
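--- a/httpd-2.2.14.orig/modules/ssl/mod_ssl.c
+++ b/httpd-2.2.14.orig/modules/ssl/mod_ssl.c
@@ -108,6 +108,9 @@
     SSL_CMD_SRV(CertificateKeyFile, TAKE1,
                 "SSL Server Private Key file "
                 "(`/path/to/file' - PEM or DER encoded)")
+    SSL_CMD_SRV(DHParametersFile, TAKE1,
+                "SSL Server Diffie-Hellman parameters file "
+                "(`/path/to/file' - PEM or DER encoded)")
     SSL_CMD_SRV(CertificateChainFile, TAKE1,
                 "SSL Server CA Certificate Chain file "
                 "(`/path/to/file' - PEM encoded)")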
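--- a/httpd-2.2.14.orig/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.2.14.orig/modules/ssl/ssl_engine_config.c
@@ -72,6 +72,7 @@
     mc->tVHostKeys             = apr_hash_make(pool);
     mc->tPrivateKey            = apr_hash_make(pool);
     mc->tPublicCert            = apr_hash_make(pool);
+    mc->tDHParams              = apr_hash_make(pool);
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
@@ -156,6 +157,9 @@
     mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
 
     /* mctx->pks->... certs/keys are set during module init */
+
+    mctx->pks->dhparams_file = NULL;
+    mctx->pks->dhparams     = NULL;
 }
 
 static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
@@ -246,6 +250,7 @@
 
     cfgMergeString(pks->ca_name_path);
     cfgMergeString(pks->ca_name_file);
+    cfgMergeString(pks->dhparams_file);
 }
 
 /*
@@ -762,6 +767,22 @@
     return NULL;
 }
 
+const char *ssl_cmd_SSLDHParametersFile(cmd_parms *cmd,
+    				        void *dcfg,
+				        const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *err;
+
+    if ((err = ssl_cmd_check_file(cmd, &arg))) {
+        return err;
+    }
+
+    sc->server->pks->dhparams_file = arg;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
                                           void *dcfg,
                                           const char *arg)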
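Review bot: The continuation lines of the new ssl_cmd_SSLDHParametersFile signature (`void *dcfg,` and `const char *arg)`) are indented with tabs while the sibling ssl_cmd_SSLCertificateKeyFile directly below aligns them with spaces; reindent them with spaces so the two handlers read the same. The explicit `mctx->pks->dhparams_file = NULL;` and `mctx->pks->dhparams     = NULL;` are redundant after the `apr_pcalloc()` at the top of the 156-161 hunk, which already zero-fills pks; if they are kept as documentation of the two fields, a one-line comment such as `/* set by SSLDHParametersFile and by module init respectively */` would say why they are spelled out.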
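--- a/httpd-2.2.14.orig/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.14.orig/modules/ssl/ssl_engine_init.c
@@ -723,6 +723,42 @@
     }
 }
 
+static int ssl_server_import_dhparams(server_rec *s,
+                                      modssl_ctx_t *mctx,
+                                      const char *id)
+{
+    SSLModConfigRec *mc = myModConfig(s);
+    ssl_asn1_t *asn1;
+    MODSSL_D2I_DHparams_CONST unsigned char *ptr;
+    DH *dhparams = NULL;
+
+    if (!(asn1 = ssl_asn1_table_get(mc->tDHParams, id))) {
+        return FALSE;
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "Configuring server Diffie-Hellman parameters");
+
+    ptr = asn1->cpData;
+    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to import server Diffie-Hellman parameters");
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+        ssl_die();
+    }
+
+    if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams) <= 0) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to configure server Diffie-Hellman parameters");
+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+        ssl_die();
+    }
+
+    mctx->pks->dhparams = dhparams;
+
+    return TRUE;
+}
+
 static int ssl_server_import_cert(server_rec *s,
                                   modssl_ctx_t *mctx,
                                   const char *id,
@@ -882,16 +918,18 @@
                                   apr_pool_t *ptemp,
                                   modssl_ctx_t *mctx)
 {
-    const char *rsa_id, *dsa_id;
+    const char *rsa_id, *dsa_id, *dh_id;
     const char *vhost_id = mctx->sc->vhost_id;
     int i;
     int have_rsa, have_dsa;
 
     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
+    dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);
 
     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+    (void)ssl_server_import_dhparams(s, mctx, dh_id);
 
     if (!(have_rsa || have_dsa)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
@@ -1265,6 +1303,7 @@
         MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
                              mctx->pks->keys[i]);
     }
+    MODSSL_CFG_ITEM_FREE(DH_free, mctx->pks->dhparams);
 }
 
 apr_status_t ssl_init_ModuleKill(void *data)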
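Review bot: ssl_server_import_dhparams installs whatever d2i_DHparams() decodes without validating it, so a parameters file with a composite modulus, an unsuitable generator or a very short p is accepted silently; running DH_check() on the decoded structure and logging the modulus length (`DH_size(dhparams) * 8`) before SSL_CTX_set_tmp_dh() surfaces the problem at startup instead of in handshake behaviour, as sketched below. Separately, the caller drops the result at `(void)ssl_server_import_dhparams(s, mctx, dh_id);`, which is fine for an optional directive, but if ssl_init_ctx_callbacks (not in this diff) still registers ssl_callback_TmpDH with SSL_CTX_set_tmp_dh_callback, OpenSSL's server key-exchange code will, to my knowledge, use the callback in preference to the static parameters, so the imported values may never be selected — worth confirming against that function. The key built by hand at `dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);` has to match the format produced by asn1_table_vhost_key() in ssl_engine_pphrase.c; deriving both from one helper would remove that silent coupling. The function containing the dh_id lines starts outside the hunk.
```c
    DH *dhparams = NULL;
    int codes = 0;
    /* … unchanged: asn1 lookup, debug log, d2i_DHparams() decode and its error path … */

    /* Reject malformed or obviously unsafe parameters before installing them. */
    if (!DH_check(dhparams, &codes) || codes != 0) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                "Server Diffie-Hellman parameters failed validation "
                "(DH_check codes 0x%x)", codes);
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 "Server Diffie-Hellman modulus is %d bits", DH_size(dhparams) * 8);

    /* … unchanged: SSL_CTX_set_tmp_dh(), pks->dhparams assignment, return TRUE … */
```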
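--- a/httpd-2.2.14.orig/modules/ssl/ssl_engine_pphrase.c
+++ b/httpd-2.2.14.orig/modules/ssl/ssl_engine_pphrase.c
@@ -144,6 +144,7 @@
     unsigned char *ucp;
     long int length;
     X509 *pX509Cert;
+    DH *pDHParams;
     BOOL bReadable;
     apr_array_header_t *aPassPhrase;
     int nPassPhrase;
@@ -192,8 +193,10 @@
                          pServ->defn_name, pServ->defn_line_number);
             ssl_die();
         }
+
         algoCert = SSL_ALGO_UNKNOWN;
         algoKey  = SSL_ALGO_UNKNOWN;
+
         for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) {
 
             apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
@@ -517,6 +520,45 @@
              */
             EVP_PKEY_free(pPrivateKey);
         }
+
+	/*
+	 * Read in Diffie-Hellman parameters file if such a file is
+	 * specified.
+	 */
+	if (sc->server->pks->dhparams_file) {
+            apr_cpystrn(szPath, sc->server->pks->dhparams_file, sizeof(szPath));
+            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                             "Init: Can't open server Diffie-Hellman parameters file %s",
+                             szPath);
+                ssl_die();
+            }
+            if ((pDHParams = SSL_read_DHparams(szPath, NULL, NULL)) == NULL) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                        "Init: Unable to read server Diffie-Hellman parameters from file %s", szPath);
+                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+                ssl_die();
+            }
+
+            /*
+	     * Insert the DH params into global module configuration
+	     * to let it survive the processing between the 1st Apache
+	     * API init round (where we operate here) and the 2nd
+	     * Apache init round (where it will be actually used to
+	     * configure mod_ssl's per-server configuration
+	     * structures).
+             */
+            cp = asn1_table_vhost_key(mc, p, cpVHostID, "DH");
+            length = i2d_DHparams(pDHParams, NULL);
+            ucp = ssl_asn1_table_set(mc->tDHParams, cp, length);
+            (void)i2d_DHparams(pDHParams, &ucp); /* 2nd arg increments */
+
+            /*
+             * Free the DH structure
+             */
+            DH_free(pDHParams);
+	}
+
     }
 
     /*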
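Review bot: `length = i2d_DHparams(pDHParams, NULL);` feeds ssl_asn1_table_set() without checking for a negative return, so an encode failure would pass a bogus length to the table allocation; a guard such as `if (length <= 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Init: Unable to encode server Diffie-Hellman parameters"); ssl_die(); }` before the insert is cheap, and if the certificate and key branches earlier in the function make the same assumption the guard belongs there too. The decoded parameters are not validated here either, so if DH_check() is not applied on the import side in ssl_engine_init.c, this is the other place it could go, before the i2d_DHparams() round-trip. Style: the block mixes tab indentation (the `if (sc->server->pks->dhparams_file) {` line, its closing brace and the comment-block lines) with the space indentation of the body it sits in; reindenting to spaces keeps it aligned with the enclosing braces. The enclosing function starts and ends outside this hunk.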
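--- a/httpd-2.2.14.orig/modules/ssl/ssl_private.h
+++ b/httpd-2.2.14.orig/modules/ssl/ssl_private.h
@@ -378,6 +378,7 @@
     void           *pTmpKeys[SSL_TMP_KEY_MAX];
     apr_hash_t     *tPublicCert;
     apr_hash_t     *tPrivateKey;
+    apr_hash_t     *tDHParams;
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
 #endif
@@ -394,8 +395,10 @@
      */
     const char  *cert_files[SSL_AIDX_MAX];
     const char  *key_files[SSL_AIDX_MAX];
+    const char	*dhparams_file;
     X509        *certs[SSL_AIDX_MAX];
     EVP_PKEY    *keys[SSL_AIDX_MAX];
+    DH		*dhparams;
 
     /** Certificates which specify the set of CA names which should be
      * sent in the CertificateRequest message: */
@@ -510,6 +513,7 @@
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLDHParametersFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);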
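Review bot: The two new fields `const char *dhparams_file;` and `DH *dhparams;` carry no comment while the neighbouring members are documented in Doxygen style; state their ownership, e.g. `/** path from SSLDHParametersFile, NULL when the directive is absent */` on dhparams_file and `/** DH parameters decoded at module init from tDHParams; released with DH_free() alongside certs/keys */` on dhparams. Both lines also use tab characters between the type and the name where the surrounding fields are space-aligned (`const char  *cert_files[SSL_AIDX_MAX];`, `X509        *certs[SSL_AIDX_MAX];`); aligning with spaces keeps the column layout intact regardless of tab width.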
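--- a/httpd-2.2.14.orig/modules/ssl/ssl_toolkit_compat.h
+++ b/httpd-2.2.14.orig/modules/ssl/ssl_toolkit_compat.h
@@ -100,9 +100,11 @@
 #if (OPENSSL_VERSION_NUMBER >= 0x00908000)
 # define MODSSL_D2I_PrivateKey_CONST const
 # define MODSSL_D2I_X509_CONST const
+# define MODSSL_D2I_DHparams_CONST const
 #else
 # define MODSSL_D2I_PrivateKey_CONST
 # define MODSSL_D2I_X509_CONST
+# define MODSSL_D2I_DHparams_CONST
 #endif
 
 #if (OPENSSL_VERSION_NUMBER >= 0x00909000)
@@ -117,8 +119,10 @@
 
 #if (OPENSSL_VERSION_NUMBER < 0x00904000)
 #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
+#define modssl_PEM_read_bio_DHparams(b, x, cb, arg) PEM_read_bio_DHparams(b, x, cb)
 #else
 #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb, arg)
+#define modssl_PEM_read_bio_DHparams(b, x, cb, arg) PEM_read_bio_DHparams(b, x, cb, arg)
 #endif
 
 #define modssl_PEM_X509_INFO_read_bio PEM_X509_INFO_read_bio 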
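--- a/httpd-2.2.14.orig/modules/ssl/ssl_util_ssl.c
+++ b/httpd-2.2.14.orig/modules/ssl/ssl_util_ssl.c
@@ -115,6 +115,47 @@
     return rc;
 }
 
+DH *SSL_read_DHparams(char* filename, DH **DHparams, modssl_read_bio_cb_fn *cb)
+{
+    DH  *rc;
+    BIO *bioS;
+    BIO *bioF;
+
+    /* 1. try PEM (= DER+Base64+headers) */
+    if ((bioS=BIO_new_file(filename, "r")) == NULL)
+        return NULL;
+    rc = modssl_PEM_read_bio_DHparams (bioS, DHparams, cb, NULL);
+    BIO_free(bioS);
+
+    if (rc == NULL) {
+        /* 2. try DER+Base64 */
+        if ((bioS=BIO_new_file(filename, "r")) == NULL)
+            return NULL;
+
+        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
+            BIO_free(bioS);
+            return NULL;
+        }
+        bioS = BIO_push(bioF, bioS);
+        rc = d2i_DHparams_bio(bioS, NULL);
+        BIO_free_all(bioS);
+
+        if (rc == NULL) {
+            /* 3. try plain DER */
+            if ((bioS=BIO_new_file(filename, "r")) == NULL)
+                return NULL;
+            rc = d2i_DHparams_bio(bioS, NULL);
+            BIO_free(bioS);
+        }
+    }
+    if (rc != NULL && DHparams != NULL) {
+        if (*DHparams != NULL)
+            DH_free(*DHparams);
+        *DHparams = rc;
+    }
+    return rc;
+}
+
 #if SSL_LIBRARY_VERSION <= 0x00904100
 static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
 {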
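Review bot: In SSL_read_DHparams the PEM attempt hands the caller's output slot to the reader, `rc = modssl_PEM_read_bio_DHparams (bioS, DHparams, cb, NULL);`, so when a caller passes a non-NULL `*DHparams` the decoder can reuse and return that same object, and the tail `if (*DHparams != NULL) DH_free(*DHparams); *DHparams = rc;` then frees the structure it is about to store. Passing `NULL` to the reader there, as the two d2i_DHparams_bio() attempts already do, makes the tail the single ownership hand-off; the only caller in this patch passes NULL, so the defect is latent, and if SSL_read_X509 above has the same shape the same fix applies to it. Style: `char* filename` should be `const char *filename`, since the function never writes through it, and opening with `"rb"` instead of `"r"` keeps the two DER attempts from being altered by text-mode translation on platforms that perform it.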
