SSLModConfigRec *ssl_config_global_create(server_rec *s)
{
- apr_pool_t *pPool;
+ apr_pool_t *pool = s->process->pool;
SSLModConfigRec *mc;
apr_pool_userdata_get((void **)&mc, SSL_MOD_CONFIG_KEY,
- s->process->pool);
+ pool);
if (mc) {
return mc; /* reused for lifetime of the server */
/*
* allocate an own subpool which survives server restarts
*/
- pPool = s->process->pool;
- mc = (SSLModConfigRec *)apr_palloc(pPool, sizeof(*mc));
- mc->pPool = pPool;
+ mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+ mc->pPool = pool;
mc->bFixed = FALSE;
/*
mc->nMutexMode = SSL_MUTEXMODE_UNSET;
mc->szMutexFile = NULL;
mc->pMutex = NULL;
- mc->aRandSeed = apr_array_make(pPool, 4,
+ mc->aRandSeed = apr_array_make(pool, 4,
sizeof(ssl_randseed_t));
- mc->tVHostKeys = apr_hash_make(pPool);
- mc->tPrivateKey = apr_hash_make(pPool);
- mc->tPublicCert = apr_hash_make(pPool);
- mc->tTmpKeys = apr_hash_make(pPool);
+ mc->tVHostKeys = apr_hash_make(pool);
+ mc->tPrivateKey = apr_hash_make(pool);
+ mc->tPublicCert = apr_hash_make(pool);
+ mc->tTmpKeys = apr_hash_make(pool);
#ifdef SSL_EXPERIMENTAL_ENGINE
mc->szCryptoDevice = NULL;
#endif
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
apr_pool_cleanup_null,
- s->process->pool);
+ pool);
return mc;
}
{
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
- ssl_randseed_t *pRS;
+ ssl_randseed_t *seed;
int arg2len = strlen(arg2);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return NULL;
}
- pRS = apr_array_push(mc->aRandSeed);
+ seed = apr_array_push(mc->aRandSeed);
if (strcEQ(arg1, "startup")) {
- pRS->nCtx = SSL_RSCTX_STARTUP;
+ seed->nCtx = SSL_RSCTX_STARTUP;
}
else if (strcEQ(arg1, "connect")) {
- pRS->nCtx = SSL_RSCTX_CONNECT;
+ seed->nCtx = SSL_RSCTX_CONNECT;
}
else {
return apr_pstrcat(cmd->pool, "SSLRandomSeed: "
}
if ((arg2len > 5) && strEQn(arg2, "file:", 5)) {
- pRS->nSrc = SSL_RSSRC_FILE;
- pRS->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
+ seed->nSrc = SSL_RSSRC_FILE;
+ seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 5) && strEQn(arg2, "exec:", 5)) {
- pRS->nSrc = SSL_RSSRC_EXEC;
- pRS->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
+ seed->nSrc = SSL_RSSRC_EXEC;
+ seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
- pRS->nSrc = SSL_RSSRC_EGD;
- pRS->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
+ seed->nSrc = SSL_RSSRC_EGD;
+ seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
}
else if (strcEQ(arg2, "builtin")) {
- pRS->nSrc = SSL_RSSRC_BUILTIN;
- pRS->cpPath = NULL;
+ seed->nSrc = SSL_RSSRC_BUILTIN;
+ seed->cpPath = NULL;
}
else {
- pRS->nSrc = SSL_RSSRC_FILE;
- pRS->cpPath = ap_server_root_relative(mc->pPool, arg2);
+ seed->nSrc = SSL_RSSRC_FILE;
+ seed->cpPath = ap_server_root_relative(mc->pPool, arg2);
}
- if (pRS->nSrc != SSL_RSSRC_BUILTIN) {
- if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath, cmd->pool)) {
+ if (seed->nSrc != SSL_RSSRC_BUILTIN) {
+ if (!ssl_util_path_check(SSL_PCM_EXISTS, seed->cpPath, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLRandomSeed: source path '",
- pRS->cpPath, "' does not exist", NULL);
+ seed->cpPath, "' does not exist", NULL);
}
}
if (!arg3) {
- pRS->nBytes = 0; /* read whole file */
+ seed->nBytes = 0; /* read whole file */
}
else {
- if (pRS->nSrc == SSL_RSSRC_BUILTIN) {
+ if (seed->nSrc == SSL_RSSRC_BUILTIN) {
return "SSLRandomSeed: byte specification not "
"allowed for builtin seed source";
}
- pRS->nBytes = atoi(arg3);
+ seed->nBytes = atoi(arg3);
- if (pRS->nBytes < 0) {
+ if (seed->nBytes < 0) {
return "SSLRandomSeed: invalid number of bytes specified";
}
}
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
int i;
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCertificateFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
for (i = 0; i < SSL_AIDX_MAX; i++) {
if (!sc->szPublicCertFile[i]) {
- sc->szPublicCertFile[i] = cpPath;
+ sc->szPublicCertFile[i] = path;
return NULL;
}
}
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
int i;
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCertificateKeyFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
for (i = 0; i < SSL_AIDX_MAX; i++) {
if (!sc->szPrivateKeyFile[i]) {
- sc->szPrivateKeyFile[i] = cpPath;
+ sc->szPrivateKeyFile[i] = path;
return NULL;
}
}
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCertificateChainFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
- sc->szCertificateChain = cpPath;
+ sc->szCertificateChain = path;
return NULL;
}
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
#endif
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCACertificatePath: directory '",
- cpPath, "' does not exist", NULL);
+ path, "' does not exist", NULL);
}
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (!(cmd->path || dc)) {
- sc->szCACertificatePath = cpPath;
+ sc->szCACertificatePath = path;
}
else {
- dc->szCACertificatePath = cpPath;
+ dc->szCACertificatePath = path;
}
#else
- sc->szCACertificatePath = cpPath;
+ sc->szCACertificatePath = path;
#endif
return NULL;
