You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by do...@apache.org on 2002/03/12 02:40:02 UTC
cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c
dougm 02/03/11 17:40:02
Modified: modules/ssl ssl_engine_kernel.c
Log:
various style fixups / general changes to make code more readable.
Revision Changes Path
1.44 +460 -333 httpd-2.0/modules/ssl/ssl_engine_kernel.c
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- ssl_engine_kernel.c 10 Mar 2002 00:22:07 -0000 1.43
+++ ssl_engine_kernel.c 12 Mar 2002 01:40:02 -0000 1.44
@@ -72,17 +72,16 @@
*/
apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
{
- SSL *ssl;
+ SSL *ssl = filter->pssl;
const char *cpType = "";
conn_rec *conn;
SSLConnRec *sslconn;
- ssl = filter->pssl;
- conn = (conn_rec *)SSL_get_app_data(ssl);
-
- if (ssl == NULL)
+ if (!ssl) {
return APR_SUCCESS;
+ }
+ conn = (conn_rec *)SSL_get_app_data(ssl);
sslconn = myConnConfig(conn);
/*
@@ -152,7 +151,7 @@
"(server %s, client %s)",
conn->id, cpType,
ssl_util_vhostid(conn->pool, conn->base_server),
- conn->remote_ip != NULL ? conn->remote_ip : "unknown");
+ conn->remote_ip ? conn->remote_ip : "unknown");
}
/* deallocate the SSL connection */
@@ -179,16 +178,16 @@
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
- ssl = sslconn->ssl;
- if (ssl != NULL) {
+ if ((ssl = sslconn->ssl)) {
SSL_set_app_data2(ssl, r);
}
/*
* Force the mod_ssl content handler when URL indicates this
*/
- if (strEQn(r->uri, "/mod_ssl:", 9))
+ if (strEQn(r->uri, "/mod_ssl:", 9)) {
r->handler = "mod_ssl:content-handler";
+ }
return DECLINED;
}
@@ -237,19 +236,20 @@
{
SSLConnRec *sslconn = myConnConfig(r->connection);
- if (!sslconn || !sslconn->ssl)
+ if (!(sslconn && sslconn->ssl)) {
return DECLINED;
+ }
/*
* Log information about incoming HTTPS requests
*/
- if (ap_is_initial_req(r) && SSLConnLogApplies(sslconn, SSL_LOG_INFO)) {
+ if (SSLConnLogApplies(sslconn, SSL_LOG_INFO) && ap_is_initial_req(r)) {
ssl_log(r->server, SSL_LOG_INFO,
"%s HTTPS request received for child %d (server %s)",
- r->connection->keepalives <= 0 ?
- "Initial (No.1)" :
- apr_psprintf(r->pool, "Subsequent (No.%d)",
- r->connection->keepalives+1),
+ (r->connection->keepalives <= 0 ?
+ "Initial (No.1)" :
+ apr_psprintf(r->pool, "Subsequent (No.%d)",
+ r->connection->keepalives+1)),
r->connection->id,
ssl_util_vhostid(r->pool, r->server));
}
@@ -269,28 +269,39 @@
*/
int ssl_hook_Handler(request_rec *r)
{
- int port;
- char *thisport;
- char *thisurl;
-
- if (strNE(r->handler, "mod_ssl:content-handler"))
+ if (strNE(r->handler, "mod_ssl:content-handler")) {
return DECLINED;
- if (strNEn(r->uri, "/mod_ssl:", 9))
+ }
+
+ if (strNEn(r->uri, "/mod_ssl:", 9)) {
return DECLINED;
+ }
if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
- thisport = "";
- port = ap_get_server_port(r);
- if (!ap_is_default_port(port, r))
+ const char *errmsg;
+ char *thisurl;
+ char *thisport = "";
+ int port = ap_get_server_port(r);
+
+ if (!ap_is_default_port(port, r)) {
thisport = apr_psprintf(r->pool, ":%u", port);
- thisurl = ap_escape_html(r->pool, apr_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r), thisport));
+ }
+
+ thisurl = ap_escape_html(r->pool,
+ apr_psprintf(r->pool, "https://%s%s/",
+ ap_get_server_name(r),
+ thisport));
+
+ errmsg = apr_psprintf(r->pool,
+ "Reason: You're speaking plain HTTP "
+ "to an SSL-enabled server port.<br />\n"
+ "Instead use the HTTPS scheme to access "
+ "this URL, please.<br />\n"
+ "<blockquote>Hint: "
+ "<a href=\"%s\"><b>%s</b></a></blockquote>",
+ thisurl, thisurl);
- apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool,
- "Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
- "Instead use the HTTPS scheme to access this URL, please.<br />\n"
- "<blockquote>Hint: <a href=\"%s\"><b>%s</b></a></blockquote>",
- thisurl, thisurl));
+ apr_table_setn(r->notes, "error-notes", errmsg);
}
return HTTP_BAD_REQUEST;
@@ -301,66 +312,53 @@
*/
int ssl_hook_Access(request_rec *r)
{
- SSLDirConfigRec *dc;
- SSLSrvConfigRec *sc;
- SSLConnRec *sslconn;
- SSL *ssl;
+ SSLDirConfigRec *dc = myDirConfig(r);
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ SSLConnRec *sslconn = myConnConfig(r->connection);
+ SSL *ssl = sslconn ? sslconn->ssl : NULL;
SSL_CTX *ctx = NULL;
apr_array_header_t *apRequirement;
- ssl_require_t *pRequirements;
- ssl_require_t *pRequirement;
+ ssl_require_t *pRequirements, *pRequirement;
char *cp;
- int ok;
- int i;
- BOOL renegotiate;
- BOOL renegotiate_quick;
+ int ok, i;
+ BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
- BOOL reconfigured_locations;
+ BOOL reconfigured_locations = FALSE;
STACK_OF(X509_NAME) *skCAList;
- char *cpCAPath;
- char *cpCAFile;
+ char *cpCAPath, *cpCAFile;
#endif
X509 *cert;
STACK_OF(X509) *certstack;
X509_STORE *certstore;
X509_STORE_CTX certstorectx;
- int depth;
- STACK_OF(SSL_CIPHER) *skCipherOld;
- STACK_OF(SSL_CIPHER) *skCipher;
- SSL_CIPHER *pCipher;
- int nVerifyOld;
- int nVerify;
- int n;
- int rc;
-
- dc = myDirConfig(r);
- sc = mySrvConfig(r->server);
- sslconn = myConnConfig(r->connection);
- ssl = sslconn ? sslconn->ssl : NULL;
- if (ssl != NULL)
+ STACK_OF(SSL_CIPHER) *skCipherOld, *skCipher = NULL;
+ SSL_CIPHER *pCipher = NULL;
+ int depth, nVerifyOld, nVerify, n;
+
+ if (ssl) {
ctx = SSL_get_SSL_CTX(ssl);
+ }
/*
* Support for SSLRequireSSL directive
*/
- if (dc->bSSLRequired && ssl == NULL) {
+ if (dc->bSSLRequired && !ssl) {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "access to %s failed for %s, reason: %s", r->filename,
- ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL),
- "SSL connection required");
+ "access to %s failed, reason: %s",
+ r->filename, "SSL connection required");
+
/* remember forbidden access for strict require option */
- apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
+ apr_table_setn(r->notes, "ssl-access-forbidden", "1");
+
return HTTP_FORBIDDEN;
}
/*
* Check to see if SSL protocol is on
*/
- if (!sc->bEnabled)
- return DECLINED;
- if (ssl == NULL)
+ if (!(sc->bEnabled || ssl)) {
return DECLINED;
-
+ }
/*
* Support for per-directory reconfigured SSL connection parameters.
*
@@ -381,11 +379,6 @@
* the reconfigured parameter suite is stronger (more restrictions) than
* the currently active one.
*/
- renegotiate = FALSE;
- renegotiate_quick = FALSE;
-#ifdef SSL_EXPERIMENTAL_PERDIRCA
- reconfigured_locations = FALSE;
-#endif
/*
* Override of SSLCipherSuite
@@ -408,60 +401,91 @@
* has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
* implicit optimizations.
*/
- if (dc->szCipherSuite != NULL) {
+ if (dc->szCipherSuite) {
/* remember old state */
- pCipher = NULL;
- skCipherOld = NULL;
- if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
+
+ if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
pCipher = SSL_get_current_cipher(ssl);
+ }
else {
skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
- if (skCipherOld != NULL)
+
+ if (skCipherOld) {
skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
+ }
}
+
/* configure new state */
if (!SSL_set_cipher_list(ssl, dc->szCipherSuite)) {
ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
- "Unable to reconfigure (per-directory) permitted SSL ciphers");
- if (skCipherOld != NULL)
+ "Unable to reconfigure (per-directory) "
+ "permitted SSL ciphers");
+
+ if (skCipherOld) {
sk_SSL_CIPHER_free(skCipherOld);
+ }
+
return HTTP_FORBIDDEN;
}
+
/* determine whether a renegotiation has to be forced */
skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
+
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
/* optimized way */
- if ((pCipher == NULL && skCipher != NULL) ||
- (pCipher != NULL && skCipher == NULL) )
+ if ((!pCipher && skCipher) ||
+ (pCipher && !skCipher))
+ {
renegotiate = TRUE;
- else if (pCipher != NULL && skCipher != NULL
- && sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+ }
+ else if (pCipher && skCipher &&
+ (sk_SSL_CIPHER_find(skCipher, pCipher) < 0))
+ {
renegotiate = TRUE;
}
}
else {
/* paranoid way */
- if ((skCipherOld == NULL && skCipher != NULL) ||
- (skCipherOld != NULL && skCipher == NULL) )
+ if ((!skCipherOld && skCipher) ||
+ (skCipherOld && !skCipher))
+ {
renegotiate = TRUE;
- else if (skCipherOld != NULL && skCipher != NULL) {
- for (n = 0; !renegotiate && n < sk_SSL_CIPHER_num(skCipher); n++) {
- if (sk_SSL_CIPHER_find(skCipherOld, sk_SSL_CIPHER_value(skCipher, n)) < 0)
+ }
+ else if (skCipherOld && skCipher) {
+ for (n = 0;
+ !renegotiate && (n < sk_SSL_CIPHER_num(skCipher));
+ n++)
+ {
+ SSL_CIPHER *value = sk_SSL_CIPHER_value(skCipher, n);
+
+ if (sk_SSL_CIPHER_find(skCipherOld, value) < 0) {
renegotiate = TRUE;
+ }
}
- for (n = 0; !renegotiate && n < sk_SSL_CIPHER_num(skCipherOld); n++) {
- if (sk_SSL_CIPHER_find(skCipher, sk_SSL_CIPHER_value(skCipherOld, n)) < 0)
+
+ for (n = 0;
+ !renegotiate && (n < sk_SSL_CIPHER_num(skCipherOld));
+ n++)
+ {
+ SSL_CIPHER *value = sk_SSL_CIPHER_value(skCipherOld, n);
+
+ if (sk_SSL_CIPHER_find(skCipher, value) < 0) {
renegotiate = TRUE;
+ }
}
}
}
+
/* cleanup */
