_t ret;
+
+ if(APR_BUCKET_IS_EOS(pbktIn)) {
+ break;
+ }
+
+ /* read filter */
+ ret=apr_bucket_read(pbktIn,&data,&len,eReadType);
+
+ APR_BUCKET_REMOVE(pbktIn);
+
+ if(ret == APR_SUCCESS && len == 0 && eReadType == APR_BLOCK_READ)
+ ret=APR_EOF;
+
+ if(len == 0) {
+ /* Lazy frickin browsers just reset instead of shutting down. */
+ if(ret == APR_EOF || APR_STATUS_IS_ECONNRESET(ret)) {
+ if(APR_BRIGADE_EMPTY(pRec->pbbPendingInput))
+ return APR_EOF;
+ else
+ /* Next time around, the incoming brigade will be empty,
+ * so we'll return EOF then
+ */
+ return APR_SUCCESS;
+ }
+
+ if(eReadType != APR_NONBLOCK_READ)
+ ap_log_error(APLOG_MARK,APLOG_ERR,ret,NULL,
+ "Read failed in tls_in_filter");
+ assert(eReadType == APR_NONBLOCK_READ);
+ assert(ret == APR_SUCCESS || APR_STATUS_IS_EAGAIN(ret));
+ /* In this case, we have data in the output bucket, or we were
+ * non-blocking, so returning nothing is fine.
+ */
+ return APR_SUCCESS;
+ }
+
+ assert(len > 0);
+
+ n = BIO_write (pRec->pbioRead, data, len);
+ assert(n == len);
+
+ ssl_hook_process_connection (pRec);
+
+ n = ssl_io_hook_read(pRec->pssl, (unsigned char *)buf, sizeof(buf));
+ if(n > 0) {
+ apr_bucket *pbktOut;
+ char *pbuf;
+
+ pbuf=apr_pmemdup(pRec->pInputFilter->c->pool,buf,n);
+ /* XXX: should we use a heap bucket instead? Or a transient (in
+ * which case we need a separate brigade for each bucket)?
+ */
+ pbktOut=apr_bucket_pool_create(pbuf,n,pRec->pInputFilter->c->pool);
+ APR_BRIGADE_INSERT_TAIL(pRec->pbbPendingInput,pbktOut);
+
+ /* Once we've read something, we can move to non-blocking mode (if
+ * we weren't already).
+ */
+ eReadType=APR_NONBLOCK_READ;
+
+ /* XXX: deal with EOF! */
+ /* } else if(n == 0) {
+ apr_bucket *pbktEOS=apr_bucket_create_eos();
+ APR_BRIGADE_INSERT_TAIL(pbbInput,pbktEOS);*/
+ }
+ assert(n >= 0);
+
+ ret=churn_output(pRec);
+ if(ret != APR_SUCCESS)
+ return ret;
+ }
+
+ return churn_output(pRec);
+}
+
+apr_status_t ssl_io_filter_Output(ap_filter_t *f,apr_bucket_brigade *pbbIn)
+{
+ SSLFilterRec *pRec=f->ctx;
+ apr_bucket *pbktIn;
+conn_rec *c = SSL_get_app_data (pRec->pssl);
+
+ APR_BRIGADE_FOREACH(pbktIn,pbbIn) {
+ const char *data;
+ apr_size_t len, n;
+ apr_status_t ret;
+
+ if(APR_BUCKET_IS_EOS(pbktIn)) {
+ /* XXX: demote to debug */
+ ssl_log(c->base_server, SSL_LOG_INFO, "EOS in output");
+
+ if (ssl_hook_CloseConnection (pRec) != APR_SUCCESS)
+ ssl_log(c->base_server, SSL_LOG_INFO,
+ "Error in ssl_hook_CloseConnection");
+#if 0
+ /* XXX: dubious - does this always terminate? Does it return the right thing? */
+ for( ; ; ) {
+ ret=churn_output(pRec);
+ if(ret != APR_SUCCESS)
+ return ret;
+ /* XXX - Verify if passing &len is okay for churn - TBD */
+ len = 0;
+ ret=churn(pRec,APR_NONBLOCK_READ,&len);
+ if(ret != APR_SUCCESS) {
+ if(ret == APR_EOF)
+ return APR_SUCCESS;
+ else
+ return ret;
+ }
+ }
+#endif
+ break;
+ }
+
+ if(APR_BUCKET_IS_FLUSH(pbktIn)) {
+ /* assume that churn will flush (or already has) if there's output */
+ /* XXX - Verify if passing &len is okay for churn - TBD */
+ ssl_log(c->base_server, SSL_LOG_INFO, "FLUSH in output");
+ len = 0;
+ ret=churn(pRec,APR_NONBLOCK_READ,&len);
+ if(ret != APR_SUCCESS)
+ return ret;
+ continue;
+ }
+
+ ssl_log(c->base_server, SSL_LOG_INFO, "DATA in output");
+ /* read filter */
+ apr_bucket_read(pbktIn,&data,&len,APR_BLOCK_READ);
+
+ /* write SSL */
+ n = ssl_io_hook_write(pRec->pssl, (unsigned char *)data, len);
+ assert (n == len);
+
+
+ /* churn the state machine */
+ ret=churn_output(pRec);
+ if(ret != APR_SUCCESS)
+ return ret;
+ }
+ return APR_SUCCESS;
+}
+
+apr_status_t ssl_io_filter_Input(ap_filter_t *f,apr_bucket_brigade *pbbOut,
+ ap_input_mode_t eMode, apr_size_t *readbytes)
+{
+ apr_status_t ret;
+ SSLFilterRec *pRec = f->ctx;
+ apr_read_type_e eReadType =
+ (eMode == AP_MODE_BLOCKING) ? APR_BLOCK_READ : APR_NONBLOCK_READ;
+
+ /* XXX: we don't currently support peek */
+ assert(eMode != AP_MODE_PEEK);
+
+ /* churn the state machine */
+ ret = churn(pRec,eReadType,readbytes);
+ if(ret != APR_SUCCESS)
+ return ret;
+
+ /* XXX: shame that APR_BRIGADE_FOREACH doesn't work here */
+ while(!APR_BRIGADE_EMPTY(pRec->pbbPendingInput)) {
+ apr_bucket *pbktIn=APR_BRIGADE_FIRST(pRec->pbbPendingInput);
+ APR_BUCKET_REMOVE(pbktIn);
+ APR_BRIGADE_INSERT_TAIL(pbbOut,pbktIn);
+ }
+
+ return APR_SUCCESS;
+}
+
+void ssl_io_filter_init(conn_rec *c, SSL *ssl)
+{
+ SSLFilterRec *filter;
+
+ filter = apr_pcalloc(c->pool, sizeof(SSLFilterRec));
+ filter->pInputFilter = ap_add_input_filter(ssl_io_filter, filter, NULL, c);
+ filter->pOutputFilter = ap_add_output_filter(ssl_io_filter, filter, NULL, c);
+ filter->pbbInput = apr_brigade_create(c->pool);
+ filter->pbbPendingInput = apr_brigade_create(c->pool);
+ filter->pbioRead = BIO_new(BIO_s_mem());
+ filter->pbioWrite = BIO_new(BIO_s_mem());
+ SSL_set_bio(ssl, filter->pbioRead, filter->pbioWrite);
+ filter->pssl = ssl;
+ return;
+}
+
+void ssl_io_filter_register(apr_pool_t *p)
+{
+ ap_register_input_filter (ssl_io_filter, ssl_io_filter_Input, AP_FTYPE_NETWORK);
+ ap_register_output_filter (ssl_io_filter, ssl_io_filter_Output, AP_FTYPE_NETWORK);
+ return;
+}
+
/* _________________________________________________________________
**
** I/O Data Debugging
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
"+-------------------------------------------------------------------------+");
for(i = 0 ; i< rows; i++) {
- ap_snprintf(tmp, sizeof(tmp), "| %04x: ", i * DUMP_WIDTH);
- ap_cpystrn(buf, tmp, sizeof(buf));
+ apr_snprintf(tmp, sizeof(tmp), "| %04x: ", i * DUMP_WIDTH);
+ apr_cpystrn(buf, tmp, sizeof(buf));
for (j = 0; j < DUMP_WIDTH; j++) {
if (((i * DUMP_WIDTH) + j) >= len)
- ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
+ apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
else {
ch = ((unsigned char)*((char *)(s) + i * DUMP_WIDTH + j)) & 0xff;
- ap_snprintf(tmp, sizeof(tmp), "%02x%c", ch , j==7 ? '-' : ' ');
- ap_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
+ apr_snprintf(tmp, sizeof(tmp), "%02x%c", ch , j==7 ? '-' : ' ');
+ apr_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
}
}
- ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
+ apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
for (j = 0; j < DUMP_WIDTH; j++) {
if (((i * DUMP_WIDTH) + j) >= len)
- ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
+ apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf));
else {
ch = ((unsigned char)*((char *)(s) + i * DUMP_WIDTH + j)) & 0xff;
- ap_snprintf(tmp, sizeof(tmp), "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.');
- ap_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
+ apr_snprintf(tmp, sizeof(tmp), "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.');
+ apr_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf));
}
}
- ap_cpystrn(buf+strlen(buf), " |", sizeof(buf)-strlen(buf));
+ apr_cpystrn(buf+strlen(buf), " |", sizeof(buf)-strlen(buf));
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, "%s", buf);
}
if (trunc > 0)
return rc;
if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
return rc;
- s = c->server;
+ s = c->base_server;
if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
|| cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
}
return rc;
}
-
-#endif /* XXX */
-
ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)TRUE);
return;
}
+#endif /* XXX */
/*
* Close the SSL part of the socket connection
* (called immediately _before_ the socket is closed)
*/
-void ssl_hook_CloseConnection(conn_rec *conn)
+apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
{
SSL *ssl;
char *cpType;
+ conn_rec *conn;
+
+ ssl = filter->pssl;
+ conn = (conn_rec *)SSL_get_app_data(ssl);
- ssl = ap_ctx_get(conn->client->ctx, "ssl");
if (ssl == NULL)
- return;
+ return APR_SUCCESS;
/*
* First make sure that no more data is pending in Apache's BUFF,
* calls of Apache it would lead to an I/O error in the browser due
* to the fact that the SSL layer was already removed by us.
