1 /* $OpenBSD: ssl_engine_init.c,v 1.27 2005/02/09 12:13:10 henning Exp $ */
2 
3 /*                      _             _
4 **  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
5 ** | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
6 ** | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
7 ** |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
8 **                      |_____|
9 **  ssl_engine_init.c
10 **  Initialization of Servers
11 */
12 
13 /* ====================================================================
14  * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  *
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  *
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following
25  *    disclaimer in the documentation and/or other materials
26  *    provided with the distribution.
27  *
28  * 3. All advertising materials mentioning features or use of this
29  *    software must display the following acknowledgment:
30  *    "This product includes software developed by
31  *     Ralf S. Engelschall <rse@engelschall.com> for use in the
32  *     mod_ssl project (http://www.modssl.org/)."
33  *
34  * 4. The names "mod_ssl" must not be used to endorse or promote
35  *    products derived from this software without prior written
36  *    permission. For written permission, please contact
37  *    rse@engelschall.com.
38  *
39  * 5. Products derived from this software may not be called "mod_ssl"
40  *    nor may "mod_ssl" appear in their names without prior
41  *    written permission of Ralf S. Engelschall.
42  *
43  * 6. Redistributions of any form whatsoever must retain the following
44  *    acknowledgment:
45  *    "This product includes software developed by
46  *     Ralf S. Engelschall <rse@engelschall.com> for use in the
47  *     mod_ssl project (http://www.modssl.org/)."
48  *
49  * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
50  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
51  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
52  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
53  * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
54  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
55  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
56  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
57  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
58  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
59  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
60  * OF THE POSSIBILITY OF SUCH DAMAGE.
61  * ====================================================================
62  */
63 
64 /* ====================================================================
65  * Copyright (c) 1995-1999 Ben Laurie. All rights reserved.
66  *
67  * Redistribution and use in source and binary forms, with or without
68  * modification, are permitted provided that the following conditions
69  * are met:
70  *
71  * 1. Redistributions of source code must retain the above copyright
72  *    notice, this list of conditions and the following disclaimer.
73  *
74  * 2. Redistributions in binary form must reproduce the above copyright
75  *    notice, this list of conditions and the following disclaimer in
76  *    the documentation and/or other materials provided with the
77  *    distribution.
78  *
79  * 3. All advertising materials mentioning features or use of this
80  *    software must display the following acknowledgment:
81  *    "This product includes software developed by Ben Laurie
82  *    for use in the Apache-SSL HTTP server project."
83  *
84  * 4. The name "Apache-SSL Server" must not be used to
85  *    endorse or promote products derived from this software without
86  *    prior written permission.
87  *
88  * 5. Redistributions of any form whatsoever must retain the following
89  *    acknowledgment:
90  *    "This product includes software developed by Ben Laurie
91  *    for use in the Apache-SSL HTTP server project."
92  *
93  * THIS SOFTWARE IS PROVIDED BY BEN LAURIE ``AS IS'' AND ANY
94  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
95  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
96  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL BEN LAURIE OR
97  * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
98  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
99  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
100  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
101  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
102  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
103  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
104  * OF THE POSSIBILITY OF SUCH DAMAGE.
105  * ====================================================================
106  */
107                              /* ``Recursive, adj.;
108                                   see Recursive.''
109                                         -- Unknown   */
110 #include "mod_ssl.h"
111 
112 
113 /*  _________________________________________________________________
114 **
115 **  Module Initialization
116 **  _________________________________________________________________
117 */
118 
119 /*
120  *  Per-module initialization
121  */
ssl_init_Module(server_rec * s,pool * p)122 void ssl_init_Module(server_rec *s, pool *p)
123 {
124     SSLModConfigRec *mc = myModConfig();
125     SSLSrvConfigRec *sc;
126     server_rec *s2;
127     char *cp;
128     int SSLenabled = 0;
129 
130     mc->nInitCount++;
131 
132     /*
133      * Let us cleanup on restarts and exists
134      */
135     ap_register_cleanup(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);
136 
137     /*
138      * Any init round fixes the global config
139      */
140     ssl_config_global_create(); /* just to avoid problems */
141     ssl_config_global_fix();
142 
143     /*
144      *  try to fix the configuration and open the dedicated SSL
145      *  logfile as early as possible
146      */
147     for (s2 = s; s2 != NULL; s2 = s2->next) {
148         sc = mySrvConfig(s2);
149 
150         /* Fix up stuff that may not have been set */
151         if (sc->bEnabled == UNSET)
152             sc->bEnabled = FALSE;
153         if (sc->nVerifyClient == SSL_CVERIFY_UNSET)
154             sc->nVerifyClient = SSL_CVERIFY_NONE;
155         if (sc->nVerifyDepth == UNSET)
156             sc->nVerifyDepth = 1;
157 #ifdef SSL_EXPERIMENTAL_PROXY
158         if (sc->nProxyVerifyDepth == UNSET)
159             sc->nProxyVerifyDepth = 1;
160 #endif
161         if (sc->nSessionCacheTimeout == UNSET)
162             sc->nSessionCacheTimeout = SSL_SESSION_CACHE_TIMEOUT;
163         if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET)
164             sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
165 
166         /* Open the dedicated SSL logfile */
167         if (!ap_server_is_chrooted())
168             ssl_log_open(s, s2, p);
169     }
170 
171     /*
172      * Identification
173      */
174     if (mc->nInitCount == 1) {
175         ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s",
176                 SERVER_BASEVERSION,
177                 ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"),
178                 ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
179     }
180 
181     /*
182      * Initialization round information
183      */
184     if (mc->nInitCount == 1)
185         ssl_log(s, SSL_LOG_INFO, "Init: 1st startup round (still not detached)");
186     else if (mc->nInitCount == 2)
187         ssl_log(s, SSL_LOG_INFO, "Init: 2nd startup round (already detached)");
188     else
189         ssl_log(s, SSL_LOG_INFO, "Init: %d%s restart round (already detached)",
190                 mc->nInitCount-2, (mc->nInitCount-2) == 1 ? "st" : "nd");
191 
192 #ifdef SSL_VENDOR
193     ap_hook_use("ap::mod_ssl::vendor::init_module",
194                 AP_HOOK_SIG3(void,ptr,ptr), AP_HOOK_ALL, s, p);
195 #endif
196 
197     /*
198      *  The initialization phase inside the Apache API is totally bogus.
