You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by do...@apache.org on 2002/03/12 02:04:16 UTC
cvs commit: httpd-2.0/modules/ssl ssl_engine_init.c
dougm 02/03/11 17:04:16
Modified: modules/ssl ssl_engine_init.c
Log:
various style fixups / general changes to make code more readable.
Revision Changes Path
1.43 +414 -254 httpd-2.0/modules/ssl/ssl_engine_init.c
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- ssl_engine_init.c 1 Mar 2002 04:35:17 -0000 1.42
+++ ssl_engine_init.c 12 Mar 2002 01:04:16 -0000 1.43
@@ -71,76 +71,93 @@
* Per-module initialization
*/
int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
- apr_pool_t *ptemp, server_rec *s)
+ apr_pool_t *ptemp,
+ server_rec *base_server)
{
- SSLModConfigRec *mc = myModConfig(s);
+ SSLModConfigRec *mc = myModConfig(base_server);
SSLSrvConfigRec *sc;
- server_rec *s2;
+ server_rec *s;
char *cp;
/*
* Let us cleanup on restarts and exists
*/
- apr_pool_cleanup_register(p, s, ssl_init_ModuleKill, ssl_init_ChildKill);
+ apr_pool_cleanup_register(p, base_server,
+ ssl_init_ModuleKill,
+ ssl_init_ChildKill);
/*
* Any init round fixes the global config
*/
- ssl_config_global_create(s); /* just to avoid problems */
+ ssl_config_global_create(base_server); /* just to avoid problems */
ssl_config_global_fix(mc);
/*
* try to fix the configuration and open the dedicated SSL
* logfile as early as possible
*/
- for (s2 = s; s2 != NULL; s2 = s2->next) {
- sc = mySrvConfig(s2);
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
/* Fix up stuff that may not have been set */
- if (sc->bEnabled == UNSET)
+ if (sc->bEnabled == UNSET) {
sc->bEnabled = FALSE;
- if (sc->nVerifyClient == SSL_CVERIFY_UNSET)
+ }
+
+ if (sc->nVerifyClient == SSL_CVERIFY_UNSET) {
sc->nVerifyClient = SSL_CVERIFY_NONE;
- if (sc->nVerifyDepth == UNSET)
+ }
+
+ if (sc->nVerifyDepth == UNSET) {
sc->nVerifyDepth = 1;
+ }
+
#ifdef SSL_EXPERIMENTAL_PROXY
- if (sc->nProxyVerifyDepth == UNSET)
+ if (sc->nProxyVerifyDepth == UNSET) {
sc->nProxyVerifyDepth = 1;
+ }
#endif
- if (sc->nSessionCacheTimeout == UNSET)
+
+ if (sc->nSessionCacheTimeout == UNSET) {
sc->nSessionCacheTimeout = SSL_SESSION_CACHE_TIMEOUT;
- if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET)
+ }
+
+ if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) {
sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
+ }
/* Open the dedicated SSL logfile */
- ssl_log_open(s, s2, p);
+ ssl_log_open(base_server, s, p);
}
/*
* Identification
*/
- ssl_log(s, SSL_LOG_INFO, "Server: %s, Interface: %s, Library: %s",
+ ssl_log(base_server, SSL_LOG_INFO,
+ "Server: %s, Interface: %s, Library: %s",
AP_SERVER_BASEVERSION,
- ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE"),
- ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY"));
+ ssl_var_lookup(p, base_server,
+ NULL, NULL, "SSL_VERSION_INTERFACE"),
+ ssl_var_lookup(p, base_server,
+ NULL, NULL, "SSL_VERSION_LIBRARY"));
- ssl_log(s, SSL_LOG_INFO, "Init: Initializing %s library",
- SSL_LIBRARY_NAME);
+ ssl_log(base_server, SSL_LOG_INFO,
+ "Init: Initializing %s library", SSL_LIBRARY_NAME);
ssl_init_SSLLibrary();
#if APR_HAS_THREADS
- ssl_util_thread_setup(s, p);
+ ssl_util_thread_setup(base_server, p);
#endif
- ssl_pphrase_Handle(s, p);
- ssl_init_TmpKeysHandle(SSL_TKP_GEN, s, p);
+ ssl_pphrase_Handle(base_server, p);
+ ssl_init_TmpKeysHandle(SSL_TKP_GEN, base_server, p);
/*
* SSL external crypto device ("engine") support
*/
#ifdef SSL_EXPERIMENTAL_ENGINE
- ssl_init_Engine(s, p);
+ ssl_init_Engine(base_server, p);
#endif
/*
@@ -148,67 +165,83 @@
* But we can operate without it, of course.
