
📄 ssl_engine_init.c

📁 mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具
        /* seed PRNG */        ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");        /* generate 512 bit RSA key */        ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");        if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                     "Init: Failed to generate temporary 512 bit RSA private key");            ssl_die();        }        asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512");        asn1->nData  = i2d_RSAPrivateKey(rsa, NULL);        asn1->cpData = ap_palloc(mc->pPool, asn1->nData);        ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */        RSA_free(rsa);        /* generate 1024 bit RSA key */        if ((rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                     "Init: Failed to generate temporary 1024 bit RSA private key");            ssl_die();        }        asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:1024");        asn1->nData  = i2d_RSAPrivateKey(rsa, NULL);        asn1->cpData = ap_palloc(mc->pPool, asn1->nData);        ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */        RSA_free(rsa);        ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");        /* import 512 bit DH param */        if ((dh = ssl_dh_GetTmpParam(512)) == NULL) {            ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 512 bit DH parameters");            ssl_die();        }        asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:512");        asn1->nData  = i2d_DHparams(dh, NULL);        asn1->cpData = ap_palloc(mc->pPool, asn1->nData);        ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */        DH_free(dh);        /* import 1024 bit DH param */        if ((dh = ssl_dh_GetTmpParam(1024)) == NULL) {            ssl_log(s, 
SSL_LOG_ERROR, "Init: Failed to import temporary 1024 bit DH parameters");            ssl_die();        }        asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "DH:1024");        asn1->nData  = i2d_DHparams(dh, NULL);        asn1->cpData = ap_palloc(mc->pPool, asn1->nData);        ucp = asn1->cpData; i2d_DHparams(dh, &ucp); /* 2nd arg increments */        DH_free(dh);    }    /* Allocate Keys and Params */    else if (action == SSL_TKP_ALLOC) {        ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary RSA private keys (512/1024 bits)");        /* allocate 512 bit RSA key */        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "RSA:512")) != NULL) {            ucp = asn1->cpData;            if ((mc->pTmpKeys[SSL_TKPIDX_RSA512] = #if SSL_LIBRARY_VERSION >= 0x00907000                 (void *)d2i_RSAPrivateKey(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {#else                 (void *)d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)) == NULL) {#endif                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit RSA private key");                ssl_die();            }        }        /* allocate 1024 bit RSA key */        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "RSA:1024")) != NULL) {            ucp = asn1->cpData;            if ((mc->pTmpKeys[SSL_TKPIDX_RSA1024] = #if SSL_LIBRARY_VERSION >= 0x00907000                 (void *)d2i_RSAPrivateKey(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {#else                 (void *)d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)) == NULL) {#endif                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit RSA private key");                ssl_die();            }        }        ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");        /* allocate 512 bit DH param */        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "DH:512")) != NULL) {            ucp = asn1->cpData;            if 
