httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From do...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_engine_pphrase.c
Date Thu, 28 Mar 2002 18:50:08 GMT
dougm       02/03/28 10:50:08

  Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_config.c
                        ssl_engine_init.c ssl_engine_kernel.c
                        ssl_engine_pphrase.c
  Log:
  breakup SSLSrvConfigRec in preparation for proxy support:
  + modssl_pk_server_t - certs/keys for the server
  + modssl_pk_proxy_t  - certs/keys for the proxy
  + modssl_auth_ctx_t  - stuff related to authentication that can also
                         be per-dir, used by both server and proxy
  + modssl_ctx_t       - context that can be used by both server and proxy
  + SSLSrvConfigRec    - now contains original stuff specific to the
                         server config and modssl_ctx_t *server, *proxy
  
  Revision  Changes    Path
  1.54      +3 -3      httpd-2.0/modules/ssl/mod_ssl.c
  
  Index: mod_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
  retrieving revision 1.53
  retrieving revision 1.54
  diff -u -r1.53 -r1.54
  --- mod_ssl.c	28 Mar 2002 17:11:12 -0000	1.53
  +++ mod_ssl.c	28 Mar 2002 18:50:07 -0000	1.54
  @@ -257,7 +257,7 @@
        * attach this to the socket. Additionally we register this attachment
        * so we can detach later.
        */
  -    if (!(ssl = SSL_new(sc->pSSLCtx))) {
  +    if (!(ssl = SSL_new(sc->server->ssl_ctx))) {
           ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                   "Unable to create a new SSL connection from the SSL context");
   
  @@ -404,7 +404,7 @@
               sslconn->verify_error)
           {
               if (ssl_verify_error_is_optional(verify_result) &&
  -                (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
  +                (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
               {
                   /* leaving this log message as an error for the moment,
                    * according to the mod_ssl docs:
  @@ -444,7 +444,7 @@
            * Make really sure that when a peer certificate
            * is required we really got one... (be paranoid)
            */
  -        if ((sc->nVerifyClient == SSL_CVERIFY_REQUIRE) &&
  +        if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
               !sslconn->client_cert)
           {
               ssl_log(c->base_server, SSL_LOG_ERROR,
  
  
  
  1.99      +68 -31    httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.98
  retrieving revision 1.99
  diff -u -r1.98 -r1.99
  --- mod_ssl.h	28 Mar 2002 17:23:50 -0000	1.98
  +++ mod_ssl.h	28 Mar 2002 18:50:07 -0000	1.99
  @@ -468,39 +468,76 @@
       } rCtx;
   } SSLModConfigRec;
   
