* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
- if (!(ssl = SSL_new(sc->pSSLCtx))) {
+ if (!(ssl = SSL_new(sc->server->ssl_ctx))) {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to create a new SSL connection from the SSL context");
sslconn->verify_error)
{
if (ssl_verify_error_is_optional(verify_result) &&
- (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{
/* leaving this log message as an error for the moment,
* according to the mod_ssl docs:
* Make really sure that when a peer certificate
* is required we really got one... (be paranoid)
*/
- if ((sc->nVerifyClient == SSL_CVERIFY_REQUIRE) &&
+ if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
!sslconn->client_cert)
{
ssl_log(c->base_server, SSL_LOG_ERROR,
} rCtx;
} SSLModConfigRec;
-/*
- * Define the mod_ssl per-server configuration structure
- * (i.e. the configuration for the main server
- * and all <VirtualHost> contexts)
- */
+/* public cert/private key */
+typedef struct {
+ /*
+ * server only has 1-2 certs/keys
+ * 1 RSA and/or 1 DSA
+ */
+ const char *cert_files[SSL_AIDX_MAX];
+ const char *key_files[SSL_AIDX_MAX];
+ X509 *certs[SSL_AIDX_MAX];
+ EVP_PKEY *keys[SSL_AIDX_MAX];
+} modssl_pk_server_t;
+
+typedef struct {
+ /* proxy can have any number of cert/key pairs */
+ const char *cert_file;
+ const char *cert_path;
+ STACK_OF(X509_INFO) *certs;
+} modssl_pk_proxy_t;
+
+/* stuff related to authentication that can also be per-dir */
+typedef struct {
+ /* known/trusted CAs */
+ const char *ca_cert_path;
+ const char *ca_cert_file;
+
+ const char *cipher_suite;
+
+ /* for client or downstream server authentication */
+ int verify_depth;
+ ssl_verify_t verify_mode;
+} modssl_auth_ctx_t;
+
+typedef struct SSLSrvConfigRec SSLSrvConfigRec;
+
typedef struct {
+ SSLSrvConfigRec *sc; /* pointer back to server config */
+ SSL_CTX *ssl_ctx;
+
+ /* we are one or the other */
+ modssl_pk_server_t *pks;
+ modssl_pk_proxy_t *pkp;
+
+ /* config for handling encrypted keys */
+ ssl_pphrase_t pphrase_dialog_type;
+ const char *pphrase_dialog_path;
+
+ const char *cert_chain;
+
+ /* certificate revocation list */
+ const char *crl_path;
+ const char *crl_file;
+ X509_STORE *crl;
+
+ ssl_proto_t protocol;
+
+ modssl_auth_ctx_t auth;
+} modssl_ctx_t;
+
+struct SSLSrvConfigRec {
SSLModConfigRec *mc;
- BOOL enabled;
- const char *vhost_id;
- int vhost_id_len;
- const char *log_file_name;
- apr_file_t *log_file;
- int log_level;
- int session_cache_timeout;
-
- const char *szPublicCertFiles[SSL_AIDX_MAX];
- const char *szPrivateKeyFiles[SSL_AIDX_MAX];
- const char *szCertificateChain;
- const char *szCACertificatePath;
- const char *szCACertificateFile;
- const char *szCipherSuite;
- int nVerifyDepth;
- ssl_verify_t nVerifyClient;
- X509 *pPublicCert[SSL_AIDX_MAX];
- EVP_PKEY *pPrivateKey[SSL_AIDX_MAX];
- SSL_CTX *pSSLCtx;
- int nPassPhraseDialogType;
- const char *szPassPhraseDialogPath;
- ssl_proto_t nProtocol;
- const char *szCARevocationPath;
- const char *szCARevocationFile;
- X509_STORE *pRevocationStore;
-} SSLSrvConfigRec;
+ BOOL enabled;
+ const char *vhost_id;
+ int vhost_id_len;
+ const char *log_file_name;
+ apr_file_t *log_file;
+ int log_level;
+ int session_cache_timeout;
+ modssl_ctx_t *server;
+ modssl_ctx_t *proxy;
+};
/*
* Define the mod_ssl per-directory configuration structure
** _________________________________________________________________
*/
+static void modssl_ctx_init(modssl_ctx_t *ctx, SSLSrvConfigRec *sc)
+{
+ ctx->sc = sc;
+
