From Jeff Trawick <traw...@gmail.com>
Subject Re: namespacing in mod_ssl
Date Wed, 15 Apr 2015 19:54:01 GMT
On 04/15/2015 11:36 AM, Stefan Sperling wrote:
> A few months ago, OpenBSD's LibreSSL added a new function
> called SSL_CTX_use_certificate_chain().
> This unexpectedly broke the build of Apache's mod_ssl which defines
> a function of the same name. In OpenBSD this was worked around by
> patching mod_ssl, renaming the clashing function.
>
> Since then LibreSSL has renamed its function to SSL_CTX_use_certificate_chain_mem().
> This resolved the immediate problem and mod_ssl patches could be dropped.
>
> However, the actual issue here is that mod_ssl is squatting the SSL_ namespace.
> Historically this may have made sense (it seems mod_ssl and OpenSSL have
> shared history/authors). Bill Rowe suggested to try moving mod_ssl's
> functions into the ap_ namespace to avoid such clashes in the future.

IMO it would be appropriate to instead go one by one and make sure we're 
using an appropriate name to begin with for these functions that are 
squatting the SSL namespace, instead of making these often-bewildering 
names ugly and (still) bewildering.

AP_SSL_LIBRARY_NAME is very appropriate, but ap_SSL_set_app_data2 is the 
wrong fix.

>
> I have verified that no undefined references or undeclared symbols
> are reported by gcc during the build with this diff.
> I have tested startup of a httpd with mod_ssl loaded.
> Additional testing is appreciated.
>
> I'm not sure how README.dsov.ps should be regenerated.
> It contains a reference to SSL_get_app_data2().
> For now I've only updated the .dsov.fig file.
>
> Index: modules/ssl/README.dsov.fig
> ===================================================================
> --- modules/ssl/README.dsov.fig	(revision 1673798)
> +++ modules/ssl/README.dsov.fig	(working copy)
> @@ -339,7 +339,7 @@
>   4 0 0 200 0 20 8 0.0000 4 90 465 11745 4770 ->method\001
>   4 0 0 200 0 20 8 0.0000 4 120 1665 9945 6480 X509_STORE_CTX_get_app_data()\001
>   4 0 0 200 0 20 8 0.0000 4 120 1215 10980 6705 SSL_CTX_get_cert_store()\001
> -4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 SSL_get_app_data2()\001
> +4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 ap_SSL_get_app_data2()\001
>   4 0 0 100 0 18 20 0.0000 4 270 1290 10710 7605 OpenSSL\001
>   4 0 0 100 0 18 12 0.0000 4 180 720 10710 7785 [Crypto]\001
>   4 0 0 100 0 18 20 0.0000 4 270 1290 10935 3645 OpenSSL\001
> Index: modules/ssl/mod_ssl.c
> ===================================================================
> --- modules/ssl/mod_ssl.c	(revision 1673798)
> +++ modules/ssl/mod_ssl.c	(working copy)
> @@ -570,7 +570,7 @@
>       }
>   
>       SSL_set_app_data(ssl, c);
> -    SSL_set_app_data2(ssl, NULL); /* will be request_rec */
> +    ap_SSL_set_app_data2(ssl, NULL); /* will be request_rec */
>   
>       sslconn->ssl = ssl;
>   
> Index: modules/ssl/ssl_engine_init.c
> ===================================================================
> --- modules/ssl/ssl_engine_init.c	(revision 1673798)
> +++ modules/ssl/ssl_engine_init.c	(working copy)
> @@ -148,12 +148,12 @@
>       apr_status_t rv;
>       apr_array_header_t *pphrases;
>   
> -    if (SSLeay() < SSL_LIBRARY_VERSION) {
> +    if (SSLeay() < AP_SSL_LIBRARY_VERSION) {
>           ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
>                        "Init: this version of mod_ssl was compiled against "
>                        "a newer library (%s, version currently loaded is %s)"
>                        " - may result in undefined or erroneous behavior",
> -                     SSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
> +                     AP_SSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
>       }
>   
>       /* We initialize mc->pid per-process in the child init,
> @@ -242,7 +242,7 @@
>   #endif
>   
>       ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01883)
> -                 "Init: Initialized %s library", SSL_LIBRARY_NAME);
> +                 "Init: Initialized %s library", AP_SSL_LIBRARY_NAME);
>   
>       /*
>        * Seed the Pseudo Random Number Generator (PRNG)
> @@ -348,7 +348,7 @@
>        */
>       ssl_add_version_components(p, base_server);
>   
> -    SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
> +    ap_SSL_init_app_data2_idx(); /* for ap_SSL_get_app_data2() at request time */
>   
>       init_dh_params();
>   
> @@ -871,9 +871,9 @@
>           }
>       }
>   
> -    n = SSL_CTX_use_certificate_chain(mctx->ssl_ctx,
> -                                      (char *)chain,
> -                                      skip_first, NULL);
> +    n = ap_SSL_CTX_use_certificate_chain(mctx->ssl_ctx,
> +                                         (char *)chain,
> +                                         skip_first, NULL);
>       if (n < 0) {
>           ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
>                   "Failed to configure CA certificate chain!");
> @@ -946,7 +946,7 @@
>        * Some information about the certificate(s)
>        */
>   
> -    if (SSL_X509_getBC(cert, &is_ca, &pathlen)) {
> +    if (ap_SSL_X509_getBC(cert, &is_ca, &pathlen)) {
>           if (is_ca) {
>               ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01906)
>                            "%s server certificate is a CA certificate "
> @@ -961,8 +961,8 @@
>           }
>       }
>   
> -    if (SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
> -                            TRUE, s) == FALSE) {
> +    if (ap_SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
> +                               TRUE, s) == FALSE) {
>           ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909)
>                        "%s server certificate does NOT include an ID "
>                        "which matches the server name", key_id);
> @@ -1249,11 +1249,11 @@
>       sk = sk_X509_INFO_new_null();
>   
>       if (pkp->cert_file) {
> -        SSL_X509_INFO_load_file(ptemp, sk, pkp->cert_file);
> +        ap_SSL_X509_INFO_load_file(ptemp, sk, pkp->cert_file);
>       }
>   
>       if (pkp->cert_path) {
> -        SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
> +        ap_SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
>       }
>   
>       if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
> @@ -1640,7 +1640,7 @@
>   
>           ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
>                        "CA certificate: %s",
> -                     SSL_X509_NAME_to_string(ptemp, name, 0));
> +                     ap_SSL_X509_NAME_to_string(ptemp, name, 0));
>   
>           /*
>            * note that SSL_load_client_CA_file() checks for duplicates,
> Index: modules/ssl/ssl_engine_io.c
> ===================================================================
> --- modules/ssl/ssl_engine_io.c	(revision 1673798)
> +++ modules/ssl/ssl_engine_io.c	(working copy)
> @@ -1051,7 +1051,7 @@
>       }
>   
>       SSL_set_shutdown(ssl, shutdown_type);
> -    SSL_smart_shutdown(ssl);
> +    ap_SSL_smart_shutdown(ssl);
>   
>       /* and finally log the fact that we've closed the connection */
>       if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), loglevel)) {
> @@ -1181,8 +1181,8 @@
>               hostname_note) {
>               apr_table_unset(c->notes, "proxy-request-hostname");
>               if (!cert
> -                || SSL_X509_match_name(c->pool, cert, hostname_note,
> -                                       TRUE, server) == FALSE) {
> +                || ap_SSL_X509_match_name(c->pool, cert, hostname_note,
> +                                          TRUE, server) == FALSE) {
>                   proxy_ssl_check_peer_ok = FALSE;
>                   ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
>                                 "SSL Proxy: Peer certificate does not match "
> @@ -2186,7 +2186,7 @@
>               }
>               ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
>                       "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s",
> -                    SSL_LIBRARY_NAME,
> +                    AP_SSL_LIBRARY_NAME,
>                       (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
>                       rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
>                       bio, argp, dump);
> @@ -2196,7 +2196,7 @@
>           else {
>               ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
>                       "%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: %pp]",
> -                    SSL_LIBRARY_NAME, argi,
> +                    AP_SSL_LIBRARY_NAME, argi,
>                       (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
>                       bio, argp);
>           }
> Index: modules/ssl/ssl_engine_kernel.c
> ===================================================================
> --- modules/ssl/ssl_engine_kernel.c	(revision 1673798)
> +++ modules/ssl/ssl_engine_kernel.c	(working copy)
> @@ -229,7 +229,7 @@
>           }
>       }
>   #endif
> -    SSL_set_app_data2(ssl, r);
> +    ap_SSL_set_app_data2(ssl, r);
>   
>       /*
>        * Log information about incoming HTTPS requests
> @@ -1385,7 +1385,7 @@
>       SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
>                                             SSL_get_ex_data_X509_STORE_CTX_idx());
>       conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
> -    request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
> +    request_rec *r      = (request_rec *)ap_SSL_get_app_data2(ssl);
>       server_rec *s       = r ? r->server : mySrvFromConn(conn);
>   
>       SSLSrvConfigRec *sc = mySrvConfig(s);
> @@ -1654,7 +1654,7 @@
>                               const char *result,
>                               long timeout)
>   {
> -    char buf[SSL_SESSION_ID_STRING_LEN];
> +    char buf[AP_SSL_SESSION_ID_STRING_LEN];
>       char timeout_str[56] = {'\0'};
>   
>       if (!APLOGdebug(s)) {
> @@ -1670,7 +1670,7 @@
>                    "Inter-Process Session Cache: "
>                    "request=%s status=%s id=%s %s(session %s)",
>                    request, status,
> -                 SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
> +                 ap_SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
>                    timeout_str, result);
>   }
>   
> @@ -1811,32 +1811,32 @@
>        */
>       if (where & SSL_CB_HANDSHAKE_START) {
>           ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
> -                      "%s: Handshake: start", SSL_LIBRARY_NAME);
> +                      "%s: Handshake: start", AP_SSL_LIBRARY_NAME);
>       }
>       else if (where & SSL_CB_HANDSHAKE_DONE) {
>           ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
> -                      "%s: Handshake: done", SSL_LIBRARY_NAME);
> +                      "%s: Handshake: done", AP_SSL_LIBRARY_NAME);
>       }
>       else if (where & SSL_CB_LOOP) {
>           ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
>                         "%s: Loop: %s",
> -                      SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
> +                      AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
>       }
>       else if (where & SSL_CB_READ) {
>           ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
>                         "%s: Read: %s",
> -                      SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
> +                      AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
>       }
>       else if (where & SSL_CB_WRITE) {
>           ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
>                         "%s: Write: %s",
> -                      SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
> +                      AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
>       }
>       else if (where & SSL_CB_ALERT) {
>           char *str = (where & SSL_CB_READ) ? "read" : "write";
>           ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
>                         "%s: Alert: %s:%s:%s",
> -                      SSL_LIBRARY_NAME, str,
> +                      AP_SSL_LIBRARY_NAME, str,
>                         SSL_alert_type_string_long(rc),
>                         SSL_alert_desc_string_long(rc));
>       }
> @@ -1844,12 +1844,12 @@
>           if (rc == 0) {
>               ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
>                             "%s: Exit: failed in %s",
> -                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
> +                          AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
>           }
>           else if (rc < 0) {
>               ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
>                             "%s: Exit: error in %s",
> -                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
> +                          AP_SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
>           }
>       }
>   
> Index: modules/ssl/ssl_engine_log.c
> ===================================================================
> --- modules/ssl/ssl_engine_log.c	(revision 1673798)
> +++ modules/ssl/ssl_engine_log.c	(working copy)
> @@ -141,8 +141,8 @@
>               int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2;
>   
>               BIO_puts(bio, " [subject: ");
> -            name = SSL_X509_NAME_to_string(p, X509_get_subject_name(cert),
> -                                           maxdnlen);
> +            name = ap_SSL_X509_NAME_to_string(p, X509_get_subject_name(cert),
> +                                              maxdnlen);
>               if (!strIsEmpty(name)) {
>                   BIO_puts(bio, name);
>               } else {
> @@ -150,8 +150,8 @@
>               }
>   
>               BIO_puts(bio, " / issuer: ");
> -            name = SSL_X509_NAME_to_string(p, X509_get_issuer_name(cert),
> -                                           maxdnlen);
> +            name = ap_SSL_X509_NAME_to_string(p, X509_get_issuer_name(cert),
> +                                              maxdnlen);
>               if (!strIsEmpty(name)) {
>                   BIO_puts(bio, name);
>               } else {
> Index: modules/ssl/ssl_engine_pphrase.c
> ===================================================================
> --- modules/ssl/ssl_engine_pphrase.c	(revision 1673798)
> +++ modules/ssl/ssl_engine_pphrase.c	(working copy)
> @@ -216,7 +216,7 @@
>            * is not empty. */
>           ERR_clear_error();
>   
> -        bReadable = ((pPrivateKey = SSL_read_PrivateKey(ppcb_arg.pkey_file,
> +        bReadable = ((pPrivateKey = ap_SSL_read_PrivateKey(ppcb_arg.pkey_file,
>                        NULL, ssl_pphrase_Handle_CB, &ppcb_arg)) != NULL ?
>                        TRUE : FALSE);
>   
> Index: modules/ssl/ssl_engine_vars.c
> ===================================================================
> --- modules/ssl/ssl_engine_vars.c	(revision 1673798)
> +++ modules/ssl/ssl_engine_vars.c	(working copy)
> @@ -131,7 +131,7 @@
>   }
>   
>   static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
> -static char var_library_interface[] = SSL_LIBRARY_TEXT;
> +static char var_library_interface[] = AP_SSL_LIBRARY_TEXT;
>   static char *var_library = NULL;
>   
>   static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx,
> @@ -185,7 +185,7 @@
>       APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
>   
>       /* Perform once-per-process library version determination: */
> -    var_library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
> +    var_library = apr_pstrdup(p, AP_SSL_LIBRARY_DYNTEXT);
>   
>       if ((cp = strchr(var_library, ' ')) != NULL) {
>           *cp = '/';
> @@ -406,7 +406,7 @@
>           result = (char *)SSL_get_version(ssl);
>       }
>       else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
> -        char buf[SSL_SESSION_ID_STRING_LEN];
> +        char buf[AP_SSL_SESSION_ID_STRING_LEN];
>           SSL_SESSION *pSession = SSL_get_session(ssl);
>           if (pSession) {
>               unsigned char *id;
> @@ -419,8 +419,8 @@
>               idlen = pSession->session_id_length;
>   #endif
>   
> -            result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
> -                                                      buf, sizeof(buf)));
> +            result = apr_pstrdup(p, ap_SSL_SESSION_id2sz(id, idlen,
> +                                                         buf, sizeof(buf)));
>           }
>       }
>       else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
> @@ -651,7 +651,7 @@
>                   n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
>   
>                   if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- ==
0) {
> -                    result = SSL_X509_NAME_ENTRY_to_string(p, xsne);
> +                    result = ap_SSL_X509_NAME_ENTRY_to_string(p, xsne);
>                       break;
>                   }
>               }
> @@ -682,7 +682,7 @@
>       if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
>           return NULL;
>   
> -    if (SSL_X509_getSAN(p, xs, type, atoi(var), &entries))
> +    if (ap_SSL_X509_getSAN(p, xs, type, atoi(var), &entries))
>          /* return the first entry from this 1-element array */
>          return APR_ARRAY_IDX(entries, 0, char *);
>       else
> @@ -807,7 +807,7 @@
>               char *decimal = BN_bn2dec(bn);
>               result = apr_pstrcat(p, "{ serialNumber ", decimal,
>                       ", issuer rdnSequence:\"",
> -                    SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
> +                    ap_SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
>               OPENSSL_free(decimal);
>               BN_free(bn);
>           }
> @@ -972,7 +972,7 @@
>                    apr_hash_set(count, &nid, sizeof nid, dup);
>                    key = apr_pstrcat(p, pfx, tag, NULL);
>                }
> -             value = SSL_X509_NAME_ENTRY_to_string(p, xsne);
> +             value = ap_SSL_X509_NAME_ENTRY_to_string(p, xsne);
>                apr_table_setn(t, key, value);
>            }
>       }
> @@ -1032,10 +1032,10 @@
>       /* subjectAltName entries of the server certificate */
>       xs = SSL_get_certificate(ssl);
>       if (xs) {
> -        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
> +        if (ap_SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
>               extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
>           }
> -        if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
> +        if (ap_SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
>               extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
>           }
>           /* no need to free xs (refcount does not increase) */
> @@ -1044,10 +1044,10 @@
>       /* subjectAltName entries of the client certificate */
>       xs = SSL_get_peer_certificate(ssl);
>       if (xs) {
> -        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
> +        if (ap_SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
>               extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
>           }
> -        if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
> +        if (ap_SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
>               extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
>           }
>           X509_free(xs);
> Index: modules/ssl/ssl_scache.c
> ===================================================================
> --- modules/ssl/ssl_scache.c	(revision 1673798)
> +++ modules/ssl/ssl_scache.c	(working copy)
> @@ -115,7 +115,7 @@
>                         apr_pool_t *p)
>   {
>       SSLModConfigRec *mc = myModConfig(s);
> -    unsigned char encoded[SSL_SESSION_MAX_DER], *ptr;
> +    unsigned char encoded[AP_SSL_SESSION_MAX_DER], *ptr;
>       unsigned int len;
>       apr_status_t rv;
>   
> @@ -148,8 +148,8 @@
>                                    apr_pool_t *p)
>   {
>       SSLModConfigRec *mc = myModConfig(s);
> -    unsigned char dest[SSL_SESSION_MAX_DER];
> -    unsigned int destlen = SSL_SESSION_MAX_DER;
> +    unsigned char dest[AP_SSL_SESSION_MAX_DER];
> +    unsigned int destlen = AP_SSL_SESSION_MAX_DER;
>       const unsigned char *ptr;
>       apr_status_t rv;
>   
> Index: modules/ssl/ssl_util_ssl.c
> ===================================================================
> --- modules/ssl/ssl_util_ssl.c	(revision 1673798)
> +++ modules/ssl/ssl_util_ssl.c	(working copy)
> @@ -40,7 +40,7 @@
>    */
>   static int SSL_app_data2_idx = -1;
>   
> -void SSL_init_app_data2_idx(void)
> +void ap_SSL_init_app_data2_idx(void)
>   {
>       int i;
>   
> @@ -57,12 +57,12 @@
>       }
>   }
>   
> -void *SSL_get_app_data2(SSL *ssl)
> +void *ap_SSL_get_app_data2(SSL *ssl)
>   {
>       return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
>   }
>   
> -void SSL_set_app_data2(SSL *ssl, void *arg)
> +void ap_SSL_set_app_data2(SSL *ssl, void *arg)
>   {
>       SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
>       return;
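Review bot: `ap_SSL_set_app_data2` discards the return value of `SSL_set_ex_data`, which in OpenSSL reports failure with 0, so a failed store leaves whatever request_rec was attached to this SSL object earlier in place and the later `ap_SSL_get_app_data2` in the verify callback would act on a stale pointer. The `(char *)arg` cast is also unnecessary, since `SSL_set_ex_data` takes a `void *`. Returning the status is backward-compatible for callers that ignore it: `int ap_SSL_set_app_data2(SSL *ssl, void *arg) { return SSL_set_ex_data(ssl, SSL_app_data2_idx, arg); }`, with the ssl_engine_kernel.c call site logging a failure. The consequence for the verify callback is inferred from the setter/getter pairing visible in this diff, not from the callback's full body.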
> @@ -74,7 +74,7 @@
>   **  _________________________________________________________________
>   */
>   
> -EVP_PKEY *SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb
*cb, void *s)
> +EVP_PKEY *ap_SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb
*cb, void *s)
>   {
>       EVP_PKEY *rc;
>       BIO *bioS;
> @@ -121,7 +121,7 @@
>   **  _________________________________________________________________
>   */
>   
> -int SSL_smart_shutdown(SSL *ssl)
> +int ap_SSL_smart_shutdown(SSL *ssl)
>   {
>       int i;
>       int rc;
> @@ -161,7 +161,7 @@
>   */
>   
>   /* retrieve basic constraints ingredients */
> -BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
> +BOOL ap_SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
>   {
>       BASIC_CONSTRAINTS *bc;
>       BIGNUM *bn = NULL;
> @@ -191,7 +191,7 @@
>   }
>   
>   /* convert an ASN.1 string to a UTF-8 string (escaping control characters) */
> -char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
> +char *ap_SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
>   {
>       char *result = NULL;
>       BIO *bio;
> @@ -213,9 +213,9 @@
>   }
>   
>   /* convert a NAME_ENTRY to UTF8 string */
> -char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
> +char *ap_SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
>   {
> -    char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
> +    char *result = ap_SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
>       ap_xlate_proto_from_ascii(result, len);
>       return result;
>   }
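Review bot: `ap_SSL_X509_NAME_ENTRY_to_string` passes an undeclared `len` to `ap_xlate_proto_from_ascii`; this can only build because the macro apparently expands to nothing on ASCII platforms, so an EBCDIC build, or any future non-macro implementation, would fail here. `result` can also be NULL, since `ap_SSL_ASN1_STRING_to_utf8` initialises it to NULL and the visible prologue does not show it always being set. Suggested replacement for the translate line: `if (result) { ap_xlate_proto_from_ascii(result, strlen(result)); }`. This is pre-existing rather than introduced by the rename, but the rename already rewrites the line directly above it.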
> @@ -224,7 +224,7 @@
>    * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
>    * to maxlen characters (specify a maxlen of 0 for no length limit)
>    */
> -char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
> +char *ap_SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
>   {
>       char *result = NULL;
>       BIO *bio;
> @@ -259,8 +259,8 @@
>    * GEN_EMAIL (rfc822Name)
>    * GEN_DNS (dNSName)
>    */
> -BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
> -                     apr_array_header_t **entries)
> +BOOL ap_SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
> +                        apr_array_header_t **entries)
>   {
>       STACK_OF(GENERAL_NAME) *names;
>   
> @@ -282,7 +282,7 @@
>                       switch (type) {
>                       case GEN_EMAIL:
>                       case GEN_DNS:
> -                        utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5);
> +                        utf8str = ap_SSL_ASN1_STRING_to_utf8(p, name->d.ia5);
>                           if (utf8str) {
>                               APR_ARRAY_PUSH(*entries, const char *) = utf8str;
>                           }
> @@ -313,7 +313,7 @@
>   }
>   
>   /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
> -BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
> +BOOL ap_SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
>   {
>       X509_NAME *subj;
>       int i = -1;
> @@ -320,7 +320,7 @@
>   
>       /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
>       if (!x509 ||
> -        (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
> +        (ap_SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
>           *ids = NULL;
>           return FALSE;
>       }
> @@ -329,7 +329,7 @@
>       subj = X509_get_subject_name(x509);
>       while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
>           APR_ARRAY_PUSH(*ids, const char *) =
> -            SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
> +            ap_SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
>       }
>   
>       return apr_is_empty_array(*ids) ? FALSE : TRUE;
> @@ -340,8 +340,8 @@
>    * DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching.
>    * If server_rec is non-NULL, some (debug/trace) logging is enabled.
>    */
> -BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
> -                         BOOL allow_wildcard, server_rec *s)
> +BOOL ap_SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
> +                            BOOL allow_wildcard, server_rec *s)
>   {
>       BOOL matched = FALSE;
>       apr_array_header_t *ids;
> @@ -356,7 +356,7 @@
>        *    is found).
>        */
>   
> -    if (SSL_X509_getIDs(p, x509, &ids)) {
> +    if (ap_SSL_X509_getIDs(p, x509, &ids)) {
>           const char *cp;
>           int i;
>           char **id = (char **)ids->elts;
> @@ -387,8 +387,8 @@
>   
>               if (s) {
>                   ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
> -                             "[%s] SSL_X509_match_name: expecting name '%s', "
> -                             "%smatched by ID '%s'",
> +                             "[%s] ap_SSL_X509_match_name: expecting name "
> +                             "'%s', %smatched by ID '%s'",
>                                (mySrvConfig(s))->vhost_id, name,
>                                matched == TRUE ? "" : "NOT ", id[i]);
>               }
> @@ -417,9 +417,9 @@
>   **  _________________________________________________________________
>   */
>   
> -BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
> -                             STACK_OF(X509_INFO) *sk,
> -                             const char *filename)
> +BOOL ap_SSL_X509_INFO_load_file(apr_pool_t *ptemp,
> +                                STACK_OF(X509_INFO) *sk,
> +                                const char *filename)
>   {
>       BIO *in;
>   
> @@ -441,9 +441,9 @@
>       return TRUE;
>   }
>   
> -BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
> -                             STACK_OF(X509_INFO) *sk,
> -                             const char *pathname)
> +BOOL ap_SSL_X509_INFO_load_path(apr_pool_t *ptemp,
> +                                STACK_OF(X509_INFO) *sk,
> +                                const char *pathname)
>   {
>       /* XXX: this dir read code is exactly the same as that in
>        * ssl_engine_init.c, only the call to handle the fullname is different,
> @@ -468,7 +468,7 @@
>                                  pathname, "/", dirent.name,
>                                  NULL);
>   
> -        if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
> +        if (ap_SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
>               ok = TRUE;
>           }
>       }
> @@ -521,7 +521,7 @@
>    * format, possibly followed by a sequence of CA certificates that
>    * should be sent to the peer in the SSL Certificate message.
>    */
> -int SSL_CTX_use_certificate_chain(
> +int ap_SSL_CTX_use_certificate_chain(
>       SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
>   {
>       BIO *bio;
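Review bot: The `file` parameter of `ap_SSL_CTX_use_certificate_chain` is still `char *`, which is why the caller in ssl_engine_init.c has to cast `(char *)chain`; since the prototype in ssl_util_ssl.h is being rewritten anyway, this is the moment to make it `const char *` and drop the cast. Changed lines: `int ap_SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file, int skipfirst, pem_password_cb *cb)` here and in the header, and `n = ap_SSL_CTX_use_certificate_chain(mctx->ssl_ctx, chain, skip_first, NULL);` at the call site. The function body continues outside the hunk, so confirm nothing writes through `file` before making the change.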
> @@ -581,8 +581,8 @@
>   **  _________________________________________________________________
>   */
>   
> -char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
> -                        char *str, int strsize)
> +char *ap_SSL_SESSION_id2sz(unsigned char *id, int idlen,
> +                           char *str, int strsize)
>   {
>       if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
>           idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
> Index: modules/ssl/ssl_util_ssl.h
> ===================================================================
> --- modules/ssl/ssl_util_ssl.h	(revision 1673798)
> +++ modules/ssl/ssl_util_ssl.h	(working copy)
> @@ -38,10 +38,10 @@
>    * SSL library version number
>    */
>   
> -#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
> -#define SSL_LIBRARY_NAME    "OpenSSL"
> -#define SSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
> -#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
> +#define AP_SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
> +#define AP_SSL_LIBRARY_NAME    "OpenSSL"
> +#define AP_SSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
> +#define AP_SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
>   
>   /**
>    *  Maximum length of a DER encoded session.
> @@ -48,31 +48,31 @@
>    *  FIXME: There is no define in OpenSSL, but OpenSSL uses 1024*10,
>    *         so this value should be ok. Although we have no warm feeling.
>    */
> -#define SSL_SESSION_MAX_DER 1024*10
> +#define AP_SSL_SESSION_MAX_DER 1024*10
>   
> -/** max length for SSL_SESSION_id2sz */
> -#define SSL_SESSION_ID_STRING_LEN \
> +/** max length for AP_SSL_SESSION_id2sz */
> +#define AP_SSL_SESSION_ID_STRING_LEN \
>       ((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)
>   
>   /**
>    *  Additional Functions
>    */
> -void        SSL_init_app_data2_idx(void);
> -void       *SSL_get_app_data2(SSL *);
> -void        SSL_set_app_data2(SSL *, void *);
> -EVP_PKEY   *SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *);
> -int         SSL_smart_shutdown(SSL *ssl);
> -BOOL        SSL_X509_getBC(X509 *, int *, int *);
> -char       *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
> -char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
> -char       *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
> -BOOL        SSL_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
> -BOOL        SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
> -BOOL        SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec
*);
> -BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char
*);
> -BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char
*);
> -int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
> -char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
> +void        ap_SSL_init_app_data2_idx(void);
> +void       *ap_SSL_get_app_data2(SSL *);
> +void        ap_SSL_set_app_data2(SSL *, void *);
> +EVP_PKEY   *ap_SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void
*);
> +int         ap_SSL_smart_shutdown(SSL *ssl);
> +BOOL        ap_SSL_X509_getBC(X509 *, int *, int *);
> +char       *ap_SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
> +char       *ap_SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
> +char       *ap_SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
> +BOOL        ap_SSL_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
> +BOOL        ap_SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
> +BOOL        ap_SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec
*);
> +BOOL        ap_SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char
*);
> +BOOL        ap_SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char
*);
> +int         ap_SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb
*);
> +char       *ap_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
>   
>   #endif /* __SSL_UTIL_SSL_H__ */
>   /** @} */
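Review bot: The comment `/** max length for AP_SSL_SESSION_id2sz */` names a symbol that does not exist after this patch — the function is `ap_SSL_SESSION_id2sz` and the macro is `AP_SSL_SESSION_ID_STRING_LEN`; it should read `/** max length for ap_SSL_SESSION_id2sz() */`. While `AP_SSL_SESSION_MAX_DER` is being renamed, parenthesise its expansion, `#define AP_SSL_SESSION_MAX_DER (1024*10)`, so it is safe inside a larger expression; the two uses in ssl_scache.c (an array bound and an initialiser) are fine today, but a bare `1024*10` is a trap for the next user.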

