
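--- a/httpd-2.4.2/modules/ssl/mod_ssl.c
+++ b/httpd-2.4.2/modules/ssl/mod_ssl.c
@@ -88,6 +88,9 @@
     SSL_CMD_SRV(CertificateKeyFile, TAKE1,
                 "SSL Server Private Key file "
                 "('/path/to/file' - PEM or DER encoded)")
+    SSL_CMD_SRV(DHParametersFile, TAKE1,
+                "SSL Server Diffie-Hellman parameters file "
+                "(`/path/to/file' - PEM or DER encoded)")
     SSL_CMD_SRV(CertificateChainFile, TAKE1,
                 "SSL Server CA Certificate Chain file "
                 "('/path/to/file' - PEM encoded)")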
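--- a/httpd-2.4.2/modules/ssl/ssl_engine_config.c
+++ b/httpd-2.4.2/modules/ssl/ssl_engine_config.c
@@ -67,6 +67,7 @@
     mc->tVHostKeys             = apr_hash_make(pool);
     mc->tPrivateKey            = apr_hash_make(pool);
     mc->tPublicCert            = apr_hash_make(pool);
+    mc->tDHParams              = apr_hash_make(pool);
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     mc->szCryptoDevice         = NULL;
 #endif
@@ -182,6 +183,9 @@
 
     /* mctx->pks->... certs/keys are set during module init */
 
+    mctx->pks->dhparams_file = NULL;
+    mctx->pks->dhparams     = NULL;
+
 #ifdef HAVE_TLS_SESSION_TICKETS
     mctx->ticket_key = apr_pcalloc(p, sizeof(*mctx->ticket_key));
 #endif
@@ -299,6 +303,7 @@
 
     cfgMergeString(pks->ca_name_path);
     cfgMergeString(pks->ca_name_file);
+    cfgMergeString(pks->dhparams_file);
 
 #ifdef HAVE_TLS_SESSION_TICKETS
     cfgMergeString(ticket_key->file_path);
@@ -760,6 +765,22 @@
 
     return NULL;
 }
+
+const char *ssl_cmd_SSLDHParametersFile(cmd_parms *cmd,
+                                        void *dcfg,
+					const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *err;
+
+    if ((err = ssl_cmd_check_file(cmd, &arg))) {
+        return err;
+    }
+
+    sc->server->pks->dhparams_file = arg;
+
+    return NULL;
+}
 
 const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *cmd,
                                           void *dcfg,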
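Review bot: In ssl_cmd_SSLDHParametersFile the third parameter line (new line 771, `const char *arg)`) is indented with tabs while the two lines above it are space-aligned to the opening parenthesis, which is how ssl_cmd_SSLCertificateKeyFile directly below is written; realigning it with spaces keeps the file consistent. The per-server defaults at new lines 186-187 clear both `dhparams_file` and `dhparams`, but only `dhparams_file` is merged at new line 306; that is consistent with the comment at new line 184 saying loaded certs/keys are produced during module init, so I would fold the new pointer into that comment: `/* mctx->pks->... certs/keys/dhparams are set during module init */`. The functions containing the first three hunks start and end outside them.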
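--- a/httpd-2.4.2/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.4.2/modules/ssl/ssl_engine_init.c
@@ -950,6 +950,42 @@
     }
 }
 
+static int ssl_server_import_dhparams(server_rec *s,
+                                      modssl_ctx_t *mctx,
+                                      const char *id)
+{
+    SSLModConfigRec *mc = myModConfig(s);
+    ssl_asn1_t *asn1;
+    MODSSL_D2I_DHparams_CONST unsigned char *ptr;
+    DH *dhparams = NULL;
+
+    if (!(asn1 = ssl_asn1_table_get(mc->tDHParams, id))) {
+        return FALSE;
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "Configuring server Diffie-Hellman parameters");
+
+    ptr = asn1->cpData;
+    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to import server Diffie-Hellman parameters");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+        ssl_die();
+    }
+
+    if (SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams) <= 0) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to configure server Diffie-Hellman parameters");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+        ssl_die();
+    }
+
+    mctx->pks->dhparams = dhparams;
+
+    return TRUE;
+}
+
 static int ssl_server_import_cert(server_rec *s,
                                   modssl_ctx_t *mctx,
                                   const char *id,
@@ -1157,7 +1193,7 @@
                                   apr_pool_t *ptemp,
                                   modssl_ctx_t *mctx)
 {
-    const char *rsa_id, *dsa_id;
+    const char *rsa_id, *dsa_id, *dh_id;
 #ifndef OPENSSL_NO_EC
     const char *ecc_id;
 #endif
@@ -1170,12 +1206,14 @@
 
     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
     dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
+    dh_id = apr_pstrcat(ptemp, vhost_id, ":", "DH", NULL);
 #ifndef OPENSSL_NO_EC
     ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
 #endif
 
     have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
     have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+    (void)ssl_server_import_dhparams(s, mctx, dh_id);
 #ifndef OPENSSL_NO_EC
     have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
 #endif
@@ -1711,6 +1749,7 @@
         MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
                              mctx->pks->keys[i]);
     }
+    MODSSL_CFG_ITEM_FREE(DH_free, mctx->pks->dhparams);
 }
 
 apr_status_t ssl_init_ModuleKill(void *data)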
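Review bot: ssl_server_import_dhparams hands the decoded group to SSL_CTX_set_tmp_dh (new line 977) without any validation, so a parameters file with a non-prime modulus, a bad generator or a very short p is accepted silently and then used for every DHE handshake on that vhost. This runs once at startup, so a DH_check() plus a size warning between the d2i_DHparams and SSL_CTX_set_tmp_dh calls is cheap and can fail through the same log-and-ssl_die() path the decode failure at new lines 970-975 already uses; `int codes = 0;` belongs with the other locals. A smaller point: the hash key for these parameters is built here with apr_pstrcat (new line 1209) but in ssl_engine_pphrase.c with asn1_table_vhost_key(), and the return value discarded at new line 1216 would hide any mismatch, so a shared helper or at least a comment tying the two sites together would help. The function containing the second and third hunks starts and ends outside them.
```c
    ptr = asn1->cpData;
    if (!(dhparams = d2i_DHparams(NULL, &ptr, asn1->nData))) {
        /* … unchanged: log, ssl_log_ssl_error, ssl_die … */
    }

    /* Reject structurally bad groups (non-prime p, unsuitable generator)
     * before they are used for every DHE handshake on this vhost. */
    if (!DH_check(dhparams, &codes) || codes != 0) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                "Server Diffie-Hellman parameters failed DH_check "
                "(codes 0x%x)", codes);
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
    /* DH_size() is in bytes; warn on groups shorter than 1024 bits. */
    if (DH_size(dhparams) < 128) {
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                "Server Diffie-Hellman parameters are only %d bits; "
                "1024 bits or more is recommended", DH_size(dhparams) * 8);
    }

    /* … unchanged: SSL_CTX_set_tmp_dh, store in mctx->pks->dhparams … */
```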
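--- a/httpd-2.4.2/modules/ssl/ssl_engine_pphrase.c
+++ b/httpd-2.4.2/modules/ssl/ssl_engine_pphrase.c
@@ -147,6 +147,7 @@
     unsigned char *ucp;
     long int length;
     X509 *pX509Cert;
+    DH *pDHParams;
     BOOL bReadable;
     apr_array_header_t *aPassPhrase;
     int nPassPhrase;
@@ -162,6 +163,7 @@
     char *an;
     apr_time_t pkey_mtime = 0;
     apr_status_t rv;
+    const char *dhid;
     /*
      * Start with a fresh pass phrase array
      */
@@ -550,6 +552,43 @@
              */
             EVP_PKEY_free(pPrivateKey);
         }
+	/*
+         * Read in Diffie-Hellman parameters file if such a file is
+         * specified.
+         */
+        if (sc->server->pks->dhparams_file) {
+            apr_cpystrn(szPath, sc->server->pks->dhparams_file, sizeof(szPath));
+            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                             "Init: Can't open server Diffie-Hellman parameters file %s",
+                             szPath);
+                ssl_die();
+            }
+            if ((pDHParams = SSL_read_DHparams(szPath, NULL, NULL)) == NULL) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                        "Init: Unable to read server Diffie-Hellman parameters from file %s", szPath);
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+                ssl_die();
+            }
+
+	    /*
+             * Insert the DH params into global module configuration
+             * to let it survive the processing between the 1st Apache
+             * API init round (where we operate here) and the 2nd
+             * Apache init round (where it will be actually used to
+             * configure mod_ssl's per-server configuration
+             * structures).
+             */
+            dhid = asn1_table_vhost_key(mc, p, cpVHostID, "DH");
+            length = i2d_DHparams(pDHParams, NULL);
+            ucp = ssl_asn1_table_set(mc->tDHParams, dhid, length);
+            (void)i2d_DHparams(pDHParams, &ucp); /* 2nd arg increments */
+
+            /*
+             * Free the DH structure
+             */
+            DH_free(pDHParams);
+        }
     }
 
     /*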
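Review bot: At new line 583 the return of `i2d_DHparams(pDHParams, NULL)` goes into `length` and straight into ssl_asn1_table_set without a check; i2d returns a negative value on encoding failure, so guarding it as `if ((length = i2d_DHparams(pDHParams, NULL)) <= 0)` and failing through the same log-and-ssl_die() path as the read error at new lines 567-572 keeps a bogus table entry from being created (I cannot see from this hunk whether the certificate path in the same function checks its i2d result). The second i2d call at new line 585 writes into a buffer sized from the first, so the two results are also assumed equal, which holds for an unchanged DH object. A style nit: the comment openers at new lines 555 and 574 are tab-indented while the rest of the block uses spaces, so they no longer line up with their `*` continuation lines. The enclosing function starts and ends outside the hunk.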
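--- a/httpd-2.4.2/modules/ssl/ssl_private.h
+++ b/httpd-2.4.2/modules/ssl/ssl_private.h
@@ -121,10 +121,12 @@
 #define MODSSL_D2I_ASN1_type_bytes_CONST const
 #define MODSSL_D2I_PrivateKey_CONST const
 #define MODSSL_D2I_X509_CONST const
+#define MODSSL_D2I_DHparams_CONST const
 #else
 #define MODSSL_D2I_ASN1_type_bytes_CONST
 #define MODSSL_D2I_PrivateKey_CONST
 #define MODSSL_D2I_X509_CONST
+#define MODSSL_D2I_DHparams_CONST
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
@@ -526,6 +528,7 @@
      * example the string "vhost.example.com:443:RSA". */
     apr_hash_t     *tPublicCert;
     apr_hash_t     *tPrivateKey;
+    apr_hash_t     *tDHParams;
 
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
     const char     *szCryptoDevice;
@@ -552,11 +555,13 @@
      * unordered lists. */
     const char  *cert_files[SSL_AIDX_MAX];
     const char  *key_files[SSL_AIDX_MAX];
+    const char  *dhparams_file;
     /* Loaded certs and keys; these arrays ARE indexed by the
      * algorithm type, i.e.  keys[SSL_AIDX_RSA] maps to the RSA
      * private key. */
     X509        *certs[SSL_AIDX_MAX];
     EVP_PKEY    *keys[SSL_AIDX_MAX];
+    DH          *dhparams;
 
     /** Certificates which specify the set of CA names which should be
      * sent in the CertificateRequest message: */
@@ -711,6 +716,7 @@
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLDHParametersFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);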
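Review bot: The three new struct members carry no comment although every neighbouring field is documented, and the `tDHParams` entry sits under a block comment (new line 528) whose key-format example only covers the `:RSA` suffix. I would extend that comment with `Diffie-Hellman parameters use the same layout with the suffix "DH", e.g. "vhost.example.com:443:DH".` (the suffix is what the ssl_engine_init.c hunk of this patch builds), add `/* Path from the SSLDHParametersFile directive, or NULL */` on `dhparams_file`, and `/* DH group decoded from tDHParams at init; owned here and released with DH_free in the ssl_engine_init.c context cleanup */` on `dhparams` — the directive name is inferred from the ssl_cmd_SSLDHParametersFile prototype added below and the release site from the DH_free line this patch adds. Both struct definitions start outside their hunks.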
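--- a/httpd-2.4.2/modules/ssl/ssl_util_ssl.c
+++ b/httpd-2.4.2/modules/ssl/ssl_util_ssl.c
@@ -156,6 +156,47 @@
     return rc;
 }
 
+DH *SSL_read_DHparams(char* filename, DH **DHparams, void *cb)
+{
+    DH  *rc;
+    BIO *bioS;
+    BIO *bioF;
+
+    /* 1. try PEM (= DER+Base64+headers) */
+    if ((bioS=BIO_new_file(filename, "r")) == NULL)
+        return NULL;
+    rc = PEM_read_bio_DHparams(bioS, DHparams, cb, NULL);
+    BIO_free(bioS);
+
+    if (rc == NULL) {
+        /* 2. try DER+Base64 */
+        if ((bioS=BIO_new_file(filename, "r")) == NULL)
+            return NULL;
+
+        if ((bioF = BIO_new(BIO_f_base64())) == NULL) {
+            BIO_free(bioS);
+            return NULL;
+        }
+        bioS = BIO_push(bioF, bioS);
+        rc = d2i_DHparams_bio(bioS, NULL);
+        BIO_free_all(bioS);
+
+        if (rc == NULL) {
+            /* 3. try plain DER */
+            if ((bioS=BIO_new_file(filename, "r")) == NULL)
+                return NULL;
+            rc = d2i_DHparams_bio(bioS, NULL);
+            BIO_free(bioS);
+        }
+    }
+    if (rc != NULL && DHparams != NULL) {
+        if (*DHparams != NULL)
+            DH_free(*DHparams);
+        *DHparams = rc;
+    }
+    return rc;
+}
+
 /*  _________________________________________________________________
 **
 **  Smart shutdown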
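Review bot: SSL_read_DHparams has a latent use-after-free when called with a non-NULL `DHparams`: PEM_read_bio_DHparams at new line 168 receives `DHparams`, so on the PEM path it already stores the result in `*DHparams`, and the tail at new lines 192-196 then frees `*DHparams` (which is `rc`) and assigns the dangling pointer back before returning it. The only caller in this patch passes NULL so nothing breaks today, but passing NULL to the PEM call, `rc = PEM_read_bio_DHparams(bioS, NULL, cb, NULL);`, lets the tail handle the output parameter uniformly for all three paths. The callback should also be typed like the sibling readers, `DH *SSL_read_DHparams(char *filename, DH **DHparams, pem_password_cb *cb)`, since ISO C has no implicit conversion from `void *` to a function pointer and the argument is passed straight to PEM_read_bio_DHparams.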
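--- a/httpd-2.4.2/modules/ssl/ssl_util_ssl.h
+++ b/httpd-2.4.2/modules/ssl/ssl_util_ssl.h
@@ -62,6 +62,7 @@
 void        SSL_set_app_data2(SSL *, void *);
 X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);
 EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
+DH         *SSL_read_DHparams(char* filename, DH **DHparams, void *cb);
 int         SSL_smart_shutdown(SSL *ssl);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);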
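Review bot: The new prototype at new line 65 types the callback as `void *cb` while the two readers above it declare `pem_password_cb *`; since the definition forwards it to PEM_read_bio_DHparams, the header should read `DH         *SSL_read_DHparams(char *, DH **, pem_password_cb *);`, which also drops the parameter names the neighbouring declarations omit. The caller in this patch passes NULL for it, so this is a type-consistency point rather than a runtime one.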
