ssl_engine_init.c

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

            if (SSL_X509_isSGC(sc->pPublicCert[i])) {
                ssl_log(s, SSL_LOG_INFO,
                        "Init: (%s) %s server certificate enables "
                        "Server Gated Cryptography (SGC)", 
                        cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
            }
            if (SSL_X509_getBC(sc->pPublicCert[i], &isca, &pathlen)) {
                if (isca)
                    ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate is a CA certificate "
                        "(BasicConstraints: CA == TRUE !?)",
                        cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
                if (pathlen > 0)
                    ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate is not a leaf certificate "
                        "(BasicConstraints: pathlen == %d > 0 !?)",
                        cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen);
            }
            if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
                if (ap_is_fnmatch(cp) &&
                    ap_fnmatch(cp, s->server_hostname, 
                               FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
                    ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
                        "does NOT match server name!?", cpVHostID, 
                        (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
                }
                else if (strNE(s->server_hostname, cp)) {
                    ssl_log(s, SSL_LOG_WARN,
                        "Init: (%s) %s server certificate CommonName (CN) `%s' "
                        "does NOT match server name!?", cpVHostID, 
                        (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
                }
            }
        }
    }

    /*
     *  Configure server private key(s)
     */
    ok = FALSE;
    cp = ap_psprintf(p, "%s:RSA", cpVHostID);
    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring RSA server private key", cpVHostID);
        ucp = asn1->cpData;
        if ((sc->pPrivateKey[SSL_AIDX_RSA] = 
#if SSL_LIBRARY_VERSION >= 0x00908000
             d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
#else
             d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)) == NULL) {
#endif
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to import RSA server private key",
                    cpVHostID);
            ssl_die();
        }
        if (!RSA_blinding_on(sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa, NULL)) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to enable RSA blinding (probably PRNG failure)",
                    cpVHostID);
            ssl_die();
        }
        if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure RSA server private key",
                    cpVHostID);
            ssl_die();
        }
        ok = TRUE;
    }
    cp = ap_psprintf(p, "%s:DSA", cpVHostID);
    if ((asn1 = (ssl_asn1_t *)ssl_ds_table_get(mc->tPrivateKey, cp)) != NULL) {
        ssl_log(s, SSL_LOG_TRACE,
                "Init: (%s) Configuring DSA server private key", cpVHostID);
        ucp = asn1->cpData;
        if ((sc->pPrivateKey[SSL_AIDX_DSA] = 
#if SSL_LIBRARY_VERSION >= 0x00908000
             d2i_PrivateKey(EVP_PKEY_DSA, NULL, (const unsigned char **)&ucp, asn1->nData)) == NULL) {
#else
             d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ucp, asn1->nData)) == NULL) {
#endif
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to import DSA server private key",
                    cpVHostID);
            ssl_die();
        }
        if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_DSA]) <= 0) {
            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                    "Init: (%s) Unable to configure DSA server private key",
                    cpVHostID);
            ssl_die();
        }
        ok = TRUE;
    }
    if (!ok) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) Ops, no RSA or DSA server private key found?!", cpVHostID);
        ssl_die();
    }

    /*
     * Optionally copy DSA parameters for certificate from private key
     * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
     */
    if (   sc->pPublicCert[SSL_AIDX_DSA] != NULL
        && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
        pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
        if (   pKey != NULL
            && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA 
            && EVP_PKEY_missing_parameters(pKey))
            EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
    }

    /* 
     * Optionally configure extra server certificate chain certificates.
     * This is usually done by OpenSSL automatically when one of the
     * server cert issuers are found under SSLCACertificatePath or in
     * SSLCACertificateFile. But because these are intended for client
     * authentication it can conflict. For instance when you use a
     * Global ID server certificate you've to send out the intermediate
     * CA certificate, too. When you would just configure this with
     * SSLCACertificateFile and also use client authentication mod_ssl
     * would accept all clients also issued by this CA. Obviously this
     * isn't what we want in this situation. So this feature here exists
     * to allow one to explicity configure CA certificates which are
     * used only for the server certificate chain.
     */
    if (sc->szCertificateChain != NULL) {
        bSkipFirst = FALSE;
        for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) {
            if (strEQ(sc->szPublicCertFile[i], sc->szCertificateChain)) {
                bSkipFirst = TRUE;
                break;
            }
        }
        if ((n = SSL_CTX_use_certificate_chain(ctx, sc->szCertificateChain, 
                                               bSkipFirst, NULL)) < 0) {
            ssl_log(s, SSL_LOG_ERROR,
                    "Init: (%s) Failed to configure CA certificate chain!", cpVHostID);
            ssl_die();
        }
        ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring "
                "server certificate chain (%d CA certificate%s)", cpVHostID,
                n, n == 1 ? "" : "s");
    }