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
#endif
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCACertificateFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (!(cmd->path || dc)) {
- sc->szCACertificateFile = cpPath;
+ sc->szCACertificateFile = path;
}
else {
- dc->szCACertificateFile = cpPath;
+ dc->szCACertificateFile = path;
}
#else
- sc->szCACertificateFile = cpPath;
+ sc->szCACertificateFile = path;
#endif
return NULL;
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCARevcocationPath: directory '",
- cpPath, "' does not exist", NULL);
+ path, "' does not exist", NULL);
}
- sc->szCARevocationPath = cpPath;
+ sc->szCARevocationPath = path;
return NULL;
}
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLCARevocationFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
- sc->szCARevocationFile = cpPath;
+ sc->szCARevocationFile = path;
return NULL;
}
}
const char *ssl_cmd_SSLOptions(cmd_parms *cmd, void *ctx,
- const char *cpLine)
+ const char *arg)
{
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
ssl_opt_t opt;
int first = TRUE;
char action, *w;
- while (*cpLine) {
- w = ap_getword_conf(cmd->pool, &cpLine);
+ while (*arg) {
+ w = ap_getword_conf(cmd->pool, &arg);
action = NUL;
if ((*w == '+') || (*w == '-')) {
}
const char *ssl_cmd_SSLRequire(cmd_parms *cmd, void *ctx,
- const char *cpExpr)
+ const char *arg)
{
SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;
- ssl_expr *mpExpr;
- ssl_require_t *pReqRec;
+ ssl_expr *expr;
+ ssl_require_t *require;
- if (!(mpExpr = ssl_expr_comp(cmd->pool, (char *)cpExpr))) {
+ if (!(expr = ssl_expr_comp(cmd->pool, (char *)arg))) {
return apr_pstrcat(cmd->pool, "SSLRequire: ",
ssl_expr_get_error(), NULL);
}
- pReqRec = apr_array_push(dc->aRequirement);
- pReqRec->cpExpr = apr_pstrdup(cmd->pool, cpExpr);
- pReqRec->mpExpr = mpExpr;
+ require = apr_array_push(dc->aRequirement);
+ require->cpExpr = apr_pstrdup(cmd->pool, arg);
+ require->mpExpr = expr;
return NULL;
}
char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLProxyCACertificateFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
- sc->szProxyCACertificateFile = cpPath;
+ sc->szProxyCACertificateFile = path;
return NULL;
}
char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLProxyCACertificatePath: directory '",
- cpPath, "' does not exist", NULL);
+ path, "' does not exist", NULL);
}
- sc->szProxyCACertificatePath = cpPath;
+ sc->szProxyCACertificatePath = path;
return NULL;
}
char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_FILE, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLProxyMachineCertFile: file '",
- cpPath, "' does not exist or is empty", NULL);
+ path, "' does not exist or is empty", NULL);
}
- sc->szProxyClientCertificateFile = cpPath;
+ sc->szProxyClientCertificateFile = path;
return NULL;
}
char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *cpPath = ap_server_root_relative(cmd->pool, arg);
+ const char *path = ap_server_root_relative(cmd->pool, arg);
- if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, cpPath, cmd->pool)) {
+ if (!ssl_util_path_check(SSL_FLAGS_CHECK_DIR, path, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLProxyMachineCertPath: directory '",
- cpPath, "' does not exist", NULL);
+ path, "' does not exist", NULL);
}
- sc->szProxyClientCertificatePath = cpPath;
+ sc->szProxyClientCertificatePath = path;
return NULL;
}
{
SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1;
- unsigned char *ucp;
+ unsigned char *ptr;
long int length;
RSA *rsa;
DH *dh;
}
length = i2d_RSAPrivateKey(rsa, NULL);
- ucp = ssl_asn1_table_set(mc->tTmpKeys, "RSA:512", length);
- (void)i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
+ ptr = ssl_asn1_table_set(mc->tTmpKeys, "RSA:512", length);
+ (void)i2d_RSAPrivateKey(rsa, &ptr); /* 2nd arg increments */
RSA_free(rsa);
/* generate 1024 bit RSA key */
}
length = i2d_RSAPrivateKey(rsa, NULL);
- ucp = ssl_asn1_table_set(mc->tTmpKeys, "RSA:1024", length);
- (void)i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
+ ptr = ssl_asn1_table_set(mc->tTmpKeys, "RSA:1024", length);
+ (void)i2d_RSAPrivateKey(rsa, &ptr); /* 2nd arg increments */
RSA_free(rsa);
ssl_log(s, SSL_LOG_INFO,
}
length = i2d_DHparams(dh, NULL);
- ucp = ssl_asn1_table_set(mc->tTmpKeys, "DH:512", length);
- (void)i2d_DHparams(dh, &ucp); /* 2nd arg increments */
+ ptr = ssl_asn1_table_set(mc->tTmpKeys, "DH:512", length);
+ (void)i2d_DHparams(dh, &ptr); /* 2nd arg increments */
DH_free(dh);
/* import 1024 bit DH param */
}
length = i2d_DHparams(dh, NULL);
- ucp = ssl_asn1_table_set(mc->tTmpKeys, "DH:1024", length);
- (void)i2d_DHparams(dh, &ucp); /* 2nd arg increments */
+ ptr = ssl_asn1_table_set(mc->tTmpKeys, "DH:1024", length);
+ (void)i2d_DHparams(dh, &ptr); /* 2nd arg increments */
DH_free(dh);
}
else if (action == SSL_TKP_ALLOC) { /* Allocate Keys and Params */
/* allocate 512 bit RSA key */
if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "RSA:512"))) {
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(mc->pTmpKeys[SSL_TKPIDX_RSA512] =