  -/*
  - * Define the mod_ssl per-server configuration structure
  - * (i.e. the configuration for the main server
  - *  and all <VirtualHost> contexts)
  - */
  +/* public cert/private key */
   typedef struct {
  +    /* 
  +     * server only has 1-2 certs/keys
  +     * 1 RSA and/or 1 DSA
  +     */
  +    const char  *cert_files[SSL_AIDX_MAX];
  +    const char  *key_files[SSL_AIDX_MAX];
  +    X509        *certs[SSL_AIDX_MAX];
  +    EVP_PKEY    *keys[SSL_AIDX_MAX];
  +} modssl_pk_server_t;
  +
  +typedef struct {
  +    /* proxy can have any number of cert/key pairs */
  +    const char  *cert_file;
  +    const char  *cert_path;
  +    STACK_OF(X509_INFO) *certs;
  +} modssl_pk_proxy_t;
  +
  +/* stuff related to authentication that can also be per-dir */
  +typedef struct {
  +    /* known/trusted CAs */
  +    const char  *ca_cert_path;
  +    const char  *ca_cert_file;
  +
  +    const char  *cipher_suite;
  +
  +    /* for client or downstream server authentication */
  +    int          verify_depth;
  +    ssl_verify_t verify_mode;
  +} modssl_auth_ctx_t;
  +
  +typedef struct SSLSrvConfigRec SSLSrvConfigRec;
  +
  +typedef struct {
  +    SSLSrvConfigRec *sc; /* pointer back to server config */
  +    SSL_CTX *ssl_ctx;
  +
  +    /* we are one or the other */
  +    modssl_pk_server_t *pks;
  +    modssl_pk_proxy_t  *pkp;
  +
  +    /* config for handling encrypted keys */
  +    ssl_pphrase_t pphrase_dialog_type;
  +    const char   *pphrase_dialog_path;
  +
  +    const char  *cert_chain;
  +
  +    /* certificate revocation list */
  +    const char  *crl_path;
  +    const char  *crl_file;
  +    X509_STORE  *crl;
  +
  +    ssl_proto_t  protocol;
  +
  +    modssl_auth_ctx_t auth;
  +} modssl_ctx_t;
  +
  +struct SSLSrvConfigRec {
       SSLModConfigRec *mc;
  -    BOOL         enabled;
  -    const char  *vhost_id;
  -    int          vhost_id_len;
  -    const char  *log_file_name;
  -    apr_file_t  *log_file;
  -    int          log_level;
  -    int          session_cache_timeout;
  -
  -    const char  *szPublicCertFiles[SSL_AIDX_MAX];
  -    const char  *szPrivateKeyFiles[SSL_AIDX_MAX];
  -    const char  *szCertificateChain;
  -    const char  *szCACertificatePath;
  -    const char  *szCACertificateFile;
  -    const char  *szCipherSuite;
  -    int          nVerifyDepth;
  -    ssl_verify_t nVerifyClient;
  -    X509        *pPublicCert[SSL_AIDX_MAX];
  -    EVP_PKEY    *pPrivateKey[SSL_AIDX_MAX];
  -    SSL_CTX     *pSSLCtx;
  -    int          nPassPhraseDialogType;
  -    const char  *szPassPhraseDialogPath;
  -    ssl_proto_t  nProtocol;
  -    const char  *szCARevocationPath;
  -    const char  *szCARevocationFile;
  -    X509_STORE  *pRevocationStore;
  -} SSLSrvConfigRec;
  +    BOOL             enabled;
  +    const char      *vhost_id;
  +    int              vhost_id_len;
  +    const char      *log_file_name;
  +    apr_file_t      *log_file;
  +    int              log_level;
  +    int              session_cache_timeout;
  +    modssl_ctx_t    *server;
  +    modssl_ctx_t    *proxy;
  +};
   
   /*
    * Define the mod_ssl per-directory configuration structure
  
  
  
  1.50      +91 -57    httpd-2.0/modules/ssl/ssl_engine_config.c
  
  Index: ssl_engine_config.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_config.c,v
  retrieving revision 1.49
  retrieving revision 1.50
  diff -u -r1.49 -r1.50
  --- ssl_engine_config.c	28 Mar 2002 17:23:50 -0000	1.49
  +++ ssl_engine_config.c	28 Mar 2002 18:50:07 -0000	1.50
  @@ -135,6 +135,53 @@
   **  _________________________________________________________________
   */
   
  +static void modssl_ctx_init(modssl_ctx_t *ctx, SSLSrvConfigRec *sc)
  +{
  +    ctx->sc                  = sc;
  +
  +    ctx->ssl_ctx             = NULL;
  +
  +    ctx->pks                 = NULL;
  +    ctx->pkp                 = NULL;
  +
  +    ctx->protocol            = SSL_PROTOCOL_ALL;
  +
  +    ctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
  +    ctx->pphrase_dialog_path = NULL;
  +
  +    ctx->cert_chain          = NULL;
  +
  +    ctx->crl_path            = NULL;
  +    ctx->crl_file            = NULL;
  +    ctx->crl                 = NULL;
  +
  +    ctx->auth.ca_cert_path   = NULL;
  +    ctx->auth.ca_cert_file   = NULL;
  +    ctx->auth.cipher_suite   = NULL;
  +    ctx->auth.verify_depth   = UNSET;
  +    ctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
  +}
  +
  +static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
  +                                   apr_pool_t *p)
  +{
  +    modssl_ctx_t *ctx;
  +
  +    ctx = sc->server = apr_palloc(p, sizeof(*sc->server));
  +
  +    modssl_ctx_init(ctx, sc);
  +
  +    ctx->pks = apr_palloc(p, sizeof(*ctx->pks));
  +
  +    memset((void*)ctx->pks->cert_files, 0, sizeof(ctx->pks->cert_files));
  +
  +    memset((void*)ctx->pks->key_files, 0, sizeof(ctx->pks->key_files));
  +
  +    memset(ctx->pks->certs, 0, sizeof(ctx->pks->certs));
  +
  +    memset(ctx->pks->keys, 0, sizeof(ctx->pks->keys));
  +}
  +
   /*
    *  Create per-server SSL configuration
    */
  @@ -151,24 +198,7 @@
       sc->log_level              = SSL_LOG_NONE;
       sc->session_cache_timeout  = UNSET;
   
