www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Drop support for the RSA BSAFE SSL-C toolkit from configure,

Browse Source 
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2011-08-07 10:29:09 +00:00
parent f19d2caa4d
commit 1eb818742f
16 changed files with 72 additions and 343 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,6 +1,9 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.3.15 Changes with Apache 2.3.15
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]
*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
cookie is set when modules such as mod_rewrite trigger a redirect. Also cookie is set when modules such as mod_rewrite trigger a redirect. Also
use r->err_headers_out for the cookie, for the same reason. PR29755. use r->err_headers_out for the cookie, for the same reason. PR29755.

173
acinclude.m4
View File

@@ -437,41 +437,32 @@ AC_DEFUN(APACHE_REQUIRE_CXX,[
]) ])
dnl dnl
dnl APACHE_CHECK_SSL_TOOLKIT dnl APACHE_CHECK_OPENSSL
dnl dnl
dnl Configure for the detected openssl/ssl-c toolkit installation, giving dnl Configure for OpenSSL, giving preference to
dnl preference to "--with-ssl=<path>" if it was specified. dnl "--with-ssl=<path>" if it was specified.
dnl dnl
AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ AC_DEFUN(APACHE_CHECK_OPENSSL,[
AC_CACHE_CHECK([for SSL/TLS toolkit], [ac_cv_ssltk], [ AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [
dnl initialise the variables we use dnl initialise the variables we use
ac_cv_ssltk=yes ac_cv_openssl=yes
ap_ssltk_found="" ap_openssl_found=""
ap_ssltk_base="" ap_openssl_base=""
ap_ssltk_libs="" ap_openssl_libs=""
ap_ssltk_type=""
dnl Determine the SSL/TLS toolkit's base directory, if any dnl Determine the OpenSSL base directory, if any
AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base]) AC_MSG_CHECKING([for user-provided OpenSSL base directory])
AC_ARG_WITH(sslc, APACHE_HELP_STRING(--with-sslc=DIR,RSA SSL-C SSL/TLS toolkit), [ AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL base directory), [
dnl If --with-sslc specifies a directory, we use that directory or fail dnl If --with-ssl specifies a directory, we use that directory
if test "x$withval" != "xyes" -a "x$withval" != "x"; then if test "x$withval" != "xyes" -a "x$withval" != "x"; then
dnl This ensures $withval is actually a directory and that it is absolute dnl This ensures $withval is actually a directory and that it is absolute
ap_ssltk_base="`cd $withval ; pwd`" ap_openssl_base="`cd $withval ; pwd`"
fi
ap_ssltk_type="sslc"
])
AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL SSL/TLS toolkit), [
dnl If --with-ssl specifies a directory, we use that directory or fail
if test "x$withval" != "xyes" -a "x$withval" != "x"; then
dnl This ensures $withval is actually a directory and that it is absolute
ap_ssltk_base="`cd $withval ; pwd`"
fi fi
]) ])
if test "x$ap_ssltk_base" = "x"; then if test "x$ap_openssl_base" = "x"; then
AC_MSG_RESULT(none) AC_MSG_RESULT(none)
else else
AC_MSG_RESULT($ap_ssltk_base) AC_MSG_RESULT($ap_openssl_base)
fi fi
dnl Run header and version checks dnl Run header and version checks
@@ -480,19 +471,19 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
saved_LDFLAGS="$LDFLAGS" saved_LDFLAGS="$LDFLAGS"
SSL_LIBS="" SSL_LIBS=""
dnl Before doing anything else, load in pkg-config variables (if not sslc). dnl Before doing anything else, load in pkg-config variables
if test "x$ap_ssltk_type" = "x" -a -n "$PKGCONFIG"; then if test -n "$PKGCONFIG"; then
saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH" saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
if test "x$ap_ssltk_base" != "x" -a \ if test "x$ap_openssl_base" != "x" -a \
-f "${ap_ssltk_base}/lib/pkgconfig/openssl.pc"; then -f "${ap_openssl_base}/lib/pkgconfig/openssl.pc"; then
dnl Ensure that the given path is used by pkg-config too, otherwise dnl Ensure that the given path is used by pkg-config too, otherwise
dnl the system openssl.pc might be picked up instead. dnl the system openssl.pc might be picked up instead.
PKG_CONFIG_PATH="${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}" PKG_CONFIG_PATH="${ap_openssl_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
export PKG_CONFIG_PATH export PKG_CONFIG_PATH
fi fi
ap_ssltk_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`" ap_openssl_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
if test $? -eq 0; then if test $? -eq 0; then
ap_ssltk_found="yes" ap_openssl_found="yes"
pkglookup="`$PKGCONFIG --cflags-only-I openssl`" pkglookup="`$PKGCONFIG --cflags-only-I openssl`"
APR_ADDTO(CPPFLAGS, [$pkglookup]) APR_ADDTO(CPPFLAGS, [$pkglookup])
APR_ADDTO(INCLUDES, [$pkglookup]) APR_ADDTO(INCLUDES, [$pkglookup])
@@ -502,105 +493,59 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
fi fi
PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH" PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH"
fi fi
if test "x$ap_ssltk_base" != "x" -a "x$ap_ssltk_found" = "x"; then
APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include]) dnl fall back to the user-supplied directory if not found via pkg-config
APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include]) if test "x$ap_openssl_base" != "x" -a "x$ap_openssl_found" = "x"; then
APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib]) APR_ADDTO(CPPFLAGS, [-I$ap_openssl_base/include])
APR_ADDTO(SSL_LIBS, [-L$ap_ssltk_base/lib]) APR_ADDTO(INCLUDES, [-I$ap_openssl_base/include])
APR_ADDTO(LDFLAGS, [-L$ap_openssl_base/lib])
APR_ADDTO(SSL_LIBS, [-L$ap_openssl_base/lib])
if test "x$ap_platform_runtime_link_flag" != "x"; then if test "x$ap_platform_runtime_link_flag" != "x"; then
APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib]) APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib])
APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib]) APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib])
fi fi
fi fi
if test "x$ap_ssltk_type" = "x"; then
dnl First check for manditory headers AC_MSG_CHECKING([for OpenSSL version])
AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], []) AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
if test "$ap_ssltk_type" = "openssl"; then
dnl so it's OpenSSL - test for a good version
AC_MSG_CHECKING([for OpenSSL version])
AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
#if !defined(OPENSSL_VERSION_NUMBER) #if !defined(OPENSSL_VERSION_NUMBER)
#error "Missing openssl version" #error "Missing OpenSSL version"
#endif #endif
#if (OPENSSL_VERSION_NUMBER < 0x009060af) \ #if (OPENSSL_VERSION_NUMBER < 0x009060af) \
|| ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f)) || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f))
#error "Insecure openssl version " OPENSSL_VERSION_TEXT #error "Insecure openssl version " OPENSSL_VERSION_TEXT
#endif], #endif],
[AC_MSG_RESULT(OK)], [AC_MSG_RESULT(OK)],
[dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h? [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
AC_MSG_RESULT([not encouraging]) AC_MSG_RESULT([not encouraging])
AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!] AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
[ Ensure the latest security patches have been applied!]) [ Ensure the latest security patches have been applied!])
]) ])
else
AC_MSG_RESULT([no OpenSSL headers found]) if test "x$ac_cv_openssl" = "xyes"; then
fi ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"
fi APR_ADDTO(SSL_LIBS, [$ap_openssl_libs])
if test "$ap_ssltk_type" != "openssl"; then APR_ADDTO(LIBS, [$ap_openssl_libs])
dnl Might be SSL-C - report, then test anything relevant
AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [ap_ssltk_type=""])
if test "$ap_ssltk_type" = "sslc"; then
ap_ssltk_libs="-lsslc"
AC_MSG_CHECKING([for SSL-C version])
AC_TRY_COMPILE([#include <sslc.h>],[
#if !defined(SSLC_VERSION_NUMBER)
#error "Missing SSL-C version"
#endif
#if SSLC_VERSION_NUMBER < 0x2310
#define stringize_ver(x) #x
#error "Insecure SSL-C version " stringize_ver(SSLC_VERSION_NUMBER)
#endif],
[AC_MSG_RESULT(OK)],
[dnl Replace this with SSLC_VERSION_NUMBER?
AC_MSG_RESULT([not encouraging])
echo "WARNING: SSL-C version may contain security vulnerabilities!"
echo " Ensure the latest security patches have been applied!"
])
else
AC_MSG_RESULT([no SSL-C headers found])
fi
fi
if test "x$ap_ssltk_type" = "x"; then
ac_cv_ssltk="no"
AC_MSG_WARN([...No recognized SSL/TLS toolkit detected])
else
if test "$ap_ssltk_type" = "openssl" -a "x$ap_ssltk_found" = "x"; then
ap_ssltk_found="yes"
ap_ssltk_libs="-lssl -lcrypto `$apr_config --libs`"
fi
APR_ADDTO(SSL_LIBS, [$ap_ssltk_libs])
APR_ADDTO(LIBS, [$ap_ssltk_libs])
APACHE_SUBST(SSL_LIBS) APACHE_SUBST(SSL_LIBS)
dnl Run library and function checks dnl Run library and function checks
liberrors="" liberrors=""
if test "$ap_ssltk_type" = "openssl"; then AC_CHECK_HEADERS([openssl/engine.h])
AC_CHECK_HEADERS([openssl/engine.h]) AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
else
AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
AC_CHECK_FUNCS(SSL_set_state)
fi
dnl restore
CPPFLAGS="$saved_CPPFLAGS"
LIBS="$saved_LIBS"
LDFLAGS="$saved_LDFLAGS"
if test "x$liberrors" != "x"; then if test "x$liberrors" != "x"; then
ac_cv_ssltk=no ac_cv_openssl=no
AC_MSG_WARN([... Error, SSL/TLS libraries were missing or unusable]) AC_MSG_WARN([OpenSSL libraries are unusable])
fi fi
fi fi
])
if test "x$ac_cv_ssltk" = "xyes" ; then dnl restore
dnl Adjust apache's configuration based on what we found above. CPPFLAGS="$saved_CPPFLAGS"
dnl (a) define preprocessor symbols LIBS="$saved_LIBS"
if test "$ap_ssltk_type" = "openssl"; then LDFLAGS="$saved_LDFLAGS"
AC_DEFINE(HAVE_OPENSSL, 1, [Define if SSL is supported using OpenSSL]) ])
else if test "x$ac_cv_openssl" = "xyes"; then
AC_DEFINE(HAVE_SSLC, 1, [Define if SSL is supported using SSL-C]) AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available])
fi
fi fi
]) ])

