Changes with Apache 2.0.33-dev
+
+ *) Merged in changes to mod_ssl up through 2.8.7-1.3.23.
+ [Ralf S. Engelschall, Cliff Woolley]
+
*) mod-include: make it handle flush'es and fix the 'false-alarm'
[Justin Everkrantz, Brian Pane, Ian Holsman]
char *szMutexFile;
apr_lock_t *pMutex;
apr_array_header_t *aRandSeed;
+ int nScoreboardSize; /* used for builtin random seed */
ssl_ds_table *tTmpKeys;
void *pTmpKeys[SSL_TKPIDX_MAX];
ssl_ds_table *tPublicCert;
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+#if SSL_LIBRARY_VERSION >= 0x00907000
+void ssl_callback_LogTracingState(const SSL *, int, int);
+#else
void ssl_callback_LogTracingState(SSL *, int, int);
+#endif
/* Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
# generate C source from DH params
my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand -8 |") || die;
+open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
$dhsource .= $_ while (<FP>);
close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand -8 |") || die;
+open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
$dhsource .= $_ while (<FP>);
close(FP);
$dhsource =~ s|(DH\s+\*get_dh)|static $1|sg;
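Review bot: A failure inside the `openssl dh … | indent | expand` pipeline on the new lines is not caught by the `|| die` on open, which only fails when the shell itself cannot be started; a missing `openssl` or `indent` leaves `$dhsource` empty and the problem is only reported at close time. Change both `close(FP);` lines to `close(FP) or die "dh param pipeline failed: $?";` so the generator stops instead of emitting C source without the DH parameters. The hunk shows only this fragment of the generator script, so its preamble (strict/warnings) is not visible here.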
/*
* Seed the Pseudo Random Number Generator (PRNG)
+ *
+ * Note: scoreboard size must be fetched at init time because
+ * ap_calc_scoreboard_size() is not threadsafe
*/
+ mc->nScoreboardSize = ap_calc_scoreboard_size();
ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
/*
}
if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
if (apr_is_fnmatch(cp) &&
- !apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
+ apr_fnmatch(cp, s->server_hostname,
+ FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
ssl_log(s, SSL_LOG_WARN,
"Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
"does NOT match server name!?", cpVHostID,
* SSL handshake and does SSL record layer stuff. We use it to
* trace OpenSSL's processing in out SSL logfile.
*/
+#if SSL_LIBRARY_VERSION >= 0x00907000
+void ssl_callback_LogTracingState(const SSL *ssl, int where, int rc)
+#else
void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
+#endif
{
conn_rec *c;
server_rec *s;
/*
* find corresponding server
*/
- if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL)
return;
s = c->base_server;
if ((sc = mySrvConfig(s)) == NULL)
int nReq, nDone;
apr_file_t *fp;
int i, n, l;
+ int m;
mc = myModConfig(s);
nReq = 0;
RAND_seed(stackdata+n, 128);
nDone += 128;
-#if XXX_SBENTROPY_SOLVED
/*
- * XXX: This is entirely borked, sizeof(scoreboard) < 1024
+ * seed in data extracted from the current scoreboard
*
- * seed in an 1KB extract of the current scoreboard
+ * XXX: this assumes that the entire scoreboard is
+ * allocated in one big block of memory that begins at
+ * the location pointed to by ap_scoreboard_image->global
*/
- if (ap_scoreboard_image != NULL) {
- n = ssl_rand_choosenum(0,ap_calc_scoreboard_size()-1024-1);
- RAND_seed(((unsigned char *)ap_scoreboard_image)+n, 1024);
- nDone += 1024;
+ if (ap_scoreboard_image != NULL && mc->nScoreboardSize > 16)
+ {
+ m = ((mc->nScoreboardSize / 2) - 1);
+ n = ssl_rand_choosenum(0, m);
+ RAND_seed(
+ ((unsigned char *)ap_scoreboard_image->global)+n, m);
+ nDone += m;
}
-#endif
}
}
}
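Review bot: The new scoreboard seeding at L95–L101 credits every byte it reads as entropy — `RAND_seed` tells OpenSSL its input is fully random, and `nDone += m` books the same m bytes — but scoreboard contents (worker states, counters, timestamps) are largely predictable to anyone who can observe the server, so this overstates what the PRNG actually gained. Prefer `RAND_add(((unsigned char *)ap_scoreboard_image->global)+n, m, entropy_estimate)` with a deliberately small estimate, and either leave m out of nDone or add a comment that nDone is a byte count rather than an entropy figure. The bounds arithmetic itself looks safe: n + m is at most nScoreboardSize - 2 under the one-contiguous-block assumption the XXX comment already calls out. ssl_rand_seed begins and ends outside the hunk.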
UCHAR *ucp;
/* streamline session data */
+ if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
+ return FALSE;
ucp = ucaData;
- nData = i2d_SSL_SESSION(sess, &ucp);
+ i2d_SSL_SESSION(sess, &ucp);
/* be careful: do not try to store too much bytes in a DBM file! */
#ifdef PAIRMAX
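Review bot: The added length check at L109 rejects an error return only by accident: `i2d_SSL_SESSION(sess, NULL)` yields a non-positive value on failure, and that negative int falls into `return FALSE` solely because it converts to a huge size_t in the `>` comparison against `sizeof(ucaData)`. Making the intent explicit, `if ((nData = i2d_SSL_SESSION(sess, NULL)) <= 0 || (size_t)nData > sizeof(ucaData)) return FALSE;`, documents the overflow guard and survives a future change of nData's type. A one-line comment that the second `i2d_SSL_SESSION` call's return is ignored because the length was just established would also help the next reader. The enclosing store function starts before and continues past the hunk.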
unsigned int division_offset;
unsigned int division_size;
unsigned int queue_size;
- unsigned char index_num;
- unsigned char index_offset;
- unsigned char index_size;
+ unsigned int index_num;
+ unsigned int index_offset;
+ unsigned int index_size;
unsigned int cache_data_offset;
unsigned int cache_data_size;
unsigned long num_stores;
unsigned int queue_size;
unsigned int cache_data_offset;
unsigned int cache_data_size;
+ unsigned int index_num;
+ unsigned int index_offset;
+ unsigned int index_size;
unsigned char division_mask;
- unsigned char index_num;
- unsigned char index_offset;
- unsigned char index_size;
#endif
} SHMCBHeader;
return;
}
-BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR * id, int idlen,
+BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR *id, int idlen,
time_t timeout, SSL_SESSION * pSession)
{
SSLModConfigRec *mc = myModConfig();
return to_return;
}
-SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR * id, int idlen)
+SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig();
void *shm_segment;
return pSession;
}
-void ssl_scache_shmcb_remove(server_rec *s, UCHAR * id, int idlen)
+void ssl_scache_shmcb_remove(server_rec *s, UCHAR *id, int idlen)
{
SSLModConfigRec *mc = myModConfig();
void *shm_segment;
/* We've kludged our pointer into the other cache's member variable. */
shm_segment = (void *) mc->tSessionCacheDataTable;
+ ssl_mutex_on(s);
shmcb_remove_session(s, shm_segment, id, idlen);
+ ssl_mutex_off(s);
}
void ssl_scache_shmcb_expire(server_rec *s)
}
static BOOL shmcb_store_session(
- server_rec *s, void *shm_segment, UCHAR * id,
+ server_rec *s, void *shm_segment, UCHAR *id,
int idlen, SSL_SESSION * pSession,
time_t timeout)
{
static SSL_SESSION *shmcb_retrieve_session(
server_rec *s, void *shm_segment,
- UCHAR * id, int idlen)
+ UCHAR *id, int idlen)
{
SHMCBHeader *header;
SHMCBQueue queue;
static BOOL shmcb_remove_session(
server_rec *s, void *shm_segment,
- UCHAR * id, int idlen)
+ UCHAR *id, int idlen)
{
SHMCBHeader *header;
SHMCBQueue queue;
const SHMCBQueue *queue, unsigned int idx)
{
/* bounds check */
- if (idx > (unsigned int) queue->header->index_num)
+ if (idx > queue->header->index_num)
return NULL;
/* Return a pointer to the index. NB: I am being horribly pendantic
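Review bot: The bounds check kept on the new line at L193, `idx > queue->header->index_num`, still admits `idx == index_num`; if index_num is the number of index slots, as the name and the widened `unsigned int index_num` field elsewhere in this patch suggest, that is one past the last valid slot and the caller receives a pointer just beyond the index array inside the shared segment. Unless index_num is documented as the last valid index rather than a count, the check should be `if (idx >= queue->header->index_num) return NULL;`. Dropping the cast after widening the field to unsigned int is itself correct. shmcb_get_index continues outside the hunk.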
UCHAR *ucp;
/* streamline session data */
+ if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
+ return FALSE;
ucp = ucaData;
- nData = i2d_SSL_SESSION(sess, &ucp);
+ i2d_SSL_SESSION(sess, &ucp);
ssl_mutex_on(s);
if (table_insert_kd(mc->tSessionCacheDataTable,