httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kbr...@apache.org
Subject svn commit: r1544774 - in /httpd/httpd/trunk: STATUS modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_log.c modules/ssl/ssl_engine_pphrase.c modules/ssl/ssl_private.h modules/ssl/ssl_scache.c modules/ssl/ssl_util.c modules/ssl/ssl_util_stapling.c
Date Sat, 23 Nov 2013 12:22:48 GMT
Author: kbrand
Date: Sat Nov 23 12:22:47 2013
New Revision: 1544774

URL: http://svn.apache.org/r1544774
Log:
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.

Modified:
    httpd/httpd/trunk/STATUS
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_scache.c
    httpd/httpd/trunk/modules/ssl/ssl_util.c
    httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c

Modified: httpd/httpd/trunk/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/STATUS?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/STATUS (original)
+++ httpd/httpd/trunk/STATUS Sat Nov 23 12:22:47 2013
@@ -336,8 +336,6 @@ TODO ISSUES REMAINING IN MOD_SSL:
 
   * CRL callback should be pluggable
 
-  * init functions should return status code rather than ssl_die()
-
   * ssl_engine_pphrase.c needs to be reworked so it is generic enough
     to also decrypt proxy keys
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Nov 23 12:22:47 2013
@@ -59,13 +59,14 @@ static void ssl_add_version_components(a
 /*
  *  Per-module initialization
  */
-int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
-                    apr_pool_t *ptemp,
-                    server_rec *base_server)
+apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+                             apr_pool_t *ptemp,
+                             server_rec *base_server)
 {
     SSLModConfigRec *mc = myModConfig(base_server);
     SSLSrvConfigRec *sc;
     server_rec *s;
+    apr_status_t rv;
 
     if (SSLeay() < SSL_LIBRARY_VERSION) {
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
@@ -155,7 +156,9 @@ int ssl_init_Module(apr_pool_t *p, apr_p
      * SSL external crypto device ("engine") support
      */
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-    ssl_init_Engine(base_server, p);
+    if ((rv = ssl_init_Engine(base_server, p)) != APR_SUCCESS) {
+        return rv;
+    }
 #endif
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01883)
@@ -178,7 +181,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
             else {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die(s);
+                return ssl_die(s);
             }
         }
     }
@@ -194,7 +197,9 @@ int ssl_init_Module(apr_pool_t *p, apr_p
      * anything that needs to live longer than ptemp needs to also survive
      * restarts, in which case they'll live inside s->process->pool.
      */
-    ssl_pphrase_Handle(base_server, ptemp);
+    if ((rv = ssl_pphrase_Handle(base_server, ptemp)) != APR_SUCCESS) {
+        return rv;
+    }
 
     /*
      * initialize the mutex handling
@@ -209,7 +214,9 @@ int ssl_init_Module(apr_pool_t *p, apr_p
     /*
      * initialize session caching
      */
-    ssl_scache_init(base_server, p);
+    if ((rv = ssl_scache_init(base_server, p)) != APR_SUCCESS) {
+        return rv;
+    }
 
     /*
      *  initialize servers
@@ -228,13 +235,17 @@ int ssl_init_Module(apr_pool_t *p, apr_p
         /*
          * Read the server certificate and key
          */
-        ssl_init_ConfigureServer(s, p, ptemp, sc);
+        if ((rv = ssl_init_ConfigureServer(s, p, ptemp, sc)) != APR_SUCCESS) {
+            return rv;
+        }
     }
 
     /*
      * Configuration consistency checks
      */
-    ssl_init_CheckServers(base_server, ptemp);
+    if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
+        return rv;
+    }
 
     /*
      *  Announce mod_ssl and SSL library in HTTP Server field
@@ -252,7 +263,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
  * a hardware accellerator card for crypto operations.
  */
 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-void ssl_init_Engine(server_rec *s, apr_pool_t *p)
+apr_status_t ssl_init_Engine(server_rec *s, apr_pool_t *p)
 {
     SSLModConfigRec *mc = myModConfig(s);
     ENGINE *e;
@@ -263,7 +274,7 @@ void ssl_init_Engine(server_rec *s, apr_
                          "Init: Failed to load Crypto Device API `%s'",
                          mc->szCryptoDevice);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
         }
 
         if (strEQ(mc->szCryptoDevice, "chil")) {
@@ -275,7 +286,7 @@ void ssl_init_Engine(server_rec *s, apr_
                          "Init: Failed to enable Crypto Device API `%s'",
                          mc->szCryptoDevice);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
         }
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01890)
                      "Init: loaded Crypto Device API `%s'",
@@ -283,13 +294,15 @@ void ssl_init_Engine(server_rec *s, apr_
 