*/
if (mc->nSessionCacheMode == SSL_SCMODE_UNSET) {
- ssl_log(s, SSL_LOG_WARN,
- "Init: Session Cache is not configured [hint: SSLSessionCache]");
+ ssl_log(base_server, SSL_LOG_WARN,
+ "Init: Session Cache is not configured "
+ "[hint: SSLSessionCache]");
mc->nSessionCacheMode = SSL_SCMODE_NONE;
}
/*
- * initialize the mutex handling and session caching
+ * initialize the mutex handling
*/
- if (!ssl_mutex_init(s, p)) {
+ if (!ssl_mutex_init(base_server, p)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
- ssl_scache_init(s, p);
+
+ /*
+ * initialize session caching
+ */
+ ssl_scache_init(base_server, p);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
- ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
+ ssl_rand_seed(base_server, p, SSL_RSCTX_STARTUP, "Init: ");
/*
* allocate the temporary RSA keys and DH params
*/
- ssl_init_TmpKeysHandle(SSL_TKP_ALLOC, s, p);
+ ssl_init_TmpKeysHandle(SSL_TKP_ALLOC, base_server, p);
/*
* initialize servers
*/
- ssl_log(s, SSL_LOG_INFO, "Init: Initializing (virtual) servers for SSL");
- for (s2 = s; s2 != NULL; s2 = s2->next) {
- sc = mySrvConfig(s2);
+ ssl_log(base_server, SSL_LOG_INFO,
+ "Init: Initializing (virtual) servers for SSL");
+
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
/*
* Either now skip this server when SSL is disabled for
* it or give out some information about what we're
* configuring.
*/
- if (!sc->bEnabled)
+ if (!sc->bEnabled) {
continue;
- ssl_log(s2, SSL_LOG_INFO,
+ }
+
+ ssl_log(s, SSL_LOG_INFO,
"Init: Configuring server %s for SSL protocol",
- ssl_util_vhostid(p, s2));
+ ssl_util_vhostid(p, s));
/*
* Read the server certificate and key
*/
- ssl_init_ConfigureServer(s2, p, sc);
+ ssl_init_ConfigureServer(s, p, sc);
}
/*
* Configuration consistency checks
*/
- ssl_init_CheckServers(s, p);
+ ssl_init_CheckServers(base_server, p);
/*
* Announce mod_ssl and SSL library in HTTP Server field
* as ``mod_ssl/X.X.X OpenSSL/X.X.X''
*/
- if ((cp = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_PRODUCT")) != NULL && cp[0] != NUL)
+ cp = ssl_var_lookup(p, base_server,
+ NULL, NULL, "SSL_VERSION_PRODUCT");
+ if (cp && *cp) {
ap_add_version_component(p, cp);
- ap_add_version_component(p, ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE"));
- ap_add_version_component(p, ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY"));
+ }
+
+ ap_add_version_component(p, ssl_var_lookup(p, base_server, NULL, NULL,
+ "SSL_VERSION_INTERFACE"));
+ ap_add_version_component(p, ssl_var_lookup(p, base_server, NULL, NULL,
+ "SSL_VERSION_LIBRARY"));
SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
+
return OK;
}
@@ -221,7 +254,6 @@
SSL_load_error_strings();
SSL_library_init();
X509V3_add_standard_extensions();
- return;
}
/*
@@ -234,30 +266,39 @@
SSLModConfigRec *mc = myModConfig(s);
ENGINE *e;
- if (mc->szCryptoDevice != NULL) {
- if ((e = ENGINE_by_id(mc->szCryptoDevice)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load Crypto Device API `%s'",
+ if (mc->szCryptoDevice) {
+ if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to load Crypto Device API `%s'",
mc->szCryptoDevice);
ssl_die();
}
- if (strEQ(mc->szCryptoDevice, "chil"))
+
+ if (strEQ(mc->szCryptoDevice, "chil")) {
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
+ }
+
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to enable Crypto Device API `%s'",
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to enable Crypto Device API `%s'",
mc->szCryptoDevice);
ssl_die();
}
+
ENGINE_free(e);
}
- return;
}
#endif
-#if SSL_LIBRARY_VERSION >= 0x00907000
-#define SSL_UCP_CAST(ucp) (const unsigned char **)ucp
-#else
-#define SSL_UCP_CAST(ucp) ucp
-#endif
+#define MODSSL_TEMP_KEY_FREE(mc, type, idx) \
+ if (mc->pTmpKeys[idx]) { \
+ type##_free((type *)mc->pTmpKeys[idx]); \
+ mc->pTmpKeys[idx] = NULL; \
+ }
+
+#define MODSSL_TEMP_KEYS_FREE(mc, type) \
+ MODSSL_TEMP_KEY_FREE(mc, type, SSL_TKPIDX_##type##512); \
+ MODSSL_TEMP_KEY_FREE(mc, type, SSL_TKPIDX_##type##1024)
/*
* Handle the Temporary RSA Keys and DH Params
@@ -271,17 +312,18 @@
RSA *rsa;
DH *dh;
- /* Generate Keys and Params */
- if (action == SSL_TKP_GEN) {
-
+ if (action == SSL_TKP_GEN) { /* Generate Keys and Params */
/* seed PRNG */
ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
/* generate 512 bit RSA key */
- ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");
- if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
+ ssl_log(s, SSL_LOG_INFO,
+ "Init: Generating temporary RSA private keys (512/1024 bits)");
+
+ if (!(rsa = RSA_generate_key(512, RSA_F4, NULL, NULL))) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
- "Init: Failed to generate temporary 512 bit RSA private key");
+ "Init: Failed to generate temporary "
