Return-Path: 
 <cvs-return-15237-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 64168 invoked by uid 500); 17 Mar 2003 17:09:09 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:cvs-help@httpd.apache.org>
list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org>
list-post: <mailto:cvs@httpd.apache.org>
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 64157 invoked by uid 500); 17 Mar 2003 17:09:09 -0000
Delivered-To: apmail-httpd-2.0-cvs@apache.org
Date: 17 Mar 2003 17:09:09 -0000
Message-ID: <20030317170909.50016.qmail@icarus.apache.org>
From: bnicholes@apache.org
To: httpd-2.0-cvs@apache.org
Subject: cvs commit: httpd-2.0/modules/arch/netware mod_nw_ssl.c
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

bnicholes    2003/03/17 09:09:09

  Modified:    modules/arch/netware Tag: APACHE_2_0_BRANCH mod_nw_ssl.c
  Log:
  Added the optional ssl_enable functions to allow mod_proxy to hook into
  mod_nw_ssl on NetWare.This allows a unsecure connection to be upgraded
  to a secure connection when required by mod_proxy.Also added the
  directive NWSSLTrustedCerts to allow an administrator to provide a list of
  certificates used to upgrade the secure connections.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.7.2.2   +124 -1    httpd-2.0/modules/arch/netware/mod_nw_ssl.c
  
  Index: mod_nw_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/arch/netware/mod_nw_ssl.c,v
  retrieving revision 1.7.2.1
  retrieving revision 1.7.2.2
  diff -u -r1.7.2.1 -r1.7.2.2
  --- mod_nw_ssl.c	3 Feb 2003 17:31:32 -0000	1.7.2.1
  +++ mod_nw_ssl.c	17 Mar 2003 17:09:09 -0000	1.7.2.2
  @@ -87,6 +87,10 @@
   #include "ap_listen.h"
   #include "apr_strings.h"
   #include "apr_portable.h"
  +#include "apr_optional.h"
  +
  +APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
  +APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
   
   module AP_MODULE_DECLARE_DATA nwssl_module;
   
  @@ -108,10 +112,30 @@
       apr_table_t *sltable;
   };
   
  +static apr_array_header_t *certlist = NULL;
  +static unicode_t** certarray = NULL;
  +static int numcerts = 0;
   static seclisten_rec* ap_seclisteners = NULL;
   
   #define get_nwssl_cfg(srv) (NWSSLSrvConfigRec *) ap_get_module_config(srv->module_config, &nwssl_module)
   
  +
  +static void build_cert_list (apr_pool_t *p)
  +{
  +    int i;
  +    char **rootcerts = (char **)certlist->elts;
  +
  +    numcerts = certlist->nelts;
  +    certarray = apr_palloc(p, sizeof(unicode_t*)*numcerts);
  +
  +    for (i = 0; i < numcerts; ++i) {
  +        unicode_t *unistr;
  +        unistr = (unicode_t*)apr_palloc(p, strlen(rootcerts[i])*4);
  +        loc2uni (UNI_LOCAL_DEFAULT, unistr, rootcerts[i], 0, 2);
  +        certarray[i] = unistr;
  +    }
  +}
  +
   /*
    * Parses a host of the form <address>[:port]
    * :port is permitted if 'port' is not NULL
  @@ -257,6 +281,66 @@
       return s;
   }
   
