Posted to cvs@httpd.apache.org by ic...@apache.org on 2018/06/29 10:52:07 UTC
svn commit: r1834667 - in /httpd/httpd/trunk: CHANGES modules/md/md_crypt.c
modules/md/md_version.h modules/md/mod_md.c
Author: icing
Date: Fri Jun 29 10:52:07 2018
New Revision: 1834667
URL: http://svn.apache.org/viewvc?rev=1834667&view=rev
Log:
mod_md: more robust handling of http-01 challenges and hands-off when the module
should not be involved, e.g. a challenge set up by another ACME client.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/md/md_crypt.c
httpd/httpd/trunk/modules/md/md_version.h
httpd/httpd/trunk/modules/md/mod_md.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1834667&r1=1834666&r2=1834667&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Jun 29 10:52:07 2018
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md: more robust handling of http-01 challenges and hands-off when module
+ should not be involved, e.g. challenge setup by another ACME client. [Stefan Eissing]
+
*) core: Re-allow '_' (underscore) in hostnames.
[Eric Covener]
Modified: httpd/httpd/trunk/modules/md/md_crypt.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_crypt.c?rev=1834667&r1=1834666&r2=1834667&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_crypt.c (original)
+++ httpd/httpd/trunk/modules/md/md_crypt.c Fri Jun 29 10:52:07 2018
@@ -50,6 +50,13 @@
#include <process.h>
#endif
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2080000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
static int initialized;
struct md_pkey_t {
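Review bot: The new `#else` branch, `#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)`, is only meaningful if an OpenSSL header has already been included above this point in md_crypt.c; if `OPENSSL_VERSION_NUMBER` is not yet defined where the macro is later expanded, the preprocessor evaluates it as 0 and `0 < 0x10100000L` silently selects the pre-1.1 API path. I cannot see the includes above the hunk, so this may already hold, but a guard makes the dependency explicit: `#ifndef OPENSSL_VERSION_NUMBER` / `#error "include <openssl/opensslv.h> before defining MD_USE_OPENSSL_PRE_1_1_API"` / `#endif` placed just before the new block. The comment `/* Missing from LibreSSL */` does not say what is missing; something like `/* LibreSSL's OPENSSL_VERSION_NUMBER is not comparable with OpenSSL's, so decide by its own version */` would explain why the two branches exist.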
@@ -471,8 +478,8 @@ apr_status_t md_pkey_gen(md_pkey_t **ppk
}
}
-#if MODSSL_USE_OPENSSL_PRE_1_1_API || (defined(LIBRESSL_VERSION_NUMBER) && \
- LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#if MD_USE_OPENSSL_PRE_1_1_API || (defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER < 0x2070000f)
#ifndef NID_tlsfeature
#define NID_tlsfeature 1020
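Review bot: With `MD_USE_OPENSSL_PRE_1_1_API` now defined as `LIBRESSL_VERSION_NUMBER < 0x2080000f` whenever LibreSSL is in use (earlier hunk in this file), the trailing `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)` on the rewritten `#if` is subsumed by the macro and can be dropped, leaving `#if MD_USE_OPENSSL_PRE_1_1_API`. If the old mod_ssl macro evaluated false for LibreSSL 2.7.x, this is also a behaviour change for those releases, which now take the branch through the `< 0x2080000f` bound; that looks intended given the `NID_tlsfeature` fallback it guards, but a sentence in the commit log would record it. The `#if` sits at file scope after the closing braces of `md_pkey_gen`, whose body lies outside the hunk.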
Modified: httpd/httpd/trunk/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_version.h?rev=1834667&r1=1834666&r2=1834667&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_version.h (original)
+++ httpd/httpd/trunk/modules/md/md_version.h Fri Jun 29 10:52:07 2018
@@ -27,7 +27,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "1.1.12"
+#define MOD_MD_VERSION "1.1.15"
/**
* @macro
@@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x01010c
+#define MOD_MD_VERSION_NUM 0x01010f
#define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
Modified: httpd/httpd/trunk/modules/md/mod_md.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/mod_md.c?rev=1834667&r1=1834666&r2=1834667&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/mod_md.c (original)
+++ httpd/httpd/trunk/modules/md/mod_md.c Fri Jun 29 10:52:07 2018
@@ -1313,55 +1313,55 @@ static int md_http_challenge_pr(request_
&& !strncmp(ACME_CHALLENGE_PREFIX, r->parsed_uri.path, sizeof(ACME_CHALLENGE_PREFIX)-1)) {
sc = ap_get_module_config(r->server->module_config, &md_module);
if (sc && sc->mc) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+ "access inside /.well-known/acme-challenge for %s%s",
+ r->hostname, r->parsed_uri.path);
configured = (NULL != md_get_by_domain(sc->mc->mds, r->hostname));
- if (r->method_number == M_GET) {
- name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
- reg = sc && sc->mc? sc->mc->reg : NULL;
+ name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
+ reg = sc && sc->mc? sc->mc->reg : NULL;
+
+ if (strlen(name) && !ap_strchr_c(name, '/') && reg) {
+ md_store_t *store = md_reg_store_get(reg);
- r->status = HTTP_NOT_FOUND;
- if (!ap_strchr_c(name, '/') && reg) {
- md_store_t *store = md_reg_store_get(reg);
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Challenge for %s (%s)", r->hostname, r->uri);
+ rv = md_store_load(store, MD_SG_CHALLENGES, r->hostname,
+ MD_FN_HTTP01, MD_SV_TEXT, (void**)&data, r->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
+ "loading challenge for %s (%s)", r->hostname, r->uri);
+ if (APR_SUCCESS == rv) {
+ apr_size_t len = strlen(data);
- rv = md_store_load(store, MD_SG_CHALLENGES, r->hostname,
- MD_FN_HTTP01, MD_SV_TEXT, (void**)&data, r->pool);
- if (APR_SUCCESS == rv) {
- apr_size_t len = strlen(data);
-
- r->status = HTTP_OK;
- apr_table_setn(r->headers_out, "Content-Length", apr_ltoa(r->pool, (long)len));
-
- bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
- apr_brigade_write(bb, NULL, NULL, data, len);
- ap_pass_brigade(r->output_filters, bb);
- apr_brigade_cleanup(bb);
- }
- else if (!configured) {
- /* The request hostname is not for a configured domain. We are not
- * the sole authority here for /.well-known/acme-challenge (see PR62189).
- * So, we decline to handle this and let others step in.
- */
- return DECLINED;
- }
- else if (APR_STATUS_IS_ENOENT(rv)) {
- return HTTP_NOT_FOUND;
- }
- else if (APR_ENOENT != rv) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10081)
- "loading challenge %s from store", name);
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (r->method_number != M_GET) {
+ return HTTP_NOT_IMPLEMENTED;
}
+ /* A GET on a challenge resource for a hostname we are
+ * configured for. Let's send the content back */
+ r->status = HTTP_OK;
+ apr_table_setn(r->headers_out, "Content-Length", apr_ltoa(r->pool, (long)len));
+
+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+ apr_brigade_write(bb, NULL, NULL, data, len);
+ ap_pass_brigade(r->output_filters, bb);
+ apr_brigade_cleanup(bb);
+
+ return DONE;
+ }
+ else if (!configured) {
+ /* The request hostname is not for a configured domain. We are not
+ * the sole authority here for /.well-known/acme-challenge (see PR62189).
+ * So, we decline to handle this and let others step in.
+ */
+ return DECLINED;
+ }
+ else if (APR_STATUS_IS_ENOENT(rv)) {
+ return HTTP_NOT_FOUND;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10081)
+ "loading challenge %s from store", name);
+ return HTTP_INTERNAL_SERVER_ERROR;
}
- return r->status;
- }
- else if (configured) {
- /* See comment above, we prevent any other access only for domains
- * the have been configured for mod_md. */
- return HTTP_NOT_IMPLEMENTED;
}
}
-
}
return DECLINED;
}
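Review bot: `r->hostname` is passed unchecked into `md_get_by_domain`, `md_store_load` and the new TRACE1 log format at the top of the hunk; if I remember the core correctly, an HTTP/1.0 request without a Host header leaves it NULL, and nothing here guards against handing a NULL key to the store. Widening the outer test to `if (sc && sc->mc && r->hostname) {` would route such requests to the final `return DECLINED;` instead. Two smaller points in the new code: `reg = sc && sc->mc? sc->mc->reg : NULL;` re-tests the condition the enclosing `if` just established and can be `reg = sc->mc->reg;`, and `apr_size_t len = strlen(data);` is computed before the `r->method_number != M_GET` check that may return without using it, so moving the method check above the declaration reads cleaner. The enclosing `md_http_challenge_pr` begins before the hunk; the rendering also appears to have dropped two blank context lines, since 53 lines are visible per side against the 55 in the hunk header.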