199      *  We actually have three non-trivial problems:
200      *
201      *  1. Under Unix the API does a 2-round initialization of modules while
202      *     under Win32 it doesn't. This means we have to make sure that at
203      *     least the pass phrase dialog doesn't occur twice.  We overcome this
204      *     problem by using a counter (mc->nInitCount) which has to
205      *     survive the init rounds.
206      *
207      *  2. Between the first and the second round Apache detaches from
208      *     the terminal under Unix. This means that our pass phrase dialog
209      *     _has_ to be done in the first round and _cannot_ be done in the
210      *     second round.
211      *
212      *  3. When Dynamic Shared Object (DSO) mechanism is used under Unix the
213      *     module segment (code & data) gets unloaded and re-loaded between
214      *     the first and the second round. This means no global data survives
215      *     between first and the second init round. We overcome this by using
216      *     an entry ("ssl_module") inside the ap_global_ctx.
217      *
218      *  The situation as a table:
219      *
220      *  Unix/static Unix/DSO          Win32     Action Required
221      *              (-DSHARED_MODULE) (-DWIN32)
222      *  ----------- ----------------- --------- -----------------------------------
223      *  -           load module       -         -
224      *  init        init              init      SSL library init, Pass Phrase Dialog
225      *  detach      detach            -         -
226      *  -           reload module     -         -
227      *  init        init              -         SSL library init, mod_ssl init
228      *
229      *  Ok, now try to solve this totally ugly situation...
230      */
231 
232 #ifdef SHARED_MODULE
233     ssl_log(s, SSL_LOG_INFO, "Init: %snitializing %s library",
234             mc->nInitCount == 1 ? "I" : "Rei", SSL_LIBRARY_NAME);
235 #ifdef SSL_EXPERIMENTAL_ENGINE
236     ssl_init_Engine(s, p);
237 #endif
238     ssl_init_SSLLibrary();
239 #else
240     if (mc->nInitCount <= 2) {
241         ssl_log(s, SSL_LOG_INFO, "Init: %snitializing %s library",
242                 mc->nInitCount == 1 ? "I" : "Rei", SSL_LIBRARY_NAME);
243 #ifdef SSL_EXPERIMENTAL_ENGINE
244         ssl_init_Engine(s, p);
245 #endif
246         ssl_init_SSLLibrary();
247     }
248 #endif
249     if (mc->nInitCount == 1) {
250         ssl_pphrase_Handle(s, p);
251         return;
252     }
253 
254     for (s2 = s; s2 != NULL; s2 = s2->next) {
255         sc = mySrvConfig(s2);
256        /* find out if anyone's actually doing SSL */
257         if (sc->bEnabled)
258             SSLenabled = 1;
259     }
260     if (SSLenabled) /* skip expensive bits if we're not doing SSL */
261       ssl_init_TmpKeysHandle(SSL_TKP_GEN, s, p);
262 
263     /*
264      * SSL external crypto device ("engine") support
265      */
266 #ifdef SSL_EXPERIMENTAL_ENGINE
267     ssl_init_Engine(s, p);
268 #endif
269 
270     /*
271      * Warn the user that he should use the session cache.
272      * But we can operate without it, of course.
273      */
274     if (mc->nSessionCacheMode == SSL_SCMODE_UNSET) {
275         ssl_log(s, SSL_LOG_WARN,
276                 "Init: Session Cache is not configured [hint: SSLSessionCache]");
277         mc->nSessionCacheMode = SSL_SCMODE_NONE;
278     }
279 
280     /*
281      *  initialize the mutex handling and session caching
282      */
283     ssl_mutex_init(s, p);
284     ssl_scache_init(s, p);
285 
286     /*
287      * Seed the Pseudo Random Number Generator (PRNG)
288      */
289     ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
290 
291     /*
292      *  allocate the temporary RSA keys and DH params
293      */
294     if (SSLenabled)  /* skip expensive bits if we're not doing SSL */
295 	ssl_init_TmpKeysHandle(SSL_TKP_ALLOC, s, p);
296 
297     /*
298      *  initialize servers
299      */
300     ssl_log(s, SSL_LOG_INFO, "Init: Initializing (virtual) servers for SSL");
301     for (s2 = s; s2 != NULL; s2 = s2->next) {
302         sc = mySrvConfig(s2);
303         /*
304          * Either now skip this server when SSL is disabled for
305          * it or give out some information about what we're
306          * configuring.