- d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)))
+ d2i_RSAPrivateKey(NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to load temporary "
/* allocate 1024 bit RSA key */
if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "RSA:1024"))) {
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(mc->pTmpKeys[SSL_TKPIDX_RSA1024] =
- d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)))
+ d2i_RSAPrivateKey(NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to load temporary "
/* allocate 512 bit DH param */
if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "DH:512"))) {
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(mc->pTmpKeys[SSL_TKPIDX_DH512] =
- d2i_DHparams(NULL, &ucp, asn1->nData)))
+ d2i_DHparams(NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to load temporary "
/* allocate 1024 bit DH param */
if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "DH:1024"))) {
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(mc->pTmpKeys[SSL_TKPIDX_DH1024] =
- d2i_DHparams(NULL, &ucp, asn1->nData)))
+ d2i_DHparams(NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR,
"Init: Failed to load temporary "
SSLSrvConfigRec *sc)
{
SSLModConfigRec *mc = myModConfig(s);
- int nVerify = SSL_VERIFY_NONE;
- char *cp, *cpVHostID;
- EVP_PKEY *pKey;
+ int verify = SSL_VERIFY_NONE;
+ char *cp, *vhost_id;
+ EVP_PKEY *pkey;
SSL_CTX *ctx;
- STACK_OF(X509_NAME) *skCAList;
+ STACK_OF(X509_NAME) *ca_list;
ssl_asn1_t *asn1;
- unsigned char *ucp;
+ unsigned char *ptr;
BOOL ok = FALSE;
- int isca, pathlen;
+ int is_ca, pathlen;
int i, n;
long cache_mode;
/*
* Create the server host:port string because we need it a lot
*/
- sc->szVHostID = cpVHostID = ssl_util_vhostid(p, s);
+ sc->szVHostID = vhost_id = ssl_util_vhostid(p, s);
sc->nVHostID_length = strlen(sc->szVHostID);
/*
if (!sc->szPublicCertFile[0]) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) No SSL Certificate set [hint: SSLCertificateFile]",
- cpVHostID);
+ vhost_id);
ssl_die();
}
{
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Illegal attempt to re-initialise SSL for server "
- "(theoretically shouldn't happen!)", cpVHostID);
+ "(theoretically shouldn't happen!)", vhost_id);
ssl_die();
}
if (sc->nProtocol == SSL_PROTOCOL_NONE) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) No SSL protocols available [hint: SSLProtocol]",
- cpVHostID);
+ vhost_id);
ssl_die();
}
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Creating new SSL context (protocols: %s)",
- cpVHostID, cp);
+ vhost_id, cp);
if (sc->nProtocol == SSL_PROTOCOL_SSLV2) {
ctx = SSL_CTX_new(SSLv2_server_method()); /* only SSLv2 is left */
* Configure callbacks for SSL context
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
- nVerify |= SSL_VERIFY_PEER_STRICT;
+ verify |= SSL_VERIFY_PEER_STRICT;
}
if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
(sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
{
- nVerify |= SSL_VERIFY_PEER;
+ verify |= SSL_VERIFY_PEER;
}
- SSL_CTX_set_verify(ctx, nVerify, ssl_callback_SSLVerify);
+ SSL_CTX_set_verify(ctx, verify, ssl_callback_SSLVerify);
SSL_CTX_sess_set_new_cb(ctx, ssl_callback_NewSessionCacheEntry);
SSL_CTX_sess_set_get_cb(ctx, ssl_callback_GetSessionCacheEntry);
if (sc->szCipherSuite) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring permitted SSL ciphers [%s]",
- cpVHostID, sc->szCipherSuite);
+ vhost_id, sc->szCipherSuite);
if (!SSL_CTX_set_cipher_list(ctx, sc->szCipherSuite)) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure permitted SSL ciphers",
- cpVHostID);
+ vhost_id);
ssl_die();
}
}
*/
if (sc->szCACertificateFile || sc->szCACertificatePath) {
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Configuring client authentication", cpVHostID);
+ "Init: (%s) Configuring client authentication", vhost_id);
if (!SSL_CTX_load_verify_locations(ctx,
sc->szCACertificateFile,
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure verify locations "
- "for client authentication", cpVHostID);
+ "for client authentication", vhost_id);
ssl_die();
}
- skCAList = ssl_init_FindCAList(s, p,
- sc->szCACertificateFile,
- sc->szCACertificatePath);
- if (!skCAList) {
+ ca_list = ssl_init_FindCAList(s, p,
+ sc->szCACertificateFile,
+ sc->szCACertificatePath);
+ if (!ca_list) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Unable to determine list of available "
"CA certificates for client authentication",
- cpVHostID);
+ vhost_id);
ssl_die();
}
- SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
+ SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)ca_list);
}
/*
if (sc->szCARevocationFile || sc->szCARevocationPath) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring certificate revocation facility",
- cpVHostID);
+ vhost_id);
sc->pRevocationStore =
SSL_X509_STORE_create((char *)sc->szCARevocationFile,
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure X.509 CRL storage "
"for certificate revocation",
- cpVHostID);
+ vhost_id);
ssl_die();
}
}
* should take place. This cannot work.
