authorStefan Eissing <icing@apache.org>2020-02-17 15:05:03 +0100
committerStefan Eissing <icing@apache.org>2020-02-17 15:05:03 +0100
commit350dafdaa08658034a09ee3903527c3e96806df9 (patch)
treed165ca77e1a6ddff8347c5c6904f5009cc710f8b
parentBack off a little when svn export is timing out. (diff)
downloadapache2-350dafdaa08658034a09ee3903527c3e96806df9.tar.xz
apache2-350dafdaa08658034a09ee3903527c3e96806df9.zip
*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive thanks to Timothe Litt (@tlhackque). - The protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now check all matching virtual hosts for protocol support. Thanks to @mkauf. - Corrected a check when OCSP stapling was configured for hosts where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm). - Softening the restrictions where mod_md configuration directives may appear. This should allow for use in <If> and <Macro> sections. Whether all possible variations lead to the configuration you wanted in the first place is another matter. [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque), Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874132 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--CHANGES13
-rw-r--r--modules/md/md_acme_authz.c4
-rw-r--r--modules/md/md_acme_drive.c2
-rw-r--r--modules/md/md_acme_order.c2
-rw-r--r--modules/md/md_acmev1_drive.c2
-rw-r--r--modules/md/md_crypt.h2
-rw-r--r--modules/md/md_http.h12
-rw-r--r--modules/md/md_reg.c4
-rw-r--r--modules/md/md_reg.h6
-rw-r--r--modules/md/md_result.c2
-rw-r--r--modules/md/md_status.h4
-rw-r--r--modules/md/md_util.h2
-rw-r--r--modules/md/md_version.h4
-rw-r--r--modules/md/mod_md.c55
-rw-r--r--modules/md/mod_md_config.c127
-rw-r--r--modules/md/mod_md_config.h2
-rw-r--r--modules/md/mod_md_ocsp.c4
-rw-r--r--modules/md/mod_md_os.c3
18 files changed, 163 insertions, 87 deletions
diff --git a/CHANGES b/CHANGES
index d127c598b8..14b600ced2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,19 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md:
+ - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
+ thanks to Timothe Litt (@tlhackque).
+ - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
+ check all matching virtual hosts for protocol support. Thanks to @mkauf.
+ - Corrected a check when OCSP stapling was configured for hosts
+ where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
+ - Softening the restrictions where mod_md configuration directives may appear. This should
+ allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
+ you wanted in the first place, is another matter.
+ [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
+ Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
+
*) core: ap_method_mask_t type added for method bitmasks, changed
from apr_int64_t and used for the method_mask field in
ap_method_list_t, AP_METHOD_BIT, allowed field of request_rec,
diff --git a/modules/md/md_acme_authz.c b/modules/md/md_acme_authz.c
index b76a5a6ac6..66aa865b5b 100644
--- a/modules/md/md_acme_authz.c
+++ b/modules/md/md_acme_authz.c
@@ -588,8 +588,8 @@ apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s
* - if setup failed, continue to look for another supported challenge type
* - if there is no overlap in types, tell the user that she has to configure
* either more types (dns, tls-alpn-01), make ports available or refrain
- * from using wildcard domains when dns is not available. etc.
- * - if there was an overlap, but no setup was successful, report that. We
+ * from useing wildcard domains when dns is not available. etc.
+ * - if there was an overlap, but no setup was successfull, report that. We
* will retry this, maybe the failure is temporary (e.g. command to setup DNS
*/
rv = APR_ENOTIMPL;
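Review bot: The new side of this hunk reintroduces misspellings that the removed lines had already corrected (`useing`, `successfull`), and the same reversal appears in md_acmev1_drive.c (`if ot`), md_crypt.h, md_http.h (`reqest`), md_reg.c, md_reg.h, md_status.h, md_util.h and mod_md.c. In md_acme_order.c and mod_md.c the regressions land in strings that reach the log or the user: `"domain authorization for %s failed, CA consideres "`, `"synching %d mds to registry"`, `"md[%s]: error synching to store"`. This looks like a resync from the module's upstream tree that drops trunk-only spelling fixes; keeping the trunk wording (`from using wildcard domains`, `no setup was successful`) avoids churn in grep-able log text. The enclosing function md_acme_authz_respond starts before and ends after this hunk.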
diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c
index b1db503f96..b88da757c5 100644
--- a/modules/md/md_acme_drive.c
+++ b/modules/md/md_acme_drive.c
@@ -132,7 +132,7 @@ apr_status_t md_acme_drive_set_acct(md_proto_driver_t *d, md_result_t *result)
if (!ad->md->contacts || apr_is_empty_array(md->contacts)) {
rv = APR_EINVAL;
md_result_printf(result, rv, "No contact information is available for MD %s. "
- "Configure one using the ServerAdmin directive.", md->name);
+ "Configure one using the MDContactEmail or ServerAdmin directive.", md->name);
md_result_log(result, MD_LOG_ERR);
goto leave;
}
diff --git a/modules/md/md_acme_order.c b/modules/md/md_acme_order.c
index 974334a79c..2907d5296c 100644
--- a/modules/md/md_acme_order.c
+++ b/modules/md/md_acme_order.c
@@ -513,7 +513,7 @@ static apr_status_t check_challenges(void *baton, int attempt)
rv = APR_EINVAL;
if (!authz->error_type) {
md_result_printf(ctx->result, rv,
- "domain authorization for %s failed, CA considers "
+ "domain authorization for %s failed, CA consideres "
"answer to challenge invalid, no error given",
authz->domain);
}
diff --git a/modules/md/md_acmev1_drive.c b/modules/md/md_acmev1_drive.c
index 027d494b4a..30e2add19d 100644
--- a/modules/md/md_acmev1_drive.c
+++ b/modules/md/md_acmev1_drive.c
@@ -49,7 +49,7 @@
* Pre-Req: we have an account for the ACME server that has accepted the current license agreement
* For each domain in MD:
* - check if there already is a valid AUTHZ resource
- * - if not, create an AUTHZ resource with challenge data
+ * - if ot, create an AUTHZ resource with challenge data
*/
static apr_status_t ad_setup_order(md_proto_driver_t *d, md_result_t *result)
{
diff --git a/modules/md/md_crypt.h b/modules/md/md_crypt.h
index 2fba40912b..7d60af3ae2 100644
--- a/modules/md/md_crypt.h
+++ b/modules/md/md_crypt.h
@@ -100,7 +100,7 @@ typedef enum {
} md_cert_state_t;
/**
- * Create a holder of the certificate that will free its memory when the
+ * Create a holder of the certificate that will free its memmory when the
* pool is destroyed.
*/
md_cert_t *md_cert_make(apr_pool_t *p, void *x509);
diff --git a/modules/md/md_http.h b/modules/md/md_http.h
index 78668b31d2..23187b6dfa 100644
--- a/modules/md/md_http.h
+++ b/modules/md/md_http.h
@@ -86,7 +86,7 @@ apr_status_t md_http_create(md_http_t **phttp, apr_pool_t *p, const char *user_a
void md_http_set_response_limit(md_http_t *http, apr_off_t resp_limit);
/**
- * Set the timeout for the complete request. This needs to take everything from
+ * Set the timeout for the complete reqest. This needs to take everything from
* DNS looksups, to conntects, to transfer of all data into account and should
* be sufficiently large.
* Set to 0 the have no timeout for this.
@@ -134,7 +134,7 @@ void md_http_set_on_status_cb(md_http_request_t *req, md_http_status_cb *cb, voi
void md_http_set_on_response_cb(md_http_request_t *req, md_http_response_cb *cb, void *baton);
/**
- * Create a GET request.
+ * Create a GET reqest.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
@@ -144,7 +144,7 @@ apr_status_t md_http_GET_create(md_http_request_t **preq, md_http_t *http, const
struct apr_table_t *headers);
/**
- * Create a HEAD request.
+ * Create a HEAD reqest.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
@@ -154,7 +154,7 @@ apr_status_t md_http_HEAD_create(md_http_request_t **preq, md_http_t *http, cons
struct apr_table_t *headers);
/**
- * Create a POST request with a bucket brigade as request body.
+ * Create a POST reqest with a bucket brigade as request body.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
@@ -168,7 +168,7 @@ apr_status_t md_http_POST_create(md_http_request_t **preq, md_http_t *http, cons
struct apr_bucket_brigade *body, int detect_len);
/**
- * Create a POST request with known request body data.
+ * Create a POST reqest with known request body data.
* @param preq the created request after success
* @param http the md_http instance
* @param url the url to GET
@@ -213,7 +213,7 @@ typedef apr_status_t md_http_next_req(md_http_request_t **preq, void *baton,
* To limit the number of parallel requests, nextreq should return APR_ENOENT when the limit
* is reached. It will be called again when the number of in_flight requests changes.
*
- * When all requests are done, nextreq will be called one more time. Should it not
+ * When all reqests are done, nextreq will be called one more time. Should it not
* return anything, this function returns.
*/
apr_status_t md_http_multi_perform(md_http_t *http, md_http_next_req *nextreq, void *baton);
diff --git a/modules/md/md_reg.c b/modules/md/md_reg.c
index 9c57c29046..4092edeb6e 100644
--- a/modules/md/md_reg.c
+++ b/modules/md/md_reg.c
@@ -670,7 +670,7 @@ int md_reg_should_warn(md_reg_t *reg, const md_t *md, apr_pool_t *p)
}
/**************************************************************************************************/
-/* syncing */
+/* synching */
apr_status_t md_reg_set_props(md_reg_t *reg, apr_pool_t *p, int can_http, int can_https)
{
@@ -836,7 +836,7 @@ leave:
}
/**
- * Finish syncing an MD with the store.
+ * Finish synching an MD with the store.
* 1. if there are changed properties (or if the MD is new), save it.
* 2. read any existing certificate and init the state of the memory MD
*/
diff --git a/modules/md/md_reg.h b/modules/md/md_reg.h
index b656d5c0a3..adf2b1ef46 100644
--- a/modules/md/md_reg.h
+++ b/modules/md/md_reg.h
@@ -145,7 +145,7 @@ apr_status_t md_reg_delete_acct(md_reg_t *reg, apr_pool_t *p, const char *acct_i
* Cleanup any challenges that are no longer in use.
*
* @param reg the registry
- * @param p pool for permanent storage
+ * @param p pool for permament storage
* @param ptemp pool for temporary storage
* @param mds the list of configured MDs
*/
@@ -160,7 +160,7 @@ apr_status_t md_reg_cleanup_challenges(md_reg_t *reg, apr_pool_t *p, apr_pool_t
apr_status_t md_reg_freeze_domains(md_reg_t *reg, apr_array_header_t *mds);
/**
- * Return if the certificate of the MD should be renewed. This includes reaching
+ * Return if the certificate of the MD shoud be renewed. This includes reaching
* the renewal window of an otherwise valid certificate. It return also !0 iff
* no certificate has been obtained yet.
*/
@@ -222,7 +222,7 @@ struct md_proto_t {
};
/**
- * Run a test initialization of the renew protocol for the given MD. This verifies
+ * Run a test intialization of the renew protocol for the given MD. This verifies
* basic parameter settings and is expected to return a description of encountered
* problems in <pmessage> when != APR_SUCCESS.
* A message return is allocated fromt the given pool.
diff --git a/modules/md/md_result.c b/modules/md/md_result.c
index 7d8370fadd..29996e94ca 100644
--- a/modules/md/md_result.c
+++ b/modules/md/md_result.c
@@ -32,7 +32,7 @@
static const char *dup_trim(apr_pool_t *p, const char *s)
{
char *d = apr_pstrdup(p, s);
- apr_collapse_spaces(d, d);
+ if (d) apr_collapse_spaces(d, d);
return d;
}
diff --git a/modules/md/md_status.h b/modules/md/md_status.h
index 3b25dbbff9..ac25ccda7d 100644
--- a/modules/md/md_status.h
+++ b/modules/md/md_status.h
@@ -40,7 +40,7 @@ apr_status_t md_status_get_json(struct md_json_t **pjson, apr_array_header_t *md
/**
* Take stock of all MDs given for a short overview. The JSON returned
- * will carry integers for MD_KEY_COMPLETE, MD_KEY_RENEWING,
+ * will carry intergers for MD_KEY_COMPLETE, MD_KEY_RENEWING,
* MD_KEY_ERRORED, MD_KEY_READY and MD_KEY_TOTAL.
*/
void md_status_take_stock(struct md_json_t **pjson, apr_array_header_t *mds,
@@ -101,7 +101,7 @@ void md_job_log_append(md_job_t *job, const char *type,
const char *status, const char *detail);
/**
- * Retrieve the latest log entry of a certain type.
+ * Retrieve the lastest log entry of a certain type.
*/
md_json_t *md_job_log_get_latest(md_job_t *job, const char *type);
diff --git a/modules/md/md_util.h b/modules/md/md_util.h
index 3d92756459..0473cdf4cb 100644
--- a/modules/md/md_util.h
+++ b/modules/md/md_util.h
@@ -90,7 +90,7 @@ struct apr_array_header_t *md_array_str_compact(apr_pool_t *p, struct apr_array_
int case_sensitive);
/**
- * Create a new array with all occurrences of <exclude> removed.
+ * Create a new array with all occurances of <exclude> removed.
*/
struct apr_array_header_t *md_array_str_remove(apr_pool_t *p, struct apr_array_header_t *src,
const char *exclude, int case_sensitive);
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index be5dbd5cfb..f51cf69eff 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "2.2.4"
+#define MOD_MD_VERSION "2.2.7-git"
/**
* @macro
@@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x020204
+#define MOD_MD_VERSION_NUM 0x020207
#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 7943d377b3..c9922f2a0d 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -297,6 +297,8 @@ leave:
static void merge_srv_config(md_t *md, md_srv_conf_t *base_sc, apr_pool_t *p)
{
+ const char *contact;
+
if (!md->sc) {
md->sc = base_sc;
}
@@ -310,9 +312,14 @@ static void merge_srv_config(md_t *md, md_srv_conf_t *base_sc, apr_pool_t *p)
if (!md->ca_agreement) {
md->ca_agreement = md_config_gets(md->sc, MD_CONFIG_CA_AGREEMENT);
}
- if (md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {
+ contact = md_config_gets(md->sc, MD_CONFIG_CA_CONTACT);
+ if (contact && contact[0]) {
+ apr_array_clear(md->contacts);
+ APR_ARRAY_PUSH(md->contacts, const char *) =
+ md_util_schemify(p, contact, "mailto");
+ } else if( md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {
apr_array_clear(md->contacts);
- APR_ARRAY_PUSH(md->contacts, const char *) =
+ APR_ARRAY_PUSH(md->contacts, const char *) =
md_util_schemify(p, md->sc->s->server_admin, "mailto");
}
if (md->renew_mode == MD_RENEW_DEFAULT) {
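Review bot: The new `else if( md->sc->s->server_admin` near the end of the hunk drops the space after `if` and puts one inside the parenthesis, unlike the rest of the file; `} else if (md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {` matches the surrounding style. Both branches then do the same clear-and-push with a different source string, so picking the address into one local first (`contact = md_config_gets(...)`, falling back to `md->sc->s->server_admin`) would leave a single `apr_array_clear`/`md_util_schemify` pair. merge_srv_config starts in the previous hunk and continues past this one.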
@@ -436,9 +443,10 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_
md_srv_conf_t *sc;
md_mod_conf_t *mc;
server_rec *s;
+ server_rec *res = NULL;
request_rec r;
int i;
- int skip_port_check = 0;
+ int check_port = 1;
sc = md_config_get(base_server);
mc = sc->mc;
@@ -446,27 +454,37 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_
if (md->ca_challenges && md->ca_challenges->nelts > 0) {
/* skip the port check if "tls-alpn-01" is pre-configured */
- skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+ check_port = !(md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0);
}
- if (!skip_port_check && !mc->can_https) return NULL;
+ if (check_port && !mc->can_https) return NULL;
/* find an ssl server matching domain from MD */
for (s = base_server; s; s = s->next) {
sc = md_config_get(s);
if (!sc || !sc->is_ssl || !sc->assigned) continue;
if (base_server == s && !mc->manage_base_server) continue;
- if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+ if (base_server != s && check_port && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
for (i = 0; i < sc->assigned->nelts; ++i) {
if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
r.server = s;
if (ap_matches_request_vhost(&r, domain, s->port)) {
- return s;
+ if (check_port) {
+ return s;
+ }
+ else {
+ /* there may be multiple matching servers because we ignore the port.
+ if possible, choose a server that supports the acme-tls/1 protocol */
+ if (ap_is_allowed_protocol(NULL, NULL, s, PROTO_ACME_TLS_1)) {
+ return s;
+ }
+ res = s;
+ }
}
}
}
}
- return NULL;
+ return res;
}
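Review bot: When the port check is skipped and no matching vhost allows acme-tls/1, the loop falls back to `res`, which is overwritten on every match, so the last matching server is returned with no indication that it cannot serve the pre-configured tls-alpn-01 challenge. The comment on the new lines says the protocol-capable server is chosen only "if possible", so the silent fallback deserves a trace line before `return res;`, e.g. `ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, base_server, "%s: no matching vhost for %s allows %s", md->name, domain, PROTO_ACME_TLS_1);` guarded by `if (!check_port)`. Whether the first rather than the last match would be the better fallback I cannot tell from here. get_public_https_server starts before this hunk.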
static apr_status_t auto_add_domains(md_t *md, server_rec *base_server, apr_pool_t *p)
@@ -563,10 +581,17 @@ static apr_status_t link_md_to_servers(md_mod_conf_t *mc, md_t *md, server_rec *
s->server_hostname, s->port, md->name, sc->name,
domain, (int)sc->assigned->nelts);
- if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
+ if (sc->ca_contact && sc->ca_contact[0]) {
+ uri = md_util_schemify(p, sc->ca_contact, "mailto");
+ if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
+ APR_ARRAY_PUSH(md->contacts, const char *) = uri;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
+ "%s: added contact %s", md->name, uri);
+ }
+ } else if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
uri = md_util_schemify(p, s->server_admin, "mailto");
if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
- APR_ARRAY_PUSH(md->contacts, const char *) = uri;
+ APR_ARRAY_PUSH(md->contacts, const char *) = uri;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
"%s: added contact %s", md->name, uri);
}
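Review bot: The new ca_contact branch repeats the server_admin branch line for line, including the `APLOGNO(10044)` tag that the existing call site below already owns (log tags are normally unique per call site; identical text may be tolerated, but it is still a maintenance trap). Choosing the source address first leaves one `md_util_schemify` call, one push and one log call, and makes the precedence of MDContactEmail over ServerAdmin visible in a single place. This needs a `const char *contact = NULL;` in the prologue of link_md_to_servers, which starts and ends outside this hunk.
```c
            /* … unchanged: trace log of the server/MD assignment … */
            if (sc->ca_contact && sc->ca_contact[0]) {
                contact = sc->ca_contact;
            }
            else if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
                contact = s->server_admin;
            }
            if (contact) {
                uri = md_util_schemify(p, contact, "mailto");
                if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
                    APR_ARRAY_PUSH(md->contacts, const char *) = uri;
                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
                                 "%s: added contact %s", md->name, uri);
                }
            }
```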
@@ -690,7 +715,7 @@ static apr_status_t check_invalid_duplicates(server_rec *base_server)
md_srv_conf_t *sc;
ap_log_error( APLOG_MARK, APLOG_TRACE1, 0, base_server,
- "cecking duplicate ssl assignments");
+ "checking duplicate ssl assignments");
for (s = base_server; s; s = s->next) {
sc = md_config_get(s);
if (!sc || !sc->assigned) continue;
@@ -854,7 +879,7 @@ static apr_status_t md_post_config_before_ssl(apr_pool_t *p, apr_pool_t *plog,
/* How to bootstrap this module:
* 1. find out if we know if http: and/or https: requests will arrive
- * 2. apply the now complete configuration settings to the MDs
+ * 2. apply the now complete configuration setttings to the MDs
* 3. Link MDs to the server_recs they are used in. Detect unused MDs.
* 4. Update the store with the MDs. Change domain names, create new MDs, etc.
* Basically all MD properties that are configured directly.
@@ -863,7 +888,7 @@ static apr_status_t md_post_config_before_ssl(apr_pool_t *p, apr_pool_t *plog,
* store will find the old settings and "recover" the previous name.
* 5. Load any staged data from previous driving.
* 6. on a dry run, this is all we do
- * 7. Read back the MD properties that reflect the existence and aspect of
+ * 7. Read back the MD properties that reflect the existance and aspect of
* credentials that are in the store (or missing there).
* Expiry times, MD state, etc.
* 8. Determine the list of MDs that need driving/supervision.
@@ -880,7 +905,7 @@ static apr_status_t md_post_config_before_ssl(apr_pool_t *p, apr_pool_t *plog,
/*4*/
if (APR_SUCCESS != (rv = md_reg_sync_start(mc->reg, mc->mds, ptemp))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
- "syncing %d mds to registry", mc->mds->nelts);
+ "synching %d mds to registry", mc->mds->nelts);
goto leave;
}
/*5*/
@@ -923,7 +948,7 @@ static apr_status_t md_post_config_after_ssl(apr_pool_t *p, apr_pool_t *plog,
}
if (APR_SUCCESS != (rv = md_reg_sync_finish(mc->reg, md, p, ptemp))) {
ap_log_error( APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10172)
- "md[%s]: error syncing to store", md->name);
+ "md[%s]: error synching to store", md->name);
goto leave;
}
}
diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c
index 8d78af0c4b..66684213aa 100644
--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
@@ -105,6 +105,7 @@ static md_srv_conf_t defconf = {
&def_renew_window, /* renew window */
&def_warn_window, /* warn window */
NULL, /* ca url */
+ NULL, /* ca contact (email) */
"ACME", /* ca protocol */
NULL, /* ca agreemnent */
NULL, /* ca challenges array */
@@ -156,6 +157,7 @@ static void srv_conf_props_clear(md_srv_conf_t *sc)
sc->renew_window = NULL;
sc->warn_window = NULL;
sc->ca_url = NULL;
+ sc->ca_contact = NULL;
sc->ca_proto = NULL;
sc->ca_agreement = NULL;
sc->ca_challenges = NULL;
@@ -173,6 +175,7 @@ static void srv_conf_props_copy(md_srv_conf_t *to, const md_srv_conf_t *from)
to->warn_window = from->warn_window;
to->renew_window = from->renew_window;
to->ca_url = from->ca_url;
+ to->ca_contact = from->ca_contact;
to->ca_proto = from->ca_proto;
to->ca_agreement = from->ca_agreement;
to->ca_challenges = from->ca_challenges;
@@ -229,6 +232,7 @@ static void *md_config_merge(apr_pool_t *pool, void *basev, void *addv)
nsc->warn_window = add->warn_window? add->warn_window : base->warn_window;
nsc->ca_url = add->ca_url? add->ca_url : base->ca_url;
+ nsc->ca_contact = add->ca_contact? add->ca_contact : base->ca_contact;
nsc->ca_proto = add->ca_proto? add->ca_proto : base->ca_proto;
nsc->ca_agreement = add->ca_agreement? add->ca_agreement : base->ca_agreement;
nsc->ca_challenges = (add->ca_challenges? apr_array_copy(pool, add->ca_challenges)
@@ -267,6 +271,30 @@ static const char *md_section_check(cmd_parms *cmd) {
return NULL;
}
+#define MD_LOC_GLOBAL (0x01)
+#define MD_LOC_MD (0x02)
+#define MD_LOC_ELSE (0x04)
+#define MD_LOC_ALL (0x07)
+#define MD_LOC_NOT_MD (0x102)
+
+static const char *md_conf_check_location(cmd_parms *cmd, int flags)
+{
+ if (MD_LOC_GLOBAL == flags) {
+ return ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ }
+ if (MD_LOC_NOT_MD == flags && inside_md_section(cmd)) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name, " is not allowed inside an '",
+ MD_CMD_MD_SECTION, "' context", NULL);
+ }
+ if (MD_LOC_MD == flags) {
+ return md_section_check(cmd);
+ }
+ else if ((MD_LOC_MD & flags) && inside_md_section(cmd)) {
+ return NULL;
+ }
+ return ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION);
+}
+
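Review bot: `md_conf_check_location` is new and has no comment, and its constants read like a bitmask while the function compares `MD_LOC_GLOBAL` and `MD_LOC_NOT_MD` by equality, so a combination such as `MD_LOC_GLOBAL|MD_LOC_MD` silently falls through to the final `NOT_IN_DIRECTORY|NOT_IN_LOCATION` check and `MD_LOC_ELSE` alone has no effect; `MD_LOC_GLOBAL` is also not passed by any caller in this commit. A header comment naming the four accepted values would prevent misuse: `/* Check where a directive may appear. flags is exactly one of MD_LOC_GLOBAL (server config only), MD_LOC_MD (inside an MD section only), MD_LOC_NOT_MD (anywhere but an MD section, <Directory> or <Location>) or MD_LOC_ALL (anywhere but <Directory> or <Location>). Returns NULL or an error message. */`. Converting the defines to an `enum` would also let the debugger show the value.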
static const char *set_on_off(int *pvalue, const char *s, apr_pool_t *p)
{
if (!apr_strnatcasecmp("off", s)) {
@@ -314,7 +342,7 @@ static const char *md_config_sec_start(cmd_parms *cmd, void *mconfig, const char
int transitive = -1;
(void)mconfig;
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
@@ -400,8 +428,7 @@ static const char *md_config_set_names(cmd_parms *cmd, void *dc,
int i, transitive = -1;
(void)dc;
- err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
@@ -436,20 +463,33 @@ static const char *md_config_set_ca(cmd_parms *cmd, void *dc, const char *value)
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
sc->ca_url = value;
return NULL;
}
+static const char *md_config_set_contact(cmd_parms *cmd, void *dc, const char *value)
+{
+ md_srv_conf_t *sc = md_config_get(cmd->server);
+ const char *err;
+
+ (void)dc;
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
+ return err;
+ }
+ sc->ca_contact = value;
+ return NULL;
+}
+
static const char *md_config_set_ca_proto(cmd_parms *cmd, void *dc, const char *value)
{
md_srv_conf_t *config = md_config_get(cmd->server);
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
config->ca_proto = value;
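Review bot: `md_config_set_contact` stores the directive value without any check: an empty string is accepted here and only filtered later by the `contact[0]` test in merge_srv_config, and a malformed address is discovered only when the CA rejects the account registration. The file already validates in the handler elsewhere (md_config_set_proxy calls `md_util_abs_http_uri_check`), so a config-time error for the obvious cases is consistent: `if (!value[0] || strpbrk(value, " \t\r\n")) return "MDContactEmail: address must be non-empty and contain no whitespace";` before `sc->ca_contact = value;`. The error text is a suggestion, not a string the module already uses.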
@@ -462,7 +502,7 @@ static const char *md_config_set_agreement(cmd_parms *cmd, void *dc, const char
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
config->ca_agreement = value;
@@ -489,7 +529,7 @@ static const char *md_config_set_renew_mode(cmd_parms *cmd, void *dc, const char
return apr_pstrcat(cmd->pool, "unknown MDDriveMode ", value, NULL);
}
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
config->renew_mode = renew_mode;
@@ -502,7 +542,7 @@ static const char *md_config_set_must_staple(cmd_parms *cmd, void *dc, const cha
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&config->must_staple, value, cmd->pool);
@@ -514,7 +554,7 @@ static const char *md_config_set_stapling(cmd_parms *cmd, void *dc, const char *
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&config->stapling, value, cmd->pool);
@@ -526,7 +566,7 @@ static const char *md_config_set_staple_others(cmd_parms *cmd, void *dc, const c
const char *err;
(void)dc;
- if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&config->staple_others, value, cmd->pool);
@@ -535,7 +575,7 @@ static const char *md_config_set_staple_others(cmd_parms *cmd, void *dc, const c
static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const char *value)
{
md_srv_conf_t *config = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD);
(void)dc;
if (err) return err;
@@ -547,11 +587,10 @@ static const char *md_config_set_require_https(cmd_parms *cmd, void *dc, const c
md_srv_conf_t *config = md_config_get(cmd->server);
const char *err;
- (void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
-
+ (void)dc;
if (!apr_strnatcasecmp("off", value)) {
config->require_https = MD_REQUIRE_OFF;
}
@@ -574,8 +613,7 @@ static const char *md_config_set_renew_window(cmd_parms *cmd, void *dc, const ch
const char *err;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&config->renew_window, cmd->pool, value, MD_TIME_LIFE_NORM);
@@ -593,8 +631,7 @@ static const char *md_config_set_warn_window(cmd_parms *cmd, void *dc, const cha
const char *err;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&config->warn_window, cmd->pool, value, MD_TIME_LIFE_NORM);
@@ -609,9 +646,9 @@ static const char *md_config_set_warn_window(cmd_parms *cmd, void *dc, const cha
static const char *md_config_set_proxy(cmd_parms *cmd, void *arg, const char *value)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
md_util_abs_http_uri_check(cmd->pool, value, &err);
@@ -626,9 +663,9 @@ static const char *md_config_set_proxy(cmd_parms *cmd, void *arg, const char *va
static const char *md_config_set_store_dir(cmd_parms *cmd, void *arg, const char *value)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
sc->mc->base_dir = value;
@@ -686,10 +723,10 @@ static const char *md_config_set_port_map(cmd_parms *cmd, void *arg,
const char *v1, const char *v2)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
(void)arg;
- if (!err) {
+ if (!(err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
err = set_port_map(sc->mc, v1);
}
if (!err && v2) {
@@ -707,8 +744,7 @@ static const char *md_config_set_cha_tyes(cmd_parms *cmd, void *dc,
int i;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
pcha = &config->ca_challenges;
@@ -735,8 +771,7 @@ static const char *md_config_set_pkeys(cmd_parms *cmd, void *dc,
apr_int64_t bits;
(void)dc;
- if (!inside_md_section(cmd)
- && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
if (argc <= 0) {
@@ -784,9 +819,9 @@ static const char *md_config_set_pkeys(cmd_parms *cmd, void *dc,
static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
sc->mc->notify_cmd = arg;
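Review bot: `md_config_set_notify_cmd` now passes `MD_LOC_NOT_MD`, which in md_conf_check_location ends in `ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION)`, so a directive that was `GLOBAL_ONLY` and sets the process-wide `sc->mc->notify_cmd` is now accepted inside any <VirtualHost>, where the last occurrence parsed silently wins and a per-vhost config fragment can choose the command the server later executes. The same applies to md_config_set_msg_cmd, md_config_set_dns01_cmd (`sc->mc->env`), md_config_set_store_dir and md_config_set_proxy in the neighbouring hunks, and to the `sc->mc` writers that now use `MD_LOC_ALL` (md_config_set_server_status, md_config_set_certificate_status, md_config_set_ocsp_keep_window, md_config_set_ocsp_renew_window, md_config_set_cert_check). If the goal is only to allow <If> and <Macro> at server level, the defined-but-unused `MD_LOC_GLOBAL` looks like the intended flag for these: `if ((err = md_conf_check_location(cmd, MD_LOC_GLOBAL))) {`. Whether GLOBAL_ONLY already tolerates <If> I cannot tell from here.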
@@ -797,9 +832,9 @@ static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const
static const char *md_config_set_msg_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
sc->mc->message_cmd = arg;
@@ -810,9 +845,9 @@ static const char *md_config_set_msg_cmd(cmd_parms *cmd, void *mconfig, const ch
static const char *md_config_set_dns01_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
apr_table_set(sc->mc->env, MD_KEY_CMD_DNS01, arg);
@@ -826,7 +861,7 @@ static const char *md_config_set_cert_file(cmd_parms *cmd, void *mconfig, const
const char *err;
(void)mconfig;
- if (NULL != (err = md_section_check(cmd))) return err;
+ if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err;
assert(sc->current);
sc->current->cert_file = arg;
return NULL;
@@ -838,7 +873,7 @@ static const char *md_config_set_key_file(cmd_parms *cmd, void *mconfig, const c
const char *err;
(void)mconfig;
- if (NULL != (err = md_section_check(cmd))) return err;
+ if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err;
assert(sc->current);
sc->current->pkey_file = arg;
return NULL;
@@ -850,7 +885,7 @@ static const char *md_config_set_server_status(cmd_parms *cmd, void *dc, const c
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&sc->mc->server_status_enabled, value, cmd->pool);
@@ -862,7 +897,7 @@ static const char *md_config_set_certificate_status(cmd_parms *cmd, void *dc, co
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
return set_on_off(&sc->mc->certificate_status_enabled, value, cmd->pool);
@@ -874,7 +909,7 @@ static const char *md_config_set_ocsp_keep_window(cmd_parms *cmd, void *dc, cons
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&sc->mc->ocsp_keep_window, cmd->pool, value, MD_TIME_OCSP_KEEP_NORM);
@@ -888,7 +923,7 @@ static const char *md_config_set_ocsp_renew_window(cmd_parms *cmd, void *dc, con
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
err = md_timeslice_parse(&sc->mc->ocsp_renew_window, cmd->pool, value, MD_TIME_LIFE_NORM);
@@ -907,7 +942,7 @@ static const char *md_config_set_cert_check(cmd_parms *cmd, void *dc,
const char *err;
(void)dc;
- if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
return err;
}
sc->mc->cert_check_name = name;
@@ -918,11 +953,11 @@ static const char *md_config_set_cert_check(cmd_parms *cmd, void *dc,
static const char *md_config_set_activation_delay(cmd_parms *cmd, void *mconfig, const char *arg)
{
md_srv_conf_t *sc = md_config_get(cmd->server);
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ const char *err;
apr_interval_time_t delay;
(void)mconfig;
- if (err) {
+ if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
return err;
}
if (md_duration_parse(&delay, arg, "d") != APR_SUCCESS) {
@@ -941,6 +976,8 @@ const command_rec md_cmds[] = {
"A list of challenge types to be used."),
AP_INIT_TAKE1("MDCertificateProtocol", md_config_set_ca_proto, NULL, RSRC_CONF,
"Protocol used to obtain/renew certificates"),
+ AP_INIT_TAKE1("MDContactEmail", md_config_set_contact, NULL, RSRC_CONF,
+ "Email address used for account registration"),
AP_INIT_TAKE1("MDDriveMode", md_config_set_renew_mode, NULL, RSRC_CONF,
"deprecated, older name for MDRenewMode"),
AP_INIT_TAKE1("MDRenewMode", md_config_set_renew_mode, NULL, RSRC_CONF,
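Review bot: The help text for the new MDContactEmail entry does not say how it relates to ServerAdmin, which the commit message says it now takes precedence over, so an admin reading `httpd -L` cannot tell which address the ACME account will be registered with. Suggest `"Email address used for account registration (takes precedence over ServerAdmin)"`. md_config_set_contact is not in this chunk; whatever syntax checking it does on the address would be worth mentioning there, since the value ends up in a request to an external CA.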
@@ -972,7 +1009,7 @@ const command_rec md_cmds[] = {
"the directory for file system storage of managed domain data."),
AP_INIT_TAKE1("MDRenewWindow", md_config_set_renew_window, NULL, RSRC_CONF,
"Time length for renewal before certificate expires (defaults to days)."),
- AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF,
+ AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF|OR_AUTHCFG,
"Redirect non-secure requests to the https: equivalent."),
AP_INIT_RAW_ARGS("MDNotifyCmd", md_config_set_notify_cmd, NULL, RSRC_CONF,
"Set the command to run when signup/renew of domain is complete."),
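Review bot: Adding `OR_AUTHCFG` to MDRequireHttps lets the directive appear in `<Directory>` and, under `AllowOverride AuthConfig`, in .htaccess, which is a change in who can turn on the redirect and the permanent/HSTS behaviour this directive controls. md_config_set_require_https is outside this chunk; if it still resolves its target via `md_config_get(cmd->server)` rather than the per-directory `dc`, a .htaccess occurrence would be parsed during request processing and modify server-wide state, so please confirm the handler stores into the per-dir config or rejects per-dir use. The help text should also name the new scope, e.g. `"Redirect non-secure requests to the https: equivalent (also allowed per directory / .htaccess with AllowOverride AuthConfig)."`.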
@@ -1065,6 +1102,8 @@ const char *md_config_gets(const md_srv_conf_t *sc, md_config_var_t var)
switch (var) {
case MD_CONFIG_CA_URL:
return sc->ca_url? sc->ca_url : defconf.ca_url;
+ case MD_CONFIG_CA_CONTACT:
+ return sc->ca_contact? sc->ca_contact : defconf.ca_contact;
case MD_CONFIG_CA_PROTO:
return sc->ca_proto? sc->ca_proto : defconf.ca_proto;
case MD_CONFIG_BASE_DIR:
diff --git a/modules/md/mod_md_config.h b/modules/md/mod_md_config.h
index 0f1138d9b3..2be0f68d30 100644
--- a/modules/md/mod_md_config.h
+++ b/modules/md/mod_md_config.h
@@ -25,6 +25,7 @@ struct md_pkey_spec_t;
typedef enum {
MD_CONFIG_CA_URL,
+ MD_CONFIG_CA_CONTACT,
MD_CONFIG_CA_PROTO,
MD_CONFIG_BASE_DIR,
MD_CONFIG_CA_AGREEMENT,
@@ -85,6 +86,7 @@ typedef struct md_srv_conf_t {
md_timeslice_t *warn_window; /* time before expiration that warning are sent out */
const char *ca_url; /* url of CA certificate service */
+ const char *ca_contact; /* contact email registered to account */
const char *ca_proto; /* protocol used vs CA (e.g. ACME) */
const char *ca_agreement; /* accepted agreement uri between CA and user */
struct apr_array_header_t *ca_challenges; /* challenge types configured */
diff --git a/modules/md/mod_md_ocsp.c b/modules/md/mod_md_ocsp.c
index 655697140d..fcc0a98160 100644
--- a/modules/md/mod_md_ocsp.c
+++ b/modules/md/mod_md_ocsp.c
@@ -62,7 +62,7 @@ apr_status_t md_ocsp_init_stapling_status(server_rec *s, apr_pool_t *p,
sc = md_config_get(s);
if (!staple_here(sc)) goto declined;
- md = ((sc->assigned || sc->assigned->nelts == 1)?
+ md = ((sc->assigned && sc->assigned->nelts == 1)?
APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
rv = md_ocsp_prime(sc->mc->ocsp, md_cert_wrap(p, cert),
md_cert_wrap(p, issuer), md);
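Review bot: With `||` corrected to `&&`, `md` is now NULL whenever `sc->assigned` is absent or holds more than one entry, and that NULL is passed straight into `md_ocsp_prime(...)` two lines later; md_ocsp_prime is outside this chunk, so please confirm it tolerates a NULL md rather than dereferencing it. The same selection expression is repeated in md_ocsp_get_stapling_status in the next hunk, which at least logs the outcome; a small `static const md_t *assigned_single_md(const md_srv_conf_t *sc)` helper would keep the two call sites from drifting apart again as they did before this fix. md_ocsp_init_stapling_status begins before this hunk.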
@@ -85,7 +85,7 @@ apr_status_t md_ocsp_get_stapling_status(unsigned char **pder, int *pderlen,
sc = md_config_get(s);
if (!staple_here(sc)) goto declined;
- md = ((sc->assigned || sc->assigned->nelts == 1)?
+ md = ((sc->assigned && sc->assigned->nelts == 1)?
APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "get stapling for: %s",
md? md->name : s->server_hostname);
diff --git a/modules/md/mod_md_os.c b/modules/md/mod_md_os.c
index 1291863d15..06a5beec05 100644
--- a/modules/md/mod_md_os.c
+++ b/modules/md/mod_md_os.c
@@ -25,9 +25,6 @@
#if APR_HAVE_UNISTD_H
#include <unistd.h>
#endif
-#ifdef WIN32
-#include "mpm_winnt.h"
-#endif
#if AP_NEED_SET_MUTEX_PERMS
#include "unixd.h"
#endif