You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2017/10/04 14:55:26 UTC
svn commit: r1811082 - in /httpd/httpd/trunk: CHANGES
modules/md/md_acme_drive.c modules/md/md_json.c modules/md/md_reg.c
modules/md/md_reg.h modules/md/md_version.h modules/md/mod_md.c
modules/md/mod_md_config.h
Author: icing
Date: Wed Oct 4 14:55:26 2017
New Revision: 1811082
URL: http://svn.apache.org/viewvc?rev=1811082&view=rev
Log:
On the trunk:
mod_md: v0.9.9, fix for applying challenge type based on available ports.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/md/md_acme_drive.c
httpd/httpd/trunk/modules/md/md_json.c
httpd/httpd/trunk/modules/md/md_reg.c
httpd/httpd/trunk/modules/md/md_reg.h
httpd/httpd/trunk/modules/md/md_version.h
httpd/httpd/trunk/modules/md/mod_md.c
httpd/httpd/trunk/modules/md/mod_md_config.h
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Oct 4 14:55:26 2017
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_md: v0.9.9, fix for applying challenge type based on available ports. [Stefan Eissing]
+
*) mod_proxy_uwsgi: New UWSGI mod_proxy (sub)module contributed by unbit.com.
*) mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that
Modified: httpd/httpd/trunk/modules/md/md_acme_drive.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_acme_drive.c?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_acme_drive.c (original)
+++ httpd/httpd/trunk/modules/md/md_acme_drive.c Wed Oct 4 14:55:26 2017
@@ -632,6 +632,21 @@ static apr_status_t acme_driver_init(md_
return APR_EGENERAL;
}
+ if (!d->can_http) {
+ ad->ca_challenges = md_array_str_remove(d->p, ad->ca_challenges, MD_AUTHZ_TYPE_HTTP01, 0);
+ }
+ if (!d->can_https) {
+ ad->ca_challenges = md_array_str_remove(d->p, ad->ca_challenges, MD_AUTHZ_TYPE_TLSSNI01, 0);
+ }
+
+ if (apr_is_empty_array(ad->ca_challenges)) {
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, d->p, "%s: specific CA challenge methods "
+ "have been configured, but the server is unable to use any of those. "
+ "For 'http-01' it needs to be reachable on port 80, for 'tls-sni-01'"
+ " port 443 is needed.", d->md->name);
+ return APR_EGENERAL;
+ }
+
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, d->p, "%s: init driver", d->md->name);
return rv;
Modified: httpd/httpd/trunk/modules/md/md_json.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_json.c?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_json.c (original)
+++ httpd/httpd/trunk/modules/md/md_json.c Wed Oct 4 14:55:26 2017
@@ -28,7 +28,8 @@
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wunreachable-code"
-#elif defined(__clang__)
+#endif
+#if defined(__clang__)
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wunused-function"
#endif
@@ -40,7 +41,8 @@
#if defined(__GNUC__)
#pragma GCC diagnostic pop
-#elif defined(__clang__)
+#endif
+#if defined(__clang__)
#pragma clang diagnostic pop
#endif
Modified: httpd/httpd/trunk/modules/md/md_reg.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_reg.c?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_reg.c (original)
+++ httpd/httpd/trunk/modules/md/md_reg.c Wed Oct 4 14:55:26 2017
@@ -37,7 +37,6 @@
struct md_reg_t {
struct md_store_t *store;
struct apr_hash_t *protos;
- int was_synched;
int can_http;
int can_https;
const char *proxy_url;
@@ -46,6 +45,27 @@ struct md_reg_t {
/**************************************************************************************************/
/* life cycle */
+static apr_status_t load_props(md_reg_t *reg, apr_pool_t *p)
+{
+ md_json_t *json;
+ apr_status_t rv;
+
+ rv = md_store_load(reg->store, MD_SG_NONE, NULL, MD_FN_HTTPD_JSON,
+ MD_SV_JSON, (void**)&json, p);
+ if (APR_SUCCESS == rv) {
+ if (md_json_has_key(json, MD_KEY_PROTO, MD_KEY_HTTP, NULL)) {
+ reg->can_http = md_json_getb(json, MD_KEY_PROTO, MD_KEY_HTTP, NULL);
+ }
+ if (md_json_has_key(json, MD_KEY_PROTO, MD_KEY_HTTPS, NULL)) {
+ reg->can_https = md_json_getb(json, MD_KEY_PROTO, MD_KEY_HTTPS, NULL);
+ }
+ }
+ else if (APR_STATUS_IS_ENOENT(rv)) {
+ rv = APR_SUCCESS;
+ }
+ return rv;
+}
+