307          */
308         if (!sc->bEnabled)
309             continue;
310         ssl_log(s2, SSL_LOG_INFO,
311                 "Init: Configuring server %s for SSL protocol",
312                 ssl_util_vhostid(p, s2));
313 
314         /*
315          * Read the server certificate and key
316          */
317         ssl_init_ConfigureServer(s2, p, sc);
318     }
319 
320     /*
321      * Configuration consistency checks
322      */
323     ssl_init_CheckServers(s, p);
324 
325     /*
326      *  Announce mod_ssl and SSL library in HTTP Server field
327      *  as ``mod_ssl/X.X.X OpenSSL/X.X.X''
328      */
329     if ((cp = ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_PRODUCT")) != NULL && cp[0] != NUL)
330         ap_add_version_component(cp);
331     ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_INTERFACE"));
332     ap_add_version_component(ssl_var_lookup(p, NULL, NULL, NULL, "SSL_VERSION_LIBRARY"));
333 
334     return;
335 }
336 
337 /*
338  *  Initialize SSL library (also already needed for the pass phrase dialog)
339  */
ssl_init_SSLLibrary(void)340 void ssl_init_SSLLibrary(void)
341 {
342     SSL_load_error_strings();
343     SSL_library_init();
344     ssl_util_thread_setup();
345     X509V3_add_standard_extensions();
346     return;
347 }
348 
349 /*
350  * Support for external a Crypto Device ("engine"), usually
351  * a hardware accellerator card for crypto operations.
352  */
353 #ifdef SSL_EXPERIMENTAL_ENGINE
ssl_init_Engine(server_rec * s,pool * p)354 void ssl_init_Engine(server_rec *s, pool *p)
355 {
356     SSLModConfigRec *mc = myModConfig();
357     ENGINE *e;
358 
359     if (mc->szCryptoDevice != NULL) {
360         if ((e = ENGINE_by_id(mc->szCryptoDevice)) == NULL) {
361             ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load Crypto Device API `%s'",
362                     mc->szCryptoDevice);
363             ssl_die();
364         }
365         if (strEQ(mc->szCryptoDevice, "chil"))
366             ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
367         if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
368             ssl_log(s, SSL_LOG_ERROR, "Init: Failed to enable Crypto Device API `%s'",
369                     mc->szCryptoDevice);
370             ssl_die();
371         }
372         ENGINE_free(e);
373     }
374     return;
375 }
376 #endif
377 
378 /*
379  * Handle the Temporary RSA Keys and DH Params
380  */
ssl_init_TmpKeysHandle(int action,server_rec * s,pool * p)381 void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p)
382 {
383     SSLModConfigRec *mc = myModConfig();
384     ssl_asn1_t *asn1;
385     unsigned char *ucp;
386     RSA *rsa;
387     DH *dh;
388 
389     /* Generate Keys and Params */
390     if (action == SSL_TKP_GEN) {
391 
392         /* seed PRNG */
393         ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
394 
395         /* generate 512 bit RSA key */
396         ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");
397         if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
398             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
399                     "Init: Failed to generate temporary 512 bit RSA private key");
400             ssl_die();
401         }
402         asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512");
403         asn1->nData  = i2d_RSAPrivateKey(rsa, NULL);
404         asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
405         ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
406         RSA_free(rsa);
407 
408         /* generate 1024 bit RSA key */
409         if ((rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
410             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
411                     "Init: Failed to generate temporary 1024 bit RSA private key");
412             ssl_die();
413         }
414         asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:1024");
415         asn1->nData  = i2d_RSAPrivateKey(rsa, NULL);
416         asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
417         ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
418         RSA_free(rsa);
419 
420         ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");
421 
422         /* import 512 bit DH param */
423         if ((dh = ssl_dh_GetTmpParam(512)) == NULL) {
424             ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 512 bit DH parameters");
425             ssl_die();
426         }
427         asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:512");
428         asn1->nData  = i2d_DHparams(dh, NULL);
429         asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
430         ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */
431         DH_free(dh);
432 
433         /* import 1024 bit DH param */
434         if ((dh = ssl_dh_GetTmpParam(1024)) == NULL) {
435             ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 1024 bit DH parameters");
436             ssl_die();
437         }
438         asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:1024");
439         asn1->nData  = i2d_DHparams(dh, NULL);
440         asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
441         ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */
442         DH_free(dh);
443     }
444 
445     /* Allocate Keys and Params */
446     else if (action == SSL_TKP_ALLOC) {
447 
448         ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary RSA private keys (512/1024 bits)");
449 
450         /* allocate 512 bit RSA key */
451         if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "RSA:512")) != NULL) {
452             ucp = asn1->cpData;
453             if ((mc->pTmpKeys[SSL_TKPIDX_RSA512] =
454                  (void *)d2i_RSAPrivateKey(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
455                 ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit RSA private key");
456                 ssl_die();
457             }
458 	    if (RSA_blinding_on ((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512], NULL) != 1) {
459 		ssl_log(s, SSL_LOG_ERROR, "Init: Failed to add blinding for temporary 512 bit RSA private key");
