You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2016/03/16 23:54:27 UTC
svn commit: r1735337 - in /httpd/httpd/trunk/modules/ssl:
ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h
Author: ylavic
Date: Wed Mar 16 22:54:27 2016
New Revision: 1735337
URL: http://svn.apache.org/viewvc?rev=1735337&view=rev
Log:
mod_ssl: follow up to r1734561.
Simplify CRL check mode and flags handling/merging by using a single mask (int).
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1735337&r1=1735336&r2=1735337&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Mar 16 22:54:27 2016
@@ -121,8 +121,7 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->crl_path = NULL;
mctx->crl_file = NULL;
- mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
- mctx->crl_check_flags = UNSET;
+ mctx->crl_check_mask = UNSET;
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
@@ -272,8 +271,7 @@ static void modssl_ctx_cfg_merge(apr_poo
cfgMerge(crl_path, NULL);
cfgMerge(crl_file, NULL);
- cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
- cfgMergeInt(crl_check_flags);
+ cfgMergeInt(crl_check_mask);
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
@@ -975,23 +973,38 @@ const char *ssl_cmd_SSLCARevocationFile(
static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms,
const char *arg,
- ssl_crlcheck_t *mode)
+ int *mask)
{
- if (strcEQ(arg, "none")) {
- *mode = SSL_CRLCHECK_NONE;
+ const char *w;
+
+ w = ap_getword_conf(parms->temp_pool, &arg);
+ if (strcEQ(w, "none")) {
+ *mask = SSL_CRLCHECK_NONE;
}
- else if (strcEQ(arg, "leaf")) {
- *mode = SSL_CRLCHECK_LEAF;
+ else if (strcEQ(w, "leaf")) {
+ *mask = SSL_CRLCHECK_LEAF;
}
- else if (strcEQ(arg, "chain")) {
- *mode = SSL_CRLCHECK_CHAIN;
+ else if (strcEQ(w, "chain")) {
+ *mask = SSL_CRLCHECK_CHAIN;
}
else {
return apr_pstrcat(parms->temp_pool, parms->cmd->name,
- ": Invalid argument '", arg, "'",
+ ": Invalid argument '", w, "'",
NULL);
}
+ while (*arg) {
+ w = ap_getword_conf(parms->temp_pool, &arg);
+ if (strcEQ(w, "no_crl_for_cert_ok")) {
+ *mask |= SSL_CRLCHECK_NO_CRL_FOR_CERT_OK;
+ }
+ else {
+ return apr_pstrcat(parms->temp_pool, parms->cmd->name,
+ ": Invalid argument '", w, "'",
+ NULL);
+ }
+ }
+
return NULL;
}
@@ -1000,29 +1013,8 @@ const char *ssl_cmd_SSLCARevocationCheck
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err, *w;
- w = ap_getword_conf(cmd->temp_pool, &arg);
- err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode);
- if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) {
- return err;
- }
-
- if (sc->server->crl_check_flags == UNSET) {
- sc->server->crl_check_flags = 0;
- }
- while (*arg) {
- w = ap_getword_conf(cmd->temp_pool, &arg);
- if (strcEQ(w, "no_crl_for_cert_ok")) {
- sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
- }
- else {
- return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
- ": Invalid flag '", w, "'",
- NULL);
- }
- }
- return NULL;
+ return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mask);
}
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
@@ -1535,29 +1527,8 @@ const char *ssl_cmd_SSLProxyCARevocation
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err, *w;
- w = ap_getword_conf(cmd->temp_pool, &arg);
- err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode);
- if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) {
- return err;
- }
-
- if (sc->proxy->crl_check_flags == UNSET) {
- sc->proxy->crl_check_flags = 0;
- }
- while (*arg) {
- w = ap_getword_conf(cmd->temp_pool, &arg);
- if (strcEQ(w, "no_crl_for_cert_ok")) {
- sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
- }
- else {
- return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
- ": Invalid flag '", w, "'",
- NULL);
- }
- }
- return NULL;