         ENGINE_free(e);
     }
+
+    return APR_SUCCESS;
 }
 #endif
 
-static void ssl_init_server_check(server_rec *s,
-                                  apr_pool_t *p,
-                                  apr_pool_t *ptemp,
-                                  modssl_ctx_t *mctx)
+static apr_status_t ssl_init_server_check(server_rec *s,
+                                          apr_pool_t *p,
+                                          apr_pool_t *ptemp,
+                                          modssl_ctx_t *mctx)
 {
     /*
      * check for important parameters and the
@@ -298,7 +311,7 @@ static void ssl_init_server_check(server
     if (!mctx->pks->cert_files[0] && !mctx->pkcs7) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891)
                 "No SSL Certificate set [hint: SSLCertificateFile]");
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     /*
@@ -314,16 +327,20 @@ static void ssl_init_server_check(server
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01892)
                 "Illegal attempt to re-initialise SSL for server "
                 "(SSLEngine On should go in the VirtualHost, not in global scope.)");
-        ssl_die(s);
+        return ssl_die(s);
     }
+
+    return APR_SUCCESS;
 }
 
 #ifdef HAVE_TLSEXT
-static void ssl_init_ctx_tls_extensions(server_rec *s,
-                                        apr_pool_t *p,
-                                        apr_pool_t *ptemp,
-                                        modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
+                                                apr_pool_t *p,
+                                                apr_pool_t *ptemp,
+                                                modssl_ctx_t *mctx)
 {
+    apr_status_t rv;
+
     /*
      * Configure TLS extensions support
      */
@@ -340,7 +357,7 @@ static void ssl_init_ctx_tls_extensions(
                      "Unable to initialize TLS servername extension "
                      "callback (incompatible OpenSSL version?)");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
 #ifdef HAVE_OCSP_STAPLING
@@ -348,7 +365,9 @@ static void ssl_init_ctx_tls_extensions(
      * OCSP Stapling support, status_request extension
      */
     if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
-        modssl_init_stapling(s, p, ptemp, mctx);
+        if ((rv = modssl_init_stapling(s, p, ptemp, mctx)) != APR_SUCCESS) {
+            return rv;
+        }
     }
 #endif
 
@@ -367,7 +386,7 @@ static void ssl_init_ctx_tls_extensions(
                          "[%s seed]",
                          mctx->srp_unknown_user_seed ? "with" : "without");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
         }
 
         err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
@@ -375,7 +394,7 @@ static void ssl_init_ctx_tls_extensions(
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
                          "Unable to load SRP verifier file [error %d]", err);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
         }
 
         SSL_CTX_set_srp_username_callback(mctx->ssl_ctx,
@@ -383,13 +402,14 @@ static void ssl_init_ctx_tls_extensions(
         SSL_CTX_set_srp_cb_arg(mctx->ssl_ctx, mctx);
     }
 #endif
+    return APR_SUCCESS;
 }
 #endif
 
-static void ssl_init_ctx_protocol(server_rec *s,
-                                  apr_pool_t *p,
-                                  apr_pool_t *ptemp,
-                                  modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+                                          apr_pool_t *p,
+                                          apr_pool_t *ptemp,
+                                          modssl_ctx_t *mctx)
 {
     SSL_CTX *ctx = NULL;
     MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
@@ -403,7 +423,7 @@ static void ssl_init_ctx_protocol(server
     if (protocol == SSL_PROTOCOL_NONE) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
                 "No SSL protocols available [hint: SSLProtocol]");
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     cp = apr_pstrcat(p,
@@ -527,14 +547,14 @@ static void ssl_init_ctx_protocol(server
                          "Error SSL_CONF_cmd(\"%s\",\"%s\")",
                          param->name, param->value);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
         }
     }
     if (SSL_CONF_CTX_finish(cctx) == 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
                          "Error SSL_CONF_CTX_finish()");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
     }
 }
 #endif
@@ -544,6 +564,8 @@ static void ssl_init_ctx_protocol(server
     if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
         SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+
+    return APR_SUCCESS;
 }
 
 static void ssl_init_ctx_session_cache(server_rec *s,
@@ -580,10 +602,10 @@ static void ssl_init_ctx_callbacks(serve
 #endif
 }
 
-static void ssl_init_ctx_verify(server_rec *s,
-                                apr_pool_t *p,
-                                apr_pool_t *ptemp,
-                                modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_verify(server_rec *s,
+                                        apr_pool_t *p,
+                                        apr_pool_t *ptemp,
+                                        modssl_ctx_t *mctx)
 {
     SSL_CTX *ctx = mctx->ssl_ctx;
 
@@ -628,7 +650,7 @@ static void ssl_init_ctx_verify(server_r
                     "Unable to configure verify locations "
                     "for client authentication");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die(s);
+            return ssl_die(s);
         }
 
         if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path))
{
@@ -643,7 +665,7 @@ static void ssl_init_ctx_verify(server_r
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896)
                     "Unable to determine list of acceptable "
                     "CA certificates for client authentication");
-            ssl_die(s);
+            return ssl_die(s);
         }
 
