httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl mod_ssl.h ssl_engine_init.c ssl_engine_kernel.c ssl_engine_pphrase.c ssl_toolkit_compat.h ssl_util.c ssl_util_ssl.c ssl_util_ssl.h
Date Fri, 16 May 2003 18:12:19 GMT
wrowe       2003/05/16 11:12:19

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES
               modules/ssl Tag: APACHE_2_0_BRANCH mod_ssl.h
                        ssl_engine_init.c ssl_engine_kernel.c
                        ssl_engine_pphrase.c ssl_toolkit_compat.h
                        ssl_util.c ssl_util_ssl.c ssl_util_ssl.h
  Log:
    Backport the RSA SSL-C compatibility changes.  More work remains because
    not all of the headers required for the 'openssl way' of doing things
    are in the headers from the binary distribution.  While the source distro
    doesn't suffer as many problems, we should find ways to individually
    cripple those features for the binary distro that most users will have
    installed.
  
    Mucho thanks to Trawick for his efforts in keeping the patch in sync.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.988.2.100 +6 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.99
  retrieving revision 1.988.2.100
  diff -u -r1.988.2.99 -r1.988.2.100
  --- CHANGES	15 May 2003 20:28:16 -0000	1.988.2.99
  +++ CHANGES	16 May 2003 18:12:17 -0000	1.988.2.100
  @@ -1,5 +1,11 @@
   Changes with Apache 2.0.46
   
  +  *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
  +     for SSLC and OpenSSL toolkit compatibility.  Still work remains to
  +     be done to cripple features based on the limitations of RSA's binary 
  +     distribution of their SSL-C toolkit.
  +     [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
  +
     *) Linux 2.4+: If Apache is started as root and you code 
        CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
        [Greg Ames]
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.122.2.5 +19 -6     httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.122.2.4
  retrieving revision 1.122.2.5
  diff -u -r1.122.2.4 -r1.122.2.5
  --- mod_ssl.h	17 Apr 2003 13:35:32 -0000	1.122.2.4
  +++ mod_ssl.h	16 May 2003 18:12:18 -0000	1.122.2.5
  @@ -109,7 +109,19 @@
   
   #define MOD_SSL_VERSION AP_SERVER_BASEREVISION
   
  -/* OpenSSL headers */
  +#ifdef HAVE_SSLC
  +  
  +#include <bio.h>
  +#include <ssl.h>
  +#include <err.h>
  +#include <x509.h>
  +#include <pem.h>
  +#include <evp.h>
  +#include <objects.h>
  +#include <sslc.h>
  +
  +#else /* !HAVE_SSLC (implicit HAVE_OPENSSL) */
  +
   #include <ssl.h>
   #include <err.h>
   #include <x509.h>
  @@ -120,14 +132,15 @@
   #ifdef SSL_EXPERIMENTAL_ENGINE
   #include <engine.h>
   #endif
  -
  -#include "ssl_toolkit_compat.h"
  -
   #ifdef HAVE_SSL_X509V3_H
   #include <x509v3.h>
   #endif
   
  +#endif /* !HAVE_SSLC (implicit HAVE_OPENSSL) */
  +
  +
   /* mod_ssl headers */
  +#include "ssl_toolkit_compat.h"
   #include "ssl_expr.h"
   #include "ssl_util_ssl.h"
   #include "ssl_util_table.h"
  @@ -601,11 +614,11 @@
   DH          *ssl_callback_TmpDH(SSL *, int, int);
   int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
   int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
  -int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
  +int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY
**pkey);
   int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
   SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
   void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
  -void         ssl_callback_LogTracingState(SSL *, int, int);
  +void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
   
   /*  Session Cache Support  */
   void         ssl_scache_init(server_rec *, apr_pool_t *);
  
  
  
  1.106.2.5 +12 -4     httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.106.2.4
  retrieving revision 1.106.2.5
  diff -u -r1.106.2.4 -r1.106.2.5
  --- ssl_engine_init.c	6 Mar 2003 08:44:01 -0000	1.106.2.4
  +++ ssl_engine_init.c	16 May 2003 18:12:18 -0000	1.106.2.5
  @@ -554,8 +554,8 @@
                        "Configuring client authentication");
   
           if (!SSL_CTX_load_verify_locations(ctx,
  -                                           mctx->auth.ca_cert_file,
  -                                           mctx->auth.ca_cert_path))
  +                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
  +                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
           {
               ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                       "Unable to configure verify locations "
  @@ -612,7 +612,7 @@
                    "Configuring permitted SSL ciphers [%s]", 
                    suite);
   
