From 3f6c23e40aa1e05a76d4f57ad815d476237a8ac7 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Fri, 14 Jan 2005 13:54:31 +0000
Subject: [PATCH] * modules/ssl/mod_ssl.c: Declare new config directives SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path, ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use pcalloc to zero-initialize the entire modssl_pk_server_t structure. (ssl_config_server_new): Merge the ca_name_* fields. (ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New functions.
PR: 32848
Submitted by: Tim Taylor
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 5 ++++
modules/ssl/mod_ssl.c | 6 +++++
modules/ssl/ssl_engine_config.c | 45 +++++++++++++++++++++++++--------
modules/ssl/ssl_engine_init.c | 15 +++++++----
modules/ssl/ssl_private.h | 7 +++++
5 files changed, 63 insertions(+), 15 deletions(-)
diff --git a/CHANGES b/CHANGES
index 69285749384..37f0f4c0738 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.3
 [Remove entries to the current 2.0 section below, when backported]
 
+ *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
+ which can be used to configure a specific list of CA names to send
+ in a client certificate request. PR 32848.
+ [Tim Taylor ]
+
 *) --with-module can now take more than one module to be statically linked: --with-module=:,:,... If the -subdirectory doesn't exist it will be created and
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index fb9e75bd68c..4fa39008adf 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -116,6 +116,12 @@ static const command_rec ssl_config_cmds[] = {
 SSL_CMD_ALL(CACertificateFile, TAKE1,
 "SSL CA Certificate file "
 "(`/path/to/file' - PEM encoded)")
+ SSL_CMD_SRV(CADNRequestPath, TAKE1,
+ "SSL CA Distinguished Name path "
+ "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
+ SSL_CMD_SRV(CADNRequestFile, TAKE1,
+ "SSL CA Distinguished Name file "
+ "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
 SSL_CMD_SRV(CARevocationPath, TAKE1,
 "SSL CA Certificate Revocation List (CRL) path "
 "(`/path/to/dir' - contains PEM encoded files)")
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index d9cc5b8a1eb..85831ea45f9 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -152,17 +152,9 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
 
 modssl_ctx_init(mctx);
 
- mctx->pks = apr_palloc(p, sizeof(*mctx->pks));
+ mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
 
- memset((void*)mctx->pks->cert_files, 0, sizeof(mctx->pks->cert_files));
-
- memset((void*)mctx->pks->key_files, 0, sizeof(mctx->pks->key_files));
-
- /* certs/keys are set during module init */
-
- memset(mctx->pks->certs, 0, sizeof(mctx->pks->certs));
-
- memset(mctx->pks->keys, 0, sizeof(mctx->pks->keys));
+ /* mctx->pks->... certs/keys are set during module init */
 }
 
 static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -245,6 +237,9 @@ static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
 cfgMergeString(pks->cert_files[i]);
 cfgMergeString(pks->key_files[i]);
 }
+
+ cfgMergeString(pks->ca_name_path);
+ cfgMergeString(pks->ca_name_file);
 }
 
 /*
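Review bot: `cfgMergeString(pks->ca_name_path)` and `cfgMergeString(pks->ca_name_file)` are merged independently, so a virtual host that sets only SSLCADNRequestFile still inherits the base server's SSLCADNRequestPath (and vice versa), and the advertised CA-name list is then presumably derived from both sources rather than only the one the vhost configured. That mirrors how cert_files/key_files are merged just above, so it may well be intended, but a comment would spare the next reader the question: `/* merged separately: a vhost that sets only one of the pair inherits the other */`. Note also that the commit message attributes this merge to ssl_config_server_new, while the hunk lives in modssl_ctx_cfg_merge_server. modssl_ctx_cfg_merge_server starts outside the hunk.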
@@ -835,6 +830,36 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
 return NULL;
 }
 
+const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_dir(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->pks->ca_name_path = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->pks->ca_name_file = arg;
+
+ return NULL;
+}
+
 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, void *dcfg,
 const char *arg)
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 2a9c7a4ef82..bcc0d388f5f 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -544,12 +544,17 @@ static void ssl_init_ctx_verify(server_rec *s,
 ssl_die();
 }
 
- ca_list = ssl_init_FindCAList(s, ptemp,
- mctx->auth.ca_cert_file,
- mctx->auth.ca_cert_path);
+ if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
+ ca_list = ssl_init_FindCAList(s, ptemp,
+ mctx->pks->ca_name_file,
+ mctx->pks->ca_name_path);
+ } else
+ ca_list = ssl_init_FindCAList(s, ptemp,
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path);
 if (!ca_list) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to determine list of available "
+ "Unable to determine list of acceptable "
 "CA certificates for client authentication");
 ssl_die();
 }
@@ -1151,7 +1156,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
 if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Failed to open SSLCACertificatePath `%s'",
+ "Failed to open Certificate Path `%s'",
 ca_path);
 ssl_die();
 }
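Review bot: The `} else` introduced in ssl_init_ctx_verify governs a three-line `ca_list = ssl_init_FindCAList(...)` statement without braces, unlike the `if` branch directly above it; write `} else {` and close the branch after `mctx->auth.ca_cert_path);` so a later insertion cannot silently land outside it. Beyond style, nothing in the hunk records that SSLCADNRequestFile/Path only select which CA names are advertised in the CertificateRequest (as the commit message states), while the CAs actually trusted to verify a client certificate are, as far as this diff shows, still whatever SSLCACertificateFile/Path configured; a name list that does not correspond to the trust store is accepted here without any check or warning, and the only failure handled is an empty list. Suggest a comment above the new `if`: `/* SSLCADNRequest* only choose the CA names sent in the CertificateRequest; the CAs trusted for verification remain those from SSLCACertificateFile/Path. */`. ssl_init_ctx_verify starts and ends outside the hunk.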
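Review bot: The reworded log message "Failed to open Certificate Path `%s'" in ssl_init_FindCAList drops the directive name because the function now serves both SSLCACertificatePath and SSLCADNRequestPath, but it leaves the administrator to work out which directive named the directory that could not be opened. Since the caller is not identified in this function's arguments, naming both candidates is the cheapest fix: `"Failed to open CA certificate path `%s' (SSLCACertificatePath or SSLCADNRequestPath)"`. ssl_init_FindCAList starts and ends outside the hunk.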
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 4f834948ba1..19f9d8a9ced 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -379,6 +379,11 @@ typedef struct {
 const char *key_files[SSL_AIDX_MAX];
 X509 *certs[SSL_AIDX_MAX];
 EVP_PKEY *keys[SSL_AIDX_MAX];
+
+ /* Certificates which specify the set of CA names which should be
+ * sent in the CertificateRequest message: */
+ const char *ca_name_path;
+ const char *ca_name_file;
 } modssl_pk_server_t;
 
 typedef struct {
@@ -487,6 +492,8 @@ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
-- 
2.47.2
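Review bot: The new comment above `ca_name_path`/`ca_name_file` in modssl_pk_server_t says what the certificates are for but not what NULL means, although the ssl_engine_init.c hunk of this patch falls back to `mctx->auth.ca_cert_file`/`ca_cert_path` (the SSLCACertificateFile/Path values, by their names) when both are unset. Add a line to the comment: `* Both NULL: the names are derived from SSLCACertificateFile/Path instead.` The second hunk in this file only adds prototypes.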