From: Ralf S. Engelschall Date: Thu, 19 Jul 2001 16:08:01 +0000 (+0000) Subject: Apply mod_ssl MEGA porting patch. This is a cleaned up version of the X-Git-Tag: 2.0.21~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca8f54367fb1c30b21298afb8ef451fc983173cf;p=thirdparty%2Fapache%2Fhttpd.git Apply mod_ssl MEGA porting patch. This is a cleaned up version of the latest patches from Madhusudan which makes mod_ssl 95% working inside Apache 2.0. There is still a lot of more work (both porting and cleanup) to do be done. See modules/ssl/README for details. Submitted by: Madhusudan Mathihalli git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89618 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/README b/modules/ssl/README index d7fb29d5096..d404203b8d9 100644 --- a/modules/ssl/README +++ b/modules/ssl/README @@ -23,22 +23,23 @@ Here is a short overview of the source files: + * README .................. This file ;) # Makefile.in ............. Makefile template for Unix platform # config.m4 ............... Autoconf stub for the Apache config mechanism # mod_ssl.c ............... main source file containing API structures - - mod_ssl.h ............... common header file of mod_ssl - - ssl_engine_config.c ..... module configuration handling + # mod_ssl.h ............... common header file of mod_ssl + # ssl_engine_config.c ..... module configuration handling # ssl_engine_dh.c ......... DSA/DH support # ssl_engine_ds.c ......... data structures - ssl_engine_ext.c ........ Extensions to other Apache parts - - ssl_engine_init.c ....... module initialization - - ssl_engine_io.c ......... I/O support - - ssl_engine_kernel.c ..... SSL engine kernel - - ssl_engine_log.c ........ logfile support + # ssl_engine_init.c ....... module initialization + * ssl_engine_io.c ......... I/O support + # ssl_engine_kernel.c ..... SSL engine kernel + # ssl_engine_log.c ........ logfile support # ssl_engine_mutex.c ...... mutual exclusion support - - ssl_engine_pphrase.c .... pass-phrase handling - - ssl_engine_rand.c ....... PRNG support - - ssl_engine_vars.c ....... Variable Expansion support + # ssl_engine_pphrase.c .... pass-phrase handling + # ssl_engine_rand.c ....... PRNG support + # ssl_engine_vars.c ....... Variable Expansion support # ssl_expr.c .............. expression handling main source # ssl_expr.h .............. expression handling common header - ssl_expr_scan.c ......... expression scanner automaton (pre-generated) @@ -47,8 +48,8 @@ - ssl_expr_parse.h ........ expression parser header (pre-generated) - ssl_expr_parse.y ........ expression parser source # ssl_expr_eval.c ......... expression machine evaluation - - ssl_scache.c ............ session cache abstraction layer - - ssl_scache_dbm.c ........ session cache via DBM file + # ssl_scache.c ............ session cache abstraction layer + # ssl_scache_dbm.c ........ session cache via DBM file - ssl_scache_shmcb.c ...... session cache via shared memory cyclic buffer - ssl_scache_shmht.c ...... session cache via shared memory hash table # ssl_util.c .............. utility functions @@ -57,7 +58,8 @@ # ssl_util_table.c ........ the hash table library source # ssl_util_table.h ........ the hash table library header - Legend: # = already ported to Apache 2.0 + Legend: # = already ported to Apache 2.0 and is cleaned up + * = ported to Apache 2.0 but still needs cleaning up - = port still not finished The source files are written in clean ANSI C and pass the ``gcc -O -g @@ -100,6 +102,7 @@ SSL_SESSION ............. OpenSSL Session SSL ..................... OpenSSL Connection BIO ..................... OpenSSL Connection Buffer + SSLFilterRec ............ mod_ssl Filter Context For an overview how these are related and chained together have a look at the page in README.dsov.{fig,ps}. It contains overview diagrams for those data @@ -158,12 +161,23 @@ from Apache 1.3 and this mod_ssl version for Apache 2.0: o The DBM based session cache is now based on APR's DBM API only. + o Introduced Filter logic (similar to mod_tls) + o Eliminated ap_global_ctx. Storing Persistant information in + process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and + ssl_config_global_* () functions have an extra parameter now - + "server_rec *" - which is used to retrieve the SSLModConfigRec. TODO + o use ssl_var_lookup? o Whether to unregister and how to unregister? ssl_var_unregister(); ssl_ext_unregister(); ssl_io_unregister(); o We certainly need CRYPTO_set_locking_callback() now also under Unix! - + o Eliminate APR_BLOCK_READ from churn (). The APR_NONBLOCK_READ doesn't work + currently. The filter logic has to be changed to handle situations when + the data is not available immediately. + o Enable the use of ssl_var_* and ssl_ext_* functionalities. + o Enable use of MM, SHMCB and SHMHT. + o Try to use APR routines in ssl_util_ssl.c for performing FILE operations. diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 754ca51640e..f1b186339cc 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -58,6 +58,8 @@ */ #include "mod_ssl.h" +#include "util_md5.h" +#include /* * the table of configuration directives we provide @@ -202,116 +204,318 @@ static const command_rec ssl_config_cmds[] = { * the various processing hooks */ -static void ssl_hook_pre_config( +static int ssl_hook_pre_config( apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) -{ - /* unused */ - return; -} - - -static void ssl_hook_post_config( - apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) -{ - /* ssl_init_Module() */ - return; -} - -static int ssl_hook_pre_connection(conn_rec *r) { /* unused */ return DECLINED; } -static int ssl_hook_process_connection(conn_rec *r) +static int ssl_hook_post_read_request(request_rec *r) { - /* call ssl_hook_NewConnection */ - /* hook ssl_hook_CloseConnection() */ + /* ssl_hook_ReadReq() */ return DECLINED; } -static int ssl_hook_handler(request_rec *r) +static int ssl_hook_pre_connection(conn_rec *c) { - /* ssl_hook_Handler() */ - return DECLINED; + SSLSrvConfigRec *sc = mySrvConfig(c->base_server); + apr_table_t *apctx; + SSL *ssl; + unsigned char *cpVHostID; + char *cpVHostMD5; + + /* + * Create SSL context + */ + apr_table_setn(c->notes, "ssl", NULL); + + /* + * Immediately stop processing if SSL is disabled for this connection + */ + if (sc == NULL || !sc->bEnabled) + return DECLINED; + + /* + * Remember the connection information for + * later access inside callback functions + */ + cpVHostID = (unsigned char *)ssl_util_vhostid(c->pool,c->base_server); + ssl_log(c->base_server, SSL_LOG_INFO, "Connection to child %d established " + "(server %s, client %s)", c->id, cpVHostID, + c->remote_ip != NULL ? c->remote_ip : "unknown"); + + /* + * Seed the Pseudo Random Number Generator (PRNG) + */ + ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, ""); + + /* + * Create a new SSL connection with the configured server SSL context and + * attach this to the socket. Additionally we register this attachment + * so we can detach later. + */ + if ((ssl = SSL_new(sc->pSSLCtx)) == NULL) { + ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "Unable to create a new SSL connection from the SSL context"); + apr_table_setn(c->notes, "ssl", NULL); + c->aborted = 1; + return DECLINED; /* XXX */ + } + SSL_clear(ssl); + cpVHostMD5 = ap_md5(c->pool, cpVHostID); + if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, + strlen(cpVHostMD5))) { + ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "Unable to set session id context to `%s'", cpVHostMD5); + apr_table_setn(c->notes, "ssl", NULL); + c->aborted = 1; + return DECLINED; /* XXX */ + } + SSL_set_app_data(ssl, c); + apctx = apr_table_make(c->pool, AP_CTX_MAX_ENTRIES); + apr_table_setn(apctx, "ssl::request_rec", NULL); + apr_table_setn(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0)); + SSL_set_app_data2(ssl, apctx); + + apr_table_setn(c->notes, "ssl", (const char *)ssl); + + /* + * Configure callbacks for SSL connection + */ + SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); + SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); +#if 0 /* XXX */ + if (sc->nLogLevel >= SSL_LOG_DEBUG) { + BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); + BIO_set_callback_arg(SSL_get_rbio(ssl), ssl); + } +#endif + /* + * Predefine some client verification results + */ + apr_table_setn(c->notes, "ssl::client::dn", NULL); + apr_table_setn(c->notes, "ssl::verify::error", NULL); + apr_table_setn(c->notes, "ssl::verify::info", NULL); + SSL_set_verify_result(ssl, X509_V_OK); + + /* + * We have to manage a I/O timeout ourself, because Apache + * does it the first time when reading the request, but we're + * working some time before this happens. + */ + ssl_util_setmodconfig(c->base_server, "ssl::handshake::timeout", (void *)FALSE); +#if 0 /* XXX */ + ap_set_callback_and_alarm(ssl_hook_TimeoutConnection, c->base_server->timeout); +#endif + ssl_io_filter_init(c, ssl); + + return APR_SUCCESS; } -static int ssl_hook_translate_name(request_rec *r) +/* + * The hook is NOT registered with ap_hook_process_connection. Instead, it is + * called manually from the churn () before it tries to read any data. + * There is some problem if I accept conn_rec *. Still investigating.. + * Adv. if conn_rec * can be accepted is we can hook this function using the + * ap_hook_process_connection hook. + */ +static int ssl_hook_process_connection(SSLFilterRec *pRec) { - /* ssl_hook_Translate() */ - return DECLINED; + int n, err; + conn_rec *c = SSL_get_app_data (pRec->pssl); + + if (!SSL_is_init_finished(pRec->pssl)) + { + if ((n = SSL_accept(pRec->pssl)) <= 0) { + + if ((err = SSL_get_error(pRec->pssl, n)) == SSL_ERROR_ZERO_RETURN) { + /* + * The case where the connection was closed before any data + * was transferred. That's not a real error and can occur + * sporadically with some clients. + */ + ssl_log(c->base_server, SSL_LOG_INFO, + "SSL handshake stopped: connection was closed"); + } + else if (err == SSL_ERROR_WANT_READ) { + /* + * This is in addition to what was present earlier. It is + * borrowed from openssl_state_machine.c [mod_tls]. + * TBD. + */ + return 0; + } + else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) { + /* + * The case where OpenSSL has recognized a HTTP request: + * This means the client speaks plain HTTP on our HTTPS port. + * Hmmmm... At least for this error we can be more friendly + * and try to provide him with a HTML error page. We have only + * one problem:OpenSSL has already read some bytes from the HTTP + * request. So we have to skip the request line manually and + * instead provide a faked one in order to continue the internal + * Apache processing. + * + */ + +#if 0 /* XXX */ + /* + * Still need to be ported to Apache 2.0 style + */ + char ca[2]; + int rv; + + /* log the situation */ + ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "SSL handshake failed: HTTP spoken on HTTPS port; " + "trying to send HTML error page"); + /* first: skip the remaining bytes of the request line */ + do { + do { + rv = read(fb->fd, ca, 1); + } while (rv == -1 && errno == EINTR); + } while (rv > 0 && ca[0] != '\012' /*LF*/); + + /* second: fake the request line */ + fb->inbase = ap_palloc(fb->pool, fb->bufsiz); + ap_cpystrn((char *)fb->inbase, "GET /mod_ssl:error:HTTP-request HTTP/1.0\r\n", + fb->bufsiz); + fb->inptr = fb->inbase; + fb->incnt = strlen((char *)fb->inptr); +#endif + } + else if (ssl_util_getmodconfig_ssl(pRec->pssl, "ssl::handshake::timeout") + == (void *)TRUE) { + ssl_log(c->base_server, SSL_LOG_ERROR, + "SSL handshake timed out (client %s, server %s)", + c->remote_ip != NULL ? c->remote_ip : "unknown", + ssl_util_vhostid(c->pool,c->base_server)); + } + else if ((SSL_get_error(pRec->pssl, n) == SSL_ERROR_SYSCALL) + && (errno != EINTR)) { + if (errno > 0) + ssl_log(c->base_server, + SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + "SSL handshake interrupted by system " + "[Hint: Stop button pressed in browser?!]"); + else + ssl_log(c->base_server, + SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + "Spurious SSL handshake interrupt [Hint: " + "Usually just one of those OpenSSL confusions!?]"); + } + else { + /* + * Ok, anything else is a fatal error + */ + ssl_log(c->base_server, + SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO, + "SSL handshake failed (server %s, client %s)", + ssl_util_vhostid(c->pool,c->base_server), + c->remote_ip != NULL ? c->remote_ip : "unknown"); + } + /* + * try to gracefully shutdown the connection: + * - send an own shutdown message (be gracefully) + * - don't wait for peer's shutdown message (deadloop) + * - kick away the SSL stuff immediately + * - block the socket, so Apache cannot operate any more + */ + SSL_set_shutdown(pRec->pssl, SSL_RECEIVED_SHUTDOWN); + SSL_smart_shutdown(pRec->pssl); + SSL_free(pRec->pssl); + apr_table_setn(c->notes, "ssl", NULL); + c->aborted = 1; + return APR_EGENERAL; + } + } + return APR_SUCCESS; } -static void ssl_hook_init_child(apr_pool_t *pchild, server_rec *s) +static void ssl_hook_open_logs(apr_pool_t *p, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *s) { - /* ssl_init_Child() */ return; } -static int ssl_hook_auth_checker(request_rec *r) +static int ssl_hook_quick_handler (request_rec *r) { /* ssl_hook_Auth() */ return DECLINED; } -static int ssl_hook_check_user_id(request_rec *r) +static int ssl_hook_fixer_upper (request_rec *r) { /* ssl_hook_UserCheck */ return DECLINED; } -static int ssl_hook_access_checker(request_rec *r) +static const char *ssl_hook_http_method (const request_rec *r) { - /* ssl_hook_Access() */ - return DECLINED; + SSLSrvConfigRec *sc = mySrvConfig(r->server); + + if (sc->bEnabled == FALSE) + return NULL; + + return "https"; } -static int ssl_hook_fixups(request_rec *r) +static apr_port_t ssl_hook_default_port (const request_rec *r) { - /* ssl_hook_Fixup() */ - return DECLINED; + SSLSrvConfigRec *sc = mySrvConfig(r->server); + + if (sc->bEnabled == FALSE) + return 0; + return 443; } -static int ssl_hook_post_read_request(request_rec *r) +static int ssl_hook_insert_filter (request_rec *r) { /* ssl_hook_ReadReq() */ return DECLINED; } -static void ssl_hook_child_init(apr_pool_t *pchild, server_rec *s) -{ - /* ssl_init_Child() */ - return; -} - /* * the module registration phase */ + static void ssl_register_hooks(apr_pool_t *p) { - ap_hook_pre_config (ssl_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_post_config (ssl_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_handler (ssl_hook_handler, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_translate_name (ssl_hook_translate_name, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_child_init (ssl_hook_child_init, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_auth_checker (ssl_hook_auth_checker, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_check_user_id (ssl_hook_check_user_id, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_access_checker (ssl_hook_access_checker, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_fixups (ssl_hook_fixups, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_post_read_request (ssl_hook_post_read_request, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_pre_connection (ssl_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_process_connection(ssl_hook_process_connection, NULL, NULL, APR_HOOK_MIDDLE); + ssl_io_filter_register(p); + ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE); +#if 0 /* XXX - Work in progress */ + ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_process_connection (ssl_hook_process_connection, + NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_post_read_request (ssl_hook_post_read_request, + NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_check_user_id (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE); + + ap_hook_open_logs (ssl_hook_open_logs, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_quick_handler (ssl_hook_quick_handler, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_log_transaction(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_create_request(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_type_checker (ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE); + ap_hook_insert_filter (ssl_hook_insert_filter, NULL,NULL, APR_HOOK_MIDDLE); +#endif +#if 0 /* XXX */ ssl_var_register(); ssl_ext_register(); ssl_io_register(); - - return; +#endif } -/* - * the main module structure - */ module AP_MODULE_DECLARE_DATA ssl_module = { STANDARD20_MODULE_STUFF, ssl_config_perdir_create, /* create per-dir config structures */ @@ -321,4 +525,3 @@ module