
Commit f20bd2e

author
Stefan Fritsch
committed
Add authz providers for use with mod_authz_core and its RequireAny/RequireAll
containers: 'ssl' (equivalent to SSLRequireSSL) 'ssl-verify-client' (for use with 'SSLVerifyClient optional') 'ssl-require' (expressions with same syntax as SSLRequire) We may decide to axe 'ssl-require' again in favor of the generic 'expr' provider, depending on the development of the ap_expr parser. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002837 13f79535-47bb-0310-9956-ffa450edef68
1 parent 06a8bb9 commit f20bd2e

8 files changed

Lines changed: 166 additions & 9 deletions


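--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,12 @@
 
 Changes with Apache 2.3.9
 
+  *) mod_ssl: Add authz providers for use with mod_authz_core and its
+     RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
+     'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
+     'ssl-require' (expressions with same syntax as SSLRequire).
+     [Stefan Fritsch]
+
   *) mod_ssl: Make the ssl expression parser thread-safe. It now requires
      bison instead of yacc. [Stefan Fritsch]
 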

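--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -554,6 +554,22 @@ static void ssl_register_hooks(apr_pool_t *p)
 
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+
+    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
+                              AUTHZ_PROVIDER_VERSION,
+                              &ssl_authz_provider_require_ssl,
+                              AP_AUTH_INTERNAL_PER_CONF);
+
+    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
+                              AUTHZ_PROVIDER_VERSION,
+                              &ssl_authz_provider_verify_client,
+                              AP_AUTH_INTERNAL_PER_CONF);
+
+    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-require",
+                              AUTHZ_PROVIDER_VERSION,
+                              &ssl_authz_provider_sslrequire,
+                              AP_AUTH_INTERNAL_PER_CONF);
+
 }
 
 module AP_MODULE_DECLARE_DATA ssl_module = {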

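--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1151,7 +1151,7 @@ const char *ssl_cmd_SSLRequire(cmd_parms *cmd,
     ssl_require_t *require;
     const char *errstring;
 
-    if (!(expr = ssl_expr_comp(cmd->pool, (char *)arg, &errstring))) {
+    if (!(expr = ssl_expr_comp(cmd->pool, arg, &errstring))) {
         return apr_pstrcat(cmd->pool, "SSLRequire: ", errstring, NULL);
     }
 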
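--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1202,6 +1202,135 @@ int ssl_hook_Fixup(request_rec *r)
     return DECLINED;
 }
 
+/* _________________________________________________________________
+**
+** Authz providers for use with mod_authz_core
+** _________________________________________________________________
+*/
+
+static authz_status ssl_authz_require_ssl_check(request_rec *r,
+                                                const char *require_line,
+                                                const void *parsed)
+{
+    SSLConnRec *sslconn = myConnConfig(r->connection);
+    SSL *ssl = sslconn ? sslconn->ssl : NULL;
+
+    if (ssl)
+        return AUTHZ_GRANTED;
+    else
+        return AUTHZ_DENIED;
+}
+
+static const char *ssl_authz_require_ssl_parse(cmd_parms *cmd,
+                                               const char *require_line,
+                                               const void **parsed)
+{
+    if (require_line && require_line[0])
+        return "'Require ssl' does not take arguments";
+
+    return NULL;
+}
+
+const authz_provider ssl_authz_provider_require_ssl =
+{
+    &ssl_authz_require_ssl_check,
+    &ssl_authz_require_ssl_parse,
+};
+
+static authz_status ssl_authz_verify_client_check(request_rec *r,
+                                                  const char *require_line,
+                                                  const void *parsed)
+{
+    SSLConnRec *sslconn = myConnConfig(r->connection);
+    SSL *ssl = sslconn ? sslconn->ssl : NULL;
+
+    if (!ssl)
+        return AUTHZ_DENIED;
+
+    if (sslconn->verify_error == NULL &&
+        sslconn->verify_info == NULL &&
+        SSL_get_verify_result(ssl) == X509_V_OK)
+    {
+        X509 *xs = SSL_get_peer_certificate(ssl);
+
+        if (xs) {
+            X509_free(xs);
+            return AUTHZ_GRANTED;
+        }
+        else {
+            X509_free(xs);
+        }
+    }
+
+    return AUTHZ_DENIED;
+}
+
+static const char *ssl_authz_verify_client_parse(cmd_parms *cmd,
+                                                 const char *require_line,
+                                                 const void **parsed)
+{
+    if (require_line && require_line[0])
+        return "'Require ssl-verify-client' does not take arguments";
+
+    return NULL;
+}
+
+const authz_provider ssl_authz_provider_verify_client =
+{
+    &ssl_authz_verify_client_check,
+    &ssl_authz_verify_client_parse,
+};
+
+
+static authz_status ssl_authz_sslrequire_check(request_rec *r,
+                                               const char *require_line,
+                                               const void *parsed)
+{
+    const ssl_expr *expr = parsed;
+    const char *errstring;
+    int ok = ssl_expr_exec(r, expr, &errstring);
+
+    if (ok < 0) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Failed to execute SSL requirement expression in "
+                      "'Require ssl-require': %s",
+                      errstring);
+        return AUTHZ_DENIED;
+    }
+
+    if (ok != 1) {
+        ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+                      "SSL requirement expression in 'Require ssl-require' "
+                      "not fulfilled");
+        return AUTHZ_DENIED;
+    }
+
+    return AUTHZ_GRANTED;
+}
+
+static const char *ssl_authz_sslrequire_parse(cmd_parms *cmd,
+                                              const char *require_line,
+                                              const void **parsed)
+{
+    const char *errstring;
+    ssl_expr *expr = ssl_expr_comp(cmd->pool, require_line, &errstring);
+
+    if (!expr)
+        return apr_psprintf(cmd->pool, "Error in 'Require require-ssl': %s",
+                            errstring);
+
+    *parsed = expr;
+
+    return NULL;
+}
+
+const authz_provider ssl_authz_provider_sslrequire =
+{
+    &ssl_authz_sslrequire_check,
+    &ssl_authz_sslrequire_parse,
+};
+
+
 /* _________________________________________________________________
 **
 ** OpenSSL Callback Functions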
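Review bot: The configuration error returned by ssl_authz_sslrequire_parse names a provider that does not exist: the directive registered in mod_ssl.c is `Require ssl-require`, but the string at new line 1319 reads `'Require require-ssl'`, which will send an administrator looking for the wrong directive; change it to `"Error in 'Require ssl-require': %s"` so it matches the log messages in ssl_authz_sslrequire_check. In ssl_authz_verify_client_check the else branch at lines 1260-1262 only calls `X509_free(xs)` with xs already known to be NULL, a no-op, so the branch can be dropped and the function left to fall through to the final `return AUTHZ_DENIED`. The `if (xs)` test there is the load-bearing part of the provider, since SSL_get_verify_result() also returns X509_V_OK when the client presented no certificate at all, and a one-line comment saying so, e.g. `/* X509_V_OK is also returned when no client cert was sent; insist on one */`, would keep a later cleanup from removing it. The two `if ... return` bodies in the parse helpers are unbraced single statements while the rest of the file braces them; bracing them would match the surrounding style.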

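--- a/modules/ssl/ssl_expr.c
+++ b/modules/ssl/ssl_expr.c
@@ -36,7 +36,7 @@
 */
 
 
-ssl_expr *ssl_expr_comp(apr_pool_t *p, char *expr, const char **err)
+ssl_expr *ssl_expr_comp(apr_pool_t *p, const char *expr, const char **err)
 {
     ssl_expr_info_type context;
     int rc;
@@ -72,7 +72,7 @@ ssl_expr *ssl_expr_make(ssl_expr_node_op op, void *a1, void *a2,
     return node;
 }
 
-int ssl_expr_exec(request_rec *r, ssl_expr *expr, const char **err)
+int ssl_expr_exec(request_rec *r, const ssl_expr *expr, const char **err)
 {
     BOOL rc;
 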

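--- a/modules/ssl/ssl_expr.h
+++ b/modules/ssl/ssl_expr.h
@@ -85,9 +85,9 @@ typedef ssl_expr_node ssl_expr;
 
 typedef struct {
     apr_pool_t *pool;
-    char *inputbuf;
+    const char *inputbuf;
     int inputlen;
-    char *inputptr;
+    const char *inputptr;
     ssl_expr *expr;
     void *scanner;
     char *error;
@@ -99,11 +99,11 @@ int ssl_expr_yylex_init(void **scanner);
 int ssl_expr_yylex_destroy(void *scanner);
 void ssl_expr_yyset_extra(ssl_expr_info_type *context, void *scanner);
 
-ssl_expr *ssl_expr_comp(apr_pool_t *p, char *exprstr, const char **err);
-int ssl_expr_exec(request_rec *r, ssl_expr *expr, const char **err);
+ssl_expr *ssl_expr_comp(apr_pool_t *p, const char *exprstr, const char **err);
+int ssl_expr_exec(request_rec *r, const ssl_expr *expr, const char **err);
 ssl_expr *ssl_expr_make(ssl_expr_node_op op, void *arg1, void *arg2,
                         ssl_expr_info_type *context);
-BOOL ssl_expr_eval(request_rec *r, ssl_expr *expr, const char **err);
+BOOL ssl_expr_eval(request_rec *r, const ssl_expr *expr, const char **err);
 
 #endif /* __SSL_EXPR_H__ */
 /** @} */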

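--- a/modules/ssl/ssl_expr_eval.c
+++ b/modules/ssl/ssl_expr_eval.c
@@ -41,7 +41,7 @@ static BOOL ssl_expr_eval_oid(request_rec *r, const char *word,
 static char *ssl_expr_eval_func_file(request_rec *, char *, const char **err);
 static int ssl_expr_eval_strcmplex(char *, char *, const char **err);
 
-BOOL ssl_expr_eval(request_rec *r, ssl_expr *node, const char **err)
+BOOL ssl_expr_eval(request_rec *r, const ssl_expr *node, const char **err)
 {
     switch (node->node_op) {
       case op_True: {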

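--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -51,6 +51,7 @@
 #include "apr_global_mutex.h"
 #include "apr_optional.h"
 #include "ap_socache.h"
+#include "mod_auth.h"
 
 #define MOD_SSL_VERSION AP_SERVER_BASEREVISION
 
@@ -613,6 +614,11 @@ int ssl_hook_ReadReq(request_rec *);
 int ssl_hook_Upgrade(request_rec *);
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s);
 
+/** Apache authz provisders */
+extern const authz_provider ssl_authz_provider_require_ssl;
+extern const authz_provider ssl_authz_provider_verify_client;
+extern const authz_provider ssl_authz_provider_sslrequire;
+
 /** OpenSSL callbacks */
 RSA *ssl_callback_TmpRSA(SSL *, int, int);
 DH *ssl_callback_TmpDH(SSL *, int, int);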
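Review bot: The Doxygen comment added at new line 617 misspells the word "providers" as `provisders`; change it to `/** Apache authz providers */` so the generated documentation reads correctly. Since these three externs are the only public surface of the new providers, the comment is also the natural place to say which `Require` names they back, e.g. `/** Apache authz providers: 'ssl', 'ssl-verify-client', 'ssl-require' */`, matching the registrations in mod_ssl.c.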