- if (skCipherOld != NULL)
+ if (skCipherOld) {
sk_SSL_CIPHER_free(skCipherOld);
+ }
+
/* tracing */
- if (renegotiate)
+ if (renegotiate) {
ssl_log(r->server, SSL_LOG_TRACE,
"Reconfigured cipher suite will force renegotiation");
+ }
}
/*
@@ -486,7 +510,8 @@
if (dc->nVerifyDepth < n) {
renegotiate = TRUE;
ssl_log(r->server, SSL_LOG_TRACE,
- "Reduced client verification depth will force renegotiation");
+ "Reduced client verification depth "
+ "will force renegotiation");
}
}
@@ -509,29 +534,44 @@
nVerifyOld = SSL_get_verify_mode(ssl);
/* configure new state */
nVerify = SSL_VERIFY_NONE;
- if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE)
- nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- if ( (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL)
- || (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )
+
+ if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
+ nVerify |= SSL_VERIFY_PEER_STRICT;
+ }
+
+ if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
+ (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
+ {
nVerify |= SSL_VERIFY_PEER;
+ }
+
SSL_set_verify(ssl, nVerify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
+
/* determine whether we've to force a renegotiation */
if (nVerify != nVerifyOld) {
- if ( ( (nVerifyOld == SSL_VERIFY_NONE)
- && (nVerify != SSL_VERIFY_NONE))
- || ( !(nVerifyOld & SSL_VERIFY_PEER)
- && (nVerify & SSL_VERIFY_PEER))
- || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) {
+ if (((nVerifyOld == SSL_VERIFY_NONE) &&
+ (nVerify != SSL_VERIFY_NONE)) ||
+
+ (!(nVerifyOld & SSL_VERIFY_PEER) &&
+ (nVerify & SSL_VERIFY_PEER)) ||
+
+ (!(nVerifyOld & SSL_VERIFY_PEER_STRICT) &&
+ (nVerify & SSL_VERIFY_PEER_STRICT)))
+ {
renegotiate = TRUE;
/* optimization */
- if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE
- && nVerifyOld == SSL_VERIFY_NONE
- && SSL_get_peer_certificate(ssl) != NULL)
+
+ if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
+ (nVerifyOld == SSL_VERIFY_NONE) &&
+ SSL_get_peer_certificate(ssl))
+ {
renegotiate_quick = TRUE;
+ }
+
ssl_log(r->server, SSL_LOG_TRACE,
- "Changed client verification type will force %srenegotiation",
+ "Changed client verification type "
+ "will force %srenegotiation",
renegotiate_quick ? "quick " : "");
}
}
@@ -547,19 +587,25 @@
* OpenSSL provides a SSL_load_verify_locations() function we've no other
* chance to provide this functionality...
*/
+
#ifdef SSL_EXPERIMENTAL_PERDIRCA
- if ( ( dc->szCACertificateFile != NULL
- && ( sc->szCACertificateFile == NULL
- || ( sc->szCACertificateFile != NULL
- && strNE(dc->szCACertificateFile, sc->szCACertificateFile))))
- || ( dc->szCACertificatePath != NULL
- && ( sc->szCACertificatePath == NULL
- || ( sc->szCACertificatePath != NULL
- && strNE(dc->szCACertificatePath, sc->szCACertificatePath)))) ) {
- cpCAFile = dc->szCACertificateFile != NULL ?
- dc->szCACertificateFile : sc->szCACertificateFile;
- cpCAPath = dc->szCACertificatePath != NULL ?
- dc->szCACertificatePath : sc->szCACertificatePath;
+ /*
+ * check if per-dir and per-server config field are not the same.
+ * if f is defined in per-dir and not defined in per-server
+ * or f is defined in both but not the equal ...
+ */
+#define MODSSL_CFG_NE(f) \
+ (dc->f && (!sc->f || (sc->f && strNE(dc->f, sc->f))))
+
+ if (MODSSL_CFG_NE(szCACertificateFile) ||
+ MODSSL_CFG_NE(szCACertificatePath))
+ {
+ cpCAFile = dc->szCACertificateFile ?
+ dc->szCACertificateFile : sc->szCACertificateFile;
+
+ cpCAPath = dc->szCACertificatePath ?
+ dc->szCACertificatePath : sc->szCACertificatePath;
+
/*
FIXME: This should be...
if (!SSL_load_verify_locations(ssl, cpCAFile, cpCAPath)) {
@@ -569,20 +615,27 @@
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"for client authentication");
+
return HTTP_FORBIDDEN;
}
- if ((skCAList = ssl_init_FindCAList(r->server, r->pool,
- cpCAFile, cpCAPath)) == NULL) {
+
+ if (!(skCAList = ssl_init_FindCAList(r->server, r->pool,
+ cpCAFile, cpCAPath)))
+ {
ssl_log(r->server, SSL_LOG_ERROR,
"Unable to determine list of available "
"CA certificates for client authentication");
+
return HTTP_FORBIDDEN;
}
+
SSL_set_client_CA_list(ssl, skCAList);
renegotiate = TRUE;
reconfigured_locations = TRUE;
+
ssl_log(r->server, SSL_LOG_TRACE,
- "Changed client verification locations will force renegotiation");
+ "Changed client verification locations "
+ "will force renegotiation");
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
@@ -646,9 +699,11 @@
*
* !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !!
