author | Joe Orton <jorton@apache.org> | 2005-01-14 14:54:31 +0100 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2005-01-14 14:54:31 +0100 |
commit | 3f6c23e40aa1e05a76d4f57ad815d476237a8ac7 (patch) | |
tree | a59bb47fdc50e23d4b15e5ef74be997dfd651c31 /modules | |
parent | Fix VPATH errors introduced in r124104. (diff) | |
* modules/ssl/mod_ssl.c: Declare new config directives
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either
SSLCADNRequestFile or SSLCADNRequestPath is configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(modssl_ctx_cfg_merge_server): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r-- | modules/ssl/mod_ssl.c | 6 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 45 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 15 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 7 |
4 files changed, 58 insertions, 15 deletions
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index fb9e75bd68..4fa39008ad 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -116,6 +116,12 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_ALL(CACertificateFile, TAKE1, "SSL CA Certificate file " "(`/path/to/file' - PEM encoded)") + SSL_CMD_SRV(CADNRequestPath, TAKE1, + "SSL CA Distinguished Name path " + "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)") + SSL_CMD_SRV(CADNRequestFile, TAKE1, + "SSL CA Distinguished Name file " + "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)") SSL_CMD_SRV(CARevocationPath, TAKE1, "SSL CA Certificate Revocation List (CRL) path " "(`/path/to/dir' - contains PEM encoded files)") diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index d9cc5b8a1e..85831ea45f 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -152,17 +152,9 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc, modssl_ctx_init(mctx); - mctx->pks = apr_palloc(p, sizeof(*mctx->pks)); + mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks)); - memset((void*)mctx->pks->cert_files, 0, sizeof(mctx->pks->cert_files)); - - memset((void*)mctx->pks->key_files, 0, sizeof(mctx->pks->key_files)); - - /* certs/keys are set during module init */ - - memset(mctx->pks->certs, 0, sizeof(mctx->pks->certs)); - - memset(mctx->pks->keys, 0, sizeof(mctx->pks->keys)); + /* mctx->pks->... certs/keys are set during module init */ } static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) @@ -245,6 +237,9 @@ static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base, cfgMergeString(pks->cert_files[i]); cfgMergeString(pks->key_files[i]); } + + cfgMergeString(pks->ca_name_path); + cfgMergeString(pks->ca_name_file); } /* 
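Review bot: The two new `cfgMergeString(pks->ca_name_path)` / `cfgMergeString(pks->ca_name_file)` calls merge the fields independently, so a virtual host that sets only SSLCADNRequestFile still inherits the base server's SSLCADNRequestPath, and the ssl_init_ctx_verify hunk then hands both to ssl_init_FindCAList, making the advertised DN list the union of the two sources. That mirrors the cert_files/key_files loop just above, so it is presumably intentional, but it is not obvious from the directive names and deserves a comment at the new lines, e.g. `/* merged separately: a vhost can inherit one DN source and override the other */`. The enclosing modssl_ctx_cfg_merge_server starts outside the hunk.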
@@ -835,6 +830,36 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, return NULL; } +const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + + if ((err = ssl_cmd_check_dir(cmd, &arg))) { + return err; + } + + sc->server->pks->ca_name_path = arg; + + return NULL; +} + +const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + + if ((err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } + + sc->server->pks->ca_name_file = arg; + + return NULL; +} + const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, void *dcfg, const char *arg) diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 2a9c7a4ef8..bcc0d388f5 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -544,12 +544,17 @@ static void ssl_init_ctx_verify(server_rec *s, ssl_die(); } - ca_list = ssl_init_FindCAList(s, ptemp, - mctx->auth.ca_cert_file, - mctx->auth.ca_cert_path); + if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) { + ca_list = ssl_init_FindCAList(s, ptemp, + mctx->pks->ca_name_file, + mctx->pks->ca_name_path); + } else + ca_list = ssl_init_FindCAList(s, ptemp, + mctx->auth.ca_cert_file, + mctx->auth.ca_cert_path); if (!ca_list) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, - "Unable to determine list of available " + "Unable to determine list of acceptable " "CA certificates for client authentication"); ssl_die(); } @@ -1151,7 +1156,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, - "Failed to open SSLCACertificatePath `%s'", + "Failed to open Certificate Path `%s'", ca_path); ssl_die(); } diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 4f834948ba..19f9d8a9ce 100644 
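Review bot: ssl_cmd_SSLCADNRequestPath and ssl_cmd_SSLCADNRequestFile are registered server-only (SSL_CMD_SRV in the mod_ssl.c hunk) while SSLCACertificateFile stays SSL_CMD_ALL, so any per-directory client-auth path that rebuilds the CA name list from the directory config would presumably not see ca_name_*; that code is outside this commit, so confirm before relying on the new directives for per-location client authentication. Both handlers run ssl_cmd_check_dir / ssl_cmd_check_file before storing the argument, which is the right order. Each would benefit from a one-line header, e.g. `/* SSLCADNRequestPath: directory of PEM certs whose subject DNs are advertised in CertificateRequest */`, since the help string in mod_ssl.c is currently the only description of what the directive controls.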
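Review bot: The `else` arm added around the second ssl_init_FindCAList call is unbraced (`} else` followed by a bare statement) while its `if` arm is braced; brace it, `} else {` … `}`, to match the surrounding style and avoid the unbraced-branch trap when a statement is added later. The selection also deserves a comment, because the new source only changes what is advertised: as far as this hunk shows, the verify locations set earlier in ssl_init_ctx_verify are untouched, so `/* ca_name_* only selects the DN list sent in CertificateRequest; which CAs are trusted is still governed by SSLCACertificateFile/Path */`. When the configured SSLCADNRequest source yields no names, the existing "Unable to determine list of acceptable CA certificates" error does not say which directive was consulted, which is worth adding now that both paths reach it. ssl_init_ctx_verify begins and ends outside the hunk.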
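Review bot: The reworded log at the apr_dir_open failure, `"Failed to open Certificate Path `%s'"`, drops the directive name, so an operator can no longer tell from the log whether SSLCACertificatePath or SSLCADNRequestPath pointed at the unreadable directory. Since ssl_init_FindCAList cannot know which directive its caller passed, name both candidates in the message, e.g. `"Failed to open SSLCACertificatePath/SSLCADNRequestPath `%s'"`. ssl_init_FindCAList starts outside the hunk.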
--- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -379,6 +379,11 @@ typedef struct { const char *key_files[SSL_AIDX_MAX]; X509 *certs[SSL_AIDX_MAX]; EVP_PKEY *keys[SSL_AIDX_MAX]; + + /* Certificates which specify the set of CA names which should be + * sent in the CertificateRequest message: */ + const char *ca_name_path; + const char *ca_name_file; } modssl_pk_server_t; typedef struct { @@ -487,6 +492,8 @@ const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *); +const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); |
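Review bot: The new comment on ca_name_path/ca_name_file in modssl_pk_server_t says what the fields feed but not the boundary that matters operationally: they select the CA DNs advertised in CertificateRequest and, as far as the ssl_init_ctx_verify hunk shows, nothing else, so a CA listed here but absent from SSLCACertificateFile/Path will be advertised yet its client certificates rejected. Suggest extending it to `/* Optional PEM sources (SSLCADNRequestFile/Path) for the CA names sent in CertificateRequest. Only consulted by ssl_init_FindCAList; they advertise names and do not by themselves add trusted CAs (see SSLCACertificateFile/Path). */`. The fields start NULL because modssl_ctx_init_server now allocates the struct with apr_pcalloc, which the cfgMergeString calls depend on. The enclosing typedef starts outside the hunk.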