apr_status_t md_reg_init(md_reg_t **preg, apr_pool_t *p, struct md_store_t *store,
const char *proxy_url)
{
@@ -58,7 +78,10 @@ apr_status_t md_reg_init(md_reg_t **preg
reg->can_http = 1;
reg->can_https = 1;
reg->proxy_url = proxy_url? apr_pstrdup(p, proxy_url) : NULL;
- rv = md_acme_protos_add(reg->protos, p);
+
+ if (APR_SUCCESS == (rv = md_acme_protos_add(reg->protos, p))) {
+ rv = load_props(reg, p);
+ }
*preg = (rv == APR_SUCCESS)? reg : NULL;
return rv;
@@ -618,34 +641,21 @@ static int find_changes(void *baton, md_
return 1;
}
-static apr_status_t load_props(md_reg_t *reg, apr_pool_t *p)
+apr_status_t md_reg_set_props(md_reg_t *reg, apr_pool_t *p, int can_http, int can_https)
{
- md_json_t *json;
- apr_status_t rv;
-
- rv = md_store_load(reg->store, MD_SG_NONE, NULL, MD_FN_HTTPD_JSON,
- MD_SV_JSON, (void**)&json, p);
- if (APR_SUCCESS == rv) {
- if (md_json_has_key(json, MD_KEY_PROTO, MD_KEY_HTTP, NULL)) {
- reg->can_http = md_json_getb(json, MD_KEY_PROTO, MD_KEY_HTTP, NULL);
- }
- if (md_json_has_key(json, MD_KEY_PROTO, MD_KEY_HTTPS, NULL)) {
- reg->can_https = md_json_getb(json, MD_KEY_PROTO, MD_KEY_HTTPS, NULL);
- }
- }
- else if (APR_STATUS_IS_ENOENT(rv)) {
- rv = APR_SUCCESS;
+ if (reg->can_http != can_http || reg->can_https != can_https) {
+ md_json_t *json;
+
+ reg->can_http = can_http;
+ reg->can_https = can_https;
+
+ json = md_json_create(p);
+ md_json_setb(can_http, json, MD_KEY_PROTO, MD_KEY_HTTP, NULL);
+ md_json_setb(can_https, json, MD_KEY_PROTO, MD_KEY_HTTPS, NULL);
+
+ return md_store_save(reg->store, p, MD_SG_NONE, NULL, MD_FN_HTTPD_JSON, MD_SV_JSON, json, 0);
}
- return rv;
-}
-
-static apr_status_t sync_props(md_reg_t *reg, apr_pool_t *p, int can_http, int can_https)
-{
- md_json_t *json = md_json_create(p);
- md_json_setb(can_http, json, MD_KEY_PROTO, MD_KEY_HTTP, NULL);
- md_json_setb(can_https, json, MD_KEY_PROTO, MD_KEY_HTTPS, NULL);
-
- return md_store_save(reg->store, p, MD_SG_NONE, NULL, MD_FN_HTTPD_JSON, MD_SV_JSON, json, 0);
+ return APR_SUCCESS;
}
/**
@@ -665,19 +675,12 @@ static apr_status_t sync_props(md_reg_t
* c. compare MD acme url/protocol, update if changed
*/
apr_status_t md_reg_sync(md_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp,
- apr_array_header_t *master_mds, int can_http, int can_https)
+ apr_array_header_t *master_mds)
{
sync_ctx ctx;
md_store_t *store = reg->store;
apr_status_t rv;
- if (APR_SUCCESS != (rv = sync_props(reg, ptemp, can_http, can_https))) {
- reg->was_synched = 0;
- return rv;
- }
-
- reg->was_synched = 1;
-
ctx.p = ptemp;
ctx.conf_mds = master_mds;
ctx.store_mds = apr_array_make(ptemp, 100, sizeof(md_t *));
@@ -843,20 +846,16 @@ static apr_status_t init_proto_driver(md
/* If this registry instance was not synched before (and obtained server
* properties that way), read them from the store.
*/
- if (reg->was_synched
- || APR_SUCCESS == (rv = load_props(reg, p))) {
-
- driver->proto = proto;
- driver->p = p;
- driver->challenge = challenge;
- driver->can_http = reg->can_http;
- driver->can_https = reg->can_https;
- driver->reg = reg;
- driver->store = md_reg_store_get(reg);
- driver->proxy_url = reg->proxy_url;
- driver->md = md;
- driver->reset = reset;
- }
+ driver->proto = proto;
+ driver->p = p;
+ driver->challenge = challenge;
+ driver->can_http = reg->can_http;
+ driver->can_https = reg->can_https;
+ driver->reg = reg;
+ driver->store = md_reg_store_get(reg);
+ driver->proxy_url = reg->proxy_url;
+ driver->md = md;
+ driver->reset = reset;
return rv;
}
Modified: httpd/httpd/trunk/modules/md/md_reg.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_reg.h?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_reg.h (original)
+++ httpd/httpd/trunk/modules/md/md_reg.h Wed Oct 4 14:55:26 2017
@@ -37,6 +37,8 @@ apr_status_t md_reg_init(md_reg_t **preg
struct md_store_t *md_reg_store_get(md_reg_t *reg);
+apr_status_t md_reg_set_props(md_reg_t *reg, apr_pool_t *p, int can_http, int can_https);
+
/**
* Add a new md to the registry. This will check the name for uniqueness and
* that domain names do not overlap with already existing mds.
