Yann and Rüdiger, looking at this, I am thinking about how to improve mod_md's init of openssl. Basically, if mod_ssl + mod_md is loaded, mod_md does not have to do anything, it seems.
However, there is a slim chance that someone has another ssl module (or none?) and what should mod_md do then? I can copy the crypto parts of the pre_config and cleanup code, but given the ever increasing version number checks...is there a better way? -Stefan
> Am 04.08.2018 um 19:17 schrieb [email protected]:
>
> Author: ylavic
> Date: Sat Aug 4 17:17:03 2018
> New Revision: 1837435
>
> URL: http://svn.apache.org/viewvc?rev=1837435&view=rev
> Log:
> mod_ssl: OpenSSL now initializes fully through APR, use that.
>
> Follow up to r1833368 and r1833452.
>
> Modified:
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1837435&r1=1837434&r2=1837435&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Aug 4 17:17:03 2018
> @@ -342,6 +342,7 @@ static int modssl_is_prelinked(void)
> return 0;
> }
>
> +#if !USE_APR_CRYPTO_LIB_INIT
> static apr_status_t ssl_cleanup_pre_config(void *data)
> {
> /*
> @@ -397,47 +398,31 @@ static apr_status_t ssl_cleanup_pre_conf
> */
> return APR_SUCCESS;
> }
> +#endif /* !USE_APR_CRYPTO_LIB_INIT */
>
> static int ssl_hook_pre_config(apr_pool_t *pconf,
> apr_pool_t *plog,
> apr_pool_t *ptemp)
> {
> -#if USE_APR_CRYPTO_LIB_INIT
> - apr_status_t rv;
> -#endif
> -
> #if HAVE_VALGRIND
> ssl_running_on_valgrind = RUNNING_ON_VALGRIND;
> #endif
> modssl_running_statically = modssl_is_prelinked();
>
> - /* Some OpenSSL internals are allocated per-thread, make sure they
> - * are associated to the/our same thread-id until cleaned up.
> - */
> -#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
> - ssl_util_thread_id_setup(pconf);
> -#endif
> -
> #if USE_APR_CRYPTO_LIB_INIT
> - /* When mod_ssl is builtin, no need to unload openssl on restart */
> - rv = apr_crypto_lib_init("openssl", NULL, NULL,
> - modssl_running_statically ? ap_pglobal : pconf);
> - if (rv == APR_SUCCESS || rv == APR_EREINIT) {
> - /* apr_crypto inits libcrypto only, so in any case init libssl here,
> - * each time if openssl is unloaded with pconf, but only once if
> - * mod_ssl is builtin.
> + {
> + /* When mod_ssl is builtin, no need to unload openssl on restart,
> + * so use pglobal.
> */
> - if (!modssl_running_statically
> - || !ap_retained_data_get("ssl_hook_pre_config")) {
> - if (modssl_running_statically) {
> - ap_retained_data_create("ssl_hook_pre_config", 1);
> - }
> - SSL_load_error_strings();
> - SSL_library_init();
> + apr_pool_t *p = modssl_running_statically ? ap_pglobal : pconf;
> + apr_status_t rv = apr_crypto_lib_init("openssl", NULL, NULL, p);
> + if (rv != APR_SUCCESS && rv != APR_EREINIT) {
> + ap_log_perror(APLOG_MARK, APLOG_ERR, rv, pconf, APLOGNO()
> + "mod_ssl: can't initialize OpenSSL library");
> + return !OK;
> }
> }
> - else
> -#endif
> +#else /* USE_APR_CRYPTO_LIB_INIT */
> {
> /* We must register the library in full, to ensure our configuration
> * code can successfully test the SSL environment.
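Review bot: In the new `#if USE_APR_CRYPTO_LIB_INIT` block of `ssl_hook_pre_config`, mod_ssl no longer calls `SSL_load_error_strings()` / `SSL_library_init()` itself, although the comment this commit removes said apr_crypto initializes libcrypto only; libssl setup therefore depends entirely on what `apr_crypto_lib_init("openssl", ...)` does in the APR build that is linked. The same applies to the `@@ -466,6 +452,16 @@` hunk, where `ssl_util_thread_id_setup()` and `ssl_util_thread_setup()` are now compiled only in the `#else` branch, so with threads and an OpenSSL before 1.1 the locking callbacks must also come from APR. The definition of `USE_APR_CRYPTO_LIB_INIT` is outside the hunk; presumably it is tied to an APR version that does all of this, and that should be confirmed and stated in the block comment, e.g. `/* apr_crypto_lib_init() sets up libcrypto, libssl and (OpenSSL < 1.1) the thread callbacks; see the USE_APR_CRYPTO_LIB_INIT version check. */`. The function body starts and ends outside the hunk.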
> @@ -456,6 +441,7 @@ static int ssl_hook_pre_config(apr_pool_
> #endif
> OpenSSL_add_all_algorithms();
> OPENSSL_load_builtin_modules();
> +
> SSL_load_error_strings();
> SSL_library_init();
>
> @@ -466,6 +452,16 @@ static int ssl_hook_pre_config(apr_pool_
> apr_pool_cleanup_null);
> }
>
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
> + /* Some OpenSSL internals are allocated per-thread, make sure they
> + * are associated to the/our same thread-id until cleaned up. Then
> + * initialize all the thread locking stuff needed by the lib.
> + */
> + ssl_util_thread_id_setup(pconf);
> + ssl_util_thread_setup(pconf);
> +#endif
> +#endif /* USE_APR_CRYPTO_LIB_INIT */
> +
> if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
> (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
> "SRVName otherName form");
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1837435&r1=1837434&r2=1837435&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Aug 4 17:17:03 2018
> @@ -294,10 +294,6 @@ apr_status_t ssl_init_Module(apr_pool_t
> #endif
> }
>
> -#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
> - ssl_util_thread_setup(p);
> -#endif
> -
> /*
> * SSL external crypto device ("engine") support
> */
>
>
