packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
httpd/mod_ssl-Fixes-PR-62654-where-require-ssl-did-not-wor.patch

176 lines
6.0 KiB
Diff
Raw Normal View History

Package init
2019-12-26 15:53:32 +08:00
From 13a0cba7b804a173499758bb696d67fac371205c Mon Sep 17 00:00:00 2001
From: Graham Leggett <minfrin@apache.org>
Date: Fri, 23 Nov 2018 15:10:24 +0000
Subject: [PATCH 276/504] *) mod_ssl: Fixes PR 62654 where "require ssl" did
not work on HTTP/2 connections, and PR 61519 where $HTTPS was incorrect
for the "SSLEngine optional" case. +1: jorton, jim, minfrin
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847284 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 4 ++++
STATUS | 11 -----------
modules/ssl/mod_ssl.c | 16 ++--------------
modules/ssl/ssl_engine_kernel.c | 33 +++++++++++----------------------
modules/ssl/ssl_private.h | 5 +++++
modules/ssl/ssl_util.c | 17 +++++++++++++++++
6 files changed, 39 insertions(+), 47 deletions(-)
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 37947e78f7..9fdf9e042e 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -618,24 +618,12 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
static const char *ssl_hook_http_scheme(const request_rec *r)
{
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
-
- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
- return NULL;
- }
-
- return "https";
+ return modssl_request_is_tls(r, NULL) ? "https" : NULL;
}
static apr_port_t ssl_hook_default_port(const request_rec *r)
{
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
-
- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
- return 0;
- }
-
- return 443;
+ return modssl_request_is_tls(r, NULL) ? 443 : 0;
}
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index de0ffb09ef..62d5539e82 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1342,8 +1342,7 @@ int ssl_hook_Access(request_rec *r)
*/
int ssl_hook_UserCheck(request_rec *r)
{
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ SSLConnRec *sslconn;
SSLDirConfigRec *dc = myDirConfig(r);
char *clientdn;
const char *auth_line, *username, *password;
@@ -1392,15 +1391,15 @@ int ssl_hook_UserCheck(request_rec *r)
/*
* We decline operation in various situations...
+ * - TLS not enabled
+ * - client did not present a certificate
* - SSLOptions +FakeBasicAuth not configured
* - r->user already authenticated
- * - ssl not enabled
- * - client did not present a certificate
*/
- if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
- && sslconn && sslconn->ssl && sslconn->client_cert) ||
- !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
- {
+ if (!modssl_request_is_tls(r, &sslconn)
+ || !sslconn->client_cert
+ || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH)
+ || r->user) {
return DECLINED;
}
@@ -1500,8 +1499,6 @@ static const char *const ssl_hook_Fixup_vars[] = {
int ssl_hook_Fixup(request_rec *r)
{
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *env = r->subprocess_env;
char *var, *val = "";
@@ -1509,19 +1506,14 @@ int ssl_hook_Fixup(request_rec *r)
const char *servername;
#endif
STACK_OF(X509) *peer_certs;
+ SSLConnRec *sslconn;
SSL *ssl;
int i;
- if (!(sslconn && sslconn->ssl) && r->connection->master) {
- sslconn = myConnConfig(r->connection->master);
- }
-
- /*
- * Check to see if SSL is on
- */
- if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
+ if (!modssl_request_is_tls(r, &sslconn)) {
return DECLINED;
}
+ ssl = sslconn->ssl;
/*
* Annotate the SSI/CGI environment with standard SSL information
@@ -1595,10 +1587,7 @@ static authz_status ssl_authz_require_ssl_check(request_rec *r,
const char *require_line,
const void *parsed)
{
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSL *ssl = sslconn ? sslconn->ssl : NULL;
-
- if (ssl)
+ if (modssl_request_is_tls(r, NULL))
return AUTHZ_GRANTED;
else
return AUTHZ_DENIED;
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 160640384d..f46814d0ad 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -1101,6 +1101,11 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
* memory. */
DH *modssl_get_dh_params(unsigned keylen);
+/* Returns non-zero if the request was made over SSL/TLS. If sslconn
+ * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
+ * corresponding SSLConnRec structure for the connection. */
+int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);
+
int ssl_is_challenge(conn_rec *c, const char *servername,
X509 **pcert, EVP_PKEY **pkey);
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index c372044bbb..0d23465e87 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -100,6 +100,23 @@ BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
return FALSE;
}
+int modssl_request_is_tls(const request_rec *r, SSLConnRec **scout)
+{
+ SSLConnRec *sslconn = myConnConfig(r->connection);
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+ if (!(sslconn && sslconn->ssl) && r->connection->master) {
+ sslconn = myConnConfig(r->connection->master);
+ }
+
+ if (sc->enabled == SSL_ENABLED_FALSE || !sslconn || !sslconn->ssl)
+ return 0;
+
+ if (scout) *scout = sslconn;
+
+ return 1;
+}
+
apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
const char * const *argv)
{
--
2.19.1
Reference in New Issue Copy Permalink