You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2020/07/07 16:57:23 UTC
svn commit: r1879598 - in /httpd/httpd/branches/2.4.x: ./ STATUS
modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_vars.c
modules/ssl/ssl_scache.c modules/ssl/ssl_util_ssl.c
modules/ssl/ssl_util_ssl.h
Author: jim
Date: Tue Jul 7 16:57:22 2020
New Revision: 1879598
URL: http://svn.apache.org/viewvc?rev=1879598&view=rev
Log:
Merge r1705539, r1877263, r1877291, r1879445 from trunk:
deduplicate the code handling the directory traversal for the
SSL[Proxy]CACertificatePath and SSLProxyMachineCertificatePath
directives
* modules/ssl/ssl_engine_init.c (ssl_add_version_components,
ssl_init_Module): Use temporary pool for variable lookup results
which don't need to live in pconf.
mod_ssl: Factor out code to read a BIO into a palloc'ed string:
* modules/ssl/ssl_util_ssl.c (modssl_bio_free_read): New function.
(asn1_string_convert): Use it here.
* modules/ssl/ssl_engine_vars.c: Use it throughout.
* modules/ssl/ssl_scache.c (ssl_scache_init): Use <16 character
cname argument for socache ->init() per the API constraint.
Submitted by: kbrand, jorton, jorton, jorton
Reviewed by: jailletc36, minfrin, jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1705539,1877263,1877291,1879445
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1879598&r1=1879597&r2=1879598&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Jul 7 16:57:22 2020
@@ -144,17 +144,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
+1: ylavic, minfrin, jim
ylavic: the patch drops changes to apreq, which seems to not be in 2.4.
- *) mod_ssl: deduplicate some code
- mod_ssl: Use temporary pool for variable lookup results which don't need to live in pconf
- mod_ssl: Factor out code to read a BIO into a palloc'ed string
- mod_ssl: Use <16 character cname argument for socache ->init() per the API constraint
- trunk patch http://svn.apache.org/r1705539
- http://svn.apache.org/r1877263
- http://svn.apache.org/r1877291
- http://svn.apache.org/r1879445
- 2.4.x patch: svn merge -c 1705539,1877263,1877291,1879445 ^/httpd/httpd/trunk .
- +1: jailletc36, minfrin, jim
-
*) core: Drop an invalid Last-Modified header value coming
from a (F)CGI script instead of replacing it with Unix epoch.
Warn the users about Last-Modified header value replacements
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1879598&r1=1879597&r2=1879598&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Tue Jul 7 16:57:22 2020
@@ -32,6 +32,9 @@
#include "mpm_common.h"
#include "mod_md.h"
+static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *,
+ STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *);
+
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
(server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
(s,p,is_proxy,ctx), OK, DECLINED)
@@ -169,15 +172,15 @@ DH *modssl_get_dh_params(unsigned keylen
return NULL; /* impossible to reach. */
}
-static void ssl_add_version_components(apr_pool_t *p,
+static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
server_rec *s)
{
- char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE");
- char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY");
- char *incver = ssl_var_lookup(p, s, NULL, NULL,
+ char *modver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_INTERFACE");
+ char *libver = ssl_var_lookup(ptemp, s, NULL, NULL, "SSL_VERSION_LIBRARY");
+ char *incver = ssl_var_lookup(ptemp, s, NULL, NULL,
"SSL_VERSION_LIBRARY_INTERFACE");
- ap_add_version_component(p, libver);
+ ap_add_version_component(pconf, libver);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01876)
"%s compiled against Server: %s, Library: %s",
@@ -428,7 +431,7 @@ apr_status_t ssl_init_Module(apr_pool_t
* Announce mod_ssl and SSL library in HTTP Server field
* as ``mod_ssl/X.X.X OpenSSL/X.X.X''
*/
- ssl_add_version_components(p, base_server);