1
modules/ssl/README
View File

@@ -98,7 +98,6 @@ MAJOR CHANGES
the original SSLProxy* directives the original SSLProxy* directives
o per-directory SSLCACertificate{File,Path} is now thread-safe but o per-directory SSLCACertificate{File,Path} is now thread-safe but
requires SSL_set_cert_store patch to OpenSSL requires SSL_set_cert_store patch to OpenSSL
o RSA sslc is supported via ssl_toolkit_compat.h
o the ssl_engine_{ds,ext}.c source files are obsolete and no longer o the ssl_engine_{ds,ext}.c source files are obsolete and no longer
exist exist

4
modules/ssl/config.m4
View File

@@ -44,8 +44,8 @@ ssl_util_ocsp.lo dnl
" "
dnl # hook module into the Autoconf mechanism (--enable-ssl option) dnl # hook module into the Autoconf mechanism (--enable-ssl option)
APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [ APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
APACHE_CHECK_SSL_TOOLKIT APACHE_CHECK_OPENSSL
if test "$ac_cv_ssltk" = "yes" ; then if test "$ac_cv_openssl" = "yes" ; then
APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)]) APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
CHECK_OCSP CHECK_OCSP
if test "x$enable_ssl" = "xshared"; then if test "x$enable_ssl" = "xshared"; then

