Forward port of changes in mod_ssl for Apache 1.3 up through mod_ssl

version 2.8.7-1.3.23.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93564 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -1,4 +1,8 @@
 Changes with Apache 2.0.33-dev
+
+  *) Merged in changes to mod_ssl up through 2.8.7-1.3.23.
+     [Ralf S. Engelschall, Cliff Woolley]
+
   *) mod-include: make it handle flush'es and fix the 'false-alarm'
      [Justin Everkrantz, Brian Pane, Ian Holsman]
 

modules/ssl/mod_ssl.h

@@ -513,6 +513,7 @@ typedef struct {
     char           *szMutexFile;
     apr_lock_t     *pMutex;
     apr_array_header_t   *aRandSeed;
+    int             nScoreboardSize; /* used for builtin random seed */
     ssl_ds_table   *tTmpKeys;
     void           *pTmpKeys[SSL_TKPIDX_MAX];
     ssl_ds_table   *tPublicCert;
@@ -675,7 +676,11 @@ int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, server_rec *);
 int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+#if SSL_LIBRARY_VERSION >= 0x00907000
+void         ssl_callback_LogTracingState(const SSL *, int, int);
+#else
 void         ssl_callback_LogTracingState(SSL *, int, int);
+#endif
 
 /*  Session Cache Support  */
 void         ssl_scache_init(server_rec *, apr_pool_t *);

modules/ssl/ssl_engine_dh.c

@@ -225,10 +225,10 @@ $dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
 
 #   generate C source from DH params
 my $dhsource = '';
-open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand -8 |") || die;
+open(FP, "openssl dh -noout -C -in dh512.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
 close(FP);
-open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand -8 |") || die;
+open(FP, "openssl dh -noout -C -in dh1024.pem | indent | expand |") || die;
 $dhsource .= $_ while (<FP>);
 close(FP);
 $dhsource =~ s|(DH\s+\*get_dh)|static $1|sg;

modules/ssl/ssl_engine_init.c

@@ -221,7 +221,11 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 
     /*
      * Seed the Pseudo Random Number Generator (PRNG)
+     *
+     * Note: scoreboard size must be fetched at init time because
+     * ap_calc_scoreboard_size() is not threadsafe
      */
+    mc->nScoreboardSize = ap_calc_scoreboard_size();
     ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
 
     /*
@@ -713,7 +717,8 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
             }
             if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
                 if (apr_is_fnmatch(cp) &&
-                    !apr_fnmatch(cp, s->server_hostname, FNM_PERIOD|FNM_CASE_BLIND)) {
+                    apr_fnmatch(cp, s->server_hostname,
+                                FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
                     ssl_log(s, SSL_LOG_WARN,
                         "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
                         "does NOT match server name!?", cpVHostID, 

modules/ssl/ssl_engine_kernel.c

@@ -1587,7 +1587,11 @@ void ssl_callback_DelSessionCacheEntry(
  * SSL handshake and does SSL record layer stuff. We use it to
  * trace OpenSSL's processing in out SSL logfile.
  */
+#if SSL_LIBRARY_VERSION >= 0x00907000
+void ssl_callback_LogTracingState(const SSL *ssl, int where, int rc)
+#else
 void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
+#endif
 {
     conn_rec *c;
     server_rec *s;
@@ -1597,7 +1601,7 @@ void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
     /*
      * find corresponding server
      */
-    if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
+    if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL)
         return;
     s = c->base_server;
     if ((sc = mySrvConfig(s)) == NULL)

modules/ssl/ssl_engine_rand.c

@@ -81,6 +81,7 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
     int nReq, nDone;
     apr_file_t *fp;
     int i, n, l;
+    int m;
 
     mc = myModConfig(s);
     nReq  = 0;
@@ -154,18 +155,21 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
                 RAND_seed(stackdata+n, 128);
                 nDone += 128;
 
-#if XXX_SBENTROPY_SOLVED
                 /*
-                 * XXX: This is entirely borked, sizeof(scoreboard) < 1024
+                 * seed in data extracted from the current scoreboard
                  *
-                 * seed in an 1KB extract of the current scoreboard
+                 * XXX: this assumes that the entire scoreboard is
+                 * allocated in one big block of memory that begins at
+                 * the location pointed to by ap_scoreboard_image->global
                  */
-                if (ap_scoreboard_image != NULL) {
-                    n = ssl_rand_choosenum(0,ap_calc_scoreboard_size()-1024-1);
-                    RAND_seed(((unsigned char *)ap_scoreboard_image)+n, 1024);
-                    nDone += 1024;
+                if (ap_scoreboard_image != NULL && mc->nScoreboardSize > 16)
+                {
+                    m = ((mc->nScoreboardSize / 2) - 1);
+                    n = ssl_rand_choosenum(0, m);
+                    RAND_seed(
+                        ((unsigned char *)ap_scoreboard_image->global)+n, m);
+                    nDone += m;
                 }
-#endif
             }
         }
     }

modules/ssl/ssl_scache_dbm.c

@@ -142,8 +142,10 @@ BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS
     UCHAR *ucp;
 