460                 ssl_die();
461 	    }
462         }
463 
464         /* allocate 1024 bit RSA key */
465         if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "RSA:1024")) != NULL) {
466             ucp = asn1->cpData;
467             if ((mc->pTmpKeys[SSL_TKPIDX_RSA1024] =
468                  (void *)d2i_RSAPrivateKey(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
469                 ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit RSA private key");
470                 ssl_die();
471             }
472 	    if (RSA_blinding_on ((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024], NULL) != 1) {
473 		ssl_log(s, SSL_LOG_ERROR, "Init: Failed to add blinding for temporary 1024 bit RSA private key");
474                 ssl_die();
475 	    }
476         }
477 
478         ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");
479 
480         /* allocate 512 bit DH param */
481         if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "DH:512")) != NULL) {
482             ucp = asn1->cpData;
483             if ((mc->pTmpKeys[SSL_TKPIDX_DH512] =
484                  (void *)d2i_DHparams(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
485                 ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit DH parameters");
486                 ssl_die();
487             }
488         }
489 
490         /* allocate 1024 bit DH param */
491         if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "DH:1024")) != NULL) {
492             ucp = asn1->cpData;
493             if ((mc->pTmpKeys[SSL_TKPIDX_DH1024] =
494                  (void *)d2i_DHparams(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
495                 ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit DH parameters");
496                 ssl_die();
497             }
498         }
499     }
500 
501     /* Free Keys and Params */
502     else if (action == SSL_TKP_FREE) {
503         if (mc->pTmpKeys[SSL_TKPIDX_RSA512] != NULL) {
504             RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512]);
505             mc->pTmpKeys[SSL_TKPIDX_RSA512] = NULL;
506         }
507         if (mc->pTmpKeys[SSL_TKPIDX_RSA1024] != NULL) {
508             RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]);
509             mc->pTmpKeys[SSL_TKPIDX_RSA1024] = NULL;
510         }
511         if (mc->pTmpKeys[SSL_TKPIDX_DH512] != NULL) {
512             DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH512]);
513             mc->pTmpKeys[SSL_TKPIDX_DH512] = NULL;
514         }
515         if (mc->pTmpKeys[SSL_TKPIDX_DH1024] != NULL) {
516             DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]);
517             mc->pTmpKeys[SSL_TKPIDX_DH1024] = NULL;
518         }
519     }
520     return;
521 }
522 
523 /*
524  * Configure a particular server
525  */
ssl_init_ConfigureServer(server_rec * s,pool * p,SSLSrvConfigRec * sc)526 void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
527 {
528     SSLModConfigRec *mc = myModConfig();
529     int nVerify;
530     char *cpVHostID;
531     EVP_PKEY *pKey;
532     SSL_CTX *ctx;
533     STACK_OF(X509_NAME) *skCAList;
534     ssl_asn1_t *asn1;
535     unsigned char *ucp;
536     char *cp;
537     BOOL ok;
538     BOOL bSkipFirst;
539     int isca, pathlen;
540     int i, n;
541 
542     /*
543      * Create the server host:port string because we need it a lot
544      */
545     cpVHostID = ssl_util_vhostid(p, s);
546 
547     /*
548      * Now check for important parameters and the
549      * possibility that the user forgot to set them.
550      */
551     if (sc->szPublicCertFile[0] == NULL) {
552         ssl_log(s, SSL_LOG_ERROR,
553                 "Init: (%s) No SSL Certificate set [hint: SSLCertificateFile]",
554                 cpVHostID);
555         ssl_die();
556     }
557 
558     /*
559      *  Check for problematic re-initializations
560      */
561     if (sc->pPublicCert[SSL_AIDX_RSA] != NULL ||
562         sc->pPublicCert[SSL_AIDX_DSA] != NULL   ) {
563         ssl_log(s, SSL_LOG_ERROR,
564                 "Init: (%s) Illegal attempt to re-initialise SSL for server "
565                 "(theoretically shouldn't happen!)", cpVHostID);
566         ssl_die();
567     }
568 
569     /*
570      *  Create the new per-server SSL context
571      */
572     if (sc->nProtocol == SSL_PROTOCOL_NONE) {
573         ssl_log(s, SSL_LOG_ERROR,
574                 "Init: (%s) No SSL protocols available [hint: SSLProtocol]",
575                 cpVHostID);
576         ssl_die();
577     }
578     cp = ap_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
579                        (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
580                        (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
581     cp[strlen(cp)-2] = NUL;
582     ssl_log(s, SSL_LOG_TRACE,
583             "Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, cp);
584     if (sc->nProtocol == SSL_PROTOCOL_SSLV2)
585         ctx = SSL_CTX_new(SSLv2_server_method());  /* only SSLv2 is left */
586     else
587         ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
588     SSL_CTX_set_options(ctx, SSL_OP_ALL);
589     if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2))
590         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
591     if (!(sc->nProtocol & SSL_PROTOCOL_SSLV3))
592         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
593     if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
594         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
595     SSL_CTX_set_app_data(ctx, s);
596     sc->pSSLCtx = ctx;
597 
598     /*
599      * Configure additional context ingredients
600      */
601     SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
602     if (mc->nSessionCacheMode == SSL_SCMODE_NONE)
603         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
604     else
605         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
606 
607     /*
608      * Disallow a session from being resumed during a renegotiation,
609      * so that an acceptable cipher suite can be negotiated.