*/
- if (renegotiate && r->method_number == M_POST) {
+ if (renegotiate && (r->method_number == M_POST)) {
ssl_log(r->server, SSL_LOG_ERROR,
- "SSL Re-negotiation in conjunction with POST method not supported!");
+ "SSL Re-negotiation in conjunction "
+ "with POST method not supported!");
+
return HTTP_METHOD_NOT_ALLOWED;
}
@@ -669,57 +724,74 @@
*/
ssl_log(r->server, SSL_LOG_INFO,
"Requesting connection re-negotiation");
+
if (renegotiate_quick) {
/* perform just a manual re-verification of the peer */
ssl_log(r->server, SSL_LOG_TRACE,
"Performing quick renegotiation: "
"just re-verifying the peer");
- certstore = SSL_CTX_get_cert_store(ctx);
- if (certstore == NULL) {
+
+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
ssl_log(r->server, SSL_LOG_ERROR,
"Cannot find certificate storage");
+
return HTTP_FORBIDDEN;
}
+
certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
- if (certstack == NULL || sk_X509_num(certstack) == 0) {
+
+ if (!certstack || (sk_X509_num(certstack) == 0)) {
ssl_log(r->server, SSL_LOG_ERROR,
"Cannot find peer certificate chain");
+
return HTTP_FORBIDDEN;
}
+
cert = sk_X509_value(certstack, 0);
X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack);
depth = SSL_get_verify_depth(ssl);
- if (depth >= 0)
+
+ if (depth >= 0) {
X509_STORE_CTX_set_depth(&certstorectx, depth);
+ }
+
X509_STORE_CTX_set_ex_data(&certstorectx,
- SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl);
- if (!X509_verify_cert(&certstorectx))
+ SSL_get_ex_data_X509_STORE_CTX_idx(),
+ (char *)ssl);
+
+ if (!X509_verify_cert(&certstorectx)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Re-negotiation verification step failed");
+ }
+
SSL_set_verify_result(ssl, certstorectx.error);
X509_STORE_CTX_cleanup(&certstorectx);
}
else {
+ request_rec *id = r->main ? r->main : r;
+
/* do a full renegotiation */
ssl_log(r->server, SSL_LOG_TRACE,
"Performing full renegotiation: "
"complete handshake protocol");
- if (r->main != NULL)
- SSL_set_session_id_context(ssl, (unsigned char *)&(r->main),
- sizeof(r->main));
- else
- SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r));
- /* will need to push to / pull from filters to renegotiate */
+
+ SSL_set_session_id_context(ssl,
+ (unsigned char *)&id,
+ sizeof(id));
+
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation request failed");
+
return HTTP_FORBIDDEN;
}
+
ssl_log(r->server, SSL_LOG_INFO,
"Awaiting re-negotiation handshake");
+
SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl);
@@ -727,6 +799,7 @@
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: "
"Not accepted by client!?");
+
return HTTP_FORBIDDEN;
}
}
@@ -734,7 +807,7 @@
/*
* Remember the peer certificate's DN
*/
- if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
+ if ((cert = SSL_get_peer_certificate(ssl))) {
sslconn->client_cert = cert;
sslconn->client_dn = NULL;
}
@@ -743,16 +816,21 @@
* Finally check for acceptable renegotiation results
*/
if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
- if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE
- && SSL_get_verify_result(ssl) != X509_V_OK ) {
+ BOOL verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
+
+ if (verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
ssl_log(r->server, SSL_LOG_ERROR,
- "Re-negotiation handshake failed: Client verification failed");
+ "Re-negotiation handshake failed: "
+ "Client verification failed");
+
return HTTP_FORBIDDEN;
}
- if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE
- && SSL_get_peer_certificate(ssl) == NULL ) {
+
+ if (verify && !SSL_get_peer_certificate(ssl)) {
ssl_log(r->server, SSL_LOG_ERROR,
- "Re-negotiation handshake failed: Client certificate missing");
+ "Re-negotiation handshake failed: "
+ "Client certificate missing");
+
return HTTP_FORBIDDEN;
}
}
@@ -767,10 +845,13 @@
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (renegotiate && reconfigured_locations) {
if (!SSL_CTX_load_verify_locations(ctx,
- sc->szCACertificateFile, sc->szCACertificatePath)) {
+ sc->szCACertificateFile,
+ sc->szCACertificatePath))
+ {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"to per-server configuration parameters");
+
return HTTP_FORBIDDEN;
}
}
@@ -781,32 +862,45 @@
*/
apRequirement = dc->aRequirement;
pRequirements = (ssl_require_t *)apRequirement->elts;
+
for (i = 0; i < apRequirement->nelts; i++) {
pRequirement = &pRequirements[i];
ok = ssl_expr_exec(r, pRequirement->mpExpr);
+
if (ok < 0) {
- cp = apr_psprintf(r->pool, "Failed to execute SSL requirement expression: %s",
+ cp = apr_psprintf(r->pool,
+ "Failed to execute "
+ "SSL requirement expression: %s",
ssl_expr_get_error());
+
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "access to %s failed for %s, reason: %s", r->filename,
- ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL), cp);
+ "access to %s failed, reason: %s",
+ r->filename, cp);
+
/* remember forbidden access for strict require option */
- apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
+ apr_table_setn(r->notes, "ssl-access-forbidden", "1");
+
return HTTP_FORBIDDEN;
}
+
if (ok != 1) {
ssl_log(r->server, SSL_LOG_INFO,
- "Access to %s denied for %s (requirement expression not fulfilled)",
+ "Access to %s denied for %s "
+ "(requirement expression not fulfilled)",
r->filename, r->connection->remote_ip);
+
ssl_log(r->server, SSL_LOG_INFO,
"Failed expression: %s", pRequirement->cpExpr);
+
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "access to %s failed for %s, reason: %s", r->filename,
- ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL),
- "SSL requirement expression not fulfilled "
- "(see SSL logfile for more details)");
+ "access to %s failed, reason: %s",
+ r->filename,
+ "SSL requirement expression not fulfilled "
+ "(see SSL logfile for more details)");
+
/* remember forbidden access for strict require option */
- apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1);
+ apr_table_setn(r->notes, "ssl-access-forbidden", "1");
+
return HTTP_FORBIDDEN;
}
}
@@ -817,8 +911,8 @@
* of OK, because mod_auth and other modules still might want to
* deny access.