#ifdef SSL_VENDOR
    ap_hook_use("ap::mod_ssl::vendor::configure_server",
                AP_HOOK_SIG4(void,ptr,ptr,ptr), AP_HOOK_ALL, 
                s, p, sc);
#endif

    return;
}

void ssl_init_CheckServers(server_rec *sm, pool *p)
{
    server_rec *s;
    server_rec **ps;
    SSLSrvConfigRec *sc;
    ssl_ds_table *t;
    pool *sp;
    char *key;
    BOOL bConflict;

    /*
     * Give out warnings when a server has HTTPS configured 
     * for the HTTP port or vice versa
     */
    for (s = sm; s != NULL; s = s->next) {
        sc = mySrvConfig(s);
        if (sc->bEnabled && s->port == DEFAULT_HTTP_PORT)
            ssl_log(sm, SSL_LOG_WARN,
                    "Init: (%s) You configured HTTPS(%d) on the standard HTTP(%d) port!",
                    ssl_util_vhostid(p, s), DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
        if (!sc->bEnabled && s->port == DEFAULT_HTTPS_PORT)
            ssl_log(sm, SSL_LOG_WARN,
                    "Init: (%s) You configured HTTP(%d) on the standard HTTPS(%d) port!",
                    ssl_util_vhostid(p, s), DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
    }

    /*
     * Give out warnings if more than one SSL-aware virtual server uses the
     * same IP:port. This doesn't work because mod_ssl then will always use
     * just the certificate/keys of one virtual host (which one cannot be said
     * easily - but that doesn't matter here).
     */
    sp = ap_make_sub_pool(p);
    t = ssl_ds_table_make(sp, sizeof(server_rec *));
    bConflict = FALSE;
    for (s = sm; s != NULL; s = s->next) {
        sc = mySrvConfig(s);
        if (!sc->bEnabled)
            continue;
        if (s->addrs == NULL)
            continue;
        key = ap_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
        ps = ssl_ds_table_get(t, key);
        if (ps != NULL) {
            ssl_log(sm, SSL_LOG_WARN,
                    "Init: SSL server IP/port conflict: %s (%s:%d) vs. %s (%s:%d)",
                    ssl_util_vhostid(p, s), 
                    (s->defn_name != NULL ? s->defn_name : "unknown"),
                    s->defn_line_number,
                    ssl_util_vhostid(p, *ps),
                    ((*ps)->defn_name != NULL ? (*ps)->defn_name : "unknown"), 
                    (*ps)->defn_line_number);
            bConflict = TRUE;
            continue;
        }
        ps = ssl_ds_table_push(t, key);
        *ps = s;
    }
    ssl_ds_table_kill(t);
    ap_destroy_pool(sp);
    if (bConflict)
        ssl_log(sm, SSL_LOG_WARN,
                "Init: You should not use name-based virtual hosts in conjunction with SSL!!");

    return;
}

static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
{
    return(X509_NAME_cmp(*a, *b));
}

STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, pool *pp, char *cpCAfile, char *cpCApath)
{
    STACK_OF(X509_NAME) *skCAList;
    STACK_OF(X509_NAME) *sk;
    DIR *dir;
    struct DIR_TYPE *direntry;
    char *cp;
    pool *p;
    int n;
    char buf[256];

    /*
     * Use a subpool so we don't bloat up the server pool which
     * is remains in memory for the complete operation time of
     * the server.
     */
    p = ap_make_sub_pool(pp);