610      */
611     SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
612 
613     /*
614      *  Configure callbacks for SSL context
615      */
616     nVerify = SSL_VERIFY_NONE;
617     if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE)
618         nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
619     if (   (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL)
620         || (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )
621         nVerify |= SSL_VERIFY_PEER;
622     SSL_CTX_set_verify(ctx, nVerify,  ssl_callback_SSLVerify);
623     SSL_CTX_sess_set_new_cb(ctx,      ssl_callback_NewSessionCacheEntry);
624     SSL_CTX_sess_set_get_cb(ctx,      ssl_callback_GetSessionCacheEntry);
625     SSL_CTX_sess_set_remove_cb(ctx,   ssl_callback_DelSessionCacheEntry);
626     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
627     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
628     SSL_CTX_set_info_callback(ctx,    ssl_callback_LogTracingState);
629 
630     /*
631      *  Configure SSL Cipher Suite
632      */
633     if (sc->szCipherSuite != NULL) {
634         ssl_log(s, SSL_LOG_TRACE,
635                 "Init: (%s) Configuring permitted SSL ciphers [%s]",
636                 cpVHostID, sc->szCipherSuite);
637         if (!SSL_CTX_set_cipher_list(ctx, sc->szCipherSuite)) {
638             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
639                     "Init: (%s) Unable to configure permitted SSL ciphers",
640                     cpVHostID);
641             ssl_die();
642         }
643     }
644 
645     /*
646      * Configure Client Authentication details
647      */
648     if (sc->szCACertificateFile != NULL || sc->szCACertificatePath != NULL) {
649         ssl_log(s, SSL_LOG_TRACE,
650                 "Init: (%s) Configuring client authentication", cpVHostID);
651         if (!SSL_CTX_load_verify_locations(ctx,
652                                            sc->szCACertificateFile,
653                                            sc->szCACertificatePath)) {
654             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
655                     "Init: (%s) Unable to configure verify locations "
656                     "for client authentication", cpVHostID);
657             ssl_die();
658         }
659         if ((skCAList = ssl_init_FindCAList(s, p, sc->szCACertificateFile,
660                                             sc->szCACertificatePath)) == NULL) {
661             ssl_log(s, SSL_LOG_ERROR,
662                     "Init: (%s) Unable to determine list of available "
663                     "CA certificates for client authentication", cpVHostID);
664             ssl_die();
665         }
666         SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);
667     }
668 
669     /*
670      * Configure Certificate Revocation List (CRL) Details
671      */
672     if (sc->szCARevocationFile != NULL || sc->szCARevocationPath != NULL) {
673         ssl_log(s, SSL_LOG_TRACE,
674                 "Init: (%s) Configuring certificate revocation facility", cpVHostID);
675         if ((sc->pRevocationStore =
676                 SSL_X509_STORE_create(sc->szCARevocationFile,
677                                       sc->szCARevocationPath)) == NULL) {
678             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
679                     "Init: (%s) Unable to configure X.509 CRL storage "
680                     "for certificate revocation", cpVHostID);
681             ssl_die();
682         }
683     }
684 
685     /*
686      * Give a warning when no CAs were configured but client authentication
687      * should take place. This cannot work.