*/
- ap_bflush(conn->client);
+ ap_flush_conn(conn);
/*
* Now close the SSL layer of the connection. We've to take
* exchange close notify messages, but allow the user
* to force the type of handshake via SetEnvIf directive
*/
- if (ap_ctx_get(conn->client->ctx, "ssl::flag::unclean-shutdown") == PTRUE) {
+ if (apr_table_get(conn->notes, "ssl::flag::unclean-shutdown") == PTRUE) {
/* perform no close notify handshake at all
(violates the SSL/TLS standard!) */
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
cpType = "unclean";
}
- else if (ap_ctx_get(conn->client->ctx, "ssl::flag::accurate-shutdown") == PTRUE) {
+ else if (apr_table_get(conn->notes, "ssl::flag::accurate-shutdown") == PTRUE) {
/* send close notify and wait for clients close notify
(standard compliant, but usually causes connection hangs) */
SSL_set_shutdown(ssl, 0);
}
SSL_smart_shutdown(ssl);
- /* deallocate the SSL connection */
- SSL_free(ssl);
- ap_ctx_set(conn->client->ctx, "ssl", NULL);
-
/* and finally log the fact that we've closed the connection */
- ssl_log(conn->server, SSL_LOG_INFO,
+ ssl_log(conn->base_server, SSL_LOG_INFO,
"Connection to child %d closed with %s shutdown (server %s, client %s)",
- conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server),
+ conn->id, cpType, ssl_util_vhostid(conn->pool, conn->base_server),
conn->remote_ip != NULL ? conn->remote_ip : "unknown");
- return;
+
+ /* deallocate the SSL connection */
+ SSL_free(ssl);
+ apr_table_setn(conn->notes, "ssl", NULL);
+
+ return APR_SUCCESS;
}
/*
int ssl_hook_ReadReq(request_rec *r)
{
SSL *ssl;
- ap_ctx *apctx;
+ apr_table_t *apctx;
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
- ssl = ap_ctx_get(r->connection->client->ctx, "ssl");
+ ssl = (SSL *)apr_table_get(r->connection->notes, "ssl");
if (ssl != NULL) {
apctx = SSL_get_app_data2(ssl);
- ap_ctx_set(apctx, "ssl::request_rec", r);
+ apr_table_setn(apctx, "ssl::request_rec", (const char *)r);
}
/*
if (strEQn(r->uri, "/mod_ssl:", 9))
r->handler = "mod_ssl:content-handler";
if (ssl != NULL) {
- ap_ctx_set(r->ctx, "ap::http::method", "https");
- ap_ctx_set(r->ctx, "ap::default::port", "443");
+ apr_table_setn(r->notes, "ap::http::method", "https");
+ apr_table_setn(r->notes, "ap::default::port", "443");
}
else {
- ap_ctx_set(r->ctx, "ap::http::method", NULL);
- ap_ctx_set(r->ctx, "ap::default::port", NULL);
+ apr_table_setn(r->notes, "ap::http::method", NULL);
+ apr_table_setn(r->notes, "ap::default::port", NULL);
}
return DECLINED;
}
*/
int ssl_hook_Translate(request_rec *r)
{
- if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
+ if (apr_table_get(r->connection->notes, "ssl") == NULL)
return DECLINED;
/*
"%s HTTPS request received for child %d (server %s)",
r->connection->keepalives <= 0 ?
"Initial (No.1)" :
- ap_psprintf(r->pool, "Subsequent (No.%d)",
- r->connection->keepalives+1),
- r->connection->child_num,
+ apr_psprintf(r->pool, "Subsequent (No.%d)",
+ r->connection->keepalives+1),
+ r->connection->id,
ssl_util_vhostid(r->pool, r->server));
/*
* Move SetEnvIf information from request_rec to conn_rec/BUFF
* to allow the close connection handler to use them.
