httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kbr...@apache.org
Subject svn commit: r1154687 - in /httpd/httpd/trunk: ./ modules/ssl/
Date Sun, 07 Aug 2011 10:34:32 GMT
Author: kbrand
Date: Sun Aug  7 10:34:31 2011
New Revision: 1154687

URL: http://svn.apache.org/viewvc?rev=1154687&view=rev
Log:
Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.

Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.

Removed:
    httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/mod_ssl.dsp
    httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util.c
    httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Aug  7 10:34:31 2011
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.3.15
 
+  *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
+
   *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
      [Kaspar Brand]
 

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.dsp
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.dsp?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.dsp (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.dsp Sun Aug  7 10:34:31 2011
@@ -184,10 +184,6 @@ SOURCE=.\ssl_private.h
 # End Source File
 # Begin Source File
 
-SOURCE=.\ssl_toolkit_compat.h
-# End Source File
-# Begin Source File
-
 SOURCE=.\ssl_util_ssl.h
 # End Source File
 # Begin Source File

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c Sun Aug  7 10:34:31 2011
@@ -69,8 +69,20 @@ static unsigned char dh512_g[] = {
 
 static DH *get_dh512(void)
 {
-    return modssl_dh_configure(dh512_p, sizeof(dh512_p),
-                               dh512_g, sizeof(dh512_g));
+    DH *dh;
+
+    if (!(dh = DH_new())) {
+        return NULL;
+    }
+
+    dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+    dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+    if (!(dh->p && dh->g)) {
+        DH_free(dh);
+        return NULL;
+    }
+
+    return dh;
 }
 
 static unsigned char dh1024_p[] = {
@@ -92,8 +104,20 @@ static unsigned char dh1024_g[] = {
 
 static DH *get_dh1024(void)
 {
-    return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
-                               dh1024_g, sizeof(dh1024_g));
+    DH *dh;
+
+    if (!(dh = DH_new())) {
+        return NULL;
+    }
+
+    dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+    dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+    if (!(dh->p && dh->g)) {
+        DH_free(dh);
+        return NULL;
+    }
+
+    return dh;
 }
 
 /* ----END GENERATED SECTION---------- */
@@ -187,8 +211,20 @@ $dhsource .= $_ while (<FP>);
 close(FP);
 $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
 {
-    return modssl_dh_configure(dh$2_p, sizeof(dh$2_p),
-                               dh$2_g, sizeof(dh$2_g));
+    DH *dh;
+
+    if (!(dh = DH_new())) {
+        return NULL;
+    }
+
+    dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
+    dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
+    if (!(dh->p && dh->g)) {
+        DH_free(dh);
+        return NULL;
+    }
+
+    return dh;
 }
 |sg;
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Aug  7 10:34:31 2011
@@ -642,8 +642,8 @@ static void ssl_init_ctx_verify(server_r
                      "Configuring client authentication");
 
         if (!SSL_CTX_load_verify_locations(ctx,
-                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
-                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
+                                           mctx->auth.ca_cert_file,
+                                           mctx->auth.ca_cert_path))
         {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                     "Unable to configure verify locations "
@@ -705,7 +705,7 @@ static void ssl_init_ctx_cipher_suite(se
                  "Configuring permitted SSL ciphers [%s]",
                  suite);
 
-    if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
+    if (!SSL_CTX_set_cipher_list(ctx, suite)) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                 "Unable to configure permitted SSL ciphers");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
@@ -1278,7 +1278,7 @@ static void ssl_init_PushCAList(STACK_OF
     STACK_OF(X509_NAME) *sk;
 
     sk = (STACK_OF(X509_NAME) *)
-             SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
+             SSL_load_client_CA_file(file);
 
     if (!sk) {
         return;

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sun Aug  7 10:34:31 2011
@@ -1872,7 +1872,7 @@ void ssl_io_filter_register(apr_pool_t *
 #define DUMP_WIDTH 16
 
 static void ssl_io_data_dump(server_rec *srvr,
-                             MODSSL_BIO_CB_ARG_TYPE *s,
+                             const char *s,
                              long len)
 {
     char buf[256];
@@ -1937,7 +1937,7 @@ static void ssl_io_data_dump(server_rec 
 }
 
 long ssl_io_data_cb(BIO *bio, int cmd,
-                    MODSSL_BIO_CB_ARG_TYPE *argp,
+                    const char *argp,
                     int argi, long argl, long rc)
 {
     SSL *ssl;

