From 658c2437bd98f7949b96a702ca6c75c32b1f85e0 Mon Sep 17 00:00:00 2001 From: Ryan Bloom Date: Mon, 14 Oct 2002 04:15:58 +0000 Subject: [PATCH] This stuff shouldn't have been committed. This is the SSL upgrade stuff, and it was included in a commit that shouldn't have touched these files. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97201 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/mod_ssl.c | 83 ++++++++++++-------------------- modules/ssl/mod_ssl.h | 5 +- modules/ssl/ssl_engine_config.c | 19 ++------ modules/ssl/ssl_engine_init.c | 11 ++--- modules/ssl/ssl_engine_io.c | 84 --------------------------------- modules/ssl/ssl_engine_kernel.c | 14 ------ modules/ssl/ssl_util.c | 2 +- 7 files changed, 39 insertions(+), 179 deletions(-) diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 5805367f38..0365adfb3a 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -105,7 +105,7 @@ static const command_rec ssl_config_cmds[] = { /* * Per-server context configuration directives */ - SSL_CMD_SRV(Engine, TAKE1, + SSL_CMD_SRV(Engine, FLAG, "SSL switch for the protocol engine " "(`on', `off')") SSL_CMD_ALL(CipherSuite, TAKE1, @@ -274,7 +274,7 @@ int ssl_engine_disable(conn_rec *c) return 1; } -int ssl_init_ssl_connection(conn_rec *c) +static int ssl_hook_pre_connection(conn_rec *c, void *csd) { SSLSrvConfigRec *sc = mySrvConfig(c->base_server); SSL *ssl; @@ -283,14 +283,40 @@ int ssl_init_ssl_connection(conn_rec *c) modssl_ctx_t *mctx; /* - * Seed the Pseudo Random Number Generator (PRNG) + * Immediately stop processing if SSL is disabled for this connection */ - ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, ""); + if (!(sc && (sc->enabled || + (sslconn && sslconn->is_proxy)))) + { + return DECLINED; + } + /* + * Create SSL context + */ if (!sslconn) { sslconn = ssl_init_connection_ctx(c); } + if (sslconn->disabled) { + return DECLINED; + } + + /* + * Remember the connection information for + * later access inside callback functions + */ + + ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, + "Connection to child %ld established " + "(server %s, client %s)", c->id, sc->vhost_id, + c->remote_ip ? c->remote_ip : "unknown"); + + /* + * Seed the Pseudo Random Number Generator (PRNG) + */ + ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, ""); + mctx = sslconn->is_proxy ? sc->proxy : sc->server; /* @@ -342,44 +368,6 @@ int ssl_init_ssl_connection(conn_rec *c) return APR_SUCCESS; } -static int ssl_hook_pre_connection(conn_rec *c, void *csd) -{ - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); - SSLConnRec *sslconn = myConnConfig(c); - - /* - * Immediately stop processing if SSL is disabled for this connection - */ - if (!(sc && (sc->enabled == TRUE || - (sslconn && sslconn->is_proxy)))) - { - return DECLINED; - } - - /* - * Create SSL context - */ - if (!sslconn) { - sslconn = ssl_init_connection_ctx(c); - } - - if (sslconn->disabled) { - return DECLINED; - } - - /* - * Remember the connection information for - * later access inside callback functions - */ - - ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server, - "Connection to child %ld established " - "(server %s, client %s)", c->id, sc->vhost_id, - c->remote_ip ? c->remote_ip : "unknown"); - - return ssl_init_ssl_connection(c); -} - static apr_status_t ssl_abort(SSLFilterRec *filter, conn_rec *c) { SSLConnRec *sslconn = myConnConfig(c); @@ -584,15 +572,6 @@ static apr_port_t ssl_hook_default_port(const request_rec *r) return 443; } -static void ssl_hook_Insert_Filter(request_rec *r) -{ - SSLSrvConfigRec *sc = mySrvConfig(r->server); - - if (sc->enabled == UNSET) { - ap_add_output_filter("UPGRADE_FILTER", NULL, r, r->connection); - } -} - /* * the module registration phase */ @@ -613,8 +592,6 @@ static void ssl_register_hooks(apr_pool_t *p) ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE); ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE); ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE); - ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE); -/* ap_hook_handler (ssl_hook_Upgrade, NULL,NULL, APR_HOOK_MIDDLE); */ ssl_var_register(); diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h index 8c119971d1..5f8009d694 100644 --- a/modules/ssl/mod_ssl.h +++ b/modules/ssl/mod_ssl.h @@ -549,7 +549,7 @@ const char *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); -const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLEngine(cmd_parms *, void *, int); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); @@ -601,7 +601,6 @@ int ssl_hook_Access(request_rec *); int ssl_hook_Fixup(request_rec *); int ssl_hook_ReadReq(request_rec *); int ssl_hook_Handler(request_rec *); -int ssl_hook_Upgrade(request_rec *); /* OpenSSL callbacks */ RSA *ssl_callback_TmpRSA(SSL *, int, int); @@ -723,8 +722,6 @@ ssl_algo_t ssl_util_algotypeof(X509 *, EVP_PKEY *); char *ssl_util_algotypestr(ssl_algo_t); char *ssl_util_ptxtsub(apr_pool_t *, const char *, const char *, char *); void ssl_util_thread_setup(apr_pool_t *); -int ssl_init_ssl_connection(conn_rec *c); - #define APR_SHM_MAXSIZE (64 * 1024 * 1024) #endif /* __MOD_SSL_H__ */ diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 0faab68289..1350e4fc56 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -205,7 +205,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc)); sc->mc = NULL; - sc->enabled = FALSE; + sc->enabled = UNSET; sc->proxy_enabled = UNSET; sc->vhost_id = NULL; /* set during module init */ sc->vhost_id_len = 0; /* set during module init */ @@ -581,24 +581,13 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd, return NULL; } -const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) +const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - if (!strcasecmp(arg, "On")) { - sc->enabled = TRUE; - return NULL; - } - else if (!strcasecmp(arg, "Off")) { - sc->enabled = FALSE; - return NULL; - } - else if (!strcasecmp(arg, "Optional")) { - sc->enabled = UNSET; - return NULL; - } + sc->enabled = flag ? TRUE : FALSE; - return "Argument must be On, Off, or Optional"; + return NULL; } const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index c6e69747af..bf63baf4c1 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -247,13 +247,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->vhost_id = ssl_util_vhostid(p, s); sc->vhost_id_len = strlen(sc->vhost_id); -#if 0 - /* If sc->enabled is UNSET, then SSL is optional on this vhost */ - /* Fix up stuff that may not have been set */ + /* Fix up stuff that may not have been set */ if (sc->enabled == UNSET) { sc->enabled = FALSE; } -#endif + if (sc->proxy_enabled == UNSET) { sc->proxy_enabled = FALSE; } @@ -983,9 +981,6 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *ptemp, SSLSrvConfigRec *sc) { - /* A bit of a hack, but initialize the server if SSL is optional or - * not. - */ if (sc->enabled) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Configuring server for SSL protocol"); @@ -1014,7 +1009,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); - if ((sc->enabled == TRUE) && (s->port == DEFAULT_HTTP_PORT)) { + if (sc->enabled && (s->port == DEFAULT_HTTP_PORT)) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, "Init: (%s) You configured HTTPS(%d) " diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 8b39054198..cdb6c965c6 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -577,85 +577,6 @@ static apr_status_t ssl_filter_write(ap_filter_t *f, return APR_SUCCESS; } -static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f, - apr_bucket_brigade *bb) - -{ -#define SWITCH_STATUS_LINE "101 Switching