Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68
3
CHANGES
3
CHANGES
@@ -1,6 +1,9 @@
|
||||
-*- coding: utf-8 -*-
|
||||
Changes with Apache 2.3.15
|
||||
|
||||
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
|
||||
[Kaspar Brand]
|
||||
|
||||
*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
|
||||
cookie is set when modules such as mod_rewrite trigger a redirect. Also
|
||||
use r->err_headers_out for the cookie, for the same reason. PR29755.
|
||||
|
147
acinclude.m4
147
acinclude.m4
@@ -437,41 +437,32 @@ AC_DEFUN(APACHE_REQUIRE_CXX,[
|
||||
])
|
||||
|
||||
dnl
|
||||
dnl APACHE_CHECK_SSL_TOOLKIT
|
||||
dnl APACHE_CHECK_OPENSSL
|
||||
dnl
|
||||
dnl Configure for the detected openssl/ssl-c toolkit installation, giving
|
||||
dnl preference to "--with-ssl=<path>" if it was specified.
|
||||
dnl Configure for OpenSSL, giving preference to
|
||||
dnl "--with-ssl=<path>" if it was specified.
|
||||
dnl
|
||||
AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
|
||||
AC_CACHE_CHECK([for SSL/TLS toolkit], [ac_cv_ssltk], [
|
||||
AC_DEFUN(APACHE_CHECK_OPENSSL,[
|
||||
AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [
|
||||
dnl initialise the variables we use
|
||||
ac_cv_ssltk=yes
|
||||
ap_ssltk_found=""
|
||||
ap_ssltk_base=""
|
||||
ap_ssltk_libs=""
|
||||
ap_ssltk_type=""
|
||||
ac_cv_openssl=yes
|
||||
ap_openssl_found=""
|
||||
ap_openssl_base=""
|
||||
ap_openssl_libs=""
|
||||
|
||||
dnl Determine the SSL/TLS toolkit's base directory, if any
|
||||
AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base])
|
||||
AC_ARG_WITH(sslc, APACHE_HELP_STRING(--with-sslc=DIR,RSA SSL-C SSL/TLS toolkit), [
|
||||
dnl If --with-sslc specifies a directory, we use that directory or fail
|
||||
dnl Determine the OpenSSL base directory, if any
|
||||
AC_MSG_CHECKING([for user-provided OpenSSL base directory])
|
||||
AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL base directory), [
|
||||
dnl If --with-ssl specifies a directory, we use that directory
|
||||
if test "x$withval" != "xyes" -a "x$withval" != "x"; then
|
||||
dnl This ensures $withval is actually a directory and that it is absolute
|
||||
ap_ssltk_base="`cd $withval ; pwd`"
|
||||
fi
|
||||
ap_ssltk_type="sslc"
|
||||
])
|
||||
AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL SSL/TLS toolkit), [
|
||||
dnl If --with-ssl specifies a directory, we use that directory or fail
|
||||
if test "x$withval" != "xyes" -a "x$withval" != "x"; then
|
||||
dnl This ensures $withval is actually a directory and that it is absolute
|
||||
ap_ssltk_base="`cd $withval ; pwd`"
|
||||
ap_openssl_base="`cd $withval ; pwd`"
|
||||
fi
|
||||
])
|
||||
if test "x$ap_ssltk_base" = "x"; then
|
||||
if test "x$ap_openssl_base" = "x"; then
|
||||
AC_MSG_RESULT(none)
|
||||
else
|
||||
AC_MSG_RESULT($ap_ssltk_base)
|
||||
AC_MSG_RESULT($ap_openssl_base)
|
||||
fi
|
||||
|
||||
dnl Run header and version checks
|
||||
@@ -480,19 +471,19 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
|
||||
saved_LDFLAGS="$LDFLAGS"
|
||||
SSL_LIBS=""
|
||||
|
||||
dnl Before doing anything else, load in pkg-config variables (if not sslc).
|
||||
if test "x$ap_ssltk_type" = "x" -a -n "$PKGCONFIG"; then
|
||||
dnl Before doing anything else, load in pkg-config variables
|
||||
if test -n "$PKGCONFIG"; then
|
||||
saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
|
||||
if test "x$ap_ssltk_base" != "x" -a \
|
||||
-f "${ap_ssltk_base}/lib/pkgconfig/openssl.pc"; then
|
||||
if test "x$ap_openssl_base" != "x" -a \
|
||||
-f "${ap_openssl_base}/lib/pkgconfig/openssl.pc"; then
|
||||
dnl Ensure that the given path is used by pkg-config too, otherwise
|
||||
dnl the system openssl.pc might be picked up instead.
|
||||
PKG_CONFIG_PATH="${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
|
||||
PKG_CONFIG_PATH="${ap_openssl_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
|
||||
export PKG_CONFIG_PATH
|
||||
fi
|
||||
ap_ssltk_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
|
||||
ap_openssl_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
|
||||
if test $? -eq 0; then
|
||||
ap_ssltk_found="yes"
|
||||
ap_openssl_found="yes"
|
||||
pkglookup="`$PKGCONFIG --cflags-only-I openssl`"
|
||||
APR_ADDTO(CPPFLAGS, [$pkglookup])
|
||||
APR_ADDTO(INCLUDES, [$pkglookup])
|
||||
@@ -502,25 +493,23 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
|
||||
fi
|
||||
PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH"
|
||||
fi
|
||||
if test "x$ap_ssltk_base" != "x" -a "x$ap_ssltk_found" = "x"; then
|
||||
APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include])
|
||||
APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include])
|
||||
APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib])
|
||||
APR_ADDTO(SSL_LIBS, [-L$ap_ssltk_base/lib])
|
||||
|
||||
dnl fall back to the user-supplied directory if not found via pkg-config
|
||||
if test "x$ap_openssl_base" != "x" -a "x$ap_openssl_found" = "x"; then
|
||||
APR_ADDTO(CPPFLAGS, [-I$ap_openssl_base/include])
|
||||
APR_ADDTO(INCLUDES, [-I$ap_openssl_base/include])
|
||||
APR_ADDTO(LDFLAGS, [-L$ap_openssl_base/lib])
|
||||
APR_ADDTO(SSL_LIBS, [-L$ap_openssl_base/lib])
|
||||
if test "x$ap_platform_runtime_link_flag" != "x"; then
|
||||
APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
|
||||
APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
|
||||
APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib])
|
||||
APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib])
|
||||
fi
|
||||
fi
|
||||
if test "x$ap_ssltk_type" = "x"; then
|
||||
dnl First check for manditory headers
|
||||
AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], [])
|
||||
if test "$ap_ssltk_type" = "openssl"; then
|
||||
dnl so it's OpenSSL - test for a good version
|
||||
|
||||
AC_MSG_CHECKING([for OpenSSL version])
|
||||
AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
|
||||
#if !defined(OPENSSL_VERSION_NUMBER)
|
||||
#error "Missing openssl version"
|
||||
#error "Missing OpenSSL version"
|
||||
#endif
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x009060af) \
|
||||
|| ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f))
|
||||
@@ -532,75 +521,31 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
|
||||
AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
|
||||
[ Ensure the latest security patches have been applied!])
|
||||
])
|
||||
else
|
||||
AC_MSG_RESULT([no OpenSSL headers found])
|
||||
fi
|
||||
fi
|
||||
if test "$ap_ssltk_type" != "openssl"; then
|
||||
dnl Might be SSL-C - report, then test anything relevant
|
||||
AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [ap_ssltk_type=""])
|
||||
if test "$ap_ssltk_type" = "sslc"; then
|
||||
ap_ssltk_libs="-lsslc"
|
||||
AC_MSG_CHECKING([for SSL-C version])
|
||||
AC_TRY_COMPILE([#include <sslc.h>],[
|
||||
#if !defined(SSLC_VERSION_NUMBER)
|
||||
#error "Missing SSL-C version"
|
||||
#endif
|
||||
#if SSLC_VERSION_NUMBER < 0x2310
|
||||
#define stringize_ver(x) #x
|
||||
#error "Insecure SSL-C version " stringize_ver(SSLC_VERSION_NUMBER)
|
||||
#endif],
|
||||
[AC_MSG_RESULT(OK)],
|
||||
[dnl Replace this with SSLC_VERSION_NUMBER?
|
||||
AC_MSG_RESULT([not encouraging])
|
||||
echo "WARNING: SSL-C version may contain security vulnerabilities!"
|
||||
echo " Ensure the latest security patches have been applied!"
|
||||
])
|
||||
else
|
||||
AC_MSG_RESULT([no SSL-C headers found])
|
||||
fi
|
||||
fi
|
||||
if test "x$ap_ssltk_type" = "x"; then
|
||||
ac_cv_ssltk="no"
|
||||
AC_MSG_WARN([...No recognized SSL/TLS toolkit detected])
|
||||
else
|
||||
if test "$ap_ssltk_type" = "openssl" -a "x$ap_ssltk_found" = "x"; then
|
||||
ap_ssltk_found="yes"
|
||||
ap_ssltk_libs="-lssl -lcrypto `$apr_config --libs`"
|
||||
fi
|
||||
APR_ADDTO(SSL_LIBS, [$ap_ssltk_libs])
|
||||
APR_ADDTO(LIBS, [$ap_ssltk_libs])
|
||||
|
||||
if test "x$ac_cv_openssl" = "xyes"; then
|
||||
ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"
|
||||
APR_ADDTO(SSL_LIBS, [$ap_openssl_libs])
|
||||
APR_ADDTO(LIBS, [$ap_openssl_libs])
|
||||
APACHE_SUBST(SSL_LIBS)
|
||||
|
||||
dnl Run library and function checks
|
||||
liberrors=""
|
||||
if test "$ap_ssltk_type" = "openssl"; then
|
||||
AC_CHECK_HEADERS([openssl/engine.h])
|
||||
AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
|
||||
AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
|
||||
else
|
||||
AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
|
||||
AC_CHECK_FUNCS(SSL_set_state)
|
||||
if test "x$liberrors" != "x"; then
|
||||
ac_cv_openssl=no
|
||||
AC_MSG_WARN([OpenSSL libraries are unusable])
|
||||
fi
|
||||
fi
|
||||
|
||||
dnl restore
|
||||
CPPFLAGS="$saved_CPPFLAGS"
|
||||
LIBS="$saved_LIBS"
|
||||
LDFLAGS="$saved_LDFLAGS"
|
||||
if test "x$liberrors" != "x"; then
|
||||
ac_cv_ssltk=no
|
||||
AC_MSG_WARN([... Error, SSL/TLS libraries were missing or unusable])
|
||||
fi
|
||||
fi
|
||||
])
|
||||
|
||||
if test "x$ac_cv_ssltk" = "xyes" ; then
|
||||
dnl Adjust apache's configuration based on what we found above.
|
||||
dnl (a) define preprocessor symbols
|
||||
if test "$ap_ssltk_type" = "openssl"; then
|
||||
AC_DEFINE(HAVE_OPENSSL, 1, [Define if SSL is supported using OpenSSL])
|
||||
else
|
||||
AC_DEFINE(HAVE_SSLC, 1, [Define if SSL is supported using SSL-C])
|
||||
fi
|
||||
if test "x$ac_cv_openssl" = "xyes"; then
|
||||
AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available])
|
||||
fi
|
||||
])
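Review bot: In the last hunk `ap_openssl_libs="-lssl -lcrypto ..."` appears to be assigned whenever `ac_cv_openssl` is yes, which overwrites the value that `$PKGCONFIG --libs-only-l openssl` stored in the same variable two hunks earlier; the old code only fell back to the hard-coded pair when `ap_ssltk_found` was empty, so if I am reading the sides right a pkg-config link line (extra libraries for a static OpenSSL, for instance) is now silently lost. Guard the fallback as `if test "x$ap_openssl_found" = "x"; then ap_openssl_libs="-lssl -lcrypto"; fi` and add the `$apr_config --libs` output on a separate APR_ADDTO. Separately, the `cd $withval ; pwd` substitution that sets `ap_openssl_base` in the first hunk still yields the current directory when `cd` fails, so a mistyped `--with-ssl=DIR` configures against whichever OpenSSL is on the default search path instead of the one requested; `cd "$withval" 2>/dev/null && pwd` followed by an `AC_MSG_ERROR` when the result is empty makes that fail loudly, which is what the neighbouring `dnl This ensures $withval is actually a directory` comment promises.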
|
||||
|
||||
|
@@ -98,7 +98,6 @@ MAJOR CHANGES
|
||||
the original SSLProxy* directives
|
||||
o per-directory SSLCACertificate{File,Path} is now thread-safe but
|
||||
requires SSL_set_cert_store patch to OpenSSL
|
||||
o RSA sslc is supported via ssl_toolkit_compat.h
|
||||
o the ssl_engine_{ds,ext}.c source files are obsolete and no longer
|
||||
exist
|
||||
|
||||
|
@@ -44,8 +44,8 @@ ssl_util_ocsp.lo dnl
|
||||
"
|
||||
dnl # hook module into the Autoconf mechanism (--enable-ssl option)
|
||||
APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
|
||||
APACHE_CHECK_SSL_TOOLKIT
|
||||
if test "$ac_cv_ssltk" = "yes" ; then
|
||||
APACHE_CHECK_OPENSSL
|
||||
if test "$ac_cv_openssl" = "yes" ; then
|
||||
APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
|
||||
CHECK_OCSP
|
||||
if test "x$enable_ssl" = "xshared"; then
|
||||
|
@@ -250,14 +250,12 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
|
||||
/*
|
||||
* Try to kill the internals of the SSL library.
|
||||
*/
|
||||
#ifdef HAVE_OPENSSL
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907001
|
||||
/* Corresponds to OPENSSL_load_builtin_modules():
|
||||
* XXX: borrowed from apps.h, but why not CONF_modules_free()
|
||||
* which also invokes CONF_modules_finish()?
|
||||
*/
|
||||
CONF_modules_unload(1);
|
||||
#endif
|
||||
#endif
|
||||
/* Corresponds to SSL_library_init: */
|
||||
EVP_cleanup();
|
||||
@@ -292,19 +290,15 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
|
||||
* code can successfully test the SSL environment.
|
||||
*/
|
||||
CRYPTO_malloc_init();
|
||||
#ifdef HAVE_OPENSSL
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
SSL_load_error_strings();
|
||||
SSL_library_init();
|
||||
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
|
||||
ENGINE_load_builtin_engines();
|
||||
#endif
|
||||
#ifdef HAVE_OPENSSL
|
||||
OpenSSL_add_all_algorithms();
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907001
|
||||
OPENSSL_load_builtin_modules();
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@@ -895,7 +895,7 @@ static int ssl_server_import_key(server_rec *s,
|
||||
if (idx == SSL_AIDX_ECC)
|
||||
pkey_type = EVP_PKEY_EC;
|
||||
else
|
||||
#endif /* SSL_LIBRARY_VERSION */
|
||||
#endif
|
||||
pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
|
||||
|
||||
if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
|
||||
@@ -1265,18 +1265,11 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef SSLC_VERSION_NUMBER
|
||||
static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
|
||||
{
|
||||
return(X509_NAME_cmp((void*)*a, (void*)*b));
|
||||
}
|
||||
#else
|
||||
static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
|
||||
const X509_NAME * const *b)
|
||||
{
|
||||
return(X509_NAME_cmp(*a, *b));
|
||||
}
|
||||
#endif
|
||||
|
||||
static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
|
||||
server_rec *s, const char *file)
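Review bot: The bare `#endif` that now follows `else` in the `ssl_server_import_key` hunk closes an `#if` that lies outside the hunk, and dropping the (mismatched) `/* SSL_LIBRARY_VERSION */` comment leaves no hint which one; where the matching guard is visible, in the `DH *ssl_callback_TmpDH` hunk of ssl_private.h, it is `#ifndef OPENSSL_NO_EC`, and the `SSL_AIDX_ECC` / `EVP_PKEY_EC` lines just above this `#endif` suggest the same guard here. Write `#endif /* !OPENSSL_NO_EC */` at this line and at the three bare `#endif` lines in ssl_private.h's hunks once the enclosing guard is confirmed. `ssl_server_import_key` begins and ends outside the hunk.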
|
||||
|
@@ -277,9 +277,7 @@ static BIO_METHOD bio_filter_out_method = {
|
||||
bio_filter_out_ctrl,
|
||||
bio_filter_create,
|
||||
bio_filter_destroy,
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
NULL /* sslc does not have the callback_ctrl field */
|
||||
#endif
|
||||
NULL
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
@@ -531,9 +529,7 @@ static BIO_METHOD bio_filter_in_method = {
|
||||
NULL, /* ctrl is never called */
|
||||
bio_filter_create,
|
||||
bio_filter_destroy,
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
NULL /* sslc does not have the callback_ctrl field */
|
||||
#endif
|
||||
NULL
|
||||
};
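Review bot: The bare `NULL` that now ends both `bio_filter_out_method` and `bio_filter_in_method` has lost the only annotation saying which BIO_METHOD member it initialises, since that hint lived in the removed `#ifdef` comment. Write it as `NULL /* callback_ctrl */` in both positional initializers so a reader can still check them against the OpenSSL struct layout without counting fields. Both initializers begin outside their hunks.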
|
||||
|
||||
|
||||
|
@@ -1671,11 +1671,8 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
|
||||
*/
|
||||
pubkey = X509_get_pubkey(cert);
|
||||
rc = X509_CRL_verify(crl, pubkey);
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
/* Only refcounted in OpenSSL */
|
||||
if (pubkey)
|
||||
EVP_PKEY_free(pubkey);
|
||||
#endif
|
||||
if (rc <= 0) {
|
||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
|
||||
"Invalid signature on CRL");
|
||||
|
@@ -109,11 +109,7 @@ static apr_file_t *readtty = NULL;
|
||||
*/
|
||||
static server_rec *ssl_pphrase_server_rec = NULL;
|
||||
|
||||
#ifdef SSLC_VERSION_NUMBER
|
||||
int ssl_pphrase_Handle_CB(char *, int, int);
|
||||
#else
|
||||
int ssl_pphrase_Handle_CB(char *, int, int, void *);
|
||||
#endif
|
||||
|
||||
static char *pphrase_array_get(apr_array_header_t *arr, int idx)
|
||||
{
|
||||
@@ -649,14 +645,8 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef SSLC_VERSION_NUMBER
|
||||
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
|
||||
{
|
||||
void *srv = ssl_pphrase_server_rec;
|
||||
#else
|
||||
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
|
||||
{
|
||||
#endif
|
||||
SSLModConfigRec *mc;
|
||||
server_rec *s;
|
||||
apr_pool_t *p;
|
||||
|
@@ -944,7 +944,6 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
|
||||
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
|
||||
{
|
||||
char *result = "NULL";
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
|
||||
SSL_SESSION *pSession = SSL_get_session(ssl);
|
||||
|
||||
@@ -969,7 +968,6 @@ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
return result;
|
||||
}
|
||||
|
@@ -194,7 +194,7 @@ typedef int ssl_algo_t;
|
||||
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
|
||||
#else
|
||||
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
|
||||
#endif /* SSL_LIBRARY_VERSION */
|
||||
#endif
|
||||
|
||||
#define SSL_AIDX_RSA (0)
|
||||
#define SSL_AIDX_DSA (1)
|
||||
@@ -203,7 +203,7 @@ typedef int ssl_algo_t;
|
||||
#define SSL_AIDX_MAX (3)
|
||||
#else
|
||||
#define SSL_AIDX_MAX (2)
|
||||
#endif /* SSL_LIBRARY_VERSION */
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
@@ -671,7 +671,7 @@ RSA *ssl_callback_TmpRSA(SSL *, int, int);
|
||||
DH *ssl_callback_TmpDH(SSL *, int, int);
|
||||
#ifndef OPENSSL_NO_EC
|
||||
EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
|
||||
#endif /* SSL_LIBRARY_VERSION */
|
||||
#endif
|
||||
int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
|
||||
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
|
||||
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
|
||||
|
@@ -20,15 +20,12 @@
|
||||
/**
|
||||
* @file ssl_toolkit_compat.h
|
||||
* @brief this header file provides a compatiblity layer
|
||||
* between OpenSSL and RSA sslc
|
||||
*
|
||||
* @defgroup MOD_SSL_TOOLKIT Toolkit
|
||||
* @ingroup MOD_SSL
|
||||
* @{
|
||||
*/
|
||||
|
||||
#ifdef HAVE_OPENSSL
|
||||
|
||||
/** OpenSSL headers */
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
@@ -181,115 +178,6 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#elif defined(HAVE_SSLC)
|
||||
|
||||
#include <bio.h>
|
||||
#include <ssl.h>
|
||||
#include <err.h>
|
||||
#include <x509.h>
|
||||
#include <pem.h>
|
||||
#include <evp.h>
|
||||
#include <objects.h>
|
||||
#include <sslc.h>
|
||||
|
||||
/** sslc does not support this function, OpenSSL has since 9.5.1 */
|
||||
#define RAND_status() 1
|
||||
|
||||
/** sslc names this function a bit differently */
|
||||
#define CRYPTO_num_locks() CRYPTO_get_num_locks()
|
||||
|
||||
#ifndef STACK_OF
|
||||
#define STACK_OF(type) STACK
|
||||
#endif
|
||||
|
||||
#define MODSSL_BIO_CB_ARG_TYPE char
|
||||
#define MODSSL_CRYPTO_CB_ARG_TYPE char
|
||||
#define MODSSL_INFO_CB_ARG_TYPE SSL*
|
||||
#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
|
||||
#define MODSSL_PCHAR_CAST (char *)
|
||||
#define MODSSL_D2I_SSL_SESSION_CONST
|
||||
#define MODSSL_D2I_PrivateKey_CONST
|
||||
#define MODSSL_D2I_X509_CONST
|
||||
|
||||
typedef int (modssl_read_bio_cb_fn)(char*,int,int);
|
||||
|
||||
#define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
|
||||
|
||||
#define modssl_PEM_read_bio_X509(b, x, cb, arg) \
|
||||
PEM_read_bio_X509(b, x, cb)
|
||||
|
||||
#define modssl_PEM_X509_INFO_read_bio(b, x, cb, arg)\
|
||||
PEM_X509_INFO_read_bio(b, x, cb)
|
||||
|
||||
#define modssl_PEM_read_bio_PrivateKey(b, k, cb, arg) \
|
||||
PEM_read_bio_PrivateKey(b, k, cb)
|
||||
|
||||
#ifndef HAVE_SSL_SET_STATE
|
||||
#define SSL_set_state(ssl, state) /** XXX: should throw an error */
|
||||
#endif
|
||||
|
||||
#define modssl_set_cipher_list(ssl, l) \
|
||||
SSL_set_cipher_list(ssl, (char *)l)
|
||||
|
||||
#define modssl_free free
|
||||
|
||||
#ifndef PEM_F_DEF_CALLBACK
|
||||
#define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
|
||||
#endif
|
||||
|
||||
#if SSLC_VERSION_NUMBER < 0x2000
|
||||
|
||||
#define X509_STORE_CTX_set_depth(st, d)
|
||||
#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
|
||||
#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
|
||||
#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked)
|
||||
#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
|
||||
|
||||
#define modssl_set_verify(ssl, verify, cb) \
|
||||
SSL_set_verify(ssl, verify)
|
||||
|
||||
#else /** SSLC_VERSION_NUMBER >= 0x2000 */
|
||||
|
||||
#define CRYPTO_malloc_init R_malloc_init
|
||||
|
||||
#define EVP_cleanup()
|
||||
|
||||
#endif /** SSLC_VERSION_NUMBER >= 0x2000 */
|
||||
|
||||
typedef void (*modssl_popfree_fn)(char *data);
|
||||
|
||||
#define sk_SSL_CIPHER_dup sk_dup
|
||||
#define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
|
||||
#define sk_SSL_CIPHER_free sk_free
|
||||
#define sk_SSL_CIPHER_num sk_num
|
||||
#define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
|
||||
#define sk_X509_num sk_num
|
||||
#define sk_X509_push sk_push
|
||||
#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
|
||||
#define sk_X509_value (X509 *)sk_value
|
||||
#define sk_X509_INFO_free sk_free
|
||||
#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
|
||||
#define sk_X509_INFO_num sk_num
|
||||
#define sk_X509_INFO_new_null sk_new_null
|
||||
#define sk_X509_INFO_value (X509_INFO *)sk_value
|
||||
#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
|
||||
#define sk_X509_NAME_free sk_free
|
||||
#define sk_X509_NAME_new sk_new
|
||||
#define sk_X509_NAME_num sk_num
|
||||
#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
|
||||
#define sk_X509_NAME_value (X509_NAME *)sk_value
|
||||
#define sk_X509_NAME_ENTRY_num sk_num
|
||||
#define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
|
||||
#define sk_X509_NAME_set_cmp_func sk_set_cmp_func
|
||||
#define sk_X509_REVOKED_num sk_num
|
||||
#define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
|
||||
|
||||
#else /** ! HAVE_OPENSSL && ! HAVE_SSLC */
|
||||
|
||||
#error "Unrecognized SSL Toolkit!"
|
||||
|
||||
#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */
|
||||
|
||||
#ifndef modssl_set_verify
|
||||
#define modssl_set_verify(ssl, verify, cb) \
|
||||
SSL_set_verify(ssl, verify, cb)
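Review bot: With the `#elif defined(HAVE_SSLC)` branch removed, the header's `@brief` in the first hunk still reads `this header file provides a compatiblity layer` (typo included), and the line naming its second party is presumably gone too, so the summary no longer says what the file is for; `@brief OpenSSL version-compatibility macros and typedefs used by mod_ssl` would describe what remains. If the `#else` / `#error "Unrecognized SSL Toolkit!"` lines go along with the leading `#ifdef HAVE_OPENSSL`, as the hunk counts suggest, a build configured without OpenSSL now fails at the first `#include <openssl/ssl.h>` rather than with that message, so keeping a `#ifndef HAVE_OPENSSL` / `#error` pair at the top would preserve the clearer diagnostic. The doc-comment block of the first hunk and the tail of this one extend outside what is shown.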
|
||||
|
@@ -159,11 +159,8 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
|
||||
break;
|
||||
}
|
||||
}
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
/* Only refcounted in OpenSSL */
|
||||
if (pFreeKey != NULL)
|
||||
EVP_PKEY_free(pFreeKey);
|
||||
#endif
|
||||
return t;
|
||||
}
|
||||
|
||||
@@ -338,18 +335,8 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
|
||||
static apr_thread_mutex_t **lock_cs;
|
||||
static int lock_num_locks;
|
||||
|
||||
#ifdef HAVE_SSLC
|
||||
#if SSLC_VERSION_NUMBER >= 0x2000
|
||||
static int ssl_util_thr_lock(int mode, int type,
|
||||
char *file, int line)
|
||||
#else
|
||||
static void ssl_util_thr_lock(int mode, int type,
|
||||
char *file, int line)
|
||||
#endif
|
||||
#else
|
||||
static void ssl_util_thr_lock(int mode, int type,
|
||||
const char *file, int line)
|
||||
#endif
|
||||
{
|
||||
if (type < lock_num_locks) {
|
||||
if (mode & CRYPTO_LOCK) {
|
||||
@@ -358,14 +345,6 @@ static void ssl_util_thr_lock(int mode, int type,
|
||||
else {
|
||||
apr_thread_mutex_unlock(lock_cs[type]);
|
||||
}
|
||||
#ifdef HAVE_SSLC
|
||||
#if SSLC_VERSION_NUMBER >= 0x2000
|
||||
return 1;
|
||||
}
|
||||
else {
|
||||
return -1;
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
@@ -535,24 +535,11 @@ char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
|
||||
*cp = NUL;
|
||||
return str;
|
||||
}
|
||||
|
||||
/* sslc+OpenSSL compat */
|
||||
|
||||
int modssl_session_get_time(SSL_SESSION *session)
|
||||
{
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
return SSL_SESSION_get_time(session);
|
||||
#else /* assume sslc */
|
||||
CRYPTO_TIME_T ct;
|
||||
SSL_SESSION_get_time(session, &ct);
|
||||
return CRYPTO_time_to_int(&ct);
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef SSLC_VERSION_NUMBER
|
||||
#define SSLC_VERSION_NUMBER 0x0000
|
||||
#endif
|
||||
|
||||
DH *modssl_dh_configure(unsigned char *p, int plen,
|
||||
unsigned char *g, int glen)
|
||||
{
|
||||
@@ -562,17 +549,12 @@ DH *modssl_dh_configure(unsigned char *p, int plen,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
|
||||
dh->p = BN_bin2bn(p, plen, NULL);
|
||||
dh->g = BN_bin2bn(g, glen, NULL);
|
||||
if (!(dh->p && dh->g)) {
|
||||
DH_free(dh);
|
||||
return NULL;
|
||||
}
|
||||
#else
|
||||
R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
|
||||
R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);
|
||||
#endif
|
||||
|
||||
return dh;
|
||||
}
|
||||
|
@@ -35,30 +35,13 @@
|
||||
#define __SSL_UTIL_SSL_H__
|
||||
|
||||
/**
|
||||
* Determine SSL library version number
|
||||
* SSL library version number
|
||||
*/
|
||||
#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF)
|
||||
|
||||
#ifdef OPENSSL_VERSION_NUMBER
|
||||
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
|
||||
#define SSL_LIBRARY_NAME "OpenSSL"
|
||||
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
|
||||
#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
|
||||
#elif defined(SSLC_VERSION_NUMBER)
|
||||
#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER
|
||||
#define SSL_LIBRARY_NAME "SSL-C"
|
||||
#define SSL_LIBRARY_TEXT { 'S', 'S', 'L', '-', 'C', ' ', \
|
||||
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \
|
||||
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \
|
||||
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \
|
||||
'0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 }
|
||||
#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION)
|
||||
#elif !defined(SSL_LIBRARY_VERSION)
|
||||
#define SSL_LIBRARY_VERSION 0x0000
|
||||
#define SSL_LIBRARY_NAME "OtherSSL"
|
||||
#define SSL_LIBRARY_TEXT "OtherSSL 0.0.0 00 XXX 0000"
|
||||
#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000"
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Maximum length of a DER encoded session.
|
||||
@@ -92,7 +75,6 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const c
|
||||
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
|
||||
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
|
||||
|
||||
/** util functions for OpenSSL+sslc compat */
|
||||
int modssl_session_get_time(SSL_SESSION *session);
|
||||
|
||||
DH *modssl_dh_configure(unsigned char *p, int plen,
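Review bot: In the last hunk the one removed line is presumably `/** util functions for OpenSSL+sslc compat */`, which leaves `int modssl_session_get_time(SSL_SESSION *session);` and the following `modssl_dh_configure` prototype as the only entries in this header without a `/** ... */` comment. Suggest `/** Return SSL_SESSION_get_time() for @a session as an int */` above the first, and a one-line purpose above the second describing what it builds from the p and g buffers. The `modssl_dh_configure` parameter list continues outside the hunk.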
|
||||
|
19
support/ab.c
19
support/ab.c
@@ -156,25 +156,8 @@
|
||||
#include "ap_config_auto.h"
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_SSLC)
|
||||
#if defined(HAVE_OPENSSL)
|
||||
|
||||
/* Libraries for RSA SSL-C */
|
||||
#include <rsa.h>
|
||||
#include <x509.h>
|
||||
#include <pem.h>
|
||||
#include <err.h>
|
||||
#include <ssl.h>
|
||||
#include <r_rand.h>
|
||||
#include <sslc.h>
|
||||
#define USE_SSL
|
||||
#define RSAREF
|
||||
#define SK_NUM(x) sk_num(x)
|
||||
#define SK_VALUE(x,y) sk_value(x,y)
|
||||
typedef STACK X509_STACK_TYPE;
|
||||
|
||||
#elif defined(HAVE_OPENSSL)
|
||||
|
||||
/* Libraries on most systems.. */
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/x509.h>
|
||||
|