svn commit: r1069765 - in /httpd/httpd/trunk/modules/ssl:
ssl_engine_pphrase.c ssl_private.h
Author: jorton
Date: Fri Feb 11 12:05:31 2011
New Revision: 1069765
URL: http://svn.apache.org/viewvc?rev=1069765&view=rev
Log:
* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Simplify to
calculate hash index only once per loop iteration; no (intended)
functional change. Add comments and tweak a log message.
* modules/ssl/ssl_private.h: Add comments.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1069765&r1=1069764&r2=1069765&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Fri Feb 11 12:05:31 2011
@@ -132,6 +132,13 @@ static void pphrase_array_clear(apr_arra
arr->nelts = 0;
}
+/* Abandon all hope, ye who read this code. Don't believe the name:
+ * "passphrase handling" is really a peripheral (if complex) concern;
+ * the core purpose of this function to load into memory all
+ * configured certs and key from files. The private key handling in
+ * here should be split out into a separate function for improved
+ * readability. The myCtxVarGet abomination can be thrown away with
+ * SSLC support, vastly simplifying the code. */
void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
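Review bot: The new header comment above ssl_pphrase_Handle drops a verb and a plural: `the core purpose of this function to load into memory all configured certs and key from files` should read `the core purpose of this function is to load into memory all configured certs and keys from files`. The remark that the private-key handling should be split out would be easier to act on if the comment named where that handling starts in the body, which continues outside this hunk.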
@@ -157,7 +164,6 @@ void ssl_pphrase_Handle(server_rec *s, a
int i, j;
ssl_algo_t algoCert, algoKey, at;
char *an;
- char *cp;
apr_time_t pkey_mtime = 0;
apr_status_t rv;
/*
@@ -178,7 +184,8 @@ void ssl_pphrase_Handle(server_rec *s, a
cpVHostID = ssl_util_vhostid(p, pServ);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, pServ,
- "Loading certificate & private key of SSL-aware server");
+ "Loading certificate & private key of SSL-aware server '%s'",
+ cpVHostID);
/*
* Read in server certificate(s): This is the easy part
@@ -193,11 +200,18 @@ void ssl_pphrase_Handle(server_rec *s, a
ssl_die();
}
+ /* Bitmasks for all key algorithms configured for this server;
+ * initialize to zero. */
algoCert = SSL_ALGO_UNKNOWN;
algoKey = SSL_ALGO_UNKNOWN;
+
+ /* Iterate through configured certificate files for this
+ * cert. */
for (i = 0, j = 0; i < SSL_AIDX_MAX
&& (sc->server->pks->cert_files[i] != NULL
|| sc->server->pkcs7); i++) {
+ const char *key_id;
+
if (sc->server->pkcs7) {
STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
sc->server->pkcs7);
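Review bot: `key_id` is introduced on the new line `const char *key_id;` without an initializer and is only assigned further down the loop body, after the certificate has been parsed; any path that reaches the private-key insertion without passing that assignment would read an indeterminate pointer into the table lookup. Initializing it, `const char *key_id = NULL;`, makes such a path fail visibly instead of indexing the table with garbage. The added comment `Iterate through configured certificate files for this cert.` reads circularly; `for this server` matches the loop over sc->server->pks->cert_files. The for loop body continues outside the hunk.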
@@ -236,6 +250,11 @@ void ssl_pphrase_Handle(server_rec *s, a
}
algoCert |= at;
+ /* Determine the hash key used for this (vhost, algo-type)
+ * pair used to index both the mc->tPrivateKey and
+ * mc->tPublicCert tables: */
+ key_id = asn1_table_vhost_key(mc, p, cpVHostID, an);
+
/*
* Insert the certificate into global module configuration to let it
* survive the processing between the 1st Apache API init round (where
@@ -243,9 +262,8 @@ void ssl_pphrase_Handle(server_rec *s, a
* certificate is actually used to configure mod_ssl's per-server
* configuration structures).
*/
- cp = asn1_table_vhost_key(mc, p, cpVHostID, an);
length = i2d_X509(pX509Cert, NULL);
- ucp = ssl_asn1_table_set(mc->tPublicCert, cp, length);
+ ucp = ssl_asn1_table_set(mc->tPublicCert, key_id, length);
(void)i2d_X509(pX509Cert, &ucp); /* 2nd arg increments */
/*
@@ -512,14 +530,13 @@ void ssl_pphrase_Handle(server_rec *s, a
* because the SSL library uses static variables inside a
* RSA structure which do not survive DSO reloads!)
*/
- cp = asn1_table_vhost_key(mc, p, cpVHostID, an);
length = i2d_PrivateKey(pPrivateKey, NULL);
- ucp = ssl_asn1_table_set(mc->tPrivateKey, cp, length);
+ ucp = ssl_asn1_table_set(mc->tPrivateKey, key_id, length);
(void)i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
if (nPassPhraseDialogCur != 0) {
/* remember mtime of encrypted keys */
- asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp);
+ asn1 = ssl_asn1_table_get(mc->tPrivateKey, key_id);
asn1->source_mtime = pkey_mtime;
}
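Review bot: The private-key insertion now reuses `key_id`, which the earlier hunk computes from `an` immediately after the certificate's algorithm type is added to algoCert (`key_id = asn1_table_vhost_key(mc, p, cpVHostID, an);`), whereas the removed line recomputed the key from whatever `an` held at this point. If `an` is reassigned between the two sites — for instance from the loaded private key's own algorithm type — a certificate and key of differing types would now be stored under the certificate's slot rather than the key's, which would be a functional change the log message says is not intended. Worth confirming that `an` is untouched in between, and recording it at the assignment once verified: `/* key_id is reused for the private key below; 'an' must not change in between */`. The loop body between the two hunks is outside this view.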
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1069765&r1=1069764&r2=1069765&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Feb 11 12:05:31 2011
@@ -429,8 +429,16 @@ typedef struct {
apr_array_header_t *aRandSeed;
apr_hash_t *tVHostKeys;
void *pTmpKeys[SSL_TMP_KEY_MAX];
+
+ /* Two hash tables of pointers to ssl_asn1_t structures. The
+ * structures are used to store certificates and private keys
+ * respectively, in raw DER format (serialized OpenSSL X509 and
+ * PrivateKey structures). The tables are indexed by (vhost-id,
+ * algorithm type) using the function ssl_asn1_table_keyfmt(); for
+ * example the string "vhost.example.com:443:RSA". */
apr_hash_t *tPublicCert;
apr_hash_t *tPrivateKey;
+
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
const char *szCryptoDevice;
#endif
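Review bot: The new comment on tPublicCert/tPrivateKey says the tables are indexed `using the function ssl_asn1_table_keyfmt()`, but the ssl_engine_pphrase.c change in this same commit builds the index with `asn1_table_vhost_key(mc, p, cpVHostID, an)`; one of the two names looks stale, and the comment should cite the helper that actually exists. It would also help maintainers to say what form the keys are in: the pphrase code stores them after the passphrase dialog has run (the nearby `remember mtime of encrypted keys` refers to the on-disk files), so the DER in tPrivateKey is presumably the decrypted key — confirm, and if so add `tPrivateKey holds decrypted private keys in raw DER; treat as sensitive.`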