+ ssl_add_version_components(ptemp, p, base_server);
modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
@@ -1586,26 +1589,7 @@ static apr_status_t ssl_init_proxy_certs
}
if (pkp->cert_path) {
- apr_dir_t *dir;
- apr_finfo_t dirent;
- apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
-
- if (apr_dir_open(&dir, pkp->cert_path, ptemp) == APR_SUCCESS) {
- while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
- const char *fullname;
-
- if (dirent.filetype == APR_DIR) {
- continue; /* don't try to load directories */
- }
-
- fullname = apr_pstrcat(ptemp,
- pkp->cert_path, "/", dirent.name,
- NULL);
- load_x509_info(ptemp, sk, fullname);
- }
-
- apr_dir_close(dir);
- }
+ ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk);
}
if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
@@ -2133,6 +2117,40 @@ static void ssl_init_PushCAList(STACK_OF
sk_X509_NAME_free(sk);
}
+static apr_status_t ssl_init_ca_cert_path(server_rec *s,
+ apr_pool_t *ptemp,
+ const char *path,
+ STACK_OF(X509_NAME) *ca_list,
+ STACK_OF(X509_INFO) *xi_list)
+{
+ apr_dir_t *dir;
+ apr_finfo_t direntry;
+ apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
+
+ if (!path || (!ca_list && !xi_list) ||
+ (apr_dir_open(&dir, path, ptemp) != APR_SUCCESS)) {
+ return APR_EGENERAL;
+ }
+
+ while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
+ const char *file;
+ if (direntry.filetype == APR_DIR) {
+ continue; /* don't try to load directories */
+ }
+ file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
+ if (ca_list) {
+ ssl_init_PushCAList(ca_list, s, ptemp, file);
+ }
+ if (xi_list) {
+ load_x509_info(ptemp, xi_list, file);
+ }
+ }
+
+ apr_dir_close(dir);
+
+ return APR_SUCCESS;
+}
+
STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
apr_pool_t *ptemp,
const char *ca_file,
@@ -2165,30 +2183,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList
/*
* Process CA certificate path files
*/
- if (ca_path) {
- apr_dir_t *dir;
- apr_finfo_t direntry;
- apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
- apr_status_t rv;
-
- if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211)
- "Failed to open Certificate Path `%s'",
- ca_path);
- sk_X509_NAME_pop_free(ca_list, X509_NAME_free);
- return NULL;
- }
-
- while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
- const char *file;
- if (direntry.filetype == APR_DIR) {
- continue; /* don't try to load directories */
- }
- file = apr_pstrcat(ptemp, ca_path, "/", direntry.name, NULL);
- ssl_init_PushCAList(ca_list, s, ptemp, file);
- }
-
- apr_dir_close(dir);
+ if (ca_path &&
+ ssl_init_ca_cert_path(s, ptemp,
+ ca_path, ca_list, NULL) != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02211)
+ "Failed to open Certificate Path `%s'", ca_path);
+ sk_X509_NAME_pop_free(ca_list, X509_NAME_free);
+ return NULL;
}
/*
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c?rev=1879598&r1=1879597&r2=1879598&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c Tue Jul 7 16:57:22 2020
@@ -460,18 +460,13 @@ static char *ssl_var_lookup_ssl_cert_dn_
}
else {
BIO* bio;
- int n;
unsigned long flags = XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB;
+
if ((bio = BIO_new(BIO_s_mem())) == NULL)
return NULL;
X509_NAME_print_ex(bio, xsname, 0, flags);
- n = BIO_pending(bio);
- if (n > 0) {
- result = apr_palloc(p, n+1);
- n = BIO_read(bio, result, n);
- result[n] = NUL;
- }
- BIO_free(bio);
+
+ result = modssl_bio_free_read(p, bio);
}
return result;
}
@@ -678,19 +673,13 @@ static char *ssl_var_lookup_ssl_cert_san
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
{
- char *result;
BIO* bio;
- int n;
if ((bio = BIO_new(BIO_s_mem())) == NULL)
return NULL;
ASN1_TIME_print(bio, tm);
- n = BIO_pending(bio);
- result = apr_pcalloc(p, n+1);
- n = BIO_read(bio, result, n);
- result[n] = NUL;
- BIO_free(bio);
- return result;
+
+ return modssl_bio_free_read(p, bio);
