authorJoe Orton <jorton@apache.org>2005-01-14 13:54:31 +0000
committerJoe Orton <jorton@apache.org>2005-01-14 13:54:31 +0000
commit7e914c473ad59822acd59066b581705990a6359e (patch)
tree4698d87a129fdafd8fd42a0604cde15d4bff85fd
parent3fe5a0f6a6291c84a29cf5e2a4e14c9f08aca184 (diff)
* modules/ssl/mod_ssl.c: Declare new config directives
SSLCADNRequestFile and SSLCADNRequestPath. * modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path, ca_name_file fields. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA DN list sent in the CertificateRequest from those certificates. * modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use pcalloc to zero-initialize the entire modssl_pk_server_t structure. (ssl_config_server_new): Merge the ca_name_* fields. (ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New functions. PR: 32848 Submitted by: Tim Taylor <tim.taylor dfas.mil> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@125165 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--mod_ssl.c6
-rw-r--r--ssl_engine_config.c45
-rw-r--r--ssl_engine_init.c15
-rw-r--r--ssl_private.h7
4 files changed, 58 insertions, 15 deletions
diff --git a/mod_ssl.c b/mod_ssl.c
index fb9e75bd68..4fa39008ad 100644
--- a/mod_ssl.c
+++ b/mod_ssl.c
@@ -116,6 +116,12 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_ALL(CACertificateFile, TAKE1,
"SSL CA Certificate file "
"(`/path/to/file' - PEM encoded)")
+ SSL_CMD_SRV(CADNRequestPath, TAKE1,
+ "SSL CA Distinguished Name path "
+ "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
+ SSL_CMD_SRV(CADNRequestFile, TAKE1,
+ "SSL CA Distinguished Name file "
+ "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
SSL_CMD_SRV(CARevocationPath, TAKE1,
"SSL CA Certificate Revocation List (CRL) path "
"(`/path/to/dir' - contains PEM encoded files)")
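Review bot: The help string for the new CADNRequestPath directive, "symlink hashes to PEM of acceptable CA names to request", is hard to parse for an administrator reading the directive table, and it is the only documentation of the directive visible in this commit. Something like `"(`/path/to/dir' - hashed symlinks to PEM certificates whose names are requested)"` reads more naturally and matches the phrasing used for CARevocationPath just below. The CADNRequestFile string could likewise say `"(`/path/to/file' - PEM encoded certificates whose names are requested)"`. Both are runtime strings shown by the server, so the change is cosmetic but user-facing.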
diff --git a/ssl_engine_config.c b/ssl_engine_config.c
index d9cc5b8a1e..85831ea45f 100644
--- a/ssl_engine_config.c
+++ b/ssl_engine_config.c
@@ -152,17 +152,9 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
modssl_ctx_init(mctx);
- mctx->pks = apr_palloc(p, sizeof(*mctx->pks));
+ mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
- memset((void*)mctx->pks->cert_files, 0, sizeof(mctx->pks->cert_files));
-
- memset((void*)mctx->pks->key_files, 0, sizeof(mctx->pks->key_files));
-
- /* certs/keys are set during module init */
-
- memset(mctx->pks->certs, 0, sizeof(mctx->pks->certs));
-
- memset(mctx->pks->keys, 0, sizeof(mctx->pks->keys));
+ /* mctx->pks->... certs/keys are set during module init */
}
static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -245,6 +237,9 @@ static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
cfgMergeString(pks->cert_files[i]);
cfgMergeString(pks->key_files[i]);
}
+
+ cfgMergeString(pks->ca_name_path);
+ cfgMergeString(pks->ca_name_file);
}
/*
@@ -835,6 +830,36 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
return NULL;
}
+const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_dir(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->pks->ca_name_path = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->pks->ca_name_file = arg;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd,
void *dcfg,
const char *arg)
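Review bot: The two new handlers ssl_cmd_SSLCADNRequestPath and ssl_cmd_SSLCADNRequestFile carry no comment saying what the stored paths are for, and nothing in this file connects them to the CertificateRequest DN list; a reader has to find the ssl_engine_init.c change to learn that. A one-line header on each would close that gap, e.g. `/* SSLCADNRequestPath: directory of CA certificates whose subject DNs are sent to clients in the CertificateRequest; see ssl_init_ctx_verify */` (and the analogous line for the File variant). The new cfgMergeString lines in modssl_ctx_cfg_merge_server presumably make a virtual host inherit the base server's setting when it sets neither directive, which is worth a sentence in the directive documentation since it changes which CA names that vhost advertises.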
diff --git a/ssl_engine_init.c b/ssl_engine_init.c
index 2a9c7a4ef8..bcc0d388f5 100644
--- a/ssl_engine_init.c
+++ b/ssl_engine_init.c
@@ -544,12 +544,17 @@ static void ssl_init_ctx_verify(server_rec *s,
ssl_die();
}
- ca_list = ssl_init_FindCAList(s, ptemp,
- mctx->auth.ca_cert_file,
- mctx->auth.ca_cert_path);
+ if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
+ ca_list = ssl_init_FindCAList(s, ptemp,
+ mctx->pks->ca_name_file,
+ mctx->pks->ca_name_path);
+ } else
+ ca_list = ssl_init_FindCAList(s, ptemp,
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path);
if (!ca_list) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to determine list of available "
+ "Unable to determine list of acceptable "
"CA certificates for client authentication");
ssl_die();
}
@@ -1151,7 +1156,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Failed to open SSLCACertificatePath `%s'",
+ "Failed to open Certificate Path `%s'",
ca_path);
ssl_die();
}
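Review bot: The `} else` in ssl_init_ctx_verify is followed by an unbraced statement that spans three lines, which departs from the braced `if` directly above it and from the rest of this hunk; the two branches also duplicate the ssl_init_FindCAList call and differ only in which pair of strings they pass. Selecting the file/path pair first and making one call keeps the brace style uniform and puts the policy decision on a single commented line. The two selector locals would be declared at the top of ssl_init_ctx_verify, which starts and ends outside this hunk. The later hunk's message change to "Failed to open Certificate Path" is reasonable now that the path may come from either directive, but the `%s` is what lets an operator find it, so keep that argument.
```c
    /* … unchanged: trust-store setup and its ssl_die() … */
    /* An explicitly configured SSLCADNRequestFile/Path decides which CA
     * names are advertised; otherwise fall back to the CA certificate set. */
    if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
        ca_file = mctx->pks->ca_name_file;
        ca_path = mctx->pks->ca_name_path;
    }
    else {
        ca_file = mctx->auth.ca_cert_file;
        ca_path = mctx->auth.ca_cert_path;
    }
    ca_list = ssl_init_FindCAList(s, ptemp, ca_file, ca_path);
    /* … unchanged: !ca_list error path … */
```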
diff --git a/ssl_private.h b/ssl_private.h
index 4f834948ba..19f9d8a9ce 100644
--- a/ssl_private.h
+++ b/ssl_private.h
@@ -379,6 +379,11 @@ typedef struct {
const char *key_files[SSL_AIDX_MAX];
X509 *certs[SSL_AIDX_MAX];
EVP_PKEY *keys[SSL_AIDX_MAX];
+
+ /* Certificates which specify the set of CA names which should be
+ * sent in the CertificateRequest message: */
+ const char *ca_name_path;
+ const char *ca_name_file;
} modssl_pk_server_t;
typedef struct {
@@ -487,6 +492,8 @@ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
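Review bot: The comment on the new ca_name_path/ca_name_file fields describes them as "Certificates", but the fields are path strings to a PEM file and a hashed directory, and the comment does not say that they only affect the names advertised to clients. Since a name advertised here that is absent from the CA set used for verification will make a client present a certificate that is then rejected, the distinction matters to whoever reads this struct next. Suggested wording: `/* Optional PEM file / hashed directory whose certificates supply the CA names sent in the CertificateRequest; as far as ssl_init_ctx_verify shows, they do not change which CAs are trusted for verification (SSLCACertificateFile/Path). */`. Because modssl_ctx_init_server now uses apr_pcalloc, both fields start out NULL, which is the condition ssl_init_ctx_verify tests; that is worth stating here too.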