1 /* $OpenBSD: ssl_engine_init.c,v 1.27 2005/02/09 12:13:10 henning Exp $ */
2
3 /* _ _
4 ** _ __ ___ ___ __| | ___ ___| | mod_ssl
5 ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
6 ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
7 ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
8 ** |_____|
9 ** ssl_engine_init.c
10 ** Initialization of Servers
11 */
12
13 /* ====================================================================
14 * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
18 * are met:
19 *
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 *
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following
25 * disclaimer in the documentation and/or other materials
26 * provided with the distribution.
27 *
28 * 3. All advertising materials mentioning features or use of this
29 * software must display the following acknowledgment:
30 * "This product includes software developed by
31 * Ralf S. Engelschall <rse@engelschall.com> for use in the
32 * mod_ssl project (http://www.modssl.org/)."
33 *
34 * 4. The names "mod_ssl" must not be used to endorse or promote
35 * products derived from this software without prior written
36 * permission. For written permission, please contact
37 * rse@engelschall.com.
38 *
39 * 5. Products derived from this software may not be called "mod_ssl"
40 * nor may "mod_ssl" appear in their names without prior
41 * written permission of Ralf S. Engelschall.
42 *
43 * 6. Redistributions of any form whatsoever must retain the following
44 * acknowledgment:
45 * "This product includes software developed by
46 * Ralf S. Engelschall <rse@engelschall.com> for use in the
47 * mod_ssl project (http://www.modssl.org/)."
48 *
49 * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
50 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
52 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
53 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
54 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
55 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
56 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
57 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
58 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
59 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
60 * OF THE POSSIBILITY OF SUCH DAMAGE.
61 * ====================================================================
62 */
63
64 /* ====================================================================
65 * Copyright (c) 1995-1999 Ben Laurie. All rights reserved.
66 *
67 * Redistribution and use in source and binary forms, with or without
68 * modification, are permitted provided that the following conditions
69 * are met:
70 *
71 * 1. Redistributions of source code must retain the above copyright
72 * notice, this list of conditions and the following disclaimer.
73 *
74 * 2. Redistributions in binary form must reproduce the above copyright
75 * notice, this list of conditions and the following disclaimer in
76 * the documentation and/or other materials provided with the
77 * distribution.
78 *
79 * 3. All advertising materials mentioning features or use of this
80 * software must display the following acknowledgment:
81 * "This product includes software developed by Ben Laurie
82 * for use in the Apache-SSL HTTP server project."
83 *
84 * 4. The name "Apache-SSL Server" must not be used to
85 * endorse or promote products derived from this software without
86 * prior written permission.
87 *
88 * 5. Redistributions of any form whatsoever must retain the following
89 * acknowledgment:
90 * "This product includes software developed by Ben Laurie
91 * for use in the Apache-SSL HTTP server project."
92 *
93 * THIS SOFTWARE IS PROVIDED BY BEN LAURIE ``AS IS'' AND ANY
94 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
95 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
96 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BEN LAURIE OR
97 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
98 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
99 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
100 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
101 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
102 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
103 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
104 * OF THE POSSIBILITY OF SUCH DAMAGE.
105 * ====================================================================
106 */
107 /* ``Recursive, adj.;
108 see Recursive.''
109 -- Unknown */
110 #include "mod_ssl.h"
111
112
113 /* _________________________________________________________________
114 **
115 ** Module Initialization
116 ** _________________________________________________________________
117 */
118
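/*
 * Per-module initialization
 *
 * Apache calls this once per initialization round; the long comment in
 * the body explains why there is more than one round.  mc->nInitCount
 * is incremented on every call so that one-off work (identification
 * banner, pass phrase dialog) can be tied to a specific round.
 *
 * s  main server; the per-server loops walk the s->next chain
 * p  configuration pool used for everything allocated here
 *
 * There is no error return: fatal configuration problems are logged by
 * the callees (ssl_init_TmpKeysHandle, ssl_init_ConfigureServer, ...),
 * which then call ssl_die().
 */

/*
 * English ordinal suffix for a round number, used only by the
 * "restart round" log line below (1st, 2nd, 3rd, 4th, ..., 11th, 12th,
 * 13th, 21st, ...).  Anything that is not a positive number gets "th".
 */
static const char *ssl_init_OrdinalSuffix(int n)
{
    int nLastTwo = n % 100;

    /* 11, 12 and 13 are the exceptions to the last-digit rule */
    if (nLastTwo >= 11 && nLastTwo <= 13)
        return "th";
    switch (n % 10) {
        case 1:  return "st";
        case 2:  return "nd";
        case 3:  return "rd";
        default: return "th";
    }
}

void ssl_init_Module(server_rec *s, pool *p)
{
    SSLModConfigRec *mc = myModConfig();
    SSLSrvConfigRec *sc;
    server_rec *s2;
    char *cp;
    int SSLenabled = 0;

    mc->nInitCount++;

    /*
     * Let us cleanup on restarts and exits
     */
    ap_register_cleanup(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);

    /*
     * Any init round fixes the global config
     */
    ssl_config_global_create(); /* just to avoid problems */
    ssl_config_global_fix();

    /*
     * try to fix the configuration and open the dedicated SSL
     * logfile as early as possible
     */
    for (s2 = s; s2 != NULL; s2 = s2->next) {
        sc = mySrvConfig(s2);

        /*
         * Fix up stuff that may not have been set: SSL off, no client
         * verification, verify depth 1, default cache timeout and the
         * builtin pass phrase dialog.
         */
        if (sc->bEnabled == UNSET)
            sc->bEnabled = FALSE;
        if (sc->nVerifyClient == SSL_CVERIFY_UNSET)
            sc->nVerifyClient = SSL_CVERIFY_NONE;
        if (sc->nVerifyDepth == UNSET)
            sc->nVerifyDepth = 1;
#ifdef SSL_EXPERIMENTAL_PROXY
        if (sc->nProxyVerifyDepth == UNSET)
            sc->nProxyVerifyDepth = 1;
#endif
        if (sc->nSessionCacheTimeout == UNSET)
            sc->nSessionCacheTimeout = SSL_SESSION_CACHE_TIMEOUT;
        if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET)
            sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;

        /* Open the dedicated SSL logfile (skipped once the server is chrooted) */
        if (!ap_server_is_chrooted())
            ssl_log_open(s, s2, p);
    }

    /*
     * Identification (first round only)
     */
    if (mc->nInitCount == 1) {
        ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s",
                SERVER_BASEVERSION,
                ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"),
                ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
    }

    /*
     * Initialization round information.  Rounds beyond the second are
     * restarts and are counted from 1 again.
     */
    if (mc->nInitCount == 1)
        ssl_log(s, SSL_LOG_INFO, "Init: 1st startup round (still not detached)");
    else if (mc->nInitCount == 2)
        ssl_log(s, SSL_LOG_INFO, "Init: 2nd startup round (already detached)");
    else
        ssl_log(s, SSL_LOG_INFO, "Init: %d%s restart round (already detached)",
                mc->nInitCount-2, ssl_init_OrdinalSuffix(mc->nInitCount-2));

#ifdef SSL_VENDOR
    ap_hook_use("ap::mod_ssl::vendor::init_module",
                AP_HOOK_SIG3(void,ptr,ptr), AP_HOOK_ALL, s, p);
#endif

    /*
     * The initialization phase inside the Apache API is totally bogus.
     * We actually have three non-trivial problems:
     *
     * 1. Under Unix the API does a 2-round initialization of modules while
     *    under Win32 it doesn't. This means we have to make sure that at
     *    least the pass phrase dialog doesn't occur twice.  We overcome this
     *    problem by using a counter (mc->nInitCount) which has to
     *    survive the init rounds.
     *
     * 2. Between the first and the second round Apache detaches from
     *    the terminal under Unix. This means that our pass phrase dialog
     *    _has_ to be done in the first round and _cannot_ be done in the
     *    second round.
     *
     * 3. When Dynamic Shared Object (DSO) mechanism is used under Unix the
     *    module segment (code & data) gets unloaded and re-loaded between
     *    the first and the second round. This means no global data survives
     *    between first and the second init round. We overcome this by using
     *    an entry ("ssl_module") inside the ap_global_ctx.
     *
     * The situation as a table:
     *
     * Unix/static Unix/DSO           Win32     Action Required
     *             (-DSHARED_MODULE)  (-DWIN32)
     * ----------- ----------------- --------- -----------------------------------
     * -           load module        -         -
     * init        init               init      SSL library init, Pass Phrase Dialog
     * detach      detach             -         -
     * -           reload module      -         -
     * init        init               -         SSL library init, mod_ssl init
     *
     * Ok, now try to solve this totally ugly situation...
     */

#ifdef SHARED_MODULE
    /* a DSO is reloaded between the rounds, so the library has to be
     * initialized in every round (problem 3 above) */
    ssl_log(s, SSL_LOG_INFO, "Init: %snitializing %s library",
            mc->nInitCount == 1 ? "I" : "Rei", SSL_LIBRARY_NAME);
#ifdef SSL_EXPERIMENTAL_ENGINE
    ssl_init_Engine(s, p);
#endif
    ssl_init_SSLLibrary();
#else
    /* statically linked: library state survives, so only the two
     * startup rounds initialize it */
    if (mc->nInitCount <= 2) {
        ssl_log(s, SSL_LOG_INFO, "Init: %snitializing %s library",
                mc->nInitCount == 1 ? "I" : "Rei", SSL_LIBRARY_NAME);
#ifdef SSL_EXPERIMENTAL_ENGINE
        ssl_init_Engine(s, p);
#endif
        ssl_init_SSLLibrary();
    }
#endif
    /* the pass phrase dialog needs the terminal, which is gone after
     * the first round (problem 2 above); nothing else happens in round 1 */
    if (mc->nInitCount == 1) {
        ssl_pphrase_Handle(s, p);
        return;
    }

    for (s2 = s; s2 != NULL; s2 = s2->next) {
        sc = mySrvConfig(s2);
        /* find out if anyone's actually doing SSL */
        if (sc->bEnabled)
            SSLenabled = 1;
    }
    if (SSLenabled) /* skip expensive bits if we're not doing SSL */
        ssl_init_TmpKeysHandle(SSL_TKP_GEN, s, p);

    /*
     * SSL external crypto device ("engine") support
     */
#ifdef SSL_EXPERIMENTAL_ENGINE
    ssl_init_Engine(s, p);
#endif

    /*
     * Warn the user that he should use the session cache.
     * But we can operate without it, of course.
     */
    if (mc->nSessionCacheMode == SSL_SCMODE_UNSET) {
        ssl_log(s, SSL_LOG_WARN,
                "Init: Session Cache is not configured [hint: SSLSessionCache]");
        mc->nSessionCacheMode = SSL_SCMODE_NONE;
    }

    /*
     * initialize the mutex handling and session caching
     */
    ssl_mutex_init(s, p);
    ssl_scache_init(s, p);

    /*
     * Seed the Pseudo Random Number Generator (PRNG)
     */
    ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");

    /*
     * allocate the temporary RSA keys and DH params
     */
    if (SSLenabled) /* skip expensive bits if we're not doing SSL */
        ssl_init_TmpKeysHandle(SSL_TKP_ALLOC, s, p);

    /*
     * initialize servers
     */
    ssl_log(s, SSL_LOG_INFO, "Init: Initializing (virtual) servers for SSL");
    for (s2 = s; s2 != NULL; s2 = s2->next) {
        sc = mySrvConfig(s2);
        /*
         * Either now skip this server when SSL is disabled for
         * it or give out some information about what we're
         * configuring.
         */
        if (!sc->bEnabled)
            continue;
        ssl_log(s2, SSL_LOG_INFO,
                "Init: Configuring server %s for SSL protocol",
                ssl_util_vhostid(p, s2));

        /*
         * Read the server certificate and key
         */
        ssl_init_ConfigureServer(s2, p, sc);
    }

    /*
     * Configuration consistency checks
     */
    ssl_init_CheckServers(s, p);

    /*
     * Announce mod_ssl and SSL library in HTTP Server field
     * as ``mod_ssl/X.X.X OpenSSL/X.X.X''
     */
    if ((cp = ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_PRODUCT")) != NULL && cp[0] != NUL)
        ap_add_version_component(cp);
    ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"));
    ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
}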
336
/*
 * Initialize SSL library (also already needed for the pass phrase dialog)
 *
 * Pure library setup, no mod_ssl state involved.  ssl_init_Module calls
 * this in every init round when built as a shared module and only in the
 * two startup rounds otherwise.
 */
void ssl_init_SSLLibrary(void)
{
    /* error strings first so any failure below is reported legibly */
    SSL_load_error_strings();
    SSL_library_init();
    /* mod_ssl's thread hooks for the library, see ssl_util_thread_setup */
    ssl_util_thread_setup();
    /* make the standard X.509v3 extensions known to the library */
    X509V3_add_standard_extensions();
}
348
/*
 * Support for an external Crypto Device ("engine"), usually
 * a hardware accelerator card for crypto operations.
 *
 * When mc->szCryptoDevice is set, the ENGINE of that name is loaded and
 * made the default for all methods; a device that cannot be loaded or
 * enabled is fatal (ssl_die).  With no device configured this is a no-op.
 */
#ifdef SSL_EXPERIMENTAL_ENGINE
void ssl_init_Engine(server_rec *s, pool *p)
{
    SSLModConfigRec *mc = myModConfig();
    const char *szDevice = mc->szCryptoDevice;
    ENGINE *e;

    if (szDevice == NULL)
        return;

    e = ENGINE_by_id(szDevice);
    if (e == NULL) {
        ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load Crypto Device API `%s'",
                szDevice);
        ssl_die();
    }
    /* device-specific knob, only applied to the "chil" engine */
    if (strEQ(szDevice, "chil"))
        ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
    if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
        ssl_log(s, SSL_LOG_ERROR, "Init: Failed to enable Crypto Device API `%s'",
                szDevice);
        ssl_die();
    }
    /* drop the reference ENGINE_by_id handed us; the default-method
     * registration keeps its own */
    ENGINE_free(e);
}
#endif
377
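/*
 * Handle the Temporary RSA Keys and DH Params
 *
 * Temporary key material is generated once and parked DER-encoded in
 * mc->tTmpKeys (allocated from mc->pPool); it is later decoded into the
 * live OpenSSL objects in mc->pTmpKeys[] and those objects can be freed
 * again without touching the DER copies.
 *
 * action  SSL_TKP_GEN    generate 512/1024 bit RSA keys, import 512/1024
 *                        bit DH params, store all four DER-encoded
 *         SSL_TKP_ALLOC  decode whatever the table holds into
 *                        mc->pTmpKeys[SSL_TKPIDX_*] (RSA keys get blinding)
 *         SSL_TKP_FREE   free the decoded objects and NULL the slots
 *         anything else  no-op
 * s, p    logging server and pool (p is only used for PRNG seeding)
 *
 * Every OpenSSL failure is logged and ends in ssl_die().
 *
 * NOTE(review): 512-bit RSA and DH are far below current strength
 * recommendations and exist here only for the export-grade cipher suites
 * of this era.  SSL_TKP_FREE releases the decoded objects but the DER
 * copies of the private keys stay in mc->pPool for the pool's lifetime.
 */

/*
 * Push the DER encoding of `rsa` into mc->tTmpKeys under `szName`.
 * An encoder error is fatal; before this check a negative length went
 * straight into ap_palloc().
 */
static void ssl_init_TmpKeyStoreRSA(server_rec *s, SSLModConfigRec *mc,
                                    char *szName, RSA *rsa)
{
    ssl_asn1_t *asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, szName);
    unsigned char *ucp;

    /* first call only sizes the buffer, second call fills it */
    asn1->nData = i2d_RSAPrivateKey(rsa, NULL);
    if (asn1->nData <= 0) {
        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                "Init: Failed to encode temporary RSA private key (%s)", szName);
        ssl_die();
    }
    asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
    ucp = asn1->cpData;
    i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
}

/*
 * Push the DER encoding of `dh` into mc->tTmpKeys under `szName`;
 * same contract as ssl_init_TmpKeyStoreRSA.
 */
static void ssl_init_TmpKeyStoreDH(server_rec *s, SSLModConfigRec *mc,
                                   char *szName, DH *dh)
{
    ssl_asn1_t *asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, szName);
    unsigned char *ucp;

    asn1->nData = i2d_DHparams(dh, NULL);
    if (asn1->nData <= 0) {
        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                "Init: Failed to encode temporary DH parameters (%s)", szName);
        ssl_die();
    }
    asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
    ucp = asn1->cpData;
    i2d_DHparams(dh, &ucp); /* 2nd arg increments */
}

void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
{
    SSLModConfigRec *mc = myModConfig();
    ssl_asn1_t *asn1;
    unsigned char *ucp;
    RSA *rsa;
    DH *dh;

    /* Generate Keys and Params */
    if (action == SSL_TKP_GEN) {

        /* seed PRNG */
        ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");

        /* generate 512 bit RSA key */
        ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");
        if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: Failed to generate temporary 512 bit RSA private key");
            ssl_die();
        }
        ssl_init_TmpKeyStoreRSA(s, mc, "RSA:512", rsa);
        RSA_free(rsa);

        /* generate 1024 bit RSA key */
        if ((rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: Failed to generate temporary 1024 bit RSA private key");
            ssl_die();
        }
        ssl_init_TmpKeyStoreRSA(s, mc, "RSA:1024", rsa);
        RSA_free(rsa);

        ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");

        /* import 512 bit DH param */
        if ((dh = ssl_dh_GetTmpParam(512)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 512 bit DH parameters");
            ssl_die();
        }
        ssl_init_TmpKeyStoreDH(s, mc, "DH:512", dh);
        DH_free(dh);

        /* import 1024 bit DH param */
        if ((dh = ssl_dh_GetTmpParam(1024)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 1024 bit DH parameters");
            ssl_die();
        }
        ssl_init_TmpKeyStoreDH(s, mc, "DH:1024", dh);
        DH_free(dh);
    }

    /* Allocate Keys and Params */
    else if (action == SSL_TKP_ALLOC) {

        ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary RSA private keys (512/1024 bits)");

        /* allocate 512 bit RSA key; a missing table entry is silently skipped */
        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "RSA:512")) != NULL) {
            ucp = asn1->cpData;
            if ((mc->pTmpKeys[SSL_TKPIDX_RSA512] =
                 (void *)d2i_RSAPrivateKey(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit RSA private key");
                ssl_die();
            }
            /* blinding protects the private operation against timing attacks */
            if (RSA_blinding_on ((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512], NULL) != 1) {
                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to add blinding for temporary 512 bit RSA private key");
                ssl_die();
            }
        }

        /* allocate 1024 bit RSA key */
        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "RSA:1024")) != NULL) {
            ucp = asn1->cpData;
            if ((mc->pTmpKeys[SSL_TKPIDX_RSA1024] =
                 (void *)d2i_RSAPrivateKey(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit RSA private key");
                ssl_die();
            }
            if (RSA_blinding_on ((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024], NULL) != 1) {
                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to add blinding for temporary 1024 bit RSA private key");
                ssl_die();
            }
        }

        ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");

        /* allocate 512 bit DH param */
        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "DH:512")) != NULL) {
            ucp = asn1->cpData;
            if ((mc->pTmpKeys[SSL_TKPIDX_DH512] =
                 (void *)d2i_DHparams(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit DH parameters");
                ssl_die();
            }
        }

        /* allocate 1024 bit DH param */
        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "DH:1024")) != NULL) {
            ucp = asn1->cpData;
            if ((mc->pTmpKeys[SSL_TKPIDX_DH1024] =
                 (void *)d2i_DHparams(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit DH parameters");
                ssl_die();
            }
        }
    }

    /* Free Keys and Params (the live objects only; the DER copies in
     * mc->tTmpKeys are left alone so a later ALLOC can decode them again) */
    else if (action == SSL_TKP_FREE) {
        if (mc->pTmpKeys[SSL_TKPIDX_RSA512] != NULL) {
            RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512]);
            mc->pTmpKeys[SSL_TKPIDX_RSA512] = NULL;
        }
        if (mc->pTmpKeys[SSL_TKPIDX_RSA1024] != NULL) {
            RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]);
            mc->pTmpKeys[SSL_TKPIDX_RSA1024] = NULL;
        }
        if (mc->pTmpKeys[SSL_TKPIDX_DH512] != NULL) {
            DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH512]);
            mc->pTmpKeys[SSL_TKPIDX_DH512] = NULL;
        }
        if (mc->pTmpKeys[SSL_TKPIDX_DH1024] != NULL) {
            DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]);
            mc->pTmpKeys[SSL_TKPIDX_DH1024] = NULL;
        }
    }
}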
522
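/*
 * Configure a particular server
 *
 * Builds the per-virtual-host SSL_CTX (sc->pSSLCtx) from the server's
 * config record: protocol versions, session cache mode, client verify
 * mode and callbacks, cipher list, client-auth CA locations, CRL store,
 * the RSA and/or DSA server certificate and private key (taken
 * DER-encoded from mc->tPublicCert / mc->tPrivateKey, presumably filled
 * by the pass phrase round — see ssl_init_Module) and an optional
 * explicit certificate chain file.
 *
 * s   the virtual server being configured
 * p   configuration pool
 * sc  its SSLSrvConfigRec; pSSLCtx, pPublicCert[], pPrivateKey[] and
 *     pRevocationStore are written here
 *
 * There is no error return: every fatal problem is logged and ends in
 * ssl_die().  Calling this twice for the same server is itself fatal
 * (see the re-initialization check).
 *
 * NOTE(review): SSLv2 is offered whenever SSL_PROTOCOL_SSLV2 is part of
 * sc->nProtocol and SSL_OP_ALL enables every compatibility workaround;
 * both are kept for the deployments this code was written for and
 * should not appear in a current SSLProtocol setting.
 */
void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
{
    SSLModConfigRec *mc = myModConfig();
    int nVerify;
    char *cpVHostID;
    EVP_PKEY *pKey;
    SSL_CTX *ctx;
    STACK_OF(X509_NAME) *skCAList;
    ssl_asn1_t *asn1;
    unsigned char *ucp;
    char *cp;
    const char *cpKeyType;
    size_t nLen;
    BOOL ok;
    BOOL bSkipFirst;
    int isca, pathlen;
    int i, n;

    /*
     * Create the server host:port string because we need it a lot
     */
    cpVHostID = ssl_util_vhostid(p, s);

    /*
     * Now check for important parameters and the
     * possibility that the user forgot to set them.
     */
    if (sc->szPublicCertFile[0] == NULL) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) No SSL Certificate set [hint: SSLCertificateFile]",
                cpVHostID);
        ssl_die();
    }

    /*
     * Check for problematic re-initializations
     */
    if (sc->pPublicCert[SSL_AIDX_RSA] != NULL ||
        sc->pPublicCert[SSL_AIDX_DSA] != NULL ) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) Illegal attempt to re-initialise SSL for server "
                "(theoretically shouldn't happen!)", cpVHostID);
        ssl_die();
    }

    /*
     * Create the new per-server SSL context
     */
    if (sc->nProtocol == SSL_PROTOCOL_NONE) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) No SSL protocols available [hint: SSLProtocol]",
                cpVHostID);
        ssl_die();
    }
    cp = ap_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
                       (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
                       (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
    /* strip the trailing ", "; the length check keeps an nProtocol that
     * carries none of the three known bits from indexing before the buffer */
    nLen = strlen(cp);
    if (nLen >= 2)
        cp[nLen-2] = NUL;
    ssl_log(s, SSL_LOG_TRACE,
            "Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, cp);
    if (sc->nProtocol == SSL_PROTOCOL_SSLV2)
        ctx = SSL_CTX_new(SSLv2_server_method()); /* only SSLv2 is left */
    else
        ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
    if (ctx == NULL) {
        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                "Init: (%s) Unable to create SSL context", cpVHostID);
        ssl_die();
    }
    /* SSLv23 negotiates everything; mask out the versions not configured */
    SSL_CTX_set_options(ctx, SSL_OP_ALL);
    if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2))
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    if (!(sc->nProtocol & SSL_PROTOCOL_SSLV3))
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
    if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
    SSL_CTX_set_app_data(ctx, s);
    sc->pSSLCtx = ctx;

    /*
     * Configure additional context ingredients
     */
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
    if (mc->nSessionCacheMode == SSL_SCMODE_NONE)
        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
    else
        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);

    /*
     * Disallow a session from being resumed during a renegotiation,
     * so that an acceptable cipher suite can be negotiated.
     */
    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);

    /*
     * Configure callbacks for SSL context.  "require" demands a client
     * certificate, the two "optional" modes only ask for one; the
     * verify callback itself decides what to accept.
     */
    nVerify = SSL_VERIFY_NONE;
    if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE)
        nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    if (   (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL)
        || (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )
        nVerify |= SSL_VERIFY_PEER;
    SSL_CTX_set_verify(ctx, nVerify, ssl_callback_SSLVerify);
    SSL_CTX_sess_set_new_cb(ctx, ssl_callback_NewSessionCacheEntry);
    SSL_CTX_sess_set_get_cb(ctx, ssl_callback_GetSessionCacheEntry);
    SSL_CTX_sess_set_remove_cb(ctx, ssl_callback_DelSessionCacheEntry);
    SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
    SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
    SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);

    /*
     * Configure SSL Cipher Suite
     */
    if (sc->szCipherSuite != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring permitted SSL ciphers [%s]",
                cpVHostID, sc->szCipherSuite);
        if (!SSL_CTX_set_cipher_list(ctx, sc->szCipherSuite)) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure permitted SSL ciphers",
                    cpVHostID);
            ssl_die();
        }
    }

    /*
     * Configure Client Authentication details
     */
    if (sc->szCACertificateFile != NULL || sc->szCACertificatePath != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring client authentication", cpVHostID);
        if (!SSL_CTX_load_verify_locations(ctx,
                                           sc->szCACertificateFile,
                                           sc->szCACertificatePath)) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure verify locations "
                    "for client authentication", cpVHostID);
            ssl_die();
        }
        /* the CA names sent to clients in the certificate request */
        if ((skCAList = ssl_init_FindCAList(s, p, sc->szCACertificateFile,
                                            sc->szCACertificatePath)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR,
                    "Init: (%s) Unable to determine list of available "
                    "CA certificates for client authentication", cpVHostID);
            ssl_die();
        }
        SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);
    }

    /*
     * Configure Certificate Revocation List (CRL) Details
     */
    if (sc->szCARevocationFile != NULL || sc->szCARevocationPath != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring certificate revocation facility", cpVHostID);
        if ((sc->pRevocationStore =
             SSL_X509_STORE_create(sc->szCARevocationFile,
                                   sc->szCARevocationPath)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure X.509 CRL storage "
                    "for certificate revocation", cpVHostID);
            ssl_die();
        }
    }

    /*
     * Give a warning when no CAs were configured but client authentication
     * should take place. This cannot work.
     */
    if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
        skCAList = SSL_CTX_get_client_CA_list(ctx);
        if (sk_X509_NAME_num(skCAList) == 0)
            ssl_log(s, SSL_LOG_WARN,
                    "Init: Ops, you want to request client authentication, "
                    "but no CAs are known for verification!? "
                    "[Hint: SSLCACertificate*]");
    }

    /*
     * Configure server certificate(s).  At least one of the RSA and DSA
     * certificates has to be present in mc->tPublicCert.
     */
    ok = FALSE;
    cp = ap_psprintf(p, "%s:RSA", cpVHostID);
    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring RSA server certificate", cpVHostID);
        ucp = asn1->cpData;
        if ((sc->pPublicCert[SSL_AIDX_RSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to import RSA server certificate",
                    cpVHostID);
            ssl_die();
        }
        if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_RSA]) <= 0) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure RSA server certificate",
                    cpVHostID);
            ssl_die();
        }
        ok = TRUE;
    }
    cp = ap_psprintf(p, "%s:DSA", cpVHostID);
    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring DSA server certificate", cpVHostID);
        ucp = asn1->cpData;
        if ((sc->pPublicCert[SSL_AIDX_DSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to import DSA server certificate",
                    cpVHostID);
            ssl_die();
        }
        if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_DSA]) <= 0) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure DSA server certificate",
                    cpVHostID);
            ssl_die();
        }
        ok = TRUE;
    }
    if (!ok) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) Ops, no RSA or DSA server certificate found?!", cpVHostID);
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) You have to perform a *full* server restart when you added or removed a certificate and/or key file", cpVHostID);
        ssl_die();
    }

    /*
     * Some information about the certificate(s): SGC capability, odd
     * BasicConstraints, and a CommonName that does not match the
     * configured server name.  All of these are warnings only.
     */
    for (i = 0; i < SSL_AIDX_MAX; i++) {
        if (sc->pPublicCert[i] == NULL)
            continue;
        cpKeyType = (i == SSL_AIDX_RSA ? "RSA" : "DSA");
        if (SSL_X509_isSGC(sc->pPublicCert[i])) {
            ssl_log(s, SSL_LOG_INFO,
                    "Init: (%s) %s server certificate enables "
                    "Server Gated Cryptography (SGC)",
                    cpVHostID, cpKeyType);
        }
        if (SSL_X509_getBC(sc->pPublicCert[i], &isca, &pathlen)) {
            if (isca)
                ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate is a CA certificate "
                        "(BasicConstraints: CA == TRUE !?)",
                        cpVHostID, cpKeyType);
            if (pathlen > 0)
                ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate is not a leaf certificate "
                        "(BasicConstraints: pathlen == %d > 0 !?)",
                        cpVHostID, cpKeyType, pathlen);
        }
        if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
            if (ap_is_fnmatch(cp) &&
                ap_fnmatch(cp, s->server_hostname,
                           FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
                ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
                        "does NOT match server name!?", cpVHostID,
                        cpKeyType, cp);
            }
            else if (strNE(s->server_hostname, cp)) {
                ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate CommonName (CN) `%s' "
                        "does NOT match server name!?", cpVHostID,
                        cpKeyType, cp);
            }
        }
    }

    /*
     * Configure server private key(s)
     */
    ok = FALSE;
    cp = ap_psprintf(p, "%s:RSA", cpVHostID);
    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring RSA server private key", cpVHostID);
        ucp = asn1->cpData;
        if ((sc->pPrivateKey[SSL_AIDX_RSA] =
             d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to import RSA server private key",
                    cpVHostID);
            ssl_die();
        }
        /* blinding protects the RSA private operation against timing attacks */
        if (!RSA_blinding_on(sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa, NULL)) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to enable RSA blinding (probably PRNG failure)",
                    cpVHostID);
            ssl_die();
        }
        if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure RSA server private key",
                    cpVHostID);
            ssl_die();
        }
        ok = TRUE;
    }
    cp = ap_psprintf(p, "%s:DSA", cpVHostID);
    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring DSA server private key", cpVHostID);
        ucp = asn1->cpData;
        if ((sc->pPrivateKey[SSL_AIDX_DSA] =
             d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ucp, asn1->nData)) == NULL) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to import DSA server private key",
                    cpVHostID);
            ssl_die();
        }
        if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_DSA]) <= 0) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure DSA server private key",
                    cpVHostID);
            ssl_die();
        }
        ok = TRUE;
    }
    if (!ok) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) Ops, no RSA or DSA server private key found?!", cpVHostID);
        ssl_die();
    }

    /*
     * Optionally copy DSA parameters for certificate from private key
     * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
     */
    if (   sc->pPublicCert[SSL_AIDX_DSA] != NULL
        && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
        pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
        if (   pKey != NULL
            && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA
            && EVP_PKEY_missing_parameters(pKey))
            EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
        /* X509_get_pubkey() hands out a counted reference; the certificate
         * keeps its own, so releasing ours here does not lose the copied
         * parameters (EVP_PKEY_free(NULL) is a no-op) */
        EVP_PKEY_free(pKey);
    }

    /*
     * Optionally configure extra server certificate chain certificates.
     * This is usually done by OpenSSL automatically when one of the
     * server cert issuers are found under SSLCACertificatePath or in
     * SSLCACertificateFile. But because these are intended for client
     * authentication it can conflict. For instance when you use a
     * Global ID server certificate you've to send out the intermediate
     * CA certificate, too. When you would just configure this with
     * SSLCACertificateFile and also use client authentication mod_ssl
     * would accept all clients also issued by this CA. Obviously this
     * isn't what we want in this situation. So this feature here exists
     * to allow one to explicitly configure CA certificates which are
     * used only for the server certificate chain.
     */
    if (sc->szCertificateChain != NULL) {
        /* when the chain file is also a certificate file, its first
         * certificate is the server cert itself and must be skipped */
        bSkipFirst = FALSE;
        for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) {
            if (strEQ(sc->szPublicCertFile[i], sc->szCertificateChain)) {
                bSkipFirst = TRUE;
                break;
            }
        }
        if ((n = SSL_CTX_use_certificate_chain(ctx, sc->szCertificateChain,
                                               bSkipFirst, NULL)) < 0) {
            ssl_log(s, SSL_LOG_ERROR,
                    "Init: (%s) Failed to configure CA certificate chain!", cpVHostID);
            ssl_die();
        }
        ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring "
                "server certificate chain (%d CA certificate%s)", cpVHostID,
                n, n == 1 ? "" : "s");
    }

#ifdef SSL_VENDOR
    ap_hook_use("ap::mod_ssl::vendor::configure_server",
                AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_ALL,
                s, p, sc);
#endif
}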
900
/*
 * Sanity-check the SSL-related configuration of every virtual host in
 * the server list rooted at sm.  Nothing is changed; two kinds of
 * problems are only reported as warnings:
 *
 *  - an SSL-enabled server listening on the standard HTTP port, or a
 *    non-SSL server listening on the standard HTTPS port;
 *  - two or more SSL-enabled servers bound to the same IP:port (only
 *    the first address in s->addrs takes part in this check).  This
 *    matters because a single certificate/key pair then ends up
 *    serving all of them, and which one cannot easily be predicted.
 *
 * sm: head of the server_rec list
 * p:  pool for the vhost-id strings and parent of the scratch sub-pool
 */
void ssl_init_CheckServers(server_rec *sm, pool *p)
{
    server_rec *srv;
    server_rec **slot;
    SSLSrvConfigRec *cfg;
    ssl_ds_table *seen;
    pool *scratch;
    char *addrkey;
    BOOL conflict = FALSE;

    /* protocol/port mismatches */
    for (srv = sm; srv != NULL; srv = srv->next) {
        cfg = mySrvConfig(srv);
        if (cfg->bEnabled && srv->port == DEFAULT_HTTP_PORT) {
            ssl_log(sm, SSL_LOG_WARN,
                    "Init: (%s) You configured HTTPS(%d) on the standard HTTP(%d) port!",
                    ssl_util_vhostid(p, srv), DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
        }
        if (!cfg->bEnabled && srv->port == DEFAULT_HTTPS_PORT) {
            ssl_log(sm, SSL_LOG_WARN,
                    "Init: (%s) You configured HTTP(%d) on the standard HTTPS(%d) port!",
                    ssl_util_vhostid(p, srv), DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
        }
    }

    /* duplicate IP:port detection; the lookup table lives in a throw-away sub-pool */
    scratch = ap_make_sub_pool(p);
    seen = ssl_ds_table_make(scratch, sizeof(server_rec *));
    for (srv = sm; srv != NULL; srv = srv->next) {
        cfg = mySrvConfig(srv);
        if (!cfg->bEnabled || srv->addrs == NULL)
            continue;
        addrkey = ap_psprintf(scratch, "%pA:%u",
                              &srv->addrs->host_addr, srv->addrs->host_port);
        slot = ssl_ds_table_get(seen, addrkey);
        if (slot == NULL) {
            /* first SSL server on this address: remember it */
            slot = ssl_ds_table_push(seen, addrkey);
            *slot = srv;
            continue;
        }
        ssl_log(sm, SSL_LOG_WARN,
                "Init: SSL server IP/port conflict: %s (%s:%d) vs. %s (%s:%d)",
                ssl_util_vhostid(p, srv),
                (srv->defn_name != NULL ? srv->defn_name : "unknown"),
                srv->defn_line_number,
                ssl_util_vhostid(p, *slot),
                ((*slot)->defn_name != NULL ? (*slot)->defn_name : "unknown"),
                (*slot)->defn_line_number);
        conflict = TRUE;
    }
    ssl_ds_table_kill(seen);
    ap_destroy_pool(scratch);

    if (conflict)
        ssl_log(sm, SSL_LOG_WARN,
                "Init: You should not use name-based virtual hosts in conjunction with SSL!!");
}
967
/*
 * Comparison callback for the sorted X509_NAME stack built by
 * ssl_init_FindCAList.  The stack hands over pointers to its slots,
 * so both are dereferenced before delegating to X509_NAME_cmp.
 */
static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
{
    X509_NAME *lhs = *a;
    X509_NAME *rhs = *b;

    return X509_NAME_cmp(lhs, rhs);
}
972
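/*
 * Read every CA subject name from the PEM file cpFile and merge it into
 * skCAList, dropping names that are already present (the stack's
 * comparator makes sk_X509_NAME_find meaningful).  A file that
 * SSL_load_client_CA_file cannot parse yields NULL and is skipped
 * without a log message; this also covers the "." and ".." entries
 * and any non-certificate files seen during a directory scan.
 *
 * s:        server used for trace logging
 * skCAList: destination stack; it takes ownership of the pushed names
 * cpFile:   path of the PEM file to read
 */
static void ssl_init_FindCAList_AddFile(server_rec *s, STACK_OF(X509_NAME) *skCAList, const char *cpFile)
{
    STACK_OF(X509_NAME) *sk;
    char buf[256];
    int n;

    sk = SSL_load_client_CA_file(cpFile);
    if (sk == NULL)
        return;
    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
        X509_NAME *name = sk_X509_NAME_value(sk, n);
        ssl_log(s, SSL_LOG_TRACE,
                "CA certificate: %s",
                X509_NAME_oneline(name, buf, sizeof(buf)));
        if (sk_X509_NAME_find(skCAList, name) < 0)
            sk_X509_NAME_push(skCAList, name); /* now owned by skCAList */
        else
            X509_NAME_free(name);
    }
    /* only the container is freed here; the names moved to skCAList */
    sk_X509_NAME_free(sk);
}

/*
 * Build the list of CA subject names found in the CA bundle file
 * cpCAfile (may be NULL) and in every file below the directory
 * cpCApath (may be NULL).  Every directory entry is parsed, so cpCApath
 * should contain nothing but CA certificates.  Names are logged at
 * trace level as they are read and each name appears once in the
 * result.  The returned stack is OpenSSL-allocated and ownership passes
 * to the caller; its comparator is detached before returning so later
 * pushes by the caller do not re-sort it.
 *
 * s:  server used for logging
 * pp: parent pool; a sub-pool holds the path strings and directory
 *     handle and is destroyed before returning
 *
 * Fatal problems -- the stack cannot be allocated, or cpCApath cannot
 * be opened -- are logged and end in ssl_die(), like the other
 * init-time failures in this module.  Previously an unreadable
 * cpCApath made readdir() run on a NULL handle.
 */
STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile, char *cpCApath)
{
    STACK_OF(X509_NAME) *skCAList;
    DIR *dir;
    struct DIR_TYPE *direntry;
    char *cp;
    pool *p;

    /* sub-pool: the server pool lives for the whole run, don't bloat it */
    p = ap_make_sub_pool(pp);

    /* empty stack; the comparator keeps it sorted and makes find work */
    skCAList = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
    if (skCAList == NULL) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: Failed to allocate the CA certificate name list");
        ssl_die();
    }

    /* CA certificate bundle file */
    if (cpCAfile != NULL)
        ssl_init_FindCAList_AddFile(s, skCAList, cpCAfile);

    /* every file inside the CA certificate directory */
    if (cpCApath != NULL) {
        dir = ap_popendir(p, cpCApath);
        if (dir == NULL) {
            /* readdir() on a NULL handle would crash the server */
            ssl_log(s, SSL_LOG_ERROR,
                    "Init: Failed to open CA certificate path `%s'", cpCApath);
            ssl_die();
        }
        else {
            while ((direntry = readdir(dir)) != NULL) {
                cp = ap_pstrcat(p, cpCApath, "/", direntry->d_name, NULL);
                ssl_init_FindCAList_AddFile(s, skCAList, cp);
            }
            ap_pclosedir(p, dir);
        }
    }

    /* detach the comparator so the caller's list order stays stable */
    sk_X509_NAME_set_cmp_func(skCAList, NULL);
    ap_destroy_pool(p);

    return skCAList;
}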
1046
/*
 * Per-child initialisation.  The only work a freshly forked child has
 * to do is re-open the mutex lock file via ssl_mutex_reinit(s, p).
 */
void ssl_init_Child(server_rec *s, pool *p)
{
    ssl_mutex_reinit(s, p);
}
1053
/*
 * Per-child teardown hook.  There is no per-child state to release at
 * present, so the hook is a no-op and its argument is unused.
 */
void ssl_init_ChildKill(void *data)
{
    (void)data; /* unused */
}
1059
/*
 * Module teardown; data is the head of the server_rec list.  Drops the
 * session cache and the mutex, frees the temporary keys/params, then
 * releases the OpenSSL objects that each per-server config holds
 * outside the pool: the revocation store, the RSA and DSA certificates
 * and private keys, and the SSL_CTX.  Every freed pointer is reset to
 * NULL so it cannot be freed a second time.  When built as a shared
 * module the OpenSSL library state is released too, and finally the
 * thread-locking helpers are torn down.
 */
void ssl_init_ModuleKill(void *data)
{
    static const int aidx[] = { SSL_AIDX_RSA, SSL_AIDX_DSA };
    const int naidx = (int)(sizeof(aidx) / sizeof(aidx[0]));
    server_rec *s = (server_rec *)data;
    SSLSrvConfigRec *sc;
    int k;

    ssl_scache_kill(s);
    ssl_mutex_kill(s);

    ssl_init_TmpKeysHandle(SSL_TKP_FREE, s, NULL);

    for (; s != NULL; s = s->next) {
        sc = mySrvConfig(s);

        if (sc->pRevocationStore != NULL) {
            X509_STORE_free(sc->pRevocationStore);
            sc->pRevocationStore = NULL;
        }
        /* certificates first (RSA, then DSA) ... */
        for (k = 0; k < naidx; k++) {
            if (sc->pPublicCert[aidx[k]] != NULL) {
                X509_free(sc->pPublicCert[aidx[k]]);
                sc->pPublicCert[aidx[k]] = NULL;
            }
        }
        /* ... then the matching private keys, same order */
        for (k = 0; k < naidx; k++) {
            if (sc->pPrivateKey[aidx[k]] != NULL) {
                EVP_PKEY_free(sc->pPrivateKey[aidx[k]]);
                sc->pPrivateKey[aidx[k]] = NULL;
            }
        }
        if (sc->pSSLCtx != NULL) {
            SSL_CTX_free(sc->pSSLCtx);
            sc->pSSLCtx = NULL;
        }
    }

    /* release the SSL library's own internal state */
#ifdef SHARED_MODULE
    ERR_free_strings();
    ERR_remove_state(0);
    EVP_cleanup();
#endif

    ssl_util_thread_cleanup();
}
1121