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sun Aug  7 10:34:31 2011
@@ -407,9 +407,9 @@ int ssl_hook_Access(request_rec *r)
 
         /* configure new state */
         if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
-            !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
-                                         dc->szCipherSuite :
-                                         sc->server->auth.cipher_suite)) {
+            !SSL_set_cipher_list(ssl, dc->szCipherSuite ?
+                                      dc->szCipherSuite :
+                                      sc->server->auth.cipher_suite)) {
             ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                           "Unable to reconfigure (per-directory) "
                           "permitted SSL ciphers");
@@ -546,7 +546,7 @@ int ssl_hook_Access(request_rec *r)
             verify |= SSL_VERIFY_PEER;
         }
 
-        modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
+        SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
         SSL_set_verify_result(ssl, X509_V_OK);
 
         /* determine whether we've to force a renegotiation */
@@ -606,7 +606,7 @@ int ssl_hook_Access(request_rec *r)
                          "'require' and VirtualHost-specific CA certificate "
                          "list is only available to clients with TLS server "
                          "name indication (SNI) support");
-                    modssl_set_verify(ssl, verify_old, NULL);
+                    SSL_set_verify(ssl, verify_old, NULL);
                     return HTTP_FORBIDDEN;
                 } else
                     /* let it pass, possibly with an "incorrect" peer cert,
@@ -695,7 +695,7 @@ int ssl_hook_Access(request_rec *r)
                  * we put it back here for the purpose of quick_renegotiation.
                  */
                 cert_stack = sk_X509_new_null();
-                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
+                sk_X509_push(cert_stack, cert);
             }
 
             if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
@@ -729,7 +729,7 @@ int ssl_hook_Access(request_rec *r)
                                        SSL_get_ex_data_X509_STORE_CTX_idx(),
                                        (char *)ssl);
 
-            if (!modssl_X509_verify_cert(&cert_store_ctx)) {
+            if (!X509_verify_cert(&cert_store_ctx)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                               "Re-negotiation verification step failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -798,11 +798,11 @@ int ssl_hook_Access(request_rec *r)
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                           "Awaiting re-negotiation handshake");
 
-            /* XXX: Should replace SSL_set_state with SSL_renegotiate(ssl);
+            /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
              * However, this causes failures in perl-framework currently,
              * perhaps pre-test if we have already negotiated?
              */
-            SSL_set_state(ssl, SSL_ST_ACCEPT);
+            ssl->state = SSL_ST_ACCEPT;
             SSL_do_handshake(ssl);
 
             sslconn->reneg_state = RENEG_REJECT;
@@ -1021,7 +1021,7 @@ int ssl_hook_UserCheck(request_rec *r)
         X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
         char *cp = X509_NAME_oneline(name, NULL, 0);
         sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
-        modssl_free(cp);
+        OPENSSL_free(cp);
     }
 
     clientdn = (char *)sslconn->client_dn;
@@ -1731,7 +1731,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X
             X509_REVOKED *revoked =
                 sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
 
-            ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
+            ASN1_INTEGER *sn = revoked->serialNumber;
 
             if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
                 if (APLOGdebug(s)) {
@@ -1742,7 +1742,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X
                                  "Certificate with serial %ld (0x%lX) "
                                  "revoked per CRL from issuer %s",
                                  serial, serial, cp);
-                    modssl_free(cp);
+                    OPENSSL_free(cp);
                 }
 
                 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
@@ -1789,11 +1789,11 @@ static void modssl_proxy_info_log(server
  */
 #define modssl_set_cert_info(info, cert, pkey) \
     *cert = info->x509; \
-    X509_reference_inc(*cert); \
+    CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
     *pkey = info->x_pkey->dec_pkey; \
-    EVP_PKEY_reference_inc(*pkey)
+    CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
 
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
     server_rec *s = mySrvFromConn(c);
@@ -1911,11 +1911,11 @@ int ssl_callback_NewSessionCacheEntry(SS
      * Store the SSL_SESSION in the inter-process cache with the
      * same expire time, so it expires automatically there, too.
      */
-    id = SSL_SESSION_get_session_id(session);
-    idlen = SSL_SESSION_get_session_id_length(session);
+    id = session->session_id;
+    idlen = session->session_id_length;
 
     rc = ssl_scache_store(s, id, idlen,
-                          apr_time_from_sec(modssl_session_get_time(session)
+                          apr_time_from_sec(SSL_SESSION_get_time(session)
                                           + timeout),
                           session, conn->pool);
 