6
modules/ssl/mod_ssl.c
View File

@@ -250,14 +250,12 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
/* /*
* Try to kill the internals of the SSL library. * Try to kill the internals of the SSL library.
*/ */
#ifdef HAVE_OPENSSL
#if OPENSSL_VERSION_NUMBER >= 0x00907001 #if OPENSSL_VERSION_NUMBER >= 0x00907001
/* Corresponds to OPENSSL_load_builtin_modules(): /* Corresponds to OPENSSL_load_builtin_modules():
* XXX: borrowed from apps.h, but why not CONF_modules_free() * XXX: borrowed from apps.h, but why not CONF_modules_free()
* which also invokes CONF_modules_finish()? * which also invokes CONF_modules_finish()?
*/ */
CONF_modules_unload(1); CONF_modules_unload(1);
#endif
#endif #endif
/* Corresponds to SSL_library_init: */ /* Corresponds to SSL_library_init: */
EVP_cleanup(); EVP_cleanup();
@@ -292,19 +290,15 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
* code can successfully test the SSL environment. * code can successfully test the SSL environment.
*/ */
CRYPTO_malloc_init(); CRYPTO_malloc_init();
#ifdef HAVE_OPENSSL
ERR_load_crypto_strings(); ERR_load_crypto_strings();
#endif
SSL_load_error_strings(); SSL_load_error_strings();
SSL_library_init(); SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines(); ENGINE_load_builtin_engines();
#endif #endif
#ifdef HAVE_OPENSSL
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
#if OPENSSL_VERSION_NUMBER >= 0x00907001 #if OPENSSL_VERSION_NUMBER >= 0x00907001
OPENSSL_load_builtin_modules(); OPENSSL_load_builtin_modules();
#endif
#endif #endif
/* /*

9
modules/ssl/ssl_engine_init.c
View File

@@ -895,7 +895,7 @@ static int ssl_server_import_key(server_rec *s,
if (idx == SSL_AIDX_ECC) if (idx == SSL_AIDX_ECC)
pkey_type = EVP_PKEY_EC; pkey_type = EVP_PKEY_EC;
else else
#endif /* SSL_LIBRARY_VERSION */ #endif
pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) { if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
@@ -1265,18 +1265,11 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
} }
} }
#ifdef SSLC_VERSION_NUMBER
static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
{
return(X509_NAME_cmp((void*)*a, (void*)*b));
}
#else
static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a, static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
const X509_NAME * const *b) const X509_NAME * const *b)
{ {
return(X509_NAME_cmp(*a, *b)); return(X509_NAME_cmp(*a, *b));
} }
#endif
static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
server_rec *s, const char *file) server_rec *s, const char *file)

8
modules/ssl/ssl_engine_io.c
View File

@@ -277,9 +277,7 @@ static BIO_METHOD bio_filter_out_method = {
bio_filter_out_ctrl, bio_filter_out_ctrl,
bio_filter_create, bio_filter_create,
bio_filter_destroy, bio_filter_destroy,
#ifdef OPENSSL_VERSION_NUMBER NULL
NULL /* sslc does not have the callback_ctrl field */
#endif
}; };
typedef struct { typedef struct {
@@ -531,9 +529,7 @@ static BIO_METHOD bio_filter_in_method = {
NULL, /* ctrl is never called */ NULL, /* ctrl is never called */
bio_filter_create, bio_filter_create,
bio_filter_destroy, bio_filter_destroy,
#ifdef OPENSSL_VERSION_NUMBER NULL
NULL /* sslc does not have the callback_ctrl field */
#endif
}; };

3
modules/ssl/ssl_engine_kernel.c
View File

@@ -1671,11 +1671,8 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
*/ */
pubkey = X509_get_pubkey(cert); pubkey = X509_get_pubkey(cert);
rc = X509_CRL_verify(crl, pubkey); rc = X509_CRL_verify(crl, pubkey);
#ifdef OPENSSL_VERSION_NUMBER
/* Only refcounted in OpenSSL */
if (pubkey) if (pubkey)
EVP_PKEY_free(pubkey); EVP_PKEY_free(pubkey);
#endif
if (rc <= 0) { if (rc <= 0) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
"Invalid signature on CRL"); "Invalid signature on CRL");

