--- mod_ssl-2.8.14-1.3.27/pkg.sslcfg/sslcfg.patch	Fri Mar 21 15:19:41 2003
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslcfg/sslcfg.patch	Fri Jun  6 11:24:04 2003
@@ -66,6 +66,7 @@
 +#   Some MIME-types for downloading Certificates and CRLs
 +#
 +<IfDefine SSL>
++SSLCryptoDevice pkcs11
 +AddType application/x-x509-ca-cert .crt
 +AddType application/x-pkcs7-crl    .crl
 +</IfDefine>
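Review bot: `SSLCryptoDevice pkcs11` lands in the MIME-type block rather than next to the other global SSL settings (session cache, mutex, log), so an administrator looking for engine configuration will not find it there, and nothing says it requires an engine-enabled build plus a loaded PKCS#11 provider. If, as elsewhere in mod_ssl 2.8, the directive is only registered under SSL_EXPERIMENTAL_ENGINE, a stock build will reject the template at startup with an unknown-directive error. I would move the line beside the global settings and precede it with `#   External crypto device ("engine"): needs an engine-enabled build and a PKCS#11 provider`. The enclosing `<IfDefine SSL>` block's context starts outside the hunk.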
@@ -81,11 +82,11 @@
 +#   Inter-Process Session Cache:
 +#   Configure the SSL Session Cache: First the mechanism 
 +#   to use and second the expiring timeout (in seconds).
-+#SSLSessionCache        none
++SSLSessionCache        none
 +#SSLSessionCache        shmht:logs/ssl_scache(512000)
 +#SSLSessionCache        shmcb:logs/ssl_scache(512000)
-+SSLSessionCache         dbm:logs/ssl_scache
-+SSLSessionCacheTimeout  300
++#SSLSessionCache         dbm:logs/ssl_scache
++#SSLSessionCacheTimeout  300
 +
 +#   Semaphore:
 +#   Configure the path to the mutual exclusion semaphore the
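Review bot: `SSLSessionCache none` switches off the inter-process session cache in the shipped template without a comment saying why; every new connection then performs a full handshake, which with an external device means one private-key operation on the device per connection. The startup code in ssl_engine_init.c still warns when the cache is disabled, so this template will emit that warning on every start. If the dbm cache was disabled because it conflicts with the engine, state that, e.g. `#   Session cache disabled: <reason — confirm>`, otherwise keep the dbm default that the previous text selected.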
@@ -117,7 +118,7 @@
 +#   Log levels are (ascending order: higher ones include lower ones):
 +#   none, error, warn, info, trace, debug.
 +SSLLog      logs/ssl_engine_log
-+SSLLogLevel info
++SSLLogLevel none
 +
 +</IfModule>
 +
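Review bot: `SSLLogLevel none` silences logs/ssl_engine_log entirely, including the error level, so the extra engine error text introduced in ssl_engine_log.c never reaches the file log; errors still go to the Apache error log through ap_log_error, but the dedicated SSL log stays empty. A shipped template should keep at least `SSLLogLevel error`, or the change should be marked in a comment as a deliberate debugging choice.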
@@ -134,7 +135,7 @@
 +ServerName new.host.name
 +ServerAdmin you@your.address
 +ErrorLog logs/error_log
-+TransferLog logs/access_log
++#TransferLog logs/access_log
 +
 +#   SSL Engine Switch:
 +#   Enable/Disable SSL for this virtual host.
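Review bot: Commenting out `TransferLog logs/access_log` removes the per-request access record for the SSL virtual host, and the `CustomLog logs/ssl_request_log` hunk further down does the same for the protocol/cipher log, so a host built from this template keeps no record of what was requested or negotiated — the first thing an incident review would look for. If these were disabled for a local test build, restore them in the shipped template or explain the removal in a comment.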
@@ -143,7 +144,7 @@
 +#   SSL Cipher Suite:
 +#   List the ciphers that the client is permitted to negotiate.
 +#   See the mod_ssl documentation for a complete list.
-+SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
++SSLCipherSuite RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 +
 +#   Server Certificate:
 +#   Point SSLCertificateFile at a PEM encoded certificate.  If
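Review bot: The new `SSLCipherSuite RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` changes what is enabled, not just the order: as far as I can tell the `RSA` alias selects every suite using RSA key exchange and authentication, including the NULL-encryption suites that `ALL` excludes, so `+eNULL` now sorts plaintext ciphers to the end of an enabled list instead of being the no-op it was in the original string. The dropped `!ADH` is covered by `RSA` (anonymous DH has no RSA component), but `!EXPORT56` is gone and export and LOW suites remain enabled. If restricting to RSA is required for the engine, make the exclusions explicit: `SSLCipherSuite RSA:!eNULL:!EXP:!LOW:+HIGH:+MEDIUM`.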
@@ -286,8 +287,8 @@
 +#   Per-Server Logging:
 +#   The home of a custom SSL log file. Use this when you want a
 +#   compact non-error SSL logfile on a virtual host basis.
-+CustomLog logs/ssl_request_log \
-+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
++#CustomLog logs/ssl_request_log \
++#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 +
 +</VirtualHost>                                  
 +
--- mod_ssl-2.8.14-1.3.27/pkg.sslmod/libssl.module	Fri Oct  4 15:09:50 2002
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslmod/libssl.module	Fri Jun  6 11:24:04 2003
@@ -78,7 +78,7 @@
     my_outfile="Makefile.config"
     my_prefix="      +"
     my_prefixe="       "
-    SSL_CFLAGS=''
+    SSL_CFLAGS='-g -DSSL_EXPERIMENTAL_ENGINE'
     SSL_LDFLAGS=''
     SSL_LIBS=''
 
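Review bot: `SSL_CFLAGS='-g -DSSL_EXPERIMENTAL_ENGINE'` hard-codes both debug info and the experimental engine code path into every build, so all the `#ifdef SSL_EXPERIMENTAL_ENGINE` branches in the C hunks below become the only path with no way to opt out, and `-g` ends up in release binaries. Drive the define from the build configuration (presumably the existing experimental-feature rule mechanism — confirm) and keep `SSL_CFLAGS=''` here, appending the define only when the option is selected. The enclosing function starts outside the hunk.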
--- mod_ssl-2.8.14-1.3.27/pkg.sslmod/mod_ssl.c	Sat Feb 23 19:45:45 2002
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslmod/mod_ssl.c	Fri Jun  6 11:24:04 2003
@@ -234,7 +234,11 @@
     NULL,                     /* [#9] log a transaction              */
     NULL,                     /* [#2] header parser                  */
     ssl_init_Child,           /* child_init                          */
+#ifdef SSL_EXPERIMENTAL_ENGINE
+    ssl_init_ChildKill,       /* child_exit                          */
+#else
     NULL,                     /* child_exit                          */
+#endif
     ssl_hook_ReadReq,         /* [#0] post read-request              */
 
     /* Extended API (forced to be enabled with mod_ssl) */
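Review bot: The `#ifdef` around the child_exit slot is unnecessary: `ssl_init_ChildKill` is defined unconditionally in ssl_engine_init.c (only its body is engine-specific), so registering `ssl_init_ChildKill,       /* child_exit */` in both builds keeps the hook table identical across configurations and removes one place for the two builds to drift. The module record continues outside the hunk.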
--- mod_ssl-2.8.14-1.3.27/pkg.sslmod/ssl_engine_init.c	Tue Mar 18 14:34:41 2003
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslmod/ssl_engine_init.c	Fri Jun  6 11:24:04 2003
@@ -233,27 +233,30 @@
 #ifdef SHARED_MODULE
     ssl_log(s, SSL_LOG_INFO, "Init: %snitializing %s library",
             mc->nInitCount == 1 ? "I" : "Rei", SSL_LIBRARY_NAME);
-#ifdef SSL_EXPERIMENTAL_ENGINE
-    ssl_init_Engine(s, p);
-#endif
     ssl_init_SSLLibrary();
 #else
     if (mc->nInitCount <= 2) {
         ssl_log(s, SSL_LOG_INFO, "Init: %snitializing %s library",
                 mc->nInitCount == 1 ? "I" : "Rei", SSL_LIBRARY_NAME);
-#ifdef SSL_EXPERIMENTAL_ENGINE
-        ssl_init_Engine(s, p);
-#endif
         ssl_init_SSLLibrary();
     }
 #endif
     if (mc->nInitCount == 1) {
+#ifdef SSL_EXPERIMENTAL_ENGINE
+	ssl_init_Engine(s, p);
+#endif
         ssl_pphrase_Handle(s, p);
         ssl_init_TmpKeysHandle(SSL_TKP_GEN, s, p);
 #ifndef WIN32
         return;
 #endif
     }
+    /*
+     * SSL external crypto device ("engine") support
+     */
+#ifdef SSL_EXPERIMENTAL_ENGINE
+    ssl_init_Engine(s, p);
+#endif
 
     /*
      * Warn the user that he should use the session cache.
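Review bot: `ssl_init_Engine(s, p)` can now run twice in one initialisation: at nInitCount == 1 it is called inside the `if` block, and on WIN32 — where the early `return` is compiled out — control falls through to the second call added after the block, whereas before the patch each build had exactly one call site. On later inits the non-shared build also loses its `nInitCount <= 2` limit and re-initialises the engine on every restart. Either keep a single call placed before `ssl_pphrase_Handle` that both paths reach, or guard the second one with `if (mc->nInitCount != 1)`; the two added lines inside the `if` also use a tab where the file indents with spaces. The enclosing function continues outside the hunk.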
@@ -382,6 +385,7 @@
         /* seed PRNG */
         ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
 
+#ifndef SSL_EXPERIMENTAL_ENGINE
         /* generate 512 bit RSA key */
         ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");
         if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
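Review bot: The `#ifndef SSL_EXPERIMENTAL_ENGINE` opened here is closed by the `#endif` in the next hunk after `RSA_free(rsa)`, so in an engine build the `rsa` local declared at the top of the function (outside the hunk) is presumably left unused and will warn; move its declaration under the same guard. Nothing here records that the engine build no longer pre-generates temporary RSA keys and relies on the on-demand path instead — a one-line comment at the `#ifndef`, `/* engine build: temp RSA keys are created on demand in ssl_callback_TmpRSA (ssl_engine_kernel.c) */`, would save the next reader the search. The same `#ifndef` pattern repeats in the SSL_TKP_ALLOC and SSL_TKP_FREE hunks below.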
@@ -406,6 +410,7 @@
         asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
         ucp = asn1->cpData; i2d_RSAPrivateKey(rsa, &ucp); /* 2nd arg increments */
         RSA_free(rsa);
+#endif
 
         ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");
 
@@ -435,6 +440,7 @@
     /* Allocate Keys and Params */
     else if (action == SSL_TKP_ALLOC) {
 
+#ifndef SSL_EXPERIMENTAL_ENGINE
         ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary RSA private keys (512/1024 bits)");
 
         /* allocate 512 bit RSA key */
@@ -464,6 +470,7 @@
                 ssl_die();
             }
         }
+#endif
 
         ssl_log(s, SSL_LOG_INFO, "Init: Configuring temporary DH parameters (512/1024 bits)");
 
@@ -498,6 +505,7 @@
 
     /* Free Keys and Params */
     else if (action == SSL_TKP_FREE) {
+#ifndef SSL_EXPERIMENTAL_ENGINE
         if (mc->pTmpKeys[SSL_TKPIDX_RSA512] != NULL) {
             RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA512]);
             mc->pTmpKeys[SSL_TKPIDX_RSA512] = NULL;
@@ -506,6 +514,7 @@
             RSA_free((RSA *)mc->pTmpKeys[SSL_TKPIDX_RSA1024]);
             mc->pTmpKeys[SSL_TKPIDX_RSA1024] = NULL;
         }
+#endif
         if (mc->pTmpKeys[SSL_TKPIDX_DH512] != NULL) {
             DH_free((DH *)mc->pTmpKeys[SSL_TKPIDX_DH512]);
             mc->pTmpKeys[SSL_TKPIDX_DH512] = NULL;
@@ -788,19 +797,26 @@
         ssl_log(s, SSL_LOG_TRACE,
                 "Init: (%s) Configuring RSA server private key", cpVHostID);
         ucp = asn1->cpData;
+#if defined SSL_EXPERIMENTAL_ENGINE && SSL_LIBRARY_VERSION >= 0x00907000
+        if ((sc->pPrivateKey[SSL_AIDX_RSA] = 
+             d2i_PublicKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)) == NULL) {
+#else
         if ((sc->pPrivateKey[SSL_AIDX_RSA] = 
              d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ucp, asn1->nData)) == NULL) {
+#endif
             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                     "Init: (%s) Unable to import RSA server private key",
                     cpVHostID);
             ssl_die();
         }
+#if !defined SSL_EXPERIMENTAL_ENGINE
         if (!RSA_blinding_on(sc->pPrivateKey[SSL_AIDX_RSA]->pkey.rsa, NULL)) {
             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                     "Init: (%s) Unable to enable RSA blinding (probably PRNG failure)",
                     cpVHostID);
             ssl_die();
         }
+#endif
         if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
             ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                     "Init: (%s) Unable to configure RSA server private key",
@@ -1045,7 +1061,11 @@
 
 void ssl_init_ChildKill(void *data)
 {
+#ifdef SSL_EXPERIMENTAL_ENGINE
+    pkcs11_FreeSession();
+#else
     /* currently nothing to do */
+#endif
     return;
 }
 
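Review bot: `pkcs11_FreeSession()` is called with no prototype visible in this file; unless a header already included by ssl_engine_init.c declares it, this is an implicit declaration and the function should be declared in a shared project header rather than defaulting to `int`. The call also releases the device session but not the `tmpRSA` object that the engine-build `ssl_callback_TmpRSA` in ssl_engine_kernel.c caches per child, so that key outlives the session it was created under; consider releasing it here as well via a small helper (a `pkcs11_FreeTmpRSA()`-style function — name constructed).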
--- mod_ssl-2.8.14-1.3.27/pkg.sslmod/ssl_engine_kernel.c	Fri Mar 21 13:39:47 2003
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslmod/ssl_engine_kernel.c	Fri Jun  6 11:24:04 2003
@@ -1409,6 +1409,7 @@
  * So we generated 512 and 1024 bit temporary keys on startup
  * which we now just handle out on demand....
  */
+#ifndef SSL_EXPERIMENTAL_ENGINE
 RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
 {
     SSLModConfigRec *mc = myModConfig();
@@ -1431,6 +1432,18 @@
     }
     return rsa;
 }
+#else
+extern RSA* pkcs11_RSA_generate_tmp_key(int bits, unsigned long e_value,
+					  void (*callback)(int,int,void *),
+					  void *cb_arg);
+static RSA* tmpRSA=NULL;
+RSA *ssl_callback_TmpRSA(SSL *pSSL, int nExport, int nKeyLen)
+{
+    if (tmpRSA == NULL)
+	tmpRSA = pkcs11_RSA_generate_tmp_key(nKeyLen, RSA_F4, NULL, NULL);
+    return tmpRSA;
+}
+#endif
 
 /* 
  * Handle out the already generated DH parameters...
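Review bot: The engine-build `ssl_callback_TmpRSA` caches one key in the static `tmpRSA` and ignores `nExport` and, after the first call, `nKeyLen`: whichever length the first handshake asked for is what every later handshake gets, so an export-cipher handshake after a 1024-bit request receives a 1024-bit temporary key the export suite cannot use, and a non-export handshake after a 512-bit request gets a 512-bit key. Keep one cached key per requested length, e.g. `static RSA *tmpRSA[2]; int idx = (nKeyLen == 512) ? 0 : 1;` and generate into `tmpRSA[idx]`, or at least compare `nKeyLen` with `RSA_size()` of the cached key before returning it. The `extern` prototype for `pkcs11_RSA_generate_tmp_key` belongs in a header shared with its definition, and the cached key is never freed at child exit (ssl_init_ChildKill only calls `pkcs11_FreeSession`).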
--- mod_ssl-2.8.14-1.3.27/pkg.sslmod/ssl_engine_log.c	Wed Mar 27 18:12:52 2002
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslmod/ssl_engine_log.c	Fri Jun  6 11:24:04 2003
@@ -289,22 +289,45 @@
                          strerror(safe_errno), safe_errno);
     }
     if (add & SSL_ADD_SSLERR) {
+#ifdef SSL_EXPERIMENTAL_ENGINE
+	const char *file,*data;
+	int line,flags;
+        while ((e = ERR_get_error_line_data(&file,&line,&data,&flags))) {
+#else
         while ((e = ERR_get_error())) {
+#endif
             cpE = ERR_error_string(e, NULL);
             cpA = ssl_log_annotation(cpE);
             if (level <= sc->nLogLevel && sc->fileLogFile != NULL) {
+#ifdef SSL_EXPERIMENTAL_ENGINE
+                ap_snprintf(str, sizeof(str), "%s%s%s: %s: %s:%s%s%s%s",
+                            tstr, lstr, SSL_LIBRARY_NAME, cpE,
+			     data!= NULL ? data : "" ,
+                            cpA != NULL ? " [Hint: " : "",
+                            cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
+                            nstr);
+#else
                 ap_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
                             tstr, lstr, SSL_LIBRARY_NAME, cpE,
                             cpA != NULL ? " [Hint: " : "",
                             cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
                             nstr);
+#endif
                 fprintf(sc->fileLogFile, "%s", str);
             }
             if (level & SSL_LOG_ERROR)
+#ifdef SSL_EXPERIMENTAL_ENGINE
+                ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
+                             "%s: %s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
+			      data!= NULL ? data : "" ,
+                             cpA != NULL ? " [Hint: " : "",
+                             cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
+#else
                 ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, s,
                              "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
                              cpA != NULL ? " [Hint: " : "",
                              cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
+#endif
         }
     }
     /* make sure the next log starts from a clean base */
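Review bot: `data` is formatted with `%s` whenever it is non-NULL, but `ERR_get_error_line_data` only guarantees that `data` points to a string when `flags & ERR_TXT_STRING` is set; both `data!= NULL ? data : ""` sites should read `(flags & ERR_TXT_STRING) && data != NULL ? data : ""`. `file` and `line` are fetched and never used, and the `ERR_get_error_line_data` path is not engine-specific, so it could replace the plain `ERR_get_error` branch unconditionally instead of duplicating the `ap_snprintf` and `ap_log_error` calls under `#ifdef`. The `if (level & SSL_LOG_ERROR)` statement now has a preprocessor conditional as its single unbraced body; brace it so the structure survives further edits. The enclosing function continues outside the hunk.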
--- mod_ssl-2.8.14-1.3.27/pkg.sslmod/ssl_engine_pphrase.c	Sat Feb 23 19:45:45 2002
+++ mod_ssl-2.8.14-1.3.27-afchine/pkg.sslmod/ssl_engine_pphrase.c	Fri Jun  6 11:24:04 2003
@@ -102,7 +102,8 @@
     ssl_algo_t algoCert, algoKey, at;
     char *an;
     char *cp;
-
+    ENGINE *e;
+    
     /*
      * Start with a fresh pass phrase array
      */
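Review bot: `ENGINE *e;` is declared unconditionally, but its only uses are inside `#if defined SSL_EXPERIMENTAL_ENGINE && SSL_LIBRARY_VERSION >= 0x00907000`, so the non-engine build gets an unused variable and depends on the `ENGINE` type being visible at all; put the declaration under the same guard. The replaced blank line also now carries trailing whitespace. The enclosing function starts outside the hunk.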
@@ -231,6 +232,20 @@
                  * the callback function which serves the pass
                  * phrases to OpenSSL
                  */
+#if defined SSL_EXPERIMENTAL_ENGINE && SSL_LIBRARY_VERSION >= 0x00907000
+		if (mc->szCryptoDevice != NULL) {
+		    if ((e = ENGINE_by_id(mc->szCryptoDevice)) == NULL) {
+			ssl_log(s, SSL_LOG_ERROR, "Init: Failed to load Crypto Device API `%s'",
+				mc->szCryptoDevice);
+			ssl_die();
+		    }
+		    bReadable = ((pPrivateKey = ENGINE_load_private_key(e, szPath,
+				NULL, NULL)) != NULL ? TRUE : FALSE);
+		    ENGINE_free(e);
+		}
+		else
+		{
+#endif
                 if ((fp = ap_pfopen(p, szPath, "r")) == NULL) {
                     ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
                             "Init: Can't open server private key file %s", szPath);
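Review bot: A failed `ENGINE_by_id` is logged without `SSL_ADD_SSLERR`, so the OpenSSL error queue that explains why the engine could not be found is discarded; use `ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Failed to load Crypto Device API `%s'", mc->szCryptoDevice);`. `ENGINE_load_private_key` needs a functional reference on the engine, and this code holds only the structural reference from `ENGINE_by_id`, so it presumably works only because `ssl_init_Engine` now runs before `ssl_pphrase_Handle` (the ssl_engine_init.c hunk) and keeps the engine initialised — record that assumption in a comment here, or take and release an `ENGINE_init`/`ENGINE_finish` pair around the load. The `else` and `{` on separate lines and the tab indentation also differ from the surrounding style. The enclosing loop continues outside the hunk.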
@@ -240,7 +255,9 @@
                 bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL,
                              ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE);
                 ap_pfclose(p, fp);
-
+#if defined SSL_EXPERIMENTAL_ENGINE && SSL_LIBRARY_VERSION >= 0x00907000
+		}
+#endif
                 /*
                  * when the private key file now was readable,
                  * it's fine and we go out of the loop
@@ -351,9 +368,17 @@
              */
             cp = ap_psprintf(mc->pPool, "%s:%s", cpVHostID, an);
             asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tPrivateKey, cp);
+#if defined SSL_EXPERIMENTAL_ENGINE && SSL_LIBRARY_VERSION >= 0x00907000
+            asn1->nData  = i2d_PublicKey(pPrivateKey, NULL);
+#else
             asn1->nData  = i2d_PrivateKey(pPrivateKey, NULL);
+#endif
             asn1->cpData = ap_palloc(mc->pPool, asn1->nData);
+#if defined SSL_EXPERIMENTAL_ENGINE && SSL_LIBRARY_VERSION >= 0x00907000
+            ucp = asn1->cpData; i2d_PublicKey(pPrivateKey, &ucp); /* 2nd arg increments */
+#else
             ucp = asn1->cpData; i2d_PrivateKey(pPrivateKey, &ucp); /* 2nd arg increments */
+#endif
 
             /*
              * Free the private key structure