*/
- if (ap_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL)
- ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PTRUE);
+ if (apr_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL)
+ apr_table_setn(r->connection->notes, "ssl::flag::unclean-shutdown", PTRUE);
else
- ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PFALSE);
- if (ap_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL)
- ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PTRUE);
+ apr_table_setn(r->connection->notes, "ssl::flag::unclean-shutdown", PFALSE);
+ if (apr_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL)
+ apr_table_setn(r->connection->notes, "ssl::flag::accurate-shutdown", PTRUE);
else
- ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PFALSE);
+ apr_table_setn(r->connection->notes, "ssl::flag::accurate-shutdown", PFALSE);
return DECLINED;
}
thisport = "";
port = ap_get_server_port(r);
if (!ap_is_default_port(port, r))
- thisport = ap_psprintf(r->pool, ":%u", port);
- thisurl = ap_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r), thisport);
-
- ap_table_setn(r->notes, "error-notes", ap_psprintf(r->pool,
- "Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>\n"
- "Instead use the HTTPS scheme to access this URL, please.<BR>\n"
- "<BLOCKQUOTE>Hint: <A HREF=\"%s\"><B>%s</B></A></BLOCKQUOTE>",
- thisurl, thisurl));
+ thisport = apr_psprintf(r->pool, ":%u", port);
+ thisurl = apr_psprintf(r->pool, "https://%s%s/",
+ ap_get_server_name(r), thisport);
+
+ apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool,
+ "Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>\n"
+ "Instead use the HTTPS scheme to access this URL, please.<BR>\n"
+
"<BLOCKQUOTE>Hint: <A HREF=\"%s\"><B>%s</B></A></BLOCKQUOTE>",
+ thisurl, thisurl));
}
return HTTP_BAD_REQUEST;
SSLSrvConfigRec *sc;
SSL *ssl;
SSL_CTX *ctx = NULL;
- array_header *apRequirement;
+ apr_array_header_t *apRequirement;
ssl_require_t *pRequirements;
ssl_require_t *pRequirement;
char *cp;
STACK_OF(SSL_CIPHER) *skCipherOld;
STACK_OF(SSL_CIPHER) *skCipher;
SSL_CIPHER *pCipher;
- ap_ctx *apctx;
+ apr_table_t *apctx;
int nVerifyOld;
int nVerify;
int n;
dc = myDirConfig(r);
sc = mySrvConfig(r->server);
- ssl = ap_ctx_get(r->connection->client->ctx, "ssl");
+ ssl = (SSL *)apr_table_get(r->connection->notes, "ssl");
if (ssl != NULL)
ctx = SSL_get_SSL_CTX(ssl);
* Support for SSLRequireSSL directive
*/
if (dc->bSSLRequired && ssl == NULL) {
- ap_log_reason("SSL connection required", r->filename, r);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ "access to %s failed for %s, reason: %s", r->filename,
+ ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL),
+ "SSL connection required");
/* remember forbidden access for strict require option */
- ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
- return FORBIDDEN;
+ apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
+ return HTTP_FORBIDDEN;
}
/*
"Unable to reconfigure (per-directory) permitted SSL ciphers");
if (skCipherOld != NULL)
sk_SSL_CIPHER_free(skCipherOld);
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
skCipher = SSL_get_ciphers(ssl);
*/
if (dc->nVerifyDepth != UNSET) {
apctx = SSL_get_app_data2(ssl);
- if ((vp = ap_ctx_get(apctx, "ssl::verify::depth")) != NULL)
+ if ((vp = (void *)apr_table_get(apctx, "ssl::verify::depth")) != NULL)
n = (int)AP_CTX_PTR2NUM(vp);
else
n = sc->nVerifyDepth;
- ap_ctx_set(apctx, "ssl::verify::depth",
- AP_CTX_NUM2PTR(dc->nVerifyDepth));
+ apr_table_setn(apctx, "ssl::verify::depth",
+ (const char *)AP_CTX_NUM2PTR(dc->nVerifyDepth));
/* determine whether a renegotiation has to be forced */
if (dc->nVerifyDepth < n) {
renegotiate = TRUE;
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"for client authentication");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
if ((skCAList = ssl_init_FindCAList(r->server, r->pool,
cpCAFile, cpCAPath)) == NULL) {
ssl_log(r->server, SSL_LOG_ERROR,
"Unable to determine list of available "
"CA certificates for client authentication");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
SSL_set_client_CA_list(ssl, skCAList);
renegotiate = TRUE;
if (renegotiate && r->method_number == M_POST) {
ssl_log(r->server, SSL_LOG_ERROR,
"SSL Re-negotiation in conjunction with POST method not supported!");
- return METHOD_NOT_ALLOWED;
+ return HTTP_METHOD_NOT_ALLOWED;
}
/*
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
certstack = SSL_get_peer_cert_chain(ssl);
if (certstack == NULL || sk_X509_num(certstack) == 0) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
cert = sk_X509_value(certstack, 0);
X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack);
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake");
SSL_set_state(ssl, SSL_ST_ACCEPT);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Not accepted by client!?");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
}
*/
if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
- ap_ctx_set(r->connection->client->ctx, "ssl::client::dn",
- ap_pstrdup(r->connection->pool, cp));
+ apr_table_setn(r->connection->notes, "ssl::client::dn",
+ apr_pstrdup(r->connection->pool, cp));
free(cp);
}
&& SSL_get_verify_result(ssl) != X509_V_OK ) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Client verification failed");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE
&& SSL_get_peer_certificate(ssl) == NULL ) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Client certificate missing");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
}
}
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"to per-server configuration parameters");
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
pRequirement = &pRequirements[i];
ok = ssl_expr_exec(r, pRequirement->mpExpr);
if (ok < 0) {
- cp = ap_psprintf(r->pool, "Failed to execute SSL requirement expression: %s",
- ssl_expr_get_error());
- ap_log_reason(cp, r->filename, r);
+ cp = apr_psprintf(r->pool, "Failed to execute SSL requirement expression: %s",
+ ssl_expr_get_error());
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ "access to %s failed for %s, reason: %s", r->filename,
+ ap_get_remote_host(r->connection, r->per_dir_config, 1, NULL), cp);
/* remember forbidden access for strict require option */
- ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
- return FORBIDDEN;
+ apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
+ return HTTP_FORBIDDEN;
}
if (ok != 1) {
ssl_log(r->server, SSL_LOG_INFO,
r->filename, r->connection->remote_ip);
ssl_log(r->server, SSL_LOG_INFO,
"Failed expression: %s", pRequirement->cpExpr);
- ap_log_reason("SSL requirement expression not fulfilled "
- "(see SSL logfile for more details)", r->filename, r);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ "access to %s failed for %s, reason: %s", r->filename,
+ ap_get_remote_host(r->connection, r->per_dir_config, 1, NULL),
+ "SSL requirement expression not fulfilled "
+ "(see SSL logfile for more details)");
/* remember forbidden access for strict require option */
- ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
- return FORBIDDEN;
+ apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
+ return HTTP_FORBIDDEN;
}
}
* when strict require option is used.
*/
if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
- && (ap_table_get(r->notes, "ssl-access-forbidden") != NULL))
- return FORBIDDEN;
+ && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL))
+ return HTTP_FORBIDDEN;
/*
* Make sure the user is not able to fake the client certificate
* ("/XX=YYY/XX=YYY/..") as the username and "password" as the
* password.
*/
- if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) {
+ if ((cpAL = apr_table_get(r->headers_in, "Authorization")) != NULL) {
if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) {
while (*cpAL == ' ' || *cpAL == '\t')
cpAL++;
cpUN = ap_getword_nulls(r->pool, &cpAL, ':');
cpPW = cpAL;
if (cpUN[0] == '/' && strEQ(cpPW, "password"))
- return FORBIDDEN;
+ return HTTP_FORBIDDEN;
}
}
*/
if (!sc->bEnabled)
return DECLINED;
- if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
+ if (apr_table_get(r->connection->notes, "ssl") == NULL)
return DECLINED;
if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH))
return DECLINED;
- if (r->connection->user)
+ if (r->user)
return DECLINED;
- if ((clientdn = (char *)ap_ctx_get(r->connection->client->ctx, "ssl::client::dn")) == NULL)
+ if ((clientdn = (char *)apr_table_get(r->connection->notes, "ssl::client::dn")) == NULL)
return DECLINED;
/*
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
- ap_snprintf(b1, sizeof(b1), "%s:password", clientdn);
+ apr_snprintf(b1, sizeof(b1), "%s:password", clientdn);
ssl_util_uuencode(b2, b1, FALSE);
- ap_snprintf(b1, sizeof(b1), "Basic %s", b2);
- ap_table_set(r->headers_in, "Authorization", b1);
+ apr_snprintf(b1, sizeof(b1), "Basic %s", b2);
+ apr_table_set(r->headers_in, "Authorization", b1);
ssl_log(r->server, SSL_LOG_INFO,
"Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
* when strict require option is used.
