From: Yann Ylavic Date: Wed, 16 Mar 2016 22:54:27 +0000 (+0000) Subject: mod_ssl: follow up to r1734561. X-Git-Tag: 2.5.0-alpha~1884 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5bc7c3ca2d45d671581f9f712b0aa5fe8d0dc99a;p=apache mod_ssl: follow up to r1734561. Simplify CRL check mode and flags handling/merging by using a single mask (int). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735337 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index d2c2b30de6..766eedd0f7 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -121,8 +121,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
 
     mctx->crl_path = NULL;
     mctx->crl_file = NULL;
-    mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
-    mctx->crl_check_flags = UNSET;
+    mctx->crl_check_mask = UNSET;
 
     mctx->auth.ca_cert_path = NULL;
     mctx->auth.ca_cert_file = NULL;
@@ -272,8 +271,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
 
     cfgMerge(crl_path, NULL);
     cfgMerge(crl_file, NULL);
-    cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
-    cfgMergeInt(crl_check_flags);
+    cfgMergeInt(crl_check_mask);
 
     cfgMergeString(auth.ca_cert_path);
     cfgMergeString(auth.ca_cert_file);
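Review bot: `mctx->crl_check_mask = UNSET;` seeds a bit mask with a sentinel whose every bit is set (UNSET is -1 in mod_ssl), so a later `crl_check_mask & SSL_CRLCHECK_*` test on a context that never saw the directive reads as true for every flag, including `SSL_CRLCHECK_NO_CRL_FOR_CERT_OK`. The old layout did not have this property because the flags word was separately normalised to 0 at init time. Worth a comment on this line so nobody tests single bits before resolving the sentinel: `/* UNSET (-1) has every bit set; compare the whole mask against UNSET before testing individual bits */`. modssl_ctx_init begins and ends outside the hunk.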
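Review bot: `cfgMergeInt(crl_check_mask);` now inherits or overrides the mode and the `no_crl_for_cert_ok` flag as one unit, so a vhost that writes `SSLCARevocationCheck leaf` also drops any flag its parent set; that matches what the old per-directive code did, but it is no longer obvious from one line. A short comment would save the next reader a trip to the directive handler: `/* mode and flags are merged together: setting a mode in a vhost also resets the flags */`. modssl_ctx_cfg_merge begins and ends outside the hunk.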
@@ -975,23 +973,38 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd, static const char *ssl_cmd_crlcheck_parse(cmd_parms *parms, const char *arg, - ssl_crlcheck_t *mode) + int *mask) { - if (strcEQ(arg, "none")) { - *mode = SSL_CRLCHECK_NONE; + const char *w; + + w = ap_getword_conf(parms->temp_pool, &arg); + if (strcEQ(w, "none")) { + *mask = SSL_CRLCHECK_NONE; } - else if (strcEQ(arg, "leaf")) { - *mode = SSL_CRLCHECK_LEAF; + else if (strcEQ(w, "leaf")) { + *mask = SSL_CRLCHECK_LEAF; } - else if (strcEQ(arg, "chain")) { - *mode = SSL_CRLCHECK_CHAIN; + else if (strcEQ(w, "chain")) { + *mask = SSL_CRLCHECK_CHAIN; } else { return apr_pstrcat(parms->temp_pool, parms->cmd->name, - ": Invalid argument '", arg, "'", + ": Invalid argument '", w, "'", NULL); } + while (*arg) { + w = ap_getword_conf(parms->temp_pool, &arg); + if (strcEQ(w, "no_crl_for_cert_ok")) { + *mask |= SSL_CRLCHECK_NO_CRL_FOR_CERT_OK; + } + else { + return apr_pstrcat(parms->temp_pool, parms->cmd->name, + ": Invalid argument '", w, "'", + NULL); + } + } + return NULL; } @@ -1000,29 +1013,8 @@ const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd, const char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - const char *err, *w; - w = ap_getword_conf(cmd->temp_pool, &arg); - err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode); - if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) { - return err; - } - - if (sc->server->crl_check_flags == UNSET) { - sc->server->crl_check_flags = 0; - } - while (*arg) { - w = ap_getword_conf(cmd->temp_pool, &arg); - if (strcEQ(w, "no_crl_for_cert_ok")) { - sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK; - } - else { - return apr_pstrcat(cmd->temp_pool, cmd->cmd->name, - ": Invalid flag '", w, "'", - NULL); - } - } - return NULL; + return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mask); } static const char *ssl_cmd_verify_parse(cmd_parms *parms, 
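Review bot: The `while (*arg)` loop in ssl_cmd_crlcheck_parse runs for every mode, so `SSLCARevocationCheck none no_crl_for_cert_ok` is accepted and stores a flag nothing can act on (with the mode bits at 0 no CRL check is ever enabled), whereas the removed ssl_cmd_SSLCARevocationCheck code returned right after parsing `none`. A dead option on a revocation directive is more likely a typo than intent, so I would refuse it just before the loop: `if (*mask == SSL_CRLCHECK_NONE && *arg) { return apr_pstrcat(parms->temp_pool, parms->cmd->name, ": flags are not valid with 'none'", NULL); }`. The function also has no header comment; it should state the grammar it accepts, `mode [flag ...]` with mode one of none/leaf/chain and flag currently only no_crl_for_cert_ok, and that `*mask` is overwritten before the flags are validated, so a rejected flag leaves the mode already stored. The bad-flag message also changed from the old `Invalid flag` to `Invalid argument`, which makes the two error paths indistinguishable in the log.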
@@ -1535,29 +1527,8 @@ const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd, const char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - const char *err, *w; - w = ap_getword_conf(cmd->temp_pool, &arg); - err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode); - if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) { - return err; - } - - if (sc->proxy->crl_check_flags == UNSET) { - sc->proxy->crl_check_flags = 0; - } - while (*arg) { - w = ap_getword_conf(cmd->temp_pool, &arg); - if (strcEQ(w, "no_crl_for_cert_ok")) { - sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK; - } - else { - return apr_pstrcat(cmd->temp_pool, cmd->cmd->name, - ": Invalid flag '", w, "'", - NULL); - } - } - return NULL; + return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mask); } const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index ad15d89fcd..da7785d74b 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -229,13 +229,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->fips = FALSE; } #endif - - if (sc->server && sc->server->crl_check_flags == UNSET) { - sc->server->crl_check_flags = 0; - } - if (sc->proxy && sc->proxy->crl_check_flags == UNSET) { - sc->proxy->crl_check_flags = 0; - } } #if APR_HAS_THREADS 
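Review bot: Dropping the UNSET normalisation in ssl_init_Module leaves `crl_check_mask` at UNSET (-1, every bit set) for any server or proxy context that never saw the directive, and ssl_callback_SSLVerify elsewhere in this diff tests `crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK` without first comparing against UNSET, so the bit reads as set there. It is harmless today only because an UNSET mask yields a mode of 0x3, which ssl_init_ctx_crl treats as neither LEAF nor CHAIN and so never enables X509_V_FLAG_CRL_CHECK; anything that later enables CRL checking by default would inherit the weaker no-CRL behaviour silently. I would keep a normalisation in this spot, `if (sc->server && sc->server->crl_check_mask == UNSET) { sc->server->crl_check_mask = SSL_CRLCHECK_NONE; }` with the same for `sc->proxy`, so every mask is a well-formed mode|flags value once configuration is complete. ssl_init_Module starts outside the hunk.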
@@ -818,14 +811,15 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); unsigned long crlflags = 0; char *cfgp = mctx->pkp ? "SSLProxy" : "SSL"; + int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS; /* * Configure Certificate Revocation List (CRL) Details */ if (!(mctx->crl_file || mctx->crl_path)) { - if (mctx->crl_check_mode == SSL_CRLCHECK_LEAF || - mctx->crl_check_mode == SSL_CRLCHECK_CHAIN) { + if (crl_check_mode == SSL_CRLCHECK_LEAF || + crl_check_mode == SSL_CRLCHECK_CHAIN) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01899) "Host %s: CRL checking has been enabled, but " "neither %sCARevocationFile nor %sCARevocationPath " @@ -847,7 +841,7 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, return ssl_die(s); } - switch (mctx->crl_check_mode) { + switch (crl_check_mode) { case SSL_CRLCHECK_LEAF: crlflags = X509_V_FLAG_CRL_CHECK; break; diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 025a95a870..0edd2d08bd 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1569,12 +1569,14 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; SSLConnRec *sslconn = myConnConfig(conn); modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); + int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS; /* Get verify ingredients */ int errnum = X509_STORE_CTX_get_error(ctx); int errdepth = X509_STORE_CTX_get_error_depth(ctx); int depth, verify; + /* * Log verification information */ 
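Review bot: `int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;` evaluates to 0x3 (LEAF|CHAIN) when the mask is still UNSET (-1), a value that is not a member of ssl_crlcheck_t; the function copes only because 0x3 matches neither LEAF nor CHAIN and so reaches the switch's default, which lies beyond the visible lines. That is worth a comment on the declaration, since a reader who writes `crl_check_mode != SSL_CRLCHECK_NONE` would wrongly conclude checking is enabled: `/* UNSET (-1) yields 0x3 here: not a valid mode, handled below as "no CRL check" */`. The same expression is repeated verbatim in ssl_callback_SSLVerify, so a small accessor macro in ssl_private.h would keep the two in step. ssl_init_ctx_crl continues past the end of the hunk.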
@@ -1582,10 +1584,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
                   X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
                   "Certificate Verification, depth %d, "
                   "CRL checking mode: %s (%x)", errdepth,
-                  mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ?
-                  "chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ?
-                  "leaf" : "none"),
-                  mctx->crl_check_flags);
+                  crl_check_mode == SSL_CRLCHECK_CHAIN ? "chain" :
+                  crl_check_mode == SSL_CRLCHECK_LEAF ? "leaf" : "none",
+                  mctx->crl_check_mask);
 
     /*
      * Check for optionally acceptable non-verifiable issuer situation
@@ -1635,7 +1636,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     }
 
     if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
-            && (mctx->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) {
+            && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
         errnum = X509_V_OK;
         ok = TRUE;
     }
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 690e8476bb..42c04612dc 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -336,14 +336,15 @@ typedef enum {
     || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 
 /**
- * CRL checking modes
+ * CRL checking mask (mode | flags)
  */
-#define MODSSL_CCF_NO_CRL_FOR_CERT_OK (1 << 0)
 typedef enum {
-    SSL_CRLCHECK_UNSET = UNSET,
-    SSL_CRLCHECK_NONE = 0,
-    SSL_CRLCHECK_LEAF = 1,
-    SSL_CRLCHECK_CHAIN = 2
+    SSL_CRLCHECK_NONE = (0),
+    SSL_CRLCHECK_LEAF = (1 << 0),
+    SSL_CRLCHECK_CHAIN = (1 << 1),
+
+#define SSL_CRLCHECK_FLAGS (~0x3)
+    SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
 } ssl_crlcheck_t;
 
 /**
@@ -601,8 +602,7 @@ typedef struct {
     /** certificate revocation list */
     const char *crl_path;
     const char *crl_file;
-    ssl_crlcheck_t crl_check_mode;
-    int crl_check_flags;
+    int crl_check_mask;
 
 #ifdef HAVE_OCSP_STAPLING
     /** OCSP stapling options */
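Review bot: The `%x` conversion in the trace message now receives `mctx->crl_check_mask`, an `int`, where it expects `unsigned int`; for the UNSET sentinel (-1) that is a negative value handed to an unsigned conversion, so cast it explicitly, `(unsigned)mctx->crl_check_mask`, to keep -Wformat-signedness quiet. The same sentinel also makes the line read `none (ffffffff)` for an unconfigured context, which looks like a corrupt mask rather than an absent directive; printing the flag bits only, or spelling out `unset`, would be kinder to whoever reads the trace. ssl_callback_SSLVerify starts before and ends after this hunk.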
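Review bot: The override `errnum = X509_V_OK; ok = TRUE;` turns a failed revocation lookup into a pass whenever the flag bit is set, and the test now reads `mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK`, which is also true for an UNSET mask (-1); it is gated only indirectly by ssl_init_ctx_crl never enabling CRL checking for an UNSET mask. I would make the guard explicit, `mctx->crl_check_mask != UNSET && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)`, so the acceptance cannot depend on initialisation order. Accepting a certificate whose CRL could not be fetched is exactly what an operator wants to find during an incident review, so unless it is logged outside the hunk, add an `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn, APLOGNO() "CRL for certificate at depth %d unavailable, accepted per no_crl_for_cert_ok", errdepth);` beside the override (`conn` and `errdepth` are in scope in this function). ssl_callback_SSLVerify starts before and ends after this hunk.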
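Review bot: `#define SSL_CRLCHECK_FLAGS (~0x3)` sits inside the enum body and hard-codes that the mode occupies the low two bits instead of deriving it from the enumerators beside it, so adding a mode or moving a bit would silently desynchronise the two. I would move it after the closing `} ssl_crlcheck_t;` and build it from the names: `#define SSL_CRLCHECK_MODE_MASK (SSL_CRLCHECK_LEAF | SSL_CRLCHECK_CHAIN)`, `#define SSL_CRLCHECK_FLAGS (~SSL_CRLCHECK_MODE_MASK)`, `#define SSL_CRLCHECK_MODE(m) ((m) & SSL_CRLCHECK_MODE_MASK)`, using the last one in ssl_engine_init.c and ssl_engine_kernel.c, which currently repeat `& ~SSL_CRLCHECK_FLAGS`. The header comment should also say that LEAF and CHAIN are mutually exclusive values despite being distinct bits, that the field holding the mask is UNSET (-1) until the directive is seen, and that `SSL_CRLCHECK_NO_CRL_FOR_CERT_OK` weakens checking by treating an unavailable CRL as a pass.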
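Review bot: `int crl_check_mask;` replaces two fields whose names carried their meaning with one whose encoding is not stated where it is declared, and the `/** certificate revocation list */` comment above it does not cover it. Suggest a field comment: `/** CRL checking mode (SSL_CRLCHECK_NONE/LEAF/CHAIN) OR'ed with SSL_CRLCHECK_* flags; UNSET (-1) until SSL[Proxy]CARevocationCheck is seen */`. The enclosing struct begins outside the hunk.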