+ "512 bit RSA private key");
ssl_die();
}
@@ -291,9 +333,10 @@
RSA_free(rsa);
/* generate 1024 bit RSA key */
- if ((rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
+ if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL))) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
- "Init: Failed to generate temporary 1024 bit RSA private key");
+ "Init: Failed to generate temporary "
+ "1024 bit RSA private key");
ssl_die();
}
@@ -302,11 +345,14 @@
(void)i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
RSA_free(rsa);
- ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");
+ ssl_log(s, SSL_LOG_INFO,
+ "Init: Configuring temporary DH parameters (512/1024 bits)");
/* import 512 bit DH param */
- if ((dh = ssl_dh_GetTmpParam(512)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 512 bit DH parameters");
+ if (!(dh = ssl_dh_GetTmpParam(512))) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to import temporary "
+ "512 bit DH parameters");
ssl_die();
}
@@ -316,8 +362,10 @@
DH_free(dh);
/* import 1024 bit DH param */
- if ((dh = ssl_dh_GetTmpParam(1024)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to import temporary 1024 bit DH parameters");
+ if (!(dh = ssl_dh_GetTmpParam(1024))) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to import temporary "
+ "1024 bit DH parameters");
ssl_die();
}
@@ -326,93 +374,88 @@
(void)i2d_DHparams(dh, &ucp); /* 2nd arg increments */
DH_free(dh);
}
-
- /* Allocate Keys and Params */
- else if (action == SSL_TKP_ALLOC) {
-
- ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary RSA private keys (512/1024 bits)");
+ else if (action == SSL_TKP_ALLOC) { /* Allocate Keys and Params */
+ ssl_log(s, SSL_LOG_INFO,
+ "Init: Configuring temporary "
+ "RSA private keys (512/1024 bits)");
/* allocate 512 bit RSA key */
- if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "RSA:512")) != NULL) {
+ if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "RSA:512"))) {
ucp = asn1->cpData;
- if ((mc->pTmpKeys[SSL_TKPIDX_RSA512] =
- (void *)d2i_RSAPrivateKey(NULL, SSL_UCP_CAST(&ucp), asn1->nData)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit RSA private key");
+ if (!(mc->pTmpKeys[SSL_TKPIDX_RSA512] =
+ d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)))
+ {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to load temporary "
+ "512 bit RSA private key");
ssl_die();
}
}
/* allocate 1024 bit RSA key */
- if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "RSA:1024")) != NULL) {
+ if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "RSA:1024"))) {
ucp = asn1->cpData;
- if ((mc->pTmpKeys[SSL_TKPIDX_RSA1024] =
- (void *)d2i_RSAPrivateKey(NULL, SSL_UCP_CAST(&ucp), asn1->nData)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit RSA private key");
+ if (!(mc->pTmpKeys[SSL_TKPIDX_RSA1024] =
+ d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)))
+ {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to load temporary "
+ "1024 bit RSA private key");
ssl_die();
}
}
- ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");
+ ssl_log(s, SSL_LOG_INFO,
+ "Init: Configuring temporary "
+ "DH parameters (512/1024 bits)");
/* allocate 512 bit DH param */
- if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "DH:512")) != NULL) {
+ if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "DH:512"))) {
ucp = asn1->cpData;
- if ((mc->pTmpKeys[SSL_TKPIDX_DH512] =
- (void *)d2i_DHparams(NULL, SSL_UCP_CAST(&ucp), asn1->nData)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 512 bit DH parameters");
+ if (!(mc->pTmpKeys[SSL_TKPIDX_DH512] =
+ d2i_DHparams(NULL, &ucp, asn1->nData)))
+ {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to load temporary "
+ "512 bit DH parameters");
ssl_die();
}
}
/* allocate 1024 bit DH param */
- if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "DH:1024")) != NULL) {
+ if ((asn1 = ssl_asn1_table_get(mc->tTmpKeys, "DH:1024"))) {
ucp = asn1->cpData;
- if ((mc->pTmpKeys[SSL_TKPIDX_DH1024] =
- (void *)d2i_DHparams(NULL, SSL_UCP_CAST(&ucp), asn1->nData)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load temporary 1024 bit DH parameters");
+ if (!(mc->pTmpKeys[SSL_TKPIDX_DH1024] =
+ d2i_DHparams(NULL, &ucp, asn1->nData)))
+ {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: Failed to load temporary "
+ "1024 bit DH parameters");
ssl_die();
}
}
}
-
- /* Free Keys and Params */
- else if (action == SSL_TKP_FREE) {
- if (mc->pTmpKeys[SSL_TKPIDX_RSA512] != NULL) {
- RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512]);
- mc->pTmpKeys[SSL_TKPIDX_RSA512] = NULL;
- }
- if (mc->pTmpKeys[SSL_TKPIDX_RSA1024] != NULL) {
- RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]);
- mc->pTmpKeys[SSL_TKPIDX_RSA1024] = NULL;
- }
- if (mc->pTmpKeys[SSL_TKPIDX_DH512] != NULL) {
- DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH512]);
- mc->pTmpKeys[SSL_TKPIDX_DH512] = NULL;
- }
- if (mc->pTmpKeys[SSL_TKPIDX_DH1024] != NULL) {
- DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH1024]);
- mc->pTmpKeys[SSL_TKPIDX_DH1024] = NULL;
- }
+ else if (action == SSL_TKP_FREE) { /* Free Keys and Params */
+ MODSSL_TEMP_KEYS_FREE(mc, RSA);
+ MODSSL_TEMP_KEYS_FREE(mc, DH);
}
- return;
}
/*
* Configure a particular server
*/
-void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
+void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p,
+ SSLSrvConfigRec *sc)
{
SSLModConfigRec *mc = myModConfig(s);
- int nVerify;
- char *cpVHostID;
+ int nVerify = SSL_VERIFY_NONE;
+ char *cp, *cpVHostID;
EVP_PKEY *pKey;
SSL_CTX *ctx;
STACK_OF(X509_NAME) *skCAList;
ssl_asn1_t *asn1;
unsigned char *ucp;
- char *cp;
- BOOL ok;
- BOOL bSkipFirst;
+ BOOL ok = FALSE;
int isca, pathlen;
int i, n;
long cache_mode;
@@ -427,7 +470,7 @@
* Now check for important parameters and the
* possibility that the user forgot to set them.
*/
- if (sc->szPublicCertFile[0] == NULL) {
+ if (!sc->szPublicCertFile[0]) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) No SSL Certificate set [hint: SSLCertificateFile]",
cpVHostID);
@@ -437,8 +480,9 @@
/*
* Check for problematic re-initializations
*/
- if (sc->pPublicCert[SSL_AIDX_RSA] != NULL ||
- sc->pPublicCert[SSL_AIDX_DSA] != NULL ) {
+ if (sc->pPublicCert[SSL_AIDX_RSA] ||
+ sc->pPublicCert[SSL_AIDX_DSA])
+ {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Illegal attempt to re-initialise SSL for server "
"(theoretically shouldn't happen!)", cpVHostID);
@@ -454,23 +498,39 @@
cpVHostID);
ssl_die();
}
- cp = apr_pstrcat(p, (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
- (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
- (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
+
+ cp = apr_pstrcat(p,
+ (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
+ (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+ (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
+ NULL);
cp[strlen(cp)-2] = NUL;
+
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Creating new SSL context (protocols: %s)", cpVHostID, cp);
- if (sc->nProtocol == SSL_PROTOCOL_SSLV2)
+ "Init: (%s) Creating new SSL context (protocols: %s)",
+ cpVHostID, cp);
+
+ if (sc->nProtocol == SSL_PROTOCOL_SSLV2) {
ctx = SSL_CTX_new(SSLv2_server_method()); /* only SSLv2 is left */
- else
+ }
+ else {
ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
+ }
+
SSL_CTX_set_options(ctx, SSL_OP_ALL);
- if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2))
+
+ if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- if (!(sc->nProtocol & SSL_PROTOCOL_SSLV3))
+ }
+
+ if (!(sc->nProtocol & SSL_PROTOCOL_SSLV3)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
+ }
+
+ if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ }
+
SSL_CTX_set_app_data(ctx, s);
sc->pSSLCtx = ctx;
@@ -478,6 +538,7 @@
* Configure additional context ingredients
*/
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+
if (mc->nSessionCacheMode == SSL_SCMODE_NONE) {
cache_mode = SSL_SESS_CACHE_OFF;
}
@@ -494,31 +555,38 @@
/*
* Configure callbacks for SSL context
*/
- nVerify = SSL_VERIFY_NONE;
- if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE)
- nVerify |= SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- if ( (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL)
- || (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )
+ if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
+ nVerify |= SSL_VERIFY_PEER_STRICT;
+ }
+
+ if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
+ (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
+ {
nVerify |= SSL_VERIFY_PEER;
+ }
+
SSL_CTX_set_verify(ctx, nVerify, ssl_callback_SSLVerify);
+
SSL_CTX_sess_set_new_cb(ctx, ssl_callback_NewSessionCacheEntry);
SSL_CTX_sess_set_get_cb(ctx, ssl_callback_GetSessionCacheEntry);
SSL_CTX_sess_set_remove_cb(ctx, ssl_callback_DelSessionCacheEntry);
+
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
if (sc->nLogLevel >= SSL_LOG_INFO) {
/* this callback only logs if SSLLogLevel >= info */
- SSL_CTX_set_info_callback(ctx,ssl_callback_LogTracingState);
+ SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
}
/*
* Configure SSL Cipher Suite
*/
- if (sc->szCipherSuite != NULL) {
+ if (sc->szCipherSuite) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring permitted SSL ciphers [%s]",
cpVHostID, sc->szCipherSuite);
+
if (!SSL_CTX_set_cipher_list(ctx, sc->szCipherSuite)) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure permitted SSL ciphers",
@@ -530,39 +598,51 @@
/*
* Configure Client Authentication details
*/