*/
if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
- && (ap_table_get(r->notes, "ssl-access-forbidden") != NULL))
- return FORBIDDEN;
+ && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL))
+ return HTTP_FORBIDDEN;
return DECLINED;
}
{
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- table *e = r->subprocess_env;
+ apr_table_t *e = r->subprocess_env;
char *var;
char *val;
STACK_OF(X509) *sk;
*/
if (!sc->bEnabled)
return DECLINED;
- if ((ssl = ap_ctx_get(r->connection->client->ctx, "ssl")) == NULL)
+ if ((ssl = (SSL *)apr_table_get(r->connection->notes, "ssl")) == NULL)
return DECLINED;
/*
* Annotate the SSI/CGI environment with standard SSL information
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
- ap_table_set(e, "HTTPS", "on");
+ apr_table_set(e, "HTTPS", "on");
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
+#if 0 /* XXX */
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+#endif
if (!strIsEmpty(val))
- ap_table_set(e, var, val);
+ apr_table_set(e, var, val);
}
}
* On-demand bloat up the SSI/CGI environment with certificate data
*/
if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
+#if 0 /* XXX */
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT");
- ap_table_set(e, "SSL_SERVER_CERT", val);
+ apr_table_set(e, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
- ap_table_set(e, "SSL_CLIENT_CERT", val);
+ apr_table_set(e, "SSL_CLIENT_CERT", val);
+#endif
if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
for (i = 0; i < sk_X509_num(sk); i++) {
- var = ap_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
+ var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
+#if 0 /* XXX */
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+#endif
if (val != NULL)
- ap_table_set(e, var, val);
+ apr_table_setn(e, var, val);
}
}
}
*/
RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = ssl_util_getmodconfig_ssl(pSSL, "ssl_module");
RSA *rsa;
rsa = NULL;
*/
DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = ssl_util_getmodconfig_ssl(pSSL, "ssl_module");
DH *dh;
dh = NULL;
request_rec *r;
SSLSrvConfigRec *sc;
SSLDirConfigRec *dc;
- ap_ctx *actx;
+ apr_table_t *actx;
X509 *xs;
int errnum;
int errdepth;
*/
ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
conn = (conn_rec *)SSL_get_app_data(ssl);
- actx = (ap_ctx *)SSL_get_app_data2(ssl);
- r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec");
- s = conn->server;
+ actx = (apr_table_t *)SSL_get_app_data2(ssl);
+ r = (request_rec *)apr_table_get(actx, "ssl::request_rec");
+ s = conn->base_server;
sc = mySrvConfig(s);
dc = (r != NULL ? myDirConfig(r) : NULL);
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");
- ap_ctx_set(conn->client->ctx, "ssl::verify::info", "GENEROUS");
+ apr_table_setn(conn->notes, "ssl::verify::info", "GENEROUS");
ok = TRUE;
}
if (!ok) {
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum));
- ap_ctx_set(conn->client->ctx, "ssl::client::dn", NULL);
- ap_ctx_set(conn->client->ctx, "ssl::verify::error",
+ apr_table_setn(conn->notes, "ssl::client::dn", NULL);
+ apr_table_setn(conn->notes, "ssl::verify::error",
(void *)X509_verify_cert_error_string(errnum));
}
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
errdepth, depth);
- ap_ctx_set(conn->client->ctx, "ssl::verify::error",
+ apr_table_setn(conn->notes, "ssl::verify::error",
(void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
ok = FALSE;
}
* Get Apache context back through OpenSSL context
*/
conn = (conn_rec *)SSL_get_app_data(ssl);
- s = conn->server;
+ s = conn->base_server;
sc = mySrvConfig(s);
/*
* Get Apache context back through OpenSSL context
*/
conn = (conn_rec *)SSL_get_app_data(ssl);
- s = conn->server;
+ s = conn->base_server;
/*
* Try to retrieve the SSL_SESSION from the inter-process cache
*/
if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
return;
- s = c->server;
+ s = c->base_server;
if ((sc = mySrvConfig(s)) == NULL)
return;
* right after a finished handshake.
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
+#if 0 /* XXX */
ssl_log(s, SSL_LOG_INFO,
"Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
+#endif
}
return;
}
-#endif /* XXX */
-
-- Ralf S. Engelschall */
#include "mod_ssl.h"
-#if 0 /* XXX */
-
/* _________________________________________________________________
**
** Logfile Support
/*
* Open the SSL logfile
*/
-void ssl_log_open(server_rec *s_main, server_rec *s, pool *p)
+void ssl_log_open(server_rec *s_main, server_rec *s, apr_pool_t *p)
{
- char *szLogFile;
+ const char *szLogFile;
SSLSrvConfigRec *sc_main = mySrvConfig(s_main);
SSLSrvConfigRec *sc = mySrvConfig(s);
piped_log *pl;
if (strEQ(sc->szLogFile, "/dev/null"))
return;
else if (sc->szLogFile[0] == '|') {
- szLogFile = ap_server_root_relative(p, "log", sc->szLogFile+1);
+ szLogFile = ap_server_root_relative(p, sc->szLogFile+1);
if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open reliable pipe to SSL logfile filter %s", szLogFile);
ssl_die();
}
- sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a");
- setbuf(sc->fileLogFile, NULL);
+ sc->fileLogFile = ap_piped_log_write_fd(pl);
}
else {
- szLogFile = ap_server_root_relative(p, "log", sc->szLogFile);
- if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) {
+ szLogFile = ap_server_root_relative(p, sc->szLogFile);
+ if ((apr_file_open(&(sc->fileLogFile), szLogFile,
+ APR_WRITE|APR_APPEND|APR_CREATE, APR_OS_DEFAULT, p))
+ != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSL logfile %s", szLogFile);
ssl_die();
}
- setbuf(sc->fileLogFile, NULL);
}
}
return;
char vstr[1024];
char str[1024];
char nstr[2];
- int timz;
- struct tm *t;
+ apr_size_t len;
+ apr_exploded_time_t t;
va_list ap;
int add;
int i;
if (add & SSL_NO_TIMESTAMP)
tstr[0] = NUL;
else {
- t = ap_get_gmtoff(&timz);
- strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);
- i = strlen(tstr);
- ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid());
+ apr_explode_localtime(&t, apr_time_now());
+ apr_strftime(tstr, &len, 80, "[%d/%b/%Y %H:%M:%S", &t);
+ apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), " %05d] ",
+ (unsigned int)getpid());
}
/* determine whether newline should be written */
if (!(add & SSL_NO_LEVELID)) {
for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) {
if (ssl_log_level2string[i].nLevel == level) {
- ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
+ apr_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
break;
}
}
}
/* create custom message */
- ap_vsnprintf(vstr, sizeof(vstr), msg, ap);
+ apr_vsnprintf(vstr, sizeof(vstr), msg, ap);
/* write out SSLog message */
if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR))
else
astr = "";
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
- ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr);
- fprintf(sc->fileLogFile, "%s", str);
+ apr_snprintf(str, sizeof(str), "%s%s%s%s%s",
+ tstr, lstr, vstr, astr, nstr);
+ apr_file_printf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"mod_ssl: %s%s", vstr, astr);
/* write out additional attachment messages */
if (add & SSL_ADD_ERRNO) {
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
- ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
- tstr, lstr, strerror(safe_errno), safe_errno, nstr);
- fprintf(sc->fileLogFile, "%s", str);
+ apr_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
+ tstr, lstr, strerror(safe_errno), safe_errno, nstr);
+ apr_file_printf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"System: %s (errno: %d)",
strerror(safe_errno), safe_errno);
}
cpE = ERR_error_string(e, NULL);
cpA = ssl_log_annotation(cpE);
if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
- ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
- tstr, lstr, SSL_LIBRARY_NAME, cpE,
- cpA != NULL ? " [Hint: " : "",
- cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
- nstr);
- fprintf(sc->fileLogFile, "%s", str);
+ apr_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
+ tstr, lstr, SSL_LIBRARY_NAME, cpE,
+ cpA != NULL ? " [Hint: " : "",
+ cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
+ nstr);
+ apr_file_printf(sc->fileLogFile, "%s", str);
}
if (level & SSL_LOG_ERROR)
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
"%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
cpA != NULL ? " [Hint: " : "",
cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
/* cleanup and return */
if (sc->fileLogFile != NULL)
- fflush(sc->fileLogFile);
+ apr_file_flush(sc->fileLogFile);
errno = safe_errno;
va_end(ap);
return;
exit(1);
}
-#endif /* XXX */
-
-- Unknown */
#include "mod_ssl.h"
-#if 0 /* XXX */
-
int ssl_mutex_init(server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
int ssl_mutex_reinit(server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
int ssl_mutex_on(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
int ssl_mutex_off(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
int ssl_mutex_kill(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nMutexMode == SSL_MUTEXMODE_NONE)
return TRUE;
return TRUE;
}
-#endif /* XXX */
-
-- Clifford Stoll */
#include "mod_ssl.h"
-#if 0 /* XXX */
-
/* _________________________________________________________________
**
** Pass Phrase and Private Key Handling
#define BUILTIN_DIALOG_BACKOFF 2
#define BUILTIN_DIALOG_RETRIES 5
-void ssl_pphrase_Handle(server_rec *s, pool *p)
+void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc;
server_rec *pServ;
char *cpVHostID;
algoKey = SSL_ALGO_UNKNOWN;
for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) {
- ap_cpystrn(szPath, sc->szPublicCertFile[i], sizeof(szPath));
+ apr_cpystrn(szPath, sc->szPublicCertFile[i], sizeof(szPath));
+#if 0 /* XXX */
if ((fp = ap_pfopen(p, szPath, "r")) == NULL) {
+#else
+ if ((fp = fopen(szPath, "r")) == NULL) {
+#endif
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server certificate file %s", szPath);
ssl_die();
"Init: Unable to read server certificate from file %s", szPath);
ssl_die();
}
+#if 0 /* XXX */
ap_pfclose(p, fp);
+#else
+ fclose(fp);
+#endif
/*
* check algorithm type of certificate and make
* certificate is actually used to configure mod_ssl's per-server
* configuration structures).
