author | Graham Leggett <minfrin@apache.org> | 2019-06-23 23:10:23 +0200 |
---|---|---|
committer | Graham Leggett <minfrin@apache.org> | 2019-06-23 23:10:23 +0200 |
commit | cd58f1856a9adc31b95e8ed58b168df635c1af71 (patch) | |
tree | 123050f64142673b8dcce015e093685e05dbf3fc /modules | |
parent | French doc rebuild. (diff) | |
After reinstatement of DSO support in APR/APR-util, revert r1837437,
r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.
Undoes the following:
mod_ssl: OpenSSL now initializes fully through APR, use that.
mod_ssl: build with LibreSSL.
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitly but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.
Follow up to r1833368: share openssl between modules.
Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto
can use the same crypto library (e.g. openssl), use the new APR crypto loading
API so that they can work together and initialize/terminate the lib either once
for all or on demand and reusable by the others.
Follow up to r1833368: apr_crypto_prng_after_fork() now used a PID.
Make use of the new apr_crypto_rng API if available.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1861947 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r-- | modules/filters/mod_crypto.c | 2 | ||||
-rw-r--r-- | modules/session/mod_session_crypto.c | 2 | ||||
-rw-r--r-- | modules/ssl/mod_ssl.c | 85 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 18 | ||||
-rw-r--r-- | modules/ssl/ssl_private.h | 5 |
5 files changed, 42 insertions, 70 deletions
diff --git a/modules/filters/mod_crypto.c b/modules/filters/mod_crypto.c
index 5d5e6b3c13..2c98692c41 100644
--- a/modules/filters/mod_crypto.c
+++ b/modules/filters/mod_crypto.c
@@ -1197,7 +1197,7 @@ crypto_init(apr_pool_t * p, apr_pool_t * plog,
 apr_status_t rv;
 rv = apr_crypto_init(p);
- if (APR_SUCCESS != rv && APR_EREINIT != rv) {
+ if (APR_SUCCESS != rv) {
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(03427) "APR crypto could not be initialised");
 return rv;
diff --git a/modules/session/mod_session_crypto.c b/modules/session/mod_session_crypto.c
index a948b2ced9..be7e7b1807 100644
--- a/modules/session/mod_session_crypto.c
+++ b/modules/session/mod_session_crypto.c
@@ -569,7 +569,7 @@ static int session_crypto_init(apr_pool_t *p, apr_pool_t *plog,
 apr_status_t rv;
 rv = apr_crypto_init(p);
- if (APR_SUCCESS != rv && APR_EREINIT != rv) {
+ if (APR_SUCCESS != rv) {
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01843) "APR crypto could not be initialised");
 return rv;
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index feec875f14..588de2ce92 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -32,16 +32,6 @@
 #include "ap_provider.h"
 #include "http_config.h"
-#include "apr_crypto.h"
-#include "apr_version.h"
-#if APR_VERSION_AT_LEAST(2,0,0) && \
- defined(APU_HAVE_CRYPTO) && APU_HAVE_CRYPTO && \
- defined(APU_HAVE_OPENSSL) && APU_HAVE_OPENSSL
-#define USE_APR_CRYPTO_LIB_INIT 1
-#else
-#define USE_APR_CRYPTO_LIB_INIT 0
-#endif
-
 #include "mod_proxy.h" /* for proxy_hook_section_post_config() */
 #include <assert.h>
@@ -342,7 +332,6 @@ static int modssl_is_prelinked(void)
 return 0;
 }
-#if !USE_APR_CRYPTO_LIB_INIT
 static apr_status_t ssl_cleanup_pre_config(void *data)
 {
 /*
@@ -395,7 +384,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
 */
 return APR_SUCCESS;
 }
-#endif /* !USE_APR_CRYPTO_LIB_INIT */
 static int ssl_hook_pre_config(apr_pool_t *pconf,
 apr_pool_t *plog,
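Review bot: The stricter `if (APR_SUCCESS != rv)` turns an APR_EREINIT result from `apr_crypto_init(p)` into a hard startup failure, so it relies on the APR build in use never reporting a second initialisation that way; the identical change is made in modules/session/mod_session_crypto.c. If the targeted APR/APR-util can still return APR_EREINIT when another module initialised the crypto library first, whichever of the two modules runs second will log APLOGNO(03427) / APLOGNO(01843) and abort its init — worth confirming against that APR version rather than inferring it from the removed line. crypto_init's body continues outside the hunk.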
@@ -406,58 +394,29 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 #endif
 modssl_running_statically = modssl_is_prelinked();
-#if USE_APR_CRYPTO_LIB_INIT
- {
- /* When mod_ssl is builtin, no need to unload openssl on restart,
- * so use pglobal.
- */
- apr_pool_t *p = modssl_running_statically ? ap_pglobal : pconf;
- apr_status_t rv = apr_crypto_lib_init("openssl", NULL, NULL, p);
- if (rv != APR_SUCCESS && rv != APR_EREINIT) {
- ap_log_perror(APLOG_MARK, APLOG_ERR, rv, pconf, APLOGNO(10155)
- "mod_ssl: can't initialize OpenSSL library");
- return !OK;
- }
- }
-#else /* USE_APR_CRYPTO_LIB_INIT */
- {
- /* We must register the library in full, to ensure our configuration
- * code can successfully test the SSL environment.
- */
-/* Both undefined (or no-op) with LibreSSL */
-#if !defined(LIBRESSL_VERSION_NUMBER)
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
- CRYPTO_malloc_init();
-#else
- OPENSSL_malloc_init();
-#endif
-#endif
- ERR_load_crypto_strings();
-#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_load_builtin_engines();
-#endif
- OpenSSL_add_all_algorithms();
- OPENSSL_load_builtin_modules();
-
- SSL_load_error_strings();
- SSL_library_init();
-
- /*
- * Let us cleanup the ssl library when the module is unloaded
- */
- apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
- apr_pool_cleanup_null);
- }
-
-#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
 /* Some OpenSSL internals are allocated per-thread, make sure they
- * are associated to the/our same thread-id until cleaned up. Then
- * initialize all the thread locking stuff needed by the lib.
+ * are associated to the/our same thread-id until cleaned up.
 */
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
 ssl_util_thread_id_setup(pconf);
- ssl_util_thread_setup(pconf);
 #endif
-#endif /* USE_APR_CRYPTO_LIB_INIT */
+
+ /* We must register the library in full, to ensure our configuration
+ * code can successfully test the SSL environment.
+ */
+#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
+ (void)CRYPTO_malloc_init();
+#else
+ OPENSSL_malloc_init();
+#endif
+ ERR_load_crypto_strings();
+ SSL_load_error_strings();
+ SSL_library_init();
+#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_load_builtin_engines();
+#endif
+ OpenSSL_add_all_algorithms();
+ OPENSSL_load_builtin_modules();
 if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
 (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
@@ -467,6 +426,12 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 /* Start w/o errors (e.g. OBJ_txt2nid() above) */
 ERR_clear_error();
+ /*
+ * Let us cleanup the ssl library when the module is unloaded
+ */
+ apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
+ apr_pool_cleanup_null);
+
 /* Register us to handle mod_log_config %c/%x variables */
 ssl_var_log_config_register(pconf);
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index a5a3d41c5f..b54bc91f75 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -51,8 +51,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
 #define KEYTYPES "RSA or DSA"
 #endif
-#if MODSSL_USE_OPENSSL_PRE_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || \
- LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /* OpenSSL Pre-1.1.0 compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
@@ -302,6 +301,10 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 #endif
 }
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
+ ssl_util_thread_setup(p);
+#endif
+
 /*
 * SSL external crypto device ("engine") support
 */
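Review bot: `(void)CRYPTO_malloc_init();` is now compiled for every LibreSSL build via `#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)`, while the commit message itself says LibreSSL's CRYPTO_malloc_init has become conditional on LIBRESSL_INTERNAL in recent versions, so this line may stop compiling against current LibreSSL. Skipping both malloc-init calls when LibreSSL is detected — wrapping the selection in `#if !defined(LIBRESSL_VERSION_NUMBER)` with a comment `/* LibreSSL provides neither; both are no-ops at best */` — keeps the revert intact while avoiding that build break. ssl_hook_pre_config starts and ends outside this hunk.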
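Review bot: `ssl_util_thread_setup(p);` is added to ssl_init_Module without a comment, while its sibling `ssl_util_thread_id_setup(pconf)` stays in ssl_hook_pre_config (modules/ssl/mod_ssl.c), so a reader has to reconstruct why the pre-1.1 lock setup now happens at post_config time and on pool `p`. A short comment such as `/* Install the OpenSSL (<1.1) locking callbacks once per (re)start; presumably no worker threads exist yet — confirm against MPM ordering */` would record the assumption this placement depends on, which is not visible from the hunk. ssl_init_Module begins and ends outside the hunk.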
@@ -550,7 +553,8 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
 }
 #endif
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
 /*
 * Enable/disable SSLProtocol. If the mod_ssl enables protocol
 * which is disabled by default by OpenSSL, show a warning.
@@ -588,7 +592,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 char *cp;
 int protocol = mctx->protocol;
 SSLSrvConfigRec *sc = mySrvConfig(s);
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
 int prot;
 #endif
@@ -668,7 +673,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 SSL_CTX_set_options(ctx, SSL_OP_ALL);
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
 /* always disable SSLv2, as per RFC 6176 */
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
@@ -689,7 +695,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3, protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
 #endif
-#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */
+#endif
 #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
 /* We first determine the maximum protocol version we should provide */
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 8524c515ba..ebaf96471a 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
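Review bot: The version test `OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)` is spelled out three times in this file — here, negated by hand at @@ -588, and again at @@ -668 — so the negated copy only stays the exact complement as long as every future edit touches all three. Hoisting it into a single macro beside MODSSL_USE_OPENSSL_PRE_1_1_API (an illustrative name would be `MODSSL_PROTOCOL_OPTIONS_PRE_1_1`) and writing the three guards as `#if MODSSL_PROTOCOL_OPTIONS_PRE_1_1` / `#if !MODSSL_PROTOCOL_OPTIONS_PRE_1_1` removes that hazard. A one-line comment on the macro saying which LibreSSL 2.7 gap makes it use the pre-1.1 path up to 2.8 would also help, since that is not explained anywhere in the hunk.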
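Review bot: Replacing `#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */` with a bare `#endif` drops the only marker saying which of the nested `#if`s closes here, in a region where the neighbouring `#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */` keeps its annotation. A trailing comment mirroring the new opening condition, `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LibreSSL < 2.8 */`, preserves that navigation aid. ssl_init_ctx_protocol continues outside the hunk.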
@@ -132,12 +132,13 @@
 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
 #define SSL_CTX_set_max_proto_version(ctx, version) \
 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
 * include most changes from OpenSSL >= 1.1 (new functions, macros,
 * deprecations, ...), so we have to work around this...
 */
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2080000f)
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif |
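Review bot: With `#elif LIBRESSL_VERSION_NUMBER < 0x2070000f` defining MODSSL_USE_OPENSSL_PRE_1_1_API as `(1)`, the chain has no `#else`, so a LibreSSL at or above 2.7 leaves the macro undefined in this block and every `#if MODSSL_USE_OPENSSL_PRE_1_1_API` then evaluates as 0 unless a fallback definition exists outside the hunk; worth confirming that default is present, since the hunk does not show one. The 2.7 cut-off here also differs from the 2.8 cut-off (`LIBRESSL_VERSION_NUMBER < 0x20800000L`) used for the protocol-option guards in modules/ssl/ssl_engine_init.c, and if that split is deliberate a comment after the `#elif` naming the 2.7 exceptions those guards cover would spare the next reader the archaeology. The closing `#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */` now ends an `#if`/`#elif` pair, so `#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f / 0x2070000f */` would describe it accurately.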