- if (sc->szCACertificateFile != NULL || sc->szCACertificatePath != NULL) {
+ if (sc->szCACertificateFile || sc->szCACertificatePath) {
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring client authentication", cpVHostID);
+
if (!SSL_CTX_load_verify_locations(ctx,
sc->szCACertificateFile,
- sc->szCACertificatePath)) {
+ sc->szCACertificatePath))
+ {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure verify locations "
"for client authentication", cpVHostID);
ssl_die();
}
- if ((skCAList = ssl_init_FindCAList(s, p, sc->szCACertificateFile,
- sc->szCACertificatePath)) == NULL) {
+
+ skCAList = ssl_init_FindCAList(s, p,
+ sc->szCACertificateFile,
+ sc->szCACertificatePath);
+ if (!skCAList) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Unable to determine list of available "
- "CA certificates for client authentication", cpVHostID);
+ "CA certificates for client authentication",
+ cpVHostID);
ssl_die();
}
+
SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
}
/*
* Configure Certificate Revocation List (CRL) Details
*/
- if (sc->szCARevocationFile != NULL || sc->szCARevocationPath != NULL) {
+ if (sc->szCARevocationFile || sc->szCARevocationPath) {
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Configuring certificate revocation facility", cpVHostID);
- if ((sc->pRevocationStore =
- SSL_X509_STORE_create((char*)sc->szCARevocationFile,
- (char*)sc->szCARevocationPath)) == NULL) {
+ "Init: (%s) Configuring certificate revocation facility",
+ cpVHostID);
+
+ sc->pRevocationStore =
+ SSL_X509_STORE_create((char *)sc->szCARevocationFile,
+ (char *)sc->szCARevocationPath);
+
+ if (!sc->pRevocationStore) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure X.509 CRL storage "
- "for certificate revocation", cpVHostID);
+ "for certificate revocation",
+ cpVHostID);
ssl_die();
}
}
@@ -573,60 +653,80 @@
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
- if (sk_X509_NAME_num(skCAList) == 0)
+
+ if (sk_X509_NAME_num(skCAList) == 0) {
ssl_log(s, SSL_LOG_WARN,
"Init: Ops, you want to request client authentication, "
"but no CAs are known for verification!? "
"[Hint: SSLCACertificate*]");
+ }
}
/*
* Configure server certificate(s)
*/
- ok = FALSE;
cp = apr_psprintf(p, "%s:RSA", cpVHostID);
- if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp)) != NULL) {
+
+ if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp))) {
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Configuring RSA server certificate", cpVHostID);
+ "Init: (%s) Configuring RSA server certificate",
+ cpVHostID);
+
ucp = asn1->cpData;
- if ((sc->pPublicCert[SSL_AIDX_RSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
+ if (!(sc->pPublicCert[SSL_AIDX_RSA] =
+ d2i_X509(NULL, &ucp, asn1->nData)))
+ {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import RSA server certificate",
cpVHostID);
ssl_die();
}
+
if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_RSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure RSA server certificate",
cpVHostID);
ssl_die();
}
+
ok = TRUE;
}
+
cp = apr_psprintf(p, "%s:DSA", cpVHostID);
- if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp)) != NULL) {
+
+ if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp))) {
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Configuring DSA server certificate", cpVHostID);
+ "Init: (%s) Configuring DSA server certificate",
+ cpVHostID);
+
ucp = asn1->cpData;
- if ((sc->pPublicCert[SSL_AIDX_DSA] = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
+ if (!(sc->pPublicCert[SSL_AIDX_DSA] =
+ d2i_X509(NULL, &ucp, asn1->nData)))
+ {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import DSA server certificate",
cpVHostID);
ssl_die();
}
+
if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_DSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure DSA server certificate",
cpVHostID);
ssl_die();
}
+
ok = TRUE;
}
+
if (!ok) {
ssl_log(s, SSL_LOG_ERROR,
- "Init: (%s) Ops, no RSA or DSA server certificate found?!", cpVHostID);
+ "Init: (%s) Ops, no RSA or DSA server certificate found?!",
+ cpVHostID);
ssl_log(s, SSL_LOG_ERROR,
- "Init: (%s) You have to perform a *full* server restart when you added or removed a certificate and/or key file", cpVHostID);
+ "Init: (%s) You have to perform a *full* server restart "
+ "when you added or removed a certificate and/or key file",
+ cpVHostID);
ssl_die();
}
@@ -634,39 +734,54 @@
* Some information about the certificate(s)
*/
for (i = 0; i < SSL_AIDX_MAX; i++) {
- if (sc->pPublicCert[i] != NULL) {
+ if (sc->pPublicCert[i]) {
if (SSL_X509_isSGC(sc->pPublicCert[i])) {
ssl_log(s, SSL_LOG_INFO,
"Init: (%s) %s server certificate enables "
"Server Gated Cryptography (SGC)",
cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
}
+
if (SSL_X509_getBC(sc->pPublicCert[i], &isca, &pathlen)) {