10
modules/ssl/ssl_engine_pphrase.c
View File

@@ -109,11 +109,7 @@ static apr_file_t *readtty = NULL;
*/ */
static server_rec *ssl_pphrase_server_rec = NULL; static server_rec *ssl_pphrase_server_rec = NULL;
#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *, int, int);
#else
int ssl_pphrase_Handle_CB(char *, int, int, void *); int ssl_pphrase_Handle_CB(char *, int, int, void *);
#endif
static char *pphrase_array_get(apr_array_header_t *arr, int idx) static char *pphrase_array_get(apr_array_header_t *arr, int idx)
{ {
@@ -649,14 +645,8 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
return 0; return 0;
} }
#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
{
void *srv = ssl_pphrase_server_rec;
#else
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
{ {
#endif
SSLModConfigRec *mc; SSLModConfigRec *mc;
server_rec *s; server_rec *s;
apr_pool_t *p; apr_pool_t *p;

2
modules/ssl/ssl_engine_vars.c
View File

@@ -944,7 +944,6 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
{ {
char *result = "NULL"; char *result = "NULL";
#ifdef OPENSSL_VERSION_NUMBER
#if (OPENSSL_VERSION_NUMBER >= 0x00908000) #if (OPENSSL_VERSION_NUMBER >= 0x00908000)
SSL_SESSION *pSession = SSL_get_session(ssl); SSL_SESSION *pSession = SSL_get_session(ssl);
@@ -969,7 +968,6 @@ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
break; break;
} }
} }
#endif
#endif #endif
return result; return result;
} }

6
modules/ssl/ssl_private.h
View File

@@ -194,7 +194,7 @@ typedef int ssl_algo_t;
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
#else #else
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA) #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
#endif /* SSL_LIBRARY_VERSION */ #endif
#define SSL_AIDX_RSA (0) #define SSL_AIDX_RSA (0)
#define SSL_AIDX_DSA (1) #define SSL_AIDX_DSA (1)
@@ -203,7 +203,7 @@ typedef int ssl_algo_t;
#define SSL_AIDX_MAX (3) #define SSL_AIDX_MAX (3)
#else #else
#define SSL_AIDX_MAX (2) #define SSL_AIDX_MAX (2)
#endif /* SSL_LIBRARY_VERSION */ #endif
/** /**
@@ -671,7 +671,7 @@ RSA *ssl_callback_TmpRSA(SSL *, int, int);
DH *ssl_callback_TmpDH(SSL *, int, int); DH *ssl_callback_TmpDH(SSL *, int, int);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
#endif /* SSL_LIBRARY_VERSION */ #endif
int ssl_callback_SSLVerify(int, X509_STORE_CTX *); int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey); int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);

