Posted to cvs@httpd.apache.org by ji...@apache.org on 2012/04/03 14:37:57 UTC
svn commit: r1308862 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS
modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c
modules/ssl/ssl_private.h
Author: jim
Date: Tue Apr 3 12:37:57 2012
New Revision: 1308862
URL: http://svn.apache.org/viewvc?rev=1308862&view=rev
Log:
Merge r1294306 from trunk:
Initialize EC temporary key on server startup, as for DH and
RSA. This fixes a race condition that could lead to a crash with threaded
MPMs.
Submitted by: sf
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1308862&r1=1308861&r2=1308862&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Apr 3 12:37:57 2012
@@ -6,6 +6,9 @@ Changes with Apache 2.4.2
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
+ *) mod_ssl: Fix crash with threaded MPMs due to race condition when
+ initializing EC temporary keys. [Stefan Fritsch]
+
*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1308862&r1=1308861&r2=1308862&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Apr 3 12:37:57 2012
@@ -88,17 +88,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Initialize EC temporary key on server startup, fixing a crash
- with threaded MPMs.
- Trunk patch: http://svn.apache.org/viewvc?rev=1294306&view=rev
- 2.4.x patch: Trunk patch works, skip docs/log-message-tags/next-number,
- add CHANGES:
- mod_ssl: Fix crash with threaded MPMs due to race condition when
- initializing EC temporary keys. [Stefan Fritsch]
- NOTE: If you get strange openssl errors during server start, you may have
- forgotten "make clean" before building.
- +1: sf, minfrin, jim
-
* core: Fix regexp substitution bug
Trunk patch: http://svn.apache.org/viewvc?rev=1307067&view=rev
2.4.x patch: Trunk patch works, add CHANGES:
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1308862&r1=1308861&r2=1308862&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Tue Apr 3 12:37:57 2012
@@ -77,6 +77,9 @@ static void ssl_tmp_keys_free(server_rec
MODSSL_TMP_KEYS_FREE(mc, RSA);
MODSSL_TMP_KEYS_FREE(mc, DH);
+#ifndef OPENSSL_NO_EC
+ MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256);
+#endif
}
static int ssl_tmp_key_init_rsa(server_rec *s,
@@ -157,6 +160,40 @@ static int ssl_tmp_key_init_dh(server_re
return OK;
}
+#ifndef OPENSSL_NO_EC
+static int ssl_tmp_key_init_ec(server_rec *s,
+ int bits, int idx)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ EC_KEY *ecdh = NULL;
+
+ /* XXX: Are there any FIPS constraints we should enforce? */
+
+ if (bits != 256) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298)
+ "Init: Failed to generate temporary "
+ "%d bit EC parameters, only 256 bits supported", bits);
+ return !OK;
+ }
+
+ if ((ecdh = EC_KEY_new()) == NULL ||
+ EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1)
+ {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299)
+ "Init: Failed to generate temporary "
+ "%d bit EC parameters", bits);
+ return !OK;
+ }
+
+ mc->pTmpKeys[idx] = ecdh;
+ return OK;
+}
+
+#define MODSSL_TMP_KEY_INIT_EC(s, bits) \
+ ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits)
+
+#endif
+
#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \
ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits)
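Review bot: The `EC_GROUP` returned by `EC_GROUP_new_by_curve_name()` in `ssl_tmp_key_init_ec` is never freed; `EC_KEY_set_group()` keeps its own copy of the group, so the caller's object leaks on every call. The leak would repeat if this init runs again on a restart, but the callers are outside this hunk, so that part is inferred. On the failure branch `ecdh` is also left allocated when `EC_KEY_new()` succeeded but setting the group failed. Building the key in one step avoids both: `if ((ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) {`. The open `XXX` about FIPS constraints should be resolved or tracked rather than left as a bare marker in the startup path.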
@@ -181,6 +218,15 @@ static int ssl_tmp_keys_init(server_rec
return !OK;
}
+#ifndef OPENSSL_NO_EC
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+ "Init: Generating temporary EC parameters (256 bits)");
+
+ if (MODSSL_TMP_KEY_INIT_EC(s, 256)) {
+ return !OK;
+ }
+#endif
+
return OK;
}
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1308862&r1=1308861&r2=1308862&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Tue Apr 3 12:37:57 2012
@@ -1386,24 +1386,20 @@ DH *ssl_callback_TmpDH(SSL *ssl, int exp
EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
- static EC_KEY *ecdh = NULL;
- static int init = 0;
+ SSLModConfigRec *mc = myModConfigFromConn(c);
+ int idx;
/* XXX Uses 256-bit key for now. TODO: support other sizes. */
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"handing out temporary 256 bit ECC key");
- if (init == 0) {
- ecdh = EC_KEY_new();
- if (ecdh != NULL) {
- /* ecdh->group = EC_GROUP_new_by_nid(NID_secp160r2); */
- EC_KEY_set_group(ecdh,
- EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
- }
- init = 1;
+ switch (keylen) {
+ case 256:
+ default:
+ idx = SSL_TMP_KEY_EC_256;
}
- return ecdh;
+ return (EC_KEY *)mc->pTmpKeys[idx];
}
#endif
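Review bot: In `ssl_callback_TmpECDH` the `switch (keylen)` has `case 256:` falling into `default:` with no `break;`, and `export` is unused, so every requested length silently gets the P-256 entry while the trace message always reports 256 bit. Add `break;` after `idx = SSL_TMP_KEY_EC_256;` and a comment such as `/* all key lengths map to the P-256 key created at startup by ssl_tmp_key_init_ec() */` so the fallback reads as deliberate. The function now returns the shared entry in `mc->pTmpKeys` instead of a function-local static, so a one-line comment that the caller must not free or modify the returned key would document the ownership. Whether that slot can be NULL here depends on startup aborting when `ssl_tmp_keys_init` fails, which is not visible in this hunk.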
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1308862&r1=1308861&r2=1308862&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Tue Apr 3 12:37:57 2012
@@ -298,7 +298,12 @@ typedef int ssl_algo_t;
#define SSL_TMP_KEY_RSA_1024 (1)
#define SSL_TMP_KEY_DH_512 (2)
#define SSL_TMP_KEY_DH_1024 (3)
+#ifndef OPENSSL_NO_EC
+#define SSL_TMP_KEY_EC_256 (4)
+#define SSL_TMP_KEY_MAX (5)
+#else
#define SSL_TMP_KEY_MAX (4)
+#endif
/**
* Define the SSL options