*/
- cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
+ cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPublicCert, cp);
asn1->nData = i2d_X509(pX509Cert, NULL);
- asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_X509(pX509Cert, &ucp); /* 2nd arg increments */
/*
* by trying to re-use already known/entered pass phrases.
*/
if (sc->szPrivateKeyFile[j] != NULL)
- ap_cpystrn(szPath, sc->szPrivateKeyFile[j++], sizeof(szPath));
+ apr_cpystrn(szPath, sc->szPrivateKeyFile[j++], sizeof(szPath));
/*
* Try to read the private key file with the help of
* the callback function which serves the pass
* phrases to OpenSSL
*/
+#if 0 /* XXX */
if ((fp = ap_pfopen(p, szPath, "r")) == NULL) {
+#else
+ if ((fp = fopen(szPath, "r")) == NULL) {
+#endif
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server private key file %s", szPath);
ssl_die();
}
cpPassPhraseCur = NULL;
bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL,
- ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE);
+ ssl_pphrase_Handle_CB, s)) != NULL ? TRUE : FALSE);
+#if 0 /* XXX */
ap_pfclose(p, fp);
+#else
+ fclose(fp);
+#endif
/*
* when the private key file now was readable,
* because the SSL library uses static variables inside a
* RSA structure which do not survive DSO reloads!)
*/
- cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
+ cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPrivateKey, cp);
asn1->nData = i2d_PrivateKey(pPrivateKey, NULL);
- asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ asn1->cpData = apr_palloc(mc->pPool, asn1->nData);
ucp = asn1->cpData; i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
/*
return;
}
-int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
+int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig((server_rec *)srv);
server_rec *s;
- pool *p;
+ apr_pool_t *p;
ssl_ds_array *aPassPhrase;
SSLSrvConfigRec *sc;
int *pnPassPhraseCur;
* Reconnect to the context of ssl_phrase_Handle()
*/
s = myCtxVarGet(mc, 1, server_rec *);
- p = myCtxVarGet(mc, 2, pool *);
+ p = myCtxVarGet(mc, 2, apr_pool_t *);
aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
* When remembered pass phrases are available use them...
*/
if ((cpp = (char **)ssl_ds_array_get(aPassPhrase, *pnPassPhraseCur)) != NULL) {
- ap_cpystrn(buf, *cpp, bufsize);
+ apr_cpystrn(buf, *cpp, bufsize);
len = strlen(buf);
return len;
}
*/
if (*pnPassPhraseDialog == 1) {
fprintf(stderr, "%s mod_ssl/%s (Pass Phrase Dialog)\n",
- SERVER_BASEVERSION, MOD_SSL_VERSION);
+ AP_SERVER_BASEVERSION, MOD_SSL_VERSION);
fprintf(stderr, "Some of your private key files are encrypted for security reasons.\n");
fprintf(stderr, "In order to read them you have to provide us with the pass phrases.\n");
}
sc->szPassPhraseDialogPath);
if (strchr(sc->szPassPhraseDialogPath, ' ') != NULL)
- cmd = ap_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
+ cmd = apr_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
else
- cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
+ cmd = apr_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
result = ssl_util_readfilter(s, p, cmd);
- ap_cpystrn(buf, result, bufsize);
+ apr_cpystrn(buf, result, bufsize);
len = strlen(buf);
}
/*
* Ok, we now have the pass phrase, so give it back
*/
- *cppPassPhraseCur = ap_pstrdup(p, buf);
+ *cppPassPhraseCur = apr_pstrdup(p, buf);
/*
* And return it's length to OpenSSL...
return (len);
}
-#endif /* XXX */
-
#include "mod_ssl.h"
-#if 0 /* XXX */
-
/* _________________________________________________________________
**
** Support for better seeding of SSL library's RNG
*/
static int ssl_rand_choosenum(int, int);
-static int ssl_rand_feedfp(pool *, FILE *, int);
+static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int);
-int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix)
+int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
{
SSLModConfigRec *mc;
- array_header *apRandSeed;
+ apr_array_header_t *apRandSeed;
ssl_randseed_t *pRandSeeds;
ssl_randseed_t *pRandSeed;
unsigned char stackdata[256];
int nReq, nDone;
- FILE *fp;
+ apr_file_t *fp;
int i, n, l;
time_t t;
pid_t pid;
- mc = myModConfig();
+ mc = myModConfig(s);
nReq = 0;
nDone = 0;
apRandSeed = mc->aRandSeed;
/*
* seed in contents of an external file
*/
- if ((fp = ap_pfopen(p, pRandSeed->cpPath, "r")) == NULL)
+ if (apr_file_open(&fp, pRandSeed->cpPath,
+ APR_READ, APR_OS_DEFAULT, p) != APR_SUCCESS)
continue;
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
- ap_pfclose(p, fp);
+ apr_file_close(fp);
}
else if (pRandSeed->nSrc == SSL_RSSRC_EXEC) {
/*
* seed in contents generated by an external program
*/
- if ((fp = ssl_util_ppopen(s, p, ap_psprintf(p, "%s %d",
+ if ((fp = ssl_util_ppopen(s, p, apr_psprintf(p, "%s %d",
pRandSeed->cpPath, pRandSeed->nBytes))) == NULL)
continue;
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
#define BUFSIZE 8192
-static int ssl_rand_feedfp(pool *p, FILE *fp, int nReq)
+static int ssl_rand_feedfp(apr_pool_t *p, apr_file_t *fp, int nReq)
{
- int nDone;
+ apr_size_t nDone;
unsigned char caBuf[BUFSIZE];
- int nBuf;
- int nRead;
- int nTodo;
+ apr_size_t nBuf;
+ apr_size_t nRead;
+ apr_size_t nTodo;
nDone = 0;
nRead = BUFSIZE;
while (1) {
if (nReq > 0)
nRead = (nTodo < BUFSIZE ? nTodo : BUFSIZE);
- if ((nBuf = (int)fread(caBuf, 1, nRead, fp)) <= 0)
+ nBuf = nRead;
+ if (apr_file_read(fp, caBuf, &nBuf) != APR_SUCCESS)
break;
RAND_seed(caBuf, nBuf);
nDone += nBuf;
char buf[50];
srand((unsigned int)time(NULL));
- ap_snprintf(buf, sizeof(buf), "%.0f",
- (((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l)));
+ apr_snprintf(buf, sizeof(buf), "%.0f",
+ (((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l)));
i = atoi(buf)+1;
if (i < l) i = l;
if (i > h) i = h;
return i;
}
-#endif /* XXX */
-
** _________________________________________________________________
*/
-#if 0 /* XXX */
-static char *ssl_var_lookup_header(pool *p, request_rec *r, const char *name);
-static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var);
-static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var);
-static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var);
-static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm);
-static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs);
-static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *var);
-static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs);
-static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c);
-static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var);
+static char *ssl_var_lookup_header(apr_pool_t *p, request_rec *r, const char *name);
+static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var);
+static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var);
+static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
+static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm);