((mc->pTmpKeys[SSL_TKPIDX_DH512] = #if SSL_LIBRARY_VERSION >= 0x00907000                 (void *)d2i_DHparams(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {#else                 (void *)d2i_DHparams(NULL, &ucp, asn1->nData)) == NULL) {#endif                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit DH parameters");                ssl_die();            }        }        /* allocate 1024 bit DH param */        if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tTmpKeys, "DH:1024")) != NULL) {            ucp = asn1->cpData;            if ((mc->pTmpKeys[SSL_TKPIDX_DH1024] = #if SSL_LIBRARY_VERSION >= 0x00907000                 (void *)d2i_DHparams(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {#else                 (void *)d2i_DHparams(NULL, &ucp, asn1->nData)) == NULL) {#endif                ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit DH parameters");                ssl_die();            }        }    }    /* Free Keys and Params */    else if (action == SSL_TKP_FREE) {        if (mc->pTmpKeys[SSL_TKPIDX_RSA512] != NULL) {            RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512]);            mc->pTmpKeys[SSL_TKPIDX_RSA512] = NULL;        }        if (mc->pTmpKeys[SSL_TKPIDX_RSA1024] != NULL) {            RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]);            mc->pTmpKeys[SSL_TKPIDX_RSA1024] = NULL;        }        if (mc->pTmpKeys[SSL_TKPIDX_DH512] != NULL) {            DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH512]);            mc->pTmpKeys[SSL_TKPIDX_DH512] = NULL;        }        if (mc->pTmpKeys[SSL_TKPIDX_DH1024] != NULL) {            DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]);            mc->pTmpKeys[SSL_TKPIDX_DH1024] = NULL;        }    }    return;}/* * Configure a particular server */void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc){    SSLModConfigRec *mc = myModConfig();    int nVerify;    char *cpVHostID;    EVP_PKEY *pKey;    SSL_CTX *ctx;    
STACK_OF(X509_NAME) *skCAList;    ssl_asn1_t *asn1;    unsigned char *ucp;    char *cp;    BOOL ok;    BOOL bSkipFirst;    int isca, pathlen;    int i, n;    /*     * Create the server host:port string because we need it a lot     */    cpVHostID = ssl_util_vhostid(p, s);    /*     * Now check for important parameters and the     * possibility that the user forgot to set them.     */    if (sc->szPublicCertFile[0] == NULL) {        ssl_log(s, SSL_LOG_ERROR,                "Init: (%s) No SSL Certificate set [hint: SSLCertificateFile]",                cpVHostID);        ssl_die();    }    /*     *  Check for problematic re-initializations     */    if (sc->pPublicCert[SSL_AIDX_RSA] != NULL ||        sc->pPublicCert[SSL_AIDX_DSA] != NULL   ) {        ssl_log(s, SSL_LOG_ERROR,                "Init: (%s) Illegal attempt to re-initialise SSL for server "                "(theoretically shouldn't happen!)", cpVHostID);        ssl_die();    }    /*     *  Create the new per-server SSL context     */    if (sc->nProtocol == SSL_PROTOCOL_NONE) {        ssl_log(s, SSL_LOG_ERROR,                "Init: (%s) No SSL protocols available [hint: SSLProtocol]",                cpVHostID);        ssl_die();    }    cp = ap_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),                       (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),                       (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? 
"TLSv1, " : ""), NULL);    cp[strlen(cp)-2] = NUL;    ssl_log(s, SSL_LOG_TRACE,            "Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, cp);    if (sc->nProtocol == SSL_PROTOCOL_SSLV2)        ctx = SSL_CTX_new(SSLv2_server_method());  /* only SSLv2 is left */    else        ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */    SSL_CTX_set_options(ctx, SSL_OP_ALL);    if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2))        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);    if (!(sc->nProtocol & SSL_PROTOCOL_SSLV3))        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);    if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);    SSL_CTX_set_app_data(ctx, s);    sc->pSSLCtx = ctx;    /*     * Configure additional context ingredients     */    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);    if (mc->nSessionCacheMode == SSL_SCMODE_NONE)        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);    else        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);    /*     * Disallow a session from being resumed during a renegotiation,     * so that an acceptable cipher suite can be negotiated.     