  -    sc->szCACertificatePath    = NULL;
  -    sc->szCACertificateFile    = NULL;
  -    sc->szCertificateChain     = NULL;
  -    sc->szCipherSuite          = NULL;
  -    sc->nVerifyDepth           = UNSET;
  -    sc->nVerifyClient          = SSL_CVERIFY_UNSET;
  -    sc->nPassPhraseDialogType  = SSL_PPTYPE_UNSET;
  -    sc->szPassPhraseDialogPath = NULL;
  -    sc->nProtocol              = SSL_PROTOCOL_ALL;
  -    sc->pSSLCtx                = NULL;
  -    sc->szCARevocationPath     = NULL;
  -    sc->szCARevocationFile     = NULL;
  -    sc->pRevocationStore       = NULL;
  -
  -    memset((void*)sc->szPublicCertFiles, 0, sizeof(sc->szPublicCertFiles));
  -    memset((void*)sc->szPrivateKeyFiles, 0, sizeof(sc->szPrivateKeyFiles));
  -    memset(sc->pPublicCert,       0, sizeof(sc->pPublicCert));
  -    memset(sc->pPrivateKey,       0, sizeof(sc->pPrivateKey));
  +    modssl_ctx_init_server(sc, p);
   
       return sc;
   }
  @@ -183,6 +213,8 @@
       SSLSrvConfigRec *add  = (SSLSrvConfigRec *)addv;
       SSLSrvConfigRec *mrg  = (SSLSrvConfigRec *)apr_palloc(p, sizeof(*mrg));
   
  +    modssl_ctx_init_server(mrg, p);
  +
       cfgMerge(mc, NULL);
       cfgMergeBool(enabled);
       cfgMergeString(vhost_id);
  @@ -191,25 +223,25 @@
       cfgMerge(log_level, SSL_LOG_NONE);
       cfgMergeInt(session_cache_timeout);
   
  -    cfgMergeString(szCACertificatePath);
  -    cfgMergeString(szCACertificateFile);
  -    cfgMergeString(szCertificateChain);
  -    cfgMergeString(szCipherSuite);
  -    cfgMergeInt(nVerifyDepth);
  -    cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
  -    cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET);
  -    cfgMergeString(szPassPhraseDialogPath);
  -    cfgMerge(nProtocol, SSL_PROTOCOL_ALL);
  -    cfgMerge(pSSLCtx, NULL);
  -    cfgMerge(szCARevocationPath, NULL);
  -    cfgMerge(szCARevocationFile, NULL);
  -    cfgMerge(pRevocationStore, NULL);
  +    cfgMergeString(server->auth.ca_cert_path);
  +    cfgMergeString(server->auth.ca_cert_file);
  +    cfgMergeString(server->cert_chain);
  +    cfgMergeString(server->auth.cipher_suite);
  +    cfgMergeInt(server->auth.verify_depth);
  +    cfgMerge(server->auth.verify_mode, SSL_CVERIFY_UNSET);
  +    cfgMerge(server->pphrase_dialog_type, SSL_PPTYPE_UNSET);
  +    cfgMergeString(server->pphrase_dialog_path);
  +    cfgMerge(server->protocol, SSL_PROTOCOL_ALL);
  +    cfgMerge(server->ssl_ctx, NULL);
  +    cfgMerge(server->crl_path, NULL);
  +    cfgMerge(server->crl_file, NULL);
  +    cfgMerge(server->crl, NULL);
   
       for (i = 0; i < SSL_AIDX_MAX; i++) {
  -        cfgMergeString(szPublicCertFiles[i]);
  -        cfgMergeString(szPrivateKeyFiles[i]);
  -        cfgMerge(pPublicCert[i], NULL);
  -        cfgMerge(pPrivateKey[i], NULL);
  +        cfgMergeString(server->pks->cert_files[i]);
  +        cfgMergeString(server->pks->key_files[i]);
  +        cfgMerge(server->pks->certs[i], NULL);
  +        cfgMerge(server->pks->keys[i], NULL);
       }
   
