# TLS-SRP mutual authentication:
# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
-# file (containing login information for SRP user accounts). See
-# the mod_ssl FAQ for instructions on creating this file.
+# file (containing login information for SRP user accounts).
+# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+# detailed instructions on creating this file. Example:
+# "openssl srp -srpvfile @exp_sysconfdir@/passwd.srpv -add username"
#SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv"
# Access Control:
* TLS-SRP support
*/
if (mctx->srp_vfile != NULL) {
- int rv;
+ int err;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02308)
"Using SRP verifier file [%s]", mctx->srp_vfile);
ssl_die();
}
- rv = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
- if (rv != SRP_NO_ERROR) {
+ err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
+ if (err != SRP_NO_ERROR) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
- "Unable to load SRP verifier file [error %d]", rv);
+ "Unable to load SRP verifier file [error %d]", err);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
ssl_die();
}
char *username = SSL_get_srp_username(ssl);
SRP_user_pwd *u;
- if ((u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+ if (username == NULL
+ || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
return SSL3_AL_FATAL;
}
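Review bot: The added `username == NULL` guard removes a NULL dereference, but the combined condition still answers an unknown SRP identity with SSL_AD_UNKNOWN_PSK_IDENTITY, so a client can tell a valid username from an unknown one; whether that is acceptable depends on how SRP_VBASE_get_by_user behaves for missing users on the OpenSSL versions the module targets (I believe later releases can hand back a fake record so that the two cases look alike, and 1.1.0 deprecates this function in favour of SRP_VBASE_get1_by_user for ownership reasons, but please confirm against the version you build with). The intent deserves a comment on the condition, e.g. `/* no SRP username in the hello, or not in the verifier file: fatal alert */`, and the note should state whether unknown users are meant to be indistinguishable from known ones. The callback's enclosing function continues outside the hunk, so the later use of `u` cannot be checked here.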
#endif
/* SRP support came in OpenSSL 1.0.1 */
-#if (OPENSSL_VERSION_NUMBER < 0x10001000)
-#define OPENSSL_NO_SRP
-#else
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
#include <openssl/srp.h>
+#else
+#define OPENSSL_NO_SRP
+#endif
#endif
/* mod_ssl headers */
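Review bot: The new feature test `#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` only works if `<openssl/ssl.h>` has already been included at this point; if the include order above ever changes, the test fails closed and SRP support is silently dropped with no build error. That dependency is not visible from the hunk, so record it next to the test, e.g. `/* SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB is defined by <openssl/ssl.h>, which must be included before this point */`. The `#endif` on the first line of the hunk closes a block that starts outside it, so the surrounding conditional could not be reviewed.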