+ ctx->ssl_ctx = NULL;
+
+ ctx->pks = NULL;
+ ctx->pkp = NULL;
+
+ ctx->protocol = SSL_PROTOCOL_ALL;
+
+ ctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
+ ctx->pphrase_dialog_path = NULL;
+
+ ctx->cert_chain = NULL;
+
+ ctx->crl_path = NULL;
+ ctx->crl_file = NULL;
+ ctx->crl = NULL;
+
+ ctx->auth.ca_cert_path = NULL;
+ ctx->auth.ca_cert_file = NULL;
+ ctx->auth.cipher_suite = NULL;
+ ctx->auth.verify_depth = UNSET;
+ ctx->auth.verify_mode = SSL_CVERIFY_UNSET;
+}
+
+static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
+ apr_pool_t *p)
+{
+ modssl_ctx_t *ctx;
+
+ ctx = sc->server = apr_palloc(p, sizeof(*sc->server));
+
+ modssl_ctx_init(ctx, sc);
+
+ ctx->pks = apr_palloc(p, sizeof(*ctx->pks));
+
+ memset((void*)ctx->pks->cert_files, 0, sizeof(ctx->pks->cert_files));
+
+ memset((void*)ctx->pks->key_files, 0, sizeof(ctx->pks->key_files));
+
+ memset(ctx->pks->certs, 0, sizeof(ctx->pks->certs));
+
+ memset(ctx->pks->keys, 0, sizeof(ctx->pks->keys));
+}
+
/*
* Create per-server SSL configuration
*/
sc->log_level = SSL_LOG_NONE;
sc->session_cache_timeout = UNSET;
- sc->szCACertificatePath = NULL;
- sc->szCACertificateFile = NULL;
- sc->szCertificateChain = NULL;
- sc->szCipherSuite = NULL;
- sc->nVerifyDepth = UNSET;
- sc->nVerifyClient = SSL_CVERIFY_UNSET;
- sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET;
- sc->szPassPhraseDialogPath = NULL;
- sc->nProtocol = SSL_PROTOCOL_ALL;
- sc->pSSLCtx = NULL;
- sc->szCARevocationPath = NULL;
- sc->szCARevocationFile = NULL;
- sc->pRevocationStore = NULL;
-
- memset((void*)sc->szPublicCertFiles, 0, sizeof(sc->szPublicCertFiles));
- memset((void*)sc->szPrivateKeyFiles, 0, sizeof(sc->szPrivateKeyFiles));
- memset(sc->pPublicCert, 0, sizeof(sc->pPublicCert));
- memset(sc->pPrivateKey, 0, sizeof(sc->pPrivateKey));
+ modssl_ctx_init_server(sc, p);
return sc;
}
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
SSLSrvConfigRec *mrg = (SSLSrvConfigRec *)apr_palloc(p, sizeof(*mrg));
+ modssl_ctx_init_server(mrg, p);
+
cfgMerge(mc, NULL);
cfgMergeBool(enabled);
cfgMergeString(vhost_id);
cfgMerge(log_level, SSL_LOG_NONE);
cfgMergeInt(session_cache_timeout);
- cfgMergeString(szCACertificatePath);
- cfgMergeString(szCACertificateFile);
- cfgMergeString(szCertificateChain);
- cfgMergeString(szCipherSuite);
- cfgMergeInt(nVerifyDepth);
- cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
- cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET);
- cfgMergeString(szPassPhraseDialogPath);
- cfgMerge(nProtocol, SSL_PROTOCOL_ALL);
- cfgMerge(pSSLCtx, NULL);
- cfgMerge(szCARevocationPath, NULL);
- cfgMerge(szCARevocationFile, NULL);
- cfgMerge(pRevocationStore, NULL);
+ cfgMergeString(server->auth.ca_cert_path);
+ cfgMergeString(server->auth.ca_cert_file);
+ cfgMergeString(server->cert_chain);
+ cfgMergeString(server->auth.cipher_suite);
+ cfgMergeInt(server->auth.verify_depth);
+ cfgMerge(server->auth.verify_mode, SSL_CVERIFY_UNSET);
+ cfgMerge(server->pphrase_dialog_type, SSL_PPTYPE_UNSET);
+ cfgMergeString(server->pphrase_dialog_path);
+ cfgMerge(server->protocol, SSL_PROTOCOL_ALL);
+ cfgMerge(server->ssl_ctx, NULL);
+ cfgMerge(server->crl_path, NULL);
+ cfgMerge(server->crl_file, NULL);
+ cfgMerge(server->crl, NULL);
for (i = 0; i < SSL_AIDX_MAX; i++) {
- cfgMergeString(szPublicCertFiles[i]);
- cfgMergeString(szPrivateKeyFiles[i]);
- cfgMerge(pPublicCert[i], NULL);
- cfgMerge(pPrivateKey[i], NULL);
+ cfgMergeString(server->pks->cert_files[i]);
+ cfgMergeString(server->pks->key_files[i]);