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
- skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
+ ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
- if (sk_X509_NAME_num(skCAList) == 0) {
+ if (sk_X509_NAME_num(ca_list) == 0) {
ssl_log(s, SSL_LOG_WARN,
"Init: Ops, you want to request client authentication, "
"but no CAs are known for verification!? "
/*
* Configure server certificate(s)
*/
- cp = apr_psprintf(p, "%s:RSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:RSA", vhost_id);
if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp))) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring RSA server certificate",
- cpVHostID);
+ vhost_id);
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(sc->pPublicCert[SSL_AIDX_RSA] =
- d2i_X509(NULL, &ucp, asn1->nData)))
+ d2i_X509(NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import RSA server certificate",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_RSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure RSA server certificate",
- cpVHostID);
+ vhost_id);
ssl_die();
}
ok = TRUE;
}
- cp = apr_psprintf(p, "%s:DSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:DSA", vhost_id);
if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp))) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring DSA server certificate",
- cpVHostID);
+ vhost_id);
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(sc->pPublicCert[SSL_AIDX_DSA] =
- d2i_X509(NULL, &ucp, asn1->nData)))
+ d2i_X509(NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import DSA server certificate",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_DSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure DSA server certificate",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (!ok) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Ops, no RSA or DSA server certificate found?!",
- cpVHostID);
+ vhost_id);
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) You have to perform a *full* server restart "
"when you added or removed a certificate and/or key file",
- cpVHostID);
+ vhost_id);
ssl_die();
}
ssl_log(s, SSL_LOG_INFO,
"Init: (%s) %s server certificate enables "
"Server Gated Cryptography (SGC)",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
+ vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
}
- if (SSL_X509_getBC(sc->pPublicCert[i], &isca, &pathlen)) {
- if (isca) {
+ if (SSL_X509_getBC(sc->pPublicCert[i], &is_ca, &pathlen)) {
+ if (is_ca) {
ssl_log(s, SSL_LOG_WARN,
"Init: (%s) %s server certificate "
"is a CA certificate "
"(BasicConstraints: CA == TRUE !?)",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
+ vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
}
if (pathlen > 0) {
"Init: (%s) %s server certificate "
"is not a leaf certificate "
"(BasicConstraints: pathlen == %d > 0 !?)",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
+ vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
pathlen);
}
}
"Init: (%s) %s server certificate "
"wildcard CommonName (CN) `%s' "
"does NOT match server name!?",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
+ vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
cp);
}
else if (strNE(s->server_hostname, cp)) {
"Init: (%s) %s server certificate "
"CommonName (CN) `%s' "
"does NOT match server name!?",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
+ vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
cp);
}
}
* Configure server private key(s)
*/
ok = FALSE;
- cp = apr_psprintf(p, "%s:RSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:RSA", vhost_id);
if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp))) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring RSA server private key",
- cpVHostID);
+ vhost_id);
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(sc->pPrivateKey[SSL_AIDX_RSA] =
- d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)))
+ d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import RSA server private key",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure RSA server private key",
- cpVHostID);
+ vhost_id);
ssl_die();
}
ok = TRUE;
}
- cp = apr_psprintf(p, "%s:DSA", cpVHostID);
+ cp = apr_psprintf(p, "%s:DSA", vhost_id);
if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp))) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring DSA server private key",
- cpVHostID);
+ vhost_id);
- ucp = asn1->cpData;
+ ptr = asn1->cpData;
if (!(sc->pPrivateKey[SSL_AIDX_DSA] =
- d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ucp, asn1->nData)))
+ d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import DSA server private key",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_DSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure DSA server private key",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (!ok) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Ops, no RSA or DSA server private key found?!",
- cpVHostID);
+ vhost_id);
ssl_die();
}
if (sc->pPublicCert[SSL_AIDX_DSA] &&
sc->pPrivateKey[SSL_AIDX_DSA])
{
- pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
+ pkey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
- if (pKey && (EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA) &&
- EVP_PKEY_missing_parameters(pKey))
+ if (pkey && (EVP_PKEY_key_type(pkey) == EVP_PKEY_DSA) &&
+ EVP_PKEY_missing_parameters(pkey))
{
- EVP_PKEY_copy_parameters(pKey,
+ EVP_PKEY_copy_parameters(pkey,
sc->pPrivateKey[SSL_AIDX_DSA]);
}
}
* used only for the server certificate chain.
*/
if (sc->szCertificateChain) {
- BOOL bSkipFirst = FALSE;
+ BOOL skip_first = FALSE;
for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFile[i]; i++) {
if (strEQ(sc->szPublicCertFile[i], sc->szCertificateChain)) {
- bSkipFirst = TRUE;
+ skip_first = TRUE;
break;
}
}
n = SSL_CTX_use_certificate_chain(ctx,
(char *)sc->szCertificateChain,
- bSkipFirst, NULL);
+ skip_first, NULL);
if (n < 0) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Failed to configure CA certificate chain!",
- cpVHostID);
+ vhost_id);
ssl_die();
}
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring server certificate chain "
"(%d CA certificate%s)",
- cpVHostID, n, n == 1 ? "" : "s");
+ vhost_id, n, n == 1 ? "" : "s");
}
}
void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
{
- server_rec *s;
- server_rec **ps;
+ server_rec *s, **ps;
SSLSrvConfigRec *sc;
- ssl_ds_table *t;
- apr_pool_t *sp;
+ ssl_ds_table *table;
+ apr_pool_t *subpool;
char *key;
- BOOL bConflict = FALSE;
+ BOOL conflict = FALSE;
/*
* Give out warnings when a server has HTTPS configured
* just the certificate/keys of one virtual host (which one cannot be said
* easily - but that doesn't matter here).
*/
- apr_pool_create(&sp, p);
- t = ssl_ds_table_make(sp, sizeof(server_rec *));
+ apr_pool_create(&subpool, p);
+ table = ssl_ds_table_make(subpool, sizeof(server_rec *));
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
continue;
}
- key = apr_psprintf(sp, "%pA:%u",
+ key = apr_psprintf(subpool, "%pA:%u",
&s->addrs->host_addr, s->addrs->host_port);
- if ((ps = ssl_ds_table_get(t, key))) {
+ if ((ps = ssl_ds_table_get(table, key))) {
ssl_log(base_server, SSL_LOG_WARN,
"Init: SSL server IP/port conflict: "
"%s (%s:%d) vs. %s (%s:%d)",
ssl_util_vhostid(p, *ps),
((*ps)->defn_name ? (*ps)->defn_name : "unknown"),
(*ps)->defn_line_number);
- bConflict = TRUE;
+ conflict = TRUE;
continue;
}
- ps = ssl_ds_table_push(t, key);
+ ps = ssl_ds_table_push(table, key);
*ps = s;
}
- ssl_ds_table_kill(t);
+ ssl_ds_table_kill(table);
/* XXX - It was giving some problem earlier - check it out - TBD */
- apr_pool_destroy(sp);
+ apr_pool_destroy(subpool);
- if (bConflict) {
+ if (conflict) {
ssl_log(base_server, SSL_LOG_WARN,
"Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!");
return(X509_NAME_cmp(*a, *b));
}
-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *skCAList,
+static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
server_rec *s, const char *file)
{
int n;
* we must also check for duplicates ourselves.
