summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--modules/arch/netware/mod_nw_ssl.c135
1 files changed, 75 insertions, 60 deletions
diff --git a/modules/arch/netware/mod_nw_ssl.c b/modules/arch/netware/mod_nw_ssl.c
index 84aa6fbee7..652bc62967 100644
--- a/modules/arch/netware/mod_nw_ssl.c
+++ b/modules/arch/netware/mod_nw_ssl.c
@@ -15,7 +15,7 @@
*/
/*
- * mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
+ * based on mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
*
* This module gives Apache the ability to do SSL/TLS with a minimum amount
* of effort. All of the SSL/TLS logic is already on NetWare versions 5 and
@@ -31,6 +31,17 @@
*
* SecureListen 443 "SSL CertificateIP"
* SecureListen 123.45.67.89:443 mycert
+ *
+ * The module also supports RFC 2817 / TLS Upgrade for HTTP 1.1.
+ * For this add a "NWSSLUpgradeable" with two arguments. The first
+ * argument is an address and/or port. The second argument is the key pair
+ * name as created in ConsoleOne.
+ *
+ * Examples:
+ *
+ * NWSSLUpgradeable 8080 "SSL CertificateIP"
+ * NWSSLUpgradeable 123.45.67.89:8080 mycert
+ *
*/
#define WS_SSL
@@ -115,7 +126,7 @@ struct seclistenup_rec {
struct NWSSLSrvConfigRec {
apr_table_t *sltable;
apr_table_t *slutable;
- apr_pool_t *pPool;
+ apr_pool_t *pPool;
};
struct secsocket_data {
@@ -163,8 +174,8 @@ static unsigned long parse_addr(const char *w, unsigned short *ports)
p = strchr(w, ':');
if (ports != NULL) {
*ports = 0;
- if (p != NULL && strcmp(p + 1, "*") != 0)
- *ports = atoi(p + 1);
+ if (p != NULL && strcmp(p + 1, "*") != 0)
+ *ports = atoi(p + 1);
}
if (p != NULL)
@@ -224,14 +235,16 @@ static char *get_port_key(conn_rec *c)
for (sl = ap_seclistenersup; sl; sl = sl->next) {
if ((sl->port == (c->local_addr)->port) &&
- ((strcmp(sl->addr, "0.0.0.0") == 0) || (strcmp(sl->addr, c->local_ip) == 0))) {
+ ((strcmp(sl->addr, "0.0.0.0") == 0) ||
+ (strcmp(sl->addr, c->local_ip) == 0))) {
return sl->key;
}
}
return NULL;
}
-static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *server,
+static int make_secure_socket(apr_pool_t *pconf,
+ const struct sockaddr_in *server,
char* key, int mutual, server_rec *sconf)
{
int s;
@@ -255,10 +268,11 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve
SecureProtoInfo.iSecurityScheme = SECURITY_PROTOCOL_SSL;
s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,
- (LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0);
+ (LPWSAPROTOCOL_INFO)&SecureProtoInfo, 0, 0);
if (s == INVALID_SOCKET) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02120)
+ ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
+ APLOGNO(02120)
"make_secure_socket: failed to get a socket for %s",
addr);
return -1;
@@ -269,7 +283,8 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve
if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char *)&optParam,
sizeof(optParam), NULL, 0, NULL, NULL, NULL)) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02121)
+ ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
+ APLOGNO(02121)
"make_secure_socket: for %s, WSAIoctl: "
"(SO_SSL_SET_FLAGS)", addr);
return -1;
@@ -283,8 +298,9 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve
opts.siddir = NULL;
if (WSAIoctl(s, SO_SSL_SET_SERVER, (char *)&opts, sizeof(opts),
- NULL, 0, NULL, NULL, NULL) != 0) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02122)
+ NULL, 0, NULL, NULL, NULL) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
+ APLOGNO(02122)
"make_secure_socket: for %s, WSAIoctl: "
"(SO_SSL_SET_SERVER)", addr);
return -1;
@@ -293,9 +309,10 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve
if (mutual) {
optParam = 0x07; /* SO_SSL_AUTH_CLIENT */