Protocols" -#define UPGRADE_HEADER "Upgrade: TLS/1.0 HTTP/1.1" -#define CONNECTION_HEADER "Conenction: Upgrade" - const char *upgrade; - const char *connection; - apr_bucket_brigade *upgradebb; - request_rec *r = f->r; - SSLConnRec *sslconn; - SSL *ssl; - - /* Just remove the filter, if it doesn't work the first time, it won't - * work at all for this request. - */ - ap_remove_output_filter(f); - - /* No need to ensure that this is a server with optional SSL, the filter - * is only inserted if that is true. - */ - - upgrade = apr_table_get(r->headers_in, "Upgrade"); - if (upgrade == NULL) { - return ap_pass_brigade(f->next, bb); - } - connection = apr_table_get(r->headers_in, "Connection"); - - apr_table_unset(r->headers_out, "Upgrade"); - - if (strcmp(connection, "Upgrade") || strcmp(upgrade, "TLS/1.0")) { - return ap_pass_brigade(f->next, bb); - } - - if (r->method_number == M_OPTIONS) { - apr_bucket *b = NULL; - /* This is a mandatory SSL upgrade. */ - - upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc); - - ap_fputstrs(f->next, upgradebb, SWITCH_STATUS_LINE, CRLF, - UPGRADE_HEADER, CRLF, CONNECTION_HEADER, CRLF, CRLF, NULL); - - b = apr_bucket_flush_create(f->c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(upgradebb, b); - - ap_pass_brigade(f->next, upgradebb); - } - else { - /* This is optional, and should be configurable, for now don't bother - * doing anything. - */ - return ap_pass_brigade(f->next, bb); - } - - ssl_init_ssl_connection(f->c); - - ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, - "Awaiting re-negotiation handshake"); - - sslconn = myConnConfig(f->c); - ssl = sslconn->ssl; - - SSL_set_state(ssl, SSL_ST_ACCEPT); - SSL_do_handshake(ssl); - - if (SSL_get_state(ssl) != SSL_ST_OK) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, - "Re-negotiation handshake failed: " - "Not accepted by client!?"); - - return AP_FILTER_ERROR; - } - - return OK; - -} - static apr_status_t ssl_io_filter_Output(ap_filter_t *f, apr_bucket_brigade *bb) { @@ -1022,11 +943,6 @@ void ssl_io_filter_init(conn_rec *c, SSL *ssl) void ssl_io_filter_register(apr_pool_t *p) { - /* This filter MUST be after the HTTP_HEADER filter, but it also must be - * a resource-level filter so it has the request_rec. - */ - ap_register_output_filter ("UPGRADE_FILTER", ssl_io_filter_Upgrade, NULL, AP_FTYPE_PROTOCOL + 5); - ap_register_input_filter (ssl_io_filter, ssl_io_filter_Input, NULL, AP_FTYPE_CONNECTION + 5); ap_register_output_filter (ssl_io_filter, ssl_io_filter_Output, NULL, AP_FTYPE_CONNECTION + 5); return; diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 40850a5e69..c03832b31f 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -322,16 +322,6 @@ int ssl_hook_Access(request_rec *r) * Support for SSLRequireSSL directive */ if (dc->bSSLRequired && !ssl) { - if (sc->enabled == UNSET) { - /* This vhost was configured for optional SSL, just tell the - * client that we need to upgrade. - */ - apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); - apr_table_setn(r->err_headers_out, "Connection", "Upgrade"); - - return HTTP_UPGRADE_REQUIRED; - } - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: %s", r->filename, "SSL connection required"); @@ -1120,10 +1110,6 @@ int ssl_hook_Fixup(request_rec *r) SSL *ssl; int i; - if (sc->enabled == UNSET) { - apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); - } - /* * Check to see if SSL is on */ diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c index 6b3ecabeaa..9b208b404f 100644 --- a/modules/ssl/ssl_util.c +++ b/modules/ssl/ssl_util.c @@ -84,7 +84,7 @@ char *ssl_util_vhostid(apr_pool_t *p, server_rec *s) port = s->port; else { sc = mySrvConfig(s); - if (sc->enabled == TRUE) + if (sc->enabled) port = DEFAULT_HTTPS_PORT; else port = DEFAULT_HTTP_PORT; -- 2.40.0