         SSL_CTX_set_client_CA_list(ctx, ca_list);
@@ -663,12 +685,14 @@ static void ssl_init_ctx_verify(server_r
                          "verification!?  [Hint: SSLCACertificate*]");
         }
     }
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_ctx_cipher_suite(server_rec *s,
-                                      apr_pool_t *p,
-                                      apr_pool_t *ptemp,
-                                      modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
+                                              apr_pool_t *p,
+                                              apr_pool_t *ptemp,
+                                              modssl_ctx_t *mctx)
 {
     SSL_CTX *ctx = mctx->ssl_ctx;
     const char *suite;
@@ -690,14 +714,16 @@ static void ssl_init_ctx_cipher_suite(se
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01898)
                 "Unable to configure permitted SSL ciphers");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_ctx_crl(server_rec *s,
-                             apr_pool_t *p,
-                             apr_pool_t *ptemp,
-                             modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_crl(server_rec *s,
+                                     apr_pool_t *p,
+                                     apr_pool_t *ptemp,
+                                     modssl_ctx_t *mctx)
 {
     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
     unsigned long crlflags = 0;
@@ -714,9 +740,9 @@ static void ssl_init_ctx_crl(server_rec 
                          "Host %s: CRL checking has been enabled, but "
                          "neither %sCARevocationFile nor %sCARevocationPath "
                          "is configured", mctx->sc->vhost_id, cfgp, cfgp);
-            ssl_die(s);
+            return ssl_die(s);
         }
-        return;
+        return APR_SUCCESS;
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
@@ -728,7 +754,7 @@ static void ssl_init_ctx_crl(server_rec 
                      "Host %s: unable to configure X.509 CRL storage "
                      "for certificate revocation", mctx->sc->vhost_id);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     switch (mctx->crl_check_mode) {
@@ -750,14 +776,20 @@ static void ssl_init_ctx_crl(server_rec 
                      "but CRL checking (%sCARevocationCheck) is not "
                      "enabled", mctx->sc->vhost_id, cfgp);
     }
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_ctx_pkcs7_cert_chain(server_rec *s, modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_pkcs7_cert_chain(server_rec *s,
+                                                  modssl_ctx_t *mctx)
 {
     STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
     int n;
     STACK_OF(X509) *extra_certs = NULL;
 
+    if (!certs)
+        return APR_EGENERAL;
+
 #ifdef OPENSSL_NO_SSL_INTERN
     SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
 #else
@@ -767,20 +799,21 @@ static void ssl_init_ctx_pkcs7_cert_chai
     if (!extra_certs)
         for (n = 1; n < sk_X509_num(certs); ++n)
              SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_ctx_cert_chain(server_rec *s,
-                                    apr_pool_t *p,
-                                    apr_pool_t *ptemp,
-                                    modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
+                                            apr_pool_t *p,
+                                            apr_pool_t *ptemp,
+                                            modssl_ctx_t *mctx)
 {
     BOOL skip_first = FALSE;
     int i, n;
     const char *chain = mctx->cert_chain;
 
     if (mctx->pkcs7) {
-        ssl_init_ctx_pkcs7_cert_chain(s, mctx);
-        return;
+        return ssl_init_ctx_pkcs7_cert_chain(s, mctx);
     }
 
     /*
@@ -798,7 +831,7 @@ static void ssl_init_ctx_cert_chain(serv
      * used only for the server certificate chain.
      */
     if (!chain) {
-        return;
+        return APR_SUCCESS;
     }
 
     for (i = 0; (i < SSL_AIDX_MAX) && mctx->pks->cert_files[i]; i++) {
@@ -814,45 +847,64 @@ static void ssl_init_ctx_cert_chain(serv
     if (n < 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
                 "Failed to configure CA certificate chain!");
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01904)
                  "Configuring server certificate chain "
                  "(%d CA certificate%s)",
                  n, n == 1 ? "" : "s");
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_ctx(server_rec *s,
-                         apr_pool_t *p,
-                         apr_pool_t *ptemp,
-                         modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ctx(server_rec *s,
+                                 apr_pool_t *p,
+                                 apr_pool_t *ptemp,
+                                 modssl_ctx_t *mctx)
 {
-    ssl_init_ctx_protocol(s, p, ptemp, mctx);
+    apr_status_t rv;
+
+    if ((rv = ssl_init_ctx_protocol(s, p, ptemp, mctx)) != APR_SUCCESS) {
+        return rv;
+    }
 
     ssl_init_ctx_session_cache(s, p, ptemp, mctx);
 
     ssl_init_ctx_callbacks(s, p, ptemp, mctx);
 