@@ -1992,8 +1992,8 @@ void ssl_callback_DelSessionCacheEntry(S
     /*
      * Remove the SSL_SESSION from the inter-process cache
      */
-    id = SSL_SESSION_get_session_id(session);
-    idlen = SSL_SESSION_get_session_id_length(session);
+    id = session->session_id;
+    idlen = session->session_id_length;
 
     /* TODO: Do we need a temp pool here, or are we always shutting down? */
     ssl_scache_remove(s, id, idlen, sc->mc->pPool);

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Sun Aug  7 10:34:31 2011
@@ -139,15 +139,15 @@ void ssl_log_cxerror(const char *file, i
                   serial ? serial : "-unknown-");
 
     if (sname) {
-        modssl_free(sname);
+        OPENSSL_free(sname);
     }
     
     if (iname) {
-        modssl_free(iname);
+        OPENSSL_free(iname);
     }
     
     if (serial) {
-        modssl_free(serial);
+        OPENSSL_free(serial);
     }
 
     if (bn) {

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sun Aug  7 10:34:31 2011
@@ -336,8 +336,8 @@ static char *ssl_var_lookup_ssl(apr_pool
         SSL_SESSION *pSession = SSL_get_session(ssl);
         if (pSession) {
             result = apr_pstrdup(p, SSL_SESSION_id2sz(
-                                     SSL_SESSION_get_session_id(pSession),
-                                     SSL_SESSION_get_session_id_length(pSession),
+                                     pSession->session_id,
+                                     pSession->session_id_length,
                                      buf, sizeof(buf)));
         }
     }
@@ -404,7 +404,7 @@ static char *ssl_var_lookup_ssl_cert_dn_
     if (legacy_format) {
         char *cp = X509_NAME_oneline(xsname, NULL, 0);
         result = apr_pstrdup(p, cp);
-        modssl_free(cp);
+        OPENSSL_free(cp);
     }
     else {
         BIO* bio;
@@ -471,13 +471,13 @@ static char *ssl_var_lookup_ssl_cert(apr
         resdup = FALSE;
     }
     else if (strcEQ(var, "A_SIG")) {
-        nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
+        nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
         result = apr_pstrdup(p,
                              (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
         resdup = FALSE;
     }
     else if (strcEQ(var, "A_KEY")) {
-        nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
+        nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
         result = apr_pstrdup(p,
                              (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
         resdup = FALSE;
@@ -540,10 +540,10 @@ static char *ssl_var_lookup_ssl_cert_dn(
         if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
             && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
             for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
-                                                 X509_NAME_get_entries(xsname));
+                                                   xsname->entries);
                  j++) {
                 xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
-                                             X509_NAME_get_entries(xsname), j);
+                                                xsname->entries, j);
 
                 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
 
@@ -764,7 +764,7 @@ static char *ssl_var_lookup_ssl_version(
 static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, 
                        X509_NAME *xn, apr_pool_t *p)
 {
-    STACK_OF(X509_NAME_ENTRY) *ents = X509_NAME_get_entries(xn);
+    STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
     X509_NAME_ENTRY *xsne;
     apr_hash_t *count;
     int i, nid;

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Aug  7 10:34:31 2011
@@ -54,9 +54,18 @@
 #include "ap_socache.h"
 #include "mod_auth.h"
 
+/* The #ifdef macros are only defined AFTER including the above
+ * therefore we cannot include these system files at the top  :-(
+ */
 #ifdef APR_HAVE_STDLIB_H
 #include <stdlib.h>
 #endif
+#if APR_HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#if APR_HAVE_UNISTD_H
+#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+#endif
 
 #ifndef FALSE
 #define FALSE 0
@@ -70,32 +79,105 @@
 #define BOOL unsigned int
 #endif
 
-/* mod_ssl headers */
-#include "ssl_toolkit_compat.h"
 #include "ap_expr.h"
-#include "ssl_util_ssl.h"
 