- if(WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam,
- sizeof(optParam), NULL, 0, NULL, NULL, NULL)) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf, APLOGNO(02123)
+ if (WSAIoctl(s, SO_SSL_SET_FLAGS, (char*)&optParam, sizeof(optParam),
+ NULL, 0, NULL, NULL, NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, WSAGetLastError(), sconf,
+ APLOGNO(02123)
"make_secure_socket: for %s, WSAIoctl: "
"(SO_SSL_SET_FLAGS)", addr);
return -1;
@@ -311,10 +328,10 @@ static int make_secure_socket(apr_pool_t *pconf, const struct sockaddr_in *serve
static int convert_secure_socket(conn_rec *c, apr_socket_t *csd)
{
- int rcode;
- struct tlsclientopts sWS2Opts;
- struct nwtlsopts sNWTLSOpts;
- struct sslserveropts opts;
+ int rcode;
+ struct tlsclientopts sWS2Opts;
+ struct nwtlsopts sNWTLSOpts;
+ struct sslserveropts opts;
unsigned long ulFlags;
SOCKET sock;
unicode_t keyFileName[60];
@@ -322,23 +339,23 @@ static int convert_secure_socket(conn_rec *c, apr_socket_t *csd)
apr_os_sock_get(&sock, csd);
/* zero out buffers */
- memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts));
- memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
+ memset((char *)&sWS2Opts, 0, sizeof(struct tlsclientopts));
+ memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
/* turn on ssl for the socket */
- ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT);
- rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
+ ulFlags = (numcerts ? SO_TLS_ENABLE : SO_TLS_ENABLE | SO_TLS_BLIND_ACCEPT);
+ rcode = WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
NULL, 0, NULL, NULL, NULL);
- if (SOCKET_ERROR == rcode)
- {
+ if (SOCKET_ERROR == rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02124)
- "Error: %d with ioctlsocket(flag SO_TLS_ENABLE)", WSAGetLastError());
- return rcode;
- }
+ "Error: %d with WSAIoctl(flag SO_TLS_ENABLE)",
+ WSAGetLastError());
+ return rcode;
+ }
ulFlags = SO_TLS_UNCLEAN_SHUTDOWN;
- WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
- NULL, 0, NULL, NULL, NULL);
+ WSAIoctl(sock, SO_TLS_SET_FLAGS, &ulFlags, sizeof(unsigned long),
+ NULL, 0, NULL, NULL, NULL);
/* setup the socket for SSL */
memset (&sWS2Opts, 0, sizeof(sWS2Opts));
@@ -365,11 +382,12 @@ static int convert_secure_socket(conn_rec *c, apr_socket_t *csd)
NULL, NULL);
/* make sure that it was successful */
- if(SOCKET_ERROR == rcode ){
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02125)
- "Error: %d with ioctl (SO_TLS_SET_CLIENT)", WSAGetLastError());
- }
- return rcode;
+ if (SOCKET_ERROR == rcode ) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server, APLOGNO(02125)
+ "Error: %d with WSAIoctl(SO_TLS_SET_CLIENT)",
+ WSAGetLastError());
+ }
+ return rcode;
}
static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r)
@@ -383,24 +401,25 @@ static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r)
memset((char *)&sWS2Opts, 0, sizeof(struct tlsserveropts));
memset((char *)&sNWTLSOpts, 0, sizeof(struct nwtlsopts));
-
ulFlag = SO_TLS_ENABLE;
- rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, sizeof(unsigned long), NULL, 0, NULL, NULL, NULL);
- if(rcode)
- {
+ rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag,
+ sizeof(unsigned long), NULL, 0, NULL, NULL, NULL);
+ if(rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02126)
- "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)", WSAGetLastError());
+ "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_ENABLE)",
+ WSAGetLastError());
goto ERR;
}
ulFlag = SO_TLS_SERVER;
- rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag, sizeof(unsigned long),NULL, 0, NULL, NULL, NULL);
+ rcode = WSAIoctl(socketHnd, SO_TLS_SET_FLAGS, &ulFlag,