AP_MODULE_DECLARE_DATA ssl_module = { ssl_config_cmds, /* table of configuration directives */ ssl_register_hooks /* register hooks */ }; - diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h index 4fa82bd281b..04e32834dd3 100644 --- a/modules/ssl/mod_ssl.h +++ b/modules/ssl/mod_ssl.h @@ -64,12 +64,13 @@ #ifndef __MOD_SSL_H__ #define __MOD_SSL_H__ +#define MOD_SSL_VERSION "3.0a0" + /* * Optionally enable the experimental stuff, but allow the user to * override the decision which experimental parts are included by using * CFLAGS="-DSSL_EXPERIMENTAL_xxxx_IGNORE". */ -#if 0 /* XXX */ #ifdef SSL_EXPERIMENTAL #ifndef SSL_EXPERIMENTAL_PERDIRCA_IGNORE #define SSL_EXPERIMENTAL_PERDIRCA @@ -83,7 +84,6 @@ #endif #endif #endif /* SSL_EXPERIMENTAL */ -#endif /* XXX */ /* * Power up our brain... @@ -116,23 +116,24 @@ /* Apache headers */ #define CORE_PRIVATE -#include "ap_config.h" #include "httpd.h" #include "http_config.h" -#include "http_protocol.h" -#include "http_request.h" -#include "http_main.h" #include "http_core.h" #include "http_log.h" +#include "http_main.h" +#include "http_connection.h" +#include "http_request.h" +#include "http_protocol.h" +#include "util_script.h" +#include "util_filter.h" #include "scoreboard.h" -#include "util_md5.h" -#include "apr.h" +#include "unixd.h" +#include "apr_strings.h" +#include "apr_tables.h" #include "apr_lib.h" #include "apr_fnmatch.h" #include "apr_strings.h" -#include "apr_pools.h" -#include "apr_tables.h" -#include "apr_file_info.h" +#include "apr_dbm.h" #undef CORE_PRIVATE /* mod_ssl headers */ @@ -191,26 +192,25 @@ #define strIsEmpty(s) (s == NULL || s[0] == NUL) -#if 0 /* XXX */ #define cfgMerge(el,unset) new->el = add->el == unset ? base->el : add->el -#define cfgMergeArray(el) new->el = ap_append_arrays(p, add->el, base->el) -#define cfgMergeTable(el) new->el = ap_overlay_tables(p, add->el, base->el) -#define cfgMergeCtx(el) new->el = ap_ctx_overlay(p, add->el, base->el) +#define cfgMergeArray(el) new->el = apr_array_append(p, add->el, base->el) +#define cfgMergeTable(el) new->el = apr_table_overlay(p, add->el, base->el) +#define cfgMergeCtx(el) new->el = apr_table_overlay(p, add->el, base->el) #define cfgMergeString(el) cfgMerge(el, NULL) #define cfgMergeBool(el) cfgMerge(el, UNSET) #define cfgMergeInt(el) cfgMerge(el, UNSET) -#endif /* XXX */ -#if 0 /* XXX */ -#define myModConfig() (SSLModConfigRec *)ap_ctx_get(ap_global_ctx, "ssl_module") -#endif /* XXX */ +#define myModConfig(srv) (SSLModConfigRec *)ssl_util_getmodconfig(srv, "ssl_module") #define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module) #define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module) -#if 0 /* XXX */ #define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val #define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num) -#endif /* XXX */ + +#define AP_CTX_NUM2PTR(n) (void *)(((unsigned long)(n))+1) +#define AP_CTX_PTR2NUM(p) (unsigned long)(((char *)(p))-1) + +#define AP_CTX_MAX_ENTRIES 1024 /* * SSL Logging @@ -240,12 +240,12 @@ /* * Support for MM library */ -#define SSL_MM_FILE_MODE ( S_IRUSR|S_IWUSR ) +#define SSL_MM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD ) /* * Support for DBM library */ -#define SSL_DBM_FILE_MODE ( S_IRUSR|S_IWUSR ) +#define SSL_DBM_FILE_MODE ( APR_UREAD | APR_UWRITE | APR_GREAD | APR_WREAD ) #if !defined(SSL_DBM_FILE_SUFFIX_DIR) && !defined(SSL_DBM_FILE_SUFFIX_PAG) #if defined(DBM_SUFFIX) @@ -298,7 +298,6 @@ typedef int ssl_algo_t; #define SSL_AIDX_DSA (1) #define SSL_AIDX_MAX (2) -#if 0 /* XXX */ /* * Define IDs for the temporary RSA keys and DH params @@ -357,7 +356,6 @@ typedef enum { SSL_PPTYPE_BUILTIN = 0, SSL_PPTYPE_FILTER = 1 } ssl_pphrase_t; -#endif /* XXX */ /* * Define the Path Checking modes @@ -368,8 +366,6 @@ typedef enum { #define SSL_PCM_ISNONZERO 8 typedef unsigned int ssl_pathcheck_t; -#if 0 /* XXX */ - /* * Define the SSL session cache modes and structures */ @@ -434,18 +430,30 @@ typedef struct { */ typedef struct { - pool *pPool; + SSL *pssl; + BIO *pbioRead; + BIO *pbioWrite; + ap_filter_t *pInputFilter; + ap_filter_t *pOutputFilter; + apr_bucket_brigade *pbbInput; /* encrypted input */ + apr_bucket_brigade *pbbPendingInput; /* decrypted input */ +} SSLFilterRec; + +typedef struct { + apr_pool_t *pPool; BOOL bFixed; int nInitCount; int nSessionCacheMode; char *szSessionCacheDataFile; int nSessionCacheDataSize; +#if 0 /* XXX */ AP_MM *pSessionCacheDataMM; - table_t *tSessionCacheDataTable; +#endif + apr_table_t *tSessionCacheDataTable; ssl_mutexmode_t nMutexMode; char *szMutexFile; apr_lock_t *pMutex; - array_header *aRandSeed; + apr_array_header_t *aRandSeed; ssl_ds_table *tTmpKeys; void *pTmpKeys[SSL_TKPIDX_MAX]; ssl_ds_table *tPublicCert; @@ -463,10 +471,9 @@ typedef struct { * (i.e. the configuration for the main server * and all contexts) */ -#endif /* XXX */ typedef struct { BOOL bEnabled; -#if 0 /* XXX */ + apr_table_t *ap_server_ctx; char *szPublicCertFile[SSL_AIDX_MAX]; char *szPrivateKeyFile[SSL_AIDX_MAX]; char *szCertificateChain; @@ -474,7 +481,7 @@ typedef struct { char *szCACertificateFile; char *szLogFile; char *szCipherSuite; - FILE *fileLogFile; + apr_file_t *fileLogFile; int nLogLevel; int nVerifyDepth; ssl_verify_t nVerifyClient; @@ -501,20 +508,16 @@ typedef struct { SSL_CTX *pSSLProxyCtx; STACK_OF(X509_INFO) *skProxyClientCerts; #endif -#endif /* XXX */ } SSLSrvConfigRec; -#if 0 /* XXX */ /* * Define the mod_ssl per-directory configuration structure * (i.e. the local configuration for all * and .htaccess contexts) */ -#endif /* XXX */ typedef struct { BOOL bSSLRequired; -#if 0 /* XXX */ - array_header *aRequirement; + apr_array_header_t *aRequirement; ssl_opt_t nOptions; ssl_opt_t nOptionsAdd; ssl_opt_t nOptionsDel; @@ -525,7 +528,6 @@ typedef struct { char *szCACertificatePath; char *szCACertificateFile; #endif -#endif /* XXX */ } SSLDirConfigRec; /* @@ -536,36 +538,36 @@ typedef struct { extern module AP_MODULE_DECLARE_DATA ssl_module; /* configuration handling */ -void ssl_config_global_create(void); -void ssl_config_global_fix(void); -BOOL ssl_config_global_isfixed(void); +void ssl_config_global_create(server_rec *); +void ssl_config_global_fix(SSLModConfigRec *); +BOOL ssl_config_global_isfixed(SSLModConfigRec *); void *ssl_config_server_create(apr_pool_t *, server_rec *); void *ssl_config_server_merge(apr_pool_t *, void *, void *); void *ssl_config_perdir_create(apr_pool_t *, char *); void *ssl_config_perdir_merge(apr_pool_t *, void *, void *); -const char *ssl_cmd_SSLMutex(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *); -const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int); -const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLVerifyClient(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLSessionCache(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLLog(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLLogLevel(cmd_parms *, char *, char *); -const char *ssl_cmd_SSLProtocol(cmd_parms *, char *, const char *); -const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *); -const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *); -const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *); +const char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); +const char *ssl_cmd_SSLEngine(cmd_parms *, void *, int); +const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLLog(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLLogLevel(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *); +const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *); #ifdef SSL_EXPERIMENTAL_PROXY const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, char *, const char *); const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, char *, char *); @@ -576,25 +578,24 @@ const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, char *, char *); const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, char *, char *); const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, char *, char *); #endif -#if 0 /* XXX */ /* module initialization */ -void ssl_init_Module(server_rec *, pool *); +void ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); void ssl_init_SSLLibrary(void); -void ssl_init_Engine(server_rec *, pool *); -void ssl_init_TmpKeysHandle(int, server_rec *, pool *); -void ssl_init_ConfigureServer(server_rec *, pool *, SSLSrvConfigRec *); -void ssl_init_CheckServers(server_rec *, pool *); +void ssl_init_Engine(server_rec *, apr_pool_t *); +void ssl_init_TmpKeysHandle(int, server_rec *, apr_pool_t *); +void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, SSLSrvConfigRec *); +void ssl_init_CheckServers(server_rec *, apr_pool_t *); STACK_OF(X509_NAME) - *ssl_init_FindCAList(server_rec *, pool *, char *, char *); -void ssl_init_Child(server_rec *, pool *); -void ssl_init_ChildKill(void *); -void ssl_init_ModuleKill(void *); + *ssl_init_FindCAList(server_rec *, apr_pool_t *, char *, char *); +void ssl_init_Child(apr_pool_t *, server_rec *); +apr_status_t ssl_init_ChildKill(void *data); +apr_status_t ssl_init_ModuleKill(void *data); /* Apache API hooks */ void ssl_hook_NewConnection(conn_rec *); void ssl_hook_TimeoutConnection(int); -void ssl_hook_CloseConnection(conn_rec *); +apr_status_t ssl_hook_CloseConnection(SSLFilterRec *); int ssl_hook_Translate(request_rec *); int ssl_hook_Auth(request_rec *); int ssl_hook_UserCheck(request_rec *); @@ -614,21 +615,22 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); void ssl_callback_LogTracingState(SSL *, int, int); /* Session Cache Support */ -void ssl_scache_init(server_rec *, pool *); +void ssl_scache_init(server_rec *, apr_pool_t *); void ssl_scache_kill(server_rec *); BOOL ssl_scache_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *); SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int); void ssl_scache_remove(server_rec *, UCHAR *, int); void ssl_scache_expire(server_rec *); -void ssl_scache_status(server_rec *, pool *, void (*)(char *, void *), void *); +void ssl_scache_status(server_rec *, apr_pool_t *, void (*)(char *, void *), void *); char *ssl_scache_id2sz(UCHAR *, int); -void ssl_scache_dbm_init(server_rec *, pool *); +void ssl_scache_dbm_init(server_rec *, apr_pool_t *); void ssl_scache_dbm_kill(server_rec *); BOOL ssl_scache_dbm_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *); SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *, UCHAR *, int); void ssl_scache_dbm_remove(server_rec *, UCHAR *, int); void ssl_scache_dbm_expire(server_rec *); -void ssl_scache_dbm_status(server_rec *, pool *, void (*)(char *, void *), void *); +void ssl_scache_dbm_status(server_rec *, apr_pool_t *, void (*)(char *, void *), void *); +#if 0 /* XXX */ void ssl_scache_shmht_init(server_rec *, pool *); void ssl_scache_shmht_kill(server_rec *); BOOL ssl_scache_shmht_store(server_rec *, UCHAR *, int, time_t, SSL_SESSION *); @@ -643,10 +645,11 @@ SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *, UCHAR *, int); void ssl_scache_shmcb_remove(server_rec *, UCHAR *, int); void ssl_scache_shmcb_expire(server_rec *); void ssl_scache_shmcb_status(server_rec *, pool *, void (*)(char *, void *), void *); +#endif /* Pass Phrase Support */ -void ssl_pphrase_Handle(server_rec *, pool *); -int ssl_pphrase_Handle_CB(char *, int, int); +void ssl_pphrase_Handle(server_rec *, apr_pool_t *); +int ssl_pphrase_Handle_CB(char *, int, int, void *); /* Diffie-Hellman Parameter Support */ DH *ssl_dh_GetTmpParam(int); @@ -667,40 +670,40 @@ void ssl_ds_table_wipeout(ssl_ds_table *); void ssl_ds_table_kill(ssl_ds_table *); /* Mutex Support */ -#endif /* XXX */ int ssl_mutex_init(server_rec *, apr_pool_t *); int ssl_mutex_reinit(server_rec *, apr_pool_t *); int ssl_mutex_on(server_rec *); int ssl_mutex_off(server_rec *); int ssl_mutex_kill(server_rec *); -#if 0 /* XXX */ /* Logfile Support */ -void ssl_log_open(server_rec *, server_rec *, pool *); +void ssl_log_open(server_rec *, server_rec *, apr_pool_t *); BOOL ssl_log_applies(server_rec *, int); void ssl_log(server_rec *, int, const char *, ...); void ssl_die(void); /* Variables */ +#if 0 /* XXX */ void ssl_var_register(void); void ssl_var_unregister(void); #endif /* XXX */ char *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *); /* I/O */ -#if 0 /* XXX */ void ssl_io_register(void); void ssl_io_unregister(void); +void ssl_io_filter_init(conn_rec *, SSL *); +void ssl_io_filter_register(apr_pool_t *); long ssl_io_data_cb(BIO *, int, const char *, int, long, long); /* PRNG */ -int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t, char *); +int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *); /* Extensions */ +#if 0 /* XXX */ void ssl_ext_register(void); void ssl_ext_unregister(void); - -#endif /* XXX */ +#endif /* Utility Functions */ char *ssl_util_vhostid(apr_pool_t *, server_rec *); @@ -715,5 +718,8 @@ ssl_algo_t ssl_util_algotypeof(X509 *, EVP_PKEY *); char *ssl_util_algotypestr(ssl_algo_t); char *ssl_util_ptxtsub(apr_pool_t *, const char *, const char *, char *); void ssl_util_thread_setup(void); +apr_status_t ssl_util_setmodconfig(server_rec *, const char *, SSLModConfigRec *); +SSLModConfigRec *ssl_util_getmodconfig(server_rec *, const char *); +SSLModConfigRec *ssl_util_getmodconfig_ssl(SSL *, const char *); #endif /* __MOD_SSL_H__ */ diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 690dc82764b..e479561962e 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -62,26 +62,23 @@ -- Unknown */ #include "mod_ssl.h" -#if 0 /* XXX */ - /* _________________________________________________________________ ** ** Support for Global Configuration ** _________________________________________________________________ */ -void ssl_config_global_create(void) +void ssl_config_global_create(server_rec *s) { - pool *pPool; - SSLModConfigRec *mc; + apr_pool_t *pPool; + SSLModConfigRec *mc = myModConfig(s); - mc = ap_ctx_get(ap_global_ctx, "ssl_module"); if (mc == NULL) { /* * allocate an own subpool which survives server restarts */ - pPool = ap_make_sub_pool(NULL); - mc = (SSLModConfigRec *)ap_palloc(pPool, sizeof(SSLModConfigRec)); + pPool = s->process->pool; + mc = (SSLModConfigRec *)apr_palloc(pPool, sizeof(SSLModConfigRec)); mc->pPool = pPool; mc->bFixed = FALSE; @@ -92,12 +89,14 @@ void ssl_config_global_create(void) mc->nSessionCacheMode = SSL_SCMODE_UNSET; mc->szSessionCacheDataFile = NULL; mc->nSessionCacheDataSize = 0; +#if 0 /* XXX */ mc->pSessionCacheDataMM = NULL; +#endif mc->tSessionCacheDataTable = NULL; mc->nMutexMode = SSL_MUTEXMODE_UNSET; mc->szMutexFile = NULL; mc->pMutex = NULL; - mc->aRandSeed = ap_make_array(pPool, 4, sizeof(ssl_randseed_t)); + mc->aRandSeed = apr_array_make(pPool, 4, sizeof(ssl_randseed_t)); mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); mc->tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); @@ -110,26 +109,22 @@ void ssl_config_global_create(void) /* * And push it into Apache's global context */ - ap_ctx_set(ap_global_ctx, "ssl_module", mc); + ssl_util_setmodconfig(s, "ssl_module", mc); } return; } -void ssl_config_global_fix(void) +void ssl_config_global_fix(SSLModConfigRec *mc) { - SSLModConfigRec *mc = myModConfig(); mc->bFixed = TRUE; return; } -BOOL ssl_config_global_isfixed(void) +BOOL ssl_config_global_isfixed(SSLModConfigRec *mc) { - SSLModConfigRec *mc = myModConfig(); return (mc->bFixed); } -#endif /* XXX */ - /* _________________________________________________________________ ** ** Configuration handling @@ -141,12 +136,11 @@ BOOL ssl_config_global_isfixed(void) */ void *ssl_config_server_create(apr_pool_t *p, server_rec *s) { -#if 0 /* XXX */ SSLSrvConfigRec *sc; - ssl_config_global_create(); + ssl_config_global_create(s); - sc = ap_palloc(p, sizeof(SSLSrvConfigRec)); + sc = apr_palloc(p, sizeof(SSLSrvConfigRec)); sc->bEnabled = UNSET; sc->szCACertificatePath = NULL; sc->szCACertificateFile = NULL; @@ -184,8 +178,6 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s) (void)memset(sc->pPrivateKey, 0, SSL_AIDX_MAX*sizeof(EVP_PKEY *)); return sc; -#endif /* XXX */ - return NULL; } /* @@ -193,11 +185,10 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s) */ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) { -#if 0 /* XXX */ + int i; SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev; SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv; - SSLSrvConfigRec *new = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec)); - int i; + SSLSrvConfigRec *new = (SSLSrvConfigRec *)apr_palloc(p, sizeof(SSLSrvConfigRec)); cfgMergeBool(bEnabled); cfgMergeString(szCACertificatePath); @@ -238,8 +229,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) #endif