httpd-dev mailing list archives

From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <madhusudan_mathiha...@hp.com>
Subject RE: mod_ssl ssl::verify::depth ?
Date Thu, 22 Nov 2001 01:23:08 GMT
If I'm not wrong, what we're trying to do here is to enforce the strongest
SSLVerifyDepth between the directory config and the server config. I'm not sure
if this patch would achieve that.

Thx
-Madhu

-----Original Message-----
From: Doug MacEachern [mailto:dougm@covalent.net]
Sent: Wednesday, November 21, 2001 3:53 PM
To: dev@httpd.apache.org
Subject: mod_ssl ssl::verify::depth ?


I was about to move the usage of c->notes.ssl::verify::depth to
SSLConnRec.verify_depth and in the process noticed the bloody thing is
never used.  The comment says:

    /*
     * override of SSLVerifyDepth
     *
     * The depth checks are handled by us manually inside the verify callback
     * function and not by OpenSSL internally (and our function is aware of
     * both the per-server and per-directory contexts). So we cannot ask
     * OpenSSL about the currently verify depth. Instead we remember it in our
     * ap_ctx attached to the SSL* of OpenSSL.  We've to force the
     * renegotiation if the reconfigured/new verify depth is less than the
     * currently active/remembered verify depth (because this means more
     * restriction on the certificate chain).
     */

But if you look at the patch below, after the ssl::verify::depth usage is
replaced, this is the only place it is referenced, in ssl_hook_Access:

        if (!(n = sslconn->verify_depth)) {
            sslconn->verify_depth = n = sc->nVerifyDepth;
        }

I see no reason why that couldn't just be:
        n = sc->nVerifyDepth;

Can anybody see something I'm missing?  mod_ssl 1.x is no different.

Index: mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.34
diff -u -r1.34 mod_ssl.c
--- mod_ssl.c	2001/11/21 22:29:14	1.34
+++ mod_ssl.c	2001/11/21 23:17:16
@@ -274,7 +274,6 @@
     SSL_set_app_data(ssl, c);
     apctx = apr_table_make(c->pool, AP_CTX_MAX_ENTRIES);
     apr_table_setn(apctx, "ssl::request_rec", NULL);
-    apr_table_setn(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0));
     SSL_set_app_data2(ssl, apctx);
 
     sslconn->ssl = ssl;
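Review bot: with the ssl::verify::depth note no longer seeded here, the check in ssl_hook_Access now depends on sslconn->verify_depth starting out as 0; the allocation of sslconn is outside this hunk, so confirm it comes from apr_pcalloc (or zero the field explicitly next to `sslconn->ssl = ssl;`), otherwise `if (!(n = sslconn->verify_depth))` reads an uninitialised int. The apctx table is still created and still carries "ssl::request_rec", so nothing else in this hunk relied on the removed entry.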
Index: mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.38
diff -u -r1.38 mod_ssl.h
--- mod_ssl.h	2001/11/21 22:29:14	1.38
+++ mod_ssl.h	2001/11/21 23:17:16
@@ -462,6 +462,7 @@
     ssl_shutdown_type_e shutdown_type;
     const char *verify_info;
     const char *verify_error;
+    int verify_depth;
 } SSLConnRec;
 
 typedef struct {
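Review bot: the new `int verify_depth;` has no comment although the ssl_engine_kernel.c hunk gives the value 0 a special meaning (not yet seeded from sc->nVerifyDepth); document that at the declaration, or initialise the field to UNSET, which this code base already uses for nVerifyDepth, so that a configured depth of 0 cannot be mistaken for "unset".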
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.24
diff -u -r1.24 ssl_engine_kernel.c
--- ssl_engine_kernel.c	2001/11/21 22:29:14	1.24
+++ ssl_engine_kernel.c	2001/11/21 23:17:18
@@ -371,11 +371,9 @@
     STACK_OF(SSL_CIPHER) *skCipherOld;
     STACK_OF(SSL_CIPHER) *skCipher;
     SSL_CIPHER *pCipher;
-    apr_table_t *apctx;
     int nVerifyOld;
     int nVerify;
     int n;
-    void *vp;
     int rc;
 
     dc  = myDirConfig(r);
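Review bot: this hunk removes the apctx and vp locals but adds no declaration for sslconn, which the next hunk dereferences; ssl_hook_Access must already have a `SSLConnRec *sslconn` local outside the shown context, otherwise the patch will not compile. Worth confirming before commit since the declaration block is exactly what this hunk edits.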
@@ -522,13 +520,10 @@
      * restriction on the certificate chain).
      */
     if (dc->nVerifyDepth != UNSET) {
-        apctx = (apr_table_t *)SSL_get_app_data2(ssl);
-        if ((vp = (void *)apr_table_get(apctx, "ssl::verify::depth")) !=
NULL)
-            n = (int)AP_CTX_PTR2NUM(vp);
-        else
-            n = sc->nVerifyDepth;
-        apr_table_setn(apctx, "ssl::verify::depth",
-                   (const char *)AP_CTX_NUM2PTR(dc->nVerifyDepth));
+        if (!(n = sslconn->verify_depth)) {
+            sslconn->verify_depth = n = sc->nVerifyDepth;
+        }
+
         /* determine whether a renegotiation has to be forced */
         if (dc->nVerifyDepth < n) {
             renegotiate = TRUE;
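Review bot: the replacement never stores dc->nVerifyDepth, which the removed `apr_table_setn(apctx, "ssl::verify::depth", ... dc->nVerifyDepth)` did after the lookup, so sslconn->verify_depth only ever holds sc->nVerifyDepth and the test reduces to `dc->nVerifyDepth < sc->nVerifyDepth`. That supports the mail's suggestion to write `n = sc->nVerifyDepth;` and drop the field, but it is a behaviour change from the note-based code: a per-directory depth that is lower than the previously remembered per-directory depth, yet not lower than the server depth, no longer forces a renegotiation. Either keep the store of dc->nVerifyDepth, or update the comment above that says the active depth is remembered, so the code and comment agree.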

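To make the question in the thread concrete, the following is an added example (not mod_ssl code, not from either poster) that models the two versions of the depth check in ssl_hook_Access side by side and reports which requests on one keep-alive connection would force a renegotiation. It assumes that AP_CTX_NUM2PTR(0) is a null pointer, so a remembered depth of 0 in the old note-based code reads as "not present" and falls back to the server depth; the sequence of per-directory depths is constructed for illustration.

```c
/* Added example: models the old (ssl::verify::depth note) and patched
 * (SSLConnRec.verify_depth) logic from the thread.  Not mod_ssl code. */
#include <stdio.h>
#include <stddef.h>

#define UNSET (-1)   /* mod_ssl's "directive not given" marker for nVerifyDepth */

/* Stand-in for the per-connection state.  In both versions the remembered
 * depth starts at 0: the old code seeds the note with AP_CTX_NUM2PTR(0),
 * the patched code relies on a zeroed SSLConnRec. */
typedef struct {
    int remembered;
} conn_state;

/* Old ssl_hook_Access logic for one request.  Returns 1 if a renegotiation
 * would be forced.  Assumption: AP_CTX_NUM2PTR(0) is NULL, so a remembered
 * value of 0 is treated like "no note" and falls back to sc_depth. */
int old_depth_check(conn_state *c, int sc_depth, int dc_depth)
{
    int n;
    if (dc_depth == UNSET)                /* whole block is inside this test */
        return 0;
    n = c->remembered ? c->remembered : sc_depth;
    c->remembered = dc_depth;             /* apr_table_setn(..., dc->nVerifyDepth) */
    return dc_depth < n;
}

/* Patched logic: the field is seeded once from sc_depth and never updated
 * with the per-directory depth afterwards. */
int new_depth_check(conn_state *c, int sc_depth, int dc_depth)
{
    int n;
    if (dc_depth == UNSET)
        return 0;
    if (!(n = c->remembered))
        c->remembered = n = sc_depth;
    return dc_depth < n;
}

/* Run a sequence of per-directory depths on one connection.  Returns a
 * bitmask with bit i set if request i forces a renegotiation. */
unsigned run_sequence(int (*check)(conn_state *, int, int),
                      int sc_depth, const int *dc_depths, size_t count)
{
    conn_state c = { 0 };
    unsigned mask = 0;
    size_t i;
    for (i = 0; i < count; i++)
        if (check(&c, sc_depth, dc_depths[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    /* Constructed scenario: SSLVerifyDepth 1 at server level, then three
     * requests on one keep-alive connection hitting <Directory> blocks with
     * SSLVerifyDepth 3, 2 and 1.  The old code renegotiates on the 2nd and
     * 3rd request (mask 6); the patched code never does (mask 0). */
    const int dirs[] = { 3, 2, 1 };
    size_t i;
    unsigned old_mask = run_sequence(old_depth_check, 1, dirs, 3);
    unsigned new_mask = run_sequence(new_depth_check, 1, dirs, 3);

    for (i = 0; i < 3; i++)
        printf("request %u (dir depth %d): old %s, patched %s\n",
               (unsigned)i, dirs[i],
               (old_mask >> i) & 1u ? "renegotiate" : "keep",
               (new_mask >> i) & 1u ? "renegotiate" : "keep");
    return 0;
}
```

The two versions agree whenever a per-directory depth drops below the server depth (that case renegotiates in both), and diverge only when a later per-directory depth is lower than an earlier per-directory depth but not lower than the server depth, which is exactly the case the "remembered" depth in the comment was meant to catch.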