From 135e06ed9655a8154705956be92d996d9a72e777 Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Tue, 30 Mar 2010 14:41:39 +0000 Subject: [PATCH] Patch from Jan Just Keijser --- org.gridsite.core/CHANGES | 4 ++ org.gridsite.core/interface/gridsite.h | 1 + org.gridsite.core/src/mod_gridsite.c | 69 +++++++++++++++++++++++++++------ org.gridsite.core/src/mod_ssl-private.h | 12 ++++++ 4 files changed, 75 insertions(+), 11 deletions(-) diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index 1da5da3..6ae5b0b 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,7 @@ +* Tue Mar 30 2010 Andrew McNab +- Apply patch to mod_gridsite.c from Jan Just Keijser + to detect change to + SSLSrvConfigRec etc in "sslireneg" patch to mod_ssl * Fri Nov 27 2009 Andrew McNab - GRSTx509MakeProxyCert() now creates RFC 3280 proxies if any earlier proxies are RFC style diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index dc2a249..c5c2241 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -157,6 +157,7 @@ typedef struct { GRSTgaclCred *firstcred; char *dnlists; } GRSTgaclUser; #define GRST_PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14" #define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5" #define GRST_VOMS_DIR "/etc/grid-security/vomsdir" +#define GRST_KEYUSAGE_OID "2.5.29.15" #define GRST_ASN1_MAXCOORDLEN 50 #define GRST_ASN1_MAXTAGS 500 diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index 58eb06d..9a14f33 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -1627,7 +1627,7 @@ static void *create_gridsite_srv_config(apr_pool_t *p, server_rec *s) sitecastgroups[i].port = 0; /* GridSiteCastGroup mcast-list */ } - for (i=1; i <= GRST_SITECAST_ALIASES; ++i) + for (i=0; i <= GRST_SITECAST_ALIASES; ++i) { sitecastaliases[i].sitecast_url = NULL; sitecastaliases[i].port = 0; 
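Review bot: The loop in create_gridsite_srv_config now writes sitecastaliases[0] through sitecastaliases[GRST_SITECAST_ALIASES] inclusive, i.e. GRST_SITECAST_ALIASES + 1 elements, and the array's declaration is outside this hunk; if it is declared with only GRST_SITECAST_ALIASES entries the last iteration is a one-past-the-end write into the per-server config. The sitecastgroups loop just above is cut off by the hunk, so I cannot tell whether both arrays share the same inclusive bound. Please confirm the declaration and, if the array is sized N, change the condition to `for (i = 0; i < GRST_SITECAST_ALIASES; ++i)`; otherwise a comment such as `/* indices 0..GRST_SITECAST_ALIASES inclusive; array is sized GRST_SITECAST_ALIASES + 1 */` would make the intent checkable. create_gridsite_srv_config starts before this hunk.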
@@ -4261,16 +4261,50 @@ void sitecast_responder(server_rec *main_server) } /* **** end of main listening loop **** */ } +SSL_CTX *mod_gridsite_get_ssl_context( server_rec *this_server) +{ + SSLSrvConfigRec *sc; + SSL_CTX *ctx = NULL; + + sc = ap_get_module_config(this_server->module_config, &ssl_module); + + if ((sc != NULL) && + (sc->enabled) && + (sc->server != NULL) && + (sc->server->ssl_ctx != NULL)) + ctx = sc->server->ssl_ctx; + + return ctx; +} + +SSL_CTX *mod_gridsite_get_ssl_context2(server_rec *this_server) +{ + SSLSrvConfigRec2 *sc; + SSL_CTX *ctx = NULL; + + sc = ap_get_module_config(this_server->module_config, &ssl_module); + + if ((sc != NULL) && + (sc->enabled) && + (sc->server != NULL) && + (sc->server->ssl_ctx != NULL)) + ctx = sc->server->ssl_ctx; + + return ctx; +} + static int mod_gridsite_server_post_config(apr_pool_t *pPool, apr_pool_t *pLog, apr_pool_t *pTemp, server_rec *main_server) { SSL_CTX *ctx; - SSLSrvConfigRec *sc; + int i =0; + int mod_ssl_with_insecure_reneg = 0; server_rec *this_server; apr_proc_t *procnew = NULL; apr_status_t status; char *path; const char *userdata_key = "sitecast_init"; + const char *insecure_reneg = "SSLInsecureRenegotiation"; apr_pool_userdata_get((void **) &procnew, userdata_key, main_server->process->pool); 
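Review bot: mod_gridsite_get_ssl_context and mod_gridsite_get_ssl_context2 are defined with external linkage, so the module exports two new global symbols into httpd that nothing outside this file appears to use; both should be `static`. They are also identical apart from the config struct type, and both hand back another module's private SSL_CTX without any comment saying so — I would head each with `/* Reads mod_ssl's private SSLSrvConfigRec (Rec2 = layout with insecure_reneg); returns NULL unless SSL is enabled for this vhost and a server ctx exists */`. Minor: `int i =0;` reads better as `int i = 0;`, and since `i` only indexes the directive table it could be declared beside the loop that uses it (that loop is in a later hunk). mod_gridsite_server_post_config continues outside this hunk.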
@@ -4323,20 +4357,33 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool, GRST_SSL_app_data2_idx); #endif + + /* look for a SSLInsecureRenegotiation flag - if it exists then the mod_ssl + internal variable 'SSLSrvConfigRec' is different */ + while ( ssl_module.cmds[i].name && !mod_ssl_with_insecure_reneg) + { + mod_ssl_with_insecure_reneg = (strncmp( ssl_module.cmds[i].name, + insecure_reneg, sizeof(insecure_reneg) ) == 0); + i++; + } + + + ap_log_error(APLOG_MARK, APLOG_NOTICE, status, main_server, + "mod_gridsite: mod_ssl_with_insecure_reneg = %d", mod_ssl_with_insecure_reneg); + for (this_server = main_server; this_server != NULL; this_server = this_server->next) { /* we do some GridSite OpenSSL magic for HTTPS servers */ - - sc = ap_get_module_config(this_server->module_config, &ssl_module); + + if (mod_ssl_with_insecure_reneg) + ctx = mod_gridsite_get_ssl_context2(this_server); + else + ctx = mod_gridsite_get_ssl_context(this_server); - if ((sc != NULL) && - (sc->enabled) && - (sc->server != NULL) && - (sc->server->ssl_ctx != NULL)) - { - ctx = sc->server->ssl_ctx; + if (ctx) + { /* in 0.9.7 we could set the issuer-checking callback directly */ // ctx->cert_store->check_issued = GRST_X509_check_issued_wrapper; @@ -4353,7 +4400,7 @@ static int mod_gridsite_server_post_config(apr_pool_t *pPool, if (main_server->loglevel >= APLOG_DEBUG) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server, "Set mod_ssl verify callbacks to GridSite wrappers"); - } + } } /* create sessions directory if necessary */ diff --git a/org.gridsite.core/src/mod_ssl-private.h b/org.gridsite.core/src/mod_ssl-private.h index f4d3582..59bcdee 100644 --- a/org.gridsite.core/src/mod_ssl-private.h +++ b/org.gridsite.core/src/mod_ssl-private.h 
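Review bot: The directive scan compares only `sizeof(insecure_reneg)` bytes, but insecure_reneg is a `const char *`, so sizeof yields the pointer size (4 or 8) rather than the string length — only "SSLI" or "SSLInsec" is actually matched, and any future mod_ssl directive sharing that prefix would silently flip the struct-layout switch. Replace it with a full comparison: `mod_ssl_with_insecure_reneg = (strcmp(ssl_module.cmds[i].name, insecure_reneg) == 0);`. The ap_log_error call below passes `status` as the apr_status_t argument, but status is assigned elsewhere in the function (outside the hunk) and has nothing to do with this check, so the NOTICE may carry a stale or uninitialized errno string; pass 0 there. The comment above the loop should also say that finding the directive only proves the patched mod_ssl has the SSLInsecureRenegotiation command, not that its SSLSrvConfigRec field order matches SSLSrvConfigRec2 — a mismatch means `sc->server` is read from the wrong offset and then dereferenced. mod_gridsite_server_post_config continues outside the hunk.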
@@ -181,4 +181,16 @@ typedef struct { #endif +typedef struct { + void *mc; + unsigned int enabled; + unsigned int proxy_enabled; + const char *vhost_id; + int vhost_id_len; + int session_cache_timeout; + int insecure_reneg; + modssl_ctx_t *server; + modssl_ctx_t *proxy; +} SSLSrvConfigRec2; + extern module AP_MODULE_DECLARE_DATA ssl_module; -- 1.8.2.3
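Review bot: SSLSrvConfigRec2 is a hand-copied mirror of a private mod_ssl struct with no comment saying which ssl_private.h it was taken from, yet mod_gridsite.c dereferences `sc->enabled` and `sc->server` through it, so any divergence in field order or width turns those reads into garbage or a wild pointer. Please head it with `/* Mirror of SSLSrvConfigRec from <httpd version> ssl_private.h with the "sslireneg" patch applied: insecure_reneg sits between session_cache_timeout and server. Field order and sizes must match exactly; keep in sync. */` with the exact version filled in. `mc` is declared `void *` here; if mod_ssl types it as a pointer to its own module config, a note `/* pointer in mod_ssl; only a placeholder for layout here */` would explain why the type differs.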