From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <madhusudan_mathiha...@hp.com>
Subject [PATCH] cleaning up mod_ssl
Date Thu, 10 Jan 2002 01:14:06 GMT
Hi,
	I was trying to get mod_ssl to work with other SSL toolkits, and I
thought the following changes might be helpful for everybody.. I've tested
the following patch with OpenSSL also and it seems to be fine.. The
highlight of the changes include :
1. Make use of SSL functions/macros wherever possible, and avoid
referring to the data-structure elements where possible
2. INCLUDE type-casting in some cases, as most of the functions return a
generic pointer.. 
3. The SSL include files need not be in $SSL/include/openssl - we should be
able to pick them up from $SSL/include as well.

	It'd be great if somebody could please review the changes and commit
them if you feel it is appropriate.

-Madhu


Index: acinclude.m4
===================================================================
RCS file: /home/cvspublic/httpd-2.0/acinclude.m4,v
retrieving revision 1.108
diff -u -r1.108 acinclude.m4
--- acinclude.m4        6 Jan 2002 23:39:50 -0000       1.108
+++ acinclude.m4        10 Jan 2002 01:05:46 -0000
@@ -451,6 +451,9 @@
     if test -f "$p/openssl/ssl.h"; then
       ap_ssltk_incdir="$p"
       break
+    elif test -f "$p/ssl.h"; then
+      ap_ssltk_incdir="$p"
+      break
     fi
   done
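Review bot: The new `elif test -f "$p/ssl.h"` branch accepts any directory that happens to contain a file named ssl.h and then breaks out of the loop, so a stray or unrelated ssl.h in an earlier search-path entry now wins over a genuine $p/openssl/ssl.h in a later one, and ap_ssltk_incdir then points at a directory with no openssl/ subdirectory to satisfy the openssl/-prefixed includes the existing check implies the module uses. I would confirm the include directives (or a compat header) are adjusted to match, and add a comment naming which toolkit lays its headers out flat, e.g. `# some SSL toolkits install ssl.h directly under $p rather than $p/openssl`. The enclosing for loop starts outside the hunk.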

Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.22
diff -u -r1.22 ssl_engine_init.c
--- ssl_engine_init.c   9 Jan 2002 22:21:34 -0000       1.22
+++ ssl_engine_init.c   10 Jan 2002 01:00:21 -0000
@@ -604,7 +604,7 @@
                     "CA certificates for client authentication",
cpVHostID);
             ssl_die();
         }
-        SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);
+        SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
     }

     /*
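Review bot: The `(STACK *)` cast on the SSL_CTX_set_client_CA_list argument throws away the type information that `STACK_OF(X509_NAME)` exists to carry, so a wrong-typed stack passed here is no longer caught at compile time; the same applies to the `(STACK_OF(...) *)` casts on the return values in the SSL_CTX_get_client_CA_list hunk, both SSL_load_client_CA_file hunks, both SSL_get_ciphers hunks and both SSL_get_peer_cert_chain hunks in ssl_engine_kernel.c. With OpenSSL these prototypes already use the typed stack, so depending on the safestack configuration of the OpenSSL build the casts are either no-ops or silence checks the build would otherwise give you, and they only exist to fit the other toolkit's prototypes. I would keep the call sites clean and confine the conversion to one place, something like a compat macro `#define ssl_stack_cast(type, p) ((STACK_OF(type) *)(p))` in the mod_ssl headers, with a comment naming the toolkit whose prototypes use the untyped STACK so the cast can be dropped when it is no longer needed. The enclosing function starts and ends outside the hunk.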
@@ -628,7 +628,7 @@
      * should take place. This cannot work.
      */
     if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
-        skCAList = SSL_CTX_get_client_CA_list(ctx);
+        skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
         if (sk_X509_NAME_num(skCAList) == 0)
             ssl_log(s, SSL_LOG_WARN,
                     "Init: Ops, you want to request client authentication,
"
@@ -785,7 +785,7 @@
         && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
         pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
         if (   pKey != NULL
-            && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA
+            && EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA
             && EVP_PKEY_missing_parameters(pKey))
             EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
     }
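Review bot: `EVP_PKEY_key_type(pKey)` is not defined anywhere in this patch, and neither are `SSL_SESSION_get_session_id` and `SSL_SESSION_get_session_id_length` used by the two session-cache callback hunks in ssl_engine_kernel.c; if these are accessors of the other toolkit, the patch needs matching compat definitions for the OpenSSL build, otherwise the module no longer compiles against the OpenSSL headers it was tested with. The replacement also has to preserve what `EVP_PKEY_type(pKey->type)` did, namely normalizing the DSA key-type variants to EVP_PKEY_DSA, so an accessor that returns the raw type field would silently skip the parameter copy for those keys and leave a DSA certificate without parameters at handshake time. A compat definition along the lines of `#define EVP_PKEY_key_type(k) EVP_PKEY_type((k)->type)` for OpenSSL keeps that behavior. The enclosing function starts and ends outside the hunk.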
@@ -924,7 +924,7 @@
      * Process CA certificate bundle file
      */
     if (cpCAfile != NULL) {
-        sk = SSL_load_client_CA_file(cpCAfile);
+        sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cpCAfile);
         for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
             ssl_log(s, SSL_LOG_TRACE,
                     "CA certificate: %s",
@@ -941,7 +941,7 @@
         apr_dir_open(&dir, cpCApath, p);
         while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) !=
APR_SUCCESS) {
             cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
-            sk = SSL_load_client_CA_file(cp);
+            sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cp);
             for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
                 ssl_log(s, SSL_LOG_TRACE,
                         "CA certificate: %s",
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.37
diff -u -r1.37 ssl_engine_kernel.c
--- ssl_engine_kernel.c 29 Nov 2001 07:30:30 -0000      1.37
+++ ssl_engine_kernel.c 10 Jan 2002 01:00:21 -0000
@@ -489,7 +489,7 @@
         if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
             pCipher = SSL_get_current_cipher(ssl);
         else {
-            skCipherOld = SSL_get_ciphers(ssl);
+            skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
             if (skCipherOld != NULL)
                 skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
         }
@@ -502,7 +502,7 @@
             return HTTP_FORBIDDEN;
         }
         /* determine whether a renegotiation has to be forced */
-        skCipher = SSL_get_ciphers(ssl);
+        skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
         if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
             /* optimized way */
             if ((pCipher == NULL && skCipher != NULL) ||
@@ -751,7 +751,7 @@
                 ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate
storage");
                 return HTTP_FORBIDDEN;
             }
-            certstack = SSL_get_peer_cert_chain(ssl);
+            certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
             if (certstack == NULL || sk_X509_num(certstack) == 0) {
                 ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer
certificate chain");
                 return HTTP_FORBIDDEN;
@@ -788,7 +788,7 @@
                 return HTTP_FORBIDDEN;
             }
             ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation
handshake");
-            SSL_set_state(ssl, SSL_ST_ACCEPT);
+            SSL_set_accept_state(ssl);
             SSL_do_handshake(ssl);

             ssl_bio_hooks_unset(ssl);
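Review bot: `SSL_set_accept_state(ssl)` is not a drop-in replacement for `SSL_set_state(ssl, SSL_ST_ACCEPT)` on an already established connection: in OpenSSL it also forces server mode, moves the state machine to SSL_ST_BEFORE|SSL_ST_ACCEPT and, as far as I recall, clears the current cipher context, which would strip the record-layer protection of the live connection before the forced renegotiation handshake runs. Since this is the path that enforces stricter per-directory client-certificate and cipher requirements, a renegotiation that no longer completes must still fail closed; the hunk does not check the result of `SSL_do_handshake(ssl)`, so if the lines after the hunk do not verify the resulting state either, a failed renegotiation would let the request through. I would verify with both toolkits that the renegotiation still completes and that a failure is reported, e.g. `if (SSL_do_handshake(ssl) <= 0) { ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation handshake failed"); return HTTP_FORBIDDEN; }`. The enclosing function starts and ends outside the hunk.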
@@ -1124,7 +1124,7 @@
         apr_table_set(e, "SSL_SERVER_CERT", val);
         val = ssl_var_lookup(r->pool, r->server, r->connection, r,
"SSL_CLIENT_CERT");
         apr_table_set(e, "SSL_CLIENT_CERT", val);
-        if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
+        if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL)
{
             for (i = 0; i < sk_X509_num(sk); i++) {
                 var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
                 val = ssl_var_lookup(r->pool, r->server, r->connection, r,
var);
@@ -1485,11 +1485,14 @@
 #else
             revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
 #endif
-            if (ASN1_INTEGER_cmp(revoked->serialNumber,
X509_get_serialNumber(xs)) == 0) {
+            if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked),
+                                 X509_get_serialNumber(xs)) == 0) {
+

                 if (sc->nLogLevel >= SSL_LOG_INFO) {
                     char *cp = X509_NAME_oneline(issuer, NULL, 0);
-                    long serial = ASN1_INTEGER_get(revoked->serialNumber);
+                    long serial = ASN1_INTEGER_get(
+
X509_REVOKED_get_serialNumber(revoked));

                     ssl_log(s, SSL_LOG_INFO,
                             "Certificate with serial %ld (0x%lX) "
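Review bot: The added line directly after the new `if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked), ...) == 0) {` is an empty `+` line, which leaves a blank line at the top of the block where the next context line is already blank; the same stray blank lines are added after the new declarations and after the new `ssl_scache_store` and `ssl_scache_remove` calls in the two session-cache callback hunks, each followed by an existing blank context line. I would drop them so the hunks stay minimal and the surrounding layout is unchanged. Switching to `X509_REVOKED_get_serialNumber` itself is the right direction and consistent with the rest of the patch. The enclosing function starts and ends outside the hunk.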
@@ -1520,6 +1523,9 @@
     SSLSrvConfigRec *sc;
     long t;
     BOOL rc;
+    unsigned char *session_id;
+    unsigned int session_id_length;
+

     /*
      * Get Apache context back through OpenSSL context
@@ -1539,8 +1545,12 @@
      * Store the SSL_SESSION in the inter-process cache with the
      * same expire time, so it expires automatically there, too.
      */
+    session_id = SSL_SESSION_get_session_id(pNew);
+    session_id_length = SSL_SESSION_get_session_id_length(pNew);
+
     t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
-    rc = ssl_scache_store(s, pNew->session_id, pNew->session_id_length, t,
pNew);
+    rc = ssl_scache_store(s, session_id, session_id_length, t, pNew);
+

     /*
      * Log this cache operation
@@ -1548,7 +1558,7 @@
     ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
             "request=SET status=%s id=%s timeout=%ds (session caching)",
             rc == TRUE ? "OK" : "BAD",
-            SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
+            SSL_SESSION_id2sz(session_id, session_id_length),
             t-time(NULL));

     /*
@@ -1615,6 +1625,9 @@
     SSL_CTX *ctx, SSL_SESSION *pSession)
 {
     server_rec *s;
+    unsigned char *session_id;
+    unsigned int session_id_length;
+

     /*
      * Get Apache context back through OpenSSL context
@@ -1626,15 +1639,18 @@
     /*
      * Remove the SSL_SESSION from the inter-process cache
      */
-    ssl_scache_remove(s, pSession->session_id,
pSession->session_id_length);
+    session_id = SSL_SESSION_get_session_id(pSession);
+    session_id_length = SSL_SESSION_get_session_id_length(pSession);
+
+    ssl_scache_remove(s, session_id, session_id_length);
+

     /*
      * Log this cache operation
      */
     ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
             "request=REM status=OK id=%s (session dead)",
-            SSL_SESSION_id2sz(pSession->session_id,
-            pSession->session_id_length));
+            SSL_SESSION_id2sz(session_id, session_id_length));

     return;
 }
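Review bot: The new `session_id` local is only ever read here and handed to `ssl_scache_remove`, so `const unsigned char *session_id;` would document that and compile cleanly if the toolkit's accessor returns a const pointer, as accessors of this kind usually do; the same applies to the `session_id` declared in the new-session callback hunk, where it feeds `ssl_scache_store`. This presumes ssl_scache_remove and ssl_scache_store take a const id pointer, which I cannot see from the hunk, so adjust their prototypes first if they do not. The enclosing function starts outside the hunk.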