-/* The #ifdef macros are only defined AFTER including the above
- * therefore we cannot include these system files at the top  :-(
+/* OpenSSL headers */
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+/* hack for non-configure platforms (NetWare, Win32) */
+#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
+#define HAVE_OCSP
+#endif
+#ifdef HAVE_OCSP
+#include <openssl/x509_vfy.h>
+#include <openssl/ocsp.h>
+#endif
+
+/* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
  */
-#if APR_HAVE_SYS_TIME_H
-#include <sys/time.h>
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#include <openssl/engine.h>
 #endif
-#if APR_HAVE_UNISTD_H
-#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+
+/* ...shifting sands of OpenSSL... */
+#if (OPENSSL_VERSION_NUMBER < 0x00907000)
+# define MODSSL_INFO_CB_ARG_TYPE SSL*
+#else
+# define MODSSL_INFO_CB_ARG_TYPE const SSL*
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
+#define MODSSL_D2I_SSL_SESSION_CONST const
+#else
+#define MODSSL_D2I_SSL_SESSION_CONST
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#define HAVE_GENERATE_EX
+#define MODSSL_D2I_ASN1_type_bytes_CONST const
+#define MODSSL_D2I_PrivateKey_CONST const
+#define MODSSL_D2I_X509_CONST const
+#else
+#define MODSSL_D2I_ASN1_type_bytes_CONST
+#define MODSSL_D2I_PrivateKey_CONST
+#define MODSSL_D2I_X509_CONST
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
+    && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_OCSP_STAPLING
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define sk_OPENSSL_STRING_pop sk_pop
+#endif
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+#define MODSSL_SSL_CIPHER_CONST const
+#define MODSSL_SSL_METHOD_CONST const
+#else
+#define MODSSL_SSL_CIPHER_CONST
+#define MODSSL_SSL_METHOD_CONST
+/* ECC support came along in OpenSSL 1.0.0 */
+#define OPENSSL_NO_EC
+#endif
+
+#ifndef PEM_F_DEF_CALLBACK
+#ifdef PEM_F_PEM_DEF_CALLBACK
+/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK 
+#endif
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#define OPENSSL_NO_TLSEXT
+#endif
+#endif
+
+#ifndef sk_STRING_pop
+#define sk_STRING_pop sk_pop
+#endif
+
+/* mod_ssl headers */
+#include "ssl_util_ssl.h"
+
 APLOG_USE_MODULE(ssl);
 
 /*
  * Provide reasonable default for some defines
  */
-#ifndef FALSE
-#define FALSE (0)
-#endif
-#ifndef TRUE
-#define TRUE (!FALSE)
-#endif
 #ifndef PFALSE
 #define PFALSE ((void *)FALSE)
 #endif
@@ -116,9 +198,6 @@ APLOG_USE_MODULE(ssl);
 /**
  * Provide reasonable defines for some types
  */
-#ifndef BOOL
-#define BOOL unsigned int
-#endif
 #ifndef UCHAR
 #define UCHAR unsigned char
 #endif
@@ -674,7 +753,7 @@ EC_KEY      *ssl_callback_TmpECDH(SSL *,
 #endif
 int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY
**pkey);
+int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
@@ -717,7 +796,7 @@ int          ssl_stapling_init_cert(serv
 /**  I/O  */
 void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
 void         ssl_io_filter_register(apr_pool_t *);
-long         ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
+long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);
 
 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
  * to allow an SSL renegotiation to take place. */

Modified: httpd/httpd/trunk/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util.c Sun Aug  7 10:34:31 2011
@@ -143,7 +143,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
     if (pCert != NULL)
         pFreeKey = pKey = X509_get_pubkey(pCert);
     if (pKey != NULL) {
-        switch (EVP_PKEY_key_type(pKey)) {
+        switch (EVP_PKEY_type(pKey->type)) {
             case EVP_PKEY_RSA:
                 t = SSL_ALGO_RSA;
                 break;

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sun Aug  7 10:34:31 2011
@@ -74,7 +74,7 @@ void SSL_set_app_data2(SSL *ssl, void *a
 **  _________________________________________________________________
 */
 