       return mrg;
  @@ -330,33 +362,33 @@
       }
   
       if (strcEQ(arg, "builtin")) {
  -        sc->nPassPhraseDialogType  = SSL_PPTYPE_BUILTIN;
  -        sc->szPassPhraseDialogPath = NULL;
  +        sc->server->pphrase_dialog_type  = SSL_PPTYPE_BUILTIN;
  +        sc->server->pphrase_dialog_path = NULL;
       }
       else if ((arglen > 5) && strEQn(arg, "exec:", 5)) {
  -        sc->nPassPhraseDialogType  = SSL_PPTYPE_FILTER;
  +        sc->server->pphrase_dialog_type  = SSL_PPTYPE_FILTER;
           /* ### This is broken, exec: may contain args, no? */
  -        sc->szPassPhraseDialogPath =
  +        sc->server->pphrase_dialog_path =
               ap_server_root_relative(cmd->pool, arg+5);
  -        if (!sc->szPassPhraseDialogPath) {
  +        if (!sc->server->pphrase_dialog_path) {
               return apr_pstrcat(cmd->pool,
                                  "Invalid SSLPassPhraseDialog exec: path ",
                                  arg+5, NULL);
           }
           if (!ssl_util_path_check(SSL_PCM_EXISTS,
  -                                 sc->szPassPhraseDialogPath,
  +                                 sc->server->pphrase_dialog_path,
                                    cmd->pool))
           {
               return apr_pstrcat(cmd->pool,
                                  "SSLPassPhraseDialog: file '",
  -                               sc->szPassPhraseDialogPath,
  +                               sc->server->pphrase_dialog_path,
                                  "' does not exist", NULL);
           }
   
       }
       else if ((arglen > 1) && (arg[0] == '|')) {
  -        sc->nPassPhraseDialogType  = SSL_PPTYPE_PIPE;
  -        sc->szPassPhraseDialogPath = arg + 1;
  +        sc->server->pphrase_dialog_type  = SSL_PPTYPE_PIPE;
  +        sc->server->pphrase_dialog_path = arg + 1;
       }
       else {
           return "SSLPassPhraseDialog: Invalid argument";
  @@ -509,7 +541,7 @@
           dc->szCipherSuite = arg;
       }
       else {
  -        sc->szCipherSuite = arg;
  +        sc->server->auth.cipher_suite = arg;
       }
   
       return NULL;
  @@ -581,11 +613,11 @@
       switch (idx) {
         case SSL_AIDX_CERTS:
           desc = "certificates";
  -        files = sc->szPublicCertFiles;
  +        files = sc->server->pks->cert_files;
           break;
         case SSL_AIDX_KEYS:
           desc = "private keys";
  -        files = sc->szPrivateKeyFiles;
  +        files = sc->server->pks->key_files;
           break;
       }
   
  @@ -637,7 +669,7 @@
           return err;
       }
   
  -    sc->szCertificateChain = arg;
  +    sc->server->cert_chain = arg;
   
       return NULL;
   }
  @@ -663,7 +695,7 @@
   const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
                                            const char *arg)
   {
  -    SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
  +    /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
       SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
       const char *err;
   
  @@ -671,7 +703,8 @@
           return err;
       }
   
  -    MODSSL_SET_CA(szCACertificatePath);
  +    /* XXX: bring back per-dir */
  +    sc->server->auth.ca_cert_path = arg;
   
       return NULL;
   }
  @@ -679,7 +712,7 @@
   const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx,
                                            const char *arg)
   {
  -    SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
  +    /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
       SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
       const char *err;
   
  @@ -687,7 +720,8 @@
           return err;
       }
   
  -    MODSSL_SET_CA(szCACertificateFile);
  +    /* XXX: bring back per-dir */
  +    sc->server->auth.ca_cert_file = arg;
   
       return NULL;
   }
  @@ -702,7 +736,7 @@
           return err;
       }
   
  -    sc->szCARevocationPath = arg;
  +    sc->server->crl_path = arg;
   
       return NULL;
   }
  @@ -717,7 +751,7 @@
           return err;
       }
   
  -    sc->szCARevocationFile = arg;
  +    sc->server->crl_file = arg;
   
       return NULL;
   }
  @@ -763,7 +797,7 @@
           dc->nVerifyClient = id;
       }
       else {
  -        sc->nVerifyClient = id;
  +        sc->server->auth.verify_mode = id;
       }
   
       return NULL;
  @@ -798,7 +832,7 @@
           dc->nVerifyDepth = depth;
       }
       else {
  -        sc->nVerifyDepth = depth;
  +        sc->server->auth.verify_depth = depth;
       }
   
       return NULL;
  @@ -1141,7 +1175,7 @@
   {
       SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
   
  -    return ssl_cmd_protocol_parse(cmd, opt, &sc->nProtocol);
  +    return ssl_cmd_protocol_parse(cmd, opt, &sc->server->protocol);
   }
   
   #ifdef SSL_EXPERIMENTAL_PROXY
  
  
  