*/
- if (sk_X509_NAME_find(skCAList, name) < 0) {
- /* this will be freed when skCAList is */
- sk_X509_NAME_push(skCAList, name);
+ if (sk_X509_NAME_find(ca_list, name) < 0) {
+ /* this will be freed when ca_list is */
+ sk_X509_NAME_push(ca_list, name);
}
else {
/* need to free this ourselves, else it will leak */
}
STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
- apr_pool_t *pp,
- const char *cpCAfile,
- const char *cpCApath)
+ apr_pool_t *p,
+ const char *ca_file,
+ const char *ca_path)
{
- STACK_OF(X509_NAME) *skCAList;
- apr_pool_t *p;
+ STACK_OF(X509_NAME) *ca_list;
+ apr_pool_t *subpool;
/*
* Use a subpool so we don't bloat up the server pool which
* is remains in memory for the complete operation time of
* the server.
*/
- apr_pool_sub_make(&p, pp, NULL);
+ apr_pool_sub_make(&subpool, p, NULL);
/*
* Start with a empty stack/list where new
* entries get added in sorted order.
*/
- skCAList = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
+ ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
/*
* Process CA certificate bundle file
*/
- if (cpCAfile) {
- ssl_init_PushCAList(skCAList, s, cpCAfile);
+ if (ca_file) {
+ ssl_init_PushCAList(ca_list, s, ca_file);
}
/*
* Process CA certificate path files
*/
- if (cpCApath) {
+ if (ca_path) {
apr_dir_t *dir;
apr_finfo_t direntry;
apr_int32_t finfo_flags = APR_FINFO_MIN|APR_FINFO_NAME;
- if (apr_dir_open(&dir, cpCApath, p) != APR_SUCCESS) {
+ if (apr_dir_open(&dir, ca_path, subpool) != APR_SUCCESS) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
"Init: Failed to open SSLCACertificatePath `%s'",
- cpCApath);
+ ca_path);
ssl_die();
}
while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
- const char *cp;
+ const char *file;
if (direntry.filetype == APR_DIR) {
continue; /* don't try to load directories */
}
- cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
- ssl_init_PushCAList(skCAList, s, cp);
+ file = apr_pstrcat(subpool, ca_path, "/", direntry.name, NULL);
+ ssl_init_PushCAList(ca_list, s, file);
}
apr_dir_close(dir);
/*
* Cleanup
*/
- sk_X509_NAME_set_cmp_func(skCAList, NULL);
- apr_pool_destroy(p);
+ sk_X509_NAME_set_cmp_func(ca_list, NULL);
+ apr_pool_destroy(subpool);
- return skCAList;
+ return ca_list;
}
void ssl_init_Child(apr_pool_t *p, server_rec *s)
apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
{
SSL *ssl = filter->pssl;
- const char *cpType = "";
+ const char *type = "";
conn_rec *conn;
SSLConnRec *sslconn;
/* send close notify, but don't wait for clients close notify
(standard compliant and safe, so it's the DEFAULT!) */
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
- cpType = "standard";
+ type = "standard";
break;
case SSL_SHUTDOWN_TYPE_UNCLEAN:
/* perform no close notify handshake at all
(violates the SSL/TLS standard!) */
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
- cpType = "unclean";
+ type = "unclean";
break;
case SSL_SHUTDOWN_TYPE_ACCURATE:
/* send close notify and wait for clients close notify
(standard compliant, but usually causes connection hangs) */
SSL_set_shutdown(ssl, 0);
- cpType = "accurate";
+ type = "accurate";
break;
}
ssl_log(conn->base_server, SSL_LOG_INFO,
"Connection to child %d closed with %s shutdown"
"(server %s, client %s)",
- conn->id, cpType,
+ conn->id, type,
ssl_util_vhostid(conn->pool, conn->base_server),
conn->remote_ip ? conn->remote_ip : "unknown");
}
SSLConnRec *sslconn = myConnConfig(r->connection);
SSL *ssl = sslconn ? sslconn->ssl : NULL;
SSL_CTX *ctx = NULL;
- apr_array_header_t *apRequirement;
- ssl_require_t *pRequirements, *pRequirement;
+ apr_array_header_t *requires;
+ ssl_require_t *ssl_requires;
char *cp;
int ok, i;
BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
BOOL reconfigured_locations = FALSE;
- STACK_OF(X509_NAME) *skCAList;
- char *cpCAPath, *cpCAFile;
+ STACK_OF(X509_NAME) *ca_list;
+ char *ca_path, *ca_file;
#endif
X509 *cert;
- STACK_OF(X509) *certstack;
- X509_STORE *certstore;
- X509_STORE_CTX certstorectx;
- STACK_OF(SSL_CIPHER) *skCipherOld, *skCipher = NULL;
- SSL_CIPHER *pCipher = NULL;
- int depth, nVerifyOld, nVerify, n;
+ STACK_OF(X509) *cert_stack;
+ X509_STORE *cert_store;
+ X509_STORE_CTX cert_store_ctx;
+ STACK_OF(SSL_CIPHER) *cipher_list_old, *cipher_list = NULL;
+ SSL_CIPHER *cipher = NULL;
+ int depth, verify_old, verify, n;
