From c16933db8c0a68457213d443eca072db729cdc79 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Mon, 16 Apr 2018 12:36:42 +0000
Subject: [PATCH] * modules/ssl/ssl_util.c (modssl_request_is_tls): Adjust to take SSLConnRec * out parameter rather than SSL *. * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Use it here. (ssl_hook_Fixup): Adjust use.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829263 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 19 ++++++++++---------
 modules/ssl/ssl_private.h | 8 ++++----
 modules/ssl/ssl_util.c | 4 ++--
 3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 6e8c59f23d..ae16f91ada 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1326,8 +1326,7 @@ int ssl_hook_Access(request_rec *r)
 */
 int ssl_hook_UserCheck(request_rec *r)
 {
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ SSLConnRec *sslconn;
 SSLDirConfigRec *dc = myDirConfig(r);
 const char *user, *auth_line, *username, *password;
 
@@ -1375,15 +1374,15 @@ int ssl_hook_UserCheck(request_rec *r)
 
 /*
 * We decline operation in various situations...
+ * - TLS not enabled
+ * - client did not present a certificate
 * - SSLOptions +FakeBasicAuth not configured
 * - r->user already authenticated
- * - ssl not enabled
- * - client did not present a certificate
 */
- if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
- && sslconn && sslconn->ssl && sslconn->client_cert) ||
- !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
- {
+ if (!modssl_request_is_tls(r, &sslconn)
+ || !sslconn->client_cert
+ || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH)
+ || r->user) {
 return DECLINED;
 }
 
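Review bot: `SSLConnRec *sslconn;` in ssl_hook_UserCheck is now declared without an initializer, and it only receives a value when modssl_request_is_tls() returns non-zero; the helper's `return 0` path in ssl_util.c comes before the write through the out parameter. The later `!sslconn->client_cert` test is safe only because of `||` short-circuiting, and the roughly 45 lines between this declaration and that test are outside the hunk, so whether anything there touches `sslconn` cannot be confirmed from the patch. Writing `SSLConnRec *sslconn = NULL;` would turn any future misuse into a deterministic NULL dereference instead of a read of an indeterminate pointer inside an authentication hook. The same applies to the new `SSLConnRec *sslconn;` added in ssl_hook_Fixup.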
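Review bot: The TLS-enabled test guarding the FakeBasicAuth path changes from an allow-list to a deny-list. The removed condition required `sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL`, whereas modssl_request_is_tls() (ssl_util.c, last hunk) only rejects `sc->enabled == SSL_ENABLED_FALSE`. If `enabled` can hold any other value at request time, the hook no longer declines on it and relies on `sslconn->ssl` and `sslconn->client_cert` alone before the rest of the function, which is outside the hunk, runs. Either state in the commit message that the two tests are equivalent after configuration merging, or add a comment above the condition such as `/* modssl_request_is_tls() treats every state other than SSL_ENABLED_FALSE as enabled */`.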
@@ -1509,12 +1508,14 @@ int ssl_hook_Fixup(request_rec *r)
 const char *servername;
 #endif
 STACK_OF(X509) *peer_certs;
+ SSLConnRec *sslconn;
 SSL *ssl;
 int i;
 
- if (!modssl_request_is_tls(r, &ssl)) {
+ if (!modssl_request_is_tls(r, &sslconn)) {
 return DECLINED;
 }
+ ssl = sslconn->ssl;
 
 /*
 * Annotate the SSI/CGI environment with standard SSL information
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 517eead5ec..c5182469a5 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1096,10 +1096,10 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
 * memory. */
 DH *modssl_get_dh_params(unsigned keylen);
 
-/* Returns non-zero if the request is using SSL/TLS. If ssl is
- * non-NULL and the request is using SSL/TLS, sets *ssl to the
- * corresponding SSL structure for the connectbion. */
-int modssl_request_is_tls(const request_rec *r, SSL **ssl);
+/* Returns non-zero if the request was made over SSL/TLS. If sslconn
+ * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
+ * corresponding SSLConnRec structure for the connection. */
+int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
 
 #if HAVE_VALGRIND
 extern int ssl_running_on_valgrind;
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index 9a8a9f2f3a..098ae6a337 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -100,7 +100,7 @@ BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
 return FALSE;
 }
 
-int modssl_request_is_tls(const request_rec *r, SSL **ssl)
+int modssl_request_is_tls(const request_rec *r, SSLConnRec **scout)
 {
 SSLConnRec *sslconn = myConnConfig(r->connection);
 SSLSrvConfigRec *sc = mySrvConfig(r->server);
@@ -112,7 +112,7 @@ int modssl_request_is_tls(const request_rec *r, SSL **ssl)
 if (sc->enabled == SSL_ENABLED_FALSE || !sslconn || !sslconn->ssl)
 return 0;
 
- if (ssl) *ssl = sslconn->ssl;
+ if (scout) *scout = sslconn;
 
 return 1;
 }
-- 
2.50.1
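Review bot: The new comment on modssl_request_is_tls() in ssl_private.h does not say what happens to `*sslconn` when the function returns zero, yet both callers in ssl_engine_kernel.c pass the address of an uninitialized local. The definition in ssl_util.c returns 0 before reaching `if (scout) *scout = sslconn;`, so the contract is that the out parameter is left untouched on failure. Adding a sentence such as `On a zero return *sslconn is not modified and must not be dereferenced.` would keep later callers from reading it. The prototype also names the parameter `sslconn` while the definition uses `scout`; one name in both places would let the comment match the code. The helper's body between the two ssl_util.c hunks is not shown, so nothing here is claimed about those lines.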