688      */
689     if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
690         skCAList = SSL_CTX_get_client_CA_list(ctx);
691         if (sk_X509_NAME_num(skCAList) == 0)
692             ssl_log(s, SSL_LOG_WARN,
693                     "Init: Ops, you want to request client authentication, "
694                     "but no CAs are known for verification!? "
695                     "[Hint: SSLCACertificate*]");
696     }
697 
698     /*
699      *  Configure server certificate(s)
700      */
701     ok = FALSE;
702     cp = ap_psprintf(p, "%s:RSA", cpVHostID);
703     if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
704         ssl_log(s, SSL_LOG_TRACE,
705                 "Init: (%s) Configuring RSA server certificate", cpVHostID);
706         ucp = asn1->cpData;
707         if ((sc->pPublicCert[SSL_AIDX_RSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
708             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
709                     "Init: (%s) Unable to import RSA server certificate",
710                     cpVHostID);
711             ssl_die();
712         }
713         if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_RSA]) <= 0) {
714             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
715                     "Init: (%s) Unable to configure RSA server certificate",
716                     cpVHostID);
717             ssl_die();
718         }
719         ok = TRUE;
720     }
721     cp = ap_psprintf(p, "%s:DSA", cpVHostID);
722     if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {
723         ssl_log(s, SSL_LOG_TRACE,
724                 "Init: (%s) Configuring DSA server certificate", cpVHostID);
725         ucp = asn1->cpData;
726         if ((sc->pPublicCert[SSL_AIDX_DSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
727             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
728                     "Init: (%s) Unable to import DSA server certificate",
729                     cpVHostID);
730             ssl_die();
731         }
732         if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_DSA]) <= 0) {
733             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
734                     "Init: (%s) Unable to configure DSA server certificate",
735                     cpVHostID);
736             ssl_die();
737         }
738         ok = TRUE;
739     }
740     if (!ok) {
741         ssl_log(s, SSL_LOG_ERROR,
742                 "Init: (%s) Ops, no RSA or DSA server certificate found?!", cpVHostID);
743         ssl_log(s, SSL_LOG_ERROR,
744                 "Init: (%s) You have to perform a *full* server restart when you added or removed a certificate and/or key file", cpVHostID);
745         ssl_die();
746     }
747 
748     /*
749      * Some information about the certificate(s)
750      */
751     for (i = 0; i < SSL_AIDX_MAX; i++) {
752         if (sc->pPublicCert[i] != NULL) {
753             if (SSL_X509_isSGC(sc->pPublicCert[i])) {
754                 ssl_log(s, SSL_LOG_INFO,
755                         "Init: (%s) %s server certificate enables "
756                         "Server Gated Cryptography (SGC)",
757                         cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
758             }
759             if (SSL_X509_getBC(sc->pPublicCert[i], &isca, &pathlen)) {
760                 if (isca)
761                     ssl_log(s, SSL_LOG_WARN,
762                         "Init: (%s) %s server certificate is a CA certificate "
763                         "(BasicConstraints: CA == TRUE !?)",
764                         cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
765                 if (pathlen > 0)
766                     ssl_log(s, SSL_LOG_WARN,
767                         "Init: (%s) %s server certificate is not a leaf certificate "
768                         "(BasicConstraints: pathlen == %d > 0 !?)",
769                         cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen);
770             }
771             if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
772                 if (ap_is_fnmatch(cp) &&
773                     ap_fnmatch(cp, s->server_hostname,
774                                FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
775                     ssl_log(s, SSL_LOG_WARN,
776                         "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
777                         "does NOT match server name!?", cpVHostID,
778                         (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
779                 }
780                 else if (strNE(s->server_hostname, cp)) {
781                     ssl_log(s, SSL_LOG_WARN,
782                         "Init: (%s) %s server certificate CommonName (CN) `%s' "
783                         "does NOT match server name!?", cpVHostID,
784                         (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
785                 }
786             }
787         }
788     }
789 
790     /*
791      *  Configure server private key(s)
792      */
793     ok = FALSE;
794     cp = ap_psprintf(p, "%s:RSA", cpVHostID);
795     if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
796         ssl_log(s, SSL_LOG_TRACE,
797                 "Init: (%s) Configuring RSA server private key", cpVHostID);
798         ucp = asn1->cpData;
799         if ((sc->pPrivateKey[SSL_AIDX_RSA] =
800              d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)) == NULL) {
801             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
802                     "Init: (%s) Unable to import RSA server private key",
803                     cpVHostID);
804             ssl_die();
805         }
806         if (!RSA_blinding_on(sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa, NULL)) {
807             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
808                     "Init: (%s) Unable to enable RSA blinding (probably PRNG failure)",
809                     cpVHostID);
810             ssl_die();
811         }
812         if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
813             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
814                     "Init: (%s) Unable to configure RSA server private key",
815                     cpVHostID);
816             ssl_die();
817         }
818         ok = TRUE;
819     }
820     cp = ap_psprintf(p, "%s:DSA", cpVHostID);
821     if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
822         ssl_log(s, SSL_LOG_TRACE,
823                 "Init: (%s) Configuring DSA server private key", cpVHostID);
824         ucp = asn1->cpData;
825         if ((sc->pPrivateKey[SSL_AIDX_DSA] =
826              d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ucp, asn1->nData)) == NULL) {
827             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
828                     "Init: (%s) Unable to import DSA server private key",
829                     cpVHostID);
830             ssl_die();
831         }
832         if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_DSA]) <= 0) {
833             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
834                     "Init: (%s) Unable to configure DSA server private key",
835                     cpVHostID);
836             ssl_die();
837         }
838         ok = TRUE;
839     }
840     if (!ok) {
841         ssl_log(s, SSL_LOG_ERROR,
842                 "Init: (%s) Ops, no RSA or DSA server private key found?!", cpVHostID);
843         ssl_die();
844     }
845 
846     /*
847      * Optionally copy DSA parameters for certificate from private key
848      * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
849      */
850     if (   sc->pPublicCert[SSL_AIDX_DSA] != NULL
851         && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
852         pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
853         if (   pKey != NULL
854             && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA
855             && EVP_PKEY_missing_parameters(pKey))
856             EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
857     }
858 
859     /*
860      * Optionally configure extra server certificate chain certificates.