-X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
+X509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
 {
     X509 *rc;
     BIO *bioS;
@@ -83,7 +83,7 @@ X509 *SSL_read_X509(char* filename, X509
     /* 1. try PEM (= DER+Base64+headers) */
     if ((bioS=BIO_new_file(filename, "r")) == NULL)
         return NULL;
-    rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
+    rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
     BIO_free(bioS);
 
     if (rc == NULL) {
@@ -125,7 +125,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO 
 }
 #endif
 
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb,
void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
 {
     EVP_PKEY *rc;
     BIO *bioS;
@@ -134,7 +134,7 @@ EVP_PKEY *SSL_read_PrivateKey(char* file
     /* 1. try PEM (= DER+Base64+headers) */
     if ((bioS=BIO_new_file(filename, "r")) == NULL)
         return NULL;
-    rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
+    rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
     BIO_free(bioS);
 
     if (rc == NULL) {
@@ -275,7 +275,7 @@ char *SSL_make_ciphersuite(apr_pool_t *p
         memcpy(cp, SSL_CIPHER_get_name(c), l);
         cp += l;
         *cp++ = '/';
-        *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
+        *cp++ = (c->valid == 1 ? '1' : '0');
         *cp++ = ':';
     }
     *(cp-1) = NUL;
@@ -373,9 +373,9 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509 
 
     xsn = X509_get_subject_name(xs);
     for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
-                                           X509_NAME_get_entries(xsn)); i++) {
+                                           xsn->entries); i++) {
         xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
-                                         X509_NAME_get_entries(xsn), i);
+                                        xsn->entries, i);
         nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
         if (nid == NID_commonName) {
             *cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
@@ -401,14 +401,14 @@ BOOL SSL_X509_INFO_load_file(apr_pool_t 
         return FALSE;
     }
 
-    if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
+    if (BIO_read_filename(in, filename) <= 0) {
         BIO_free(in);
         return FALSE;
     }
 
     ERR_clear_error();
 
-    modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+    PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
 
     BIO_free(in);
 
@@ -464,7 +464,7 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t 
  * should be sent to the peer in the SSL Certificate message.
  */
 int SSL_CTX_use_certificate_chain(
-    SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
+    SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
 {
     BIO *bio;
     X509 *x509;
@@ -480,21 +480,21 @@ int SSL_CTX_use_certificate_chain(
     }
     /* optionally skip a leading server certificate */
     if (skipfirst) {
-        if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+        if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
             BIO_free(bio);
             return -1;
         }
         X509_free(x509);
     }
     /* free a perhaps already configured extra chain */
-    extra_certs=SSL_CTX_get_extra_certs(ctx);
+    extra_certs = ctx->extra_certs;
     if (extra_certs != NULL) {
         sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
-        SSL_CTX_set_extra_certs(ctx,NULL);
+        ctx->extra_certs = NULL;
     }
     /* create new extra chain by loading the certs */
     n = 0;
-    while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+    while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
         if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
             X509_free(x509);
             BIO_free(bio);
@@ -535,26 +535,3 @@ char *SSL_SESSION_id2sz(unsigned char *i
     *cp = NUL;
     return str;
 }
-int modssl_session_get_time(SSL_SESSION *session)
-{
-    return SSL_SESSION_get_time(session);
-}
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
-                        unsigned char *g, int glen)
-{
-    DH *dh;
-
-    if (!(dh = DH_new())) {
-        return NULL;
-    }
-
-    dh->p = BN_bin2bn(p, plen, NULL);
-    dh->g = BN_bin2bn(g, glen, NULL);
-    if (!(dh->p && dh->g)) {
-        DH_free(dh);
-        return NULL;
-    }
-
-    return dh;
-}

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sun Aug  7 10:34:31 2011
@@ -60,8 +60,8 @@
 void        SSL_init_app_data2_idx(void);
 void       *SSL_get_app_data2(SSL *);
 void        SSL_set_app_data2(SSL *, void *);
-X509       *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
-EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
+X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);
+EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
 int         SSL_smart_shutdown(SSL *ssl);
 X509_STORE *SSL_X509_STORE_create(char *, char *);
 int         SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
@@ -72,14 +72,9 @@ char       *SSL_X509_NAME_ENTRY_to_strin
 BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
+int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
 char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
 
-int modssl_session_get_time(SSL_SESSION *session);
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
-                        unsigned char *g, int glen);
-
 #endif /* __SSL_UTIL_SSL_H__ */
 /** @} */
 



Mime
View raw message