+static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
+static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
+static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
+static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
+static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
-static char *ssl_var_lookup_ssl_version(pool *p, char *var);
-#endif /* XXX */
+static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
void ssl_var_register(void)
{
return;
}
-#if 0 /* XXX */
-
char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
char *result;
BOOL resdup;
time_t tc;
else if (strcEQ(var, "REQUEST_METHOD"))
result = (char *)(r->method);
else if (strcEQ(var, "REQUEST_SCHEME"))
- result = ap_http_method(r);
+ result = (char *)ap_http_method(r);
else if (strcEQ(var, "REQUEST_URI"))
result = r->uri;
else if (strcEQ(var, "SCRIPT_FILENAME") ||
result = r->args;
else if (strcEQ(var, "REMOTE_HOST"))
result = (char *)ap_get_remote_host(r->connection,
- r->per_dir_config, REMOTE_NAME);
+ r->per_dir_config, REMOTE_NAME, NULL);
else if (strcEQ(var, "REMOTE_IDENT"))
result = (char *)ap_get_remote_logname(r);
else if (strcEQ(var, "IS_SUBREQ"))
else if (strcEQ(var, "SERVER_NAME"))
result = (char *)ap_get_server_name(r);
else if (strcEQ(var, "SERVER_PORT"))
- result = ap_psprintf(p, "%u", ap_get_server_port(r));
+ result = apr_psprintf(p, "%u", ap_get_server_port(r));
else if (strcEQ(var, "SERVER_PROTOCOL"))
result = r->protocol;
}
if (strcEQ(var, "REMOTE_ADDR"))
result = c->remote_ip;
else if (strcEQ(var, "REMOTE_USER"))
- result = c->user;
+ result = r->user;
else if (strcEQ(var, "AUTH_TYPE"))
- result = c->ap_auth_type;
+ result = r->ap_auth_type;
else if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
result = ssl_var_lookup_ssl(p, c, var+4);
else if (strcEQ(var, "HTTPS")) {
- if (ap_ctx_get(c->client->ctx, "ssl") != NULL)
+ if (apr_table_get(c->notes, "ssl") != NULL)
result = "on";
else
result = "off";
else if (strcEQ(var, "SERVER_SOFTWARE"))
result = (char *)ap_get_server_version();
else if (strcEQ(var, "API_VERSION")) {
- result = ap_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
+ result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER);
resdup = FALSE;
}
else if (strcEQ(var, "TIME_YEAR")) {
tc = time(NULL);
tm = localtime(&tc);
- result = ap_psprintf(p, "%02d%02d",
+ result = apr_psprintf(p, "%02d%02d",
(tm->tm_year / 100) + 19, tm->tm_year % 100);
resdup = FALSE;
}
#define MKTIMESTR(format, tmfield) \
tc = time(NULL); \
tm = localtime(&tc); \
- result = ap_psprintf(p, format, tm->tmfield); \
+ result = apr_psprintf(p, format, tm->tmfield); \
resdup = FALSE;
else if (strcEQ(var, "TIME_MON")) {
MKTIMESTR("%02d", tm_mon+1)
else if (strcEQ(var, "TIME")) {
tc = time(NULL);
tm = localtime(&tc);
- result = ap_psprintf(p,
+ result = apr_psprintf(p,
"%02d%02d%02d%02d%02d%02d%02d", (tm->tm_year / 100) + 19,
(tm->tm_year % 100), tm->tm_mon+1, tm->tm_mday,
tm->tm_hour, tm->tm_min, tm->tm_sec);
}
/* all other env-variables from the parent Apache process */
else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) {
- result = (char *)ap_table_get(r->notes, var+4);
+ result = (char *)apr_table_get(r->notes, var+4);
if (result == NULL)
- result = (char *)ap_table_get(r->subprocess_env, var+4);
+ result = (char *)apr_table_get(r->subprocess_env, var+4);
if (result == NULL)
result = getenv(var+4);
}
}
if (result != NULL && resdup)
- result = ap_pstrdup(p, result);
+ result = apr_pstrdup(p, result);
if (result == NULL)
result = "";
return result;
}
-static char *ssl_var_lookup_header(pool *p, request_rec *r, const char *name)
+static char *ssl_var_lookup_header(apr_pool_t *p, request_rec *r, const char *name)
{
- array_header *hdrs_arr;
- table_entry *hdrs;
- int i;
-
- hdrs_arr = ap_table_elts(r->headers_in);
- hdrs = (table_entry *)hdrs_arr->elts;
- for (i = 0; i < hdrs_arr->nelts; ++i) {
- if (hdrs[i].key == NULL)
- continue;
- if (strcEQ(hdrs[i].key, name))
- return ap_pstrdup(p, hdrs[i].val);
- }
- return NULL;
+ char *hdr = NULL;
+
+ if ((hdr = (char *)apr_table_get(r->headers_in, name)) != NULL)
+ hdr = apr_pstrdup(p, hdr);
+ return hdr;
}
-static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var)
+static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
{
char *result;
X509 *xs;
result = NULL;
- ssl = ap_ctx_get(c->client->ctx, "ssl");
+ ssl = (SSL *)apr_table_get(c->notes, "ssl");
if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) {
result = ssl_var_lookup_ssl_version(p, var+8);
}
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
SSL_SESSION *pSession = SSL_get_session(ssl);
- result = ap_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id,
+ result = apr_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id,
pSession->session_id_length));
}
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
return result;
}
-static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var)
+static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var)
{
char *result;
BOOL resdup;
resdup = TRUE;
if (strcEQ(var, "M_VERSION")) {
- result = ap_psprintf(p, "%lu", X509_get_version(xs)+1);
+ result = apr_psprintf(p, "%lu", X509_get_version(xs)+1);
resdup = FALSE;
}
else if (strcEQ(var, "M_SERIAL")) {
else if (strcEQ(var, "S_DN")) {
xsname = X509_get_subject_name(xs);
cp = X509_NAME_oneline(xsname, NULL, 0);
- result = ap_pstrdup(p, cp);
+ result = apr_pstrdup(p, cp);
free(cp);
resdup = FALSE;
}
else if (strcEQ(var, "I_DN")) {
xsname = X509_get_issuer_name(xs);
cp = X509_NAME_oneline(xsname, NULL, 0);
- result = ap_pstrdup(p, cp);
+ result = apr_pstrdup(p, cp);
free(cp);
resdup = FALSE;
}
}
else if (strcEQ(var, "A_SIG")) {
nid = OBJ_obj2nid(xs->cert_info->signature->algorithm);
- result = ap_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
+ result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
nid = OBJ_obj2nid(xs->cert_info->key->algor->algorithm);
- result = ap_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
+ result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "CERT")) {
}
if (result != NULL && resdup)
- result = ap_pstrdup(p, result);
+ result = apr_pstrdup(p, result);
return result;
}
{ NULL, 0 }
};
-static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var)
+static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var)
{
char *result;
X509_NAME_ENTRY *xsne;
xsne = sk_X509_NAME_ENTRY_value(xsname->entries, j);
n = OBJ_obj2nid(xsne->object);
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid) {
- result = ap_palloc(p, xsne->value->length+1);
- ap_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1);
+ result = apr_palloc(p, xsne->value->length+1);
+ apr_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1);
#ifdef CHARSET_EBCDIC
ascii2ebcdic(result, result, xsne->value->length);
#endif /* CHARSET_EBCDIC */
return result;
}
-static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm)
+static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm)
