httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kbr...@apache.org
Subject svn commit: r1222917 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c ssl_engine_kernel.c ssl_engine_vars.c ssl_private.h ssl_util_ssl.c ssl_util_ssl.h ssl_util_stapling.c
Date Sat, 24 Dec 2011 06:31:38 GMT
Author: kbrand
Date: Sat Dec 24 06:31:37 2011
New Revision: 1222917

URL: http://svn.apache.org/viewvc?rev=1222917&view=rev
Log:
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
    httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Dec 24 06:31:37 2011
@@ -780,8 +780,15 @@ static void ssl_init_ctx_pkcs7_cert_chai
 {
     STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
     int n;
+    STACK_OF(X509) *extra_certs = NULL;
 
-    if (!mctx->ssl_ctx->extra_certs)
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+    extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+    if (!extra_certs)
         for (n = 1; n < sk_X509_num(certs); ++n)
              SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
 }

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Dec 24 06:31:37 2011
@@ -799,11 +799,15 @@ int ssl_hook_Access(request_rec *r)
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
                           "Awaiting re-negotiation handshake");
 
-            /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
+            /* XXX: Should replace setting state with SSL_renegotiate(ssl);
              * However, this causes failures in perl-framework currently,
              * perhaps pre-test if we have already negotiated?
              */
+#ifdef OPENSSL_NO_SSL_INTERN
+            SSL_set_state(ssl, SSL_ST_ACCEPT);
+#else
             ssl->state = SSL_ST_ACCEPT;
+#endif
             SSL_do_handshake(ssl);
 
             sslconn->reneg_state = RENEG_REJECT;
@@ -1728,8 +1732,12 @@ int ssl_callback_NewSessionCacheEntry(SS
      * Store the SSL_SESSION in the inter-process cache with the
      * same expire time, so it expires automatically there, too.
      */
+#ifdef OPENSSL_NO_SSL_INTERN
+    id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
     id = session->session_id;
     idlen = session->session_id_length;
+#endif
 
     rc = ssl_scache_store(s, id, idlen,
                           apr_time_from_sec(SSL_SESSION_get_time(session)
@@ -1809,8 +1817,12 @@ void ssl_callback_DelSessionCacheEntry(S
     /*
      * Remove the SSL_SESSION from the inter-process cache
      */
+#ifdef OPENSSL_NO_SSL_INTERN
+    id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
     id = session->session_id;
     idlen = session->session_id_length;
+#endif
 
     /* TODO: Do we need a temp pool here, or are we always shutting down? */
     ssl_scache_remove(s, id, idlen, sc->mc->pPool);
@@ -2024,13 +2036,14 @@ static int ssl_find_vhost(void *serverna
     sslcon = myConnConfig(c);
     if (found && (ssl = sslcon->ssl) &&
         (sc = mySrvConfig(s))) {
+        SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
         SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
         /*
          * SSL_set_SSL_CTX() only deals with the server cert,
          * so we need to duplicate a few additional settings
          * from the ctx by hand
          */
-        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+        SSL_set_options(ssl, SSL_CTX_get_options(ctx));
         if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
             (SSL_num_renegotiations(ssl) == 0)) {
            /*
@@ -2040,8 +2053,8 @@ static int ssl_find_vhost(void *serverna
             * Otherwise, we would possibly reset a per-directory
             * configuration which was put into effect by ssl_hook_Access.
             */
-            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                           SSL_CTX_get_verify_callback(ssl->ctx));
+            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+                           SSL_CTX_get_verify_callback(ctx));
         }
 