- if (isca)
+ if (isca) {
ssl_log(s, SSL_LOG_WARN,
- "Init: (%s) %s server certificate is a CA certificate "
- "(BasicConstraints: CA == TRUE !?)",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
- if (pathlen > 0)
+ "Init: (%s) %s server certificate "
+ "is a CA certificate "
+ "(BasicConstraints: CA == TRUE !?)",
+ cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
+ }
+
+ if (pathlen > 0) {
ssl_log(s, SSL_LOG_WARN,
- "Init: (%s) %s server certificate is not a leaf certificate "
- "(BasicConstraints: pathlen == %d > 0 !?)",
- cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"), pathlen);
+ "Init: (%s) %s server certificate "
+ "is not a leaf certificate "
+ "(BasicConstraints: pathlen == %d > 0 !?)",
+ cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
+ pathlen);
+ }
}
+
if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
+ int fnm_flags = FNM_PERIOD|FNM_CASE_BLIND;
+
if (apr_is_fnmatch(cp) &&
- apr_fnmatch(cp, s->server_hostname,
- FNM_PERIOD|FNM_CASE_BLIND) == FNM_NOMATCH) {
+ (apr_fnmatch(cp, s->server_hostname,
+ fnm_flags) == FNM_NOMATCH))
+ {
ssl_log(s, SSL_LOG_WARN,
- "Init: (%s) %s server certificate wildcard CommonName (CN) `%s' "
- "does NOT match server name!?", cpVHostID,
- (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
+ "Init: (%s) %s server certificate "
+ "wildcard CommonName (CN) `%s' "
+ "does NOT match server name!?",
+ cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
+ cp);
}
else if (strNE(s->server_hostname, cp)) {
ssl_log(s, SSL_LOG_WARN,
- "Init: (%s) %s server certificate CommonName (CN) `%s' "
- "does NOT match server name!?", cpVHostID,
- (i == SSL_AIDX_RSA ? "RSA" : "DSA"), cp);
+ "Init: (%s) %s server certificate "
+ "CommonName (CN) `%s' "
+ "does NOT match server name!?",
+ cpVHostID, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
+ cp);
}
}
}
@@ -677,48 +792,63 @@
*/
ok = FALSE;
cp = apr_psprintf(p, "%s:RSA", cpVHostID);
- if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp)) != NULL) {
+
+ if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp))) {
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Configuring RSA server private key", cpVHostID);
+ "Init: (%s) Configuring RSA server private key",
+ cpVHostID);
+
ucp = asn1->cpData;
- if ((sc->pPrivateKey[SSL_AIDX_RSA] =
- d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)) == NULL) {
+ if (!(sc->pPrivateKey[SSL_AIDX_RSA] =
+ d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)))
+ {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import RSA server private key",
cpVHostID);
ssl_die();
}
+
if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure RSA server private key",
cpVHostID);
ssl_die();
}
+
ok = TRUE;
}
+
cp = apr_psprintf(p, "%s:DSA", cpVHostID);
- if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp)) != NULL) {
+
+ if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp))) {
ssl_log(s, SSL_LOG_TRACE,
- "Init: (%s) Configuring DSA server private key", cpVHostID);
+ "Init: (%s) Configuring DSA server private key",
+ cpVHostID);
+
ucp = asn1->cpData;
- if ((sc->pPrivateKey[SSL_AIDX_DSA] =
- d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ucp, asn1->nData)) == NULL) {
+ if (!(sc->pPrivateKey[SSL_AIDX_DSA] =
+ d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ucp, asn1->nData)))
+ {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to import DSA server private key",
cpVHostID);
ssl_die();
}
+
if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_DSA]) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"Init: (%s) Unable to configure DSA server private key",
cpVHostID);
ssl_die();
}
+
ok = TRUE;
}
+
if (!ok) {
ssl_log(s, SSL_LOG_ERROR,
- "Init: (%s) Ops, no RSA or DSA server private key found?!", cpVHostID);
+ "Init: (%s) Ops, no RSA or DSA server private key found?!",
+ cpVHostID);
ssl_die();
}
@@ -726,13 +856,17 @@
* Optionally copy DSA parameters for certificate from private key
* (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
*/
- if ( sc->pPublicCert[SSL_AIDX_DSA] != NULL
- && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
+ if (sc->pPublicCert[SSL_AIDX_DSA] &&
+ sc->pPrivateKey[SSL_AIDX_DSA])
+ {
pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
- if ( pKey != NULL
- && EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA
- && EVP_PKEY_missing_parameters(pKey))
- EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
+
+ if (pKey && (EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA) &&
+ EVP_PKEY_missing_parameters(pKey))
+ {
+ EVP_PKEY_copy_parameters(pKey,
+ sc->pPrivateKey[SSL_AIDX_DSA]);
+ }
}
/*
@@ -749,29 +883,34 @@
* to allow one to explicity configure CA certificates which are
* used only for the server certificate chain.
