www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Increase minimum required OpenSSL version to 0.9.8a (in preparation

Browse Source 
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527294 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2013-09-29 10:12:47 +00:00
parent 056e10bb4f
commit 725978c554
12 changed files with 113 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,6 +1,8 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
*) mod_lua: Let the Inter-VM get/set functions work with a global *) mod_lua: Let the Inter-VM get/set functions work with a global
shared memory pool instead of a per-process pool. [Daniel Gruno] shared memory pool instead of a per-process pool. [Daniel Gruno]

4
acinclude.m4
View File

@@ -570,12 +570,12 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
fi fi
fi fi
AC_MSG_CHECKING([for OpenSSL version >= 0.9.7]) AC_MSG_CHECKING([for OpenSSL version >= 0.9.8a])
AC_TRY_COMPILE([#include <openssl/opensslv.h>],[ AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
#if !defined(OPENSSL_VERSION_NUMBER) #if !defined(OPENSSL_VERSION_NUMBER)
#error "Missing OpenSSL version" #error "Missing OpenSSL version"
#endif #endif
#if OPENSSL_VERSION_NUMBER < 0x0090700f #if OPENSSL_VERSION_NUMBER < 0x0090801f
#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT #error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
#endif], #endif],
[AC_MSG_RESULT(OK) [AC_MSG_RESULT(OK)

2
modules/ssl/mod_ssl.c
View File

@@ -153,7 +153,7 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
"Strict SNI virtual host checking") "Strict SNI virtual host checking")
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
SSL_CMD_SRV(SRPVerifierFile, TAKE1, SSL_CMD_SRV(SRPVerifierFile, TAKE1,
"SRP verifier file " "SRP verifier file "
"('/path/to/file' - created by srptool)") "('/path/to/file' - created by srptool)")

14
modules/ssl/ssl_engine_config.c
View File

@@ -148,7 +148,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->stapling_force_url = NULL; mctx->stapling_force_url = NULL;
#endif #endif
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
mctx->srp_vfile = NULL; mctx->srp_vfile = NULL;
mctx->srp_unknown_user_seed = NULL; mctx->srp_unknown_user_seed = NULL;
mctx->srp_vbase = NULL; mctx->srp_vbase = NULL;
@@ -209,7 +209,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET;
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET; sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif #endif
#ifdef HAVE_FIPS #ifdef HAVE_FIPS
@@ -283,7 +283,7 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
cfgMerge(stapling_force_url, NULL); cfgMerge(stapling_force_url, NULL);
#endif #endif
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
cfgMergeString(srp_vfile); cfgMergeString(srp_vfile);
cfgMergeString(srp_unknown_user_seed); cfgMergeString(srp_unknown_user_seed);
#endif #endif
@@ -344,7 +344,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET);
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET); cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif #endif
#ifdef HAVE_FIPS #ifdef HAVE_FIPS
@@ -1664,7 +1664,7 @@ const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)
const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag) const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
{ {
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
SSLSrvConfigRec *sc = mySrvConfig(cmd->server); SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
@@ -1834,7 +1834,7 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
return NULL; return NULL;
} }
#endif #endif
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
const char *arg) const char *arg)
@@ -1858,7 +1858,7 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
return NULL; return NULL;
} }
#endif /* OPENSSL_NO_SRP */ #endif /* HAVE_SRP */
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{ {