-    ssl_init_ctx_verify(s, p, ptemp, mctx);
+    if ((rv = ssl_init_ctx_verify(s, p, ptemp, mctx)) != APR_SUCCESS) {
+        return rv;
+    }
 
-    ssl_init_ctx_cipher_suite(s, p, ptemp, mctx);
+    if ((rv = ssl_init_ctx_cipher_suite(s, p, ptemp, mctx)) != APR_SUCCESS) {
+        return rv;
+    }
 
-    ssl_init_ctx_crl(s, p, ptemp, mctx);
+    if ((rv = ssl_init_ctx_crl(s, p, ptemp, mctx)) != APR_SUCCESS) {
+        return rv;
+    }
 
     if (mctx->pks) {
         /* XXX: proxy support? */
-        ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
+        if ((rv = ssl_init_ctx_cert_chain(s, p, ptemp, mctx)) != APR_SUCCESS) {
+            return rv;
+        }
 #ifdef HAVE_TLSEXT
-        ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
+        if ((rv = ssl_init_ctx_tls_extensions(s, p, ptemp, mctx)) !=
+            APR_SUCCESS) {
+            return rv;
+        }
 #endif
     }
+
+    return APR_SUCCESS;
 }
 
-static int ssl_server_import_cert(server_rec *s,
-                                  modssl_ctx_t *mctx,
-                                  const char *id,
-                                  int idx)
+static apr_status_t ssl_server_import_cert(server_rec *s,
+                                           modssl_ctx_t *mctx,
+                                           const char *id,
+                                           int idx)
 {
     SSLModConfigRec *mc = myModConfig(s);
     ssl_asn1_t *asn1;
@@ -861,7 +913,7 @@ static int ssl_server_import_cert(server
     X509 *cert;
 
     if (!(asn1 = ssl_asn1_table_get(mc->tPublicCert, id))) {
-        return FALSE;
+        return APR_EGENERAL;
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02232)
@@ -872,14 +924,14 @@ static int ssl_server_import_cert(server
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02233)
                 "Unable to import %s server certificate", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02234)
                 "Unable to configure %s server certificate", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
 #ifdef HAVE_OCSP_STAPLING
@@ -893,13 +945,13 @@ static int ssl_server_import_cert(server
 
     mctx->pks->certs[idx] = cert;
 
-    return TRUE;
+    return APR_SUCCESS;
 }
 
-static int ssl_server_import_key(server_rec *s,
-                                 modssl_ctx_t *mctx,
-                                 const char *id,
-                                 int idx)
+static apr_status_t ssl_server_import_key(server_rec *s,
+                                          modssl_ctx_t *mctx,
+                                          const char *id,
+                                          int idx)
 {
     SSLModConfigRec *mc = myModConfig(s);
     ssl_asn1_t *asn1;
@@ -916,7 +968,7 @@ static int ssl_server_import_key(server_
     pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
 
     if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
-        return FALSE;
+        return APR_EGENERAL;
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02236)
@@ -928,14 +980,14 @@ static int ssl_server_import_key(server_
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02237)
                 "Unable to import %s server private key", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02238)
                 "Unable to configure %s server private key", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     /*
@@ -956,7 +1008,7 @@ static int ssl_server_import_key(server_
 
     mctx->pks->keys[idx] = pkey;
 
-    return TRUE;
+    return APR_SUCCESS;
 }
 
 static void ssl_check_public_cert(server_rec *s,
@@ -1006,10 +1058,10 @@ static void ssl_check_public_cert(server
     }
 }
 
-static void ssl_init_server_certs(server_rec *s,
-                                  apr_pool_t *p,
-                                  apr_pool_t *ptemp,
-                                  modssl_ctx_t *mctx)
+static apr_status_t ssl_init_server_certs(server_rec *s,
+                                          apr_pool_t *p,
+                                          apr_pool_t *ptemp,
+                                          modssl_ctx_t *mctx)
 {
     const char *rsa_id, *dsa_id;
 #ifdef HAVE_ECC
@@ -1020,10 +1072,10 @@ static void ssl_init_server_certs(server
 #endif
     const char *vhost_id = mctx->sc->vhost_id;
     int i;
-    int have_rsa, have_dsa;
+    apr_status_t have_rsa, have_dsa;
     DH *dhparams;
 #ifdef HAVE_ECC
-    int have_ecc;
+    apr_status_t have_ecc;
 #endif
 
     rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
@@ -1038,15 +1090,15 @@ static void ssl_init_server_certs(server
     have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
 #endif
 