  -    if (!SSL_CTX_set_cipher_list(ctx, suite)) {
  +    if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
           ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                   "Unable to configure permitted SSL ciphers");
           ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
  @@ -1072,10 +1072,17 @@
       }
   }
   
  +#ifdef SSLC_VERSION_NUMBER
  +static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
  +{
  +    return(X509_NAME_cmp((void*)*a, (void*)*b));
  +}
  +#else
   static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
   {
       return(X509_NAME_cmp(*a, *b));
   }
  +#endif
   
   static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
                                   server_rec *s, const char *file)
  @@ -1083,7 +1090,8 @@
       int n;
       STACK_OF(X509_NAME) *sk;
   
  -    sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
  +    sk = (STACK_OF(X509_NAME) *)
  +             SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
   
       if (!sk) {
           return;
  
  
  
  1.82.2.6  +3 -3      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.82.2.5
  retrieving revision 1.82.2.6
  diff -u -r1.82.2.5 -r1.82.2.6
  --- ssl_engine_kernel.c	5 Apr 2003 19:04:43 -0000	1.82.2.5
  +++ ssl_engine_kernel.c	16 May 2003 18:12:18 -0000	1.82.2.6
  @@ -629,7 +629,7 @@
                    * we put it back here for the purpose of quick_renegotiation.
                    */
                   cert_stack = sk_new_null();
  -                sk_X509_push(cert_stack, cert);
  +                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
               }
   
               if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
  @@ -1526,7 +1526,7 @@
       *pkey = info->x_pkey->dec_pkey; \
       EVP_PKEY_reference_inc(*pkey)
   
  -int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 
  +int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)

   {
       conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
       server_rec *s = c->base_server;
  @@ -1740,7 +1740,7 @@
    * SSL handshake and does SSL record layer stuff. We use it to
    * trace OpenSSL's processing in out SSL logfile.
    */
  -void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
  +void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
   {
       conn_rec *c;
       server_rec *s;
  
  
  
  1.42.2.2  +10 -5     httpd-2.0/modules/ssl/ssl_engine_pphrase.c
  
  Index: ssl_engine_pphrase.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
  retrieving revision 1.42.2.1
  retrieving revision 1.42.2.2
  diff -u -r1.42.2.1 -r1.42.2.2
  --- ssl_engine_pphrase.c	3 Feb 2003 17:31:53 -0000	1.42.2.1
  +++ ssl_engine_pphrase.c	16 May 2003 18:12:18 -0000	1.42.2.2
  @@ -142,7 +142,11 @@
    */
   static server_rec *ssl_pphrase_server_rec = NULL;
   
  +#ifdef SSLC_VERSION_NUMBER
  +int ssl_pphrase_Handle_CB(char *, int, int);
  +#else
   int ssl_pphrase_Handle_CB(char *, int, int, void *);
  +#endif
   
   static char *pphrase_array_get(apr_array_header_t *arr, int idx)
   {
  @@ -635,8 +639,14 @@
       return 0;
   }
   
  +#ifdef SSLC_VERSION_NUMBER
  +int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
  +{
  +    void *srv = ssl_pphrase_server_rec;
  +#else
   int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
   {
  +#endif
       SSLModConfigRec *mc;
       server_rec *s;
       apr_pool_t *p;
  @@ -651,11 +661,6 @@
       BOOL *pbPassPhraseDialogOnce;
       char *cpp;
       int len = -1;
  -
  -#ifndef OPENSSL_VERSION_NUMBER
  -    /* make up for sslc flaw */
  -    srv = ssl_pphrase_server_rec;
  -#endif
   
       mc = myModConfig((server_rec *)srv);
   
  
  
  
  1.27.2.2  +40 -14    httpd-2.0/modules/ssl/ssl_toolkit_compat.h
  
  Index: ssl_toolkit_compat.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_toolkit_compat.h,v
  retrieving revision 1.27.2.1
  retrieving revision 1.27.2.2
  diff -u -r1.27.2.1 -r1.27.2.2
  --- ssl_toolkit_compat.h	3 Feb 2003 17:31:54 -0000	1.27.2.1
  +++ ssl_toolkit_compat.h	16 May 2003 18:12:19 -0000	1.27.2.2
  @@ -94,9 +94,18 @@
   