42
modules/ssl/ssl_engine_init.c
View File

@@ -35,7 +35,7 @@
** _________________________________________________________________ ** _________________________________________________________________
*/ */
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
#define KEYTYPES "RSA, DSA or ECC" #define KEYTYPES "RSA, DSA or ECC"
#else #else
#define KEYTYPES "RSA or DSA" #define KEYTYPES "RSA or DSA"
@@ -303,7 +303,7 @@ static void ssl_init_server_check(server_rec *s,
*/ */
if (mctx->pks->certs[SSL_AIDX_RSA] || if (mctx->pks->certs[SSL_AIDX_RSA] ||
mctx->pks->certs[SSL_AIDX_DSA] mctx->pks->certs[SSL_AIDX_DSA]
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
|| mctx->pks->certs[SSL_AIDX_ECC] || mctx->pks->certs[SSL_AIDX_ECC]
#endif #endif
) )
@@ -315,7 +315,7 @@ static void ssl_init_server_check(server_rec *s,
} }
} }
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
static void ssl_init_ctx_tls_extensions(server_rec *s, static void ssl_init_ctx_tls_extensions(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -349,7 +349,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
} }
#endif #endif
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
/* /*
* TLS-SRP support * TLS-SRP support
*/ */
@@ -482,7 +482,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
#ifdef SSL_OP_NO_COMPRESSION #ifdef SSL_OP_NO_COMPRESSION
/* OpenSSL >= 1.0 only */ /* OpenSSL >= 1.0 only */
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
#elif OPENSSL_VERSION_NUMBER >= 0x00908000L #else
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif #endif
} }
@@ -500,7 +500,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
* Configure additional context ingredients * Configure additional context ingredients
*/ */
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
#endif #endif
@@ -836,7 +836,7 @@ static void ssl_init_ctx(server_rec *s,
if (mctx->pks) { if (mctx->pks) {
/* XXX: proxy support? */ /* XXX: proxy support? */
ssl_init_ctx_cert_chain(s, p, ptemp, mctx); ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
#endif #endif
} }
@@ -849,7 +849,7 @@ static int ssl_server_import_cert(server_rec *s,
{ {
SSLModConfigRec *mc = myModConfig(s); SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1; ssl_asn1_t *asn1;
MODSSL_D2I_X509_CONST unsigned char *ptr; const unsigned char *ptr;
const char *type = ssl_asn1_keystr(idx); const char *type = ssl_asn1_keystr(idx);
X509 *cert; X509 *cert;
@@ -896,12 +896,12 @@ static int ssl_server_import_key(server_rec *s,
{ {
SSLModConfigRec *mc = myModConfig(s); SSLModConfigRec *mc = myModConfig(s);
ssl_asn1_t *asn1; ssl_asn1_t *asn1;
MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; const unsigned char *ptr;
const char *type = ssl_asn1_keystr(idx); const char *type = ssl_asn1_keystr(idx);
int pkey_type; int pkey_type;
EVP_PKEY *pkey; EVP_PKEY *pkey;
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
if (idx == SSL_AIDX_ECC) if (idx == SSL_AIDX_ECC)
pkey_type = EVP_PKEY_EC; pkey_type = EVP_PKEY_EC;
else else
@@ -1005,30 +1005,30 @@ static void ssl_init_server_certs(server_rec *s,
modssl_ctx_t *mctx) modssl_ctx_t *mctx)
{ {
const char *rsa_id, *dsa_id; const char *rsa_id, *dsa_id;
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
const char *ecc_id; const char *ecc_id;
#endif #endif
const char *vhost_id = mctx->sc->vhost_id; const char *vhost_id = mctx->sc->vhost_id;
int i; int i;
int have_rsa, have_dsa; int have_rsa, have_dsa;
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
int have_ecc; int have_ecc;
#endif #endif
rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
#endif #endif
have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
#endif #endif
if (!(have_rsa || have_dsa if (!(have_rsa || have_dsa
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
|| have_ecc || have_ecc
#endif #endif
)) { )) {
@@ -1044,12 +1044,12 @@ static void ssl_init_server_certs(server_rec *s,
have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
#endif #endif
if (!(have_rsa || have_dsa if (!(have_rsa || have_dsa
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
|| have_ecc || have_ecc
#endif #endif
)) { )) {
@@ -1058,7 +1058,7 @@ static void ssl_init_server_certs(server_rec *s,
ssl_die(s); ssl_die(s);
} }
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
/* Enable ECDHE by configuring a default curve */ /* Enable ECDHE by configuring a default curve */
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
@@ -1370,7 +1370,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
klen = strlen(key); klen = strlen(key);
if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
#ifdef OPENSSL_NO_TLSEXT #ifndef HAVE_TLSEXT
int level = APLOG_WARNING; int level = APLOG_WARNING;
const char *problem = "conflict"; const char *problem = "conflict";
#else #else
@@ -1394,7 +1394,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
} }
if (conflict) { if (conflict) {
#ifdef OPENSSL_NO_TLSEXT #ifndef HAVE_TLSEXT
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
"Init: You should not use name-based " "Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!"); "virtual hosts in conjunction with SSL!!");
@@ -1543,7 +1543,7 @@ static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
{ {
MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx); MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
if (mctx->srp_vbase != NULL) { if (mctx->srp_vbase != NULL) {
SRP_VBASE_free(mctx->srp_vbase); SRP_VBASE_free(mctx->srp_vbase);
mctx->srp_vbase = NULL; mctx->srp_vbase = NULL;

