From: Yann Ylavic
Date: Wed, 13 Jun 2018 09:54:16 +0000 (+0000)
Subject: Follow up to r1833368: share openssl between modules.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e6c090ea5a29117f867f2cff06bd99602ce9b356;p=apache
Follow up to r1833368: share openssl between modules.
Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto can use the same crypto library (e.g. openssl), use the new APR crypto loading API so that they can work together and initialize/terminate the lib either once for all or on demand and reusable by the others.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833452 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/filters/mod_crypto.c b/modules/filters/mod_crypto.c
index 2c98692c41..5d5e6b3c13 100644
--- a/modules/filters/mod_crypto.c
+++ b/modules/filters/mod_crypto.c
@@ -1197,7 +1197,7 @@ crypto_init(apr_pool_t * p, apr_pool_t * plog,
 apr_status_t rv;
 rv = apr_crypto_init(p);
- if (APR_SUCCESS != rv) {
+ if (APR_SUCCESS != rv && APR_EREINIT != rv) {
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(03427) "APR crypto could not be initialised");
 return rv;
diff --git a/modules/session/mod_session_crypto.c b/modules/session/mod_session_crypto.c
index be7e7b1807..a948b2ced9 100644
--- a/modules/session/mod_session_crypto.c
+++ b/modules/session/mod_session_crypto.c
@@ -569,7 +569,7 @@ static int session_crypto_init(apr_pool_t *p, apr_pool_t *plog,
 apr_status_t rv;
 rv = apr_crypto_init(p);
- if (APR_SUCCESS != rv) {
+ if (APR_SUCCESS != rv && APR_EREINIT != rv) {
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01843) "APR crypto could not be initialised");
 return rv;
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 2f538ef4b3..496eb19cf1 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
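Review bot: The widened test `APR_SUCCESS != rv && APR_EREINIT != rv` in crypto_init (mod_crypto.c) has no comment saying why APR_EREINIT is acceptable, and the identical change in session_crypto_init (mod_session_crypto.c) has the same gap. A reader who does not know the new loading API may take it for a swallowed error. If the status means what the commit message implies, a one-line comment above each test would settle it, for example `/* APR_EREINIT: the crypto library was already initialised by another user, not a failure */`. Both function bodies start before and continue after their hunks.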
@@ -32,6 +32,16 @@
 #include "ap_provider.h"
 #include "http_config.h"
+#include "apr_crypto.h"
+#include "apr_version.h"
+#if APR_VERSION_AT_LEAST(2,0,0) && \
+ defined(APU_HAVE_CRYPTO) && APU_HAVE_CRYPTO && \
+ defined(APU_HAVE_OPENSSL) && APU_HAVE_OPENSSL
+#define USE_APR_CRYPTO_LIB_INIT 1
+#else
+#define USE_APR_CRYPTO_LIB_INIT 0
+#endif
+
 #include "mod_proxy.h" /* for proxy_hook_section_post_config() */
 #include
@@ -392,6 +402,10 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 apr_pool_t *plog,
 apr_pool_t *ptemp)
 {
+#if USE_APR_CRYPTO_LIB_INIT
+ apr_status_t rv;
+#endif
+
 #if HAVE_VALGRIND
 ssl_running_on_valgrind = RUNNING_ON_VALGRIND;
 #endif
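Review bot: The new `USE_APR_CRYPTO_LIB_INIT` switch in the include hunk of mod_ssl.c is defined without a comment, so the reason for its three conditions has to be worked out from the commit message. A short comment above the `#if` would record it, for example `/* Let APR load and initialise libcrypto when it provides the openssl crypto driver, so that mod_ssl shares one initialisation with the other APR crypto users */`. It should also say that the test is compile-time only and that failure at run time is handled in ssl_hook_pre_config.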
@@ -404,22 +418,50 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 ssl_util_thread_id_setup(pconf);
 #endif
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
+#if USE_APR_CRYPTO_LIB_INIT
+ /* When mod_ssl is builtin, no need to unload openssl on restart */
+ rv = apr_crypto_lib_init("openssl", NULL, NULL,
+ modssl_running_statically ? ap_pglobal : pconf);
+ if (rv == APR_SUCCESS || rv == APR_EREINIT) {
+ /* apr_crypto inits libcrypto only, so in any case init libssl here,
+ * each time if openssl is unloaded with pconf, but only once if
+ * mod_ssl is builtin.
+ */
+ if (!modssl_running_statically
+ || !ap_retained_data_get("ssl_hook_pre_config")) {
+ if (modssl_running_statically) {
+ ap_retained_data_create("ssl_hook_pre_config", 1);
+ }
+ SSL_load_error_strings();
+ SSL_library_init();
+ }
+ }
+ else
+#endif
+ {
+ /* We must register the library in full, to ensure our configuration
+ * code can successfully test the SSL environment.
+ */
 #if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
- (void)CRYPTO_malloc_init();
+ CRYPTO_malloc_init();
 #else
- OPENSSL_malloc_init();
+ OPENSSL_malloc_init();
 #endif
- ERR_load_crypto_strings();
- SSL_load_error_strings();
- SSL_library_init();
+ ERR_load_crypto_strings();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_load_builtin_engines();
+ ENGINE_load_builtin_engines();
 #endif
- OpenSSL_add_all_algorithms();
- OPENSSL_load_builtin_modules();
+ OpenSSL_add_all_algorithms();
+ OPENSSL_load_builtin_modules();
+ SSL_load_error_strings();
+ SSL_library_init();
+
+ /*
+ * Let us cleanup the ssl library when the module is unloaded
+ */
+ apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
+ apr_pool_cleanup_null);
+ }
 if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
 (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
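Review bot: When apr_crypto_lib_init() returns anything other than APR_SUCCESS or APR_EREINIT, the `else` branch falls back to mod_ssl's own OpenSSL initialisation and rv is dropped without a log line. An operator then cannot tell that the shared initialisation failed and that mod_ssl is registering ssl_cleanup_pre_config on its own again. Logging at the top of the fallback block would make this visible, wrapped in `#if USE_APR_CRYPTO_LIB_INIT` because rv is only declared there: `ap_log_perror(APLOG_MARK, APLOG_WARNING, rv, plog, "apr_crypto_lib_init(openssl) failed, initialising OpenSSL from mod_ssl");`. On the success path ENGINE_load_builtin_engines(), OpenSSL_add_all_algorithms() and OPENSSL_load_builtin_modules() are no longer called from here, which presumably relies on APR's openssl initialisation doing the equivalent; that assumption deserves a comment next to the SSL_library_init() call. ssl_hook_pre_config begins before and continues after this hunk.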
@@ -429,12 +471,6 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 /* Start w/o errors (e.g. OBJ_txt2nid() above) */
 ERR_clear_error();
- /*
- * Let us cleanup the ssl library when the module is unloaded
- */
- apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
- apr_pool_cleanup_null);
-
 /* Register us to handle mod_log_config %c/%x variables */
 ssl_var_log_config_register(pconf);
diff --git a/server/core.c b/server/core.c
index d545921b33..0edfae4c02 100644
--- a/server/core.c
+++ b/server/core.c
@@ -22,7 +22,8 @@
 #include "apr_thread_proc.h" /* for RLIMIT stuff */
 #include "apr_crypto.h"
-#if defined(APU_HAVE_CRYPTO_PRNG) && APU_HAVE_CRYPTO_PRNG
+#if defined(APU_HAVE_CRYPTO) && APU_HAVE_CRYPTO && \
+ defined(APU_HAVE_CRYPTO_PRNG) && APU_HAVE_CRYPTO_PRNG
 #define USE_APR_CRYPTO_PRNG 1
 #else
 #define USE_APR_CRYPTO_PRNG 0
@@ -5504,14 +5505,8 @@ AP_CORE_DECLARE(void) ap_init_rng(apr_pool_t *p)
 apr_status_t rv;
 #if USE_APR_CRYPTO_PRNG
- {
- int flags = 0;
-#if APR_HAS_THREADS
- flags = APR_CRYPTO_PRNG_PER_THREAD;
-#endif
- rv = apr_crypto_prng_init(p, 0, NULL, flags);
- }
-#else /* USE_APR_CRYPTO_PRNG */
+ rv = apr_crypto_init(p);
+#else
 {
 unsigned char seed[8];
 rng = apr_random_standard_new(p);
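Review bot: The new `rv = apr_crypto_init(p);` in ap_init_rng (server/core.c) does not visibly tolerate APR_EREINIT, although the mod_crypto and mod_session_crypto hunks of this same commit treat that status as success for the same call. The code that consumes rv lies after the hunk, so this matters only if it compares against APR_SUCCESS alone; in that case `if (rv == APR_EREINIT) rv = APR_SUCCESS;` directly after the call would keep the core RNG setup from failing when the library is already initialised. The removed call also requested APR_CRYPTO_PRNG_PER_THREAD under APR_HAS_THREADS, and nothing in the new line shows whether per-thread PRNG state is still set up. A short comment stating where the PRNG is now initialised and seeded would help the next reader.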