   #define MODSSL_BIO_CB_ARG_TYPE const char
   #define MODSSL_CRYPTO_CB_ARG_TYPE const char
  +#if (OPENSSL_VERSION_NUMBER < 0x00907000)
  +#define MODSSL_INFO_CB_ARG_TYPE SSL*
  +#else
  +#define MODSSL_INFO_CB_ARG_TYPE const SSL*
  +#endif
  +#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
  +#define MODSSL_PCHAR_CAST
   
   #define modssl_X509_verify_cert X509_verify_cert
   
  +typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
  +
   #if (OPENSSL_VERSION_NUMBER < 0x00904000)
   #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
   #else
  @@ -119,9 +128,11 @@
   
   #define HAVE_SSL_RAND_EGD /* since 9.5.1 */
   
  +#ifdef HAVE_SSL_X509V3_H
   #define HAVE_SSL_X509V3_EXT_d2i
  +#endif
   
  -#else /* RSA sslc */
  +#elif defined (SSLC_VERSION_NUMBER) /* RSA */
   
   /* sslc does not support this function, OpenSSL has since 9.5.1 */
   #define RAND_status() 1
  @@ -135,6 +146,11 @@
   
   #define MODSSL_BIO_CB_ARG_TYPE char
   #define MODSSL_CRYPTO_CB_ARG_TYPE char
  +#define MODSSL_INFO_CB_ARG_TYPE SSL*
  +#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
  +#define MODSSL_PCHAR_CAST (char *)
  +
  +typedef int (modssl_read_bio_cb_fn)(char*,int,int);
   
   #define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
   
  @@ -160,7 +176,7 @@
   #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
   #endif
   
  -#if SSLC_VERSION < 0x2000
  +#if SSLC_VERSION_NUMBER < 0x2000
   
   #define X509_STORE_CTX_set_depth(st, d)    
   #define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
  @@ -173,37 +189,47 @@
   
   #define NO_SSL_X509V3_H
   
  -#endif
  +#else /* SSLC_VERSION_NUMBER >= 0x2000 */
  +
  +#define CRYPTO_malloc_init R_malloc_init
  +
  +#define EVP_cleanup() 
  +
  +#endif /* SSLC_VERSION_NUMBER >= 0x2000 */
  +
  +typedef void (*modssl_popfree_fn)(char *data);
   
  -/* BEGIN GENERATED SECTION */
  -#define sk_SSL_CIPHER_free sk_free
   #define sk_SSL_CIPHER_dup sk_dup
  -#define sk_SSL_CIPHER_num sk_num
   #define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
  +#define sk_SSL_CIPHER_free sk_free
  +#define sk_SSL_CIPHER_num sk_num
   #define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
   #define sk_X509_num sk_num
   #define sk_X509_push sk_push
  +#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
   #define sk_X509_value (X509 *)sk_value
  -#define sk_X509_INFO_value (X509_INFO *)sk_value
   #define sk_X509_INFO_free sk_free
  -#define sk_X509_INFO_pop_free sk_pop_free 
  +#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
   #define sk_X509_INFO_num sk_num
   #define sk_X509_INFO_new_null sk_new_null
  +#define sk_X509_INFO_value (X509_INFO *)sk_value
  +#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
  +#define sk_X509_NAME_free sk_free
  +#define sk_X509_NAME_new sk_new
   #define sk_X509_NAME_num sk_num
   #define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
   #define sk_X509_NAME_value (X509_NAME *)sk_value
  -#define sk_X509_NAME_free sk_free
  -#define sk_X509_NAME_new sk_new
  -#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
   #define sk_X509_NAME_ENTRY_num sk_num
   #define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
   #define sk_X509_NAME_set_cmp_func sk_set_cmp_func
   #define sk_X509_REVOKED_num sk_num
   #define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
  -#define sk_X509_pop_free sk_pop_free
  -/* END GENERATED SECTION */
   
  -#endif /* OPENSSL_VERSION_NUMBER */
  +#else /* ! OPENSSL_VERSION_NUMBER && ! SSLC_VERSION_NUMBER */
  +
  +#error "Unrecognized SSL Toolkit!"
  +
  +#endif /* ! OPENSSL_VERSION_NUMBER && ! SSLC_VERSION_NUMBER */
   