*/
- rc = DECLINED;
- return rc;
+
+ return DECLINED;
}
/*
@@ -837,17 +931,17 @@
SSLDirConfigRec *dc = myDirConfig(r);
char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN];
char *clientdn;
- const char *cpAL;
- const char *cpUN;
- const char *cpPW;
+ const char *cpAL, *cpUN, *cpPW;
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
- if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
- && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL))
+ if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) &&
+ (apr_table_get(r->notes, "ssl-access-forbidden")))
+ {
return HTTP_FORBIDDEN;
+ }
/*
* Make sure the user is not able to fake the client certificate
@@ -855,32 +949,35 @@
* ("/XX=YYY/XX=YYY/..") as the username and "password" as the
* password.
*/
- if ((cpAL = apr_table_get(r->headers_in, "Authorization")) != NULL) {
+ if ((cpAL = apr_table_get(r->headers_in, "Authorization"))) {
if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) {
- while (*cpAL == ' ' || *cpAL == '\t')
+ while ((*cpAL == ' ') || (*cpAL == '\t')) {
cpAL++;
+ }
+
cpAL = ap_pbase64decode(r->pool, cpAL);
cpUN = ap_getword_nulls(r->pool, &cpAL, ':');
cpPW = cpAL;
- if (cpUN[0] == '/' && strEQ(cpPW, "password"))
+
+ if ((cpUN[0] == '/') && strEQ(cpPW, "password")) {
return HTTP_FORBIDDEN;
+ }
}
}
/*
* We decline operation in various situations...
+ * - SSLOptions +FakeBasicAuth not configured
+ * - r->user already authenticated
+ * - ssl not enabled
+ * - client did not present a certificate
*/
- if (!sc->bEnabled)
- return DECLINED;
- if (sslconn->ssl == NULL)
- return DECLINED;
- if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH))
- return DECLINED;
- if (r->user)
- return DECLINED;
- if (sslconn->client_cert == NULL)
+ if (!(sc->bEnabled && sslconn->ssl && sslconn->client_cert) ||
+ !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
+ {
return DECLINED;
-
+ }
+
if (!sslconn->client_dn) {
X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
char *cp = X509_NAME_oneline(name, NULL, 0);
@@ -903,8 +1000,10 @@
*/
apr_snprintf(b1, sizeof(b1), "%s:password", clientdn);
ssl_util_uuencode(b2, b1, FALSE);
+
apr_snprintf(b1, sizeof(b1), "Basic %s", b2);
apr_table_set(r->headers_in, "Authorization", b1);
+
ssl_log(r->server, SSL_LOG_INFO,
"Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
@@ -920,9 +1019,11 @@
* Additionally forbid access (again)
* when strict require option is used.
*/
- if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE)
- && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL))
+ if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) &&
+ (apr_table_get(r->notes, "ssl-access-forbidden")))
+ {
return HTTP_FORBIDDEN;
+ }
return DECLINED;
}
@@ -1018,8 +1119,7 @@
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *e = r->subprocess_env;
- char *var;
- char *val = "";
+ char *var, *val = "";
STACK_OF(X509) *sk;
SSL *ssl;
int i;
@@ -1027,23 +1127,24 @@
/*
* Check to see if SSL is on
*/
- if (!sc->bEnabled)
- return DECLINED;
- if ((ssl = sslconn->ssl) == NULL)
+ if (!(sc->bEnabled || (sslconn && (ssl = sslconn->ssl)))) {
return DECLINED;
+ }
/*
* Annotate the SSI/CGI environment with standard SSL information
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
- apr_table_set(e, "HTTPS", "on");
+ apr_table_setn(e, "HTTPS", "on");
+
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
- for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
+ for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
- if (!strIsEmpty(val))
+ if (!strIsEmpty(val)) {
apr_table_set(e, var, val);
+ }
}
}
@@ -1051,16 +1152,24 @@
* On-demand bloat up the SSI/CGI environment with certificate data
*/
if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
- val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT");
- apr_table_set(e, "SSL_SERVER_CERT", val);
- val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
- apr_table_set(e, "SSL_CLIENT_CERT", val);
- if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL) {
+ val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, "SSL_SERVER_CERT");
+
+ apr_table_setn(e, "SSL_SERVER_CERT", val);
+
+ val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, "SSL_CLIENT_CERT");
+
+ apr_table_setn(e, "SSL_CLIENT_CERT", val);
+
+ if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) {
for (i = 0; i < sk_X509_num(sk); i++) {
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
- val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
- if (val != NULL)
+ val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, var);
+ if (val) {
apr_table_setn(e, var, val);
+ }
}
}
}
@@ -1107,27 +1216,31 @@
* So we generated 512 and 1024 bit temporary keys on startup
* which we now just handle out on demand....
