
Support for OpenSSL 1.1.0:

- mod_ssl
Look out for "XXX: OpenSSL 1.1.0:" for a few
open problems.

Not tested with test suite yet.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1728909 13f79535-47bb-0310-9956-ffa450edef68
Rainer Jung
2016-02-07 01:20:37 +00:00
parent 967edd5581
commit 8bc4871c57
8 changed files with 117 additions and 7 deletions


@@ -80,7 +80,11 @@ static apr_status_t upgrade_connection(request_rec *r)
SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -456,7 +460,11 @@ int ssl_hook_Access(request_rec *r)
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
return HTTP_FORBIDDEN;
}
ctx = SSL_get_SSL_CTX(ssl);
@@ -622,7 +630,7 @@ int ssl_hook_Access(request_rec *r)
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
n++)
{
SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
renegotiate = TRUE;
@@ -633,7 +641,7 @@ int ssl_hook_Access(request_rec *r)
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
n++)
{
SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
renegotiate = TRUE;
@@ -982,7 +990,11 @@ int ssl_hook_Access(request_rec *r)
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
"Re-negotiation request failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -998,16 +1010,24 @@ int ssl_hook_Access(request_rec *r)
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
/* XXX: OpenSSL 1.1.0: SSL_set_state() no longer available.
* Would SSL_renegotiate(ssl) work? */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef OPENSSL_NO_SSL_INTERN
SSL_set_state(ssl, SSL_ST_ACCEPT);
#else
ssl->state = SSL_ST_ACCEPT;
#endif
#endif
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
#else
if (SSL_get_state(ssl) != TLS_ST_OK) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
"Re-negotiation handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -1723,11 +1743,19 @@ static void modssl_proxy_info_log(conn_rec *c,
* so we need to increment here to prevent them from
* being freed.
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
*pkey = info->x_pkey->dec_pkey; \
CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
#else
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
X509_up_ref(*cert); \
*pkey = info->x_pkey->dec_pkey; \
EVP_PKEY_up_ref(*pkey);
#endif
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
@@ -2066,6 +2094,9 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
* state machine and move to ABORT if a Client Hello is being
* read. */
if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
/* XXX: OpenSSL 1.1.0: Which state machine states to use instead of
* SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A ? */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
int state = SSL_get_state((SSL *)ssl);
if (state == SSL3_ST_SR_CLNT_HELLO_A
@@ -2074,6 +2105,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation");
}
#endif
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initiated renegotiation. */
@@ -2277,7 +2309,11 @@ int ssl_callback_SessionTicket(SSL *ssl,
}
memcpy(keyname, ticket_key->key_name, 16);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
#else
RAND_bytes(iv, EVP_MAX_IV_LENGTH);
#endif
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
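Review bot: The rejection of client-initiated renegotiation in ssl_callback_Info is compiled out entirely on OpenSSL 1.1.0: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` opened before `int state = SSL_get_state((SSL *)ssl);` is only closed by the `#endif` after the "rejecting client initiated renegotiation" log, so on 1.1.0 builds the `RENEG_REJECT` branch does nothing and the `XXX` records the unknown state names instead of leaving a fail-safe. As far as I recall, 1.1.0's `OSSL_HANDSHAKE_STATE` enum — the same one the `TLS_ST_OK` used throughout this commit comes from — has a `TLS_ST_SR_CLNT_HELLO` value for the read-ClientHello state; confirm against the 1.1.0 headers, but if so the abort body can stay shared and only the test needs conditionalising: `#else` / `if (SSL_get_state(ssl) == TLS_ST_SR_CLNT_HELLO) {` / `#endif` placed directly after the `|| state == SSL23_ST_SR_CLNT_HELLO_A) {` line, with the trailing `#endif` dropped. The action taken inside that if (the lines between the hunks at 2066 and 2074) is not visible here, so I am assuming it is just the reneg_state update and the log. Separately, the session-ticket hunk's new `RAND_bytes(iv, EVP_MAX_IV_LENGTH)` is unchecked; unlike `RAND_pseudo_bytes` it fails rather than degrading, leaving `iv` uninitialised for the AES-CBC ticket encryption, so it should be `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0) return -1;` using whatever error return this callback already uses outside the hunk.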