  1.82      +45 -45    httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.81
  retrieving revision 1.82
  diff -u -r1.81 -r1.82
  --- ssl_engine_init.c	28 Mar 2002 17:11:12 -0000	1.81
  +++ ssl_engine_init.c	28 Mar 2002 18:50:07 -0000	1.82
  @@ -239,8 +239,8 @@
               sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
           }
   
  -        if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) {
  -            sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
  +        if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
  +            sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
           }
   
           /* Open the dedicated SSL logfile */
  @@ -374,7 +374,7 @@
        * check for important parameters and the
        * possibility that the user forgot to set them.
        */
  -    if (!sc->szPublicCertFiles[0]) {
  +    if (!sc->server->pks->cert_files[0]) {
           ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "No SSL Certificate set [hint: SSLCertificateFile]");
           ssl_die();
  @@ -383,8 +383,8 @@
       /*
        *  Check for problematic re-initializations
        */
  -    if (sc->pPublicCert[SSL_AIDX_RSA] ||
  -        sc->pPublicCert[SSL_AIDX_DSA])
  +    if (sc->server->pks->certs[SSL_AIDX_RSA] ||
  +        sc->server->pks->certs[SSL_AIDX_DSA])
       {
           ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Illegal attempt to re-initialise SSL for server "
  @@ -400,7 +400,7 @@
   {
       SSL_CTX *ctx = NULL;
       char *cp;
  -    int protocol = sc->nProtocol;
  +    int protocol = sc->server->protocol;
   
       /*
        *  Create the new per-server SSL context
  @@ -428,7 +428,7 @@
           ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
       }
   
  -    sc->pSSLCtx = ctx;
  +    sc->server->ssl_ctx = ctx;
   
       SSL_CTX_set_options(ctx, SSL_OP_ALL);
   
  @@ -459,7 +459,7 @@
                                          apr_pool_t *ptemp,
                                          SSLSrvConfigRec *sc)
   {
  -    SSL_CTX *ctx = sc->pSSLCtx;
  +    SSL_CTX *ctx = sc->server->ssl_ctx;
       SSLModConfigRec *mc = myModConfig(s);
       long cache_mode = SSL_SESS_CACHE_OFF;
   
  @@ -483,7 +483,7 @@
                                      apr_pool_t *ptemp,
                                      SSLSrvConfigRec *sc)
   {
  -    SSL_CTX *ctx = sc->pSSLCtx;
  +    SSL_CTX *ctx = sc->server->ssl_ctx;
   
       SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
       SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
  @@ -499,28 +499,28 @@
                                   apr_pool_t *ptemp,
                                   SSLSrvConfigRec *sc)
   {
  -    SSL_CTX *ctx = sc->pSSLCtx;
  +    SSL_CTX *ctx = sc->server->ssl_ctx;
   
       int verify = SSL_VERIFY_NONE;
       STACK_OF(X509_NAME) *ca_list;
   
  -    if (sc->nVerifyClient == SSL_CVERIFY_UNSET) {
  -        sc->nVerifyClient = SSL_CVERIFY_NONE;
  +    if (sc->server->auth.verify_mode == SSL_CVERIFY_UNSET) {
  +        sc->server->auth.verify_mode = SSL_CVERIFY_NONE;
       }
   
  -    if (sc->nVerifyDepth == UNSET) {
  -        sc->nVerifyDepth = 1;
  +    if (sc->server->auth.verify_depth == UNSET) {
  +        sc->server->auth.verify_depth = 1;
       }
   
       /*
        *  Configure callbacks for SSL context
        */
  -    if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
  +    if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
           verify |= SSL_VERIFY_PEER_STRICT;
       }
   
  -    if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
  -        (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
  +    if ((sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
  +        (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
       {
           verify |= SSL_VERIFY_PEER;
       }
  @@ -530,13 +530,13 @@
       /*
        * Configure Client Authentication details
        */
  -    if (sc->szCACertificateFile || sc->szCACertificatePath) {
  +    if (sc->server->auth.ca_cert_file || sc->server->auth.ca_cert_path) {
           ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
                   "Configuring client authentication");
   
           if (!SSL_CTX_load_verify_locations(ctx,
  -                                           sc->szCACertificateFile,
  -                                           sc->szCACertificatePath))
  +                                           sc->server->auth.ca_cert_file,
  +                                           sc->server->auth.ca_cert_path))
           {
               ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
                       "Unable to configure verify locations "
  @@ -545,8 +545,8 @@
           }
   