{
char *result;
BIO* bio;
return NULL;
ASN1_UTCTIME_print(bio, tm);
n = BIO_pending(bio);
- result = ap_pcalloc(p, n+1);
+ result = apr_pcalloc(p, n+1);
n = BIO_read(bio, result, n);
result[n] = NUL;
BIO_free(bio);
return result;
}
-static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs)
+static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs)
{
char *result;
BIO *bio;
return NULL;
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(xs));
n = BIO_pending(bio);
- result = ap_pcalloc(p, n+1);
+ result = apr_pcalloc(p, n+1);
n = BIO_read(bio, result, n);
result[n] = NUL;
BIO_free(bio);
return result;
}
-static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *var)
+static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var)
{
char *result;
X509 *xs;
return result;
}
-static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs)
+static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
{
char *result;
BIO *bio;
return NULL;
PEM_write_bio_X509(bio, xs);
n = BIO_pending(bio);
- result = ap_pcalloc(p, n+1);
+ result = apr_pcalloc(p, n+1);
n = BIO_read(bio, result, n);
result[n] = NUL;
BIO_free(bio);
return result;
}
-static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c)
+static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
{
char *result;
long vrc;
X509 *xs;
result = NULL;
- ssl = ap_ctx_get(c->client->ctx, "ssl");
- verr = ap_ctx_get(c->client->ctx, "ssl::verify::error");
- vinfo = ap_ctx_get(c->client->ctx, "ssl::verify::info");
+ ssl = (SSL *) apr_table_get(c->notes, "ssl");
+ verr = (char *)apr_table_get(c->notes, "ssl::verify::error");
+ vinfo = (char *)apr_table_get(c->notes, "ssl::verify::info");
vrc = SSL_get_verify_result(ssl);
xs = SSL_get_peer_certificate(ssl);
result = "GENEROUS";
else
/* client verification failed */
- result = ap_psprintf(p, "FAILED:%s", verr);
+ result = apr_psprintf(p, "FAILED:%s", verr);
return result;
}
-static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var)
+static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var)
{
char *result;
BOOL resdup;
result = NULL;
resdup = TRUE;
- ssl = ap_ctx_get(c->client->ctx, "ssl");
+ ssl = (SSL *)apr_table_get(c->notes, "ssl");
ssl_var_lookup_ssl_cipher_bits(ssl, &usekeysize, &algkeysize);
if (strEQ(var, ""))
else if (strcEQ(var, "_EXPORT"))
result = (usekeysize < 56 ? "true" : "false");
else if (strcEQ(var, "_USEKEYSIZE")) {
- result = ap_psprintf(p, "%d", usekeysize);
+ result = apr_psprintf(p, "%d", usekeysize);
resdup = FALSE;
}
else if (strcEQ(var, "_ALGKEYSIZE")) {
- result = ap_psprintf(p, "%d", algkeysize);
+ result = apr_psprintf(p, "%d", algkeysize);
resdup = FALSE;
}
if (result != NULL && resdup)
- result = ap_pstrdup(p, result);
+ result = apr_pstrdup(p, result);
return result;
}
return;
}
-static char *ssl_var_lookup_ssl_version(pool *p, char *var)
+static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
{
char *result;
char *cp, *cp2;
if (strEQ(var, "PRODUCT")) {
#if defined(SSL_PRODUCT_NAME) && defined(SSL_PRODUCT_VERSION)
- result = ap_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
+ result = apr_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION);
#else
result = NULL;
#endif
}
else if (strEQ(var, "INTERFACE")) {
- result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
+ result = apr_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
}
else if (strEQ(var, "LIBRARY")) {
- result = ap_pstrdup(p, SSL_LIBRARY_TEXT);
+ result = apr_pstrdup(p, SSL_LIBRARY_TEXT);
if ((cp = strchr(result, ' ')) != NULL) {
*cp = '/';
if ((cp2 = strchr(cp, ' ')) != NULL)
}
return result;
}
-
-#endif /* XXX */
-
-
-- Unknown */
#include "mod_ssl.h"
-#if 0 /* XXX */
-
/* _________________________________________________________________
**
** Session Cache: Common Abstraction Layer
** _________________________________________________________________
*/
-void ssl_scache_init(server_rec *s, pool *p)
+void ssl_scache_init(server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_init(s, p);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_init(s, p);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_init(s, p);
+#endif
return;
}
void ssl_scache_kill(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_kill(s);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_kill(s);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_kill(s);
+#endif
return;
}
BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
BOOL rv = FALSE;
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
rv = ssl_scache_dbm_store(s, id, idlen, expiry, sess);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
rv = ssl_scache_shmht_store(s, id, idlen, expiry, sess);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
rv = ssl_scache_shmcb_store(s, id, idlen, expiry, sess);
+#endif
return rv;
}
SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
SSL_SESSION *sess = NULL;
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
sess = ssl_scache_dbm_retrieve(s, id, idlen);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
sess = ssl_scache_shmht_retrieve(s, id, idlen);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
sess = ssl_scache_shmcb_retrieve(s, id, idlen);
+#endif
return sess;
}
void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_remove(s, id, idlen);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_remove(s, id, idlen);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_remove(s, id, idlen);
+#endif
return;
}
-void ssl_scache_status(server_rec *s, pool *p, void (*func)(char *, void *), void *arg)
+void ssl_scache_status(server_rec *s, apr_pool_t *p, void (*func)(char *, void *), void *arg)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_status(s, p, func, arg);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_status(s, p, func, arg);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_status(s, p, func, arg);
+#endif
return;
}
void ssl_scache_expire(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
if (mc->nSessionCacheMode == SSL_SCMODE_DBM)
ssl_scache_dbm_expire(s);
+#if 0 /* XXX */
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT)
ssl_scache_shmht_expire(s);
else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB)
ssl_scache_shmcb_expire(s);
+#endif
return;
}
-
-#endif /* XXX */
-
#include "mod_ssl.h"
-#if 0 /* XXX */
-
-void ssl_scache_dbm_init(server_rec *s, pool *p)
+void ssl_scache_dbm_init(server_rec *s, apr_pool_t *p)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
/* for the DBM we need the data file */
/* open it once to create it and to make sure it _can_ be created */
ssl_mutex_on(s);
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDWR|O_CREAT, SSL_DBM_FILE_MODE)) == NULL) {
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot create SSLSessionCache DBM file `%s'",
mc->szSessionCacheDataFile);
* cannot exactly determine the suffixes we try all possibilities.
