From kbr...@apache.org
Subject svn commit: r1154688 - in /httpd/httpd/trunk: ./ modules/ssl/
Date Sun, 07 Aug 2011 10:36:57 GMT
Author: kbrand
Date: Sun Aug  7 10:36:57 2011
New Revision: 1154688

URL: http://svn.apache.org/viewvc?rev=1154688&view=rev
Log:
Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/acinclude.m4
    httpd/httpd/trunk/modules/ssl/config.m4
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_rand.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
    httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Aug  7 10:36:57 2011
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.3.15
 
+  *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
+
   *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
 
   *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.

Modified: httpd/httpd/trunk/acinclude.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/acinclude.m4?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/acinclude.m4 (original)
+++ httpd/httpd/trunk/acinclude.m4 Sun Aug  7 10:36:57 2011
@@ -445,7 +445,7 @@ dnl
 AC_DEFUN(APACHE_CHECK_OPENSSL,[
   AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [
     dnl initialise the variables we use
-    ac_cv_openssl=yes
+    ac_cv_openssl=no
     ap_openssl_found=""
     ap_openssl_base=""
     ap_openssl_libs=""
@@ -506,21 +506,17 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
       fi
     fi
 
-    AC_MSG_CHECKING([for OpenSSL version])
+    AC_MSG_CHECKING([for OpenSSL version >= 0.9.7])
     AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
 #if !defined(OPENSSL_VERSION_NUMBER)
 #error "Missing OpenSSL version"
 #endif
-#if  (OPENSSL_VERSION_NUMBER < 0x009060af) \
- || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f))
-#error "Insecure openssl version " OPENSSL_VERSION_TEXT
+#if OPENSSL_VERSION_NUMBER < 0x0090700f
+#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
 #endif],
-      [AC_MSG_RESULT(OK)],
-      [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
-       AC_MSG_RESULT([not encouraging])
-       AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
-                   [ Ensure the latest security patches have been applied!])
-    ])
+      [AC_MSG_RESULT(OK)
+       ac_cv_openssl=yes],
+      [AC_MSG_RESULT(FAILED)])
 
     if test "x$ac_cv_openssl" = "xyes"; then
       ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"
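Review bot: The new floor `#if OPENSSL_VERSION_NUMBER < 0x0090700f` admits 0.9.7 and 0.9.7a, which the removed check explicitly rejected as insecure (it errored for anything above 0x00907000 and below 0x0090702f, i.e. before 0.9.7b), so for that range the commit relaxes the check rather than only tightening it. If the intent is "0.9.7 or later without reintroducing the releases the old check refused", the comparison should be `#if OPENSSL_VERSION_NUMBER < 0x0090702f` and the CHANGES entry should say 0.9.7b; otherwise the log message should state that the previous lower bound was deliberately dropped. The removed 0.9.6 bound (0x009060af) is moot since the whole 0.9.6 series is now rejected. Setting ac_cv_openssl=yes only on success is the right shape; the FAILED branch could additionally echo the found version, since OPENSSL_VERSION_TEXT now only reaches config.log via the #error.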
@@ -534,9 +530,10 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
       AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
       AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
       if test "x$liberrors" != "x"; then
-        ac_cv_openssl=no
         AC_MSG_WARN([OpenSSL libraries are unusable])
       fi
+    else
+      AC_MSG_WARN([OpenSSL version is too old])
     fi
 
     dnl restore
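Review bot: Dropping `ac_cv_openssl=no` from the liberrors branch means a header that passes the version check but libraries that fail the SSLeay_version/SSL_CTX_new link test now leave ac_cv_openssl=yes, so "OpenSSL libraries are unusable" has become a warning only and config.m4 (which tests `$ac_cv_openssl = yes`) will still enable mod_ssl against an unlinkable toolkit. Before this change the same condition marked OpenSSL as not found. Unless something after the hunk resets the variable, keep the assignment: `ac_cv_openssl=no` directly above `AC_MSG_WARN([OpenSSL libraries are unusable])`.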

Modified: httpd/httpd/trunk/modules/ssl/config.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/config.m4?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/config.m4 (original)
+++ httpd/httpd/trunk/modules/ssl/config.m4 Sun Aug  7 10:36:57 2011
@@ -13,12 +13,6 @@ dnl WITHOUT WARRANTIES OR CONDITIONS OF 
 dnl See the License for the specific language governing permissions and
 dnl limitations under the License.
 
-AC_DEFUN([CHECK_OCSP], [
-AC_CHECK_HEADERS(openssl/ocsp.h, 
-  [AC_DEFINE([HAVE_OCSP], 1, [Define if OCSP is supported by OpenSSL])]
-)
-])
-
 dnl #  start of module specific part
 APACHE_MODPATH_INIT(ssl)
 
@@ -47,7 +41,6 @@ APACHE_MODULE(ssl, [SSL/TLS support (mod
     APACHE_CHECK_OPENSSL
     if test "$ac_cv_openssl" = "yes" ; then
         APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
-        CHECK_OCSP
         if test "x$enable_ssl" = "xshared"; then
            # The only symbol which needs to be exported is the module
            # structure, so ask libtool to hide everything else:

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sun Aug  7 10:36:57 2011
@@ -250,13 +250,11 @@ static apr_status_t ssl_cleanup_pre_conf
     /*
      * Try to kill the internals of the SSL library.
      */
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
     /* Corresponds to OPENSSL_load_builtin_modules():
      * XXX: borrowed from apps.h, but why not CONF_modules_free()
      * which also invokes CONF_modules_finish()?
      */
     CONF_modules_unload(1);
-#endif
     /* Corresponds to SSL_library_init: */
     EVP_cleanup();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
@@ -297,9 +295,7 @@ static int ssl_hook_pre_config(apr_pool_
     ENGINE_load_builtin_engines();
 #endif
     OpenSSL_add_all_algorithms();
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
     OPENSSL_load_builtin_modules();
-#endif
 
     /*
      * Let us cleanup the ssl library when the module is unloaded

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sun Aug  7 10:36:57 2011
@@ -517,12 +517,8 @@ const char *ssl_cmd_SSLRandomSeed(cmd_pa
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
     }
     else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
-#ifdef HAVE_SSL_RAND_EGD
         seed->nSrc   = SSL_RSSRC_EGD;
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
-#else
-    return "egd not supported with this SSL toolkit";
-#endif
     }
     else if (strcEQ(arg2, "builtin")) {
         seed->nSrc   = SSL_RSSRC_BUILTIN;
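Review bot: With the `#else return "egd not supported with this SSL toolkit"` fallback gone, an `egd:` SSLRandomSeed source is accepted at configuration time on every platform, but OpenSSL's RAND_egd is a stub that only returns -1 on Windows, NetWare and other socket-less platforms, so the directive can now be silently ineffective where it used to be rejected. The same applies to the now-unconditional EGD branch in ssl_engine_rand.c, where the visible `continue` skips a failed read without, as far as that hunk shows, logging it. Consider keeping the error return under an explicit platform conditional such as `#if defined(WIN32) || defined(NETWARE)`, or logging at warn level in ssl_rand_seed when the EGD read fails, so an operator notices that a configured seed source contributed nothing. The enclosing function ssl_cmd_SSLRandomSeed starts before the hunk.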
@@ -1428,9 +1424,9 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_pa
 
     sc->server->ocsp_enabled = flag ? TRUE : FALSE;
 
-#ifndef HAVE_OCSP
+#ifdef OPENSSL_NO_OCSP
     if (flag) {
-        return "OCSP support not detected in SSL library; cannot enable "
+        return "OCSP support disabled in SSL library; cannot enable "
             "OCSP validation";
     }
 #endif    

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c Sun Aug  7 10:36:57 2011
@@ -142,11 +142,7 @@ DH *ssl_dh_GetParamFromFile(char *file)
 
     if ((bio = BIO_new_file(file, "r")) == NULL)
         return NULL;
-#if SSL_LIBRARY_VERSION < 0x00904000
-    dh = PEM_read_bio_DHparams(bio, NULL, NULL);
-#else
     dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-#endif
     BIO_free(bio);
     return (dh);
 }

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sun Aug  7 10:36:57 2011
@@ -1471,7 +1471,7 @@ int ssl_callback_SSLVerify(int ok, X509_
             errnum = X509_STORE_CTX_get_error(ctx);
         }
         
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
         /* If there was an optional verification error, it's not
          * possible to perform OCSP validation since the issuer may be
          * missing/untrusted.  Fail in that case. */
@@ -2005,7 +2005,7 @@ void ssl_callback_DelSessionCacheEntry(S
 }
 
 /* Dump debugginfo trace to the log file. */
-static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, 
+static void log_tracing_state(const SSL *ssl, conn_rec *c, 
                               server_rec *s, int where, int rc)
 {
     /*
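Review bot: The rewritten signature line `static void log_tracing_state(const SSL *ssl, conn_rec *c, ` keeps a trailing space after the comma; since the line is being touched anyway, drop it so the declaration is clean. The `const SSL *` type itself is fine and matches the prototype change in ssl_private.h and the ssl_callback_Info change in the next hunk. The function body continues outside the hunk.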
@@ -2078,7 +2078,7 @@ static void log_tracing_state(MODSSL_INF
  * client-initiated renegotiations, and for dumping everything to the
  * log.
  */
-void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+void ssl_callback_Info(const SSL *ssl, int where, int rc)
 {
     conn_rec *c;
     server_rec *s;

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Sun Aug  7 10:36:57 2011
@@ -16,7 +16,7 @@
 
 #include "ssl_private.h"
 
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
 #include "apr_base64.h"
 
 /* Return the responder URI specified in the given certificate, or

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_rand.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_rand.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_rand.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_rand.c Sun Aug  7 10:36:57 2011
@@ -81,7 +81,6 @@ int ssl_rand_seed(server_rec *s, apr_poo
                 nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
                 ssl_util_ppclose(s, p, fp);
             }
-#ifdef HAVE_SSL_RAND_EGD
             else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
                 /*
                  * seed in contents provided by the external
@@ -91,7 +90,6 @@ int ssl_rand_seed(server_rec *s, apr_poo
                     continue;
                 nDone += n;
             }
-#endif
             else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
                 struct {
                     time_t t;

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Aug  7 10:36:57 2011
@@ -90,15 +90,8 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
-
-/* hack for non-configure platforms (NetWare, Win32) */
-#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
-#define HAVE_OCSP
-#endif
-#ifdef HAVE_OCSP
 #include <openssl/x509_vfy.h>
 #include <openssl/ocsp.h>
-#endif
 
 /* Avoid tripping over an engine build installed globally and detected
  * when the user points at an explicit non-engine flavor of OpenSSL
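Review bot: `#include <openssl/ocsp.h>` is now unconditional, while every OCSP user in this commit (ssl_engine_ocsp.c, ssl_util_ocsp.c and the OCSP block later in this header) is guarded by `#ifndef OPENSSL_NO_OCSP`; an OpenSSL built with no-ocsp defines that macro and, as far as I recall of the 0.9.x/1.0.x build system, does not install headers from a skipped subdirectory, so the include would fail where the guarded code would have compiled cleanly. Keep `<openssl/x509_vfy.h>` unconditional, since it is needed for X509_STORE_CTX regardless, and wrap only the OCSP header: `#ifndef OPENSSL_NO_OCSP` / `#include <openssl/ocsp.h>` / `#endif`. Removing the NetWare/Win32 HAVE_OCSP hack is consistent with this, because OPENSSL_NO_OCSP comes from opensslconf.h rather than from configure.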
@@ -108,12 +101,6 @@
 #endif
 
 /* ...shifting sands of OpenSSL... */
-#if (OPENSSL_VERSION_NUMBER < 0x00907000)
-# define MODSSL_INFO_CB_ARG_TYPE SSL*
-#else
-# define MODSSL_INFO_CB_ARG_TYPE const SSL*
-#endif
-
 #if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
 #define MODSSL_D2I_SSL_SESSION_CONST const
 #else
@@ -757,7 +744,7 @@ int          ssl_callback_proxy_cert(SSL
 int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
-void         ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
+void         ssl_callback_Info(const SSL *, int, int);
 #ifndef OPENSSL_NO_TLSEXT
 int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
 #endif
@@ -883,7 +870,7 @@ void         ssl_var_log_config_register
  * allocating from 'p': */
 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
 
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
 /* Perform OCSP validation of the current cert in the given context.
  * Returns non-zero on success or zero on failure.  On failure, the
  * context error code is set. */

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Sun Aug  7 10:36:57 2011
@@ -20,7 +20,7 @@
 
 #include "ssl_private.h"
 
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
 
 #include "apr_buckets.h"
 #include "apr_uri.h"

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1154688&r1=1154687&r2=1154688&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sun Aug  7 10:36:57 2011
@@ -115,16 +115,6 @@ X509 *SSL_read_X509(char* filename, X509
     return rc;
 }
 
-#if SSL_LIBRARY_VERSION <= 0x00904100
-static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
-{
-     return ((EVP_PKEY *)ASN1_d2i_bio(
-             (char *(*)())EVP_PKEY_new,
-             (char *(*)())d2i_PrivateKey,
-             (bio), (unsigned char **)(key)));
-}
-#endif
-
 EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
 {
     EVP_PKEY *rc;
@@ -291,7 +281,6 @@ char *SSL_make_ciphersuite(apr_pool_t *p
 /* check whether cert contains extended key usage with a SGC tag */
 BOOL SSL_X509_isSGC(X509 *cert)
 {
-#ifdef HAVE_SSL_X509V3_EXT_d2i
     int ext_nid;
     EXTENDED_KEY_USAGE *sk;
     BOOL is_sgc;
@@ -310,15 +299,11 @@ BOOL SSL_X509_isSGC(X509 *cert)
     EXTENDED_KEY_USAGE_free(sk);
     }
     return is_sgc;
-#else
-    return FALSE;
-#endif
 }
 
 /* retrieve basic constraints ingredients */
 BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
 {
-#ifdef HAVE_SSL_X509V3_EXT_d2i
     BASIC_CONSTRAINTS *bc;
     BIGNUM *bn = NULL;
     char *cp;
@@ -339,9 +324,6 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca,
     }
     BASIC_CONSTRAINTS_free(bc);
     return TRUE;
-#else
-    return FALSE;
-#endif
 }
 
 /* convert a NAME_ENTRY to UTF8 string */


