httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From do...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl mod_ssl.h ssl_engine_init.c ssl_engine_kernel.c
Date Sat, 30 Mar 2002 05:40:03 GMT
dougm       02/03/29 21:40:03

  Modified:    modules/ssl mod_ssl.h ssl_engine_init.c ssl_engine_kernel.c
  Log:
  implement proxy client certificate callback
  (uses SSLProxyMachineCertificate{File,Cert} when downstream server
  requires a client certificate)
  
  Revision  Changes    Path
  1.108     +1 -0      httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.107
  retrieving revision 1.108
  diff -u -r1.107 -r1.108
  --- mod_ssl.h	30 Mar 2002 00:00:21 -0000	1.107
  +++ mod_ssl.h	30 Mar 2002 05:40:02 -0000	1.108
  @@ -628,6 +628,7 @@
   DH          *ssl_callback_TmpDH(SSL *, int, int);
   int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
   int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, server_rec *);
  +int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
   int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
   SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
   void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
  
  
  
  1.92      +4 -0      httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -u -r1.91 -r1.92
  --- ssl_engine_init.c	30 Mar 2002 01:50:10 -0000	1.91
  +++ ssl_engine_init.c	30 Mar 2002 05:40:02 -0000	1.92
  @@ -908,6 +908,9 @@
       STACK_OF(X509_INFO) *sk;
       modssl_pk_proxy_t *pkp = mctx->pkp;
   
  +    SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
  +                               ssl_callback_proxy_cert);
  +
       if (!(pkp->cert_file || pkp->cert_path)) {
           return;
       }
  @@ -926,6 +929,7 @@
           ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
                   "loaded %d client certs for SSL proxy",
                   ncerts);
  +
           pkp->certs = sk;
       }
       else {
  
  
  
  1.62      +98 -0     httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.61
  retrieving revision 1.62
  diff -u -r1.61 -r1.62
  --- ssl_engine_kernel.c	28 Mar 2002 18:50:07 -0000	1.61
  +++ ssl_engine_kernel.c	30 Mar 2002 05:40:02 -0000	1.62
  @@ -1543,6 +1543,104 @@
       return ok;
   }
   
  +#define SSLPROXY_CERT_CB_LOG_FMT \
  +   "Proxy client certificate callback: (%s) "
  +
  +static void modssl_proxy_info_log(server_rec *s,
  +                                  X509_INFO *info,
  +                                  const char *msg)
  +{
  +    SSLSrvConfigRec *sc = mySrvConfig(s);
  +    char name_buf[256];
  +    X509_NAME *name;
  +    const char *dn;
  +
  +    if (sc->log_level < SSL_LOG_TRACE) {
  +        return;
  +    }
  +
  +    name = X509_get_subject_name(info->x509);
  +    dn = X509_NAME_oneline(name, name_buf, sizeof(name_buf));
  +
  +    ssl_log(s, SSL_LOG_TRACE,
  +            SSLPROXY_CERT_CB_LOG_FMT "%s, sending %s", 
  +            sc->vhost_id, msg, dn ? dn : "-uknown-");
  +}
  +
  +/*
  + * caller will decrement the cert and key reference
  + * so we need to increment here to prevent them from
  + * being freed.
  + */
  +#define modssl_set_cert_info(info, cert, pkey) \
  +    *cert = info->x509; \
  +    *pkey = info->x_pkey->dec_pkey; \
  +    CRYPTO_add(&((*cert)->references), +1, CRYPTO_LOCK_X509_PKEY); \
  +    CRYPTO_add(&((*pkey)->references), +1, CRYPTO_LOCK_X509_PKEY)
  +
  +int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 
  +{
  +    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
  +    server_rec *s = c->base_server;
  +    SSLSrvConfigRec *sc = mySrvConfig(s);
  +    X509_NAME *ca_name, *issuer;
  +    X509_INFO *info;
  +    STACK_OF(X509_NAME) *ca_list;
  +    STACK_OF(X509_INFO) *certs = sc->proxy->pkp->certs;
  +    int i, j;
  +    
  +    ssl_log(s, SSL_LOG_TRACE, 
  +            SSLPROXY_CERT_CB_LOG_FMT "entered",
  +            sc->vhost_id);
  +
  +    if (!certs || (sk_X509_INFO_num(certs) <= 0)) {
  +        ssl_log(s, SSL_LOG_WARN,
  +                SSLPROXY_CERT_CB_LOG_FMT
  +                "downstream server wanted client certificate "
  +                "but none are configured", sc->vhost_id);
  +        return FALSE;
  +    }                                                                     
  +
  +    ca_list = SSL_get_client_CA_list(ssl);
  +
  +    if (!ca_list || (sk_X509_NAME_num(ca_list) <= 0)) {
  +        /* 
  +         * downstream server didn't send us a list of acceptable CA certs, 
  +         * so we send the first client cert in the list.
  +         */   
  +        info = sk_X509_INFO_value(certs, 0);
  +        
  +        modssl_proxy_info_log(s, info, "no acceptable CA list");
  +
  +        modssl_set_cert_info(info, x509, pkey);
  +
  +        return TRUE;
  +    }         
  +
  +    for (i = 0; i < sk_X509_NAME_num(ca_list); i++) {
  +        ca_name = sk_X509_NAME_value(ca_list, i);
  +
  +        for (j = 0; j < sk_X509_INFO_num(certs); j++) {
  +            info = sk_X509_INFO_value(certs, j);
  +            issuer = X509_get_issuer_name(info->x509);
  +
  +            if (X509_NAME_cmp(issuer, ca_name) == 0) {
  +                modssl_proxy_info_log(s, info, "found acceptable cert");
  +
  +                modssl_set_cert_info(info, x509, pkey);
  +
  +                return TRUE;
  +            }
  +        }
  +    }
  +
  +    ssl_log(s, SSL_LOG_TRACE,
  +            SSLPROXY_CERT_CB_LOG_FMT
  +            "no client certificate found!?", sc->vhost_id);
  +
  +    return FALSE; 
  +}
  +
   static void ssl_session_log(server_rec *s,
                               const char *request,
                               unsigned char *id,
  
  
  

Mime
View raw message