-    if (!(have_rsa || have_dsa
+    if ((have_rsa != APR_SUCCESS) && (have_dsa != APR_SUCCESS)
 #ifdef HAVE_ECC
-        || have_ecc
+        && (have_ecc != APR_SUCCESS)
 #endif
-)) {
+) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910)
                 "Oops, no " KEYTYPES " server certificate found "
                 "for '%s:%d'?!", s->server_hostname, s->port);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     for (i = 0; i < SSL_AIDX_MAX; i++) {
@@ -1059,14 +1111,14 @@ static void ssl_init_server_certs(server
     have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
 #endif
 
-    if (!(have_rsa || have_dsa
+    if ((have_rsa != APR_SUCCESS) && (have_dsa != APR_SUCCESS)
 #ifdef HAVE_ECC
-        || have_ecc
+        && (have_ecc != APR_SUCCESS)
 #endif
-          )) {
+          ) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01911)
                 "Oops, no " KEYTYPES " server private key found?!");
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     /*
@@ -1102,13 +1154,15 @@ static void ssl_init_server_certs(server
                              EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
     }
 #endif
+
+    return APR_SUCCESS;
 }
 
 #ifdef HAVE_TLS_SESSION_TICKETS
-static void ssl_init_ticket_key(server_rec *s,
-                                apr_pool_t *p,
-                                apr_pool_t *ptemp,
-                                modssl_ctx_t *mctx)
+static apr_status_t ssl_init_ticket_key(server_rec *s,
+                                        apr_pool_t *p,
+                                        apr_pool_t *ptemp,
+                                        modssl_ctx_t *mctx)
 {
     apr_status_t rv;
     apr_file_t *fp;
@@ -1118,7 +1172,7 @@ static void ssl_init_ticket_key(server_r
     modssl_ticket_key_t *ticket_key = mctx->ticket_key;
 
     if (!ticket_key->file_path) {
-        return;
+        return APR_SUCCESS;
     }
 
     path = ap_server_root_relative(p, ticket_key->file_path);
@@ -1130,7 +1184,7 @@ static void ssl_init_ticket_key(server_r
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02286)
                      "Failed to open ticket key file %s: (%d) %pm",
                      path, rv, &rv);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     rv = apr_file_read_full(fp, &buf[0], TLSEXT_TICKET_KEY_LEN, &len);
@@ -1139,7 +1193,7 @@ static void ssl_init_ticket_key(server_r
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02287)
                      "Failed to read %d bytes from %s: (%d) %pm",
                      TLSEXT_TICKET_KEY_LEN, path, rv, &rv);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     memcpy(ticket_key->key_name, buf, 16);
@@ -1152,19 +1206,21 @@ static void ssl_init_ticket_key(server_r
                      "Unable to initialize TLS session ticket key callback "
                      "(incompatible OpenSSL version?)");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02288)
                  "TLS session ticket key for %s successfully loaded from %s",
                  (mySrvConfig(s))->vhost_id, path);
+
+    return APR_SUCCESS;
 }
 #endif
 
-static void ssl_init_proxy_certs(server_rec *s,
-                                 apr_pool_t *p,
-                                 apr_pool_t *ptemp,
-                                 modssl_ctx_t *mctx)
+static apr_status_t ssl_init_proxy_certs(server_rec *s,
+                                         apr_pool_t *p,
+                                         apr_pool_t *ptemp,
+                                         modssl_ctx_t *mctx)
 {
     int n, ncerts = 0;
     STACK_OF(X509_INFO) *sk;
@@ -1177,7 +1233,7 @@ static void ssl_init_proxy_certs(server_
                                ssl_callback_proxy_cert);
 
     if (!(pkp->cert_file || pkp->cert_path)) {
-        return;
+        return APR_SUCCESS;
     }
 
     sk = sk_X509_INFO_new_null();
@@ -1194,7 +1250,7 @@ static void ssl_init_proxy_certs(server_
         sk_X509_INFO_free(sk);
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
                      "no client certs found for SSL proxy");
-        return;
+        return APR_SUCCESS;
     }
 
     /* Check that all client certs have got certificates and private
@@ -1208,8 +1264,7 @@ static void ssl_init_proxy_certs(server_
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
                          "incomplete client cert configured for SSL proxy "
                          "(missing or encrypted private key?)");
-            ssl_die(s);
-            return;
+            return ssl_die(s);
         }
         
         if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
@@ -1217,8 +1272,7 @@ static void ssl_init_proxy_certs(server_
                            APLOGNO(02326) "proxy client certificate and "
                            "private key do not match");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
-            ssl_die(s);
-            return;
+            return ssl_die(s);
         }
     }
 
@@ -1229,7 +1283,7 @@ static void ssl_init_proxy_certs(server_
 
 
     if (!pkp->ca_cert_file || !store) {
-        return;
+        return APR_SUCCESS;
     }
 
     /* If SSLProxyMachineCertificateChainFile is configured, load all
@@ -1244,7 +1298,7 @@ static void ssl_init_proxy_certs(server_
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
                      "SSL proxy client cert initialization failed");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die(s);
+        return ssl_die(s);
     }
 