112
modules/ssl/ssl_toolkit_compat.h
View File

@@ -20,15 +20,12 @@
/** /**
* @file ssl_toolkit_compat.h * @file ssl_toolkit_compat.h
* @brief this header file provides a compatiblity layer * @brief this header file provides a compatiblity layer
* between OpenSSL and RSA sslc
* *
* @defgroup MOD_SSL_TOOLKIT Toolkit * @defgroup MOD_SSL_TOOLKIT Toolkit
* @ingroup MOD_SSL * @ingroup MOD_SSL
* @{ * @{
*/ */
#ifdef HAVE_OPENSSL
/** OpenSSL headers */ /** OpenSSL headers */
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/err.h> #include <openssl/err.h>
@@ -181,115 +178,6 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
#endif #endif
#endif #endif
#elif defined(HAVE_SSLC)
#include <bio.h>
#include <ssl.h>
#include <err.h>
#include <x509.h>
#include <pem.h>
#include <evp.h>
#include <objects.h>
#include <sslc.h>
/** sslc does not support this function, OpenSSL has since 9.5.1 */
#define RAND_status() 1
/** sslc names this function a bit differently */
#define CRYPTO_num_locks() CRYPTO_get_num_locks()
#ifndef STACK_OF
#define STACK_OF(type) STACK
#endif
#define MODSSL_BIO_CB_ARG_TYPE char
#define MODSSL_CRYPTO_CB_ARG_TYPE char
#define MODSSL_INFO_CB_ARG_TYPE SSL*
#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
#define MODSSL_PCHAR_CAST (char *)
#define MODSSL_D2I_SSL_SESSION_CONST
#define MODSSL_D2I_PrivateKey_CONST
#define MODSSL_D2I_X509_CONST
typedef int (modssl_read_bio_cb_fn)(char*,int,int);
#define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
#define modssl_PEM_read_bio_X509(b, x, cb, arg) \
PEM_read_bio_X509(b, x, cb)
#define modssl_PEM_X509_INFO_read_bio(b, x, cb, arg)\
PEM_X509_INFO_read_bio(b, x, cb)
#define modssl_PEM_read_bio_PrivateKey(b, k, cb, arg) \
PEM_read_bio_PrivateKey(b, k, cb)
#ifndef HAVE_SSL_SET_STATE
#define SSL_set_state(ssl, state) /** XXX: should throw an error */
#endif
#define modssl_set_cipher_list(ssl, l) \
SSL_set_cipher_list(ssl, (char *)l)
#define modssl_free free
#ifndef PEM_F_DEF_CALLBACK
#define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
#endif
#if SSLC_VERSION_NUMBER < 0x2000
#define X509_STORE_CTX_set_depth(st, d)
#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
#define modssl_set_verify(ssl, verify, cb) \
SSL_set_verify(ssl, verify)
#else /** SSLC_VERSION_NUMBER >= 0x2000 */
#define CRYPTO_malloc_init R_malloc_init
#define EVP_cleanup()
#endif /** SSLC_VERSION_NUMBER >= 0x2000 */
typedef void (*modssl_popfree_fn)(char *data);
#define sk_SSL_CIPHER_dup sk_dup
#define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
#define sk_SSL_CIPHER_free sk_free
#define sk_SSL_CIPHER_num sk_num
#define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
#define sk_X509_num sk_num
#define sk_X509_push sk_push
#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
#define sk_X509_value (X509 *)sk_value
#define sk_X509_INFO_free sk_free
#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
#define sk_X509_INFO_num sk_num
#define sk_X509_INFO_new_null sk_new_null
#define sk_X509_INFO_value (X509_INFO *)sk_value
#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
#define sk_X509_NAME_free sk_free
#define sk_X509_NAME_new sk_new
#define sk_X509_NAME_num sk_num
#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
#define sk_X509_NAME_value (X509_NAME *)sk_value
#define sk_X509_NAME_ENTRY_num sk_num
#define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
#define sk_X509_NAME_set_cmp_func sk_set_cmp_func
#define sk_X509_REVOKED_num sk_num
#define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
#else /** ! HAVE_OPENSSL && ! HAVE_SSLC */
#error "Unrecognized SSL Toolkit!"
#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */
#ifndef modssl_set_verify #ifndef modssl_set_verify
#define modssl_set_verify(ssl, verify, cb) \ #define modssl_set_verify(ssl, verify, cb) \
SSL_set_verify(ssl, verify, cb) SSL_set_verify(ssl, verify, cb)

21
modules/ssl/ssl_util.c
View File

@@ -159,11 +159,8 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
break; break;
} }
} }
#ifdef OPENSSL_VERSION_NUMBER
/* Only refcounted in OpenSSL */
if (pFreeKey != NULL) if (pFreeKey != NULL)
EVP_PKEY_free(pFreeKey); EVP_PKEY_free(pFreeKey);
#endif
return t; return t;
} }
@@ -338,18 +335,8 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
static apr_thread_mutex_t **lock_cs; static apr_thread_mutex_t **lock_cs;
static int lock_num_locks; static int lock_num_locks;
#ifdef HAVE_SSLC
#if SSLC_VERSION_NUMBER >= 0x2000
static int ssl_util_thr_lock(int mode, int type,
char *file, int line)
#else
static void ssl_util_thr_lock(int mode, int type,
char *file, int line)
#endif
#else
static void ssl_util_thr_lock(int mode, int type, static void ssl_util_thr_lock(int mode, int type,
const char *file, int line) const char *file, int line)
#endif
{ {
if (type < lock_num_locks) { if (type < lock_num_locks) {
if (mode & CRYPTO_LOCK) { if (mode & CRYPTO_LOCK) {
@@ -358,14 +345,6 @@ static void ssl_util_thr_lock(int mode, int type,
else { else {
apr_thread_mutex_unlock(lock_cs[type]); apr_thread_mutex_unlock(lock_cs[type]);
} }
#ifdef HAVE_SSLC
#if SSLC_VERSION_NUMBER >= 0x2000
return 1;
}
else {
return -1;
#endif
#endif
} }
} }

