On Wed, Feb 10, 1999, Toru Takinaka wrote:
>[...]
> sc->prsaKey->meth is a pointer of static variable.
> But it isn't valid after Apache's second initialization when I use chroot(1M)
> command without my patch.
Oh, _THAT'S_ the problem: the static variable inside SSLeay/OpenSSL. Hmmmm...
yes, now I know why it core dumps: It's because the DSO (which contains the
libssl/libcrypto stuff) is loaded to a different memory address in the second
round and this way we lose the contents of this variable, of course. But
BTW, it has still nothing to do with chroot(1M) ;-)
And I don't want to fix it by adding a kludge which overrides the meth
variable with a fresh contents. That's ugly and doesn't address the actual
problem. The only correct solution IMO is in the first round to convert the
RSA/X509 structures into a bytestream (with i2d_XXX) which is allocated from
Apache's memory pool and in the second round convert it from this bytestream
back to the internal RSA/X509 structures of SSLeay/OpenSSL.
I'm appending a patch for mod_ssl 2.2.2 which should solve your problem in this
clean way. Please try it out and give me feedback on whether it works for you,
too.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Index: mod_ssl.h
===================================================================
RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.68
diff -u -r1.68 mod_ssl.h
--- mod_ssl.h 1999/02/03 15:21:18 1.68
+++ mod_ssl.h 1999/02/13 14:56:23
@@ -419,6 +419,14 @@
} SSLRandSeed;
/*
+ * Define the structure of an ASN.1 anything
+ */
+typedef struct {
+ long int nData;
+ unsigned char *cpData;
+} ASN1Obj;
+
+/*
* Define the mod_ssl per-module configuration structure
* (i.e. the global configuration for each httpd process)
*/
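Review bot: The new `ASN1Obj` is described only as "an ASN.1 anything", while the other hunks of this patch fill it with `i2d_*` output placed in a buffer from `ap_palloc`, so the header comment should state what the two members hold and who owns the memory, e.g. `/* DER-encoded object: cpData points at nData bytes allocated from the module pool */`. `nData` is declared `long int` although it is assigned from `i2d_X509()`/`i2d_RSAPrivateKey()`, which return `int` and signal failure with a non-positive value; nothing in this patch checks that before the value is used as an allocation size. A name carrying the module prefix (the rest of the file uses `SSL...` names) would also keep it visibly apart from the library's own `ASN1_*` identifiers.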
Index: ssl_engine_config.c
===================================================================
RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.41
diff -u -r1.41 ssl_engine_config.c
--- ssl_engine_config.c 1999/02/03 15:21:18 1.41
+++ ssl_engine_config.c 1999/02/13 14:39:43
@@ -130,8 +130,8 @@
mc->nMutexSEMID = -1;
mc->aRandSeed = ap_make_array(pPool, 4, sizeof(SSLRandSeed));
- mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(RSA *));
- mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(X509 *));
+ mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ASN1Obj));
+ mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ASN1Obj));
/*
* And push it into Apache's global context
Index: ssl_engine_init.c
===================================================================
RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.48
diff -u -r1.48 ssl_engine_init.c
--- ssl_engine_init.c 1999/02/03 15:21:18 1.48
+++ ssl_engine_init.c 1999/02/13 14:57:01
@@ -318,10 +318,9 @@
SSLModConfigRec *mc = myModConfig();
int nVerify;
char *cpVHostID;
- RSA **ppRSA;
- X509 **ppX509;
SSL_CTX *ctx;
STACK *skCAList;
+ ASN1Obj *asn1;
char *cp;
/*
@@ -450,25 +449,24 @@
*/
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring server certificate", cpVHostID);
- if ((ppX509 = (X509 **)ssl_ds_table_get(mc->tPublicCert,
- cpVHostID)) == NULL) {
+ if ((asn1 = (ASN1Obj *)ssl_ds_table_get(mc->tPublicCert, cpVHostID)) == NULL) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Ops, can't find server certificate?!", cpVHostID);
ssl_die();
}
- sc->px509Certificate = *ppX509;
+ sc->px509Certificate = d2i_X509(NULL, &(asn1->cpData), asn1->nData);
/*
* Configure server private key
*/
ssl_log(s, SSL_LOG_TRACE,
"Init: (%s) Configuring server private key", cpVHostID);
- if ((ppRSA = (RSA **)ssl_ds_table_get(mc->tPrivateKey, cpVHostID)) == NULL) {
+ if ((asn1 = (ASN1Obj *)ssl_ds_table_get(mc->tPrivateKey, cpVHostID)) == NULL) {
ssl_log(s, SSL_LOG_ERROR,
"Init: (%s) Ops, can't find server private key?!", cpVHostID);
ssl_die();
}
- sc->prsaKey = *ppRSA;
+ sc->prsaKey = d2i_RSAPrivateKey(NULL, &(asn1->cpData), asn1->nData);
return;
}
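Review bot: Both new `d2i_*` calls pass `&(asn1->cpData)`, and `d2i_X509()`/`d2i_RSAPrivateKey()` advance the pointer they are given by the bytes consumed, so after the first decode the stored `asn1->cpData` no longer points at the start of the DER buffer; if `mc` persists across the two initialization rounds as the message implies, the second round decodes from the wrong offset. The results are also assigned unchecked, whereas the replaced `*ppX509`/`*ppRSA` dereferences could not fail; a NULL from a malformed buffer would now be stored in `sc` and used later. Decode through a local cursor (`unsigned char *ucp;` added to the declarations in the earlier hunk of this file) and die on NULL, mirroring the existing lookup-failure handling; the log wording below is a suggestion. The enclosing function starts before this hunk.
```c
    /* … unchanged: lookup of the certificate ASN1Obj … */
    ucp = asn1->cpData;   /* local cursor: d2i_* advances its 2nd argument */
    if ((sc->px509Certificate = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) Unable to decode server certificate", cpVHostID);
        ssl_die();
    }
    /* … unchanged: lookup of the private key ASN1Obj … */
    ucp = asn1->cpData;
    if ((sc->prsaKey = d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)) == NULL) {
        ssl_log(s, SSL_LOG_ERROR,
                "Init: (%s) Unable to decode server private key", cpVHostID);
        ssl_die();
    }
```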
Index: ssl_engine_pphrase.c
===================================================================
RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_pphrase.c,v
retrieving revision 1.24
diff -u -r1.24 ssl_engine_pphrase.c
--- ssl_engine_pphrase.c 1999/01/06 11:43:09 1.24
+++ ssl_engine_pphrase.c 1999/02/13 14:57:16
@@ -83,10 +83,10 @@
server_rec *pServ;
char *cpVHostID;
char szPath[MAX_STRING_LEN];
+ ASN1Obj *asn1;
+ unsigned char **ucpp;
RSA *pRSAKey;
- RSA **ppRSAKey;
X509 *pX509Cert;
- X509 **ppX509Cert;
FILE *fp;
BOOL bReadable;
ssl_ds_array *aPassPhrase;
@@ -151,8 +151,10 @@
* certificate is actually used to configure mod_ssl's per-server
* configuration structures).
*/
- ppX509Cert = ssl_ds_table_push(mc->tPublicCert, cpVHostID);
- *ppX509Cert = pX509Cert;
+ asn1 = (ASN1Obj *)ssl_ds_table_push(mc->tPublicCert, cpVHostID);
+ asn1->nData = i2d_X509(pX509Cert, NULL);
+ asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ ucpp = &asn1->cpData; i2d_X509(pX509Cert, ucpp); /* 2nd arg increments */
/*
* Read in the private key: This is the non-trivial part, because the
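Review bot: `ucpp = &asn1->cpData; i2d_X509(pX509Cert, ucpp);` hands the stored pointer itself to `i2d_X509()`, which advances `*ucpp` by every byte it writes, so after this line `asn1->cpData` points one past the end of the buffer just allocated rather than at its start, and the decode in ssl_engine_init.c then reads `nData` bytes beyond the allocation. Encode through a local cursor instead: `ucp = asn1->cpData; i2d_X509(pX509Cert, &ucp);` with `unsigned char *ucp;` declared in place of `ucpp`. The private-key encoding in the next hunk (`ucpp = &asn1->cpData; i2d_RSAPrivateKey(pRSAKey, ucpp);`) has the same defect and needs the same change; its trailing comment was also wrapped onto a separate `*/` line by the mailer, which still compiles but is worth tidying before commit. The length returned by `i2d_X509(pX509Cert, NULL)` is used unchecked as the `ap_palloc` size; a non-positive result should abort before allocating. The enclosing function starts before this hunk.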
@@ -286,9 +288,14 @@
/*
* Insert private key into the global module configuration
- */
- ppRSAKey = ssl_ds_table_push(mc->tPrivateKey, cpVHostID);
- *ppRSAKey = pRSAKey;
+ * (we convert it to a stand-alone DER byte sequence
+ * because the SSL library uses static variables inside a
+ * RSA structure which do not survive DSO reloads!)
+ */
+ asn1 = (ASN1Obj *)ssl_ds_table_push(mc->tPrivateKey, cpVHostID);
+ asn1->nData = i2d_RSAPrivateKey(pRSAKey, NULL);
+ asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+ ucpp = &asn1->cpData; i2d_RSAPrivateKey(pRSAKey, ucpp); /* 2nd arg increments
+*/
}
/*