@@ -119,7 +121,7 @@ apr_status_t md_reg_get_cred_files(md_re
* Synchronise the give master mds with the store.
*/
apr_status_t md_reg_sync(md_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp,
- apr_array_header_t *master_mds, int can_http, int can_https);
+ apr_array_header_t *master_mds);
/**************************************************************************************************/
/* protocol drivers */
Modified: httpd/httpd/trunk/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_version.h?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_version.h (original)
+++ httpd/httpd/trunk/modules/md/md_version.h Wed Oct 4 14:55:26 2017
@@ -26,7 +26,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "0.9.7-git"
+#define MOD_MD_VERSION "0.9.9"
/**
* @macro
@@ -34,7 +34,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x000907
+#define MOD_MD_VERSION_NUM 0x000909
#define MD_EXPERIMENTAL 0
#define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
Modified: httpd/httpd/trunk/modules/md/mod_md.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/mod_md.c?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/mod_md.c (original)
+++ httpd/httpd/trunk/modules/md/mod_md.c Wed Oct 4 14:55:26 2017
@@ -415,55 +415,55 @@ static apr_status_t check_group_dir(md_s
return rv;
}
-static apr_status_t setup_store(md_mod_conf_t *mc, apr_pool_t *p, server_rec *s,
- int post_config)
+static apr_status_t setup_store(md_store_t **pstore, md_mod_conf_t *mc,
+ apr_pool_t *p, server_rec *s)
{
const char *base_dir;
- md_store_t *store;
apr_status_t rv;
base_dir = ap_server_root_relative(p, mc->base_dir);
- if (APR_SUCCESS != (rv = md_store_fs_init(&store, p, base_dir))) {
+ if (APR_SUCCESS != (rv = md_store_fs_init(pstore, p, base_dir))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10046)"setup store for %s", base_dir);
goto out;
}
- if (post_config) {
- md_store_fs_set_event_cb(store, store_file_ev, s);
- if (APR_SUCCESS != (rv = check_group_dir(store, MD_SG_CHALLENGES, p, s))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10047)
- "setup challenges directory");
- goto out;
- }
- if (APR_SUCCESS != (rv = check_group_dir(store, MD_SG_STAGING, p, s))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10048)
- "setup staging directory");
- goto out;
- }
- if (APR_SUCCESS != (rv = check_group_dir(store, MD_SG_ACCOUNTS, p, s))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10049)
- "setup accounts directory");
- goto out;
- }
+ md_store_fs_set_event_cb(*pstore, store_file_ev, s);
+ if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_CHALLENGES, p, s))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10047)
+ "setup challenges directory");
+ goto out;
+ }
+ if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_STAGING, p, s))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10048)
+ "setup staging directory");
+ goto out;
+ }
+ if (APR_SUCCESS != (rv = check_group_dir(*pstore, MD_SG_ACCOUNTS, p, s))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10049)
+ "setup accounts directory");
+ goto out;
}
- mc->store = store;
out:
return rv;
}
-static apr_status_t setup_reg(md_reg_t **preg, apr_pool_t *p, server_rec *s, int post_config)
+static apr_status_t setup_reg(md_reg_t **preg, apr_pool_t *p, server_rec *s,
+ int can_http, int can_https)
{
md_srv_conf_t *sc;
md_mod_conf_t *mc;
+ md_store_t *store;
apr_status_t rv;
sc = md_config_get(s);
mc = sc->mc;
- if (mc->store || APR_SUCCESS == (rv = setup_store(mc, p, s, post_config))) {
- return md_reg_init(preg, p, mc->store, mc->proxy_url);
+ if (APR_SUCCESS == (rv = setup_store(&store, mc, p, s))
+ && APR_SUCCESS == (rv = md_reg_init(preg, p, store, mc->proxy_url))) {
+ mc->reg = *preg;
+ return md_reg_set_props(*preg, p, can_http, can_https);
}
return rv;
}
@@ -896,13 +896,12 @@ static apr_status_t md_post_config(apr_p
mc = sc->mc;
/* Synchronize the defintions we now have with the store via a registry (reg). */
