ssl_util.c revision baa6746bc66ff1daa1852a3a085906d2dfa96bb6
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding/* Licensed to the Apache Software Foundation (ASF) under one or more
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * contributor license agreements. See the NOTICE file distributed with
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * this work for additional information regarding copyright ownership.
b99dbaab171d91e1b664397cc40e039d0c087c65fielding * The ASF licenses this file to You under the Apache License, Version 2.0
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * (the "License"); you may not use this file except in compliance with
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * the License. You may obtain a copy of the License at
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Unless required by applicable law or agreed to in writing, software
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * distributed under the License is distributed on an "AS IS" BASIS,
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * See the License for the specific language governing permissions and
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * limitations under the License.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * _ __ ___ ___ __| | ___ ___| | mod_ssl
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * | | | | | | (_) | (_| | \__ \__ \ |
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * |_| |_| |_|\___/ \__,_|___|___/___/_|
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding * Utility Functions
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding /* ``Every day of my life
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding I am forced to add another
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding name to the list of people
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding who piss me off!''
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding -- Calvin */
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding/* _________________________________________________________________
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding** Utility Functions
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding** _________________________________________________________________
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fieldingchar *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding if (s->port != 0)
3568de757bac0b47256647504c186d17ca272f85rbb id = apr_psprintf(p, "%s:%lu", host, (unsigned long)port);
3568de757bac0b47256647504c186d17ca272f85rbbapr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
3568de757bac0b47256647504c186d17ca272f85rbb const char * const *argv)
3568de757bac0b47256647504c186d17ca272f85rbb if (apr_procattr_io_set(procattr, APR_FULL_BLOCK, APR_FULL_BLOCK,
3568de757bac0b47256647504c186d17ca272f85rbb if (apr_procattr_cmdtype_set(procattr, APR_PROGRAM) != APR_SUCCESS)
3568de757bac0b47256647504c186d17ca272f85rbb if ((proc = (apr_proc_t *)apr_pcalloc(p, sizeof(apr_proc_t))) == NULL)
3568de757bac0b47256647504c186d17ca272f85rbb if (apr_proc_create(proc, cmd, argv, NULL, procattr, p) != APR_SUCCESS)
3568de757bac0b47256647504c186d17ca272f85rbbvoid ssl_util_ppclose(server_rec *s, apr_pool_t *p, apr_file_t *fp)
3568de757bac0b47256647504c186d17ca272f85rbb * Run a filter program and read the first line of its stdout output
3568de757bac0b47256647504c186d17ca272f85rbbchar *ssl_util_readfilter(server_rec *s, apr_pool_t *p, const char *cmd,
3568de757bac0b47256647504c186d17ca272f85rbb const char * const *argv)
3568de757bac0b47256647504c186d17ca272f85rbb /* XXX: we are reading 1 byte at a time here */
3568de757bac0b47256647504c186d17ca272f85rbb for (k = 0; apr_file_read(fp, &c, &nbytes) == APR_SUCCESS
3568de757bac0b47256647504c186d17ca272f85rbbBOOL ssl_util_path_check(ssl_pathcheck_t pcm, const char *path, apr_pool_t *p)
8f3ec4772d2aeb347cf40e87c77627bb784dd018rbbssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
3568de757bac0b47256647504c186d17ca272f85rbb /* Only refcounted in OpenSSL */
3568de757bac0b47256647504c186d17ca272f85rbb switch (t) {
3568de757bac0b47256647504c186d17ca272f85rbb * certain key and cert data needs to survive restarts,
3568de757bac0b47256647504c186d17ca272f85rbb * which are stored in the user data table of s->process->pool.
fc1efab92032301e317f07e1b3a00082d9d71f3frbb * to prevent "leaking" of this data, we use malloc/free
3568de757bac0b47256647504c186d17ca272f85rbb * rather than apr_palloc and these wrappers to help make sure
fc1efab92032301e317f07e1b3a00082d9d71f3frbb * we do not leak the malloc-ed data.
3568de757bac0b47256647504c186d17ca272f85rbb const char *key,
3568de757bac0b47256647504c186d17ca272f85rbb * if a value for this key already exists,
3568de757bac0b47256647504c186d17ca272f85rbb * reuse as much of the already malloc-ed data
3568de757bac0b47256647504c186d17ca272f85rbb * as possible.
