From 638a854aa56920e99f33754b3f5dc7b8eef5f114 Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Fri, 28 Mar 2008 15:32:16 +0000 Subject: [PATCH] Sync --- org.gridsite.core/src/mod_gridsite.c | 124 +++++++++++++++++++++++++++++++- org.gridsite.core/src/mod_ssl-private.h | 20 +++++- 2 files changed, 140 insertions(+), 4 deletions(-) diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index 01b16cc..6988b2c 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -3468,14 +3468,132 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx) conn_rec *conn = (conn_rec *) SSL_get_app_data(ssl); server_rec *s = conn->base_server; SSLConnRec *sslconn = - (SSLConnRec *) ap_get_module_config(conn->conn_config, &ssl_module); + (SSLConnRec *) ap_get_module_config(conn->conn_config, &ssl_module); int errnum = X509_STORE_CTX_get_error(ctx); int errdepth = X509_STORE_CTX_get_error_depth(ctx); int returned_ok; int first_non_ca; +#if AP_MODULE_MAGIC_AT_LEAST(20051115,0) + request_rec *r = (request_rec *)SSL_get_app_data2(ssl); + SSLSrvConfigRec *sc = mySrvConfig(s); + SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; + modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); + int verify; +#endif STACK_OF(X509) *certstack; GRSTx509Chain *grst_chain; +#if AP_MODULE_MAGIC_AT_LEAST(20051115,0) + /* + * Log verification information + */ + if (s->loglevel >= APLOG_DEBUG) + { + X509 *cert = X509_STORE_CTX_get_current_cert(ctx); + char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); + char *iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Certificate Verification: " + "depth: %d, subject: %s, issuer: %s", + errdepth, + sname ? sname : "-unknown-", + iname ? iname : "-unknown-"); + + if (sname) modssl_free(sname); + + if (iname) modssl_free(iname); + } + + /* + * Check for optionally acceptable non-verifiable issuer situation + */ + if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) + { + verify = dc->nVerifyClient; + } + else + { + verify = mctx->auth.verify_mode; + } + + if (verify == SSL_CVERIFY_NONE) + { + /* + * SSLProxyVerify is either not configured or set to "none". + * (this callback doesn't happen in the server context if SSLVerify + * is not configured or set to "none") + */ + return TRUE; + } + + if (ssl_verify_error_is_optional(errnum) && + (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) + { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Certificate Verification: Verifiable Issuer is " + "configured as optional, therefore we're accepting " + "the certificate"); + + sslconn->verify_info = "GENEROUS"; + ok = TRUE; + } + + /* + * Additionally perform CRL-based revocation checks + */ + if (ok) + { + if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) + { + errnum = X509_STORE_CTX_get_error(ctx); + } + } + + /* + * If we already know it's not ok, log the real reason + */ + if (!ok) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Certificate Verification: Error (%d): %s", + errnum, X509_verify_cert_error_string(errnum)); + + if (sslconn->client_cert) { + X509_free(sslconn->client_cert); + sslconn->client_cert = NULL; + } + sslconn->client_dn = NULL; + sslconn->verify_error = X509_verify_cert_error_string(errnum); + } + + /* + * Finally check the depth of the certificate verification + */ + if (dc && (dc->nVerifyDepth != UNSET)) + { + depth = dc->nVerifyDepth; + } + else + { + depth = mctx->auth.verify_depth; + } + + if (errdepth > depth) + { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Certificate Verification: Certificate Chain too long " + "(chain has %d certificates, but maximum allowed are " + "only %d)", + errdepth, depth); + + errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG; + sslconn->verify_error = X509_verify_cert_error_string(errnum); + + ok = FALSE; + } + +#endif + /* * GSI Proxy user-cert-as-CA handling: * we skip Invalid CA errors at this stage, since we will check this @@ -3515,7 +3633,11 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx) } } +#if AP_MODULE_MAGIC_AT_LEAST(20051115,0) + returned_ok = ok; +#else returned_ok = ssl_callback_SSLVerify(ok, ctx); +#endif /* in case ssl_callback_SSLVerify changed it */ errnum = X509_STORE_CTX_get_error(ctx); diff --git a/org.gridsite.core/src/mod_ssl-private.h b/org.gridsite.core/src/mod_ssl-private.h index 7b0b784..f8d3647 100644 --- a/org.gridsite.core/src/mod_ssl-private.h +++ b/org.gridsite.core/src/mod_ssl-private.h @@ -1,5 +1,5 @@ /* - Copyright (c) 2003-4, Andrew McNab, University of Manchester + Copyright (c) 2003-8, Andrew McNab, University of Manchester All rights reserved. Redistribution and use in source and binary forms, with or @@ -67,6 +67,10 @@ #include +#ifndef BOOL +#define BOOL unsigned int +#endif + typedef enum { SSL_SHUTDOWN_TYPE_UNSET, SSL_SHUTDOWN_TYPE_STANDARD, @@ -74,6 +78,13 @@ typedef enum { SSL_SHUTDOWN_TYPE_ACCURATE } ssl_shutdown_type_e; +typedef enum { + SSL_ENABLED_UNSET = -1, + SSL_ENABLED_FALSE = 0, + SSL_ENABLED_TRUE = 1, + SSL_ENABLED_OPTIONAL = 3 +} ssl_enabled_t; + typedef struct { SSL *ssl; const char *client_dn; @@ -94,11 +105,14 @@ typedef struct { typedef struct { void *mc; - unsigned int enabled; - unsigned int proxy_enabled; + BOOL enabled; + BOOL proxy_enabled; const char *vhost_id; int vhost_id_len; int session_cache_timeout; +#if AP_MODULE_MAGIC_AT_LEAST(20051115,0) + BOOL cipher_server_pref; +#endif modssl_ctx_t *server; modssl_ctx_t *proxy; } SSLSrvConfigRec; -- 1.8.2.3