*/
+
RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(pSSL);
SSLModConfigRec *mc = myModConfig(c->base_server);
- RSA *rsa;
+ RSA *rsa = NULL;
- rsa = NULL;
if (nExport) {
/* It's because an export cipher is used */
- if (nKeyLen == 512)
+ if (nKeyLen == 512) {
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512];
- else if (nKeyLen == 1024)
+ }
+ else if (nKeyLen == 1024) {
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
- else
+ }
+ else {
/* it's too expensive to generate on-the-fly, so keep 1024bit */
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
+ }
}
else {
/* It's because a sign-only certificate situation exists */
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
}
+
return rsa;
}
@@ -1138,23 +1251,26 @@
{
conn_rec *c = (conn_rec *)SSL_get_app_data(pSSL);
SSLModConfigRec *mc = myModConfig(c->base_server);
- DH *dh;
+ DH *dh = NULL;
- dh = NULL;
if (nExport) {
/* It's because an export cipher is used */
- if (nKeyLen == 512)
+ if (nKeyLen == 512) {
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH512];
- else if (nKeyLen == 1024)
+ }
+ else if (nKeyLen == 1024) {
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
- else
+ }
+ else {
/* it's too expensive to generate on-the-fly, so keep 1024bit */
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
+ }
}
else {
/* It's because a sign-only certificate situation exists */
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
}
+
return dh;
}
@@ -1164,36 +1280,21 @@
*/
int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
{
- SSL *ssl;
- conn_rec *conn;
- server_rec *s;
- request_rec *r;
- SSLSrvConfigRec *sc;
- SSLDirConfigRec *dc;
- SSLConnRec *sslconn;
- X509 *xs;
- int errnum;
- int errdepth;
- int depth;
- int verify;
-
- /*
- * Get Apache context back through OpenSSL context
- */
- ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
- conn = (conn_rec *)SSL_get_app_data(ssl);
- sslconn = myConnConfig(conn);
- r = (request_rec *)SSL_get_app_data2(ssl);
- s = conn->base_server;
- sc = mySrvConfig(s);
- dc = (r != NULL ? myDirConfig(r) : NULL);
-
- /*
- * Get verify ingredients
- */
- xs = X509_STORE_CTX_get_current_cert(ctx);
- errnum = X509_STORE_CTX_get_error(ctx);
- errdepth = X509_STORE_CTX_get_error_depth(ctx);
+ /* Get Apache context back through OpenSSL context */
+ SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
+ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = conn->base_server;
+ request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
+
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
+ SSLConnRec *sslconn = myConnConfig(conn);
+
+ /* Get verify ingredients */
+ X509 *xs = X509_STORE_CTX_get_current_cert(ctx);
+ int errnum = X509_STORE_CTX_get_error(ctx);
+ int errdepth = X509_STORE_CTX_get_error_depth(ctx);
+ int depth, verify;
/*
* Log verification information
@@ -1201,29 +1302,39 @@
if (sc->nLogLevel >= SSL_LOG_TRACE) {
char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
char *cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0);
+
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: depth: %d, subject: %s, issuer: %s",
- errdepth, cp != NULL ? cp : "-unknown-",
- cp2 != NULL ? cp2 : "-unknown");
- if (cp)
+ errdepth,
+ cp ? cp : "-unknown-",
+ cp2 ? cp2 : "-unknown-");
+
+ if (cp) {
free(cp);
- if (cp2)
+ }
+
+ if (cp2) {
free(cp2);
+ }
}
/*
* Check for optionally acceptable non-verifiable issuer situation
*/
- if (dc != NULL && dc->nVerifyClient != SSL_CVERIFY_UNSET)
+ if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
verify = dc->nVerifyClient;
- else
+ }
+ else {
verify = sc->nVerifyClient;
+ }
+
if (ssl_verify_error_is_optional(errnum) &&
- verify == SSL_CVERIFY_OPTIONAL_NO_CA)
+ (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
{
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");
+
sslconn->verify_info = "GENEROUS";
ok = TRUE;
}
@@ -1232,56 +1343,59 @@
* Additionally perform CRL-based revocation checks
*/
if (ok) {
- ok = ssl_callback_SSLVerify_CRL(ok, ctx, s);
- if (!ok)
+ if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, s))) {
errnum = X509_STORE_CTX_get_error(ctx);
+ }
}
/*
* If we already know it's not ok, log the real reason
*/
if (!ok) {
- ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
+ ssl_log(s, SSL_LOG_ERROR,
+ "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum));
+
sslconn->client_dn = NULL;
sslconn->client_cert = NULL;
- sslconn->verify_error =
- X509_verify_cert_error_string(errnum);
+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
}
/*
* Finally check the depth of the certificate verification
*/
- if (dc != NULL && dc->nVerifyDepth != UNSET)
+ if (dc && (dc->nVerifyDepth != UNSET)) {
depth = dc->nVerifyDepth;
- else
+ }
+ else {
depth = sc->nVerifyDepth;
+ }
+
if (errdepth > depth) {
ssl_log(s, SSL_LOG_ERROR,
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
errdepth, depth);
- sslconn->verify_error =
- X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG);
+
+ errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
+
ok = FALSE;
}
/*
* And finally signal OpenSSL the (perhaps changed) state
*/
- return (ok);
+ return ok;
}
-int ssl_callback_SSLVerify_CRL(
- int ok, X509_STORE_CTX *ctx, server_rec *s)
+int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
{
- SSLSrvConfigRec *sc;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
X509_OBJECT obj;
- X509_NAME *subject;
- X509_NAME *issuer;
+ X509_NAME *subject, *issuer;
X509 *xs;
X509_CRL *crl;
- X509_REVOKED *revoked;
BIO *bio;
int i, n, rc;
@@ -1289,9 +1403,9 @@
* Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course.
*/
- sc = mySrvConfig(s);
- if (sc->pRevocationStore == NULL)
+ if (!sc->pRevocationStore) {
return ok;
+ }
/*
* Determine certificate ingredients in advance
@@ -1336,9 +1450,11 @@
* the current certificate in order to verify it's integrity.