           ca_list = ssl_init_FindCAList(s, ptemp,
  -                                      sc->szCACertificateFile,
  -                                      sc->szCACertificatePath);
  +                                      sc->server->auth.ca_cert_file,
  +                                      sc->server->auth.ca_cert_path);
           if (!ca_list) {
               ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                       "Unable to determine list of available "
  @@ -561,7 +561,7 @@
        * Give a warning when no CAs were configured but client authentication
        * should take place. This cannot work.
        */
  -    if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
  +    if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
           ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
   
           if (sk_X509_NAME_num(ca_list) == 0) {
  @@ -578,8 +578,8 @@
                                         apr_pool_t *ptemp,
                                         SSLSrvConfigRec *sc)
   {
  -    SSL_CTX *ctx = sc->pSSLCtx;
  -    const char *suite = sc->szCipherSuite;
  +    SSL_CTX *ctx = sc->server->ssl_ctx;
  +    const char *suite = sc->server->auth.cipher_suite;
   
       /*
        *  Configure SSL Cipher Suite
  @@ -608,18 +608,18 @@
        * Configure Certificate Revocation List (CRL) Details
        */
   
  -    if (!(sc->szCARevocationFile || sc->szCARevocationPath)) {
  +    if (!(sc->server->crl_file || sc->server->crl_path)) {
           return;
       }
   
       ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
               "Configuring certificate revocation facility");
   
  -    sc->pRevocationStore =
  -        SSL_X509_STORE_create((char *)sc->szCARevocationFile,
  -                              (char *)sc->szCARevocationPath);
  +    sc->server->crl =
  +        SSL_X509_STORE_create((char *)sc->server->crl_file,
  +                              (char *)sc->server->crl_path);
   
  -    if (!sc->pRevocationStore) {
  +    if (!sc->server->crl) {
           ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
                   "Unable to configure X.509 CRL storage "
                   "for certificate revocation");
  @@ -634,7 +634,7 @@
   {
       BOOL skip_first = TRUE;
       int i, n;
  -    const char *chain = sc->szCertificateChain;
  +    const char *chain = sc->server->cert_chain;
   
       /* 
        * Optionally configure extra server certificate chain certificates.
  @@ -654,14 +654,14 @@
           return;
       }
   
  -    for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFiles[i]; i++) {
  -        if (strEQ(sc->szPublicCertFiles[i], chain)) {
  +    for (i = 0; (i < SSL_AIDX_MAX) && sc->server->pks->cert_files[i];
i++) {
  +        if (strEQ(sc->server->pks->cert_files[i], chain)) {
               skip_first = TRUE;
               break;
           }
       }
   
  -    n = SSL_CTX_use_certificate_chain(sc->pSSLCtx,
  +    n = SSL_CTX_use_certificate_chain(sc->server->ssl_ctx,
                                         (char *)chain, 
                                         skip_first, NULL);
       if (n < 0) {
  @@ -701,13 +701,13 @@
           ssl_die();
       }
   
  -    if (SSL_CTX_use_certificate(sc->pSSLCtx, cert) <= 0) {
  +    if (SSL_CTX_use_certificate(sc->server->ssl_ctx, cert) <= 0) {
           ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
                   "Unable to configure %s server certificate", type);
           ssl_die();
       }
   
  -    sc->pPublicCert[idx] = cert;
  +    sc->server->pks->certs[idx] = cert;
   
       return TRUE;
   }
  @@ -739,7 +739,7 @@
           ssl_die();
       }
   
  -    if (SSL_CTX_use_PrivateKey(sc->pSSLCtx, pkey) <= 0) {
  +    if (SSL_CTX_use_PrivateKey(sc->server->ssl_ctx, pkey) <= 0) {
           ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
                   "Unable to configure %s server private key", type);
           ssl_die();
  @@ -749,8 +749,8 @@
        * XXX: wonder if this is still needed, this is old todo doc.
        * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
        */
  -    if ((pkey_type == EVP_PKEY_DSA) && sc->pPublicCert[idx]) {
  -        EVP_PKEY *pubkey = X509_get_pubkey(sc->pPublicCert[idx]);
  +    if ((pkey_type == EVP_PKEY_DSA) && sc->server->pks->certs[idx]) {
  +        EVP_PKEY *pubkey = X509_get_pubkey(sc->server->pks->certs[idx]);
   
           if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
               EVP_PKEY_copy_parameters(pubkey, pkey);
  @@ -759,7 +759,7 @@
           }
       }
   
