diff options
| -rw-r--r-- | modules/filters/mod_crypto.c | 2 | ||||
| -rw-r--r-- | modules/session/mod_session_crypto.c | 2 | ||||
| -rw-r--r-- | modules/ssl/mod_ssl.c | 85 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_init.c | 18 | ||||
| -rw-r--r-- | modules/ssl/ssl_private.h | 5 | ||||
| -rw-r--r-- | server/core.c | 68 |
6 files changed, 61 insertions, 119 deletions
diff --git a/modules/filters/mod_crypto.c b/modules/filters/mod_crypto.c index 5d5e6b3c13..2c98692c41 100644 --- a/modules/filters/mod_crypto.c +++ b/modules/filters/mod_crypto.c @@ -1197,7 +1197,7 @@ crypto_init(apr_pool_t * p, apr_pool_t * plog, apr_status_t rv; rv = apr_crypto_init(p); - if (APR_SUCCESS != rv && APR_EREINIT != rv) { + if (APR_SUCCESS != rv) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(03427) "APR crypto could not be initialised"); return rv; diff --git a/modules/session/mod_session_crypto.c b/modules/session/mod_session_crypto.c index a948b2ced9..be7e7b1807 100644 --- a/modules/session/mod_session_crypto.c +++ b/modules/session/mod_session_crypto.c @@ -569,7 +569,7 @@ static int session_crypto_init(apr_pool_t *p, apr_pool_t *plog, apr_status_t rv; rv = apr_crypto_init(p); - if (APR_SUCCESS != rv && APR_EREINIT != rv) { + if (APR_SUCCESS != rv) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(01843) "APR crypto could not be initialised"); return rv; diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index feec875f14..588de2ce92 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -32,16 +32,6 @@ #include "ap_provider.h" #include "http_config.h" -#include "apr_crypto.h" -#include "apr_version.h" -#if APR_VERSION_AT_LEAST(2,0,0) && \ - defined(APU_HAVE_CRYPTO) && APU_HAVE_CRYPTO && \ - defined(APU_HAVE_OPENSSL) && APU_HAVE_OPENSSL -#define USE_APR_CRYPTO_LIB_INIT 1 -#else -#define USE_APR_CRYPTO_LIB_INIT 0 -#endif - #include "mod_proxy.h" /* for proxy_hook_section_post_config() */ #include <assert.h> @@ -342,7 +332,6 @@ static int modssl_is_prelinked(void) return 0; } -#if !USE_APR_CRYPTO_LIB_INIT static apr_status_t ssl_cleanup_pre_config(void *data) { /* @@ -395,7 +384,6 @@ static apr_status_t ssl_cleanup_pre_config(void *data) */ return APR_SUCCESS; } -#endif /* !USE_APR_CRYPTO_LIB_INIT */ static int ssl_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, @@ -406,58 +394,29 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, #endif modssl_running_statically = modssl_is_prelinked(); -#if USE_APR_CRYPTO_LIB_INIT - { - /* When mod_ssl is builtin, no need to unload openssl on restart, - * so use pglobal. - */ - apr_pool_t *p = modssl_running_statically ? ap_pglobal : pconf; - apr_status_t rv = apr_crypto_lib_init("openssl", NULL, NULL, p); - if (rv != APR_SUCCESS && rv != APR_EREINIT) { - ap_log_perror(APLOG_MARK, APLOG_ERR, rv, pconf, APLOGNO(10155) - "mod_ssl: can't initialize OpenSSL library"); - return !OK; - } - } -#else /* USE_APR_CRYPTO_LIB_INIT */ - { - /* We must register the library in full, to ensure our configuration - * code can successfully test the SSL environment. - */ -/* Both undefined (or no-op) with LibreSSL */ -#if !defined(LIBRESSL_VERSION_NUMBER) -#if MODSSL_USE_OPENSSL_PRE_1_1_API - CRYPTO_malloc_init(); -#else - OPENSSL_malloc_init(); -#endif -#endif - ERR_load_crypto_strings(); -#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES - ENGINE_load_builtin_engines(); -#endif - OpenSSL_add_all_algorithms(); - OPENSSL_load_builtin_modules(); - - SSL_load_error_strings(); - SSL_library_init(); - - /* - * Let us cleanup the ssl library when the module is unloaded - */ - apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config, - apr_pool_cleanup_null); - } - -#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API /* Some OpenSSL internals are allocated per-thread, make sure they - * are associated to the/our same