-rw-r--r-- | modules/arch/netware/mod_nw_ssl.c | 135 |
1 files changed, 75 insertions, 60 deletions
diff --git a/modules/arch/netware/mod_nw_ssl.c b/modules/arch/netware/mod_nw_ssl.c index 84aa6fbee7..652bc62967 100644 --- a/modules/arch/netware/mod_nw_ssl.c +++ b/modules/arch/netware/mod_nw_ssl.c @@ -15,7 +15,7 @@ */ /* - * mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner. + * based on mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner. * * This module gives Apache the ability to do SSL/TLS with a minimum amount * of effort. All of the SSL/TLS logic is already on NetWare versions 5 and @@ -31,6 +31,17 @@ * * SecureListen 443 "SSL CertificateIP" * SecureListen 123.45.67.89:443 mycert + * + * The module also supports RFC 2817 / TLS Upgrade for HTTP 1.1. + * For this add a "NWSSLUpgradeable" with two arguments. The first + * argument is an address and/or port. The second argument is the key pair + * name as created in ConsoleOne. + * + * Examples: + * + * NWSSLUpgradeable 8080 "SSL CertificateIP" + * NWSSLUpgradeable 123.45.67.89:8080 mycert + * */ #define WS_SSL @@ -115,7 +126,7 @@ struct seclistenup_rec { struct NWSSLSrvConfigRec { apr_table_t *sltable; apr_table_t *slutable; - apr_pool_t *pPool; + apr_pool_t *pPool; }; struct secsocket_data { @@ -163,8 +174,8 @@ static unsigned long parse_addr(const char *w, unsigned short *ports) p = strchr(w, ':'); if (ports != NULL) { *ports = 0; - if (p != NULL && strcmp(p + 1, "*") != 0) - *ports = atoi(p + 1); + if (p != NULL && strcmp(p + 1, "*") != 0) + *ports = atoi(p + 1); } if (p != NULL) 
@@ -224,14 +235,16 @@ static char *get_port_key(conn_rec *c) for (sl = ap_seclistenersup; sl; sl = sl->next) { if ((sl->port == (c->local_addr)->port) && - ((strcmp(sl->addr, "0.0.0.0") == 0) || (strcmp(sl->addr, c->local_ip) == 0))) { + ((strcmp(sl->addr, "0.0.0.0") == 0) || + (strcmp(sl->addr, c->local_ip) == 0))) { return sl->key; } } return NULL; } -static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *server, +static int make_secure_socket(apr_pool_t *pconf, + const struct sockaddr_in *server, char* key, int mutual, server_rec *sconf) { int s; @@ -255,10 +268,11 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve SecureProtoInfo.iSecurityScheme = SECURITY_PROTOCOL_SSL; s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, - (LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0); + (LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0); if (s == INVALID_SOCKET) { - ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02120) + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02120) "make_secure_socket: failed to get a socket for %s", addr); return -1; @@ -269,7 +283,8 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam, sizeof(optParam), NULL, 0, NULL, NULL, NULL)) { - ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02121) + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02121) "make_secure_socket: for %s, WSAIoctl: " "(SO_SSL_SET_FLAGS)", addr); return -1; 
@@ -283,8 +298,9 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve opts.siddir = NULL; if (WSAIoctl(s, SO_SSL_SET_SERVER, (char *)&opts, sizeof(opts), - NULL, 0, NULL, NULL, NULL) != 0) { - ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02122) + NULL, 0, NULL, NULL, NULL) != 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02122) "make_secure_socket: for %s, WSAIoctl: " "(SO_SSL_SET_SERVER)", addr); return -1; @@ -293,9 +309,10 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve if (mutual) { optParam = 0x07; /* SO_SSL_AUTH_CLIENT */ - if(WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam, - sizeof(optParam), NULL, 0, NULL, NULL, NULL)) { - ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02123) + if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam, sizeof(optParam), + NULL, 0, NULL, NULL, NULL)) { + ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, + APLOGNO(02123) "make_secure_socket: for %s, WSAIoctl: " "(SO_SSL_SET_FLAGS)", addr); return -1; @@ -311,10 +328,10 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve static int convert_secure_socket(conn_rec *c, apr_socket_t *csd) { - int rcode; - struct tlsclientopts sWS2Opts; - struct nwtlsopts sNWTLSOpts; - struct sslserveropts opts; + int rcode; + struct tlsclientopts sWS2Opts; + struct nwtlsopts sNWTLSOpts; + struct sslserveropts opts; unsigned long ulFlags; SOCKET sock; unicode_t keyFileName[60]; 
@@ -322,23 +339,23 @@ static int convert_secure_socket(conn_rec *c, apr_socket_t *csd) apr_os_sock_get(&sock, csd); /* zero out buffers */ - memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts)); - memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts)); + memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts)); + memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts)); /* turn on ssl for the socket */ - ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT); - rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), + ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT); + rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), NULL, 0, NULL, NULL, NULL); - if (SOCKET_ERROR == rcode) - { + if (SOCKET_ERROR == rcode) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02124) - "Error: %d with ioctlsocket(flag SO_TLS_ENABLE)", WSAGetLastError()); - return rcode; - } + "Error: %d with WSAIoctl(flag SO_TLS_ENABLE)", + WSAGetLastError()); + return rcode; + } ulFlags = SO_TLS_UNCLEAN_SHUTDOWN; - WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), - NULL, 0, NULL, NULL, NULL); + WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), + NULL, 0, NULL, NULL, NULL); /* setup the socket for SSL */ memset (&sWS2Opts, 0, sizeof(sWS2Opts)); @@ -365,11 +382,12 @@ static int convert_secure_socket(conn_rec *c, apr_socket_t *csd) NULL, NULL); /* make sure that it was successful */ - if(SOCKET_ERROR == rcode ){ - ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02125) - "Error: %d with ioctl (SO_TLS_SET_CLIENT)", WSAGetLastError()); - } - return rcode; + if (SOCKET_ERROR == rcode ) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02125) + "Error: %d with WSAIoctl(SO_TLS_SET_CLIENT)", + WSAGetLastError()); + } + return rcode; } static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r) 
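Review bot: The re-indented `WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long), NULL, 0, NULL, NULL, NULL);` call that applies SO_TLS_UNCLEAN_SHUTDOWN still discards its return value, while the SO_TLS_ENABLE call a few lines above logs and returns on SOCKET_ERROR; since the commit is already touching this line, assign it to `rcode` and apply the same SOCKET_ERROR check and APLOG_ERR log so a silently failed shutdown setting does not go unnoticed. The line `ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT);` would benefit from a why-comment, because the blind-accept flag presumably changes how peer certificates are handled when no trusted certificates are configured; something like `/* no trusted certs configured: set SO_TLS_BLIND_ACCEPT -- confirm what verification this skips */`. The stray space in `if (SOCKET_ERROR == rcode ) {` in the following hunk at -365 is a style nit to fix while renaming the message. convert_secure_socket's declarations and its remaining body lie outside this hunk.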
@@ -383,24 +401,25 @@ static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r) memset((char *)&sWS2Opts, 0, sizeof(struct tlsserveropts)); memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts)); - ulFlag = SO_TLS_ENABLE; - rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, sizeof(unsigned long), NULL, 0, NULL, NULL, NULL); - if(rcode) - { + rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, + sizeof(unsigned long), NULL, 0, NULL, NULL, NULL); + if(rcode) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02126) - "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)", WSAGetLastError()); + "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)", + WSAGetLastError()); goto ERR; } ulFlag = SO_TLS_SERVER; - rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, sizeof(unsigned long),NULL, 0, NULL, NULL, NULL); + rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, + sizeof(unsigned long),NULL, 0, NULL, NULL, NULL); - if(rcode) - { + if (rcode) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02127) - "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)", WSAGetLastError()); + "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)", + WSAGetLastError()); goto ERR; } @@ -426,7 +445,6 @@ static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r) sNWTLSOpts.reserved2 = NULL; sNWTLSOpts.reserved3 = NULL; - rcode = WSAIoctl(socketHnd, SO_TLS_SET_SERVER, &sWS2Opts, @@ -436,7 +454,7 @@ static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r) NULL, NULL, NULL); - if(SOCKET_ERROR == rcode) { + if (SOCKET_ERROR == rcode) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02128) "Error: %d with WSAIoctl(SO_TLS_SET_SERVER)", WSAGetLastError()); goto ERR; 
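Review bot: The new side drops `ulFlag = SO_TLS_ENABLE;` before the first `WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, ...)` call without replacing it, so unless ulFlag is initialised at its declaration above the hunk, the SO_TLS_SET_FLAGS ioctl is now issued with an indeterminate flag value, even though the APLOGNO(02126) message on the same path still names SO_TLS_ENABLE; the assignment should be restored as `ulFlag = SO_TLS_ENABLE;` immediately before the call. The hunk also leaves the first check as `if(rcode) {` while the second becomes `if (rcode) {`; make the two consistent. SSLize_Socket's declarations and its ERR cleanup label lie outside the hunk.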
@@ -630,9 +648,9 @@ static int nwssl_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_sockaddr_t *sa; int found; - /* Pull all of the listeners that were created by mod_nw_ssl out of the - ap_listeners list so that the normal listen socket processing does - automatically close them */ + /* Pull all of the listeners that were created by mod_nw_ssl out of the + ap_listeners list so that the normal listen socket processing does + automatically close them */ nw_old_listeners = NULL; ap_old_seclisteners = NULL; @@ -851,8 +869,7 @@ static int isSecureConnEx (const server_rec *s, const conn_rec *c, const apr_tab char port[8]; itoa((c->local_addr)->port, port, 10); - if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL)) - { + if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL)) { return 1; } @@ -875,19 +892,19 @@ static int isSecureConnUpgradeable (const server_rec *s, const conn_rec *c) static int isSecure (const request_rec *r) { - return isSecureConn (r->server, r->connection); + return isSecureConn (r->server, r->connection); } static int isSecureUpgradeable (const request_rec *r) { - return isSecureConnUpgradeable (r->server, r->connection); + return isSecureConnUpgradeable (r->server, r->connection); } static int isSecureUpgraded (const request_rec *r) { secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module); - return csd_data->is_secure; + return csd_data->is_secure; } static int nwssl_hook_Fixup(request_rec *r) 
@@ -1048,15 +1065,14 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, * Connection stuff */ if (result == NULL && c != NULL) { - - /* XXX-Can't get specific SSL info from NetWare */ + /* XXX-Can't get specific SSL info from NetWare */ /* SSLConnRec *sslconn = myConnConfig(c); if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) && sslconn && sslconn->ssl) result = ssl_var_lookup_ssl(p, c, var+4);*/ - if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)) - result = NULL; + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)) + result = NULL; } /* @@ -1064,7 +1080,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, */ if (result == NULL) { if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12)) - result = NULL; + result = NULL; /* XXX-Can't get specific SSL info from NetWare */ /*result = ssl_var_lookup_ssl_version(p, var+12);*/ else if (strcEQ(var, "SERVER_SOFTWARE")) @@ -1131,7 +1147,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, #define CONNECTION_HEADER "Connection: Upgrade" static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f, - apr_bucket_brigade *bb) + apr_bucket_brigade *bb) { const char *upgrade; @@ -1172,7 +1188,6 @@ static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f, return ap_pass_brigade(f->next, bb); } - /* Send the interim 101 response. */ upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc); |