4
modules/ssl/ssl_engine_io.c
View File

@@ -1113,7 +1113,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
server = sslconn->server; server = sslconn->server;
if (sslconn->is_proxy) { if (sslconn->is_proxy) {
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
apr_ipsubnet_t *ip; apr_ipsubnet_t *ip;
#endif #endif
const char *hostname_note = apr_table_get(c->notes, const char *hostname_note = apr_table_get(c->notes,
@@ -1121,7 +1121,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
BOOL proxy_ssl_check_peer_ok = TRUE; BOOL proxy_ssl_check_peer_ok = TRUE;
sc = mySrvConfig(server); sc = mySrvConfig(server);
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
/* /*
* Enable SNI for backend requests. Make sure we don't do it for * Enable SNI for backend requests. Make sure we don't do it for
* pure SSLv3 connections, and also prevent IP addresses * pure SSLv3 connections, and also prevent IP addresses

22
modules/ssl/ssl_engine_kernel.c
View File

@@ -33,7 +33,7 @@
#include "util_md5.h" #include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
#endif #endif
@@ -120,7 +120,7 @@ int ssl_hook_ReadReq(request_rec *r)
SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLConnRec *sslconn; SSLConnRec *sslconn;
const char *upgrade; const char *upgrade;
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
const char *servername; const char *servername;
#endif #endif
SSL *ssl; SSL *ssl;
@@ -163,7 +163,7 @@ int ssl_hook_ReadReq(request_rec *r)
if (!ssl) { if (!ssl) {
return DECLINED; return DECLINED;
} }
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
char *host, *scope_id; char *host, *scope_id;
apr_port_t port; apr_port_t port;
@@ -330,7 +330,7 @@ int ssl_hook_Access(request_rec *r)
return DECLINED; return DECLINED;
} }
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
/* /*
* Support for per-directory reconfigured SSL connection parameters * Support for per-directory reconfigured SSL connection parameters
* *
@@ -1114,7 +1114,7 @@ static const char *ssl_hook_Fixup_vars[] = {
"SSL_SERVER_A_SIG", "SSL_SERVER_A_SIG",
"SSL_SESSION_ID", "SSL_SESSION_ID",
"SSL_SESSION_RESUMED", "SSL_SESSION_RESUMED",
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
"SSL_SRP_USER", "SSL_SRP_USER",
"SSL_SRP_USERINFO", "SSL_SRP_USERINFO",
#endif #endif
@@ -1128,7 +1128,7 @@ int ssl_hook_Fixup(request_rec *r)
SSLDirConfigRec *dc = myDirConfig(r); SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *env = r->subprocess_env; apr_table_t *env = r->subprocess_env;
char *var, *val = ""; char *var, *val = "";
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
const char *servername; const char *servername;
#endif #endif
STACK_OF(X509) *peer_certs; STACK_OF(X509) *peer_certs;
@@ -1157,7 +1157,7 @@ int ssl_hook_Fixup(request_rec *r)
/* the always present HTTPS (=HTTP over SSL) flag! */ /* the always present HTTPS (=HTTP over SSL) flag! */
apr_table_setn(env, "HTTPS", "on"); apr_table_setn(env, "HTTPS", "on");
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
/* add content of SNI TLS extension (if supplied with ClientHello) */ /* add content of SNI TLS extension (if supplied with ClientHello) */
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
apr_table_set(env, "SSL_TLS_SNI", servername); apr_table_set(env, "SSL_TLS_SNI", servername);
@@ -1851,7 +1851,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
} }
} }
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
/* /*
* This callback function is executed when OpenSSL encounters an extended * This callback function is executed when OpenSSL encounters an extended
* client hello with a server name indication extension ("SNI", cf. RFC 4366). * client hello with a server name indication extension ("SNI", cf. RFC 4366).
@@ -2002,7 +2002,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
return 0; return 0;
} }
#endif /* OPENSSL_NO_TLSEXT */ #endif /* HAVE_TLSEXT */
#ifdef HAVE_TLS_SESSION_TICKETS #ifdef HAVE_TLS_SESSION_TICKETS
/* /*
@@ -2165,7 +2165,7 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
#endif /* HAVE_TLS_NPN */ #endif /* HAVE_TLS_NPN */
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
{ {
@@ -2189,4 +2189,4 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
return SSL_ERROR_NONE; return SSL_ERROR_NONE;
} }
#endif /* OPENSSL_NO_SRP */ #endif /* HAVE_SRP */