+ return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mask);
}
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1735337&r1=1735336&r2=1735337&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 16 22:54:27 2016
@@ -229,13 +229,6 @@ apr_status_t ssl_init_Module(apr_pool_t
sc->fips = FALSE;
}
#endif
-
- if (sc->server && sc->server->crl_check_flags == UNSET) {
- sc->server->crl_check_flags = 0;
- }
- if (sc->proxy && sc->proxy->crl_check_flags == UNSET) {
- sc->proxy->crl_check_flags = 0;
- }
}
#if APR_HAS_THREADS
@@ -818,14 +811,15 @@ static apr_status_t ssl_init_ctx_crl(ser
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
unsigned long crlflags = 0;
char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
+ int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
/*
* Configure Certificate Revocation List (CRL) Details
*/
if (!(mctx->crl_file || mctx->crl_path)) {
- if (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ||
- mctx->crl_check_mode == SSL_CRLCHECK_CHAIN) {
+ if (crl_check_mode == SSL_CRLCHECK_LEAF ||
+ crl_check_mode == SSL_CRLCHECK_CHAIN) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01899)
"Host %s: CRL checking has been enabled, but "
"neither %sCARevocationFile nor %sCARevocationPath "
@@ -847,7 +841,7 @@ static apr_status_t ssl_init_ctx_crl(ser
return ssl_die(s);
}
- switch (mctx->crl_check_mode) {
+ switch (crl_check_mode) {
case SSL_CRLCHECK_LEAF:
crlflags = X509_V_FLAG_CRL_CHECK;
break;
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1735337&r1=1735336&r2=1735337&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Wed Mar 16 22:54:27 2016
@@ -1569,12 +1569,14 @@ int ssl_callback_SSLVerify(int ok, X509_
SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
SSLConnRec *sslconn = myConnConfig(conn);
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
/* Get verify ingredients */
int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
int depth, verify;
+
/*
* Log verification information
*/
@@ -1582,10 +1584,9 @@ int ssl_callback_SSLVerify(int ok, X509_
X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
"Certificate Verification, depth %d, "
"CRL checking mode: %s (%x)", errdepth,
- mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ?
- "chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ?
- "leaf" : "none"),
- mctx->crl_check_flags);
+ crl_check_mode == SSL_CRLCHECK_CHAIN ? "chain" :
+ crl_check_mode == SSL_CRLCHECK_LEAF ? "leaf" : "none",
+ mctx->crl_check_mask);
/*
* Check for optionally acceptable non-verifiable issuer situation
@@ -1635,7 +1636,7 @@ int ssl_callback_SSLVerify(int ok, X509_
}
if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
- && (mctx->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) {
+ && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
errnum = X509_V_OK;
ok = TRUE;
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1735337&r1=1735336&r2=1735337&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Wed Mar 16 22:54:27 2016
@@ -336,14 +336,15 @@ typedef enum {
|| (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
/**
- * CRL checking modes
+ * CRL checking mask (mode | flags)
*/
-#define MODSSL_CCF_NO_CRL_FOR_CERT_OK (1 << 0)
typedef enum {
- SSL_CRLCHECK_UNSET = UNSET,
- SSL_CRLCHECK_NONE = 0,
- SSL_CRLCHECK_LEAF = 1,
- SSL_CRLCHECK_CHAIN = 2
+ SSL_CRLCHECK_NONE = (0),
+ SSL_CRLCHECK_LEAF = (1 << 0),
+ SSL_CRLCHECK_CHAIN = (1 << 1),
+
+#define SSL_CRLCHECK_FLAGS (~0x3)
+ SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
} ssl_crlcheck_t;
/**
@@ -601,8 +602,7 @@ typedef struct {
/** certificate revocation list */
const char *crl_path;
const char *crl_file;
- ssl_crlcheck_t crl_check_mode;
- int crl_check_flags;
+ int crl_check_mask;
#ifdef HAVE_OCSP_STAPLING
/** OCSP stapling options */