+ cfgMerge(server->pks->certs[i], NULL);
+ cfgMerge(server->pks->keys[i], NULL);
}
return mrg;
}
if (strcEQ(arg, "builtin")) {
- sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
- sc->szPassPhraseDialogPath = NULL;
+ sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
+ sc->server->pphrase_dialog_path = NULL;
}
else if ((arglen > 5) && strEQn(arg, "exec:", 5)) {
- sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER;
+ sc->server->pphrase_dialog_type = SSL_PPTYPE_FILTER;
/* ### This is broken, exec: may contain args, no? */
- sc->szPassPhraseDialogPath =
+ sc->server->pphrase_dialog_path =
ap_server_root_relative(cmd->pool, arg+5);
- if (!sc->szPassPhraseDialogPath) {
+ if (!sc->server->pphrase_dialog_path) {
return apr_pstrcat(cmd->pool,
"Invalid SSLPassPhraseDialog exec: path ",
arg+5, NULL);
}
if (!ssl_util_path_check(SSL_PCM_EXISTS,
- sc->szPassPhraseDialogPath,
+ sc->server->pphrase_dialog_path,
cmd->pool))
{
return apr_pstrcat(cmd->pool,
"SSLPassPhraseDialog: file '",
- sc->szPassPhraseDialogPath,
+ sc->server->pphrase_dialog_path,
"' does not exist", NULL);
}
}
else if ((arglen > 1) && (arg[0] == '|')) {
- sc->nPassPhraseDialogType = SSL_PPTYPE_PIPE;
- sc->szPassPhraseDialogPath = arg + 1;
+ sc->server->pphrase_dialog_type = SSL_PPTYPE_PIPE;
+ sc->server->pphrase_dialog_path = arg + 1;
}
else {
return "SSLPassPhraseDialog: Invalid argument";
dc->szCipherSuite = arg;
}
else {
- sc->szCipherSuite = arg;
+ sc->server->auth.cipher_suite = arg;
}
return NULL;
switch (idx) {
case SSL_AIDX_CERTS:
desc = "certificates";
- files = sc->szPublicCertFiles;
+ files = sc->server->pks->cert_files;
break;
case SSL_AIDX_KEYS:
desc = "private keys";
- files = sc->szPrivateKeyFiles;
+ files = sc->server->pks->key_files;
break;
}
return err;
}
- sc->szCertificateChain = arg;
+ sc->server->cert_chain = arg;
return NULL;
}
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx,
const char *arg)
{
- SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
+ /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
return err;
}
- MODSSL_SET_CA(szCACertificatePath);
+ /* XXX: bring back per-dir */
+ sc->server->auth.ca_cert_path = arg;
return NULL;
}
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx,
const char *arg)
{
- SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
+ /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
return err;
}
- MODSSL_SET_CA(szCACertificateFile);
+ /* XXX: bring back per-dir */
+ sc->server->auth.ca_cert_file = arg;
return NULL;
}
return err;
}
- sc->szCARevocationPath = arg;
+ sc->server->crl_path = arg;
return NULL;
}
return err;
}
- sc->szCARevocationFile = arg;
+ sc->server->crl_file = arg;
return NULL;
}
dc->nVerifyClient = id;
}
else {
- sc->nVerifyClient = id;
+ sc->server->auth.verify_mode = id;
}
return NULL;
dc->nVerifyDepth = depth;
}
else {
- sc->nVerifyDepth = depth;
+ sc->server->auth.verify_depth = depth;
}
return NULL;
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- return ssl_cmd_protocol_parse(cmd, opt, &sc->nProtocol);
+ return ssl_cmd_protocol_parse(cmd, opt, &sc->server->protocol);
}
#ifdef SSL_EXPERIMENTAL_PROXY
sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
}
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) {
- sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
+ sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
/* Open the dedicated SSL logfile */
* check for important parameters and the
* possibility that the user forgot to set them.
