[Fedora-directory-commits] coolkey/src/libckyapplet Makefile.in, 1.4, 1.5
by Doctor Conrad
Author: rrelyea
Update of /cvs/dirsec/coolkey/src/libckyapplet
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24612/libckyapplet
Modified Files:
Makefile.in
Log Message:
Checking autobuild Makefiles with Windows build changes.
Index: Makefile.in
===================================================================
RCS file: /cvs/dirsec/coolkey/src/libckyapplet/Makefile.in,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- Makefile.in 18 Aug 2006 00:40:25 -0000 1.4
+++ Makefile.in 18 Aug 2006 00:54:39 -0000 1.5
@@ -238,7 +238,7 @@
dynlink.c
quote = \"
-libckyapplet_la_LDFLAGS = -version-info 1:0:0 -no-undefined
+libckyapplet_la_LDFLAGS = -version-info 1:0:0
libckyapplet_la_CFLAGS = $(CFLAGS) -DSCARD_LIB_NAME=$(quote)$(SCARD_LIB_NAME)$(quote) $(PCSC_CFLAGS)
nobase_include_HEADERS = \
cky_base.h \
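Review bot: This hunk drops `-no-undefined` from `libckyapplet_la_LDFLAGS`, which revision 1.4 (further down this page) added with a log message saying Windows needs it to produce a shared library at all, so revision 1.5 presumably regenerated Makefile.in from a Makefile.am that never carried the flag. Makefile.in is automake output and a hand edit to it is lost on the next autobuild; if the flag is wanted it belongs in src/libckyapplet/Makefile.am (not shown here), e.g. `libckyapplet_la_LDFLAGS = -version-info 1:0:0 -no-undefined`, followed by a regeneration, which is what the coolkey Makefile.am change on this page does. As committed, the Windows build of libckyapplet is back in the state the 1.4 log describes.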
[Fedora-directory-commits] coolkey/src/coolkey Makefile.in,1.2,1.3
by Doctor Conrad
Author: rrelyea
Update of /cvs/dirsec/coolkey/src/coolkey
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24612/coolkey
Modified Files:
Makefile.in
Log Message:
Checking autobuild Makefiles with Windows build changes.
Index: Makefile.in
===================================================================
RCS file: /cvs/dirsec/coolkey/src/coolkey/Makefile.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- Makefile.in 9 Jun 2006 21:56:34 -0000 1.2
+++ Makefile.in 18 Aug 2006 00:54:38 -0000 1.3
@@ -253,10 +253,10 @@
slot.h \
$(NULL)
-libcoolkeypk11_la_LDFLAGS = -module -avoid-version -export-symbols coolkeypk11.sym
-libcoolkeypk11_la_CPPFLAGS = $(CPPFLAGS) -DNSS_HIDE_NONSTANDARD_OBJECTS=1 -I$(top_srcdir)/src/libckyapplet $(PCSC_CFLAGS)
+libcoolkeypk11_la_LDFLAGS = -module -avoid-version -export-symbols coolkeypk11.sym -no-undefined
+libcoolkeypk11_la_CPPFLAGS = $(CPPFLAGS) -DNSS_HIDE_NONSTANDARD_OBJECTS=1 -I$(top_srcdir)/src/libckyapplet $(PCSC_CFLAGS) $(ZLIB_CFLAGS)
libcoolkeypk11_la_DEPENDENCIES = coolkeypk11.sym
-libcoolkeypk11_la_LIBADD = @LIBCKYAPPLET@
+libcoolkeypk11_la_LIBADD = @LIBCKYAPPLET@ $(ZLIB_LIBRARY)
all: all-recursive
.SUFFIXES:
[Fedora-directory-commits] coolkey/src/coolkey Makefile.am,1.2,1.3
by Doctor Conrad
Author: rrelyea
Update of /cvs/dirsec/coolkey/src/coolkey
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24551
Modified Files:
Makefile.am
Log Message:
Windows build changes.
Index: Makefile.am
===================================================================
RCS file: /cvs/dirsec/coolkey/src/coolkey/Makefile.am,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- Makefile.am 9 Jun 2006 21:56:34 -0000 1.2
+++ Makefile.am 18 Aug 2006 00:41:42 -0000 1.3
@@ -48,10 +48,10 @@
slot.h \
$(NULL)
-libcoolkeypk11_la_LDFLAGS = -module -avoid-version -export-symbols coolkeypk11.sym
-libcoolkeypk11_la_CPPFLAGS = $(CPPFLAGS) -DNSS_HIDE_NONSTANDARD_OBJECTS=1 -I$(top_srcdir)/src/libckyapplet $(PCSC_CFLAGS)
+libcoolkeypk11_la_LDFLAGS = -module -avoid-version -export-symbols coolkeypk11.sym -no-undefined
+libcoolkeypk11_la_CPPFLAGS = $(CPPFLAGS) -DNSS_HIDE_NONSTANDARD_OBJECTS=1 -I$(top_srcdir)/src/libckyapplet $(PCSC_CFLAGS) $(ZLIB_CFLAGS)
libcoolkeypk11_la_DEPENDENCIES = coolkeypk11.sym
-libcoolkeypk11_la_LIBADD = @LIBCKYAPPLET@
+libcoolkeypk11_la_LIBADD = @LIBCKYAPPLET@ $(ZLIB_LIBRARY)
#
[Fedora-directory-commits] coolkey/src/libckyapplet Makefile.in, 1.3, 1.4
by Doctor Conrad
Author: rrelyea
Update of /cvs/dirsec/coolkey/src/libckyapplet
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24515
Modified Files:
Makefile.in
Log Message:
Add -no-undefined so that Windows will actually build a shared library.
Index: Makefile.in
===================================================================
RCS file: /cvs/dirsec/coolkey/src/libckyapplet/Makefile.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- Makefile.in 10 Jun 2006 00:51:09 -0000 1.3
+++ Makefile.in 18 Aug 2006 00:40:25 -0000 1.4
@@ -238,7 +238,7 @@
dynlink.c
quote = \"
-libckyapplet_la_LDFLAGS = -version-info 1:0:0
+libckyapplet_la_LDFLAGS = -version-info 1:0:0 -no-undefined
libckyapplet_la_CFLAGS = $(CFLAGS) -DSCARD_LIB_NAME=$(quote)$(SCARD_LIB_NAME)$(quote) $(PCSC_CFLAGS)
nobase_include_HEADERS = \
cky_base.h \
[Fedora-directory-commits] mod_nss nss_engine_kernel.c,1.8,1.9
by Doctor Conrad
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1959
Modified Files:
nss_engine_kernel.c
Log Message:
Merge in http://svn.apache.org/viewvc?view=rev&revision=354394
* nss_engine_kernel.c (nss_hook_Access): Omit further access control
checks if SSL is not in use regardless of vhost settings.
Index: nss_engine_kernel.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_kernel.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- nss_engine_kernel.c 9 Aug 2006 20:11:45 -0000 1.8
+++ nss_engine_kernel.c 9 Aug 2006 20:32:47 -0000 1.9
@@ -126,11 +126,14 @@
}
/*
- * Check to see if SSL protocol is on
+ * Check to see if SSL protocol is enabled. If it's not then
+ * no further access control checks are relevant. The test for
+ * sc->enabled is probably strictly unnecessary
*/
- if (!(sc->enabled || ssl)) {
+ if (!(sc->enabled || !ssl)) {
return DECLINED;
}
+
/*
* Support for per-directory reconfigured SSL connection parameters.
*
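Review bot: The new guard `if (!(sc->enabled || !ssl))` does not implement what the new comment says: it is equivalent to `!sc->enabled && ssl`, so a plain-HTTP connection on a vhost with NSS disabled (`ssl == NULL`, `sc->enabled` false) evaluates to `!(0 || 1)`, i.e. false, and falls through into the SSL access-control checks instead of returning DECLINED. Since the comment itself says the `sc->enabled` test is probably unnecessary, the intended condition is `if (!(sc->enabled && ssl))` or simply `if (!ssl)`, which declines whenever no NSS socket is attached to the connection. nss_hook_Access's body continues outside this hunk, so I cannot see which later lines dereference `ssl` on that path, but the guard contradicts its own comment and should be fixed regardless.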
[Fedora-directory-commits] mod_nss mod_nss.h, 1.14, 1.15 nss_engine_io.c, 1.6, 1.7 nss_engine_kernel.c, 1.7, 1.8
by Doctor Conrad
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv903
Modified Files:
mod_nss.h nss_engine_io.c nss_engine_kernel.c
Log Message:
Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=290965
Implement a (bounded) buffer of request body data to provide a limited
but safe fix for the mod_nss renegotiation-vs-requests-with-bodies
bug:
* mod_nss.h (nss_io_buffer_fill): Add prototype.
* nss_engine_io.c (nss_io_buffer_fill,
nss_io_filter_buffer): New functions.
* nss_engine_kernel.c (nss_hook_Access): If a renegotiation is needed,
and the request has a non-zero content-length, or a t-e header (and
100-continue was not requested), call nss_io_buffer_fill to set aside
the request body data if possible, then proceed with the negotiation.
PR: 12355
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- mod_nss.h 9 Aug 2006 19:17:56 -0000 1.14
+++ mod_nss.h 9 Aug 2006 20:11:45 -0000 1.15
@@ -447,6 +447,10 @@
void nss_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
char *nss_util_readfilter(server_rec *, apr_pool_t *, const char *,
const char * const *);
+/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
+ * to allow an SSL renegotiation to take place. */
+int nss_io_buffer_fill(request_rec *r);
+
int nss_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix);
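Review bot: The comment on the new prototype names `ssl_io_buffer_fill`, the mod_ssl function this was merged from, while the declaration beneath it is `nss_io_buffer_fill`, so a reader searching for the name in the comment finds nothing. Suggest `/* nss_io_buffer_fill reads and sets aside the request body so that an SSL renegotiation can take place; returns 0 on success or an HTTP status code. */` — the return convention is visible in the nss_engine_io.c hunk on this page (0, HTTP_INTERNAL_SERVER_ERROR or HTTP_REQUEST_ENTITY_TOO_LARGE).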
/* Pass Phrase Handling */
Index: nss_engine_io.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_io.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- nss_engine_io.c 7 Apr 2006 20:17:12 -0000 1.6
+++ nss_engine_io.c 9 Aug 2006 20:11:45 -0000 1.7
@@ -602,6 +602,7 @@
}
static const char nss_io_filter[] = "NSS SSL/TLS Filter";
+static const char nss_io_buffer[] = "NSS SSL/TLS Buffer";
static apr_status_t nss_filter_io_shutdown(nss_filter_ctx_t *filter_ctx,
conn_rec *c,
@@ -916,6 +917,180 @@
return;
}
+/* 128K maximum buffer size by default. */
+#ifndef SSL_MAX_IO_BUFFER
+#define SSL_MAX_IO_BUFFER (128 * 1024)
+#endif
+
+struct modnss_buffer_ctx {
+ apr_bucket_brigade *bb;
+};
+
+int nss_io_buffer_fill(request_rec *r)
+{
+ conn_rec *c = r->connection;
+ struct modnss_buffer_ctx *ctx;
+ apr_bucket_brigade *tempb;
+ apr_off_t total = 0; /* total length buffered */
+ int eos = 0; /* non-zero once EOS is seen */
+
+ /* Create the context which will be passed to the input filter. */
+ ctx = apr_palloc(r->pool, sizeof *ctx);
+ ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc);
+
+ /* ... and a temporary brigade. */
+ tempb = apr_brigade_create(r->pool, c->bucket_alloc);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "filling buffer");
+
+ do {
+ apr_status_t rv;
+ apr_bucket *e, *next;
+
+ /* The request body is read from the protocol-level input
+ * filters; the buffering filter will reinject it from that
+ * level, allowing content/resource filters to run later, if
+ * necessary. */
+
+ rv = ap_get_brigade(r->proto_input_filters, tempb, AP_MODE_READBYTES,
+ APR_BLOCK_READ, 8192);
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "could not read request body for SSL buffer");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ /* Iterate through the returned brigade: setaside each bucket
+ * into the context's pool and move it into the brigade. */
+ for (e = APR_BRIGADE_FIRST(tempb);
+ e != APR_BRIGADE_SENTINEL(tempb) && !eos; e = next) {
+ const char *data;
+ apr_size_t len;
+
+ next = APR_BUCKET_NEXT(e);
+
+ if (APR_BUCKET_IS_EOS(e)) {
+ eos = 1;
+ } else if (!APR_BUCKET_IS_METADATA(e)) {
+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "could not read bucket for SSL buffer");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ total += len;
+ }
+
+ rv = apr_bucket_setaside(e, r->pool);
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "could not setaside bucket for SSL buffer");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ APR_BUCKET_REMOVE(e);
+ APR_BRIGADE_INSERT_TAIL(ctx->bb, e);
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "total of %" APR_OFF_T_FMT " bytes in buffer, eos=%d",
+ total, eos);
+
+ /* Fail if this exceeds the maximum buffer size. */
+ if (total > SSL_MAX_IO_BUFFER) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "request body exceeds maximum size for SSL buffer");
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
+ } while (!eos);
+
+ apr_brigade_destroy(tempb);
+
+ /* Insert the filter which will supply the buffered data. */
+ ap_add_input_filter(nss_io_buffer, ctx, r, c);
+
+ return 0;
+}
+
+/* This input filter supplies the buffered request body to the caller
+ * from the brigade stored in f->ctx. */
+static apr_status_t nss_io_filter_buffer(ap_filter_t *f,
+ apr_bucket_brigade *bb,
+ ap_input_mode_t mode,
+ apr_read_type_e block,
+ apr_off_t bytes)
+{
+ struct modnss_buffer_ctx *ctx = f->ctx;
+ apr_status_t rv;
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, f->r,
+ "read from buffered SSL brigade, mode %d, "
+ "%" APR_OFF_T_FMT " bytes",
+ mode, bytes);
+
+ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
+ return APR_ENOTIMPL;
+ }
+
+ if (mode == AP_MODE_READBYTES) {
+ apr_bucket *e;
+
+ /* Partition the buffered brigade. */
+ rv = apr_brigade_partition(ctx->bb, bytes, &e);
+ if (rv && rv != APR_INCOMPLETE) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r,
+ "could not partition buffered SSL brigade");
+ ap_remove_input_filter(f);
+ return rv;
+ }
+
+ /* If the buffered brigade contains less then the requested
+ * length, just pass it all back. */
+ if (rv == APR_INCOMPLETE) {
+ APR_BRIGADE_CONCAT(bb, ctx->bb);
+ } else {
+ apr_bucket *d = APR_BRIGADE_FIRST(ctx->bb);
+
+ e = APR_BUCKET_PREV(e);
+
+ /* Unsplice the partitioned segment and move it into the
+ * passed-in brigade; no convenient way to do this with
+ * the APR_BRIGADE_* macros. */
+ APR_RING_UNSPLICE(d, e, link);
+ APR_RING_SPLICE_HEAD(&bb->list, d, e, apr_bucket, link);
+ }
+ }
+ else {
+ /* Split a line into the passed-in brigade. */
+ rv = apr_brigade_split_line(bb, ctx->bb, mode, bytes);
+
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r,
+ "could not split line from buffered SSL brigade");
+ ap_remove_input_filter(f);
+ return rv;
+ }
+ }
+
+ if (APR_BRIGADE_EMPTY(ctx->bb)) {
+ apr_bucket *e = APR_BRIGADE_LAST(bb);
+
+ /* Ensure that the brigade is terminated by an EOS if the
+ * buffered request body has been entirely consumed. */
+ if (e == APR_BRIGADE_SENTINEL(bb) || !APR_BUCKET_IS_EOS(e)) {
+ e = apr_bucket_eos_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, e);
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, f->r,
+ "buffered SSL brigade now exhausted; removing filter");
+ ap_remove_input_filter(f);
+ }
+
+ return APR_SUCCESS;
+}
+
static void nss_io_input_add_filter(nss_filter_ctx_t *filter_ctx, conn_rec *c,
PRFileDesc *ssl)
{
@@ -962,6 +1137,7 @@
{
ap_register_input_filter (nss_io_filter, nss_io_filter_input, NULL, AP_FTYPE_CONNECTION + 5);
ap_register_output_filter (nss_io_filter, nss_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);
+ ap_register_input_filter (nss_io_buffer, nss_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL - 1);
return;
}
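Review bot: In nss_io_filter_buffer the GETLINE branch passes `mode` (an `ap_input_mode_t`, AP_MODE_GETLINE) where `apr_brigade_split_line` takes an `apr_read_type_e`, although the correct `block` argument is already a parameter of the filter; it should read `rv = apr_brigade_split_line(bb, ctx->bb, block, bytes);`. This is harmless today only because every bucket in `ctx->bb` was set aside into memory by nss_io_buffer_fill, so the read type never matters, but it is an enum mix-up that a future non-heap bucket would expose. Separately, in nss_io_buffer_fill the `total > SSL_MAX_IO_BUFFER` test runs after the 8192-byte read has already been set aside, so the retained body can exceed the documented 128K limit by up to one read before 413 is returned; the bound still holds, but the comment on SSL_MAX_IO_BUFFER could say "approximate, checked per 8K read".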
Index: nss_engine_kernel.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_kernel.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- nss_engine_kernel.c 9 Aug 2006 19:31:18 -0000 1.7
+++ nss_engine_kernel.c 9 Aug 2006 20:11:45 -0000 1.8
@@ -312,73 +312,35 @@
}
}
- /*
- * SSL renegotiations in conjunction with HTTP
- * requests using the POST method are not supported.
- *
- * Background:
- *
- * 1. When the client sends a HTTP/HTTPS request, Apache's core code
- * reads only the request line ("METHOD /path HTTP/x.y") and the
- * attached MIME headers ("Foo: bar") up to the terminating line ("CR
- * LF"). An attached request body (for instance the data of a POST
- * method) is _NOT_ read. Instead it is read by mod_cgi's content
- * handler and directly passed to the CGI script.
- *
- * 2. mod_ssl supports per-directory re-configuration of SSL parameters.
- * This is implemented by performing an SSL renegotiation of the
- * re-configured parameters after the request is read, but before the
- * response is sent. In more detail: the renegotiation happens after the
- * request line and MIME headers were read, but _before_ the attached
- * request body is read. The reason simply is that in the HTTP protocol
- * usually there is no acknowledgment step between the headers and the
- * body (there is the 100-continue feature and the chunking facility
- * only), so Apache has no API hook for this step.
- *
- * 3. the problem now occurs when the client sends a POST request for
- * URL /foo via HTTPS the server and the server has SSL parameters
- * re-configured on a per-URL basis for /foo. Then mod_ssl has to
- * perform an SSL renegotiation after the request was read and before
- * the response is sent. But the problem is the pending POST body data
- * in the receive buffer of SSL (which Apache still has not read - it's
- * pending until mod_cgi sucks it in). When mod_ssl now tries to perform
- * the renegotiation the pending data leads to an I/O error.
- *
- * Solution Idea:
- *
- * There are only two solutions: Either to simply state that POST
- * requests to URLs with SSL re-configurations are not allowed, or to
- * renegotiate really after the _complete_ request (i.e. including
- * the POST body) was read. Obviously the latter would be preferred,
- * but it cannot be done easily inside Apache, because as already
- * mentioned, there is no API step between the body reading and the body
- * processing. And even when we mod_ssl would hook directly into the
- * loop of mod_cgi, we wouldn't solve the problem for other handlers, of
- * course. So the only general solution is to suck in the pending data
- * of the request body from the OpenSSL BIO into the Apache BUFF. Then
- * the renegotiation can be done and after this step Apache can proceed
- * processing the request as before.
+ /* If a renegotiation is now required for this location, and the
+ * request includes a message body (and the client has not
+ * requested a "100 Continue" response), then the client will be
+ * streaming the request body over the wire already. In that
+ * case, it is not possible to stop and perform a new SSL
+ * handshake immediately; once the SSL library moves to the
+ * "accept" state, it will reject the SSL packets which the client
+ * is sending for the request body.
*
- * Solution Implementation:
- *
- * We cannot simply suck in the data via an SSL_read-based loop because of
- * HTTP chunking. Instead we _have_ to use the Apache API for this step which
- * is aware of HTTP chunking. So the trick is to suck in the pending request
- * data via the Apache API (which uses Apache's BUFF code and in the
- * background mod_ssl's I/O glue code) and re-inject it later into the Apache
- * BUFF code again. This way the data flows twice through the Apache BUFF, of
- * course. But this way the solution doesn't depend on any Apache specifics
- * and is fully transparent to Apache modules.
- *
- * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !!
- */
- if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
- "SSL Re-negotiation in conjunction "
- "with POST method not supported!"
- "hint: try NSSOptions +OptRenegotiate");
+ * To allow authentication to complete in this auth hook, the
+ * solution used here is to fill a (bounded) buffer with the
+ * request body, and then to reinject that request body later.
+ */
+ if (renegotiate && !renegotiate_quick
+ && (apr_table_get(r->headers_in, "transfer-encoding")
+ || (apr_table_get(r->headers_in, "content-length")
+ && strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
+ && !r->expecting_100) {
+ int rv;
- return HTTP_METHOD_NOT_ALLOWED;
+ /* Fill the I/O buffer with the request body if possible. */
+ rv = nss_io_buffer_fill(r);
+
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "could not buffer message body to allow "
+ "SSL renegotiation to proceed");
+ return rv;
+ }
}
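Review bot: The new condition triggers buffering on any non-"0" Content-Length without looking at its value, so a request declaring a body larger than the buffer limit is still read and set aside up to 128K before nss_io_buffer_fill rejects it with 413; since the header is already in hand here, a cheap pre-check (parse it with `apr_strtoff` and return HTTP_REQUEST_ENTITY_TOO_LARGE when it exceeds the limit) would avoid that work, though SSL_MAX_IO_BUFFER is currently private to nss_engine_io.c and would need to move to mod_nss.h. As a smaller point of style, `apr_table_get(r->headers_in, "content-length")` is evaluated twice in the same expression; fetching it once into a local (`const char *clen = apr_table_get(r->headers_in, "content-length");`) reads better. Note also that `strcmp(..., "0")` treats forms like "00" as non-zero, which only costs an empty buffering pass, so no change is needed there. nss_hook_Access begins and ends outside this hunk.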
/*
[Fedora-directory-commits] mod_nss nss_engine_vars.c, 1.7, 1.8 nss_engine_kernel.c, 1.6, 1.7
by Doctor Conrad
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29576
Modified Files:
nss_engine_vars.c nss_engine_kernel.c
Log Message:
Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=104700
* nss_engine_vars.c (nss_var_lookup_ssl_cert_remain): New function.
(nss_var_lookup_nss_cert): Support _V_REMAIN suffix for
SSL_{SERVER,CLIENT} as number of days until certificate expires.
* nss_engine_kernel.c: Export SSL_CLIENT_V_REMAIN if +StdEnvVars is
configured.
Index: nss_engine_vars.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_vars.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- nss_engine_vars.c 3 Aug 2006 13:29:05 -0000 1.7
+++ nss_engine_vars.c 9 Aug 2006 19:31:18 -0000 1.8
@@ -32,6 +32,7 @@
static char *nss_var_lookup_nss_cert(apr_pool_t *p, CERTCertificate *xs, char *var, conn_rec *c);
static char *nss_var_lookup_nss_cert_dn(apr_pool_t *p, CERTName *cert, char *var);
static char *nss_var_lookup_nss_cert_valid(apr_pool_t *p, CERTCertificate *xs, int type);
+static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, CERTCertificate *xs);
static char *nss_var_lookup_nss_cert_chain(apr_pool_t *p, CERTCertificate *cert,char *var);
static char *nss_var_lookup_nss_cert_PEM(apr_pool_t *p, CERTCertificate *xs);
static char *nss_var_lookup_nss_cert_verify(apr_pool_t *p, conn_rec *c);
@@ -314,6 +315,10 @@
else if (strcEQ(var, "V_END")) {
result = nss_var_lookup_nss_cert_valid(p, xs, CERT_NOTAFTER);
}
+ else if (strcEQ(var, "V_REMAIN")) {
+ result = ssl_var_lookup_ssl_cert_remain(p, xs);
+ resdup = FALSE;
+ }
else if (strcEQ(var, "S_DN")) {
xsname = CERT_NameToAscii(&xs->subject);
result = apr_pstrdup(p, xsname);
@@ -441,6 +446,29 @@
return result;
}
+/* Return a string giving the number of days remaining until the cert
+ * expires "0" if this can't be determined.
+ *
+ * In mod_ssl this is more generic, passing in a time to calculate against,
+ * but I see no point in converting the end date into a string and back again.
+ */
+static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, CERTCertificate *xs)
+{
+ PRTime notBefore, notAfter;
+ PRTime now, diff;
+
+ CERT_GetCertTimes(xs, ¬Before, ¬After);
+ now = PR_Now();
+
+ /* Both times are relative to the epoch, so no TZ calcs are needed */
+ diff = notAfter - now;
+
+ /* PRTime is in microseconds so convert to seconds before days */
+ diff = (diff / PR_USEC_PER_SEC) / (60*60*24);
+
+ return (diff > 0) ? apr_itoa(p, diff) : apr_pstrdup(p, "0");
+}
+
static char *nss_var_lookup_nss_cert_chain(apr_pool_t *p, CERTCertificate *cert, char *var)
{
char *result;
Index: nss_engine_kernel.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_kernel.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- nss_engine_kernel.c 9 Aug 2006 19:17:56 -0000 1.6
+++ nss_engine_kernel.c 9 Aug 2006 19:31:18 -0000 1.7
@@ -732,6 +732,7 @@
"SSL_CLIENT_M_SERIAL",
"SSL_CLIENT_V_START",
"SSL_CLIENT_V_END",
+ "SSL_CLIENT_V_REMAIN",
"SSL_CLIENT_S_DN",
"SSL_CLIENT_S_DN_C",
"SSL_CLIENT_S_DN_ST",
[Fedora-directory-commits] mod_nss nss_engine_kernel.c, 1.5, 1.6 mod_nss.c, 1.13, 1.14 mod_nss.h, 1.13, 1.14
by Doctor Conrad
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29483
Modified Files:
nss_engine_kernel.c mod_nss.c mod_nss.h
Log Message:
Merge in changes from http://svn.apache.org/viewvc?view=rev&revision=161958
The issue was that mod_ssl wasn't always picking up ssl-unclean-shutdown
settings. This isn't an issue for mod_nss since it doesn't support
separate shutdown modes, but this does simplify the code a bit.
* mod_nss.h: Remove nss_hook_Translate.
* nss_engine_kernel.c
(nss_hook_ReadReq): Merge in nss_hook_Translate.
(nss_hook_Translate): Remove.
* mod_nss.c (nss_register_hooks): Ensure that _ReadReq
hook runs after mod_setenvif.c; don't register translate_name hook.
Index: nss_engine_kernel.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_kernel.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- nss_engine_kernel.c 7 Apr 2006 20:17:12 -0000 1.5
+++ nss_engine_kernel.c 9 Aug 2006 19:17:56 -0000 1.6
@@ -23,6 +23,7 @@
int nss_hook_ReadReq(request_rec *r)
{
SSLConnRec *sslconn = myConnConfig(r->connection);
+ PRFileDesc *ssl = sslconn ? sslconn->ssl : NULL;
if (!sslconn) {
return DECLINED;
@@ -62,19 +63,13 @@
return HTTP_BAD_REQUEST;
}
- return DECLINED;
-}
-
-/*
- * URL Translation Handler
- */
-int nss_hook_Translate(request_rec *r)
-{
- SSLConnRec *sslconn = myConnConfig(r->connection);
-
- if (!(sslconn && sslconn->ssl)) {
+ /* Get the SSL connection structure and perform the
+ * delayed interlinking from SSL back to request_rec
+ */
+ if (!ssl) {
return DECLINED;
}
+
/*
* Log information about incoming HTTPS requests
*/
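Review bot: The new comment says the block performs "the delayed interlinking from SSL back to request_rec", but the only code that follows it in this hunk is `if (!ssl) { return DECLINED; }`, so the comment describes an action that is not visible here; if the interlinking happens on lines beyond the hunk that is fine, otherwise it is a leftover from the mod_ssl original and should just read `/* Nothing further to do for connections that are not NSS-wrapped. */`. nss_hook_ReadReq starts before this hunk and continues after it.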
@@ -92,7 +87,6 @@
return DECLINED;
}
-
/*
* Access Handler
*/
Index: mod_nss.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- mod_nss.c 3 Aug 2006 13:29:05 -0000 1.13
+++ mod_nss.c 9 Aug 2006 19:17:56 -0000 1.14
@@ -395,6 +395,10 @@
static void nss_register_hooks(apr_pool_t *p)
{
+ /* nss_hook_ReadReq needs to use the BrowserMatch settings so must
+ * run after mod_setenvif's post_read_request hook. */
+ static const char *pre_prr[] = { "mod_setenvif.c", NULL };
+
nss_io_filter_register(p);
ap_hook_pre_connection(nss_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
@@ -407,12 +411,11 @@
ap_hook_default_port (nss_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (nss_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (nss_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_translate_name(nss_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (nss_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST);
ap_hook_fixups (nss_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_access_checker(nss_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (nss_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_post_read_request(nss_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_read_request(nss_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
nss_var_register();
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- mod_nss.h 3 Aug 2006 13:29:05 -0000 1.13
+++ mod_nss.h 9 Aug 2006 19:17:56 -0000 1.14
@@ -403,7 +403,6 @@
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
/* Apache API hooks */
-int nss_hook_Translate(request_rec *r);
int nss_hook_UserCheck(request_rec *r);
int nss_hook_Fixup(request_rec *r);
int nss_hook_Access(request_rec *r);
[Fedora-directory-commits] mod_admserv mod_admserv.c,1.26,1.27
by Doctor Conrad
Author: rcritten
Update of /cvs/dirsec/mod_admserv
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32710
Modified Files:
mod_admserv.c
Log Message:
200988
Use a macro so HP/ux can use their own setresuid() call instead of
seteuid. apxs provides the define we need via: apxs -q EXTRA_CPPFLAGS
Index: mod_admserv.c
===================================================================
RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- mod_admserv.c 17 Jul 2006 19:01:29 -0000 1.26
+++ mod_admserv.c 8 Aug 2006 20:04:43 -0000 1.27
@@ -65,6 +65,12 @@
#include "mod_admserv.h"
+#if defined(HPUX) || defined(HPUX10) || defined(HPUX11)
+#define SETEUID(id) setresuid((uid_t) -1, id, (uid_t) -1)
+#else
+#define SETEUID(id) seteuid(id)
+#endif
+
/*
* These are keys for items we store in r->notes to pass data from one stage
* in the request to another. They must be unique. If necessary, prefix
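Review bot: The macro argument `id` is expanded unparenthesized in both branches; since a caller could pass an expression, write `#define SETEUID(id) setresuid((uid_t) -1, (id), (uid_t) -1)` and `#define SETEUID(id) seteuid((id))`. Both branches also silently discard nothing themselves, so the value of the macro is the call's return and should be checked at each use site (see the later hunks).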
@@ -2031,7 +2037,7 @@
#ifdef CHANGE_EUID
/* make sure pset creates the cache file owned by the server uid, not root */
if (geteuid() == 0) {
- seteuid(unixd_config.user_id);
+ SETEUID(unixd_config.user_id);
reseteuid = 1;
}
#endif /* CHANGE_EUID */
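Review bot: The return value of `SETEUID(unixd_config.user_id)` is ignored and `reseteuid = 1` is set unconditionally, so if the uid switch fails the cache file is created as root, which is exactly what the preceding comment says must not happen. Check the result and do not proceed when it fails, e.g. `if (SETEUID(unixd_config.user_id) == 0) { reseteuid = 1; } else { /* log and return an error; do not create the cache as root */ }` — the enclosing function begins outside this hunk, so I cannot see its return type or logging convention to fill in the else branch.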
@@ -2044,7 +2050,7 @@
#ifdef CHANGE_EUID
if (reseteuid) {
- seteuid(0);
+ SETEUID(0);
}
#endif /* CHANGE_EUID */
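Review bot: The restore `SETEUID(0)` is likewise unchecked; if it fails the process stays at the server uid and any later privileged operation in this function fails with an unrelated-looking EACCES/EPERM. At minimum log the failure, `if (SETEUID(0) != 0) { /* log errno: could not restore root euid */ }`, so the cause is visible in the error log.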