+ sizeof(unsigned long),NULL, 0, NULL, NULL, NULL);
- if(rcode)
- {
+ if (rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02127)
- "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)", WSAGetLastError());
+ "Error: %d with WSAIoctl(SO_TLS_SET_FLAGS, SO_TLS_SERVER)",
+ WSAGetLastError());
goto ERR;
}
@@ -426,7 +445,6 @@ static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r)
sNWTLSOpts.reserved2 = NULL;
sNWTLSOpts.reserved3 = NULL;
-
rcode = WSAIoctl(socketHnd,
SO_TLS_SET_SERVER,
&sWS2Opts,
@@ -436,7 +454,7 @@ static int SSLize_Socket(SOCKET socketHnd, char *key, request_rec *r)
NULL,
NULL,
NULL);
- if(SOCKET_ERROR == rcode) {
+ if (SOCKET_ERROR == rcode) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02128)
"Error: %d with WSAIoctl(SO_TLS_SET_SERVER)", WSAGetLastError());
goto ERR;
@@ -630,9 +648,9 @@ static int nwssl_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_sockaddr_t *sa;
int found;
- /* Pull all of the listeners that were created by mod_nw_ssl out of the
- ap_listeners list so that the normal listen socket processing does
- automatically close them */
+ /* Pull all of the listeners that were created by mod_nw_ssl out of the
+ ap_listeners list so that the normal listen socket processing does
+ automatically close them */
nw_old_listeners = NULL;
ap_old_seclisteners = NULL;
@@ -851,8 +869,7 @@ static int isSecureConnEx (const server_rec *s, const conn_rec *c, const apr_tab
char port[8];
itoa((c->local_addr)->port, port, 10);
- if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL))
- {
+ if (!apr_table_do(compare_ipports, (void*)c, t, port, NULL)) {
return 1;
}
@@ -875,19 +892,19 @@ static int isSecureConnUpgradeable (const server_rec *s, const conn_rec *c)
static int isSecure (const request_rec *r)
{
- return isSecureConn (r->server, r->connection);
+ return isSecureConn (r->server, r->connection);
}
static int isSecureUpgradeable (const request_rec *r)
{
- return isSecureConnUpgradeable (r->server, r->connection);
+ return isSecureConnUpgradeable (r->server, r->connection);
}
static int isSecureUpgraded (const request_rec *r)
{
secsocket_data *csd_data = (secsocket_data*)ap_get_module_config(r->connection->conn_config, &nwssl_module);
- return csd_data->is_secure;
+ return csd_data->is_secure;
}
static int nwssl_hook_Fixup(request_rec *r)
@@ -1048,15 +1065,14 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
* Connection stuff
*/
if (result == NULL && c != NULL) {
-
- /* XXX-Can't get specific SSL info from NetWare */
+ /* XXX-Can't get specific SSL info from NetWare */
/* SSLConnRec *sslconn = myConnConfig(c);
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
&& sslconn && sslconn->ssl)
result = ssl_var_lookup_ssl(p, c, var+4);*/
- if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
- result = NULL;
+ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4))
+ result = NULL;
}
/*
@@ -1064,7 +1080,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
*/
if (result == NULL) {
if (strlen(var) > 12 && strcEQn(var, "SSL_VERSION_", 12))
- result = NULL;
+ result = NULL;
/* XXX-Can't get specific SSL info from NetWare */
/*result = ssl_var_lookup_ssl_version(p, var+12);*/
else if (strcEQ(var, "SERVER_SOFTWARE"))
@@ -1131,7 +1147,7 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
#define CONNECTION_HEADER "Connection: Upgrade"
static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,
- apr_bucket_brigade *bb)
+ apr_bucket_brigade *bb)
{
const char *upgrade;
@@ -1172,7 +1188,6 @@ static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,
return ap_pass_brigade(f->next, bb);
}
-
/* Send the interim 101 response. */
upgradebb = apr_brigade_create(r->pool, f->c->bucket_alloc);