httpd-dev mailing list archives

From Stefan Sperling <s...@apache.org>
Subject namespacing in mod_ssl
Date Wed, 15 Apr 2015 16:36:21 GMT
A few months ago, OpenBSD's LibreSSL added a new function
called SSL_CTX_use_certificate_chain().
This unexpectedly broke the build of Apache's mod_ssl which defines
a function of the same name. In OpenBSD this was worked around by
patching mod_ssl, renaming the clashing function.

Since then LibreSSL has renamed to SSL_CTX_use_certificate_chain_mem().
This resolved the immediate problem and mod_ssl patches could be dropped.

However, the actual issue here is that mod_ssl is squatting the SSL_ namespace.
Historically this may have made sense (it seems mod_ssl and OpenSSL have
shared history/authors). Bill Rowe suggested to try moving mod_ssl's
functions into the ap_ namespace to avoid such clashes in the future.

I have verified that no undefined references or undeclared symbols
are reported by gcc during the build with this diff.
I have tested startup of a httpd with mod_ssl loaded.
Additional testing is appreciated.

I'm not sure how README.dsov.ps should be regenerated.
It contains a reference to SSL_get_app_data2().
For now I've only updated the .dsov.fig file.

Index: modules/ssl/README.dsov.fig
===================================================================
--- modules/ssl/README.dsov.fig	(revision 1673798)
+++ modules/ssl/README.dsov.fig	(working copy)
@@ -339,7 +339,7 @@
 4 0 0 200 0 20 8 0.0000 4 90 465 11745 4770 ->method\001
 4 0 0 200 0 20 8 0.0000 4 120 1665 9945 6480 X509_STORE_CTX_get_app_data()\001
 4 0 0 200 0 20 8 0.0000 4 120 1215 10980 6705 SSL_CTX_get_cert_store()\001
-4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 SSL_get_app_data2()\001
+4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 ap_SSL_get_app_data2()\001
 4 0 0 100 0 18 20 0.0000 4 270 1290 10710 7605 OpenSSL\001
 4 0 0 100 0 18 12 0.0000 4 180 720 10710 7785 [Crypto]\001
 4 0 0 100 0 18 20 0.0000 4 270 1290 10935 3645 OpenSSL\001
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c	(revision 1673798)
+++ modules/ssl/mod_ssl.c	(working copy)
@@ -570,7 +570,7 @@
     }
 
     SSL_set_app_data(ssl, c);
-    SSL_set_app_data2(ssl, NULL); /* will be request_rec */
+    ap_SSL_set_app_data2(ssl, NULL); /* will be request_rec */
 
     sslconn->ssl = ssl;
 
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c	(revision 1673798)
+++ modules/ssl/ssl_engine_init.c	(working copy)
@@ -148,12 +148,12 @@
     apr_status_t rv;
     apr_array_header_t *pphrases;
 
-    if (SSLeay() < SSL_LIBRARY_VERSION) {
+    if (SSLeay() < AP_SSL_LIBRARY_VERSION) {
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
                      "Init: this version of mod_ssl was compiled against "
                      "a newer library (%s, version currently loaded is %s)"
                      " - may result in undefined or erroneous behavior",
-                     SSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
+                     AP_SSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
     }
 
     /* We initialize mc->pid per-process in the child init,
@@ -242,7 +242,7 @@
 #endif
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01883)
-                 "Init: Initialized %s library", SSL_LIBRARY_NAME);
+                 "Init: Initialized %s library", AP_SSL_LIBRARY_NAME);
 
     /*
      * Seed the Pseudo Random Number Generator (PRNG)
@@ -348,7 +348,7 @@
      */
     ssl_add_version_components(p, base_server);
 
-    SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
+    ap_SSL_init_app_data2_idx(); /* for ap_SSL_get_app_data2() at request time */
 
     init_dh_params();
 
@@ -871,9 +871,9 @@
         }
     }
 
-    n = SSL_CTX_use_certificate_chain(mctx->ssl_ctx,
-                                      (char *)chain,
-                                      skip_first, NULL);
+    n = ap_SSL_CTX_use_certificate_chain(mctx->ssl_ctx,
+                                         (char *)chain,
+                                         skip_first, NULL);
     if (n < 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
                 "Failed to configure CA certificate chain!");
@@ -946,7 +946,7 @@
      * Some information about the certificate(s)
      */
 
-    if (SSL_X509_getBC(cert, &is_ca, &pathlen)) {
+    if (ap_SSL_X509_getBC(cert, &is_ca, &pathlen)) {
         if (is_ca) {
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01906)
                          "%s server certificate is a CA certificate "
@@ -961,8 +961,8 @@
         }
     }
 
-    if (SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
-                            TRUE, s) == FALSE) {
+    if (ap_SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
+                               TRUE, s) == FALSE) {
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909)
                      "%s server certificate does NOT include an ID "
                      "which matches the server name", key_id);
@@ -1249,11 +1249,11 @@
     sk = sk_X509_INFO_new_null();
 
     if (pkp->cert_file) {
-        SSL_X509_INFO_load_file(ptemp, sk, pkp->cert_file);
+        ap_SSL_X509_INFO_load_file(ptemp, sk, pkp->cert_file);
     }
 
     if (pkp->cert_path) {
-        SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
+        ap_SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
     }
 
     if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
@@ -1640,7 +1640,7 @@
 
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
                      "CA certificate: %s",
-                     SSL_X509_NAME_to_string(ptemp, name, 0));
+                     ap_SSL_X509_NAME_to_string(ptemp, name, 0));
 
         /*
          * note that SSL_load_client_CA_file() checks for duplicates,
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c	(revision 1673798)
+++ modules/ssl/ssl_engine_io.c	(working copy)
@@ -1051,7 +1051,7 @@
     }
 
     SSL_set_shutdown(ssl, shutdown_type);
-    SSL_smart_shutdown(ssl);
+    ap_SSL_smart_shutdown(ssl);
 
     /* and finally log the fact that we've closed the connection */
     if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), loglevel)) {
@@ -1181,8 +1181,8 @@
             hostname_note) {
             apr_table_unset(c->notes, "proxy-request-hostname");
             if (!cert
-                || SSL_X509_match_name(c->pool, cert, hostname_note,
-                                       TRUE, server) == FALSE) {
+                || ap_SSL_X509_match_name(c->pool, cert, hostname_note,
+                                          TRUE, server) == FALSE) {
                 proxy_ssl_check_peer_ok = FALSE;
                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
                               "SSL Proxy: Peer certificate does not match "
@@ -2186,7 +2186,7 @@
             }
             ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
                     "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s",
-                    SSL_LIBRARY_NAME,
+                    AP_SSL_LIBRARY_NAME,
                     (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
                     rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
                     bio, argp, dump);
@@ -2196,7 +2196,7 @@
         else {
             ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
                     "%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: %pp]",
-                    SSL_LIBRARY_NAME, argi,
+                    AP_SSL_LIBRARY_NAME, argi,
                     (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
                     bio, argp);
         }
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c	(revision 1673798)
+++ modules/ssl/ssl_engine_kernel.c	(working copy)
@@ -229,7 +229,7 @@
         }
     }
 #endif
-    SSL_set_app_data2(ssl, r);
+    ap_SSL_set_app_data2(ssl, r);
 
     /*
      * Log information about incoming HTTPS requests
@@ -1385,7 +1385,7 @@
     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
                                           SSL_get_ex_data_X509_STORE_CTX_idx());
     conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
-    request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
+    request_rec *r      = (request_rec *)ap_SSL_get_app_data2(ssl);
     server_rec *s       = r ? r->server : mySrvFromConn(conn);
 
     SSLSrvConfigRec *sc = mySrvConfig(s);
@@ -1654,7 +1654,7 @@
                             const char *result,
                             long timeout)
 {
-    char buf[SSL_SESSION_ID_STRING_LEN];
+    char buf[AP_SSL_SESSION_ID_STRING_LEN];
     char timeout_str[56] = {'\0'};
 
     if (!APLOGdebug(s)) {
@@ -1670,7 +1670,7 @@
                  "Inter-Process Session Cache: "
                  "request=%s status=%s id=%s %s(session %s)",
                  request, status,
-                 SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
+                 ap_SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
                  timeout_str, result);
 }
 
@@ -1811,32 +1811,32 @@
      */
     if (where & SSL_CB_HANDSHAKE_START) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
-                      "%s: Handshake: start", SSL_LIBRARY_NAME);
+                      "%s: Handshake: start", AP_SSL_LIBRARY_NAME);
     }
     else if (where & SSL_CB_HANDSHAKE_DONE) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
-                      "%s: Handshake: done", SSL_LIBRARY_NAME);
+                      "%s: Handshake: done", AP_SSL_LIBRARY_NAME);
     }
     else if (where & SSL_CB_LOOP) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
                       "%s: Loop: %s",
-                      SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+                      AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
     }
     else if (where & SSL_CB_READ) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
                       "%s: Read: %s",
-                      SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+                      AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
     }
     else if (where & SSL_CB_WRITE) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
                       "%s: Write: %s",
-                      SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+                      AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
     }
     else if (where & SSL_CB_ALERT) {
         char *str = (where & SSL_CB_READ) ? "read" : "write";
         ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
                       "%s: Alert: %s:%s:%s",
-                      SSL_LIBRARY_NAME, str,
+                      AP_SSL_LIBRARY_NAME, str,
                       SSL_alert_type_string_long(rc),
                       SSL_alert_desc_string_long(rc));
     }
@@ -1844,12 +1844,12 @@
         if (rc == 0) {
             ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
                           "%s: Exit: failed in %s",
-                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+                          AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
         }
         else if (rc < 0) {
             ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
                           "%s: Exit: error in %s",
-                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+                          AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
         }
     }
 
Index: modules/ssl/ssl_engine_log.c
===================================================================
--- modules/ssl/ssl_engine_log.c	(revision 1673798)
+++ modules/ssl/ssl_engine_log.c	(working copy)
@@ -141,8 +141,8 @@
             int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2;
 
             BIO_puts(bio, " [subject: ");
-            name = SSL_X509_NAME_to_string(p, X509_get_subject_name(cert),
-                                           maxdnlen);
+            name = ap_SSL_X509_NAME_to_string(p, X509_get_subject_name(cert),
+                                              maxdnlen);
             if (!strIsEmpty(name)) {
                 BIO_puts(bio, name);
             } else {
@@ -150,8 +150,8 @@
             }
 
             BIO_puts(bio, " / issuer: ");
-            name = SSL_X509_NAME_to_string(p, X509_get_issuer_name(cert),
-                                           maxdnlen);
+            name = ap_SSL_X509_NAME_to_string(p, X509_get_issuer_name(cert),
+                                              maxdnlen);
             if (!strIsEmpty(name)) {
                 BIO_puts(bio, name);
             } else {
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c	(revision 1673798)
+++ modules/ssl/ssl_engine_pphrase.c	(working copy)
@@ -216,7 +216,7 @@
          * is not empty. */
         ERR_clear_error();
 
-        bReadable = ((pPrivateKey = SSL_read_PrivateKey(ppcb_arg.pkey_file,
+        bReadable = ((pPrivateKey = ap_SSL_read_PrivateKey(ppcb_arg.pkey_file,
                      NULL, ssl_pphrase_Handle_CB, &ppcb_arg)) != NULL ?
                      TRUE : FALSE);
 
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c	(revision 1673798)
+++ modules/ssl/ssl_engine_vars.c	(working copy)
@@ -131,7 +131,7 @@
 }
 
 static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
-static char var_library_interface[] = SSL_LIBRARY_TEXT;
+static char var_library_interface[] = AP_SSL_LIBRARY_TEXT;
 static char *var_library = NULL;
 
 static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx,
@@ -185,7 +185,7 @@
     APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
 
     /* Perform once-per-process library version determination: */
-    var_library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+    var_library = apr_pstrdup(p, AP_SSL_LIBRARY_DYNTEXT);
 
     if ((cp = strchr(var_library, ' ')) != NULL) {
         *cp = '/';
@@ -406,7 +406,7 @@
         result = (char *)SSL_get_version(ssl);
     }
     else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
-        char buf[SSL_SESSION_ID_STRING_LEN];
+        char buf[AP_SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
         if (pSession) {
             unsigned char *id;
@@ -419,8 +419,8 @@
             idlen = pSession->session_id_length;
 #endif
 
-            result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
-                                                      buf, sizeof(buf)));
+            result = apr_pstrdup(p, ap_SSL_SESSION_id2sz(id, idlen,
+                                                         buf, sizeof(buf)));
         }
     }
     else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
@@ -651,7 +651,7 @@
                 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
 
                 if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
-                    result = SSL_X509_NAME_ENTRY_to_string(p, xsne);
+                    result = ap_SSL_X509_NAME_ENTRY_to_string(p, xsne);
                     break;
                 }
             }
@@ -682,7 +682,7 @@
     if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
         return NULL;
 
-    if (SSL_X509_getSAN(p, xs, type, atoi(var), &entries))
+    if (ap_SSL_X509_getSAN(p, xs, type, atoi(var), &entries))
        /* return the first entry from this 1-element array */
        return APR_ARRAY_IDX(entries, 0, char *);
     else
@@ -807,7 +807,7 @@
             char *decimal = BN_bn2dec(bn);
             result = apr_pstrcat(p, "{ serialNumber ", decimal,
                     ", issuer rdnSequence:\"",
-                    SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
+                    ap_SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
             OPENSSL_free(decimal);
             BN_free(bn);
         }
@@ -972,7 +972,7 @@
                  apr_hash_set(count, &nid, sizeof nid, dup);
                  key = apr_pstrcat(p, pfx, tag, NULL);
              }
-             value = SSL_X509_NAME_ENTRY_to_string(p, xsne);
+             value = ap_SSL_X509_NAME_ENTRY_to_string(p, xsne);
              apr_table_setn(t, key, value);
          }
     }
@@ -1032,10 +1032,10 @@
     /* subjectAltName entries of the server certificate */
     xs = SSL_get_certificate(ssl);
     if (xs) {
-        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
+        if (ap_SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
             extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
         }
-        if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
+        if (ap_SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
             extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
         }
         /* no need to free xs (refcount does not increase) */
@@ -1044,10 +1044,10 @@
     /* subjectAltName entries of the client certificate */
     xs = SSL_get_peer_certificate(ssl);
     if (xs) {
-        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
+        if (ap_SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
             extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
         }
-        if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
+        if (ap_SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
             extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
         }
         X509_free(xs);
Index: modules/ssl/ssl_scache.c
===================================================================
--- modules/ssl/ssl_scache.c	(revision 1673798)
+++ modules/ssl/ssl_scache.c	(working copy)
@@ -115,7 +115,7 @@
                       apr_pool_t *p)
 {
     SSLModConfigRec *mc = myModConfig(s);
-    unsigned char encoded[SSL_SESSION_MAX_DER], *ptr;
+    unsigned char encoded[AP_SSL_SESSION_MAX_DER], *ptr;
     unsigned int len;
     apr_status_t rv;
 
@@ -148,8 +148,8 @@
                                  apr_pool_t *p)
 {
     SSLModConfigRec *mc = myModConfig(s);
-    unsigned char dest[SSL_SESSION_MAX_DER];
-    unsigned int destlen = SSL_SESSION_MAX_DER;
+    unsigned char dest[AP_SSL_SESSION_MAX_DER];
+    unsigned int destlen = AP_SSL_SESSION_MAX_DER;
     const unsigned char *ptr;
     apr_status_t rv;
 
Index: modules/ssl/ssl_util_ssl.c
===================================================================
--- modules/ssl/ssl_util_ssl.c	(revision 1673798)
+++ modules/ssl/ssl_util_ssl.c	(working copy)
@@ -40,7 +40,7 @@
  */
 static int SSL_app_data2_idx = -1;
 
-void SSL_init_app_data2_idx(void)
+void ap_SSL_init_app_data2_idx(void)
 {
     int i;
 
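Review bot: The file-scope index `SSL_app_data2_idx`, on the context line just above the renamed function, keeps the `SSL_` prefix, so one mod_ssl identifier is left in the namespace this change is meant to vacate. Because it is `static` it cannot clash at link time, but it would presumably still break the build if an SSL library header ever declared the same name. Renaming it along with its users, following the patch's own convention (`static int ap_SSL_app_data2_idx = -1;`), would finish the job; the get/set helpers in the next hunk reference it as well. The body of the init function continues outside this hunk.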
@@ -57,12 +57,12 @@
     }
 }
 
-void *SSL_get_app_data2(SSL *ssl)
+void *ap_SSL_get_app_data2(SSL *ssl)
 {
     return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
 }
 
-void SSL_set_app_data2(SSL *ssl, void *arg)
+void ap_SSL_set_app_data2(SSL *ssl, void *arg)
 {
     SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
     return;
@@ -74,7 +74,7 @@
 **  _________________________________________________________________
 */
 
-EVP_PKEY *SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb *cb,
void *s)
+EVP_PKEY *ap_SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb *cb,
void *s)
 {
     EVP_PKEY *rc;
     BIO *bioS;
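Review bot: The renamed definition of `ap_SSL_read_PrivateKey` is still written as a single line of roughly 100 columns. In this posting its trailing `void *s)` has been wrapped onto an unmarked line on both the old and the new side, so the patch may not apply as mailed. The other multi-line signatures in this patch were re-wrapped and re-aligned, and this one could be too: `EVP_PKEY *ap_SSL_read_PrivateKey(const char* filename, EVP_PKEY **key,` followed by `pem_password_cb *cb, void *s)` aligned under the first parameter. The function body continues outside the hunk.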
@@ -121,7 +121,7 @@
 **  _________________________________________________________________
 */
 
-int SSL_smart_shutdown(SSL *ssl)
+int ap_SSL_smart_shutdown(SSL *ssl)
 {
     int i;
     int rc;
@@ -161,7 +161,7 @@
 */
 
 /* retrieve basic constraints ingredients */
-BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
+BOOL ap_SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
 {
     BASIC_CONSTRAINTS *bc;
     BIGNUM *bn = NULL;
@@ -191,7 +191,7 @@
 }
 
 /* convert an ASN.1 string to a UTF-8 string (escaping control characters) */
-char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
+char *ap_SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
 {
     char *result = NULL;
     BIO *bio;
@@ -213,9 +213,9 @@
 }
 
 /* convert a NAME_ENTRY to UTF8 string */
-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+char *ap_SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
 {
-    char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
+    char *result = ap_SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
     ap_xlate_proto_from_ascii(result, len);
     return result;
 }
@@ -224,7 +224,7 @@
  * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
  * to maxlen characters (specify a maxlen of 0 for no length limit)
  */
-char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
+char *ap_SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
 {
     char *result = NULL;
     BIO *bio;
@@ -259,8 +259,8 @@
  * GEN_EMAIL (rfc822Name)
  * GEN_DNS (dNSName)
  */
-BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
-                     apr_array_header_t **entries)
+BOOL ap_SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
+                        apr_array_header_t **entries)
 {
     STACK_OF(GENERAL_NAME) *names;
 
@@ -282,7 +282,7 @@
                     switch (type) {
                     case GEN_EMAIL:
                     case GEN_DNS:
-                        utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5);
+                        utf8str = ap_SSL_ASN1_STRING_to_utf8(p, name->d.ia5);
                         if (utf8str) {
                             APR_ARRAY_PUSH(*entries, const char *) = utf8str;
                         }
@@ -313,7 +313,7 @@
 }
 
 /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
-BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
+BOOL ap_SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
 {
     X509_NAME *subj;
     int i = -1;
@@ -320,7 +320,7 @@
 
     /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
     if (!x509 ||
-        (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
+        (ap_SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
         *ids = NULL;
         return FALSE;
     }
@@ -329,7 +329,7 @@
     subj = X509_get_subject_name(x509);
     while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
         APR_ARRAY_PUSH(*ids, const char *) = 
-            SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
+            ap_SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
     }
 
     return apr_is_empty_array(*ids) ? FALSE : TRUE;
@@ -340,8 +340,8 @@
  * DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching.
  * If server_rec is non-NULL, some (debug/trace) logging is enabled.
  */
-BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
-                         BOOL allow_wildcard, server_rec *s)
+BOOL ap_SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
+                            BOOL allow_wildcard, server_rec *s)
 {
     BOOL matched = FALSE;
     apr_array_header_t *ids;
@@ -356,7 +356,7 @@
      *    is found).
      */
 
-    if (SSL_X509_getIDs(p, x509, &ids)) {
+    if (ap_SSL_X509_getIDs(p, x509, &ids)) {
         const char *cp;
         int i;
         char **id = (char **)ids->elts;
@@ -387,8 +387,8 @@
 
             if (s) {
                 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
-                             "[%s] SSL_X509_match_name: expecting name '%s', "
-                             "%smatched by ID '%s'",
+                             "[%s] ap_SSL_X509_match_name: expecting name "
+                             "'%s', %smatched by ID '%s'",
                              (mySrvConfig(s))->vhost_id, name,
                              matched == TRUE ? "" : "NOT ", id[i]);
             }
@@ -417,9 +417,9 @@
 **  _________________________________________________________________
 */
 
-BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
-                             STACK_OF(X509_INFO) *sk,
-                             const char *filename)
+BOOL ap_SSL_X509_INFO_load_file(apr_pool_t *ptemp,
+                                STACK_OF(X509_INFO) *sk,
+                                const char *filename)
 {
     BIO *in;
 
@@ -441,9 +441,9 @@
     return TRUE;
 }
 
-BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
-                             STACK_OF(X509_INFO) *sk,
-                             const char *pathname)
+BOOL ap_SSL_X509_INFO_load_path(apr_pool_t *ptemp,
+                                STACK_OF(X509_INFO) *sk,
+                                const char *pathname)
 {
     /* XXX: this dir read code is exactly the same as that in
      * ssl_engine_init.c, only the call to handle the fullname is different,
@@ -468,7 +468,7 @@
                                pathname, "/", dirent.name,
                                NULL);
 
-        if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
+        if (ap_SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
             ok = TRUE;
         }
     }
@@ -521,7 +521,7 @@
  * format, possibly followed by a sequence of CA certificates that
  * should be sent to the peer in the SSL Certificate message.
  */
-int SSL_CTX_use_certificate_chain(
+int ap_SSL_CTX_use_certificate_chain(
     SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
 {
     BIO *bio;
@@ -581,8 +581,8 @@
 **  _________________________________________________________________
 */
 
-char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
-                        char *str, int strsize)
+char *ap_SSL_SESSION_id2sz(unsigned char *id, int idlen,
+                           char *str, int strsize)
 {
     if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
         idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
Index: modules/ssl/ssl_util_ssl.h
===================================================================
--- modules/ssl/ssl_util_ssl.h	(revision 1673798)
+++ modules/ssl/ssl_util_ssl.h	(working copy)
@@ -38,10 +38,10 @@
  * SSL library version number
  */
 
-#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
-#define SSL_LIBRARY_NAME    "OpenSSL"
-#define SSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
-#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+#define AP_SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+#define AP_SSL_LIBRARY_NAME    "OpenSSL"
+#define AP_SSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
+#define AP_SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
 
 /**
  *  Maximum length of a DER encoded session.
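Review bot: `AP_`/`ap_` is the prefix the server core uses for its own API (this page already shows `AP_SERVER_BASEREVISION`, `ap_log_error` and `ap_xlate_proto_from_ascii`). These module-private macros, and the `ap_SSL_*` prototypes in the next hunk, therefore move from one borrowed namespace into another. mod_ssl's own helpers visible in the diff use an `ssl_` prefix (`ssl_add_version_components`, `ssl_pphrase_Handle_CB`). A module-local prefix for the renamed names would guard against a future clash with the core in the same way this patch guards against one with the SSL library.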
@@ -48,31 +48,31 @@
  *  FIXME: There is no define in OpenSSL, but OpenSSL uses 1024*10,
  *         so this value should be ok. Although we have no warm feeling.
  */
-#define SSL_SESSION_MAX_DER 1024*10
+#define AP_SSL_SESSION_MAX_DER 1024*10
 
-/** max length for SSL_SESSION_id2sz */
-#define SSL_SESSION_ID_STRING_LEN \
+/** max length for AP_SSL_SESSION_id2sz */
+#define AP_SSL_SESSION_ID_STRING_LEN \
     ((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)
 
 /**
  *  Additional Functions
  */
-void        SSL_init_app_data2_idx(void);
-void       *SSL_get_app_data2(SSL *);
-void        SSL_set_app_data2(SSL *, void *);
-EVP_PKEY   *SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *);
-int         SSL_smart_shutdown(SSL *ssl);
-BOOL        SSL_X509_getBC(X509 *, int *, int *);
-char       *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
-char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
-char       *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
-BOOL        SSL_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
-BOOL        SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
-BOOL        SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
-BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
-char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
+void        ap_SSL_init_app_data2_idx(void);
+void       *ap_SSL_get_app_data2(SSL *);
+void        ap_SSL_set_app_data2(SSL *, void *);
+EVP_PKEY   *ap_SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *);
+int         ap_SSL_smart_shutdown(SSL *ssl);
+BOOL        ap_SSL_X509_getBC(X509 *, int *, int *);
+char       *ap_SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
+char       *ap_SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
+char       *ap_SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+BOOL        ap_SSL_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
+BOOL        ap_SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
+BOOL        ap_SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
+BOOL        ap_SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
+BOOL        ap_SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
+int         ap_SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
+char       *ap_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
 
 #endif /* __SSL_UTIL_SSL_H__ */
 /** @} */
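Review bot: The updated comment on the session-id length macro names `AP_SSL_SESSION_id2sz`, but the function this hunk declares is `ap_SSL_SESSION_id2sz` with a lower-case prefix, so the comment points at an identifier that does not exist. It should read `/** max length for ap_SSL_SESSION_id2sz */`. While the line is being touched, `#define AP_SSL_SESSION_MAX_DER 1024*10` would be safer as `#define AP_SSL_SESSION_MAX_DER (1024*10)`. The uses visible in this patch (an array size and an initializer) are fine, but the unparenthesized form would bind wrongly inside a larger expression.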