if (ssl) {
ctx = SSL_get_SSL_CTX(ssl);
/* remember old state */
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
- pCipher = SSL_get_current_cipher(ssl);
+ cipher = SSL_get_current_cipher(ssl);
}
else {
- skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
+ cipher_list_old = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
- if (skCipherOld) {
- skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
+ if (cipher_list_old) {
+ cipher_list_old = sk_SSL_CIPHER_dup(cipher_list_old);
}
}
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
- if (skCipherOld) {
- sk_SSL_CIPHER_free(skCipherOld);
+ if (cipher_list_old) {
+ sk_SSL_CIPHER_free(cipher_list_old);
}
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
- skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
+ cipher_list = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
/* optimized way */
- if ((!pCipher && skCipher) ||
- (pCipher && !skCipher))
+ if ((!cipher && cipher_list) ||
+ (cipher && !cipher_list))
{
renegotiate = TRUE;
}
- else if (pCipher && skCipher &&
- (sk_SSL_CIPHER_find(skCipher, pCipher) < 0))
+ else if (cipher && cipher_list &&
+ (sk_SSL_CIPHER_find(cipher_list, cipher) < 0))
{
renegotiate = TRUE;
}
}
else {
/* paranoid way */
- if ((!skCipherOld && skCipher) ||
- (skCipherOld && !skCipher))
+ if ((!cipher_list_old && cipher_list) ||
+ (cipher_list_old && !cipher_list))
{
renegotiate = TRUE;
}
- else if (skCipherOld && skCipher) {
+ else if (cipher_list_old && cipher_list) {
for (n = 0;
- !renegotiate && (n < sk_SSL_CIPHER_num(skCipher));
+ !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
n++)
{
- SSL_CIPHER *value = sk_SSL_CIPHER_value(skCipher, n);
+ SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
- if (sk_SSL_CIPHER_find(skCipherOld, value) < 0) {
+ if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
renegotiate = TRUE;
}
}
for (n = 0;
- !renegotiate && (n < sk_SSL_CIPHER_num(skCipherOld));
+ !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
n++)
{
- SSL_CIPHER *value = sk_SSL_CIPHER_value(skCipherOld, n);
+ SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
- if (sk_SSL_CIPHER_find(skCipher, value) < 0) {
+ if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
renegotiate = TRUE;
}
}
}
/* cleanup */
- if (skCipherOld) {
- sk_SSL_CIPHER_free(skCipherOld);
+ if (cipher_list_old) {
+ sk_SSL_CIPHER_free(cipher_list_old);
}
/* tracing */
*/
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
/* remember old state */
- nVerifyOld = SSL_get_verify_mode(ssl);
+ verify_old = SSL_get_verify_mode(ssl);
/* configure new state */
- nVerify = SSL_VERIFY_NONE;
+ verify = SSL_VERIFY_NONE;
if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
- nVerify |= SSL_VERIFY_PEER_STRICT;
+ verify |= SSL_VERIFY_PEER_STRICT;
}
if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
{
- nVerify |= SSL_VERIFY_PEER;
+ verify |= SSL_VERIFY_PEER;
}
- SSL_set_verify(ssl, nVerify, ssl_callback_SSLVerify);
+ SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
- if (nVerify != nVerifyOld) {
- if (((nVerifyOld == SSL_VERIFY_NONE) &&
- (nVerify != SSL_VERIFY_NONE)) ||
+ if (verify != verify_old) {
+ if (((verify_old == SSL_VERIFY_NONE) &&
+ (verify != SSL_VERIFY_NONE)) ||
- (!(nVerifyOld & SSL_VERIFY_PEER) &&
- (nVerify & SSL_VERIFY_PEER)) ||
+ (!(verify_old & SSL_VERIFY_PEER) &&
+ (verify & SSL_VERIFY_PEER)) ||
- (!(nVerifyOld & SSL_VERIFY_PEER_STRICT) &&
- (nVerify & SSL_VERIFY_PEER_STRICT)))
+ (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
+ (verify & SSL_VERIFY_PEER_STRICT)))
{
renegotiate = TRUE;
/* optimization */
if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
- (nVerifyOld == SSL_VERIFY_NONE) &&
+ (verify_old == SSL_VERIFY_NONE) &&
SSL_get_peer_certificate(ssl))
{
renegotiate_quick = TRUE;
if (MODSSL_CFG_NE(szCACertificateFile) ||
MODSSL_CFG_NE(szCACertificatePath))
{
- cpCAFile = dc->szCACertificateFile ?
+ ca_file = dc->szCACertificateFile ?
dc->szCACertificateFile : sc->szCACertificateFile;
- cpCAPath = dc->szCACertificatePath ?
+ ca_path = dc->szCACertificatePath ?
dc->szCACertificatePath : sc->szCACertificatePath;
/*
FIXME: This should be...
- if (!SSL_load_verify_locations(ssl, cpCAFile, cpCAPath)) {
+ if (!SSL_load_verify_locations(ssl, ca_file, ca_path)) {
...but OpenSSL still doesn't provide this!