         /*

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Dec 24 06:31:37 2011
@@ -335,10 +335,18 @@ static char *ssl_var_lookup_ssl(apr_pool
         char buf[SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
         if (pSession) {
-            result = apr_pstrdup(p, SSL_SESSION_id2sz(
-                                     pSession->session_id,
-                                     pSession->session_id_length,
-                                     buf, sizeof(buf)));
+            unsigned char *id;
+            unsigned int idlen;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+            id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
+#else
+            id = pSession->session_id;
+            idlen = pSession->session_id_length;
+#endif
+
+            result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
+                                                      buf, sizeof(buf)));
         }
     }
     else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
@@ -955,11 +963,15 @@ apr_array_header_t *ssl_ext_list(apr_poo
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
 {
     char *result = "NULL";
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
     SSL_SESSION *pSession = SSL_get_session(ssl);
 
     if (pSession) {
+#ifdef OPENSSL_NO_SSL_INTERN
+        switch (SSL_SESSION_get_compress_id(pSession)) {
+#else
         switch (pSession->compress_meth) {
+#endif
         case 0:
             /* default "NULL" already set */
             break;

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Dec 24 06:31:37 2011
@@ -82,6 +82,11 @@
 #include "ap_expr.h"
 
 /* OpenSSL headers */
+#include <openssl/opensslv.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+/* must be defined before including ssl.h */
+#define OPENSSL_NO_SSL_INTERN
+#endif
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Dec 24 06:31:37 2011
@@ -184,47 +184,6 @@ int SSL_smart_shutdown(SSL *ssl)
 
 /*  _________________________________________________________________
 **
-**  Cipher Suite Spec String Creation
-**  _________________________________________________________________
-*/
-
-char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
-{
-    STACK_OF(SSL_CIPHER) *sk;
-    SSL_CIPHER *c;
-    int i;
-    int l;
-    char *cpCipherSuite;
-    char *cp;
-
-    if (ssl == NULL)
-        return "";
-    if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
-        return "";
-    l = 0;
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        l += strlen(SSL_CIPHER_get_name(c))+2+1;
-    }
-    if (l == 0)
-        return "";
-    cpCipherSuite = (char *)apr_palloc(p, l+1);
-    cp = cpCipherSuite;
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        l = strlen(SSL_CIPHER_get_name(c));
-        memcpy(cp, SSL_CIPHER_get_name(c), l);
-        cp += l;
-        *cp++ = '/';
-        *cp++ = (c->valid == 1 ? '1' : '0');
-        *cp++ = ':';
-    }
-    *(cp-1) = NUL;
-    return cpCipherSuite;
-}
-
-/*  _________________________________________________________________
-**
 **  Certificate Checks
 **  _________________________________________________________________
 */
@@ -464,7 +423,6 @@ int SSL_CTX_use_certificate_chain(
     X509 *x509;
     unsigned long err;
     int n;
-    STACK_OF(X509) *extra_certs;
 
     if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
         return -1;
@@ -481,11 +439,14 @@ int SSL_CTX_use_certificate_chain(
         X509_free(x509);
     }
     /* free a perhaps already configured extra chain */
-    extra_certs = ctx->extra_certs;
-    if (extra_certs != NULL) {
-        sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+    if (ctx->extra_certs != NULL) {
+        sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
         ctx->extra_certs = NULL;
     }
+#endif
     /* create new extra chain by loading the certs */
     n = 0;
     while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sat Dec 24 06:31:37 2011
@@ -63,7 +63,6 @@ void        SSL_set_app_data2(SSL *, voi
 X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);
 EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
 int         SSL_smart_shutdown(SSL *ssl);
-char       *SSL_make_ciphersuite(apr_pool_t *, SSL *);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1222917&r1=1222916&r2=1222917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Sat Dec 24 06:31:37 2011
@@ -81,9 +81,16 @@ static X509 *stapling_get_issuer(modssl_
     int i;
     X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
     X509_STORE_CTX inctx;
+    STACK_OF(X509) *extra_certs = NULL;
 
-    for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
-        issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+    extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+    for (i = 0; i < sk_X509_num(extra_certs); i++) {
+        issuer = sk_X509_value(extra_certs, i);
         if (X509_check_issued(issuer, x) == X509_V_OK) {
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
             return issuer;



Mime
View raw message