Diffstat (limited to 'modules/ssl/ssl_engine_compat.c')
-rw-r--r--modules/ssl/ssl_engine_compat.c511
1 files changed, 511 insertions, 0 deletions
diff --git a/modules/ssl/ssl_engine_compat.c b/modules/ssl/ssl_engine_compat.c
new file mode 100644
index 0000000000..a9fe50fdfe
--- /dev/null
+++ b/modules/ssl/ssl_engine_compat.c
@@ -0,0 +1,511 @@
+/* _ _
+** _ __ ___ ___ __| | ___ ___| | mod_ssl
+** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
+** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
+** |_____|
+** ssl_engine_compat.c
+** Backward Compatibility
+*/
+
+/* ====================================================================
+ * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by
+ * Ralf S. Engelschall <rse@engelschall.com> for use in the
+ * mod_ssl project (http://www.modssl.org/)."
+ *
+ * 4. The names "mod_ssl" must not be used to endorse or promote
+ * products derived from this software without prior written
+ * permission. For written permission, please contact
+ * rse@engelschall.com.
+ *
+ * 5. Products derived from this software may not be called "mod_ssl"
+ * nor may "mod_ssl" appear in their names without prior
+ * written permission of Ralf S. Engelschall.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by
+ * Ralf S. Engelschall <rse@engelschall.com> for use in the
+ * mod_ssl project (http://www.modssl.org/)."
+ *
+ * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
+ * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+ /* ``Backward compatibility is for
+ users who don't want to live
+ on the bleeding edge.''
+ -- Unknown */
+#ifdef SSL_COMPAT
+
+#include "mod_ssl.h"
+
+
+/* _________________________________________________________________
+**
+** Backward Compatibility
+** _________________________________________________________________
+*/
+
+/*
+ * The mapping of obsolete directives to official ones...
+ */
+
+static char *ssl_compat_RequireSSL(pool *, const char *, const char *, const char *);
+static char *ssl_compat_SSLSessionLockFile(pool *, const char *, const char *, const char *);
+static char *ssl_compat_SSLCacheDisable(pool *, const char *, const char *, const char *);
+static char *ssl_compat_SSLRequireCipher(pool *, const char *, const char *, const char *);
+static char *ssl_compat_SSLBanCipher(pool *, const char *, const char *, const char *);
+static char *ssl_compat_SSL_SessionDir(pool *, const char *, const char *, const char *);
+static char *ssl_compat_words2list(pool *, const char *);
+
+#define CRM_BEGIN /* nop */
+#define CRM_ENTRY(what,action) { what, action },
+#define CRM_END { NULL, NULL, NULL, NULL, NULL, NULL }
+#define CRM_CMD(cmd) cmd, NULL, NULL
+#define CRM_STR(str) NULL, str, NULL
+#define CRM_PAT(cmd) NULL, NULL, pat
+#define CRM_LOG(msg) msg, NULL, NULL
+#define CRM_SUB(new) NULL, new, NULL
+#define CRM_CAL(fct) NULL, NULL, fct
+
+static struct {
+ char *cpCommand;
+ char *cpSubstring;
+ char *cpPattern;
+ char *cpMessage;
+ char *cpSubst;
+ char *(*fpSubst)(pool *, const char *, const char *, const char *);
+} ssl_cmd_rewrite_map[] = {
+ CRM_BEGIN
+
+ /*
+ * Apache-SSL 1.x & mod_ssl 2.0.x backward compatibility
+ */
+ CRM_ENTRY( CRM_CMD("SSLEnable"), CRM_SUB("SSLEngine on") )
+ CRM_ENTRY( CRM_CMD("SSLDisable"), CRM_SUB("SSLEngine off") )
+ CRM_ENTRY( CRM_CMD("SSLLogFile"), CRM_SUB("SSLLog") )
+ CRM_ENTRY( CRM_CMD("SSLRequiredCiphers"), CRM_SUB("SSLCipherSuite") )
+ CRM_ENTRY( CRM_CMD("SSLRequireCipher"), CRM_CAL(ssl_compat_SSLRequireCipher) )
+ CRM_ENTRY( CRM_CMD("SSLBanCipher"), CRM_CAL(ssl_compat_SSLBanCipher) )
+ CRM_ENTRY( CRM_CMD("SSLFakeBasicAuth"), CRM_SUB("SSLOptions +FakeBasicAuth") )
+ CRM_ENTRY( CRM_CMD("SSLCacheServerPath"), CRM_LOG("Use SSLSessionCache instead") )
+ CRM_ENTRY( CRM_CMD("SSLCacheServerPort"), CRM_LOG("Use SSLSessionCache instead") )
+
+ /*
+ * Apache-SSL 1.x backward compatibility
+ */
+ CRM_ENTRY( CRM_CMD("SSLExportClientCertificates"), CRM_SUB("SSLOptions +ExportCertData") )
+ CRM_ENTRY( CRM_CMD("SSLCacheServerRunDir"), CRM_LOG("Not needed for mod_ssl") )
+
+ /*
+ * Sioux 1.x backward compatibility
+ */
+ CRM_ENTRY( CRM_CMD("SSL_CertFile"), CRM_SUB("SSLCertificateFile") )
+ CRM_ENTRY( CRM_CMD("SSL_KeyFile"), CRM_SUB("SSLCertificateKeyFile") )
+ CRM_ENTRY( CRM_CMD("SSL_CipherSuite"), CRM_SUB("SSLCipherSuite") )
+ CRM_ENTRY( CRM_CMD("SSL_X509VerifyDir"), CRM_SUB("SSLCACertificatePath") )
+ CRM_ENTRY( CRM_CMD("SSL_Log"), CRM_SUB("SSLLogFile") )
+ CRM_ENTRY( CRM_CMD("SSL_Connect"), CRM_SUB("SSLEngine") )
+ CRM_ENTRY( CRM_CMD("SSL_ClientAuth"), CRM_SUB("SSLVerifyClient") )
+ CRM_ENTRY( CRM_CMD("SSL_X509VerifyDepth"), CRM_SUB("SSLVerifyDepth") )
+ CRM_ENTRY( CRM_CMD("SSL_FetchKeyPhraseFrom"), CRM_LOG("Use SSLPassPhraseDialog instead") )
+ CRM_ENTRY( CRM_CMD("SSL_SessionDir"), CRM_CAL(ssl_compat_SSL_SessionDir) )
+ CRM_ENTRY( CRM_CMD("SSL_Require"), CRM_LOG("Use SSLRequire instead (Syntax!)"))
+ CRM_ENTRY( CRM_CMD("SSL_CertFileType"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSL_KeyFileType"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSL_X509VerifyPolicy"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSL_LogX509Attributes"), CRM_LOG("Not supported by mod_ssl") )
+
+ /*
+ * Stronghold 2.x backward compatibility
+ */
+ CRM_ENTRY( CRM_CMD("StrongholdAccelerator"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("StrongholdKey"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("StrongholdLicenseFile"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLFlag"), CRM_SUB("SSLEngine") )
+ CRM_ENTRY( CRM_CMD("SSLClientCAfile"), CRM_SUB("SSLCACertificateFile") )
+ CRM_ENTRY( CRM_CMD("SSLSessionLockFile"), CRM_CAL(ssl_compat_SSLSessionLockFile) )
+ CRM_ENTRY( CRM_CMD("SSLCacheDisable"), CRM_CAL(ssl_compat_SSLCacheDisable) )
+ CRM_ENTRY( CRM_CMD("RequireSSL"), CRM_CAL(ssl_compat_RequireSSL) )
+ CRM_ENTRY( CRM_CMD("SSLCipherList"), CRM_SUB("SSLCipherSuite") )
+ CRM_ENTRY( CRM_CMD("SSLErrorFile"), CRM_LOG("Not needed for mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLRoot"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSL_CertificateLogDir"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("AuthCertDir"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSL_Group"), CRM_LOG("Not supported by mod_ssl") )
+#ifndef SSL_EXPERIMENTAL_PROXY
+ CRM_ENTRY( CRM_CMD("SSLProxyMachineCertPath"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLProxyMachineCertFile"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLProxyCACertificatePath"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLProxyCACertificateFile"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLProxyVerifyDepth"), CRM_LOG("Not supported by mod_ssl") )
+ CRM_ENTRY( CRM_CMD("SSLProxyCipherList"), CRM_LOG("Not supported by mod_ssl") )
+#else
+ CRM_ENTRY( CRM_CMD("SSLProxyCipherList"), CRM_SUB("SSLProxyCipherSuite") )
+#endif
+
+ CRM_END
+};
+
+static char *ssl_compat_RequireSSL(
+ pool *p, const char *oline, const char *cmd, const char *args)
+{
+ char *cp;
+
+ for (cp = (char *)args; ap_isspace(*cp); cp++)
+ ;
+ if (strcEQ(cp, "on"))
+ return "SSLRequireSSL";
+ return "";
+}
+
+static char *ssl_compat_SSLSessionLockFile(
+ pool *p, const char *oline, const char *cmd, const char *args)
+{
+ char *cp;
+
+ for (cp = (char *)args; ap_isspace(*cp); cp++)
+ ;
+ return ap_pstrcat(p, "SSLMutex file:", cp, NULL);
+}
+
+static char *ssl_compat_SSLCacheDisable(
+ pool *p, const char *oline, const char *cmd, const char *args)
+{
+ char *cp;
+
+ for (cp = (char *)args; ap_isspace(*cp); cp++)
+ ;
+ if (strcEQ(cp, "on"))
+ return "SSLSessionCache none";
+ return "";
+}
+
+static char *ssl_compat_SSLRequireCipher(pool *p, const char *oline, const char *cmd, const char *args)
+{
+ return ap_pstrcat(p, "SSLRequire %{SSL_CIPHER} in {",
+ ssl_compat_words2list(p, args),
+ "}", NULL);
+}
+
+static char *ssl_compat_SSLBanCipher(pool *p, const char *oline, const char *cmd, const char *args)
+{
+ return ap_pstrcat(p, "SSLRequire not (%{SSL_CIPHER} in {",
+ ssl_compat_words2list(p, args),
+ "})", NULL);
+}
+
+static char *ssl_compat_SSL_SessionDir(
+ pool *p, const char *oline, const char *cmd, const char *args)
+{
+ char *cp;
+
+ for (cp = (char *)args; ap_isspace(*cp); cp++)
+ ;
+ return ap_pstrcat(p, "SSLSessionCache dir:", cp, NULL);
+}
+
+static char *ssl_compat_words2list(pool *p, const char *oline)
+{
+ char *line;
+ char *cpB;
+ char *cpE;
+ char *cpI;
+ char *cpO;
+ char n;
+
+ /*
+ * Step 1: Determine borders
+ */
+ cpB = (char *)oline;
+ while (*cpB == ' ' || *cpB == '\t')
+ cpB++;
+ cpE = cpB+strlen(cpB);
+ while (cpE > cpB && (*(cpE-1) == ' ' || *(cpE-1) == '\t'))
+ cpE--;
+
+ /*
+ * Step 2: Determine final size and allocate buffer
+ */
+ for (cpI = cpB, n = 1; cpI < cpE; cpI++)
+ if ((*cpI == ' ' || *cpI == '\t') &&
+ (cpI > cpB && *(cpI-1) != ' ' && *(cpI-1) != '\t'))
+ n++;
+ line = ap_palloc(p, (cpE-cpB)+(n*2)+n+1);
+ cpI = cpB;
+ cpO = line;
+ while (cpI < cpE) {
+ if ( (*cpI != ' ' && *cpI != '\t')
+ && ( cpI == cpB
+ || ( cpI > cpB
+ && (*(cpI-1) == ' ' || *(cpI-1) == '\t')))) {
+ *cpO++ = '"';
+ *cpO++ = *cpI++;
+ }
+ else if ( (*cpI == ' ' || *cpI == '\t')
+ && ( cpI > cpB
+ && (*(cpI-1) != ' ' && *(cpI-1) != '\t'))) {
+ *cpO++ = '"';
+ *cpO++ = ',';
+ *cpO++ = *cpI++;
+ }
+ else {
+ *cpO++ = *cpI++;
+ }
+ }
+ if (cpI > cpB && (*(cpI-1) != ' ' && *(cpI-1) != '\t'))
+ *cpO++ = '"';
+ *cpO++ = NUL;
+ return line;
+}
+
+char *ssl_compat_directive(server_rec *s, pool *p, const char *oline)
+{
+ int i;
+ char *line;
+ char *cp;
+ char caCmd[1024];
+ char *cpArgs;
+ int match;
+
+ /*
+ * Skip comment lines
+ */
+ cp = (char *)oline;
+ while ((*cp == ' ' || *cp == '\t' || *cp == '\n') && (*cp != NUL))
+ cp++;
+ if (*cp == '#' || *cp == NUL)
+ return NULL;
+
+ /*
+ * Extract directive name
+ */
+ cp = (char *)oline;
+ for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
+ caCmd[i++] = *cp++;
+ caCmd[i] = NUL;
+ cpArgs = cp;
+
+ /*
+ * Apply rewriting map
+ */
+ line = NULL;
+ for (i = 0; !(ssl_cmd_rewrite_map[i].cpCommand == NULL &&
+ ssl_cmd_rewrite_map[i].cpPattern == NULL ); i++) {
+ /*
+ * Matching
+ */
+ match = FALSE;
+ if (ssl_cmd_rewrite_map[i].cpCommand != NULL) {
+ if (strcEQ(ssl_cmd_rewrite_map[i].cpCommand, caCmd))
+ match = TRUE;
+ }
+ else if (ssl_cmd_rewrite_map[i].cpSubstring != NULL) {
+ if (strstr(oline, ssl_cmd_rewrite_map[i].cpSubstring) != NULL)
+ match = TRUE;
+ }
+ else if (ssl_cmd_rewrite_map[i].cpPattern != NULL) {
+ if (ap_fnmatch(ssl_cmd_rewrite_map[i].cpPattern, oline, 0))
+ match = TRUE;
+ }
+
+ /*
+ * Action Processing
+ */
+ if (match) {
+ if (ssl_cmd_rewrite_map[i].cpMessage != NULL) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, s,
+ "mod_ssl:Compat: OBSOLETE '%s' => %s",
+ oline, ssl_cmd_rewrite_map[i].cpMessage);
+ line = "";
+ break;
+ }
+ else if (ssl_cmd_rewrite_map[i].cpSubst != NULL) {
+ if (ssl_cmd_rewrite_map[i].cpCommand != NULL)
+ line = ap_pstrcat(p, ssl_cmd_rewrite_map[i].cpSubst,
+ cpArgs, NULL);
+ else if (ssl_cmd_rewrite_map[i].cpSubstring != NULL)
+ line = ssl_util_ptxtsub(p, oline, ssl_cmd_rewrite_map[i].cpSubstring,
+ ssl_cmd_rewrite_map[i].cpSubst);
+ else
+ line = ssl_cmd_rewrite_map[i].cpSubst;
+ break;
+ }
+ else if (ssl_cmd_rewrite_map[i].fpSubst != NULL) {
+ line = ((char *(*)(pool *, const char *, const char *, const char *))
+ (ssl_cmd_rewrite_map[i].fpSubst))(p, oline, caCmd, cpArgs);
+ break;
+ }
+ }
+ }
+ if (line != NULL && line[0] != NUL)
+ ap_log_error(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, s,
+ "mod_ssl:Compat: MAPPED '%s' => '%s'", oline, line);
+ return line;
+}
+
+/*
+ * The mapping of obsolete environment variables to official ones...
+ */
+
+#define VRM_BEGIN /* nop */
+#define VRM_ENTRY(var,action) { var, action },
+#define VRM_END { NULL, NULL, NULL }
+#define VRM_VAR(old) old
+#define VRM_SUB(new) new, NULL
+#define VRM_LOG(msg) NULL, msg
+
+static struct {
+ char *cpOld;
+ char *cpNew;
+ char *cpMsg;
+} ssl_var_rewrite_map[] = {
+ VRM_BEGIN
+
+ /*
+ * Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.x
+ * and Stronghold 2.x backward compatibility
+ */
+ VRM_ENTRY( VRM_VAR("SSL_PROTOCOL_VERSION"), VRM_SUB("SSL_PROTOCOL") )
+ VRM_ENTRY( VRM_VAR("SSLEAY_VERSION"), VRM_SUB("SSL_VERSION_LIBRARY") )
+ VRM_ENTRY( VRM_VAR("HTTPS_SECRETKEYSIZE"), VRM_SUB("SSL_CIPHER_USEKEYSIZE") )
+ VRM_ENTRY( VRM_VAR("HTTPS_KEYSIZE"), VRM_SUB("SSL_CIPHER_ALGKEYSIZE") )
+ VRM_ENTRY( VRM_VAR("HTTPS_CIPHER"), VRM_SUB("SSL_CIPHER") )
+ VRM_ENTRY( VRM_VAR("HTTPS_EXPORT"), VRM_SUB("SSL_CIPHER_EXPORT") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_KEY_SIZE"), VRM_SUB("SSL_CIPHER_ALGKEYSIZE") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CERTIFICATE"), VRM_SUB("SSL_SERVER_CERT") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CERT_START"), VRM_SUB("SSL_SERVER_V_START") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CERT_END"), VRM_SUB("SSL_SERVER_V_END") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CERT_SERIAL"), VRM_SUB("SSL_SERVER_M_SERIAL") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_SIGNATURE_ALGORITHM"),VRM_SUB("SSL_SERVER_A_SIG") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_DN"), VRM_SUB("SSL_SERVER_S_DN") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CN"), VRM_SUB("SSL_SERVER_S_DN_CN") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_EMAIL"), VRM_SUB("SSL_SERVER_S_DN_Email") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_O"), VRM_SUB("SSL_SERVER_S_DN_O") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_OU"), VRM_SUB("SSL_SERVER_S_DN_OU") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_C"), VRM_SUB("SSL_SERVER_S_DN_C") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_SP"), VRM_SUB("SSL_SERVER_S_DN_SP") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_L"), VRM_SUB("SSL_SERVER_S_DN_L") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_IDN"), VRM_SUB("SSL_SERVER_I_DN") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_ICN"), VRM_SUB("SSL_SERVER_I_DN_CN") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_IEMAIL"), VRM_SUB("SSL_SERVER_I_DN_Email") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_IO"), VRM_SUB("SSL_SERVER_I_DN_O") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_IOU"), VRM_SUB("SSL_SERVER_I_DN_OU") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_IC"), VRM_SUB("SSL_SERVER_I_DN_C") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_ISP"), VRM_SUB("SSL_SERVER_I_DN_SP") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_IL"), VRM_SUB("SSL_SERVER_I_DN_L") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_CERTIFICATE"), VRM_SUB("SSL_CLIENT_CERT") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_CERT_START"), VRM_SUB("SSL_CLIENT_V_START") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_CERT_END"), VRM_SUB("SSL_CLIENT_V_END") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_CERT_SERIAL"), VRM_SUB("SSL_CLIENT_M_SERIAL") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_SIGNATURE_ALGORITHM"),VRM_SUB("SSL_CLIENT_A_SIG") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_DN"), VRM_SUB("SSL_CLIENT_S_DN") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_CN"), VRM_SUB("SSL_CLIENT_S_DN_CN") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_EMAIL"), VRM_SUB("SSL_CLIENT_S_DN_Email") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_O"), VRM_SUB("SSL_CLIENT_S_DN_O") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_OU"), VRM_SUB("SSL_CLIENT_S_DN_OU") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_C"), VRM_SUB("SSL_CLIENT_S_DN_C") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_SP"), VRM_SUB("SSL_CLIENT_S_DN_SP") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_L"), VRM_SUB("SSL_CLIENT_S_DN_L") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_IDN"), VRM_SUB("SSL_CLIENT_I_DN") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_ICN"), VRM_SUB("SSL_CLIENT_I_DN_CN") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_IEMAIL"), VRM_SUB("SSL_CLIENT_I_DN_Email") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_IO"), VRM_SUB("SSL_CLIENT_I_DN_O") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_IOU"), VRM_SUB("SSL_CLIENT_I_DN_OU") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_IC"), VRM_SUB("SSL_CLIENT_I_DN_C") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_ISP"), VRM_SUB("SSL_CLIENT_I_DN_SP") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_IL"), VRM_SUB("SSL_CLIENT_I_DN_L") )
+ VRM_ENTRY( VRM_VAR("SSL_EXPORT"), VRM_SUB("SSL_CIPHER_EXPORT") )
+ VRM_ENTRY( VRM_VAR("SSL_KEYSIZE"), VRM_SUB("SSL_CIPHER_ALGKEYSIZE") )
+ VRM_ENTRY( VRM_VAR("SSL_SECRETKEYSIZE"), VRM_SUB("SSL_CIPHER_USEKEYSIZE") )
+ VRM_ENTRY( VRM_VAR("SSL_SSLEAY_VERSION"), VRM_SUB("SSL_VERSION_LIBRARY") )
+
+ VRM_ENTRY( VRM_VAR("SSL_STRONG_CRYPTO"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_KEY_EXP"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_KEY_SIZE"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_KEY_ALGORITHM"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_SESSIONDIR"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CERTIFICATELOGDIR"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_CERTFILE"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_KEYFILE"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_SERVER_KEYFILETYPE"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_KEY_EXP"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_KEY_ALGORITHM"), VRM_LOG("Not supported by mod_ssl") )
+ VRM_ENTRY( VRM_VAR("SSL_CLIENT_KEY_SIZE"), VRM_LOG("Not supported by mod_ssl") )
+
+ VRM_END
+};
+
+void ssl_compat_variables(request_rec *r)
+{
+ char *cpOld;
+ char *cpNew;
+ char *cpMsg;
+ char *cpVal;
+ int i;
+
+ for (i = 0; ssl_var_rewrite_map[i].cpOld != NULL; i++) {
+ cpOld = ssl_var_rewrite_map[i].cpOld;
+ cpMsg = ssl_var_rewrite_map[i].cpMsg;
+ cpNew = ssl_var_rewrite_map[i].cpNew;
+ if (cpNew != NULL) {
+ cpVal = ssl_var_lookup(r->pool, r->server, r->connection, r, cpNew);
+ if (!strIsEmpty(cpVal))
+ ap_table_set(r->subprocess_env, cpOld, cpVal);
+ }
+ else if (cpMsg != NULL) {
+#ifdef SSL_VENDOR
+ /*
+ * something that isn't provided by mod_ssl, so at least
+ * let vendor extensions provide a reasonable value first.
+ */
+ cpVal = NULL;
+ ap_hook_use("ap::mod_ssl::vendor::compat_variables_lookup",
+ AP_HOOK_SIG3(ptr,ptr,ptr),
+ AP_HOOK_DECLINE(NULL),
+ &cpVal, r, cpOld);
+ if (cpVal != NULL) {
+ ap_table_set(r->subprocess_env, cpOld, cpVal);
+ continue;
+ }
+#endif
+
+ /*
+ * we cannot print a message, so we set at least
+ * the variables content to the compat message
+ */
+ ap_table_set(r->subprocess_env, cpOld, cpMsg);
+ }
+ }
+ return;
+}
+
+#endif /* SSL_COMPAT */
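Review bot: In ssl_compat_directive the name-copy loop is bounded by `i < 1024` while the buffer is `char caCmd[1024]`, so a directive name of 1024 or more characters leaves i at 1024 and the following `caCmd[i] = NUL;` writes one byte past the end of the stack buffer. Bounding the loop with `i < (int)sizeof(caCmd) - 1` keeps the terminator inside the array. ssl_compat_words2list has a related sizing problem: the word counter is declared `char n;` and feeds `ap_palloc(p, (cpE-cpB)+(n*2)+n+1)`, so an argument list with more words than a char can count wraps the counter and under-sizes the pool buffer that the copy loop then fills; `int n;` would avoid that. Both functions parse configuration lines whose length is not limited anywhere in this file, so neither bound should rely on the input being short.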