*/
- if (!SSL_CTX_load_verify_locations(ctx, cpCAFile, cpCAPath)) {
+ if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Unable to reconfigure verify locations "
"for client authentication");
return HTTP_FORBIDDEN;
}
- if (!(skCAList = ssl_init_FindCAList(r->server, r->pool,
- cpCAFile, cpCAPath)))
+ if (!(ca_list = ssl_init_FindCAList(r->server, r->pool,
+ ca_file, ca_path)))
{
ssl_log(r->server, SSL_LOG_ERROR,
"Unable to determine list of available "
return HTTP_FORBIDDEN;
}
- SSL_set_client_CA_list(ssl, skCAList);
+ SSL_set_client_CA_list(ssl, ca_list);
renegotiate = TRUE;
reconfigured_locations = TRUE;
"Performing quick renegotiation: "
"just re-verifying the peer");
- if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
+ if (!(cert_store = SSL_CTX_get_cert_store(ctx))) {
ssl_log(r->server, SSL_LOG_ERROR,
"Cannot find certificate storage");
return HTTP_FORBIDDEN;
}
- certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
+ cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
- if (!certstack || (sk_X509_num(certstack) == 0)) {
+ if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
ssl_log(r->server, SSL_LOG_ERROR,
"Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
- cert = sk_X509_value(certstack, 0);
- X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack);
+ cert = sk_X509_value(cert_stack, 0);
+ X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
depth = SSL_get_verify_depth(ssl);
if (depth >= 0) {
- X509_STORE_CTX_set_depth(&certstorectx, depth);
+ X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
}
- X509_STORE_CTX_set_ex_data(&certstorectx,
+ X509_STORE_CTX_set_ex_data(&cert_store_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)ssl);
- if (!X509_verify_cert(&certstorectx)) {
+ if (!X509_verify_cert(&cert_store_ctx)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Re-negotiation verification step failed");
}
- SSL_set_verify_result(ssl, certstorectx.error);
- X509_STORE_CTX_cleanup(&certstorectx);
+ SSL_set_verify_result(ssl, cert_store_ctx.error);
+ X509_STORE_CTX_cleanup(&cert_store_ctx);
}
else {
request_rec *id = r->main ? r->main : r;
* Finally check for acceptable renegotiation results
*/
if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
- BOOL verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
+ BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
- if (verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
+ if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: "
"Client verification failed");
return HTTP_FORBIDDEN;
}
- if (verify && !SSL_get_peer_certificate(ssl)) {
+ if (do_verify && !SSL_get_peer_certificate(ssl)) {
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: "
"Client certificate missing");
/*
* Check SSLRequire boolean expressions
*/
- apRequirement = dc->aRequirement;
- pRequirements = (ssl_require_t *)apRequirement->elts;
+ requires = dc->aRequirement;
+ ssl_requires = (ssl_require_t *)requires->elts;
- for (i = 0; i < apRequirement->nelts; i++) {
- pRequirement = &pRequirements[i];
- ok = ssl_expr_exec(r, pRequirement->mpExpr);
+ for (i = 0; i < requires->nelts; i++) {
+ ssl_require_t *req = &ssl_requires[i];
+ ok = ssl_expr_exec(r, req->mpExpr);
if (ok < 0) {
cp = apr_psprintf(r->pool,
r->filename, r->connection->remote_ip);
ssl_log(r->server, SSL_LOG_INFO,
- "Failed expression: %s", pRequirement->cpExpr);
+ "Failed expression: %s", req->cpExpr);
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
"access to %s failed, reason: %s",
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN];
+ char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
char *clientdn;
- const char *cpAL, *cpUN, *cpPW;
+ const char *auth_line, *username, *password;
/*
* Additionally forbid access (again)
* ("/XX=YYY/XX=YYY/..") as the username and "password" as the
* password.
*/
- if ((cpAL = apr_table_get(r->headers_in, "Authorization"))) {
- if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) {
- while ((*cpAL == ' ') || (*cpAL == '\t')) {
- cpAL++;
+ if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {
+ if (strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
+ while ((*auth_line == ' ') || (*auth_line == '\t')) {
+ auth_line++;
}
- cpAL = ap_pbase64decode(r->pool, cpAL);
- cpUN = ap_getword_nulls(r->pool, &cpAL, ':');
- cpPW = cpAL;
+ auth_line = ap_pbase64decode(r->pool, auth_line);
+ username = ap_getword_nulls(r->pool, &auth_line, ':');
+ password = auth_line;
- if ((cpUN[0] == '/') && strEQ(cpPW, "password")) {
+ if ((username[0] == '/') && strEQ(password, "password")) {
return HTTP_FORBIDDEN;
}
}
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
- apr_snprintf(b1, sizeof(b1), "%s:password", clientdn);
- ssl_util_uuencode(b2, b1, FALSE);
+ apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
+ ssl_util_uuencode(buf2, buf1, FALSE);
- apr_snprintf(b1, sizeof(b1), "Basic %s", b2);
- apr_table_set(r->headers_in, "Authorization", b1);
+ apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
+ apr_table_set(r->headers_in, "Authorization", buf1);
ssl_log(r->server, SSL_LOG_INFO,
- "Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
+ "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
return DECLINED;
}
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- apr_table_t *e = r->subprocess_env;
+ apr_table_t *env = r->subprocess_env;
char *var, *val = "";
- STACK_OF(X509) *sk;
+ STACK_OF(X509) *peer_certs;
SSL *ssl;
int i;
* Annotate the SSI/CGI environment with standard SSL information
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
- apr_table_setn(e, "HTTPS", "on");
+ apr_table_setn(env, "HTTPS", "on");
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
var = (char *)ssl_hook_Fixup_vars[i];
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
if (!strIsEmpty(val)) {
- apr_table_set(e, var, val);
+ apr_table_setn(env, var, val);
}
}
}
val = ssl_var_lookup(r->pool, r->server, r->connection,
r, "SSL_SERVER_CERT");
- apr_table_setn(e, "SSL_SERVER_CERT", val);
+ apr_table_setn(env, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection,
r, "SSL_CLIENT_CERT");
- apr_table_setn(e, "SSL_CLIENT_CERT", val);
+ apr_table_setn(env, "SSL_CLIENT_CERT", val);
- if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) {
- for (i = 0; i < sk_X509_num(sk); i++) {
+ if ((peer_certs = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) {
+ for (i = 0; i < sk_X509_num(peer_certs); i++) {
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
val = ssl_var_lookup(r->pool, r->server, r->connection,
r, var);
if (val) {
- apr_table_setn(e, var, val);
+ apr_table_setn(env, var, val);
}
}
}
* which we now just handle out on demand....
*/
-RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
+RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
{
- conn_rec *c = (conn_rec *)SSL_get_app_data(pSSL);
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
SSLModConfigRec *mc = myModConfig(c->base_server);
RSA *rsa = NULL;
- if (nExport) {
+ if (export) {
/* It's because an export cipher is used */
- if (nKeyLen == 512) {
+ if (keylen == 512) {
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512];
}
- else if (nKeyLen == 1024) {
+ else if (keylen == 1024) {
rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024];
}
else {
/*
* Handle out the already generated DH parameters...
