From: Andrew McNab Date: Wed, 31 Mar 2010 12:48:58 +0000 (+0000) Subject: Use SSLSrvConfigRec_server macro X-Git-Tag: gridsite-core_R_1_5_10_1~2 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=c357bc97f59e3ffa2f64a13d5d305f82114d9cb8;p=jra1mw.git Use SSLSrvConfigRec_server macro --- diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index 6ae5b0b..77182d3 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,6 @@ +* Wed Mar 31 2010 Andrew McNab +- Introduce SSLSrvConfigRec_server macro to take + this into account when accessing the *server member * Tue Mar 30 2010 Andrew McNab - Apply patch to mod_gridsite.c from Jan Just Keijser to detect change to diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index 9a14f33..2843116 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -46,6 +46,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + + This work has been partially funded by the EU Commission (contract + INFSO-RI-222667) under the EGEE-III collaboration. */ /*------------------------------------------------------------------* @@ -133,6 +136,10 @@ char *ocspmodes = NULL; struct sitecast_group sitecastgroups[GRST_SITECAST_GROUPS+1]; struct sitecast_alias sitecastaliases[GRST_SITECAST_ALIASES]; + /* This global records whether the SSLSrvConfigRec struct will have + the extra BOOL insecure_reneg member */ +int mod_ssl_with_insecure_reneg = 0; + #if AP_MODULE_MAGIC_AT_LEAST(20051115,0) /* SSL_app_data2_idx is private in Apache 2.2 mod_ssl but can be determined at init time, and then recorded here */ 
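Review bot: The comment on the new global describes the extra member as `BOOL insecure_reneg`, but the `SSLSrvConfigRec2` this commit adds to mod_ssl-private.h declares it `int insecure_reneg`, so the comment and the struct disagree about what the flag records. Because the flag selects which struct layout the `SSLSrvConfigRec_server()`/`SSLSrvConfigRec_proxy()` macros read through, the comment should say what it gates, e.g. `/* Non-zero when the loaded mod_ssl's SSLSrvConfigRec carries the extra int insecure_reneg member (CVE-2009-3555 patch); selects the layout read by the SSLSrvConfigRec_server()/_proxy() macros in mod_ssl-private.h */`. It appears to be determined in mod_gridsite_server_post_config, where its value is logged in a later hunk, but the code that assigns it is outside the hunks shown, so the comment should also name where it is set once that is confirmed.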
@@ -3488,7 +3495,7 @@ int GRST_ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) server_rec *s = c->base_server; SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module); SSLConnRec *sslconn = (SSLConnRec *) ap_get_module_config(c->conn_config, &ssl_module); - modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server; + modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc); X509_OBJECT obj; X509_NAME *subject, *issuer; X509 *cert; @@ -3698,7 +3705,7 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx) request_rec *r = (request_rec *) SSL_get_ex_data(ssl, GRST_SSL_app_data2_idx); SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module); SSLDirConfigRec *dc = r ? (SSLDirConfigRec *) ap_get_module_config(r->per_dir_config, &ssl_module) : NULL; - modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server; + modssl_ctx_t *mctx = sslconn->is_proxy ? SSLSrvConfigRec_proxy(sc) : SSLSrvConfigRec_server(sc); int verify, depth; #endif STACK_OF(X509) *certstack; 
@@ -4261,49 +4268,17 @@ void sitecast_responder(server_rec *main_server) } /* **** end of main listening loop **** */ } -SSL_CTX *mod_gridsite_get_ssl_context( server_rec *this_server) -{ - SSLSrvConfigRec *sc; - SSL_CTX *ctx = NULL; - - sc = ap_get_module_config(this_server->module_config, &ssl_module); - - if ((sc != NULL) && - (sc->enabled) && - (sc->server != NULL) && - (sc->server->ssl_ctx != NULL)) - ctx = sc->server->ssl_ctx; - - return ctx; -} - -SSL_CTX *mod_gridsite_get_ssl_context2(server_rec *this_server) -{ - SSLSrvConfigRec2 *sc; - SSL_CTX *ctx = NULL; - - sc = ap_get_module_config(this_server->module_config, &ssl_module); - - if ((sc != NULL) && - (sc->enabled) && - (sc->server != NULL) && - (sc->server->ssl_ctx != NULL)) - ctx = sc->server->ssl_ctx; - - return ctx; -} - static int mod_gridsite_server_post_config(apr_pool_t *pPool, apr_pool_t *pLog, apr_pool_t *pTemp, server_rec *main_server) { SSL_CTX *ctx; - int i =0; - int mod_ssl_with_insecure_reneg = 0; + SSLSrvConfigRec *sc; + int i = 0; server_rec *this_server; apr_proc_t *procnew = NULL; apr_status_t status; - char *path; - const char *userdata_key = "sitecast_init"; + char *path; + const char *userdata_key = "sitecast_init"; const char *insecure_reneg = "SSLInsecureRenegotiation"; apr_pool_userdata_get((void **) &procnew, userdata_key, @@ -4367,7 +4342,6 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool, i++; } - ap_log_error(APLOG_MARK, APLOG_NOTICE, status, main_server, "mod_gridsite: mod_ssl_with_insecure_reneg = %d", mod_ssl_with_insecure_reneg); 
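Review bot: With the two `mod_gridsite_get_ssl_context*` helpers removed, `ctx` in mod_gridsite_server_post_config is no longer assigned on every path: the helpers always returned a value (NULL when no usable context was found), while the replacement in the following hunk assigns `ctx` only inside the new `if`. If `ctx` is read outside that block later in the function — the rest of the body is outside these hunks — it is now indeterminate; initialising it at the declaration, `SSL_CTX *ctx = NULL;`, restores the old guarantee at no cost. Separately, the `char *path;` and `const char *userdata_key = "sitecast_init";` lines differ only in whitespace between the removed and added versions, and the same holds for the `}` in the `@@ -4400` hunk and the `sc` declaration in `@@ -4436`; mixing re-indentation into a functional change makes the real change harder to pick out. The enclosing function continues past the end of the hunk.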
@@ -4377,13 +4351,14 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool, { /* we do some GridSite OpenSSL magic for HTTPS servers */ - if (mod_ssl_with_insecure_reneg) - ctx = mod_gridsite_get_ssl_context2(this_server); - else - ctx = mod_gridsite_get_ssl_context(this_server); - - if (ctx) - { + sc = ap_get_module_config(this_server->module_config, &ssl_module); + + if ((sc != NULL) && + (sc->enabled) && + (SSLSrvConfigRec_server(sc) != NULL) && + (SSLSrvConfigRec_server(sc)->ssl_ctx != NULL)) + { + ctx = SSLSrvConfigRec_server(sc)->ssl_ctx; /* in 0.9.7 we could set the issuer-checking callback directly */ // ctx->cert_store->check_issued = GRST_X509_check_issued_wrapper; @@ -4400,7 +4375,7 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool, if (main_server->loglevel >= APLOG_DEBUG) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server, "Set mod_ssl verify callbacks to GridSite wrappers"); - } + } } /* create sessions directory if necessary */ @@ -4436,8 +4411,8 @@ static void mod_gridsite_child_init(apr_pool_t *pPool, server_rec *pServer) apr_dir_t *dir; char *filename; apr_finfo_t finfo; - SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config, - &ssl_module); + SSLSrvConfigRec *sc = ap_get_module_config(pServer->module_config, + &ssl_module); GRSTgaclInit(); mod_gridsite_log_func_server = pServer; GRSTerrorLogFunc = mod_gridsite_log_func; diff --git a/org.gridsite.core/src/mod_ssl-private.h b/org.gridsite.core/src/mod_ssl-private.h index 59bcdee..b1c4c08 100644 --- a/org.gridsite.core/src/mod_ssl-private.h +++ b/org.gridsite.core/src/mod_ssl-private.h 
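Review bot: `SSLSrvConfigRec_server(sc)` is expanded three times in the new condition and assignment, and each expansion is a ternary on the global `mod_ssl_with_insecure_reneg` plus a cast, so the same layout selection is recomputed three times in a row. Hoisting it into a local leaves one evaluation and one place to reason about: `modssl_ctx_t *srv = (sc != NULL && sc->enabled) ? SSLSrvConfigRec_server(sc) : NULL;` followed by `if ((srv != NULL) && (srv->ssl_ctx != NULL))` and `ctx = srv->ssl_ctx;` (the declaration can sit with the other locals at the top of the function). Reading `sc->enabled` directly through the `SSLSrvConfigRec` type works because both layouts in mod_ssl-private.h begin with `mc` and `enabled` before they diverge, but that assumption deserves a one-line comment here, since any member read without the macro silently depends on it. The enclosing function starts and ends outside this hunk.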
@@ -49,6 +49,11 @@ * limitations under the License. */ +/* + This work has been partially funded by the EU Commission (contract + INFSO-RI-222667) under the EGEE-III collaboration. +*/ + /*------------------------------------------------------------------* * This program is part of GridSite: http://www.gridsite.org/ * *------------------------------------------------------------------*/ @@ -150,6 +155,7 @@ typedef struct { #endif } modssl_ctx_t; +/* original SSLSrvConfigRec */ typedef struct { void *mc; BOOL enabled; @@ -164,6 +170,28 @@ typedef struct { modssl_ctx_t *proxy; } SSLSrvConfigRec; +/* SSLSrvConfigRec after mod_ssl patch for CVE-2009-3555 */ +typedef struct { + void *mc; + unsigned int enabled; + unsigned int proxy_enabled; + const char *vhost_id; + int vhost_id_len; + int session_cache_timeout; +#if AP_MODULE_MAGIC_AT_LEAST(20051115,0) + BOOL cipher_server_pref; +#endif + /* this is the member that was added */ + int insecure_reneg; + modssl_ctx_t *server; + modssl_ctx_t *proxy; +} SSLSrvConfigRec2; + +/* The server and proxy members of SSLSrvConfigRec must only be accessed + using these macros: */ +#define SSLSrvConfigRec_server(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2) sc)->server) : (((SSLSrvConfigRec) sc)->server)) +#define SSLSrvConfigRec_proxy(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2) sc)->proxy) : (((SSLSrvConfigRec) sc)->proxy)) + #if AP_MODULE_MAGIC_AT_LEAST(20051115,0) typedef struct { BOOL bSSLRequired; @@ -180,17 +208,4 @@ typedef struct { } SSLDirConfigRec; #endif - -typedef struct { - void *mc; - unsigned int enabled; - unsigned int proxy_enabled; - const char *vhost_id; - int vhost_id_len; - int session_cache_timeout; - int insecure_reneg; - modssl_ctx_t *server; - modssl_ctx_t *proxy; -} SSLSrvConfigRec2; - extern module AP_MODULE_DECLARE_DATA ssl_module;
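Review bot: The casts in the new `SSLSrvConfigRec_server`/`SSLSrvConfigRec_proxy` macros are written as `(SSLSrvConfigRec2) sc` and `(SSLSrvConfigRec) sc`, i.e. to the struct types rather than to pointers to them; C only allows casts to scalar types, so every expansion of these macros should fail to compile until the `*` is added, and the macro argument should be parenthesised as well: `#define SSLSrvConfigRec_server(sc) (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) (sc))->server) : (((SSLSrvConfigRec *) (sc))->server))`, with the same change for `_proxy`. The macros also reference `mod_ssl_with_insecure_reneg`, which this header never declares; it is defined in mod_gridsite.c, so any other translation unit that includes the header would fail on that name — add `extern int mod_ssl_with_insecure_reneg;` above the two `#define`s. The comment above the macros should also state the risk they exist to manage: the new layout differs from the original only by the `insecure_reneg` member inserted ahead of `server` and `proxy`, so reading either pointer through the wrong layout yields a value taken from a different field, and correctness depends entirely on the flag matching the mod_ssl build actually loaded.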