From d56819eb04e061a4edcb4f983221797ee7cb95f0 Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Mon, 17 Feb 2020 14:42:09 +0000 Subject: [PATCH] Merged /httpd/httpd/trunk:r1870020,1874133 *) mod_md: - Prefer MDContactEmail directive to ServerAdmin for registration. New directive thanks to Timothe Litt (@tlhackque). - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now check all matching virtual hosts for protocol support. Thanks to @mkauf. - Corrected a check when OCSP stapling was configured for hosts where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm). - Softening the restrictions where mod_md configuration directives may appear. This should allow for use in and sections. If all possible variations lead to the configuration you wanted in the first place, is another matter. [Michael Kaufmann , Timothe Litt (@tlhackque), Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874134 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 13 ++++ docs/manual/mod/mod_md.xml | 25 +++++++- modules/md/md_acme_drive.c | 2 +- modules/md/md_ocsp.c | 11 ++++ modules/md/md_result.c | 2 +- modules/md/md_version.h | 4 +- modules/md/mod_md.c | 54 ++++++++++++---- modules/md/mod_md_config.c | 127 ++++++++++++++++++++++++------------- modules/md/mod_md_config.h | 2 + modules/md/mod_md_ocsp.c | 4 +- modules/md/mod_md_os.c | 3 - 11 files changed, 180 insertions(+), 67 deletions(-) diff --git a/CHANGES b/CHANGES index bae84dec71b..3a8afbb679f 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,19 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.42 + *) mod_md: + - Prefer MDContactEmail directive to ServerAdmin for registration. New directive + thanks to Timothe Litt (@tlhackque). + - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now + check all matching virtual hosts for protocol support. Thanks to @mkauf. + - Corrected a check when OCSP stapling was configured for hosts + where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm). + - Softening the restrictions where mod_md configuration directives may appear. This should + allow for use in and sections. If all possible variations lead to the configuration + you wanted in the first place, is another matter. + [Michael Kaufmann , Timothe Litt (@tlhackque), + Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] + *) test: Added continuous testing with Travis CI. This tests various scenarios on Ubuntu with the full test suite. Architectures tested: amd64, s390x, ppc64le, arm64 diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml index b98e536db3d..a80691411fb 100644 --- a/docs/manual/mod/mod_md.xml +++ b/docs/manual/mod/mod_md.xml @@ -304,7 +304,7 @@ MDChallengeDns01 /usr/bin/acme-setup-dns the MDomainSet.

There are 2 additional settings that are necessary for a Managed Domain: - ServerAdmin + a contact Email address (via MDContactEmail or ServerAdmin) and MDCertificateAgreement. The mail address of ServerAdmin is used to register at the CA (Let's Encrypt by default). @@ -317,7 +317,7 @@ MDChallengeDns01 /usr/bin/acme-setup-dns

Example -ServerAdmin mailto:admin@example.org +MDContactEmail admin@example.org MDCertificateAgreement accepted MDomain example.org www.example.org @@ -1215,5 +1215,24 @@ MDMessageCmd /etc/apache/md-message

- + + + MDContactEmail + + MDContactEmail address + + server config + + +

+ The ACME protocol requires you to give a contact url when you sign up. Currently, + Let's Encrypt wants an email address (and it will use it to inform you about renewals + or changed terms of service). mod_md uses the MDContactEmail directive email in + your Apache configuration, so please specify the correct address there. + If MDContactEmail is not present, mod_md will use the + ServerAdmin directive. +

+
+
+ diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c index b1db503f966..b88da757c51 100644 --- a/modules/md/md_acme_drive.c +++ b/modules/md/md_acme_drive.c @@ -132,7 +132,7 @@ apr_status_t md_acme_drive_set_acct(md_proto_driver_t *d, md_result_t *result) if (!ad->md->contacts || apr_is_empty_array(md->contacts)) { rv = APR_EINVAL; md_result_printf(result, rv, "No contact information is available for MD %s. " - "Configure one using the ServerAdmin directive.", md->name); + "Configure one using the MDContactEmail or ServerAdmin directive.", md->name); md_result_log(result, MD_LOG_ERR); goto leave; } diff --git a/modules/md/md_ocsp.c b/modules/md/md_ocsp.c index 90fb3329058..dc95393249e 100644 --- a/modules/md/md_ocsp.c +++ b/modules/md/md_ocsp.c @@ -32,6 +32,13 @@ #include #include +#if defined(LIBRESSL_VERSION_NUMBER) +/* Missing from LibreSSL */ +#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) +#else /* defined(LIBRESSL_VERSION_NUMBER) */ +#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) +#endif + #include "md.h" #include "md_crypt.h" #include "md_json.h" @@ -566,7 +573,11 @@ static const char *single_resp_summary(OCSP_SINGLERESP* resp, apr_pool_t *p) ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL; md_timeperiod_t valid; +#if MD_USE_OPENSSL_PRE_1_1_API + certid = resp->certId; +#else certid = OCSP_SINGLERESP_get0_id(resp); +#endif status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup); valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now(); valid.end = md_asn1_generalized_time_get(bnextup); diff --git a/modules/md/md_result.c b/modules/md/md_result.c index 7d8370faddb..29996e94ca6 100644 --- a/modules/md/md_result.c +++ b/modules/md/md_result.c @@ -32,7 +32,7 @@ static const char *dup_trim(apr_pool_t *p, const char *s) { char *d = apr_pstrdup(p, s); - apr_collapse_spaces(d, d); + if (d) apr_collapse_spaces(d, d); return d; } 
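Review bot: The `MD_USE_OPENSSL_PRE_1_1_API` split introduced in md_ocsp.c chooses between direct member access (`resp->certId`) and `OCSP_SINGLERESP_get0_id()`, and the version macros it tests come from whichever OpenSSL headers precede it; the `#include` names are lost in this rendering, so please confirm `<openssl/opensslv.h>` (or a header that pulls it in) is among them rather than relying on it arriving indirectly. The same LibreSSL/OpenSSL threshold very probably already exists in md_crypt.c, which handles the same API break; one definition in a shared header avoids two copies drifting apart. A short comment on the pre-1.1 branch, e.g. `/* OCSP_SINGLERESP is opaque from OpenSSL 1.1.0 / LibreSSL 2.7.0 on; older libs expose the member directly */`, would save the next reader a lookup.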
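Review bot: The new `if (d)` guard in dup_trim (md_result.c) should say why it is there, because nothing else in the function hints that `s` may be NULL and a reader will wonder what apr_collapse_spaces() would otherwise do. Suggested: `/* apr_pstrdup() returns NULL for a NULL input; nothing to trim then */`. Callers now get NULL back for a NULL input, which is presumably what they already expected from the apr_pstrdup() pass-through, but the call sites are outside this hunk and worth a glance.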
diff --git a/modules/md/md_version.h b/modules/md/md_version.h index 331e403d721..f51cf69effc 100644 --- a/modules/md/md_version.h +++ b/modules/md/md_version.h @@ -27,7 +27,7 @@ * @macro * Version number of the md module as c string */ -#define MOD_MD_VERSION "2.2.3" +#define MOD_MD_VERSION "2.2.7-git" /** * @macro @@ -35,7 +35,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_MD_VERSION_NUM 0x020203 +#define MOD_MD_VERSION_NUM 0x020207 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory" diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c index 1c83d4a3bf1..c9922f2a0df 100644 --- a/modules/md/mod_md.c +++ b/modules/md/mod_md.c @@ -297,6 +297,8 @@ leave: static void merge_srv_config(md_t *md, md_srv_conf_t *base_sc, apr_pool_t *p) { + const char *contact; + if (!md->sc) { md->sc = base_sc; } @@ -310,9 +312,14 @@ static void merge_srv_config(md_t *md, md_srv_conf_t *base_sc, apr_pool_t *p) if (!md->ca_agreement) { md->ca_agreement = md_config_gets(md->sc, MD_CONFIG_CA_AGREEMENT); } - if (md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) { + contact = md_config_gets(md->sc, MD_CONFIG_CA_CONTACT); + if (contact && contact[0]) { + apr_array_clear(md->contacts); + APR_ARRAY_PUSH(md->contacts, const char *) = + md_util_schemify(p, contact, "mailto"); + } else if( md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) { apr_array_clear(md->contacts); - APR_ARRAY_PUSH(md->contacts, const char *) = + APR_ARRAY_PUSH(md->contacts, const char *) = md_util_schemify(p, md->sc->s->server_admin, "mailto"); } if (md->renew_mode == MD_RENEW_DEFAULT) { 
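Review bot: In merge_srv_config (mod_md.c hunk) the new branch `} else if( md->sc->s->server_admin && ...` lacks the space after `if`, unlike the other conditions visible in the hunk; write `} else if (md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {`. The `contact && contact[0]` test also means an MDContactEmail set to an empty string silently falls back to ServerAdmin with no log line, so a mistake in the directive is only noticed once the CA account carries the wrong address; a one-line APLOG_DEBUG naming the contact that was chosen for `md->name` would make that visible. The function continues past the end of the hunk.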
@@ -436,30 +443,48 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_ md_srv_conf_t *sc; md_mod_conf_t *mc; server_rec *s; + server_rec *res = NULL; request_rec r; int i; + int check_port = 1; sc = md_config_get(base_server); mc = sc->mc; memset(&r, 0, sizeof(r)); - - if (!mc->can_https) return NULL; + + if (md->ca_challenges && md->ca_challenges->nelts > 0) { + /* skip the port check if "tls-alpn-01" is pre-configured */ + check_port = !(md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0); + } + + if (check_port && !mc->can_https) return NULL; + /* find an ssl server matching domain from MD */ for (s = base_server; s; s = s->next) { sc = md_config_get(s); if (!sc || !sc->is_ssl || !sc->assigned) continue; if (base_server == s && !mc->manage_base_server) continue; - if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue; + if (base_server != s && check_port && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue; for (i = 0; i < sc->assigned->nelts; ++i) { if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) { r.server = s; if (ap_matches_request_vhost(&r, domain, s->port)) { - return s; + if (check_port) { + return s; + } + else { + /* there may be multiple matching servers because we ignore the port. + if possible, choose a server that supports the acme-tls/1 protocol */ + if (ap_is_allowed_protocol(NULL, NULL, s, PROTO_ACME_TLS_1)) { + return s; + } + res = s; + } } } } } - return NULL; + return res; } static apr_status_t auto_add_domains(md_t *md, server_rec *base_server, apr_pool_t *p) 
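Review bot: When `check_port` is 0 (tls-alpn-01 pre-configured) and none of the matching servers has `acme-tls/1` enabled, get_public_https_server now returns the last match in `res` without any diagnostic, so the challenge is attempted on a vhost that cannot answer it unless the caller re-checks protocol support, which is not visible here. Before `return res;` add a check along the lines of `if (res && !ap_is_allowed_protocol(NULL, NULL, res, PROTO_ACME_TLS_1))` followed by an APLOG_WARNING naming `md->name` and `res->server_hostname`, so the operator learns which vhost is missing the protocol. Minor style: `check_port = !(md_array_str_index(...) >= 0);` is a double negation and reads better as `check_port = (md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) < 0);`. The function's signature appears only in the hunk header.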
@@ -556,10 +581,17 @@ static apr_status_t link_md_to_servers(md_mod_conf_t *mc, md_t *md, server_rec * s->server_hostname, s->port, md->name, sc->name, domain, (int)sc->assigned->nelts); - if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) { + if (sc->ca_contact && sc->ca_contact[0]) { + uri = md_util_schemify(p, sc->ca_contact, "mailto"); + if (md_array_str_index(md->contacts, uri, 0, 0) < 0) { + APR_ARRAY_PUSH(md->contacts, const char *) = uri; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044) + "%s: added contact %s", md->name, uri); + } + } else if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) { uri = md_util_schemify(p, s->server_admin, "mailto"); if (md_array_str_index(md->contacts, uri, 0, 0) < 0) { - APR_ARRAY_PUSH(md->contacts, const char *) = uri; + APR_ARRAY_PUSH(md->contacts, const char *) = uri; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044) "%s: added contact %s", md->name, uri); } @@ -683,7 +715,7 @@ static apr_status_t check_invalid_duplicates(server_rec *base_server) md_srv_conf_t *sc; ap_log_error( APLOG_MARK, APLOG_TRACE1, 0, base_server, - "cecking duplicate ssl assignments"); + "checking duplicate ssl assignments"); for (s = base_server; s; s = s->next) { sc = md_config_get(s); if (!sc || !sc->assigned) continue; @@ -1067,7 +1099,7 @@ static apr_status_t get_certificate(server_rec *s, apr_pool_t *p, int fallback, } else if (sc->assigned->nelts != 1) { if (!fallback) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207) + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042) "conflict: %d MDs match Virtualhost %s which uses SSL, however " "there can be at most 1.", (int)sc->assigned->nelts, s->server_hostname); diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c index 8d78af0c4b1..66684213aa7 100644 --- a/modules/md/mod_md_config.c +++ b/modules/md/mod_md_config.c 
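Review bot: link_md_to_servers reads `sc->ca_contact` directly while merge_srv_config (earlier hunk in this file) goes through `md_config_gets(md->sc, MD_CONFIG_CA_CONTACT)`; both give the same result today because the default is NULL, but the accessor is the one place a default would be applied, so both sites should use it. The two new branches also repeat the same schemify/dedupe/log body and differ only in the source string, which leaves two identical `APLOGNO(10044)` call sites; picking the contact first and running a single body removes the duplication. The function begins and ends outside the hunk, so the `const char *contact` local has to be declared with the other locals at its top.

```c
            /* … unchanged: debug log of the MD/server assignment … */
            /* prefer MDContactEmail, fall back to a ServerAdmin that is not the default */
            contact = md_config_gets(sc, MD_CONFIG_CA_CONTACT);
            if (!(contact && contact[0])) {
                contact = (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin))?
                          s->server_admin : NULL;
            }
            if (contact) {
                uri = md_util_schemify(p, contact, "mailto");
                if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
                    APR_ARRAY_PUSH(md->contacts, const char *) = uri;
                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
                                 "%s: added contact %s", md->name, uri);
                }
            }
            /* … unchanged: rest of link_md_to_servers … */
```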
@@ -105,6 +105,7 @@ static md_srv_conf_t defconf = { &def_renew_window, /* renew window */ &def_warn_window, /* warn window */ NULL, /* ca url */ + NULL, /* ca contact (email) */ "ACME", /* ca protocol */ NULL, /* ca agreemnent */ NULL, /* ca challenges array */ @@ -156,6 +157,7 @@ static void srv_conf_props_clear(md_srv_conf_t *sc) sc->renew_window = NULL; sc->warn_window = NULL; sc->ca_url = NULL; + sc->ca_contact = NULL; sc->ca_proto = NULL; sc->ca_agreement = NULL; sc->ca_challenges = NULL; @@ -173,6 +175,7 @@ static void srv_conf_props_copy(md_srv_conf_t *to, const md_srv_conf_t *from) to->warn_window = from->warn_window; to->renew_window = from->renew_window; to->ca_url = from->ca_url; + to->ca_contact = from->ca_contact; to->ca_proto = from->ca_proto; to->ca_agreement = from->ca_agreement; to->ca_challenges = from->ca_challenges; @@ -229,6 +232,7 @@ static void *md_config_merge(apr_pool_t *pool, void *basev, void *addv) nsc->warn_window = add->warn_window? add->warn_window : base->warn_window; nsc->ca_url = add->ca_url? add->ca_url : base->ca_url; + nsc->ca_contact = add->ca_contact? add->ca_contact : base->ca_contact; nsc->ca_proto = add->ca_proto? add->ca_proto : base->ca_proto; nsc->ca_agreement = add->ca_agreement? add->ca_agreement : base->ca_agreement; nsc->ca_challenges = (add->ca_challenges? apr_array_copy(pool, add->ca_challenges) 
@@ -267,6 +271,30 @@ static const char *md_section_check(cmd_parms *cmd) { return NULL; } +#define MD_LOC_GLOBAL (0x01) +#define MD_LOC_MD (0x02) +#define MD_LOC_ELSE (0x04) +#define MD_LOC_ALL (0x07) +#define MD_LOC_NOT_MD (0x102) + +static const char *md_conf_check_location(cmd_parms *cmd, int flags) +{ + if (MD_LOC_GLOBAL == flags) { + return ap_check_cmd_context(cmd, GLOBAL_ONLY); + } + if (MD_LOC_NOT_MD == flags && inside_md_section(cmd)) { + return apr_pstrcat(cmd->pool, cmd->cmd->name, " is not allowed inside an '", + MD_CMD_MD_SECTION, "' context", NULL); + } + if (MD_LOC_MD == flags) { + return md_section_check(cmd); + } + else if ((MD_LOC_MD & flags) && inside_md_section(cmd)) { + return NULL; + } + return ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION); +} + static const char *set_on_off(int *pvalue, const char *s, apr_pool_t *p) { if (!apr_strnatcasecmp("off", s)) { @@ -314,7 +342,7 @@ static const char *md_config_sec_start(cmd_parms *cmd, void *mconfig, const char int transitive = -1; (void)mconfig; - if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } @@ -400,8 +428,7 @@ static const char *md_config_set_names(cmd_parms *cmd, void *dc, int i, transitive = -1; (void)dc; - err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE); - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } 
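Review bot: `MD_LOC_NOT_MD` is defined as `0x102`, so it carries the `MD_LOC_MD` bit even though it means "anywhere except an MDomain section"; md_conf_check_location only behaves because the `MD_LOC_NOT_MD == flags` equality test runs before the `(MD_LOC_MD & flags)` bitmask test, and nothing in the code says so. Add above the defines something like `/* GLOBAL, MD and NOT_MD are matched by equality; only MD_LOC_ALL is tested as a bitmask */`, or give NOT_MD a value without the MD bit. `MD_LOC_ELSE` and `MD_LOC_GLOBAL` are passed by no caller in this patch, and the `else if` that follows an unconditional `return` can be a plain `if`. The final `ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION)` does not exclude .htaccess, so the function relies on each directive's `RSRC_CONF` override in md_cmds to keep it out of per-directory files, which the same comment should state.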
@@ -436,20 +463,33 @@ static const char *md_config_set_ca(cmd_parms *cmd, void *dc, const char *value) const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } sc->ca_url = value; return NULL; } +static const char *md_config_set_contact(cmd_parms *cmd, void *dc, const char *value) +{ + md_srv_conf_t *sc = md_config_get(cmd->server); + const char *err; + + (void)dc; + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { + return err; + } + sc->ca_contact = value; + return NULL; +} + static const char *md_config_set_ca_proto(cmd_parms *cmd, void *dc, const char *value) { md_srv_conf_t *config = md_config_get(cmd->server); const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } config->ca_proto = value; @@ -462,7 +502,7 @@ static const char *md_config_set_agreement(cmd_parms *cmd, void *dc, const char const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } config->ca_agreement = value; @@ -489,7 +529,7 @@ static const char *md_config_set_renew_mode(cmd_parms *cmd, void *dc, const char return apr_pstrcat(cmd->pool, "unknown MDDriveMode ", value, NULL); } - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } config->renew_mode = renew_mode; @@ -502,7 +542,7 @@ static const char *md_config_set_must_staple(cmd_parms *cmd, void *dc, const cha const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } return set_on_off(&config->must_staple, value, cmd->pool); 
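Review bot: md_config_set_contact stores `value` without any check, so `MDContactEmail ""` is accepted and only later silently ignored by the `contact[0]` test in merge_srv_config, and a value without an `@` is prefixed with `mailto:` and submitted to the CA as the account contact. Reject the obvious mistakes at parse time, where the error can point at the config line: `if (!*value) return "MDContactEmail must not be empty";` and, since the directive is explicitly about email, `if (!ap_strchr_c(value, '@')) return "MDContactEmail expects an email address";`. If other contact URL schemes are meant to be accepted here, the second check is too strict and the directive documentation should say so instead.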
@@ -514,7 +554,7 @@ static const char *md_config_set_stapling(cmd_parms *cmd, void *dc, const char * const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } return set_on_off(&config->stapling, value, cmd->pool); @@ -526,7 +566,7 @@ static const char *md_config_set_staple_others(cmd_parms *cmd, void *dc, const c const char *err; (void)dc; - if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } return set_on_off(&config->staple_others, value, cmd->pool); @@ -535,7 +575,7 @@ static const char *md_config_set_staple_others(cmd_parms *cmd, void *dc, const c static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const char *value) { md_srv_conf_t *config = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD); (void)dc; if (err) return err; @@ -547,11 +587,10 @@ static const char *md_config_set_require_https(cmd_parms *cmd, void *dc, const c md_srv_conf_t *config = md_config_get(cmd->server); const char *err; - (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } - + (void)dc; if (!apr_strnatcasecmp("off", value)) { config->require_https = MD_REQUIRE_OFF; } @@ -574,8 +613,7 @@ static const char *md_config_set_renew_window(cmd_parms *cmd, void *dc, const ch const char *err; (void)dc; - if (!inside_md_section(cmd) - && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } err = md_timeslice_parse(&config->renew_window, cmd->pool, value, MD_TIME_LIFE_NORM); 
@@ -593,8 +631,7 @@ static const char *md_config_set_warn_window(cmd_parms *cmd, void *dc, const cha const char *err; (void)dc; - if (!inside_md_section(cmd) - && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } err = md_timeslice_parse(&config->warn_window, cmd->pool, value, MD_TIME_LIFE_NORM); @@ -609,9 +646,9 @@ static const char *md_config_set_warn_window(cmd_parms *cmd, void *dc, const cha static const char *md_config_set_proxy(cmd_parms *cmd, void *arg, const char *value) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } md_util_abs_http_uri_check(cmd->pool, value, &err); @@ -626,9 +663,9 @@ static const char *md_config_set_proxy(cmd_parms *cmd, void *arg, const char *va static const char *md_config_set_store_dir(cmd_parms *cmd, void *arg, const char *value) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } sc->mc->base_dir = value; @@ -686,10 +723,10 @@ static const char *md_config_set_port_map(cmd_parms *cmd, void *arg, const char *v1, const char *v2) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; (void)arg; - if (!err) { + if (!(err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { err = set_port_map(sc->mc, v1); } if (!err && v2) { @@ -707,8 +744,7 @@ static const char *md_config_set_cha_tyes(cmd_parms *cmd, void *dc, int i; (void)dc; - if (!inside_md_section(cmd) - && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } pcha = &config->ca_challenges; 
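Review bot: md_config_set_store_dir, md_config_set_proxy and md_config_set_port_map move from GLOBAL_ONLY to `MD_LOC_NOT_MD`, which passes inside any `<VirtualHost>`, yet each still writes into `sc->mc`, the module-wide configuration that every server shares (the same `mc` that get_public_https_server reads for all hosts). A MDStoreDir or MDHttpProxy inside one virtual host therefore redefines, for every managed domain, where account keys and certificates are stored and which proxy the ACME traffic uses, with the last vhost parsed winning silently. If placement in a vhost is not the goal of the softening, gate these with `md_conf_check_location(cmd, MD_LOC_GLOBAL)`, which this patch defines but no caller passes; if it is the goal, at least emit a warning when a previously set value is being replaced.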
@@ -735,8 +771,7 @@ static const char *md_config_set_pkeys(cmd_parms *cmd, void *dc, apr_int64_t bits; (void)dc; - if (!inside_md_section(cmd) - && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } if (argc <= 0) { @@ -784,9 +819,9 @@ static const char *md_config_set_pkeys(cmd_parms *cmd, void *dc, static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const char *arg) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } sc->mc->notify_cmd = arg; @@ -797,9 +832,9 @@ static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const static const char *md_config_set_msg_cmd(cmd_parms *cmd, void *mconfig, const char *arg) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } sc->mc->message_cmd = arg; @@ -810,9 +845,9 @@ static const char *md_config_set_msg_cmd(cmd_parms *cmd, void *mconfig, const ch static const char *md_config_set_dns01_cmd(cmd_parms *cmd, void *mconfig, const char *arg) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } apr_table_set(sc->mc->env, MD_KEY_CMD_DNS01, arg); @@ -826,7 +861,7 @@ static const char *md_config_set_cert_file(cmd_parms *cmd, void *mconfig, const const char *err; (void)mconfig; - if (NULL != (err = md_section_check(cmd))) return err; + if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err; assert(sc->current); sc->current->cert_file = arg; return NULL; 
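Review bot: MDNotifyCmd, MDMessageCmd and MDChallengeDns01 name programs that mod_md executes, and switching their check from GLOBAL_ONLY to `MD_LOC_NOT_MD` lets any `<VirtualHost>` set them while the value still lands in the shared `sc->mc` (or its `env` table), so a vhost fragment now replaces the command used server-wide. In setups where vhost includes are maintained by different people than the main configuration this widens who gets to choose a program mod_md runs, and the override is silent because the last parsed value simply wins. Unless setting these from a vhost is required, `md_conf_check_location(cmd, MD_LOC_GLOBAL)`, a flag this patch introduces and never passes, would keep the previous restriction for exactly these three directives.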
@@ -838,7 +873,7 @@ static const char *md_config_set_key_file(cmd_parms *cmd, void *mconfig, const c const char *err; (void)mconfig; - if (NULL != (err = md_section_check(cmd))) return err; + if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err; assert(sc->current); sc->current->pkey_file = arg; return NULL; @@ -850,7 +885,7 @@ static const char *md_config_set_server_status(cmd_parms *cmd, void *dc, const c const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } return set_on_off(&sc->mc->server_status_enabled, value, cmd->pool); @@ -862,7 +897,7 @@ static const char *md_config_set_certificate_status(cmd_parms *cmd, void *dc, co const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } return set_on_off(&sc->mc->certificate_status_enabled, value, cmd->pool); @@ -874,7 +909,7 @@ static const char *md_config_set_ocsp_keep_window(cmd_parms *cmd, void *dc, cons const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } err = md_timeslice_parse(&sc->mc->ocsp_keep_window, cmd->pool, value, MD_TIME_OCSP_KEEP_NORM); @@ -888,7 +923,7 @@ static const char *md_config_set_ocsp_renew_window(cmd_parms *cmd, void *dc, con const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } err = md_timeslice_parse(&sc->mc->ocsp_renew_window, cmd->pool, value, MD_TIME_LIFE_NORM); 
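Review bot: md_config_set_server_status, md_config_set_certificate_status, md_config_set_ocsp_keep_window and md_config_set_ocsp_renew_window are gated with `MD_LOC_ALL`, so they are accepted inside an MDomain section, yet all four write to `sc->mc->...`, which is module-wide and not tied to the section's domain; an operator who places one of them inside a single section gets a global effect and no warning. This is pre-existing (the old `!inside_md_section(cmd) && GLOBAL_ONLY` form allowed it as well), but the new explicit flag is the place to decide: use `MD_LOC_NOT_MD` for these four if per-domain placement is not meant, or add a comment such as `/* accepted inside <MDomain> for compatibility; the value is module-wide, not per domain */` above each check.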
@@ -907,7 +942,7 @@ static const char *md_config_set_cert_check(cmd_parms *cmd, void *dc, const char *err; (void)dc; - if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { + if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) { return err; } sc->mc->cert_check_name = name; @@ -918,11 +953,11 @@ static const char *md_config_set_cert_check(cmd_parms *cmd, void *dc, static const char *md_config_set_activation_delay(cmd_parms *cmd, void *mconfig, const char *arg) { md_srv_conf_t *sc = md_config_get(cmd->server); - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + const char *err; apr_interval_time_t delay; (void)mconfig; - if (err) { + if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) { return err; } if (md_duration_parse(&delay, arg, "d") != APR_SUCCESS) { @@ -941,6 +976,8 @@ const command_rec md_cmds[] = { "A list of challenge types to be used."), AP_INIT_TAKE1("MDCertificateProtocol", md_config_set_ca_proto, NULL, RSRC_CONF, "Protocol used to obtain/renew certificates"), + AP_INIT_TAKE1("MDContactEmail", md_config_set_contact, NULL, RSRC_CONF, + "Email address used for account registration"), AP_INIT_TAKE1("MDDriveMode", md_config_set_renew_mode, NULL, RSRC_CONF, "deprecated, older name for MDRenewMode"), AP_INIT_TAKE1("MDRenewMode", md_config_set_renew_mode, NULL, RSRC_CONF, @@ -972,7 +1009,7 @@ const command_rec md_cmds[] = { "the directory for file system storage of managed domain data."), AP_INIT_TAKE1("MDRenewWindow", md_config_set_renew_window, NULL, RSRC_CONF, "Time length for renewal before certificate expires (defaults to days)."), - AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF, + AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF|OR_AUTHCFG, "Redirect non-secure requests to the https: equivalent."), AP_INIT_RAW_ARGS("MDNotifyCmd", md_config_set_notify_cmd, NULL, RSRC_CONF, "Set the command to run when signup/renew of domain is complete."), 
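Review bot: Giving MDRequireHttps `RSRC_CONF|OR_AUTHCFG` lets the core accept it from `.htaccess` files under `AllowOverride AuthConfig`, but md_config_set_require_https still writes `md_config_get(cmd->server)->require_https` and ignores `dc`, and the shared md_conf_check_location only forbids `<Directory>`/`<Location>`; as far as this diff shows, a per-directory file would then modify the server-wide setting at request time from a request thread, which is both a race and a way for anyone allowed to edit a .htaccess to toggle the vhost's HTTPS requirement. If per-directory use is intended it needs a real per-dir config; otherwise add `NOT_IN_HTACCESS` to the common gate, `return ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_HTACCESS);`, so the relaxed override cannot reach a handler that writes server config. Whether mod_md registers a per-dir config creator is not visible here, so please confirm.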
@@ -1065,6 +1102,8 @@ const char *md_config_gets(const md_srv_conf_t *sc, md_config_var_t var) switch (var) { case MD_CONFIG_CA_URL: return sc->ca_url? sc->ca_url : defconf.ca_url; + case MD_CONFIG_CA_CONTACT: + return sc->ca_contact? sc->ca_contact : defconf.ca_contact; case MD_CONFIG_CA_PROTO: return sc->ca_proto? sc->ca_proto : defconf.ca_proto; case MD_CONFIG_BASE_DIR: diff --git a/modules/md/mod_md_config.h b/modules/md/mod_md_config.h index 0f1138d9b34..2be0f68d303 100644 --- a/modules/md/mod_md_config.h +++ b/modules/md/mod_md_config.h @@ -25,6 +25,7 @@ struct md_pkey_spec_t; typedef enum { MD_CONFIG_CA_URL, + MD_CONFIG_CA_CONTACT, MD_CONFIG_CA_PROTO, MD_CONFIG_BASE_DIR, MD_CONFIG_CA_AGREEMENT, @@ -85,6 +86,7 @@ typedef struct md_srv_conf_t { md_timeslice_t *warn_window; /* time before expiration that warning are sent out */ const char *ca_url; /* url of CA certificate service */ + const char *ca_contact; /* contact email registered to account */ const char *ca_proto; /* protocol used vs CA (e.g. ACME) */ const char *ca_agreement; /* accepted agreement uri between CA and user */ struct apr_array_header_t *ca_challenges; /* challenge types configured */ diff --git a/modules/md/mod_md_ocsp.c b/modules/md/mod_md_ocsp.c index 655697140d0..fcc0a98160c 100644 --- a/modules/md/mod_md_ocsp.c +++ b/modules/md/mod_md_ocsp.c @@ -62,7 +62,7 @@ apr_status_t md_ocsp_init_stapling_status(server_rec *s, apr_pool_t *p, sc = md_config_get(s); if (!staple_here(sc)) goto declined; - md = ((sc->assigned || sc->assigned->nelts == 1)? + md = ((sc->assigned && sc->assigned->nelts == 1)? APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL); rv = md_ocsp_prime(sc->mc->ocsp, md_cert_wrap(p, cert), md_cert_wrap(p, issuer), md); 
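Review bot: With the corrected `sc->assigned && sc->assigned->nelts == 1` in md_ocsp_init_stapling_status, `md` is NULL both when no MD is assigned and when several match, and md_ocsp_prime() is then called with a NULL md without any log distinguishing the two; the second case is the "responsible MDomain is not clear" situation from the changelog and deserves at least an APLOG_DEBUG naming `s->server_hostname` and `sc->assigned->nelts`. The fix also removes a NULL dereference that the old `||` form performed when `sc->assigned` was NULL, which a one-line comment above the assignment could record. The function continues outside the hunk.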
@@ -85,7 +85,7 @@ apr_status_t md_ocsp_get_stapling_status(unsigned char **pder, int *pderlen, sc = md_config_get(s); if (!staple_here(sc)) goto declined; - md = ((sc->assigned || sc->assigned->nelts == 1)? + md = ((sc->assigned && sc->assigned->nelts == 1)? APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL); ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "get stapling for: %s", md? md->name : s->server_hostname); diff --git a/modules/md/mod_md_os.c b/modules/md/mod_md_os.c index 1291863d153..06a5beec056 100644 --- a/modules/md/mod_md_os.c +++ b/modules/md/mod_md_os.c @@ -25,9 +25,6 @@ #if APR_HAVE_UNISTD_H #include #endif -#ifdef WIN32 -#include "mpm_winnt.h" -#endif #if AP_NEED_SET_MUTEX_PERMS #include "unixd.h" #endif -- 2.47.3