From: Stefan Fritsch
Date: Sun, 10 Jun 2012 19:50:25 +0000 (+0000)
Subject: Add some improvements as suggested by Kaspar
X-Git-Tag: 2.5.0-alpha~6742
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6dd8ce1c333ce0d9049fc81242336b3a30e2794a;p=apache

Add some improvements as suggested by Kaspar

- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl version
- rename rv variable

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1348653 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in
index 898a99628c..c766bb2fa5 100644
--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -159,8 +159,10 @@ SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
 # TLS-SRP mutual authentication:
 # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
-# file (containing login information for SRP user accounts). See
-# the mod_ssl FAQ for instructions on creating this file.
+# file (containing login information for SRP user accounts).
+# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+# detailed instructions on creating this file. Example:
+# "openssl srp -srpvfile @exp_sysconfdir@/passwd.srpv -add username"
 #SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv"
 # Access Control:
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 3a747471be..fd645cc5d3 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -532,7 +532,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
      * TLS-SRP support
      */
     if (mctx->srp_vfile != NULL) {
-        int rv;
+        int err;
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02308)
                      "Using SRP verifier file [%s]", mctx->srp_vfile);
@@ -545,10 +545,10 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
             ssl_die();
         }
-        rv = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
-        if (rv != SRP_NO_ERROR) {
+        err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
+        if (err != SRP_NO_ERROR) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
-                         "Unable to load SRP verifier file [error %d]", rv);
+                         "Unable to load SRP verifier file [error %d]", err);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
             ssl_die();
         }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index ef21794e18..1b69d4c013 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2254,7 +2254,8 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
     char *username = SSL_get_srp_username(ssl);
     SRP_user_pwd *u;
-    if ((u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+    if (username == NULL
+        || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
         *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
         return SSL3_AL_FATAL;
     }
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index e04c933da9..5a0373d937 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -186,10 +186,12 @@
 #endif
 /* SRP support came in OpenSSL 1.0.1 */
-#if (OPENSSL_VERSION_NUMBER < 0x10001000)
-#define OPENSSL_NO_SRP
-#else
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
 #include
+#else
+#define OPENSSL_NO_SRP
+#endif
 #endif
 /* mod_ssl headers */
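Review bot: The added `username == NULL` guard in ssl_callback_SRPServerParams takes the same fatal `SSL_AD_UNKNOWN_PSK_IDENTITY` path as a verifier-file miss, so a client still learns from the alert whether a given username has a verifier — a username-enumeration oracle that RFC 5054 §2.5.1.3 lets a server avoid by continuing the handshake with a simulated salt/verifier for unknown users. That behaviour predates this change rather than being introduced by it, but the branch deserves a comment so nobody assumes the alert is harmless, e.g. `/* NOTE: a fatal unknown_psk_identity alert reveals whether a username exists; RFC 5054 2.5.1.3 allows simulating a verifier instead */`. Whether enumeration matters depends on how the verifier file is populated in a given deployment, so this is a documented trade-off rather than a must-fix here. The rest of ssl_callback_SRPServerParams lies outside the hunk.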
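Review bot: The unchanged comment `/* SRP support came in OpenSSL 1.0.1 */` above the rewritten block is now only half the story: the new code keys on `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` and on a pre-existing `OPENSSL_NO_SRP`, not on the version number, so a reader will wonder why the version is named and the macro is not. Suggest `/* SRP support came in OpenSSL 1.0.1; detect it via the SRP ctrl macro rather than the version number, and honour a build-time OPENSSL_NO_SRP */`. The `#ifdef` also presumes that an OpenSSL header defining that ctrl macro has already been included earlier in ssl_private.h, which the hunk does not show — worth confirming the check is not silently false because of include order.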