thread-id until cleaned up. Then - * initialize all the thread locking stuff needed by the lib. + * are associated to the/our same thread-id until cleaned up. */ +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API ssl_util_thread_id_setup(pconf); - ssl_util_thread_setup(pconf); #endif -#endif /* USE_APR_CRYPTO_LIB_INIT */ + + /* We must register the library in full, to ensure our configuration + * code can successfully test the SSL environment. + */ +#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER) + (void)CRYPTO_malloc_init(); +#else + OPENSSL_malloc_init(); +#endif + ERR_load_crypto_strings(); + SSL_load_error_strings(); + SSL_library_init(); +#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES + ENGINE_load_builtin_engines(); +#endif + OpenSSL_add_all_algorithms(); + OPENSSL_load_builtin_modules(); if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", @@ -467,6 +426,12 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, /* Start w/o errors (e.g. OBJ_txt2nid() above) */ ERR_clear_error(); + /* + * Let us cleanup the ssl library when the module is unloaded + */ + apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config, + apr_pool_cleanup_null); + /* Register us to handle mod_log_config %c/%x variables */ ssl_var_log_config_register(pconf); diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index a5a3d41c5f..b54bc91f75 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -51,8 +51,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server, #define KEYTYPES "RSA or DSA" #endif -#if MODSSL_USE_OPENSSL_PRE_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || \ - LIBRESSL_VERSION_NUMBER < 0x2070000f) +#if MODSSL_USE_OPENSSL_PRE_1_1_API /* OpenSSL Pre-1.1.0 compatibility */ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) @@ -302,6 +301,10 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, #endif } +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API + ssl_util_thread_setup(p); +#endif + /* * SSL external crypto device ("engine") support */ @@ -550,7 +553,8 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, } #endif -#if MODSSL_USE_OPENSSL_PRE_1_1_API +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L) /* * Enable/disable SSLProtocol. If the mod_ssl enables protocol * which is disabled by default by OpenSSL, show a warning. @@ -588,7 +592,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, char *cp; int protocol = mctx->protocol; SSLSrvConfigRec *sc = mySrvConfig(s); -#if !MODSSL_USE_OPENSSL_PRE_1_1_API +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ + (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x20800000L) int prot; #endif @@ -668,7 +673,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_options(ctx, SSL_OP_ALL); -#if MODSSL_USE_OPENSSL_PRE_1_1_API +#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ + (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L) /* always disable SSLv2, as per RFC 6176 */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); @@ -689,7 +695,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3, protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3"); #endif -#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */ +#endif #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ /* We first determine the maximum protocol version we should provide */ diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 8524c515ba..ebaf96471a 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -132,12 +132,13 @@ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) #define SSL_CTX_set_max_proto_version(ctx, version) \ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ +#elif LIBRESSL_VERSION_NUMBER < 0x2070000f /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not * include most changes from OpenSSL >= 1.1 (new functions, macros, * deprecations, ...), so