WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
+
+ This work has been partially funded by the EU Commission (contract
+ INFSO-RI-222667) under the EGEE-III collaboration.
*/
/*------------------------------------------------------------------*
struct sitecast_group sitecastgroups[GRST_SITECAST_GROUPS+1];
struct sitecast_alias sitecastaliases[GRST_SITECAST_ALIASES];
+ /* This global records whether the SSLSrvConfigRec struct will have
+ the extra BOOL insecure_reneg member */
+int mod_ssl_with_insecure_reneg = 0;
+
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
/* SSL_app_data2_idx is private in Apache 2.2 mod_ssl but can be
determined at init time, and then recorded here */
sitecastgroups[i].port = 0; /* GridSiteCastGroup mcast-list */
}
- for (i=1; i <= GRST_SITECAST_ALIASES; ++i)
+ for (i=0; i <= GRST_SITECAST_ALIASES; ++i)
{
sitecastaliases[i].sitecast_url = NULL;
sitecastaliases[i].port = 0;
server_rec *s = c->base_server;
SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
SSLConnRec *sslconn = (SSLConnRec *) ap_get_module_config(c->conn_config, &ssl_module);
- modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc);
X509_OBJECT obj;
X509_NAME *subject, *issuer;
X509 *cert;
request_rec *r = (request_rec *) SSL_get_ex_data(ssl, GRST_SSL_app_data2_idx);
SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
SSLDirConfigRec *dc = r ? (SSLDirConfigRec *) ap_get_module_config(r->per_dir_config, &ssl_module) : NULL;
- modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc);
int verify, depth;
#endif
STACK_OF(X509) *certstack;
{
SSL_CTX *ctx;
SSLSrvConfigRec *sc;
+ int i = 0;
server_rec *this_server;
apr_proc_t *procnew = NULL;
apr_status_t status;
- char *path;
- const char *userdata_key = "sitecast_init";
+ char *path;
+ const char *userdata_key = "sitecast_init";
+ const char *insecure_reneg = "SSLInsecureRenegotiation";
apr_pool_userdata_get((void **) &procnew, userdata_key,
main_server->process->pool);
GRST_SSL_app_data2_idx);
#endif
+
+ /* look for a SSLInsecureRenegotiation flag - if it exists then the mod_ssl
+ internal variable 'SSLSrvConfigRec' is different */
+ while ( ssl_module.cmds[i].name && !mod_ssl_with_insecure_reneg)
+ {
+ mod_ssl_with_insecure_reneg = (strncmp( ssl_module.cmds[i].name,
+ insecure_reneg, sizeof(insecure_reneg) ) == 0);
+ i++;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, status, main_server,
+ "mod_gridsite: mod_ssl_with_insecure_reneg = %d", mod_ssl_with_insecure_reneg);
+
for (this_server = main_server;
this_server != NULL;
this_server = this_server->next)
{
/* we do some GridSite OpenSSL magic for HTTPS servers */
-
+
sc = ap_get_module_config(this_server->module_config, &ssl_module);
-
- if ((sc != NULL) &&
- (sc->enabled) &&
- (sc->server != NULL) &&
- (sc->server->ssl_ctx != NULL))
+
+ if ((sc != NULL) &&
+ (sc->enabled) &&
+ (SSLSrvConfigRec_server(sc) != NULL) &&
+ (SSLSrvConfigRec_server(sc)->ssl_ctx != NULL))
{
- ctx = sc->server->ssl_ctx;
+ ctx = SSLSrvConfigRec_server(sc)->ssl_ctx;
/* in 0.9.7 we could set the issuer-checking callback directly */
// ctx->cert_store->check_issued = GRST_X509_check_issued_wrapper;
apr_dir_t *dir;
char *filename;
apr_finfo_t finfo;
- SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config,
- &ssl_module);
+ SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config,
+ &ssl_module);
GRSTgaclInit();
mod_gridsite_log_func_server = pServer;
GRSTerrorLogFunc = mod_gridsite_log_func;
* limitations under the License.
*/
+/*
+ This work has been partially funded by the EU Commission (contract
+ INFSO-RI-222667) under the EGEE-III collaboration.
+*/
+
/*------------------------------------------------------------------*
* This program is part of GridSite: http://www.gridsite.org/ *
*------------------------------------------------------------------*/
#endif
} modssl_ctx_t;
+/* original SSLSrvConfigRec */
typedef struct {
void *mc;
BOOL enabled;
modssl_ctx_t *proxy;
} SSLSrvConfigRec;
+/* SSLSrvConfigRec after mod_ssl patch for CVE-2009-3555 */
+typedef struct {
+ void *mc;
+ unsigned int enabled;
+ unsigned int proxy_enabled;
+ const char *vhost_id;
+ int vhost_id_len;
+ int session_cache_timeout;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ BOOL cipher_server_pref;
+#endif
+ /* this is the member that was added */
+ int insecure_reneg;
+ modssl_ctx_t *server;
+ modssl_ctx_t *proxy;
+} SSLSrvConfigRec2;
+
+/* The server and proxy members of SSLSrvConfigRec must only be accessed
+ using these macros: */
+#define SSLSrvConfigRec_server(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) sc)->server) : (((SSLSrvConfigRec *) sc)->server))
+#define SSLSrvConfigRec_proxy(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) sc)->proxy) : (((SSLSrvConfigRec *) sc)->proxy))
+
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
typedef struct {
BOOL bSSLRequired;
} SSLDirConfigRec;
#endif
-
extern module AP_MODULE_DECLARE_DATA ssl_module;
git://scientific.zcu.cz / jra1mw.git / commitdiff