*/
- if (sc->szCertificateChain != NULL) {
- bSkipFirst = FALSE;
- for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++) {
+ if (sc->szCertificateChain) {
+ BOOL bSkipFirst = FALSE;
+
+ for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFile[i]; i++) {
if (strEQ(sc->szPublicCertFile[i], sc->szCertificateChain)) {
bSkipFirst = TRUE;
break;
}
}
- if ((n = SSL_CTX_use_certificate_chain(ctx, (char*)sc->szCertificateChain,
- bSkipFirst, NULL)) < 0) {
+
+ n = SSL_CTX_use_certificate_chain(ctx,
+ (char *)sc->szCertificateChain,
+ bSkipFirst, NULL);
+ if (n < 0) {
ssl_log(s, SSL_LOG_ERROR,
- "Init: (%s) Failed to configure CA certificate chain!", cpVHostID);
+ "Init: (%s) Failed to configure CA certificate chain!",
+ cpVHostID);
ssl_die();
}
- ssl_log(s, SSL_LOG_TRACE, "Init: (%s) Configuring "
- "server certificate chain (%d CA certificate%s)", cpVHostID,
- n, n == 1 ? "" : "s");
- }
- return;
+ ssl_log(s, SSL_LOG_TRACE,
+ "Init: (%s) Configuring server certificate chain "
+ "(%d CA certificate%s)",
+ cpVHostID, n, n == 1 ? "" : "s");
+ }
}
-void ssl_init_CheckServers(server_rec *sm, apr_pool_t *p)
+void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
{
server_rec *s;
server_rec **ps;
@@ -779,22 +918,30 @@
ssl_ds_table *t;
apr_pool_t *sp;
char *key;
- BOOL bConflict;
+ BOOL bConflict = FALSE;
/*
* Give out warnings when a server has HTTPS configured
* for the HTTP port or vice versa
*/
- for (s = sm; s != NULL; s = s->next) {
+ for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
- if (sc->bEnabled && s->port == DEFAULT_HTTP_PORT)
- ssl_log(sm, SSL_LOG_WARN,
- "Init: (%s) You configured HTTPS(%d) on the standard HTTP(%d) port!",
- ssl_util_vhostid(p, s), DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
- if (!sc->bEnabled && s->port == DEFAULT_HTTPS_PORT)
- ssl_log(sm, SSL_LOG_WARN,
- "Init: (%s) You configured HTTP(%d) on the standard HTTPS(%d) port!",
- ssl_util_vhostid(p, s), DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
+
+ if (sc->bEnabled && (s->port == DEFAULT_HTTP_PORT)) {
+ ssl_log(base_server, SSL_LOG_WARN,
+ "Init: (%s) You configured HTTPS(%d) "
+ "on the standard HTTP(%d) port!",
+ ssl_util_vhostid(p, s),
+ DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
+ }
+
+ if (!sc->bEnabled && (s->port == DEFAULT_HTTPS_PORT)) {
+ ssl_log(base_server, SSL_LOG_WARN,
+ "Init: (%s) You configured HTTP(%d) "
+ "on the standard HTTPS(%d) port!",
+ ssl_util_vhostid(p, s),
+ DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
+ }
}
/*
@@ -805,36 +952,44 @@
*/
apr_pool_create(&sp, p);
t = ssl_ds_table_make(sp, sizeof(server_rec *));
- bConflict = FALSE;
- for (s = sm; s != NULL; s = s->next) {
+
+ for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
- if (!sc->bEnabled)
+
+ if (!sc->bEnabled) {
continue;
- key = apr_psprintf(sp, "%pA:%u", &s->addrs->host_addr, s->addrs->host_port);
- ps = ssl_ds_table_get(t, key);
- if (ps != NULL) {
- ssl_log(sm, SSL_LOG_WARN,
- "Init: SSL server IP/port conflict: %s (%s:%d) vs. %s (%s:%d)",
+ }
+
+ key = apr_psprintf(sp, "%pA:%u",
+ &s->addrs->host_addr, s->addrs->host_port);
+
+ if ((ps = ssl_ds_table_get(t, key))) {
+ ssl_log(base_server, SSL_LOG_WARN,
+ "Init: SSL server IP/port conflict: "
+ "%s (%s:%d) vs. %s (%s:%d)",
ssl_util_vhostid(p, s),
- (s->defn_name != NULL ? s->defn_name : "unknown"),
+ (s->defn_name ? s->defn_name : "unknown"),
s->defn_line_number,
ssl_util_vhostid(p, *ps),
- ((*ps)->defn_name != NULL ? (*ps)->defn_name : "unknown"),
+ ((*ps)->defn_name ? (*ps)->defn_name : "unknown"),
(*ps)->defn_line_number);
