
Source code changes of the file "src/md_acme_authz.c" between
mod_md-2.4.2.tar.gz and mod_md-2.4.4.tar.gz

About: mod_md is an Apache module that adds Let's Encrypt (ACME) support.

md_acme_authz.c  (mod_md-2.4.2):md_acme_authz.c  (mod_md-2.4.4)
skipping to change at line 311 skipping to change at line 311
const char *acme_id, *token; const char *acme_id, *token;
apr_status_t rv; apr_status_t rv;
int notify_server; int notify_server;
md_data_t data; md_data_t data;
int i; int i;
(void)env; (void)env;
(void)mdomain; (void)mdomain;
if (md_array_str_index(acme_tls_1_domains, authz->domain, 0, 0) < 0) { if (md_array_str_index(acme_tls_1_domains, authz->domain, 0, 0) < 0) {
rv = APR_ENOTIMPL; rv = APR_ENOTIMPL;
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, if (acme_tls_1_domains->nelts) {
"%s: protocol 'acme-tls/1' not enabled for this domain.", md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p,
authz->domain); "%s: protocol 'acme-tls/1' seems not enabled for this
goto out; domain, "
"but is enabled for other associated domains. "
"Continuing with fingers crossed.", authz->domain);
}
else {
md_log_perror(MD_LOG_MARK, MD_LOG_INFO, 0, p,
"%s: protocol 'acme-tls/1' seems not enabled for this
or "
"any other associated domain. Not attempting challenge
"
"type tls-alpn-01.", authz->domain);
goto out;
}
} }
if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, &notify_server ))) { if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, &notify_server ))) {
goto out; goto out;
} }
/* Create a "tls-alpn-01" certificate for the domain we want to authenticate . /* Create a "tls-alpn-01" certificate for the domain we want to authenticate .
* The server will need to answer a TLS connection with SNI == authz->domain * The server will need to answer a TLS connection with SNI == authz->domain
* and ALPN procotol "acme-tls/1" with this certificate. * and ALPN procotol "acme-tls/1" with this certificate.
*/ */
MD_DATA_SET_STR(&data, cha->key_authz); md_data_init_str(&data, cha->key_authz);
rv = md_crypt_sha256_digest_hex(&token, p, &data); rv = md_crypt_sha256_digest_hex(&token, p, &data);
if (APR_SUCCESS != rv) { if (APR_SUCCESS != rv) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: create tls-alpn-01 va lidation token", md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: create tls-alpn-01 va lidation token",
authz->domain); authz->domain);
goto out; goto out;
} }
acme_id = apr_psprintf(p, "critical,DER:04:20:%s", token); acme_id = apr_psprintf(p, "critical,DER:04:20:%s", token);
/* Each configured key type must be generated to ensure: /* Each configured key type must be generated to ensure:
* that any fallback certs already given to mod_ssl are replaced. * that any fallback certs already given to mod_ssl are replaced.
skipping to change at line 423 skipping to change at line 432
rv = APR_ENOTIMPL; rv = APR_ENOTIMPL;
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: dns-01 command not set", md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, "%s: dns-01 command not set",
authz->domain); authz->domain);
goto out; goto out;
} }
if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, &notify_server ))) { if (APR_SUCCESS != (rv = setup_key_authz(cha, authz, acme, p, &notify_server ))) {
goto out; goto out;
} }
MD_DATA_SET_STR(&data, cha->key_authz); md_data_init_str(&data, cha->key_authz);
rv = md_crypt_sha256_digest64(&token, p, &data); rv = md_crypt_sha256_digest64(&token, p, &data);
if (APR_SUCCESS != rv) { if (APR_SUCCESS != rv) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: create dns-01 token f or %s", md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: create dns-01 token f or %s",
mdomain, authz->domain); mdomain, authz->domain);
goto out; goto out;
} }
cmdline = apr_psprintf(p, "%s setup %s %s", dns01_cmd, authz->domain, token) ; cmdline = apr_psprintf(p, "%s setup %s %s", dns01_cmd, authz->domain, token) ;
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p, md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, 0, p,
"%s: dns-01 setup command: %s", authz->domain, cmdline); "%s: dns-01 setup command: %s", authz->domain, cmdline);
skipping to change at line 560 skipping to change at line 569
return 1; return 1;
} }
apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s tore_t *store, apr_status_t md_acme_authz_respond(md_acme_authz_t *authz, md_acme_t *acme, md_s tore_t *store,
apr_array_header_t *challenges, md_pkeys_spec _t *key_specs, apr_array_header_t *challenges, md_pkeys_spec _t *key_specs,
apr_array_header_t *acme_tls_1_domains, const char *mdomain, apr_array_header_t *acme_tls_1_domains, const char *mdomain,
apr_table_t *env, apr_pool_t *p, const char * *psetup_token, apr_table_t *env, apr_pool_t *p, const char * *psetup_token,
md_result_t *result) md_result_t *result)
{ {
apr_status_t rv; apr_status_t rv;
int i; int i, j;
cha_find_ctx fctx; cha_find_ctx fctx;
const char *challenge_setup; const char *challenge_setup;
assert(acme); assert(acme);
assert(authz); assert(authz);
assert(authz->resource); assert(authz->resource);
fctx.p = p; fctx.p = p;
fctx.accepted = NULL; fctx.accepted = NULL;
/* Look in the order challenge types are defined: /* Look in the order challenge types are defined:
* - if they are offered by the CA, try to set it up * - if they are offered by the CA, try to set it up
* - if setup was successful, we are done and the CA will evaluate us * - if setup was successful, we are done and the CA will evaluate us
* - if setup failed, continue to look for another supported challenge type * - if setup failed, continue to look for another supported challenge type
* - if there is no overlap in types, tell the user that she has to configur e * - if there is no overlap in types, tell the user that she has to configur e
* either more types (dns, tls-alpn-01), make ports available or refrain * either more types (dns, tls-alpn-01), make ports available or refrain
* from using wildcard domains when dns is not available. etc. * from using wildcard domains when dns is not available. etc.
* - if there was an overlap, but no setup was successful, report that. We * - if there was an overlap, but no setup was successful, report that. We
* will retry this, maybe the failure is temporary (e.g. command to setup DNS * will retry this, maybe the failure is temporary (e.g. command to setup DNS
*/ */
md_result_printf(result, 0, "%s: selecting suitable authorization challenge
"
"type, this domain supports %s",
authz->domain, apr_array_pstrcat(p, challenges, ' '));
rv = APR_ENOTIMPL; rv = APR_ENOTIMPL;
challenge_setup = NULL; challenge_setup = NULL;
for (i = 0; i < challenges->nelts && !fctx.accepted; ++i) { for (i = 0; i < challenges->nelts; ++i) {
fctx.type = APR_ARRAY_IDX(challenges, i, const char *); fctx.type = APR_ARRAY_IDX(challenges, i, const char *);
fctx.accepted = NULL;
md_json_itera(find_type, &fctx, authz->resource, MD_KEY_CHALLENGES, NULL ); md_json_itera(find_type, &fctx, authz->resource, MD_KEY_CHALLENGES, NULL );
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE1, 0, p,
"%s: challenge type '%s' for %s: %s",
authz->domain, fctx.type, mdomain,
fctx.accepted? "maybe acceptable" : "not applicable");
if (fctx.accepted) { if (fctx.accepted) {
for (i = 0; i < (int)CHA_TYPES_LEN; ++i) { for (j = 0; j < (int)CHA_TYPES_LEN; ++j) {
if (!apr_strnatcasecmp(CHA_TYPES[i].name, fctx.accepted->type)) if (!apr_strnatcasecmp(CHA_TYPES[j].name, fctx.accepted->type))
{ {
md_result_activity_printf(result, "Setting up challenge '%s' for domain %s", md_result_activity_printf(result, "Setting up challenge '%s' for domain %s",
fctx.accepted->type, authz->domain ); fctx.accepted->type, authz->domain );
rv = CHA_TYPES[i].setup(fctx.accepted, authz, acme, store, k ey_specs, rv = CHA_TYPES[j].setup(fctx.accepted, authz, acme, store, k ey_specs,
acme_tls_1_domains, mdomain, env, re sult, p); acme_tls_1_domains, mdomain, env, re sult, p);
if (APR_SUCCESS == rv) { if (APR_SUCCESS == rv) {
md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p, md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, rv, p,
"%s: set up challenge '%s' for %s", "%s: set up challenge '%s' for %s",
authz->domain, fctx.accepted->type, mdomai n); authz->domain, fctx.accepted->type, mdomai n);
challenge_setup = CHA_TYPES[i].name; challenge_setup = CHA_TYPES[i].name;
goto out; goto out;
} }
md_result_printf(result, rv, "error setting up challenge '%s ' for %s, " md_result_printf(result, rv, "error setting up challenge '%s ' for %s, "
"for domain %s, looking for other option", "for domain %s, looking for other option",
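Review bot: In md_acme_authz_respond the inner loop was renamed to `j`, but the assignment in the success branch still reads `challenge_setup = CHA_TYPES[i].name;`, where `i` now indexes `challenges` rather than `CHA_TYPES`; the recorded setup type is therefore the wrong entry, and since `i` is only bounded by `challenges->nelts` the read can go past `CHA_TYPES_LEN` when the CA offers more challenge types than are defined locally. The line should be `challenge_setup = CHA_TYPES[j].name;`. The old side did not show this because both loops shared `i`, so the value picked up after the inner loop was the index that had just matched. md_acme_authz_respond's body continues outside the hunk, so whatever consumes challenge_setup (presumably `*psetup_token`) is not visible here and should be checked against the corrected value.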
 End of changes. 10 change blocks. 
12 lines changed or deleted 33 lines changed or added