3568de757bac0b47256647504c186d17ca272f85rbb asn1->source_mtime = 0; /* used as a note for encrypted private keys */
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding return asn1->cpData; /* caller will assign a value to this */
3568de757bac0b47256647504c186d17ca272f85rbb const char *key)
3568de757bac0b47256647504c186d17ca272f85rbb return (ssl_asn1_t *)apr_hash_get(table, key, APR_HASH_KEY_STRING);
3568de757bac0b47256647504c186d17ca272f85rbb const char *key)
3568de757bac0b47256647504c186d17ca272f85rbbstatic const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
ca53a74f4012a45cbad48e940eddf27d866981f9dougmstatic const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding const char *id,
3568de757bac0b47256647504c186d17ca272f85rbbSTACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
3568de757bac0b47256647504c186d17ca272f85rbb ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Can't open %s", pkcs7);
3568de757bac0b47256647504c186d17ca272f85rbb ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
3568de757bac0b47256647504c186d17ca272f85rbb ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
3568de757bac0b47256647504c186d17ca272f85rbb * To ensure thread-safetyness in OpenSSL - work in progress
3568de757bac0b47256647504c186d17ca272f85rbb return -1;
3568de757bac0b47256647504c186d17ca272f85rbb/* Dynamic lock structure */
3568de757bac0b47256647504c186d17ca272f85rbb const char* file;
3568de757bac0b47256647504c186d17ca272f85rbb/* Global reference to the pool passed into ssl_util_thread_setup() */
3568de757bac0b47256647504c186d17ca272f85rbb * Dynamic lock creation callback
3568de757bac0b47256647504c186d17ca272f85rbbstatic struct CRYPTO_dynlock_value *ssl_dyn_create_function(const char *file,
3568de757bac0b47256647504c186d17ca272f85rbb * We need a pool to allocate our mutex. Since we can't clear
3568de757bac0b47256647504c186d17ca272f85rbb * allocated memory from a pool, create a subpool that we can blow
3568de757bac0b47256647504c186d17ca272f85rbb * away in the destruction callback.
3568de757bac0b47256647504c186d17ca272f85rbb "Failed to create subpool for dynamic lock");
3568de757bac0b47256647504c186d17ca272f85rbb "Creating dynamic lock");
3568de757bac0b47256647504c186d17ca272f85rbb sizeof(struct CRYPTO_dynlock_value));
3568de757bac0b47256647504c186d17ca272f85rbb "Failed to allocate dynamic lock structure");
3568de757bac0b47256647504c186d17ca272f85rbb /* Keep our own copy of the place from which we were created,
3568de757bac0b47256647504c186d17ca272f85rbb using our own pool. */
3568de757bac0b47256647504c186d17ca272f85rbb rv = apr_thread_mutex_create(&(value->mutex), APR_THREAD_MUTEX_DEFAULT,
3568de757bac0b47256647504c186d17ca272f85rbb "Failed to create thread mutex for dynamic lock");
3568de757bac0b47256647504c186d17ca272f85rbb * Dynamic locking and unlocking function
3568de757bac0b47256647504c186d17ca272f85rbbstatic void ssl_dyn_lock_function(int mode, struct CRYPTO_dynlock_value *l,
3568de757bac0b47256647504c186d17ca272f85rbb * Dynamic lock destruction callback
3568de757bac0b47256647504c186d17ca272f85rbbstatic void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l,
3568de757bac0b47256647504c186d17ca272f85rbb "Failed to destroy mutex for dynamic lock %s:%d",
8e9734d1a4af74c141e2a0f880bb51bb061fa03atrawick /* Trust that whomever owned the CRYPTO_dynlock_value we were
3568de757bac0b47256647504c186d17ca272f85rbb * passed has no future use for it...
3568de757bac0b47256647504c186d17ca272f85rbbstatic unsigned long ssl_util_thr_id(void)
3568de757bac0b47256647504c186d17ca272f85rbb /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
3568de757bac0b47256647504c186d17ca272f85rbb * id is a structure twice that big. Use the TCB pointer instead as a
8e9734d1a4af74c141e2a0f880bb51bb061fa03atrawick * unique unsigned long.
3568de757bac0b47256647504c186d17ca272f85rbb unsigned long PSATOLD;
3568de757bac0b47256647504c186d17ca272f85rbb return (unsigned long) apr_os_thread_current();
3568de757bac0b47256647504c186d17ca272f85rbb /* Let the registered mutex cleanups do their own thing
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard lock_cs = apr_palloc(p, lock_num_locks * sizeof(*lock_cs));
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard for (i = 0; i < lock_num_locks; i++) {
3568de757bac0b47256647504c186d17ca272f85rbb apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
3568de757bac0b47256647504c186d17ca272f85rbb /* Set up dynamic locking scaffolding for OpenSSL to use at its
ad83978f20c7d1a4323059d9af122e56fcd353bdstoddard * convenience.
3568de757bac0b47256647504c186d17ca272f85rbb CRYPTO_set_dynlock_create_callback(ssl_dyn_create_function);
3568de757bac0b47256647504c186d17ca272f85rbb CRYPTO_set_dynlock_lock_callback(ssl_dyn_lock_function);
3568de757bac0b47256647504c186d17ca272f85rbb CRYPTO_set_dynlock_destroy_callback(ssl_dyn_destroy_function);