6
modules/ssl/ssl_engine_pphrase.c
View File

@@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966)
"Init: Failed to create pass phrase pipe '%s'", "Init: Failed to create pass phrase pipe '%s'",
sc->server->pphrase_dialog_path); sc->server->pphrase_dialog_path);
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize); memset(buf, 0, (unsigned int)bufsize);
return (-1); return (-1);
} }
@@ -718,7 +718,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
} }
else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */
#ifdef WIN32 #ifdef WIN32
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize); memset(buf, 0, (unsigned int)bufsize);
return (-1); return (-1);
#else #else
@@ -769,7 +769,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
i = EVP_read_pw_string(buf, bufsize, "", FALSE); i = EVP_read_pw_string(buf, bufsize, "", FALSE);
} }
if (i != 0) { if (i != 0) {
PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)bufsize); memset(buf, 0, (unsigned int)bufsize);
return (-1); return (-1);
} }

8
modules/ssl/ssl_engine_vars.c
View File

@@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl); result = ssl_var_lookup_ssl_compress_meth(ssl);
} }
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
result = apr_pstrdup(p, SSL_get_servername(ssl, result = apr_pstrdup(p, SSL_get_servername(ssl,
TLSEXT_NAMETYPE_host_name)); TLSEXT_NAMETYPE_host_name));
@@ -395,7 +395,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
#endif #endif
result = apr_pstrdup(p, flag ? "true" : "false"); result = apr_pstrdup(p, flag ? "true" : "false");
} }
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
else if (ssl != NULL && strcEQ(var, "SRP_USER")) { else if (ssl != NULL && strcEQ(var, "SRP_USER")) {
if ((result = SSL_get_srp_username(ssl)) != NULL) { if ((result = SSL_get_srp_username(ssl)) != NULL) {
result = apr_pstrdup(p, result); result = apr_pstrdup(p, result);
@@ -879,7 +879,7 @@ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
* success and writes the string to the given bio. */ * success and writes the string to the given bio. */
static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str)
{ {
MODSSL_D2I_ASN1_type_bytes_CONST unsigned char *pp = str->data; const unsigned char *pp = str->data;
ASN1_STRING *ret = ASN1_STRING_new(); ASN1_STRING *ret = ASN1_STRING_new();
int rv = 0; int rv = 0;
@@ -975,7 +975,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
{ {
char *result = "NULL"; char *result = "NULL";
#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP) #ifndef OPENSSL_NO_COMP
SSL_SESSION *pSession = SSL_get_session(ssl); SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) { if (pSession) {

