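/* Tail of the SSLCryptoDevice directive handler; its signature and the
 * declarations of cmd, arg, mc, e and err are above this span. */
    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
        return err;
    }

    if (strcEQ(arg, "builtin")) {
        mc->szCryptoDevice = NULL;
    }
    else if ((e = ENGINE_by_id(arg))) {
        mc->szCryptoDevice = arg;
        ENGINE_free(e);
    }
    else {
        /* Unknown engine id: build a list of every id the library knows
         * so the error message tells the admin what is acceptable. */
        err = "SSLCryptoDevice: Invalid argument; must be one of: "
              "'builtin' (none)";

        e = ENGINE_get_first();
        while (e) {
            ENGINE *en;
            err = apr_pstrcat(cmd->pool, err, ", '", ENGINE_get_id(e),
                              "' (", ENGINE_get_name(e), ")", NULL);
            en = ENGINE_get_next(e);
            ENGINE_free(e);
            e = en;
        }

        return err;
    }

    return NULL;
}
#endif

/*
 * Parse a non-negative decimal integer directive argument.
 *
 * Returns 0 and stores the value in *out on success.  Returns -1 (leaving
 * *out untouched) when arg is NULL or empty, has trailing non-digit
 * characters, is negative, or does not fit in an int.  atoi(), which the
 * byte-count and verify-depth parsers used before, silently yields 0 for
 * garbage such as "abc", which would have turned a typo into an accepted
 * setting.
 */
static int ssl_cmd_parse_nonneg_int(const char *arg, int *out)
{
    char *end = NULL;
    long val;

    if (!arg || !*arg) {
        return -1;
    }

    val = strtol(arg, &end, 10);

    /* end == arg: no digits at all; *end: trailing junk;
     * (long)(int)val != val: value was truncated by the narrowing. */
    if (end == arg || *end != '\0' || val < 0 || (long)(int)val != val) {
        return -1;
    }

    *out = (int)val;
    return 0;
}

/*
 * SSLRandomSeed <context> <source> [<bytes>]
 *
 * Appends one seed entry to the global mc->aRandSeed array.  <context> is
 * "startup" or "connect"; <source> is "builtin", "file:<path>",
 * "exec:<path>", "egd:<path>" (only with HAVE_SSL_RAND_EGD) or a bare path
 * treated as a file.  Paths are resolved relative to the server root and
 * must exist; a byte count is rejected for the builtin source.  Returns
 * NULL on success, otherwise an error string for the config parser.
 */
const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
                                  void *dcfg,
                                  const char *arg1,
                                  const char *arg2,
                                  const char *arg3)
{
    SSLModConfigRec *mc = myModConfig(cmd->server);
    const char *err;
    ssl_randseed_t *seed;
    size_t arg2len = strlen(arg2);
    int nbytes = 0;

    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
        return err;
    }

    /* Global config already fixed: silently keep the existing seeds. */
    if (ssl_config_global_isfixed(mc)) {
        return NULL;
    }

    seed = apr_array_push(mc->aRandSeed);

    if (strcEQ(arg1, "startup")) {
        seed->nCtx = SSL_RSCTX_STARTUP;
    }
    else if (strcEQ(arg1, "connect")) {
        seed->nCtx = SSL_RSCTX_CONNECT;
    }
    else {
        return apr_pstrcat(cmd->pool, "SSLRandomSeed: "
                           "invalid context: `", arg1, "'",
                           NULL);
    }

    /* The length checks keep a bare "file:" / "exec:" / "egd:" with no
     * path from being accepted as a prefix. */
    if ((arg2len > 5) && strEQn(arg2, "file:", 5)) {
        seed->nSrc   = SSL_RSSRC_FILE;
        seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
    }
    else if ((arg2len > 5) && strEQn(arg2, "exec:", 5)) {
        seed->nSrc   = SSL_RSSRC_EXEC;
        seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
    }
    else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
#ifdef HAVE_SSL_RAND_EGD
        seed->nSrc   = SSL_RSSRC_EGD;
        seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
#else
        return "egd not supported with this SSL toolkit";
#endif
    }
    else if (strcEQ(arg2, "builtin")) {
        seed->nSrc   = SSL_RSSRC_BUILTIN;
        seed->cpPath = NULL;
    }
    else {
        seed->nSrc   = SSL_RSSRC_FILE;
        seed->cpPath = ap_server_root_relative(mc->pPool, arg2);
    }

    if (seed->nSrc != SSL_RSSRC_BUILTIN) {
        if (!seed->cpPath) {
            return apr_pstrcat(cmd->pool,
                               "Invalid SSLRandomSeed path ",
                               arg2, NULL);
        }

        /* Only existence is checked here; the file/exec/egd distinction
         * decides how the path is used when seeding. */
        if (!ssl_util_path_check(SSL_PCM_EXISTS, seed->cpPath, cmd->pool)) {
            return apr_pstrcat(cmd->pool,
                               "SSLRandomSeed: source path '",
                               seed->cpPath, "' does not exist", NULL);
        }
    }

    if (!arg3) {
        seed->nBytes = 0; /* read whole file */
    }
    else {
        if (seed->nSrc == SSL_RSSRC_BUILTIN) {
            return "SSLRandomSeed: byte specification not "
                   "allowed for builtin seed source";
        }

        /* Strict parse: "512abc" or "abc" is an error rather than a
         * silently accepted 512 or 0. */
        if (ssl_cmd_parse_nonneg_int(arg3, &nbytes) != 0) {
            return "SSLRandomSeed: invalid number of bytes specified";
        }

        seed->nBytes = nbytes;
    }

    return NULL;
}

/*
 * SSLEngine On|Off|Optional
 *
 * Sets the per-server enabled state; the comparison is case-insensitive.
 * Returns NULL on success or an error string for any other argument.
 */
const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    if (!strcasecmp(arg, "On")) {
        sc->enabled = SSL_ENABLED_TRUE;
        return NULL;
    }
    else if (!strcasecmp(arg, "Off")) {
        sc->enabled = SSL_ENABLED_FALSE;
        return NULL;
    }
    else if (!strcasecmp(arg, "Optional")) {
        sc->enabled = SSL_ENABLED_OPTIONAL;
        return NULL;
    }

    return "Argument must be On, Off, or Optional";
}

/*
 * SSLCipherSuite <spec>
 *
 * Stores the cipher spec string as given: per-directory when the directive
 * appears inside a Directory/Location context (cmd->path set), otherwise
 * per-server.  The spec is not validated here.
 */
const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
                                   void *dcfg,
                                   const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;

    if (cmd->path) {
        dc->szCipherSuite = arg;
    }
    else {
        sc->server->auth.cipher_suite = arg;
    }

    return NULL;
}

#define SSL_FLAGS_CHECK_FILE \
    (SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO)

#define SSL_FLAGS_CHECK_DIR \
    (SSL_PCM_EXISTS|SSL_PCM_ISDIR)

/*
 * Resolve *file relative to the server root and require it to be an
 * existing, non-empty regular file.  On success *file is replaced by the
 * resolved path and NULL is returned; otherwise an error string naming
 * the directive is returned and *file is left unchanged.
 */
static const char *ssl_cmd_check_file(cmd_parms *parms,
                                      const char **file)
{
    const char *filepath = ap_server_root_relative(parms->pool, *file);

    if (!filepath) {
        return apr_pstrcat(parms->pool, parms->cmd->name,
                           ": Invalid file path ", *file, NULL);
    }
    *file = filepath;

    if (ssl_util_path_check(SSL_FLAGS_CHECK_FILE, *file, parms->pool)) {
        return NULL;
    }

    return apr_pstrcat(parms->pool, parms->cmd->name,
                       ": file '", *file,
                       "' does not exist or is empty", NULL);
}

/*
 * SSLHonorCipherOrder On|Off
 *
 * Records whether the server's cipher preference order wins over the
 * client's.  Only available when the SSL library defines
 * SSL_OP_CIPHER_SERVER_PREFERENCE; otherwise the directive is an error.
 */
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd,
                                        void *dcfg,
                                        int flag)
{
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    sc->cipher_server_pref = flag?TRUE:FALSE;
    return NULL;
#else
    /* Message previously misspelled the directive as "SSLHonorCiperOrder". */
    return "SSLHonorCipherOrder unsupported; not implemented by the SSL library";
#endif
}

/*
 * Resolve *dir relative to the server root and require it to be an
 * existing directory.  Same contract as ssl_cmd_check_file().
 */
static const char *ssl_cmd_check_dir(cmd_parms *parms,
                                     const char **dir)
{
    const char *dirpath = ap_server_root_relative(parms->pool, *dir);

    if (!dirpath) {
        return apr_pstrcat(parms->pool, parms->cmd->name,
                           ": Invalid dir path ", *dir, NULL);
    }
    *dir = dirpath;

    if (ssl_util_path_check(SSL_FLAGS_CHECK_DIR, *dir, parms->pool)) {
        return NULL;
    }

    return apr_pstrcat(parms->pool, parms->cmd->name,
                       ": directory '", *dir,
                       "' does not exist", NULL);
}

#define SSL_AIDX_CERTS 1
#define SSL_AIDX_KEYS  2

/*
 * Check a certificate or key file and store it in the first free slot of
 * the per-server cert_files/key_files table (SSL_AIDX_MAX entries).
 * idx selects the table: SSL_AIDX_CERTS or SSL_AIDX_KEYS.  Returns NULL
 * on success, or an error string when the file check fails, the table is
 * full, or idx is neither of the two known kinds.
 */
static const char *ssl_cmd_check_aidx_max(cmd_parms *parms,
                                          const char *arg,
                                          int idx)
{
    SSLSrvConfigRec *sc = mySrvConfig(parms->server);
    const char *err, *desc=NULL, **files=NULL;
    int i;

    if ((err = ssl_cmd_check_file(parms, &arg))) {
        return err;
    }

    switch (idx) {
      case SSL_AIDX_CERTS:
        desc = "certificates";
        files = sc->server->pks->cert_files;
        break;
      case SSL_AIDX_KEYS:
        desc = "private keys";
        files = sc->server->pks->key_files;
        break;
      default:
        /* Only the two kinds above exist; previously an unknown idx left
         * files == NULL and the loop below dereferenced it. */
        return apr_psprintf(parms->pool,
                            "%s: internal error, unknown file index %d",
                            parms->cmd->name, idx);
    }

    for (i = 0; i < SSL_AIDX_MAX; i++) {
        if (!files[i]) {
            files[i] = arg;
            return NULL;
        }
    }

    return apr_psprintf(parms->pool,
                        "%s: only up to %d "
                        "different %s per virtual host allowed",
                         parms->cmd->name, SSL_AIDX_MAX, desc);
}

/* SSLCertificateFile <file>: add a server certificate file. */
const char *ssl_cmd_SSLCertificateFile(cmd_parms *cmd,
                                       void *dcfg,
                                       const char *arg)
{
    const char *err;

    if ((err = ssl_cmd_check_aidx_max(cmd, arg, SSL_AIDX_CERTS))) {
        return err;
    }

    return NULL;
}

/* SSLCertificateKeyFile <file>: add a server private key file. */
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
                                          void *dcfg,
                                          const char *arg)
{
    const char *err;

    if ((err = ssl_cmd_check_aidx_max(cmd, arg, SSL_AIDX_KEYS))) {
        return err;
    }

    return NULL;
}

/* SSLCertificateChainFile <file>: set the per-server chain file. */
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd,
                                            void *dcfg,
                                            const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    sc->server->cert_chain = arg;

    return NULL;
}

#define NO_PER_DIR_SSL_CA \
    "Your ssl library does not have support for per-directory CA"

#ifdef HAVE_SSL_SET_CERT_STORE
#  define MODSSL_HAVE_SSL_SET_CERT_STORE 1
#else
#  define MODSSL_HAVE_SSL_SET_CERT_STORE 0
#endif

/* Helper for a per-directory CA setting; the CA handlers below currently
 * store only the per-server value (see their XXX notes), so this macro is
 * not referenced within this part of the file. */
#define MODSSL_SET_CA(f) \
    if (cmd->path) \
        if (MODSSL_HAVE_SSL_SET_CERT_STORE) \
            dc->f = arg; \
        else \
            return NO_PER_DIR_SSL_CA; \
    else \
        sc->f = arg

/* SSLCACertificatePath <dir>: directory of CA certs for client auth. */
const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd,
                                         void *dcfg,
                                         const char *arg)
{
    /*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_dir(cmd, &arg))) {
        return err;
    }

    /* XXX: bring back per-dir */
    sc->server->auth.ca_cert_path = arg;

    return NULL;
}

/* SSLCACertificateFile <file>: single file of CA certs for client auth. */
const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
                                         void *dcfg,
                                         const char *arg)
{
    /*SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;*/
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    /* XXX: bring back per-dir */
    sc->server->auth.ca_cert_file = arg;

    return NULL;
}

/* SSLCADNRequestPath <dir>: directory of CA names sent in the cert request. */
const char *ssl_cmd_SSLCADNRequestPath(cmd_parms *cmd, void *dcfg,
                                       const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_dir(cmd, &arg))) {
        return err;
    }

    sc->server->pks->ca_name_path = arg;

    return NULL;
}

/* SSLCADNRequestFile <file>: file of CA names sent in the cert request. */
const char *ssl_cmd_SSLCADNRequestFile(cmd_parms *cmd, void *dcfg,
                                       const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    sc->server->pks->ca_name_file = arg;

    return NULL;
}

/* SSLCARevocationPath <dir>: directory of CRLs. */
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd,
                                        void *dcfg,
                                        const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_dir(cmd, &arg))) {
        return err;
    }

    sc->server->crl_path = arg;

    return NULL;
}

/* SSLCARevocationFile <file>: single CRL file. */
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd,
                                        void *dcfg,
                                        const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ssl_cmd_check_file(cmd, &arg))) {
        return err;
    }

    sc->server->crl_file = arg;

    return NULL;
}

/*
 * Map a client-verification keyword to its ssl_verify_t value:
 * none/off, optional, require/on, optional_no_ca.  Returns NULL and
 * sets *id on success; any other keyword yields an error string and
 * leaves *id untouched.
 */
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
                                        const char *arg,
                                        ssl_verify_t *id)
{
    if (strcEQ(arg, "none") || strcEQ(arg, "off")) {
        *id = SSL_CVERIFY_NONE;
    }
    else if (strcEQ(arg, "optional")) {
        *id = SSL_CVERIFY_OPTIONAL;
    }
    else if (strcEQ(arg, "require") || strcEQ(arg, "on")) {
        *id = SSL_CVERIFY_REQUIRE;
    }
    else if (strcEQ(arg, "optional_no_ca")) {
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
    }
    else {
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
                           ": Invalid argument '", arg, "'",
                           NULL);
    }

    return NULL;
}

/*
 * SSLVerifyClient <mode>
 *
 * Per-directory (cmd->path set) or per-server client verification mode.
 */
const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd,
                                    void *dcfg,
                                    const char *arg)
{
    SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    ssl_verify_t mode;
    const char *err;

    if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {
        return err;
    }

    if (cmd->path) {
        dc->nVerifyClient = mode;
    }
    else {
        sc->server->auth.verify_mode = mode;
    }

    return NULL;
}

/*
 * Parse a verify-depth argument into *depth.  Returns NULL on success or
 * an error string.  A non-numeric argument is now an error; with atoi()
 * it used to become depth 0, silently changing the chain policy.
 */
static const char *ssl_cmd_verify_depth_parse(cmd_parms *parms,
                                              const char *arg,
                                              int *depth)
{
    if (ssl_cmd_parse_nonneg_int(arg, depth) == 0) {
        return NULL;
    }

    return apr_pstrcat(parms->temp_pool, parms->cmd->name,
                       ": Invalid argument '", arg, "'",
                       NULL);
}

const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd,
                                   void *dcfg,
                                   const char *arg)
{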