     X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
@@ -1302,56 +1356,86 @@ static void ssl_init_proxy_certs(server_
     }
 
     X509_STORE_CTX_free(sctx);
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_proxy_ctx(server_rec *s,
-                               apr_pool_t *p,
-                               apr_pool_t *ptemp,
-                               SSLSrvConfigRec *sc)
+static apr_status_t ssl_init_proxy_ctx(server_rec *s,
+                                       apr_pool_t *p,
+                                       apr_pool_t *ptemp,
+                                       SSLSrvConfigRec *sc)
 {
-    ssl_init_ctx(s, p, ptemp, sc->proxy);
+    apr_status_t rv;
 
-    ssl_init_proxy_certs(s, p, ptemp, sc->proxy);
+    if ((rv = ssl_init_ctx(s, p, ptemp, sc->proxy)) != APR_SUCCESS) {
+        return rv;
+    }
+
+    if ((rv = ssl_init_proxy_certs(s, p, ptemp, sc->proxy)) != APR_SUCCESS) {
+        return rv;
+    }
+
+    return APR_SUCCESS;
 }
 
-static void ssl_init_server_ctx(server_rec *s,
-                                apr_pool_t *p,
-                                apr_pool_t *ptemp,
-                                SSLSrvConfigRec *sc)
+static apr_status_t ssl_init_server_ctx(server_rec *s,
+                                        apr_pool_t *p,
+                                        apr_pool_t *ptemp,
+                                        SSLSrvConfigRec *sc)
 {
-    ssl_init_server_check(s, p, ptemp, sc->server);
+    apr_status_t rv;
+
+    if ((rv = ssl_init_server_check(s, p, ptemp, sc->server)) != APR_SUCCESS) {
+        return rv;
+    }
 
-    ssl_init_ctx(s, p, ptemp, sc->server);
+    if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
+        return rv;
+    }
 
-    ssl_init_server_certs(s, p, ptemp, sc->server);
+    if ((rv = ssl_init_server_certs(s, p, ptemp, sc->server)) != APR_SUCCESS) {
+        return rv;
+    }
 
 #ifdef HAVE_TLS_SESSION_TICKETS
-    ssl_init_ticket_key(s, p, ptemp, sc->server);
+    if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) {
+        return rv;
+    }
 #endif
+
+    return APR_SUCCESS;
 }
 
 /*
  * Configure a particular server
  */
-void ssl_init_ConfigureServer(server_rec *s,
-                              apr_pool_t *p,
-                              apr_pool_t *ptemp,
-                              SSLSrvConfigRec *sc)
+apr_status_t ssl_init_ConfigureServer(server_rec *s,
+                                      apr_pool_t *p,
+                                      apr_pool_t *ptemp,
+                                      SSLSrvConfigRec *sc)
 {
+    apr_status_t rv;
+
     /* Initialize the server if SSL is enabled or optional.
      */
     if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL))
{
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914)
                      "Configuring server %s for SSL protocol", sc->vhost_id);
-        ssl_init_server_ctx(s, p, ptemp, sc);
+        if ((rv = ssl_init_server_ctx(s, p, ptemp, sc)) != APR_SUCCESS) {
+            return rv;
+        }
     }
 
     if (sc->proxy_enabled) {
-        ssl_init_proxy_ctx(s, p, ptemp, sc);
+        if ((rv = ssl_init_proxy_ctx(s, p, ptemp, sc)) != APR_SUCCESS) {
+            return rv;
+        }
     }
+
+    return APR_SUCCESS;
 }
 
-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
 {
     server_rec *s, *ps;
     SSLSrvConfigRec *sc;
@@ -1444,6 +1528,8 @@ void ssl_init_CheckServers(server_rec *b
                      "support (RFC 4366)");
 #endif
     }
+
+    return APR_SUCCESS;
 }
 
 static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
@@ -1534,7 +1620,8 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList
             ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211)
                     "Failed to open Certificate Path `%s'",
                     ca_path);
-            ssl_die(s);
+            sk_X509_NAME_pop_free(ca_list, X509_NAME_free);
+            return NULL;
         }
 
         while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Sat Nov 23 12:22:47 2013
@@ -63,7 +63,7 @@ static const char *ssl_log_annotation(co
     return ssl_log_annotate[i].cpAnnotation;
 }
 
-void ssl_die(server_rec *s)
+apr_status_t ssl_die(server_rec *s)
 {
     if (s != NULL && s->is_virtual && s->error_fname != NULL)
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02311)
@@ -75,13 +75,7 @@ void ssl_die(server_rec *s)
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02312)
                      "Fatal error initialising mod_ssl, exiting.");
 