133
modules/ssl/ssl_private.h
View File

@@ -105,74 +105,59 @@
#include <openssl/engine.h> #include <openssl/engine.h>
#endif #endif
#if (OPENSSL_VERSION_NUMBER < 0x0090700f) #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
#error mod_ssl requires OpenSSL 0.9.7 or later #error mod_ssl requires OpenSSL 0.9.8a or later
#endif
/* ...shifting sands of OpenSSL... */
#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
#define MODSSL_D2I_SSL_SESSION_CONST const
#else
#define MODSSL_D2I_SSL_SESSION_CONST
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
#define HAVE_GENERATE_EX
#define MODSSL_D2I_ASN1_type_bytes_CONST const
#define MODSSL_D2I_PrivateKey_CONST const
#define MODSSL_D2I_X509_CONST const
#else
#define MODSSL_D2I_ASN1_type_bytes_CONST
#define MODSSL_D2I_PrivateKey_CONST
#define MODSSL_D2I_X509_CONST
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
&& !defined(OPENSSL_NO_TLSEXT)
#define HAVE_OCSP_STAPLING
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
#define sk_OPENSSL_STRING_pop sk_pop
#endif
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
&& !defined(OPENSSL_NO_TLSEXT)
#define HAVE_TLS_NPN
#endif
#ifdef SSL_CONF_FLAG_FILE
#define HAVE_SSL_CONF_CMD
#endif #endif
/**
* ...shifting sands of OpenSSL...
* Note: when adding support for new OpenSSL features, avoid explicit
* version number checks whenever possible, and use "feature-based"
* detection instead (check for definitions of constants or functions)
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10000000) #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const #define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const #define MODSSL_SSL_METHOD_CONST const
#else #else
#define MODSSL_SSL_CIPHER_CONST #define MODSSL_SSL_CIPHER_CONST
#define MODSSL_SSL_METHOD_CONST #define MODSSL_SSL_METHOD_CONST
/* ECC support came along in OpenSSL 1.0.0 */
#define OPENSSL_NO_EC
#endif #endif
#ifndef PEM_F_DEF_CALLBACK #if defined(OPENSSL_FIPS)
#ifdef PEM_F_PEM_DEF_CALLBACK #define HAVE_FIPS
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ #endif
#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
#if defined(SSL_OP_NO_TLSv1_2)
#define HAVE_TLSV1_X
#endif
#if defined(SSL_CONF_FLAG_FILE)
#define HAVE_SSL_CONF_CMD
#endif
/**
* The following features all depend on TLS extension support.
* Within this block, check again for features (not version numbers).
*/
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
#define HAVE_TLSEXT
/* ECC: make sure we have at least 1.0.0 */
#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
#define HAVE_ECC
#endif
/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
#ifndef sk_OPENSSL_STRING_pop
#define sk_OPENSSL_STRING_pop sk_pop
#endif #endif
#endif #endif
#ifndef OPENSSL_NO_TLSEXT /* TLS session tickets */
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
#define OPENSSL_NO_TLSEXT
#endif
#endif
#ifndef OPENSSL_NO_TLSEXT
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
#define HAVE_TLS_SESSION_TICKETS #define HAVE_TLS_SESSION_TICKETS
#define TLSEXT_TICKET_KEY_LEN 48 #define TLSEXT_TICKET_KEY_LEN 48
#ifndef tlsext_tick_md #ifndef tlsext_tick_md
@@ -183,26 +168,20 @@
#endif #endif
#endif #endif
#endif #endif
/* Next Protocol Negotiation */
#if !defined(OPENSSL_NO_NEXTPROTONEG) && defined(OPENSSL_NPN_NEGOTIATED)
#define HAVE_TLS_NPN
#endif #endif
#ifdef SSL_OP_NO_TLSv1_2 /* Secure Remote Password */
#define HAVE_TLSV1_X #if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB)
#endif #define HAVE_SRP
#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
&& OPENSSL_VERSION_NUMBER < 0x00908000L
#define OPENSSL_NO_COMP
#endif
/* SRP support came in OpenSSL 1.0.1 */
#ifndef OPENSSL_NO_SRP
#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
#include <openssl/srp.h> #include <openssl/srp.h>
#else
#define OPENSSL_NO_SRP
#endif
#endif #endif
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
/* mod_ssl headers */ /* mod_ssl headers */
#include "ssl_util_ssl.h" #include "ssl_util_ssl.h"
@@ -296,7 +275,7 @@ typedef int ssl_algo_t;
#define SSL_ALGO_UNKNOWN (0) #define SSL_ALGO_UNKNOWN (0)
#define SSL_ALGO_RSA (1<<0) #define SSL_ALGO_RSA (1<<0)
#define SSL_ALGO_DSA (1<<1) #define SSL_ALGO_DSA (1<<1)
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
#define SSL_ALGO_ECC (1<<2) #define SSL_ALGO_ECC (1<<2)
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
#else #else
@@ -305,7 +284,7 @@ typedef int ssl_algo_t;
#define SSL_AIDX_RSA (0) #define SSL_AIDX_RSA (0)
#define SSL_AIDX_DSA (1) #define SSL_AIDX_DSA (1)
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
#define SSL_AIDX_ECC (2) #define SSL_AIDX_ECC (2)
#define SSL_AIDX_MAX (3) #define SSL_AIDX_MAX (3)
#else #else
@@ -661,7 +640,7 @@ typedef struct {
const char *stapling_force_url; const char *stapling_force_url;
#endif #endif
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
char *srp_vfile; char *srp_vfile;
char *srp_unknown_user_seed; char *srp_unknown_user_seed;
SRP_VBASE *srp_vbase; SRP_VBASE *srp_vbase;
@@ -695,7 +674,7 @@ struct SSLSrvConfigRec {
ssl_enabled_t proxy_ssl_check_peer_expire; ssl_enabled_t proxy_ssl_check_peer_expire;
ssl_enabled_t proxy_ssl_check_peer_cn; ssl_enabled_t proxy_ssl_check_peer_cn;
ssl_enabled_t proxy_ssl_check_peer_name; ssl_enabled_t proxy_ssl_check_peer_name;
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
ssl_enabled_t strict_sni_vhost_check; ssl_enabled_t strict_sni_vhost_check;
#endif #endif
#ifdef HAVE_FIPS #ifdef HAVE_FIPS
@@ -801,7 +780,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
#endif #endif
@@ -840,7 +819,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
void ssl_callback_Info(const SSL *, int, int); void ssl_callback_Info(const SSL *, int, int);
#ifndef OPENSSL_NO_TLSEXT #ifdef HAVE_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif #endif
#ifdef HAVE_TLS_SESSION_TICKETS #ifdef HAVE_TLS_SESSION_TICKETS
@@ -875,7 +854,7 @@ void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, mods
void ssl_stapling_ex_init(void); void ssl_stapling_ex_init(void);
int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
#endif #endif
#ifndef OPENSSL_NO_SRP #ifdef HAVE_SRP
int ssl_callback_SRPServerParams(SSL *, int *, void *); int ssl_callback_SRPServerParams(SSL *, int *, void *);
#endif #endif

