📄 ssl_engine_config.c
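return new;
}

/*
 *  Directive Rewriting
 */

/*
 * Rewrite hook for configuration lines.
 *
 * With SSL_COMPAT defined the line is handed to ssl_compat_directive()
 * together with the server and pool from `cmd`; without it the hook
 * always returns NULL.
 */
char *ssl_hook_RewriteCommand(cmd_parms *cmd, void *config, const char *cmd_line)
{
#ifdef SSL_COMPAT
    return ssl_compat_directive(cmd->server, cmd->pool, cmd_line);
#else
    return NULL;
#endif
}

/*
 *  Configuration functions for particular directives
 */

/*
 * SSLMutex: select the mutex mode stored in the module configuration.
 *
 * Accepted arguments are "none", "file:<path>" and "sem". The directive is
 * rejected outside the global context and is skipped without error when
 * ssl_config_global_isfixed() reports true.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLMutex(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    const char *err;
    SSLModConfigRec *mc = myModConfig();

    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
        return err;
    if (ssl_config_global_isfixed())
        return NULL;
    if (strcEQ(arg, "none")) {
        mc->nMutexMode = SSL_MUTEXMODE_NONE;
    }
    else if (strlen(arg) > 5 && strcEQn(arg, "file:", 5)) {
#ifndef WIN32
        mc->nMutexMode = SSL_MUTEXMODE_FILE;
        /*
         * The lock file name is the resolved path with ".<pid>" appended.
         * NOTE(review): that name is predictable; how the file is created
         * is not visible here, so the configured directory should be
         * writable only by the account that starts the server.
         */
        mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu",
                                      ssl_util_server_root_relative(cmd->pool, "mutex", arg+5),
                                      (unsigned long)getpid());
#else
        return "SSLMutex: Lockfiles not available on this platform";
#endif
    }
    else if (strcEQ(arg, "sem")) {
#ifdef SSL_CAN_USE_SEM
        mc->nMutexMode = SSL_MUTEXMODE_SEM;
#else
        return "SSLMutex: Semaphores not available on this platform";
#endif
    }
    else
        return "SSLMutex: Invalid argument";
    return NULL;
}

/*
 * SSLPassPhraseDialog: choose how pass phrases are obtained.
 *
 * "builtin" selects SSL_PPTYPE_BUILTIN with no path; "exec:<path>" selects
 * SSL_PPTYPE_FILTER and records the resolved path. Global context only.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLPassPhraseDialog(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
        return err;
    if (strcEQ(arg, "builtin")) {
        sc->nPassPhraseDialogType  = SSL_PPTYPE_BUILTIN;
        sc->szPassPhraseDialogPath = NULL;
    }
    else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) {
        sc->nPassPhraseDialogType  = SSL_PPTYPE_FILTER;
        sc->szPassPhraseDialogPath = ssl_util_server_root_relative(cmd->pool, "dialog", arg+5);
        /*
         * NOTE(review): only existence is checked (SSL_PCM_EXISTS), not
         * file type, ownership or mode. The path is presumably executed
         * later to supply key pass phrases -- confirm that the program is
         * not writable by unprivileged users.
         */
        if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath))
            return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
                              sc->szPassPhraseDialogPath, "' not exists", NULL);
    }
    else
        return "SSLPassPhraseDialog: Invalid argument";
    return NULL;
}

#ifdef SSL_EXPERIMENTAL_ENGINE
/*
 * SSLCryptoDevice: record the id of the crypto engine to use.
 *
 * "builtin" clears the setting; any other value must be an id that
 * ENGINE_by_id() can resolve. Global context only.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCryptoDevice(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLModConfigRec *mc = myModConfig();
    const char *err;
    ENGINE *e;
#if SSL_LIBRARY_VERSION >= 0x00907000
    static int loaded_engines = FALSE;

    /* early loading to make sure the engines are already
       available for ENGINE_by_id() below; the static flag
       limits this to the first invocation */
    if (!loaded_engines) {
        ENGINE_load_builtin_engines();
        loaded_engines = TRUE;
    }
#endif
    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
        return err;
    if (strcEQ(arg, "builtin")) {
        mc->szCryptoDevice = NULL;
    }
    else if ((e = ENGINE_by_id(arg)) != NULL) {
        /* the lookup only validates the id: the string is stored and the
           engine reference is released again */
        mc->szCryptoDevice = arg;
        ENGINE_free(e);
    }
    else
        return "SSLCryptoDevice: Invalid argument";
    return NULL;
}
#endif

/*
 * SSLRandomSeed: append one seeding source to mc->aRandSeed.
 *
 * arg1 is the context ("startup" or "connect"). arg2 names the source:
 * "file:<path>", "exec:<path>", "egd:<path>" (only when the SSL library
 * version check below passes), "builtin", or a bare path that is treated
 * as a file. arg3 is an optional byte count. Global context only; skipped
 * without error when ssl_config_global_isfixed() reports true.
 *
 * The array entry is pushed before the arguments are validated, so an
 * error return leaves a partially filled entry behind.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLRandomSeed(
    cmd_parms *cmd, char *struct_ptr, char *arg1, char *arg2, char *arg3)
{
    SSLModConfigRec *mc = myModConfig();
    const char *err;
    ssl_randseed_t *pRS;

    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
        return err;
    if (ssl_config_global_isfixed())
        return NULL;
    pRS = ap_push_array(mc->aRandSeed);
    if (strcEQ(arg1, "startup"))
        pRS->nCtx = SSL_RSCTX_STARTUP;
    else if (strcEQ(arg1, "connect"))
        pRS->nCtx = SSL_RSCTX_CONNECT;
    else
        /* the argument list must end with NULL like every other
           ap_pstrcat() call in this file; without the terminator the
           call reads past its variadic arguments */
        return ap_pstrcat(cmd->pool, "SSLRandomSeed: "
                          "invalid context: `", arg1, "'", NULL);
    if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) {
        pRS->nSrc   = SSL_RSSRC_FILE;
        pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+5));
    }
    else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) {
        pRS->nSrc   = SSL_RSSRC_EXEC;
        pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+5));
    }
#if SSL_LIBRARY_VERSION >= 0x00905100
    else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) {
        pRS->nSrc   = SSL_RSSRC_EGD;
        pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2+4));
    }
#endif
    else if (strcEQ(arg2, "builtin")) {
        pRS->nSrc   = SSL_RSSRC_BUILTIN;
        pRS->cpPath = NULL;
    }
    else {
        /* no recognised prefix: the whole argument is taken as a file path */
        pRS->nSrc   = SSL_RSSRC_FILE;
        pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, "random", arg2));
    }
    if (pRS->nSrc != SSL_RSSRC_BUILTIN)
        if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath))
            return ap_pstrcat(cmd->pool, "SSLRandomSeed: source path '",
                              pRS->cpPath, "' not exists", NULL);
    if (arg3 == NULL)
        pRS->nBytes = 0; /* read whole file */
    else {
        if (pRS->nSrc == SSL_RSSRC_BUILTIN)
            return "SSLRandomSeed: byte specification not "
                   "allowed for builtin seed source";
        /*
         * NOTE(review): atoi() yields 0 for text that is not a number, so
         * a mistyped count is stored as 0, the same value used above for
         * "read whole file", instead of being rejected.
         */
        pRS->nBytes = atoi(arg3);
        if (pRS->nBytes < 0)
            return "SSLRandomSeed: invalid number of bytes specified";
    }
    return NULL;
}

/*
 * SSLEngine: store the on/off flag as TRUE or FALSE in the server
 * configuration. Always returns NULL.
 */
const char *ssl_cmd_SSLEngine(
    cmd_parms *cmd, char *struct_ptr, int flag)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    sc->bEnabled = (flag ? TRUE : FALSE);
    return NULL;
}

/*
 * SSLCipherSuite: store the cipher specification string unchanged.
 *
 * It goes into the server configuration when the directive carries no path
 * (or no directory configuration was passed), otherwise into the directory
 * configuration. The string is not validated here. Always returns NULL.
 */
const char *ssl_cmd_SSLCipherSuite(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    if (cmd->path == NULL || dc == NULL)
        sc->szCipherSuite = arg;
    else
        dc->szCipherSuite = arg;
    return NULL;
}

/*
 * SSLCertificateFile: register a server certificate file.
 *
 * The resolved path must exist, be a regular file and be non-empty. It is
 * stored in the first free slot of sc->szPublicCertFile; at most
 * SSL_AIDX_MAX entries are accepted.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCertificateFile(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;
    int i;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '",
                          cpPath, "' not exists or empty", NULL);
    /* find the first unused slot */
    for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++)
        ;
    if (i == SSL_AIDX_MAX)
        return ap_psprintf(cmd->pool, "SSLCertificateFile: only up to %d "
                           "different certificates per virtual host allowed",
                           SSL_AIDX_MAX);
    sc->szPublicCertFile[i] = cpPath;
    return NULL;
}

/*
 * SSLCertificateKeyFile: register a private key file.
 *
 * Same checks and slot handling as for certificate files, using
 * sc->szPrivateKeyFile. The check covers existence, file type and size
 * only.
 * NOTE(review): file ownership and mode of the key are not examined in
 * this function -- confirm they are enforced elsewhere or by deployment.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCertificateKeyFile(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;
    int i;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
                          cpPath, "' not exists or empty", NULL);
    /* find the first unused slot */
    for (i = 0; i < SSL_AIDX_MAX && sc->szPrivateKeyFile[i] != NULL; i++)
        ;
    if (i == SSL_AIDX_MAX)
        return ap_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d "
                           "different private keys per virtual host allowed",
                           SSL_AIDX_MAX);
    sc->szPrivateKeyFile[i] = cpPath;
    return NULL;
}

/*
 * SSLCertificateChainFile: record the certificate chain file, which must
 * exist, be a regular file and be non-empty.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCertificateChainFile(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
                          cpPath, "' not exists or empty", NULL);
    sc->szCertificateChain = cpPath;
    return NULL;
}

/*
 * SSLCACertificatePath: record the CA certificate directory, which must
 * exist and be a directory.
 *
 * With SSL_EXPERIMENTAL_PERDIRCA the value goes to the directory
 * configuration when the directive carries a path and `dc` is set;
 * otherwise it always goes to the server configuration.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCACertificatePath(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
        return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
                          cpPath, "' not exists", NULL);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
    if (cmd->path == NULL || dc == NULL)
        sc->szCACertificatePath = cpPath;
    else
        dc->szCACertificatePath = cpPath;
#else
    sc->szCACertificatePath = cpPath;
#endif
    return NULL;
}

/*
 * SSLCACertificateFile: record the CA certificate bundle, which must
 * exist, be a regular file and be non-empty.
 *
 * Server versus directory placement follows the same
 * SSL_EXPERIMENTAL_PERDIRCA rule as the CA certificate path.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCACertificateFile(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
                          cpPath, "' not exists or empty", NULL);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
    if (cmd->path == NULL || dc == NULL)
        sc->szCACertificateFile = cpPath;
    else
        dc->szCACertificateFile = cpPath;
#else
    sc->szCACertificateFile = cpPath;
#endif
    return NULL;
}

/*
 * SSLCARevocationPath: record the CRL directory in the server
 * configuration; it must exist and be a directory.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCARevocationPath(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
        /* message now names the directive correctly (was "SSLCARecocationPath") */
        return ap_pstrcat(cmd->pool, "SSLCARevocationPath: directory '",
                          cpPath, "' not exists", NULL);
    sc->szCARevocationPath = cpPath;
    return NULL;
}

/*
 * SSLCARevocationFile: record the CRL file in the server configuration;
 * it must exist, be a regular file and be non-empty.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLCARevocationFile(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
                          cpPath, "' not exists or empty", NULL);
    sc->szCARevocationFile = cpPath;
    return NULL;
}

/*
 * SSLVerifyClient: map the level keyword or digit to an ssl_verify_t.
 *
 * "0"/"none", "1"/"optional", "2"/"require" and "3"/"optional_no_ca" are
 * accepted; anything else is an error. The result is stored in the server
 * configuration when the directive carries no path (or `dc` is NULL),
 * otherwise in the directory configuration.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLVerifyClient(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *level)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    ssl_verify_t id;

    if (strEQ(level, "0") || strcEQ(level, "none"))
        id = SSL_CVERIFY_NONE;
    else if (strEQ(level, "1") || strcEQ(level, "optional"))
        id = SSL_CVERIFY_OPTIONAL;
    else if (strEQ(level, "2") || strcEQ(level, "require"))
        id = SSL_CVERIFY_REQUIRE;
    else if (strEQ(level, "3") || strcEQ(level, "optional_no_ca"))
        id = SSL_CVERIFY_OPTIONAL_NO_CA;
    else
        return "SSLVerifyClient: Invalid argument";
    if (cmd->path == NULL || dc == NULL)
        sc->nVerifyClient = id;
    else
        dc->nVerifyClient = id;
    return NULL;
}

/*
 * SSLVerifyDepth: store the verification depth in the server or directory
 * configuration (same placement rule as SSLVerifyClient).
 *
 * NOTE(review): the value is parsed with atoi(), so text that is not a
 * number is stored as depth 0 instead of being rejected; only negative
 * values produce an error.
 *
 * Returns NULL on success or an error string.
 */
const char *ssl_cmd_SSLVerifyDepth(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    int d;

    d = atoi(arg);
    if (d < 0)
        return "SSLVerifyDepth: Invalid argument";
    if (cmd->path == NULL || dc == NULL)
        sc->nVerifyDepth = d;
    else
        dc->nVerifyDepth = d;
    return NULL;
}

const char *ssl_cmd_SSLSessionCache(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    const char *err;
    SSLModConfigRec *mc = myModConfig();
    char *cp, *cp2;
    int maxsize;

    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)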