From 2453c22a1af94ff595186e35d359a49a4d381a04 Mon Sep 17 00:00:00 2001 From: Kaspar Brand Date: Sun, 7 Aug 2011 10:36:57 +0000 Subject: [PATCH] Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and remove #ifdef'ed code which was relevant for earlier versions only. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154688 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 2 ++ acinclude.m4 | 21 +++++++++------------ modules/ssl/config.m4 | 7 ------- modules/ssl/mod_ssl.c | 4 ---- modules/ssl/ssl_engine_config.c | 8 ++------ modules/ssl/ssl_engine_dh.c | 4 ---- modules/ssl/ssl_engine_kernel.c | 6 +++--- modules/ssl/ssl_engine_ocsp.c | 2 +- modules/ssl/ssl_engine_rand.c | 2 -- modules/ssl/ssl_private.h | 17 ++--------------- modules/ssl/ssl_util_ocsp.c | 2 +- modules/ssl/ssl_util_ssl.c | 18 ------------------ 12 files changed, 20 insertions(+), 73 deletions(-) diff --git a/CHANGES b/CHANGES index 4703b9e93f..3d8c558f55 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15 + *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand] + *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand] *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. diff --git a/acinclude.m4 b/acinclude.m4 index b12fa502f5..bd3d4da4a7 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -445,7 +445,7 @@ dnl AC_DEFUN(APACHE_CHECK_OPENSSL,[ AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [ dnl initialise the variables we use - ac_cv_openssl=yes + ac_cv_openssl=no ap_openssl_found="" ap_openssl_base="" ap_openssl_libs="" 
@@ -506,21 +506,17 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[ fi fi - AC_MSG_CHECKING([for OpenSSL version]) + AC_MSG_CHECKING([for OpenSSL version >= 0.9.7]) AC_TRY_COMPILE([#include ],[ #if !defined(OPENSSL_VERSION_NUMBER) #error "Missing OpenSSL version" #endif -#if (OPENSSL_VERSION_NUMBER < 0x009060af) \ - || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f)) -#error "Insecure openssl version " OPENSSL_VERSION_TEXT +#if OPENSSL_VERSION_NUMBER < 0x0090700f +#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT #endif], - [AC_MSG_RESULT(OK)], - [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h? - AC_MSG_RESULT([not encouraging]) - AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!] - [ Ensure the latest security patches have been applied!]) - ]) + [AC_MSG_RESULT(OK) + ac_cv_openssl=yes], + [AC_MSG_RESULT(FAILED)]) if test "x$ac_cv_openssl" = "xyes"; then ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`" @@ -534,9 +530,10 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[ AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines]) if test "x$liberrors" != "x"; then - ac_cv_openssl=no AC_MSG_WARN([OpenSSL libraries are unusable]) fi + else + AC_MSG_WARN([OpenSSL version is too old]) fi dnl restore diff --git a/modules/ssl/config.m4 b/modules/ssl/config.m4 index 5f6fb40121..1ee122e232 100644 --- a/modules/ssl/config.m4 +++ b/modules/ssl/config.m4 @@ -13,12 +13,6 @@ dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. dnl See the License for the specific language governing permissions and dnl limitations under the License. -AC_DEFUN([CHECK_OCSP], [ -AC_CHECK_HEADERS(openssl/ocsp.h, - [AC_DEFINE([HAVE_OCSP], 1, [Define if OCSP is supported by OpenSSL])] -) -]) - dnl # start of module specific part APACHE_MODPATH_INIT(ssl) 
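Review bot: The new lower bound `0x0090700f` in the AC_TRY_COMPILE test admits every 0.9.7 patch level, whereas the check it replaces refused 0.9.7 builds below `0x0090702f` (0.9.7b) as insecure and warned at configure time when the version looked suspect, so the security floor for the 0.9.7 branch is silently lowered rather than raised. If the intent is purely a feature floor, a comment on the `#if` line would stop a reader from inferring a safety statement, e.g. `/* feature floor only: says nothing about which 0.9.7x patch levels are free of known issues */`; otherwise the old bound `0x0090702f` is the safer minimum. The previous "may contain security vulnerabilities" warning path is also dropped without a replacement.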
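Review bot: Removing `ac_cv_openssl=no` from the liberrors branch turns a failed AC_CHECK_FUNCS link test into a warning only; because the variable now starts at no and is flipped to yes by the version compile test in the preceding hunk, it stays yes when the libraries are unusable, and config.m4's `if test "$ac_cv_openssl" = "yes"` then adds SSL_LIBS and builds mod_ssl against libraries configure has just found it cannot link, unless something after this hunk resets it. Keeping the reset next to the warning, `ac_cv_openssl=no` immediately before `AC_MSG_WARN([OpenSSL libraries are unusable])`, preserves the earlier fail-closed behaviour. The enclosing AC_DEFUN continues outside the hunk.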
@@ -47,7 +41,6 @@ APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [ APACHE_CHECK_OPENSSL if test "$ac_cv_openssl" = "yes" ; then APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)]) - CHECK_OCSP if test "x$enable_ssl" = "xshared"; then # The only symbol which needs to be exported is the module # structure, so ask libtool to hide everything else: diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 84accdbbb2..89089fb674 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -250,13 +250,11 @@ static apr_status_t ssl_cleanup_pre_config(void *data) /* * Try to kill the internals of the SSL library. */ -#if OPENSSL_VERSION_NUMBER >= 0x00907001 /* Corresponds to OPENSSL_load_builtin_modules(): * XXX: borrowed from apps.h, but why not CONF_modules_free() * which also invokes CONF_modules_finish()? */ CONF_modules_unload(1); -#endif /* Corresponds to SSL_library_init: */ EVP_cleanup(); #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES @@ -297,9 +295,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, ENGINE_load_builtin_engines(); #endif OpenSSL_add_all_algorithms(); -#if OPENSSL_VERSION_NUMBER >= 0x00907001 OPENSSL_load_builtin_modules(); -#endif /* * Let us cleanup the ssl library when the module is unloaded diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 20c2e8f3cf..918f9216d7 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -517,12 +517,8 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd, seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5); } else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) { -#ifdef HAVE_SSL_RAND_EGD seed->nSrc = SSL_RSSRC_EGD; seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4); -#else - return "egd not supported with this SSL toolkit"; -#endif } else if (strcEQ(arg2, "builtin")) { seed->nSrc = SSL_RSSRC_BUILTIN; 
@@ -1428,9 +1424,9 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag) sc->server->ocsp_enabled = flag ? TRUE : FALSE; -#ifndef HAVE_OCSP +#ifdef OPENSSL_NO_OCSP if (flag) { - return "OCSP support not detected in SSL library; cannot enable " + return "OCSP support disabled in SSL library; cannot enable " "OCSP validation"; } #endif diff --git a/modules/ssl/ssl_engine_dh.c b/modules/ssl/ssl_engine_dh.c index 935b0c7307..0cc7455570 100644 --- a/modules/ssl/ssl_engine_dh.c +++ b/modules/ssl/ssl_engine_dh.c @@ -142,11 +142,7 @@ DH *ssl_dh_GetParamFromFile(char *file) if ((bio = BIO_new_file(file, "r")) == NULL) return NULL; -#if SSL_LIBRARY_VERSION < 0x00904000 - dh = PEM_read_bio_DHparams(bio, NULL, NULL); -#else dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -#endif BIO_free(bio); return (dh); } diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 6bc7219869..f516d83542 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1471,7 +1471,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) errnum = X509_STORE_CTX_get_error(ctx); } -#ifdef HAVE_OCSP +#ifndef OPENSSL_NO_OCSP /* If there was an optional verification error, it's not * possible to perform OCSP validation since the issuer may be * missing/untrusted. Fail in that case. */ @@ -2005,7 +2005,7 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx, } /* Dump debugginfo trace to the log file. */ -static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, +static void log_tracing_state(const SSL *ssl, conn_rec *c, server_rec *s, int where, int rc) { /* @@ -2078,7 +2078,7 @@ static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, * client-initiated renegotiations, and for dumping everything to the * log. */ -void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) +void ssl_callback_Info(const SSL *ssl, int where, int rc) { conn_rec *c; server_rec *s; 
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c index 28ace8a672..d7f33c9587 100644 --- a/modules/ssl/ssl_engine_ocsp.c +++ b/modules/ssl/ssl_engine_ocsp.c @@ -16,7 +16,7 @@ #include "ssl_private.h" -#ifdef HAVE_OCSP +#ifndef OPENSSL_NO_OCSP #include "apr_base64.h" /* Return the responder URI specified in the given certificate, or diff --git a/modules/ssl/ssl_engine_rand.c b/modules/ssl/ssl_engine_rand.c index a45012a309..d3521f5cc3 100644 --- a/modules/ssl/ssl_engine_rand.c +++ b/modules/ssl/ssl_engine_rand.c @@ -81,7 +81,6 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes); ssl_util_ppclose(s, p, fp); } -#ifdef HAVE_SSL_RAND_EGD else if (pRandSeed->nSrc == SSL_RSSRC_EGD) { /* * seed in contents provided by the external @@ -91,7 +90,6 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix) continue; nDone += n; } -#endif else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) { struct { time_t t; diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index e237ea4c1b..36ea614078 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -90,15 +90,8 @@ #include #include #include - -/* hack for non-configure platforms (NetWare, Win32) */ -#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000) -#define HAVE_OCSP -#endif -#ifdef HAVE_OCSP #include #include -#endif /* Avoid tripping over an engine build installed globally and detected * when the user points at an explicit non-engine flavor of OpenSSL @@ -108,12 +101,6 @@ #endif /* ...shifting sands of OpenSSL... */ -#if (OPENSSL_VERSION_NUMBER < 0x00907000) -# define MODSSL_INFO_CB_ARG_TYPE SSL* -#else -# define MODSSL_INFO_CB_ARG_TYPE const SSL* -#endif - #if (OPENSSL_VERSION_NUMBER >= 0x0090707f) #define MODSSL_D2I_SSL_SESSION_CONST const #else 
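Review bot: In the ssl_private.h hunk at -90, the two includes that were previously inside `#ifdef HAVE_OCSP` become unconditional, while every other OCSP site in this commit (ssl_engine_ocsp.c, ssl_util_ocsp.c, ssl_engine_kernel.c, ssl_engine_config.c) now keys on `OPENSSL_NO_OCSP`; an OpenSSL built with OCSP disabled may still install that header, but if it does not, or the header rejects the disabled configuration, the build fails here before any of those guards apply. Wrapping the two includes in `#ifndef OPENSSL_NO_OCSP` / `#endif` keeps the header consistent with the rest of the change (the include targets are not legible in this rendering). This also presumes opensslconf.h has been pulled in by one of the preceding openssl includes so that the macro is visible at that point, which is worth confirming.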
@@ -757,7 +744,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); -void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int); +void ssl_callback_Info(const SSL *, int, int); #ifndef OPENSSL_NO_TLSEXT int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); #endif @@ -883,7 +870,7 @@ void ssl_var_log_config_register(apr_pool_t *p); * allocating from 'p': */ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p); -#ifdef HAVE_OCSP +#ifndef OPENSSL_NO_OCSP /* Perform OCSP validation of the current cert in the given context. * Returns non-zero on success or zero on failure. On failure, the * context error code is set. */ diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index f171060caf..5fb8e24377 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c @@ -20,7 +20,7 @@ #include "ssl_private.h" -#ifdef HAVE_OCSP +#ifndef OPENSSL_NO_OCSP #include "apr_buckets.h" #include "apr_uri.h" diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index 305ffc9c77..e0c07967bf 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -115,16 +115,6 @@ X509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb) return rc; } -#if SSL_LIBRARY_VERSION <= 0x00904100 -static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key) -{ - return ((EVP_PKEY *)ASN1_d2i_bio( - (char *(*)())EVP_PKEY_new, - (char *(*)())d2i_PrivateKey, - (bio), (unsigned char **)(key))); -} -#endif - EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s) { EVP_PKEY *rc; 
@@ -291,7 +281,6 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl) /* check whether cert contains extended key usage with a SGC tag */ BOOL SSL_X509_isSGC(X509 *cert) { -#ifdef HAVE_SSL_X509V3_EXT_d2i int ext_nid; EXTENDED_KEY_USAGE *sk; BOOL is_sgc; @@ -310,15 +299,11 @@ BOOL SSL_X509_isSGC(X509 *cert) EXTENDED_KEY_USAGE_free(sk); } return is_sgc; -#else - return FALSE; -#endif } /* retrieve basic constraints ingredients */ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen) { -#ifdef HAVE_SSL_X509V3_EXT_d2i BASIC_CONSTRAINTS *bc; BIGNUM *bn = NULL; char *cp; @@ -339,9 +324,6 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen) } BASIC_CONSTRAINTS_free(bc); return TRUE; -#else - return FALSE; -#endif } /* convert a NAME_ENTRY to UTF8 string */
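Review bot: With the `#else return FALSE;` fallback gone from SSL_X509_isSGC, `is_sgc` is declared at the top of the hunk without an initialiser and its assignments live in the part of the function between the two hunks, which is not visible here; if that body only assigns it inside the branch that found an extended-key-usage extension, `return is_sgc;` yields an indeterminate value for certificates without one. Initialising at the declaration, `BOOL is_sgc = FALSE;`, makes the now-single code path safe regardless of the hidden control flow. The bodies of both SSL_X509_isSGC and SSL_X509_getBC extend outside the shown hunks.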