}
#define DIGIT2NUM(x) (((x)[0] - '0') * 10 + (x)[1] - '0')
@@ -739,19 +728,13 @@ static char *ssl_var_lookup_ssl_cert_rem
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs)
{
- char *result;
BIO *bio;
- int n;
if ((bio = BIO_new(BIO_s_mem())) == NULL)
return NULL;
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(xs));
- n = BIO_pending(bio);
- result = apr_pcalloc(p, n+1);
- n = BIO_read(bio, result, n);
- result[n] = NUL;
- BIO_free(bio);
- return result;
+
+ return modssl_bio_free_read(p, bio);
}
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var)
@@ -806,19 +789,13 @@ static char *ssl_var_lookup_ssl_cert_rfc
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
{
- char *result;
BIO *bio;
- int n;
if ((bio = BIO_new(BIO_s_mem())) == NULL)
return NULL;
PEM_write_bio_X509(bio, xs);
- n = BIO_pending(bio);
- result = apr_pcalloc(p, n+1);
- n = BIO_read(bio, result, n);
- result[n] = NUL;
- BIO_free(bio);
- return result;
+
+ return modssl_bio_free_read(p, bio);
}
static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn)
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c?rev=1879598&r1=1879597&r2=1879598&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c Tue Jul 7 16:57:22 2020
@@ -59,7 +59,7 @@ apr_status_t ssl_scache_init(server_rec
hints.expiry_interval = 300;
rv = mc->stapling_cache->init(mc->stapling_cache_context,
- "mod_ssl-stapling", &hints, s, p);
+ "mod_ssl-staple", &hints, s, p);
if (rv) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872)
"Could not initialize stapling cache. Exiting.");
@@ -84,7 +84,7 @@ apr_status_t ssl_scache_init(server_rec
hints.avg_id_len = 30;
hints.expiry_interval = 30;
- rv = mc->sesscache->init(mc->sesscache_context, "mod_ssl-session", &hints, s, p);
+ rv = mc->sesscache->init(mc->sesscache_context, "mod_ssl-sess", &hints, s, p);
if (rv) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874)
"Could not initialize session cache. Exiting.");
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c?rev=1879598&r1=1879597&r2=1879598&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c Tue Jul 7 16:57:22 2020
@@ -185,14 +185,27 @@ BOOL modssl_X509_getBC(X509 *cert, int *
return TRUE;
}
+char *modssl_bio_free_read(apr_pool_t *p, BIO *bio)
+{
+ int len = BIO_pending(bio);
+ char *result = NULL;
+
+ if (len > 0) {
+ result = apr_palloc(p, len+1);
+ len = BIO_read(bio, result, len);
+ result[len] = NUL;
+ }
+ BIO_free(bio);
+ return result;
+}
+
/* Convert ASN.1 string to a pool-allocated char * string, escaping
* control characters. If raw is zero, convert to UTF-8, otherwise
* unchanged from the character set. */
static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw)
{
- char *result = NULL;
BIO *bio;
- int len, flags = ASN1_STRFLGS_ESC_CTRL;
+ int flags = ASN1_STRFLGS_ESC_CTRL;
if ((bio = BIO_new(BIO_s_mem())) == NULL)
return NULL;
@@ -200,14 +213,8 @@ static char *asn1_string_convert(apr_poo
if (!raw) flags |= ASN1_STRFLGS_UTF8_CONVERT;
ASN1_STRING_print_ex(bio, asn1str, flags);
- len = BIO_pending(bio);
- if (len > 0) {
- result = apr_palloc(p, len+1);
- len = BIO_read(bio, result, len);
- result[len] = NUL;
- }
- BIO_free(bio);
- return result;
+
+ return modssl_bio_free_read(p, bio);
}
#define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0)
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h?rev=1879598&r1=1879597&r2=1879598&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h Tue Jul 7 16:57:22 2020
@@ -78,6 +78,11 @@ BOOL modssl_X509_getSAN(apr_pool_
BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);
+/* Reads the remaining data in BIO, if not empty, and copies it into a
+ * pool-allocated string. If empty, returns NULL. BIO_free(bio) is
+ * called for both cases. */
+char *modssl_bio_free_read(apr_pool_t *p, BIO *bio);
+
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */