From 1fcbc73b1354ae3f706b29d0104329f1332116e6 Mon Sep 17 00:00:00 2001 From: Doug MacEachern Date: Tue, 12 Mar 2002 01:40:02 +0000 Subject: [PATCH] various style fixups / general changes to make code more readable. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93848 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_kernel.c | 795 ++++++++++++++++++-------------- 1 file changed, 461 insertions(+), 334 deletions(-) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index f7cd981b2d..95d899f00b 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -72,17 +72,16 @@ */ apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter) { - SSL *ssl; + SSL *ssl = filter->pssl; const char *cpType = ""; conn_rec *conn; SSLConnRec *sslconn; - ssl = filter->pssl; - conn = (conn_rec *)SSL_get_app_data(ssl); - - if (ssl == NULL) + if (!ssl) { return APR_SUCCESS; + } + conn = (conn_rec *)SSL_get_app_data(ssl); sslconn = myConnConfig(conn); /* @@ -152,7 +151,7 @@ apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter) "(server %s, client %s)", conn->id, cpType, ssl_util_vhostid(conn->pool, conn->base_server), - conn->remote_ip != NULL ? conn->remote_ip : "unknown"); + conn->remote_ip ? conn->remote_ip : "unknown"); } /* deallocate the SSL connection */ @@ -179,16 +178,16 @@ int ssl_hook_ReadReq(request_rec *r) * Get the SSL connection structure and perform the * delayed interlinking from SSL back to request_rec */ - ssl = sslconn->ssl; - if (ssl != NULL) { + if ((ssl = sslconn->ssl)) { SSL_set_app_data2(ssl, r); } /* * Force the mod_ssl content handler when URL indicates this */ - if (strEQn(r->uri, "/mod_ssl:", 9)) + if (strEQn(r->uri, "/mod_ssl:", 9)) { r->handler = "mod_ssl:content-handler"; + } return DECLINED; } @@ -237,19 +236,20 @@ int ssl_hook_Translate(request_rec *r) { SSLConnRec *sslconn = myConnConfig(r->connection); - if (!sslconn || !sslconn->ssl) + if (!(sslconn && sslconn->ssl)) { return DECLINED; + } /* * Log information about incoming HTTPS requests */ - if (ap_is_initial_req(r) && SSLConnLogApplies(sslconn, SSL_LOG_INFO)) { + if (SSLConnLogApplies(sslconn, SSL_LOG_INFO) && ap_is_initial_req(r)) { ssl_log(r->server, SSL_LOG_INFO, "%s HTTPS request received for child %d (server %s)", - r->connection->keepalives <= 0 ? - "Initial (No.1)" : - apr_psprintf(r->pool, "Subsequent (No.%d)", - r->connection->keepalives+1), + (r->connection->keepalives <= 0 ? + "Initial (No.1)" : + apr_psprintf(r->pool, "Subsequent (No.%d)", + r->connection->keepalives+1)), r->connection->id, ssl_util_vhostid(r->pool, r->server)); } @@ -269,28 +269,39 @@ int ssl_hook_Translate(request_rec *r) */ int ssl_hook_Handler(request_rec *r) { - int port; - char *thisport; - char *thisurl; - - if (strNE(r->handler, "mod_ssl:content-handler")) + if (strNE(r->handler, "mod_ssl:content-handler")) { return DECLINED; - if (strNEn(r->uri, "/mod_ssl:", 9)) + } + + if (strNEn(r->uri, "/mod_ssl:", 9)) { return DECLINED; + } if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) { - thisport = ""; - port = ap_get_server_port(r); - if (!ap_is_default_port(port, r)) + const char *errmsg; + char *thisurl; + char *thisport = ""; + int port = ap_get_server_port(r); + + if (!ap_is_default_port(port, r)) { thisport = apr_psprintf(r->pool, ":%u", port); - thisurl = ap_escape_html(r->pool, apr_psprintf(r->pool, "https://%s%s/", - ap_get_server_name(r), thisport)); - - apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool, - "Reason: You're speaking plain HTTP to an SSL-enabled server port.
\n" - "Instead use the HTTPS scheme to access this URL, please.
\n" - "
Hint: %s
", - thisurl, thisurl)); + } + + thisurl = ap_escape_html(r->pool, + apr_psprintf(r->pool, "https://%s%s/", + ap_get_server_name(r), + thisport)); + + errmsg = apr_psprintf(r->pool, + "Reason: You're speaking plain HTTP " + "to an SSL-enabled server port.
\n" + "Instead use the HTTPS scheme to access " + "this URL, please.
\n" + "
Hint: " + "%s
", + thisurl, thisurl); + + apr_table_setn(r->notes, "error-notes", errmsg); } return HTTP_BAD_REQUEST; @@ -301,66 +312,53 @@ int ssl_hook_Handler(request_rec *r) */ int ssl_hook_Access(request_rec *r) { - SSLDirConfigRec *dc; - SSLSrvConfigRec *sc; - SSLConnRec *sslconn; - SSL *ssl; + SSLDirConfigRec *dc = myDirConfig(r); + SSLSrvConfigRec *sc = mySrvConfig(r->server); + SSLConnRec *sslconn = myConnConfig(r->connection); + SSL *ssl = sslconn ? sslconn->ssl : NULL; SSL_CTX *ctx = NULL; apr_array_header_t *apRequirement; - ssl_require_t *pRequirements; - ssl_require_t *pRequirement; + ssl_require_t *pRequirements, *pRequirement; char *cp; - int ok; - int i; - BOOL renegotiate; - BOOL renegotiate_quick; + int ok, i; + BOOL renegotiate = FALSE, renegotiate_quick = FALSE; #ifdef SSL_EXPERIMENTAL_PERDIRCA - BOOL reconfigured_locations; + BOOL reconfigured_locations = FALSE; STACK_OF(X509_NAME) *skCAList; - char *cpCAPath; - char *cpCAFile; + char *cpCAPath, *cpCAFile; #endif X509 *cert; STACK_OF(X509) *certstack; X509_STORE *certstore; X509_STORE_CTX certstorectx; - int depth; - STACK_OF(SSL_CIPHER) *skCipherOld; - STACK_OF(SSL_CIPHER) *skCipher; - SSL_CIPHER *pCipher; - int nVerifyOld; - int nVerify; - int n; - int rc; - - dc = myDirConfig(r); - sc = mySrvConfig(r->server); - sslconn = myConnConfig(r->connection); - ssl = sslconn ? sslconn->ssl : NULL; - if (ssl != NULL) + STACK_OF(SSL_CIPHER) *skCipherOld, *skCipher = NULL; + SSL_CIPHER *pCipher = NULL; + int depth, nVerifyOld, nVerify, n; + + if (ssl) { ctx = SSL_get_SSL_CTX(ssl); + } /* * Support for SSLRequireSSL directive */ - if (dc->bSSLRequired && ssl == NULL) { + if (dc->bSSLRequired && !ssl) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, - "access to %s failed for %s, reason: %s", r->filename, - ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL), - "SSL connection required"); + "access to %s failed, reason: %s", + r->filename, "SSL connection required"); + /* remember forbidden access for strict require option */ - apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1); + apr_table_setn(r->notes, "ssl-access-forbidden", "1"); + return HTTP_FORBIDDEN; } /* * Check to see if SSL protocol is on */ - if (!sc->bEnabled) - return DECLINED; - if (ssl == NULL) + if (!(sc->bEnabled || ssl)) { return DECLINED; - + } /* * Support for per-directory reconfigured SSL connection parameters. * @@ -381,11 +379,6 @@ int ssl_hook_Access(request_rec *r) * the reconfigured parameter suite is stronger (more restrictions) than * the currently active one. */ - renegotiate = FALSE; - renegotiate_quick = FALSE; -#ifdef SSL_EXPERIMENTAL_PERDIRCA - reconfigured_locations = FALSE; -#endif /* * Override of SSLCipherSuite @@ -408,60 +401,91 @@ int ssl_hook_Access(request_rec *r) * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no * implicit optimizations. */ - if (dc->szCipherSuite != NULL) { + if (dc->szCipherSuite) { /* remember old state */ - pCipher = NULL; - skCipherOld = NULL; - if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) + + if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { pCipher = SSL_get_current_cipher(ssl); + } else { skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl); - if (skCipherOld != NULL) + + if (skCipherOld) { skCipherOld = sk_SSL_CIPHER_dup(skCipherOld); + } } + /* configure new state */ if (!SSL_set_cipher_list(ssl, dc->szCipherSuite)) { ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR, - "Unable to reconfigure (per-directory) permitted SSL ciphers"); - if (skCipherOld != NULL) + "Unable to reconfigure (per-directory) " + "permitted SSL ciphers"); + + if (skCipherOld) { sk_SSL_CIPHER_free(skCipherOld); + } + return HTTP_FORBIDDEN; } + /* determine whether a renegotiation has to be forced */ skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl); + if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { /* optimized way */ - if ((pCipher == NULL && skCipher != NULL) || - (pCipher != NULL && skCipher == NULL) ) + if ((!pCipher && skCipher) || + (pCipher && !skCipher)) + { renegotiate = TRUE; - else if (pCipher != NULL && skCipher != NULL - && sk_SSL_CIPHER_find(skCipher, pCipher) < 0) { + } + else if (pCipher && skCipher && + (sk_SSL_CIPHER_find(skCipher, pCipher) < 0)) + { renegotiate = TRUE; } } else { /* paranoid way */ - if ((skCipherOld == NULL && skCipher != NULL) || - (skCipherOld != NULL && skCipher == NULL) ) + if ((!skCipherOld && skCipher) || + (skCipherOld && !skCipher)) + { renegotiate = TRUE; - else if (skCipherOld != NULL && skCipher != NULL) { - for (n = 0; !renegotiate && n < sk_SSL_CIPHER_num(skCipher); n++) { - if (sk_SSL_CIPHER_find(skCipherOld, sk_SSL_CIPHER_value(skCipher, n)) < 0) + } + else if (skCipherOld && skCipher) { + for (n = 0; + !renegotiate && (n < sk_SSL_CIPHER_num(skCipher)); + n++) + { + SSL_CIPHER *value = sk_SSL_CIPHER_value(skCipher, n); + + if (sk_SSL_CIPHER_find(skCipherOld, value) < 0) { renegotiate = TRUE; + } } - for (n = 0; !renegotiate && n < sk_SSL_CIPHER_num(skCipherOld); n++) { - if (sk_SSL_CIPHER_find(skCipher, sk_SSL_CIPHER_value(skCipherOld, n)) < 0) + + for (n = 0; + !renegotiate && (n < sk_SSL_CIPHER_num(skCipherOld)); + n++) + { + SSL_CIPHER *value = sk_SSL_CIPHER_value(skCipherOld, n); + + if (sk_SSL_CIPHER_find(skCipher, value) < 0) { renegotiate = TRUE; + } } } } + /* cleanup */ - if (skCipherOld != NULL) + if (skCipherOld) { sk_SSL_CIPHER_free(skCipherOld); + } + /* tracing */ - if (renegotiate) + if (renegotiate) { ssl_log(r->server, SSL_LOG_TRACE, "Reconfigured cipher suite will force renegotiation"); + } } /* @@ -486,7 +510,8 @@ int ssl_hook_Access(request_rec *r) if (dc->nVerifyDepth < n) { renegotiate = TRUE; ssl_log(r->server, SSL_LOG_TRACE, - "Reduced client verification depth will force renegotiation"); + "Reduced client verification depth " + "will force renegotiation"); } } @@ -509,29 +534,44 @@ int ssl_hook_Access(request_rec *r) nVerifyOld = SSL_get_verify_mode(ssl); /* configure new state */ nVerify = SSL_VERIFY_NONE; - if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) - nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - if ( (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) - || (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ) + + if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) { + nVerify |= SSL_VERIFY_PEER_STRICT; + } + + if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || + (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) + { nVerify |= SSL_VERIFY_PEER; + } + SSL_set_verify(ssl, nVerify, ssl_callback_SSLVerify); SSL_set_verify_result(ssl, X509_V_OK); + /* determine whether we've to force a renegotiation */ if (nVerify != nVerifyOld) { - if ( ( (nVerifyOld == SSL_VERIFY_NONE) - && (nVerify != SSL_VERIFY_NONE)) - || ( !(nVerifyOld & SSL_VERIFY_PEER) - && (nVerify & SSL_VERIFY_PEER)) - || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) - && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) { + if (((nVerifyOld == SSL_VERIFY_NONE) && + (nVerify != SSL_VERIFY_NONE)) || + + (!(nVerifyOld & SSL_VERIFY_PEER) && + (nVerify & SSL_VERIFY_PEER)) || + + (!(nVerifyOld & SSL_VERIFY_PEER_STRICT) && + (nVerify & SSL_VERIFY_PEER_STRICT))) + { renegotiate = TRUE; /* optimization */ - if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE - && nVerifyOld == SSL_VERIFY_NONE - && SSL_get_peer_certificate(ssl) != NULL) + + if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && + (nVerifyOld == SSL_VERIFY_NONE) && + SSL_get_peer_certificate(ssl)) + { renegotiate_quick = TRUE; + } + ssl_log(r->server, SSL_LOG_TRACE, - "Changed client verification type will force %srenegotiation", + "Changed client verification type " + "will force %srenegotiation", renegotiate_quick ? "quick " : ""); } } @@ -547,19 +587,25 @@ int ssl_hook_Access(request_rec *r) * OpenSSL provides a SSL_load_verify_locations() function we've no other * chance to provide this functionality... */ + #ifdef SSL_EXPERIMENTAL_PERDIRCA - if ( ( dc->szCACertificateFile != NULL - && ( sc->szCACertificateFile == NULL - || ( sc->szCACertificateFile != NULL - && strNE(dc->szCACertificateFile, sc->szCACertificateFile)))) - || ( dc->szCACertificatePath != NULL - && ( sc->szCACertificatePath == NULL - || ( sc->szCACertificatePath != NULL - && strNE(dc->szCACertificatePath, sc->szCACertificatePath)))) ) { - cpCAFile = dc->szCACertificateFile != NULL ? - dc->szCACertificateFile : sc->szCACertificateFile; - cpCAPath = dc->szCACertificatePath != NULL ? - dc->szCACertificatePath : sc->szCACertificatePath; + /* + * check if per-dir and per-server config field are not the same. + * if f is defined in per-dir and not defined in per-server + * or f is defined in both but not the equal ... + */ +#define MODSSL_CFG_NE(f) \ + (dc->f && (!sc->f || (sc->f && strNE(dc->f, sc->f)))) + + if (MODSSL_CFG_NE(szCACertificateFile) || + MODSSL_CFG_NE(szCACertificatePath)) + { + cpCAFile = dc->szCACertificateFile ? + dc->szCACertificateFile : sc->szCACertificateFile; + + cpCAPath = dc->szCACertificatePath ? + dc->szCACertificatePath : sc->szCACertificatePath; + /* FIXME: This should be... if (!SSL_load_verify_locations(ssl, cpCAFile, cpCAPath)) { @@ -569,20 +615,27 @@ int ssl_hook_Access(request_rec *r) ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Unable to reconfigure verify locations " "for client authentication"); + return HTTP_FORBIDDEN; } - if ((skCAList = ssl_init_FindCAList(r->server, r->pool, - cpCAFile, cpCAPath)) == NULL) { + + if (!(skCAList = ssl_init_FindCAList(r->server, r->pool, + cpCAFile, cpCAPath))) + { ssl_log(r->server, SSL_LOG_ERROR, "Unable to determine list of available " "CA certificates for client authentication"); + return HTTP_FORBIDDEN; } + SSL_set_client_CA_list(ssl, skCAList); renegotiate = TRUE; reconfigured_locations = TRUE; + ssl_log(r->server, SSL_LOG_TRACE, - "Changed client verification locations will force renegotiation"); + "Changed client verification locations " + "will force renegotiation"); } #endif /* SSL_EXPERIMENTAL_PERDIRCA */ @@ -646,9 +699,11 @@ int ssl_hook_Access(request_rec *r) * * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !! */ - if (renegotiate && r->method_number == M_POST) { + if (renegotiate && (r->method_number == M_POST)) { ssl_log(r->server, SSL_LOG_ERROR, - "SSL Re-negotiation in conjunction with POST method not supported!"); + "SSL Re-negotiation in conjunction " + "with POST method not supported!"); + return HTTP_METHOD_NOT_ALLOWED; } @@ -669,57 +724,74 @@ int ssl_hook_Access(request_rec *r) */ ssl_log(r->server, SSL_LOG_INFO, "Requesting connection re-negotiation"); + if (renegotiate_quick) { /* perform just a manual re-verification of the peer */ ssl_log(r->server, SSL_LOG_TRACE, "Performing quick renegotiation: " "just re-verifying the peer"); - certstore = SSL_CTX_get_cert_store(ctx); - if (certstore == NULL) { + + if (!(certstore = SSL_CTX_get_cert_store(ctx))) { ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage"); + return HTTP_FORBIDDEN; } + certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl); - if (certstack == NULL || sk_X509_num(certstack) == 0) { + + if (!certstack || (sk_X509_num(certstack) == 0)) { ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain"); + return HTTP_FORBIDDEN; } + cert = sk_X509_value(certstack, 0); X509_STORE_CTX_init(&certstorectx, certstore, cert, certstack); depth = SSL_get_verify_depth(ssl); - if (depth >= 0) + + if (depth >= 0) { X509_STORE_CTX_set_depth(&certstorectx, depth); + } + X509_STORE_CTX_set_ex_data(&certstorectx, - SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl); - if (!X509_verify_cert(&certstorectx)) + SSL_get_ex_data_X509_STORE_CTX_idx(), + (char *)ssl); + + if (!X509_verify_cert(&certstorectx)) { ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Re-negotiation verification step failed"); + } + SSL_set_verify_result(ssl, certstorectx.error); X509_STORE_CTX_cleanup(&certstorectx); } else { + request_rec *id = r->main ? r->main : r; + /* do a full renegotiation */ ssl_log(r->server, SSL_LOG_TRACE, "Performing full renegotiation: " "complete handshake protocol"); - if (r->main != NULL) - SSL_set_session_id_context(ssl, (unsigned char *)&(r->main), - sizeof(r->main)); - else - SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r)); - /* will need to push to / pull from filters to renegotiate */ + + SSL_set_session_id_context(ssl, + (unsigned char *)&id, + sizeof(id)); + SSL_renegotiate(ssl); SSL_do_handshake(ssl); if (SSL_get_state(ssl) != SSL_ST_OK) { ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed"); + return HTTP_FORBIDDEN; } + ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake"); + SSL_set_state(ssl, SSL_ST_ACCEPT); SSL_do_handshake(ssl); @@ -727,6 +799,7 @@ int ssl_hook_Access(request_rec *r) ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation handshake failed: " "Not accepted by client!?"); + return HTTP_FORBIDDEN; } } @@ -734,7 +807,7 @@ int ssl_hook_Access(request_rec *r) /* * Remember the peer certificate's DN */ - if ((cert = SSL_get_peer_certificate(ssl)) != NULL) { + if ((cert = SSL_get_peer_certificate(ssl))) { sslconn->client_cert = cert; sslconn->client_dn = NULL; } @@ -743,16 +816,21 @@ int ssl_hook_Access(request_rec *r) * Finally check for acceptable renegotiation results */ if (dc->nVerifyClient != SSL_CVERIFY_NONE) { - if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE - && SSL_get_verify_result(ssl) != X509_V_OK ) { + BOOL verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE); + + if (verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { ssl_log(r->server, SSL_LOG_ERROR, - "Re-negotiation handshake failed: Client verification failed"); + "Re-negotiation handshake failed: " + "Client verification failed"); + return HTTP_FORBIDDEN; } - if ( dc->nVerifyClient == SSL_CVERIFY_REQUIRE - && SSL_get_peer_certificate(ssl) == NULL ) { + + if (verify && !SSL_get_peer_certificate(ssl)) { ssl_log(r->server, SSL_LOG_ERROR, - "Re-negotiation handshake failed: Client certificate missing"); + "Re-negotiation handshake failed: " + "Client certificate missing"); + return HTTP_FORBIDDEN; } } @@ -767,10 +845,13 @@ int ssl_hook_Access(request_rec *r) #ifdef SSL_EXPERIMENTAL_PERDIRCA if (renegotiate && reconfigured_locations) { if (!SSL_CTX_load_verify_locations(ctx, - sc->szCACertificateFile, sc->szCACertificatePath)) { + sc->szCACertificateFile, + sc->szCACertificatePath)) + { ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Unable to reconfigure verify locations " "to per-server configuration parameters"); + return HTTP_FORBIDDEN; } } @@ -781,32 +862,45 @@ int ssl_hook_Access(request_rec *r) */ apRequirement = dc->aRequirement; pRequirements = (ssl_require_t *)apRequirement->elts; + for (i = 0; i < apRequirement->nelts; i++) { pRequirement = &pRequirements[i]; ok = ssl_expr_exec(r, pRequirement->mpExpr); + if (ok < 0) { - cp = apr_psprintf(r->pool, "Failed to execute SSL requirement expression: %s", + cp = apr_psprintf(r->pool, + "Failed to execute " + "SSL requirement expression: %s", ssl_expr_get_error()); + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, - "access to %s failed for %s, reason: %s", r->filename, - ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL), cp); + "access to %s failed, reason: %s", + r->filename, cp); + /* remember forbidden access for strict require option */ - apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1); + apr_table_setn(r->notes, "ssl-access-forbidden", "1"); + return HTTP_FORBIDDEN; } + if (ok != 1) { ssl_log(r->server, SSL_LOG_INFO, - "Access to %s denied for %s (requirement expression not fulfilled)", + "Access to %s denied for %s " + "(requirement expression not fulfilled)", r->filename, r->connection->remote_ip); + ssl_log(r->server, SSL_LOG_INFO, "Failed expression: %s", pRequirement->cpExpr); + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, - "access to %s failed for %s, reason: %s", r->filename, - ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL), - "SSL requirement expression not fulfilled " - "(see SSL logfile for more details)"); + "access to %s failed, reason: %s", + r->filename, + "SSL requirement expression not fulfilled " + "(see SSL logfile for more details)"); + /* remember forbidden access for strict require option */ - apr_table_setn(r->notes, "ssl-access-forbidden", (void *)1); + apr_table_setn(r->notes, "ssl-access-forbidden", "1"); + return HTTP_FORBIDDEN; } } @@ -817,8 +911,8 @@ int ssl_hook_Access(request_rec *r) * of OK, because mod_auth and other modules still might want to * deny access. */ - rc = DECLINED; - return rc; + + return DECLINED; } /* @@ -837,17 +931,17 @@ int ssl_hook_UserCheck(request_rec *r) SSLDirConfigRec *dc = myDirConfig(r); char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN]; char *clientdn; - const char *cpAL; - const char *cpUN; - const char *cpPW; + const char *cpAL, *cpUN, *cpPW; /* * Additionally forbid access (again) * when strict require option is used. */ - if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE) - && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL)) + if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) && + (apr_table_get(r->notes, "ssl-access-forbidden"))) + { return HTTP_FORBIDDEN; + } /* * Make sure the user is not able to fake the client certificate @@ -855,32 +949,35 @@ int ssl_hook_UserCheck(request_rec *r) * ("/XX=YYY/XX=YYY/..") as the username and "password" as the * password. */ - if ((cpAL = apr_table_get(r->headers_in, "Authorization")) != NULL) { + if ((cpAL = apr_table_get(r->headers_in, "Authorization"))) { if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) { - while (*cpAL == ' ' || *cpAL == '\t') + while ((*cpAL == ' ') || (*cpAL == '\t')) { cpAL++; + } + cpAL = ap_pbase64decode(r->pool, cpAL); cpUN = ap_getword_nulls(r->pool, &cpAL, ':'); cpPW = cpAL; - if (cpUN[0] == '/' && strEQ(cpPW, "password")) + + if ((cpUN[0] == '/') && strEQ(cpPW, "password")) { return HTTP_FORBIDDEN; + } } } /* * We decline operation in various situations... + * - SSLOptions +FakeBasicAuth not configured + * - r->user already authenticated + * - ssl not enabled + * - client did not present a certificate */ - if (!sc->bEnabled) - return DECLINED; - if (sslconn->ssl == NULL) - return DECLINED; - if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH)) - return DECLINED; - if (r->user) - return DECLINED; - if (sslconn->client_cert == NULL) + if (!(sc->bEnabled && sslconn->ssl && sslconn->client_cert) || + !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user) + { return DECLINED; - + } + if (!sslconn->client_dn) { X509_NAME *name = X509_get_subject_name(sslconn->client_cert); char *cp = X509_NAME_oneline(name, NULL, 0); @@ -903,8 +1000,10 @@ int ssl_hook_UserCheck(request_rec *r) */ apr_snprintf(b1, sizeof(b1), "%s:password", clientdn); ssl_util_uuencode(b2, b1, FALSE); + apr_snprintf(b1, sizeof(b1), "Basic %s", b2); apr_table_set(r->headers_in, "Authorization", b1); + ssl_log(r->server, SSL_LOG_INFO, "Faking HTTP Basic Auth header: \"Authorization: %s\"", b1); @@ -920,9 +1019,11 @@ int ssl_hook_Auth(request_rec *r) * Additionally forbid access (again) * when strict require option is used. */ - if ( (dc->nOptions & SSL_OPT_STRICTREQUIRE) - && (apr_table_get(r->notes, "ssl-access-forbidden") != NULL)) + if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) && + (apr_table_get(r->notes, "ssl-access-forbidden"))) + { return HTTP_FORBIDDEN; + } return DECLINED; } @@ -1018,8 +1119,7 @@ int ssl_hook_Fixup(request_rec *r) SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); apr_table_t *e = r->subprocess_env; - char *var; - char *val = ""; + char *var, *val = ""; STACK_OF(X509) *sk; SSL *ssl; int i; @@ -1027,23 +1127,24 @@ int ssl_hook_Fixup(request_rec *r) /* * Check to see if SSL is on */ - if (!sc->bEnabled) - return DECLINED; - if ((ssl = sslconn->ssl) == NULL) + if (!(sc->bEnabled || (sslconn && (ssl = sslconn->ssl)))) { return DECLINED; + } /* * Annotate the SSI/CGI environment with standard SSL information */ /* the always present HTTPS (=HTTP over SSL) flag! */ - apr_table_set(e, "HTTPS", "on"); + apr_table_setn(e, "HTTPS", "on"); + /* standard SSL environment variables */ if (dc->nOptions & SSL_OPT_STDENVVARS) { - for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) { + for (i = 0; ssl_hook_Fixup_vars[i]; i++) { var = (char *)ssl_hook_Fixup_vars[i]; val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); - if (!strIsEmpty(val)) + if (!strIsEmpty(val)) { apr_table_set(e, var, val); + } } } @@ -1051,16 +1152,24 @@ int ssl_hook_Fixup(request_rec *r) * On-demand bloat up the SSI/CGI environment with certificate data */ if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) { - val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT"); - apr_table_set(e, "SSL_SERVER_CERT", val); - val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT"); - apr_table_set(e, "SSL_CLIENT_CERT", val); - if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL) { + val = ssl_var_lookup(r->pool, r->server, r->connection, + r, "SSL_SERVER_CERT"); + + apr_table_setn(e, "SSL_SERVER_CERT", val); + + val = ssl_var_lookup(r->pool, r->server, r->connection, + r, "SSL_CLIENT_CERT"); + + apr_table_setn(e, "SSL_CLIENT_CERT", val); + + if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) { for (i = 0; i < sk_X509_num(sk); i++) { var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i); - val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); - if (val != NULL) + val = ssl_var_lookup(r->pool, r->server, r->connection, + r, var); + if (val) { apr_table_setn(e, var, val); + } } } } @@ -1107,27 +1216,31 @@ int ssl_hook_Fixup(request_rec *r) * So we generated 512 and 1024 bit temporary keys on startup * which we now just handle out on demand.... */ + RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen) { conn_rec *c = (conn_rec *)SSL_get_app_data(pSSL); SSLModConfigRec *mc = myModConfig(c->base_server); - RSA *rsa; + RSA *rsa = NULL; - rsa = NULL; if (nExport) { /* It's because an export cipher is used */ - if (nKeyLen == 512) + if (nKeyLen == 512) { rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512]; - else if (nKeyLen == 1024) + } + else if (nKeyLen == 1024) { rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]; - else + } + else { /* it's too expensive to generate on-the-fly, so keep 1024bit */ rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]; + } } else { /* It's because a sign-only certificate situation exists */ rsa = (RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]; } + return rsa; } @@ -1138,23 +1251,26 @@ DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen) { conn_rec *c = (conn_rec *)SSL_get_app_data(pSSL); SSLModConfigRec *mc = myModConfig(c->base_server); - DH *dh; + DH *dh = NULL; - dh = NULL; if (nExport) { /* It's because an export cipher is used */ - if (nKeyLen == 512) + if (nKeyLen == 512) { dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH512]; - else if (nKeyLen == 1024) + } + else if (nKeyLen == 1024) { dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]; - else + } + else { /* it's too expensive to generate on-the-fly, so keep 1024bit */ dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]; + } } else { /* It's because a sign-only certificate situation exists */ dh = (DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]; } + return dh; } @@ -1164,36 +1280,21 @@ DH *ssl_callback_TmpDH(SSL *pSSL, int nExport, int nKeyLen) */ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) { - SSL *ssl; - conn_rec *conn; - server_rec *s; - request_rec *r; - SSLSrvConfigRec *sc; - SSLDirConfigRec *dc; - SSLConnRec *sslconn; - X509 *xs; - int errnum; - int errdepth; - int depth; - int verify; - - /* - * Get Apache context back through OpenSSL context - */ - ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx); - conn = (conn_rec *)SSL_get_app_data(ssl); - sslconn = myConnConfig(conn); - r = (request_rec *)SSL_get_app_data2(ssl); - s = conn->base_server; - sc = mySrvConfig(s); - dc = (r != NULL ? myDirConfig(r) : NULL); - - /* - * Get verify ingredients - */ - xs = X509_STORE_CTX_get_current_cert(ctx); - errnum = X509_STORE_CTX_get_error(ctx); - errdepth = X509_STORE_CTX_get_error_depth(ctx); + /* Get Apache context back through OpenSSL context */ + SSL *ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx); + conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); + server_rec *s = conn->base_server; + request_rec *r = (request_rec *)SSL_get_app_data2(ssl); + + SSLSrvConfigRec *sc = mySrvConfig(s); + SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; + SSLConnRec *sslconn = myConnConfig(conn); + + /* Get verify ingredients */ + X509 *xs = X509_STORE_CTX_get_current_cert(ctx); + int errnum = X509_STORE_CTX_get_error(ctx); + int errdepth = X509_STORE_CTX_get_error_depth(ctx); + int depth, verify; /* * Log verification information @@ -1201,29 +1302,39 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) if (sc->nLogLevel >= SSL_LOG_TRACE) { char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0); char *cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0); + ssl_log(s, SSL_LOG_TRACE, "Certificate Verification: depth: %d, subject: %s, issuer: %s", - errdepth, cp != NULL ? cp : "-unknown-", - cp2 != NULL ? cp2 : "-unknown"); - if (cp) + errdepth, + cp ? cp : "-unknown-", + cp2 ? cp2 : "-unknown-"); + + if (cp) { free(cp); - if (cp2) + } + + if (cp2) { free(cp2); + } } /* * Check for optionally acceptable non-verifiable issuer situation */ - if (dc != NULL && dc->nVerifyClient != SSL_CVERIFY_UNSET) + if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) { verify = dc->nVerifyClient; - else + } + else { verify = sc->nVerifyClient; + } + if (ssl_verify_error_is_optional(errnum) && - verify == SSL_CVERIFY_OPTIONAL_NO_CA) + (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) { ssl_log(s, SSL_LOG_TRACE, "Certificate Verification: Verifiable Issuer is configured as " "optional, therefore we're accepting the certificate"); + sslconn->verify_info = "GENEROUS"; ok = TRUE; } @@ -1232,56 +1343,59 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) * Additionally perform CRL-based revocation checks */ if (ok) { - ok = ssl_callback_SSLVerify_CRL(ok, ctx, s); - if (!ok) + if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, s))) { errnum = X509_STORE_CTX_get_error(ctx); + } } /* * If we already know it's not ok, log the real reason */ if (!ok) { - ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s", + ssl_log(s, SSL_LOG_ERROR, + "Certificate Verification: Error (%d): %s", errnum, X509_verify_cert_error_string(errnum)); + sslconn->client_dn = NULL; sslconn->client_cert = NULL; - sslconn->verify_error = - X509_verify_cert_error_string(errnum); + sslconn->verify_error = X509_verify_cert_error_string(errnum); } /* * Finally check the depth of the certificate verification */ - if (dc != NULL && dc->nVerifyDepth != UNSET) + if (dc && (dc->nVerifyDepth != UNSET)) { depth = dc->nVerifyDepth; - else + } + else { depth = sc->nVerifyDepth; + } + if (errdepth > depth) { ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Certificate Chain too long " "(chain has %d certificates, but maximum allowed are only %d)", errdepth, depth); - sslconn->verify_error = - X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG); + + errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG; + sslconn->verify_error = X509_verify_cert_error_string(errnum); + ok = FALSE; } /* * And finally signal OpenSSL the (perhaps changed) state */ - return (ok); + return ok; } -int ssl_callback_SSLVerify_CRL( - int ok, X509_STORE_CTX *ctx, server_rec *s) +int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s) { - SSLSrvConfigRec *sc; + SSLSrvConfigRec *sc = mySrvConfig(s); X509_OBJECT obj; - X509_NAME *subject; - X509_NAME *issuer; + X509_NAME *subject, *issuer; X509 *xs; X509_CRL *crl; - X509_REVOKED *revoked; BIO *bio; int i, n, rc; @@ -1289,9 +1403,9 @@ int ssl_callback_SSLVerify_CRL( * Unless a revocation store for CRLs was created we * cannot do any CRL-based verification, of course. */ - sc = mySrvConfig(s); - if (sc->pRevocationStore == NULL) + if (!sc->pRevocationStore) { return ok; + } /* * Determine certificate ingredients in advance @@ -1336,9 +1450,11 @@ int ssl_callback_SSLVerify_CRL( * the current certificate in order to verify it's integrity. */ memset((char *)&obj, 0, sizeof(obj)); - rc = SSL_X509_STORE_lookup(sc->pRevocationStore, X509_LU_CRL, subject, &obj); + rc = SSL_X509_STORE_lookup(sc->pRevocationStore, + X509_LU_CRL, subject, &obj); crl = obj.data.crl; - if (rc > 0 && crl != NULL) { + + if ((rc > 0) && crl) { /* * Log information about CRL * (A little bit complicated because of ASN.1 and BIOs...) @@ -1350,15 +1466,20 @@ int ssl_callback_SSLVerify_CRL( bio = BIO_new(BIO_s_mem()); BIO_printf(bio, "lastUpdate: "); ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(crl)); + BIO_printf(bio, ", nextUpdate: "); ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl)); + n = BIO_pending(bio); cp = malloc(n+1); n = BIO_read(bio, cp, n); cp[n] = NUL; BIO_free(bio); + cp2 = X509_NAME_oneline(subject, NULL, 0); + ssl_log(s, SSL_LOG_TRACE, "CA CRL: Issuer: %s, %s", cp2, cp); + free(cp2); free(cp); } @@ -1368,8 +1489,10 @@ int ssl_callback_SSLVerify_CRL( */ if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) { ssl_log(s, SSL_LOG_WARN, "Invalid signature on CRL"); + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); X509_OBJECT_free_contents(&obj); + return FALSE; } @@ -1377,20 +1500,29 @@ int ssl_callback_SSLVerify_CRL( * Check date of CRL to make sure it's not expired */ i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)); + if (i == 0) { - ssl_log(s, SSL_LOG_WARN, "Found CRL has invalid nextUpdate field"); - X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); + ssl_log(s, SSL_LOG_WARN, + "Found CRL has invalid nextUpdate field"); + + X509_STORE_CTX_set_error(ctx, + X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); X509_OBJECT_free_contents(&obj); + return FALSE; } + if (i < 0) { ssl_log(s, SSL_LOG_WARN, "Found CRL is expired - " "revoking all certificates until you get updated CRL"); + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED); X509_OBJECT_free_contents(&obj); + return FALSE; } + X509_OBJECT_free_contents(&obj); } @@ -1399,31 +1531,26 @@ int ssl_callback_SSLVerify_CRL( * the current certificate in order to check for revocation. */ memset((char *)&obj, 0, sizeof(obj)); - rc = SSL_X509_STORE_lookup(sc->pRevocationStore, X509_LU_CRL, issuer, &obj); + rc = SSL_X509_STORE_lookup(sc->pRevocationStore, + X509_LU_CRL, issuer, &obj); + crl = obj.data.crl; - if (rc > 0 && crl != NULL) { + if ((rc > 0) && crl) { /* * Check if the current certificate is revoked by this CRL */ -#if SSL_LIBRARY_VERSION < 0x00904000 - n = sk_num(X509_CRL_get_REVOKED(crl)); -#else n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); -#endif + for (i = 0; i < n; i++) { -#if SSL_LIBRARY_VERSION < 0x00904000 - revoked = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i); -#else - revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); -#endif - if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked), - X509_get_serialNumber(xs)) == 0) { + X509_REVOKED *revoked = + sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); + ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked); + if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(xs))) { if (sc->nLogLevel >= SSL_LOG_INFO) { char *cp = X509_NAME_oneline(issuer, NULL, 0); - long serial = ASN1_INTEGER_get( - X509_REVOKED_get_serialNumber(revoked)); + long serial = ASN1_INTEGER_get(sn); ssl_log(s, SSL_LOG_INFO, "Certificate with serial %ld (0x%lX) " @@ -1431,13 +1558,17 @@ int ssl_callback_SSLVerify_CRL( serial, serial, cp); free(cp); } + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); X509_OBJECT_free_contents(&obj); + return FALSE; } } + X509_OBJECT_free_contents(&obj); } + return ok; } @@ -1449,28 +1580,20 @@ int ssl_callback_SSLVerify_CRL( */ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew) { - conn_rec *conn; - server_rec *s; - SSLSrvConfigRec *sc; - long t; + /* Get Apache context back through OpenSSL context */ + conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); + server_rec *s = conn->base_server; + SSLSrvConfigRec *sc = mySrvConfig(s); + long timeout = sc->nSessionCacheTimeout; BOOL rc; unsigned char *session_id; unsigned int session_id_length; - - /* - * Get Apache context back through OpenSSL context - */ - conn = (conn_rec *)SSL_get_app_data(ssl); - s = conn->base_server; - sc = mySrvConfig(s); - /* * Set the timeout also for the internal OpenSSL cache, because this way * our inter-process cache is consulted only when it's really necessary. */ - t = sc->nSessionCacheTimeout; - SSL_set_timeout(pNew, t); + SSL_set_timeout(pNew, timeout); /* * Store the SSL_SESSION in the inter-process cache with the @@ -1479,18 +1602,19 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew) session_id = SSL_SESSION_get_session_id(pNew); session_id_length = SSL_SESSION_get_session_id_length(pNew); - t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout); - rc = ssl_scache_store(s, session_id, session_id_length, t, pNew); - + timeout += SSL_get_time(pNew); + rc = ssl_scache_store(s, session_id, session_id_length, + timeout, pNew); /* * Log this cache operation */ - ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: " + ssl_log(s, SSL_LOG_TRACE, + "Inter-Process Session Cache: " "request=SET status=%s id=%s timeout=%ds (session caching)", - rc == TRUE ? "OK" : "BAD", + (rc == TRUE ? "OK" : "BAD"), SSL_SESSION_id2sz(session_id, session_id_length), - t-time(NULL)); + (timeout - time(NULL))); /* * return 0 which means to OpenSSL that the pNew is still @@ -1506,19 +1630,15 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew) * inter-process disk-cache where it was perhaps stored by one * of our other Apache pre-forked server processes. */ -SSL_SESSION *ssl_callback_GetSessionCacheEntry( - SSL *ssl, unsigned char *id, int idlen, int *pCopy) +SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, + unsigned char *id, + int idlen, int *pCopy) { - conn_rec *conn; - server_rec *s; + /* Get Apache context back through OpenSSL context */ + conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); + server_rec *s = conn->base_server; SSL_SESSION *pSession; - /* - * Get Apache context back through OpenSSL context - */ - conn = (conn_rec *)SSL_get_app_data(ssl); - s = conn->base_server; - /* * Try to retrieve the SSL_SESSION from the inter-process cache */ @@ -1527,15 +1647,16 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry( /* * Log this cache operation */ - if (pSession != NULL) + if (pSession) { ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: " "request=GET status=FOUND id=%s (session reuse)", SSL_SESSION_id2sz(id, idlen)); - else + } + else { ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: " "request=GET status=MISSED id=%s (session renewal)", SSL_SESSION_id2sz(id, idlen)); - + } /* * Return NULL or the retrieved SSL_SESSION. But indicate (by * setting pCopy to 0) that the reference count on the @@ -1543,6 +1664,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry( * because we will no longer hold a reference to it ourself. */ *pCopy = 0; + return pSession; } @@ -1552,20 +1674,19 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry( * We use this to remove the SSL_SESSION in the inter-process * disk-cache, too. */ -void ssl_callback_DelSessionCacheEntry( - SSL_CTX *ctx, SSL_SESSION *pSession) +void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx, + SSL_SESSION *pSession) { server_rec *s; unsigned char *session_id; unsigned int session_id_length; - /* * Get Apache context back through OpenSSL context */ - s = (server_rec *)SSL_CTX_get_app_data(ctx); - if (s == NULL) /* on server shutdown Apache is already gone */ - return; + if (!(s = (server_rec *)SSL_CTX_get_app_data(ctx))) { + return; /* on server shutdown Apache is already gone */ + } /* * Remove the SSL_SESSION from the inter-process cache @@ -1575,7 +1696,6 @@ void ssl_callback_DelSessionCacheEntry( ssl_scache_remove(s, session_id, session_id_length); - /* * Log this cache operation */ @@ -1591,11 +1711,7 @@ void ssl_callback_DelSessionCacheEntry( * SSL handshake and does SSL record layer stuff. We use it to * trace OpenSSL's processing in out SSL logfile. */ -#if SSL_LIBRARY_VERSION >= 0x00907000 -void ssl_callback_LogTracingState(const SSL *ssl, int where, int rc) -#else void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) -#endif { conn_rec *c; server_rec *s; @@ -1605,29 +1721,39 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) /* * find corresponding server */ - if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) + if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) { return; + } + s = c->base_server; - if ((sc = mySrvConfig(s)) == NULL) + if (!(sc = mySrvConfig(s))) { return; + } /* * create the various trace messages */ if (sc->nLogLevel >= SSL_LOG_TRACE) { - if (where & SSL_CB_HANDSHAKE_START) - ssl_log(s, SSL_LOG_TRACE, "%s: Handshake: start", SSL_LIBRARY_NAME); - else if (where & SSL_CB_HANDSHAKE_DONE) - ssl_log(s, SSL_LOG_TRACE, "%s: Handshake: done", SSL_LIBRARY_NAME); - else if (where & SSL_CB_LOOP) + if (where & SSL_CB_HANDSHAKE_START) { + ssl_log(s, SSL_LOG_TRACE, + "%s: Handshake: start", SSL_LIBRARY_NAME); + } + else if (where & SSL_CB_HANDSHAKE_DONE) { + ssl_log(s, SSL_LOG_TRACE, + "%s: Handshake: done", SSL_LIBRARY_NAME); + } + else if (where & SSL_CB_LOOP) { ssl_log(s, SSL_LOG_TRACE, "%s: Loop: %s", SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - else if (where & SSL_CB_READ) + } + else if (where & SSL_CB_READ) { ssl_log(s, SSL_LOG_TRACE, "%s: Read: %s", SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - else if (where & SSL_CB_WRITE) + } + else if (where & SSL_CB_WRITE) { ssl_log(s, SSL_LOG_TRACE, "%s: Write: %s", SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } else if (where & SSL_CB_ALERT) { str = (where & SSL_CB_READ) ? "read" : "write"; ssl_log(s, SSL_LOG_TRACE, "%s: Alert: %s:%s:%s\n", @@ -1636,12 +1762,14 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) SSL_alert_desc_string_long(rc)); } else if (where & SSL_CB_EXIT) { - if (rc == 0) + if (rc == 0) { ssl_log(s, SSL_LOG_TRACE, "%s: Exit: failed in %s", SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - else if (rc < 0) + } + else if (rc < 0) { ssl_log(s, SSL_LOG_TRACE, "%s: Exit: error in %s", SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } } } @@ -1652,14 +1780,13 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc) */ if (where & SSL_CB_HANDSHAKE_DONE) { ssl_log(s, SSL_LOG_INFO, - "Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)", + "Connection: Client IP: %s, Protocol: %s, " + "Cipher: %s (%s/%s bits)", ssl_var_lookup(NULL, s, c, NULL, "REMOTE_ADDR"), ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"), ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"), ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"), ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE")); } - - return; } -- 2.40.0