we have to work around this... */ -#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2080000f) +#define MODSSL_USE_OPENSSL_PRE_1_1_API (1) +#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ #else /* defined(LIBRESSL_VERSION_NUMBER) */ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) #endif diff --git a/server/core.c b/server/core.c index 96709f207a..11bf8d3d10 100644 --- a/server/core.c +++ b/server/core.c @@ -20,15 +20,7 @@ #include "apr_fnmatch.h" #include "apr_hash.h" #include "apr_thread_proc.h" /* for RLIMIT stuff */ - -#include "apr_crypto.h" -#if defined(APU_HAVE_CRYPTO) && APU_HAVE_CRYPTO && \ - defined(APU_HAVE_CRYPTO_PRNG) && APU_HAVE_CRYPTO_PRNG -#define USE_APR_CRYPTO_PRNG 1 -#else -#define USE_APR_CRYPTO_PRNG 0 #include "apr_random.h" -#endif #include "apr_version.h" #if APR_MAJOR_VERSION < 2 @@ -5610,26 +5602,14 @@ AP_DECLARE(char *) ap_state_dir_relative(apr_pool_t *p, const char *file) } -#if !USE_APR_CRYPTO_PRNG static apr_random_t *rng = NULL; #if APR_HAS_THREADS static apr_thread_mutex_t *rng_mutex = NULL; #endif -#endif /* !USE_APR_CRYPTO_PRNG */ static void core_child_init(apr_pool_t *pchild, server_rec *s) { - /* The MPMs use plain fork() and not apr_proc_fork(), so we have to - * take care of the random generator manually in the child. - */ apr_proc_t proc; - - memset(&proc, 0, sizeof(proc)); - proc.pid = getpid(); - -#if USE_APR_CRYPTO_PRNG - apr_crypto_prng_after_fork(NULL, 1); -#else #if APR_HAS_THREADS { int threaded_mpm; @@ -5640,8 +5620,11 @@ static void core_child_init(apr_pool_t *pchild, server_rec *s) } } #endif + /* The MPMs use plain fork() and not apr_proc_fork(), so we have to call + * apr_random_after_fork() manually in the child + */ + proc.pid = getpid(); apr_random_after_fork(&proc); -#endif /* USE_APR_CRYPTO_PRNG */ } static void core_optional_fn_retrieve(void) @@ -5651,7 +5634,6 @@ static void core_optional_fn_retrieve(void) AP_CORE_DECLARE(void) ap_random_parent_after_fork(void) { -#if !USE_APR_CRYPTO_PRNG /* * To ensure that the RNG state in the parent changes after the fork, we * pull some data from the RNG and discard it. This ensures that the RNG @@ -5663,41 +5645,30 @@ AP_CORE_DECLARE(void) ap_random_parent_after_fork(void) */ apr_uint16_t data; apr_random_insecure_bytes(rng, &data, sizeof(data)); -#endif /* !USE_APR_CRYPTO_PRNG */ } AP_CORE_DECLARE(void) ap_init_rng(apr_pool_t *p) { + unsigned char seed[8]; apr_status_t rv; - -#if USE_APR_CRYPTO_PRNG - rv = apr_crypto_init(p); -#else - { - unsigned char seed[8]; - rng = apr_random_standard_new(p); - do { - rv = apr_generate_random_bytes(seed, sizeof(seed)); - if (rv != APR_SUCCESS) - break; - apr_random_add_entropy(rng, seed, sizeof(seed)); - rv = apr_random_insecure_ready(rng); - } while (rv == APR_ENOTENOUGHENTROPY); - } -#endif /* USE_APR_CRYPTO_PRNG */ - - if (rv != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL, APLOGNO(00141) - "Could not initialize random number generator"); - exit(1); - } + rng = apr_random_standard_new(p); + do { + rv = apr_generate_random_bytes(seed, sizeof(seed)); + if (rv != APR_SUCCESS) + goto error; + apr_random_add_entropy(rng, seed, sizeof(seed)); + rv = apr_random_insecure_ready(rng); + } while (rv == APR_ENOTENOUGHENTROPY); + if (rv == APR_SUCCESS) + return; +error: + ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL, APLOGNO(00141) + "Could not initialize random number generator"); + exit(1); } AP_DECLARE(void) ap_random_insecure_bytes(void *buf, apr_size_t size) { -#if USE_APR_CRYPTO_PRNG - apr_crypto_random_bytes(buf, size); -#else #if APR_HAS_THREADS if (rng_mutex) apr_thread_mutex_lock(rng_mutex); @@ -5711,7 +5682,6 @@ AP_DECLARE(void) ap_random_insecure_bytes(void *buf, apr_size_t size) if (rng_mutex) apr_thread_mutex_unlock(rng_mutex); #endif -#endif /* USE_APR_CRYPTO_PRNG */ } /* |