     /* streamline session data */
+    if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
+        return FALSE;
     ucp = ucaData;
-    nData = i2d_SSL_SESSION(sess, &ucp);
+    i2d_SSL_SESSION(sess, &ucp);
 
     /* be careful: do not try to store too much bytes in a DBM file! */
 #ifdef PAIRMAX

modules/ssl/ssl_scache_shmcb.c

@@ -183,9 +183,9 @@ typedef struct {
     unsigned int division_offset;
     unsigned int division_size;
     unsigned int queue_size;
-    unsigned char index_num;
-    unsigned char index_offset;
-    unsigned char index_size;
+    unsigned int index_num;
+    unsigned int index_offset;
+    unsigned int index_size;
     unsigned int cache_data_offset;
     unsigned int cache_data_size;
     unsigned long num_stores;
@@ -208,10 +208,10 @@ typedef struct {
     unsigned int queue_size;
     unsigned int cache_data_offset;
     unsigned int cache_data_size;
+    unsigned int index_num;
+    unsigned int index_offset;
+    unsigned int index_size;
     unsigned char division_mask;
-    unsigned char index_num;
-    unsigned char index_offset;
-    unsigned char index_size;
 #endif
 } SHMCBHeader;
 
@@ -456,7 +456,7 @@ void ssl_scache_shmcb_kill(server_rec *s)
     return;
 }
 
-BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR * id, int idlen,
+BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR *id, int idlen,
                            time_t timeout, SSL_SESSION * pSession)
 {
     SSLModConfigRec *mc = myModConfig();
@@ -478,7 +478,7 @@ BOOL ssl_scache_shmcb_store(server_rec *s, UCHAR * id, int idlen,
     return to_return;
 }
 
-SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR * id, int idlen)
+SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR *id, int idlen)
 {
     SSLModConfigRec *mc = myModConfig();
     void *shm_segment;
@@ -499,14 +499,16 @@ SSL_SESSION *ssl_scache_shmcb_retrieve(server_rec *s, UCHAR * id, int idlen)
     return pSession;
 }
 
-void ssl_scache_shmcb_remove(server_rec *s, UCHAR * id, int idlen)
+void ssl_scache_shmcb_remove(server_rec *s, UCHAR *id, int idlen)
 {
     SSLModConfigRec *mc = myModConfig();
     void *shm_segment;
 
     /* We've kludged our pointer into the other cache's member variable. */
     shm_segment = (void *) mc->tSessionCacheDataTable;
+    ssl_mutex_on(s);
     shmcb_remove_session(s, shm_segment, id, idlen);
+    ssl_mutex_off(s);
 }
 
 void ssl_scache_shmcb_expire(server_rec *s)
@@ -705,7 +707,7 @@ static BOOL shmcb_init_memory(
 }
 
 static BOOL shmcb_store_session(
-    server_rec *s, void *shm_segment, UCHAR * id,
+    server_rec *s, void *shm_segment, UCHAR *id,
     int idlen, SSL_SESSION * pSession,
     time_t timeout)
 {
@@ -755,7 +757,7 @@ static BOOL shmcb_store_session(
 
 static SSL_SESSION *shmcb_retrieve_session(
     server_rec *s, void *shm_segment,
-    UCHAR * id, int idlen)
+    UCHAR *id, int idlen)
 {
     SHMCBHeader *header;
     SHMCBQueue queue;
@@ -795,7 +797,7 @@ static SSL_SESSION *shmcb_retrieve_session(
 
 static BOOL shmcb_remove_session(
     server_rec *s, void *shm_segment,
-    UCHAR * id, int idlen)
+    UCHAR *id, int idlen)
 {
     SHMCBHeader *header;
     SHMCBQueue queue;
@@ -992,7 +994,7 @@ static SHMCBIndex *shmcb_get_index(
     const SHMCBQueue *queue, unsigned int idx)
 {
     /* bounds check */
-    if (idx > (unsigned int) queue->header->index_num)
+    if (idx > queue->header->index_num)
         return NULL;
 
     /* Return a pointer to the index. NB: I am being horribly pendantic

modules/ssl/ssl_scache_shmht.c

@@ -175,8 +175,10 @@ BOOL ssl_scache_shmht_store(server_rec *s, UCHAR *id, int idlen, time_t expiry,
     UCHAR *ucp;
 
     /* streamline session data */
+    if ((nData = i2d_SSL_SESSION(sess, NULL)) > sizeof(ucaData))
+        return FALSE;
     ucp = ucaData;
-    nData = i2d_SSL_SESSION(sess, &ucp);
+    i2d_SSL_SESSION(sess, &ucp);
 
     ssl_mutex_on(s);
     if (table_insert_kd(mc->tSessionCacheDataTable,