*/
- if (!sc->szPublicCertFiles[0]) {
+ if (!sc->server->pks->cert_files[0]) {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"No SSL Certificate set [hint: SSLCertificateFile]");
ssl_die();
/*
* Check for problematic re-initializations
*/
- if (sc->pPublicCert[SSL_AIDX_RSA] ||
- sc->pPublicCert[SSL_AIDX_DSA])
+ if (sc->server->pks->certs[SSL_AIDX_RSA] ||
+ sc->server->pks->certs[SSL_AIDX_DSA])
{
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Illegal attempt to re-initialise SSL for server "
{
SSL_CTX *ctx = NULL;
char *cp;
- int protocol = sc->nProtocol;
+ int protocol = sc->server->protocol;
/*
* Create the new per-server SSL context
ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
}
- sc->pSSLCtx = ctx;
+ sc->server->ssl_ctx = ctx;
SSL_CTX_set_options(ctx, SSL_OP_ALL);
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
- SSL_CTX *ctx = sc->pSSLCtx;
+ SSL_CTX *ctx = sc->server->ssl_ctx;
SSLModConfigRec *mc = myModConfig(s);
long cache_mode = SSL_SESS_CACHE_OFF;
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
- SSL_CTX *ctx = sc->pSSLCtx;
+ SSL_CTX *ctx = sc->server->ssl_ctx;
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
- SSL_CTX *ctx = sc->pSSLCtx;
+ SSL_CTX *ctx = sc->server->ssl_ctx;
int verify = SSL_VERIFY_NONE;
STACK_OF(X509_NAME) *ca_list;
- if (sc->nVerifyClient == SSL_CVERIFY_UNSET) {
- sc->nVerifyClient = SSL_CVERIFY_NONE;
+ if (sc->server->auth.verify_mode == SSL_CVERIFY_UNSET) {
+ sc->server->auth.verify_mode = SSL_CVERIFY_NONE;
}
- if (sc->nVerifyDepth == UNSET) {
- sc->nVerifyDepth = 1;
+ if (sc->server->auth.verify_depth == UNSET) {
+ sc->server->auth.verify_depth = 1;
}
/*
* Configure callbacks for SSL context
*/
- if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
+ if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
verify |= SSL_VERIFY_PEER_STRICT;
}
- if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
- (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
+ if ((sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{
verify |= SSL_VERIFY_PEER;
}
/*
* Configure Client Authentication details
*/
- if (sc->szCACertificateFile || sc->szCACertificatePath) {
+ if (sc->server->auth.ca_cert_file || sc->server->auth.ca_cert_path) {
ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
"Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx,
- sc->szCACertificateFile,
- sc->szCACertificatePath))
+ sc->server->auth.ca_cert_file,
+ sc->server->auth.ca_cert_path))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure verify locations "
}
ca_list = ssl_init_FindCAList(s, ptemp,
- sc->szCACertificateFile,
- sc->szCACertificatePath);
+ sc->server->auth.ca_cert_file,
+ sc->server->auth.ca_cert_path);
if (!ca_list) {
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to determine list of available "
* Give a warning when no CAs were configured but client authentication
* should take place. This cannot work.
