📄 ssl_engine_config.c
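/* Listing resumes inside ssl_cmd_SSLSessionCache(); its opening lines are not part of this excerpt. */
        return err;
    if (ssl_config_global_isfixed())
        return NULL;
    if (strcEQ(arg, "none")) {
        mc->nSessionCacheMode      = SSL_SCMODE_NONE;
        mc->szSessionCacheDataFile = NULL;
    }
    else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) {
        mc->nSessionCacheMode      = SSL_SCMODE_DBM;
        mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
                                     ssl_util_server_root_relative(cmd->pool, "scache", arg+4));
    }
    else if (   (strlen(arg) > 4 && strcEQn(arg, "shm:",   4))
             || (strlen(arg) > 6 && strcEQn(arg, "shmht:", 6))) {
        if (!ap_mm_useable())
            return "SSLSessionCache: shared memory cache not useable on this platform";
        mc->nSessionCacheMode      = SSL_SCMODE_SHMHT;
        cp = strchr(arg, ':');
        mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
                                     ssl_util_server_root_relative(cmd->pool, "scache", cp+1));
        mc->tSessionCacheDataTable = NULL;
        mc->nSessionCacheDataSize  = 1024*512; /* 512KB */
        if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
            *cp++ = NUL;
            if ((cp2 = strchr(cp, ')')) == NULL)
                return "SSLSessionCache: Invalid argument: no closing parenthesis";
            *cp2 = NUL;
            mc->nSessionCacheDataSize = atoi(cp);
            if (mc->nSessionCacheDataSize < 8192)
                return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
            maxsize = ap_mm_core_maxsegsize();
            if (mc->nSessionCacheDataSize >= maxsize)
                return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
                                   "size has to be < %d bytes on this platform", maxsize);
        }
    }
    else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) {
        if (!ap_mm_useable())
            return "SSLSessionCache: shared memory cache not useable on this platform";
        mc->nSessionCacheMode      = SSL_SCMODE_SHMCB;
        mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
                                     ap_server_root_relative(cmd->pool, arg+6));
        mc->tSessionCacheDataTable = NULL;
        mc->nSessionCacheDataSize  = 1024*512; /* 512KB */
        if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
            *cp++ = NUL;
            if ((cp2 = strchr(cp, ')')) == NULL)
                return "SSLSessionCache: Invalid argument: no closing parenthesis";
            *cp2 = NUL;
            mc->nSessionCacheDataSize = atoi(cp);
            if (mc->nSessionCacheDataSize < 8192)
                return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
            maxsize = ap_mm_core_maxsegsize();
            if (mc->nSessionCacheDataSize >= maxsize)
                return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
                                   "size has to be < %d bytes on this platform", maxsize);
        }
    }
    else
#ifdef SSL_VENDOR
        if (!ap_hook_use("ap::mod_ssl::vendor::cmd_sslsessioncache",
                         AP_HOOK_SIG4(void,ptr,ptr,ptr),
                         AP_HOOK_MODE_ALL, cmd, arg, mc))
#endif
            return "SSLSessionCache: Invalid argument";
    return NULL;
}

/*
 * Parse a directive argument as a non-negative decimal integer.
 *
 * Returns 1 and stores the value in *out when the whole argument is a
 * decimal number that is >= 0 and fits in an int. Returns 0 (leaving
 * *out untouched) for a NULL or empty argument, for an argument with no
 * digits or with trailing characters, and for negative or too-large
 * values.
 *
 * atoi() cannot tell "0" from "abc" and has undefined behaviour on
 * overflow, so a typo in a security-relevant number would be accepted
 * silently; strtol() with an end-pointer check rejects it at
 * configuration time instead.
 */
static int ssl_config_parse_nonneg_int(const char *arg, int *out)
{
    char *end;
    long  val;

    if (arg == NULL || *arg == NUL)
        return 0;
    val = strtol(arg, &end, 10);
    /* no digits consumed, or something follows the number */
    if (end == arg || *end != NUL)
        return 0;
    /*
     * Range check without relying on <limits.h>: the round trip through
     * int only preserves the value when it fits. Where long and int have
     * the same width, strtol() clamps an overflowing value to the
     * largest long, which then passes this test as that maximum.
     */
    if (val < 0 || val != (long)(int)val)
        return 0;
    *out = (int)val;
    return 1;
}

/*
 * SSLSessionCacheTimeout directive: set the per-server session cache
 * timeout from a non-negative integer argument.
 *
 * Returns NULL on success or a static error string when the argument is
 * not a valid non-negative integer. The configuration record is only
 * written once the value has been validated. struct_ptr is unused.
 */
const char *ssl_cmd_SSLSessionCacheTimeout(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    int timeout;

    if (!ssl_config_parse_nonneg_int(arg, &timeout))
        return "SSLSessionCacheTimeout: Invalid argument";
    sc->nSessionCacheTimeout = timeout;
    return NULL;
}

/*
 * SSLLog directive: record the SSL log file name for this server.
 *
 * Rejected (with the message from ap_check_cmd_context) inside
 * <Limit>, <Directory>, <Location> and <Files> sections. The argument
 * pointer is stored as given; no path resolution or existence check is
 * done in this handler. struct_ptr is unused.
 */
const char *ssl_cmd_SSLLog(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ap_check_cmd_context(cmd,  NOT_IN_LIMIT|NOT_IN_DIRECTORY
                                         |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL)
        return err;
    sc->szLogFile = arg;
    return NULL;
}

/*
 * SSLLogLevel directive: map a level keyword to the per-server log level.
 *
 * Accepted keywords (compared with strcEQ): none, error, warn, info,
 * trace, debug. Any other word returns "SSLLogLevel: Invalid argument".
 * Subject to the same context restrictions as SSLLog. struct_ptr is
 * unused.
 */
const char *ssl_cmd_SSLLogLevel(
    cmd_parms *cmd, char *struct_ptr, char *level)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err;

    if ((err = ap_check_cmd_context(cmd,  NOT_IN_LIMIT|NOT_IN_DIRECTORY
                                         |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL)
        return err;
    if (strcEQ(level, "none"))
        sc->nLogLevel = SSL_LOG_NONE;
    else if (strcEQ(level, "error"))
        sc->nLogLevel = SSL_LOG_ERROR;
    else if (strcEQ(level, "warn"))
        sc->nLogLevel = SSL_LOG_WARN;
    else if (strcEQ(level, "info"))
        sc->nLogLevel = SSL_LOG_INFO;
    else if (strcEQ(level, "trace"))
        sc->nLogLevel = SSL_LOG_TRACE;
    else if (strcEQ(level, "debug"))
        sc->nLogLevel = SSL_LOG_DEBUG;
    else
        return "SSLLogLevel: Invalid argument";
    return NULL;
}

/*
 * SSLOptions directive: parse a whitespace-separated option list into
 * the per-directory option masks.
 *
 * Each word may carry a '+' or '-' prefix:
 *   +Opt  sets the bit in nOptions and nOptionsAdd, clears it in nOptionsDel
 *   -Opt  clears the bit in nOptions and nOptionsAdd, sets it in nOptionsDel
 *   Opt   replaces nOptions and nOptionsAdd with exactly this option and
 *         resets nOptionsDel
 *
 * Returns NULL on success, or a pool-allocated message naming the first
 * unrecognised option.
 */
const char *ssl_cmd_SSLOptions(
    cmd_parms *cmd, SSLDirConfigRec *dc, const char *cpLine)
{
    ssl_opt_t opt;
    int   first;
    char  action;
    char *w;

    first = TRUE;
    while (cpLine[0] != NUL) {
        w = ap_getword_conf(cmd->pool, &cpLine);
        action = NUL;

        if (*w == '+' || *w == '-') {
            action = *(w++);
        }
        else if (first) {
            /* the first unprefixed word starts from an empty option set */
            dc->nOptions = SSL_OPT_NONE;
            first = FALSE;
        }

        if (strcEQ(w, "StdEnvVars"))
            opt = SSL_OPT_STDENVVARS;
        else if (strcEQ(w, "CompatEnvVars"))
            opt = SSL_OPT_COMPATENVVARS;
        else if (strcEQ(w, "ExportCertData"))
            opt = SSL_OPT_EXPORTCERTDATA;
        else if (strcEQ(w, "FakeBasicAuth"))
            opt = SSL_OPT_FAKEBASICAUTH;
        else if (strcEQ(w, "StrictRequire"))
            opt = SSL_OPT_STRICTREQUIRE;
        else if (strcEQ(w, "OptRenegotiate"))
            opt = SSL_OPT_OPTRENEGOTIATE;
        else
            return ap_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL);

        if (action == '-') {
            dc->nOptionsAdd &= ~opt;
            dc->nOptionsDel |=  opt;
            dc->nOptions    &= ~opt;
        }
        else if (action == '+') {
            dc->nOptionsAdd |=  opt;
            dc->nOptionsDel &= ~opt;
            dc->nOptions    |=  opt;
        }
        else {
            /*
             * Plain assignment, not OR: every unprefixed word overwrites
             * what earlier words on the same line set up, so only the
             * last unprefixed option (plus later +/- words) survives.
             */
            dc->nOptions    = opt;
            dc->nOptionsAdd = opt;
            dc->nOptionsDel = SSL_OPT_NONE;
        }
    }
    return NULL;
}

/*
 * SSLRequireSSL directive: mark the directory as requiring SSL.
 * cmd and cipher are unused; always returns NULL.
 */
const char *ssl_cmd_SSLRequireSSL(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *cipher)
{
    dc->bSSLRequired = TRUE;
    return NULL;
}

/*
 * SSLRequire directive: compile an access-control expression and append
 * it to the directory's requirement list.
 *
 * Returns NULL on success. If ssl_expr_comp() fails, returns a
 * pool-allocated "SSLRequire: <error>" message and adds nothing, so a
 * malformed expression is refused at configuration time. Both the
 * source text (copied into cmd->pool) and the compiled form are kept.
 */
const char *ssl_cmd_SSLRequire(
    cmd_parms *cmd, SSLDirConfigRec *dc, char *cpExpr)
{
    ssl_expr *mpExpr;
    ssl_require_t *pReqRec;

    if ((mpExpr = ssl_expr_comp(cmd->pool, cpExpr)) == NULL)
        return ap_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL);
    pReqRec = ap_push_array(dc->aRequirement);
    pReqRec->cpExpr = ap_pstrdup(cmd->pool, cpExpr);
    pReqRec->mpExpr = mpExpr;
    return NULL;
}

/*
 * SSLProtocol directive: build the enabled-protocol mask for a server.
 *
 * Words are SSLv2, SSLv3, TLSv1 or all, each optionally prefixed with
 * '+' (add to the mask) or '-' (remove from the mask); an unprefixed
 * word replaces the mask accumulated so far. Parsing starts from
 * SSL_PROTOCOL_NONE, so an empty argument leaves no protocol enabled.
 * sc->nProtocol is written only after the whole line parsed cleanly.
 *
 * Returns NULL on success, or a pool-allocated message naming the first
 * unrecognised word. struct_ptr is unused.
 *
 * NOTE(review): this parser accepts SSLv2 and SSLv3, which are
 * prohibited/deprecated (RFC 6176, RFC 7568), and TLSv1, deprecated by
 * RFC 8996. Nothing here restricts them, so protocol policy has to be
 * enforced in the deployed configuration; what "all" expands to depends
 * on SSL_PROTOCOL_ALL, which is defined outside this excerpt.
 */
const char *ssl_cmd_SSLProtocol(
    cmd_parms *cmd, char *struct_ptr, const char *opt)
{
    SSLSrvConfigRec *sc;
    ssl_proto_t options, thisopt;
    char action;
    char *w;

    sc = mySrvConfig(cmd->server);
    options = SSL_PROTOCOL_NONE;
    while (opt[0] != NUL) {
        w = ap_getword_conf(cmd->pool, &opt);

        action = NUL;
        if (*w == '+' || *w == '-')
            action = *(w++);

        if (strcEQ(w, "SSLv2"))
            thisopt = SSL_PROTOCOL_SSLV2;
        else if (strcEQ(w, "SSLv3"))
            thisopt = SSL_PROTOCOL_SSLV3;
        else if (strcEQ(w, "TLSv1"))
            thisopt = SSL_PROTOCOL_TLSV1;
        else if (strcEQ(w, "all"))
            thisopt = SSL_PROTOCOL_ALL;
        else
            return ap_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", w, "'", NULL);

        if (action == '-')
            options &= ~thisopt;
        else if (action == '+')
            options |= thisopt;
        else
            options = thisopt;
    }
    sc->nProtocol = options;
    return NULL;
}

#ifdef SSL_EXPERIMENTAL_PROXY

/*
 * SSLProxyProtocol directive: same grammar and semantics as
 * ssl_cmd_SSLProtocol(), but the resulting mask is stored in
 * sc->nProxyProtocol. struct_ptr is unused.
 *
 * NOTE(review): as with SSLProtocol, the obsolete SSLv2/SSLv3 keywords
 * are accepted here; restricting them is left to the configuration.
 */
const char *ssl_cmd_SSLProxyProtocol(
    cmd_parms *cmd, char *struct_ptr, const char *opt)
{
    SSLSrvConfigRec *sc;
    ssl_proto_t options, thisopt;
    char action;
    char *w;

    sc = mySrvConfig(cmd->server);
    options = SSL_PROTOCOL_NONE;
    while (opt[0] != NUL) {
        w = ap_getword_conf(cmd->pool, &opt);

        action = NUL;
        if (*w == '+' || *w == '-')
            action = *(w++);

        if (strcEQ(w, "SSLv2"))
            thisopt = SSL_PROTOCOL_SSLV2;
        else if (strcEQ(w, "SSLv3"))
            thisopt = SSL_PROTOCOL_SSLV3;
        else if (strcEQ(w, "TLSv1"))
            thisopt = SSL_PROTOCOL_TLSV1;
        else if (strcEQ(w, "all"))
            thisopt = SSL_PROTOCOL_ALL;
        else
            return ap_pstrcat(cmd->pool, "SSLProxyProtocol: "
                              "Illegal protocol '", w, "'", NULL);
        if (action == '-')
            options &= ~thisopt;
        else if (action == '+')
            options |= thisopt;
        else
            options = thisopt;
    }
    sc->nProxyProtocol = options;
    return NULL;
}

/*
 * SSLProxyCipherSuite directive: store the cipher suite string for
 * proxy connections. The string is kept as given and is not parsed or
 * validated in this handler. struct_ptr is unused; always returns NULL.
 */
const char *ssl_cmd_SSLProxyCipherSuite(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    sc->szProxyCipherSuite = arg;
    return NULL;
}

/*
 * SSLProxyVerify directive: store the flag as TRUE/FALSE in
 * sc->bProxyVerify. struct_ptr is unused; always returns NULL.
 */
const char *ssl_cmd_SSLProxyVerify(
    cmd_parms *cmd, char *struct_ptr, int flag)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

    sc->bProxyVerify = (flag ? TRUE : FALSE);
    return NULL;
}

/*
 * SSLProxyVerifyDepth directive: set the proxy certificate verification
 * depth from a non-negative integer argument.
 *
 * Returns NULL on success or a static error string when the argument is
 * not a valid non-negative integer. Non-numeric input is refused rather
 * than being read as depth 0. struct_ptr is unused.
 */
const char *ssl_cmd_SSLProxyVerifyDepth(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    int d;

    if (!ssl_config_parse_nonneg_int(arg, &d))
        return "SSLProxyVerifyDepth: Invalid argument";
    sc->nProxyVerifyDepth = d;
    return NULL;
}

/*
 * SSLProxyCACertificateFile directive: resolve the argument with
 * ssl_util_server_root_relative(), require the path check to pass, and
 * store the resolved path.
 *
 * Returns NULL on success or a pool-allocated message naming the path.
 * struct_ptr is unused.
 *
 * NOTE(review): judging by the flag names the check covers existence,
 * regular-file type and non-zero size only, and it runs once at
 * configuration time; ownership and permissions of the trust anchor
 * file are not examined here.
 */
const char *ssl_cmd_SSLProxyCACertificateFile(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
                          cpPath, "' not exists or empty", NULL);
    sc->szProxyCACertificateFile = cpPath;
    return NULL;
}

/*
 * SSLProxyCACertificatePath directive: resolve the argument, require it
 * to pass the existence/directory path check, and store the resolved
 * path. Returns NULL on success or a pool-allocated message naming the
 * path. struct_ptr is unused.
 */
const char *ssl_cmd_SSLProxyCACertificatePath(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
        return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
                          cpPath, "' does not exists", NULL);
    sc->szProxyCACertificatePath = cpPath;
    return NULL;
}

/*
 * SSLProxyMachineCertificateFile directive: resolve the argument,
 * require it to pass the existence/regular-file/non-zero path check,
 * and store it as the proxy client certificate file.
 *
 * Returns NULL on success or a pool-allocated message naming the path.
 * struct_ptr is unused.
 *
 * NOTE(review): presumably this file holds the client certificate the
 * proxy presents (and possibly its key) - confirm against the code that
 * loads it. This handler does not check file permissions.
 */
const char *ssl_cmd_SSLProxyMachineCertificateFile(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
        return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
                          cpPath, "' not exists or empty", NULL);
    sc->szProxyClientCertificateFile = cpPath;
    return NULL;
}

/*
 * SSLProxyMachineCertificatePath directive: resolve the argument,
 * require it to pass the existence/directory path check, and store it
 * as the proxy client certificate directory. Returns NULL on success or
 * a pool-allocated message naming the path. struct_ptr is unused.
 */
const char *ssl_cmd_SSLProxyMachineCertificatePath(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *cpPath;

    cpPath = ssl_util_server_root_relative(cmd->pool, "certkey", arg);
    if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
        return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
                          cpPath, "' does not exists", NULL);
    sc->szProxyClientCertificatePath = cpPath;
    return NULL;
}

#endif /* SSL_EXPERIMENTAL_PROXY */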