861      * This is usually done by OpenSSL automatically when one of the
862      * server cert issuers are found under SSLCACertificatePath or in
863      * SSLCACertificateFile. But because these are intended for client
864      * authentication it can conflict. For instance when you use a
865      * Global ID server certificate you've to send out the intermediate
866      * CA certificate, too. When you would just configure this with
867      * SSLCACertificateFile and also use client authentication mod_ssl
868      * would accept all clients also issued by this CA. Obviously this
869      * isn't what we want in this situation. So this feature here exists
870      * to allow one to explicity configure CA certificates which are
871      * used only for the server certificate chain.
872      */
873     if (sc->szCertificateChain != NULL) {
874         bSkipFirst = FALSE;
875         for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) {
876             if (strEQ(sc->szPublicCertFile[i], sc->szCertificateChain)) {
877                 bSkipFirst = TRUE;
878                 break;
879             }
880         }
881         if ((n = SSL_CTX_use_certificate_chain(ctx, sc->szCertificateChain,
882                                                bSkipFirst, NULL)) < 0) {
883             ssl_log(s, SSL_LOG_ERROR,
884                     "Init: (%s) Failed to configure CA certificate chain!", cpVHostID);
885             ssl_die();
886         }
887         ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring "
888                 "server certificate chain (%d CA certificate%s)", cpVHostID,
889                 n, n == 1 ? "" : "s");
890     }
891 
892 #ifdef SSL_VENDOR
893     ap_hook_use("ap::mod_ssl::vendor::configure_server",
894                 AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_ALL,
895                 s, p, sc);
896 #endif
897 
898     return;
899 }
900 
ssl_init_CheckServers(server_rec * sm,pool * p)901 void ssl_init_CheckServers(server_rec *sm, pool *p)
902 {
903     server_rec *s;
904     server_rec **ps;
905     SSLSrvConfigRec *sc;
906     ssl_ds_table *t;
907     pool *sp;
908     char *key;
909     BOOL bConflict;
910 
911     /*
912      * Give out warnings when a server has HTTPS configured
913      * for the HTTP port or vice versa
914      */
915     for (s = sm; s != NULL; s = s->next) {
916         sc = mySrvConfig(s);
917         if (sc->bEnabled && s->port == DEFAULT_HTTP_PORT)
918             ssl_log(sm, SSL_LOG_WARN,
919                     "Init: (%s) You configured HTTPS(%d) on the standard HTTP(%d) port!",
920                     ssl_util_vhostid(p, s), DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
921         if (!sc->bEnabled && s->port == DEFAULT_HTTPS_PORT)
922             ssl_log(sm, SSL_LOG_WARN,
923                     "Init: (%s) You configured HTTP(%d) on the standard HTTPS(%d) port!",
924                     ssl_util_vhostid(p, s), DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
925     }
926 
927     /*
928      * Give out warnings if more than one SSL-aware virtual server uses the
929      * same IP:port. This doesn't work because mod_ssl then will always use
930      * just the certificate/keys of one virtual host (which one cannot be said
931      * easily - but that doesn't matter here).
932      */
933     sp = ap_make_sub_pool(p);
934     t = ssl_ds_table_make(sp, sizeof(server_rec *));
935     bConflict = FALSE;
936     for (s = sm; s != NULL; s = s->next) {
937         sc = mySrvConfig(s);
938         if (!sc->bEnabled)
939             continue;
940         if (s->addrs == NULL)
941             continue;
942         key = ap_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
943         ps = ssl_ds_table_get(t, key);
944         if (ps != NULL) {
945             ssl_log(sm, SSL_LOG_WARN,
946                     "Init: SSL server IP/port conflict: %s (%s:%d) vs. %s (%s:%d)",
947                     ssl_util_vhostid(p, s),
948                     (s->defn_name != NULL ? s->defn_name : "unknown"),
949                     s->defn_line_number,
950                     ssl_util_vhostid(p, *ps),
951                     ((*ps)->defn_name != NULL ? (*ps)->defn_name : "unknown"),
952                     (*ps)->defn_line_number);
953             bConflict = TRUE;
954             continue;
955         }
956         ps = ssl_ds_table_push(t, key);
957         *ps = s;
958     }
959     ssl_ds_table_kill(t);
960     ap_destroy_pool(sp);
961     if (bConflict)
962         ssl_log(sm, SSL_LOG_WARN,
963                 "Init: You should not use name-based virtual hosts in conjunction with SSL!!");
964 
965     return;
966 }
967 
ssl_init_FindCAList_X509NameCmp(X509_NAME ** a,X509_NAME ** b)968 static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
969 {
970     return(X509_NAME_cmp(*a, *b));
971 }
972 
STACK_OF(X509_NAME)973 STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile, char *cpCApath)
974 {
975     STACK_OF(X509_NAME) *skCAList;
976     STACK_OF(X509_NAME) *sk;
977     DIR *dir;
978     struct DIR_TYPE *direntry;
979     char *cp;
980     pool *p;
981     int n;
982     char buf[256];
983 
984     /*
985      * Use a subpool so we don't bloat up the server pool which
986      * is remains in memory for the complete operation time of
987      * the server.