*/
- if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
+ if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(ca_list) == 0) {
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
- SSL_CTX *ctx = sc->pSSLCtx;
- const char *suite = sc->szCipherSuite;
+ SSL_CTX *ctx = sc->server->ssl_ctx;
+ const char *suite = sc->server->auth.cipher_suite;
/*
* Configure SSL Cipher Suite
* Configure Certificate Revocation List (CRL) Details
*/
- if (!(sc->szCARevocationFile || sc->szCARevocationPath)) {
+ if (!(sc->server->crl_file || sc->server->crl_path)) {
return;
}
ssl_log(s, SSL_LOG_TRACE|SSL_INIT,
"Configuring certificate revocation facility");
- sc->pRevocationStore =
- SSL_X509_STORE_create((char *)sc->szCARevocationFile,
- (char *)sc->szCARevocationPath);
+ sc->server->crl =
+ SSL_X509_STORE_create((char *)sc->server->crl_file,
+ (char *)sc->server->crl_path);
- if (!sc->pRevocationStore) {
+ if (!sc->server->crl) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure X.509 CRL storage "
"for certificate revocation");
{
BOOL skip_first = TRUE;
int i, n;
- const char *chain = sc->szCertificateChain;
+ const char *chain = sc->server->cert_chain;
/*
* Optionally configure extra server certificate chain certificates.
return;
}
- for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFiles[i]; i++) {
- if (strEQ(sc->szPublicCertFiles[i], chain)) {
+ for (i = 0; (i < SSL_AIDX_MAX) && sc->server->pks->cert_files[i]; i++) {
+ if (strEQ(sc->server->pks->cert_files[i], chain)) {
skip_first = TRUE;
break;
}
}
- n = SSL_CTX_use_certificate_chain(sc->pSSLCtx,
+ n = SSL_CTX_use_certificate_chain(sc->server->ssl_ctx,
(char *)chain,
skip_first, NULL);
if (n < 0) {
ssl_die();
}
- if (SSL_CTX_use_certificate(sc->pSSLCtx, cert) <= 0) {
+ if (SSL_CTX_use_certificate(sc->server->ssl_ctx, cert) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure %s server certificate", type);
ssl_die();
}
- sc->pPublicCert[idx] = cert;
+ sc->server->pks->certs[idx] = cert;
return TRUE;
}
ssl_die();
}
- if (SSL_CTX_use_PrivateKey(sc->pSSLCtx, pkey) <= 0) {
+ if (SSL_CTX_use_PrivateKey(sc->server->ssl_ctx, pkey) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
"Unable to configure %s server private key", type);
ssl_die();
* XXX: wonder if this is still needed, this is old todo doc.
* (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
*/
- if ((pkey_type == EVP_PKEY_DSA) && sc->pPublicCert[idx]) {
- EVP_PKEY *pubkey = X509_get_pubkey(sc->pPublicCert[idx]);
+ if ((pkey_type == EVP_PKEY_DSA) && sc->server->pks->certs[idx]) {
+ EVP_PKEY *pubkey = X509_get_pubkey(sc->server->pks->certs[idx]);
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
EVP_PKEY_copy_parameters(pubkey, pkey);
}
}
- sc->pPrivateKey[idx] = pkey;
+ sc->server->pks->keys[idx] = pkey;
return TRUE;
}
}
for (i = 0; i < SSL_AIDX_MAX; i++) {
- ssl_check_public_cert(s, ptemp, sc->pPublicCert[i], i);
+ ssl_check_public_cert(s, ptemp, sc->server->pks->certs[i], i);
}
have_rsa = ssl_server_import_key(s, sc, rsa_id, SSL_AIDX_RSA);
for (i=0; i < SSL_AIDX_MAX; i++) {
MODSSL_CFG_ITEM_FREE(X509_free,
- sc->pPublicCert[i]);
+ sc->server->pks->certs[i]);
MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
- sc->pPrivateKey[i]);
+ sc->server->pks->keys[i]);
}
MODSSL_CFG_ITEM_FREE(X509_STORE_free,
- sc->pRevocationStore);
+ sc->server->crl);
MODSSL_CFG_ITEM_FREE(SSL_CTX_free,
- sc->pSSLCtx);
+ sc->server->ssl_ctx);
}
/*
if (dc->nVerifyDepth != UNSET) {
/* XXX: doesnt look like sslconn->verify_depth is actually used */
if (!(n = sslconn->verify_depth)) {
- sslconn->verify_depth = n = sc->nVerifyDepth;
+ sslconn->verify_depth = n = sc->server->auth.verify_depth;
}
/* determine whether a renegotiation has to be forced */
verify = dc->nVerifyClient;
}
else {
- verify = sc->nVerifyClient;
+ verify = sc->server->auth.verify_mode;
}
if (ssl_verify_error_is_optional(errnum) &&
depth = dc->nVerifyDepth;
}
else {
- depth = sc->nVerifyDepth;
+ depth = sc->server->auth.verify_depth;
}
if (errdepth > depth) {
* Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course.