2
modules/ssl/ssl_scache.c
View File

@@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
SSLModConfigRec *mc = myModConfig(s); SSLModConfigRec *mc = myModConfig(s);
unsigned char dest[SSL_SESSION_MAX_DER]; unsigned char dest[SSL_SESSION_MAX_DER];
unsigned int destlen = SSL_SESSION_MAX_DER; unsigned int destlen = SSL_SESSION_MAX_DER;
MODSSL_D2I_SSL_SESSION_CONST unsigned char *ptr; const unsigned char *ptr;
apr_status_t rv; apr_status_t rv;
if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) { if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) {

6
modules/ssl/ssl_util.c
View File

@@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
case EVP_PKEY_DSA: case EVP_PKEY_DSA:
t = SSL_ALGO_DSA; t = SSL_ALGO_DSA;
break; break;
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
case EVP_PKEY_EC: case EVP_PKEY_EC:
t = SSL_ALGO_ECC; t = SSL_ALGO_ECC;
break; break;
@@ -177,7 +177,7 @@ char *ssl_util_algotypestr(ssl_algo_t t)
case SSL_ALGO_DSA: case SSL_ALGO_DSA:
cp = "DSA"; cp = "DSA";
break; break;
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
case SSL_ALGO_ECC: case SSL_ALGO_ECC:
cp = "ECC"; cp = "ECC";
break; break;
@@ -253,7 +253,7 @@ void ssl_asn1_table_unset(apr_hash_t *table,
apr_hash_set(table, key, klen, NULL); apr_hash_set(table, key, klen, NULL);
} }
#ifndef OPENSSL_NO_EC #ifdef HAVE_ECC
static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
#else #else
static const char *ssl_asn1_key_types[] = {"RSA", "DSA"}; static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};