Require that OpenSSL is configured with a suitable entropy source,
or fail startup otherwise.
* modules/ssl/ssl_private.h:
Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1.
(SSLModConfigRec): Only define pid, aRandSeed for <1.1.1.
(ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND.
* modules/ssl/ssl_engine_init.c (ssl_init_Module):
Only initialize mc->pid for MODSSL_USE_SSLRAND.
Fail if RAND_status() returns zero.
(ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND.
* modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND.
(ssl_rand_seed): Drop warning if PRNG not seeded (now a startup
error as above).
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop
aRandSeed initialization. (ssl_cmd_SSLRandomSeed): Log a warning if
used w/!MODSSL_USE_SSLRAND.
Github: closes #123
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@
1877467 13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: With OpenSSL 1.1.1 and later, SSLRandomSeed is now
+ ignored. OpenSSL must be configured with a suitable entropy
+ source, or mod_ssl will fail to start up. [Joe Orton]
+
*) mod_ssl: With OpenSSL 1.1.1 and later, client-initiated
renegotiation in TLSv1.2 and earlier is blocked at SSL library
level (with a TLS warning alert sent), rather than by aborting
* initialize per-module configuration
*/
mc->sesscache_mode = SSL_SESS_CACHE_OFF;
+#ifdef MODSSL_USE_SSLRAND
mc->aRandSeed = apr_array_make(pool, 4,
sizeof(ssl_randseed_t));
+#endif
#ifdef HAVE_FIPS
mc->fips = UNSET;
#endif
const char *arg2,
const char *arg3)
{
+#ifdef MODSSL_USE_SSLRAND
SSLModConfigRec *mc = myModConfig(cmd->server);
const char *err;
ssl_randseed_t *seed;
}
}
+#else
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, APLOGNO(10235)
+ "SSLRandomSeed is deprecated and has no effect "
+ "with OpenSSL 1.1.1 and later");
+#endif
+
return NULL;
}
MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
}
+#ifdef MODSSL_USE_SSLRAND
/* We initialize mc->pid per-process in the child init,
* but it should be initialized for startup before we
* call ssl_rand_seed() below.
*/
mc->pid = getpid();
+#endif
/*
* Let us cleanup on restarts and exits
*/
ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
+ if (RAND_status() == 0) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, base_server, APLOGNO(01990)
+ MODSSL_LIBRARY_NAME " PRNG does not contain sufficient "
+ "randomness. Build the SSL library with a suitable "
+ "entropy source configured.");
+ return APR_EGENERAL;
+ }
+
#ifdef HAVE_FIPS
if (!FIPS_mode() && mc->fips == TRUE) {
if (!FIPS_mode_set(1)) {
void ssl_init_Child(apr_pool_t *p, server_rec *s)
{
+#ifdef MODSSL_USE_SSLRAND
SSLModConfigRec *mc = myModConfig(s);
mc->pid = getpid(); /* only call getpid() once per-process */
/* XXX: there should be an ap_srand() function */
srand((unsigned int)time(NULL));
+#endif
/* open the mutex lockfile */
ssl_mutex_reinit(s, p);
#include "ssl_private.h"
+#ifdef MODSSL_USE_SSLRAND
+
#if HAVE_VALGRIND
#include <valgrind.h>
#include <memcheck.h>
static int ssl_rand_choosenum(int, int);
static int ssl_rand_feedfp(apr_pool_t *, apr_file_t *, int);
-int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
+void ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
{
SSLModConfigRec *mc;
apr_array_header_t *apRandSeed;
}
ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, s,
"%sSeeding PRNG with %d bytes of entropy", prefix, nDone);
-
- if (RAND_status() == 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01990)
- "%sPRNG still contains insufficient entropy!", prefix);
-
- return nDone;
}
#define BUFSIZE 8192
return i;
}
+#endif /* MODSSL_USE_SSLRAND */
#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10101000
+#define MODSSL_USE_SSLRAND
+#endif
+
#if defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif
} modssl_retained_data_t;
typedef struct {
- pid_t pid;
BOOL bFixed;
/* OpenSSL SSL_SESS_CACHE_* flags: */
ap_socache_instance_t *sesscache_context;
apr_global_mutex_t *pMutex;
+
+#ifdef MODSSL_USE_SSLRAND
+ pid_t pid; /* used for seeding after fork() */
apr_array_header_t *aRandSeed;
+#endif
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
const char *szCryptoDevice;
* to allow an SSL renegotiation to take place. */
int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
+#ifdef MODSSL_USE_SSLRAND
/** PRNG */
-int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
+void ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
+#else
+#define ssl_rand_seed(s, p, ctx, c) /* noop */
+#endif
/** Utility Functions */
char *ssl_util_vhostid(apr_pool_t *, server_rec *);
projects / thirdparty / apache / httpd.git / commitdiff