*/
- if (!sc->pRevocationStore) {
+ if (!sc->server->crl) {
return ok;
}
* the current certificate in order to verify it's integrity.
*/
memset((char *)&obj, 0, sizeof(obj));
- rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
+ rc = SSL_X509_STORE_lookup(sc->server->crl,
X509_LU_CRL, subject, &obj);
crl = obj.data.crl;
* the current certificate in order to check for revocation.
*/
memset((char *)&obj, 0, sizeof(obj));
- rc = SSL_X509_STORE_lookup(sc->pRevocationStore,
+ rc = SSL_X509_STORE_lookup(sc->server->crl,
X509_LU_CRL, issuer, &obj);
crl = obj.data.crl;
* Read in server certificate(s): This is the easy part
* because this file isn't encrypted in any way.
*/
- if (sc->szPublicCertFiles[0] == NULL) {
+ if (sc->server->pks->cert_files[0] == NULL) {
ssl_log(pServ, SSL_LOG_ERROR|SSL_INIT,
"Server should be SSL-aware but has no certificate configured "
"[Hint: SSLCertificateFile]");
}
algoCert = SSL_ALGO_UNKNOWN;
algoKey = SSL_ALGO_UNKNOWN;
- for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFiles[i] != NULL; i++) {
+ for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
- apr_cpystrn(szPath, sc->szPublicCertFiles[i], sizeof(szPath));
+ apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
if ( exists_and_readable(szPath, p, NULL) != APR_SUCCESS ) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Can't open server certificate file %s", szPath);
* phrase for all). When this is the case we can minimize the dialogs
* by trying to re-use already known/entered pass phrases.
*/
- if (sc->szPrivateKeyFiles[j] != NULL)
- apr_cpystrn(szPath, sc->szPrivateKeyFiles[j++], sizeof(szPath));
+ if (sc->server->pks->key_files[j] != NULL)
+ apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath));
/*
* Try to read the private key file with the help of
* chances...
*/
#ifndef WIN32
- if ((sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
- || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE)
+ if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE)
#else
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE
#endif
&& cpPassPhraseCur != NULL
&& nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) {
continue;
}
#ifdef WIN32
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
ssl_die();
else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
}
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
- || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n");
apr_file_printf(writetty, "**Stopped\n");
}
}
else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
- || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
apr_file_printf(writetty, "**Stopped\n");
}
*/
if (nPassPhraseDialog > 0) {
sc = mySrvConfig(s);
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
- || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "\n");
apr_file_printf(writetty, "Ok: Pass Phrase Dialog successful.\n");
}
/*
* Builtin or Pipe dialog
*/
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN
- || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
+ || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
char *prompt;
int i;
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
if (!readtty) {
ssl_log(s, SSL_LOG_INFO,
"Init: Creating pass phrase dialog pipe child '%s'",
- sc->szPassPhraseDialogPath);
- if (ssl_pipe_child_create(p, sc->szPassPhraseDialogPath)
+ sc->server->pphrase_dialog_path);
+ if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path)
!= APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to create pass phrase pipe '%s'",
- sc->szPassPhraseDialogPath);
+ sc->server->pphrase_dialog_path);
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
return (-1);
ssl_log(s, SSL_LOG_INFO,
"Init: Requesting pass phrase via piped dialog");
}
- else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */
+ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
#ifdef WIN32
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize);
apr_file_puts(prompt, writetty);
for (;;) {
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) {
+ if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
i = pipe_get_passwd_cb(buf, bufsize, "", FALSE);
}
- else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */
+ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
i = EVP_read_pw_string(buf, bufsize, "", FALSE);
}
if (i != 0) {
/*
* Filter program
*/
- else if (sc->nPassPhraseDialogType == SSL_PPTYPE_FILTER) {
- const char *cmd = sc->szPassPhraseDialogPath;
+ else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) {
+ const char *cmd = sc->server->pphrase_dialog_path;
const char **argv = apr_palloc(p, sizeof(char *) * 4);
char *result;
projects / apache / commitdiff