httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r776279 - in /httpd/httpd/branches/2.2.x: ./ docs/ modules/ssl/ssl_engine_io.c support/ab.c support/suexec.c
Date Tue, 19 May 2009 11:41:37 GMT
Author: jim
Date: Tue May 19 11:41:37 2009
New Revision: 776279

URL: http://svn.apache.org/viewvc?rev=776279&view=rev
Log:
Merge r769809 from trunk:

* Improve and simplify the implementation of SSLProxyCheckPeerExpire by
  directly using X509_get_notBefore(), X509_get_notAfter() and
  X509_cmp_current_time().
  Thanks to jorton for the pointer.

Submitted by: rpluem
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/docs/   (props changed)
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
    httpd/httpd/branches/2.2.x/support/ab.c   (props changed)
    httpd/httpd/branches/2.2.x/support/suexec.c   (props changed)

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue May 19 11:41:37 2009
@@ -1 +1 @@
-/httpd/httpd/trunk:451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535
+/httpd/httpd/trunk:451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809

Propchange: httpd/httpd/branches/2.2.x/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue May 19 11:41:37 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/docs:451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,675610,678761,680082,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693120,693392,693727-693728,696006,697093,703441,703997,706318,707163,708902,711421,719357,720250,726109,728015,728020,728220,729316-729317,729586,732414,732421,732451,732504,732832,733127,733134,733218-733219,733465,733467,733695,734703,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535
+/httpd/httpd/trunk/docs:451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,675610,678761,680082,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693120,693392,693727-693728,696006,697093,703441,703997,706318,707163,708902,711421,719357,720250,726109,728015,728020,728220,729316-729317,729586,732414,732421,732451,732504,732832,733127,733134,733218-733219,733465,733467,733695,734703,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=776279&r1=776278&r2=776279&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Tue May 19 11:41:37 2009
@@ -1012,31 +1012,6 @@
 }
 
 /*
- * Parse an ASN1time string as returned by ASN1_UTCTIME_print into an
- * apr_time_t.
- */
-static apr_time_t parseASN1time(apr_pool_t *p, const char *asn1time)
-{
-    char *asctime;
-
-    /*
-     * Little bit ugly hack:
-     * The ASN1time looks very similar to the asctime format which can be
-     * parsed by apr_date_parse_rfc:
-     * It misses the weekday at the beginning (which is ignored by
-     * apr_date_parse_rfc anyway) and it has a GMT at the end which
-     * does not into the asctime pattern. So add a dummy "Sun " before
-     * the ASN1time and remove the GMT string at the end.
-     */
-    asctime = apr_pstrcat(p, "Sun ", asn1time, NULL);
-    if (strlen(asctime) < 25) {
-        return APR_DATE_BAD;
-    }
-    asctime[24] = '\0';
-    return apr_date_parse_rfc(asctime);
-}
-
-/*
  * The hook is NOT registered with ap_hook_process_connection. Instead, it is
  * called manually from the churn () before it tries to read any data.
  * There is some problem if I accept conn_rec *. Still investigating..
@@ -1070,26 +1045,22 @@
         }
 
         if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
-            apr_time_t start_time;
-            apr_time_t end_time;
-            apr_time_t now;
-
-            start_time = parseASN1time(c->pool,
-                                       ssl_var_lookup(NULL, c->base_server,
-                                                      c, NULL,
-                                                      "SSL_CLIENT_V_START"));
-            end_time = parseASN1time(c->pool,
-                                     ssl_var_lookup(NULL, c->base_server,
-                                                    c, NULL,
-                                                    "SSL_CLIENT_V_END"));
-            now = apr_time_now();
-            if ((now > end_time) || (now < start_time)) {
+            cert = SSL_get_peer_certificate(filter_ctx->pssl);
+            if (!cert
+                || (X509_cmp_current_time(
+                     X509_get_notBefore(cert)) >= 0)
+                || (X509_cmp_current_time(
+                     X509_get_notAfter(cert)) <= 0)) {
                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                               "SSL Proxy: Peer certificate is expired");
+                if (cert) {
+                    X509_free(cert);
+                }
                 /* ensure that the SSL structures etc are freed, etc: */
                 ssl_filter_io_shutdown(filter_ctx, c, 1);
                 return HTTP_BAD_GATEWAY;
             }
+            X509_free(cert);
         }
         if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
             && ((hostname_note =

Propchange: httpd/httpd/branches/2.2.x/support/ab.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue May 19 11:41:37 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/support/ab.c:83751-655654,657354,657433,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535
+/httpd/httpd/trunk/support/ab.c:83751-655654,657354,657433,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809

Propchange: httpd/httpd/branches/2.2.x/support/suexec.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue May 19 11:41:37 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/support/suexec.c:451572,611483,639005,639010,647395,655711,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535
+/httpd/httpd/trunk/support/suexec.c:451572,611483,639005,639010,647395,655711,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809



Mime
View raw message