return new; -#endif /* XXX */ - return NULL; } /* @@ -247,11 +236,10 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) */ void *ssl_config_perdir_create(apr_pool_t *p, char *dir) { -#if 0 /* XXX */ - SSLDirConfigRec *dc = ap_palloc(p, sizeof(SSLDirConfigRec)); + SSLDirConfigRec *dc = apr_palloc(p, sizeof(SSLDirConfigRec)); dc->bSSLRequired = FALSE; - dc->aRequirement = ap_make_array(p, 4, sizeof(ssl_require_t)); + dc->aRequirement = apr_array_make(p, 4, sizeof(ssl_require_t)); dc->nOptions = SSL_OPT_NONE|SSL_OPT_RELSET; dc->nOptionsAdd = SSL_OPT_NONE; dc->nOptionsDel = SSL_OPT_NONE; @@ -259,14 +247,13 @@ void *ssl_config_perdir_create(apr_pool_t *p, char *dir) dc->szCipherSuite = NULL; dc->nVerifyClient = SSL_CVERIFY_UNSET; dc->nVerifyDepth = UNSET; + #ifdef SSL_EXPERIMENTAL_PERDIRCA dc->szCACertificatePath = NULL; dc->szCACertificateFile = NULL; #endif return dc; -#endif /* XXX */ - return NULL; } /* @@ -274,11 +261,9 @@ void *ssl_config_perdir_create(apr_pool_t *p, char *dir) */ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) { -#if 0 /* XXX */ SSLDirConfigRec *base = (SSLDirConfigRec *)basev; SSLDirConfigRec *add = (SSLDirConfigRec *)addv; - SSLDirConfigRec *new = (SSLDirConfigRec *)ap_palloc(p, - sizeof(SSLDirConfigRec)); + SSLDirConfigRec *new = (SSLDirConfigRec *)apr_palloc(p, sizeof(SSLDirConfigRec)); cfgMerge(bSSLRequired, FALSE); cfgMergeArray(aRequirement); @@ -297,14 +282,13 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) cfgMergeString(szCipherSuite); cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); cfgMergeInt(nVerifyDepth); + #ifdef SSL_EXPERIMENTAL_PERDIRCA cfgMergeString(szCACertificatePath); cfgMergeString(szCACertificateFile); #endif return new; -#endif /* XXX */ - return NULL; } @@ -313,23 +297,22 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) */ const char *ssl_cmd_SSLMutex( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ const char *err; - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(cmd->server); if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; - if (ssl_config_global_isfixed()) + if (ssl_config_global_isfixed(mc)) return NULL; if (strcEQ(arg, "none") || strcEQ(arg, "no")) { mc->nMutexMode = SSL_MUTEXMODE_NONE; } else if (strlen(arg) > 5 && strcEQn(arg, "file:", 5)) { mc->nMutexMode = SSL_MUTEXMODE_USED; - mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu", - ap_server_root_relative(cmd->pool, "mutex", arg+5), + mc->szMutexFile = (char *)apr_psprintf(mc->pPool, "%s.%lu", + ap_server_root_relative(cmd->pool, arg+5), (unsigned long)getpid()); } else if (strcEQ(arg, "sem") || strcEQ(arg, "yes")) { @@ -338,14 +321,12 @@ const char *ssl_cmd_SSLMutex( } else return "SSLMutex: Invalid argument"; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLPassPhraseDialog( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; @@ -357,23 +338,21 @@ const char *ssl_cmd_SSLPassPhraseDialog( } else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) { sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER; - sc->szPassPhraseDialogPath = ap_server_root_relative(cmd->pool, "dialog", arg+5); + sc->szPassPhraseDialogPath = (char *)ap_server_root_relative(cmd->pool, arg+5); if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '", - sc->szPassPhraseDialogPath, "' not exists", NULL); + return ((const char *)apr_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '", + sc->szPassPhraseDialogPath, "' not exists",NULL)); } else return "SSLPassPhraseDialog: Invalid argument"; -#endif /* XXX */ return NULL; } #ifdef SSL_EXPERIMENTAL_ENGINE const char *ssl_cmd_SSLCryptoDevice( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(cmd->server); const char *err; ENGINE *e; #if SSL_LIBRARY_VERSION >= 0x00907000 @@ -397,43 +376,42 @@ const char *ssl_cmd_SSLCryptoDevice( } else return "SSLCryptoDevice: Invalid argument"; -#endif /* XXX */ return NULL; } #endif const char *ssl_cmd_SSLRandomSeed( - cmd_parms *cmd, char *struct_ptr, char *arg1, char *arg2, char *arg3) + cmd_parms *cmd, void *ctx, const char *arg1, + const char *arg2, const char *arg3) { -#if 0 /* XXX */ - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(cmd->server); const char *err; ssl_randseed_t *pRS; if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; - if (ssl_config_global_isfixed()) + if (ssl_config_global_isfixed(mc)) return NULL; - pRS = ap_push_array(mc->aRandSeed); + pRS = apr_array_push(mc->aRandSeed); if (strcEQ(arg1, "startup")) pRS->nCtx = SSL_RSCTX_STARTUP; else if (strcEQ(arg1, "connect")) pRS->nCtx = SSL_RSCTX_CONNECT; else - return ap_pstrcat(cmd->pool, "SSLRandomSeed: " - "invalid context: `", arg1, "'"); + return apr_pstrcat(cmd->pool, "SSLRandomSeed: " + "invalid context: `", arg1, "'"); if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) { pRS->nSrc = SSL_RSSRC_FILE; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5)); + pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5)); } else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) { pRS->nSrc = SSL_RSSRC_EXEC; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5)); + pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5)); } #if SSL_LIBRARY_VERSION >= 0x00905100 else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) { pRS->nSrc = SSL_RSSRC_EGD; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+4)); + pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+4)); } #endif else if (strcEQ(arg2, "builtin")) { @@ -442,12 +420,12 @@ const char *ssl_cmd_SSLRandomSeed( } else { pRS->nSrc = SSL_RSSRC_FILE; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2)); + pRS->cpPath = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2)); } if (pRS->nSrc != SSL_RSSRC_BUILTIN) if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLRandomSeed: source path '", - pRS->cpPath, "' not exists", NULL); + return apr_pstrcat(cmd->pool, "SSLRandomSeed: source path '", + pRS->cpPath, "' not exists", NULL); if (arg3 == NULL) pRS->nBytes = 0; /* read whole file */ else { @@ -458,108 +436,101 @@ const char *ssl_cmd_SSLRandomSeed( if (pRS->nBytes < 0) return "SSLRandomSeed: invalid number of bytes specified"; } -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLEngine( - cmd_parms *cmd, char *struct_ptr, int flag) + cmd_parms *cmd, void *ctx, int flag) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->bEnabled = (flag ? TRUE : FALSE); -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCipherSuite( - cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; if (cmd->path == NULL || dc == NULL) - sc->szCipherSuite = arg; + sc->szCipherSuite = (char *)arg; else - dc->szCipherSuite = arg; -#endif /* XXX */ + dc->szCipherSuite = (char *)arg; return NULL; } const char *ssl_cmd_SSLCertificateFile( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; int i; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '", + return apr_pstrcat(cmd->pool, "SSLCertificateFile: file '", cpPath, "' not exists or empty", NULL); for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) ; if (i == SSL_AIDX_MAX) - return ap_psprintf(cmd->pool, "SSLCertificateFile: only up to %d " + return apr_psprintf(cmd->pool, "SSLCertificateFile: only up to %d " "different certificates per virtual host allowed", SSL_AIDX_MAX); sc->szPublicCertFile[i] = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCertificateKeyFile( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; int i; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '", + return apr_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '", cpPath, "' not exists or empty", NULL); - for (i = 0; i < SSL_AIDX_MAX && sc->szPrivateKeyFile[i] != NULL; i++) + for (i = 0; i < SSL_AIDX_MAX && (sc->szPrivateKeyFile[i] != NULL) && + (strlen(sc->szPrivateKeyFile[i]) != 0); i++) ; if (i == SSL_AIDX_MAX) - return ap_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d " + return apr_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d " "different private keys per virtual host allowed", SSL_AIDX_MAX); sc->szPrivateKeyFile[i] = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCertificateChainFile( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '", + return apr_pstrcat(cmd->pool, "SSLCertificateChainFile: file '", cpPath, "' not exists or empty", NULL); sc->szCertificateChain = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCACertificatePath( - cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ +#ifdef SSL_EXPERIMENTAL_PERDIRCA + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; +#endif SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '", - cpPath, "' not exists", NULL); + return apr_pstrcat(cmd->pool, "SSLCACertificatePath: directory '", + cpPath, "' not exists", NULL); #ifdef SSL_EXPERIMENTAL_PERDIRCA if (cmd->path == NULL || dc == NULL) sc->szCACertificatePath = cpPath; @@ -568,21 +539,22 @@ const char *ssl_cmd_SSLCACertificatePath( #else sc->szCACertificatePath = cpPath; #endif -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCACertificateFile( - cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ +#ifdef SSL_EXPERIMENTAL_PERDIRCA + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; +#endif SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '", - cpPath, "' not exists or empty", NULL); + return apr_pstrcat(cmd->pool, "SSLCACertificateFile: file '", + cpPath, "' not exists or empty", NULL); #ifdef SSL_EXPERIMENTAL_PERDIRCA if (cmd->path == NULL || dc == NULL) sc->szCACertificateFile = cpPath; @@ -591,46 +563,41 @@ const char *ssl_cmd_SSLCACertificateFile( #else sc->szCACertificateFile = cpPath; #endif -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCARevocationPath( - cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '", - cpPath, "' not exists", NULL); + return apr_pstrcat(cmd->pool, "SSLCARecocationPath: directory '", + cpPath, "' not exists", NULL); sc->szCARevocationPath = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLCARevocationFile( - cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = (char *)ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '", - cpPath, "' not exists or empty", NULL); + return apr_pstrcat(cmd->pool, "SSLCARevocationFile: file '", + cpPath, "' not exists or empty", NULL); sc->szCARevocationFile = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLVerifyClient( - cmd_parms *cmd, SSLDirConfigRec *dc, char *level) + cmd_parms *cmd, void *ctx, const char *level) { -#if 0 /* XXX */ + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ssl_verify_t id; @@ -648,14 +615,13 @@ const char *ssl_cmd_SSLVerifyClient( sc->nVerifyClient = id; else dc->nVerifyClient = id; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLVerifyDepth( - cmd_parms *cmd, SSLDirConfigRec *dc, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; SSLSrvConfigRec *sc = mySrvConfig(cmd->server); int d; @@ -666,40 +632,41 @@ const char *ssl_cmd_SSLVerifyDepth( sc->nVerifyDepth = d; else dc->nVerifyDepth = d; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLSessionCache( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ + SSLModConfigRec *mc = myModConfig(cmd->server); const char *err; - SSLModConfigRec *mc = myModConfig(); char *cp, *cp2; int maxsize; if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) return err; - if (ssl_config_global_isfixed()) + if (ssl_config_global_isfixed(mc)) return NULL; + if (strcEQ(arg, "none")) { mc->nSessionCacheMode = SSL_SCMODE_NONE; mc->szSessionCacheDataFile = NULL; } else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) { mc->nSessionCacheMode = SSL_SCMODE_DBM; - mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, - ap_server_root_relative(cmd->pool, "scache", arg+4)); + mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool, + ap_server_root_relative(cmd->pool, arg+4)); } else if ( (strlen(arg) > 4 && strcEQn(arg, "shm:", 4)) || (strlen(arg) > 6 && strcEQn(arg, "shmht:", 6))) { +#if 0 /* XXX */ if (!ap_mm_useable()) return "SSLSessionCache: shared memory cache not useable on this platform"; +#endif mc->nSessionCacheMode = SSL_SCMODE_SHMHT; cp = strchr(arg, ':'); - mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, - ap_server_root_relative(cmd->pool, "scache", cp+1)); + mc->szSessionCacheDataFile = (char *)apr_pstrdup(mc->pPool, + ap_server_root_relative(cmd->pool, cp+1)); mc->tSessionCacheDataTable = NULL; mc->nSessionCacheDataSize = 1024*512; /* 512KB */ if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) { @@ -710,17 +677,23 @@ const char *ssl_cmd_SSLSessionCache( mc->nSessionCacheDataSize = atoi(cp); if (mc->nSessionCacheDataSize <= 8192) return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes"; +#if 0 /* XXX */ maxsize = ap_mm_core_maxsegsize(); +#else + maxsize = 1024 * 512; +#endif if (mc->nSessionCacheDataSize >= maxsize) - return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: " + return apr_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: " "size has to be < %d bytes on this platform", maxsize); } } else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) { +#if 0 /* XXX */ if (!ap_mm_useable()) return "SSLSessionCache: shared memory cache not useable on this platform"; +#endif mc->nSessionCacheMode = SSL_SCMODE_SHMCB; - mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, + mc->szSessionCacheDataFile = apr_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg+6)); mc->tSessionCacheDataTable = NULL; mc->nSessionCacheDataSize = 1024*512; /* 512KB */ @@ -732,50 +705,48 @@ const char *ssl_cmd_SSLSessionCache( mc->nSessionCacheDataSize = atoi(cp); if (mc->nSessionCacheDataSize <= 8192) return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes"; +#if 0 /* XXX */ maxsize = ap_mm_core_maxsegsize(); +#else + maxsize = 1024 * 512; +#endif if (mc->nSessionCacheDataSize >= maxsize) - return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: " + return apr_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: " "size has to be < %d bytes on this platform", maxsize); } } else return "SSLSessionCache: Invalid argument"; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLSessionCacheTimeout( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->nSessionCacheTimeout = atoi(arg); if (sc->nSessionCacheTimeout < 0) return "SSLSessionCacheTimeout: Invalid argument"; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLLog( - cmd_parms *cmd, char *struct_ptr, char *arg) + cmd_parms *cmd, void *ctx, const char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL) return err; - sc->szLogFile = arg; -#endif /* XXX */ + sc->szLogFile = (char *)arg; return NULL; } const char *ssl_cmd_SSLLogLevel( - cmd_parms *cmd, char *struct_ptr, char *level) + cmd_parms *cmd, void *ctx, const char *level) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; @@ -796,14 +767,13 @@ const char *ssl_cmd_SSLLogLevel( sc->nLogLevel = SSL_LOG_DEBUG; else return "SSLLogLevel: Invalid argument"; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLOptions( - cmd_parms *cmd, SSLDirConfigRec *dc, const char *cpLine) + cmd_parms *cmd, void *ctx, const char *cpLine) { -#if 0 /* XXX */ + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; ssl_opt_t opt; int first; char action; @@ -835,7 +805,7 @@ const char *ssl_cmd_SSLOptions( else if (strcEQ(w, "OptRenegotiate")) opt = SSL_OPT_OPTRENEGOTIATE; else - return ap_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL); + return apr_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL); if (action == '-') { dc->nOptionsAdd &= ~opt; @@ -853,39 +823,35 @@ const char *ssl_cmd_SSLOptions( dc->nOptionsDel = SSL_OPT_NONE; } } -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLRequireSSL( - cmd_parms *cmd, SSLDirConfigRec *dc, char *cipher) + cmd_parms *cmd, void *ctx) { -#if 0 /* XXX */ + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; dc->bSSLRequired = TRUE; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLRequire( - cmd_parms *cmd, SSLDirConfigRec *dc, char *cpExpr) + cmd_parms *cmd, void *ctx, const char *cpExpr) { -#if 0 /* XXX */ + SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; ssl_expr *mpExpr; ssl_require_t *pReqRec; - if ((mpExpr = ssl_expr_comp(cmd->pool, cpExpr)) == NULL) - return ap_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL); - pReqRec = ap_push_array(dc->aRequirement); - pReqRec->cpExpr = ap_pstrdup(cmd->pool, cpExpr); + if ((mpExpr = ssl_expr_comp(cmd->pool, (char *)cpExpr)) == NULL) + return apr_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL); + pReqRec = apr_array_push(dc->aRequirement); + pReqRec->cpExpr = apr_pstrdup(cmd->pool, cpExpr); pReqRec->mpExpr = mpExpr; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProtocol( - cmd_parms *cmd, char *struct_ptr, const char *opt) + cmd_parms *cmd, void *ctx, const char *opt) { -#if 0 /* XXX */ SSLSrvConfigRec *sc; ssl_proto_t options, thisopt; char action; @@ -909,7 +875,8 @@ const char *ssl_cmd_SSLProtocol( else if (strcEQ(w, "all")) thisopt = SSL_PROTOCOL_ALL; else - return ap_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", w, "'", NULL); + return apr_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", + w, "'", NULL); if (action == '-') options &= ~thisopt; @@ -919,7 +886,6 @@ const char *ssl_cmd_SSLProtocol( options = thisopt; } sc->nProtocol = options; -#endif /* XXX */ return NULL; } @@ -928,7 +894,6 @@ const char *ssl_cmd_SSLProtocol( const char *ssl_cmd_SSLProxyProtocol( cmd_parms *cmd, char *struct_ptr, const char *opt) { -#if 0 /* XXX */ SSLSrvConfigRec *sc; ssl_proto_t options, thisopt; char action; @@ -952,7 +917,7 @@ const char *ssl_cmd_SSLProxyProtocol( else if (strcEQ(w, "all")) thisopt = SSL_PROTOCOL_ALL; else - return ap_pstrcat(cmd->pool, "SSLProxyProtocol: " + return apr_pstrcat(cmd->pool, "SSLProxyProtocol: " "Illegal protocol '", w, "'", NULL); if (action == '-') options &= ~thisopt; @@ -962,36 +927,30 @@ const char *ssl_cmd_SSLProxyProtocol( options = thisopt; } sc->nProxyProtocol = options; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyCipherSuite( cmd_parms *cmd, char *struct_ptr, char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->szProxyCipherSuite = arg; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyVerify( cmd_parms *cmd, char *struct_ptr, int flag) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->bProxyVerify = (flag ? TRUE : FALSE); -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyVerifyDepth( cmd_parms *cmd, char *struct_ptr, char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); int d; @@ -999,71 +958,62 @@ const char *ssl_cmd_SSLProxyVerifyDepth( if (d < 0) return "SSLProxyVerifyDepth: Invalid argument"; sc->nProxyVerifyDepth = d; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyCACertificateFile( cmd_parms *cmd, char *struct_ptr, char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '", + return apr_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '", cpPath, "' not exists or empty", NULL); sc->szProxyCACertificateFile = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyCACertificatePath( cmd_parms *cmd, char *struct_ptr, char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '", - cpPath, "' does not exists", NULL); + return apr_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '", + cpPath, "' does not exists", NULL); sc->szProxyCACertificatePath = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyMachineCertificateFile( cmd_parms *cmd, char *struct_ptr, char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '", - cpPath, "' not exists or empty", NULL); + return apr_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '", + cpPath, "' not exists or empty", NULL); sc->szProxyClientCertificateFile = cpPath; -#endif /* XXX */ return NULL; } const char *ssl_cmd_SSLProxyMachineCertificatePath( cmd_parms *cmd, char *struct_ptr, char *arg) { -#if 0 /* XXX */ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, "certkey", arg); + cpPath = ap_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath, cmd->pool)) - return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '", - cpPath, "' does not exists", NULL); + return apr_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '", + cpPath, "' does not exists", NULL); sc->szProxyClientCertificatePath = cpPath; -#endif /* XXX */ return NULL; } diff --git a/modules/ssl/ssl_engine_ds.c b/modules/ssl/ssl_engine_ds.c index 25fdf20c15f..4782f454452 100644 --- a/modules/ssl/ssl_engine_ds.c +++ b/modules/ssl/ssl_engine_ds.c @@ -76,7 +76,7 @@ ssl_ds_array *ssl_ds_array_make(apr_pool_t *p, int size) if ((a = (ssl_ds_array *)apr_palloc(p, sizeof(ssl_ds_array))) == NULL) return NULL; a->pPool = p; - if ((a->pSubPool = apr_pool_sub_make(p, NULL)) != APR_SUCCESS) + if ((a->pSubPool = apr_pool_sub_make(p, NULL)) == NULL) return NULL; a->aData = apr_array_make(a->pSubPool, 2, size); return a; @@ -130,7 +130,7 @@ ssl_ds_table *ssl_ds_table_make(apr_pool_t *p, int size) if ((t = (ssl_ds_table *)apr_palloc(p, sizeof(ssl_ds_table))) == NULL) return NULL; t->pPool = p; - if ((t->pSubPool = apr_pool_sub_make(p, NULL)) != APR_SUCCESS) + if ((t->pSubPool = apr_pool_sub_make(p, NULL)) == NULL) return NULL; t->aKey = apr_array_make(t->pSubPool, 2, MAX_STRING_LEN); t->aData = apr_array_make(t->pSubPool, 2, size); diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 46fb0c5f189..7865c09c5c3 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -61,8 +61,6 @@ -- Unknown */ #include "mod_ssl.h" -#if 0 /* XXX */ - /* _________________________________________________________________ ** ** Module Initialization @@ -72,25 +70,25 @@ /* * Per-module initialization */ -void ssl_init_Module(server_rec *s, pool *p) +void ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); SSLSrvConfigRec *sc; server_rec *s2; - char *cp; - - mc->nInitCount++; /* * Let us cleanup on restarts and exists */ - ap_register_cleanup(p, s, ssl_init_ModuleKill, ssl_init_ChildKill); + apr_pool_cleanup_register(p, s, ssl_init_ModuleKill, ssl_init_ChildKill); /* * Any init round fixes the global config */ - ssl_config_global_create(); /* just to avoid problems */ - ssl_config_global_fix(); + ssl_config_global_create(s); /* just to avoid problems */ + ssl_config_global_fix(mc); + + mc->nInitCount++; /* * try to fix the configuration and open the dedicated SSL @@ -123,10 +121,12 @@ void ssl_init_Module(server_rec *s, pool *p) * Identification */ if (mc->nInitCount == 1) { +#if 0 /* XXX */ ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s", - SERVER_BASEVERSION, + AP_SERVER_BASEVERSION, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"), ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY")); +#endif } /* @@ -159,7 +159,7 @@ void ssl_init_Module(server_rec *s, pool *p) * module segment (code & data) gets unloaded and re-loaded between * the first and the second round. This means no global data survives * between first and the second init round. We overcome this by using - * an entry ("ssl_module") inside the ap_global_ctx. + * an entry ("ssl_module") inside the process_rec->pool->user_data. * * The situation as a table: * @@ -257,10 +257,12 @@ void ssl_init_Module(server_rec *s, pool *p) * Announce mod_ssl and SSL library in HTTP Server field * as ``mod_ssl/X.X.X OpenSSL/X.X.X'' */ +#if 0 /* XXX */ if ((cp = ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_PRODUCT")) != NULL && cp[0] != NUL) - ap_add_version_component(cp); - ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE")); - ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY")); + ap_add_version_component(p, cp); + ap_add_version_component(p, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE")); + ap_add_version_component(p, ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY")); +#endif return; } @@ -283,9 +285,9 @@ void ssl_init_SSLLibrary(void) * a hardware accellerator card for crypto operations. */ #ifdef SSL_EXPERIMENTAL_ENGINE -void ssl_init_Engine(server_rec *s, pool *p) +void ssl_init_Engine(server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); ENGINE *e; if (mc->szCryptoDevice != NULL) { @@ -310,9 +312,9 @@ void ssl_init_Engine(server_rec *s, pool *p) /* * Handle the Temporary RSA Keys and DH Params */ -void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) +void ssl_init_TmpKeysHandle(int action, server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); ssl_asn1_t *asn1; unsigned char *ucp; RSA *rsa; @@ -333,7 +335,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512"); asn1->nData = i2d_RSAPrivateKey(rsa, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = apr_palloc(mc->pPool, asn1->nData); ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */ RSA_free(rsa); @@ -345,7 +347,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:1024"); asn1->nData = i2d_RSAPrivateKey(rsa, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = apr_palloc(mc->pPool, asn1->nData); ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */ RSA_free(rsa); @@ -358,7 +360,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:512"); asn1->nData = i2d_DHparams(dh, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = apr_palloc(mc->pPool, asn1->nData); ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */ /* no need to free dh, it's static */ @@ -369,7 +371,7 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:1024"); asn1->nData = i2d_DHparams(dh, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = apr_palloc(mc->pPool, asn1->nData); ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */ /* no need to free dh, it's static */ } @@ -463,9 +465,9 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) /* * Configure a particular server */ -void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) +void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); int nVerify; char *cpVHostID; EVP_PKEY *pKey; @@ -515,9 +517,9 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) cpVHostID); ssl_die(); } - cp = ap_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""), - (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), - (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL); + cp = apr_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""), + (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), + (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL); cp[strlen(cp)-2] = NUL; ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, cp); @@ -633,7 +635,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) * Configure server certificate(s) */ ok = FALSE; - cp = ap_psprintf(p, "%s:RSA", cpVHostID); + cp = apr_psprintf(p, "%s:RSA", cpVHostID); if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) { ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring RSA server certificate", cpVHostID); @@ -652,7 +654,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) } ok = TRUE; } - cp = ap_psprintf(p, "%s:DSA", cpVHostID); + cp = apr_psprintf(p, "%s:DSA", cpVHostID); if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) { ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring DSA server certificate", cpVHostID); @@ -703,8 +705,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen); } if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) { - if (ap_is_fnmatch(cp) && - !ap_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) { + if (apr_is_fnmatch(cp) && + !apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) { ssl_log(s, SSL_LOG_WARN, "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' " "does NOT match server name!?", cpVHostID, @@ -724,7 +726,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) * Configure server private key(s) */ ok = FALSE; - cp = ap_psprintf(p, "%s:RSA", cpVHostID); + cp = apr_psprintf(p, "%s:RSA", cpVHostID); if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) { ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring RSA server private key", cpVHostID); @@ -744,7 +746,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) } ok = TRUE; } - cp = ap_psprintf(p, "%s:DSA", cpVHostID); + cp = apr_psprintf(p, "%s:DSA", cpVHostID); if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) { ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring DSA server private key", cpVHostID); @@ -819,13 +821,13 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) return; } -void ssl_init_CheckServers(server_rec *sm, pool *p) +void ssl_init_CheckServers(server_rec *sm, apr_pool_t *p) { server_rec *s; server_rec **ps; SSLSrvConfigRec *sc; ssl_ds_table *t; - pool *sp; + apr_pool_t *sp; char *key; BOOL bConflict; @@ -851,14 +853,14 @@ void ssl_init_CheckServers(server_rec *sm, pool *p) * just the certificate/keys of one virtual host (which one cannot be said * easily - but that doesn't matter here). */ - sp = ap_make_sub_pool(p); + apr_pool_create(&sp, p); t = ssl_ds_table_make(sp, sizeof(server_rec *)); bConflict = FALSE; for (s = sm; s != NULL; s = s->next) { sc = mySrvConfig(s); if (!sc->bEnabled) continue; - key = ap_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port); + key = apr_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port); ps = ssl_ds_table_get(t, key); if (ps != NULL) { ssl_log(sm, SSL_LOG_WARN, @@ -876,7 +878,8 @@ void ssl_init_CheckServers(server_rec *sm, pool *p) *ps = s; } ssl_ds_table_kill(t); - ap_destroy_pool(sp); + /* XXX - It was giving some problem earlier - check it out - TBD */ + apr_pool_destroy(sp); if (bConflict) ssl_log(sm, SSL_LOG_WARN, "Init: You should not use name-based virtual hosts in conjunction with SSL!!"); @@ -889,14 +892,14 @@ static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b) return(X509_NAME_cmp(*a, *b)); } -STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile, char *cpCApath) +STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, char *cpCAfile, char *cpCApath) { STACK_OF(X509_NAME) *skCAList; STACK_OF(X509_NAME) *sk; - DIR *dir; - struct DIR_TYPE *direntry; + apr_dir_t *dir; + apr_finfo_t direntry; char *cp; - pool *p; + apr_pool_t *p; int n; /* @@ -904,7 +907,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile * is remains in memory for the complete operation time of * the server. */ - p = ap_make_sub_pool(pp); + p = apr_pool_sub_make(pp, NULL); /* * Start with a empty stack/list where new @@ -930,9 +933,9 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile * Process CA certificate path files */ if (cpCApath != NULL) { - dir = ap_popendir(p, cpCApath); - while ((direntry = readdir(dir)) != NULL) { - cp = ap_pstrcat(p, cpCApath, "/", direntry->d_name, NULL); + apr_dir_open(&dir, cpCApath, p); + while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) { + cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL); sk = SSL_load_client_CA_file(cp); for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) { ssl_log(s, SSL_LOG_TRACE, @@ -942,32 +945,33 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n)); } } - ap_pclosedir(p, dir); + apr_dir_close(dir); } /* * Cleanup */ sk_X509_NAME_set_cmp_func(skCAList, NULL); - ap_destroy_pool(p); + apr_pool_destroy(p); return skCAList; } -void ssl_init_Child(server_rec *s, pool *p) +void ssl_init_Child(apr_pool_t *p, server_rec *s) { /* open the mutex lockfile */ ssl_mutex_reinit(s, p); return; } -void ssl_init_ChildKill(void *data) +apr_status_t ssl_init_ChildKill(void *data) { + /* server_rec *s = (server_rec *)data; */ /* currently nothing to do */ - return; + return APR_SUCCESS; } -void ssl_init_ModuleKill(void *data) +apr_status_t ssl_init_ModuleKill(void *data) { SSLSrvConfigRec *sc; server_rec *s = (server_rec *)data; @@ -976,7 +980,9 @@ void ssl_init_ModuleKill(void *data) * Drop the session cache and mutex */ ssl_scache_kill(s); +#if 0 /* XXX */ ssl_mutex_kill(s); +#endif /* * Destroy the temporary keys and params @@ -1020,8 +1026,6 @@ void ssl_init_ModuleKill(void *data) EVP_cleanup(); #endif - return; + return APR_SUCCESS; } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index ee8ce294ddb..f89ef4df060 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -68,10 +68,9 @@ ** _________________________________________________________________ */ -#if 0 /* XXX */ -static int ssl_io_hook_read(BUFF *fb, char *buf, int len); -static int ssl_io_hook_write(BUFF *fb, char *buf, int len); -#endif /* XXX */ +/* XXX THIS STUFF NEEDS A MAJOR CLEANUP -RSE XXX */ + +static const char ssl_io_filter[] = "SSL/TLS Filter"; void ssl_io_register(void) { @@ -91,15 +90,12 @@ void ssl_io_unregister(void) return; } -#if 0 /* XXX */ - -static int ssl_io_hook_read(BUFF *fb, char *buf, int len) +static int ssl_io_hook_read(SSL *ssl, unsigned char *buf, int len) { - SSL *ssl; conn_rec *c; int rc; - if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL) { + if (ssl != NULL) { rc = SSL_read(ssl, buf, len); /* * Simulate an EINTR in case OpenSSL wants to read more. @@ -113,27 +109,30 @@ static int ssl_io_hook_read(BUFF *fb, char *buf, int len) */ if (rc < 0 && SSL_get_error(ssl, rc) == SSL_ERROR_SSL) { c = (conn_rec *)SSL_get_app_data(ssl); - ssl_log(c->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "SSL error on reading data"); } /* * read(2) returns only the generic error number -1 */ if (rc < 0) - rc = -1; + /* + * XXX - Just trying to reflect the behaviour in + * openssl_state_machine.c [mod_tls]. TBD + */ + rc = 0; } else - rc = read(fb->fd_in, buf, len); + rc = -1; return rc; } -static int