  -    sc->pPrivateKey[idx] = pkey;
  +    sc->server->pks->keys[idx] = pkey;
   
       return TRUE;
   }
  @@ -847,7 +847,7 @@
       }
   
       for (i = 0; i < SSL_AIDX_MAX; i++) {
  -        ssl_check_public_cert(s, ptemp, sc->pPublicCert[i], i);
  +        ssl_check_public_cert(s, ptemp, sc->server->pks->certs[i], i);
       }
   
       have_rsa = ssl_server_import_key(s, sc, rsa_id, SSL_AIDX_RSA);
  @@ -1107,17 +1107,17 @@
   
           for (i=0; i < SSL_AIDX_MAX; i++) {
               MODSSL_CFG_ITEM_FREE(X509_free,
  -                                 sc->pPublicCert[i]);
  +                                 sc->server->pks->certs[i]);
   
               MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
  -                                 sc->pPrivateKey[i]);
  +                                 sc->server->pks->keys[i]);
           }
   
           MODSSL_CFG_ITEM_FREE(X509_STORE_free,
  -                             sc->pRevocationStore);
  +                             sc->server->crl);
   
           MODSSL_CFG_ITEM_FREE(SSL_CTX_free,
  -                             sc->pSSLCtx);
  +                             sc->server->ssl_ctx);
       }
   
       /*
  
  
  
  1.61      +6 -6      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.60
  retrieving revision 1.61
  diff -u -r1.60 -r1.61
  --- ssl_engine_kernel.c	28 Mar 2002 17:11:12 -0000	1.60
  +++ ssl_engine_kernel.c	28 Mar 2002 18:50:07 -0000	1.61
  @@ -497,7 +497,7 @@
       if (dc->nVerifyDepth != UNSET) {
           /* XXX: doesnt look like sslconn->verify_depth is actually used */
           if (!(n = sslconn->verify_depth)) {
  -            sslconn->verify_depth = n = sc->nVerifyDepth;
  +            sslconn->verify_depth = n = sc->server->auth.verify_depth;
           }
   
           /* determine whether a renegotiation has to be forced */
  @@ -1301,7 +1301,7 @@
           verify = dc->nVerifyClient;
       }
       else {
  -        verify = sc->nVerifyClient;
  +        verify = sc->server->auth.verify_mode;
       }
   
       if (ssl_verify_error_is_optional(errnum) &&
  @@ -1344,7 +1344,7 @@
           depth = dc->nVerifyDepth;
       }
       else {
  -        depth = sc->nVerifyDepth;
  +        depth = sc->server->auth.verify_depth;
       }
   
       if (errdepth > depth) {
  @@ -1378,7 +1378,7 @@
        * Unless a revocation store for CRLs was created we
        * cannot do any CRL-based verification, of course.
        */
  -    if (!sc->pRevocationStore) {
  +    if (!sc->server->crl) {
           return ok;
       }
   
  @@ -1425,7 +1425,7 @@
        * the current certificate in order to verify it's integrity.
        */
       memset((char *)&obj, 0, sizeof(obj));
  -    rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
  +    rc = SSL_X509_STORE_lookup(sc->server->crl,
                                  X509_LU_CRL, subject, &obj);
       crl = obj.data.crl;
   
  @@ -1502,7 +1502,7 @@
        * the current certificate in order to check for revocation.
        */
       memset((char *)&obj, 0, sizeof(obj));
  -    rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
  +    rc = SSL_X509_STORE_lookup(sc->server->crl,
                                  X509_LU_CRL, issuer, &obj);
   
       crl = obj.data.crl;
  
  
  
  1.35      +26 -26    httpd-2.0/modules/ssl/ssl_engine_pphrase.c
  
  Index: ssl_engine_pphrase.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
  retrieving revision 1.34
  retrieving revision 1.35
  diff -u -r1.34 -r1.35
  --- ssl_engine_pphrase.c	28 Mar 2002 17:11:12 -0000	1.34
  +++ ssl_engine_pphrase.c	28 Mar 2002 18:50:07 -0000	1.35
  @@ -213,7 +213,7 @@
            * Read in server certificate(s): This is the easy part
            * because this file isn't encrypted in any way.
            */
  -        if (sc->szPublicCertFiles[0] == NULL) {
  +        if (sc->server->pks->cert_files[0] == NULL) {
               ssl_log(pServ, SSL_LOG_ERROR|SSL_INIT,
                       "Server should be SSL-aware but has no certificate configured "
                       "[Hint: SSLCertificateFile]");
  @@ -221,9 +221,9 @@
           }
           algoCert = SSL_ALGO_UNKNOWN;
           algoKey  = SSL_ALGO_UNKNOWN;
  -        for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFiles[i] !=
NULL; i++) {
  +        for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i]
!= NULL; i++) {
   
