From: Kaspar Brand Date: Mon, 15 Apr 2013 15:56:07 +0000 (+0000) Subject: revert r1352596, for the reasons explained in X-Git-Tag: 2.5.0-alpha~5578 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1c780f18be048ec9587896533e2c22f00e41b285;p=apache revert r1352596, for the reasons explained in https://mail-archives.apache.org/mod_mbox/httpd-dev/201304.mbox/%3C515FED7C.5010009%40velox.ch%3E git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1468131 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f9cc39163f..70f440b596 100644 --- a/CHANGES +++ b/CHANGES @@ -134,8 +134,6 @@ Changes with Apache 2.5.0 - mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache [Jeff Trawick] - *) mod_ssl: Add RFC 5878 support. [Ben Laurie] - *) suexec: Add --enable-suexec-capabilites support on Linux, to use setuid/setgid capability bits rather than a setuid root binary. [Joe Orton] diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 2e78be3196..5dbc26761e 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -99,15 +99,6 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_SRV(PKCS7CertificateFile, TAKE1, "PKCS#7 file containing server certificate and chain" " certificates ('/path/to/file' - PEM encoded)") - SSL_CMD_ALL(RSAAuthzFile, TAKE1, - "RFC 5878 Authz Extension file for RSA certificate " - "(`/path/to/file')") - SSL_CMD_ALL(DSAAuthzFile, TAKE1, - "RFC 5878 Authz Extension file for DSA certificate " - "(`/path/to/file')") - SSL_CMD_ALL(ECAuthzFile, TAKE1, - "RFC 5878 Authz Extension file for EC certificate " - "(`/path/to/file')") #ifdef HAVE_TLS_SESSION_TICKETS SSL_CMD_SRV(SessionTicketKeyFile, TAKE1, "TLS session ticket encryption/decryption key file (RFC 5077) " diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 20c46daeb7..62e217acac 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c 
@@ -125,10 +125,6 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) mctx->crl_file = NULL; mctx->crl_check_mode = SSL_CRLCHECK_UNSET; - mctx->rsa_authz_file = NULL; - mctx->dsa_authz_file = NULL; - mctx->ec_authz_file = NULL; - mctx->auth.ca_cert_path = NULL; mctx->auth.ca_cert_file = NULL; mctx->auth.cipher_suite = NULL; @@ -265,10 +261,6 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base, cfgMerge(crl_file, NULL); cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET); - cfgMergeString(rsa_authz_file); - cfgMergeString(dsa_authz_file); - cfgMergeString(ec_authz_file); - cfgMergeString(auth.ca_cert_path); cfgMergeString(auth.ca_cert_file); cfgMergeString(auth.cipher_suite); @@ -858,54 +850,6 @@ const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *cmd, return NULL; } -const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd, - void *dcfg, - const char *arg) -{ - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - const char *err; - - if ((err = ssl_cmd_check_file(cmd, &arg))) { - return err; - } - - sc->server->rsa_authz_file = arg; - - return NULL; -} - -const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd, - void *dcfg, - const char *arg) -{ - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - const char *err; - - if ((err = ssl_cmd_check_file(cmd, &arg))) { - return err; - } - - sc->server->dsa_authz_file = arg; - - return NULL; -} - -const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd, - void *dcfg, - const char *arg) -{ - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - const char *err; - - if ((err = ssl_cmd_check_file(cmd, &arg))) { - return err; - } - - sc->server->ec_authz_file = arg; - - return NULL; -} - #ifdef HAVE_TLS_SESSION_TICKETS const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, void *dcfg, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e8b6f1a9c1..a5b15c8874 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
@@ -1022,8 +1022,7 @@ static void ssl_init_ctx(server_rec *s, static int ssl_server_import_cert(server_rec *s, modssl_ctx_t *mctx, const char *id, - int idx, - const char *authz_file) + int idx) { SSLModConfigRec *mc = myModConfig(s); ssl_asn1_t *asn1; @@ -1062,24 +1061,6 @@ static int ssl_server_import_cert(server_rec *s, } #endif - if (authz_file) { -#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L - if (!SSL_CTX_use_authz_file(mctx->ssl_ctx, authz_file)) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Unable to initialize TLS authz extension"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); - ssl_die(s); - } - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Set %s authz_file to %s", - type, authz_file); -#else - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Unable to initialize TLS authz extension: " - "OpenSSL version too low"); - ssl_die(s); -#endif - } - mctx->pks->certs[idx] = cert; return TRUE; @@ -1217,13 +1198,10 @@ static void ssl_init_server_certs(server_rec *s, ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); #endif - have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA, - mctx->rsa_authz_file); - have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA, - mctx->dsa_authz_file); + have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); + have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); #ifndef OPENSSL_NO_EC - have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC, - mctx->ec_authz_file); + have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); #endif if (!(have_rsa || have_dsa diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index edcd1d8050..740fba0e84 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h 
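Review bot: `ssl_server_import_cert` still has no header comment at its new four-argument signature, and the context of the following hunk shows `idx` used unchecked as an array index in `mctx->pks->certs[idx] = cert;`. I would state that contract above the definition, for example `/* Import the server certificate stored under id into mctx->pks->certs[idx]; idx must be one of the SSL_AIDX_* slots. */`. The return value appears to be TRUE when a certificate was loaded, since the calls in the `ssl_init_server_certs` hunk assign it to `have_rsa`, `have_dsa` and `have_ecc`. The FALSE path is not visible in these hunks, so confirm it before documenting the return value. The function body starts in this hunk and continues outside it.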
@@ -678,11 +678,6 @@ typedef struct { SRP_VBASE *srp_vbase; #endif - /** RFC 5878 */ - const char *rsa_authz_file; - const char *dsa_authz_file; - const char *ec_authz_file; - modssl_auth_ctx_t auth; BOOL ocsp_enabled; /* true if OCSP verification enabled */ @@ -762,9 +757,6 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *); -const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);