diff --git modules/ssl/mod_ssl.c modules/ssl/mod_ssl.c
index 46db863..ff972c8 100644
--- modules/ssl/mod_ssl.c
+++ modules/ssl/mod_ssl.c
@@ -688,7 +688,6 @@ static void ssl_register_hooks(apr_pool_t *p)
 AP_AUTH_INTERNAL_PER_CONF);
 ap_hook_check_authz (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE,
 AP_AUTH_INTERNAL_PER_CONF);
- ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);

 APR_OPTIONAL_HOOK(proxy, section_post_config,
 ssl_proxy_section_post_config, NULL, NULL,
diff --git modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_kernel.c
index 7cf048c..5e37545 100644
--- modules/ssl/ssl_engine_kernel.c
+++ modules/ssl/ssl_engine_kernel.c
@@ -416,6 +416,44 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn)
 /*
 * Access Handler
 */
+static const char *const ssl_export_environ_vars[] = {
+ "SSL_VERSION_INTERFACE",
+ "SSL_VERSION_LIBRARY",
+ "SSL_PROTOCOL",
+ "SSL_SECURE_RENEG",
+ "SSL_COMPRESS_METHOD",
+ "SSL_CIPHER",
+ "SSL_CIPHER_EXPORT",
+ "SSL_CIPHER_USEKEYSIZE",
+ "SSL_CIPHER_ALGKEYSIZE",
+ "SSL_CLIENT_VERIFY",
+ "SSL_CLIENT_M_VERSION",
+ "SSL_CLIENT_M_SERIAL",
+ "SSL_CLIENT_V_START",
+ "SSL_CLIENT_V_END",
+ "SSL_CLIENT_V_REMAIN",
+ "SSL_CLIENT_S_DN",
+ "SSL_CLIENT_I_DN",
+ "SSL_CLIENT_A_KEY",
+ "SSL_CLIENT_A_SIG",
+ "SSL_CLIENT_CERT_RFC4523_CEA",
+ "SSL_SERVER_M_VERSION",
+ "SSL_SERVER_M_SERIAL",
+ "SSL_SERVER_V_START",
+ "SSL_SERVER_V_END",
+ "SSL_SERVER_S_DN",
+ "SSL_SERVER_I_DN",
+ "SSL_SERVER_A_KEY",
+ "SSL_SERVER_A_SIG",
+ "SSL_SESSION_ID",
+ "SSL_SESSION_RESUMED",
+#ifdef HAVE_SRP
+ "SSL_SRP_USER",
+ "SSL_SRP_USERINFO",
+#endif
+ NULL
+};
+
 int ssl_hook_Access(request_rec *r)
 {
 SSLDirConfigRec *dc = myDirConfig(r);
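Review bot: `ssl_export_environ_vars` arrives with no comment, so a reader finds a bare string table between the "Access Handler" heading and `ssl_hook_Access` and has to locate the consumer to learn that the trailing NULL is a terminator rather than a placeholder. I would put above the `static const char *const ssl_export_environ_vars[] = {` line: `/* Names of the standard SSL variables that ssl_hook_Access copies into r->subprocess_env when SSL_OPT_STDENVVARS is set; the list is NULL-terminated. */` The entries match the removed ssl_hook_Fixup_vars table, so only placement and naming change here, and keeping the NULL outside the HAVE_SRP guard is correct.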
@@ -1145,6 +1183,68 @@ int ssl_hook_Access(request_rec *r)
 }
 }

+ apr_table_t *env = r->subprocess_env;
+
+ /*
+ * Annotate the SSI/CGI environment with standard SSL information
+ */
+ /* the always present HTTPS (=HTTP over SSL) flag! */
+ apr_table_setn(env, "HTTPS", "on");
+
+#ifdef HAVE_TLSEXT
+ /* add content of SNI TLS extension (if supplied with ClientHello) */
+ const char *servername;
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ apr_table_set(env, "SSL_TLS_SNI", servername);
+ }
+#endif
+
+ /* standard SSL environment variables */
+ if (dc->nOptions & SSL_OPT_STDENVVARS) {
+ modssl_var_extract_dns(env, ssl, r->pool);
+ modssl_var_extract_san_entries(env, ssl, r->pool);
+
+ for (i = 0; ssl_export_environ_vars[i]; i++) {
+ char *var = (char *)ssl_export_environ_vars[i];
+ char *val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+ if (!strIsEmpty(val)) {
+ apr_table_setn(env, var, val);
+ }
+ }
+ }
+
+ /*
+ * On-demand bloat up the SSI/CGI environment with certificate data
+ */
+ if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
+ char *val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, "SSL_SERVER_CERT");
+
+ apr_table_setn(env, "SSL_SERVER_CERT", val);
+
+ val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, "SSL_CLIENT_CERT");
+
+ apr_table_setn(env, "SSL_CLIENT_CERT", val);
+
+ STACK_OF(X509) *peer_certs = (STACK_OF(X509) *) SSL_get_peer_cert_chain(ssl);
+ if (peer_certs) {
+ for (i = 0; i < sk_X509_num(peer_certs); i++) {
+ char *var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
+ val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, var);
+ if (val) {
+ apr_table_setn(env, var, val);
+ }
+ }
+ }
+ }
+
+#ifdef SSL_get_secure_renegotiation_support
+ apr_table_setn(r->notes, "ssl-secure-reneg",
+ SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
+#endif
+
 /*
 * Else access is granted from our point of view (except vendor
 * handlers override). But we have to return DECLINED here instead
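Review bot: The export block relies on `ssl`, `dc` and `i` from the preamble of ssl_hook_Access, which begins above the hunk (the function also continues past it), and the removed ssl_hook_Fixup explicitly re-read `sslconn` from `r->connection->master` for requests on slave connections and accepted `SSL_ENABLED_OPTIONAL` servers, so whether variables are still exported for those requests depends on that preamble making the same choices — worth confirming before merging. A short comment at `apr_table_t *env = r->subprocess_env;` would also help the next reader, e.g. `/* Populate the SSI/CGI environment here rather than in a fixups hook, so it reflects the connection state at the time the access decision is made. */`. On style, `env`, `servername` and `peer_certs` are now declared after statements; if the file still follows the C89 placement the removed handler used, hoist them to the top of the function. Carried over rather than new: the `val` for SSL_SERVER_CERT and SSL_CLIENT_CERT is passed to `apr_table_setn` without the `if (val)` check the chain loop applies, so a NULL lookup result is stored unchecked.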
@@ -1292,135 +1392,6 @@ int ssl_hook_Auth(request_rec *r)
 return DECLINED;
 }

-/*
- * Fixup Handler
- */
-
-static const char *const ssl_hook_Fixup_vars[] = {
- "SSL_VERSION_INTERFACE",
- "SSL_VERSION_LIBRARY",
- "SSL_PROTOCOL",
- "SSL_SECURE_RENEG",
- "SSL_COMPRESS_METHOD",
- "SSL_CIPHER",
- "SSL_CIPHER_EXPORT",
- "SSL_CIPHER_USEKEYSIZE",
- "SSL_CIPHER_ALGKEYSIZE",
- "SSL_CLIENT_VERIFY",
- "SSL_CLIENT_M_VERSION",
- "SSL_CLIENT_M_SERIAL",
- "SSL_CLIENT_V_START",
- "SSL_CLIENT_V_END",
- "SSL_CLIENT_V_REMAIN",
- "SSL_CLIENT_S_DN",
- "SSL_CLIENT_I_DN",
- "SSL_CLIENT_A_KEY",
- "SSL_CLIENT_A_SIG",
- "SSL_CLIENT_CERT_RFC4523_CEA",
- "SSL_SERVER_M_VERSION",
- "SSL_SERVER_M_SERIAL",
- "SSL_SERVER_V_START",
- "SSL_SERVER_V_END",
- "SSL_SERVER_S_DN",
- "SSL_SERVER_I_DN",
- "SSL_SERVER_A_KEY",
- "SSL_SERVER_A_SIG",
- "SSL_SESSION_ID",
- "SSL_SESSION_RESUMED",
-#ifdef HAVE_SRP
- "SSL_SRP_USER",
- "SSL_SRP_USERINFO",
-#endif
- NULL
-};
-
-int ssl_hook_Fixup(request_rec *r)
-{
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
- SSLDirConfigRec *dc = myDirConfig(r);
- apr_table_t *env = r->subprocess_env;
- char *var, *val = "";
-#ifdef HAVE_TLSEXT
- const char *servername;
-#endif
- STACK_OF(X509) *peer_certs;
- SSL *ssl;
- int i;
-
- if (!(sslconn && sslconn->ssl) && r->connection->master) {
- sslconn = myConnConfig(r->connection->master);
- }
-
- /*
- * Check to see if SSL is on
- */
- if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
- return DECLINED;
- }
-
- /*
- * Annotate the SSI/CGI environment with standard SSL information
- */
- /* the always present HTTPS (=HTTP over SSL) flag! */
- apr_table_setn(env, "HTTPS", "on");
-
-#ifdef HAVE_TLSEXT
- /* add content of SNI TLS extension (if supplied with ClientHello) */
- if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
- apr_table_set(env, "SSL_TLS_SNI", servername);
- }
-#endif
-
- /* standard SSL environment variables */
- if (dc->nOptions & SSL_OPT_STDENVVARS) {
- modssl_var_extract_dns(env, ssl, r->pool);
- modssl_var_extract_san_entries(env, ssl, r->pool);
-
- for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
- var = (char *)ssl_hook_Fixup_vars[i];
- val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
- if (!strIsEmpty(val)) {
- apr_table_setn(env, var, val);
- }
- }
- }
-
- /*
- * On-demand bloat up the SSI/CGI environment with certificate data
- */
- if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
- val = ssl_var_lookup(r->pool, r->server, r->connection,
- r, "SSL_SERVER_CERT");
-
- apr_table_setn(env, "SSL_SERVER_CERT", val);
-
- val = ssl_var_lookup(r->pool, r->server, r->connection,
- r, "SSL_CLIENT_CERT");
-
- apr_table_setn(env, "SSL_CLIENT_CERT", val);
-
- if ((peer_certs = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) {
- for (i = 0; i < sk_X509_num(peer_certs); i++) {
- var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
- val = ssl_var_lookup(r->pool, r->server, r->connection,
- r, var);
- if (val) {
- apr_table_setn(env, var, val);
- }
- }
- }
- }
-
-
-#ifdef SSL_get_secure_renegotiation_support
- apr_table_setn(r->notes, "ssl-secure-reneg",
- SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
-#endif
-
- return DECLINED;
-}
-
 /* _________________________________________________________________
 **
 ** Authz providers for use with mod_authz_core
diff --git modules/ssl/ssl_private.h modules/ssl/ssl_private.h
index 6795ace..f370d74 100644
--- modules/ssl/ssl_private.h
+++ modules/ssl/ssl_private.h
@@ -837,7 +837,6 @@ apr_status_t ssl_init_ModuleKill(void *data);
 int ssl_hook_Auth(request_rec *);
 int ssl_hook_UserCheck(request_rec *);
 int ssl_hook_Access(request_rec *);
-int ssl_hook_Fixup(request_rec *);
 int ssl_hook_ReadReq(request_rec *);
 int ssl_hook_Upgrade(request_rec *);
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);