- if (APR_SUCCESS != (rv = setup_reg(®, p, s, 1))) {
+ if (APR_SUCCESS != (rv = setup_reg(®, p, s, mc->can_http, mc->can_https))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10072)
"setup md registry");
goto out;
}
- if (APR_SUCCESS != (rv = md_reg_sync(reg, p, ptemp, mc->mds,
- mc->can_http, mc->can_https))) {
+ if (APR_SUCCESS != (rv = md_reg_sync(reg, p, ptemp, mc->mds))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
"synching %d mds to registry", mc->mds->nelts);
}
@@ -1005,6 +1004,7 @@ static apr_status_t md_get_certificate(s
apr_status_t rv = APR_ENOENT;
md_srv_conf_t *sc;
md_reg_t *reg;
+ md_store_t *store;
const md_t *md;
*pkeyfile = NULL;
@@ -1014,11 +1014,10 @@ static apr_status_t md_get_certificate(s
if (sc && sc->assigned) {
assert(sc->mc);
- assert(sc->mc->store);
- if (APR_SUCCESS != (rv = md_reg_init(®, p, sc->mc->store, sc->mc->proxy_url))) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO() "init registry");
- return rv;
- }
+ reg = sc->mc->reg;
+ assert(reg);
+ store = md_reg_store_get(reg);
+ assert(store);
md = md_reg_get(reg, sc->assigned->name, p);
@@ -1033,12 +1032,12 @@ static apr_status_t md_get_certificate(s
* clients do not get obscure TLS handshake errors or will see a fallback
* virtual host that is not intended to be served here. */
- md_store_get_fname(pkeyfile, sc->mc->store, MD_SG_DOMAINS,
+ md_store_get_fname(pkeyfile, store, MD_SG_DOMAINS,
md->name, MD_FN_FALLBACK_PKEY, p);
- md_store_get_fname(pcertfile, sc->mc->store, MD_SG_DOMAINS,
+ md_store_get_fname(pcertfile, store, MD_SG_DOMAINS,
md->name, MD_FN_FALLBACK_CERT, p);
if (!fexists(*pkeyfile, p) || !fexists(*pcertfile, p)) {
- if (APR_SUCCESS != (rv = setup_fallback_cert(sc->mc->store, md, p))) {
+ if (APR_SUCCESS != (rv = setup_fallback_cert(store, md, p))) {
ap_log_error(APLOG_MARK, APLOG_TRACE1, rv, s,
"%s: setup fallback certificate", md->name);
return rv;
@@ -1077,8 +1076,8 @@ static int md_is_challenge(conn_rec *c,
}
sc = md_config_get(c->base_server);
- if (sc && sc->mc->store) {
- md_store_t *store = sc->mc->store;
+ if (sc && sc->mc->reg) {
+ md_store_t *store = md_reg_store_get(sc->mc->reg);
md_cert_t *mdcert;
md_pkey_t *mdpkey;
@@ -1116,18 +1115,19 @@ static int md_http_challenge_pr(request_
apr_bucket_brigade *bb;
const md_srv_conf_t *sc;
const char *name, *data;
+ md_reg_t *reg;
apr_status_t rv;
if (!strncmp(ACME_CHALLENGE_PREFIX, r->parsed_uri.path, sizeof(ACME_CHALLENGE_PREFIX)-1)) {
if (r->method_number == M_GET) {
- md_store_t *store;
sc = ap_get_module_config(r->server->module_config, &md_module);
- store = sc? sc->mc->store : NULL;
+ reg = sc && sc->mc? sc->mc->reg : NULL;
name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
r->status = HTTP_NOT_FOUND;
- if (!ap_strchr_c(name, '/') && store) {
+ if (!ap_strchr_c(name, '/') && reg) {
+ md_store_t *store = md_reg_store_get(reg);
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Challenge for %s (%s)", r->hostname, r->uri);
@@ -1253,3 +1253,4 @@ static void md_hooks(apr_pool_t *pool)
APR_REGISTER_OPTIONAL_FN(md_get_certificate);
APR_REGISTER_OPTIONAL_FN(md_is_challenge);
}
+
Modified: httpd/httpd/trunk/modules/md/mod_md_config.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/mod_md_config.h?rev=1811082&r1=1811081&r2=1811082&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/mod_md_config.h (original)
+++ httpd/httpd/trunk/modules/md/mod_md_config.h Wed Oct 4 14:55:26 2017
@@ -17,6 +17,7 @@
#define mod_md_md_config_h
struct md_store_t;
+struct md_reg_t;
struct md_pkey_spec_t;
typedef enum {
@@ -39,7 +40,7 @@ typedef struct {
apr_array_header_t *mds; /* all md_t* defined in the config, shared */
const char *base_dir; /* base dir for store */
const char *proxy_url; /* proxy url to use (or NULL) */
- struct md_store_t *store; /* store instance, singleton, shared */
+ struct md_reg_t *reg; /* md registry instance, singleton, shared */
int local_80; /* On which port http:80 arrives */
int local_443; /* On which port https:443 arrives */