ssl_io_hook_write(BUFF *fb, char *buf, int len) +static int ssl_io_hook_write(SSL *ssl, unsigned char *buf, int len) { - SSL *ssl; conn_rec *c; int rc; - if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL) { + if (ssl != NULL) { rc = SSL_write(ssl, buf, len); /* * Simulate an EINTR in case OpenSSL wants to write more. @@ -145,20 +144,296 @@ static int ssl_io_hook_write(BUFF *fb, char *buf, int len) */ if (rc < 0 && SSL_get_error(ssl, rc) == SSL_ERROR_SSL) { c = (conn_rec *)SSL_get_app_data(ssl); - ssl_log(c->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, + ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "SSL error on writing data"); } /* * write(2) returns only the generic error number -1 */ if (rc < 0) - rc = -1; + /* + * XXX - Just trying to reflect the behaviour in + * openssl_state_machine.c [mod_tls]. TBD + */ + rc = 0; } else - rc = write(fb->fd, buf, len); + rc = -1; return rc; } +static apr_status_t churn_output(SSLFilterRec *pRec) +{ + apr_bucket_brigade *pbbOutput=NULL; + int done; + + do { + char buf[1024]; + int n; + apr_bucket *pbkt; + + done=0; + + if (BIO_pending(pRec->pbioWrite)) { + n = BIO_read(pRec->pbioWrite,buf,sizeof buf); + if(n > 0) { + char *pbuf; + + if(!pbbOutput) + pbbOutput=apr_brigade_create(pRec->pOutputFilter->c->pool); + + pbuf=apr_pmemdup(pRec->pOutputFilter->c->pool,buf,n); + pbkt=apr_bucket_pool_create(pbuf,n, + pRec->pOutputFilter->c->pool); + APR_BRIGADE_INSERT_TAIL(pbbOutput,pbkt); + done=1; + /* } else if(n == 0) { + apr_bucket *pbktEOS=apr_bucket_create_eos(); + APR_BRIGADE_INSERT_TAIL(pbbOutput,pbktEOS);*/ + } + assert (n > 0); /* XXX => Check if required */ +#if 0 /* XXX */ + } + else if (n == 0) + done = 1; + else + assert (n > 0); +#endif + } +#if 0 /* XXX */ + else + { + done = 1; + } +#endif + } while(done); + + /* XXX: check for errors */ + if(pbbOutput) { + apr_bucket *pbkt; + + /* XXX: it may be possible to not always flush */ + pbkt=apr_bucket_flush_create(); + APR_BRIGADE_INSERT_TAIL(pbbOutput,pbkt); + ap_pass_brigade(pRec->pOutputFilter->next,pbbOutput); + } + + return APR_SUCCESS; +} + +static apr_status_t churn (SSLFilterRec *pRec, + apr_read_type_e eReadType, apr_size_t *readbytes) +{ + apr_bucket *pbktIn; + ap_input_mode_t eMode = (eReadType == APR_BLOCK_READ) + ? AP_MODE_BLOCKING : AP_MODE_NONBLOCKING; + +/* XXX : Errrr... bad way of doing things TBD */ +eReadType = APR_BLOCK_READ; +eMode = AP_MODE_BLOCKING; + + if(APR_BRIGADE_EMPTY(pRec->pbbInput)) { + ap_get_brigade(pRec->pInputFilter->next,pRec->pbbInput,eMode,readbytes); + if(APR_BRIGADE_EMPTY(pRec->pbbInput)) + return APR_EOF; + } + + APR_BRIGADE_FOREACH(pbktIn,pRec->pbbInput) { + const char *data; + apr_size_t len; + int n; + char buf[1024]; + apr_status_t ret; + + if(APR_BUCKET_IS_EOS(pbktIn)) { + break; + } + + /* read filter */ + ret=apr_bucket_read(pbktIn,&data,&len,eReadType); + + APR_BUCKET_REMOVE(pbktIn); + + if(ret == APR_SUCCESS && len == 0 && eReadType == APR_BLOCK_READ) + ret=APR_EOF; + + if(len == 0) { + /* Lazy frickin browsers just reset instead of shutting down. */ + if(ret == APR_EOF || APR_STATUS_IS_ECONNRESET(ret)) { + if(APR_BRIGADE_EMPTY(pRec->pbbPendingInput)) + return APR_EOF; + else + /* Next time around, the incoming brigade will be empty, + * so we'll return EOF then + */ + return APR_SUCCESS; + } + + if(eReadType != APR_NONBLOCK_READ) + ap_log_error(APLOG_MARK,APLOG_ERR,ret,NULL, + "Read failed in tls_in_filter"); + assert(eReadType == APR_NONBLOCK_READ); + assert(ret == APR_SUCCESS || APR_STATUS_IS_EAGAIN(ret)); + /* In this case, we have data in the output bucket, or we were + * non-blocking, so returning nothing is fine. + */ + return APR_SUCCESS; + } + + assert(len > 0); + + n = BIO_write (pRec->pbioRead, data, len); + assert(n == len); + + ssl_hook_process_connection (pRec); + + n = ssl_io_hook_read(pRec->pssl, (unsigned char *)buf, sizeof(buf)); + if(n > 0) { + apr_bucket *pbktOut; + char *pbuf; + + pbuf=apr_pmemdup(pRec->pInputFilter->c->pool,buf,n); + /* XXX: should we use a heap bucket instead? Or a transient (in + * which case we need a separate brigade for each bucket)? + */ + pbktOut=apr_bucket_pool_create(pbuf,n,pRec->pInputFilter->c->pool); + APR_BRIGADE_INSERT_TAIL(pRec->pbbPendingInput,pbktOut); + + /* Once we've read something, we can move to non-blocking mode (if + * we weren't already). + */ + eReadType=APR_NONBLOCK_READ; + + /* XXX: deal with EOF! */ + /* } else if(n == 0) { + apr_bucket *pbktEOS=apr_bucket_create_eos(); + APR_BRIGADE_INSERT_TAIL(pbbInput,pbktEOS);*/ + } + assert(n >= 0); + + ret=churn_output(pRec); + if(ret != APR_SUCCESS) + return ret; + } + + return churn_output(pRec); +} + +apr_status_t ssl_io_filter_Output(ap_filter_t *f,apr_bucket_brigade *pbbIn) +{ + SSLFilterRec *pRec=f->ctx; + apr_bucket *pbktIn; +conn_rec *c = SSL_get_app_data (pRec->pssl); + + APR_BRIGADE_FOREACH(pbktIn,pbbIn) { + const char *data; + apr_size_t len, n; + apr_status_t ret; + + if(APR_BUCKET_IS_EOS(pbktIn)) { + /* XXX: demote to debug */ + ssl_log(c->base_server, SSL_LOG_INFO, "EOS in output"); + + if (ssl_hook_CloseConnection (pRec) != APR_SUCCESS) + ssl_log(c->base_server, SSL_LOG_INFO, + "Error in ssl_hook_CloseConnection"); +#if 0 + /* XXX: dubious - does this always terminate? Does it return the right thing? */ + for( ; ; ) { + ret=churn_output(pRec); + if(ret != APR_SUCCESS) + return ret; + /* XXX - Verify if passing &len is okay for churn - TBD */ + len = 0; + ret=churn(pRec,APR_NONBLOCK_READ,&len); + if(ret != APR_SUCCESS) { + if(ret == APR_EOF) + return APR_SUCCESS; + else + return ret; + } + } +#endif + break; + } + + if(APR_BUCKET_IS_FLUSH(pbktIn)) { + /* assume that churn will flush (or already has) if there's output */ + /* XXX - Verify if passing &len is okay for churn - TBD */ + ssl_log(c->base_server, SSL_LOG_INFO, "FLUSH in output"); + len = 0; + ret=churn(pRec,APR_NONBLOCK_READ,&len); + if(ret != APR_SUCCESS) + return ret; + continue; + } + + ssl_log(c->base_server, SSL_LOG_INFO, "DATA in output"); + /* read filter */ + apr_bucket_read(pbktIn,&data,&len,APR_BLOCK_READ); + + /* write SSL */ + n = ssl_io_hook_write(pRec->pssl, (unsigned char *)data, len); + assert (n == len); + + + /* churn the state machine */ + ret=churn_output(pRec); + if(ret != APR_SUCCESS) + return ret; + } + return APR_SUCCESS; +} + +apr_status_t ssl_io_filter_Input(ap_filter_t *f,apr_bucket_brigade *pbbOut, + ap_input_mode_t eMode, apr_size_t *readbytes) +{ + apr_status_t ret; + SSLFilterRec *pRec = f->ctx; + apr_read_type_e eReadType = + (eMode == AP_MODE_BLOCKING) ? APR_BLOCK_READ : APR_NONBLOCK_READ; + + /* XXX: we don't currently support peek */ + assert(eMode != AP_MODE_PEEK); + + /* churn the state machine */ + ret = churn(pRec,eReadType,readbytes); + if(ret != APR_SUCCESS) + return ret; + + /* XXX: shame that APR_BRIGADE_FOREACH doesn't work here */ + while(!APR_BRIGADE_EMPTY(pRec->pbbPendingInput)) { + apr_bucket *pbktIn=APR_BRIGADE_FIRST(pRec->pbbPendingInput); + APR_BUCKET_REMOVE(pbktIn); + APR_BRIGADE_INSERT_TAIL(pbbOut,pbktIn); + } + + return APR_SUCCESS; +} + +void ssl_io_filter_init(conn_rec *c, SSL *ssl) +{ + SSLFilterRec *filter; + + filter = apr_pcalloc(c->pool, sizeof(SSLFilterRec)); + filter->pInputFilter = ap_add_input_filter(ssl_io_filter, filter, NULL, c); + filter->pOutputFilter = ap_add_output_filter(ssl_io_filter, filter, NULL, c); + filter->pbbInput = apr_brigade_create(c->pool); + filter->pbbPendingInput = apr_brigade_create(c->pool); + filter->pbioRead = BIO_new(BIO_s_mem()); + filter->pbioWrite = BIO_new(BIO_s_mem()); + SSL_set_bio(ssl, filter->pbioRead, filter->pbioWrite); + filter->pssl = ssl; + return; +} + +void ssl_io_filter_register(apr_pool_t *p) +{ + ap_register_input_filter (ssl_io_filter, ssl_io_filter_Input, AP_FTYPE_NETWORK); + ap_register_output_filter (ssl_io_filter, ssl_io_filter_Output, AP_FTYPE_NETWORK); + return; +} + /* _________________________________________________________________ ** ** I/O Data Debugging @@ -183,28 +458,28 @@ static void ssl_io_data_dump(server_rec *srvr, const char *s, long len) ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, "+-------------------------------------------------------------------------+"); for(i = 0 ; i< rows; i++) { - ap_snprintf(tmp, sizeof(tmp), "| %04x: ", i * DUMP_WIDTH); - ap_cpystrn(buf, tmp, sizeof(buf)); + apr_snprintf(tmp, sizeof(tmp), "| %04x: ", i * DUMP_WIDTH); + apr_cpystrn(buf, tmp, sizeof(buf)); for (j = 0; j < DUMP_WIDTH; j++) { if (((i * DUMP_WIDTH) + j) >= len) - ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf)); + apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf)); else { ch = ((unsigned char)*((char *)(s) + i * DUMP_WIDTH + j)) & 0xff; - ap_snprintf(tmp, sizeof(tmp), "%02x%c", ch , j==7 ? '-' : ' '); - ap_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf)); + apr_snprintf(tmp, sizeof(tmp), "%02x%c", ch , j==7 ? '-' : ' '); + apr_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf)); } } - ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf)); + apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf)); for (j = 0; j < DUMP_WIDTH; j++) { if (((i * DUMP_WIDTH) + j) >= len) - ap_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf)); + apr_cpystrn(buf+strlen(buf), " ", sizeof(buf)-strlen(buf)); else { ch = ((unsigned char)*((char *)(s) + i * DUMP_WIDTH + j)) & 0xff; - ap_snprintf(tmp, sizeof(tmp), "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.'); - ap_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf)); + apr_snprintf(tmp, sizeof(tmp), "%c", ((ch >= ' ') && (ch <= '~')) ? ch : '.'); + apr_cpystrn(buf+strlen(buf), tmp, sizeof(buf)-strlen(buf)); } } - ap_cpystrn(buf+strlen(buf), " |", sizeof(buf)-strlen(buf)); + apr_cpystrn(buf+strlen(buf), " |", sizeof(buf)-strlen(buf)); ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, "%s", buf); } if (trunc > 0) @@ -225,7 +500,7 @@ long ssl_io_data_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, lo return rc; if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL) return rc; - s = c->server; + s = c->base_server; if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN) || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) { @@ -250,6 +525,3 @@ long ssl_io_data_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, lo } return rc; } - -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index b631715c478..20b9ec54857 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -373,19 +373,23 @@ void ssl_hook_TimeoutConnection(int sig) ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)TRUE); return; } +#endif /* XXX */ /* * Close the SSL part of the socket connection * (called immediately _before_ the socket is closed) */ -void ssl_hook_CloseConnection(conn_rec *conn) +apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter) { SSL *ssl; char *cpType; + conn_rec *conn; + + ssl = filter->pssl; + conn = (conn_rec *)SSL_get_app_data(ssl); - ssl = ap_ctx_get(conn->client->ctx, "ssl"); if (ssl == NULL) - return; + return APR_SUCCESS; /* * First make sure that no more data is pending in Apache's BUFF, @@ -393,7 +397,7 @@ void ssl_hook_CloseConnection(conn_rec *conn) * calls of Apache it would lead to an I/O error in the browser due * to the fact that the SSL layer was already removed by us. */ - ap_bflush(conn->client); + ap_flush_conn(conn); /* * Now close the SSL layer of the connection. We've to take @@ -431,13 +435,13 @@ void ssl_hook_CloseConnection(conn_rec *conn) * exchange close notify messages, but allow the user * to force the type of handshake via SetEnvIf directive */ - if (ap_ctx_get(conn->client->ctx, "ssl::flag::unclean-shutdown") == PTRUE) { + if (apr_table_get(conn->notes, "ssl::flag::unclean-shutdown") == PTRUE) { /* perform no close notify handshake at all (violates the SSL/TLS standard!) */ SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); cpType = "unclean"; } - else if (ap_ctx_get(conn->client->ctx, "ssl::flag::accurate-shutdown") == PTRUE) { + else if (apr_table_get(conn->notes, "ssl::flag::accurate-shutdown") == PTRUE) { /* send close notify and wait for clients close notify (standard compliant, but usually causes connection hangs) */ SSL_set_shutdown(ssl, 0); @@ -451,16 +455,17 @@ void ssl_hook_CloseConnection(conn_rec *conn) } SSL_smart_shutdown(ssl); - /* deallocate the SSL connection */ - SSL_free(ssl); - ap_ctx_set(conn->client->ctx, "ssl", NULL); - /* and finally log the fact that we've closed the connection */ - ssl_log(conn->server, SSL_LOG_INFO, + ssl_log(conn->base_server, SSL_LOG_INFO, "Connection to child %d closed with %s shutdown (server %s, client %s)", - conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server), + conn->id, cpType, ssl_util_vhostid(conn->pool, conn->base_server), conn->remote_ip != NULL ? conn->remote_ip : "unknown"); - return; + + /* deallocate the SSL connection */ + SSL_free(ssl); + apr_table_setn(conn->notes, "ssl", NULL); + + return APR_SUCCESS; } /* @@ -469,16 +474,16 @@ void ssl_hook_CloseConnection(conn_rec *conn) int ssl_hook_ReadReq(request_rec *r) { SSL *ssl; - ap_ctx *apctx; + apr_table_t *apctx; /* * Get the SSL connection structure and perform the * delayed interlinking from SSL back to request_rec */ - ssl = ap_ctx_get(r->connection->client->ctx, "ssl"); + ssl = (SSL *)apr_table_get(r->connection->notes, "ssl"); if (ssl != NULL) { apctx = SSL_get_app_data2(ssl); - ap_ctx_set(apctx, "ssl::request_rec", r); + apr_table_setn(apctx, "ssl::request_rec", (const char *)r); } /* @@ -487,12 +492,12 @@ int ssl_hook_ReadReq(request_rec *r) if (strEQn(r->uri, "/mod_ssl:", 9)) r->handler = "mod_ssl:content-handler"; if (ssl != NULL) { - ap_ctx_set(r->ctx, "ap::http::method", "https"); - ap_ctx_set(r->ctx, "ap::default::port", "443"); + apr_table_setn(r->notes, "ap::http::method", "https"); + apr_table_setn(r->notes, "ap::default::port", "443"); } else { - ap_ctx_set(r->ctx, "ap::http::method", NULL); - ap_ctx_set(r->ctx, "ap::default::port", NULL); + apr_table_setn(r->notes, "ap::http::method", NULL); + apr_table_setn(r->notes, "ap::default::port", NULL); } return DECLINED; } @@ -502,7 +507,7 @@ int ssl_hook_ReadReq(request_rec *r) */ int ssl_hook_Translate(request_rec *r) { - if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL) + if (apr_table_get(r->connection->notes, "ssl") == NULL) return DECLINED; /* @@ -513,23 +518,23 @@ int ssl_hook_Translate(request_rec *r) "%s HTTPS request received for child %d (server %s)", r->connection->keepalives <= 0 ? "Initial (No.1)" : - ap_psprintf(r->pool, "Subsequent (No.%d)", - r->connection->keepalives+1), - r->connection->child_num, + apr_psprintf(r->pool, "Subsequent (No.%d)", + r->connection->keepalives+1), + r->connection->id, ssl_util_vhostid(r->pool, r->server)); /* * Move SetEnvIf information from request_rec to conn_rec/BUFF * to allow the close connection handler to use them. */ - if (ap_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL) - ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PTRUE); + if (apr_table_get(r->subprocess_env, "ssl-unclean-shutdown") != NULL) + apr_table_setn(r->connection->notes, "ssl::flag::unclean-shutdown", PTRUE); else - ap_ctx_set(r->connection->client->ctx, "ssl::flag::unclean-shutdown", PFALSE); - if (ap_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL) - ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PTRUE); + apr_table_setn(r->connection->notes, "ssl::flag::unclean-shutdown", PFALSE); + if (apr_table_get(r->subprocess_env, "ssl-accurate-shutdown") != NULL) + apr_table_setn(r->connection->notes, "ssl::flag::accurate-shutdown", PTRUE); else - ap_ctx_set(r->connection->client->ctx, "ssl::flag::accurate-shutdown", PFALSE); + apr_table_setn(r->connection->notes, "ssl::flag::accurate-shutdown", PFALSE); return DECLINED; } @@ -552,15 +557,15 @@ int ssl_hook_Handler(request_rec *r) thisport = ""; port = ap_get_server_port(r); if (!ap_is_default_port(port, r)) - thisport = ap_psprintf(r->pool, ":%u", port); - thisurl = ap_psprintf(r->pool, "https://%s%s/", - ap_get_server_name(r), thisport); - - ap_table_setn(r->notes, "error-notes", ap_psprintf(r->pool, - "Reason: You're speaking plain HTTP to an SSL-enabled server port.
\n" - "Instead use the HTTPS scheme to access this URL, please.
\n" - "
Hint: %s
", - thisurl, thisurl)); + thisport = apr_psprintf(r->pool, ":%u", port); + thisurl = apr_psprintf(r->pool, "https://%s%s/", + ap_get_server_name(r), thisport); + + apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool, + "Reason: You're speaking plain HTTP to an SSL-enabled server port.
\n" + "Instead use the HTTPS scheme to access this URL, please.
\n" + "
Hint: %s
", + thisurl, thisurl)); } return HTTP_BAD_REQUEST; @@ -575,7 +580,7 @@ int ssl_hook_Access(request_rec *r) SSLSrvConfigRec *sc; SSL *ssl; SSL_CTX *ctx = NULL; - array_header *apRequirement; + apr_array_header_t *apRequirement; ssl_require_t *pRequirements; ssl_require_t *pRequirement; char *cp; @@ -597,7 +602,7 @@ int ssl_hook_Access(request_rec *r) STACK_OF(SSL_CIPHER) *skCipherOld; STACK_OF(SSL_CIPHER) *skCipher; SSL_CIPHER *pCipher; - ap_ctx *apctx; + apr_table_t *apctx; int nVerifyOld; int nVerify; int n; @@ -606,7 +611,7 @@ int ssl_hook_Access(request_rec *r) dc = myDirConfig(r); sc = mySrvConfig(r->server); - ssl = ap_ctx_get(r->connection->client->ctx, "ssl"); + ssl = (SSL *)apr_table_get(r->connection->notes, "ssl"); if (ssl != NULL) ctx = SSL_get_SSL_CTX(ssl); @@ -614,10 +619,13 @@ int ssl_hook_Access(request_rec *r) * Support for SSLRequireSSL directive */ if (dc->bSSLRequired && ssl == NULL) { - ap_log_reason("SSL connection required", r->filename, r); + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, + "access to %s failed for %s, reason: %s", r->filename, + ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL), + "SSL connection required"); /* remember forbidden access for strict require option */ - ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1); - return FORBIDDEN; + apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1); + return HTTP_FORBIDDEN; } /* @@ -692,7 +700,7 @@ int ssl_hook_Access(request_rec *r) "Unable to reconfigure (per-directory) permitted SSL ciphers"); if (skCipherOld != NULL) sk_SSL_CIPHER_free(skCipherOld); - return FORBIDDEN; + return HTTP_FORBIDDEN; } /* determine whether a renegotiation has to be forced */ skCipher = SSL_get_ciphers(ssl); @@ -745,12 +753,12 @@ int ssl_hook_Access(request_rec *r) */ if (dc->nVerifyDepth != UNSET) { apctx = SSL_get_app_data2(ssl); - if ((vp = ap_ctx_get(apctx, "ssl::verify::depth")) != NULL) + if ((vp = (void *)apr_table_get(apctx, "ssl::verify::depth")) != NULL) n = (int)AP_CTX_PTR2NUM(vp); else n = sc->nVerifyDepth; - ap_ctx_set(apctx, "ssl::verify::depth", - AP_CTX_NUM2PTR(dc->nVerifyDepth)); + apr_table_setn(apctx, "ssl::verify::depth", + (const char *)AP_CTX_NUM2PTR(dc->nVerifyDepth)); /* determine whether a renegotiation has to be forced */ if (dc->nVerifyDepth < n) { renegotiate = TRUE; @@ -838,14 +846,14 @@ int ssl_hook_Access(request_rec *r) ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Unable to reconfigure verify locations " "for client authentication"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } if ((skCAList = ssl_init_FindCAList(r->server, r->pool, cpCAFile, cpCAPath)) == NULL) { ssl_log(r->server, SSL_LOG_ERROR, "Unable to determine list of available " "CA certificates for client authentication"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } SSL_set_client_CA_list(ssl, skCAList); renegotiate = TRUE; @@ -918,7 +926,7 @@ int ssl_hook_Access(request_rec *r) if (renegotiate && r->method_number == M_POST) { ssl_log(r->server, SSL_LOG_ERROR, "SSL Re-negotiation in conjunction with POST method not supported!"); - return METHOD_NOT_ALLOWED; + return HTTP_METHOD_NOT_ALLOWED; } /* @@ -944,12 +952,12 @@ int ssl_hook_Access(request_rec *r) certstore = SSL_CTX_get_cert_store(ctx); if (certstore == NULL) { ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } certstack = SSL_get_peer_cert_chain(ssl); if (certstack == NULL || sk_X509_num(certstack) == 0) { ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } cert = sk_X509_value(certstack, 0); X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack); @@ -976,7 +984,7 @@ int ssl_hook_Access(request_rec *r) SSL_do_handshake(ssl); if (SSL_get_state(ssl) != SSL_ST_OK) { ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake"); SSL_set_state(ssl, SSL_ST_ACCEPT); @@ -984,7 +992,7 @@ int ssl_hook_Access(request_rec *r) if (SSL_get_state(ssl) != SSL_ST_OK) { ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation handshake failed: Not accepted by client!?"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } } @@ -993,8 +1001,8 @@ int ssl_hook_Access(request_rec *r) */ if ((cert = SSL_get_peer_certificate(ssl)) != NULL) { cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); - ap_ctx_set(r->connection->client->ctx, "ssl::client::dn", - ap_pstrdup(r->connection->pool, cp)); + apr_table_setn(r->connection->notes, "ssl::client::dn", + apr_pstrdup(r->connection->pool, cp)); free(cp); } @@ -1006,13 +1014,13 @@ int ssl_hook_Access(request_rec *r) && SSL_get_verify_result(ssl) != X509_V_OK ) { ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation handshake failed: Client verification failed"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE && SSL_get_peer_certificate(ssl) == NULL ) { ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation handshake failed: Client certificate missing"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } } } @@ -1030,7 +1038,7 @@ int ssl_hook_Access(request_rec *r) ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Unable to reconfigure verify locations " "to per-server configuration parameters"); - return FORBIDDEN; + return HTTP_FORBIDDEN; } } #endif /* SSL_EXPERIMENTAL_PERDIRCA */ @@ -1044,12 +1052,14 @@ int ssl_hook_Access(request_rec *r) pRequirement = &pRequirements[i]; ok = ssl_expr_exec(r, pRequirement->mpExpr); if (ok < 0) { - cp = ap_psprintf(r->pool, "Failed to execute SSL requirement expression: %s", - ssl_expr_get_error()); - ap_log_reason(cp, r->filename, r); + cp = apr_psprintf(r->pool, "Failed to execute SSL requirement expression: %s", + ssl_expr_get_error()); + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, + "access to %s failed for %s, reason: %s", r->filename, + ap_get_remote_host(r->connection, r->per_dir_config, 1, NULL), cp); /* remember forbidden access for strict require option */ - ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1); - return FORBIDDEN; + apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1); + return HTTP_FORBIDDEN; } if (ok != 1) { ssl_log(r->server, SSL_LOG_INFO, @@ -1057,11 +1067,14 @@ int ssl_hook_Access(request_rec *r) r->filename, r->connection->remote_ip); ssl_log(r->server, SSL_LOG_INFO, "Failed expression: %s", pRequirement->cpExpr); - ap_log_reason("SSL requirement expression not fulfilled " - "(see SSL logfile for more details)", r->filename, r); + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, + "access to %s failed for %s, reason: %s", r->filename, + ap_get_remote_host(r->connection, r->per_dir_config, 1, NULL), + "SSL requirement expression not fulfilled " + "(see SSL logfile for more details)"); /* remember forbidden access for strict require option */ - ap_table_setn(r->notes, "ssl-access-forbidden", (void *)1); - return FORBIDDEN; + apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1); + return HTTP_FORBIDDEN; } } @@ -1099,8 +1112,8 @@ int ssl_hook_Auth(request_rec *r) * when strict require option is used. */ if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE) - && (ap_table_get(r->notes, "ssl-access-forbidden") != NULL)) - return FORBIDDEN; + && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL)) + return HTTP_FORBIDDEN; /* * Make sure the user is not able to fake the client certificate @@ -1108,7 +1121,7 @@ int ssl_hook_Auth(request_rec *r) * ("/XX=YYY/XX=YYY/..") as the username and "password" as the * password. */ - if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) { + if ((cpAL = apr_table_get(r->headers_in, "Authorization")) != NULL) { if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) { while (*cpAL == ' ' || *cpAL == '\t') cpAL++; @@ -1116,7 +1129,7 @@ int ssl_hook_Auth(request_rec *r) cpUN = ap_getword_nulls(r->pool, &cpAL, ':'); cpPW = cpAL; if (cpUN[0] == '/' && strEQ(cpPW, "password")) - return FORBIDDEN; + return HTTP_FORBIDDEN; } } @@ -1125,13 +1138,13 @@ int ssl_hook_Auth(request_rec *r) */ if (!sc->bEnabled) return DECLINED; - if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL) + if (apr_table_get(r->connection->notes, "ssl") == NULL) return DECLINED; if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH)) return DECLINED; - if (r->connection->user) + if (r->user) return DECLINED; - if ((clientdn = (char *)ap_ctx_get(r->connection->client->ctx, "ssl::client::dn")) == NULL) + if ((clientdn = (char *)apr_table_get(r->connection->notes, "ssl::client::dn")) == NULL) return DECLINED; /* @@ -1145,10 +1158,10 @@ int ssl_hook_Auth(request_rec *r) * adding the string "xxj31ZMTZzkVA" as the password in the user file. * This is just the crypted variant of the word "password" ;-) */ - ap_snprintf(b1, sizeof(b1), "%s:password", clientdn); + apr_snprintf(b1, sizeof(b1), "%s:password", clientdn); ssl_util_uuencode(b2, b1, FALSE); - ap_snprintf(b1, sizeof(b1), "Basic %s", b2); - ap_table_set(r->headers_in, "Authorization", b1); + apr_snprintf(b1, sizeof(b1), "Basic %s", b2); + apr_table_set(r->headers_in, "Authorization", b1); ssl_log(r->server, SSL_LOG_INFO, "Faking HTTP Basic Auth header: \"Authorization: %s\"", b1); @@ -1164,8 +1177,8 @@ int ssl_hook_UserCheck(request_rec *r) * when strict require option is used. */ if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE) - && (ap_table_get(r->notes, "ssl-access-forbidden") != NULL)) - return FORBIDDEN; + && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL)) + return HTTP_FORBIDDEN; return DECLINED; } @@ -1259,7 +1272,7 @@ int ssl_hook_Fixup(request_rec *r) { SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); - table *e = r->subprocess_env; + apr_table_t *e = r->subprocess_env; char *var; char *val; STACK_OF(X509) *sk; @@ -1271,21 +1284,23 @@ int ssl_hook_Fixup(request_rec *r) */ if (!sc->bEnabled) return DECLINED; - if ((ssl = ap_ctx_get(r->connection->client->ctx, "ssl")) == NULL) + if ((ssl = (SSL *)apr_table_get(r->connection->notes, "ssl")) == NULL) return DECLINED; /* * Annotate the SSI/CGI environment with standard SSL information */ /* the always present HTTPS (=HTTP over SSL) flag! */ - ap_table_set(e, "HTTPS", "on"); + apr_table_set(e, "HTTPS", "on"); /* standard SSL environment variables */ if (dc->nOptions & SSL_OPT_STDENVVARS) { for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) { var = (char *)ssl_hook_Fixup_vars[i]; +#if 0 /* XXX */ val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); +#endif if (!strIsEmpty(val)) - ap_table_set(e, var, val); + apr_table_set(e, var, val); } } @@ -1293,16 +1308,20 @@ int ssl_hook_Fixup(request_rec *r) * On-demand bloat up the SSI/CGI environment with certificate data */ if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) { +#if 0 /* XXX */ val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT"); - ap_table_set(e, "SSL_SERVER_CERT", val); + apr_table_set(e, "SSL_SERVER_CERT", val); val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT"); - ap_table_set(e, "SSL_CLIENT_CERT", val); + apr_table_set(e, "SSL_CLIENT_CERT", val); +#endif if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) { for (i = 0; i < sk_X509_num(sk); i++) { - var = ap_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i); + var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i); +#if 0 /* XXX */ val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); +#endif if (val != NULL) - ap_table_set(e, var, val); + apr_table_setn(e, var, val); } } } @@ -1351,7 +1370,7 @@ int ssl_hook_Fixup(request_rec *r) */ RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = ssl_util_getmodconfig_ssl(pSSL, "ssl_module"); RSA *rsa; rsa = NULL; @@ -1377,7 +1396,7 @@ RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen) */ DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = ssl_util_getmodconfig_ssl(pSSL, "ssl_module"); DH *dh; dh = NULL; @@ -1410,7 +1429,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) request_rec *r; SSLSrvConfigRec *sc; SSLDirConfigRec *dc; - ap_ctx *actx; + apr_table_t *actx; X509 *xs; int errnum; int errdepth; @@ -1424,9 +1443,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) */ ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx); conn = (conn_rec *)SSL_get_app_data(ssl); - actx = (ap_ctx *)SSL_get_app_data2(ssl); - r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec"); - s = conn->server; + actx = (apr_table_t *)SSL_get_app_data2(ssl); + r = (request_rec *)apr_table_get(actx, "ssl::request_rec"); + s = conn->base_server; sc = mySrvConfig(s); dc = (r != NULL ? myDirConfig(r) : NULL); @@ -1469,7 +1488,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) ssl_log(s, SSL_LOG_TRACE, "Certificate Verification: Verifiable Issuer is configured as " "optional, therefore we're accepting the certificate"); - ap_ctx_set(conn->client->ctx, "ssl::verify::info", "GENEROUS"); + apr_table_setn(conn->notes, "ssl::verify::info", "GENEROUS"); ok = TRUE; } @@ -1488,8 +1507,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) if (!ok) { ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s", errnum, X509_verify_cert_error_string(errnum)); - ap_ctx_set(conn->client->ctx, "ssl::client::dn", NULL); - ap_ctx_set(conn->client->ctx, "ssl::verify::error", + apr_table_setn(conn->notes, "ssl::client::dn", NULL); + apr_table_setn(conn->notes, "ssl::verify::error", (void *)X509_verify_cert_error_string(errnum)); } @@ -1505,7 +1524,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) "Certificate Verification: Certificate Chain too long " "(chain has %d certificates, but maximum allowed are only %d)", errdepth, depth); - ap_ctx_set(conn->client->ctx, "ssl::verify::error", + apr_table_setn(conn->notes, "ssl::verify::error", (void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG)); ok = FALSE; } @@ -1698,7 +1717,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew) * Get Apache context back through OpenSSL context */ conn = (conn_rec *)SSL_get_app_data(ssl); - s = conn->server; + s = conn->base_server; sc = mySrvConfig(s); /* @@ -1749,7 +1768,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry( * Get Apache context back through OpenSSL context */ conn = (conn_rec *)SSL_get_app_data(ssl); - s = conn->server; + s = conn->base_server; /* * Try to retrieve the SSL_SESSION from the inter-process cache @@ -1829,7 +1848,7 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) */ if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL) return; - s = c->server; + s = c->base_server; if ((sc = mySrvConfig(s)) == NULL) return; @@ -1873,6 +1892,7 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) * right after a finished handshake. */ if (where & SSL_CB_HANDSHAKE_DONE) { +#if 0 /* XXX */ ssl_log(s, SSL_LOG_INFO, "Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)", ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"), @@ -1880,10 +1900,9 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"), ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"), ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE")); +#endif } return; } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index dabff6437d3..6743eec3eea 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c @@ -62,8 +62,6 @@ -- Ralf S. Engelschall */ #include "mod_ssl.h" -#if 0 /* XXX */ - /* _________________________________________________________________ ** ** Logfile Support @@ -73,9 +71,9 @@ /* * Open the SSL logfile */ -void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) +void ssl_log_open(server_rec *s_main, server_rec *s, apr_pool_t *p) { - char *szLogFile; + const char *szLogFile; SSLSrvConfigRec *sc_main = mySrvConfig(s_main); SSLSrvConfigRec *sc = mySrvConfig(s); piped_log *pl; @@ -97,23 +95,23 @@ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) if (strEQ(sc->szLogFile, "/dev/null")) return; else if (sc->szLogFile[0] == '|') { - szLogFile = ap_server_root_relative(p, "log", sc->szLogFile+1); + szLogFile = ap_server_root_relative(p, sc->szLogFile+1); if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open reliable pipe to SSL logfile filter %s", szLogFile); ssl_die(); } - sc->fileLogFile = ap_pfdopen(p, ap_piped_log_write_fd(pl), "a"); - setbuf(sc->fileLogFile, NULL); + sc->fileLogFile = ap_piped_log_write_fd(pl); } else { - szLogFile = ap_server_root_relative(p, "log", sc->szLogFile); - if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) { + szLogFile = ap_server_root_relative(p, sc->szLogFile); + if ((apr_file_open(&(sc->fileLogFile), szLogFile, + APR_WRITE|APR_APPEND|APR_CREATE, APR_OS_DEFAULT, p)) + != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSL logfile %s", szLogFile); ssl_die(); } - setbuf(sc->fileLogFile, NULL); } } return; @@ -184,8 +182,8 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) char vstr[1024]; char str[1024]; char nstr[2]; - int timz; - struct tm *t; + apr_size_t len; + apr_exploded_time_t t; va_list ap; int add; int i; @@ -223,10 +221,10 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) if (add & SSL_NO_TIMESTAMP) tstr[0] = NUL; else { - t = ap_get_gmtoff(&timz); - strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t); - i = strlen(tstr); - ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid()); + apr_explode_localtime(&t, apr_time_now()); + apr_strftime(tstr, &len, 80, "[%d/%b/%Y %H:%M:%S", &t); + apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), " %05d] ", + (unsigned int)getpid()); } /* determine whether newline should be written */ @@ -242,7 +240,7 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) if (!(add & SSL_NO_LEVELID)) { for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) { if (ssl_log_level2string[i].nLevel == level) { - ap_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel); + apr_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel); break; } } @@ -252,7 +250,7 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) } /* create custom message */ - ap_vsnprintf(vstr, sizeof(vstr), msg, ap); + apr_vsnprintf(vstr, sizeof(vstr), msg, ap); /* write out SSLog message */ if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR)) @@ -264,22 +262,23 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) else astr = ""; if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { - ap_snprintf(str, sizeof(str), "%s%s%s%s%s", tstr, lstr, vstr, astr, nstr); - fprintf(sc->fileLogFile, "%s", str); + apr_snprintf(str, sizeof(str), "%s%s%s%s%s", + tstr, lstr, vstr, astr, nstr); + apr_file_printf(sc->fileLogFile, "%s", str); } if (level & SSL_LOG_ERROR) - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, "mod_ssl: %s%s", vstr, astr); /* write out additional attachment messages */ if (add & SSL_ADD_ERRNO) { if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { - ap_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s", - tstr, lstr, strerror(safe_errno), safe_errno, nstr); - fprintf(sc->fileLogFile, "%s", str); + apr_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s", + tstr, lstr, strerror(safe_errno), safe_errno, nstr); + apr_file_printf(sc->fileLogFile, "%s", str); } if (level & SSL_LOG_ERROR) - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, "System: %s (errno: %d)", strerror(safe_errno), safe_errno); } @@ -288,15 +287,15 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) cpE = ERR_error_string(e, NULL); cpA = ssl_log_annotation(cpE); if (level <= sc->nLogLevel && sc->fileLogFile != NULL) { - ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s", - tstr, lstr, SSL_LIBRARY_NAME, cpE, - cpA != NULL ? " [Hint: " : "", - cpA != NULL ? cpA : "", cpA != NULL ? "]" : "", - nstr); - fprintf(sc->fileLogFile, "%s", str); + apr_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s", + tstr, lstr, SSL_LIBRARY_NAME, cpE, + cpA != NULL ? " [Hint: " : "", + cpA != NULL ? cpA : "", cpA != NULL ? "]" : "", + nstr); + apr_file_printf(sc->fileLogFile, "%s", str); } if (level & SSL_LOG_ERROR) - ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s, + ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s, "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE, cpA != NULL ? " [Hint: " : "", cpA != NULL ? cpA : "", cpA != NULL ? "]" : ""); @@ -307,7 +306,7 @@ void ssl_log(server_rec *s, int level, const char *msg, ...) /* cleanup and return */ if (sc->fileLogFile != NULL) - fflush(sc->fileLogFile); + apr_file_flush(sc->fileLogFile); errno = safe_errno; va_end(ap); return; @@ -323,5 +322,3 @@ void ssl_die(void) exit(1); } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_mutex.c b/modules/ssl/ssl_engine_mutex.c index 47de4d52f2b..942e399b8e6 100644 --- a/modules/ssl/ssl_engine_mutex.c +++ b/modules/ssl/ssl_engine_mutex.c @@ -62,11 +62,9 @@ -- Unknown */ #include "mod_ssl.h" -#if 0 /* XXX */ - int ssl_mutex_init(server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nMutexMode == SSL_MUTEXMODE_NONE) return TRUE; @@ -78,7 +76,7 @@ int ssl_mutex_init(server_rec *s, apr_pool_t *p) int ssl_mutex_reinit(server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nMutexMode == SSL_MUTEXMODE_NONE) return TRUE; @@ -89,7 +87,7 @@ int ssl_mutex_reinit(server_rec *s, apr_pool_t *p) int ssl_mutex_on(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nMutexMode == SSL_MUTEXMODE_NONE) return TRUE; @@ -102,7 +100,7 @@ int ssl_mutex_on(server_rec *s) int ssl_mutex_off(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nMutexMode == SSL_MUTEXMODE_NONE) return TRUE; @@ -115,7 +113,7 @@ int ssl_mutex_off(server_rec *s) int ssl_mutex_kill(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nMutexMode == SSL_MUTEXMODE_NONE) return TRUE; @@ -124,5 +122,3 @@ int ssl_mutex_kill(server_rec *s) return TRUE; } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index 653cb68b015..46f0966c16c 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -63,8 +63,6 @@ -- Clifford Stoll */ #include "mod_ssl.h" -#if 0 /* XXX */ - /* _________________________________________________________________ ** ** Pass Phrase and Private Key Handling @@ -75,9 +73,9 @@ #define BUILTIN_DIALOG_BACKOFF 2 #define BUILTIN_DIALOG_RETRIES 5 -void ssl_pphrase_Handle(server_rec *s, pool *p) +void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); SSLSrvConfigRec *sc; server_rec *pServ; char *cpVHostID; @@ -137,8 +135,12 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) algoKey = SSL_ALGO_UNKNOWN; for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) { - ap_cpystrn(szPath, sc->szPublicCertFile[i], sizeof(szPath)); + apr_cpystrn(szPath, sc->szPublicCertFile[i], sizeof(szPath)); +#if 0 /* XXX */ if ((fp = ap_pfopen(p, szPath, "r")) == NULL) { +#else + if ((fp = fopen(szPath, "r")) == NULL) { +#endif ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Init: Can't open server certificate file %s", szPath); ssl_die(); @@ -148,7 +150,11 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) "Init: Unable to read server certificate from file %s", szPath); ssl_die(); } +#if 0 /* XXX */ ap_pfclose(p, fp); +#else + fclose(fp); +#endif /* * check algorithm type of certificate and make @@ -170,10 +176,10 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) * certificate is actually used to configure mod_ssl's per-server * configuration structures). */ - cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an); + cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an); asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPublicCert, cp); asn1->nData = i2d_X509(pX509Cert, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = apr_palloc(mc->pPool, asn1->nData); ucp = asn1->cpData; i2d_X509(pX509Cert, &ucp); /* 2nd arg increments */ /* @@ -199,7 +205,7 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) * by trying to re-use already known/entered pass phrases. */ if (sc->szPrivateKeyFile[j] != NULL) - ap_cpystrn(szPath, sc->szPrivateKeyFile[j++], sizeof(szPath)); + apr_cpystrn(szPath, sc->szPrivateKeyFile[j++], sizeof(szPath)); /* * Try to read the private key file with the help of @@ -230,15 +236,23 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) * the callback function which serves the pass * phrases to OpenSSL */ +#if 0 /* XXX */ if ((fp = ap_pfopen(p, szPath, "r")) == NULL) { +#else + if ((fp = fopen(szPath, "r")) == NULL) { +#endif ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Init: Can't open server private key file %s", szPath); ssl_die(); } cpPassPhraseCur = NULL; bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL, - ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE); + ssl_pphrase_Handle_CB, s)) != NULL ? TRUE : FALSE); +#if 0 /* XXX */ ap_pfclose(p, fp); +#else + fclose(fp); +#endif /* * when the private key file now was readable, @@ -348,10 +362,10 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) * because the SSL library uses static variables inside a * RSA structure which do not survive DSO reloads!) */ - cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an); + cp = apr_psprintf(mc->pPool, "%s:%s", cpVHostID, an); asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPrivateKey, cp); asn1->nData = i2d_PrivateKey(pPrivateKey, NULL); - asn1->cpData = ap_palloc(mc->pPool, asn1->nData); + asn1->cpData = apr_palloc(mc->pPool, asn1->nData); ucp = asn1->cpData; i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */ /* @@ -385,11 +399,11 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) return; } -int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) +int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig((server_rec *)srv); server_rec *s; - pool *p; + apr_pool_t *p; ssl_ds_array *aPassPhrase; SSLSrvConfigRec *sc; int *pnPassPhraseCur; @@ -407,7 +421,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) * Reconnect to the context of ssl_phrase_Handle() */ s = myCtxVarGet(mc, 1, server_rec *); - p = myCtxVarGet(mc, 2, pool *); + p = myCtxVarGet(mc, 2, apr_pool_t *); aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *); pnPassPhraseCur = myCtxVarGet(mc, 4, int *); cppPassPhraseCur = myCtxVarGet(mc, 5, char **); @@ -425,7 +439,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) * When remembered pass phrases are available use them... */ if ((cpp = (char **)ssl_ds_array_get(aPassPhrase, *pnPassPhraseCur)) != NULL) { - ap_cpystrn(buf, *cpp, bufsize); + apr_cpystrn(buf, *cpp, bufsize); len = strlen(buf); return len; } @@ -472,7 +486,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) */ if (*pnPassPhraseDialog == 1) { fprintf(stderr, "%s mod_ssl/%s (Pass Phrase Dialog)\n", - SERVER_BASEVERSION, MOD_SSL_VERSION); + AP_SERVER_BASEVERSION, MOD_SSL_VERSION); fprintf(stderr, "Some of your private key files are encrypted for security reasons.\n"); fprintf(stderr, "In order to read them you have to provide us with the pass phrases.\n"); } @@ -523,18 +537,18 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) sc->szPassPhraseDialogPath); if (strchr(sc->szPassPhraseDialogPath, ' ') != NULL) - cmd = ap_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType); + cmd = apr_psprintf(p, "\"%s\" %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType); else - cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType); + cmd = apr_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType); result = ssl_util_readfilter(s, p, cmd); - ap_cpystrn(buf, result, bufsize); + apr_cpystrn(buf, result, bufsize); len = strlen(buf); } /* * Ok, we now have the pass phrase, so give it back */ - *cppPassPhraseCur = ap_pstrdup(p, buf); + *cppPassPhraseCur = apr_pstrdup(p, buf); /* * And return it's length to OpenSSL... @@ -542,5 +556,3 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) return (len); } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_rand.c b/modules/ssl/ssl_engine_rand.c index 8e6caf5b352..6ccaa511e73 100644 --- a/modules/ssl/ssl_engine_rand.c +++ b/modules/ssl/ssl_engine_rand.c @@ -62,8 +62,6 @@ #include "mod_ssl.h" -#if 0 /* XXX */ - /* _________________________________________________________________ ** ** Support for better seeding of SSL library's RNG @@ -71,22 +69,22 @@ */ static int ssl_rand_choosenum(int, int); -static int ssl_rand_feedfp(pool *, FILE *, int); +static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int); -int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix) +int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) { SSLModConfigRec *mc; - array_header *apRandSeed; + apr_array_header_t *apRandSeed; ssl_randseed_t *pRandSeeds; ssl_randseed_t *pRandSeed; unsigned char stackdata[256]; int nReq, nDone; - FILE *fp; + apr_file_t *fp; int i, n, l; time_t t; pid_t pid; - mc = myModConfig(); + mc = myModConfig(s); nReq = 0; nDone = 0; apRandSeed = mc->aRandSeed; @@ -99,16 +97,17 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix) /* * seed in contents of an external file */ - if ((fp = ap_pfopen(p, pRandSeed->cpPath, "r")) == NULL) + if (apr_file_open(&fp, pRandSeed->cpPath, + APR_READ, APR_OS_DEFAULT, p) != APR_SUCCESS) continue; nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes); - ap_pfclose(p, fp); + apr_file_close(fp); } else if (pRandSeed->nSrc == SSL_RSSRC_EXEC) { /* * seed in contents generated by an external program */ - if ((fp = ssl_util_ppopen(s, p, ap_psprintf(p, "%s %d", + if ((fp = ssl_util_ppopen(s, p, apr_psprintf(p, "%s %d", pRandSeed->cpPath, pRandSeed->nBytes))) == NULL) continue; nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes); @@ -171,13 +170,13 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix) #define BUFSIZE 8192 -static int ssl_rand_feedfp(pool *p, FILE *fp, int nReq) +static int ssl_rand_feedfp(apr_pool_t *p, apr_file_t *fp, int nReq) { - int nDone; + apr_size_t nDone; unsigned char caBuf[BUFSIZE]; - int nBuf; - int nRead; - int nTodo; + apr_size_t nBuf; + apr_size_t nRead; + apr_size_t nTodo; nDone = 0; nRead = BUFSIZE; @@ -185,7 +184,8 @@ static int ssl_rand_feedfp(pool *p, FILE *fp, int nReq) while (1) { if (nReq > 0) nRead = (nTodo < BUFSIZE ? nTodo : BUFSIZE); - if ((nBuf = (int)fread(caBuf, 1, nRead, fp)) <= 0) + nBuf = nRead; + if (apr_file_read(fp, caBuf, &nBuf) != APR_SUCCESS) break; RAND_seed(caBuf, nBuf); nDone += nBuf; @@ -204,13 +204,11 @@ static int ssl_rand_choosenum(int l, int h) char buf[50]; srand((unsigned int)time(NULL)); - ap_snprintf(buf, sizeof(buf), "%.0f", - (((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l))); + apr_snprintf(buf, sizeof(buf), "%.0f", + (((double)(rand()%RAND_MAX)/RAND_MAX)*(h-l))); i = atoi(buf)+1; if (i < l) i = l; if (i > h) i = h; return i; } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 717da6f3b69..5c215f2f058 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -68,20 +68,18 @@ ** _________________________________________________________________ */ -#if 0 /* XXX */ -static char *ssl_var_lookup_header(pool *p, request_rec *r, const char *name); -static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var); -static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var); -static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var); -static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm); -static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs); -static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *var); -static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs); -static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c); -static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var); +static char *ssl_var_lookup_header(apr_pool_t *p, request_rec *r, const char *name); +static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var); +static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var); +static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var); +static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm); +static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); +static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); +static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); +static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c); +static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); -static char *ssl_var_lookup_ssl_version(pool *p, char *var); -#endif /* XXX */ +static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); void ssl_var_register(void) { @@ -102,11 +100,9 @@ void ssl_var_unregister(void) return; } -#if 0 /* XXX */ - char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); char *result; BOOL resdup; time_t tc; @@ -153,7 +149,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, else if (strcEQ(var, "REQUEST_METHOD")) result = (char *)(r->method); else if (strcEQ(var, "REQUEST_SCHEME")) - result = ap_http_method(r); + result = (char *)ap_http_method(r); else if (strcEQ(var, "REQUEST_URI")) result = r->uri; else if (strcEQ(var, "SCRIPT_FILENAME") || @@ -165,7 +161,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, result = r->args; else if (strcEQ(var, "REMOTE_HOST")) result = (char *)ap_get_remote_host(r->connection, - r->per_dir_config, REMOTE_NAME); + r->per_dir_config, REMOTE_NAME, NULL); else if (strcEQ(var, "REMOTE_IDENT")) result = (char *)ap_get_remote_logname(r); else if (strcEQ(var, "IS_SUBREQ")) @@ -177,7 +173,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, else if (strcEQ(var, "SERVER_NAME")) result = (char *)ap_get_server_name(r); else if (strcEQ(var, "SERVER_PORT")) - result = ap_psprintf(p, "%u", ap_get_server_port(r)); + result = apr_psprintf(p, "%u", ap_get_server_port(r)); else if (strcEQ(var, "SERVER_PROTOCOL")) result = r->protocol; } @@ -189,13 +185,13 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, if (strcEQ(var, "REMOTE_ADDR")) result = c->remote_ip; else if (strcEQ(var, "REMOTE_USER")) - result = c->user; + result = r->user; else if (strcEQ(var, "AUTH_TYPE")) - result = c->ap_auth_type; + result = r->ap_auth_type; else if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)) result = ssl_var_lookup_ssl(p, c, var+4); else if (strcEQ(var, "HTTPS")) { - if (ap_ctx_get(c->client->ctx, "ssl") != NULL) + if (apr_table_get(c->notes, "ssl") != NULL) result = "on"; else result = "off"; @@ -211,20 +207,20 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, else if (strcEQ(var, "SERVER_SOFTWARE")) result = (char *)ap_get_server_version(); else if (strcEQ(var, "API_VERSION")) { - result = ap_psprintf(p, "%d", MODULE_MAGIC_NUMBER); + result = apr_psprintf(p, "%d", MODULE_MAGIC_NUMBER); resdup = FALSE; } else if (strcEQ(var, "TIME_YEAR")) { tc = time(NULL); tm = localtime(&tc); - result = ap_psprintf(p, "%02d%02d", + result = apr_psprintf(p, "%02d%02d", (tm->tm_year / 100) + 19, tm->tm_year % 100); resdup = FALSE; } #define MKTIMESTR(format, tmfield) \ tc = time(NULL); \ tm = localtime(&tc); \ - result = ap_psprintf(p, format, tm->tmfield); \ + result = apr_psprintf(p, format, tm->tmfield); \ resdup = FALSE; else if (strcEQ(var, "TIME_MON")) { MKTIMESTR("%02d", tm_mon+1) @@ -247,7 +243,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, else if (strcEQ(var, "TIME")) { tc = time(NULL); tm = localtime(&tc); - result = ap_psprintf(p, + result = apr_psprintf(p, "%02d%02d%02d%02d%02d%02d%02d", (tm->tm_year / 100) + 19, (tm->tm_year % 100), tm->tm_mon+1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec); @@ -255,39 +251,31 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, } /* all other env-variables from the parent Apache process */ else if (strlen(var) > 4 && strcEQn(var, "ENV:", 4)) { - result = (char *)ap_table_get(r->notes, var+4); + result = (char *)apr_table_get(r->notes, var+4); if (result == NULL) - result = (char *)ap_table_get(r->subprocess_env, var+4); + result = (char *)apr_table_get(r->subprocess_env, var+4); if (result == NULL) result = getenv(var+4); } } if (result != NULL && resdup) - result = ap_pstrdup(p, result); + result = apr_pstrdup(p, result); if (result == NULL) result = ""; return result; } -static char *ssl_var_lookup_header(pool *p, request_rec *r, const char *name) +static char *ssl_var_lookup_header(apr_pool_t *p, request_rec *r, const char *name) { - array_header *hdrs_arr; - table_entry *hdrs; - int i; - - hdrs_arr = ap_table_elts(r->headers_in); - hdrs = (table_entry *)hdrs_arr->elts; - for (i = 0; i < hdrs_arr->nelts; ++i) { - if (hdrs[i].key == NULL) - continue; - if (strcEQ(hdrs[i].key, name)) - return ap_pstrdup(p, hdrs[i].val); - } - return NULL; + char *hdr = NULL; + + if ((hdr = (char *)apr_table_get(r->headers_in, name)) != NULL) + hdr = apr_pstrdup(p, hdr); + return hdr; } -static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var) +static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var) { char *result; X509 *xs; @@ -296,7 +284,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var) result = NULL; - ssl = ap_ctx_get(c->client->ctx, "ssl"); + ssl = (SSL *)apr_table_get(c->notes, "ssl"); if (strlen(var) > 8 && strcEQn(var, "VERSION_", 8)) { result = ssl_var_lookup_ssl_version(p, var+8); } @@ -305,7 +293,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var) } else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { SSL_SESSION *pSession = SSL_get_session(ssl); - result = ap_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id, + result = apr_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id, pSession->session_id_length)); } else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) { @@ -329,7 +317,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var) return result; } -static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var) +static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var) { char *result; BOOL resdup; @@ -341,7 +329,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var) resdup = TRUE; if (strcEQ(var, "M_VERSION")) { - result = ap_psprintf(p, "%lu", X509_get_version(xs)+1); + result = apr_psprintf(p, "%lu", X509_get_version(xs)+1); resdup = FALSE; } else if (strcEQ(var, "M_SERIAL")) { @@ -356,7 +344,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var) else if (strcEQ(var, "S_DN")) { xsname = X509_get_subject_name(xs); cp = X509_NAME_oneline(xsname, NULL, 0); - result = ap_pstrdup(p, cp); + result = apr_pstrdup(p, cp); free(cp); resdup = FALSE; } @@ -368,7 +356,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var) else if (strcEQ(var, "I_DN")) { xsname = X509_get_issuer_name(xs); cp = X509_NAME_oneline(xsname, NULL, 0); - result = ap_pstrdup(p, cp); + result = apr_pstrdup(p, cp); free(cp); resdup = FALSE; } @@ -379,12 +367,12 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var) } else if (strcEQ(var, "A_SIG")) { nid = OBJ_obj2nid(xs->cert_info->signature->algorithm); - result = ap_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); + result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); resdup = FALSE; } else if (strcEQ(var, "A_KEY")) { nid = OBJ_obj2nid(xs->cert_info->key->algor->algorithm); - result = ap_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); + result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); resdup = FALSE; } else if (strcEQ(var, "CERT")) { @@ -392,7 +380,7 @@ static char *ssl_var_lookup_ssl_cert(pool *p, X509 *xs, char *var) } if (result != NULL && resdup) - result = ap_pstrdup(p, result); + result = apr_pstrdup(p, result); return result; } @@ -417,7 +405,7 @@ static const struct { { NULL, 0 } }; -static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var) +static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var) { char *result; X509_NAME_ENTRY *xsne; @@ -431,8 +419,8 @@ static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var) xsne = sk_X509_NAME_ENTRY_value(xsname->entries, j); n = OBJ_obj2nid(xsne->object); if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid) { - result = ap_palloc(p, xsne->value->length+1); - ap_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1); + result = apr_palloc(p, xsne->value->length+1); + apr_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1); #ifdef CHARSET_EBCDIC ascii2ebcdic(result, result, xsne->value->length); #endif /* CHARSET_EBCDIC */ @@ -446,7 +434,7 @@ static char *ssl_var_lookup_ssl_cert_dn(pool *p, X509_NAME *xsname, char *var) return result; } -static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm) +static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm) { char *result; BIO* bio; @@ -456,14 +444,14 @@ static char *ssl_var_lookup_ssl_cert_valid(pool *p, ASN1_UTCTIME *tm) return NULL; ASN1_UTCTIME_print(bio, tm); n = BIO_pending(bio); - result = ap_pcalloc(p, n+1); + result = apr_pcalloc(p, n+1); n = BIO_read(bio, result, n); result[n] = NUL; BIO_free(bio); return result; } -static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs) +static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs) { char *result; BIO *bio; @@ -473,14 +461,14 @@ static char *ssl_var_lookup_ssl_cert_serial(pool *p, X509 *xs) return NULL; i2a_ASN1_INTEGER(bio, X509_get_serialNumber(xs)); n = BIO_pending(bio); - result = ap_pcalloc(p, n+1); + result = apr_pcalloc(p, n+1); n = BIO_read(bio, result, n); result[n] = NUL; BIO_free(bio); return result; } -static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *var) +static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var) { char *result; X509 *xs; @@ -499,7 +487,7 @@ static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *va return result; } -static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs) +static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs) { char *result; BIO *bio; @@ -509,14 +497,14 @@ static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs) return NULL; PEM_write_bio_X509(bio, xs); n = BIO_pending(bio); - result = ap_pcalloc(p, n+1); + result = apr_pcalloc(p, n+1); n = BIO_read(bio, result, n); result[n] = NUL; BIO_free(bio); return result; } -static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c) +static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c) { char *result; long vrc; @@ -526,9 +514,9 @@ static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c) X509 *xs; result = NULL; - ssl = ap_ctx_get(c->client->ctx, "ssl"); - verr = ap_ctx_get(c->client->ctx, "ssl::verify::error"); - vinfo = ap_ctx_get(c->client->ctx, "ssl::verify::info"); + ssl = (SSL *) apr_table_get(c->notes, "ssl"); + verr = (char *)apr_table_get(c->notes, "ssl::verify::error"); + vinfo = (char *)apr_table_get(c->notes, "ssl::verify::info"); vrc = SSL_get_verify_result(ssl); xs = SSL_get_peer_certificate(ssl); @@ -543,11 +531,11 @@ static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c) result = "GENEROUS"; else /* client verification failed */ - result = ap_psprintf(p, "FAILED:%s", verr); + result = apr_psprintf(p, "FAILED:%s", verr); return result; } -static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var) +static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var) { char *result; BOOL resdup; @@ -557,7 +545,7 @@ static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var) result = NULL; resdup = TRUE; - ssl = ap_ctx_get(c->client->ctx, "ssl"); + ssl = (SSL *)apr_table_get(c->notes, "ssl"); ssl_var_lookup_ssl_cipher_bits(ssl, &usekeysize, &algkeysize); if (strEQ(var, "")) @@ -565,16 +553,16 @@ static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var) else if (strcEQ(var, "_EXPORT")) result = (usekeysize < 56 ? "true" : "false"); else if (strcEQ(var, "_USEKEYSIZE")) { - result = ap_psprintf(p, "%d", usekeysize); + result = apr_psprintf(p, "%d", usekeysize); resdup = FALSE; } else if (strcEQ(var, "_ALGKEYSIZE")) { - result = ap_psprintf(p, "%d", algkeysize); + result = apr_psprintf(p, "%d", algkeysize); resdup = FALSE; } if (result != NULL && resdup) - result = ap_pstrdup(p, result); + result = apr_pstrdup(p, result); return result; } @@ -590,7 +578,7 @@ static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algke return; } -static char *ssl_var_lookup_ssl_version(pool *p, char *var) +static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var) { char *result; char *cp, *cp2; @@ -599,16 +587,16 @@ static char *ssl_var_lookup_ssl_version(pool *p, char *var) if (strEQ(var, "PRODUCT")) { #if defined(SSL_PRODUCT_NAME) && defined(SSL_PRODUCT_VERSION) - result = ap_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION); + result = apr_psprintf(p, "%s/%s", SSL_PRODUCT_NAME, SSL_PRODUCT_VERSION); #else result = NULL; #endif } else if (strEQ(var, "INTERFACE")) { - result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION); + result = apr_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION); } else if (strEQ(var, "LIBRARY")) { - result = ap_pstrdup(p, SSL_LIBRARY_TEXT); + result = apr_pstrdup(p, SSL_LIBRARY_TEXT); if ((cp = strchr(result, ' ')) != NULL) { *cp = '/'; if ((cp2 = strchr(cp, ' ')) != NULL) @@ -617,7 +605,3 @@ static char *ssl_var_lookup_ssl_version(pool *p, char *var) } return result; } - -#endif /* XXX */ - - diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c index 75734074ff3..07dc63fa14e 100644 --- a/modules/ssl/ssl_scache.c +++ b/modules/ssl/ssl_scache.c @@ -63,106 +63,115 @@ -- Unknown */ #include "mod_ssl.h" -#if 0 /* XXX */ - /* _________________________________________________________________ ** ** Session Cache: Common Abstraction Layer ** _________________________________________________________________ */ -void ssl_scache_init(server_rec *s, pool *p) +void ssl_scache_init(server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nSessionCacheMode == SSL_SCMODE_DBM) ssl_scache_dbm_init(s, p); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_init(s, p); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_init(s, p); +#endif return; } void ssl_scache_kill(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nSessionCacheMode == SSL_SCMODE_DBM) ssl_scache_dbm_kill(s); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_kill(s); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_kill(s); +#endif return; } BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); BOOL rv = FALSE; if (mc->nSessionCacheMode == SSL_SCMODE_DBM) rv = ssl_scache_dbm_store(s, id, idlen, expiry, sess); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) rv = ssl_scache_shmht_store(s, id, idlen, expiry, sess); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) rv = ssl_scache_shmcb_store(s, id, idlen, expiry, sess); +#endif return rv; } SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); SSL_SESSION *sess = NULL; if (mc->nSessionCacheMode == SSL_SCMODE_DBM) sess = ssl_scache_dbm_retrieve(s, id, idlen); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) sess = ssl_scache_shmht_retrieve(s, id, idlen); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) sess = ssl_scache_shmcb_retrieve(s, id, idlen); +#endif return sess; } void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nSessionCacheMode == SSL_SCMODE_DBM) ssl_scache_dbm_remove(s, id, idlen); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_remove(s, id, idlen); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_remove(s, id, idlen); +#endif return; } -void ssl_scache_status(server_rec *s, pool *p, void (*func)(char *, void *), void *arg) +void ssl_scache_status(server_rec *s, apr_pool_t *p, void (*func)(char *, void *), void *arg) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nSessionCacheMode == SSL_SCMODE_DBM) ssl_scache_dbm_status(s, p, func, arg); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_status(s, p, func, arg); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_status(s, p, func, arg); +#endif return; } void ssl_scache_expire(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); if (mc->nSessionCacheMode == SSL_SCMODE_DBM) ssl_scache_dbm_expire(s); +#if 0 /* XXX */ else if (mc->nSessionCacheMode == SSL_SCMODE_SHMHT) ssl_scache_shmht_expire(s); else if (mc->nSessionCacheMode == SSL_SCMODE_SHMCB) ssl_scache_shmcb_expire(s); +#endif return; } - -#endif /* XXX */ - diff --git a/modules/ssl/ssl_scache_dbm.c b/modules/ssl/ssl_scache_dbm.c index 6904b21228b..2bccbe52213 100644 --- a/modules/ssl/ssl_scache_dbm.c +++ b/modules/ssl/ssl_scache_dbm.c @@ -59,11 +59,9 @@ #include "mod_ssl.h" -#if 0 /* XXX */ - -void ssl_scache_dbm_init(server_rec *s, pool *p) +void ssl_scache_dbm_init(server_rec *s, apr_pool_t *p) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); apr_dbm_t *dbm; /* for the DBM we need the data file */ @@ -74,8 +72,8 @@ void ssl_scache_dbm_init(server_rec *s, pool *p) /* open it once to create it and to make sure it _can_ be created */ ssl_mutex_on(s); - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDWR|O_CREAT, SSL_DBM_FILE_MODE)) == NULL) { + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot create SSLSessionCache DBM file `%s'", mc->szSessionCacheDataFile); @@ -91,20 +89,20 @@ void ssl_scache_dbm_init(server_rec *s, pool *p) * cannot exactly determine the suffixes we try all possibilities. */ if (geteuid() == 0 /* is superuser */) { - chown(mc->szSessionCacheDataFile, ap_user_id, -1 /* no gid change */); - if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL), - ap_user_id, -1) == -1) { - if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL), - ap_user_id, -1) == -1) - chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL), - ap_user_id, -1); + chown(mc->szSessionCacheDataFile, unixd_config.user_id, -1 /* no gid change */); + if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL), + unixd_config.user_id, -1) == -1) { + if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL), + unixd_config.user_id, -1) == -1) + chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL), + unixd_config.user_id, -1); } - if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL), - ap_user_id, -1) == -1) { - if (chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL), - ap_user_id, -1) == -1) - chown(ap_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL), - ap_user_id, -1); + if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL), + unixd_config.user_id, -1) == -1) { + if (chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL), + unixd_config.user_id, -1) == -1) + chown(apr_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL), + unixd_config.user_id, -1); } } #endif @@ -115,26 +113,26 @@ void ssl_scache_dbm_init(server_rec *s, pool *p) void ssl_scache_dbm_kill(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); - pool *p; + SSLModConfigRec *mc = myModConfig(s); + apr_pool_t *p; - if ((p = ap_make_sub_pool(NULL)) != NULL) { + if ((p = apr_pool_sub_make(mc->pPool, NULL)) != NULL) { /* the correct way */ - unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL)); - unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL)); + unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_DIR, NULL)); + unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, SSL_DBM_FILE_SUFFIX_PAG, NULL)); /* the additional ways to be sure */ - unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL)); - unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL)); - unlink(ap_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL)); + unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".dir", NULL)); + unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".pag", NULL)); + unlink(apr_pstrcat(p, mc->szSessionCacheDataFile, ".db", NULL)); unlink(mc->szSessionCacheDataFile); - ap_destroy_pool(p); + apr_pool_destroy(p); } return; } BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); apr_dbm_t *dbm; apr_datum_t dbmkey; apr_datum_t dbmval; @@ -169,8 +167,8 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS /* and store it to the DBM file */ ssl_mutex_on(s); - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSLSessionCache DBM file `%s' for writing (store)", mc->szSessionCacheDataFile); @@ -178,7 +176,7 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS free(dbmval.dptr); return FALSE; } - if (apr_dbm_store(dbm, dbmkey, dbmval, DBM_INSERT) < 0) { + if (apr_dbm_store(dbm, dbmkey, dbmval) < 0) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot store SSL session to DBM file `%s'", mc->szSessionCacheDataFile); @@ -201,7 +199,7 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); apr_dbm_t *dbm; apr_datum_t dbmkey; apr_datum_t dbmval; @@ -210,6 +208,7 @@ SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen) int nData; time_t expiry; time_t now; + apr_status_t rc; /* allow the regular expiring to occur */ ssl_scache_dbm_expire(s); @@ -220,19 +219,21 @@ SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen) /* and fetch it from the DBM file */ ssl_mutex_on(s); - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) { + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSLSessionCache DBM file `%s' for reading (fetch)", mc->szSessionCacheDataFile); ssl_mutex_off(s); return NULL; } - dbmval = apr_dbm_fetch(dbm, dbmkey); + rc = apr_dbm_fetch(dbm, dbmkey, &dbmval); apr_dbm_close(dbm); ssl_mutex_off(s); /* immediately return if not found */ + if (rc != APR_SUCCESS) + return NULL; if (dbmval.dptr == NULL || dbmval.dsize <= sizeof(time_t)) return NULL; @@ -259,7 +260,7 @@ SSL_SESSION *ssl_scache_dbm_retrieve(server_rec *s, UCHAR *id, int idlen) void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); apr_dbm_t *dbm; apr_datum_t dbmkey; @@ -269,8 +270,8 @@ void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen) /* and delete it from the DBM file */ ssl_mutex_on(s); - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSLSessionCache DBM file `%s' for writing (delete)", mc->szSessionCacheDataFile); @@ -286,13 +287,13 @@ void ssl_scache_dbm_remove(server_rec *s, UCHAR *id, int idlen) void ssl_scache_dbm_expire(server_rec *s) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); SSLSrvConfigRec *sc = mySrvConfig(s); static time_t tLast = 0; apr_dbm_t *dbm; apr_datum_t dbmkey; apr_datum_t dbmval; - pool *p; + apr_pool_t *p; time_t tExpiresAt; int nElements = 0; int nDeleted = 0; @@ -327,28 +328,28 @@ void ssl_scache_dbm_expire(server_rec *s) ssl_mutex_on(s); for (;;) { /* allocate the key array in a memory sub pool */ - if ((p = ap_make_sub_pool(NULL)) == NULL) + if ((p = apr_pool_sub_make(mc->pPool, NULL)) == NULL) break; - if ((keylist = ap_palloc(p, sizeof(dbmkey)*KEYMAX)) == NULL) { - ap_destroy_pool(p); + if ((keylist = apr_palloc(p, sizeof(dbmkey)*KEYMAX)) == NULL) { + apr_pool_destroy(p); break; } /* pass 1: scan DBM database */ keyidx = 0; - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE,SSL_DBM_FILE_MODE, p) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSLSessionCache DBM file `%s' for scanning", mc->szSessionCacheDataFile); - ap_destroy_pool(p); + apr_pool_destroy(p); break; } - dbmkey = apr_dbm_firstkey(dbm); + apr_dbm_firstkey(dbm, &dbmkey); while (dbmkey.dptr != NULL) { nElements++; bDelete = FALSE; - dbmval = apr_dbm_fetch(dbm, dbmkey); + apr_dbm_fetch(dbm, dbmkey, &dbmval); if (dbmval.dsize <= sizeof(time_t) || dbmval.dptr == NULL) bDelete = TRUE; else { @@ -357,7 +358,7 @@ void ssl_scache_dbm_expire(server_rec *s) bDelete = TRUE; } if (bDelete) { - if ((keylist[keyidx].dptr = ap_palloc(p, dbmkey.dsize)) != NULL) { + if ((keylist[keyidx].dptr = apr_palloc(p, dbmkey.dsize)) != NULL) { memcpy(keylist[keyidx].dptr, dbmkey.dptr, dbmkey.dsize); keylist[keyidx].dsize = dbmkey.dsize; keyidx++; @@ -365,17 +366,17 @@ void ssl_scache_dbm_expire(server_rec *s) break; } } - dbmkey = apr_dbm_nextkey(dbm); + apr_dbm_nextkey(dbm, &dbmkey); } apr_dbm_close(dbm); /* pass 2: delete expired elements */ - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE,SSL_DBM_FILE_MODE, p) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot re-open SSLSessionCache DBM file `%s' for expiring", mc->szSessionCacheDataFile); - ap_destroy_pool(p); + apr_pool_destroy(p); break; } for (i = 0; i < keyidx; i++) { @@ -385,7 +386,7 @@ void ssl_scache_dbm_expire(server_rec *s) apr_dbm_close(dbm); /* destroy temporary pool */ - ap_destroy_pool(p); + apr_pool_destroy(p); if (keyidx < KEYMAX) break; @@ -397,9 +398,9 @@ void ssl_scache_dbm_expire(server_rec *s) return; } -void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *), void *arg) +void ssl_scache_dbm_status(server_rec *s, apr_pool_t *p, void (*func)(char *, void *), void *arg) { - SSLModConfigRec *mc = myModConfig(); + SSLModConfigRec *mc = myModConfig(s); apr_dbm_t *dbm; apr_datum_t dbmkey; apr_datum_t dbmval; @@ -410,17 +411,23 @@ void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *), nElem = 0; nSize = 0; ssl_mutex_on(s); - if ((dbm = apr_dbm_open(mc->szSessionCacheDataFile, - O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) { + /* + * XXX - Check what pool is to be used - TBD + */ + if (apr_dbm_open(&dbm, mc->szSessionCacheDataFile, + APR_DBM_RWCREATE, SSL_DBM_FILE_MODE, mc->pPool) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSLSessionCache DBM file `%s' for status retrival", mc->szSessionCacheDataFile); ssl_mutex_off(s); return; } - dbmkey = apr_dbm_firstkey(dbm); - for ( ; dbmkey.dptr != NULL; dbmkey = apr_dbm_nextkey(dbm)) { - dbmval = apr_dbm_fetch(dbm, dbmkey); + /* + * XXX - Check the return value of apr_dbm_firstkey, apr_dbm_fetch - TBD + */ + apr_dbm_firstkey(dbm, &dbmkey); + for ( ; dbmkey.dptr != NULL; apr_dbm_nextkey(dbm, &dbmkey)) { + apr_dbm_fetch(dbm, dbmkey, &dbmval); if (dbmval.dptr == NULL) continue; nElem += 1; @@ -432,11 +439,9 @@ void ssl_scache_dbm_status(server_rec *s, pool *p, void (*func)(char *, void *), nAverage = nSize / nElem; else nAverage = 0; - func(ap_psprintf(p, "cache type: DBM, maximum size: unlimited
"), arg); - func(ap_psprintf(p, "current sessions: %d, current size: %d bytes
", nElem, nSize), arg); - func(ap_psprintf(p, "average session size: %d bytes
", nAverage), arg); + func(apr_psprintf(p, "cache type: DBM, maximum size: unlimited
"), arg); + func(apr_psprintf(p, "current sessions: %d, current size: %d bytes
", nElem, nSize), arg); + func(apr_psprintf(p, "average session size: %d bytes
", nAverage), arg); return; } -#endif /* XXX */ - diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c index d85d797cfb5..5742a34658f 100644 --- a/modules/ssl/ssl_util.c +++ b/modules/ssl/ssl_util.c @@ -298,3 +298,34 @@ char *ssl_util_ptxtsub( return cpResult; } +apr_status_t +ssl_util_setmodconfig( + server_rec *s, const char *key, SSLModConfigRec *mc) +{ + return apr_pool_userdata_set((void *)mc, key, apr_pool_cleanup_null, s->process->pool); +} + +SSLModConfigRec * +ssl_util_getmodconfig( + server_rec *s, const char *key) +{ + SSLModConfigRec *mc = NULL; + + if (apr_pool_userdata_get((void **)&mc, key, s->process->pool) != APR_SUCCESS) + ssl_log(s, SSL_LOG_TRACE, "Unable to retrieve SSLModConfig from global pool"); + return mc; +} + +SSLModConfigRec * +ssl_util_getmodconfig_ssl( + SSL *ssl, const char *key) +{ + conn_rec *c; + SSLModConfigRec *mc = NULL; + + c = SSL_get_app_data(ssl); + if (c != NULL) + mc = ssl_util_getmodconfig(c->base_server, key); + return mc; +} + diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index f2454ca124e..7206d4c9a40 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -148,7 +148,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key) } #endif -EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,void*)) +EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s) { EVP_PKEY *rc; BIO *bioS; @@ -158,7 +158,7 @@ EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)(char*,int,int, #if SSL_LIBRARY_VERSION < 0x00904000 rc = PEM_read_PrivateKey(fp, key, cb); #else - rc = PEM_read_PrivateKey(fp, key, cb, NULL); + rc = PEM_read_PrivateKey(fp, key, cb, s); #endif if (rc == NULL) { /* 2. try DER+Base64 */ diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h index bc941cbf8f1..40a0936932a 100644 --- a/modules/ssl/ssl_util_ssl.h +++ b/modules/ssl/ssl_util_ssl.h @@ -95,7 +95,7 @@ int SSL_get_app_data2_idx(void); void *SSL_get_app_data2(SSL *); void SSL_set_app_data2(SSL *, void *); X509 *SSL_read_X509(FILE *, X509 **, int (*)(char*,int,int,void*)); -EVP_PKEY *SSL_read_PrivateKey(FILE *, EVP_PKEY **, int (*)(char*,int,int,void*)); +EVP_PKEY *SSL_read_PrivateKey(FILE *, EVP_PKEY **, int (*)(char*,int,int,void*), void *); int SSL_smart_shutdown(SSL *ssl); X509_STORE *SSL_X509_STORE_create(char *, char *); int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);