  -            apr_cpystrn(szPath, sc->szPublicCertFiles[i], sizeof(szPath));
  +            apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
               if ( exists_and_readable(szPath, p, NULL) != APR_SUCCESS ) {
                   ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
                           "Init: Can't open server certificate file %s", szPath);
  @@ -282,8 +282,8 @@
                * phrase for all). When this is the case we can minimize the dialogs
                * by trying to re-use already known/entered pass phrases.
                */
  -            if (sc->szPrivateKeyFiles[j] != NULL)
  -                apr_cpystrn(szPath, sc->szPrivateKeyFiles[j++], sizeof(szPath));
  +            if (sc->server->pks->key_files[j] != NULL)
  +                apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));
   
               /*
                * Try to read the private key file with the help of
  @@ -390,10 +390,10 @@
                    * chances...
                    */
   #ifndef WIN32
  -                if ((sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
  -                       || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE)
  +                if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
  +                       || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
   #else
  -                if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE
  +                if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
   #endif
                       && cpPassPhraseCur != NULL
                       && nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
  @@ -408,7 +408,7 @@
                       continue;
                   }
   #ifdef WIN32
  -                if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) {
  +                if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
                       ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                               "Init: PassPhraseDialog BuiltIn not supported in server private
key from file %s", szPath);
                       ssl_die();
  @@ -429,16 +429,16 @@
                       else {
                           ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key
not found");
                       }
  -                    if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
  -                          || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
  +                    if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
  +                          || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
{
                           apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not
found.\n");
                           apr_file_printf(writetty, "**Stopped\n");
                       }
                   }
                   else {
                       ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
  -                    if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
  -                          || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
  +                    if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
  +                          || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
{
                           apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
                           apr_file_printf(writetty, "**Stopped\n");
                       }
  @@ -524,8 +524,8 @@
        */
       if (nPassPhraseDialog > 0) {
           sc = mySrvConfig(s);
  -        if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
  -              || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
  +        if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
  +              || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
               apr_file_printf(writetty, "\n");
               apr_file_printf(writetty, "Ok: Pass Phrase Dialog successful.\n");
           }
  @@ -667,21 +667,21 @@
       /*
        * Builtin or Pipe dialog
        */
  -    if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
  -          || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
  +    if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
  +          || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
           char *prompt;
           int i;
   
  -        if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
  +        if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
               if (!readtty) {
                   ssl_log(s, SSL_LOG_INFO,
                           "Init: Creating pass phrase dialog pipe child '%s'",
  -                        sc->szPassPhraseDialogPath);
  -	        if (ssl_pipe_child_create(p, sc->szPassPhraseDialogPath)
  +                        sc->server->pphrase_dialog_path);
  +	        if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path)
                           != APR_SUCCESS) {
                       ssl_log(s, SSL_LOG_ERROR,
                               "Init: Failed to create pass phrase pipe '%s'",
  -                            sc->szPassPhraseDialogPath);
  +                            sc->server->pphrase_dialog_path);
                       PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
                       memset(buf, 0, (unsigned int)bufsize);
                       return (-1);
  @@ -690,7 +690,7 @@
               ssl_log(s, SSL_LOG_INFO,
                       "Init: Requesting pass phrase via piped dialog");
           }
  -        else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */ 
  +        else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ 
   #ifdef WIN32
               PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
               memset(buf, 0, (unsigned int)bufsize);
  @@ -735,10 +735,10 @@
           apr_file_puts(prompt, writetty);
   
           for (;;) {
  -            if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
  +            if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
                   i = pipe_get_passwd_cb(buf, bufsize, "", FALSE); 
               }  
  -            else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */
  +            else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
                   i = EVP_read_pw_string(buf, bufsize, "", FALSE); 
               }  
               if (i != 0) {
  @@ -757,8 +757,8 @@
       /*
        * Filter program
        */
  -    else if (sc->nPassPhraseDialogType == SSL_PPTYPE_FILTER) {
  -        const char *cmd = sc->szPassPhraseDialogPath;
  +    else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
  +        const char *cmd = sc->server->pphrase_dialog_path;
           const char **argv = apr_palloc(p, sizeof(char *) * 4);
           char *result;
   
  
  
  

Mime
View raw message