I was about to move the usage of c->notes.ssl::verify::depth to
SSLConnRec.verify_depth and in the process noticed the bloody thing is
never used. The comment says:
/*
* override of SSLVerifyDepth
*
* The depth checks are handled by us manually inside the verify callback
* function and not by OpenSSL internally (and our function is aware of
* both the per-server and per-directory contexts). So we cannot ask
* OpenSSL about the currently verify depth. Instead we remember it in our
* ap_ctx attached to the SSL* of OpenSSL. We've to force the
* renegotiation if the reconfigured/new verify depth is less than the
* currently active/remembered verify depth (because this means more
* restriction on the certificate chain).
*/
But if you look at the patch below, after the ssl::verify::depth usage is
replaced, this is the only place it is referenced, in ssl_hook_Access:
if (!(n = sslconn->verify_depth)) {
sslconn->verify_depth = n = sc->nVerifyDepth;
}
I see no reason why that couldn't just be:
n = sc->nVerifyDepth;
Can anybody see something I'm missing? mod_ssl 1.x is no different.
Index: mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.34
diff -u -r1.34 mod_ssl.c
--- mod_ssl.c 2001/11/21 22:29:14 1.34
+++ mod_ssl.c 2001/11/21 23:17:16
@@ -274,7 +274,6 @@
SSL_set_app_data(ssl, c);
apctx = apr_table_make(c->pool, AP_CTX_MAX_ENTRIES);
apr_table_setn(apctx, "ssl::request_rec", NULL);
- apr_table_setn(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0));
SSL_set_app_data2(ssl, apctx);
sslconn->ssl = ssl;
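Review bot: removing the "ssl::verify::depth" entry here means the new sslconn->verify_depth starts with whatever the SSLConnRec allocation left in it, and the ssl_engine_kernel.c hunk treats 0 as "not yet set"; that only holds if sslconn comes from apr_pcalloc, which this hunk does not show. Either confirm that, or set `sslconn->verify_depth = 0;` explicitly next to `sslconn->ssl = ssl;` so the sentinel does not depend on the allocator.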
Index: mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.38
diff -u -r1.38 mod_ssl.h
--- mod_ssl.h 2001/11/21 22:29:14 1.38
+++ mod_ssl.h 2001/11/21 23:17:16
@@ -462,6 +462,7 @@
ssl_shutdown_type_e shutdown_type;
const char *verify_info;
const char *verify_error;
+ int verify_depth;
} SSLConnRec;
typedef struct {
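Review bot: the new verify_depth member has no comment, unlike the ap_ctx entry it replaces, and the other members around it are not self-explanatory either; add a one-line note that it holds the per-connection verify depth with 0 meaning "not yet set", since ssl_hook_Access relies on 0 as the sentinel and a configured SSLVerifyDepth of 0 would simply be re-read from sc->nVerifyDepth on every request.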
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.24
diff -u -r1.24 ssl_engine_kernel.c
--- ssl_engine_kernel.c 2001/11/21 22:29:14 1.24
+++ ssl_engine_kernel.c 2001/11/21 23:17:18
@@ -371,11 +371,9 @@
STACK_OF(SSL_CIPHER) *skCipherOld;
STACK_OF(SSL_CIPHER) *skCipher;
SSL_CIPHER *pCipher;
- apr_table_t *apctx;
int nVerifyOld;
int nVerify;
int n;
- void *vp;
int rc;
dc = myDirConfig(r);
@@ -522,13 +520,10 @@
* restriction on the certificate chain).
*/
if (dc->nVerifyDepth != UNSET) {
- apctx = (apr_table_t *)SSL_get_app_data2(ssl);
- if ((vp = (void *)apr_table_get(apctx, "ssl::verify::depth")) != NULL)
- n = (int)AP_CTX_PTR2NUM(vp);
- else
- n = sc->nVerifyDepth;
- apr_table_setn(apctx, "ssl::verify::depth",
- (const char *)AP_CTX_NUM2PTR(dc->nVerifyDepth));
+ if (!(n = sslconn->verify_depth)) {
+ sslconn->verify_depth = n = sc->nVerifyDepth;
+ }
+
/* determine whether a renegotiation has to be forced */
if (dc->nVerifyDepth < n) {
renegotiate = TRUE;
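Review bot: the removed `apr_table_setn(apctx, "ssl::verify::depth", ... dc->nVerifyDepth)` stored the per-directory depth after each request, so on the next request over the same connection n was the depth last applied; the replacement only ever stores sc->nVerifyDepth, so `dc->nVerifyDepth < n` now compares against the server depth every time and forces renegotiation whenever a per-directory depth is stricter than the server one, not only when it is stricter than the depth last applied. If that is the intent, the comment above ("currently active/remembered verify depth") should be updated to say so; if not, add `sslconn->verify_depth = dc->nVerifyDepth;` after the comparison to keep the old behaviour.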
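Added example, not part of this message or of mod_ssl: a constructed C model of the old apctx bookkeeping next to the patched SSLConnRec.verify_depth logic, replayed over one keep-alive connection to show where the two differ. It assumes AP_CTX_NUM2PTR(0) is a null pointer, so the old lookup falls back to sc->nVerifyDepth on a connection's first request; conn_t, old_access, new_access, count_renegotiations and demo_dirs are hypothetical names.

```c
/* Constructed model of the verify-depth bookkeeping in ssl_hook_Access;
 * not mod_ssl code. Assumption: AP_CTX_NUM2PTR(0) is a null pointer, so
 * the old apctx lookup falls through to the server depth on the first
 * request of a connection. */
#define UNSET (-1)

/* one per connection: apctx "ssl::verify::depth" or SSLConnRec.verify_depth */
typedef struct { int remembered; } conn_t;

/* Old logic: use the depth remembered from the previous request (or the
 * server depth if none), then remember the per-directory depth applied
 * now. Returns 1 when a renegotiation would be forced. */
static int old_access(conn_t *c, int server_depth, int dir_depth)
{
    int n;
    if (dir_depth == UNSET)
        return 0;
    n = c->remembered ? c->remembered : server_depth;
    c->remembered = dir_depth;
    return dir_depth < n;
}

/* Patched logic: the connection field is only ever filled with the
 * server depth; the per-directory depth is never remembered. */
static int new_access(conn_t *c, int server_depth, int dir_depth)
{
    int n;
    if (dir_depth == UNSET)
        return 0;
    if (!(n = c->remembered))
        c->remembered = n = server_depth;
    return dir_depth < n;
}

/* Replay a sequence of per-directory depths over one keep-alive
 * connection and count the requests that force renegotiation. */
static int count_renegotiations(int (*fn)(conn_t *, int, int),
                                int server_depth, const int *dirs, int count)
{
    conn_t c = { 0 };
    int i, forced = 0;
    for (i = 0; i < count; i++)
        forced += fn(&c, server_depth, dirs[i]);
    return forced;
}

/* Constructed input: SSLVerifyDepth 10 at server level; three requests on
 * one connection hit directories configured with depth 3, 1 and 5. */
static const int demo_dirs[] = { 3, 1, 5 };
```

With server depth 10 and per-directory depths 3, 1, 5 the old code forces renegotiation twice (3 < 10, then 1 < 3) while the patched code forces it on all three requests, since n stays 10.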