-    /*
-     * This is used for fatal errors and here
-     * it is common module practice to really
-     * exit from the complete program.
-     * XXX: The config hooks should return errors instead of calling exit().
-     */
-    exit(1);
+    return APR_EGENERAL;
 }
 
 /*

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Sat Nov 23 12:22:47 2013
@@ -135,7 +135,7 @@ static void pphrase_array_clear(apr_arra
  * here should be split out into a separate function for improved
  * readability.  The myCtxVarGet abomination can be thrown away with
  * SSLC support, vastly simplifying the code. */
-void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
+apr_status_t ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
 {
     SSLModConfigRec *mc = myModConfig(s);
     SSLSrvConfigRec *sc;
@@ -196,7 +196,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                          "Server should be SSL-aware but has no certificate "
                          "configured [Hint: SSLCertificateFile] (%s:%d)",
                          pServ->defn_name, pServ->defn_line_number);
-            ssl_die(pServ);
+            return ssl_die(pServ);
         }
 
         /* Bitmasks for all key algorithms configured for this server;
@@ -215,6 +215,8 @@ void ssl_pphrase_Handle(server_rec *s, a
             if (sc->server->pkcs7) {
                 STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
                                                        sc->server->pkcs7);
+                if (!certs)
+                    return APR_EGENERAL;
                 pX509Cert = sk_X509_value(certs, 0);
                 i = SSL_AIDX_MAX;
             } else {
@@ -225,14 +227,14 @@ void ssl_pphrase_Handle(server_rec *s, a
                     ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
                                  "Init: Can't open server certificate file %s",
                                  szPath);
-                    ssl_die(s);
+                    return ssl_die(s);
                 }
                 if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
                                  "Init: Unable to read server certificate from"
                                  " file %s", szPath);
                     ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                    ssl_die(s);
+                    return ssl_die(s);
                 }
                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
                              "Init: Read server certificate from '%s'",
@@ -249,7 +251,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                              "Init: Multiple %s server certificates not "
                              "allowed", an);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die(s);
+                return ssl_die(s);
             }
             algoCert |= at;
 
@@ -328,7 +330,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                      ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02243)
                                   "Init: Can't open server private key file "
                                   "%s",szPath);
-                     ssl_die(s);
+                     return ssl_die(s);
                 }
 
                 /*
@@ -425,7 +427,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                                  "Init: SSLPassPhraseDialog builtin is not "
                                  "supported on Win32 (key file "
                                  "%s)", szPath);
-                    ssl_die(s);
+                    return ssl_die(s);
                 }
 #endif /* WIN32 */
 
@@ -464,7 +466,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                         apr_file_printf(writetty, "**Stopped\n");
                     }
                 }
-                ssl_die(pServ);
+                return ssl_die(pServ);
             }
 
             /* If a cached private key was found, nothing more to do
@@ -479,7 +481,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                             "file %s [Hint: Perhaps it is in a separate file? "
                             "  See SSLCertificateKeyFile]", szPath);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die(s);
+                return ssl_die(s);
             }
 
             /*
@@ -493,7 +495,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                              "Init: Multiple %s server private keys not "
                              "allowed", an);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die(s);
+                return ssl_die(s);
             }
             algoKey |= at;
 
@@ -579,7 +581,8 @@ void ssl_pphrase_Handle(server_rec *s, a
         apr_file_close(writetty);
         readtty = writetty = NULL;
     }
-    return;
+
+    return APR_SUCCESS;
 }
 
 static apr_status_t ssl_pipe_child_create(apr_pool_t *p, const char *progname)

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Nov 23 12:22:47 2013
@@ -789,10 +789,10 @@ const char *ssl_cmd_SSLSRPUnknownUserSee
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
 
 /**  module initialization  */
-int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
-void         ssl_init_Engine(server_rec *, apr_pool_t *);
-void         ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec
*);
-void         ssl_init_CheckServers(server_rec *, apr_pool_t *);
+apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
+apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec
*);
+apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
 STACK_OF(X509_NAME)
             *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
 void         ssl_init_Child(apr_pool_t *, server_rec *);
@@ -830,7 +830,7 @@ int         ssl_callback_SessionTicket(S
 int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len,
void *arg);
 
 /**  Session Cache Support  */
-void         ssl_scache_init(server_rec *, apr_pool_t *);
+apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
 void         ssl_scache_status_register(apr_pool_t *p);
 void         ssl_scache_kill(server_rec *);
 BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
@@ -851,7 +851,7 @@ const char *ssl_cmd_SSLStaplingReturnRes
 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
-void         modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t
*);
+apr_status_t modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t
*);
 void         ssl_stapling_ex_init(void);
 int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
 #endif
@@ -885,7 +885,7 @@ void         ssl_util_thread_setup(apr_p
 int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);
 
