Commit 2987752a authored by Bradley Nicholes's avatar Bradley Nicholes

Allow the enabled flag to be set to more than just TRUE or FALSE so that

the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@102860 13f79535-47bb-0310-9956-ffa450edef68
parent 236db251
+5 −5
@@ -171,7 +171,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
    SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));

    sc->mc                     = NULL;
    sc->enabled                = FALSE;
    sc->enabled                = SSL_ENABLED_FALSE;
    sc->proxy_enabled          = UNSET;
    sc->vhost_id               = NULL;  /* set during module init */
    sc->vhost_id_len           = 0;     /* set during module init */
@@ -257,7 +257,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
    SSLSrvConfigRec *mrg  = ssl_config_server_new(p);

    cfgMerge(mc, NULL);
    cfgMergeBool(enabled);
    cfgMerge(enabled, SSL_ENABLED_UNSET);
    cfgMergeBool(proxy_enabled);
    cfgMergeInt(session_cache_timeout);

@@ -606,15 +606,15 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    if (!strcasecmp(arg, "On")) {
        sc->enabled = TRUE;
        sc->enabled = SSL_ENABLED_TRUE;
    return NULL;
    }
    else if (!strcasecmp(arg, "Off")) {
        sc->enabled = FALSE;
        sc->enabled = SSL_ENABLED_FALSE;
        return NULL;
    }
    else if (!strcasecmp(arg, "Optional")) {
        sc->enabled = UNSET;
        sc->enabled = SSL_ENABLED_OPTIONAL;
        return NULL;
    }
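Review bot: The default written by ssl_config_server_new (`sc->enabled = SSL_ENABLED_FALSE;`) does not match the sentinel that ssl_config_server_merge treats as "not set" (`cfgMerge(enabled, SSL_ENABLED_UNSET);`), so a vhost that omits SSLEngine carries FALSE into the merge and never inherits the base server's value, and SSL_ENABLED_UNSET looks unreachable from this code. This mirrors the previous FALSE default, so behaviour is presumably unchanged, but the cfgMerge macro itself is outside the hunk and I am inferring its "use base when add equals the sentinel" semantics. If that non-inheritance is intended, the new line deserves a why-comment: `sc->enabled = SSL_ENABLED_FALSE; /* not UNSET: SSLEngine is not inherited from the base server across the merge */`; otherwise the default should be SSL_ENABLED_UNSET. The `return NULL;` under the "On" branch in ssl_cmd_SSLEngine is also misindented relative to the other two branches, which is worth fixing while the lines are being touched.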

+7 −10
@@ -206,13 +206,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
        sc->vhost_id = ssl_util_vhostid(p, s);
        sc->vhost_id_len = strlen(sc->vhost_id);

#if 0
       /* If sc->enabled is UNSET, then SSL is optional on this vhost  */
        /* Fix up stuff that may not have been set */
        if (sc->enabled == UNSET) {
            sc->enabled = FALSE;
        if (sc->enabled == SSL_ENABLED_UNSET) {
            sc->enabled = SSL_ENABLED_FALSE;
        }
#endif
        if (sc->proxy_enabled == UNSET) {
            sc->proxy_enabled = FALSE;
        }
@@ -960,10 +958,9 @@ void ssl_init_ConfigureServer(server_rec *s,
                              apr_pool_t *ptemp,
                              SSLSrvConfigRec *sc)
{
    /* A bit of a hack, but initialize the server if SSL is optional or
     * not.
    /* Initialize the server if SSL is enabled or optional.
     */
    if (sc->enabled) {
    if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) {
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "Configuring server for SSL protocol");
        ssl_init_server_ctx(s, p, ptemp, sc);
@@ -991,7 +988,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
    for (s = base_server; s; s = s->next) {
        sc = mySrvConfig(s);

        if ((sc->enabled == TRUE) && (s->port == DEFAULT_HTTP_PORT)) {
        if ((sc->enabled == SSL_ENABLED_TRUE) && (s->port == DEFAULT_HTTP_PORT)) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
                         base_server,
                         "Init: (%s) You configured HTTPS(%d) "
@@ -1000,7 +997,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
                         DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
        }

        if (!sc->enabled && (s->port == DEFAULT_HTTPS_PORT)) {
        if ((sc->enabled == SSL_ENABLED_FALSE) && (s->port == DEFAULT_HTTPS_PORT)) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
                         base_server,
                         "Init: (%s) You configured HTTP(%d) "
@@ -1021,7 +1018,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
    for (s = base_server; s; s = s->next) {
        sc = mySrvConfig(s);

        if (!(sc->enabled && s->addrs)) {
        if (!((sc->enabled == SSL_ENABLED_TRUE) && s->addrs)) {
            continue;
        }
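Review bot: The new test in the second ssl_init_CheckServers loop, `if (!((sc->enabled == SSL_ENABLED_TRUE) && s->addrs))`, narrows the old `sc->enabled && s->addrs`, which (given the old encoding of Optional as the non-zero UNSET value, as the comment in ssl_init_ConfigureServer implies) also covered optional-SSL vhosts; those vhosts are now skipped by whatever that loop checks, and since the loop body lies outside the hunk I cannot tell whether that is intended. If optional vhosts should still be covered, the condition should be `if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) && s->addrs))`, matching ssl_init_ConfigureServer above. That TRUE-or-OPTIONAL test is now spelled out by hand five times (here, and in ssl_engine_kernel.c in ssl_hook_Access, ssl_hook_UserCheck and ssl_hook_Fixup) with differing parenthesization and lines well past 80 columns; a single helper next to the enum, e.g. `#define ssl_enabled_on(sc) ((sc)->enabled == SSL_ENABLED_TRUE || (sc)->enabled == SSL_ENABLED_OPTIONAL)`, would keep the four call sites consistent. The identifier change inside the pre-existing `#if 0` block in ssl_init_Module edits dead code; either drop the block or add a one-line comment saying why it is kept.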

+5 −5
@@ -190,7 +190,7 @@ int ssl_hook_Access(request_rec *r)
     * Support for SSLRequireSSL directive
     */
    if (dc->bSSLRequired && !ssl) {
        if (sc->enabled == UNSET) {
        if (sc->enabled == SSL_ENABLED_OPTIONAL) {
            /* This vhost was configured for optional SSL, just tell the
             * client that we need to upgrade.
             */
@@ -213,7 +213,7 @@ int ssl_hook_Access(request_rec *r)
    /*
     * Check to see if SSL protocol is on
     */
    if (!(sc->enabled || ssl)) {
    if (!((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL) || ssl)) {
        return DECLINED;
    }
    /*
@@ -860,7 +860,7 @@ int ssl_hook_UserCheck(request_rec *r)
     * - ssl not enabled
     * - client did not present a certificate
     */
    if (!(sc->enabled && sslconn->ssl && sslconn->client_cert) ||
    if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) && sslconn->ssl && sslconn->client_cert) ||
        !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
    {
        return DECLINED;
@@ -1012,14 +1012,14 @@ int ssl_hook_Fixup(request_rec *r)
    SSL *ssl;
    int i;

    if (sc->enabled == UNSET) {
    if (sc->enabled == SSL_ENABLED_OPTIONAL) {
        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
    }

    /*
     * Check to see if SSL is on
     */
    if (!(sc->enabled && sslconn && (ssl = sslconn->ssl))) {
    if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
        return DECLINED;
    }

+11 −1
@@ -271,6 +271,16 @@ typedef enum {
    SSL_MUTEXMODE_USED   = 1
} ssl_mutexmode_t;

/*
 * Define the SSL enabled state
 */
typedef enum {
    SSL_ENABLED_UNSET    = UNSET,
    SSL_ENABLED_FALSE    = 0,
    SSL_ENABLED_TRUE     = 1,
	SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t;

/*
 * Define the SSL requirement structure
 */
@@ -420,7 +430,7 @@ typedef struct {

struct SSLSrvConfigRec {
    SSLModConfigRec *mc;
    BOOL             enabled;
    ssl_enabled_t    enabled;
    BOOL             proxy_enabled;
    const char      *vhost_id;
    int              vhost_id_len;
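Review bot: The new ssl_enabled_t enum leaves its members undocumented and uses a tab to indent `SSL_ENABLED_OPTIONAL = 3` while the surrounding enumerators use spaces; the value also jumps from 1 to 3 with no explanation of why 2 is skipped. Since the enumerators are the only place a reader learns what the states mean, each deserves a trailing comment, e.g. `SSL_ENABLED_UNSET = UNSET, /* not configured; merge sentinel in ssl_config_server_merge */`, `SSL_ENABLED_TRUE = 1, /* SSLEngine On */` and `SSL_ENABLED_OPTIONAL = 3 /* SSLEngine Optional: plain HTTP with TLS upgrade offered */`, plus a note on why 3 was chosen if the gap is deliberate. Note that `SSL_ENABLED_UNSET = UNSET` ties the enum to the UNSET macro defined elsewhere in the header, so the comparisons in ssl_engine_init.c and ssl_engine_config.c depend on that macro staying distinct from 0, 1 and 3.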