bConflict = TRUE;
continue;
}
+
ps = ssl_ds_table_push(t, key);
*ps = s;
}
+
ssl_ds_table_kill(t);
/* XXX - It was giving some problem earlier - check it out - TBD */
apr_pool_destroy(sp);
- if (bConflict)
- ssl_log(sm, SSL_LOG_WARN,
- "Init: You should not use name-based virtual hosts in conjunction with SSL!!");
- return;
+ if (bConflict) {
+ ssl_log(base_server, SSL_LOG_WARN,
+ "Init: You should not use name-based "
+ "virtual hosts in conjunction with SSL!!");
+ }
}
static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
@@ -850,7 +1005,11 @@
sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
- for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
+ if (!sk) {
+ return;
+ }
+
+ for (n = 0; n < sk_X509_NAME_num(sk); n++) {
char name_buf[256];
X509_NAME *name = sk_X509_NAME_value(sk, n);
@@ -877,7 +1036,10 @@
sk_X509_NAME_free(sk);
}
-STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const char *cpCAfile, const char *cpCApath)
+STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+ apr_pool_t *pp,
+ const char *cpCAfile,
+ const char *cpCApath)
{
STACK_OF(X509_NAME) *skCAList;
apr_pool_t *p;
@@ -898,14 +1060,14 @@
/*
* Process CA certificate bundle file
*/
- if (cpCAfile != NULL) {
+ if (cpCAfile) {
ssl_init_PushCAList(skCAList, s, cpCAfile);
}
/*
* Process CA certificate path files
*/
- if (cpCApath != NULL) {
+ if (cpCApath) {
apr_dir_t *dir;
apr_finfo_t direntry;
apr_int32_t finfo_flags = APR_FINFO_MIN|APR_FINFO_NAME;
@@ -925,6 +1087,7 @@
cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
ssl_init_PushCAList(skCAList, s, cp);
}
+
apr_dir_close(dir);
}
@@ -947,7 +1110,6 @@
/* open the mutex lockfile */
ssl_mutex_reinit(s, p);
- return;
}
apr_status_t ssl_init_ChildKill(void *data)
@@ -957,51 +1119,49 @@
return APR_SUCCESS;
}
+#define MODSSL_CFG_ITEM_FREE(func, item) \
+ if (item) { \
+ func(item); \
+ item = NULL; \
+ }
+
apr_status_t ssl_init_ModuleKill(void *data)
{
SSLSrvConfigRec *sc;
- server_rec *s = (server_rec *)data;
+ server_rec *base_server = (server_rec *)data;
+ server_rec *s;
/*
* Drop the session cache and mutex
*/
- ssl_scache_kill(s);
+ ssl_scache_kill(base_server);
/*
* Destroy the temporary keys and params
*/
- ssl_init_TmpKeysHandle(SSL_TKP_FREE, s, NULL);
+ ssl_init_TmpKeysHandle(SSL_TKP_FREE, base_server, NULL);
/*
* Free the non-pool allocated structures
* in the per-server configurations
*/
- for (; s != NULL; s = s->next) {
+ for (s = base_server; s; s = s->next) {
+ int i;
sc = mySrvConfig(s);
- if (sc->pRevocationStore != NULL) {
- X509_STORE_free(sc->pRevocationStore);
- sc->pRevocationStore = NULL;
- }
- if (sc->pPublicCert[SSL_AIDX_RSA] != NULL) {
- X509_free(sc->pPublicCert[SSL_AIDX_RSA]);
- sc->pPublicCert[SSL_AIDX_RSA] = NULL;
- }
- if (sc->pPublicCert[SSL_AIDX_DSA] != NULL) {
- X509_free(sc->pPublicCert[SSL_AIDX_DSA]);
- sc->pPublicCert[SSL_AIDX_DSA] = NULL;
- }
- if (sc->pPrivateKey[SSL_AIDX_RSA] != NULL) {
- EVP_PKEY_free(sc->pPrivateKey[SSL_AIDX_RSA]);
- sc->pPrivateKey[SSL_AIDX_RSA] = NULL;
- }
- if (sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
- EVP_PKEY_free(sc->pPrivateKey[SSL_AIDX_DSA]);
- sc->pPrivateKey[SSL_AIDX_DSA] = NULL;
- }
- if (sc->pSSLCtx != NULL) {
- SSL_CTX_free(sc->pSSLCtx);
- sc->pSSLCtx = NULL;
+
+ for (i=0; i < SSL_AIDX_MAX; i++) {
+ MODSSL_CFG_ITEM_FREE(X509_free,
+ sc->pPublicCert[i]);
+
+ MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
+ sc->pPrivateKey[i]);
}
+
+ MODSSL_CFG_ITEM_FREE(X509_STORE_free,
+ sc->pRevocationStore);
+
+ MODSSL_CFG_ITEM_FREE(SSL_CTX_free,
+ sc->pSSLCtx);
}
/*