988      */
989     p = ap_make_sub_pool(pp);
990 
991     /*
992      * Start with a empty stack/list where new
993      * entries get added in sorted order.
994      */
995     skCAList = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
996 
997     /*
998      * Process CA certificate bundle file
999      */
1000     if (cpCAfile != NULL) {
1001         sk = SSL_load_client_CA_file(cpCAfile);
1002         for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
1003             X509_NAME *name = sk_X509_NAME_value(sk, n);
1004             ssl_log(s, SSL_LOG_TRACE,
1005                     "CA certificate: %s",
1006                     X509_NAME_oneline(name, buf, sizeof(buf)));
1007             if (sk_X509_NAME_find(skCAList, name) < 0)
1008                 sk_X509_NAME_push(skCAList, name); /* will be freed when skCAList is */
1009             else
1010                 X509_NAME_free(name);
1011         }
1012         sk_X509_NAME_free(sk);
1013     }
1014 
1015     /*
1016      * Process CA certificate path files
1017      */
1018     if (cpCApath != NULL) {
1019         dir = ap_popendir(p, cpCApath);
1020         while ((direntry = readdir(dir)) != NULL) {
1021             cp = ap_pstrcat(p, cpCApath, "/", direntry->d_name, NULL);
1022             sk = SSL_load_client_CA_file(cp);
1023             for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
1024                 X509_NAME *name = sk_X509_NAME_value(sk, n);
1025                 ssl_log(s, SSL_LOG_TRACE,
1026                         "CA certificate: %s",
1027                         X509_NAME_oneline(name, buf, sizeof(buf)));
1028                 if (sk_X509_NAME_find(skCAList, name) < 0)
1029                     sk_X509_NAME_push(skCAList, name);
1030                 else
1031                     X509_NAME_free(name);
1032             }
1033             sk_X509_NAME_free(sk);
1034         }
1035         ap_pclosedir(p, dir);
1036     }
1037 
1038     /*
1039      * Cleanup
1040      */
1041     sk_X509_NAME_set_cmp_func(skCAList, NULL);
1042     ap_destroy_pool(p);
1043 
1044     return skCAList;
1045 }
1046 
ssl_init_Child(server_rec * s,pool * p)1047 void ssl_init_Child(server_rec *s, pool *p)
1048 {
1049      /* open the mutex lockfile */
1050      ssl_mutex_reinit(s, p);
1051      return;
1052 }
1053 
ssl_init_ChildKill(void * data)1054 void ssl_init_ChildKill(void *data)
1055 {
1056     /* currently nothing to do */
1057     return;
1058 }
1059 
ssl_init_ModuleKill(void * data)1060 void ssl_init_ModuleKill(void *data)
1061 {
1062     SSLSrvConfigRec *sc;
1063     server_rec *s = (server_rec *)data;
1064 
1065     /*
1066      * Drop the session cache and mutex
1067      */
1068     ssl_scache_kill(s);
1069     ssl_mutex_kill(s);
1070 
1071     /*
1072      * Destroy the temporary keys and params
1073      */
1074     ssl_init_TmpKeysHandle(SSL_TKP_FREE, s, NULL);
1075 
1076     /*
1077      * Free the non-pool allocated structures
1078      * in the per-server configurations
1079      */
1080     for (; s != NULL; s = s->next) {
1081         sc = mySrvConfig(s);
1082         if (sc->pRevocationStore != NULL) {
1083             X509_STORE_free(sc->pRevocationStore);
1084             sc->pRevocationStore = NULL;
1085         }
1086         if (sc->pPublicCert[SSL_AIDX_RSA] != NULL) {
1087             X509_free(sc->pPublicCert[SSL_AIDX_RSA]);
1088             sc->pPublicCert[SSL_AIDX_RSA] = NULL;
1089         }
1090         if (sc->pPublicCert[SSL_AIDX_DSA] != NULL) {
1091             X509_free(sc->pPublicCert[SSL_AIDX_DSA]);
1092             sc->pPublicCert[SSL_AIDX_DSA] = NULL;
1093         }
1094         if (sc->pPrivateKey[SSL_AIDX_RSA] != NULL) {
1095             EVP_PKEY_free(sc->pPrivateKey[SSL_AIDX_RSA]);
1096             sc->pPrivateKey[SSL_AIDX_RSA] = NULL;
1097         }
1098         if (sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
1099             EVP_PKEY_free(sc->pPrivateKey[SSL_AIDX_DSA]);
1100             sc->pPrivateKey[SSL_AIDX_DSA] = NULL;
1101         }
1102         if (sc->pSSLCtx != NULL) {
1103             SSL_CTX_free(sc->pSSLCtx);
1104             sc->pSSLCtx = NULL;
1105         }
1106     }
1107 
1108     /*
1109      * Try to kill the internals of the SSL library.
1110      */
1111 #ifdef SHARED_MODULE
1112     ERR_free_strings();
1113     ERR_remove_state(0);
1114     EVP_cleanup();
1115 #endif
1116 
1117     ssl_util_thread_cleanup();
1118 
1119     return;
1120 }
1121