const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err;
int arglen = strlen(arg);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
if (strcEQ(arg, "builtin")) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
sc->server->pphrase_dialog_path = NULL;
}
else if ((arglen > 5) && strEQn(arg, "exec:", 5)) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_FILTER;
sc->server->pphrase_dialog_path =
ap_server_root_relative(cmd->pool, arg+5);
if (!sc->server->pphrase_dialog_path) {
return apr_pstrcat(cmd->pool,
"Invalid SSLPassPhraseDialog exec: path ",
arg+5, NULL);
}
if (!ssl_util_path_check(SSL_PCM_EXISTS,
sc->server->pphrase_dialog_path,
cmd->pool))
{
char *warn = apr_pstrcat(cmd->pool,
"SSLPassPhraseDialog: file '",
sc->server->pphrase_dialog_path,
"' does not exist", NULL);
apn_warning(warn);
/*return apr_pstrcat(cmd->pool,
"SSLPassPhraseDialog: file '",
sc->server->pphrase_dialog_path,
"' does not exist", NULL);
*/
}
}
else if ((arglen > 1) && (arg[0] == '|')) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_PIPE;
sc->server->pphrase_dialog_path = arg + 1;
char *comment = apr_pstrcat(cmd->pool, "The argument is not supported in Nginx:", arg, NULL);
apn_set_unsupport(cmd, comment);
}
else {
return "SSLPassPhraseDialog: Invalid argument";
}
return NULL;
}
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
{
int type, numlen;
const char *onf = NULL;
apr_array_header_t *entries;
if (strcEQn(var, "Email_", 6)) {
type = GEN_EMAIL;
var += 6;
}
else if (strcEQn(var, "DNS_", 4)) {
type = GEN_DNS;
var += 4;
}
else if (strcEQn(var, "OTHER_", 6)) {
type = GEN_OTHERNAME;
var += 6;
if (strEQn(var, "msUPN_", 6)) {
var += 6;
onf = "msUPN";
}
else if (strEQn(var, "dnsSRV_", 7)) {
var += 7;
onf = "id-on-dnsSRV";
}
else
return NULL;
}
else
return NULL;
/* sanity check: number must be between 1 and 4 digits */
numlen = strspn(var, "0123456789");
if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
return NULL;
if (modssl_X509_getSAN(p, xs, type, onf, atoi(var), &entries))
/* return the first entry from this 1-element array */
return APR_ARRAY_IDX(entries, 0, char *);
else
return NULL;
const char *nss_cmd_NSSPassPhraseDialog(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLModConfigRec *mc = myModConfig(cmd->server);
int arglen = strlen(arg);
if (strcEQ(arg, "builtin")) {
mc->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
mc->pphrase_dialog_path = NULL;
}
else if (((arglen > 5) && strEQn(arg, "file:", 5)) ||
((arglen > 6) && strEQn(arg, "defer:", 6))) {
apr_finfo_t finfo;
apr_status_t rc;
if (strEQn(arg, "file:", 5)) {
mc->pphrase_dialog_type = SSL_PPTYPE_FILE;
mc->pphrase_dialog_path = ap_server_root_relative(cmd->pool, arg+5);
} else {
mc->pphrase_dialog_type = SSL_PPTYPE_DEFER;
mc->pphrase_dialog_path = ap_server_root_relative(cmd->pool, arg+6);
}
if (!mc->pphrase_dialog_path)
return apr_pstrcat(cmd->pool,
"Invalid NSSPassPhraseDialog file: path ",
arg+5, NULL);
rc = apr_stat(&finfo, mc->pphrase_dialog_path,
APR_FINFO_TYPE|APR_FINFO_SIZE, cmd->pool);
if ((rc != APR_SUCCESS) || (finfo.filetype != APR_REG)) {
return apr_pstrcat(cmd->pool,
"NSSPassPhraseDialog: file '",
mc->pphrase_dialog_path,
"' does not exist", NULL);
}
}
return NULL;
}
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname,
const char *var)
{
const char *ptr;
char *result;
X509_NAME_ENTRY *xsne;
int i, j, n, idx = 0, raw = 0;
apr_size_t varlen;
ptr = ap_strrchr_c(var, '_');
if (ptr && ptr > var && strcmp(ptr + 1, "RAW") == 0) {
var = apr_pstrmemdup(p, var, ptr - var);
raw = 1;
}
/* if an _N suffix is used, find the Nth attribute of given name */
ptr = ap_strchr_c(var, '_');
if (ptr != NULL && strspn(ptr + 1, "0123456789") == strlen(ptr + 1)) {
idx = atoi(ptr + 1);
varlen = ptr - var;
} else {
varlen = strlen(var);
}
result = NULL;
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
xsne = X509_NAME_get_entry(xsname, j);
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