*/
if (geteuid() == 0 /* is superuser */) {
- chown(mc->szSessionCacheDataFile, ap_user_id, -1 /* no gid change */);
- if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL),
- ap_user_id, -1) == -1) {
- if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
- ap_user_id, -1) == -1)
- chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL),
- ap_user_id, -1);
+ chown(mc->szSessionCacheDataFile, unixd_config.user_id, -1 /* no gid change */);
+ if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL),
+ unixd_config.user_id, -1) == -1) {
+ if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
+ unixd_config.user_id, -1) == -1)
+ chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL),
+ unixd_config.user_id, -1);
}
- if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL),
- ap_user_id, -1) == -1) {
- if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
- ap_user_id, -1) == -1)
- chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL),
- ap_user_id, -1);
+ if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL),
+ unixd_config.user_id, -1) == -1) {
+ if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL),
+ unixd_config.user_id, -1) == -1)
+ chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL),
+ unixd_config.user_id, -1);
}
}
#endif
void ssl_scache_dbm_kill(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
- pool *p;
+ SSLModConfigRec *mc = myModConfig(s);
+ apr_pool_t *p;
- if ((p = ap_make_sub_pool(NULL)) != NULL) {
+ if ((p = apr_pool_sub_make(mc->pPool, NULL)) != NULL) {
/* the correct way */
- unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL));
- unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL));
+ unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL));
+ unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL));
/* the additional ways to be sure */
- unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL));
- unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL));
- unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL));
+ unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL));
+ unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL));
+ unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL));
unlink(mc->szSessionCacheDataFile);
- ap_destroy_pool(p);
+ apr_pool_destroy(p);
}
return;
}
BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
/* and store it to the DBM file */
ssl_mutex_on(s);
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for writing (store)",
mc->szSessionCacheDataFile);
free(dbmval.dptr);
return FALSE;
}
- if (apr_dbm_store(dbm, dbmkey, dbmval, DBM_INSERT) < 0) {
+ if (apr_dbm_store(dbm, dbmkey, dbmval) < 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot store SSL session to DBM file `%s'",
mc->szSessionCacheDataFile);
SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
int nData;
time_t expiry;
time_t now;
+ apr_status_t rc;
/* allow the regular expiring to occur */
ssl_scache_dbm_expire(s);
/* and fetch it from the DBM file */
ssl_mutex_on(s);
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) {
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for reading (fetch)",
mc->szSessionCacheDataFile);
ssl_mutex_off(s);
return NULL;
}
- dbmval = apr_dbm_fetch(dbm, dbmkey);
+ rc = apr_dbm_fetch(dbm, dbmkey, &dbmval);
apr_dbm_close(dbm);
ssl_mutex_off(s);
/* immediately return if not found */
+ if (rc != APR_SUCCESS)
+ return NULL;
if (dbmval.dptr == NULL || dbmval.dsize <= sizeof(time_t))
return NULL;
void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
/* and delete it from the DBM file */
ssl_mutex_on(s);
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for writing (delete)",
mc->szSessionCacheDataFile);
void ssl_scache_dbm_expire(server_rec *s)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
SSLSrvConfigRec *sc = mySrvConfig(s);
static time_t tLast = 0;
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
- pool *p;
+ apr_pool_t *p;
time_t tExpiresAt;
int nElements = 0;
int nDeleted = 0;
ssl_mutex_on(s);
for (;;) {
/* allocate the key array in a memory sub pool */
- if ((p = ap_make_sub_pool(NULL)) == NULL)
+ if ((p = apr_pool_sub_make(mc->pPool, NULL)) == NULL)
break;
- if ((keylist = ap_palloc(p, sizeof(dbmkey)*KEYMAX)) == NULL) {
- ap_destroy_pool(p);
+ if ((keylist = apr_palloc(p, sizeof(dbmkey)*KEYMAX)) == NULL) {
+ apr_pool_destroy(p);
break;
}
/* pass 1: scan DBM database */
keyidx = 0;
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE,SSL_DBM_FILE_MODE, p) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for scanning",
mc->szSessionCacheDataFile);
- ap_destroy_pool(p);
+ apr_pool_destroy(p);
break;
}
- dbmkey = apr_dbm_firstkey(dbm);
+ apr_dbm_firstkey(dbm, &dbmkey);
while (dbmkey.dptr != NULL) {
nElements++;
bDelete = FALSE;
- dbmval = apr_dbm_fetch(dbm, dbmkey);
+ apr_dbm_fetch(dbm, dbmkey, &dbmval);
if (dbmval.dsize <= sizeof(time_t) || dbmval.dptr == NULL)
bDelete = TRUE;
else {
bDelete = TRUE;
}
if (bDelete) {
- if ((keylist[keyidx].dptr = ap_palloc(p, dbmkey.dsize)) != NULL) {
+ if ((keylist[keyidx].dptr = apr_palloc(p, dbmkey.dsize)) != NULL) {
memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize);
keylist[keyidx].dsize = dbmkey.dsize;
keyidx++;
break;
}
}
- dbmkey = apr_dbm_nextkey(dbm);
+ apr_dbm_nextkey(dbm, &dbmkey);
}
apr_dbm_close(dbm);
/* pass 2: delete expired elements */
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDWR, SSL_DBM_FILE_MODE)) == NULL) {
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE,SSL_DBM_FILE_MODE, p) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot re-open SSLSessionCache DBM file `%s' for expiring",
mc->szSessionCacheDataFile);
- ap_destroy_pool(p);
+ apr_pool_destroy(p);
break;
}
for (i = 0; i < keyidx; i++) {
apr_dbm_close(dbm);
/* destroy temporary pool */
- ap_destroy_pool(p);
+ apr_pool_destroy(p);
if (keyidx < KEYMAX)
break;
return;
}
-void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *), void *arg)
+void ssl_scache_dbm_status(server_rec *s, apr_pool_t *p, void (*func)(char *, void *), void *arg)
{
- SSLModConfigRec *mc = myModConfig();
+ SSLModConfigRec *mc = myModConfig(s);
apr_dbm_t *dbm;
apr_datum_t dbmkey;
apr_datum_t dbmval;
nElem = 0;
nSize = 0;
ssl_mutex_on(s);
- if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile,
- O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) {
+ /*
+ * XXX - Check what pool is to be used - TBD
+ */
+ if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile,
+ APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Cannot open SSLSessionCache DBM file `%s' for status retrival",
mc->szSessionCacheDataFile);
ssl_mutex_off(s);
return;
}
- dbmkey = apr_dbm_firstkey(dbm);
- for ( ; dbmkey.dptr != NULL; dbmkey = apr_dbm_nextkey(dbm)) {
- dbmval = apr_dbm_fetch(dbm, dbmkey);
+ /*
+ * XXX - Check the return value of apr_dbm_firstkey, apr_dbm_fetch - TBD
+ */
+ apr_dbm_firstkey(dbm, &dbmkey);
+ for ( ; dbmkey.dptr != NULL; apr_dbm_nextkey(dbm, &dbmkey)) {
+ apr_dbm_fetch(dbm, dbmkey, &dbmval);
if (dbmval.dptr == NULL)
continue;
nElem += 1;
nAverage = nSize / nElem;
else
nAverage = 0;
- func(ap_psprintf(p, "cache type: <b>DBM</b>, maximum size: <b>unlimited</b><br>"), arg);
- func(ap_psprintf(p, "current sessions: <b>%d</b>, current size: <b>%d</b> bytes<br>", nElem, nSize), arg);
- func(ap_psprintf(p, "average session size: <b>%d</b> bytes<br>", nAverage), arg);
+ func(apr_psprintf(p, "cache type: <b>DBM</b>, maximum size: <b>unlimited</b><br>"), arg);
+ func(apr_psprintf(p, "current sessions: <b>%d</b>, current size: <b>%d</b> bytes<br>", nElem, nSize), arg);
+ func(apr_psprintf(p, "average session size: <b>%d</b> bytes<br>", nAverage), arg);
return;
}
-#endif /* XXX */
-
return cpResult;
}
+apr_status_t
+ssl_util_setmodconfig(
+ server_rec *s, const char *key, SSLModConfigRec *mc)
+{
+ return apr_pool_userdata_set((void *)mc, key, apr_pool_cleanup_null, s->process->pool);
+}
+
+SSLModConfigRec *
+ssl_util_getmodconfig(
+ server_rec *s, const char *key)
+{
+ SSLModConfigRec *mc = NULL;
+
+ if (apr_pool_userdata_get((void **)&mc, key, s->process->pool) != APR_SUCCESS)
+ ssl_log(s, SSL_LOG_TRACE, "Unable to retrieve SSLModConfig from global pool");
+ return mc;
+}
+
+SSLModConfigRec *
+ssl_util_getmodconfig_ssl(
+ SSL *ssl, const char *key)
+{
+ conn_rec *c;
+ SSLModConfigRec *mc = NULL;
+
+ c = SSL_get_app_data(ssl);
+ if (c != NULL)
+ mc = ssl_util_getmodconfig(c->base_server, key);
+ return mc;
+}
+
}
#endif
-EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,void*))
+EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
{
EVP_PKEY *rc;
BIO *bioS;
#if SSL_LIBRARY_VERSION < 0x00904000
rc = PEM_read_PrivateKey(fp, key, cb);
#else
- rc = PEM_read_PrivateKey(fp, key, cb, NULL);
+ rc = PEM_read_PrivateKey(fp, key, cb, s);
#endif
if (rc == NULL) {
/* 2. try DER+Base64 */
void *SSL_get_app_data2(SSL *);
void SSL_set_app_data2(SSL *, void *);
X509 *SSL_read_X509(FILE *, X509 **, int (*)(char*,int,int,void*));
-EVP_PKEY *SSL_read_PrivateKey(FILE *, EVP_PKEY **, int (*)(char*,int,int,void*));
+EVP_PKEY *SSL_read_PrivateKey(FILE *, EVP_PKEY **, int (*)(char*,int,int,void*), void *);
int SSL_smart_shutdown(SSL *ssl);
X509_STORE *SSL_X509_STORE_create(char *, char *);
int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
projects / thirdparty / apache / httpd.git / commitdiff