    /*
     * Start with a empty stack/list where new
     * entries get added in sorted order.
     */
    skCAList = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);

    /*
     * Process CA certificate bundle file
     */
    if (cpCAfile != NULL) {
        sk = SSL_load_client_CA_file(cpCAfile);
        for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
            X509_NAME *name = sk_X509_NAME_value(sk, n);
            ssl_log(s, SSL_LOG_TRACE,
                    "CA certificate: %s",
                    X509_NAME_oneline(name, buf, sizeof(buf)));
            if (sk_X509_NAME_find(skCAList, name) < 0)
                sk_X509_NAME_push(skCAList, name); /* will be freed when skCAList is */
            else
                X509_NAME_free(name);
        }
        sk_X509_NAME_free(sk);
    }

    /*
     * Process CA certificate path files
     */
    if (cpCApath != NULL) {
        dir = ap_popendir(p, cpCApath);
        while ((direntry = readdir(dir)) != NULL) {
            cp = ap_pstrcat(p, cpCApath, "/", direntry->d_name, NULL);
            sk = SSL_load_client_CA_file(cp);
            for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
                X509_NAME *name = sk_X509_NAME_value(sk, n);
                ssl_log(s, SSL_LOG_TRACE,
                        "CA certificate: %s",
                        X509_NAME_oneline(name, buf, sizeof(buf)));
                if (sk_X509_NAME_find(skCAList, name) < 0)
                    sk_X509_NAME_push(skCAList, name);
                else
                    X509_NAME_free(name);
            }
            sk_X509_NAME_free(sk);
        }
        ap_pclosedir(p, dir);
    }

    /*
     * Cleanup
     */
    sk_X509_NAME_set_cmp_func(skCAList, NULL);
    ap_destroy_pool(p);

    return skCAList;
}

void ssl_init_Child(server_rec *s, pool *p)
{
     /* open the mutex lockfile */
     ssl_mutex_reinit(s, p);
     return;
}

void ssl_init_ChildKill(void *data)
{
    /* currently nothing to do */
    return;
}

void ssl_init_ModuleKill(void *data)
{
    SSLSrvConfigRec *sc;
    server_rec *s = (server_rec *)data;

    /*
     * Drop the session cache and mutex
     */
    ssl_scache_kill(s);
    ssl_mutex_kill(s);

    /* 
     * Destroy the temporary keys and params
     */
    ssl_init_TmpKeysHandle(SSL_TKP_FREE, s, NULL);

    /*
     * Free the non-pool allocated structures
     * in the per-server configurations
     */
    for (; s != NULL; s = s->next) {
        sc = mySrvConfig(s);
        if (sc->pRevocationStore != NULL) {
            X509_STORE_free(sc->pRevocationStore);
            sc->pRevocationStore = NULL;
        }
        if (sc->pPublicCert[SSL_AIDX_RSA] != NULL) {
            X509_free(sc->pPublicCert[SSL_AIDX_RSA]);
            sc->pPublicCert[SSL_AIDX_RSA] = NULL;
        }
        if (sc->pPublicCert[SSL_AIDX_DSA] != NULL) {
            X509_free(sc->pPublicCert[SSL_AIDX_DSA]);
            sc->pPublicCert[SSL_AIDX_DSA] = NULL;
        }
        if (sc->pPrivateKey[SSL_AIDX_RSA] != NULL) {
            EVP_PKEY_free(sc->pPrivateKey[SSL_AIDX_RSA]);
            sc->pPrivateKey[SSL_AIDX_RSA] = NULL;
        }
        if (sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
            EVP_PKEY_free(sc->pPrivateKey[SSL_AIDX_DSA]);
            sc->pPrivateKey[SSL_AIDX_DSA] = NULL;
        }
        if (sc->pSSLCtx != NULL) {
            SSL_CTX_free(sc->pSSLCtx);
            sc->pSSLCtx = NULL;
        }
    }

    /*
     * Try to kill the internals of the SSL library.
     */
#ifdef SHARED_MODULE
    ERR_free_strings();
    ERR_remove_state(0);
    EVP_cleanup();
#endif

    ssl_util_thread_cleanup();

    return;
}