author | 2000-06-30 05:35:09 +0000 | |
---|---|---|
committer | 2000-06-30 05:35:09 +0000 | |
commit | e8b955054c8ef9715009d4503352099ed76f5067 (patch) | |
tree | e999b9579683ad92093aa0e6450e5b685e861cb8 | |
parent | .es kbd; from nbsd (diff) | |
mod_ssl 2.6.4 merge
From brad@
24 files changed, 309 insertions, 190 deletions
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html index 926a739c575..94e743862f6 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html @@ -645,7 +645,7 @@ And a "PRNG not seeded" error occurs if I try "make certificate".</strong> randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness. So mod_ssl has to provide enough entropy to the PRNG to work correctly. For this one has to use the - <code>SSLRandSeed</code> directives (to solve the run-time problem) + <code>SSLRandomSeed</code> directives (to solve the run-time problem) and create a <code>$HOME/.rnd</code> file to make sure enough entropy is available also for the "<code>make certificate</code>" step (in case the "<code>make certificate</code>" procedure is not diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml index 74e36599a86..80681aa351b 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml @@ -381,7 +381,7 @@ And a "PRNG not seeded" error occurs if I try "make certificate". randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness. So mod_ssl has to provide enough entropy to the PRNG to work correctly. For this one has to use the - <code>SSLRandSeed</code> directives (to solve the run-time problem) + <code>SSLRandomSeed</code> directives (to solve the run-time problem) and create a <code>$HOME/.rnd</code> file to make sure enough entropy is available also for the "<code>make certificate</code>" step (in case the "<code>make certificate</code>" procedure is not diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html index 50e44466b06..22554ca704e 100644 
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html @@ -358,7 +358,7 @@ public key. Only the bank will be able to decrypt it. </ul> <H3><a name="ToC3">Message Digests</a></H3> Although Alice may encrypt her message to make it private, there is still a -concern that someone might modify her original message message or substitute +concern that someone might modify her original message or substitute it with a different one, in order to transfer the money to themselves, for instance. One way of guaranteeing the integrity of Alice's message is to create a concise summary of her message and send this to the bank as well. diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml index 69af97df0f5..8c2d46ddb2c 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml @@ -122,7 +122,7 @@ public key. Only the bank will be able to decrypt it. <h3>Message Digests</h3> Although Alice may encrypt her message to make it private, there is still a -concern that someone might modify her original message message or substitute +concern that someone might modify her original message or substitute it with a different one, in order to transfer the money to themselves, for instance. One way of guaranteeing the integrity of Alice's message is to create a concise summary of her message and send this to the bank as well. diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL index 66b7d5df32e..6e9e84126ba 100644 --- a/usr.sbin/httpd/src/CHANGES.SSL +++ b/usr.sbin/httpd/src/CHANGES.SSL 
@@ -23,6 +23,91 @@ / __/ | (_) | __ |_____(_)___/____________________________________________ + Changes with mod_ssl 2.6.4 (16-Apr-2000 to 01-May-2000) + + *) Fixed Win32 build by adding gdi32.lib to the libraries + and an additional include for <winsock2.h>. + + *) Added Equifax Secure CA certificates to ca-bundle.crt. + + *) Let the pass phrase dialog force the prompt to occur only once + (no verification step), because mod_ssl uses the dialog only for + pass phrases which are required for reading private keys. This as a + side-effect should fix a problem under Win32 where a second prompt + occured for unknown reasons. + + *) Added more compatibility to Stronghold v2's SSL_SessionCache. + + *) Added two more EAPI hools under SSL_VENDOR: one for overriding + ap_server_root_relative calls and one for hooking into the server + configuration step. + + *) Fixed SSL display for mod_status in `short report' situation. + + *) Made the SSL_EXPERIMENTAL stuff more flexible by checking + for particular subset SSL_EXPERIMENTAL_xxxx defines and let + SSL_EXPERIMENTAL define all those per default. This reduces the + amount of patching vendors have to do in order to just enable a + subset of the experimental code. + + *) Added hint to INSTALL document about port specifiers in test URLs + (`:8080' and `:8443') if the installation is done under a non-root + user. + + *) Fixed Win32's configure.bat: the check for OpenSSL + header and libraries is now extended. + + *) Fixed --with-apxs under Solaris where libssl.module + has to know $CC in order to enable the libgcc.a workaround. + + *) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy + support (ssl_engine_ext.c/mod_proxy) under _NOT_ SSL_EXPERIMENTAL. 
+ + Changes with mod_ssl 2.6.3 (02-Mar-2000 to 16-Apr-2000) + + *) Moved the session cache expire time calculation and handling in + ssl_engine_scache.c down to the particular cache-type dependent + expire functions to allow a custom vendor supplied cache to perform + its own expire handling. + + *) The sub-shells from libssl.module are now called with an + explicitly determined Bourne Shell (instead of the implicit she-bang + line). This both avoids problems on brain-dead platforms where + /bin/sh is broken (Ultrix, etc.) and workarounds a CVS problem in + OpenBSD where on read-only checkouts the x-bits sometimes get lost. + + *) Do a slightly better initialization of the random file + in src/support/mkcert.sh if $HOME/.rnd doesn't exist. + + *) Be aware of OpenSSL 0.9.5's X509_V_ERR_CERT_UNTRUSTED error. + + *) Cleaned up and optimized ssl_engine_vars.c by kicking out the old + static cipher table and calculating the cipher bits dynamically. This + avoids lots of string comparisons, reduces further maintainance costs + and makes the code smaller. + + *) Cleaned up pkg.contrib/truerand.c: volatile variables, + correct function return types, etc. + + *) Fix HTTPS proxy support: if SSLProxyVerify is Off, we don't need + to log any errors if the certification fails. Additionally we now + don't free the proxy context after a connection, because we will need + it for the next proxy connection we make. + + *) Activate `SSLMutex sem' also on HPUX. + + *) Allow libssl.module to handle CFLAGS="cc -flags". + + *) Fixed typo in ssl_intro.wml: "message" was written twice + + *) Added two eval casts for ap_md5() calls. + + *) Fixed typo in ssl_faq.wml: SSLRandSeed -> SSLRandomSeed. + + *) Add final messages also under "configure --with-eapi-only" which + give a hint to proceed with --enable-module=so --enable-rule=EAPI in + the Apache source tree. + Changes with mod_ssl 2.6.2 (29-Feb-2000 to 02-Mar-2000) *) Updated the conf/ssl.crt/ca-bundle.crt file (containing the CA 
diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 b/usr.sbin/httpd/src/modules/ssl/Makefile.win32 index 7d1188ff15f..dff2b48fd00 100644 --- a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 +++ b/usr.sbin/httpd/src/modules/ssl/Makefile.win32 @@ -122,7 +122,7 @@ $(LIBNAME).dll: $(OBJS) ..\..\CoreR\ApacheCore.lib \ $(SSL_LIB)\ssleay32.lib \ $(SSL_LIB)\libeay32.lib \ - wsock32.lib + wsock32.lib gdi32.lib clean: -$(RM) $(LIBFILE) diff --git a/usr.sbin/httpd/src/modules/ssl/README b/usr.sbin/httpd/src/modules/ssl/README index 4b6679efbcb..1488a0a641f 100644 --- a/usr.sbin/httpd/src/modules/ssl/README +++ b/usr.sbin/httpd/src/modules/ssl/README 
@@ -109,21 +109,30 @@ EXPERIMENTAL CODE - Experimental code is always encapsulated as + Experimental code is always encapsulated as following: - | #ifdef SSL_EXPERIMENTAL + | #ifdef SSL_EXPERIMENTAL_xxxx | ... | #endif - blocks and only compiled in when this define is enabled with the APACI - --enable-rule=SSL_EXPERIMENTAL option. Currently the following features are - experimental: + This way it is only compiled in when this define is enabled with + the APACI --enable-rule=SSL_EXPERIMENTAL option and as long as the + C pre-processor variable SSL_EXPERIMENTAL_xxxx_IGNORE is _NOT_ + defined (via CFLAGS). Or in other words: SSL_EXPERIMENTAL enables all + SSL_EXPERIMENTAL_xxxx variables, except if SSL_EXPERIMENTAL_xxxx_IGNORE + is already defined. Currently the following features are experimental: - o The ability to use SSLCACertificateFile and SSLCACertificatePath + o SSL_EXPERIMENTAL_PERDIRCA + The ability to use SSLCACertificateFile and SSLCACertificatePath in a per-directory context (.htaccess). This is provided by some nasty reconfiguration hacks until OpenSSL has better support for this. It should work on non-multithreaded platforms (all but Win32). + o SSL_EXPERIMENTAL_PROXY + The ability to use various additional SSLProxyXXX directives in + oder to control extended client functionality in the HTTPS proxy + code. + VENDOR EXTENSIONS Inside the mod_ssl sources you can enable various EAPI vendor hooks diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module index 0205d699bd5..d7d4bc7bc28 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.module +++ b/usr.sbin/httpd/src/modules/ssl/libssl.module @@ -82,6 +82,18 @@ ConfigStart SSL_LDFLAGS='' SSL_LIBS='' + # + # find a reasonable Bourne Shell for sub-shell calls + # + SH=sh + if [ -f /bin/bash ]; then + SH=/bin/bash + elif [ -f /bin/sh5 ]; then + SH=/bin/sh5 + elif [ -f /bin/sh ]; then + SH=/bin/sh + fi + # # determine mod_ssl author version # 
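Review bot: The Bourne-shell probe added under ConfigStart tests `[ -f /bin/bash ]`, `[ -f /bin/sh5 ]` and `[ -f /bin/sh ]`, which only check that a file exists, not that it can be executed; a non-executable or stub file would still be selected and every later `$SH helpers/...` call would fail in a confusing way. Use the executability test instead: `if [ -x /bin/bash ]; then`, `elif [ -x /bin/sh5 ]; then`, `elif [ -x /bin/sh ]; then`. The ordering also prefers bash over /bin/sh on every platform, while the CHANGES entry explains this as a workaround for platforms whose /bin/sh is broken; a comment at the top of the probe such as `# prefer bash/sh5 because /bin/sh is broken on some platforms (Ultrix etc.)` would tell the next reader why the order is what it is.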
@@ -142,11 +154,11 @@ ConfigStart my_rule_SSL_CONSERVATIVE=$SSL_CONSERVATIVE my_rule_SSL_VENDOR=$SSL_VENDOR else - my_rule_SSL_COMPAT=`sh ./helpers/CutRule SSL_COMPAT $file` - my_rule_SSL_SDBM=`sh ./helpers/CutRule SSL_SDBM $file` - my_rule_SSL_EXPERIMENTAL=`sh ./helpers/CutRule SSL_EXPERIMENTAL $file` - my_rule_SSL_CONSERVATIVE=`sh ./helpers/CutRule SSL_CONSERVATIVE $file` - my_rule_SSL_VENDOR=`sh ./helpers/CutRule SSL_VENDOR $file` + my_rule_SSL_COMPAT=`$SH helpers/CutRule SSL_COMPAT $file` + my_rule_SSL_SDBM=`$SH helpers/CutRule SSL_SDBM $file` + my_rule_SSL_EXPERIMENTAL=`$SH helpers/CutRule SSL_EXPERIMENTAL $file` + my_rule_SSL_CONSERVATIVE=`$SH helpers/CutRule SSL_CONSERVATIVE $file` + my_rule_SSL_VENDOR=`$SH helpers/CutRule SSL_VENDOR $file` fi # @@ -208,7 +220,7 @@ ConfigStart if [ ".$DBM_LIB" != . ]; then LIBS_ORIG="$LIBS" LIBS="$LIBS $DBM_LIB" - if sh ./helpers/TestCompile func dbm_open; then + if $SH helpers/TestCompile func dbm_open; then SSL_DBM_NAME="Configured DBM ($DBM_LIB)" SSL_DBM_FLAG="$DBM_LIB" fi @@ -216,13 +228,13 @@ ConfigStart fi # 2. check for various vendor DBM libs if [ ".$SSL_DBM_NAME" = . ]; then - if sh ./helpers/TestCompile func dbm_open; then + if $SH helpers/TestCompile func dbm_open; then SSL_DBM_NAME='Vendor DBM (libc)' SSL_DBM_FLAG='' - elif sh ./helpers/TestCompile lib dbm dbm_open; then + elif $SH helpers/TestCompile lib dbm dbm_open; then SSL_DBM_NAME='Vendor DBM (libdbm)' SSL_DBM_FLAG='-ldbm' - elif sh ./helpers/TestCompile lib ndbm dbm_open; then + elif $SH helpers/TestCompile lib ndbm dbm_open; then SSL_DBM_NAME='Vendor DBM (libndbm)' SSL_DBM_FLAG='-lndbm' fi @@ -517,7 +529,8 @@ ConfigStart # needed (like on FreeBSD, Linux, etc.) # if [ ".$my_buildtype" = .DSO ]; then - case $CC in + my_CC=`echo "$CC" | sed -e 's/ .*//'` + case $my_CC in gcc|*/gcc|egcs|*/egcs|egcc|*/egcc|pgcc|*/pgcc ) gcclibdir="`$CC --print-libgcc-file-name | sed -e 's;/[^/]*$;;'`" SSL_LIBS="$SSL_LIBS -L$gcclibdir -lgcc" 
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index f772c9fffa1..9b6e42714fd 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.6.2-1.3.12
+mod_ssl/2.6.4-1.3.12
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index d872b6701e4..978bc389032 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -74,7 +74,7 @@ * identify the module to SCCS `what' and RCS `ident' commands */
static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.4 2000/03/19 11:17:20 beck Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.5 2000/06/30 05:35:10 beck Exp $";
/* * the table of configuration directives we provide
@@ -114,7 +114,7 @@ static command_rec ssl_config_cmds[] = { AP_SRV_CMD(CertificateChainFile, TAKE1, "SSL Server CA Certificate Chain file " "(`/path/to/file' - PEM encoded)")
-#ifdef SSL_EXPERIMENTAL
+#ifdef SSL_EXPERIMENTAL_PERDIRCA
AP_ALL_CMD(CACertificatePath, TAKE1, "SSL CA Certificate path " "(`/path/to/dir' - contains PEM encoded files)")
@@ -154,7 +154,7 @@ static command_rec ssl_config_cmds[] = { "Enable or disable various SSL protocols" "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
-#ifdef SSL_EXPERIMENTAL
+#ifdef SSL_EXPERIMENTAL_PROXY
/* * Proxy configuration for remote SSL connections */
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 3725844c3d0..df91598563f 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -73,6 +73,20 @@ #error "mod_ssl requires Extended API (EAPI)" #endif +/* + * Optionally enable the experimental stuff, but allow the user to + * override the decision which experimental parts are included by using + * CFLAGS="-DSSL_EXPERIMENTAL_xxxx_IGNORE". + */ +#ifdef SSL_EXPERIMENTAL +#ifndef SSL_EXPERIMENTAL_PERDIRCA_IGNORE +#define SSL_EXPERIMENTAL_PERDIRCA +#endif +#ifndef SSL_EXPERIMENTAL_PROXY_IGNORE +#define SSL_EXPERIMENTAL_PROXY +#endif +#endif /* SSL_EXPERIMENTAL */ + /* * Power up our brain... */ @@ -90,6 +104,7 @@ #endif #ifdef WIN32 #include <wincrypt.h> +#include <winsock2.h> #endif /* OpenSSL headers */ @@ -265,7 +280,7 @@ __FreeBSD_version >= 300000) ||\ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) &&\ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\ - defined(SOLARIS2) + defined(SOLARIS2) || defined(__hpux) #define SSL_CAN_USE_SEM #define SSL_HAVE_IPCSEM #include <sys/types.h> @@ -579,7 +594,7 @@ typedef struct { char *szCARevocationPath; char *szCARevocationFile; X509_STORE *pRevocationStore; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY /* Configuration details for proxy operation */ ssl_proto_t nProxyProtocol; int bProxyVerify; @@ -611,7 +626,7 @@ typedef struct { char *szCipherSuite; ssl_verify_t nVerifyClient; int nVerifyDepth; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA char *szCACertificatePath; char *szCACertificateFile; #endif 
@@ -657,7 +672,7 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *, char *, const char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
-#ifdef SSL_EXPERIMENTAL
+#ifdef SSL_EXPERIMENTAL_PROXY
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, char *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProxyVerify(cmd_parms *, char *, int);
@@ -801,6 +816,7 @@ void ssl_compat_variables(request_rec *);
#endif /* Utility Functions */
+char *ssl_util_server_root_relative(pool *, char *);
char *ssl_util_vhostid(pool *, server_rec *);
void ssl_util_strupper(char *);
void ssl_util_uuencode(char *, const char *, BOOL);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
index 1f44f4440d9..14f9ae1643b 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
@@ -83,6 +83,7 @@ static char *ssl_compat_SSLSessionLockFile(pool *, const char *, const char *, c
static char *ssl_compat_SSLCacheDisable(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLRequireCipher(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLBanCipher(pool *, const char *, const char *, const char *);
+static char *ssl_compat_SSL_SessionDir(pool *, const char *, const char *, const char *);
static char *ssl_compat_words2list(pool *, const char *);
#define CRM_BEGIN /* nop */
@@ -136,7 +137,7 @@ static struct { CRM_ENTRY( CRM_CMD("SSL_ClientAuth"), CRM_SUB("SSLVerifyClient") ) CRM_ENTRY( CRM_CMD("SSL_X509VerifyDepth"), CRM_SUB("SSLVerifyDepth") ) CRM_ENTRY( CRM_CMD("SSL_FetchKeyPhraseFrom"), CRM_LOG("Use SSLPassPhraseDialog instead") ) - CRM_ENTRY( CRM_CMD("SSL_SessionDir"), CRM_LOG("Use SSLSessionCache instead") ) + CRM_ENTRY( CRM_CMD("SSL_SessionDir"), CRM_CAL(ssl_compat_SSL_SessionDir) ) CRM_ENTRY( CRM_CMD("SSL_Require"), CRM_LOG("Use SSLRequire instead (Syntax!)")) CRM_ENTRY( CRM_CMD("SSL_CertFileType"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSL_KeyFileType"), CRM_LOG("Not supported by mod_ssl") ) @@ -160,7 +161,7 @@ static struct { CRM_ENTRY( CRM_CMD("SSL_CertificateLogDir"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("AuthCertDir"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSL_Group"), CRM_LOG("Not supported by mod_ssl") ) -#ifndef SSL_EXPERIMENTAL +#ifndef SSL_EXPERIMENTAL_PROXY CRM_ENTRY( CRM_CMD("SSLProxyMachineCertPath"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyMachineCertFile"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyCACertificatePath"), CRM_LOG("Not supported by mod_ssl") ) @@ -222,6 +223,16 @@ static char *ssl_compat_SSLBanCipher(pool *p, const char *oline, const char *cmd "})", NULL); } +static char *ssl_compat_SSL_SessionDir( + pool *p, const char *oline, const char *cmd, const char *args) +{ + char *cp; + + for (cp = (char *)args; ap_isspace(*cp); cp++) + ; + return ap_pstrcat(p, "SSLSessionCache dir:", cp, NULL); +} + static char *ssl_compat_words2list(pool *p, const char *oline) { char *line; diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c index 9f62ee6c216..91c4883de25 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c 
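Review bot: The new `ssl_compat_SSL_SessionDir` rewrites the legacy directive into `SSLSessionCache dir:<path>`, but the only argument forms of SSLSessionCache visible in this commit's ssl_cmd_SSLSessionCache hunk are `dbm:` and `shm:`; if no `dir:` form is accepted (the rest of that function is not in view here) the translated directive will be rejected at configuration time, which is a regression from the previous explicit "Use SSLSessionCache instead" log entry. Please confirm the target syntax, and if the intent is a DBM cache rooted in that directory, emit `dbm:` with a file name underneath it instead. Independently, `(char *)args` only exists to strip `const` for a read-only scan; `const char *cp;` with `for (cp = args; ap_isspace(*cp); cp++) ;` keeps the qualifier and ap_pstrcat accepts it unchanged. A whitespace-only argument currently produces `SSLSessionCache dir:` with an empty path, so rejecting that case with a clear message would be better than handing it on.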
@@ -206,7 +206,7 @@ void *ssl_config_server_create(pool *p, server_rec *s) sc->szCARevocationFile = NULL; sc->pRevocationStore = NULL; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY sc->nProxyVerifyDepth = UNSET; sc->szProxyCACertificatePath = NULL; sc->szProxyCACertificateFile = NULL; @@ -276,7 +276,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv) p, base, add, new); #endif -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY cfgMergeInt(nProxyVerifyDepth); cfgMergeString(szProxyCACertificatePath); cfgMergeString(szProxyCACertificateFile); @@ -307,7 +307,7 @@ void *ssl_config_perdir_create(pool *p, char *dir) dc->szCipherSuite = NULL; dc->nVerifyClient = SSL_CVERIFY_UNSET; dc->nVerifyDepth = UNSET; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA dc->szCACertificatePath = NULL; dc->szCACertificateFile = NULL; #endif @@ -349,7 +349,7 @@ void *ssl_config_perdir_merge(pool *p, void *basev, void *addv) cfgMergeString(szCipherSuite); cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); cfgMergeInt(nVerifyDepth); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA cfgMergeString(szCACertificatePath); cfgMergeString(szCACertificateFile); #endif @@ -398,7 +398,7 @@ const char *ssl_cmd_SSLMutex( #ifndef WIN32 mc->nMutexMode = SSL_MUTEXMODE_FILE; mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu", - ap_server_root_relative(cmd->pool, arg+5), + ssl_util_server_root_relative(cmd->pool, arg+5), (unsigned long)getpid()); #else return "SSLMutex: Lockfiles not available on this platform"; 
@@ -430,7 +430,7 @@ const char *ssl_cmd_SSLPassPhraseDialog( } else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) { sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER; - sc->szPassPhraseDialogPath = ap_server_root_relative(cmd->pool, arg+5); + sc->szPassPhraseDialogPath = ssl_util_server_root_relative(cmd->pool, arg+5); if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath)) return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '", sc->szPassPhraseDialogPath, "' not exists", NULL); @@ -461,16 +461,16 @@ const char *ssl_cmd_SSLRandomSeed( "invalid context: `", arg1, "'"); if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) { pRS->nSrc = SSL_RSSRC_FILE; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5)); + pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2+5)); } else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) { pRS->nSrc = SSL_RSSRC_EXEC; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5)); + pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2+5)); } #if SSL_LIBRARY_VERSION >= 0x00905100 else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) { pRS->nSrc = SSL_RSSRC_EGD; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+4)); + pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2+4)); } #endif else if (strcEQ(arg2, "builtin")) { @@ -479,7 +479,7 @@ const char *ssl_cmd_SSLRandomSeed( } else { pRS->nSrc = SSL_RSSRC_FILE; - pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2)); + pRS->cpPath = ap_pstrdup(mc->pPool, ssl_util_server_root_relative(cmd->pool, arg2)); } if (pRS->nSrc != SSL_RSSRC_BUILTIN) if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath)) 
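Review bot: The `exec:` program path of SSLPassPhraseDialog is validated only with `SSL_PCM_EXISTS` on the line after the changed call, so a directory, a device node or an empty file passes configuration and the problem only surfaces when the filter is spawned at startup, with the server's startup privileges, to obtain private-key pass phrases. The same flag set this file already uses for certificate files fits here: `if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, sc->szPassPhraseDialogPath))`. The `exec:` branch of ssl_cmd_SSLRandomSeed further down has the identical weakness, but there the shared check at the end of the function must keep plain `SSL_PCM_EXISTS` because `egd:` paths are sockets, so the stricter check belongs inside the `exec:` branch itself. Whether ssl_util_path_check can also assert the executable bit I cannot tell from this chunk; if it can, that is the better check. ssl_cmd_SSLPassPhraseDialog begins before this hunk.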
@@ -526,7 +526,7 @@ const char *ssl_cmd_SSLCertificateFile( char *cpPath; int i; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '", cpPath, "' not exists or empty", NULL); @@ -547,7 +547,7 @@ const char *ssl_cmd_SSLCertificateKeyFile( char *cpPath; int i; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '", cpPath, "' not exists or empty", NULL); @@ -567,7 +567,7 @@ const char *ssl_cmd_SSLCertificateChainFile( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '", cpPath, "' not exists or empty", NULL); @@ -581,11 +581,11 @@ const char *ssl_cmd_SSLCACertificatePath( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '", cpPath, "' not exists", NULL); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA if (cmd->path == NULL || dc == NULL) sc->szCACertificatePath = cpPath; else 
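Review bot: ssl_cmd_SSLCertificateKeyFile still accepts a private key whatever its file mode; the check on the line after the changed call asserts only existence, regular-file and non-empty, so a group- or world-readable key is taken silently, which undoes the pass-phrase protection the module otherwise provides. A stat() of cpPath after the existing check that warns when `st.st_mode & (S_IRGRP|S_IROTH)` is set would surface this at configuration time without breaking existing installations; refusing the key outright is the stricter alternative. The SSLProxyMachineCertificateFile handler later in this file, which by its name carries the proxy's own client credentials, deserves the same treatment. I cannot see whether ssl_util_path_check exposes a mode flag; if it does, prefer that over an inline stat().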
@@ -602,11 +602,11 @@ const char *ssl_cmd_SSLCACertificateFile( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '", cpPath, "' not exists or empty", NULL); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA if (cmd->path == NULL || dc == NULL) sc->szCACertificateFile = cpPath; else @@ -623,7 +623,7 @@ const char *ssl_cmd_SSLCARevocationPath( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '", cpPath, "' not exists", NULL); @@ -637,7 +637,7 @@ const char *ssl_cmd_SSLCARevocationFile( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '", cpPath, "' not exists or empty", NULL); 
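Review bot: The error string in ssl_cmd_SSLCARevocationPath, two lines after the changed call, misspells the directive as `SSLCARecocationPath`, so an administrator searching the error log for the directive they actually wrote will not find the message; change it to `return ap_pstrcat(cmd->pool, "SSLCARevocationPath: directory '",`. The sibling ssl_cmd_SSLCARevocationFile handler in the next hunk spells it correctly, so the two messages currently disagree.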
@@ -703,14 +703,14 @@ const char *ssl_cmd_SSLSessionCache( else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) { mc->nSessionCacheMode = SSL_SCMODE_DBM; mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, - ap_server_root_relative(cmd->pool, arg+4)); + ssl_util_server_root_relative(cmd->pool, arg+4)); } else if (strlen(arg) > 4 && strcEQn(arg, "shm:", 4)) { if (!ap_mm_useable()) return "SSLSessionCache: shared memory cache not useable on this platform"; mc->nSessionCacheMode = SSL_SCMODE_SHM; mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool, - ap_server_root_relative(cmd->pool, arg+4)); + ssl_util_server_root_relative(cmd->pool, arg+4)); mc->tSessionCacheDataTable = NULL; mc->nSessionCacheDataSize = 1024*512; /* 512KB */ if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) { @@ -902,7 +902,7 @@ const char *ssl_cmd_SSLProtocol( return NULL; } -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY const char *ssl_cmd_SSLProxyProtocol( cmd_parms *cmd, char *struct_ptr, const char *opt) @@ -980,7 +980,7 @@ const char *ssl_cmd_SSLProxyCACertificateFile( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '", cpPath, "' not exists or empty", NULL); @@ -994,7 +994,7 @@ const char *ssl_cmd_SSLProxyCACertificatePath( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '", cpPath, "' does not exists", NULL); 
@@ -1008,7 +1008,7 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '", cpPath, "' not exists or empty", NULL); @@ -1022,7 +1022,7 @@ const char *ssl_cmd_SSLProxyMachineCertificatePath( SSLSrvConfigRec *sc = mySrvConfig(cmd->server); char *cpPath; - cpPath = ap_server_root_relative(cmd->pool, arg); + cpPath = ssl_util_server_root_relative(cmd->pool, arg); if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '", cpPath, "' does not exists", NULL); @@ -1030,5 +1030,5 @@ const char *ssl_cmd_SSLProxyMachineCertificatePath( return NULL; } -#endif /* SSL_EXPERIMENTAL */ +#endif /* SSL_EXPERIMENTAL_PROXY */ diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c index 47092184c89..d2e538492d4 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c @@ -219,7 +219,7 @@ static int ssl_ext_mp_set_destport(request_rec *); static char *ssl_ext_mp_new_connection(request_rec *, BUFF *, char *); static void ssl_ext_mp_close_connection(void *); static int ssl_ext_mp_write_host_header(request_rec *, BUFF *, char *, int, char *); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY static void ssl_ext_mp_init(server_rec *, pool *); static int ssl_ext_mp_verify_cb(int, X509_STORE_CTX *); static int ssl_ext_mp_clientcert_cb(SSL *, X509 **, EVP_PKEY **); 
@@ -230,7 +230,7 @@ static int ssl_ext_mp_clientcert_cb(SSL *, X509 **, EVP_PKEY **); */ static void ssl_ext_mp_register(void) { -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY ap_hook_register("ap::mod_proxy::init", ssl_ext_mp_init, AP_HOOK_NOCTX); #endif @@ -249,7 +249,7 @@ static void ssl_ext_mp_register(void) static void ssl_ext_mp_unregister(void) { -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY ap_hook_unregister("ap::mod_proxy::init", ssl_ext_mp_init); #endif ap_hook_unregister("ap::mod_proxy::canon", ssl_ext_mp_canon); @@ -266,7 +266,7 @@ static void ssl_ext_mp_unregister(void) /* * SSL proxy initialization */ -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY static void ssl_ext_mp_init(server_rec *s, pool *p) { SSLSrvConfigRec *sc; @@ -400,7 +400,7 @@ static void ssl_ext_mp_init(server_rec *s, pool *p) } return; } -#endif /* SSL_EXPERIMENTAL */ +#endif /* SSL_EXPERIMENTAL_PROXY */ static int ssl_ext_mp_canon(request_rec *r, char *url) { @@ -442,7 +442,7 @@ static int ssl_ext_mp_set_destport(request_rec *r) static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) { -#ifndef SSL_EXPERIMENTAL +#ifndef SSL_EXPERIMENTAL_PROXY SSL_CTX *ssl_ctx; #endif SSL *ssl; @@ -450,7 +450,7 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) int rc; char *cpVHostID; char *cpVHostMD5; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY SSLSrvConfigRec *sc; char *cp; #endif @@ -461,7 +461,7 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) /* * Find context */ -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY sc = mySrvConfig(r->server); #endif cpVHostID = ssl_util_vhostid(r->pool, r->server); @@ -469,7 +469,7 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) /* * Create a SSL context and handle */ -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY ssl = SSL_new(sc->pSSLProxyCtx); #else ssl_ctx = SSL_CTX_new(SSLv23_client_method()); 
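Review bot: In the `#else` branch of ssl_ext_mp_new_connection the proxy's client context is created fresh with `SSL_CTX_new(SSLv23_client_method())` for every proxied HTTPS connection, and nothing visible in this hunk sets a verify mode or a CA store on it; unless that happens in the elided lines, a build without SSL_EXPERIMENTAL_PROXY accepts any backend certificate, so the hop is encrypted but the backend is not authenticated. That may be the intended trade-off for a build that has no SSLProxy* directives, but it should be stated at the point where the context is built, e.g. `/* NOTE: no peer verification here -- the backend certificate is accepted unchecked unless SSL_EXPERIMENTAL_PROXY supplies sc->pSSLProxyCtx */`. A per-connection SSL_CTX also cannot reuse sessions across proxied connections, so every request pays a full handshake; if that is acceptable it belongs in the same comment. ssl_ext_mp_new_connection continues outside this hunk.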
@@ -482,7 +482,7 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) return errmsg; } SSL_clear(ssl); - cpVHostMD5 = ap_md5(r->pool, cpVHostID); + cpVHostMD5 = ap_md5(r->pool, (unsigned char *)cpVHostID); if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) { errmsg = ap_psprintf(r->pool, "Unable to set session id context to `%s': peer %s: %s", cpVHostMD5, peer, ERR_reason_error_string(ERR_get_error())); @@ -490,11 +490,11 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) return errmsg; } SSL_set_fd(ssl, fb->fd); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY SSL_set_app_data(ssl, fb->ctx); #endif ap_ctx_set(fb->ctx, "ssl", ssl); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY ap_ctx_set(fb->ctx, "ssl::proxy::server_rec", r->server); ap_ctx_set(fb->ctx, "ssl::proxy::peer", peer); ap_ctx_set(fb->ctx, "ssl::proxy::servername", cpVHostID); @@ -511,7 +511,7 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) * Establish the SSL connection */ if ((rc = SSL_connect(ssl)) <= 0) { -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY if ((cp = (char *)ap_ctx_get(fb->ctx, "ssl::proxy::verifyerror")) != NULL) { SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); SSL_smart_shutdown(ssl); @@ -536,17 +536,23 @@ static void ssl_ext_mp_close_connection(void *_fb) { BUFF *fb = _fb; SSL *ssl; +#ifndef SSL_EXPERIMENTAL_PROXY SSL_CTX *ctx; +#endif ssl = ap_ctx_get(fb->ctx, "ssl"); if (ssl != NULL) { +#ifndef SSL_EXPERIMENTAL_PROXY ctx = SSL_get_SSL_CTX(ssl); +#endif SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); SSL_smart_shutdown(ssl); SSL_free(ssl); ap_ctx_set(fb->ctx, "ssl", NULL); +#ifndef SSL_EXPERIMENTAL_PROXY if (ctx != NULL) SSL_CTX_free(ctx); +#endif } return; } 
@@ -564,7 +570,7 @@ static int ssl_ext_mp_write_host_header( return DECLINED; } -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY /* * Callback for client certificate stuff. @@ -684,6 +690,14 @@ static int ssl_ext_mp_verify_cb(int ok, X509_STORE_CTX *ctx) sc = mySrvConfig(s); /* + * Unless stated otherwise by the configuration, we really don't + * care if the verification was okay or not, so lets return now + * before we do anything involving memory or time. + */ + if (sc->bProxyVerify == FALSE) + return ok; + + /* * Get verify ingredients */ xs = X509_STORE_CTX_get_current_cert(ctx); @@ -740,7 +754,7 @@ static int ssl_ext_mp_verify_cb(int ok, X509_STORE_CTX *ctx) return (ok); } -#endif /* SSL_EXPERIMENTAL */ +#endif /* SSL_EXPERIMENTAL_PROXY */ /* _________________________________________________________________ ** @@ -776,6 +790,8 @@ static void ssl_ext_ms_display(request_rec *r, int no_table_report, int short_re if (sc == NULL) return; + if (short_report) + return; ap_rputs("<hr>\n", r); ap_rputs("<table cellspacing=0 cellpadding=0>\n", r); ap_rputs("<tr><td bgcolor=\"#000000\">\n", r); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c index 0b38b9a4a94..125d8c41160 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c @@ -151,7 +151,7 @@ void ssl_init_Module(server_rec *s, pool *p) sc->nVerifyClient = SSL_CVERIFY_NONE; if (sc->nVerifyDepth == UNSET) sc->nVerifyDepth = 1; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY if (sc->nProxyVerifyDepth == UNSET) sc->nProxyVerifyDepth = 1; #endif 
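Review bot: The early return added to ssl_ext_mp_verify_cb hands back `ok` unchanged, which does not match the comment above it: with `sc->bProxyVerify == FALSE` a failed verification (`ok == 0`) still fails the handshake unless the SSL object runs in SSL_VERIFY_NONE mode, where the callback's result is ignored anyway. If the intent is only to skip the bookkeeping that follows, the comment should say so, e.g. `/* proxy verification disabled: keep OpenSSL's verdict, skip the logging/bookkeeping below */`; if the intent is to accept any upstream certificate, that is a security-relevant choice that belongs in the comment and in the SSLProxyVerify documentation. Either way, everything after this point in the function is now skipped when verification is off, so whatever it records about the peer certificate is lost for those connections. The function starts and ends outside this hunk.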
@@ -353,10 +353,10 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key"); #if 0 ssl_die(); -#else +#else ssl_log(s, SSL_LOG_ERROR, "Init: You probably have no RSA support in libcrypto. See ssl(8)"); return; -#endif +#endif } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512"); asn1->nData = i2d_RSAPrivateKey(rsa, NULL); @@ -826,6 +826,12 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) n, n == 1 ? "" : "s"); } +#ifdef SSL_VENDOR + ap_hook_use("ap::mod_ssl::vendor::configure_server", + AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_ALL, + s, p, sc); +#endif + return; } diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c index 50e9f88af9b..e7eaebe12ab 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c @@ -185,7 +185,7 @@ void ssl_hook_NewConnection(conn_rec *conn) return; } SSL_clear(ssl); - cpVHostMD5 = ap_md5(conn->pool, cpVHostID); + cpVHostMD5 = ap_md5(conn->pool, (unsigned char *)cpVHostID); if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) { ssl_log(conn->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Unable to set session id context to `%s'", cpVHostMD5); @@ -637,7 +637,7 @@ int ssl_hook_Access(request_rec *r) int i; BOOL renegotiate; BOOL renegotiate_quick; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA BOOL reconfigured_locations; STACK_OF(X509_NAME) *skCAList; char *cpCAPath; @@ -704,7 +704,7 @@ int ssl_hook_Access(request_rec *r) */ renegotiate = FALSE; renegotiate_quick = FALSE; -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA reconfigured_locations = FALSE; #endif 
@@ -870,7 +870,7 @@ int ssl_hook_Access(request_rec *r) * OpenSSL provides a SSL_load_verify_locations() function we've no other * chance to provide this functionality... */ -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA if ( ( dc->szCACertificateFile != NULL && ( sc->szCACertificateFile == NULL || ( sc->szCACertificateFile != NULL @@ -907,7 +907,7 @@ int ssl_hook_Access(request_rec *r) ssl_log(r->server, SSL_LOG_TRACE, "Changed client verification locations will force renegotiation"); } -#endif /* SSL_EXPERIMENTAL */ +#endif /* SSL_EXPERIMENTAL_PERDIRCA */ #ifdef SSL_CONSERVATIVE /* @@ -1028,7 +1028,7 @@ int ssl_hook_Access(request_rec *r) * to the old values. This should be changed with forthcoming OpenSSL * versions when better functionality is avaiable. */ -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PERDIRCA if (renegotiate && reconfigured_locations) { if (!SSL_CTX_load_verify_locations(ctx, sc->szCACertificateFile, sc->szCACertificatePath)) { @@ -1038,7 +1038,7 @@ int ssl_hook_Access(request_rec *r) return FORBIDDEN; } } -#endif /* SSL_EXPERIMENTAL */ +#endif /* SSL_EXPERIMENTAL_PERDIRCA */ /* * Check SSLRequire boolean expressions @@ -1456,6 +1456,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) if ( ( errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY +#if SSL_LIBRARY_VERSION >= 0x00905000 + || errnum == X509_V_ERR_CERT_UNTRUSTED +#endif || errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ) && verify == SSL_CVERIFY_OPTIONAL_NO_CA ) { ssl_log(s, SSL_LOG_TRACE, diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c index faabce00397..4fcb2685866 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c 
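Review bot: Adding `X509_V_ERR_CERT_UNTRUSTED` to the errors tolerated under `SSL_CVERIFY_OPTIONAL_NO_CA` in ssl_callback_SSLVerify widens what a client certificate may get away with, and the hunk gives no reason why this error belongs with the "no CA available" class. Unlike the self-signed and missing-issuer cases already listed, this code means a chain was built but its root is not trusted for the purpose, so a comment next to the version guard stating the actual reason (presumably how OpenSSL >= 0.9.5 classifies an untrusted root) is needed: `/* 0.9.5+: an untrusted root is reported as CERT_UNTRUSTED; treat it like a missing CA under optional_no_ca */`. The relaxation stays confined to the optional_no_ca branch, so default verification remains strict. ssl_callback_SSLVerify starts and ends outside this hunk.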
@@ -98,7 +98,7 @@ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) if (strEQ(sc->szLogFile, "/dev/null")) return; else if (sc->szLogFile[0] == '|') { - szLogFile = ap_server_root_relative(p, sc->szLogFile+1); + szLogFile = ssl_util_server_root_relative(p, sc->szLogFile+1); if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open reliable pipe to SSL logfile filter %s", szLogFile); @@ -108,7 +108,7 @@ void ssl_log_open(server_rec *s_main, server_rec *s, pool *p) setbuf(sc->fileLogFile, NULL); } else { - szLogFile = ap_server_root_relative(p, sc->szLogFile); + szLogFile = ssl_util_server_root_relative(p, sc->szLogFile); if ((sc->fileLogFile = ap_pfopen(p, szLogFile, "a")) == NULL) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Cannot open SSL logfile %s", szLogFile); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c index cf2c90bb3d8..dc2927e66b1 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c @@ -131,7 +131,7 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) if (sc->szPublicCertFile[0] == NULL) { ssl_log(pServ, SSL_LOG_ERROR, "Init: Server %s should be SSL-aware but has no certificate configured " - "[Hint: SSLCertifcateFile]", cpVHostID); + "[Hint: SSLCertificateFile]", cpVHostID); ssl_die(); } algoCert = SSL_ALGO_UNKNOWN; @@ -386,7 +386,7 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) return; } -int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice) +int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) { SSLModConfigRec *mc = myModConfig(); server_rec *s; 
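Review bot: The renamed `verify` parameter of ssl_pphrase_Handle_CB is no longer used in the visible code: the @@ -489 hunk on the next line passes `FALSE` to `EVP_read_pw_string` where the old `ask_twice` went, so a caller asking for a confirmed (double-entry) pass phrase silently gets a single prompt. If that is intended — the callback only decrypts existing keys, so re-entry buys nothing — say so on the signature, e.g. `/* verify is accepted for the PEM callback signature but ignored: the phrase is only used to decrypt an existing key */`; otherwise forward it, `EVP_read_pw_string(buf, bufsize, prompt, verify)`. The function body runs outside both hunks, so `verify` may still be read elsewhere in it.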
@@ -489,7 +489,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice) */ prompt = "Enter pass phrase:"; for (;;) { - if ((i = EVP_read_pw_string(buf, bufsize, prompt, ask_twice)) != 0) { + if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) { PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf, 0, (unsigned int)bufsize); return (-1); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c index eefb5056308..478e82d7d47 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_scache.c @@ -109,6 +109,7 @@ void ssl_scache_kill(server_rec *s) ap_hook_use("ap::mod_ssl::vendor::scache_kill", AP_HOOK_SIG1(void), AP_HOOK_ALL); #endif + return; } @@ -228,25 +229,20 @@ void ssl_scache_remove(server_rec *s, SSL_SESSION *pSession) void ssl_scache_expire(server_rec *s, time_t now) { SSLModConfigRec *mc = myModConfig(); - SSLSrvConfigRec *sc = mySrvConfig(s); - static time_t last = 0; /* - * make sure the expiration for still not-accessed session - * cache entries is done only from time to time - */ - if (now < last+sc->nSessionCacheTimeout) - return; - last = now; - - /* - * Now perform the expiration + * Pass through to the particular expiration functions */ if (mc->nSessionCacheMode == SSL_SCMODE_DBM) ssl_scache_dbm_expire(s, now); else if (mc->nSessionCacheMode == SSL_SCMODE_SHM) ssl_scache_shm_expire(s, now); +#ifdef SSL_VENDOR + ap_hook_use("ap::mod_ssl::vendor::scache_expire", + AP_HOOK_SIG3(void,ptr,int), AP_HOOK_ALL, s, now); +#endif + return; } @@ -499,6 +495,8 @@ void ssl_scache_dbm_remove(server_rec *s, ssl_scinfo_t *SCI) void ssl_scache_dbm_expire(server_rec *s, time_t tNow) { SSLModConfigRec *mc = myModConfig(); + SSLSrvConfigRec *sc = mySrvConfig(s); + static time_t tLast = 0; DBM *dbm; datum dbmkey; datum dbmval; 
@@ -512,6 +510,14 @@ void ssl_scache_dbm_expire(server_rec *s, time_t tNow) int i; /* + * make sure the expiration for still not-accessed session + * cache entries is done only from time to time + */ + if (tNow < tLast+sc->nSessionCacheTimeout) + return; + tLast = tNow; + + /* * Here we have to be very carefully: Not all DBM libraries are * smart enough to allow one to iterate over the elements and at the * same time delete expired ones. Some of them get totally crazy @@ -818,6 +824,8 @@ void ssl_scache_shm_remove(server_rec *s, ssl_scinfo_t *SCI) void ssl_scache_shm_expire(server_rec *s, time_t tNow) { SSLModConfigRec *mc = myModConfig(); + SSLSrvConfigRec *sc = mySrvConfig(s); + static time_t tLast = 0; table_linear_t iterator; time_t tExpiresAt; void *vpKey; @@ -831,6 +839,14 @@ void ssl_scache_shm_expire(server_rec *s, time_t tNow) int bDelete; int rc; + /* + * make sure the expiration for still not-accessed session + * cache entries is done only from time to time + */ + if (tNow < tLast+sc->nSessionCacheTimeout) + return; + tLast = tNow; + ssl_mutex_on(s); if (table_first_r(mc->tSessionCacheDataTable, &iterator, &vpKey, &nKey, &vpData, &nData) == TABLE_ERROR_NONE) { diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c index f9a3c529f66..392edec5952 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c 
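Review bot: The throttle block (`if (tNow < tLast+sc->nSessionCacheTimeout) return; tLast = tNow;`) now appears verbatim in both ssl_scache_dbm_expire and ssl_scache_shm_expire on this line, where it previously lived once in ssl_scache_expire (the @@ -228 hunk on the previous line). The static `tLast` is per process and shared by every virtual host while `sc->nSessionCacheTimeout` is per host, so whichever host calls first sets the interval for all of them; that was true before the move as well, but two copies make the backends easier to let drift apart. A helper such as `static BOOL ssl_scache_expire_due(server_rec *s, time_t tNow)` holding the static and the comparison would keep one copy, and a one-line comment in ssl_scache_expire noting that the new vendor `scache_expire` hook runs unthrottled would record that as intended.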
@@ -81,7 +81,7 @@ static char *ssl_var_lookup_ssl_cert_chain(pool *p, STACK_OF(X509) *sk, char *va static char *ssl_var_lookup_ssl_cert_PEM(pool *p, X509 *xs); static char *ssl_var_lookup_ssl_cert_verify(pool *p, conn_rec *c); static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var); -static void ssl_var_lookup_ssl_cipher_bits(char *cipher, int *usekeysize, int *algkeysize); +static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); static char *ssl_var_lookup_ssl_version(pool *p, char *var); void ssl_var_register(void) @@ -546,34 +546,24 @@ static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var) { char *result; BOOL resdup; - char *cipher; int usekeysize, algkeysize; SSL *ssl; result = NULL; resdup = TRUE; - if (strEQ(var, "")) { - ssl = ap_ctx_get(c->client->ctx, "ssl"); - result = (char *)SSL_get_cipher_name(ssl); - } - else if (strcEQ(var, "_EXPORT")) { - ssl = ap_ctx_get(c->client->ctx, "ssl"); - cipher = (char *)SSL_get_cipher_name(ssl); - ssl_var_lookup_ssl_cipher_bits(cipher, &usekeysize, &algkeysize); + ssl = ap_ctx_get(c->client->ctx, "ssl"); + ssl_var_lookup_ssl_cipher_bits(ssl, &usekeysize, &algkeysize); + + if (strEQ(var, "")) + result = (ssl != NULL ? (char *)SSL_get_cipher_name(ssl) : NULL); + else if (strcEQ(var, "_EXPORT")) result = (usekeysize < 56 ? "true" : "false"); - } else if (strcEQ(var, "_USEKEYSIZE")) { - ssl = ap_ctx_get(c->client->ctx, "ssl"); - cipher = (char *)SSL_get_cipher_name(ssl); - ssl_var_lookup_ssl_cipher_bits(cipher, &usekeysize, &algkeysize); result = ap_psprintf(p, "%d", usekeysize); resdup = FALSE; } else if (strcEQ(var, "_ALGKEYSIZE")) { - ssl = ap_ctx_get(c->client->ctx, "ssl"); - cipher = (char *)SSL_get_cipher_name(ssl); - ssl_var_lookup_ssl_cipher_bits(cipher, &usekeysize, &algkeysize); result = ap_psprintf(p, "%d", algkeysize); resdup = FALSE; } 
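Review bot: The `_EXPORT` branch of ssl_var_lookup_ssl_cipher now answers `"true"` when there is no SSL object or no negotiated cipher, because ssl_var_lookup_ssl_cipher_bits leaves `usekeysize` at 0 in those cases and `0 < 56` holds. The `""` branch was given an explicit `ssl != NULL` guard, so the same is due here, e.g. `result = (ssl != NULL ? (usekeysize < 56 ? "true" : "false") : NULL);`, so that SSL_CIPHER_EXPORT does not report an export-grade cipher on a connection that has none. The function ends outside this hunk.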
@@ -583,76 +573,15 @@ static char *ssl_var_lookup_ssl_cipher(pool *p, conn_rec *c, char *var) return result; } -/* - * This structure is used instead of SSL_get_cipher_bits() because - * this OpenSSL function has rounding problems, but we want the - * correct sizes. - */ -static const struct { - char *szName; - int nUseKeySize; - int nAlgKeySize; -} ssl_var_lookup_ssl_cipher_bits_rec[] = { - - { TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 /*EXP1024-RC4-MD5*/, 56, 128 }, - { TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 /*EXP1024-RC2-CBC-MD5*/,56, 128 }, - { TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA /*EXP1024-DES-CBC-SHA*/,56, 56 }, - - { SSL3_TXT_RSA_IDEA_128_SHA /*IDEA-CBC-SHA*/, 128, 128 }, - { SSL3_TXT_RSA_NULL_MD5 /*NULL-MD5*/, 0, 0 }, - { SSL3_TXT_RSA_NULL_SHA /*NULL-SHA*/, 0, 0 }, - { SSL3_TXT_RSA_RC4_40_MD5 /*EXP-RC4-MD5*/, 40, 128 }, - { SSL3_TXT_RSA_RC4_128_MD5 /*RC4-MD5*/, 128, 128 }, - { SSL3_TXT_RSA_RC4_128_SHA /*RC4-SHA*/, 128, 128 }, - { SSL3_TXT_RSA_RC2_40_MD5 /*EXP-RC2-CBC-MD5*/, 40, 128 }, - { SSL3_TXT_RSA_DES_40_CBC_SHA /*EXP-DES-CBC-SHA*/, 40, 56 }, - { SSL3_TXT_RSA_DES_64_CBC_SHA /*DES-CBC-SHA*/ , 56, 56 }, - { SSL3_TXT_RSA_DES_192_CBC3_SHA /*DES-CBC3-SHA*/ , 168, 168 }, - { SSL3_TXT_DH_DSS_DES_40_CBC_SHA /*EXP-DH-DSS-DES-CBC-SHA*/, 40, 56 }, - { SSL3_TXT_DH_DSS_DES_64_CBC_SHA /*DH-DSS-DES-CBC-SHA*/, 56, 56 }, - { SSL3_TXT_DH_DSS_DES_192_CBC3_SHA /*DH-DSS-DES-CBC3-SHA*/, 168, 168 }, - { SSL3_TXT_DH_RSA_DES_40_CBC_SHA /*EXP-DH-RSA-DES-CBC-SHA*/, 40, 56 }, - { SSL3_TXT_DH_RSA_DES_64_CBC_SHA /*DH-RSA-DES-CBC-SHA*/, 56, 56 }, - { SSL3_TXT_DH_RSA_DES_192_CBC3_SHA /*DH-RSA-DES-CBC3-SHA*/, 168, 168 }, - { SSL3_TXT_EDH_DSS_DES_40_CBC_SHA /*EXP-EDH-DSS-DES-CBC-SHA*/, 40, 56 }, - { SSL3_TXT_EDH_DSS_DES_64_CBC_SHA /*EDH-DSS-DES-CBC-SHA*/, 56, 56 }, - { SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA /*EDH-DSS-DES-CBC3-SHA*/, 168, 168 }, - { SSL3_TXT_EDH_RSA_DES_40_CBC_SHA /*EXP-EDH-RSA-DES-CBC*/, 40, 56 }, - { SSL3_TXT_EDH_RSA_DES_64_CBC_SHA /*EDH-RSA-DES-CBC-SHA*/, 56, 56 }, 
- { SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA /*EDH-RSA-DES-CBC3-SHA*/, 168, 168 }, - { SSL3_TXT_ADH_RC4_40_MD5 /*EXP-ADH-RC4-MD5*/, 40, 128 }, - { SSL3_TXT_ADH_RC4_128_MD5 /*ADH-RC4-MD5*/, 128, 128 }, - { SSL3_TXT_ADH_DES_40_CBC_SHA /*EXP-ADH-DES-CBC-SHA*/, 40, 128 }, - { SSL3_TXT_ADH_DES_64_CBC_SHA /*ADH-DES-CBC-SHA*/, 56, 56 }, - { SSL3_TXT_ADH_DES_192_CBC_SHA /*ADH-DES-CBC3-SHA*/, 168, 168 }, - { SSL3_TXT_FZA_DMS_NULL_SHA /*FZA-NULL-SHA*/, 0, 0 }, - { SSL3_TXT_FZA_DMS_FZA_SHA /*FZA-FZA-CBC-SHA*/, 0, 0 }, - { SSL3_TXT_FZA_DMS_RC4_SHA /*FZA-RC4-SHA*/, 128, 128 }, - - { SSL2_TXT_IDEA_128_CBC_WITH_MD5 /*IDEA-CBC-MD5*/, 128, 128 }, - { SSL2_TXT_DES_64_CFB64_WITH_MD5_1 /*DES-CFB-M1*/, 56, 56 }, - { SSL2_TXT_RC2_128_CBC_WITH_MD5 /*RC2-CBC-MD5*/, 128, 128 }, - { SSL2_TXT_DES_64_CBC_WITH_MD5 /*DES-CBC-MD5*/, 56, 56 }, - { SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 /*DES-CBC3-MD5*/, 168, 168 }, - { SSL2_TXT_RC4_64_WITH_MD5 /*RC4-64-MD5*/, 64, 64 }, - { SSL2_TXT_NULL /*NULL*/, 0, 0 }, - - { NULL, 0, 0 } -}; - -static void ssl_var_lookup_ssl_cipher_bits(char *cipher, int *usekeysize, int *algkeysize) +static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize) { - int n; + SSL_CIPHER *cipher; *usekeysize = 0; *algkeysize = 0; - for (n = 0; ssl_var_lookup_ssl_cipher_bits_rec[n].szName; n++) { - if (strEQ(cipher, ssl_var_lookup_ssl_cipher_bits_rec[n].szName)) { - *algkeysize = ssl_var_lookup_ssl_cipher_bits_rec[n].nAlgKeySize; - *usekeysize = ssl_var_lookup_ssl_cipher_bits_rec[n].nUseKeySize; - break; - } - } + if (ssl != NULL) + if ((cipher = SSL_get_current_cipher(ssl)) != NULL) + *usekeysize = SSL_CIPHER_get_bits(cipher, algkeysize); return; } diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util.c b/usr.sbin/httpd/src/modules/ssl/ssl_util.c index ce238a52389..045ec60ed58 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util.c 
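Review bot: The rewritten ssl_var_lookup_ssl_cipher_bits drops the comment that explained why a static table was kept instead of the library's bit counts ("rounding problems"), and the new code relies on `SSL_CIPHER_get_bits` without saying whether that concern is resolved. A short comment such as `/* key sizes now come from SSL_CIPHER_get_bits; the former static table (kept because of rounding concerns) was dropped */` keeps that history readable for anyone later comparing SSL_CIPHER_USEKEYSIZE against a cipher list. The nested unbraced `if (ssl != NULL) if (...)` should be braced, and `cipher` could be initialised to NULL so the `ssl == NULL` path does not leave an indeterminate local around.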
@@ -116,6 +116,20 @@ ** _________________________________________________________________ */ +char *ssl_util_server_root_relative(pool *p, char *arg) +{ + char *rv = NULL; + +#ifdef SSL_VENDOR + ap_hook_use("ap::mod_ssl::vendor::ssl_server_root_relative", + AP_HOOK_SIG3(ptr,ptr,ptr), AP_HOOK_ALL, &rv, p, arg); + if (rv != NULL) + return rv; +#endif + rv = ap_server_root_relative(p, arg); + return rv; +} + char *ssl_util_vhostid(pool *p, server_rec *s) { char *id; diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c index d73344abb14..d57a8855b6c 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c @@ -396,7 +396,7 @@ BOOL SSL_X509_getCN(pool *p, X509 *xs, char **cppCN) ** _________________________________________________________________ */ -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY BOOL SSL_load_CrtAndKeyInfo_file(pool *p, STACK_OF(X509_INFO) *sk, char *filename) { @@ -447,7 +447,7 @@ BOOL SSL_load_CrtAndKeyInfo_path(pool *p, STACK_OF(X509_INFO) *sk, char *pathnam return ok; } -#endif /* SSL_EXPERIMENTAL */ +#endif /* SSL_EXPERIMENTAL_PROXY */ /* _________________________________________________________________ ** diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h index 56674c3946a..b9356fe298c 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h 
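Review bot: The new ssl_util_server_root_relative carries no header comment although, with a vendor hook compiled in, it changes how every configured SSL path — including the log file and piped-log command in the ssl_log_open hunks — is resolved. A comment above it should state the contract, e.g. `/* Resolve arg relative to ServerRoot; with SSL_VENDOR a hook may supply the result instead. The string is presumably pool-allocated and must not be freed by the caller. */`, and since ssl_log_open passes the result to `ap_open_piped_log` when it starts with `|`, it should also say that a hook result is trusted as-is. The tail `rv = ap_server_root_relative(p, arg); return rv;` can simply be `return ap_server_root_relative(p, arg);`.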
@@ -98,10 +98,10 @@ char *SSL_make_ciphersuite(pool *, SSL *); BOOL SSL_X509_isSGC(X509 *); BOOL SSL_X509_getBC(X509 *, int *, int *); BOOL SSL_X509_getCN(pool *, X509 *, char **); -#ifdef SSL_EXPERIMENTAL +#ifdef SSL_EXPERIMENTAL_PROXY BOOL SSL_load_CrtAndKeyInfo_file(pool *, STACK_OF(X509_INFO) *, char *); BOOL SSL_load_CrtAndKeyInfo_path(pool *, STACK_OF(X509_INFO) *, char *); -#endif +#endif /* SSL_EXPERIMENTAL_PROXY */ int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)()); #endif /* SSL_UTIL_SSL_H */ diff --git a/usr.sbin/httpd/src/support/mkcert.sh b/usr.sbin/httpd/src/support/mkcert.sh index 46e44eea6c0..a9d3c8599f5 100644 --- a/usr.sbin/httpd/src/support/mkcert.sh +++ b/usr.sbin/httpd/src/support/mkcert.sh @@ -96,9 +96,10 @@ fi # (do not use /dev/random here, because this device # doesn't work as expected on all platforms) randfiles='' -for file in /var/log/messages /var/adm/messages /var/log/system.log \ - /kernel /vmunix /vmlinuz /mach /etc/hosts /etc/resolv.conf; do - if [ -f $file ]; then +for file in /var/log/messages /var/adm/messages /var/log/system.log /var/wtmp \ + /kernel /kernel/genunix /vmunix /vmlinuz /mach \ + /etc/hosts /etc/group /etc/resolv.conf /bin/ls; do + if [ -r $file ]; then if [ ".$randfiles" = . ]; then randfiles="$file" else @@ -112,7 +113,7 @@ if [ -f $HOME/.rnd ]; then RANDFILE="$HOME/.rnd" else RANDFILE=".mkcert.rnd" - touch $RANDFILE + (ps; date) >$RANDFILE fi export RANDFILE |
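Review bot: The fallback seed `(ps; date) >$RANDFILE` is largely predictable — a process listing and the current time — and the file is created in the current directory under the caller's umask, so a stronger source should be tried first and the file protected. The comment above avoids /dev/random for portability; a guarded check keeps that portability while preferring a kernel source where one exists: `umask 077` before the `if`, then `if [ -c /dev/urandom ]; then dd if=/dev/urandom of=$RANDFILE bs=1024 count=1 2>/dev/null; else (ps; date) >$RANDFILE; fi`. The `-f` to `-r` change is an improvement, since unreadable files are no longer listed only to fail when openssl opens them; note though that most entries (`/etc/hosts`, `/etc/group`, `/bin/ls`) are public data that contribute little entropy and should be regarded as mixing material rather than as the seed.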