From 049b1d249d7a59fc35aaa4c553738853facb8411 Mon Sep 17 00:00:00 2001
From: Stephen Henson
Date: Tue, 22 Oct 2013 19:55:43 +0000
Subject: [PATCH] SSL_CONF support for files and directories.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1534754 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/log-message-tags/next-number | 2 +-
 modules/ssl/ssl_engine_config.c | 23 +++++++++++++++++++++--
 modules/ssl/ssl_engine_init.c | 19 +++++++++++++------
 modules/ssl/ssl_private.h | 1 +
 4 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index efbf27c074..5cf23a56c5 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2547
+2548
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index d0742cb43f..05e4dd9cfa 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -154,6 +154,10 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
 mctx->srp_vbase = NULL;
 #endif
 #ifdef HAVE_SSL_CONF_CMD
+ mctx->ssl_ctx_config = SSL_CONF_CTX_new();
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE);
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER);
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
 mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t));
 #endif
 }
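Review bot: `SSL_CONF_CTX_new()` returns NULL on allocation failure and the three `SSL_CONF_CTX_set_flags` calls that follow dereference the result unchecked; unlike the `apr_array_make` on the next line, OpenSSL's allocator does not abort on out-of-memory. modssl_ctx_init has no server_rec to log against, so either the result is guarded here and the NULL is reported at the first use that does have one (ssl_cmd_SSLOpenSSLConfCmd or ssl_init_ctx_protocol), or the creation moves to a place that can fail loudly. Separately, the flags can be OR'd into one call as the line this commit removes from ssl_engine_init.c already did: `SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE);`. Note that SSL_CONF_FLAG_CERTIFICATE is new relative to the removed line, so SSLOpenSSLConfCmd now also accepts certificate and key commands; a one-line comment saying so would help the next reader.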
@@ -1826,9 +1830,24 @@ const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
 const char *arg1, const char *arg2)
 {
- ssl_ctx_param_t *param;
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- param = apr_array_push(sc->server->ssl_ctx_param);
+ ssl_ctx_param_t *param = apr_array_push(sc->server->ssl_ctx_param);
+ SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
+ const char *err;
+ int value_type = SSL_CONF_cmd_value_type(cctx, arg1);
+ if (value_type == SSL_CONF_TYPE_UNKNOWN) {
+ return apr_psprintf(cmd->pool,
+ "'%s': invalid OpenSSL configuration command",
+ arg1);
+ }
+ if (value_type == SSL_CONF_TYPE_FILE) {
+ if ((err = ssl_cmd_check_file(cmd, &arg2)))
+ return err;
+ }
+ else if (value_type == SSL_CONF_TYPE_DIR) {
+ if ((err = ssl_cmd_check_dir(cmd, &arg2)))
+ return err;
+ }
 param->name = arg1;
 param->value = arg2;
 return NULL;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6e6822e708..b9ffa497cf 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
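Review bot: `apr_array_push` runs before any of the new validation, so each early `return` on the UNKNOWN, FILE and DIR error paths leaves a pushed `ssl_ctx_param_t` whose `name` and `value` are never assigned; ssl_init_ctx_protocol walks `nelts` and would hand that uninitialised pair to `SSL_CONF_cmd`. A directive error aborts configuration so this is probably unreachable today, but the ordering is fragile and costs nothing to fix: declare `ssl_ctx_param_t *param;` at the top and move `param = apr_array_push(sc->server->ssl_ctx_param);` to just before `param->name = arg1;`. The function's closing brace is outside this hunk.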
@@ -515,20 +515,24 @@ static void ssl_init_ctx_protocol(server_rec *s,
 #ifdef HAVE_SSL_CONF_CMD
 {
 ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
- SSL_CONF_CTX *cctx;
+ SSL_CONF_CTX *cctx = mctx->ssl_ctx_config;
 int i;
- cctx = SSL_CONF_CTX_new();
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE|SSL_CONF_FLAG_SERVER);
 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
 for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
 if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
- "Error SSL_CONF_cmd(%s,%s)", param->name, param->value);
+ "Error SSL_CONF_cmd(\"%s\",\"%s\")",
+ param->name, param->value);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ ssl_die(s);
+ }
+ }
+ if (SSL_CONF_CTX_finish(cctx) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
+ "Error SSL_CONF_CTX_finish()");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
 ssl_die(s);
- }
 }
- SSL_CONF_CTX_free(cctx);
 }
 #endif
 
@@ -1574,6 +1578,9 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s)
 static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
 {
 MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
+#ifdef HAVE_SSL_CONF_CMD
+ MODSSL_CFG_ITEM_FREE(SSL_CONF_CTX_free, mctx->ssl_ctx_config);
+#endif

 #ifdef HAVE_SRP
 if (mctx->srp_vbase != NULL) {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 01f03be0f4..463c2ce8fc 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -656,6 +656,7 @@ typedef struct {
 long ocsp_resp_maxage;
 apr_interval_time_t ocsp_responder_timeout;
 #ifdef HAVE_SSL_CONF_CMD
+ SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
 apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
 #endif
 } modssl_ctx_t;
--
2.40.0
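Review bot: `SSL_CONF_CTX_set_ssl_ctx(cctx, ctx)` is the first use of `mctx->ssl_ctx_config` on a path that has a server_rec to log against, and `cctx` is never checked for NULL, which is what `SSL_CONF_CTX_new()` in modssl_ctx_init yields when allocation fails; a guard here fails loudly instead of crashing inside OpenSSL: `if (cctx == NULL) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(xxxxx) "SSL_CONF_CTX_new() failed"); ssl_die(s); }` (with a fresh tag from next-number). The context now outlives this function and stays bound to `ctx` until ssl_init_ctx_cleanup, which frees the SSL_CTX before the SSL_CONF_CTX, so the order there is right, but a comment on the `cctx` line would save the next reader from asking why the free moved: `/* ssl_ctx_config lives as long as mctx; freed in ssl_init_ctx_cleanup */`. Why `SSL_CONF_CTX_finish` became necessary is not stated; presumably the new SSL_CONF_FLAG_CERTIFICATE commands defer certificate/key checks to it, which a one-line comment should confirm. The enclosing function continues outside the hunk on both sides.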
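Review bot: The new `ssl_ctx_config` field's comment `/* Configuration context */` says nothing about ownership, and unlike the pool-allocated `ssl_ctx_param` next to it this object comes from OpenSSL and must be freed explicitly. The hunks in this commit establish the lifecycle, so the comment can state it: `/* SSL_CONF_CTX: created in modssl_ctx_init, bound to ssl_ctx in ssl_init_ctx_protocol, freed in ssl_init_ctx_cleanup */`. Mentioning that it is also consulted at config-parse time by ssl_cmd_SSLOpenSSLConfCmd (for `SSL_CONF_cmd_value_type`) explains why it cannot be created lazily in ssl_init_ctx_protocol.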