RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)

am 19.02.2003 17:10:12 von Maik Mueller

> Cool..

> Can you please post the patch to the list, so that ppl can review the
> code,
> and give their comments.

> -Madhu
No problem!
Here is my short README describing the patch and its history from Apache
version 2.0.43 to 2.0.44:

Hello!
This is the distribution point for the Apache 2.0 as SSL Intermediary Patch.
Currently you need this patch to use Apache 2.0 as a trusted intermediary
in a configuration with the SAP J2EE Engine.
The patch is subject to become part of the standard Apache 2.0 distribution.

Feedback welcome!
Maik (maik.mueller@sap.com)

INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions

HISTORY:
02-12-30 initial release (available SAP internal)
03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added
In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is
already applied. More convenient for users not so familiar with the
usage of diff & patch.
03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added
You cannot use the UNIX source to build the WIN32 binaries.
This ZIP archive contains the already patched version of
httpd-2.0.43-win32-src. Use it to build the WIN32 binaries.
If you want to apply Apache-2.0.43-SSLintermediary.patch to the
original httpd-2.0.43-win32-src, be aware that you have to convert
CR-LFs to CR before applying the patch. In the successfully patched
files you can expand CR to CR-LF again.
03-01-20 Bug in base64 padding found: the calculation of the number of
padding characters ('=') needed gives wrong results in some cases.
03-02-07 Apache 2.0.44 Released
Apache-2.0.44-SSLintermediary.patch corresponds to
httpd-2.0.44.tar.gz
The documentation changes are NO longer part of the patch.
Download mod_headers_mai.html.en for proposed documentation
changes.
SSLproxy.conf is a good example for a proxy's mod_ssl
configuration.
The SAP proposed header names are used in the example added to the
mod_headers documentation (see mod_headers_mai.html.en).

And here follows the patch (my proposed changes to the HTML documentation are
no longer included in the patch. Please advise me if and how to post these
changes to mod_headers.html.en):
--- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002
+++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003
@@ -109,6 +109,7 @@
#include "apr_lib.h"
#include "apr_strings.h"
#include "apr_buckets.h"
+#include "apr_base64.h"

#include "apr_hash.h"
#define APR_WANT_STRFUNC
@@ -198,6 +199,62 @@
else
return "(null)";
}
+
+/* Base 64 encoded ASN.1 data is usually tagged with decorations of
+ * the following style:
+ * -----BEGIN -----
+ *
+ * -----END -----
+ * The defines are used to search for such decorations.
+ */
+#define DECORATION_MARKER_BEGIN "-----BEGIN"
+#define DECORATION_MARKER_END "-----END"
+#define DECORATION_EOF_MARKER "-----"
+
+static const char *header_request_env_varB64(request_rec *r, char *a)
+{
+ const char *s = apr_table_get(r->subprocess_env,a);
+ char *pStartBody = NULL;
+ char *pBehindBody = NULL;
+ char *ptr;
+
+ if (s) {
+ /* search for decorations marking encapsulated base64 encoded data */
+ ptr = strstr((char *)s, DECORATION_MARKER_BEGIN);
+ if (ptr) {
+ ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN),
DECORATION_EOF_MARKER);
+ if (ptr && (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') {
+ /* explicit check that there are sitll chars in the string */
+ pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1;
+
+ ptr = strstr(pStartBody, DECORATION_MARKER_END);
+ if (ptr && strstr(ptr, DECORATION_EOF_MARKER))
+ pBehindBody = ptr;
+ }
+ }
+
+ if (pStartBody && pBehindBody) {
+ /* encapsulated base64 encoded data found */
+ /* all except the body will be skipped */
+ *pBehindBody = '\0';
+ apr_base64_cleanB64(pStartBody);
+ return pStartBody;
+ } else {
+ /* call apr_base64_encode() to encode the data */
+ int inlen = strlen(s);
+ int outsize = apr_base64_encode_len(inlen);
+ char *encoded = apr_palloc(r->pool, outsize);
+ int rc = apr_base64_encode(encoded, s, inlen);
+ if (rc > outsize)
+ return "(null)";
+ else
+ return encoded;
+ }
+ }
+ else
+ return "(null)";
+}
+
/*
* Config routines
*/
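Review bot: The guard `if (ptr && (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0')` compares a pointer with the null pointer constant instead of the character it points at, so it holds whenever ptr is non-NULL; when the variable ends right after the closing `-----` of the BEGIN line, pStartBody is set past the terminator and the strstr that follows reads beyond the string. The value also comes back from apr_table_get as const char * and is then modified in place (`*pBehindBody = '\0'` and apr_base64_cleanB64), which truncates the subprocess_env entry for everything that reads that variable afterwards, so the function should work on an apr_pstrdup copy. The `rc > outsize` branch cannot trigger because apr_base64_encode_len sizes the buffer, and the comment has a typo (`sitll`). The fence shows the corrected guard and the pool copy; the rest of the body is unchanged apart from using the copy instead of s.
```c
static const char *header_request_env_varB64(request_rec *r, char *a)
{
    const char *s = apr_table_get(r->subprocess_env, a);
    char *buf;
    char *pStartBody = NULL;
    char *pBehindBody = NULL;
    char *ptr;

    if (!s)
        return "(null)";

    /* work on a pool copy: the table entry is const and must stay intact
     * for later readers of the variable */
    buf = apr_pstrdup(r->pool, s);

    /* search for decorations marking encapsulated base64 encoded data */
    ptr = strstr(buf, DECORATION_MARKER_BEGIN);
    if (ptr) {
        ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN), DECORATION_EOF_MARKER);
        /* dereference: at least one character must follow the "-----" */
        if (ptr && ptr[strlen(DECORATION_EOF_MARKER)] != '\0') {
            pStartBody = ptr + strlen(DECORATION_EOF_MARKER);
            ptr = strstr(pStartBody, DECORATION_MARKER_END);
            if (ptr && strstr(ptr, DECORATION_EOF_MARKER))
                pBehindBody = ptr;
        }
    }
    /* … unchanged: body extraction / apr_base64_encode fallback, with buf in place of s … */
```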
@@ -407,7 +464,7 @@

/* Handle the envclause on Header */
if (envclause != NULL) {
- if (inout != hdr_out) {
+ if (inout != hdr_out && inout != hdr_in) {
return "error: envclause (env=...) only valid on Header
directive";
}
if (strncasecmp(envclause, "env=", 4) != 0) {
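Review bot: The error string right after the changed condition still reads `only valid on Header directive` although the condition now admits hdr_in as well, so anyone reaching it from another inout value gets a misleading message; change it to `"error: envclause (env=...) only valid on Header and RequestHeader directives"`. Whether any inout value other than hdr_in and hdr_out exists in this version is not visible in the hunk; if there is none, the branch is now dead and could be dropped. The enclosing function starts before the hunk.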
@@ -448,12 +505,23 @@
return header_inout_cmd(hdr_out, cmd, indirconf, action, hdr, val,
envclause);
}

-/* handle RequestHeader directive */
+/* handle RequestHeader directive (enable env clause) */
static const char *request_header_cmd(cmd_parms *cmd, void *indirconf,
- const char *action, const char *inhdr,
- const char *value)
+ const char *args)
{
- return header_inout_cmd(hdr_in, cmd, indirconf, action, inhdr, value,
NULL);
+ const char *s;
+ const char *action;
+ const char *hdr;
+ const char *val;
+ const char *envclause;
+
+ s = apr_pstrdup(cmd->pool, args);
+ action = ap_getword_conf(cmd->pool, &s);
+ hdr = ap_getword_conf(cmd->pool, &s);
+ val = *s ? ap_getword_conf(cmd->pool, &s) : NULL;
+ envclause = *s ? ap_getword_conf(cmd->pool, &s) : NULL;
+
+ return header_inout_cmd(hdr_in, cmd, indirconf, action, hdr, val,
envclause);
}

/*
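Review bot: request_header_cmd now re-implements the word splitting that header_cmd (also AP_INIT_RAW_ARGS, see the command table hunk further down) presumably does for Header, so the two directives can drift; factoring the four ap_getword_conf calls into one static helper used by both would be preferable. With AP_INIT_TAKE23 a RequestHeader line missing its header name was rejected by the core arity check, whereas the raw parser now hands an empty hdr and val == NULL to header_inout_cmd — worth a guard such as `if (!*action || !*hdr) return "RequestHeader requires an action and a header name";` unless header_inout_cmd already rejects that (not visible here). The `apr_pstrdup` of args looks unnecessary, since ap_getword_conf does not write to its input, though it is harmless.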
@@ -595,8 +663,8 @@
{
AP_INIT_RAW_ARGS("Header", header_cmd, NULL, OR_FILEINFO,
"an action, header and value followed by optional env
clause"),
- AP_INIT_TAKE23("RequestHeader", request_header_cmd, NULL, OR_FILEINFO,
- "an action, header and value"),
+ AP_INIT_RAW_ARGS("RequestHeader", request_header_cmd, NULL,
OR_FILEINFO,
+ "an action, header and value followed by optional env
clause"),
{NULL}
};

@@ -612,6 +680,7 @@
register_format_tag_handler(p, "D", (void*) header_request_duration,
0);
register_format_tag_handler(p, "t", (void*) header_request_time, 0);
register_format_tag_handler(p, "e", (void*) header_request_env_var, 0);
+ register_format_tag_handler(p, "E", (void*) header_request_env_varB64,
0);

return OK;
}
--- httpd-2.0.43.ori/srclib/apr-util/encoding/apr_base64.c Wed Mar 13
21:40:47 2002
+++ httpd-2.0.43/srclib/apr-util/encoding/apr_base64.c Sat Dec 28 18:18:21
2002
@@ -229,6 +229,31 @@
return nbytesdecoded;
}

+/* This function removes all non-base64 characters.
+ * Useful to get rid of spaces, CR, LF and other formatting characters.
+ */
+APU_DECLARE(int) apr_base64_cleanB64(char *bufcoded)
+{
+ char *ptr = bufcoded;
+ int len = strlen(bufcoded);
+ int i;
+
+ for (i = 0; i < len; i++)
+ if (pr2six[bufcoded[i]] <= 63)
+ *ptr++ = bufcoded[i];
+
+ /* reapply correct base64 padding */
+ switch ((ptr - bufcoded) % 4) {
+ case 2: /* TWO padding characters needed */
+ *ptr++ = '=';
+ case 3: /* ONE padding character needed */
+ *ptr++ = '=';
+ }
+ *ptr++ = '\0';
+
+ return (ptr - bufcoded);
+}
+
static const char basis_64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456 789+/";

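Review bot: `pr2six[bufcoded[i]]` indexes the table with a plain char, which is signed on most ABIs, so any byte above 0x7F in the value becomes a negative index and reads before the table — undefined behaviour; write `if (pr2six[(unsigned char)bufcoded[i]] <= 63)`, matching the unsigned char indexing the decode routines in this file use. The return value is off by one as well: `*ptr++ = '\0'; return (ptr - bufcoded);` counts the terminator, while the new prototype comment in apr_base64.h (next file in this patch) documents "the new length of the encoded string"; use `*ptr = '\0'; return (ptr - bufcoded);`. The padding step can also write past the caller's buffer: when no character was removed and the input is unpadded (length 2 or 3 mod 4), the one or two appended '=' plus the terminator land beyond the original strlen + 1, so the contract must require two spare bytes, or the function must stop when the buffer has no room. A remainder of 1 cannot be repaired by padding and currently passes through silently; a `default:` case and a `/* fallthrough */` marker between case 2 and case 3 would make the intent explicit.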
--- httpd-2.0.43.ori/srclib/apr-util/include/apr_base64.h Wed Mar 13
21:40:48 2002
+++ httpd-2.0.43/srclib/apr-util/include/apr_base64.h Sun Dec 29 09:31:57
2002
@@ -142,6 +142,14 @@
APU_DECLARE(int) apr_base64_decode_binary(unsigned char * plain_dst,
const char *coded_src);

+/**
+ * This function removes all non-base64 characters.
+ * Useful to get rid of spaces, CR, LF and other formatting characters.
+ * @param bufcoded The encoded string (input/output)
+ * @return The new length of the encoded string
+ */
+APU_DECLARE(int) apr_base64_cleanB64(char *bufcoded);
+
/** @} */
#ifdef __cplusplus
}
--- httpd-2.0.43.ori/modules/ssl/ssl_engine_vars.c Tue May 28 23:47:31 2002
+++ httpd-2.0.43/modules/ssl/ssl_engine_vars.c Sun Dec 29 15:42:59 2002
@@ -479,6 +479,9 @@

result = NULL;

+ /* Fix inconsistency with SSL_CLIENT_CERT_CHAIN
+ Ignore '_' between SSL_CLIENT_CERT_CHAIN and the subsequent number.
*/
+ if (*var == '_') var++;
if (strspn(var, "0123456789") == strlen(var)) {
n = atoi(var);
if (n < sk_X509_num(sk)) {
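Review bot: `if (*var == '_') var++;` also turns a bare trailing underscore (the variable name ending in `_` with no index) into the empty string, which the next line accepts because strspn and strlen are both 0, and atoi("") then selects chain element 0, so a typo silently yields the first chain certificate instead of nothing. Guarding the skip, `if (*var == '_' && var[1] != '\0') var++;`, keeps that spelling out of the numeric branch; the empty suffix without underscore already behaved this way before the patch, as far as the hunk shows. Braces on the one-line if would match the surrounding style. How var is derived is outside the hunk, and the enclosing function starts before it.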

Regards,
Maik