ssl_engine_compat.c

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

/*                      _             _
**  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
** | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
** | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
**                      |_____|
**  ssl_engine_compat.c
**  Backward Compatibility
*/

/* ====================================================================
 * Copyright (c) 1998-2006 Ralf S. Engelschall. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * 4. The names "mod_ssl" must not be used to endorse or promote
 *    products derived from this software without prior written
 *    permission. For written permission, please contact
 *    rse@engelschall.com.
 *
 * 5. Products derived from this software may not be called "mod_ssl"
 *    nor may "mod_ssl" appear in their names without prior
 *    written permission of Ralf S. Engelschall.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */

                             /* ``Backward compatibility is for
                                  users who don't want to live
                                  on the bleeding edge.''
                                            -- Unknown          */
#ifdef SSL_COMPAT

#include "mod_ssl.h"


/*  _________________________________________________________________
**
**  Backward Compatibility
**  _________________________________________________________________
*/

/*
 * The mapping of obsolete directives to official ones...
 */

static char *ssl_compat_RequireSSL(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLSessionLockFile(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLCacheDisable(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLRequireCipher(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLBanCipher(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSL_SessionDir(pool *, const char *, const char *, const char *);
static char *ssl_compat_words2list(pool *, const char *);

#define CRM_BEGIN              /* nop */
#define CRM_ENTRY(what,action) { what, action },
#define CRM_END                { NULL, NULL, NULL, NULL, NULL, NULL }
#define CRM_CMD(cmd)           cmd, NULL, NULL
#define CRM_STR(str)           NULL, str, NULL
#define CRM_PAT(cmd)           NULL, NULL, pat
#define CRM_LOG(msg)           msg, NULL, NULL
#define CRM_SUB(new)           NULL, new, NULL
#define CRM_CAL(fct)           NULL, NULL, fct

static struct {
    char *cpCommand;
    char *cpSubstring;
    char *cpPattern;
    char *cpMessage;
    char *cpSubst;
    char *(*fpSubst)(pool *, const char *, const char *, const char *);
} ssl_cmd_rewrite_map[] = {
    CRM_BEGIN

    /*
     * Apache-SSL 1.x & mod_ssl 2.0.x backward compatibility
     */
    CRM_ENTRY( CRM_CMD("SSLEnable"),                   CRM_SUB("SSLEngine on")                )
    CRM_ENTRY( CRM_CMD("SSLDisable"),                  CRM_SUB("SSLEngine off")               )
    CRM_ENTRY( CRM_CMD("SSLLogFile"),                  CRM_SUB("SSLLog")                      )
    CRM_ENTRY( CRM_CMD("SSLRequiredCiphers"),          CRM_SUB("SSLCipherSuite")              )
    CRM_ENTRY( CRM_CMD("SSLRequireCipher"),            CRM_CAL(ssl_compat_SSLRequireCipher)   )
    CRM_ENTRY( CRM_CMD("SSLBanCipher"),                CRM_CAL(ssl_compat_SSLBanCipher)       )
    CRM_ENTRY( CRM_CMD("SSLFakeBasicAuth"),            CRM_SUB("SSLOptions +FakeBasicAuth")   )
    CRM_ENTRY( CRM_CMD("SSLCacheServerPath"),          CRM_LOG("Use SSLSessionCache instead") )
    CRM_ENTRY( CRM_CMD("SSLCacheServerPort"),          CRM_LOG("Use SSLSessionCache instead") )

    /*
     * Apache-SSL 1.x backward compatibility
     */
    CRM_ENTRY( CRM_CMD("SSLExportClientCertificates"), CRM_SUB("SSLOptions +ExportCertData")  )
    CRM_ENTRY( CRM_CMD("SSLCacheServerRunDir"),        CRM_LOG("Not needed for mod_ssl")      )

    /*
     * Sioux 1.x backward compatibility
     */
    CRM_ENTRY( CRM_CMD("SSL_CertFile"),            CRM_SUB("SSLCertificateFile")              )
    CRM_ENTRY( CRM_CMD("SSL_KeyFile"),             CRM_SUB("SSLCertificateKeyFile")           )
    CRM_ENTRY( CRM_CMD("SSL_CipherSuite"),         CRM_SUB("SSLCipherSuite")                  )
    CRM_ENTRY( CRM_CMD("SSL_X509VerifyDir"),       CRM_SUB("SSLCACertificatePath")            )
    CRM_ENTRY( CRM_CMD("SSL_Log"),                 CRM_SUB("SSLLogFile")                      )
    CRM_ENTRY( CRM_CMD("SSL_Connect"),             CRM_SUB("SSLEngine")                       )
    CRM_ENTRY( CRM_CMD("SSL_ClientAuth"),          CRM_SUB("SSLVerifyClient")                 )
    CRM_ENTRY( CRM_CMD("SSL_X509VerifyDepth"),     CRM_SUB("SSLVerifyDepth")                  )
    CRM_ENTRY( CRM_CMD("SSL_FetchKeyPhraseFrom"),  CRM_LOG("Use SSLPassPhraseDialog instead") )
    CRM_ENTRY( CRM_CMD("SSL_SessionDir"),          CRM_CAL(ssl_compat_SSL_SessionDir)         )
    CRM_ENTRY( CRM_CMD("SSL_Require"),             CRM_LOG("Use SSLRequire instead (Syntax!)"))
    CRM_ENTRY( CRM_CMD("SSL_CertFileType"),        CRM_LOG("Not supported by mod_ssl")        )
    CRM_ENTRY( CRM_CMD("SSL_KeyFileType"),         CRM_LOG("Not supported by mod_ssl")        )
    CRM_ENTRY( CRM_CMD("SSL_X509VerifyPolicy"),    CRM_LOG("Not supported by mod_ssl")        )
    CRM_ENTRY( CRM_CMD("SSL_LogX509Attributes"),   CRM_LOG("Not supported by mod_ssl")        )