*/
memset((char *)&obj, 0, sizeof(obj));
- rc = SSL_X509_STORE_lookup(sc->pRevocationStore, X509_LU_CRL, subject, &obj);
+ rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
+ X509_LU_CRL, subject, &obj);
crl = obj.data.crl;
- if (rc > 0 && crl != NULL) {
+
+ if ((rc > 0) && crl) {
/*
* Log information about CRL
* (A little bit complicated because of ASN.1 and BIOs...)
@@ -1350,15 +1466,20 @@
bio = BIO_new(BIO_s_mem());
BIO_printf(bio, "lastUpdate: ");
ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl));
+
BIO_printf(bio, ", nextUpdate: ");
ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
+
n = BIO_pending(bio);
cp = malloc(n+1);
n = BIO_read(bio, cp, n);
cp[n] = NUL;
BIO_free(bio);
+
cp2 = X509_NAME_oneline(subject, NULL, 0);
+
ssl_log(s, SSL_LOG_TRACE, "CA CRL: Issuer: %s, %s", cp2, cp);
+
free(cp2);
free(cp);
}
@@ -1368,8 +1489,10 @@
*/
if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
ssl_log(s, SSL_LOG_WARN, "Invalid signature on CRL");
+
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
X509_OBJECT_free_contents(&obj);
+
return FALSE;
}
@@ -1377,20 +1500,29 @@
* Check date of CRL to make sure it's not expired
*/
i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
+
if (i == 0) {
- ssl_log(s, SSL_LOG_WARN, "Found CRL has invalid nextUpdate field");
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
+ ssl_log(s, SSL_LOG_WARN,
+ "Found CRL has invalid nextUpdate field");
+
+ X509_STORE_CTX_set_error(ctx,
+ X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
X509_OBJECT_free_contents(&obj);
+
return FALSE;
}
+
if (i < 0) {
ssl_log(s, SSL_LOG_WARN,
"Found CRL is expired - "
"revoking all certificates until you get updated CRL");
+
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
X509_OBJECT_free_contents(&obj);
+
return FALSE;
}
+
X509_OBJECT_free_contents(&obj);
}
@@ -1399,31 +1531,26 @@
* the current certificate in order to check for revocation.
*/
memset((char *)&obj, 0, sizeof(obj));
- rc = SSL_X509_STORE_lookup(sc->pRevocationStore, X509_LU_CRL, issuer, &obj);
+ rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
+ X509_LU_CRL, issuer, &obj);
+
crl = obj.data.crl;
- if (rc > 0 && crl != NULL) {
+ if ((rc > 0) && crl) {
/*
* Check if the current certificate is revoked by this CRL
*/
-#if SSL_LIBRARY_VERSION < 0x00904000
- n = sk_num(X509_CRL_get_REVOKED(crl));
-#else
n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
-#endif
+
for (i = 0; i < n; i++) {
-#if SSL_LIBRARY_VERSION < 0x00904000
- revoked = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);
-#else
- revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
-#endif
- if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked),
- X509_get_serialNumber(xs)) == 0) {
+ X509_REVOKED *revoked =
+ sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
+ ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
+ if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(xs))) {
if (sc->nLogLevel >= SSL_LOG_INFO) {
char *cp = X509_NAME_oneline(issuer, NULL, 0);
- long serial = ASN1_INTEGER_get(
- X509_REVOKED_get_serialNumber(revoked));
+ long serial = ASN1_INTEGER_get(sn);
ssl_log(s, SSL_LOG_INFO,
"Certificate with serial %ld (0x%lX) "
@@ -1431,13 +1558,17 @@
serial, serial, cp);
free(cp);
}
+
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
X509_OBJECT_free_contents(&obj);
+
return FALSE;
}
}
+
X509_OBJECT_free_contents(&obj);
}
+
return ok;
}
@@ -1449,28 +1580,20 @@
*/
int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
{
- conn_rec *conn;
- server_rec *s;
- SSLSrvConfigRec *sc;
- long t;
+ /* Get Apache context back through OpenSSL context */
+ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = conn->base_server;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ long timeout = sc->nSessionCacheTimeout;
BOOL rc;
unsigned char *session_id;
unsigned int session_id_length;
-
- /*
- * Get Apache context back through OpenSSL context
- */
- conn = (conn_rec *)SSL_get_app_data(ssl);
- s = conn->base_server;
- sc = mySrvConfig(s);
-
/*
* Set the timeout also for the internal OpenSSL cache, because this way
* our inter-process cache is consulted only when it's really necessary.
*/
- t = sc->nSessionCacheTimeout;
- SSL_set_timeout(pNew, t);
+ SSL_set_timeout(pNew, timeout);
/*
* Store the SSL_SESSION in the inter-process cache with the
@@ -1479,18 +1602,19 @@
session_id = SSL_SESSION_get_session_id(pNew);
session_id_length = SSL_SESSION_get_session_id_length(pNew);
- t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
- rc = ssl_scache_store(s, session_id, session_id_length, t, pNew);
-
+ timeout += SSL_get_time(pNew);
+ rc = ssl_scache_store(s, session_id, session_id_length,
+ timeout, pNew);
/*
* Log this cache operation
*/
- ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
+ ssl_log(s, SSL_LOG_TRACE,
+ "Inter-Process Session Cache: "
"request=SET status=%s id=%s timeout=%ds (session caching)",
- rc == TRUE ? "OK" : "BAD",
+ (rc == TRUE ? "OK" : "BAD"),
SSL_SESSION_id2sz(session_id, session_id_length),
- t-time(NULL));
+ (timeout - time(NULL)));
/*
* return 0 which means to OpenSSL that the pNew is still
@@ -1506,20 +1630,16 @@
* inter-process disk-cache where it was perhaps stored by one
* of our other Apache pre-forked server processes.
