*** apache_ssl.c.orig Thu Mar 2 17:20:59 2000 --- apache_ssl.c Thu Mar 2 17:25:48 2000 *************** *** 79,84 **** --- 79,85 ---- #define DEBUG_SSL_STATE FALSE #define USE_OLD_ENVIRONMENT FALSE /* Set to TRUE to use the old SSL_{CLIENT,SERVER}_I* instead of SSL_{CLIENT,SERVER}_I_* */ + #define USE_EXTENDED_ENVIRONMENT TRUE /* Set to TRUE to use the SSL_{CLIENT,SERVER}_{I,S}_DN* (~ mod_ssl) */ #define SSL_IS_OPTIONAL FALSE /* Set to TRUE if you want to allow SSL to be disabled on a per-request basis (useful for subrequests) */ *************** *** 528,533 **** --- 529,536 ---- if(pConfig->bDisabled || OPTIONAL_SSL) return DECLINED; + if (r->connection->client->ssl == NULL) return DECLINED; + #if RENEG # if DEBUG_RENEG fprintf(stderr,"Renegotiated for %s (%x)!\n",r->filename,VerifyFlags(rec)); *************** *** 604,621 **** *s=toupper(*s); } ! static void ExpandCert(pool *p,table *pEnv,char *szPrefix,char *szCert) { char buf[HUGE_STRING_LEN]; ! char *s,*t; /* Expand a X509_oneline entry into it's base components and register them as environment variables. Needed if you want to pass certificate information to CGI's. The naming convention SHOULD be fairly compatible with CGI's written for stronghold's certificate info - Q */ /* FIXME - strtok() and strcspn() may cause problems on some systems - Q */ ! t=ap_psprintf(p,"%sDN",szPrefix); ! ap_table_setn(pEnv,t,ap_pstrdup(p,szCert)); ap_cpystrn(buf,szCert,sizeof buf); for(s=strtok(buf,"/") ; s != NULL ; s=strtok(NULL,"/")) --- 607,658 ---- *s=toupper(*s); } ! #ifdef USE_EXTENDED_ENVIRONMENT ! static void get_serial(pool *p,table *pEnv,char *name, X509 *xs) ! { ! BIO *bio; ! char *result; ! int n; ! ! if ((bio = BIO_new(BIO_s_mem())) == NULL) return; ! i2a_ASN1_INTEGER(bio, X509_get_serialNumber(xs)); ! n = BIO_pending(bio); ! result = ap_pcalloc(p, n+1); ! n = BIO_read(bio, result, n); ! result[n] = 0; ! ap_table_setn(pEnv,name, result); ! BIO_free(bio); ! } ! ! 
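Review bot: USE_EXTENDED_ENVIRONMENT is defined with a TRUE/FALSE value like its neighbours, but every use later in the patch guards with `#ifdef USE_EXTENDED_ENVIRONMENT`, so setting it to FALSE still enables the extended variables. Either test it with `#if USE_EXTENDED_ENVIRONMENT` at each use, as USE_OLD_ENVIRONMENT is tested, or document that the macro must be left undefined to disable the feature. The comment could also name what gets exported, e.g. `/* Set to TRUE to also export SSL_{CLIENT,SERVER}_{S,I}_DN_*, _M_SERIAL, _M_VERSION and _V_{START,END} (~ mod_ssl) */`.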
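Review bot: Returning DECLINED when the connection carries no SSL object makes what appears to be the verification handler fail open: a request that reaches it on a server where SSL is not disabled, yet without an SSL session, skips the renegotiation and VerifyFlags checks that follow instead of being refused. Unless this is a known subrequest path, `if (r->connection->client->ssl == NULL) return FORBIDDEN;` with a logged message is the safer default; if subrequests are the intended case, a comment saying so would stop the guard from reading as a bypass. The enclosing function begins before the hunk, so the surrounding checks are inferred from the visible RENEG and VerifyFlags lines.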
static void get_valid(pool *p, table *pEnv, char *name, ASN1_UTCTIME *tm) ! { ! BIO *bio; ! char *result; ! int n; ! ! if ((bio = BIO_new(BIO_s_mem())) == NULL) return; ! ASN1_UTCTIME_print(bio, tm); ! n = BIO_pending(bio); ! result = ap_pcalloc(p, n+1); ! n = BIO_read(bio, result, n); ! result[n] = 0; ! ap_table_setn(pEnv, name, result); ! BIO_free(bio); ! } ! ! #endif ! ! static void ExpandCert(pool *p,table *pEnv,char *szPrefix, char *szDN, char *szCert) { char buf[HUGE_STRING_LEN]; ! char *s, *t; /* Expand a X509_oneline entry into it's base components and register them as environment variables. Needed if you want to pass certificate information to CGI's. The naming convention SHOULD be fairly compatible with CGI's written for stronghold's certificate info - Q */ /* FIXME - strtok() and strcspn() may cause problems on some systems - Q */ ! ap_table_setn(pEnv,szDN,ap_pstrdup(p,szCert)); ap_cpystrn(buf,szCert,sizeof buf); for(s=strtok(buf,"/") ; s != NULL ; s=strtok(NULL,"/")) *************** *** 701,706 **** --- 738,744 ---- if(pConfig->bDisabled || OPTIONAL_SSL) return; + if (r->connection->client->ssl == NULL) return; cipher=SSL_get_cipher(r->connection->client->ssl); ap_table_set(e,"HTTPS","on"); ap_table_set(e,"HTTPS_CIPHER",cipher); *************** *** 725,740 **** if(r->connection->client->szClientX509) { ! ExpandCert(r->pool,e,"SSL_CLIENT_", r->connection->client->szClientX509); xs=SSL_get_peer_certificate(r->connection->client->ssl); ExpandCert(r->pool,e, #if USE_OLD_ENVIRONMENT ! "SSL_CLIENT_I", #else ! "SSL_CLIENT_I_", #endif X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0)); #if APACHE_SSL_EXPORT_CERTS if(pDirConfig->bExportCerts) AddCertToEnv(r->pool,e,"SSL_CLIENT_CERT",xs); --- 763,792 ---- if(r->connection->client->szClientX509) { ! ExpandCert(r->pool,e,"SSL_CLIENT_", "SSL_CLIENT_DN", ! r->connection->client->szClientX509); ! #ifdef USE_EXTENDED_ENVIRONMENT ! 
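Review bot: In get_serial and get_valid the value returned by BIO_read is stored back into n and used as the index of the terminating byte without a sign check, so a failed read (BIO_read returns -1 on error) would write result[-1], one byte before the pool allocation; the return values of i2a_ASN1_INTEGER and ASN1_UTCTIME_print are likewise ignored. Guard both paths: bail out when `BIO_pending(bio) <= 0`, and after the read use `if (n < 0) n = 0;` before `result[n] = 0;`. get_valid also declares its parameter as ASN1_UTCTIME, but X509_get_notBefore/notAfter yield an ASN1_TIME that may be a GeneralizedTime for dates past 2049; if the linked OpenSSL provides ASN1_TIME_print, prefer it. Removing the `t=ap_psprintf(...)` line leaves `t` declared in ExpandCert; drop it if the rest of the loop, which runs past the hunk, no longer uses it.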
ExpandCert(r->pool,e,"SSL_CLIENT_S_DN_", "SSL_CLIENT_S_DN", r->connection->client->szClientX509); + #endif xs=SSL_get_peer_certificate(r->connection->client->ssl); ExpandCert(r->pool,e, #if USE_OLD_ENVIRONMENT ! "SSL_CLIENT_I", "SSL_CLIENT_I_DN", #else ! "SSL_CLIENT_I_", "SSL_CLIENT_I_DN", #endif X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0)); + #ifdef USE_EXTENDED_ENVIRONMENT + ExpandCert(r->pool,e, + "SSL_CLIENT_I_DN_", "SSL_CLIENT_I_DN", + X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0)); + get_serial(r->pool, e, "SSL_CLIENT_M_SERIAL", xs); + get_valid(r->pool, e, "SSL_CLIENT_V_START", X509_get_notBefore(xs)); + get_valid(r->pool, e, "SSL_CLIENT_V_END", X509_get_notAfter(xs)); + t=ap_psprintf(r->pool,"%lu", X509_get_version(xs)+1); + ap_table_setn(e,"SSL_CLIENT_M_VERSION",t); + #endif #if APACHE_SSL_EXPORT_CERTS if(pDirConfig->bExportCerts) AddCertToEnv(r->pool,e,"SSL_CLIENT_CERT",xs); *************** *** 742,756 **** } xs=SSL_get_certificate(r->connection->client->ssl); ! ExpandCert(r->pool,e,"SSL_SERVER_", X509_NAME_oneline(X509_get_subject_name(xs),NULL,0)); ExpandCert(r->pool,e, #if USE_OLD_ENVIRONMENT ! "SSL_SERVER_I", #else ! "SSL_SERVER_I_", #endif X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0)); #if APACHE_SSL_EXPORT_CERTS # if !APACHE_SSL_KEEP_CERTS --- 794,822 ---- } xs=SSL_get_certificate(r->connection->client->ssl); ! ExpandCert(r->pool,e,"SSL_SERVER_", "SSL_SERVER_DN", ! X509_NAME_oneline(X509_get_subject_name(xs),NULL,0)); ! #ifdef USE_EXTENDED_ENVIRONMENT ! ExpandCert(r->pool,e,"SSL_SERVER_S_", "SSL_SERVER_S_DN", X509_NAME_oneline(X509_get_subject_name(xs),NULL,0)); + #endif ExpandCert(r->pool,e, #if USE_OLD_ENVIRONMENT ! "SSL_SERVER_I", "SSL_SERVER_I_DN", #else ! 
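Review bot: The new block dereferences xs in get_serial, get_valid and X509_get_version without checking that SSL_get_peer_certificate returned non-NULL; szClientX509 being set is not an obvious guarantee of that, so add `if (xs == NULL) return;` (or skip the block) before the first use. Each X509_NAME_oneline(…, NULL, 0) call allocates a buffer that is never released, and the hunk now calls it twice for the issuer; computing it once into a local, passing it to both ExpandCert calls and freeing it afterwards removes the duplicate work and the leak. SSL_get_peer_certificate also hands back a reference that should be released with X509_free once the environment is built. `%lu` is paired with the long returned by X509_get_version; `%ld` matches. The enclosing function starts before the hunk and t is assumed to be declared there.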
"SSL_SERVER_I_", "SSL_SERVER_I_DN", #endif X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0)); + #ifdef USE_EXTENDED_ENVIRONMENT + ExpandCert(r->pool,e, + "SSL_SERVER_I_DN_", "SSL_SERVER_I_DN", + X509_NAME_oneline(X509_get_issuer_name(xs),NULL,0)); + get_serial(r->pool, e, "SSL_SERVER_M_SERIAL", xs); + get_valid(r->pool, e, "SSL_SERVER_V_START", X509_get_notBefore(xs)); + get_valid(r->pool, e, "SSL_SERVER_V_END", X509_get_notAfter(xs)); + t=ap_psprintf(r->pool,"%lu", X509_get_version(xs)+1); + ap_table_setn(e,"SSL_SERVER_M_VERSION",t); + #endif #if APACHE_SSL_EXPORT_CERTS # if !APACHE_SSL_KEEP_CERTS *************** *** 965,970 **** --- 1031,1039 ---- t=GlobalCacheGet(aucKey,nKey,pnData,&tExpiresAt); if(!t) return NULL; + #if DEBUG_SESSIONS + fprintf(stderr,"Session found in global cache, to=%ld\n", tExpiresAt); + #endif t2=malloc(nKey); memcpy(t2,aucKey,nKey); *************** *** 977,982 **** --- 1046,1054 ---- t=p->aucData; *pnData=p->nData; *pbLocal=TRUE; + #if DEBUG_SESSIONS + fprintf(stderr,"Session found in local cache\n"); + #endif } return t; } *************** *** 1065,1070 **** --- 1137,1143 ---- pConfig=ap_get_module_config(pCurrentConnection->server->module_config, &apache_ssl_module); tExpiresAt=time(NULL)+pConfig->tSessionCacheTimeout; + SSL_set_timeout(pSession, pConfig->tSessionCacheTimeout); t=malloc(pSession->session_id_length); memcpy(t,pSession->session_id,pSession->session_id_length); *************** *** 1098,1105 **** #endif t=CacheFind(aucSessionID,nLength,&nData,&bLocal); ! if(!t) return NULL; pSession=d2i_SSL_SESSION(NULL,&t,nData); if(!pSession) --- 1171,1182 ---- #endif t=CacheFind(aucSessionID,nLength,&nData,&bLocal); ! if(!t) { ! #if DEBUG_SESSIONS ! fprintf(stderr,"Session not found\n"); ! #endif return NULL; + } pSession=d2i_SSL_SESSION(NULL,&t,nData); if(!pSession)
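Review bot: The server-side prefixes are inconsistent with the client side and with the mod_ssl names the new option claims to mirror: the client uses `"SSL_CLIENT_S_DN_"` and `"SSL_CLIENT_I_DN_"` as component prefixes, but here the subject components get `"SSL_SERVER_S_"` (yielding e.g. SSL_SERVER_S_CN rather than SSL_SERVER_S_DN_CN) while the issuer gets `"SSL_SERVER_I_DN_"`. Change the subject call to `ExpandCert(r->pool,e,"SSL_SERVER_S_DN_", "SSL_SERVER_S_DN", X509_NAME_oneline(X509_get_subject_name(xs),NULL,0));`. As on the client side, X509_NAME_oneline(…, NULL, 0) is now invoked twice each for subject and issuer and none of the four returned buffers is freed; compute each once and release it after the ExpandCert calls. The enclosing function continues past the hunk.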
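Review bot: The debug fprintf prints tExpiresAt with `%ld`; if tExpiresAt is a time_t, as its use with time() elsewhere in the patch suggests, that is a format/argument mismatch on platforms where time_t is not long. Cast it explicitly: `fprintf(stderr,"Session found in global cache, to=%ld\n", (long)tExpiresAt);`. The enclosing function starts before the hunk.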
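Review bot: SSL_set_timeout is applied to pSession right after tExpiresAt is computed, which presumably is meant to keep OpenSSL's own session expiry in step with the cache's; whether the stored copy inherits it depends on this call preceding the i2d_SSL_SESSION serialisation, which lies outside the hunk, so confirm the order. The return value of SSL_set_timeout is discarded. A one-line comment would record the intent: `/* align OpenSSL's session timeout with the cache expiry so a restored session is not resumed past tExpiresAt */`. The enclosing function starts before the hunk.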