    /*
     * Stronghold 2.x backward compatibility
     */
    CRM_ENTRY( CRM_CMD("StrongholdAccelerator"),     CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("StrongholdKey"),             CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("StrongholdLicenseFile"),     CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSLFlag"),                   CRM_SUB("SSLEngine")                     )
    CRM_ENTRY( CRM_CMD("SSLClientCAfile"),           CRM_SUB("SSLCACertificateFile")          )
    CRM_ENTRY( CRM_CMD("SSLSessionLockFile"),        CRM_CAL(ssl_compat_SSLSessionLockFile)   )
    CRM_ENTRY( CRM_CMD("SSLCacheDisable"),           CRM_CAL(ssl_compat_SSLCacheDisable)      )
    CRM_ENTRY( CRM_CMD("RequireSSL"),                CRM_CAL(ssl_compat_RequireSSL)           )
    CRM_ENTRY( CRM_CMD("SSLCipherList"),             CRM_SUB("SSLCipherSuite")                )
    CRM_ENTRY( CRM_CMD("SSLErrorFile"),              CRM_LOG("Not needed for mod_ssl")        )
    CRM_ENTRY( CRM_CMD("SSLRoot"),                   CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSL_CertificateLogDir"),     CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("AuthCertDir"),               CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSL_Group"),                 CRM_LOG("Not supported by mod_ssl")      )
#ifndef SSL_EXPERIMENTAL_PROXY
    CRM_ENTRY( CRM_CMD("SSLProxyMachineCertPath"),   CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSLProxyMachineCertFile"),   CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSLProxyCACertificatePath"), CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSLProxyCACertificateFile"), CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSLProxyVerifyDepth"),       CRM_LOG("Not supported by mod_ssl")      )
    CRM_ENTRY( CRM_CMD("SSLProxyCipherList"),        CRM_LOG("Not supported by mod_ssl")      )
#else
    CRM_ENTRY( CRM_CMD("SSLProxyCipherList"),        CRM_SUB("SSLProxyCipherSuite")           )
#endif

    CRM_END
};

static char *ssl_compat_RequireSSL(
    pool *p, const char *oline, const char *cmd, const char *args)
{
    char *cp;
    
    for (cp = (char *)args; ap_isspace(*cp); cp++)
        ;
    if (strcEQ(cp, "on"))
        return "SSLRequireSSL";
    return "";
}

static char *ssl_compat_SSLSessionLockFile(
    pool *p, const char *oline, const char *cmd, const char *args)
{
    char *cp;

    for (cp = (char *)args; ap_isspace(*cp); cp++)
        ;
    return ap_pstrcat(p, "SSLMutex file:", cp, NULL);
}

static char *ssl_compat_SSLCacheDisable(
    pool *p, const char *oline, const char *cmd, const char *args)
{
    char *cp;

    for (cp = (char *)args; ap_isspace(*cp); cp++)
        ;
    if (strcEQ(cp, "on"))
        return "SSLSessionCache none";
    return "";
}

static char *ssl_compat_SSLRequireCipher(pool *p, const char *oline, const char *cmd, const char *args)
{
    return ap_pstrcat(p, "SSLRequire %{SSL_CIPHER} in {",
                          ssl_compat_words2list(p, args),
                          "}", NULL);
}

static char *ssl_compat_SSLBanCipher(pool *p, const char *oline, const char *cmd, const char *args)
{
    return ap_pstrcat(p, "SSLRequire not (%{SSL_CIPHER} in {",
                          ssl_compat_words2list(p, args),
                          "})", NULL);
}

static char *ssl_compat_SSL_SessionDir(
    pool *p, const char *oline, const char *cmd, const char *args)
{
    char *cp;
   
    for (cp = (char *)args; ap_isspace(*cp); cp++)
        ;
    return ap_pstrcat(p, "SSLSessionCache dir:", cp, NULL);
}

static char *ssl_compat_words2list(pool *p, const char *oline)
{
    char *line;
    char *cpB;
    char *cpE;
    char *cpI;
    char *cpO;
    char n;

    /*
     * Step 1: Determine borders
     */
    cpB = (char *)oline;
    while (*cpB == ' ' || *cpB == '\t')
       cpB++;
    cpE = cpB+strlen(cpB);
    while (cpE > cpB && (*(cpE-1) == ' ' || *(cpE-1) == '\t'))
        cpE--;

    /*
     * Step 2: Determine final size and allocate buffer