  +int convert_secure_socket(conn_rec *c, apr_socket_t *csd)
  +{
  +	int rcode;
  +	struct tlsclientopts sWS2Opts;
  +	struct nwtlsopts sNWTLSOpts;
  +	unsigned long ulFlags;
  +    SOCKET sock;
  +
  +    apr_os_sock_get(&sock, csd);
  +
  +    /* zero out buffers */
  +	memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts));
  +	memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
  +
  +    /* turn on ssl for the socket */
  +	ulFlags = SO_TLS_ENABLE;
  +	rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
  +                     NULL, 0, NULL, NULL, NULL);
  +	if (SOCKET_ERROR == rcode)
  +	{
  +        ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
  +                     "Error: %d with ioctlsocket(flag SO_TLS_ENABLE)", WSAGetLastError());
  +		return rcode;
  +	}
  +
  +
  +    /* setup the socket for SSL */
  +	sWS2Opts.wallet = NULL;    /* no client certificate */
  +	sWS2Opts.walletlen = 0;
  +	sWS2Opts.sidtimeout = 0;
  +	sWS2Opts.sidentries = 0;
  +	sWS2Opts.siddir = NULL;
  +	sWS2Opts.options = &sNWTLSOpts;
  +
  +	sNWTLSOpts.walletProvider 		= WAL_PROV_DER;	//the wallet provider defined in wdefs.h
  +	sNWTLSOpts.TrustedRootList 		= certarray;	//array of certs in UNICODE format
  +	sNWTLSOpts.numElementsInTRList 	= numcerts;     //number of certs in TRList
  +	sNWTLSOpts.keysList 			= NULL;
  +	sNWTLSOpts.numElementsInKeyList = 0;
  +	sNWTLSOpts.reservedforfutureuse = NULL;
  +	sNWTLSOpts.reservedforfutureCRL = NULL;
  +	sNWTLSOpts.reservedforfutureCRLLen = 0;
  +	sNWTLSOpts.reserved1			= NULL;
  +	sNWTLSOpts.reserved2			= NULL;
  +	sNWTLSOpts.reserved3			= NULL;
  +	
  +	
  +    /* make the IOCTL call */
  +	rcode = WSAIoctl(sock, SO_TLS_SET_CLIENT, &sWS2Opts,
  +	  			     sizeof(struct tlsclientopts), NULL, 0, NULL,
  +				     NULL, NULL);
  +	
  +    /* make sure that it was successfull */
  +	if(SOCKET_ERROR == rcode ){
  +        ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
  +                     "Error: %d with ioctl (SO_TLS_SET_CLIENT)", WSAGetLastError());
  +	}		
  +	return rcode;
  +}
  +
   static const char *set_secure_listener(cmd_parms *cmd, void *dummy, 
                                          const char *ips, const char* key, 
                                          const char* mutual)
  @@ -337,14 +421,33 @@
       return APR_SUCCESS;
   }
   
  +static const char *set_trusted_certs(cmd_parms *cmd, void *dummy, char *arg)
  +{
  +    char **ptr = (char **)apr_array_push(certlist);
  +
  +    *ptr = apr_pstrdup(cmd->pool, arg);
  +    return NULL;
  +}
  +
   static int nwssl_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                            apr_pool_t *ptemp)
   {
       ap_seclisteners = NULL;
  +    certlist = apr_array_make(pconf, 1, sizeof(char *));
   
       return OK;
   }
   
  +static int nwssl_pre_connection(conn_rec *c, void *csd)
  +{
  +    
  +    if (apr_table_get(c->notes, "nwconv-ssl")) {
  +        convert_secure_socket(c, (apr_socket_t*)csd);
  +    }
  +    
  +    return OK;
  +}
  +
   static int nwssl_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                             apr_pool_t *ptemp, server_rec *s)
   {
  @@ -383,11 +486,13 @@
                   lr->next = ap_listeners;
                   ap_listeners = lr;
                   apr_pool_cleanup_register(pconf, lr, nwssl_socket_cleanup, apr_pool_cleanup_null);
  -            }                        
  +            }
           } else {
               return HTTP_INTERNAL_SERVER_ERROR;
           }
       } 
  +    build_cert_list(pconf);
  +
       return OK;
   }
   
  @@ -440,20 +545,38 @@
       return NULL;
   }
   
  +int ssl_proxy_enable(conn_rec *c)
  +{
  +    apr_table_set(c->notes, "nwconv-ssl", "Y");
  +
  +    return 1;
  +}
  +
  +int ssl_engine_disable(conn_rec *c)
  +{
  +    return 1;
  +}
  +
   static const command_rec nwssl_module_cmds[] =
   {
       AP_INIT_TAKE23("SecureListen", set_secure_listener, NULL, RSRC_CONF,
         "specify an address and/or port with a key pair name.\n"
         "Optional third parameter of MUTUAL configures the port for mutual authentication."),
  +    AP_INIT_ITERATE("NWSSLTrustedCerts", set_trusted_certs, NULL, RSRC_CONF,
  +        "Adds trusted certificates that are used to create secure connections to proxied servers"),
       {NULL}
   };
   
   static void register_hooks(apr_pool_t *p)
   {
       ap_hook_pre_config(nwssl_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
  +    ap_hook_pre_connection(nwssl_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
       ap_hook_post_config(nwssl_post_config, NULL, NULL, APR_HOOK_MIDDLE);
       ap_hook_fixups(nwssl_hook_Fixup, NULL, NULL, APR_HOOK_MIDDLE);
       ap_hook_http_method(nwssl_hook_http_method,   NULL,NULL, APR_HOOK_MIDDLE);
  +
  +    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
  +    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
   }
   
   module AP_MODULE_DECLARE_DATA nwssl_module =