result = modssl_X509_NAME_ENTRY_to_string(p, xsne, raw);
break;
}
}
break;
}
}
return result;
}
const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
void *dcfg,
const char *arg1,
const char *arg2,
const char *arg3)
{
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ssl_randseed_t *seed;
int arg2len = strlen(arg2);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
if (ssl_config_global_isfixed(mc)) {
return NULL;
}
seed = apr_array_push(mc->aRandSeed);
if (strcEQ(arg1, "startup")) {
seed->nCtx = SSL_RSCTX_STARTUP;
}
else if (strcEQ(arg1, "connect")) {
seed->nCtx = SSL_RSCTX_CONNECT;
}
else {
return apr_pstrcat(cmd->pool, "SSLRandomSeed: "
"invalid context: `", arg1, "'",
NULL);
}
if ((arg2len > 5) && strEQn(arg2, "file:", 5)) {
seed->nSrc = SSL_RSSRC_FILE;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 5) && strEQn(arg2, "exec:", 5)) {
seed->nSrc = SSL_RSSRC_EXEC;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
#ifdef HAVE_SSL_RAND_EGD
seed->nSrc = SSL_RSSRC_EGD;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
#else
return "egd not supported with this SSL toolkit";
#endif
}
else if (strcEQ(arg2, "builtin")) {
seed->nSrc = SSL_RSSRC_BUILTIN;
seed->cpPath = NULL;
}
else {
seed->nSrc = SSL_RSSRC_FILE;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2);
}
if (seed->nSrc != SSL_RSSRC_BUILTIN) {
if (!seed->cpPath) {
return apr_pstrcat(cmd->pool,
"Invalid SSLRandomSeed path ",
arg2, NULL);
}
if (!ssl_util_path_check(SSL_PCM_EXISTS, seed->cpPath, cmd->pool)) {
return apr_pstrcat(cmd->pool,
"SSLRandomSeed: source path '",
seed->cpPath, "' does not exist", NULL);
}
}
if (!arg3) {
seed->nBytes = 0; /* read whole file */
}
else {
if (seed->nSrc == SSL_RSSRC_BUILTIN) {
return "SSLRandomSeed: byte specification not "
"allowed for builtin seed source";
}
seed->nBytes = atoi(arg3);
if (seed->nBytes < 0) {
return "SSLRandomSeed: invalid number of bytes specified";
}
}
return NULL;
}
const char *nss_cmd_NSSRandomSeed(cmd_parms *cmd,
void *dcfg,
const char *arg1,
const char *arg2,
const char *arg3)
{
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ssl_randseed_t *seed;
int arg2len = strlen(arg2);
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
/* Only run through this once. Otherwise the random seed sources are
* pushed into the array for each server start (and we are guaranteed 2) */
if (mc->nInitCount >= 1) {
return NULL;
}
seed = apr_array_push(mc->aRandSeed);
if (strcEQ(arg1, "startup")) {
seed->nCtx = SSL_RSCTX_STARTUP;
}
else if (strcEQ(arg1, "connect")) {
return apr_pstrcat(cmd->pool, "NSSRandomSeed: "
"mod_nss doesn't do per-connection random seeding",
NULL);
}
else {
return apr_pstrcat(cmd->pool, "NSSRandomSeed: "
"invalid context: `", arg1, "'",
NULL);
}
if ((arg2len > 5) && strEQn(arg2, "file:", 5)) {
seed->nSrc = SSL_RSSRC_FILE;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 5) && strEQn(arg2, "exec:", 5)) {
seed->nSrc = SSL_RSSRC_EXEC;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 6) && strEQn(arg2, "defer:", 6)) {
seed->nSrc = SSL_RSSRC_FILE;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if (strcEQ(arg2, "builtin")) {
seed->nSrc = SSL_RSSRC_BUILTIN;
seed->cpPath = NULL;
}
else {
seed->nSrc = SSL_RSSRC_FILE;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2);
}
if (seed->nSrc != SSL_RSSRC_BUILTIN) {
apr_finfo_t finfo;
if (!seed->cpPath) {
return apr_pstrcat(cmd->pool,
"Invalid NSSRandomSeed path ",
arg2, NULL);
}
if (apr_stat(&finfo, seed->cpPath, APR_FINFO_TYPE|APR_FINFO_SIZE, cmd->pool) != 0) {
return apr_pstrcat(cmd->pool,
"NSSRandomSeed: source path '",
seed->cpPath, "' does not exist", NULL);
}
}
if (!arg3) {
seed->nBytes = 0; /* read whole file */
}
else {
if (seed->nSrc == SSL_RSSRC_BUILTIN) {
return "NSSRandomSeed: byte specification not "
"allowed for builtin seed source";
}
seed->nBytes = atoi(arg3);
if (seed->nBytes < 0) {
return "NSSRandomSeed: invalid number of bytes specified";
}
}
return NULL;
}