*/
-DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen)
+DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
- conn_rec *c = (conn_rec *)SSL_get_app_data(pSSL);
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
SSLModConfigRec *mc = myModConfig(c->base_server);
DH *dh = NULL;
- if (nExport) {
+ if (export) {
/* It's because an export cipher is used */
- if (nKeyLen == 512) {
+ if (keylen == 512) {
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH512];
}
- else if (nKeyLen == 1024) {
+ else if (keylen == 1024) {
dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024];
}
else {
SSLConnRec *sslconn = myConnConfig(conn);
/* Get verify ingredients */
- X509 *xs = X509_STORE_CTX_get_current_cert(ctx);
int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
int depth, verify;
* Log verification information
*/
if (sc->nLogLevel >= SSL_LOG_TRACE) {
- char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
- char *cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0);
+ X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+ char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+ char *iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: depth: %d, subject: %s, issuer: %s",
errdepth,
- cp ? cp : "-unknown-",
- cp2 ? cp2 : "-unknown-");
+ sname ? sname : "-unknown-",
+ iname ? iname : "-unknown-");
- if (cp) {
- free(cp);
+ if (sname) {
+ free(sname);
}
- if (cp2) {
- free(cp2);
+ if (iname) {
+ free(iname);
}
}
SSLSrvConfigRec *sc = mySrvConfig(s);
X509_OBJECT obj;
X509_NAME *subject, *issuer;
- X509 *xs;
+ X509 *cert;
X509_CRL *crl;
BIO *bio;
int i, n, rc;
/*
* Determine certificate ingredients in advance
*/
- xs = X509_STORE_CTX_get_current_cert(ctx);
- subject = X509_get_subject_name(xs);
- issuer = X509_get_issuer_name(xs);
+ cert = X509_STORE_CTX_get_current_cert(ctx);
+ subject = X509_get_subject_name(cert);
+ issuer = X509_get_issuer_name(cert);
/*
* OpenSSL provides the general mechanism to deal with CRLs but does not
/*
* Verify the signature on this CRL
*/
- if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
+ if (X509_CRL_verify(crl, X509_get_pubkey(cert)) <= 0) {
ssl_log(s, SSL_LOG_WARN, "Invalid signature on CRL");
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
- if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(xs))) {
+ if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
if (sc->nLogLevel >= SSL_LOG_INFO) {
char *cp = X509_NAME_oneline(issuer, NULL, 0);
long serial = ASN1_INTEGER_get(sn);
* SSL_SESSION also to the inter-process disk-cache to make share it with our
* other Apache pre-forked server processes.
*/
-int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
+int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
{
/* Get Apache context back through OpenSSL context */
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
* Set the timeout also for the internal OpenSSL cache, because this way
* our inter-process cache is consulted only when it's really necessary.
*/
- SSL_set_timeout(pNew, timeout);
+ SSL_set_timeout(session, timeout);
/*
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
- session_id = SSL_SESSION_get_session_id(pNew);
- session_id_length = SSL_SESSION_get_session_id_length(pNew);
+ session_id = SSL_SESSION_get_session_id(session);
+ session_id_length = SSL_SESSION_get_session_id_length(session);
- timeout += SSL_get_time(pNew);
+ timeout += SSL_get_time(session);
rc = ssl_scache_store(s, session_id, session_id_length,
- timeout, pNew);
+ timeout, session);
/*
* Log this cache operation
(timeout - time(NULL)));
/*
- * return 0 which means to OpenSSL that the pNew is still
+ * return 0 which means to OpenSSL that the session is still
* valid and was not freed by us with SSL_SESSION_free().
*/
return 0;
*/
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
unsigned char *id,
- int idlen, int *pCopy)
+ int idlen, int *do_copy)
{
/* Get Apache context back through OpenSSL context */
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = conn->base_server;
- SSL_SESSION *pSession;
+ SSL_SESSION *session;
/*
* Try to retrieve the SSL_SESSION from the inter-process cache
*/
- pSession = ssl_scache_retrieve(s, id, idlen);
+ session = ssl_scache_retrieve(s, id, idlen);
/*
* Log this cache operation
*/
- if (pSession) {
+ if (session) {
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=GET status=FOUND id=%s (session reuse)",
SSL_SESSION_id2sz(id, idlen));
}
/*
* Return NULL or the retrieved SSL_SESSION. But indicate (by
- * setting pCopy to 0) that the reference count on the
+ * setting do_copy to 0) that the reference count on the
* SSL_SESSION should not be incremented by the SSL library,
* because we will no longer hold a reference to it ourself.
*/
- *pCopy = 0;
+ *do_copy = 0;
- return pSession;
+ return session;
}
/*
* disk-cache, too.
*/
void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
- SSL_SESSION *pSession)
+ SSL_SESSION *session)
{
server_rec *s;
unsigned char *session_id;
/*
* Remove the SSL_SESSION from the inter-process cache
*/
- session_id = SSL_SESSION_get_session_id(pSession);
- session_id_length = SSL_SESSION_get_session_id_length(pSession);
+ session_id = SSL_SESSION_get_session_id(session);
+ session_id_length = SSL_SESSION_get_session_id_length(session);
ssl_scache_remove(s, session_id, session_id_length);
conn_rec *c;
server_rec *s;
SSLSrvConfigRec *sc;
- char *str;
/*
* find corresponding server
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_ALERT) {
- str = (where & SSL_CB_READ) ? "read" : "write";
+ char *str = (where & SSL_CB_READ) ? "read" : "write";
ssl_log(s, SSL_LOG_TRACE, "%s: Alert: %s:%s:%s\n",
SSL_LIBRARY_NAME, str,
SSL_alert_type_string_long(rc),