Commit 333e3b83 authored by Joe Orton's avatar Joe Orton

* modules/ssl/mod_ssl.c: Declare new config directives

SSLCADNRequestFile and SSLCADNRequestPath.

* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either
SSLCADNRequestFile or SSLCADNRequestPath is configured, load the CA
DN list sent in the CertificateRequest from those certificates.

* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.

PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@125165 13f79535-47bb-0310-9956-ffa450edef68
parent 902ebd94
+6 −0
@@ -116,6 +116,12 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_ALL(CACertificateFile, TAKE1,
                "SSL CA Certificate file "
                "(`/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(CADNRequestPath, TAKE1,
                "SSL CA Distinguished Name path "
                "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
    SSL_CMD_SRV(CADNRequestFile, TAKE1,
                "SSL CA Distinguished Name file "
                "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
    SSL_CMD_SRV(CARevocationPath, TAKE1,
                "SSL CA Certificate Revocation List (CRL) path "
                "(`/path/to/dir' - contains PEM encoded files)")
+35 −10
@@ -152,17 +152,9 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,

    modssl_ctx_init(mctx);

    mctx->pks = apr_palloc(p, sizeof(*mctx->pks));
    mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));

    memset((void*)mctx->pks->cert_files, 0, sizeof(mctx->pks->cert_files));

    memset((void*)mctx->pks->key_files, 0, sizeof(mctx->pks->key_files));

    /* certs/keys are set during module init */

    memset(mctx->pks->certs, 0, sizeof(mctx->pks->certs));

    memset(mctx->pks->keys, 0, sizeof(mctx->pks->keys));
    /* mctx->pks->... certs/keys are set during module init */
}

static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -245,6 +237,9 @@ static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
        cfgMergeString(pks->cert_files[i]);
        cfgMergeString(pks->key_files[i]);
    }

    cfgMergeString(pks->ca_name_path);
    cfgMergeString(pks->ca_name_file);
}

/*
@@ -835,6 +830,36 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
    return NULL;
}

const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
                                       const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_dir(cmd, &arg))) {
        return err;
    }

    sc->server->pks->ca_name_path = arg;

    return NULL;
}

const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
                                       const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    sc->server->pks->ca_name_file = arg;

    return NULL;
}

const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd,
                                        void *dcfg,
                                        const char *arg)
+10 −5
@@ -544,12 +544,17 @@ static void ssl_init_ctx_verify(server_rec *s,
            ssl_die();
        }

        if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
            ca_list = ssl_init_FindCAList(s, ptemp,
                                          mctx->pks->ca_name_file,
                                          mctx->pks->ca_name_path);
        } else
            ca_list = ssl_init_FindCAList(s, ptemp,
                                          mctx->auth.ca_cert_file,
                                          mctx->auth.ca_cert_path);
        if (!ca_list) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                    "Unable to determine list of available "
                    "Unable to determine list of acceptable "
                    "CA certificates for client authentication");
            ssl_die();
        }
@@ -1151,7 +1156,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,

        if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
                    "Failed to open SSLCACertificatePath `%s'",
                    "Failed to open Certificate Path `%s'",
                    ca_path);
            ssl_die();
        }
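Review bot: In the first hunk the fallback branch is written as an unbraced `} else` followed by a multi-line call, while the `if` branch above it is braced; the file's own style and the dangling-else hazard both call for `} else {` with a closing `}` before the `if (!ca_list)` check. The `mctx->pks &&` guard is right to be there since pks is not allocated for every context, but a short comment would make the intent explicit, e.g. `/* pks is only present for server contexts; prefer the SSLCADNRequest* list when configured */`. ssl_init_ctx_verify begins before this hunk, so whether ca_list also feeds the verify store cannot be seen here.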
+7 −0
@@ -379,6 +379,11 @@ typedef struct {
    const char  *key_files[SSL_AIDX_MAX];
    X509        *certs[SSL_AIDX_MAX];
    EVP_PKEY    *keys[SSL_AIDX_MAX];

    /* Certificates which specify the set of CA names which should be
     * sent in the CertificateRequest message: */
    const char  *ca_name_path;
    const char  *ca_name_file;
} modssl_pk_server_t;

typedef struct {
@@ -487,6 +492,8 @@ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
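Review bot: The comment added to modssl_pk_server_t describes the new fields as "Certificates", but ca_name_path and ca_name_file are configured paths (a hashed directory and a PEM file respectively, per the directive help text in mod_ssl.c), not certificate objects like the neighbouring certs[] array. Suggest rewording to `/* Paths (hashed dir / PEM file) of certificates whose subject DNs are sent in the CertificateRequest message; they do not replace the SSLCACertificate* verification settings. */`. The second hunk only adds prototypes and needs nothing further.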