static void GenerateNewSslSeed()
{
UINT8 signature[ 128 ];
UINT8 IVPtr[ BLOCK_SIZE ];
BOOL success;
UINT64 data[ 2 ] = { ++g_SSL_SeedData.Config.SeedCounter, HAL_Time_CurrentTicks() };
memset( &IVPtr[ 0 ], 0, sizeof(IVPtr) );
success = Crypto_Encrypt( (BYTE*)&g_SSL_SeedData.Config.SslSeedKey[ 0 ], (UINT8*)IVPtr, sizeof(IVPtr), (BYTE*)&data, sizeof(data), signature, sizeof(signature) ) == CRYPTO_SUCCESS ? S_OK : CLR_E_FAIL;
ASSERT(success);
ssl_rand_seed(signature, sizeof(signature));
if(!g_SSL_SeedData.m_completion.IsLinked())
{
g_SSL_SeedData.m_completion.EnqueueDelta( 5 * 1000000ul ); // 5 seconds
}
}
int ssl_init_ssl_connection(conn_rec *c)
{
SSLSrvConfigRec *sc;
SSL *ssl;
SSLConnRec *sslconn = myConnConfig(c);
char *vhost_md5;
modssl_ctx_t *mctx;
server_rec *server;
if (!sslconn) {
sslconn = ssl_init_connection_ctx(c);
}
server = sslconn->server;
sc = mySrvConfig(server);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
mctx = sslconn->is_proxy ? sc->proxy : sc->server;
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to create a new SSL connection from the SSL "
"context");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
sc->vhost_id_len);
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
APR_MD5_DIGESTSIZE*2))
{
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
"Unable to set session id context to `%s'", vhost_md5);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
SSL_set_app_data(ssl, c);
SSL_set_app_data2(ssl, NULL); /* will be request_rec */
sslconn->ssl = ssl;
/*
* Configure callbacks for SSL connection
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
SSL_set_verify_result(ssl, X509_V_OK);
ssl_io_filter_init(c, ssl);
return APR_SUCCESS;
}
/*
* Per-module initialization
*/
int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp,
server_rec *base_server)
{
SSLModConfigRec *mc = myModConfig(base_server);
SSLSrvConfigRec *sc;
server_rec *s;
/* We initialize mc->pid per-process in the child init,
* but it should be initialized for startup before we
* call ssl_rand_seed() below.
*/
mc->pid = getpid();
/*
* Let us cleanup on restarts and exists
*/
apr_pool_cleanup_register(p, base_server,
ssl_init_ModuleKill,
apr_pool_cleanup_null);
/*
* Any init round fixes the global config
*/
ssl_config_global_create(base_server); /* just to avoid problems */
ssl_config_global_fix(mc);
/*
* try to fix the configuration and open the dedicated SSL
* logfile as early as possible
*/
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server) {
sc->server->sc = sc;
}
if (sc->proxy) {
sc->proxy->sc = sc;
}
/*
* Create the server host:port string because we need it a lot
*/
sc->vhost_id = ssl_util_vhostid(p, s);
sc->vhost_id_len = strlen(sc->vhost_id);
if (ap_get_server_protocol(s) &&
strcmp("https", ap_get_server_protocol(s)) == 0) {
sc->enabled = SSL_ENABLED_TRUE;
}
/* If sc->enabled is UNSET, then SSL is optional on this vhost */
/* Fix up stuff that may not have been set */
if (sc->enabled == SSL_ENABLED_UNSET) {
sc->enabled = SSL_ENABLED_FALSE;
}
if (sc->proxy_enabled == UNSET) {
sc->proxy_enabled = FALSE;
}
if (sc->session_cache_timeout == UNSET) {
sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
}
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
}
#if APR_HAS_THREADS
ssl_util_thread_setup(p);
#endif
/*
* SSL external crypto device ("engine") support
*/
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
ssl_init_Engine(base_server, p);
#endif
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Init: Initialized %s library", SSL_LIBRARY_NAME);
/*
* Seed the Pseudo Random Number Generator (PRNG)
* only need ptemp here; nothing inside allocated from the pool
* needs to live once we return from ssl_rand_seed().
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
/*
* read server private keys/public certs into memory.
* decrypting any encrypted keys via configured SSLPassPhraseDialogs
* anything that needs to live longer than ptemp needs to also survive
* restarts, in which case they'll live inside s->process->pool.
*/
ssl_pphrase_Handle(base_server, ptemp);
if (ssl_tmp_keys_init(base_server)) {
return !OK;
}
/*
* initialize the mutex handling
*/
if (!ssl_mutex_init(base_server, p)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
/*
* initialize session caching
*/
ssl_scache_init(base_server, p);
/*
* initialize servers
*/
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*
* Either now skip this server when SSL is disabled for
* it or give out some information about what we're
* configuring.
*/
/*
* Read the server certificate and key
*/
ssl_init_ConfigureServer(s, p, ptemp, sc);
}
/*
* Configuration consistency checks
*/
ssl_init_CheckServers(base_server, ptemp);
/*
* Announce mod_ssl and SSL library in HTTP Server field
* as ``mod_ssl/X.X.X OpenSSL/X.X.X''
*/
ssl_add_version_components(p, base_server);
SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
return OK;
}