   #ifndef modssl_set_verify
   #define modssl_set_verify(ssl, verify, cb) \
  
  
  
  1.35.2.2  +18 -0     httpd-2.0/modules/ssl/ssl_util.c
  
  Index: ssl_util.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util.c,v
  retrieving revision 1.35.2.1
  retrieving revision 1.35.2.2
  diff -u -r1.35.2.1 -r1.35.2.2
  --- ssl_util.c	3 Feb 2003 17:31:54 -0000	1.35.2.1
  +++ ssl_util.c	16 May 2003 18:12:19 -0000	1.35.2.2
  @@ -402,8 +402,18 @@
   static apr_thread_mutex_t **lock_cs;
   static int                  lock_num_locks;
   
  +#ifdef SSLC_VERSION_NUMBER
  +#if SSLC_VERSION_NUMBER >= 0x2000
  +static int ssl_util_thr_lock(int mode, int type,
  +                              const char *file, int line)
  +#else
  +static void ssl_util_thr_lock(int mode, int type,
  +                              const char *file, int line)
  +#endif
  +#else
   static void ssl_util_thr_lock(int mode, int type,
                                 const char *file, int line)
  +#endif
   {
       if (type < lock_num_locks) {
           if (mode & CRYPTO_LOCK) {
  @@ -412,6 +422,14 @@
           else {
               apr_thread_mutex_unlock(lock_cs[type]);
           }
  +#ifdef SSLC_VERSION_NUMBER
  +#if SSLC_VERSION_NUMBER >= 0x2000
  +        return 1;
  +    }
  +    else {
  +        return -1;
  +#endif
  +#endif
       }
   }
   
  
  
  
  1.23.2.3  +4 -4      httpd-2.0/modules/ssl/ssl_util_ssl.c
  
  Index: ssl_util_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util_ssl.c,v
  retrieving revision 1.23.2.2
  retrieving revision 1.23.2.3
  diff -u -r1.23.2.2 -r1.23.2.3
  --- ssl_util_ssl.c	3 Feb 2003 17:31:54 -0000	1.23.2.2
  +++ ssl_util_ssl.c	16 May 2003 18:12:19 -0000	1.23.2.3
  @@ -107,7 +107,7 @@
   **  _________________________________________________________________
   */
   
  -X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
  +X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
   {
       X509 *rc;
       BIO *bioS;
  @@ -158,7 +158,7 @@
   }
   #endif
   
  -EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int (*cb)(char*,int,int,void*),
void *s)
  +EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb,
void *s)
   {
       EVP_PKEY *rc;
       BIO *bioS;
  @@ -430,7 +430,7 @@
           return FALSE;
       }
   
  -    if (BIO_read_filename(in, filename) <= 0) {
  +    if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
           BIO_free(in);
           return FALSE;
       }
  @@ -493,7 +493,7 @@
    * should be sent to the peer in the SSL Certificate message.
    */
   int SSL_CTX_use_certificate_chain(
  -    SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
  +    SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
   {
       BIO *bio;
       X509 *x509;
  
  
  
  1.17.2.2  +3 -3      httpd-2.0/modules/ssl/ssl_util_ssl.h
  
  Index: ssl_util_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util_ssl.h,v
  retrieving revision 1.17.2.1
  retrieving revision 1.17.2.2
  diff -u -r1.17.2.1 -r1.17.2.2
  --- ssl_util_ssl.h	3 Feb 2003 17:31:54 -0000	1.17.2.1
  +++ ssl_util_ssl.h	16 May 2003 18:12:19 -0000	1.17.2.2
  @@ -90,8 +90,8 @@
   void        SSL_init_app_data2_idx(void);
   void       *SSL_get_app_data2(SSL *);
   void        SSL_set_app_data2(SSL *, void *);
  -X509       *SSL_read_X509(char *, X509 **, int (*)(char*,int,int,void*));
  -EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, int (*)(char*,int,int,void*), void
*);
  +X509       *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
  +EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
   int         SSL_smart_shutdown(SSL *ssl);
   X509_STORE *SSL_X509_STORE_create(char *, char *);
   int         SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
  @@ -101,7 +101,7 @@
   BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
   BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
   BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
  -int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)(char*,int,int,void*));
  +int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn
*);
   char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
   
   /* util functions for OpenSSL+sslc compat */
  
  
  

Mime
View raw message