static void GenerateNewSslSeed() { UINT8 signature[ 128 ]; UINT8 IVPtr[ BLOCK_SIZE ]; BOOL success; UINT64 data[ 2 ] = { ++g_SSL_SeedData.Config.SeedCounter, HAL_Time_CurrentTicks() }; memset( &IVPtr[ 0 ], 0, sizeof(IVPtr) ); success = Crypto_Encrypt( (BYTE*)&g_SSL_SeedData.Config.SslSeedKey[ 0 ], (UINT8*)IVPtr, sizeof(IVPtr), (BYTE*)&data, sizeof(data), signature, sizeof(signature) ) == CRYPTO_SUCCESS ? S_OK : CLR_E_FAIL; ASSERT(success); ssl_rand_seed(signature, sizeof(signature)); if(!g_SSL_SeedData.m_completion.IsLinked()) { g_SSL_SeedData.m_completion.EnqueueDelta( 5 * 1000000ul ); // 5 seconds } }
int ssl_init_ssl_connection(conn_rec *c) { SSLSrvConfigRec *sc; SSL *ssl; SSLConnRec *sslconn = myConnConfig(c); char *vhost_md5; modssl_ctx_t *mctx; server_rec *server; if (!sslconn) { sslconn = ssl_init_connection_ctx(c); } server = sslconn->server; sc = mySrvConfig(server); /* * Seed the Pseudo Random Number Generator (PRNG) */ ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, ""); mctx = sslconn->is_proxy ? sc->proxy : sc->server; /* * Create a new SSL connection with the configured server SSL context and * attach this to the socket. Additionally we register this attachment * so we can detach later. */ if (!(ssl = SSL_new(mctx->ssl_ctx))) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to create a new SSL connection from the SSL " "context"); ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); c->aborted = 1; return DECLINED; /* XXX */ } vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, sc->vhost_id_len); if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5, APR_MD5_DIGESTSIZE*2)) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "Unable to set session id context to `%s'", vhost_md5); ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); c->aborted = 1; return DECLINED; /* XXX */ } SSL_set_app_data(ssl, c); SSL_set_app_data2(ssl, NULL); /* will be request_rec */ sslconn->ssl = ssl; /* * Configure callbacks for SSL connection */ SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); SSL_set_verify_result(ssl, X509_V_OK); ssl_io_filter_init(c, ssl); return APR_SUCCESS; }
/* * Per-module initialization */ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *base_server) { SSLModConfigRec *mc = myModConfig(base_server); SSLSrvConfigRec *sc; server_rec *s; /* We initialize mc->pid per-process in the child init, * but it should be initialized for startup before we * call ssl_rand_seed() below. */ mc->pid = getpid(); /* * Let us cleanup on restarts and exists */ apr_pool_cleanup_register(p, base_server, ssl_init_ModuleKill, apr_pool_cleanup_null); /* * Any init round fixes the global config */ ssl_config_global_create(base_server); /* just to avoid problems */ ssl_config_global_fix(mc); /* * try to fix the configuration and open the dedicated SSL * logfile as early as possible */ for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); if (sc->server) { sc->server->sc = sc; } if (sc->proxy) { sc->proxy->sc = sc; } /* * Create the server host:port string because we need it a lot */ sc->vhost_id = ssl_util_vhostid(p, s); sc->vhost_id_len = strlen(sc->vhost_id); if (ap_get_server_protocol(s) && strcmp("https", ap_get_server_protocol(s)) == 0) { sc->enabled = SSL_ENABLED_TRUE; } /* If sc->enabled is UNSET, then SSL is optional on this vhost */ /* Fix up stuff that may not have been set */ if (sc->enabled == SSL_ENABLED_UNSET) { sc->enabled = SSL_ENABLED_FALSE; } if (sc->proxy_enabled == UNSET) { sc->proxy_enabled = FALSE; } if (sc->session_cache_timeout == UNSET) { sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT; } if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) { sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN; } } #if APR_HAS_THREADS ssl_util_thread_setup(p); #endif /* * SSL external crypto device ("engine") support */ #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) ssl_init_Engine(base_server, p); #endif ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Init: Initialized %s library", SSL_LIBRARY_NAME); /* * Seed the Pseudo Random Number Generator (PRNG) * only need ptemp here; nothing inside allocated from the pool * needs to live once we return from ssl_rand_seed(). */ ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: "); /* * read server private keys/public certs into memory. * decrypting any encrypted keys via configured SSLPassPhraseDialogs * anything that needs to live longer than ptemp needs to also survive * restarts, in which case they'll live inside s->process->pool. */ ssl_pphrase_Handle(base_server, ptemp); if (ssl_tmp_keys_init(base_server)) { return !OK; } /* * initialize the mutex handling */ if (!ssl_mutex_init(base_server, p)) { return HTTP_INTERNAL_SERVER_ERROR; } /* * initialize session caching */ ssl_scache_init(base_server, p); /* * initialize servers */ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, "Init: Initializing (virtual) servers for SSL"); for (s = base_server; s; s = s->next) { sc = mySrvConfig(s); /* * Either now skip this server when SSL is disabled for * it or give out some information about what we're * configuring. */ /* * Read the server certificate and key */ ssl_init_ConfigureServer(s, p, ptemp, sc); } /* * Configuration consistency checks */ ssl_init_CheckServers(base_server, ptemp); /* * Announce mod_ssl and SSL library in HTTP Server field * as ``mod_ssl/X.X.X OpenSSL/X.X.X'' */ ssl_add_version_components(p, base_server); SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */ return OK; }