*/#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);#endif    /*     *  Configure callbacks for SSL context     */    nVerify = SSL_VERIFY_NONE;    if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE)        nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;    if (   (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL)        || (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )        nVerify |= SSL_VERIFY_PEER;    SSL_CTX_set_verify(ctx, nVerify,  ssl_callback_SSLVerify);    SSL_CTX_sess_set_new_cb(ctx,      ssl_callback_NewSessionCacheEntry);    SSL_CTX_sess_set_get_cb(ctx,      ssl_callback_GetSessionCacheEntry);    SSL_CTX_sess_set_remove_cb(ctx,   ssl_callback_DelSessionCacheEntry);    SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);    SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);    SSL_CTX_set_info_callback(ctx,    ssl_callback_LogTracingState);    /*     *  Configure SSL Cipher Suite     */    if (sc->szCipherSuite != NULL) {        ssl_log(s, SSL_LOG_TRACE,                "Init: (%s) Configuring permitted SSL ciphers [%s]",                 cpVHostID, sc->szCipherSuite);        if (!SSL_CTX_set_cipher_list(ctx, sc->szCipherSuite)) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to configure permitted SSL ciphers",                    cpVHostID);            ssl_die();        }    }    /*     * Configure Client Authentication details     */    if (sc->szCACertificateFile != NULL || sc->szCACertificatePath != NULL) {        ssl_log(s, SSL_LOG_TRACE,                "Init: (%s) Configuring client authentication", cpVHostID);        if (!SSL_CTX_load_verify_locations(ctx,                                           sc->szCACertificateFile,                                           sc->szCACertificatePath)) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to configure verify locations "       
             "for client authentication", cpVHostID);            ssl_die();        }        if ((skCAList = ssl_init_FindCAList(s, p, sc->szCACertificateFile,                                            sc->szCACertificatePath)) == NULL) {            ssl_log(s, SSL_LOG_ERROR,                    "Init: (%s) Unable to determine list of available "                    "CA certificates for client authentication", cpVHostID);            ssl_die();        }        SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);    }    /*     * Configure Certificate Revocation List (CRL) Details     */    if (sc->szCARevocationFile != NULL || sc->szCARevocationPath != NULL) {        ssl_log(s, SSL_LOG_TRACE,                "Init: (%s) Configuring certificate revocation facility", cpVHostID);        if ((sc->pRevocationStore =                SSL_X509_STORE_create(sc->szCARevocationFile,                                      sc->szCARevocationPath)) == NULL) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to configure X.509 CRL storage "                    "for certificate revocation", cpVHostID);            ssl_die();        }    }    /*     * Give a warning when no CAs were configured but client authentication     * should take place. This cannot work.     */    if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {        skCAList = SSL_CTX_get_client_CA_list(ctx);        if (sk_X509_NAME_num(skCAList) == 0)            ssl_log(s, SSL_LOG_WARN,                    "Init: Ops, you want to request client authentication, "                    "but no CAs are known for verification!? 
"                    "[Hint: SSLCACertificate*]");    }    /*     *  Configure server certificate(s)     */    ok = FALSE;    cp = ap_psprintf(p, "%s:RSA", cpVHostID);    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {        ssl_log(s, SSL_LOG_TRACE,                "Init: (%s) Configuring RSA server certificate", cpVHostID);        ucp = asn1->cpData;#if SSL_LIBRARY_VERSION >= 0x00908000        if ((sc->pPublicCert[SSL_AIDX_RSA] = d2i_X509(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {#else        if ((sc->pPublicCert[SSL_AIDX_RSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {#endif            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to import RSA server certificate",                    cpVHostID);            ssl_die();        }        if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_RSA]) <= 0) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to configure RSA server certificate",                    cpVHostID);            ssl_die();        }        ok = TRUE;    }    cp = ap_psprintf(p, "%s:DSA", cpVHostID);    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPublicCert, cp)) != NULL) {        ssl_log(s, SSL_LOG_TRACE,                "Init: (%s) Configuring DSA server certificate", cpVHostID);        ucp = asn1->cpData;#if SSL_LIBRARY_VERSION >= 0x00908000        if ((sc->pPublicCert[SSL_AIDX_DSA] = d2i_X509(NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {#else        if ((sc->pPublicCert[SSL_AIDX_DSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {#endif            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to import DSA server certificate",                    cpVHostID);            ssl_die();        }        if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_DSA]) <= 0) {            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,                    "Init: (%s) Unable to configure DSA 
server certificate",                    cpVHostID);            ssl_die();        }        ok = TRUE;    }    if (!ok) {        ssl_log(s, SSL_LOG_ERROR,                "Init: (%s) Ops, no RSA or DSA server certificate found?!", cpVHostID);        ssl_log(s, SSL_LOG_ERROR,                "Init: (%s) You have to perform a *full* server restart when you added or removed a certificate and/or key file", cpVHostID);        ssl_die();    }    /*     * Some information about the certificate(s)     */    for (i = 0; i < SSL_AIDX_MAX; i++) {        if (sc->pPublicCert[i] != NULL) {
