Hi,
Here's a patch which exposes more of the ssl_engine_ext.c code. The
ap_hook_* calls have not yet been ported to the 2.0 hook style. Please let
me know if you have any comments or suggestions.
Thanks
-Madhu & Julius
<<patch_ext.txt>>
Index: mod_ssl.h
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.22
diff -u -r1.22 mod_ssl.h
--- mod_ssl.h 2001/07/30 22:35:33 1.22
+++ mod_ssl.h 2001/07/31 00:07:19
@@ -703,9 +701,7 @@
/* Extensions */
void ssl_ext_register(apr_pool_t *p);
-#if 0 /* XXX */
void ssl_ext_unregister(void);
-#endif
/* Utility Functions */
char *ssl_util_vhostid(apr_pool_t *, server_rec *);
Index: ssl_engine_ext.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_ext.c,v
retrieving revision 1.5
diff -u -r1.5 ssl_engine_ext.c
--- ssl_engine_ext.c 2001/07/30 22:35:33 1.5
+++ ssl_engine_ext.c 2001/07/31 02:02:59
@@ -69,7 +69,6 @@
#include "..\..\modules\loggers\mod_log_config.h"
static void ssl_ext_mlc_register(apr_pool_t *p);
-#if 0 /* XXX */
static void ssl_ext_mlc_unregister(void);
static void ssl_ext_mr_register(void);
static void ssl_ext_mr_unregister(void);
@@ -77,31 +76,25 @@
static void ssl_ext_mp_unregister(void);
static void ssl_ext_ms_register(void);
static void ssl_ext_ms_unregister(void);
-#endif /* XXX */
void ssl_ext_register(apr_pool_t *p)
{
ssl_ext_mlc_register(p);
-#if 0 /* XXX */
ssl_ext_mr_register();
ssl_ext_mp_register();
ssl_ext_ms_register();
-#endif /* XXX */
return;
}
void ssl_ext_unregister(void)
{
-#if 0 /* XXX */
ssl_ext_mlc_unregister();
ssl_ext_mr_unregister();
ssl_ext_mp_unregister();
ssl_ext_ms_unregister();
-#endif /* XXX */
return;
}
-
/* _________________________________________________________________
**
** SSL Extension to mod_log_config
@@ -128,16 +121,16 @@
return;
}
-#if 0 /* XXX - We don't really need this (do we???) */
static void ssl_ext_mlc_unregister(void)
{
+#if 0 /* XXX */
ap_hook_unregister("ap::mod_log_config::log_c",
ssl_ext_mlc_log_c);
ap_hook_unregister("ap::mod_log_config::log_x",
ssl_ext_mlc_log_x);
+#endif /* XXX */
return;
}
-#endif /* XXX */
/*
* implement the %{..}c log function
@@ -189,7 +182,6 @@
** _________________________________________________________________
*/
-#if 0 /* XXX */
static char *ssl_ext_mr_lookup_variable(request_rec *r, char *var);
/*
@@ -197,15 +189,19 @@
*/
static void ssl_ext_mr_register(void)
{
+#if 0 /* XXX */
ap_hook_register("ap::mod_rewrite::lookup_variable",
ssl_ext_mr_lookup_variable, AP_HOOK_NOCTX);
+#endif /* XXX */
return;
}
static void ssl_ext_mr_unregister(void)
{
+#if 0 /* XXX */
ap_hook_unregister("ap::mod_rewrite::lookup_variable",
ssl_ext_mr_lookup_variable);
+#endif /* XXX */
return;
}
@@ -228,11 +224,11 @@
static int ssl_ext_mp_canon(request_rec *, char *);
static int ssl_ext_mp_handler(request_rec *, void *, char *, char *, int, char *);
static int ssl_ext_mp_set_destport(request_rec *);
-static char *ssl_ext_mp_new_connection(request_rec *, BUFF *, char *);
-static void ssl_ext_mp_close_connection(void *);
-static int ssl_ext_mp_write_host_header(request_rec *, BUFF *, char *, int, char *);
+static char *ssl_ext_mp_new_connection(request_rec *, char *);
+static apr_status_t ssl_ext_mp_close_connection(void *);
+static int ssl_ext_mp_write_host_header(request_rec *, char *, int, char *);
#ifdef SSL_EXPERIMENTAL_PROXY
-static void ssl_ext_mp_init(server_rec *, pool *);
+static void ssl_ext_mp_init(server_rec *, apr_pool_t *);
static int ssl_ext_mp_verify_cb(int, X509_STORE_CTX *);
static int ssl_ext_mp_clientcert_cb(SSL *, X509 **, EVP_PKEY **);
#endif
@@ -242,6 +238,7 @@
*/
static void ssl_ext_mp_register(void)
{
+#if 0 /* XXX */
#ifdef SSL_EXPERIMENTAL_PROXY
ap_hook_register("ap::mod_proxy::init",
ssl_ext_mp_init, AP_HOOK_NOCTX);
@@ -256,11 +253,13 @@
ssl_ext_mp_new_connection, AP_HOOK_NOCTX);
ap_hook_register("ap::mod_proxy::http::handler::write_host_header",
ssl_ext_mp_write_host_header, AP_HOOK_NOCTX);
+#endif /* XXX */
return;
}
static void ssl_ext_mp_unregister(void)
{
+#if 0 /* XXX */
#ifdef SSL_EXPERIMENTAL_PROXY
ap_hook_unregister("ap::mod_proxy::init", ssl_ext_mp_init);
#endif
@@ -272,6 +271,7 @@
ssl_ext_mp_new_connection);
ap_hook_unregister("ap::mod_proxy::http::handler::write_host_header",
ssl_ext_mp_write_host_header);
+#endif /* XXX */
return;
}
@@ -279,7 +279,7 @@
* SSL proxy initialization
*/
#ifdef SSL_EXPERIMENTAL_PROXY
-static void ssl_ext_mp_init(server_rec *s, pool *p)
+static void ssl_ext_mp_init(server_rec *s, apr_pool_t *p)
{
SSLSrvConfigRec *sc;
char *cpVHostID;
@@ -295,7 +295,7 @@
for (; s != NULL; s = s->next) {
sc = mySrvConfig(s);
cpVHostID = ssl_util_vhostid(p, s);
-
+
if (sc->bProxyVerify == UNSET)
sc->bProxyVerify = FALSE;
@@ -308,7 +308,7 @@
cpVHostID);
ssl_die();
}
- cp = ap_pstrcat(p, (sc->nProxyProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " :
""),
+ cp = apr_pstrcat(p, (sc->nProxyProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " :
+""),
(sc->nProxyProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " :
""),
(sc->nProxyProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " :
""), NULL);
cp[strlen(cp)-2] = NUL;
@@ -421,8 +421,10 @@
if (strcEQn(url, "https:", 6)) {
rc = OK;
+#if 0 /* XXX */
ap_hook_call("ap::mod_proxy::http::canon",
&rc, r, url+6, "https", DEFAULT_HTTPS_PORT);
+#endif /* XXX */
return rc;
}
return DECLINED;
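Review bot: With the `ap::mod_proxy::http::canon` call disabled, `rc = OK` is still returned for every `https:` URL, so callers are told the URL was canonicalized when nothing has looked at it. Until the 2.0 hook replaces the disabled `ap_hook_call`, the stub should not report success; an `#else` branch on the new `#if 0` keeps the intent visible: `#else` / `rc = DECLINED; /* XXX no canonicalization available until the 2.0 hook is ported */` / `#endif`. ssl_ext_mp_canon begins outside this hunk.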
@@ -434,26 +436,28 @@
int rc;
if (strcEQ(protocol, "https")) {
- ap_ctx_set(r->ctx, "ssl::proxy::enabled", PTRUE);
+ apr_table_setn(r->notes, "ssl::proxy::enabled", PTRUE);
+#if 0 /* XXX */
ap_hook_call("ap::mod_proxy::http::handler",
&rc, r, cr, url, proxyhost, proxyport);
+#endif /* XXX */
return rc;
}
else {
- ap_ctx_set(r->ctx, "ssl::proxy::enabled", PFALSE);
+ apr_table_setn(r->notes, "ssl::proxy::enabled", PFALSE);
}
return DECLINED;
}
static int ssl_ext_mp_set_destport(request_rec *r)
{
- if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PTRUE)
+ if (apr_table_get(r->notes, "ssl::proxy::enabled") == PTRUE)
return DEFAULT_HTTPS_PORT;
else
return DEFAULT_HTTP_PORT;
}
-static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer)
+static char *ssl_ext_mp_new_connection(request_rec *r, char *peer)
{
#ifndef SSL_EXPERIMENTAL_PROXY
SSL_CTX *ssl_ctx;
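Review bot: In ssl_ext_mp_handler the `https` branch now returns `rc` uninitialized, because the only assignment to it was the `ap_hook_call` that this change wraps in `#if 0`; the declaration should become `int rc = DECLINED;` so the stub has a defined result. The new `apr_table_setn`/`apr_table_get` pairs also rely on pointer identity for `PTRUE`/`PFALSE`, which only holds because `setn` stores the pointer without copying; a one-line comment such as `/* PTRUE/PFALSE are compared by pointer: use apr_table_setn, never apr_table_set */` would stop a later cleanup from breaking ssl_ext_mp_set_destport. If `PFALSE` is a null-pointer constant as in the 1.x code, an absent note also compares equal to it, which is presumably the intended default but worth confirming. ssl_ext_mp_new_connection continues past the end of this hunk.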
@@ -461,14 +465,14 @@
SSL *ssl;
char *errmsg;
int rc;
- char *cpVHostID;
+ unsigned char *cpVHostID;
char *cpVHostMD5;
#ifdef SSL_EXPERIMENTAL_PROXY
SSLSrvConfigRec *sc;
char *cp;
#endif
- if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PFALSE)
+ if (apr_table_get(r->notes, "ssl::proxy::enabled") == PFALSE)
return NULL;
/*
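Review bot: Changing `cpVHostID` to `unsigned char *` only serves the `ap_md5` call, yet the same pointer is later passed to `%s` in `apr_psprintf` and to `apr_table_setn`, both of which expect `char *`; keeping the original `char *cpVHostID;` and casting at the single `ap_md5` call, `cpVHostMD5 = ap_md5(r->pool, (unsigned char *)cpVHostID);`, is the smaller change and avoids the mismatched pointer types. ssl_ext_mp_new_connection continues outside this hunk.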
@@ -477,7 +481,7 @@
#ifdef SSL_EXPERIMENTAL_PROXY
sc = mySrvConfig(r->server);
#endif
- cpVHostID = ssl_util_vhostid(r->pool, r->server);
+ cpVHostID = (unsigned char *)ssl_util_vhostid(r->pool, r->server);
/*
* Create a SSL context and handle
@@ -489,71 +493,70 @@
ssl = SSL_new(ssl_ctx);
#endif
if (ssl == NULL) {
- errmsg = ap_psprintf(r->pool, "SSL proxy new failed (%s): peer %s: %s",
+ errmsg = apr_psprintf(r->pool, "SSL proxy new failed (%s): peer %s: %s",
cpVHostID, peer,
ERR_reason_error_string(ERR_get_error()));
- ap_ctx_set(fb->ctx, "ssl", NULL);
+ apr_table_setn(r->connection->notes, "ssl", NULL);
return errmsg;
}
SSL_clear(ssl);
- cpVHostMD5 = ap_md5(r->pool, (unsigned char *)cpVHostID);
+ cpVHostMD5 = ap_md5(r->pool, cpVHostID);
if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5,
strlen(cpVHostMD5))) {
- errmsg = ap_psprintf(r->pool, "Unable to set session id context to `%s': peer
%s: %s",
+ errmsg = apr_psprintf(r->pool, "Unable to set session id context to `%s':
+peer %s: %s",
cpVHostMD5, peer,
ERR_reason_error_string(ERR_get_error()));
- ap_ctx_set(fb->ctx, "ssl", NULL);
+ apr_table_setn(r->connection->notes, "ssl", NULL);
return errmsg;
}
+#if 0 /* XXX - Do something. It'll not work as it is now - TBD */
SSL_set_fd(ssl, fb->fd);
+#endif /* XXX */
#ifdef SSL_EXPERIMENTAL_PROXY
- SSL_set_app_data(ssl, fb->ctx);
+ SSL_set_app_data(ssl, r->connection->notes);
#endif
- ap_ctx_set(fb->ctx, "ssl", ssl);
+ apr_table_setn(r->connection->notes, "ssl", (void *)ssl);
#ifdef SSL_EXPERIMENTAL_PROXY
- ap_ctx_set(fb->ctx, "ssl::proxy::server_rec", r->server);
- ap_ctx_set(fb->ctx, "ssl::proxy::peer", peer);
- ap_ctx_set(fb->ctx, "ssl::proxy::servername", cpVHostID);
- ap_ctx_set(fb->ctx, "ssl::proxy::verifyerror", NULL);
+ apr_table_setn(r->connection->notes, "ssl::proxy::server_rec", r->server);
+ apr_table_setn(r->connection->notes, "ssl::proxy::peer", peer);
+ apr_table_setn(r->connection->notes, "ssl::proxy::servername", cpVHostID);
+ apr_table_setn(r->connection->notes, "ssl::proxy::verifyerror", NULL);
#endif
/*
* Give us a chance to gracefully close the connection
*/
- ap_register_cleanup(r->pool, (void *)fb,
- ssl_ext_mp_close_connection, ssl_ext_mp_close_connection);
+ apr_pool_cleanup_register(r->pool, (void *)ssl,
+ ssl_ext_mp_close_connection, ssl_ext_mp_close_connection);
/*
* Establish the SSL connection
*/
if ((rc = SSL_connect(ssl)) <= 0) {
#ifdef SSL_EXPERIMENTAL_PROXY
- if ((cp = (char *)ap_ctx_get(fb->ctx, "ssl::proxy::verifyerror")) != NULL) {
+ if ((cp = (char *)apr_table_get(r->connection->notes,
+"ssl::proxy::verifyerror")) != NULL) {
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
- ap_ctx_set(fb->ctx, "ssl", NULL);
- ap_bsetflag(fb, B_EOF|B_EOUT, 1);
+ apr_table_setn(r->connection->notes, "ssl", NULL);
return NULL;
}
#endif
- errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s",
+ errmsg = apr_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s",
cpVHostID, peer,
ERR_reason_error_string(ERR_get_error()));
ssl_log(r->server, SSL_LOG_ERROR, errmsg);
SSL_free(ssl);
- ap_ctx_set(fb->ctx, "ssl", NULL);
+ apr_table_setn(r->connection->notes, "ssl", NULL);
return errmsg;
}
return NULL;
}
-static void ssl_ext_mp_close_connection(void *_fb)
+static apr_status_t ssl_ext_mp_close_connection(void *_fb)
{
- BUFF *fb = _fb;
- SSL *ssl;
+ SSL *ssl = (SSL *)_fb;
#ifndef SSL_EXPERIMENTAL_PROXY
SSL_CTX *ctx;
#endif
- ssl = ap_ctx_get(fb->ctx, "ssl");
if (ssl != NULL) {
#ifndef SSL_EXPERIMENTAL_PROXY
ctx = SSL_get_SSL_CTX(ssl);
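Review bot: The cleanup is now registered with `ssl` itself as its data, but both failure paths after `SSL_connect` call `SSL_free(ssl)` and return without unregistering it, so at pool destruction ssl_ext_mp_close_connection runs `SSL_get_SSL_CTX`/`SSL_set_shutdown`/`SSL_free` on an already-freed SSL; the old code was safe because the cleanup looked `ssl` up through `fb->ctx`, which those paths set to NULL. Add `apr_pool_cleanup_kill(r->pool, ssl, ssl_ext_mp_close_connection);` immediately before each `SSL_free(ssl)` in the failure branches, or move the `apr_pool_cleanup_register` call below a successful `SSL_connect`. Since `SSL_set_fd` is disabled by this same hunk, `SSL_connect` can only fail at present, so the use-after-free is the path that actually executes. The `apr_table_setn(r->connection->notes, "ssl", (void *)ssl)` line stores a non-string pointer in a `const char *` table and deserves a comment saying it must only ever be read back with `apr_table_get` and cast, never copied. ssl_ext_mp_close_connection continues past the end of this hunk.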
@@ -561,23 +564,29 @@
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
- ap_ctx_set(fb->ctx, "ssl", NULL);
+#if 0 /* XXX */
+ apr_table_unset(r->connection->notes, "ssl");
+#endif /* XXX */
#ifndef SSL_EXPERIMENTAL_PROXY
if (ctx != NULL)
SSL_CTX_free(ctx);
#endif
}
- return;
+ return APR_SUCCESS;
}
static int ssl_ext_mp_write_host_header(
- request_rec *r, BUFF *fb, char *host, int port, char *portstr)
+ request_rec *r, char *host, int port, char *portstr)
{
- if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PFALSE)
+ if (apr_table_get(r->notes, "ssl::proxy::enabled") == PFALSE)
return DECLINED;
+ /*
+ * XXX - The ap_bvputs is replaced by ap_rvputs - This is just a temporary
+ * fix. We'll have to see the implications and change it accordingly - TBD
+ */
if (portstr != NULL && port != DEFAULT_HTTPS_PORT) {
- ap_bvputs(fb, "Host: ", host, ":", portstr, "\r\n", NULL);
+ ap_rvputs(r, "Host: ", host, ":", portstr, "\r\n", NULL);
return OK;
}
return DECLINED;
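Review bot: `ap_rvputs(r, "Host: ", ...)` writes into the response going back to the client, not onto the upstream proxy connection, so until the 2.0 replacement exists this branch injects a stray `Host:` line into the client's response body; the safer interim is to leave the comment and simply `return DECLINED;` so mod_proxy emits its own Host header. In ssl_ext_mp_close_connection (which begins in the previous hunk) the disabled `apr_table_unset` means the `"ssl"` note keeps pointing at the freed SSL; a follow-up should pass the `conn_rec` (or the notes table) to the cleanup so it can clear the note, and the comment should say so rather than referencing an `r` that is not in scope here.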
@@ -599,16 +608,16 @@
char *peer;
char *servername;
server_rec *s;
- ap_ctx *pCtx;
+ apr_table_t *pCtx;
STACK_OF(X509_NAME) *sk;
STACK_OF(X509_INFO) *pcerts;
char *cp;
int i, j;
- pCtx = (ap_ctx *)SSL_get_app_data(ssl);
- s = ap_ctx_get(pCtx, "ssl::proxy::server_rec");
- peer = ap_ctx_get(pCtx, "ssl::proxy::peer");
- servername = ap_ctx_get(pCtx, "ssl::proxy::servername");
+ pCtx = (apr_table_t *)SSL_get_app_data(ssl);
+ s = apr_table_get(pCtx, "ssl::proxy::server_rec");
+ peer = apr_table_get(pCtx, "ssl::proxy::peer");
+ servername = apr_table_get(pCtx, "ssl::proxy::servername");
sc = mySrvConfig(s);
pcerts = sc->skProxyClientCerts;
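Review bot: `s = apr_table_get(pCtx, "ssl::proxy::server_rec");` assigns a `const char *` to a `server_rec *` with no cast, which is an incompatible-pointer-type diagnostic today and a hard error on current compilers; write `s = (server_rec *)apr_table_get(pCtx, "ssl::proxy::server_rec");` and cast the `peer`/`servername` reads to `char *` likewise. A short comment that these entries hold raw pointers stored with `apr_table_setn` by ssl_ext_mp_new_connection, not strings, would explain why the cast is legitimate. ssl_ext_mp_clientcert_cb begins outside this hunk.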
@@ -690,17 +699,17 @@
int errnum;
int errdepth;
char *cp, *cp2;
- ap_ctx *pCtx;
+ apr_table_t *pCtx;
server_rec *s;
SSL *ssl;
char *peer;
char *servername;
ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
- pCtx = (ap_ctx *)SSL_get_app_data(ssl);
- s = ap_ctx_get(pCtx, "ssl::proxy::server_rec");
- peer = ap_ctx_get(pCtx, "ssl::proxy::peer");
- servername = ap_ctx_get(pCtx, "ssl::proxy::servername");
+ pCtx = (apr_table_t *)SSL_get_app_data(ssl);
+ s = apr_table_get(pCtx, "ssl::proxy::server_rec");
+ peer = apr_table_get(pCtx, "ssl::proxy::peer");
+ servername = apr_table_get(pCtx, "ssl::proxy::servername");
sc = mySrvConfig(s);
/*
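Review bot: As in ssl_ext_mp_clientcert_cb, `s = apr_table_get(pCtx, "ssl::proxy::server_rec");` stores a `const char *` into a `server_rec *` without a cast, so the line should read `s = (server_rec *)apr_table_get(pCtx, "ssl::proxy::server_rec");`. Since `pCtx` is whatever `SSL_set_app_data` stored, a guard such as `if (pCtx == NULL) return FALSE;` before the lookups would keep the verify callback from dereferencing NULL if the app data was never set; whether that can happen is not visible here. ssl_ext_mp_verify_cb begins outside this hunk.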
@@ -741,7 +750,7 @@
"Error (%d): %s", servername,
peer != NULL ? peer : "-unknown-",
errnum, X509_verify_cert_error_string(errnum));
- ap_ctx_set(pCtx, "ssl::proxy::verifyerror",
+ apr_table_setn(pCtx, "ssl::proxy::verifyerror",
(void *)X509_verify_cert_error_string(errnum));
return ok;
}
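Review bot: `apr_table_setn` takes a `const char *` value, so the `(void *)` cast on `X509_verify_cert_error_string(errnum)` is unnecessary and only strips the `const`; `apr_table_setn(pCtx, "ssl::proxy::verifyerror", X509_verify_cert_error_string(errnum));` is sufficient. The enclosing function starts and ends outside this hunk.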
@@ -756,7 +765,7 @@
"Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
servername, peer, errdepth, sc->nProxyVerifyDepth);
- ap_ctx_set(pCtx, "ssl::proxy::verifyerror",
+ apr_table_setn(pCtx, "ssl::proxy::verifyerror",
(void
*)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
ok = FALSE;
}
@@ -780,13 +789,17 @@
static void ssl_ext_ms_register(void)
{
+#if 0 /* XXX */
ap_hook_register("ap::mod_status::display", ssl_ext_ms_display, AP_HOOK_NOCTX);
+#endif /* XXX */
return;
}
static void ssl_ext_ms_unregister(void)
{
+#if 0 /* XXX */
ap_hook_unregister("ap::mod_status::display", ssl_ext_ms_display);
+#endif /* XXX */
return;
}
@@ -817,6 +830,3 @@
ap_rputs("</table>\n", r);
return;
}
-
-#endif /* XXX */
-