18
modules/ssl/ssl_util_ssl.c
View File

@@ -535,24 +535,11 @@ char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
*cp = NUL; *cp = NUL;
return str; return str;
} }
/* sslc+OpenSSL compat */
int modssl_session_get_time(SSL_SESSION *session) int modssl_session_get_time(SSL_SESSION *session)
{ {
#ifdef OPENSSL_VERSION_NUMBER
return SSL_SESSION_get_time(session); return SSL_SESSION_get_time(session);
#else /* assume sslc */
CRYPTO_TIME_T ct;
SSL_SESSION_get_time(session, &ct);
return CRYPTO_time_to_int(&ct);
#endif
} }
#ifndef SSLC_VERSION_NUMBER
#define SSLC_VERSION_NUMBER 0x0000
#endif
DH *modssl_dh_configure(unsigned char *p, int plen, DH *modssl_dh_configure(unsigned char *p, int plen,
unsigned char *g, int glen) unsigned char *g, int glen)
{ {
@@ -562,17 +549,12 @@ DH *modssl_dh_configure(unsigned char *p, int plen,
return NULL; return NULL;
} }
#if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
dh->p = BN_bin2bn(p, plen, NULL); dh->p = BN_bin2bn(p, plen, NULL);
dh->g = BN_bin2bn(g, glen, NULL); dh->g = BN_bin2bn(g, glen, NULL);
if (!(dh->p && dh->g)) { if (!(dh->p && dh->g)) {
DH_free(dh); DH_free(dh);
return NULL; return NULL;
} }
#else
R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);
#endif
return dh; return dh;
} }

20
modules/ssl/ssl_util_ssl.h
View File

@@ -35,30 +35,13 @@
#define __SSL_UTIL_SSL_H__ #define __SSL_UTIL_SSL_H__
/** /**
* Determine SSL library version number * SSL library version number
*/ */
#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF)
#ifdef OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER #define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define SSL_LIBRARY_NAME "OpenSSL" #define SSL_LIBRARY_NAME "OpenSSL"
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT #define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) #define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
#elif defined(SSLC_VERSION_NUMBER)
#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER
#define SSL_LIBRARY_NAME "SSL-C"
#define SSL_LIBRARY_TEXT { 'S', 'S', 'L', '-', 'C', ' ', \
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 }
#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION)
#elif !defined(SSL_LIBRARY_VERSION)
#define SSL_LIBRARY_VERSION 0x0000
#define SSL_LIBRARY_NAME "OtherSSL"
#define SSL_LIBRARY_TEXT "OtherSSL 0.0.0 00 XXX 0000"
#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000"
#endif
/** /**
* Maximum length of a DER encoded session. * Maximum length of a DER encoded session.
@@ -92,7 +75,6 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const c
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *); int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int); char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
/** util functions for OpenSSL+sslc compat */
int modssl_session_get_time(SSL_SESSION *session); int modssl_session_get_time(SSL_SESSION *session);
DH *modssl_dh_configure(unsigned char *p, int plen, DH *modssl_dh_configure(unsigned char *p, int plen,

19
support/ab.c
View File

@@ -156,25 +156,8 @@
#include "ap_config_auto.h" #include "ap_config_auto.h"
#endif #endif
#if defined(HAVE_SSLC) #if defined(HAVE_OPENSSL)
/* Libraries for RSA SSL-C */
#include <rsa.h>
#include <x509.h>
#include <pem.h>
#include <err.h>
#include <ssl.h>
#include <r_rand.h>
#include <sslc.h>
#define USE_SSL
#define RSAREF
#define SK_NUM(x) sk_num(x)
#define SK_VALUE(x,y) sk_value(x,y)
typedef STACK X509_STACK_TYPE;
#elif defined(HAVE_OPENSSL)
/* Libraries on most systems.. */
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/x509.h> #include <openssl/x509.h>