author | Bob Beck <beck@cvs.openbsd.org> | 1999-03-01 04:29:16 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 1999-03-01 04:29:16 +0000 |
commit | b382e02d07bda45c222a5ed31b68ebcd2c9224b6 (patch) | |
tree | 418c1e477506d50d6be49420a910e0c61e8bfde9 | |
parent | a20ee2041618d60562f0f98a6ad11ead188b1976 (diff) |
mod_ssl-2.2.3-1.3.4 (will require libssl-1.1 for https to work, but
mostly harmless otherwise).
41 files changed, 2762 insertions, 87 deletions
diff --git a/usr.sbin/httpd/Makefile.tmpl b/usr.sbin/httpd/Makefile.tmpl index c8a0538c20d..6bc3caf6a17 100644 --- a/usr.sbin/httpd/Makefile.tmpl +++ b/usr.sbin/httpd/Makefile.tmpl @@ -123,9 +123,13 @@ suexec_uidmin = @suexec_uidmin@ suexec_gidmin = @suexec_gidmin@ suexec_safepath = @suexec_safepath@ +# SSL (optional) +ssl = @ssl@ + # some substituted configuration parameters conf_group = @conf_group@ conf_port = @conf_port@ +conf_port_ssl = @conf_port_ssl@ conf_serveradmin = @conf_serveradmin@ conf_servername = @conf_servername@ @@ -135,6 +139,11 @@ install-support = @install_support@ clean-support = @clean_support@ distclean-support = @distclean_support@ +# `make certificate' parameters +TYPE = test +CRT = +KEY = + # forwarding arguments MFWD = root=$(root) @@ -154,6 +163,7 @@ build: @echo "===> $(SRC)" @$(MAKE) -f $(TOP)/$(MKF) $(MFLAGS) $(MFWD) build-std @$(MAKE) -f $(TOP)/$(MKF) $(MFLAGS) $(MFWD) $(build-support) + @$(MAKE) -f $(TOP)/$(MKF) $(MFLAGS) $(MFWD) build-certificate @touch $(TOP)/$(SRC)/.apaci.build.ok @echo "<=== $(SRC)" 
@@ -184,6 +194,39 @@ build-support: fi; \ echo "<=== $(SRC)/support" +# SSL certificate generation +build-certificate: + -@if [ ".$(ssl)" = .1 ]; then \ + if [ ".`grep '(SKIPME)' $(TOP)/conf/ssl.crt/server.crt`" != . ]; then \ + if [ ".$(QUIET)" != .1 ]; then \ + echo "+---------------------------------------------------------------------+"; \ + echo "| Before you install the package you now should prepare the SSL |"; \ + echo "| certificate system by running the 'make certificate' command. |"; \ + echo "| For different situations the following variants are provided: |"; \ + echo "| |"; \ + echo "| % make certificate TYPE=dummy (dummy self-signed Snake Oil cert) |"; \ + echo "| % make certificate TYPE=test (test cert signed by Snake Oil CA) |"; \ + echo "| % make certificate TYPE=custom (custom cert signed by own CA) |"; \ + echo "| % make certificate TYPE=existing (existing cert) |"; \ + echo "| CRT=/path/to/your.crt [KEY=/path/to/your.key] |"; \ + echo "| |"; \ + echo "| Use TYPE=dummy when you're a vendor package maintainer, |"; \ + echo "| the TYPE=test when you're an admin but want to do tests only, |"; \ + echo "| the TYPE=custom when you're an admin willing to run a real server |"; \ + echo "| and TYPE=existing when you're an admin who upgrades a server. |"; \ + echo "| (The default is TYPE=test) |"; \ + echo "| |"; \ + echo "| Thanks for using Apache & mod_ssl. Ralf S. Engelschall |"; \ + echo "| rse@engelschall.com |"; \ + echo "| www.engelschall.com |"; \ + echo "+---------------------------------------------------------------------+"; \ + fi \ + fi \ + fi + +certificate: + @cd $(TOP)/$(SRC); $(MAKE) $(MFLAGS) certificate TYPE=$(TYPE) CRT=$(CRT) KEY=$(KEY) + ## ------------------------------------------------------------------ ## Installation Targets ## ------------------------------------------------------------------ 
@@ -221,6 +264,10 @@ install: echo "| |"; \ echo "| $(sbindir)/$${apachectl} start"; \ echo "| |"; \ + echo "| Or when you want to run it with SSL enabled use: |"; \ + echo "| |"; \ + echo "| $(sbindir)/$${apachectl} startssl"; \ + echo "| |"; \ echo "| Thanks for using Apache. The Apache Group |"; \ echo "| http://www.apache.org/ |"; \ echo "+--------------------------------------------------------+"; \ @@ -239,6 +286,9 @@ install-mktree: $(MKDIR) $(root)$(mandir)/man1 $(MKDIR) $(root)$(mandir)/man8 $(MKDIR) $(root)$(sysconfdir) + $(MKDIR) $(root)$(sysconfdir)/ssl.crt + $(MKDIR) $(root)$(sysconfdir)/ssl.csr + $(MKDIR) $(root)$(sysconfdir)/ssl.key $(MKDIR) $(root)$(datadir)/htdocs $(MKDIR) $(root)$(datadir)/icons $(MKDIR) $(root)$(datadir)/cgi-bin 
@@ -279,19 +329,34 @@ install-programs: echo "$(INSTALL_DSO) $(TOP)/$(SRC)/$${mod} $(root)$(libexecdir)/$${file}"; \ $(INSTALL_DSO) $(TOP)/$(SRC)/$${mod} $(root)$(libexecdir)/$${file}; \ name=`$(TOP)/$(AUX)/fmn.sh $(TOP)/$(SRC)/$${mod}`; \ + if [ ".$$name" = .ssl_module ]; then \ + echo "<IfDefine SSL>" >>$(SRC)/.apaci.install.conf; \ + fi; \ echo dummy | awk '{ printf("LoadModule %-18s %s\n", modname, modpath); }' \ modname="$${name}" modpath="$(libexecdir_relative)$${file}" >>$(SRC)/.apaci.install.conf; \ + if [ ".$$name" = .ssl_module ]; then \ + echo "</IfDefine>" >>$(SRC)/.apaci.install.conf; \ + fi; \ done; \ echo "" >>$(SRC)/.apaci.install.conf; \ echo "# Reconstruction of the complete module list from all available modules" >>$(SRC)/.apaci.install.conf; \ echo "# (static and shared ones) to achieve correct module execution order." >>$(SRC)/.apaci.install.conf; \ echo "# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]" >>$(SRC)/.apaci.install.conf; \ echo "ClearModuleList" >>$(SRC)/.apaci.install.conf; \ - egrep "^[ ]*(Add|Shared)Module" $(SRC)/Configuration.apaci |\ - sed -e 's:SharedModule:AddModule:' \ - -e 's:modules/[^/]*/::' \ - -e 's:[ ]lib: mod_:' \ - -e 's:\.[soam].*$$:.c:' >>$(SRC)/.apaci.install.conf; \ + for mod in `egrep "^[ ]*(Add|Shared)Module" $(SRC)/Configuration.apaci |\ + sed -e 's:[ ]*SharedModule::' \ + -e 's:[ ]*AddModule::' \ + -e 's:modules/[^/]*/::' \ + -e 's:[ ]lib: mod_:' \ + -e 's:\.[soam]*$$:.c:'`; do \ + if [ ".$$mod" = .mod_ssl.c ]; then \ + echo "<IfDefine SSL>" >>$(SRC)/.apaci.install.conf; \ + fi; \ + echo "AddModule $$mod" >>$(SRC)/.apaci.install.conf; \ + if [ ".$$mod" = .mod_ssl.c ]; then \ + echo "</IfDefine>" >>$(SRC)/.apaci.install.conf; \ + fi; \ + done; \ fi @echo "<=== [programs]" 
@@ -411,6 +476,12 @@ install-config: echo ""; \ cat $(TOP)/conf/$${conf}-dist ) |\ sed -e '/# LoadModule/r $(TOP)/$(SRC)/.apaci.install.conf' \ + -e "s;logs/ssl_mutex;$(runtimedir)/$${target_prefix}ssl_mutex;" \ + -e "s;logs/ssl_scache;$(runtimedir)/$${target_prefix}ssl_scache;" \ + -e "s;logs/ssl_engine_log;$(logfiledir)/$${target_prefix}ssl_engine_log;" \ + -e "s;logs/ssl_request_log;$(logfiledir)/$${target_prefix}ssl_request_log;" \ + -e 's;@@ServerRoot@@/conf/ssl.crt;$(sysconfdir)/ssl.crt;' \ + -e 's;@@ServerRoot@@/conf/ssl.key;$(sysconfdir)/ssl.key;' \ -e 's;@@ServerRoot@@/htdocs;$(datadir)/htdocs;' \ -e 's;@@ServerRoot@@/icons;$(datadir)/icons;' \ -e 's;@@ServerRoot@@/cgi-bin;$(datadir)/cgi-bin;' \ @@ -427,9 +498,12 @@ install-config: -e 's;conf/mime.types;$(sysconfdir)/mime.types;' \ -e 's;Group #-1;Group $(conf_group);' \ -e 's;Port 80;Port $(conf_port);' \ + -e 's;Listen 80;Listen $(conf_port);' \ + -e 's;Listen 443;Listen $(conf_port_ssl);' \ -e 's;ServerAdmin you@your.address;ServerAdmin $(conf_serveradmin);' \ -e 's;ServerName new.host.name;ServerName $(conf_servername);' \ - > $(TOP)/$(SRC)/.apaci.install.tmp && \ + -e 's;VirtualHost _default_:443;VirtualHost _default_:$(conf_port_ssl);' \ + > $(TOP)/$(SRC)/.apaci.install.tmp && \ echo "$(INSTALL_DATA) $(TOP)/conf/$${conf}-dist[*] $(root)$(sysconfdir)/$${target_conf}.default"; \ $(INSTALL_DATA) $(TOP)/$(SRC)/.apaci.install.tmp $(root)$(sysconfdir)/$${target_conf}.default; \ if [ ! -f "$(root)$(sysconfdir)/$${target_conf}" ]; then \ 
@@ -449,6 +523,57 @@ install-config: echo "[PRESERVING EXISTING CONFIG FILE: $(root)$(sysconfdir)/$${conf}]"; \ fi; \ done + -@if [ ".$(ssl)" = .1 ]; then \ + echo "chmod 755 $(root)$(sysconfdir)/ssl.crt"; \ + chmod 755 $(root)$(sysconfdir)/ssl.crt; \ + echo "chmod 755 $(root)$(sysconfdir)/ssl.csr"; \ + chmod 755 $(root)$(sysconfdir)/ssl.csr; \ + echo "chmod 700 $(root)$(sysconfdir)/ssl.key"; \ + chmod 700 $(root)$(sysconfdir)/ssl.key; \ + if [ ! -f "$(root)$(sysconfdir)/ssl.crt/README.CRT" ]; then \ + echo "$(INSTALL_DATA) $(TOP)/conf/ssl.crt/README.CRT $(root)$(sysconfdir)/ssl.crt/README.CRT"; \ + $(INSTALL) $(TOP)/conf/ssl.crt/README.CRT $(root)$(sysconfdir)/ssl.crt/README.CRT; \ + echo "$(INSTALL_DATA) $(TOP)/conf/ssl.crt/Makefile $(root)$(sysconfdir)/ssl.crt/Makefile"; \ + $(INSTALL) $(TOP)/conf/ssl.crt/Makefile $(root)$(sysconfdir)/ssl.crt/Makefile; \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.crt/ca-bundle.crt $(root)$(sysconfdir)/ssl.crt/ca-bundle.crt"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.crt/ca-bundle.crt $(root)$(sysconfdir)/ssl.crt/ca-bundle.crt; \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.crt/snakeoil-ca.crt $(root)$(sysconfdir)/ssl.crt/snakeoil-ca.crt"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.crt/snakeoil-ca.crt $(root)$(sysconfdir)/ssl.crt/snakeoil-ca.crt; \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.crt/server.crt $(root)$(sysconfdir)/ssl.crt/server.crt"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.crt/server.crt $(root)$(sysconfdir)/ssl.crt/server.crt; \ + if [ -f "$(TOP)/conf/ssl.crt/ca.crt" ]; then \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.crt/ca.crt $(root)$(sysconfdir)/ssl.crt/ca.crt"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.crt/ca.crt $(root)$(sysconfdir)/ssl.crt/ca.crt; \ + fi; \ + else \ + echo "[PRESERVING EXISTING CERTIFICATE FILES: $(root)$(sysconfdir)/ssl.crt/*]"; \ + fi; \ + echo "Updating hash symlinks in $(root)$(sysconfdir)/ssl.crt/:"; \ + SSL_PROGRAM="`grep '^SSL_PROGRAM=' $(TOP)/$(SRC)/Makefile.config | sed -e 
's:^.*=::'`"; \ + (cd $(root)$(sysconfdir)/ssl.crt/ && $(MAKE) $(MFLAGS) SSLEAY=$$SSL_PROGRAM); \ + if [ ! -f "$(root)$(sysconfdir)/ssl.csr/README.CSR" ]; then \ + echo "$(INSTALL_DATA) $(TOP)/conf/ssl.csr/README.CSR $(root)$(sysconfdir)/ssl.csr/README.CSR"; \ + $(INSTALL) $(TOP)/conf/ssl.csr/README.CSR $(root)$(sysconfdir)/ssl.csr/README.CSR; \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.csr/server.csr $(root)$(sysconfdir)/ssl.csr/server.csr"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.csr/server.csr $(root)$(sysconfdir)/ssl.csr/server.csr; \ + else \ + echo "[PRESERVING EXISTING CSR FILES: $(root)$(sysconfdir)/ssl.csr/*]"; \ + fi; \ + if [ ! -f "$(root)$(sysconfdir)/ssl.key/README.KEY" ]; then \ + echo "$(INSTALL_DATA) $(TOP)/conf/ssl.key/README.KEY $(root)$(sysconfdir)/ssl.key/README.KEY"; \ + $(INSTALL) $(TOP)/conf/ssl.key/README.KEY $(root)$(sysconfdir)/ssl.key/README.KEY; \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.key/snakeoil-ca.key $(root)$(sysconfdir)/ssl.key/snakeoil-ca.key"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.key/snakeoil-ca.key $(root)$(sysconfdir)/ssl.key/snakeoil-ca.key; \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.key/server.key $(root)$(sysconfdir)/ssl.key/server.key"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.key/server.key $(root)$(sysconfdir)/ssl.key/server.key; \ + if [ -f "$(TOP)/conf/ssl.key/ca.key" ]; then \ + echo "$(INSTALL_DATA) -m 400 $(TOP)/conf/ssl.key/ca.key $(root)$(sysconfdir)/ssl.key/ca.key"; \ + $(INSTALL) -m 400 $(TOP)/conf/ssl.key/ca.key $(root)$(sysconfdir)/ssl.key/ca.key; \ + fi; \ + else \ + echo "[PRESERVING EXISTING KEY FILES: $(root)$(sysconfdir)/ssl.key/*]"; \ + fi; \ + fi @echo "<=== [config]" diff --git a/usr.sbin/httpd/conf/httpd.conf b/usr.sbin/httpd/conf/httpd.conf index f712717054c..f59a44718e8 100644 --- a/usr.sbin/httpd/conf/httpd.conf +++ b/usr.sbin/httpd/conf/httpd.conf 
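Review bot: In the install-config additions the echoed command and the executed one disagree: each `echo "$(INSTALL_DATA) …"` for README.CRT, ssl.crt/Makefile, README.CSR and README.KEY is followed by a bare `$(INSTALL) …` with no `-m`, so those files land with install(1)'s default mode rather than whatever INSTALL_DATA would have applied, and the `-m 400` certificate and key installs likewise run `$(INSTALL)` while printing `$(INSTALL_DATA)`. Make both lines agree, e.g. `$(INSTALL_DATA) $(TOP)/conf/ssl.crt/README.CRT $(root)$(sysconfdir)/ssl.crt/README.CRT` for the mode-less copies and `echo "$(INSTALL) -m 400 …"` for the keyed ones, so the install transcript can be trusted when checking what ended up under ssl.key. The `chmod 700` on ssl.key plus `-m 400` on server.key and snakeoil-ca.key is the right default; since snakeoil-ca.key ships in the distribution's conf/ssl.key and so is not secret, a comment such as `# snakeoil-ca.key is the public test CA key; a server.crt signed by it is for testing only` next to its install would help whoever audits the result. The install-config target begins before this hunk.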
@@ -227,6 +227,17 @@ MaxRequestsPerChild 30 # Port 80 +## +## SSL Support +## +## When we also provide SSL we have to listen to the +## standard HTTP port (see above) and to the HTTPS port +## +<IfDefine SSL> +Listen 80 +Listen 443 +</IfDefine> + # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. 
@@ -842,3 +853,162 @@ BrowserMatch "JDK/1\.0" force-response-1.0 #<VirtualHost _default_:*> #</VirtualHost> + + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +<IfDefine SSL> +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl +</IfDefine> + +<IfModule mod_ssl.c> + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First either `none' +# or `dbm:/path/to/file' for the mechanism to use and +# second the expiring timeout (in seconds). +SSLSessionCache dbm:logs/ssl_scache +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual explusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex file:logs/ssl_mutex + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed startup file:/dev/urandom 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# Logging: +# The home of the dedicated SSL protocol logfile. Errors are +# additionally duplicated in the general error log file. Put +# this somewhere where it cannot be used for symlink attacks on +# a real server (i.e. somewhere where only root can write). +# Log levels are (ascending order: higher ones include lower ones): +# none, error, warn, info, trace, debug. 
+SSLLog logs/ssl_engine_log +SSLLogLevel info + +</IfModule> + +<IfDefine SSL> + +## +## SSL Virtual Host Context +## + +<VirtualHost _default_:443> + +# General setup for the virtual host +DocumentRoot /var/www/htdocs +ServerName new.host.name +ServerAdmin you@your.address +ErrorLog logs/error_log +TransferLog logs/access_log + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A test +# certificate can be generated with `make certificate' under +# built time. +SSLCertificateFile /etc/ssl/server.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. +SSLCertificateKeyFile /etc/ssl/private/server.key + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +# Note: Inside SSLCACertificatePath you need hash symlinks +# to point to the certificate files. Use the provided +# Makefile to update the hash symlinks after changes. +#SSLCACertificatePath @@ServerRoot@@/conf/ssl.crt +#SSLCACertificateFile @@ServerRoot@@/conf/ssl.crt/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. 
+#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +#<Location /> +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +#</Location> + +# SSL Engine Options: +# Set various options for the SSL engine. +# FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# CompatEnvVars: +# This exports obsolete environment variables for backward compatibility +# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this +# to provide compatibility to existing CGI scripts. +#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +</VirtualHost> + +</IfDefine> + 
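Review bot: The only active PRNG seeding in the new `<IfModule mod_ssl.c>` block is `SSLRandomSeed startup builtin` and `SSLRandomSeed connect builtin`, with the `/dev/random` and `/dev/urandom` lines left commented out; mod_ssl's own documentation describes the builtin source as weak seeding, so session keys would be derived from low-entropy input on a platform that does have a kernel RNG. I would enable `SSLRandomSeed startup file:/dev/urandom 512` and `SSLRandomSeed connect file:/dev/urandom 512` here, or at least add a comment that builtin is a fallback for systems without a random device. The same block is duplicated in the httpd.conf-dist hunk below and should change there as well. The comment above the commented-out `SSLCipherSuite` line could also warn that its `+LOW`, `+EXP` and `+SSLv2` components admit export-grade and SSLv2 suites if it is ever uncommented as written.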
diff --git a/usr.sbin/httpd/conf/httpd.conf-dist b/usr.sbin/httpd/conf/httpd.conf-dist index c6f92e52a03..53590892b9b 100644 --- a/usr.sbin/httpd/conf/httpd.conf-dist +++ b/usr.sbin/httpd/conf/httpd.conf-dist @@ -228,6 +228,17 @@ MaxRequestsPerChild 30 # Port 80 +## +## SSL Support +## +## When we also provide SSL we have to listen to the +## standard HTTP port (see above) and to the HTTPS port +## +<IfDefine SSL> +Listen 80 +Listen 443 +</IfDefine> + # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. 
@@ -842,3 +853,161 @@ BrowserMatch "JDK/1\.0" force-response-1.0 #<VirtualHost _default_:*> #</VirtualHost> + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# +# Some MIME-types for downloading Certificates and CRLs +# +<IfDefine SSL> +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl +</IfDefine> + +<IfModule mod_ssl.c> + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First either `none' +# or `dbm:/path/to/file' for the mechanism to use and +# second the expiring timeout (in seconds). +SSLSessionCache dbm:logs/ssl_scache +SSLSessionCacheTimeout 300 + +# Semaphore: +# Configure the path to the mutual explusion semaphore the +# SSL engine uses internally for inter-process synchronization. +SSLMutex file:logs/ssl_mutex + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed startup file:/dev/urandom 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# Logging: +# The home of the dedicated SSL protocol logfile. Errors are +# additionally duplicated in the general error log file. Put +# this somewhere where it cannot be used for symlink attacks on +# a real server (i.e. somewhere where only root can write). +# Log levels are (ascending order: higher ones include lower ones): +# none, error, warn, info, trace, debug. 
+SSLLog logs/ssl_engine_log +SSLLogLevel info + +</IfModule> + +<IfDefine SSL> + +## +## SSL Virtual Host Context +## + +<VirtualHost _default_:443> + +# General setup for the virtual host +DocumentRoot @@ServerRoot@@/htdocs +ServerName new.host.name +ServerAdmin you@your.address +ErrorLog logs/error_log +TransferLog logs/access_log + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A test +# certificate can be generated with `make certificate' under +# built time. +SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. +SSLCertificateKeyFile @@ServerRoot@@/conf/ssl.key/server.key + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +# Note: Inside SSLCACertificatePath you need hash symlinks +# to point to the certificate files. Use the provided +# Makefile to update the hash symlinks after changes. +#SSLCACertificatePath @@ServerRoot@@/conf/ssl.crt +#SSLCACertificateFile @@ServerRoot@@/conf/ssl.crt/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. 
+#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +#<Location /> +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +#</Location> + +# SSL Engine Options: +# Set various options for the SSL engine. +# FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# CompatEnvVars: +# This exports obsolete environment variables for backward compatibility +# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this +# to provide compatibility to existing CGI scripts. +#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +</VirtualHost> + +</IfDefine> + 
diff --git a/usr.sbin/httpd/conf/httpd.conf-dist-win b/usr.sbin/httpd/conf/httpd.conf-dist-win index 1ad64192832..dad2bc424ec 100644 --- a/usr.sbin/httpd/conf/httpd.conf-dist-win +++ b/usr.sbin/httpd/conf/httpd.conf-dist-win @@ -185,6 +185,7 @@ ThreadsPerChild 50 #LoadModule speling_module modules/ApacheModuleSpeling.dll #LoadModule status_module modules/ApacheModuleStatus.dll #LoadModule usertrack_module modules/ApacheModuleUserTrack.dll +#LoadModule ssl_module modules/ApacheModuleSSL.dll ### Section 2: 'Main' server configuration # diff --git a/usr.sbin/httpd/configure b/usr.sbin/httpd/configure index 88fc65e4c04..d345c2e927f 100644 --- a/usr.sbin/httpd/configure +++ b/usr.sbin/httpd/configure @@ -178,6 +178,9 @@ suexec_uidmin=100 suexec_gidmin=100 suexec_safepath="/usr/local/bin:/usr/bin:/bin" +# ssl defaults +ssl=0 + # various other flags support=1 confadjust=1 @@ -858,7 +861,7 @@ echo "## restoring your configuration. Additional parameters can be supplied." echo "##" >>$configstatus echo "" >>$configstatus for var in CC CPP OPTIM CFLAGS CFLAGS_SHLIB LDFLAGS LD_SHLIB LDFLAGS_SHLIB \ - LDFLAGS_SHLIB_EXPORT LIBS INCLUDES RANLIB DEPS TARGET; do + LDFLAGS_SHLIB_EXPORT LIBS INCLUDES RANLIB DEPS TARGET SSL_BASE RSA_BASE; do eval "val=\"\$$var\"" if [ ".$val" != . ]; then echo "$var=$val" |\ @@ -904,6 +907,13 @@ if [ ".$PERL" = .no-perl-on-this-system ]; then fi ## +## SSL support +## +if [ ".$module_ssl" = .yes ]; then + ssl=1 +fi + +## ## target name ## if [ ".$TARGET" != . ]; then @@ -955,6 +965,7 @@ fi ## conf_group="#-1" conf_port="80" +conf_port_ssl="443" conf_serveradmin="you@your.address" conf_servername="new.host.name" if [ ".$confadjust" = .1 ]; then @@ -967,6 +978,7 @@ if [ ".$confadjust" = .1 ]; then fi if [ ".`id | grep root`" = . ]; then conf_port="8080" + conf_port_ssl="8443" fi conf_serveradmin="`$aux/buildinfo.sh -n %u@%h%d`" conf_servername="`$aux/buildinfo.sh -n %h%d`" 
@@ -1018,6 +1030,7 @@ if [ ".$show_layout" = .1 ]; then echo " SERVER_CONFIG_FILE: ${sysconfdir_relative}${thetarget}.conf" echo " ACCESS_CONFIG_FILE: ${sysconfdir_relative}access.conf" echo " RESOURCE_CONFIG_FILE: ${sysconfdir_relative}srm.conf" + echo " SSL_CERTIFCATE_FILE: ${sysconfdir_relative}ssl.crt/server.crt" echo "" if [ ".$suexec" = .1 ]; then echo "suEXEC setup:" @@ -1068,8 +1081,10 @@ sed <Makefile.tmpl >$mkf \ -e "s%@suexec_uidmin@%$suexec_uidmin%g" \ -e "s%@suexec_gidmin@%$suexec_gidmin%g" \ -e "s%@suexec_safepath@%$suexec_safepath%g" \ +-e "s%@ssl@%$ssl%g" \ -e "s%@conf_group@%$conf_group%g" \ -e "s%@conf_port@%$conf_port%g" \ +-e "s%@conf_port_ssl@%$conf_port_ssl%g" \ -e "s%@conf_serveradmin@%$conf_serveradmin%g" \ -e "s%@conf_servername@%$conf_servername%g" \ -e "s%@build_support@%$build_support%g" \ @@ -1097,6 +1112,7 @@ echo "echo '-DTYPES_CONFIG_FILE=\"${sysconfdir_relative}mime.types\"'" >>$src/ap echo "echo '-DSERVER_CONFIG_FILE=\"${sysconfdir_relative}${thetarget}.conf\"'" >>$src/apaci echo "echo '-DACCESS_CONFIG_FILE=\"${sysconfdir_relative}access.conf\"'" >>$src/apaci echo "echo '-DRESOURCE_CONFIG_FILE=\"${sysconfdir_relative}srm.conf\"'" >>$src/apaci +echo "echo '-DSSL_CERTIFCATE_FILE=\"${sysconfdir_relative}ssl.crt/server.crt\"'" >>$src/apaci chmod a+x $src/apaci CFLAGS="$CFLAGS \\\`\$(SRCDIR)/apaci\\\`" @@ -1112,7 +1128,7 @@ touch $sedsubst # generate settings from imported environment variables OIFS="$IFS" IFS="$DIFS" for var in CC CPP OPTIM CFLAGS CFLAGS_SHLIB LDFLAGS LD_SHLIB LDFLAGS_SHLIB \ - LDFLAGS_SHLIB_EXPORT LIBS INCLUDES RANLIB DEPS TARGET; do + LDFLAGS_SHLIB_EXPORT LIBS INCLUDES RANLIB DEPS TARGET SSL_BASE RSA_BASE; do eval "val=\"\$$var\""; if [ ".$val" != . ]; then case $var in diff --git a/usr.sbin/httpd/htdocs/manual/images/ssleay.gif b/usr.sbin/httpd/htdocs/manual/images/ssleay.gif Binary files differnew file mode 100644 index 00000000000..c59cdf5b3a8 --- /dev/null +++ b/usr.sbin/httpd/htdocs/manual/images/ssleay.gif 
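Review bot: `SSL_CERTIFCATE_FILE` is misspelled (missing an I) in both the show_layout echo and the `-DSSL_CERTIFCATE_FILE=…` line appended to `$src/apaci`; if the module's C sources test `SSL_CERTIFICATE_FILE`, the define added here is presumably never seen and the built-in default would apply silently, so confirm the spelling the module actually uses before changing it. Assuming the sources use the conventional spelling, both lines should read `SSL_CERTIFICATE_FILE`, and a comment noting that the apaci define must match the macro name in mod_ssl would prevent the two drifting again. The `if [ ".$show_layout" = .1 ]` block and the apaci generation both begin before their hunks.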
diff --git a/usr.sbin/httpd/htdocs/manual/mod/directives.html b/usr.sbin/httpd/htdocs/manual/mod/directives.html
index 57938e5b190..39394ceb305 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/directives.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/directives.html
@@ -208,6 +208,24 @@ of the terms used in their descriptions available. <LI><A HREF="mod_setenvif.html#setenvif">SetEnvIf</A> <LI><A HREF="mod_setenvif.html#SetEnvIfNoCase">SetEnvIfNoCase</A> <LI><A HREF="mod_mime.html#sethandler">SetHandler</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLMutex">SSLMutex</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLPassPhraseDialog">SSLPassPhraseDialog</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLEngine">SSLEngine</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLCipherSuite">SSLCipherSuite</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLCertificateFile">SSLCertificateFile</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLCertificateKeyFile">SSLCertificateKeyFile</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLCACertificatePath">SSLCACertificatePath</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLCACertificateFile">SSLCACertificateFile</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLCACertificateReqFile">SSLCACertificateReqFile</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLVerifyClient">SSLVerifyClient</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLVerifyDepth">SSLVerifyDepth</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLSessionCache">SSLSessionCache</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLSessionCacheTimeout">SSLSessionCacheTimeout</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLLog">SSLLog</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLLogLevel">SSLLogLevel</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLOptions">SSLOptions</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLRequireSSL">SSLRequireSSL</A> +<LI><A HREF="mod_ssl/ssl_reference.html#SSLRequire">SSLRequire</A> <LI><A HREF="core.html#startservers">StartServers</A> <LI><A HREF="core.html#threadsperchild">ThreadsPerChild</A> <LI><A HREF="core.html#timeout">TimeOut</A> diff --git a/usr.sbin/httpd/htdocs/manual/mod/index.html b/usr.sbin/httpd/htdocs/manual/mod/index.html index 2a2aecea5a8..117021686ef 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/index.html 
+++ b/usr.sbin/httpd/htdocs/manual/mod/index.html @@ -15,11 +15,11 @@ <DIV ALIGN="CENTER"> <IMG SRC="../images/sub.gif" ALT="[APACHE DOCUMENTATION]"> <H3> - Apache HTTP Server Version 1.2 + Apache HTTP Server Version 1.3 </H3> </DIV> -<H1 ALIGN="CENTER">Apache modules</h1> +<H1 ALIGN="CENTER">Apache modules</H1> <P> Below is a list of all of the modules that come as part of the 
@@ -29,84 +29,104 @@ Apache distribution. See also the complete alphabetical list of >all Apache directives</A>. </P> -<dl> -<dt><A HREF="core.html">Core</A> -<dd>Core Apache features. -<dt><A HREF="mod_access.html">mod_access</A> -<dd>Host based access control. -<dt><A HREF="mod_actions.html">mod_actions</A> Apache 1.1 and later. -<dd>Filetype/method-based script execution -<dt><A HREF="mod_alias.html">mod_alias</A> -<dd>Aliases and redirects. -<dt><A HREF="mod_asis.html">mod_asis</A> -<dd>The .asis file handler. -<dt><A HREF="mod_auth.html">mod_auth</A> -<dd>User authentication using text files. -<dt><A HREF="mod_auth_anon.html">mod_auth_anon</A> -<dd>Anonymous user authentication, FTP-style. -<dt><A HREF="mod_auth_db.html">mod_auth_db</A> -<dd>User authentication using Berkeley DB files. -<dt><A HREF="mod_auth_dbm.html">mod_auth_dbm</A> -<dd>User authentication using DBM files. -<dt><A HREF="mod_auth_msql.html">mod_auth_msql</A> -<dd>User authentication using mSQL files. -<dt><A HREF="mod_browser.html">mod_browser</A> Apache 1.2 and up -<dd>Set environment variables based on User-Agent strings -<dt><A HREF="mod_cern_meta.html">mod_cern_meta</a> -<dd>Support for HTTP header metafiles. -<dt><A HREF="mod_cgi.html">mod_cgi</A> -<dd>Invoking CGI scripts. -<dt><A HREF="mod_cookies.html">mod_cookies</A> up to Apache 1.1.1 -<dd>Support for Netscape-like cookies. Replaced in Apache 1.2 by +<DL> +<DT><A HREF="core.html">Core</A> +<DD>Core Apache features. +<DT><A HREF="mod_access.html">mod_access</A> +<DD>Host based access control. +<DT><A HREF="mod_actions.html">mod_actions</A> Apache 1.1 and later. +<DD>Filetype/method-based script execution +<DT><A HREF="mod_alias.html">mod_alias</A> +<DD>Aliases and redirects. +<DT><A HREF="mod_asis.html">mod_asis</A> +<DD>The .asis file handler. +<DT><A HREF="mod_auth.html">mod_auth</A> +<DD>User authentication using text files. +<DT><A HREF="mod_auth_anon.html">mod_auth_anon</A> +<DD>Anonymous user authentication, FTP-style. 
+<DT><A HREF="mod_auth_db.html">mod_auth_db</A> +<DD>User authentication using Berkeley DB files. +<DT><A HREF="mod_auth_dbm.html">mod_auth_dbm</A> +<DD>User authentication using DBM files. +<DT><A HREF="mod_autoindex.html">mod_autoindex</A> +<DD>Automatic directory listings. +<DT><A HREF="mod_browser.html">mod_browser</A> Apache 1.2.* only +<DD>Set environment variables based on User-Agent strings. Replaced by + mod_setenvif in Apache 1.3 and up +<DT><A HREF="mod_cern_meta.html">mod_cern_meta</A> +<DD>Support for HTTP header metafiles. +<DT><A HREF="mod_cgi.html">mod_cgi</A> +<DD>Invoking CGI scripts. +<DT><A HREF="mod_cookies.html">mod_cookies</A> up to Apache 1.1.1 +<DD>Support for Netscape-like cookies. Replaced in Apache 1.2 by mod_usertrack -<dt><A HREF="mod_digest.html">mod_digest</A> -<dd>MD5 authentication -<dt><A HREF="mod_dir.html">mod_dir</A> -<dd>Automatic directory listings. -<dt><A HREF="mod_dld.html">mod_dld</A> -<dd>Start-time linking with the GNU libdld. -<dt><A HREF="mod_env.html">mod_env</A> -<dd>Passing of environments to CGI scripts -<dt><A HREF="mod_example.html">mod_example</A> Apache 1.2 and up -<dd>Demonstrates Apache API -<dt><A HREF="mod_expires.html">mod_expires</A> Apache 1.2 and up -<dd>Apply Expires: headers to resources -<dt><A HREF="mod_headers.html">mod_headers</A> Apache 1.2 and up -<dd>Add arbitrary HTTP headers to resources -<dt><A HREF="mod_imap.html">mod_imap</A> -<dd>The imagemap file handler. -<dt><A HREF="mod_include.html">mod_include</A> -<dd>Server-parsed documents. -<dt><A HREF="mod_info.html">mod_info</a> -<dd>Server configuration information -<dt><A HREF="mod_log_agent.html">mod_log_agent</A> -<dd>Logging of User Agents. -<dt><A HREF="mod_log_common.html">mod_log_common</A> up to Apache 1.1.1 -<dd>Standard logging in the Common Logfile Format. Replaced by the +<DT><A HREF="mod_digest.html">mod_digest</A> +<DD>MD5 authentication +<DT><A HREF="mod_dir.html">mod_dir</A> +<DD>Basic directory handling. 
+<DT><A HREF="mod_dld.html">mod_dld</A> Apache 1.2.* and earlier +<DD>Start-time linking with the GNU libdld. Replaced in Apache 1.3 by mod_so +<DT><A HREF="mod_dll.html">mod_dll</A> Apache 1.3b1 to 1.3b5 only +<DD>Replaced in 1.3b6 by mod_so +<DT><A HREF="mod_env.html">mod_env</A> +<DD>Passing of environments to CGI scripts +<DT><A HREF="mod_example.html">mod_example</A> Apache 1.2 and up +<DD>Demonstrates Apache API +<DT><A HREF="mod_expires.html">mod_expires</A> Apache 1.2 and up +<DD>Apply Expires: headers to resources +<DT><A HREF="mod_headers.html">mod_headers</A> Apache 1.2 and up +<DD>Add arbitrary HTTP headers to resources +<DT><A HREF="mod_imap.html">mod_imap</A> +<DD>The imagemap file handler. +<DT><A HREF="mod_include.html">mod_include</A> +<DD>Server-parsed documents. +<DT><A HREF="mod_info.html">mod_info</A> +<DD>Server configuration information +<DT><A HREF="mod_isapi.html">mod_isapi</A> +<DD>Windows ISAPI Extension support +<DT><A HREF="mod_log_agent.html">mod_log_agent</A> +<DD>Logging of User Agents. +<DT><A HREF="mod_log_common.html">mod_log_common</A> up to Apache 1.1.1 +<DD>Standard logging in the Common Logfile Format. Replaced by the mod_log_config module in Apache 1.2 and up -<dt><A HREF="mod_log_config.html">mod_log_config</A> -<dd>User-configurable logging replacement for mod_log_common. -<dt><A HREF="mod_log_referer.html">mod_log_referer</A> -<dd>Logging of document references. -<dt><A HREF="mod_mime.html">mod_mime</A> -<dd>Determining document types. -<dt><A HREF="mod_negotiation.html">mod_negotiation</A> -<dd>Content negotiation. -<dt><A HREF="mod_rewrite.html">mod_rewrite</a> Apache 1.2 and up -<dd>Powerful URI-to-filename mapping using regular expressions -<dt><A HREF="mod_proxy.html">mod_proxy</A> -<dd>Caching proxy abilities -<dt><A HREF="mod_status.html">mod_status</a> -<dd>Server status display -<dt><A HREF="mod_userdir.html">mod_userdir</A> -<dd>User home directories. 
-<dt><A HREF="mod_usertrack.html">mod_usertrack</A> Apache 1.2 and up -<dd>User tracking using Cookies (replacement for mod_cookies.c) -</dl> +<DT><A HREF="mod_log_config.html">mod_log_config</A> +<DD>User-configurable logging replacement for mod_log_common. +<DT><A HREF="mod_log_referer.html">mod_log_referer</A> +<DD>Logging of document references. +<DT><A HREF="mod_mime.html">mod_mime</A> +<DD>Determining document types using file extensions. +<DT><A HREF="mod_mime_magic.html">mod_mime_magic</A> +<DD>Determining document types using "magic numbers". +<DT><A HREF="mod_mmap_static.html">mod_mmap_static</A> +<DD>Mapping files into memory for faster serving. +<DT><A HREF="mod_negotiation.html">mod_negotiation</A> +<DD>Content negotiation. +<DT><A HREF="mod_proxy.html">mod_proxy</A> +<DD>Caching proxy abilities +<DT><A HREF="mod_rewrite.html">mod_rewrite</A> Apache 1.2 and up +<DD>Powerful URI-to-filename mapping using regular expressions +<DT><A HREF="mod_setenvif.html">mod_setenvif</A> Apache 1.3 and up +<DD>Set environment variables based on client information +<DT><A HREF="mod_so.html">mod_so</A> Apache 1.3 and up +<DD>Experimental support for loading modules (DLLs on Windows) at runtime +<DT><A HREF="mod_speling.html">mod_speling</A> Apache 1.3 and up +<DD>Automatically correct minor typos in URLs +<DT><A HREF="mod_ssl/index.html">mod_ssl</A> Apache 1.3 with mod_ssl applied +<DD>Apache SSL interface to SSLeay +<DT><A HREF="mod_status.html">mod_status</A> +<DD>Server status display +<DT><A HREF="mod_userdir.html">mod_userdir</A> +<DD>User home directories. 
+<DT><A HREF="mod_unique_id.html">mod_unique_id</A> Apache 1.3 and up +<DD>Generate unique request identifier for every request +<DT><A HREF="mod_usertrack.html">mod_usertrack</A> Apache 1.2 and up +<DD>User tracking using Cookies (replacement for mod_cookies.c) +</DL> <HR> + <H3 ALIGN="CENTER"> - Apache HTTP Server Version 1.2 + Apache HTTP Server Version 1.3 </H3> <A HREF="./"><IMG SRC="../images/index.gif" ALT="Index"></A> diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover_title.gif b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover_title.gif Binary files differnew file mode 100644 index 00000000000..3b1291fa4e4 --- /dev/null +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover_title.gif diff --git a/usr.sbin/httpd/src/ApacheCore.def b/usr.sbin/httpd/src/ApacheCore.def index d6c8d8837d2..ce7044e12f7 100644 --- a/usr.sbin/httpd/src/ApacheCore.def +++ b/usr.sbin/httpd/src/ApacheCore.def @@ -324,4 +324,17 @@ EXPORTS ap_make_etag @317 ap_array_pstrcat @318 ap_os_is_filename_valid @319 + ap_add_config_define @320 + ap_global_ctx @321 + ap_ctx_new @322 + ap_ctx_get @323 + ap_ctx_set @324 + ap_hook_init @325 + ap_hook_kill @326 + ap_hook_configure @327 + ap_hook_register_I @328 + ap_hook_unregister_I @329 + ap_hook_status @330 + ap_hook_use @331 + ap_hook_call @332 diff --git a/usr.sbin/httpd/src/Configuration b/usr.sbin/httpd/src/Configuration index ca8b55aace5..a10f798aa6e 100644 --- a/usr.sbin/httpd/src/Configuration +++ b/usr.sbin/httpd/src/Configuration 
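Review bot: The thirteen new ApacheCore.def exports (`ap_add_config_define` through `ap_hook_call`) are added unconditionally, yet at least `ap_add_config_define` and `ap_global_ctx` are defined only under `#ifdef EAPI` in the http_main.c hunk later in this commit, so a Win32 build with EAPI off would export symbols that do not exist; whether ap_hook.c/ap_ctx.c are guarded the same way is not visible here. A .def file cannot be made conditional, so either the Win32 build must always define EAPI (in which case a comment at the top of this block should say so) or the EAPI-only entries need stubs. If the ordinals are relied on by other binaries, that is worth noting too, since these entries pin @320–@332.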
@@ -26,6 +26,47 @@ # not enabled). The AddModule directive can be used to enable such a # module. By default no such modules are defined. +################################################################ +# SSL support: +# +# o Set SSL_BASE to either the directory of your SSLeay +# source tree or the installation tree. Alternatively you can +# also use the value 'SYSTEM' which then indicates that SSLeay +# is installed under various system locations. +# +# o If you're a US-citizen you have to compile SSLeay with the +# RSAref library (which replaces the RSA code of SSLeay) +# because of patent legalities with the RSA algorithm used for +# the SSL protocol. For this situation you already have to +# compile SSLeay with the -DRSAref define and now you have to +# force Apache to link against the RSAglue library (from +# SSLeay) and the rsaref library (from RSA). So, set RSA_BASE +# to the directory of your RSAref source tree or to 'SYSTEM' +# (indicating that librsaref.a is installed under a system +# location) +# +# o Disable SSL_COMPAT rule to build mod_ssl without backward +# compatibility code for Apache-SSL 1.x, mod_ssl 2.0.x Sioux +# 1.x and Stronghold 2.x. +# +# o The SSL_SDBM rule controls whether the built-in SDBM library should be +# used instead of a custom defined or vendor supplied DBM library. Use the +# value 'default' for automatic determination or use 'yes' to force the use +# of SDBM in case the vendor DBM library is buggy or restricts the data +# sizes too dramatically. +# +# o The SSL_EXPERIMENTAL rule can be used to enable still experimental code +# inside mod_ssl. These are usually new features which need some more +# testing before they can be considered stable. 
So, enabled this on your own +# risk and only when you like to see Apache+mod_ssl dump core ;-) +# + +#SSL_BASE=/usr/local/ssl +#RSA_BASE=/usr/local/rsa +SSL_BASE=SYSTEM +Rule SSL_COMPAT=yes +Rule SSL_SDBM=default +Rule SSL_EXPERIMENTAL=no ################################################################ # Makefile configuration @@ -160,12 +201,20 @@ Rule SHARED_CHAIN=default # is performing this function. If PARANOID is set to yes, it will # actually print-out the code that the modules execute # +# EAPI: +# Enable the Extended API which provides more module hooks, a generic +# low-level hook mechanism and a generic context mechanism. Please notice +# that enabling this rule forces you to recompile (with -DEAPI) all existing +# modules which are already built and installed as DSOs. Because under EAPI +# the module configuration structure has a different size. +# Rule SOCKS4=no Rule SOCKS5=no Rule IRIXNIS=no Rule IRIXN32=yes Rule PARANOID=no +Rule EAPI=no # The following rules should be set automatically by Configure. However, if # they are not set by Configure (because we don't know the correct value for @@ -328,8 +377,8 @@ AddModule modules/standard/mod_auth.o ## "gdbm" package if not and possibly adjust EXTRA_LIBS. (This may be ## done by Configure at a later date) -# AddModule modules/standard/mod_auth_dbm.o -# AddModule modules/standard/mod_auth_db.o +AddModule modules/standard/mod_auth_dbm.o +AddModule modules/standard/mod_auth_db.o ## "digest" implements HTTP Digest Authentication rather than the less ## secure Basic Auth used by the other modules. @@ -391,3 +440,9 @@ AddModule modules/standard/mod_auth.o AddModule modules/standard/mod_setenvif.o +## mod_ssl incorporates SSL into Apache. +## It must stay last here to be first in execution to +## fake basic authorization. + +AddModule modules/ssl/libssl.a + diff --git a/usr.sbin/httpd/src/Configuration.tmpl b/usr.sbin/httpd/src/Configuration.tmpl index ca8b55aace5..351303ec0e8 100644 
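Review bot: `Rule EAPI=no` is kept in the same file that now activates `AddModule modules/ssl/libssl.a`, while the ap_config_auto.h added by this commit hard-codes `#define EAPI 1`; unless Configure flips EAPI on automatically when the ssl module is selected (not visible here), a build from this file links a module whose extra hooks and ctx fields the core never dispatches. Either set `Rule EAPI=yes` next to the AddModule line or extend the comment above it: `## mod_ssl requires Rule EAPI=yes (Extended API).` The same `Rule EAPI=no` default appears in the Configuration.tmpl hunk that follows, where libssl.a stays commented out, so the dependency should be stated there as well.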
--- a/usr.sbin/httpd/src/Configuration.tmpl
+++ b/usr.sbin/httpd/src/Configuration.tmpl
@@ -26,6 +26,46 @@ # not enabled). The AddModule directive can be used to enable such a # module. By default no such modules are defined. +################################################################ +# SSL support: +# +# o Set SSL_BASE to either the directory of your SSLeay +# source tree or the installation tree. Alternatively you can +# also use the value 'SYSTEM' which then indicates that SSLeay +# is installed under various system locations. +# +# o If you're a US-citizen you have to compile SSLeay with the +# RSAref library (which replaces the RSA code of SSLeay) +# because of patent legalities with the RSA algorithm used for +# the SSL protocol. For this situation you already have to +# compile SSLeay with the -DRSAref define and now you have to +# force Apache to link against the RSAglue library (from +# SSLeay) and the rsaref library (from RSA). So, set RSA_BASE +# to the directory of your RSAref source tree or to 'SYSTEM' +# (indicating that librsaref.a is installed under a system +# location) +# +# o Disable SSL_COMPAT rule to build mod_ssl without backward +# compatibility code for Apache-SSL 1.x, mod_ssl 2.0.x Sioux +# 1.x and Stronghold 2.x. +# +# o The SSL_SDBM rule controls whether the built-in SDBM library should be +# used instead of a custom defined or vendor supplied DBM library. Use the +# value 'default' for automatic determination or use 'yes' to force the use +# of SDBM in case the vendor DBM library is buggy or restricts the data +# sizes too dramatically. +# +# o The SSL_EXPERIMENTAL rule can be used to enable still experimental code +# inside mod_ssl. These are usually new features which need some more +# testing before they can be considered stable. 
So, enabled this on your own +# risk and only when you like to see Apache+mod_ssl dump core ;-) +# + +#SSL_BASE=/usr/local/ssl +#RSA_BASE=/usr/local/rsa +Rule SSL_COMPAT=yes +Rule SSL_SDBM=default +Rule SSL_EXPERIMENTAL=no ################################################################ # Makefile configuration @@ -160,12 +200,20 @@ Rule SHARED_CHAIN=default # is performing this function. If PARANOID is set to yes, it will # actually print-out the code that the modules execute # +# EAPI: +# Enable the Extended API which provides more module hooks, a generic +# low-level hook mechanism and a generic context mechanism. Please notice +# that enabling this rule forces you to recompile (with -DEAPI) all existing +# modules which are already built and installed as DSOs. Because under EAPI +# the module configuration structure has a different size. +# Rule SOCKS4=no Rule SOCKS5=no Rule IRIXNIS=no Rule IRIXN32=yes Rule PARANOID=no +Rule EAPI=no # The following rules should be set automatically by Configure. However, if # they are not set by Configure (because we don't know the correct value for @@ -391,3 +439,9 @@ AddModule modules/standard/mod_auth.o AddModule modules/standard/mod_setenvif.o +## mod_ssl incorporates SSL into Apache. +## It must stay last here to be first in execution to +## fake basic authorization. + +# AddModule modules/ssl/libssl.a + diff --git a/usr.sbin/httpd/src/Configure b/usr.sbin/httpd/src/Configure index d00b0e2fed3..b3b36170a9b 100644 --- a/usr.sbin/httpd/src/Configure +++ b/usr.sbin/httpd/src/Configure @@ -228,6 +228,7 @@ RULE_SOCKS5=`./helpers/CutRule SOCKS5 $file` RULE_IRIXNIS=`./helpers/CutRule IRIXNIS $file` RULE_IRIXN32=`./helpers/CutRule IRIXN32 $file` RULE_PARANOID=`./helpers/CutRule PARANOID $file` +RULE_EAPI=`./helpers/CutRule EAPI $file` RULE_SHARED_CORE=`./helpers/CutRule SHARED_CORE $file` RULE_SHARED_CHAIN=`./helpers/CutRule SHARED_CHAIN $file` 
@@ -1538,6 +1539,19 @@ if [ "$RULE_WANTHSREGEX" = "yes" ]; then fi #################################################################### +# Extended API support: +if [ "$RULE_EAPI" = "yes" ]; then + echo " + enabling Extended API (EAPI)" + CFLAGS="$CFLAGS -DEAPI" + # some vendor compilers are too restrictive + case "$OS:$CC" in + *IRIX-32*:*/cc|*IRIX-32*:cc ) + CFLAGS="$CFLAGS -woff 1048,1110,1164" + ;; + esac +fi + +#################################################################### ## Now the SHARED_CHAIN stuff ## LIBS_SHLIB='' diff --git a/usr.sbin/httpd/src/Makefile.tmpl b/usr.sbin/httpd/src/Makefile.tmpl index bb9c9d8bc8a..b76ca00e433 100644 --- a/usr.sbin/httpd/src/Makefile.tmpl +++ b/usr.sbin/httpd/src/Makefile.tmpl @@ -11,6 +11,10 @@ OBJS= \ $(OSDIR)/libos.a \ ap/libap.a +TYPE=test +CRT= +KEY= + .c.o: $(CC) -c $(INCLUDES) $(CFLAGS) $< @@ -54,6 +58,13 @@ lib$(TARGET).$(SHLIB_SUFFIX_NAME): subdirs modules.o done; \ fi +certificate: + @./support/mkcert.sh \ + "$(MAKE)" "$(MFLAGS_STATIC)" \ + "$(SSL_PROGRAM)" ./support \ + "$(TYPE)" "$(CRT)" "$(KEY)" + @cd ../conf/ssl.crt; $(MAKE) $(MFLAGS_STATIC) SSLEAY=$(SSL_PROGRAM) >/dev/null 2>&1 + subdirs: @for i in $(SUBDIRS); do \ echo "===> $(SDP)$$i"; \ diff --git a/usr.sbin/httpd/src/ap/Makefile.tmpl b/usr.sbin/httpd/src/ap/Makefile.tmpl index 4c1503cb923..346b6b6df79 100644 --- a/usr.sbin/httpd/src/ap/Makefile.tmpl +++ b/usr.sbin/httpd/src/ap/Makefile.tmpl @@ -6,7 +6,7 @@ LDFLAGS=$(LDFLAGS1) $(EXTRA_LDFLAGS) LIB=libap.a OBJS=ap_execve.o ap_cpystrn.o ap_signal.o \ - ap_slack.o ap_snprintf.o ap_fnmatch.o + ap_slack.o ap_snprintf.o ap_fnmatch.o ap_hook.o ap_ctx.o .c.o: $(CC) -c $(INCLUDES) $(CFLAGS) $< diff --git a/usr.sbin/httpd/src/ap/ap.mak b/usr.sbin/httpd/src/ap/ap.mak index af4fe5e72f7..1e7c74a81b0 100644 --- a/usr.sbin/httpd/src/ap/ap.mak +++ b/usr.sbin/httpd/src/ap/ap.mak 
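Review bot: The `certificate` target in src/Makefile.tmpl throws away every diagnostic from the conf/ssl.crt make (`>/dev/null 2>&1`), so when hashing or rebuilding the certificate directory fails the only evidence left is make's generic error line; the `cd ...; $(MAKE)` form also runs make in the current directory if the cd fails. Prefer `@cd ../conf/ssl.crt && $(MAKE) $(MFLAGS_STATIC) SSLEAY=$(SSL_PROGRAM)` and, if the output is genuinely too chatty, redirect only stdout. The mkcert.sh call above it passes `$(TYPE)`, `$(CRT)` and `$(KEY)` straight through; a comment on the `TYPE=test` default naming where the accepted values are documented would make the target self-describing.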
@@ -48,6 +48,8 @@ ALL : "$(OUTDIR)\ap.lib" CLEAN : -@erase "$(INTDIR)\ap_cpystrn.obj" -@erase "$(INTDIR)\ap_fnmatch.obj" + -@erase "$(INTDIR)\ap_hook.obj" + -@erase "$(INTDIR)\ap_ctx.obj" -@erase "$(INTDIR)\ap_signal.obj" -@erase "$(INTDIR)\ap_slack.obj" -@erase "$(INTDIR)\ap_snprintf.obj" @@ -70,6 +72,8 @@ LIB32_FLAGS=/nologo /out:"$(OUTDIR)\ap.lib" LIB32_OBJS= \ "$(INTDIR)\ap_cpystrn.obj" \ "$(INTDIR)\ap_fnmatch.obj" \ + "$(INTDIR)\ap_hook.obj" \ + "$(INTDIR)\ap_ctx.obj" \ "$(INTDIR)\ap_signal.obj" \ "$(INTDIR)\ap_slack.obj" \ "$(INTDIR)\ap_snprintf.obj" @@ -100,6 +104,8 @@ ALL : "$(OUTDIR)\ap.lib" CLEAN : -@erase "$(INTDIR)\ap_cpystrn.obj" -@erase "$(INTDIR)\ap_fnmatch.obj" + -@erase "$(INTDIR)\ap_hook.obj" + -@erase "$(INTDIR)\ap_ctx.obj" -@erase "$(INTDIR)\ap_signal.obj" -@erase "$(INTDIR)\ap_slack.obj" -@erase "$(INTDIR)\ap_snprintf.obj" @@ -122,6 +128,8 @@ LIB32_FLAGS=/nologo /out:"$(OUTDIR)\ap.lib" LIB32_OBJS= \ "$(INTDIR)\ap_cpystrn.obj" \ "$(INTDIR)\ap_fnmatch.obj" \ + "$(INTDIR)\ap_hook.obj" \ + "$(INTDIR)\ap_ctx.obj" \ "$(INTDIR)\ap_signal.obj" \ "$(INTDIR)\ap_slack.obj" \ "$(INTDIR)\ap_snprintf.obj" diff --git a/usr.sbin/httpd/src/include/ap_config_auto.h b/usr.sbin/httpd/src/include/ap_config_auto.h new file mode 100644 index 00000000000..846e30351c4 --- /dev/null +++ b/usr.sbin/httpd/src/include/ap_config_auto.h 
@@ -0,0 +1,59 @@
+/*
+ * ap_config_auto.h -- Automatically determined configuration stuff
+ * THIS FILE WAS AUTOMATICALLY GENERATED - DO NOT EDIT!
+ */
+
+#ifndef AP_CONFIG_AUTO_H
+#define AP_CONFIG_AUTO_H
+
+/* check: #include <dlfcn.h> */
+#ifndef HAVE_DLFCN_H
+#define HAVE_DLFCN_H 1
+#endif
+
+/* check: #include <dl.h> */
+#ifdef HAVE_DL_H
+#undef HAVE_DL_H
+#endif
+
+/* check: #include <bstring.h> */
+#ifdef HAVE_BSTRING_H
+#undef HAVE_BSTRING_H
+#endif
+
+/* check: #include <crypt.h> */
+#ifdef HAVE_CRYPT_H
+#undef HAVE_CRYPT_H
+#endif
+
+/* check: #include <unistd.h> */
+#ifndef HAVE_UNISTD_H
+#define HAVE_UNISTD_H 1
+#endif
+
+/* check: #include <sys/resource.h> */
+#ifndef HAVE_SYS_RESOURCE_H
+#define HAVE_SYS_RESOURCE_H 1
+#endif
+
+/* check: #include <sys/select.h> */
+#ifndef HAVE_SYS_SELECT_H
+#define HAVE_SYS_SELECT_H 1
+#endif
+
+/* check: #include <sys/processor.h> */
+#ifdef HAVE_SYS_PROCESSOR_H
+#undef HAVE_SYS_PROCESSOR_H
+#endif
+
+/* build flag: -DMOD_SSL=202103 */
+#ifndef MOD_SSL
+#define MOD_SSL 202103
+#endif
+
+/* build flag: -DEAPI */
+#ifndef EAPI
+#define EAPI 1
+#endif
+
+#endif /* AP_CONFIG_AUTO_H */
diff --git a/usr.sbin/httpd/src/include/ap_mmn.h b/usr.sbin/httpd/src/include/ap_mmn.h
index bbfabe604f4..4a4316027d1 100644
--- a/usr.sbin/httpd/src/include/ap_mmn.h
+++ b/usr.sbin/httpd/src/include/ap_mmn.h
@@ -205,7 +205,23 @@ * for a non-binary-compatible release. */ +/* + * Under Extended API situations we replace the magic cookie "AP13" with + * "EAPI" to let us distinguish between the EAPI module structure (which + * contain additional pointers at the end) and standard module structures + * (which lack at least NULL's for the pointers at the end). This is + * important because standard ("AP13") modules would dump core when we + * dispatch over the additional hooks because NULL's are missing at the end of + * the module structure. See also the code in mod_so for details on loading + * (we accept both "AP13" and "EAPI"). + */ +#ifdef EAPI +#define MODULE_MAGIC_COOKIE_AP13 0x41503133UL /* "AP13" */ +#define MODULE_MAGIC_COOKIE_EAPI 0x45415049UL /* "EAPI" */ +#define MODULE_MAGIC_COOKIE MODULE_MAGIC_COOKIE_EAPI +#else #define MODULE_MAGIC_COOKIE 0x41503133UL /* "AP13" */ +#endif #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 19990108 diff --git a/usr.sbin/httpd/src/include/buff.h b/usr.sbin/httpd/src/include/buff.h index 27ccd1537be..e2e00a5f126 100644 --- a/usr.sbin/httpd/src/include/buff.h +++ b/usr.sbin/httpd/src/include/buff.h @@ -124,6 +124,10 @@ struct buff_struct { /* transport handle, for RPC binding handle or some such */ void *t_handle; +#ifdef EAPI + ap_ctx *ctx; +#endif /* EAPI */ + #ifdef B_SFIO Sfio_t *sf_in; Sfio_t *sf_out; diff --git a/usr.sbin/httpd/src/include/http_conf_globals.h b/usr.sbin/httpd/src/include/http_conf_globals.h index c540c4e0a8c..53c429421be 100644 --- a/usr.sbin/httpd/src/include/http_conf_globals.h +++ b/usr.sbin/httpd/src/include/http_conf_globals.h @@ -86,6 +86,9 @@ extern MODULE_VAR_EXPORT int ap_suexec_enabled; extern int ap_listenbacklog; extern int ap_dump_settings; extern API_VAR_EXPORT int ap_extended_status; +#ifdef EAPI +extern API_VAR_EXPORT ap_ctx *ap_global_ctx; +#endif /* EAPI */ extern char *ap_pid_fname; extern char *ap_scoreboard_fname; 
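Review bot: `MODULE_MAGIC_COOKIE_AP13` exists only inside the `#ifdef EAPI` branch, so any core or mod_so code that compares a loaded module against the legacy cookie must itself be EAPI-guarded or it fails to compile in a plain build. Defining the AP13 constant unconditionally and having the `#else` branch read `#define MODULE_MAGIC_COOKIE MODULE_MAGIC_COOKIE_AP13` keeps a single literal for the value and lets both builds name it. The comment's core argument (dispatching over trailing hook pointers that non-EAPI modules never initialised) is exactly why every hook walk later in this commit tests `magic == MODULE_MAGIC_COOKIE_EAPI` first; stating that rule in one sentence here would give the http_config.c and http_main.c checks a documented origin.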
diff --git a/usr.sbin/httpd/src/include/http_config.h b/usr.sbin/httpd/src/include/http_config.h
index 5962efc186c..21b51ddf8bc 100644
--- a/usr.sbin/httpd/src/include/http_config.h
+++ b/usr.sbin/httpd/src/include/http_config.h
@@ -273,6 +273,55 @@ typedef struct module_struct { void (*child_exit) (server_rec *, pool *); #endif int (*post_read_request) (request_rec *); + +#ifdef EAPI + /* + * ANSI C guarantees us that we can at least _extend_ the module structure + * with additional hooks without the need to change all existing modules. + * Because: ``If there are fewer initializers in the list than members of + * the structure, the trailing members are initialized with 0.'' (The C + * Programming Language, 2nd Ed., A8.7 Initialization). So we just + * have to put our additional hooks here: + * + * add_module: + * Called from within ap_add_module() right after the module structure + * was linked into the Apache internal module list. It is mainly + * intended to be used to define configuration defines (<IfDefine>) + * which have to be available directly after a LoadModule/AddModule. + * Actually this is the earliest possible hook a module can use. + * + * remove_module: + * Called from within ap_remove_module() right before the module + * structure is kicked out from the Apache internal module list. + * Actually this is last possible hook a module can use and exists for + * consistency with the add_module hook. + * + * rewrite_command: + * Called right after a configuration directive line was read and + * before it is processed. It is mainly intended to be used for + * rewriting directives in order to provide backward compatibility to + * old directive variants. + * + * new_connection: + * Called from within the internal new_connection() function, right + * after the conn_rec structure for the new established connection was + * created and before Apache starts processing the request with + * ap_read_request(). It is mainly intended to be used to setup/run + * connection dependent things like sending start headers for + * on-the-fly compression, etc. 
+ */ +#ifdef ULTRIX_BRAIN_DEATH + void (*add_module) (); + void (*remove_module) (); + char *(*rewrite_command) (); + void (*new_connection) (); +#else + void (*add_module) (struct module_struct *); + void (*remove_module) (struct module_struct *); + char *(*rewrite_command) (cmd_parms *, void *config, const char *); + void (*new_connection) (conn_rec *); +#endif +#endif /* EAPI */ } module; /* Initializer for the first few module slots, which are only diff --git a/usr.sbin/httpd/src/include/http_main.h b/usr.sbin/httpd/src/include/http_main.h index a0d014de785..fec41a6034c 100644 --- a/usr.sbin/httpd/src/include/http_main.h +++ b/usr.sbin/httpd/src/include/http_main.h @@ -124,7 +124,11 @@ API_EXPORT(void) ap_child_terminate(request_rec *r); API_EXPORT(void) ap_sync_scoreboard_image(void); int ap_update_child_status(int child_num, int status, request_rec *r); void ap_time_process_request(int child_num, int status); +#ifdef EAPI +API_EXPORT(unsigned int) ap_set_callback_and_alarm(void (*fn) (int), int x); +#else unsigned int ap_set_callback_and_alarm(void (*fn) (int), int x); +#endif API_EXPORT(int) ap_check_alarm(void); #ifndef NO_OTHER_CHILD diff --git a/usr.sbin/httpd/src/include/httpd.h b/usr.sbin/httpd/src/include/httpd.h index 318966b4a8d..581836ec522 100644 --- a/usr.sbin/httpd/src/include/httpd.h +++ b/usr.sbin/httpd/src/include/httpd.h @@ -70,6 +70,15 @@ extern "C" { #include "ap_config.h" #include "alloc.h" +/* + * Include the Extended API headers. + * Don't move the position. It has to be after alloc.h because it uses the + * pool stuff but before buff.h because the buffer stuff uses the EAPI, too. + */ +#ifdef EAPI +#include "ap_hook.h" +#include "ap_ctx.h" +#endif /* EAPI */ #include "buff.h" #include "ap.h" 
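Review bot: The `rewrite_command` hook returns a `char *` that the core then uses in place of the directive line, but nothing in the comment says who owns that buffer or how long it must live; the contract should be stated, e.g. `* Returns NULL to leave the line alone, otherwise a replacement allocated from parms->pool (the caller does not free it).` The `new_connection` paragraph could likewise record that `conn->ctx` already exists when the hook runs, since that ordering in the http_main.c hunk is what lets a hook store per-connection state. The opening ANSI-C argument about trailing zero-initialisers holds for statically initialised module structures only; it is the magic-cookie check elsewhere that protects against anything else, which is worth one sentence here.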
@@ -136,8 +145,13 @@ extern "C" { #define DEFAULT_HTTP_PORT 80 #define DEFAULT_HTTPS_PORT 443 #define ap_is_default_port(port,r) ((port) == ap_default_port(r)) +#ifdef EAPI +#define ap_http_method(r) (ap_ctx_get((r)->ctx, "ap::http::method") != NULL ? ((char *)ap_ctx_get((r)->ctx, "ap::http::method")) : "http") +#define ap_default_port(r) (ap_ctx_get((r)->ctx, "ap::default::port") != NULL ? atoi((char *)ap_ctx_get((r)->ctx, "ap::default::port")) : DEFAULT_HTTP_PORT) +#else /* EAPI */ #define ap_http_method(r) "http" #define ap_default_port(r) DEFAULT_HTTP_PORT +#endif /* EAPI */ /* --------- Default user name and group name running standalone ---------- */ /* --- These may be specified as numbers by placing a # before a number --- */ @@ -426,6 +440,9 @@ enum server_token_type { API_EXPORT(const char *) ap_get_server_version(void); API_EXPORT(void) ap_add_version_component(const char *component); API_EXPORT(const char *) ap_get_server_built(void); +#ifdef EAPI +API_EXPORT(void) ap_add_config_define(const char *define); +#endif /* EAPI */ /* Numeric release version identifier: MMNNFFRBB: major minor fix final beta * Always increases along the same track as the source branch. @@ -780,6 +797,10 @@ struct request_rec { * record to improve 64bit alignment the next time we need to break * binary compatibility for some other reason. */ + +#ifdef EAPI + ap_ctx *ctx; +#endif /* EAPI */ }; @@ -824,6 +845,10 @@ struct conn_rec { signed int double_reverse:2;/* have we done double-reverse DNS? * -1 yes/failure, 0 not yet, 1 yes/success */ int keepalives; /* How many times have we used it? */ + +#ifdef EAPI + ap_ctx *ctx; +#endif /* EAPI */ }; /* Per-vhost config... */ 
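Review bot: The EAPI `ap_http_method(r)` and `ap_default_port(r)` macros call `ap_ctx_get()` twice per use and run `atoi()` on whatever string a module stored under `ap::default::port`, so a non-numeric value silently becomes port 0 instead of falling back to `DEFAULT_HTTP_PORT`; `r` is also expanded twice, which matters if a caller ever passes an expression with side effects. A pair of functions (single lookup into a local, `strtol` with a range check) would remove both hazards and give a home for documenting the two context keys, which are otherwise undiscoverable strings. If the macro form is kept for compatibility, a comment above them naming the keys and the fallback behaviour is the minimum.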
@@ -896,6 +921,10 @@ struct server_rec { int limit_req_line; /* limit on size of the HTTP request line */ int limit_req_fieldsize; /* limit on size of any request header field */ int limit_req_fields; /* limit on number of request header fields */ + +#ifdef EAPI + ap_ctx *ctx; +#endif /* EAPI */ }; /* These are more like real hosts than virtual hosts */ diff --git a/usr.sbin/httpd/src/main/buff.c b/usr.sbin/httpd/src/main/buff.c index cf78599c7c7..85006a92478 100644 --- a/usr.sbin/httpd/src/main/buff.c +++ b/usr.sbin/httpd/src/main/buff.c @@ -125,7 +125,11 @@ select() sometimes returns 1 even though the write will block. We must work around this. */ +#ifdef EAPI +API_EXPORT(int) sendwithtimeout(int sock, const char *buf, int len, int flags) +#else /* EAPI */ int sendwithtimeout(int sock, const char *buf, int len, int flags) +#endif /* EAPI */ { int iostate = 1; fd_set fdset; @@ -183,8 +187,11 @@ int sendwithtimeout(int sock, const char *buf, int len, int flags) return (rv); } - +#ifdef EAPI +API_EXPORT(int) recvwithtimeout(int sock, char *buf, int len, int flags) +#else /* EAPI */ int recvwithtimeout(int sock, char *buf, int len, int flags) +#endif /* EAPI */ { int iostate = 1; fd_set fdset; @@ -242,6 +249,9 @@ static int ap_read(BUFF *fb, void *buf, int nbyte) } else #endif +#ifdef EAPI + if (!ap_hook_call("ap::buff::read", &rv, fb, buf, nbyte)) +#endif /* EAPI */ rv = read(fb->fd_in, buf, nbyte); return rv; @@ -253,6 +263,9 @@ static ap_inline int buff_read(BUFF *fb, void *buf, int nbyte) #if defined (WIN32) if (fb->flags & B_SOCKET) { +#ifdef EAPI + if (!ap_hook_call("ap::buff::recvwithtimeout", &rv, fb, buf, nbyte)) +#endif /* EAPI */ rv = recvwithtimeout(fb->fd_in, buf, nbyte, 0); if (rv == SOCKET_ERROR) errno = WSAGetLastError(); 
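Review bot: In the Win32 `buff_read` path the hook result is fed straight into the existing `if (rv == SOCKET_ERROR) errno = WSAGetLastError();`, so a hook that reports failure by returning -1 with errno set has its errno replaced by whatever the last Winsock error happened to be; the `buff_write` hunk that follows has the same shape around `sendwithtimeout`. If hooks are meant to follow the native convention, a comment on the `ap_hook_call` line saying so is enough; otherwise the errno translation should apply only when the native call actually ran. The `#ifdef EAPI` `if` followed by an unguarded `rv = ...;` is also an easy-to-misread dangling-if; a comment such as `/* EAPI: a registered hook may service the read; fall through to read() otherwise */` above the first occurrence in `ap_read` would help.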
@@ -295,6 +308,9 @@ static int ap_write(BUFF *fb, const void *buf, int nbyte) } else #endif +#ifdef EAPI + if (!ap_hook_call("ap::buff::write", &rv, fb, buf, nbyte)) +#endif /* EAPI */ #if defined (B_SFIO) rv = sfwrite(fb->sf_out, buf, nbyte); #else @@ -310,6 +326,9 @@ static ap_inline int buff_write(BUFF *fb, const void *buf, int nbyte) #if defined(WIN32) if (fb->flags & B_SOCKET) { +#ifdef EAPI + if (!ap_hook_call("ap::buff::sendwithtimeout", &rv, fb, buf, nbyte)) +#endif /* EAPI */ rv = sendwithtimeout(fb->fd, buf, nbyte, 0); if (rv == SOCKET_ERROR) errno = WSAGetLastError(); @@ -385,6 +404,10 @@ API_EXPORT(BUFF *) ap_bcreate(pool *p, int flags) (size_t) SF_UNBOUND, 1, SF_WRITE); #endif +#ifdef EAPI + fb->ctx = ap_ctx_new(p); +#endif /* EAPI */ + return fb; } @@ -1041,6 +1064,9 @@ static int writev_it_all(BUFF *fb, struct iovec *vec, int nvec) i = 0; while (i < nvec) { do +#ifdef EAPI + if (!ap_hook_call("ap::buff::writev", &rv, fb, &vec[i], nvec -i)) +#endif /* EAPI */ rv = writev(fb->fd, &vec[i], nvec - i); while (rv == -1 && (errno == EINTR || errno == EAGAIN) && !(fb->flags & B_EOUT)); diff --git a/usr.sbin/httpd/src/main/http_config.c b/usr.sbin/httpd/src/main/http_config.c index 206dae888eb..2159c448550 100644 --- a/usr.sbin/httpd/src/main/http_config.c +++ b/usr.sbin/httpd/src/main/http_config.c @@ -580,6 +580,20 @@ API_EXPORT(void) ap_add_module(module *m) m->name = tmp; } #endif /*_OSD_POSIX*/ + +#ifdef EAPI + /* + * Invoke the `add_module' hook inside the now existing set + * of modules to let them all now that this module was added. + */ + { + module *m2; + for (m2 = top_module; m2 != NULL; m2 = m2->next) + if (m2->magic == MODULE_MAGIC_COOKIE_EAPI) + if (m2->add_module != NULL) + (*m2->add_module)(m); + } +#endif /* EAPI */ } /* 
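Review bot: In `writev_it_all` the `do` body becomes a conditional `if (...)` statement spliced in by `#ifdef EAPI` before the unbraced `rv = writev(...)`, so the loop body is a different statement in the two builds and the `while` condition reads whatever `rv` a hook produced; bracing the body (`do { if (!ap_hook_call(...)) rv = writev(...); } while (...);`, with the `#ifdef` inside the braces) makes that visible. In `ap_add_module` the hook walk runs after `m` is already linked into the list, so an EAPI module receives `add_module` for itself too; if intended that deserves a comment, otherwise skip `m2 == m`. The comment text there (`let them all now`) presumably means `know`.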
@@ -594,6 +608,21 @@ API_EXPORT(void) ap_remove_module(module *m) { module *modp; +#ifdef EAPI + /* + * Invoke the `remove_module' hook inside the now existing + * set of modules to let them all now that this module is + * beeing removed. + */ + { + module *m2; + for (m2 = top_module; m2 != NULL; m2 = m2->next) + if (m2->magic == MODULE_MAGIC_COOKIE_EAPI) + if (m2->remove_module != NULL) + (*m2->remove_module)(m); + } +#endif /* EAPI */ + modp = top_module; if (modp == m) { /* We are the top module, special case */ @@ -960,6 +989,27 @@ CORE_EXPORT(const char *) ap_handle_command(cmd_parms *parms, void *config, cons const command_rec *cmd; module *mod = top_module; +#ifdef EAPI + /* + * Invoke the `rewrite_command' of modules to allow + * they to rewrite the directive line before we + * process it. + */ + { + module *m; + char *cp; + for (m = top_module; m != NULL; m = m->next) { + if (m->magic == MODULE_MAGIC_COOKIE_EAPI) { + if (m->rewrite_command != NULL) { + cp = (m->rewrite_command)(parms, config, l); + if (cp != NULL) + l = cp; + } + } + } + } +#endif /* EAPI */ + if ((l[0] == '#') || (!l[0])) return NULL; @@ -1319,6 +1369,10 @@ CORE_EXPORT(const char *) ap_init_virtual_host(pool *p, const char *hostname, s->limit_req_fieldsize = main_server->limit_req_fieldsize; s->limit_req_fields = main_server->limit_req_fields; +#ifdef EAPI + s->ctx = ap_ctx_new(p); +#endif /* EAPI */ + *ps = s; return ap_parse_vhost_addrs(p, hostname, s); @@ -1430,6 +1484,10 @@ static server_rec *init_server_config(pool *p) s->module_config = create_server_config(p, s); s->lookup_defaults = create_default_per_dir_config(p); +#ifdef EAPI + s->ctx = ap_ctx_new(p); +#endif /* EAPI */ + return s; } diff --git a/usr.sbin/httpd/src/main/http_main.c b/usr.sbin/httpd/src/main/http_main.c index 46ca62a1097..c197baa2191 100644 --- a/usr.sbin/httpd/src/main/http_main.c +++ b/usr.sbin/httpd/src/main/http_main.c 
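Review bot: The `rewrite_command` walk in `ap_handle_command` runs before the `if ((l[0] == '#') || (!l[0])) return NULL;` check, so every hook is invoked for comment and blank lines and a hook can turn a comment into a live directive; moving the comment/blank test above the EAPI block limits rewriting to real directives. The loop also feeds each module's output into the next (`l = cp`), which is reasonable but undocumented — `/* hooks are chained: later modules see earlier rewrites */` would settle it. The lifetime of the replacement pointer is taken on trust here; it should be stated at the hook's declaration in http_config.h.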
@@ -249,6 +249,9 @@ int ap_suexec_enabled = 0; int ap_listenbacklog; int ap_dump_settings = 0; API_VAR_EXPORT int ap_extended_status = 0; +#ifdef EAPI +API_VAR_EXPORT ap_ctx *ap_global_ctx; +#endif /* EAPI */ /* * The max child slot ever assigned, preserved across restarts. Necessary @@ -413,6 +416,16 @@ static void ap_set_version(void) } } +#ifdef EAPI +API_EXPORT(void) ap_add_config_define(const char *define) +{ + char **var; + var = (char **)ap_push_array(ap_server_config_defines); + *var = ap_pstrdup(pcommands, define); + return; +} +#endif /* EAPI */ + static APACHE_TLS int volatile exit_after_unblock = 0; #ifdef GPROF @@ -1147,7 +1160,11 @@ static void alrm_handler(int sig) } #endif +#ifdef EAPI +API_EXPORT(unsigned int) ap_set_callback_and_alarm(void (*fn) (int), int x) +#else unsigned int ap_set_callback_and_alarm(void (*fn) (int), int x) +#endif { unsigned int old; @@ -2971,6 +2988,24 @@ static conn_rec *new_connection(pool *p, server_rec *server, BUFF *inout, conn->remote_addr = *remaddr; conn->remote_ip = ap_pstrdup(conn->pool, inet_ntoa(conn->remote_addr.sin_addr)); +#ifdef EAPI + conn->ctx = ap_ctx_new(conn->pool); +#endif /* EAPI */ + +#ifdef EAPI + /* + * Invoke the `new_connection' hook of modules to let them do + * some connection dependent actions before we go on with + * processing the request on this connection. + */ + { + module *m; + for (m = top_module; m != NULL; m = m->next) + if (m->magic == MODULE_MAGIC_COOKIE_EAPI) + if (m->new_connection != NULL) + (*m->new_connection)(conn); + } +#endif /* EAPI */ return conn; } @@ -3341,6 +3376,9 @@ static void show_compile_settings(void) printf("Server's Module Magic Number: %u:%u\n", MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR); printf("Server compiled with....\n"); +#ifdef EAPI + printf(" -D EAPI\n"); +#endif #ifdef BIG_SECURITY_HOLE printf(" -D BIG_SECURITY_HOLE\n"); #endif 
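Review bot: ap_add_config_define is a new exported API with no comment describing its contract; it appends a copy of `define` to the same `ap_server_config_defines` array that common_init creates, allocating from `pcommands` like the array itself, so a header comment such as `/* Append a copy of define to ap_server_config_defines; the string is allocated from pcommands and lives as long as that pool */` would save callers a trip through http_main.c. The trailing `return;` in a void function is noise and can go. Nothing guards a NULL `define`; if ap_pstrdup tolerates NULL (not visible here) that is fine, otherwise a check belongs here.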
@@ -3486,6 +3524,22 @@ static void common_init(void) ap_server_pre_read_config = ap_make_array(pcommands, 1, sizeof(char *)); ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *)); ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *)); + +#ifdef EAPI + ap_hook_init(); + ap_hook_configure("ap::buff::read", + AP_HOOK_SIG4(int,ptr,ptr,int), AP_HOOK_TOPMOST); + ap_hook_configure("ap::buff::write", + AP_HOOK_SIG4(int,ptr,ptr,int), AP_HOOK_TOPMOST); + ap_hook_configure("ap::buff::writev", + AP_HOOK_SIG4(int,ptr,ptr,int), AP_HOOK_TOPMOST); + ap_hook_configure("ap::buff::sendwithtimeout", + AP_HOOK_SIG4(int,ptr,ptr,int), AP_HOOK_TOPMOST); + ap_hook_configure("ap::buff::recvwithtimeout", + AP_HOOK_SIG4(int,ptr,ptr,int), AP_HOOK_TOPMOST); + + ap_global_ctx = ap_ctx_new(NULL); +#endif /* EAPI */ } #ifndef MULTITHREAD diff --git a/usr.sbin/httpd/src/main/http_protocol.c b/usr.sbin/httpd/src/main/http_protocol.c index cae3aa2e8fe..9c4f831748e 100644 --- a/usr.sbin/httpd/src/main/http_protocol.c +++ b/usr.sbin/httpd/src/main/http_protocol.c @@ -916,6 +916,10 @@ request_rec *ap_read_request(conn_rec *conn) r->status = HTTP_REQUEST_TIME_OUT; /* Until we get a request */ r->the_request = NULL; +#ifdef EAPI + r->ctx = ap_ctx_new(r->pool); +#endif /* EAPI */ + #ifdef CHARSET_EBCDIC ap_bsetflag(r->connection->client, B_ASCII2EBCDIC|B_EBCDIC2ASCII, 1); #endif @@ -1065,6 +1069,11 @@ void ap_set_sub_req_protocol(request_rec *rnew, const request_rec *r) rnew->read_body = REQUEST_NO_BODY; rnew->main = (request_rec *) r; + +#ifdef EAPI + rnew->ctx = r->ctx; +#endif /* EAPI */ + } void ap_finalize_sub_req_protocol(request_rec *sub) diff --git a/usr.sbin/httpd/src/main/http_request.c b/usr.sbin/httpd/src/main/http_request.c index 71089516a07..693cf310648 100644 --- a/usr.sbin/httpd/src/main/http_request.c +++ b/usr.sbin/httpd/src/main/http_request.c 
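Review bot: In common_init `ap_global_ctx = ap_ctx_new(NULL)` is the only ap_ctx_new call in this change made without a pool (every other site passes one), so its storage and lifetime depend entirely on how ap_ctx_new treats a NULL pool, which is not visible here; a comment stating the intent, e.g. `/* no pool: the global context lives for the whole process and is never freed */`, would stop a future reader from "fixing" it by handing it a shorter-lived pool. The five ap_hook_configure calls are the signature contract every module hook must match; naming the buff.c call sites they correspond to in a comment would help whoever adds the next one. common_init continues outside this hunk.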
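Review bot: `rnew->ctx = r->ctx;` in ap_set_sub_req_protocol shares the parent's context by pointer rather than giving the subrequest its own (ap_read_request creates a fresh one with `ap_ctx_new(r->pool)`), so anything a module stores through the subrequest's ctx appears in the main request and vice versa; that is a deliberate choice worth a comment, e.g. `/* EAPI: subrequests share the parent's context (same pointer, not a copy) */`. The stray blank lines before `#ifdef EAPI` and after `#endif` inside the function body are unlike the other insertions in this change and can be dropped. ap_set_sub_req_protocol begins before this hunk.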
@@ -1301,6 +1301,9 @@ static request_rec *internal_internal_redirect(const char *new_uri, request_rec new->no_local_copy = r->no_local_copy; new->read_length = r->read_length; /* We can only read it once */ new->vlist_validator = r->vlist_validator; +#ifdef EAPI + new->ctx = r->ctx; +#endif /* EAPI */ ap_table_setn(new->subprocess_env, "REDIRECT_STATUS", ap_psprintf(r->pool, "%d", r->status)); diff --git a/usr.sbin/httpd/src/modules/proxy/mod_proxy.c b/usr.sbin/httpd/src/modules/proxy/mod_proxy.c index 0816f6640d2..f5fcf29af6b 100644 --- a/usr.sbin/httpd/src/modules/proxy/mod_proxy.c +++ b/usr.sbin/httpd/src/modules/proxy/mod_proxy.c @@ -214,6 +214,9 @@ static int proxy_trans(request_rec *r) static int proxy_fixup(request_rec *r) { char *url, *p; +#ifdef EAPI + int rc; +#endif /* EAPI */ if (!r->proxyreq || strncmp(r->filename, "proxy:", 6) != 0) return DECLINED; @@ -221,6 +224,14 @@ static int proxy_fixup(request_rec *r) url = &r->filename[6]; /* canonicalise each specific scheme */ +#ifdef EAPI + if (ap_hook_use("ap::mod_proxy::canon", + AP_HOOK_SIG3(int,ptr,ptr), + AP_HOOK_DECLINE(DECLINED), + &rc, r, url) && rc != DECLINED) + return rc; + else +#endif /* EAPI */ if (strncasecmp(url, "http:", 5) == 0) return ap_proxy_http_canon(r, url + 5, "http", DEFAULT_HTTP_PORT); else if (strncasecmp(url, "ftp:", 4) == 0) 
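Review bot: In proxy_fixup the new `return rc; else` under `#ifdef EAPI` relies on the `#endif` being followed by the original `if (strncasecmp(url, "http:", 5) == 0)` so that the two glue together into an `else if` chain; it works, but the `else` is unnecessary after a `return`, and dropping it while bracing the hook branch, `if (ap_hook_use(...) && rc != DECLINED) { return rc; }`, stops the EAPI text depending on what the next line happens to be. `rc` is read only behind the `&&`, so it is not used uninitialized when no hook is registered; a short comment is warranted because the declaration in the earlier hunk has no initializer. proxy_fixup continues outside this hunk.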
@@ -238,7 +249,38 @@ static void proxy_init(server_rec *r, pool *p) ap_proxy_garbage_init(r, p); } +#ifdef EAPI +static void proxy_addmod(module *m) +{ + /* export: ap_proxy_http_canon() as `ap::mod_proxy::http::canon' */ + ap_hook_configure("ap::mod_proxy::http::canon", + AP_HOOK_SIG5(int,ptr,ptr,ptr,int), AP_HOOK_TOPMOST); + ap_hook_register("ap::mod_proxy::http::canon", + ap_proxy_http_canon, AP_HOOK_NOCTX); + + /* export: ap_proxy_http_handler() as `ap::mod_proxy::http::handler' */ + ap_hook_configure("ap::mod_proxy::http::handler", + AP_HOOK_SIG6(int,ptr,ptr,ptr,ptr,int), AP_HOOK_TOPMOST); + ap_hook_register("ap::mod_proxy::http::handler", + ap_proxy_http_handler, AP_HOOK_NOCTX); + + /* export: ap_proxyerror() as `ap::mod_proxy::error' */ + ap_hook_configure("ap::mod_proxy::error", + AP_HOOK_SIG3(int,ptr,ptr), AP_HOOK_TOPMOST); + ap_hook_register("ap::mod_proxy::error", + ap_proxyerror, AP_HOOK_NOCTX); + return; +} +static void proxy_remmod(module *m) +{ + /* remove the hook references */ + ap_hook_unregister("ap::mod_proxy::http::canon", ap_proxy_http_canon); + ap_hook_unregister("ap::mod_proxy::http::handler", ap_proxy_http_handler); + ap_hook_unregister("ap::mod_proxy::error", ap_proxyerror); + return; +} +#endif /* EAPI */ /* Send a redirection if the request contains a hostname which is not */ /* fully qualified, i.e. doesn't have a domain name appended. Some proxy */ @@ -368,6 +410,14 @@ static int proxy_handler(request_rec *r) /* CONNECT is a special method that bypasses the normal * proxy code. */ +#ifdef EAPI + if (!ap_hook_use("ap::mod_proxy::handler", + AP_HOOK_SIG7(int,ptr,ptr,ptr,ptr,int,ptr), + AP_HOOK_DECLINE(DECLINED), + &rc, r, cr, url, + ents[i].hostname, ents[i].port, + ents[i].protocol) || rc == DECLINED) { +#endif /* EAPI */ if (r->method_number == M_CONNECT) rc = ap_proxy_connect_handler(r, cr, url, ents[i].hostname, ents[i].port); 
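Review bot: proxy_addmod ignores its `m` argument, yet ap_add_module (earlier in this change) calls every EAPI module's add_module hook for every module added afterwards, so the three ap_hook_configure/ap_hook_register pairs are re-run for the same functions once per later module; unless ap_hook_register deduplicates (not visible here) the hook tables fill with repeated entries. Registering only when mod_proxy itself is the module being added, `if (m != &proxy_module) return;`, makes the intent explicit either way, and the matching guard belongs in proxy_remmod so the unregister happens once. Both functions also end in a redundant `return;`.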
@@ -377,6 +427,9 @@ static int proxy_handler(request_rec *r) ents[i].port); else rc = DECLINED; +#ifdef EAPI + } +#endif /* EAPI */ /* an error or success */ if (rc != DECLINED && rc != HTTP_BAD_GATEWAY) @@ -390,6 +443,14 @@ static int proxy_handler(request_rec *r) * give up?? */ /* handle the scheme */ +#ifdef EAPI + if (ap_hook_use("ap::mod_proxy::handler", + AP_HOOK_SIG7(int,ptr,ptr,ptr,ptr,int,ptr), + AP_HOOK_DECLINE(DECLINED), + &rc, r, cr, url, + NULL, 0, scheme) && rc != DECLINED) + return rc; +#endif /* EAPI */ if (r->method_number == M_CONNECT) return ap_proxy_connect_handler(r, cr, url, NULL, 0); if (strcasecmp(scheme, "http") == 0) @@ -895,4 +956,10 @@ module MODULE_VAR_EXPORT proxy_module = NULL, /* child_init */ NULL, /* child_exit */ proxy_detect /* post read-request */ +#ifdef EAPI + ,proxy_addmod, /* EAPI: add_module */ + proxy_remmod, /* EAPI: remove_module */ + NULL, /* EAPI: rewrite_command */ + NULL /* EAPI: new_connection */ +#endif }; diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_http.c b/usr.sbin/httpd/src/modules/proxy/proxy_http.c index 2447b96aefe..d43dd1ee112 100644 --- a/usr.sbin/httpd/src/modules/proxy/proxy_http.c +++ b/usr.sbin/httpd/src/modules/proxy/proxy_http.c @@ -206,6 +206,12 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url, return HTTP_BAD_REQUEST; urlptr += 3; destport = DEFAULT_HTTP_PORT; +#ifdef EAPI + ap_hook_use("ap::mod_proxy::http::handler::set_destport", + AP_HOOK_SIG2(int,ptr), + AP_HOOK_TOPMOST, + &destport, r); +#endif /* EAPI */ strp = strchr(urlptr, '/'); if (strp == NULL) { desthost = ap_pstrdup(p, urlptr); 
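Review bot: The `ap::mod_proxy::http::handler::set_destport` call in ap_proxy_http_handler is the one hook site in this change that runs in AP_HOOK_TOPMOST mode and discards ap_hook_use's result, and nothing says what a hook may do with `destport`; a comment would help, e.g. `/* let a module override the default port for its scheme; whether any hook ran does not matter here */`. Note that the hook cannot touch `destportstr`, and the `Host:` header logic later in the function compares `destport` against DEFAULT_HTTP_PORT while printing `destportstr`, so a hook that installs another default port relies on `destportstr` staying NULL for the port to be omitted — worth stating next to the call. ap_proxy_http_handler begins before this hunk.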
@@ -301,13 +307,41 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url, f = ap_bcreate(p, B_RDWR | B_SOCKET); ap_bpushfd(f, sock, sock); +#ifdef EAPI + { + char *errmsg = NULL; + ap_hook_use("ap::mod_proxy::http::handler::new_connection", + AP_HOOK_SIG3(ptr,ptr,ptr), + AP_HOOK_DECLINE(NULL), + &errmsg, r, f); + if (errmsg != NULL) + return ap_proxyerror(r, errmsg); + } +#endif /* EAPI */ + ap_hard_timeout("proxy send", r); ap_bvputs(f, r->method, " ", proxyhost ? url : urlptr, " HTTP/1.0" CRLF, NULL); +#ifdef EAPI + { + int rc = DECLINED; + ap_hook_use("ap::mod_proxy::http::handler::write_host_header", + AP_HOOK_SIG6(int,ptr,ptr,ptr,int,ptr), + AP_HOOK_DECLINE(DECLINED), + &rc, r, f, desthost, destport, destportstr); + if (rc == DECLINED) { + if (destportstr != NULL && destport != DEFAULT_HTTP_PORT) + ap_bvputs(f, "Host: ", desthost, ":", destportstr, CRLF, NULL); + else + ap_bvputs(f, "Host: ", desthost, CRLF, NULL); + } + } +#else /* EAPI */ if (destportstr != NULL && destport != DEFAULT_HTTP_PORT) ap_bvputs(f, "Host: ", desthost, ":", destportstr, CRLF, NULL); else ap_bvputs(f, "Host: ", desthost, CRLF, NULL); +#endif /* EAPI */ if (conf->viaopt == via_block) { /* Block all outgoing Via: headers */ diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile b/usr.sbin/httpd/src/modules/ssl/Makefile new file mode 100644 index 00000000000..167ccb839a9 --- /dev/null +++ b/usr.sbin/httpd/src/modules/ssl/Makefile 
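Review bot: The write_host_header block in ap_proxy_http_handler repeats the two `Host:` ap_bvputs lines verbatim in both the `#ifdef EAPI` and `#else` arms, so any later fix to the header has to be made twice; declaring `rc = DECLINED` unconditionally and guarding only the ap_hook_use call with `#ifdef EAPI` leaves one fallback path with identical behaviour in both builds, as sketched below. Separately, the new_connection hook's early `return ap_proxyerror(r, errmsg)` happens after `sock` has been pushed into `f`; that is fine if the socket is registered for pool cleanup (not visible in this hunk), otherwise it leaks on that path. ap_proxy_http_handler continues outside this hunk.

```c
    ap_bvputs(f, r->method, " ", proxyhost ? url : urlptr, " HTTP/1.0" CRLF, NULL);
    {
        int rc = DECLINED;
#ifdef EAPI
        ap_hook_use("ap::mod_proxy::http::handler::write_host_header",
                    AP_HOOK_SIG6(int,ptr,ptr,ptr,int,ptr),
                    AP_HOOK_DECLINE(DECLINED),
                    &rc, r, f, desthost, destport, destportstr);
#endif /* EAPI */
        if (rc == DECLINED) {
            if (destportstr != NULL && destport != DEFAULT_HTTP_PORT)
                ap_bvputs(f, "Host: ", desthost, ":", destportstr, CRLF, NULL);
            else
                ap_bvputs(f, "Host: ", desthost, CRLF, NULL);
        }
    }
    /* … unchanged: Via header handling … */
```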
@@ -0,0 +1,471 @@ +## +## Apache Makefile, automatically generated by Configure script. +## Hand-edited changes will be lost if the Configure script is re-run. +## Sources: - ../../Makefile.config (via /home/beck/src/usr.sbin/httpd/src/obj/Configuration) +## - ./Makefile.tmpl +## + +## +## Inherited Makefile options from Configure script +## (Begin of automatically generated section) +## +SRCDIR=../.. +SSL_BASE=SYSTEM +EXTRA_CFLAGS= +EXTRA_LDFLAGS= +EXTRA_LIBS= +EXTRA_INCLUDES= +EXTRA_DEPS= +OSDIR=$(SRCDIR)/os/unix +INCDIR=$(SRCDIR)/include +INCLUDES0=-I$(OSDIR) -I$(INCDIR) +SHELL=/bin/sh +CC=cc +CPP=cc -E +TARGET=httpd +OPTIM= +SSL_BASE=SYSTEM +SSL_BINDIR=/usr/sbin +SSL_INCDIR=/usr/include/ssl/ +SSL_LIBDIR=/usr/lib +SSL_PROGRAM=/usr/sbin/ssleay +SSL_VERSION=-DMOD_SSL_VERSION=\"2.2.3\" +SSL_CFLAGS= -DSSL_COMPAT -I$(SSL_INCDIR) +CFLAGS1=-O2 -DMOD_SSL=202103 -DEAPI +INCLUDES1= +LIBS_SHLIB= +LDFLAGS1= -L$(SSL_LIBDIR) +MFLAGS_STATIC= +REGLIB= +RANLIB=ranlib +LIBS1= -lssl -lcrypto +## +## (End of automatically generated section) +## + +## +## Default Makefile options from Configure script +## (Begin of automatically generated section) +## +CFLAGS=$(OPTIM) $(CFLAGS1) $(EXTRA_CFLAGS) +LIBS=$(EXTRA_LIBS) $(LIBS1) +INCLUDES=$(INCLUDES1) $(INCLUDES0) $(EXTRA_INCLUDES) +LDFLAGS=$(LDFLAGS1) $(EXTRA_LDFLAGS) +INCDIR=$(SRCDIR)/include +LIBEXT=a +## +## (End of automatically generated section) +## +## _ _ +## _ __ ___ ___ __| | ___ ___| | +## | '_ ` _ \ / _ \ / _` | / __/ __| | +## | | | | | | (_) | (_| | \__ \__ \ | mod_ssl - Apache Interface to SSLeay +## |_| |_| |_|\___/ \__,_|___|___/___/_| http://www.engelschall.com/sw/mod_ssl/ +## |_____| +## Makefile.tmpl +## Apache 1.3 Makefile template for SSL module (Unix environment) +## + +## ==================================================================== +## Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved. 
+## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted provided that the following conditions +## are met: +## +## 1. Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## +## 2. Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following +## disclaimer in the documentation and/or other materials +## provided with the distribution. +## +## 3. All advertising materials mentioning features or use of this +## software must display the following acknowledgment: +## "This product includes software developed by +## Ralf S. Engelschall <rse@engelschall.com> for use in the +## mod_ssl project (http://www.engelschall.com/sw/mod_ssl/)." +## +## 4. The names "mod_ssl" must not be used to endorse or promote +## products derived from this software without prior written +## permission. For written permission, please contact +## rse@engelschall.com. +## +## 5. Products derived from this software may not be called "mod_ssl" +## nor may "mod_ssl" appear in their names without prior +## written permission of Ralf S. Engelschall. +## +## 6. Redistributions of any form whatsoever must retain the following +## acknowledgment: +## "This product includes software developed by +## Ralf S. Engelschall <rse@engelschall.com> for use in the +## mod_ssl project (http://www.engelschall.com/sw/mod_ssl/)." +## +## THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY +## EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. 
ENGELSCHALL OR +## HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +## NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +## STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +## OF THE POSSIBILITY OF SUCH DAMAGE. +## ==================================================================== +## + # + # ``I cannot write a program which is + # as popular as one from Larry Wall. + # But I can write one which is from me.'' + # -- RSE + +LIB=libssl.$(LIBEXT) + +OBJS=\ + mod_ssl.o\ + ssl_engine_config.o\ + ssl_engine_compat.o\ + ssl_engine_ds.o\ + ssl_engine_init.o\ + ssl_engine_kernel.o\ + ssl_engine_rand.o\ + ssl_engine_io.o\ + ssl_engine_log.o\ + ssl_engine_mutex.o\ + ssl_engine_pphrase.o\ + ssl_engine_scache.o\ + ssl_engine_vars.o\ + ssl_engine_ext.o\ + ssl_expr.o\ + ssl_expr_scan.o\ + ssl_expr_parse.o\ + ssl_expr_eval.o\ + ssl_util.o\ + ssl_util_ssl.o\ + ssl_util_sdbm.o + +OBJS_PIC=\ + mod_ssl.lo\ + ssl_engine_config.lo\ + ssl_engine_compat.lo\ + ssl_engine_ds.lo\ + ssl_engine_init.lo\ + ssl_engine_kernel.lo\ + ssl_engine_rand.lo\ + ssl_engine_io.lo\ + ssl_engine_log.lo\ + ssl_engine_mutex.lo\ + ssl_engine_pphrase.lo\ + ssl_engine_scache.lo\ + ssl_engine_vars.lo\ + ssl_engine_ext.lo\ + ssl_expr.lo\ + ssl_expr_scan.lo\ + ssl_expr_parse.lo\ + ssl_expr_eval.lo\ + ssl_util.lo\ + ssl_util_ssl.lo\ + ssl_util_sdbm.lo + +## +## END-USER AREA +## + +all: lib + +lib: $(LIB) + +libssl.a: $(OBJS) + rm -f $@ + ar cr $@ $(OBJS) + $(RANLIB) $@ + +libssl.so: $(OBJS_PIC) + rm -f $@ + $(LD_SHLIB) $(SSL_LDFLAGS) $(LDFLAGS_SHLIB) -o $@ $(OBJS_PIC) $(SSL_LIBS) $(LIBS_SHLIB) + +.SUFFIXES: .o .lo + +.c.o: + $(CC) -c $(INCLUDES) $(CFLAGS) $(SSL_CFLAGS) $(SSL_VERSION) $< + +.c.lo: + $(CC) -c 
$(INCLUDES) $(CFLAGS) $(CFLAGS_SHLIB) $(SSL_CFLAGS) $(SSL_VERSION) $< && mv $*.o $*.lo + +clean: + rm -f $(OBJS) $(OBJS_PIC) + rm -f libssl.a libssl.so + +realclean: clean + rm -f ssl_expr_parse.c ssl_expr_parse.h + rm -f ssl_expr_scan.c + +distclean: clean + -rm -f Makefile + +## +## DEVELOPER AREA +## We really don't expect end users to use these targets! +## + +ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h + flex -Pssl_expr_yy -s -B ssl_expr_scan.l + sed -e '/$$Header:/d' <lex.ssl_expr_yy.c >ssl_expr_scan.c && rm -f lex.ssl_expr_yy.c + +ssl_expr_parse.c ssl_expr_parse.h: ssl_expr_parse.y + yacc -d -l ssl_expr_parse.y + sed -e 's;yy;ssl_expr_yy;g' -e '/yysccsid/d' \ + <y.tab.c >ssl_expr_parse.c && rm -f y.tab.c + sed -e 's;yy;ssl_expr_yy;g' \ + <y.tab.h >ssl_expr_parse.h && rm -f y.tab.h + +noexp: + @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \ + SSL_CFLAGS="`echo $(SSL_CFLAGS) |\ + sed -e 's;-DSSL_EXPERIMENTAL;;'`" all + +exp: + @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \ + SSL_CFLAGS="`echo $(SSL_CFLAGS) |\ + sed -e 's;-DSSL_EXPERIMENTAL;;' \ + -e 's;^;-DSSL_EXPERIMENTAL ;'`" all + +depend: + cp Makefile.tmpl Makefile.tmpl.bak \ + && sed -ne '1,/^# DO NOT REMOVE/p' Makefile.tmpl > Makefile.new \ + && gcc -MM $(INCLUDES) $(CFLAGS) $(SSL_CFLAGS) *.c >> Makefile.new \ + && sed -e '1,$$s; $(INCDIR)/; $$(INCDIR)/;g' \ + -e '1,$$s; $(OSDIR)/; $$(OSDIR)/;g' \ + -e '1,$$s;^\([a-z0-9_]*\)\.o:;\1.o \1.lo:;g' Makefile.new \ + > Makefile.tmpl \ + && rm Makefile.new + +## +## DEPENDENCY AREA +## + +$(OBJS) $(OBJS_PIC): Makefile + +# DO NOT REMOVE +mod_ssl.o mod_ssl.lo: mod_ssl.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h 
$(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_compat.o ssl_engine_compat.lo: ssl_engine_compat.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_config.o ssl_engine_config.lo: ssl_engine_config.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_ds.o ssl_engine_ds.lo: ssl_engine_ds.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_ext.o ssl_engine_ext.lo: ssl_engine_ext.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h 
$(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_init.o ssl_engine_init.lo: ssl_engine_init.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_io.o ssl_engine_io.lo: ssl_engine_io.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_kernel.o ssl_engine_kernel.lo: ssl_engine_kernel.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + 
$(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_log.o ssl_engine_log.lo: ssl_engine_log.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_mutex.o ssl_engine_mutex.lo: ssl_engine_mutex.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_pphrase.o ssl_engine_pphrase.lo: ssl_engine_pphrase.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_rand.o ssl_engine_rand.lo: ssl_engine_rand.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + 
$(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_scache.o ssl_engine_scache.lo: ssl_engine_scache.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_engine_vars.o ssl_engine_vars.lo: ssl_engine_vars.c mod_ssl.h \ + $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \ + $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \ + $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_expr.o ssl_expr.lo: ssl_expr.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h 
$(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_expr_eval.o ssl_expr_eval.lo: ssl_expr_eval.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_expr_parse.o ssl_expr_parse.lo: ssl_expr_parse.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_expr_scan.o ssl_expr_scan.lo: ssl_expr_scan.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h ssl_expr_parse.h +ssl_util.o ssl_util.lo: ssl_util.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h 
\ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_util_sdbm.o ssl_util_sdbm.lo: ssl_util_sdbm.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h +ssl_util_ssl.o ssl_util_ssl.lo: ssl_util_ssl.c mod_ssl.h $(INCDIR)/ap_config.h \ + $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \ + $(OSDIR)/os.h $(OSDIR)/os-inline.c $(INCDIR)/ap_ctype.h \ + $(INCDIR)/httpd.h $(INCDIR)/alloc.h $(INCDIR)/ap_hook.h \ + $(INCDIR)/ap_ctx.h $(INCDIR)/buff.h $(INCDIR)/ap.h \ + $(INCDIR)/util_uri.h $(INCDIR)/http_config.h \ + $(INCDIR)/http_conf_globals.h $(INCDIR)/http_protocol.h \ + $(INCDIR)/http_main.h $(INCDIR)/http_core.h \ + $(INCDIR)/http_log.h $(INCDIR)/scoreboard.h \ + $(INCDIR)/fnmatch.h ssl_expr.h ssl_util_ssl.h diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c new file mode 100644 index 00000000000..4ba070ce386 --- /dev/null +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c 
@@ -0,0 +1,408 @@ +/* _ _ +** _ __ ___ ___ __| | ___ ___| | +** | '_ ` _ \ / _ \ / _` | / __/ __| | +** | | | | | | (_) | (_| | \__ \__ \ | mod_ssl - Apache Interface to SSLeay +** |_| |_| |_|\___/ \__,_|___|___/___/_| http://www.engelschall.com/sw/mod_ssl/ +** |_____| +** ssl_engine_scache.c +** Session Cache +*/ + +/* ==================================================================== + * Copyright (c) 1998-1999 Ralf S. Engelschall. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by + * Ralf S. Engelschall <rse@engelschall.com> for use in the + * mod_ssl project (http://www.engelschall.com/sw/mod_ssl/)." + * + * 4. The names "mod_ssl" must not be used to endorse or promote + * products derived from this software without prior written + * permission. For written permission, please contact + * rse@engelschall.com. + * + * 5. Products derived from this software may not be called "mod_ssl" + * nor may "mod_ssl" appear in their names without prior + * written permission of Ralf S. Engelschall. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by + * Ralf S. Engelschall <rse@engelschall.com> for use in the + * mod_ssl project (http://www.engelschall.com/sw/mod_ssl/)." + * + * THIS SOFTWARE IS PROVIDED BY RALF S. 
ENGELSCHALL ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR + * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + /* ``Open-Source Software: generous + programmers from around the world all + join forces to help you shoot + yourself in the foot for free.'' + -- Unknown */ +#include "mod_ssl.h" + + +/* _________________________________________________________________ +** +** Session Cache Support (Common) +** _________________________________________________________________ +*/ + +/* + * FIXME: There is no define in SSLeay, but SSLeay uses 1024*10, + * so 1024*20 should be ok. + */ +#define MAX_SESSION_DER 1024*20 + +void ssl_scache_init(server_rec *s, pool *p) +{ + SSLModConfigRec *mc = myModConfig(); + + if (mc->nSessionCacheMode == SSL_SCMODE_DBM) + ssl_scache_dbm_init(s, p); + ssl_scache_expire(s); + return; +} + +void ssl_scache_store(server_rec *s, SSL_SESSION *pSession, int timeout) +{ + SSLModConfigRec *mc = myModConfig(); + ssl_scinfo_t SCI; + UCHAR buf[MAX_SESSION_DER]; + UCHAR *b; + + /* add the key */ + SCI.ucaKey = pSession->session_id; + SCI.nKey = pSession->session_id_length; + + /* transform the session into a data stream */ + SCI.ucaData = b = buf; + SCI.nData = i2d_SSL_SESSION(pSession, &b); + SCI.tExpiresAt = timeout; + + /* and store it... 
*/ + if (mc->nSessionCacheMode == SSL_SCMODE_DBM) + ssl_scache_dbm_store(s, &SCI); + + return; +} + +SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen) +{ + SSLModConfigRec *mc = myModConfig(); + SSL_SESSION *pSession = NULL; + ssl_scinfo_t SCI; + time_t tNow; + + /* create cache query */ + SCI.ucaKey = id; + SCI.nKey = idlen; + SCI.ucaData = NULL; + SCI.nData = 0; + SCI.tExpiresAt = 0; + + /* perform cache query */ + if (mc->nSessionCacheMode == SSL_SCMODE_DBM) + ssl_scache_dbm_retrieve(s, &SCI); + + /* return immediately if not found */ + if (SCI.ucaData == NULL) + return NULL; + + /* check for expire time */ + tNow = time(NULL); + if (SCI.tExpiresAt <= tNow) { + if (mc->nSessionCacheMode == SSL_SCMODE_DBM) + ssl_scache_dbm_remove(s, &SCI); + return NULL; + } + + /* extract result and return it */ + pSession = d2i_SSL_SESSION(NULL, &SCI.ucaData, SCI.nData); + return pSession; +} + +void ssl_scache_remove(server_rec *s, SSL_SESSION *pSession) +{ + SSLModConfigRec *mc = myModConfig(); + ssl_scinfo_t SCI; + + /* create cache query */ + SCI.ucaKey = pSession->session_id; + SCI.nKey = pSession->session_id_length; + SCI.ucaData = NULL; + SCI.nData = 0; + SCI.tExpiresAt = 0; + + /* perform remove */ + if (mc->nSessionCacheMode == SSL_SCMODE_DBM) + ssl_scache_dbm_remove(s, &SCI); + + return; +} + +void ssl_scache_expire(server_rec *s) +{ + SSLModConfigRec *mc = myModConfig(); + + if (mc->nSessionCacheMode == SSL_SCMODE_DBM) + ssl_scache_dbm_expire(s); + return; +} + +char *ssl_scache_id2sz(UCHAR *id, int idlen) +{ + static char str[(SSL_MAX_SSL_SESSION_ID_LENGTH+1)*2]; + char *cp; + int n; + + cp = str; + for (n = 0; n < idlen && n < SSL_MAX_SSL_SESSION_ID_LENGTH; n++) { + ap_snprintf(cp, sizeof(str)-(cp-str), "%02X", id[n]); + cp += 2; + } + *cp = NUL; + return str; +} + + +/* _________________________________________________________________ +** +** Session Cache Support (DBM) +** _________________________________________________________________ +*/ + 
+void ssl_scache_dbm_init(server_rec *s, pool *p) +{ + SSLModConfigRec *mc = myModConfig(); + DBM *dbm; + + /* + * for the DBM we need the data file + */ + if (mc->szSessionCacheDataFile == NULL) { + ssl_log(s, SSL_LOG_ERROR, "SSLSessionCache required"); + ssl_die(); + } + + /* + * Open it once to create it and to make sure it + * _can_ be created. + */ + ssl_mutex_on(); + if ((dbm = ssl_dbm_open(mc->szSessionCacheDataFile, + O_RDWR|O_CREAT, SSL_DBM_FILE_MODE)) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot create SSLSessionCache DBM file `%s'", + mc->szSessionCacheDataFile); + ssl_mutex_off(); + return; + } + ssl_dbm_close(dbm); + +#ifndef WIN32 + /* + * we have to make sure the Apache child processes + * have access to the DBM file... + */ + if (geteuid() == 0 /* is superuser */) { + chown(mc->szSessionCacheDataFile, + ap_user_id, -1 /* no gid change */); + chown(ap_pstrcat(p, mc->szSessionCacheDataFile, + SSL_DBM_FILE_SUFFIX_DIR, NULL), + ap_user_id, -1 /* no gid change */); + chown(ap_pstrcat(p, mc->szSessionCacheDataFile, + SSL_DBM_FILE_SUFFIX_PAG, NULL), + ap_user_id, -1 /* no gid change */); + } +#endif + ssl_mutex_off(); + + return; +} + +void ssl_scache_dbm_store(server_rec *s, ssl_scinfo_t *SCI) +{ + SSLModConfigRec *mc = myModConfig(); + DBM *dbm; + datum dbmkey; + datum dbmval; + + /* create DBM key */ + dbmkey.dptr = SCI->ucaKey; + dbmkey.dsize = SCI->nKey; + + /* create DBM value */ + dbmval.dsize = sizeof(time_t)+SCI->nData; + dbmval.dptr = (UCHAR *)malloc(dbmval.dsize); + if (dbmval.dptr == NULL) + return; + memcpy(dbmval.dptr, &SCI->tExpiresAt, sizeof(time_t)); + memcpy((char *)dbmval.dptr+sizeof(time_t), SCI->ucaData, SCI->nData); + + /* and store it to the DBM file */ + ssl_mutex_on(); + if ((dbm = ssl_dbm_open(mc->szSessionCacheDataFile, + O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot open SSLSessionCache DBM file `%s' for writing (store)", + mc->szSessionCacheDataFile); + 
ssl_mutex_off(); + return; + } + ssl_dbm_store(dbm, dbmkey, dbmval, DBM_INSERT); + ssl_dbm_close(dbm); + ssl_mutex_off(); + + /* free temporary buffers */ + free(dbmval.dptr); + + return; +} + +void ssl_scache_dbm_retrieve(server_rec *s, ssl_scinfo_t *SCI) +{ + SSLModConfigRec *mc = myModConfig(); + DBM *dbm; + datum dbmkey; + datum dbmval; + + /* initialize result */ + SCI->ucaData = NULL; + SCI->nData = 0; + SCI->tExpiresAt = 0; + + /* create DBM key and values */ + dbmkey.dptr = SCI->ucaKey; + dbmkey.dsize = SCI->nKey; + + /* and fetch it from the DBM file */ + ssl_mutex_on(); + if ((dbm = ssl_dbm_open(mc->szSessionCacheDataFile, + O_RDONLY, SSL_DBM_FILE_MODE)) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot open SSLSessionCache DBM file `%s' for reading (fetch)", + mc->szSessionCacheDataFile); + ssl_mutex_off(); + return; + } + dbmval = ssl_dbm_fetch(dbm, dbmkey); + ssl_dbm_close(dbm); + ssl_mutex_off(); + + /* immediately return if not found */ + if (dbmval.dptr == NULL || dbmval.dsize < sizeof(time_t)) + return; + + /* copy over the information to the SCI */ + SCI->nData = dbmval.dsize-sizeof(time_t); + SCI->ucaData = (UCHAR *)malloc(SCI->nData); + if (SCI->ucaData == NULL) { + SCI->nData = 0; + return; + } + memcpy(SCI->ucaData, (char *)dbmval.dptr+sizeof(time_t), SCI->nData); + memcpy(&SCI->tExpiresAt, dbmval.dptr, sizeof(time_t)); + + return; +} + +void ssl_scache_dbm_remove(server_rec *s, ssl_scinfo_t *SCI) +{ + SSLModConfigRec *mc = myModConfig(); + DBM *dbm; + datum dbmkey; + + /* create DBM key and values */ + dbmkey.dptr = SCI->ucaKey; + dbmkey.dsize = SCI->nKey; + + /* and delete it from the DBM file */ + ssl_mutex_on(); + if ((dbm = ssl_dbm_open(mc->szSessionCacheDataFile, + O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot open SSLSessionCache DBM file `%s' for writing (delete)", + mc->szSessionCacheDataFile); + ssl_mutex_off(); + return; + } + ssl_dbm_delete(dbm, dbmkey); + 
ssl_dbm_close(dbm); + ssl_mutex_off(); + + return; +} + +void ssl_scache_dbm_expire(server_rec *s) +{ + SSLModConfigRec *mc = myModConfig(); + static int nExpireCalls = 0; + DBM *dbm; + datum dbmkey; + datum dbmval; + time_t tNow; + time_t tExpiresAt; + + /* + * It's to expensive to expire allways, + * so do it only from time to time... + */ + if (nExpireCalls++ < 100) + return; + else + nExpireCalls = 0; + + ssl_mutex_on(); + if ((dbm = ssl_dbm_open(mc->szSessionCacheDataFile, + O_RDWR, SSL_DBM_FILE_MODE)) == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, + "Cannot open SSLSessionCache DBM file `%s' for expiring", + mc->szSessionCacheDataFile); + ssl_mutex_off(); + return; + } + tNow = time(NULL); + dbmkey = ssl_dbm_firstkey(dbm); + for ( ; dbmkey.dptr != NULL; dbmkey = ssl_dbm_nextkey(dbm)) { + dbmval = ssl_dbm_fetch(dbm, dbmkey); + if (dbmval.dptr == NULL) + continue; + if (dbmval.dsize < sizeof(time_t)) { + ssl_dbm_delete(dbm, dbmkey); + continue; + } + memcpy(&tExpiresAt, dbmval.dptr, sizeof(time_t)); + if (tExpiresAt >= tNow) + ssl_dbm_delete(dbm, dbmkey); + } + ssl_dbm_close(dbm); + ssl_mutex_off(); + + return; +} + diff --git a/usr.sbin/httpd/src/modules/standard/mod_log_config.c b/usr.sbin/httpd/src/modules/standard/mod_log_config.c index ceab066c5fb..21ed1973f99 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_log_config.c +++ b/usr.sbin/httpd/src/modules/standard/mod_log_config.c @@ -249,6 +249,9 @@ typedef struct { typedef const char *(*item_key_func) (request_rec *, char *); typedef struct { +#ifdef EAPI + char ch; +#endif item_key_func func; char *arg; int condition_sense; 
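Review bot: The sweep in ssl_scache_dbm_expire deletes the wrong entries: `if (tExpiresAt >= tNow) ssl_dbm_delete(dbm, dbmkey);` removes sessions whose expiry still lies in the future and keeps the stale ones, the opposite of the `SCI.tExpiresAt <= tNow` test used in ssl_scache_retrieve; it should read `if (tExpiresAt <= tNow)`. In ssl_scache_retrieve the buffer that ssl_scache_dbm_retrieve malloc()s into SCI.ucaData is never freed, and because d2i_SSL_SESSION advances the pointer it is given the original address is lost on every cache hit; use a scratch `UCHAR *b`, `b = SCI.ucaData; pSession = d2i_SSL_SESSION(NULL, &b, SCI.nData); free(SCI.ucaData);`. ssl_scache_store encodes straight into the fixed `UCHAR buf[MAX_SESSION_DER]` with no size check, so a session whose DER form exceeds the 1024*20 bytes the FIXME guesses at would overrun a stack buffer; calling `i2d_SSL_SESSION(pSession, NULL)` first and returning when the result is larger than `sizeof(buf)` bounds it. Deleting keys while iterating with ssl_dbm_firstkey/ssl_dbm_nextkey may also skip or repeat entries depending on the DBM implementation, worth confirming against ssl_util_sdbm.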
@@ -491,15 +494,36 @@ static struct log_item_list { } }; +#ifdef EAPI +static struct log_item_list *find_log_func(pool *p, char k) +#else /* EAPI */ static struct log_item_list *find_log_func(char k) +#endif /* EAPI */ { int i; +#ifdef EAPI + struct log_item_list *lil; +#endif /* EAPI */ for (i = 0; log_item_keys[i].ch; ++i) if (k == log_item_keys[i].ch) { return &log_item_keys[i]; } +#ifdef EAPI + if (ap_hook_status(ap_psprintf(p, "ap::mod_log_config::log_%c", k)) + != AP_HOOK_STATE_NOTEXISTANT) { + lil = (struct log_item_list *) + ap_pcalloc(p, sizeof(struct log_item_list)); + if (lil == NULL) + return NULL; + lil->ch = k; + lil->func = NULL; + lil->want_orig_default = 0; + return lil; + } +#endif /* EAPI */ + return NULL; } @@ -594,7 +618,11 @@ static char *parse_log_item(pool *p, log_format_item *it, const char **sa) break; default: +#ifdef EAPI + l = find_log_func(p, *s++); +#else /* EAPI */ l = find_log_func(*s++); +#endif /* EAPI */ if (!l) { char dummy[2]; @@ -603,6 +631,9 @@ static char *parse_log_item(pool *p, log_format_item *it, const char **sa) return ap_pstrcat(p, "Unrecognized LogFormat directive %", dummy, NULL); } +#ifdef EAPI + it->ch = s[-1]; +#endif it->func = l->func; if (it->want_orig == -1) { it->want_orig = l->want_orig_default; @@ -664,6 +695,15 @@ static const char *process_item(request_rec *r, request_rec *orig, /* We do. Do it... */ +#ifdef EAPI + if (item->func == NULL) { + cp = NULL; + ap_hook_use(ap_psprintf(r->pool, "ap::mod_log_config::log_%c", item->ch), + AP_HOOK_SIG3(ptr,ptr,ptr), AP_HOOK_DECLINE(NULL), + &cp, r, item->arg); + } + else +#endif cp = (*item->func) (item->want_orig ? orig : r, item->arg); return cp ? cp : "-"; } diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c index 41db2358cb7..9898103006f 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c +++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c 
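Review bot: In the process_item hunk the new `else` is left unbraced across the `#endif`, so which statement it governs (`cp = (*item->func) (...)`) is decided by preprocessor state rather than by visible block structure, the classic dangling-statement trap if a line is ever added there; ending the EAPI block with its own `return cp ? cp : "-";` and dropping the `else` lets the common assignment follow unconditionally in both builds. In find_log_func the hook name is built with ap_psprintf once at configuration time, but process_item rebuilds the same `"ap::mod_log_config::log_%c"` string on every logged request; since `ch` is fixed once the LogFormat is parsed, the name could be formatted once in parse_log_item and stored next to `it->ch`. The bodies of find_log_func, parse_log_item and process_item all start and end outside these hunks.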
@@ -3750,6 +3750,15 @@ static char *lookup_variable(request_rec *r, char *var) } #endif /* ndef WIN32 */ +#ifdef EAPI + else { + ap_hook_use("ap::mod_rewrite::lookup_variable", + AP_HOOK_SIG3(ptr,ptr,ptr), + AP_HOOK_DECLINE(NULL), + &result, r, var); + } +#endif + if (result == NULL) { return ap_pstrdup(r->pool, ""); } diff --git a/usr.sbin/httpd/src/modules/standard/mod_so.c b/usr.sbin/httpd/src/modules/standard/mod_so.c index 80ac4bcb673..ecc81f8f181 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_so.c +++ b/usr.sbin/httpd/src/modules/standard/mod_so.c @@ -257,7 +257,12 @@ static const char *load_module(cmd_parms *cmd, void *dummy, * Make sure the found module structure is really a module structure * */ +#ifdef EAPI + if ( modp->magic != MODULE_MAGIC_COOKIE_AP13 + && modp->magic != MODULE_MAGIC_COOKIE_EAPI) { +#else if (modp->magic != MODULE_MAGIC_COOKIE) { +#endif return ap_pstrcat(cmd->pool, "API module structure `", modname, "' in file ", szModuleFile, " is garbled -" " perhaps this is not an Apache module DSO?", NULL); diff --git a/usr.sbin/httpd/src/support/Makefile.tmpl b/usr.sbin/httpd/src/support/Makefile.tmpl index 04d78cb5b79..216d9657ea4 100644 --- a/usr.sbin/httpd/src/support/Makefile.tmpl +++ b/usr.sbin/httpd/src/support/Makefile.tmpl @@ -41,6 +41,12 @@ apxs: apxs.pl suexec: suexec.o $(CC) $(CFLAGS) suexec.o -o suexec $(LDFLAGS) $(LIBS) +ca-fix: ca-fix.c + $(CC) $(INCLUDES) $(CFLAGS) $(SSL_CFLAGS) \ + $(LDFLAGS) $(SSL_LDFLAGS) \ + -o ca-fix ca-fix.c \ + $(LIBS) $(SSL_LIBS) + clean: rm -f $(TARGETS) *.o diff --git a/usr.sbin/httpd/src/support/apachectl b/usr.sbin/httpd/src/support/apachectl index 7ea46467259..a3ea6fdc695 100644 --- a/usr.sbin/httpd/src/support/apachectl +++ b/usr.sbin/httpd/src/support/apachectl 
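Review bot: The added `else` in lookup_variable binds to whichever `if` statement precedes the `#endif /* ndef WIN32 */`, so under a WIN32 build with EAPI defined the fallback attaches to a different branch of the chain, or to nothing if the preceding statement is not an `if` at all; this needs confirming against the full chain, which starts outside the hunk. A guard that does not depend on the preceding structure, e.g. `if (result == NULL) { ap_hook_use(...); }` placed ahead of the existing NULL check, makes the intent explicit, provided a matched variable that legitimately yields NULL should also be offered to hook modules. lookup_variable's body starts outside the hunk.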
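Review bot: Accepting `MODULE_MAGIC_COOKIE_AP13` alongside `MODULE_MAGIC_COOKIE_EAPI` in load_module means a DSO built without EAPI passes the sanity check even though its `module` structure lacks the trailing EAPI members (the apxs.pl template in this commit appends add_module, remove_module, rewrite_command and new_connection after post read-request), so any core code that dereferences those members without first checking `modp->magic` would read past the end of the loaded structure. If the EAPI dispatch already keys on the cookie this is fine, but a comment stating that invariant here, e.g. `/* AP13 modules lack the EAPI hook members; core must check magic before using them */`, makes the dependency visible. load_module's body starts and ends outside the hunk.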
@@ -75,6 +75,18 @@ do ERROR=3 fi ;; + startssl|sslstart|start-SSL) + if [ $RUNNING -eq 1 ]; then + echo "$0 $ARG: httpd (pid $PID) already running" + continue + fi + if $HTTPD -DSSL; then + echo "$0 $ARG: httpd started" + else + echo "$0 $ARG: httpd could not be started" + ERROR=3 + fi + ;; stop) if [ $RUNNING -eq 0 ]; then echo "$0 $ARG: $STATUS" @@ -153,6 +165,7 @@ do cat <<EOF start - start httpd +startssl - start httpd with SSL enabled stop - stop httpd restart - restart httpd if running by sending a SIGHUP or start if not running diff --git a/usr.sbin/httpd/src/support/apxs.pl b/usr.sbin/httpd/src/support/apxs.pl index 8c0f802f2c1..f08450cdab4 100644 --- a/usr.sbin/httpd/src/support/apxs.pl +++ b/usr.sbin/httpd/src/support/apxs.pl @@ -618,5 +618,11 @@ module MODULE_VAR_EXPORT %NAME%_module = { NULL, /* child_init */ NULL, /* child_exit */ NULL /* [#0] post read-request */ +#ifdef EAPI + ,NULL, /* EAPI: add_module */ + NULL, /* EAPI: remove_module */ + NULL, /* EAPI: rewrite_command */ + NULL /* EAPI: new_connection */ +#endif }; diff --git a/usr.sbin/httpd/src/support/ca-fix.c b/usr.sbin/httpd/src/support/ca-fix.c new file mode 100644 index 00000000000..dab40933a15 --- /dev/null +++ b/usr.sbin/httpd/src/support/ca-fix.c 
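Review bot: The new `startssl|sslstart|start-SSL)` case repeats the `start)` case verbatim apart from the `-DSSL` argument, so the running-check and error reporting now exist twice and will drift as soon as one copy is edited. Merging the patterns into `start|startssl|sslstart|start-SSL)`, deriving the option from `$ARG` (`SSLOPT=; [ "$ARG" != start ] && SSLOPT=-DSSL`) and launching once with `if $HTTPD $SSLOPT; then` keeps a single copy. The usage-text addition in the second hunk is fine as is.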
@@ -0,0 +1,609 @@ +/* +** ca-fix, X.509 Certificate Patch Utility / Version 0.41 +** +** Copyright (c) 1997-1998 +** Dr Stephen N. Henson <shenson@drh-consultancy.demon.co.uk> +** http://www.drh-consultancy.demon.co.uk/ +** +** Commercial and non-commercial use is permitted. +** +** Any software using this code must include the following message in its +** startup code or documentation and in any advertising material: +** "This Product includes cryptographic software written by Dr S N Henson +** (shenson@bigfoot.com)" +** +** This software is allowed to be used in the mod_ssl package +** without the above advertisment clause with permission by Dr S N Henson as +** long as it's used under build-time only and never gets installed as part +** of neither the Apache nor the mod_ssl package. +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <ctype.h> +#include <bio.h> +#include <objects.h> +#include <asn1.h> +#include <asn1_mac.h> +#include <x509.h> +#include <err.h> +#include <crypto.h> +#include <stack.h> +#include <evp.h> +#include <pem.h> + +#if SSLEAY_VERSION_NUMBER < 0x0900 +#define OBJ_create(a,b,c) OBJ_create_and_add_object(a,b,c) +#endif + +typedef struct { + int ca; + ASN1_INTEGER *pathlen; +} BASIC_CONSTRAINTS; + +int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *, unsigned char **); +ASN1_OBJECT *__OBJ_txt2obj(char *); + +int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp) +{ + M_ASN1_I2D_vars(a); + if (a->ca) + M_ASN1_I2D_len(a->ca, i2d_ASN1_BOOLEAN); + M_ASN1_I2D_len(a->pathlen, i2d_ASN1_INTEGER); + + M_ASN1_I2D_seq_total(); + if (a->ca) + M_ASN1_I2D_put(a->ca, i2d_ASN1_BOOLEAN); + M_ASN1_I2D_put(a->pathlen, i2d_ASN1_INTEGER); + M_ASN1_I2D_finish(); +} + +typedef struct { + char *name; + char *value; + char flag; +#define CERT_CRIT 0x1 +#define CERT_RAW 0x2 +#define CERT_RAW_FILE 0x4 +} EXT_ADD; + +STACK *exts; +STACK *extusage; + +void add_ext(char *, char *, char); + +unsigned char extbuf[10240]; + +int main(int argc, char **argv) +{ + 
char *infile = NULL, *outfile = NULL, *keyname = NULL; + BIO *in = NULL, *out = NULL, *inkey = NULL, *bio_err = NULL; + char **args; + int i; + int badarg = 0; + int bconsadd = 0, bconsdel = 0; + int nset = 0, nsclr = 0; + unsigned char ntype = 0, noout = 0, exthex = 0, extparse = 0; + unsigned char bscrit = 0, nscrit = 0, keycrit = 0, print = 0, sign = 1; + unsigned char setkey = 0; + X509 *cert; + EVP_PKEY *pkey = NULL; + BASIC_CONSTRAINTS bcons = {0, NULL}; + EVP_MD *dgst; + + if (bio_err == NULL) + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); + + ERR_load_crypto_strings(); + args = argv + 1; + + while (*args) { + if (*args[0] == '-') { + if (!strcmp(*args, "-caset")) { + bconsadd = 1; + bcons.ca = 0xff; + } + else if (!strcmp(*args, "-caunset")) { + if (bcons.ca) + badarg = 1; + else + bconsadd = 1; + } + else if (!strcmp(*args, "-caclr")) + bconsdel = 1; + else if (!strcmp(*args, "-setkey")) + setkey = 1; + else if (!strcmp(*args, "-print")) + print = 1; + else if (!strcmp(*args, "-noout")) + noout = 1; + else if (!strcmp(*args, "-nosign")) + sign = 0; + else if (!strcmp(*args, "-exthex")) + exthex = 1; + else if (!strcmp(*args, "-extparse")) + extparse = 1; + else if (!strcmp(*args, "-nsclr")) + nsclr = 1; + else if (!strcmp(*args, "-nobscrit")) + bscrit = 0; + else if (!strcmp(*args, "-bscrit")) + bscrit = 1; + else if (!strcmp(*args, "-nscrit")) + nscrit = 1; + else if (!strcmp(*args, "-extcrit")) + keycrit = 1; + else if (!strcmp(*args, "-pathlen")) { + if (args[1]) { + args++; + bconsadd = 1; + bcons.ca = 0xff; + bcons.pathlen = ASN1_INTEGER_new(); + ASN1_INTEGER_set(bcons.pathlen, + strtol(*args, NULL, 0)); + } + else + badarg = 1; + } + else if (!strcmp(*args, "-nscertype")) { + if (args[1]) { + args++; + nset = 1; + ntype = (unsigned char) strtol(*args, NULL, 0); + } + else + badarg = 1; + } + else if (!strcmp(*args, "-rawfile")) { + if (args[1] && args[2]) { + add_ext(args[1], args[2], CERT_RAW_FILE); + args += 2; + } + else + badarg = 1; + } + else if 
(!strcmp(*args, "-Crawfile")) { + if (args[1] && args[2]) { + add_ext(args[1], args[2], CERT_RAW_FILE | CERT_CRIT); + args += 2; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-rawext")) { + if (args[1] && args[2]) { + add_ext(args[1], args[2], CERT_RAW); + args += 2; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-Crawext")) { + if (args[1] && args[2]) { + add_ext(args[1], args[2], CERT_RAW | CERT_CRIT); + args += 2; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-ext")) { + if (args[1] && args[2]) { + add_ext(args[1], args[2], 0); + args += 2; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-Cext")) { + if (args[1] && args[2]) { + add_ext(args[1], args[2], CERT_CRIT); + args += 2; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-extusage")) { + if (args[1]) { + ASN1_OBJECT *obj; + if (!extusage) + extusage = sk_new(NULL); + obj = __OBJ_txt2obj(args[1]); + if (!obj) { + BIO_printf(bio_err, "Error parsing extended usage object\n"); + ERR_print_errors(bio_err); + exit(1); + } + else + sk_push(extusage, (char *) obj); + args++; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-delext")) { + if (args[1]) { + add_ext(args[1], NULL, 0); + args++; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-inkey")) { + if (args[1]) { + args++; + keyname = *args; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-in")) { + if (args[1]) { + args++; + infile = *args; + } + else + badarg = 1; + } + else if (!strcmp(*args, "-out")) { + if (args[1]) { + args++; + outfile = *args; + } + else + badarg = 1; + } + else + badarg = 1; + } + else + badarg = 1; + args++; + } + + if (badarg || (bconsadd && bconsdel)) { + BIO_printf(bio_err, "ca-fix version 0.41, certificate patcher\n"); + BIO_printf(bio_err, "Written by Dr. 
S N Henson (shenson@bigfoot.com)\n"); + BIO_printf(bio_err, "ca-fix [args]\n"); + BIO_printf(bio_err, "-in cert.pem input certificate.\n"); + BIO_printf(bio_err, "-out cert.pem output certificate.\n"); + BIO_printf(bio_err, "-noout don't output certificate\n"); + BIO_printf(bio_err, "-nosign don't sign certificate\n"); + BIO_printf(bio_err, "-print print certificate\n"); + BIO_printf(bio_err, "-extparse ASN1 parse extensions\n"); + BIO_printf(bio_err, "-exthex hex dump extensions\n"); + BIO_printf(bio_err, "-caset set cA flag, add basic constraints\n"); + BIO_printf(bio_err, "-caunset don't set cA flag, add basic constraints\n"); + BIO_printf(bio_err, "-caclr delete basic constraints\n"); + BIO_printf(bio_err, "-pathlen n set path length to \'n\'\n"); + BIO_printf(bio_err, "-bscrit make basic constraints critical\n"); + BIO_printf(bio_err, "-nscrit make nscertype critical (not recommended)\n"); + BIO_printf(bio_err, "-nscertype num set nscertype to num\n"); + BIO_printf(bio_err, "-nsclr delete nscertype\n"); + BIO_printf(bio_err, "-inkey pkey.pem private key of signer\n"); + BIO_printf(bio_err, "Expert options:\n"); + BIO_printf(bio_err, "-setkey changed certificate public key to match signer\n"); + BIO_printf(bio_err, "-delext ext delete extension (can use OID)\n"); + BIO_printf(bio_err, "-ext genopt val add several extensions\n"); + BIO_printf(bio_err, "-Cext genopt val add several critical extensions\n"); + BIO_printf(bio_err, "genopt can be: keyUsage, nsCertType, nsBaseUrl, nsRevocationUrl,\n"); + BIO_printf(bio_err, " nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,\n"); + BIO_printf(bio_err, " nsSslServerName, nsComment\n"); + BIO_printf(bio_err, "-rawext opt HEX add raw extension (can use OID)\n"); + BIO_printf(bio_err, "-Crawext opt HEX add critical raw extension (can use OID)\n"); + BIO_printf(bio_err, "-Crawfile opt fn add raw extension from file (can use OID)\n"); + BIO_printf(bio_err, "-rawfile opt fn add critical raw extension from file (can use 
OID)\n"); + BIO_printf(bio_err, "-extusage OID add extended key usage extension\n"); + BIO_printf(bio_err, "-extcrit make extended key usage extension critical\n"); + exit(1); + } + + SSLeay_add_all_algorithms(); + X509v3_add_netscape_extensions(); + X509v3_add_standard_extensions(); + + in = BIO_new(BIO_s_file()); + out = BIO_new(BIO_s_file()); + + if (!infile) + BIO_set_fp(in, stdin, BIO_NOCLOSE); + else { + if (!keyname) + keyname = infile; + if (BIO_read_filename(in, infile) <= 0) { + perror(infile); + exit(1); + } + } + + if (keyname) { + inkey = BIO_new(BIO_s_file()); + if (BIO_read_filename(inkey, keyname) <= 0) { + perror(keyname); + exit(1); + } + } + + if (!outfile) + BIO_set_fp(out, stdout, BIO_NOCLOSE); + else { + if (BIO_write_filename(out, outfile) <= 0) { + perror(outfile); + exit(1); + } + } + + cert = PEM_read_bio_X509(in, NULL, NULL); + if (!cert) { + ERR_print_errors(bio_err); + exit(1); + } + + if (sign || setkey) { + pkey = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL); + if (!pkey) { + BIO_printf(bio_err, "Error loading private key\n"); + ERR_print_errors(bio_err); + exit(1); + } + } + + /* OK we've got the certificate: now fix it up */ + + /* Make it a V3 certificate */ + X509_set_version(cert, 2); + + if (setkey) + X509_set_pubkey(cert, pkey); + + if (bconsadd || bconsdel) { + int index; + index = X509_get_ext_by_NID(cert, NID_basic_constraints, -1); + if (index >= 0) + X509_delete_ext(cert, index); + } + if (nset || nsclr) { + int index; + index = X509_get_ext_by_NID(cert, NID_netscape_cert_type, -1); + if (index >= 0) + X509_delete_ext(cert, index); + } + + if (bconsadd) { + ASN1_OCTET_STRING *bcons_ext; + X509_EXTENSION *x; + unsigned char *bcons_der, *p; + int bcons_len; + + /* generate encoding of extension */ + bcons_len = i2d_BASIC_CONSTRAINTS(&bcons, NULL); + bcons_der = malloc(bcons_len); + p = bcons_der; + i2d_BASIC_CONSTRAINTS(&bcons, &p); + + bcons_ext = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(bcons_ext, 
bcons_der, bcons_len); + free(bcons_der); + x = X509_EXTENSION_create_by_NID(NULL, NID_basic_constraints, bscrit, + bcons_ext); + ASN1_OCTET_STRING_free(bcons_ext); + if (!x) { + BIO_printf(bio_err, "Error creating extension\n"); + ERR_print_errors(bio_err); + exit(1); + } + X509_add_ext(cert, x, -1); + X509_EXTENSION_free(x); + } + + if (nset) { + X509_EXTENSION *x; + ASN1_OCTET_STRING *str; + int data_type; + str = NULL; + data_type = X509v3_data_type_by_NID(NID_netscape_cert_type); + X509v3_pack_string(&str, data_type, &ntype, 1); + x = X509_EXTENSION_create_by_NID(NULL, NID_netscape_cert_type, + nscrit, str); + X509_add_ext(cert, x, -1); + X509_EXTENSION_free(x); + /*ASN1_OCTET_STRING_free(str); */ + } + /* Handle the generic extensions */ + if (exts) { + while (sk_num(exts)) { + EXT_ADD *tmpext; + int ext_nid, index; + char *ext_str; + unsigned char ext_bit; + ASN1_OCTET_STRING *str; + X509_EXTENSION *x; + ASN1_OBJECT *extobj; + tmpext = (EXT_ADD *) sk_pop(exts); + extobj = __OBJ_txt2obj(tmpext->name); + if (!extobj) { + fprintf(stderr, "Invalid object %s\n", tmpext->name); + ERR_print_errors(bio_err); + exit(1); + } + /* Delete extension if already present */ + index = X509_get_ext_by_OBJ(cert, extobj, -1); + if (index >= 0) + X509_delete_ext(cert, index); + if (!tmpext->value) + continue; + ext_nid = OBJ_obj2nid(extobj); + if (tmpext->flag & CERT_RAW) { + /* Covert hex extension into an OCTET STRING */ + unsigned char *rawext, *p, *q, tmphex[3]; + long rawlen; + rawlen = strlen(tmpext->value); + if (rawlen & 1) { + fprintf(stderr, "Invalid raw extension length\n"); + exit(1); + } + for (p = (unsigned char *)tmpext->value; *p; p++) + if (!isxdigit(*p)) { + fprintf(stderr, "Extension %s invalid hex digit %c\n", + tmpext->value, *p); + exit(1); + } + rawlen >>= 1; + rawext = Malloc(rawlen); + tmphex[2] = 0; + for (p = (unsigned char *)tmpext->value, q = rawext; *p; p += 2, q++) { + tmphex[0] = p[0]; + tmphex[1] = p[1]; + *q = (unsigned char)strtol((const char 
*)tmphex, NULL, 16); + } + str = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(str, rawext, rawlen); + Free(rawext); + } + else if (tmpext->flag & CERT_RAW_FILE) { + BIO *tmpin; + int extlen; + if (!(tmpin = BIO_new_file(tmpext->value, "rb"))) { + BIO_printf(bio_err, "Error opening file %s\n", tmpext->value); + ERR_print_errors(bio_err); + } + extlen = BIO_read(tmpin, (char *)extbuf, sizeof(extbuf)); + str = ASN1_STRING_new(); + ASN1_OCTET_STRING_set(str, extbuf, extlen); + } + else { + /* Get extension type */ + switch (ext_nid) { + + case NID_key_usage: + case NID_netscape_cert_type: + + ext_bit = (unsigned char) strtol(tmpext->value, NULL, 0); + ext_str = NULL; + + break; + + case NID_netscape_base_url: + case NID_netscape_revocation_url: + case NID_netscape_ca_revocation_url: + case NID_netscape_renewal_url: + case NID_netscape_ca_policy_url: + case NID_netscape_ssl_server_name: + case NID_netscape_comment: + + ext_str = tmpext->value; + + break; + + default: + + fprintf(stderr, "Unsuported extension %s\n", tmpext->name); + exit(1); + break; + } + + if (ext_str) + str = X509v3_pack_string(NULL, V_ASN1_IA5STRING, + (unsigned char *)tmpext->value, + strlen(tmpext->value)); + else + str = X509v3_pack_string(NULL, V_ASN1_BIT_STRING, + &ext_bit, 1); + } + x = X509_EXTENSION_create_by_NID(NULL, ext_nid, + tmpext->flag & CERT_CRIT, str); + X509_add_ext(cert, x, -1); + X509_EXTENSION_free(x); + } + } + + /* Handle extended key usage */ + if (extusage) { + int extlen; + unsigned char *extder, *p; + ASN1_OCTET_STRING *extkey; + X509_EXTENSION *x; + ASN1_OBJECT *extobj; + + + extobj = __OBJ_txt2obj("2.5.29.37"); + /* generate encoding of extension */ + extlen = i2d_ASN1_SET(extusage, NULL, i2d_ASN1_OBJECT, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); + extder = malloc(extlen); + p = extder; + i2d_ASN1_SET(extusage, &p, i2d_ASN1_OBJECT, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); + extkey = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(extkey, extder, extlen); + free(extder); + x = 
X509_EXTENSION_create_by_OBJ(NULL, extobj, keycrit, + extkey); + if (!x) { + BIO_printf(bio_err, "Error creating extension\n"); + ERR_print_errors(bio_err); + exit(1); + } + X509_add_ext(cert, x, -1); + X509_EXTENSION_free(x); + sk_pop_free(extusage, ASN1_OBJECT_free); + ASN1_OBJECT_free(extobj); + } + + + /* OK we've modified the certificate so it will have to be re-signed */ + dgst = EVP_get_digestbyobj(cert->sig_alg->algorithm); + if (sign) + X509_sign(cert, pkey, dgst); + if (print) + X509_print(out, cert); + if (extparse || exthex) { + BIO_printf(out, "X509 V3 Extensions.\n"); + for (i = 0; i < X509_get_ext_count(cert); i++) { + X509_EXTENSION *tmpext; + ASN1_OCTET_STRING *octval; + tmpext = X509_get_ext(cert, i); + octval = X509_EXTENSION_get_data(tmpext); + i2a_ASN1_OBJECT(out, X509_EXTENSION_get_object(tmpext)); + BIO_printf(out, ":\n"); + if (exthex) { + int j; + for (j = 0; j < octval->length; j++) + BIO_printf(out, "%02X", octval->data[j]); + BIO_printf(out, "\n"); + } + if (extparse) + ASN1_parse(out, octval->data, octval->length, 0); + } + } + if (!noout) + PEM_write_bio_X509(out, cert); + + return (0); + +} + +void add_ext(char *name, char *val, char flag) +{ + EXT_ADD *tmpext; + if (!exts) + exts = sk_new(NULL); + tmpext = (EXT_ADD *) Malloc(sizeof(EXT_ADD)); + tmpext->name = name; + tmpext->value = val; + tmpext->flag = flag; + sk_push(exts, (char *) tmpext); +} + +ASN1_OBJECT *__OBJ_txt2obj(char *name) +{ + int obj_nid; + ASN1_OBJECT *obj; + obj_nid = OBJ_sn2nid(name); + if (obj_nid != NID_undef) + return OBJ_nid2obj(obj_nid); + obj_nid = OBJ_create(name, name, name); + if (obj_nid <= 0) + return NULL; + obj = OBJ_nid2obj(obj_nid); + obj->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_DATA; + return obj; +} + diff --git a/usr.sbin/httpd/src/support/httpd.exp b/usr.sbin/httpd/src/support/httpd.exp index e11e3b2849a..63faaa3fbea 100644 --- a/usr.sbin/httpd/src/support/httpd.exp +++ b/usr.sbin/httpd/src/support/httpd.exp 
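Review bot: In the CERT_RAW_FILE branch of main a failed `BIO_new_file(tmpext->value, "rb")` only prints the error and falls through, so the following `BIO_read(tmpin, ...)` dereferences a NULL BIO; add `exit(1);` after `ERR_print_errors(bio_err);` there, guard `extlen` against the negative count BIO_read can return before handing it to ASN1_OCTET_STRING_set, and `BIO_free(tmpin);` afterwards. The usage text has `-rawfile` and `-Crawfile` swapped: the option parser maps `-rawfile` to CERT_RAW_FILE and `-Crawfile` to CERT_RAW_FILE | CERT_CRIT, but the help lines describe `-Crawfile` as the plain variant and `-rawfile` as the critical one. `__OBJ_txt2obj` carries a double-underscore name, which C reserves for the implementation; a plain `cafix_txt2obj` avoids the clash. At the end of main the results of `X509_sign` and `PEM_write_bio_X509` are not checked, so a signing or write failure still exits 0 and may leave an unsigned or truncated certificate in the output.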
@@ -355,3 +355,16 @@ ap_vformatter ap_vsnprintf core_module top_module +ap_add_config_define +ap_global_ctx +ap_ctx_new +ap_ctx_get +ap_ctx_set +ap_hook_init +ap_hook_kill +ap_hook_configure +ap_hook_register_I +ap_hook_unregister_I +ap_hook_status +ap_hook_use +ap_hook_call diff --git a/usr.sbin/httpd/src/support/suexec.c b/usr.sbin/httpd/src/support/suexec.c index a260fc5e342..45fdf0d021b 100644 --- a/usr.sbin/httpd/src/support/suexec.c +++ b/usr.sbin/httpd/src/support/suexec.c @@ -214,7 +214,13 @@ static void clean_env(void) cidx++; for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) { +#ifdef MOD_SSL + if (!strncmp(*ep, "HTTP_", 5) || + !strncmp(*ep, "HTTPS", 5) || + !strncmp(*ep, "SSL_", 4)) { +#else if (!strncmp(*ep, "HTTP_", 5)) { +#endif cleanenv[cidx] = *ep; cidx++; } |
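Review bot: The widened allow-list in clean_env uses prefix matches, and `!strncmp(*ep, "HTTPS", 5)` admits every variable whose name begins with `HTTPS`, not just the `HTTPS=` flag mod_ssl sets; matching the exact name, `!strncmp(*ep, "HTTPS=", 6)`, keeps the filter as narrow as the original `HTTP_` rule. clean_env is suexec's only barrier between the server environment and the CGI it launches under another uid, so each prefix added here widens that boundary and deserves a comment naming the source, e.g. `/* mod_ssl exports connection details to CGIs as HTTPS and SSL_* */`. The branch is guarded by `MOD_SSL` while the rest of this commit keys on `EAPI`; worth confirming the suexec build actually defines MOD_SSL, otherwise the addition is dead code. clean_env's body starts outside the hunk.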