 /**  Pass Phrase Support  */
-void         ssl_pphrase_Handle(server_rec *, apr_pool_t *);
+apr_status_t ssl_pphrase_Handle(server_rec *, apr_pool_t *);
 
 /**  Diffie-Hellman Parameter Support  */
 DH           *ssl_dh_GetParamFromFile(const char *);
@@ -923,8 +923,9 @@ int          ssl_stapling_mutex_reinit(s
 #define SSL_CACHE_MUTEX_TYPE    "ssl-cache"
 #define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"
 
+apr_status_t ssl_die(server_rec *);
+
 /**  Logfile Support  */
-void         ssl_die(server_rec *);
 void         ssl_log_ssl_error(const char *, int, int, server_rec *);
 
 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the

Modified: httpd/httpd/trunk/modules/ssl/ssl_scache.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_scache.c?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_scache.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_scache.c Sat Nov 23 12:22:47 2013
@@ -37,7 +37,7 @@
 **  _________________________________________________________________
 */
 
-void ssl_scache_init(server_rec *s, apr_pool_t *p)
+apr_status_t ssl_scache_init(server_rec *s, apr_pool_t *p)
 {
     SSLModConfigRec *mc = myModConfig(s);
     apr_status_t rv;
@@ -49,7 +49,7 @@ void ssl_scache_init(server_rec *s, apr_
      * will be immediately cleared anyway.  For every subsequent
      * invocation, initialize the configured cache. */
     if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
-        return;
+        return APR_SUCCESS;
 
 #ifdef HAVE_OCSP_STAPLING
     if (mc->stapling_cache) {
@@ -63,7 +63,7 @@ void ssl_scache_init(server_rec *s, apr_
         if (rv) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872)
                          "Could not initialize stapling cache. Exiting.");
-            ssl_die(s);
+            return ssl_die(s);
         }
     }
 #endif
@@ -76,7 +76,7 @@ void ssl_scache_init(server_rec *s, apr_
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01873)
                      "Init: Session Cache is not configured "
                      "[hint: SSLSessionCache]");
-        return;
+        return APR_SUCCESS;
     }
 
     memset(&hints, 0, sizeof hints);
@@ -88,8 +88,10 @@ void ssl_scache_init(server_rec *s, apr_
     if (rv) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874)
                      "Could not initialize session cache. Exiting.");
-        ssl_die(s);
+        return ssl_die(s);
     }
+
+    return APR_SUCCESS;
 }
 
 void ssl_scache_kill(server_rec *s)

Modified: httpd/httpd/trunk/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util.c?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util.c Sat Nov 23 12:22:47 2013
@@ -286,15 +286,16 @@ STACK_OF(X509) *ssl_read_pkcs7(server_re
     f = fopen(pkcs7, "r");
     if (!f) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02212) "Can't open %s", pkcs7);
-        ssl_die(s);
+        return NULL;
     }
 
     p7 = PEM_read_PKCS7(f, NULL, NULL, NULL);
+    fclose(f);
     if (!p7) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02274)
                      "Can't read PKCS7 object %s", pkcs7);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_CRIT, s);
-        exit(1);
+        return NULL;
     }
 
     switch (OBJ_obj2nid(p7->type)) {
@@ -313,17 +314,15 @@ STACK_OF(X509) *ssl_read_pkcs7(server_re
     default:
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02213)
                      "Don't understand PKCS7 file %s", pkcs7);
-        ssl_die(s);
+        return NULL;
     }
 
     if (!certs) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02214)
                      "No certificates in %s", pkcs7);
-        ssl_die(s);
+        return NULL;
     }
 
-    fclose(f);
-
     return certs;
 }
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1544774&r1=1544773&r2=1544774&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Sat Nov 23 12:22:47 2013
@@ -653,8 +653,8 @@ static int stapling_cb(SSL *ssl, void *a
 
 }
 
-void modssl_init_stapling(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
-                          modssl_ctx_t *mctx)
+apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p,
+                                  apr_pool_t *ptemp, modssl_ctx_t *mctx)
 {
     SSL_CTX *ctx = mctx->ssl_ctx;
     SSLModConfigRec *mc = myModConfig(s);
@@ -662,12 +662,12 @@ void modssl_init_stapling(server_rec *s,
     if (mc->stapling_cache == NULL) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
                      "SSLStapling: no stapling cache available");
-        ssl_die(s);
+        return ssl_die(s);
     }
     if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
                      "SSLStapling: cannot initialise stapling mutex");
-        ssl_die(s);
+        return ssl_die(s);
     }
     /* Set some default values for parameters if they are not set */
     if (mctx->stapling_resptime_skew == UNSET) {
@@ -690,6 +690,8 @@ void modssl_init_stapling(server_rec *s,
     }
     SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb);
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01960) "OCSP stapling initialized");
+
+    return APR_SUCCESS;
 }
 
 #endif



Mime
View raw message