authorBrad Smith <brad@cvs.openbsd.org>1999-10-01 23:50:45 +0000
committerBrad Smith <brad@cvs.openbsd.org>1999-10-01 23:50:45 +0000
commit0acd9cb2363683f7fd4c849e740b152717aca732 (patch)
tree6557d9460e0f63f0a22b26449f0c1ec39be585d0
parent4eb1a8adc0eba603e08e9ce646152706a8293506 (diff)
Sync with mod_ssl v2.4.5. ok beck@.
-rw-r--r--usr.sbin/httpd/src/CHANGES.SSL46
-rw-r--r--usr.sbin/httpd/src/modules/ssl/libssl.module12
-rw-r--r--usr.sbin/httpd/src/modules/ssl/libssl.version2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.h5
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c9
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c43
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c2
8 files changed, 92 insertions, 31 deletions
diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL
index 5d1ba553ea3..ee2f9d9ae86 100644
--- a/usr.sbin/httpd/src/CHANGES.SSL
+++ b/usr.sbin/httpd/src/CHANGES.SSL
@@ -23,6 +23,50 @@
/ __/ |__ _|
__ |_____(_) |_| ___________________________________________
+ Changes with mod_ssl 2.4.5 (28-Sep-1999 to 01-Oct-1999)
+
+ *) Now ``make certificate'' displays a warning message if one generates a
+ DSA certificate with it to make sure the user is aware of the fact that
+ a DSA-only webserver is currently useless because the popular browsers
+ do not speak DH-based ciphers. A hint is given that a DSA cert/key pair
+ is only useful in _combination_ with a parallel configured RSA
+ cert/key pair.
+
+ *) Enhanced the pass phrase dialog: Now ``Server <host>:<port> (<algo>)''
+ is displayed instead of just ``Server <host>:<port>'' and the
+ ``SSLPassPhraseDialog exec:/path/to/program'' is called with arguments
+ ``<host>:<port> <algo>'' instead of just ``<host>:<port>'' to allow the
+ distinction between RSA and DSA keys both to the user and to the
+ program. This is important, because a single virtual host can use both
+ a RSA and a DSA cert/key at the same time.
+
+ *) Added pre-configured (but commented out) SSLCertificate[Key]File
+ directives to conf/httpd.conf-dist which explains the use of the
+ additional DSA cert/key.
+
+ *) Now the default for SSL_SDBM is 'yes' on Linux boxes because it occurrs
+ too often that Linux boxes with broken DBM libraries are used and people
+ are wondering why their session cache operations segfault the server. If
+ you really want to use the vendor DBM library on Linux you now have to
+ use --disable-rule=SSL_SDBM. But I recommend you to use SDBM except
+ you know what you're doing.
+
+ *) Fixed typo in FAQ: SSLSessioCache -> SSLSessionCache.
+
+ *) Enhanced the logging facility: First the "Connection to child x"
+ messages now also contain the client IP address, second every
+ logfile entry now has a prefix which contains also the process id in
+ addition to the time. This way it's easier to identify logfile entries
+ written by different processes.
+
+ *) Fixed ssl_engine_vars.c: SSL3_TXT_RSA_IDEA_128_SHA was contained twice
+ in a table. Instead the second occurrence should be
+ SSL2_TXT_IDEA_128_CBC_WITH_MD5.
+
+ *) Fixed the `union semun' situation for SSLMutex again, this time for
+ brain-dead anchient Linux versions which have incorrect semctl(2)
+ prototypes. We now enable IPC semaphores only on glibc 2.1 boxes.
+
Changes with mod_ssl 2.4.4 (27-Sep-1999 to 28-Sep-1999)
*) Fixed the `union semun' situation for SSLMutex which was broken in 2.4.3
@@ -200,7 +244,7 @@
*) Added support for latest OpenSSL 0.9.4-dev snapshot version.
- *) Fixed initialization and cleanup relazed problems with SSLMutex: The
+ *) Fixed initialization and cleanup related problems with SSLMutex: The
mutex is now closed before the chown and the mutex is removed only in
the parent on module shutdown.
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module
index 444a3818c5b..d6537529aa4 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.module
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.module
@@ -229,7 +229,17 @@ ConfigStart
exit 1
fi
fi
- # 4. finally configure the chosen DBM lib
+ # 4. override decision on a few brain-dead platforms
+ if [ ".$my_rule_SSL_SDBM" = .default ]; then
+ case "$OS" in
+ Linux )
+ # force Linux boxes to use builtin SDBM per default because
+ # of too much broken vendor DBM libraries on this platform
+ SSL_DBM_NAME=''
+ ;;
+ esac
+ fi
+ # 5. finally configure the chosen DBM lib
if [ ".$SSL_DBM_NAME" != . ]; then
echo "$my_prefix SSL interface plugin: $SSL_DBM_NAME"
my_dbm_already_used=`echo $LIBS | grep -- " $SSL_DBM_FLAG"`
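Review bot: The Linux override clears only SSL_DBM_NAME, so if SSL_DBM_FLAG was assigned together with it earlier in the ConfigStart block (that part is outside the hunk), the vendor library flag survives the override and any later reference outside the `if [ ".$SSL_DBM_NAME" != . ]` guard would still pick it up; resetting both in the same branch, `SSL_DBM_NAME=''` followed by `SSL_DBM_FLAG=''`, keeps the two variables consistent. The `Linux )` pattern also only matches an exact `$OS` value, so if that variable carries a suffix or a different case on some systems (how it is derived is not visible here) the override silently does nothing; a short comment stating what `$OS` is expected to hold, e.g. `# $OS is the bare uname -s name, not the GuessOS triple`, would make that assumption checkable.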
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index e4156ddb315..aaa8f08aab2 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.4.4-1.3.9
+mod_ssl/2.4.5-1.3.9
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 5dac8c81ec7..e49ed932100 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -257,7 +257,8 @@
#endif
#if defined(USE_SYSVSEM_SERIALIZED_ACCEPT) ||\
defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) ||\
- (defined(LINUX) && LINUX >= 2) ||\
+ (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) && \
+ LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\
defined(SOLARIS2)
#define SSL_CAN_USE_SEM
#define SSL_HAVE_IPCSEM
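Review bot: The glibc version test `__GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1` is not a proper "at least 2.1" check: it rejects any hypothetical major release with a minor of 0 (3.0 would fail `__GLIBC_MINOR__ >= 1`) and accepts nothing it should not today only by luck of the current release numbers. The standard form is `(__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 1))`, so the two added lines would read `(defined(LINUX) && LINUX >= 2 && defined(__GLIBC__) && defined(__GLIBC_MINOR__) && \` and `(__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 1))) ||\`. Note also that `__GLIBC__` is only defined once a libc header has been included; if no system header precedes this block in mod_ssl.h (not visible in the hunk), the `defined(__GLIBC__)` clause is always false and IPC semaphores are silently disabled on every Linux build, which a comment above the `#if` should state.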
@@ -521,7 +522,7 @@ typedef struct {
ssl_ds_table *tPublicCert;
ssl_ds_table *tPrivateKey;
struct {
- void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9;
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
#ifdef SSL_VENDOR
ap_ctx *ctx;
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 152a61b1a8e..f404914903a 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -162,8 +162,8 @@ void ssl_hook_NewConnection(conn_rec *conn)
* later access inside callback functions
*/
cpVHostID = ssl_util_vhostid(conn->pool, srvr);
- ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established (server %s)",
- conn->child_num, cpVHostID);
+ ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d established "
+ "(server %s, client %s)", conn->child_num, cpVHostID, conn->remote_ip);
/*
* Seed the Pseudo Random Number Generator (PRNG)
@@ -505,8 +505,9 @@ void ssl_hook_CloseConnection(conn_rec *conn)
/* and finally log the fact that we've closed the connection */
ssl_log(conn->server, SSL_LOG_INFO,
- "Connection to child %d closed with %s shutdown (server %s)",
- conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server));
+ "Connection to child %d closed with %s shutdown (server %s, client %s)",
+ conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server),
+ conn->remote_ip);
return;
}
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 7b57f399056..7b18e8b4347 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
@@ -222,7 +222,9 @@ void ssl_log(server_rec *s, int level, const char *msg, ...)
tstr[0] = NUL;
else {
t = ap_get_gmtoff(&timz);
- strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S] ", t);
+ strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);
+ i = strlen(tstr);
+ ap_snprintf(tstr+i, 80-i, " %05d] ", (unsigned int)getpid());
}
/* determine whether newline should be writteni */
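Review bot: The return value of strftime() is discarded and the length is recovered with strlen(tstr); strftime() returns 0 when the result does not fit, and in that case the buffer contents are unspecified, so strlen() would run over indeterminate bytes. Using the returned count directly, `i = strftime(tstr, 80, "[%d/%b/%Y %H:%M:%S", t);`, is both cheaper and well-defined (with `if (i == 0) tstr[0] = NUL;` as a guard if you want to be strict), assuming `i` is declared with an unsigned or size-like type earlier in ssl_log, which is outside the hunk. Separately, `%05d` expects an int but the argument is cast to `(unsigned int)`; `ap_snprintf(tstr+i, 80-i, " %05d] ", (int)getpid());` matches the conversion. The literal 80 now appears three times; `sizeof tstr` would be preferable if tstr is a local array.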
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index 11261aee565..5ff057d0ede 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
@@ -207,15 +207,16 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
* the callback function which serves the pass
* phrases to OpenSSL
*/
- myCtxVarSet(mc, 1, pServ);
- myCtxVarSet(mc, 2, p);
- myCtxVarSet(mc, 3, aPassPhrase);
- myCtxVarSet(mc, 4, &nPassPhraseCur);
- myCtxVarSet(mc, 5, &cpPassPhraseCur);
- myCtxVarSet(mc, 6, cpVHostID);
- myCtxVarSet(mc, 7, &nPassPhraseDialog);
- myCtxVarSet(mc, 8, &nPassPhraseDialogCur);
- myCtxVarSet(mc, 9, &bPassPhraseDialogOnce);
+ myCtxVarSet(mc, 1, pServ);
+ myCtxVarSet(mc, 2, p);
+ myCtxVarSet(mc, 3, aPassPhrase);
+ myCtxVarSet(mc, 4, &nPassPhraseCur);
+ myCtxVarSet(mc, 5, &cpPassPhraseCur);
+ myCtxVarSet(mc, 6, cpVHostID);
+ myCtxVarSet(mc, 7, an);
+ myCtxVarSet(mc, 8, &nPassPhraseDialog);
+ myCtxVarSet(mc, 9, &nPassPhraseDialogCur);
+ myCtxVarSet(mc, 10, &bPassPhraseDialogOnce);
nPassPhraseCur = 0;
nPassPhraseRetry = 0;
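Review bot: Inserting the new context slot in the middle renumbers slots 7 through 10 as bare integer literals, and the only thing keeping this myCtxVarSet list, the myCtxVarGet list in ssl_pphrase_Handle_CB (second hunk of this file, lines 212-230 of the page) and the pV1..pV10 fields in mod_ssl.h in agreement is manual counting; a mismatch between a Set and a Get slot compiles silently and hands the callback a pointer of the wrong type. A small enum naming the slots (server, pool, pass-phrase array, current index, current phrase, vhost id, algo type, dialog count, dialog current, dialog-once flag) used in both lists would make the next insertion safe and self-documenting. The lifetime of `an` is also not visible here; a comment on the `myCtxVarSet(mc, 7, an);` line stating what it points to and that it must outlive the callback would be worth adding. ssl_pphrase_Handle's body begins before and continues after this hunk.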
@@ -395,6 +396,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
int *pnPassPhraseCur;
char **cppPassPhraseCur;
char *cpVHostID;
+ char *cpAlgoType;
int *pnPassPhraseDialog;
int *pnPassPhraseDialogCur;
BOOL *pbPassPhraseDialogOnce;
@@ -404,15 +406,16 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
/*
* Reconnect to the context of ssl_phrase_Handle()
*/
- s = myCtxVarGet(mc, 1, server_rec *);
- p = myCtxVarGet(mc, 2, pool *);
- aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
- pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
- cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
- cpVHostID = myCtxVarGet(mc, 6, char *);
- pnPassPhraseDialog = myCtxVarGet(mc, 7, int *);
- pnPassPhraseDialogCur = myCtxVarGet(mc, 8, int *);
- pbPassPhraseDialogOnce = myCtxVarGet(mc, 9, BOOL *);
+ s = myCtxVarGet(mc, 1, server_rec *);
+ p = myCtxVarGet(mc, 2, pool *);
+ aPassPhrase = myCtxVarGet(mc, 3, ssl_ds_array *);
+ pnPassPhraseCur = myCtxVarGet(mc, 4, int *);
+ cppPassPhraseCur = myCtxVarGet(mc, 5, char **);
+ cpVHostID = myCtxVarGet(mc, 6, char *);
+ cpAlgoType = myCtxVarGet(mc, 7, char *);
+ pnPassPhraseDialog = myCtxVarGet(mc, 8, int *);
+ pnPassPhraseDialogCur = myCtxVarGet(mc, 9, int *);
+ pbPassPhraseDialogOnce = myCtxVarGet(mc, 10, BOOL *);
sc = mySrvConfig(s);
(*pnPassPhraseDialog)++;
@@ -460,7 +463,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
if (*pbPassPhraseDialogOnce) {
*pbPassPhraseDialogOnce = FALSE;
fprintf(stderr, "\n");
- fprintf(stderr, "Server %s\n", cpVHostID);
+ fprintf(stderr, "Server %s (%s)\n", cpVHostID, cpAlgoType);
}
/*
@@ -498,7 +501,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)
"Init: Requesting pass phrase from dialog filter program (%s)",
sc->szPassPhraseDialogPath);
- cmd = ap_psprintf(p, "%s %s", sc->szPassPhraseDialogPath, cpVHostID);
+ cmd = ap_psprintf(p, "%s %s %s", sc->szPassPhraseDialogPath, cpVHostID, cpAlgoType);
result = ssl_util_readfilter(s, p, cmd);
ap_cpystrn(buf, result, bufsize);
len = strlen(buf);
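Review bot: The new `cmd` is still a single whitespace-joined string built with ap_psprintf(), now carrying two interpolated values instead of one; if ssl_util_readfilter() (not in the hunk) hands that string to a shell, neither cpVHostID nor cpAlgoType is quoted, so a value containing shell metacharacters or whitespace would be split or interpreted rather than delivered as one argument. Both values come from the server's own configuration (ServerName/Port and the key type), so this is a robustness rather than an exposure issue, but either passing an argv array to the filter or rejecting characters outside `[A-Za-z0-9.:_-]` before building `cmd` would remove the dependency on well-behaved configuration. A one-line comment on the `cmd = ...` line stating the exact argument contract the exec: program receives (`<host>:<port> <algo>`) would also help, since the interface change is otherwise only documented in CHANGES.SSL.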
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
index b5d84ae6e15..207084f8770 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
@@ -592,7 +592,6 @@ static const struct {
{ SSL3_TXT_RSA_RC4_128_MD5 /*RC4-MD5*/, 128, 128 },
{ SSL3_TXT_RSA_RC4_128_SHA /*RC4-SHA*/, 128, 128 },
{ SSL3_TXT_RSA_RC2_40_MD5 /*EXP-RC2-CBC-MD5*/, 40, 128 },
- { SSL3_TXT_RSA_IDEA_128_SHA /*IDEA-CBC-MD5*/, 128, 128 },
{ SSL3_TXT_RSA_DES_40_CBC_SHA /*EXP-DES-CBC-SHA*/, 40, 56 },
{ SSL3_TXT_RSA_DES_64_CBC_SHA /*DES-CBC-SHA*/ , 56, 56 },
{ SSL3_TXT_RSA_DES_192_CBC3_SHA /*DES-CBC3-SHA*/ , 168, 168 },
@@ -617,6 +616,7 @@ static const struct {
{ SSL3_TXT_FZA_DMS_FZA_SHA /*FZA-FZA-CBC-SHA*/, 0, 0 },
{ SSL3_TXT_FZA_DMS_RC4_SHA /*FZA-RC4-SHA*/, 128, 128 },
+ { SSL2_TXT_IDEA_128_CBC_WITH_MD5 /*IDEA-CBC-MD5*/, 128, 128 },
{ SSL2_TXT_DES_64_CFB64_WITH_MD5_1 /*DES-CFB-M1*/, 56, 56 },
{ SSL2_TXT_RC2_128_CBC_WITH_MD5 /*RC2-CBC-MD5*/, 128, 128 },
{ SSL2_TXT_DES_64_CBC_WITH_MD5 /*DES-CBC-MD5*/, 56, 56 },