Changes with Apache 2.3.9
+ *) mod_ssl: Add authz providers for use with mod_authz_core and its
+ RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
+ 'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
+ 'ssl-require' (expressions with same syntax as SSLRequire).
+ [Stefan Fritsch]
+
*) mod_ssl: Make the ssl expression parser thread-safe. It now requires
bison instead of yacc. [Stefan Fritsch]
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
+ AUTHZ_PROVIDER_VERSION,
+ &ssl_authz_provider_require_ssl,
+ AP_AUTH_INTERNAL_PER_CONF);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
+ AUTHZ_PROVIDER_VERSION,
+ &ssl_authz_provider_verify_client,
+ AP_AUTH_INTERNAL_PER_CONF);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-require",
+ AUTHZ_PROVIDER_VERSION,
+ &ssl_authz_provider_sslrequire,
+ AP_AUTH_INTERNAL_PER_CONF);
+
}
module AP_MODULE_DECLARE_DATA ssl_module = {
ssl_require_t *require;
const char *errstring;
- if (!(expr = ssl_expr_comp(cmd->pool, (char *)arg, &errstring))) {
+ if (!(expr = ssl_expr_comp(cmd->pool, arg, &errstring))) {
return apr_pstrcat(cmd->pool, "SSLRequire: ", errstring, NULL);
}
return DECLINED;
}
+/* _________________________________________________________________
+**
+** Authz providers for use with mod_authz_core
+** _________________________________________________________________
+*/
+
+static authz_status ssl_authz_require_ssl_check(request_rec *r,
+ const char *require_line,
+ const void *parsed)
+{
+ SSLConnRec *sslconn = myConnConfig(r->connection);
+ SSL *ssl = sslconn ? sslconn->ssl : NULL;
+
+ if (ssl)
+ return AUTHZ_GRANTED;
+ else
+ return AUTHZ_DENIED;
+}
+
+static const char *ssl_authz_require_ssl_parse(cmd_parms *cmd,
+ const char *require_line,
+ const void **parsed)
+{
+ if (require_line && require_line[0])
+ return "'Require ssl' does not take arguments";
+
+ return NULL;
+}
+
+const authz_provider ssl_authz_provider_require_ssl =
+{
+ &ssl_authz_require_ssl_check,
+ &ssl_authz_require_ssl_parse,
+};
+
+static authz_status ssl_authz_verify_client_check(request_rec *r,
+ const char *require_line,
+ const void *parsed)
+{
+ SSLConnRec *sslconn = myConnConfig(r->connection);
+ SSL *ssl = sslconn ? sslconn->ssl : NULL;
+
+ if (!ssl)
+ return AUTHZ_DENIED;
+
+ if (sslconn->verify_error == NULL &&
+ sslconn->verify_info == NULL &&
+ SSL_get_verify_result(ssl) == X509_V_OK)
+ {
+ X509 *xs = SSL_get_peer_certificate(ssl);
+
+ if (xs) {
+ X509_free(xs);
+ return AUTHZ_GRANTED;
+ }
+ else {
+ X509_free(xs);
+ }
+ }
+
+ return AUTHZ_DENIED;
+}
+
+static const char *ssl_authz_verify_client_parse(cmd_parms *cmd,
+ const char *require_line,
+ const void **parsed)
+{
+ if (require_line && require_line[0])
+ return "'Require ssl-verify-client' does not take arguments";
+
+ return NULL;
+}
+
+const authz_provider ssl_authz_provider_verify_client =
+{
+ &ssl_authz_verify_client_check,
+ &ssl_authz_verify_client_parse,
+};
+
+
+static authz_status ssl_authz_sslrequire_check(request_rec *r,
+ const char *require_line,
+ const void *parsed)
+{
+ const ssl_expr *expr = parsed;
+ const char *errstring;
+ int ok = ssl_expr_exec(r, expr, &errstring);
+
+ if (ok < 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Failed to execute SSL requirement expression in "
+ "'Require ssl-require': %s",
+ errstring);
+ return AUTHZ_DENIED;
+ }
+
+ if (ok != 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+ "SSL requirement expression in 'Require ssl-require' "
+ "not fulfilled");
+ return AUTHZ_DENIED;
+ }
+
+ return AUTHZ_GRANTED;
+}
+
+static const char *ssl_authz_sslrequire_parse(cmd_parms *cmd,
+ const char *require_line,
+ const void **parsed)
+{
+ const char *errstring;
+ ssl_expr *expr = ssl_expr_comp(cmd->pool, require_line, &errstring);
+
+ if (!expr)
+ return apr_psprintf(cmd->pool, "Error in 'Require require-ssl': %s",
+ errstring);
+
+ *parsed = expr;
+
+ return NULL;
+}
+
+const authz_provider ssl_authz_provider_sslrequire =
+{
+ &ssl_authz_sslrequire_check,
+ &ssl_authz_sslrequire_parse,
+};
+
+
/* _________________________________________________________________
**
** OpenSSL Callback Functions
*/
-ssl_expr *ssl_expr_comp(apr_pool_t *p, char *expr, const char **err)
+ssl_expr *ssl_expr_comp(apr_pool_t *p, const char *expr, const char **err)
{
ssl_expr_info_type context;
int rc;
return node;
}
-int ssl_expr_exec(request_rec *r, ssl_expr *expr, const char **err)
+int ssl_expr_exec(request_rec *r, const ssl_expr *expr, const char **err)
{
BOOL rc;
typedef struct {
apr_pool_t *pool;
- char *inputbuf;
+ const char *inputbuf;
int inputlen;
- char *inputptr;
+ const char *inputptr;
ssl_expr *expr;
void *scanner;
char *error;
int ssl_expr_yylex_destroy(void *scanner);
void ssl_expr_yyset_extra(ssl_expr_info_type *context, void *scanner);
-ssl_expr *ssl_expr_comp(apr_pool_t *p, char *exprstr, const char **err);
-int ssl_expr_exec(request_rec *r, ssl_expr *expr, const char **err);
+ssl_expr *ssl_expr_comp(apr_pool_t *p, const char *exprstr, const char **err);
+int ssl_expr_exec(request_rec *r, const ssl_expr *expr, const char **err);
ssl_expr *ssl_expr_make(ssl_expr_node_op op, void *arg1, void *arg2,
ssl_expr_info_type *context);
-BOOL ssl_expr_eval(request_rec *r, ssl_expr *expr, const char **err);
+BOOL ssl_expr_eval(request_rec *r, const ssl_expr *expr, const char **err);
#endif /* __SSL_EXPR_H__ */
/** @} */
static char *ssl_expr_eval_func_file(request_rec *, char *, const char **err);
static int ssl_expr_eval_strcmplex(char *, char *, const char **err);
-BOOL ssl_expr_eval(request_rec *r, ssl_expr *node, const char **err)
+BOOL ssl_expr_eval(request_rec *r, const ssl_expr *node, const char **err)
{
switch (node->node_op) {
case op_True: {
#include "apr_global_mutex.h"
#include "apr_optional.h"
#include "ap_socache.h"
+#include "mod_auth.h"
#define MOD_SSL_VERSION AP_SERVER_BASEREVISION
int ssl_hook_Upgrade(request_rec *);
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
+/** Apache authz provisders */
+extern const authz_provider ssl_authz_provider_require_ssl;
+extern const authz_provider ssl_authz_provider_verify_client;
+extern const authz_provider ssl_authz_provider_sslrequire;
+
/** OpenSSL callbacks */
RSA *ssl_callback_TmpRSA(SSL *, int, int);
DH *ssl_callback_TmpDH(SSL *, int, int);
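Review bot: The new comment `/** Apache authz provisders */` has a typo and should read `/** Apache authz providers */`. Since these three objects are now part of the header's exported interface, a one-line note that they are registered with ap_register_auth_provider from ssl_register_hooks in mod_ssl.c would help a reader locate their use.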