
Remove the ssl_toolkit_compat layer, which is no longer needed

after support for non-OpenSSL toolkits has been dropped.

Replace macros with their proper values where feasible, and keep in
ssl_private.h those definitions which depend on specific
OpenSSL versions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2011-08-07 10:34:31 +00:00
parent 1eb818742f
commit 7bd59fd67a
13 changed files with 198 additions and 315 deletions


@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.3.15
*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]


@@ -184,10 +184,6 @@ SOURCE=.\ssl_private.h
# End Source File
# Begin Source File
SOURCE=.\ssl_toolkit_compat.h
# End Source File
# Begin Source File
SOURCE=.\ssl_util_ssl.h
# End Source File
# Begin Source File


@@ -69,8 +69,20 @@ static unsigned char dh512_g[] = {
static DH *get_dh512(void)
{
return modssl_dh_configure(dh512_p, sizeof(dh512_p),
dh512_g, sizeof(dh512_g));
DH *dh;
if (!(dh = DH_new())) {
return NULL;
}
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
if (!(dh->p && dh->g)) {
DH_free(dh);
return NULL;
}
return dh;
}
static unsigned char dh1024_p[] = {
@@ -92,8 +104,20 @@ static unsigned char dh1024_g[] = {
static DH *get_dh1024(void)
{
return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
dh1024_g, sizeof(dh1024_g));
DH *dh;
if (!(dh = DH_new())) {
return NULL;
}
dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
if (!(dh->p && dh->g)) {
DH_free(dh);
return NULL;
}
return dh;
}
/* ----END GENERATED SECTION---------- */
@@ -187,8 +211,20 @@ $dhsource .= $_ while (<FP>);
close(FP);
$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
{
return modssl_dh_configure(dh$2_p, sizeof(dh$2_p),
dh$2_g, sizeof(dh$2_g));
DH *dh;
if (!(dh = DH_new())) {
return NULL;
}
dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
if (!(dh->p && dh->g)) {
DH_free(dh);
return NULL;
}
return dh;
}
|sg;
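Review bot: get_dh512(), get_dh1024() and the Perl template in the generated section now carry three identical copies of the DH_new()/BN_bin2bn()/DH_free() sequence that the removed modssl_dh_configure() held once; a single file-local static helper in ssl_engine_dh.c, called from the generated functions, would keep the duplication out of the generator output. Assigning `dh->p` and `dh->g` directly also ties this file to the DH struct layout, which later OpenSSL releases are expected to hide, so having that assignment in one place makes it a single-point change. The remainder of the generated section and the surrounding script are outside the hunk.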


@@ -642,8 +642,8 @@ static void ssl_init_ctx_verify(server_rec *s,
"Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx,
MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
mctx->auth.ca_cert_file,
mctx->auth.ca_cert_path))
{
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to configure verify locations "
@@ -705,7 +705,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
"Configuring permitted SSL ciphers [%s]",
suite);
if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
if (!SSL_CTX_set_cipher_list(ctx, suite)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to configure permitted SSL ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
@@ -1278,7 +1278,7 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
STACK_OF(X509_NAME) *sk;
sk = (STACK_OF(X509_NAME) *)
SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
SSL_load_client_CA_file(file);
if (!sk) {
return;
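Review bot: In ssl_init_PushCAList the `(STACK_OF(X509_NAME) *)` cast in front of SSL_load_client_CA_file() is a leftover of the compat layer now that the argument cast is gone; the function already returns that type, so `sk = SSL_load_client_CA_file(file);` is enough and lets the compiler report a future prototype change instead of silencing it. The other MODSSL_PCHAR_CAST removals in this file are straightforward. ssl_init_PushCAList continues outside the hunk.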


@@ -1872,7 +1872,7 @@ void ssl_io_filter_register(apr_pool_t *p)
#define DUMP_WIDTH 16
static void ssl_io_data_dump(server_rec *srvr,
MODSSL_BIO_CB_ARG_TYPE *s,
const char *s,
long len)
{
char buf[256];
@@ -1937,7 +1937,7 @@ static void ssl_io_data_dump(server_rec *srvr,
}
long ssl_io_data_cb(BIO *bio, int cmd,
MODSSL_BIO_CB_ARG_TYPE *argp,
const char *argp,
int argi, long argl, long rc)
{
SSL *ssl;


@@ -407,7 +407,7 @@ int ssl_hook_Access(request_rec *r)
/* configure new state */
if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
!modssl_set_cipher_list(ssl, dc->szCipherSuite ?
!SSL_set_cipher_list(ssl, dc->szCipherSuite ?
dc->szCipherSuite :
sc->server->auth.cipher_suite)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -546,7 +546,7 @@ int ssl_hook_Access(request_rec *r)
verify |= SSL_VERIFY_PEER;
}
modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
@@ -606,7 +606,7 @@ int ssl_hook_Access(request_rec *r)
"'require' and VirtualHost-specific CA certificate "
"list is only available to clients with TLS server "
"name indication (SNI) support");
modssl_set_verify(ssl, verify_old, NULL);
SSL_set_verify(ssl, verify_old, NULL);
return HTTP_FORBIDDEN;
} else
/* let it pass, possibly with an "incorrect" peer cert,
@@ -695,7 +695,7 @@ int ssl_hook_Access(request_rec *r)
* we put it back here for the purpose of quick_renegotiation.
*/
cert_stack = sk_X509_new_null();
sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
sk_X509_push(cert_stack, cert);
}
if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
@@ -729,7 +729,7 @@ int ssl_hook_Access(request_rec *r)
SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)ssl);
if (!modssl_X509_verify_cert(&cert_store_ctx)) {
if (!X509_verify_cert(&cert_store_ctx)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Re-negotiation verification step failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -798,11 +798,11 @@ int ssl_hook_Access(request_rec *r)
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Awaiting re-negotiation handshake");
/* XXX: Should replace SSL_set_state with SSL_renegotiate(ssl);
/* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
SSL_set_state(ssl, SSL_ST_ACCEPT);
ssl->state = SSL_ST_ACCEPT;
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
@@ -1021,7 +1021,7 @@ int ssl_hook_UserCheck(request_rec *r)
X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
char *cp = X509_NAME_oneline(name, NULL, 0);
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
modssl_free(cp);
OPENSSL_free(cp);
}
clientdn = (char *)sslconn->client_dn;
@@ -1731,7 +1731,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
X509_REVOKED *revoked =
sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
ASN1_INTEGER *sn = revoked->serialNumber;
if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
if (APLOGdebug(s)) {
@@ -1742,7 +1742,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
"Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s",
serial, serial, cp);
modssl_free(cp);
OPENSSL_free(cp);
}
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
@@ -1789,11 +1789,11 @@ static void modssl_proxy_info_log(server_rec *s,
*/
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
X509_reference_inc(*cert); \
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
*pkey = info->x_pkey->dec_pkey; \
EVP_PKEY_reference_inc(*pkey)
CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
@@ -1911,11 +1911,11 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
id = SSL_SESSION_get_session_id(session);
idlen = SSL_SESSION_get_session_id_length(session);
id = session->session_id;
idlen = session->session_id_length;
rc = ssl_scache_store(s, id, idlen,
apr_time_from_sec(modssl_session_get_time(session)
apr_time_from_sec(SSL_SESSION_get_time(session)
+ timeout),
session, conn->pool);
@@ -1992,8 +1992,8 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
/*
* Remove the SSL_SESSION from the inter-process cache
*/
id = SSL_SESSION_get_session_id(session);
idlen = SSL_SESSION_get_session_id_length(session);
id = session->session_id;
idlen = session->session_id_length;
/* TODO: Do we need a temp pool here, or are we always shutting down? */
ssl_scache_remove(s, id, idlen, sc->mc->pPool);
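Review bot: In ssl_callback_NewSessionCacheEntry and ssl_callback_DelSessionCacheEntry the session id is now read straight from `session->session_id` and `session->session_id_length`, although OpenSSL provides `SSL_SESSION_get_id(session, &len)` for exactly this (returning `const unsigned char *` and writing the length through an `unsigned int *`); using it with a matching length variable keeps the cache code independent of the SSL_SESSION layout. The same concern applies to `ssl->state = SSL_ST_ACCEPT;` in ssl_hook_Access, where the existing XXX comment already names SSL_renegotiate() as the public replacement, and to `revoked->serialNumber` in ssl_callback_SSLVerify_CRL. Where no accessor exists in every supported release, a version-guarded name in ssl_private.h, as the commit message describes, would keep the struct accesses in one place rather than at each call site. All of these functions start outside their hunks.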


@@ -139,15 +139,15 @@ void ssl_log_cxerror(const char *file, int line, int level,
serial ? serial : "-unknown-");
if (sname) {
modssl_free(sname);
OPENSSL_free(sname);
}
if (iname) {
modssl_free(iname);
OPENSSL_free(iname);
}
if (serial) {
modssl_free(serial);
OPENSSL_free(serial);
}
if (bn) {


@@ -336,8 +336,8 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
result = apr_pstrdup(p, SSL_SESSION_id2sz(
SSL_SESSION_get_session_id(pSession),
SSL_SESSION_get_session_id_length(pSession),
pSession->session_id,
pSession->session_id_length,
buf, sizeof(buf)));
}
}
@@ -404,7 +404,7 @@ static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
if (legacy_format) {
char *cp = X509_NAME_oneline(xsname, NULL, 0);
result = apr_pstrdup(p, cp);
modssl_free(cp);
OPENSSL_free(cp);
}
else {
BIO* bio;
@@ -471,13 +471,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
@@ -540,10 +540,10 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
X509_NAME_get_entries(xsname));
xsname->entries);
j++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
X509_NAME_get_entries(xsname), j);
xsname->entries, j);
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
@@ -764,7 +764,7 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
STACK_OF(X509_NAME_ENTRY) *ents = X509_NAME_get_entries(xn);
STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
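Review bot: In ssl_var_lookup_ssl_cert_dn and extract_dn the name entries are now walked through `xsname->entries` / `xn->entries` with a `(STACK_OF(X509_NAME_ENTRY) *)` cast, but OpenSSL's public `X509_NAME_entry_count()` and `X509_NAME_get_entry()` do the same without touching the struct, e.g. `for (j = 0; j < X509_NAME_entry_count(xsname); j++) { xsne = X509_NAME_get_entry(xsname, j);`. The `xs->cert_info->signature->algorithm` and `xs->cert_info->key->algor->algorithm` chains in ssl_var_lookup_ssl_cert have, as far as I can tell, no accessor in every supported release, so those are better kept behind a name in ssl_private.h as the commit description suggests rather than spelled out at the use site. Each of these functions starts outside its hunk.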


@@ -54,9 +54,18 @@
#include "ap_socache.h"
#include "mod_auth.h"
/* The #ifdef macros are only defined AFTER including the above
* therefore we cannot include these system files at the top :-(
*/
#ifdef APR_HAVE_STDLIB_H
#include <stdlib.h>
#endif
#if APR_HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#if APR_HAVE_UNISTD_H
#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
#endif
#ifndef FALSE
#define FALSE 0
@@ -70,32 +79,105 @@
#define BOOL unsigned int
#endif
/* mod_ssl headers */
#include "ssl_toolkit_compat.h"
#include "ap_expr.h"
#include "ssl_util_ssl.h"
/* The #ifdef macros are only defined AFTER including the above
* therefore we cannot include these system files at the top :-(
/* OpenSSL headers */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
/* hack for non-configure platforms (NetWare, Win32) */
#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
#define HAVE_OCSP
#endif
#ifdef HAVE_OCSP
#include <openssl/x509_vfy.h>
#include <openssl/ocsp.h>
#endif
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
#if APR_HAVE_SYS_TIME_H
#include <sys/time.h>
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
#include <openssl/engine.h>
#endif
#if APR_HAVE_UNISTD_H
#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
/* ...shifting sands of OpenSSL... */
#if (OPENSSL_VERSION_NUMBER < 0x00907000)
# define MODSSL_INFO_CB_ARG_TYPE SSL*
#else
# define MODSSL_INFO_CB_ARG_TYPE const SSL*
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
#define MODSSL_D2I_SSL_SESSION_CONST const
#else
#define MODSSL_D2I_SSL_SESSION_CONST
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
#define HAVE_GENERATE_EX
#define MODSSL_D2I_ASN1_type_bytes_CONST const
#define MODSSL_D2I_PrivateKey_CONST const
#define MODSSL_D2I_X509_CONST const
#else
#define MODSSL_D2I_ASN1_type_bytes_CONST
#define MODSSL_D2I_PrivateKey_CONST
#define MODSSL_D2I_X509_CONST
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
&& !defined(OPENSSL_NO_TLSEXT)
#define HAVE_OCSP_STAPLING
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
#define sk_OPENSSL_STRING_pop sk_pop
#endif
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
#else
#define MODSSL_SSL_CIPHER_CONST
#define MODSSL_SSL_METHOD_CONST
/* ECC support came along in OpenSSL 1.0.0 */
#define OPENSSL_NO_EC
#endif
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
#endif
#endif
#ifndef OPENSSL_NO_TLSEXT
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
#define OPENSSL_NO_TLSEXT
#endif
#endif
#ifndef sk_STRING_pop
#define sk_STRING_pop sk_pop
#endif
/* mod_ssl headers */
#include "ssl_util_ssl.h"
APLOG_USE_MODULE(ssl);
/*
* Provide reasonable default for some defines
*/
#ifndef FALSE
#define FALSE (0)
#endif
#ifndef TRUE
#define TRUE (!FALSE)
#endif
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
@@ -116,9 +198,6 @@ APLOG_USE_MODULE(ssl);
/**
* Provide reasonable defines for some types
*/
#ifndef BOOL
#define BOOL unsigned int
#endif
#ifndef UCHAR
#define UCHAR unsigned char
#endif
@@ -674,7 +753,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
#endif
int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
@@ -717,7 +796,7 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);
long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
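Review bot: The version gates moved from ssl_toolkit_compat.h into ssl_private.h are not all the same as the ones removed: MODSSL_SSL_CIPHER_CONST was `const` from 0x0090707f in the old header and is now tied to 0x10000000, MODSSL_SSL_METHOD_CONST moved from 0x00909000 to 0x10000000, and HAVE_OCSP_STAPLING now keys on `!defined(OPENSSL_NO_OCSP)` instead of `defined(HAVE_OCSP)`. These may well be deliberate corrections, but the commit message only describes relocating the definitions, so each changed threshold deserves a line in the message or a comment next to the define. The old header's `SSL_SESS_CACHE_NO_INTERNAL` fallback does not reappear in this hunk either; if it is not defined elsewhere, builds against OpenSSL releases that lack that name may break.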


@@ -1,202 +0,0 @@
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SSL_TOOLKIT_COMPAT_H
#define SSL_TOOLKIT_COMPAT_H
/**
* @file ssl_toolkit_compat.h
* @brief this header file provides a compatiblity layer
*
* @defgroup MOD_SSL_TOOLKIT Toolkit
* @ingroup MOD_SSL
* @{
*/
/** OpenSSL headers */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
/* hack for non-configure platforms (NetWare, Win32) */
#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
#define HAVE_OCSP
#endif
#ifdef HAVE_OCSP
#include <openssl/x509_vfy.h>
#include <openssl/ocsp.h>
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
#define HAVE_GENERATE_EX
#endif
/* ECC support came along in OpenSSL 1.0.0 */
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
#define OPENSSL_NO_EC
#endif
/** Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
#include <openssl/engine.h>
#endif
/**
* rsa sslc uses incomplete types for most structures
* so we macroize for OpenSSL those which cannot be dereferenced
* using the same sames as the sslc functions
*/
#define EVP_PKEY_key_type(k) (EVP_PKEY_type(k->type))
#define X509_NAME_get_entries(xs) (xs->entries)
#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
#define X509_get_signature_algorithm(xs) (xs->cert_info->signature->algorithm)
#define X509_get_key_algorithm(xs) (xs->cert_info->key->algor->algorithm)
#define X509_NAME_ENTRY_get_data_ptr(xs) (xs->value->data)
#define X509_NAME_ENTRY_get_data_len(xs) (xs->value->length)
#define SSL_CTX_get_extra_certs(ctx) (ctx->extra_certs)
#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;}
#define SSL_CIPHER_get_name(s) (s->name)
#define SSL_CIPHER_get_valid(s) (s->valid)
#define SSL_SESSION_get_session_id(s) (s->session_id)
#define SSL_SESSION_get_session_id_length(s) (s->session_id_length)
/**
* Support for retrieving/overriding states
*/
#ifndef SSL_get_state
#define SSL_get_state(ssl) SSL_state(ssl)
#endif
#define SSL_set_state(ssl,val) (ssl)->state = val
#define MODSSL_BIO_CB_ARG_TYPE const char
#define MODSSL_CRYPTO_CB_ARG_TYPE const char
#if (OPENSSL_VERSION_NUMBER < 0x00907000)
# define MODSSL_INFO_CB_ARG_TYPE SSL*
#else
# define MODSSL_INFO_CB_ARG_TYPE const SSL*
#endif
#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
#define MODSSL_PCHAR_CAST
/** ...shifting sands of openssl... */
#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
# define MODSSL_D2I_SSL_SESSION_CONST const
# define MODSSL_SSL_CIPHER_CONST const
#else
# define MODSSL_D2I_SSL_SESSION_CONST
# define MODSSL_SSL_CIPHER_CONST
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
# define MODSSL_D2I_ASN1_type_bytes_CONST const
# define MODSSL_D2I_PrivateKey_CONST const
# define MODSSL_D2I_X509_CONST const
#else
# define MODSSL_D2I_ASN1_type_bytes_CONST
# define MODSSL_D2I_PrivateKey_CONST
# define MODSSL_D2I_X509_CONST
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x00909000)
# define MODSSL_SSL_METHOD_CONST const
#else
# define MODSSL_SSL_METHOD_CONST
#endif
#define modssl_X509_verify_cert X509_verify_cert
typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
#if (OPENSSL_VERSION_NUMBER < 0x00904000)
#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
#else
#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb, arg)
#endif
#define modssl_PEM_X509_INFO_read_bio PEM_X509_INFO_read_bio
#define modssl_PEM_read_bio_PrivateKey PEM_read_bio_PrivateKey
#define modssl_set_cipher_list SSL_set_cipher_list
#define modssl_free OPENSSL_free
#define EVP_PKEY_reference_inc(pkey) \
CRYPTO_add(&((pkey)->references), +1, CRYPTO_LOCK_X509_PKEY)
#define X509_reference_inc(cert) \
CRYPTO_add(&((cert)->references), +1, CRYPTO_LOCK_X509)
#define HAVE_SSL_RAND_EGD /* since 9.5.1 */
#define HAVE_SSL_X509V3_EXT_d2i
#if OPENSSL_VERSION_NUMBER >= 0x00908080 && defined(HAVE_OCSP) \
&& !defined(OPENSSL_NO_TLSEXT)
#define HAVE_OCSP_STAPLING
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
#define sk_OPENSSL_STRING_pop sk_pop
#endif
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif
#ifndef PEM_F_DEF_CALLBACK
#ifdef PEM_F_PEM_DEF_CALLBACK
/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
#endif
#endif
#ifndef modssl_set_verify
#define modssl_set_verify(ssl, verify, cb) \
SSL_set_verify(ssl, verify, cb)
#endif
#ifndef SSL_SESS_CACHE_NO_INTERNAL
#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
#endif
#ifndef OPENSSL_NO_TLSEXT
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
#define OPENSSL_NO_TLSEXT
#endif
#endif
#ifndef sk_STRING_pop
#define sk_STRING_pop sk_pop
#endif
#endif /* SSL_TOOLKIT_COMPAT_H */
/** @} */


@@ -143,7 +143,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
if (pCert != NULL)
pFreeKey = pKey = X509_get_pubkey(pCert);
if (pKey != NULL) {
switch (EVP_PKEY_key_type(pKey)) {
switch (EVP_PKEY_type(pKey->type)) {
case EVP_PKEY_RSA:
t = SSL_ALGO_RSA;
break;
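Review bot: ssl_util_algotypeof now switches on `EVP_PKEY_type(pKey->type)`, reading the EVP_PKEY field directly; OpenSSL 1.0.0 and later provide `EVP_PKEY_base_id(pKey)` for this, I believe, so a version-guarded name in ssl_private.h that falls back to the field access for older releases would keep the struct dependency in the one place the commit message reserves for such definitions. The function starts and ends outside the hunk.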


@@ -74,7 +74,7 @@ void SSL_set_app_data2(SSL *ssl, void *arg)
** _________________________________________________________________
*/
X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
X509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
{
X509 *rc;
BIO *bioS;
@@ -83,7 +83,7 @@ X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
BIO_free(bioS);
if (rc == NULL) {
@@ -125,7 +125,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
}
#endif
EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
{
EVP_PKEY *rc;
BIO *bioS;
@@ -134,7 +134,7 @@ EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
BIO_free(bioS);
if (rc == NULL) {
@@ -275,7 +275,7 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
memcpy(cp, SSL_CIPHER_get_name(c), l);
cp += l;
*cp++ = '/';
*cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
*cp++ = (c->valid == 1 ? '1' : '0');
*cp++ = ':';
}
*(cp-1) = NUL;
@@ -373,9 +373,9 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
xsn = X509_get_subject_name(xs);
for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
X509_NAME_get_entries(xsn)); i++) {
xsn->entries); i++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
X509_NAME_get_entries(xsn), i);
xsn->entries, i);
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (nid == NID_commonName) {
*cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
@@ -401,14 +401,14 @@ BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
return FALSE;
}
if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
if (BIO_read_filename(in, filename) <= 0) {
BIO_free(in);
return FALSE;
}
ERR_clear_error();
modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
BIO_free(in);
@@ -464,7 +464,7 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
* should be sent to the peer in the SSL Certificate message.
*/
int SSL_CTX_use_certificate_chain(
SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
{
BIO *bio;
X509 *x509;
@@ -480,21 +480,21 @@ int SSL_CTX_use_certificate_chain(
}
/* optionally skip a leading server certificate */
if (skipfirst) {
if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
BIO_free(bio);
return -1;
}
X509_free(x509);
}
/* free a perhaps already configured extra chain */
extra_certs=SSL_CTX_get_extra_certs(ctx);
extra_certs = ctx->extra_certs;
if (extra_certs != NULL) {
sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
SSL_CTX_set_extra_certs(ctx,NULL);
ctx->extra_certs = NULL;
}
/* create new extra chain by loading the certs */
n = 0;
while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
X509_free(x509);
BIO_free(bio);
@@ -535,26 +535,3 @@ char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
*cp = NUL;
return str;
}
int modssl_session_get_time(SSL_SESSION *session)
{
return SSL_SESSION_get_time(session);
}
DH *modssl_dh_configure(unsigned char *p, int plen,
unsigned char *g, int glen)
{
DH *dh;
if (!(dh = DH_new())) {
return NULL;
}
dh->p = BN_bin2bn(p, plen, NULL);
dh->g = BN_bin2bn(g, glen, NULL);
if (!(dh->p && dh->g)) {
DH_free(dh);
return NULL;
}
return dh;
}
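Review bot: In SSL_CTX_use_certificate_chain the previous chain is now dropped by reading and writing `ctx->extra_certs` directly (`sk_X509_pop_free(...)` followed by `ctx->extra_certs = NULL;`), and SSL_make_ciphersuite reads `c->valid`; both reach into OpenSSL structures that newer releases wrap in accessors or make opaque, so this is the kind of definition the commit message says belongs in ssl_private.h rather than at the call sites. Also worth a comment: the new `pem_password_cb *cb` parameter has the same shape as the removed modssl_read_bio_cb_fn (char *, int, int, void *), so existing callbacks remain compatible; a one-line note on SSL_read_X509 and SSL_read_PrivateKey saying the callback is passed straight to PEM_read_bio_X509()/PEM_read_bio_PrivateKey() would save the next reader a lookup. SSL_CTX_use_certificate_chain continues outside the hunk.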


@@ -60,8 +60,8 @@
void SSL_init_app_data2_idx(void);
void *SSL_get_app_data2(SSL *);
void SSL_set_app_data2(SSL *, void *);
X509 *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
int SSL_smart_shutdown(SSL *ssl);
X509_STORE *SSL_X509_STORE_create(char *, char *);
int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
@@ -72,14 +72,9 @@ char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
int modssl_session_get_time(SSL_SESSION *session);
DH *modssl_dh_configure(unsigned char *p, int plen,
unsigned char *g, int glen);
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */