From: Stefan Eissing
Date: Tue, 11 Sep 2018 08:41:56 +0000 (+0000)
Subject: adding revisions after review by jorton
X-Git-Tag: 2.4.36~37^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7c13636fb8a448ba643cf0debd8d7c2b710bfc2;p=thirdparty%2Fapache%2Fhttpd.git

adding revisions after review by jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840530 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 76000995a3f..1a74e1efb5b 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -431,7 +431,7 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn)
 }
 
 static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc,
-                                        SSLDirConfigRec *dc, SSLConnRec *sslconn, SSL *ssl)
+                                        SSLDirConfigRec *dc, SSL *ssl)
 {
     /*
      * Finally check for acceptable renegotiation results
@@ -440,31 +440,31 @@ static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc,
         (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
         BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
                           (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
-
+
         if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
                           "Re-negotiation handshake failed: "
                           "Client verification failed");
-
+
             return HTTP_FORBIDDEN;
         }
-
+
         if (do_verify) {
             X509 *peercert;
-
+
             if ((peercert = SSL_get_peer_certificate(ssl)) == NULL) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
                               "Re-negotiation handshake failed: "
                               "Client certificate missing");
-
+
                 return HTTP_FORBIDDEN;
             }
-
+
             X509_free(peercert);
         }
     }
     return OK;
-}
+}
 
 /*
  * Access Handler, classic flavour, for SSL/TLS up to v1.2
@@ -1031,7 +1031,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
     /*
      * Finally check for acceptable renegotiation results
      */
-    if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+    if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, ssl))) {
         return rc;
     }
 
@@ -1139,7 +1139,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
     int vmode_inplace, vmode_needed;
     int change_vmode = FALSE;
     int old_state, n, rc;
-
+
     vmode_inplace = SSL_get_verify_mode(ssl);
     vmode_needed = SSL_VERIFY_NONE;
 
@@ -1159,16 +1159,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
     if (vmode_needed == SSL_VERIFY_NONE) {
         return DECLINED;
     }
-
+
     vmode_needed |= SSL_VERIFY_CLIENT_ONCE;
 
     if (vmode_inplace != vmode_needed) {
         /* Need to change, if new setting is more restrictive than existing one */
-
+
         if ((vmode_inplace == SSL_VERIFY_NONE)
             || (!(vmode_inplace & SSL_VERIFY_PEER) && (vmode_needed & SSL_VERIFY_PEER))
             || (!(vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-                && (vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
+                && (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
             /* need to change the effective verify mode */
             change_vmode = TRUE;
         }
@@ -1203,7 +1203,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
             }
         }
     }
-
+
     if (change_vmode) {
         char peekbuf[1];
 
@@ -1215,9 +1215,9 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
             apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
             return HTTP_FORBIDDEN;
         }
-
+
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
                       "verify client post handshake");
-
+
         SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
         SSL_verify_client_post_handshake(ssl);
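Review bot: The escalation test on the corrected `&& (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)` line in the hunk at 1159 is still described only as "more restrictive" by the comment above it, and its three clauses read as unrelated; I would replace that comment with `/* Escalate only: no verification -> peer verification, or optional peer cert -> required (FAIL_IF_NO_PEER_CERT); an already stricter mode is never relaxed. */`. With the old `vmode_inplace` operand the third clause could never be true, so a per-directory SSLVerifyClient require under a vhost with optional verification would not have triggered post-handshake authentication; that transition deserves a CHANGES entry and a test. The `vmode_inplace == SSL_VERIFY_NONE` clause looks redundant with the SSL_VERIFY_PEER clause whenever vmode_needed carries SSL_VERIFY_PEER, which this hunk does not show. Later in the same function (the hunk at 1215) the routine "verify client post handshake" message is logged at APLOG_ERR with an empty APLOGNO(), which should become a debug-level message with an allocated log number before release. ssl_hook_Access_modern begins and ends outside these hunks.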
@@ -1238,12 +1238,12 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
             /*
              * Finally check for acceptable renegotiation results
              */
-            if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+            if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, ssl))) {
                 return rc;
             }
         }
     }
-
+
     return DECLINED;
 }
 #endif
@@ -1261,7 +1261,7 @@ int ssl_hook_Access(request_rec *r)
         sslconn = myConnConfig(r->connection->master);
         ssl = sslconn ? sslconn->ssl : NULL;
     }
-
+
     /*
      * We should have handshaken here, otherwise we are being
      * redirected (ErrorDocument) from a renegotiation failure below.
@@ -1304,7 +1304,7 @@ int ssl_hook_Access(request_rec *r)
     if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
         return DECLINED;
     }
-
+
 #if SSL_HAVE_PROTOCOL_TLSV1_3
     /* TLSv1.3+ is less complicated here. Branch off into a new codeline
      * and avoid messing with the past. */