From 19927566032f6b8ffb0bf3bbca25574a7ee32186 Mon Sep 17 00:00:00 2001
From: Andrew McNab
Date: Tue, 24 Jun 2008 14:07:52 +0000
Subject: [PATCH] CHANGES and more 1.7.x backports

---
 org.gridsite.core/CHANGES | 12 ++++
 org.gridsite.core/src/mod_gridsite.c | 124 ++++++++++++++++++++++++++++++++++-
 2 files changed, 135 insertions(+), 1 deletion(-)

diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index 2491c7a..a25915c 100644
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,3 +1,15 @@
+* Mon Jun 23 2008 Andrew McNab
+- Backport changes from 1.7.x for Apache 2.2 and
+ Debian/SL5.
+- Define _LARGEFILE64_SOURCE in mod_gridsite.c and
+ gsexec.c if using Apache 2.2
+- Rely on GRSTx509ChainLoadCheck() instead of mod_ssl
+ checking if using Apache 2.2, as these functions are
+ no longer exposed by mod_ssl.
+- mod_gridsite_perm_handler now run at hook level
+ APR_HOOK_REALLY_LAST to avoid httpd.conf gotchas.
+* Mon Jun 23 2008 Andrew McNab
+- ==== GridSite version 1.5.9 ====
 * Tue Mar 18 2008 Andrew McNab
 - Add extern to declaration of GRSTerrorLogFunc in gridsite.h
 (bug #34658 from Luca Petronzio)
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index 12eb1ac..b6d28d8 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -3429,9 +3429,127 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
 int errdepth = X509_STORE_CTX_get_error_depth(ctx);
 int returned_ok;
 int first_non_ca;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
+ SSLSrvConfigRec *sc = (SSLSrvConfigRec *) ap_get_module_config(s->module_config, &ssl_module);
+ SSLDirConfigRec *dc = r ? (SSLDirConfigRec *) ap_get_module_config(r->per_dir_config, &ssl_module) : NULL;
+ modssl_ctx_t *mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ int verify, depth;
+#endif
 STACK_OF(X509) *certstack;
 GRSTx509Chain *grst_chain;
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ /*
+ * Log verification information
+ */
+ if (s->loglevel >= APLOG_DEBUG)
+ {
+ X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+ char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+ char *iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Certificate Verification: "
+ "depth: %d, subject: %s, issuer: %s",
+ errdepth,
+ sname ? sname : "-unknown-",
+ iname ? iname : "-unknown-");
+
+ if (sname) modssl_free(sname);
+
+ if (iname) modssl_free(iname);
+ }
+
+ /*
+ * Check for optionally acceptable non-verifiable issuer situation
+ */
+ if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET))
+ {
+ verify = dc->nVerifyClient;
+ }
+ else
+ {
+ verify = mctx->auth.verify_mode;
+ }
+
+ if (verify == SSL_CVERIFY_NONE)
+ {
+ /*
+ * SSLProxyVerify is either not configured or set to "none".
+ * (this callback doesn't happen in the server context if SSLVerify
+ * is not configured or set to "none")
+ */
+ return TRUE;
+ }
+
+ if (ssl_verify_error_is_optional(errnum) &&
+ (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
+ {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Certificate Verification: Verifiable Issuer is "
+ "configured as optional, therefore we're accepting "
+ "the certificate");
+
+ sslconn->verify_info = "GENEROUS";
+ ok = TRUE;
+ }
+
+ /*
+ * Additionally perform CRL-based revocation checks
+ */
+ if (ok)
+ {
+ if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn)))
+ {
+ errnum = X509_STORE_CTX_get_error(ctx);
+ }
+ }
+
+ /*
+ * If we already know it's not ok, log the real reason
+ */
+ if (!ok) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Certificate Verification: Error (%d): %s",
+ errnum, X509_verify_cert_error_string(errnum));
+
+ if (sslconn->client_cert) {
+ X509_free(sslconn->client_cert);
+ sslconn->client_cert = NULL;
+ }
+ sslconn->client_dn = NULL;
+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
+ }
+
+ /*
+ * Finally check the depth of the certificate verification
+ */
+ if (dc && (dc->nVerifyDepth != UNSET))
+ {
+ depth = dc->nVerifyDepth;
+ }
+ else
+ {
+ depth = mctx->auth.verify_depth;
+ }
+
+ if (errdepth > depth)
+ {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Certificate Verification: Certificate Chain too long "
+ "(chain has %d certificates, but maximum allowed are "
+ "only %d)",
+ errdepth, depth);
+
+ errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
+
+ ok = FALSE;
+ }
+
+#endif
+
 /*
 * GSI Proxy user-cert-as-CA handling:
 * we skip Invalid CA errors at this stage, since we will check this
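Review bot: The `if (!ok) {` branch near the end of the new `#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)` block now runs before the GSI proxy handling that follows `#endif`, whereas the 1.5 flow (and the `#else` side of the next hunk) applied the GSI adjustments first and only then called `ssl_callback_SSLVerify`; the trailing context comment says Invalid CA errors are deliberately skipped at this stage, but on the 2.2 path that error now reaches this branch first, gets logged at APLOG_ERR, frees `sslconn->client_cert` and leaves `sslconn->verify_error` set even if the proxy-chain code later flips `ok` back to TRUE. Unless the code below the hunk clears `verify_error`, mod_ssl's own checks that key on it will presumably still treat the client as unverified for a chain GridSite accepted. The least invasive way to keep the old semantics is to exclude that case here, `if (!ok && (errnum != X509_V_ERR_INVALID_CA)) {`, and let the GSI check decide it as before. Separately, the chain-too-long branch only updates the local `errnum` and never writes it to the ctx; since the function re-reads `X509_STORE_CTX_get_error(ctx)` right after, adding `X509_STORE_CTX_set_error(ctx, errnum);` beside `ok = FALSE;` keeps the ctx consistent with what was logged. GRST_callback_SSLVerify_wrapper begins before this hunk and continues past it.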
@@ -3471,7 +3589,11 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
 }
 }
+#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
+ returned_ok = ok;
+#else
 returned_ok = ssl_callback_SSLVerify(ok, ctx);
+#endif
 /* in case ssl_callback_SSLVerify changed it */
 errnum = X509_STORE_CTX_get_error(ctx);
@@ -4066,7 +4188,7 @@ static void register_hooks(apr_pool_t *p)
 ap_hook_fixups(mod_gridsite_first_fixups,NULL,NULL,APR_HOOK_FIRST);
- ap_hook_fixups(mod_gridsite_perm_handler,NULL,NULL,APR_HOOK_LAST);
+ ap_hook_fixups(mod_gridsite_perm_handler,NULL,NULL,APR_HOOK_REALLY_LAST);
 ap_hook_handler(mod_gridsite_handler, NULL, NULL, APR_HOOK_FIRST);
-- 
1.8.2.3
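Review bot: On the Apache 2.2 side `returned_ok = ok;` is followed by the unchanged `errnum = X509_STORE_CTX_get_error(ctx);`, but the inline mod_ssl logic earlier in the function only ever set `errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG` locally without storing it in the ctx, so that re-read silently replaces it with whatever OpenSSL last recorded (possibly X509_V_OK) while `returned_ok` is already FALSE. Whatever follows that branches on `errnum` cannot be seen from here, but at minimum the logged reason and the value the rest of the wrapper works with can disagree. Writing the decision back before the re-read, `if (!ok) X509_STORE_CTX_set_error(ctx, errnum);` placed just above `returned_ok = ok;` inside the `#if`, makes the two paths behave alike. The comment `/* in case ssl_callback_SSLVerify changed it */` is also only true of the `#else` branch now and should say so. GRST_callback_SSLVerify_wrapper starts before this hunk and continues after it.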
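Review bot: The new hook level on the `ap_hook_fixups(mod_gridsite_perm_handler, ...)` line is undocumented in the code: this is the access-control hook, its position relative to other modules' fixups is what makes the check effective, and CHANGES only says it avoids "httpd.conf gotchas". A why-comment on that line would stop the next maintainer from "tidying" it back, e.g. `/* REALLY_LAST: the permission check must run after every other module's fixups */`. As far as I recall APR orders hooks registered at the same level by module load order, so REALLY_LAST on its own is not a hard guarantee against another REALLY_LAST fixup; if a specific module is the gotcha, naming it in the successor list (`aszPre`) would be stronger. register_hooks is otherwise outside this hunk.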