From 0f45e62dcd9c0857089726f033b8b7c2762220ff Mon Sep 17 00:00:00 2001
From: Cliff Woolley
Date: Mon, 25 Feb 2002 04:23:03 +0000
Subject: [PATCH] Forward port of changes in mod_ssl for Apache 1.3 up through mod_ssl version 2.8.7-1.3.23.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93564 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 modules/ssl/mod_ssl.h | 5 +++++
 modules/ssl/ssl_engine_dh.c | 4 ++--
 modules/ssl/ssl_engine_init.c | 7 ++++++-
 modules/ssl/ssl_engine_kernel.c | 6 +++++-
 modules/ssl/ssl_engine_rand.c | 20 ++++++++++++--------
 modules/ssl/ssl_scache_dbm.c | 4 +++-
 modules/ssl/ssl_scache_shmcb.c | 28 +++++++++++++++------------
 modules/ssl/ssl_scache_shmht.c | 4 +++-
 9 files changed, 55 insertions(+), 27 deletions(-)

diff --git a/CHANGES b/CHANGES
index 5c52a5f8ec..bfb396c5df 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 Changes with Apache 2.0.33-dev
+
+ *) Merged in changes to mod_ssl up through 2.8.7-1.3.23.
+ [Ralf S. Engelschall, Cliff Woolley]
+
 *) mod-include: make it handle flush'es and fix the 'false-alarm'
 [Justin Everkrantz, Brian Pane, Ian Holsman]
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 697158c81b..a8699ad55b 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -513,6 +513,7 @@ typedef struct {
 char *szMutexFile;
 apr_lock_t *pMutex;
 apr_array_header_t *aRandSeed;
+ int nScoreboardSize; /* used for builtin random seed */
 ssl_ds_table *tTmpKeys;
 void *pTmpKeys[SSL_TKPIDX_MAX];
 ssl_ds_table *tPublicCert;
@@ -675,7 +676,11 @@ int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, server_rec *);
 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+#if SSL_LIBRARY_VERSION >= 0x00907000
+void ssl_callback_LogTracingState(const SSL *, int, int);
+#else
 void ssl_callback_LogTracingState(SSL *, int, int);
+#endif
 /* Session Cache Support */
 void ssl_scache_init(server_rec *, apr_pool_t *);
diff --git a/modules/ssl/ssl_engine_dh.c b/modules/ssl/ssl_engine_dh.c
index 5e8e09d1c6..5892537924 100644
--- a/modules/ssl/ssl_engine_dh.c
+++ b/modules/ssl/ssl_engine_dh.c
@@ -225,10 +225,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
 # generate C source from DH params
 my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand -8 |") || die;
+open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
 $dhsource .= $_ while ();
 close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand -8 |") || die;
+open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
 $dhsource .= $_ while ();
 close(FP);
 $dhsource =~ s|(DH\s+\*get_dh)|static $1|sg;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index c7a9776454..adc360512b 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -221,7 +221,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 /*
 * Seed the Pseudo Random Number Generator (PRNG)
+ *
+ * Note: scoreboard size must be fetched at init time because
+ * ap_calc_scoreboard_size() is not threadsafe
 */
+ mc->nScoreboardSize = ap_calc_scoreboard_size();
 ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
 /*
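Review bot: The `#if SSL_LIBRARY_VERSION >= 0x00907000` guarding the const-qualified prototype of ssl_callback_LogTracingState is repeated verbatim around the definition in ssl_engine_kernel.c, so the two copies can drift and a mismatch would only surface as a prototype conflict when one of them is edited. Defining the qualifier once here (a constructed example: `#define MODSSL_SSL_CONST const` inside the `#if`, empty in the `#else`) and writing a single `void ssl_callback_LogTracingState(MODSSL_SSL_CONST SSL *, int, int);` in both files leaves one place to update when the OpenSSL API changes. The threshold also deserves a comment on the `#if`, e.g. `/* OpenSSL 0.9.7 passes a const SSL * to the info callback */`, since nothing on the page records why 0x00907000 is the cutoff.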
@@ -713,7 +717,8 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
 }
 if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
 if (apr_is_fnmatch(cp) &&
- !apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
+ apr_fnmatch(cp, s->server_hostname,
+ FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
 ssl_log(s, SSL_LOG_WARN,
 "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
 "does NOT match server name!?", cpVHostID,
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index a9786d229f..6bee5eaab7 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1587,7 +1587,11 @@ void ssl_callback_DelSessionCacheEntry(
 * SSL handshake and does SSL record layer stuff. We use it to
 * trace OpenSSL's processing in out SSL logfile.
 */
+#if SSL_LIBRARY_VERSION >= 0x00907000
+void ssl_callback_LogTracingState(const SSL *ssl, int where, int rc)
+#else
 void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
+#endif
 {
 conn_rec *c;
 server_rec *s;
@@ -1597,7 +1601,7 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
 /*
 * find corresponding server
 */
- if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL)
 return;
 s = c->base_server;
 if ((sc = mySrvConfig(s)) == NULL)
diff --git a/modules/ssl/ssl_engine_rand.c b/modules/ssl/ssl_engine_rand.c
index 2cf98ff78c..230646d436 100644
--- a/modules/ssl/ssl_engine_rand.c
+++ b/modules/ssl/ssl_engine_rand.c
@@ -81,6 +81,7 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
 int nReq, nDone;
 apr_file_t *fp;
 int i, n, l;
+ int m;
 mc = myModConfig(s);
 nReq = 0;
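Review bot: The rewritten test `apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH` corrects the inverted check, but it now warns on exactly one return code, so any other failure apr_fnmatch might report would be read as a matching wildcard CN and the warning suppressed. If apr_fnmatch follows the APR convention of returning APR_SUCCESS on a match, `!= APR_SUCCESS` keeps the fix while treating every non-match as a mismatch. The consequence is only a lost startup diagnostic, since this block logs a warning rather than rejecting the certificate. The enclosing `if (SSL_X509_getCN(...))` block continues beyond the hunk.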
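Review bot: The `(SSL *)ssl` cast added in the second ssl_engine_kernel.c hunk (at `SSL_get_app_data((SSL *)ssl)`) discards the const that the new 0.9.7 signature introduces, and nothing says why that is acceptable; a comment such as `/* SSL_get_app_data() takes a non-const SSL *, but it only reads ex_data, so dropping const is safe */` would stop a later reader from treating the cast as licence to modify ssl. The `#if SSL_LIBRARY_VERSION >= 0x00907000` around the definition duplicates the one in mod_ssl.h and the two must stay in step. ssl_callback_LogTracingState runs on past both hunks.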
@@ -154,18 +155,21 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
 RAND_seed(stackdata+n, 128);
 nDone += 128;
-#if XXX_SBENTROPY_SOLVED
 /*
- * XXX: This is entirely borked, sizeof(scoreboard) < 1024
+ * seed in data extracted from the current scoreboard
 *
- * seed in an 1KB extract of the current scoreboard
+ * XXX: this assumes that the entire scoreboard is
+ * allocated in one big block of memory that begins at
+ * the location pointed to by ap_scoreboard_image->global
 */
- if (ap_scoreboard_image != NULL) {
- n = ssl_rand_choosenum(0,ap_calc_scoreboard_size()-1024-1);
- RAND_seed(((unsigned char *)ap_scoreboard_image)+n, 1024);
- nDone += 1024;
+ if (ap_scoreboard_image != NULL && mc->nScoreboardSize > 16)
+ {
+ m = ((mc->nScoreboardSize / 2) - 1);
+ n = ssl_rand_choosenum(0, m);
+ RAND_seed(
+ ((unsigned char *)ap_scoreboard_image->global)+n, m);
+ nDone += m;
 }
-#endif
 }
 }
 }
diff --git a/modules/ssl/ssl_scache_dbm.c b/modules/ssl/ssl_scache_dbm.c
index f6275dbc3b..09bca87e85 100644
--- a/modules/ssl/ssl_scache_dbm.c
+++ b/modules/ssl/ssl_scache_dbm.c
@@ -142,8 +142,10 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS
 UCHAR *ucp;
 /* streamline session data */
+ if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
+ return FALSE;
 ucp = ucaData;
- nData = i2d_SSL_SESSION(sess, &ucp);
+ i2d_SSL_SESSION(sess, &ucp);
 /* be careful: do not try to store too much bytes in a DBM file! */
 #ifdef PAIRMAX
diff --git a/modules/ssl/ssl_scache_shmcb.c b/modules/ssl/ssl_scache_shmcb.c
index 7309e89a66..cec7374922 100644
--- a/modules/ssl/ssl_scache_shmcb.c
+++ b/modules/ssl/ssl_scache_shmcb.c
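Review bot: `nDone += m` credits every byte of the scoreboard extract as seed material, but the scoreboard is a structured table that is largely zero at startup and sits in shared memory mapped by every httpd process, so most of those bytes are predictable to anything else on the host; the `nDone` figure this function accumulates therefore overstates the entropy actually gathered, which matters if a caller compares it with the requested amount or reports it as entropy. Mixing the bytes in is harmless and worth keeping, but they should not be counted at face value: `RAND_add(((unsigned char *)ap_scoreboard_image->global)+n, m, 0);` mixes them without an entropy credit, or keep `RAND_seed` and leave `nDone` untouched for this source. The bounds are sound as written (n + m ≤ 2m ≤ nScoreboardSize - 2, provided ssl_rand_choosenum(0, m) yields a value in [0, m]), but only under the assumption the XXX comment records, that the block at `ap_scoreboard_image->global` is `nScoreboardSize` bytes long; that should be checked or at least documented where `nScoreboardSize` is set in ssl_init_Module. ssl_rand_seed continues outside the hunk.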
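Review bot: The new length guard `if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData)) return FALSE;` compares what is presumably an `int` against a `size_t`, so the comparison is done unsigned: a negative return from i2d_SSL_SESSION (its error indication) becomes a huge value and is rejected only by accident, while a zero length slips through to the store. Spelling both cases out keeps the intent visible and survives a later type change: `if (nData <= 0 || (size_t)nData > sizeof(ucaData)) return FALSE;`. The identical pattern is added to ssl_scache_shmht_store in ssl_scache_shmht.c and should get the same treatment. The second `i2d_SSL_SESSION(sess, &ucp)` now discards its return even though it is the call that actually writes `ucaData`; `if (i2d_SSL_SESSION(sess, &ucp) != nData) return FALSE;` would catch a session whose encoded size differs between the two calls. ssl_scache_dbm_store continues outside the hunk.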
@@ -183,9 +183,9 @@ typedef struct {
 unsigned int division_offset;
 unsigned int division_size;
 unsigned int queue_size;
- unsigned char index_num;
- unsigned char index_offset;
- unsigned char index_size;
+ unsigned int index_num;
+ unsigned int index_offset;
+ unsigned int index_size;
 unsigned int cache_data_offset;
 unsigned int cache_data_size;
 unsigned long num_stores;
@@ -208,10 +208,10 @@ typedef struct {
 unsigned int queue_size;
 unsigned int cache_data_offset;
 unsigned int cache_data_size;
+ unsigned int index_num;
+ unsigned int index_offset;
+ unsigned int index_size;
 unsigned char division_mask;
- unsigned char index_num;
- unsigned char index_offset;
- unsigned char index_size;
 #endif
 } SHMCBHeader;
@@ -456,7 +456,7 @@ void ssl_scache_shmcb_kill(server_rec *s)
 return;
 }
-BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR * id, int idlen,
+BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR *id, int idlen,
 time_t timeout, SSL_SESSION * pSession)
 {
 SSLModConfigRec *mc = myModConfig();
@@ -478,7 +478,7 @@ BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR * id, int idlen,
 return to_return;
 }
-SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR * id, int idlen)
+SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR *id, int idlen)
 {
 SSLModConfigRec *mc = myModConfig();
 void *shm_segment;
@@ -499,14 +499,16 @@ SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR * id, int idlen)
 return pSession;
 }
-void ssl_scache_shmcb_remove(server_rec *s, UCHAR * id, int idlen)
+void ssl_scache_shmcb_remove(server_rec *s, UCHAR *id, int idlen)
 {
 SSLModConfigRec *mc = myModConfig();
 void *shm_segment;
 /* We've kludged our pointer into the other cache's member variable. */
 shm_segment = (void *) mc->tSessionCacheDataTable;
+ ssl_mutex_on(s);
 shmcb_remove_session(s, shm_segment, id, idlen);
+ ssl_mutex_off(s);
 }
 void ssl_scache_shmcb_expire(server_rec *s)
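Review bot: The three index_* fields become `unsigned int` in what appear to be both conditional layouts of SHMCBHeader, which changes the byte layout of a structure that lives at the head of the shared-memory segment and is read by every process that maps it, yet nothing on the struct says that the two `#if` branches must stay field-for-field compatible or that the layout is a cross-process contract. A comment on the typedef such as `/* Lives at the start of the shm segment and is read by every process; keep both #if branches in step and do not reorder fields casually */` would record that. In the ssl_scache_shmcb_remove hunk the new `ssl_mutex_on(s)`/`ssl_mutex_off(s)` pair brackets a single call and cannot skip the unlock, which is fine; whether store and retrieve take the same mutex is not visible in these hunks and is worth confirming. The typedef begins before the first hunk.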
@@ -705,7 +707,7 @@ static BOOL shmcb_init_memory(
 }
 static BOOL shmcb_store_session(
- server_rec *s, void *shm_segment, UCHAR * id,
+ server_rec *s, void *shm_segment, UCHAR *id,
 int idlen, SSL_SESSION * pSession, time_t timeout)
 {
@@ -755,7 +757,7 @@ static BOOL shmcb_store_session(
 static SSL_SESSION *shmcb_retrieve_session(
 server_rec *s, void *shm_segment,
- UCHAR * id, int idlen)
+ UCHAR *id, int idlen)
 {
 SHMCBHeader *header;
 SHMCBQueue queue;
@@ -795,7 +797,7 @@ static SSL_SESSION *shmcb_retrieve_session(
 static BOOL shmcb_remove_session(
 server_rec *s, void *shm_segment,
- UCHAR * id, int idlen)
+ UCHAR *id, int idlen)
 {
 SHMCBHeader *header;
 SHMCBQueue queue;
@@ -992,7 +994,7 @@ static SHMCBIndex *shmcb_get_index(
 const SHMCBQueue *queue, unsigned int idx)
 {
 /* bounds check */
- if (idx > (unsigned int) queue->header->index_num)
+ if (idx > queue->header->index_num)
 return NULL;
 /* Return a pointer to the index. NB: I am being horribly pendantic
diff --git a/modules/ssl/ssl_scache_shmht.c b/modules/ssl/ssl_scache_shmht.c
index 42c4dbcf4b..78d2adc32a 100644
--- a/modules/ssl/ssl_scache_shmht.c
+++ b/modules/ssl/ssl_scache_shmht.c
@@ -175,8 +175,10 @@ BOOL ssl_scache_shmht_store(server_rec *s, UCHAR *id, int idlen, time_t expiry,
 UCHAR *ucp;
 /* streamline session data */
+ if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
+ return FALSE;
 ucp = ucaData;
- nData = i2d_SSL_SESSION(sess, &ucp);
+ i2d_SSL_SESSION(sess, &ucp);
 ssl_mutex_on(s);
 if (table_insert_kd(mc->tSessionCacheDataTable,
-- 
2.50.1
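Review bot: The bounds check `if (idx > queue->header->index_num) return NULL;` in the shmcb_get_index hunk still admits `idx == index_num`; if index_num is the number of index slots, as its name suggests, that value addresses one element past the last SHMCBIndex and the pointer the rest of the function computes lands outside the index array in shared memory. The commit only drops the now-redundant cast, so this is pre-existing, but widening index_num makes it worth settling now: either `if (idx >= queue->header->index_num) return NULL;` or a comment on the field stating that it holds the highest valid index rather than a count. The return statement of shmcb_get_index lies outside the hunk.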