*/
-SSL_SESSION *ssl_callback_GetSessionCacheEntry(
- SSL *ssl, unsigned char *id, int idlen, int *pCopy)
+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
+ unsigned char *id,
+ int idlen, int *pCopy)
{
- conn_rec *conn;
- server_rec *s;
+ /* Get Apache context back through OpenSSL context */
+ conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = conn->base_server;
SSL_SESSION *pSession;
/*
- * Get Apache context back through OpenSSL context
- */
- conn = (conn_rec *)SSL_get_app_data(ssl);
- s = conn->base_server;
-
- /*
* Try to retrieve the SSL_SESSION from the inter-process cache
*/
pSession = ssl_scache_retrieve(s, id, idlen);
@@ -1527,15 +1647,16 @@
/*
* Log this cache operation
*/
- if (pSession != NULL)
+ if (pSession) {
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=GET status=FOUND id=%s (session reuse)",
SSL_SESSION_id2sz(id, idlen));
- else
+ }
+ else {
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=GET status=MISSED id=%s (session renewal)",
SSL_SESSION_id2sz(id, idlen));
-
+ }
/*
* Return NULL or the retrieved SSL_SESSION. But indicate (by
* setting pCopy to 0) that the reference count on the
@@ -1543,6 +1664,7 @@
* because we will no longer hold a reference to it ourself.
*/
*pCopy = 0;
+
return pSession;
}
@@ -1552,20 +1674,19 @@
* We use this to remove the SSL_SESSION in the inter-process
* disk-cache, too.
*/
-void ssl_callback_DelSessionCacheEntry(
- SSL_CTX *ctx, SSL_SESSION *pSession)
+void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
+ SSL_SESSION *pSession)
{
server_rec *s;
unsigned char *session_id;
unsigned int session_id_length;
-
/*
* Get Apache context back through OpenSSL context
*/
- s = (server_rec *)SSL_CTX_get_app_data(ctx);
- if (s == NULL) /* on server shutdown Apache is already gone */
- return;
+ if (!(s = (server_rec *)SSL_CTX_get_app_data(ctx))) {
+ return; /* on server shutdown Apache is already gone */
+ }
/*
* Remove the SSL_SESSION from the inter-process cache
@@ -1575,7 +1696,6 @@
ssl_scache_remove(s, session_id, session_id_length);
-
/*
* Log this cache operation
*/
@@ -1591,11 +1711,7 @@
* SSL handshake and does SSL record layer stuff. We use it to
* trace OpenSSL's processing in out SSL logfile.
*/
-#if SSL_LIBRARY_VERSION >= 0x00907000
-void ssl_callback_LogTracingState(const SSL *ssl, int where, int rc)
-#else
void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
-#endif
{
conn_rec *c;
server_rec *s;
@@ -1605,29 +1721,39 @@
/*
* find corresponding server
*/
- if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL)
+ if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
return;
+ }
+
s = c->base_server;
- if ((sc = mySrvConfig(s)) == NULL)
+ if (!(sc = mySrvConfig(s))) {
return;
+ }
/*
* create the various trace messages
*/
if (sc->nLogLevel >= SSL_LOG_TRACE) {
- if (where & SSL_CB_HANDSHAKE_START)
- ssl_log(s, SSL_LOG_TRACE, "%s: Handshake: start", SSL_LIBRARY_NAME);
- else if (where & SSL_CB_HANDSHAKE_DONE)
- ssl_log(s, SSL_LOG_TRACE, "%s: Handshake: done", SSL_LIBRARY_NAME);
- else if (where & SSL_CB_LOOP)
+ if (where & SSL_CB_HANDSHAKE_START) {
+ ssl_log(s, SSL_LOG_TRACE,
+ "%s: Handshake: start", SSL_LIBRARY_NAME);
+ }
+ else if (where & SSL_CB_HANDSHAKE_DONE) {
+ ssl_log(s, SSL_LOG_TRACE,
+ "%s: Handshake: done", SSL_LIBRARY_NAME);
+ }
+ else if (where & SSL_CB_LOOP) {
ssl_log(s, SSL_LOG_TRACE, "%s: Loop: %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- else if (where & SSL_CB_READ)
+ }
+ else if (where & SSL_CB_READ) {
ssl_log(s, SSL_LOG_TRACE, "%s: Read: %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- else if (where & SSL_CB_WRITE)
+ }
+ else if (where & SSL_CB_WRITE) {
ssl_log(s, SSL_LOG_TRACE, "%s: Write: %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ) ? "read" : "write";
ssl_log(s, SSL_LOG_TRACE, "%s: Alert: %s:%s:%s\n",
@@ -1636,12 +1762,14 @@
SSL_alert_desc_string_long(rc));
}
else if (where & SSL_CB_EXIT) {
- if (rc == 0)
+ if (rc == 0) {
ssl_log(s, SSL_LOG_TRACE, "%s: Exit: failed in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- else if (rc < 0)
+ }
+ else if (rc < 0) {
ssl_log(s, SSL_LOG_TRACE, "%s: Exit: error in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
}
}
@@ -1652,14 +1780,13 @@
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
ssl_log(s, SSL_LOG_INFO,
- "Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)",
+ "Connection: Client IP: %s, Protocol: %s, "
+ "Cipher: %s (%s/%s bits)",
ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
}
-
- return;
}