
mod_ssl adjustments to help with using toolkits other than OpenSSL:

Use SSL functions/macros instead of directly dereferencing SSL
  structures wherever possible.
  Add type-casts for the cases where functions return a generic pointer.
  Add $SSL/include to configure search path.
PR:
Obtained from:
Submitted by:	Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by:	dougm


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92800 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2002-01-10 04:55:19 +00:00
parent 71de760992
commit c53456b4c1
8 changed files with 132 additions and 52 deletions


@ -1,4 +1,11 @@
Changes with Apache 2.0.31-dev Changes with Apache 2.0.31-dev
*) mod_ssl adjustments to help with using toolkits other than OpenSSL:
Use SSL functions/macros instead of directly dereferencing SSL
structures wherever possible.
Add type-casts for the cases where functions return a generic pointer.
Add $SSL/include to configure search path.
[Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>]
*) Moved several pointers out of the shared Scoreboard so it is *) Moved several pointers out of the shared Scoreboard so it is
more portable, and will present the vhost name across server more portable, and will present the vhost name across server
generation restarts. [William Rowe] generation restarts. [William Rowe]


@ -451,6 +451,9 @@ if test "x$ap_ssltk_base" = "x"; then
if test -f "$p/openssl/ssl.h"; then if test -f "$p/openssl/ssl.h"; then
ap_ssltk_incdir="$p" ap_ssltk_incdir="$p"
break break
elif test -f "$p/ssl.h"; then
ap_ssltk_incdir="$p"
break
fi fi
done done
if test "x$ap_ssltk_incdir" = "x"; then if test "x$ap_ssltk_incdir" = "x"; then
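Review bot: The new `elif test -f "$p/ssl.h"` branch accepts the first directory on the search path that contains any file named `ssl.h`, with nothing checking that the header belongs to an SSL toolkit, and because the loop breaks on that match an unrelated `ssl.h` earlier in the list now wins over a real `$p/openssl/ssl.h` further down. The `for` loop and the `ap_ssltk_base` test that enclose this branch begin outside the hunk. A comment recording the intent would help the next reader, e.g. `# non-OpenSSL toolkits install a bare ssl.h; the first directory that matches wins, so search-path order matters`.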


@ -345,6 +345,31 @@ typedef enum {
#ifndef X509_V_ERR_CERT_UNTRUSTED #ifndef X509_V_ERR_CERT_UNTRUSTED
#define X509_V_ERR_CERT_UNTRUSTED 27 #define X509_V_ERR_CERT_UNTRUSTED 27
#endif
#ifdef OPENSSL_VERSION_NUMBER
#define EVP_PKEY_key_type(k) (EVP_PKEY_type(k->type))
#define X509_NAME_get_entries(xs) (xs->entries)
#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
#define X509_get_signature_algorithm(xs) (xs->cert_info->signature->algorithm)
#define X509_get_key_algorithm(xs) (xs->cert_info->key->algor->algorithm)
#define X509_NAME_ENTRY_get_data_ptr(xs) (xs->value->data)
#define X509_NAME_ENTRY_get_data_len(xs) (xs->value->length)
#define SSL_CTX_get_extra_certs(ctx) (ctx->extra_certs)
#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;}
#define SSL_CIPHER_get_name(s) (s->name)
#define SSL_CIPHER_get_valid(s) (s->valid)
#define SSL_SESSION_get_session_id(s) (s->session_id)
#define SSL_SESSION_get_session_id_length(s) (s->session_id_length)
#endif #endif
#define ssl_verify_error_is_optional(errnum) \ #define ssl_verify_error_is_optional(errnum) \
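Review bot: `SSL_CTX_set_extra_certs(ctx,value)` expands to a brace block, so a use such as `SSL_CTX_set_extra_certs(ctx,NULL);` becomes `{...};` and cannot serve as the body of an `if` that is followed by an `else`; the usual `#define SSL_CTX_set_extra_certs(ctx,value) do { (ctx)->extra_certs = (value); } while (0)` form avoids that. The other accessors use their argument unparenthesized (`k->type`, `xs->entries`, `s->name`), which misbehaves for any argument that is an expression rather than a plain identifier; `((k)->type)` and so on is the safer spelling. If any of these names is also a real function in the toolkit (`SSL_CIPHER_get_name` looks like one), the macro silently replaces the library call with a direct field access, which is the reverse of what the commit message describes, so it is worth confirming per name. A comment above the `#ifdef OPENSSL_VERSION_NUMBER` line stating that these map the accessor names onto OpenSSL's public struct layout and that other toolkits are expected to provide them as functions would make the intent clear.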


@ -604,7 +604,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
"CA certificates for client authentication", cpVHostID); "CA certificates for client authentication", cpVHostID);
ssl_die(); ssl_die();
} }
SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList); SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
} }
/* /*
@ -628,7 +628,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
* should take place. This cannot work. * should take place. This cannot work.
*/ */
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) { if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
skCAList = SSL_CTX_get_client_CA_list(ctx); skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(skCAList) == 0) if (sk_X509_NAME_num(skCAList) == 0)
ssl_log(s, SSL_LOG_WARN, ssl_log(s, SSL_LOG_WARN,
"Init: Ops, you want to request client authentication, " "Init: Ops, you want to request client authentication, "
@ -785,7 +785,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
&& sc->pPrivateKey[SSL_AIDX_DSA] != NULL) { && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]); pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
if ( pKey != NULL if ( pKey != NULL
&& EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA && EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA
&& EVP_PKEY_missing_parameters(pKey)) && EVP_PKEY_missing_parameters(pKey))
EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]); EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
} }
@ -924,7 +924,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const ch
* Process CA certificate bundle file * Process CA certificate bundle file
*/ */
if (cpCAfile != NULL) { if (cpCAfile != NULL) {
sk = SSL_load_client_CA_file(cpCAfile); sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cpCAfile);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) { for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE, ssl_log(s, SSL_LOG_TRACE,
"CA certificate: %s", "CA certificate: %s",
@ -941,7 +941,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const ch
apr_dir_open(&dir, cpCApath, p); apr_dir_open(&dir, cpCApath, p);
while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) { while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) {
cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL); cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
sk = SSL_load_client_CA_file(cp); sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cp);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) { for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE, ssl_log(s, SSL_LOG_TRACE,
"CA certificate: %s", "CA certificate: %s",
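Review bot: The casts added at `SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList)` and the `(STACK_OF(X509_NAME) *)` casts on the `SSL_CTX_get_client_CA_list` and `SSL_load_client_CA_file` results turn a compile-time type check into an unchecked conversion: if another toolkit returns a different stack type, the mismatch is hidden until runtime instead of being reported by the compiler. The same applies to the `SSL_get_ciphers` and `SSL_get_peer_cert_chain` casts in ssl_engine_kernel.c and ssl_util_ssl.c. A short comment at the first one, e.g. `/* STACK_OF() is a typed view of STACK in OpenSSL; the cast only matters for toolkits whose API returns the generic type */`, records why the cast is safe here. Separately, the loop condition `while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS)` in the `-941` hunk is only context, but it reads as inverted (the body runs when the read fails), which is worth confirming since the CA path would otherwise never be loaded and the unchecked `apr_dir_open` result would go unnoticed.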


@ -489,7 +489,7 @@ int ssl_hook_Access(request_rec *r)
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
pCipher = SSL_get_current_cipher(ssl); pCipher = SSL_get_current_cipher(ssl);
else { else {
skCipherOld = SSL_get_ciphers(ssl); skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (skCipherOld != NULL) if (skCipherOld != NULL)
skCipherOld = sk_SSL_CIPHER_dup(skCipherOld); skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
} }
@ -502,7 +502,7 @@ int ssl_hook_Access(request_rec *r)
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;
} }
/* determine whether a renegotiation has to be forced */ /* determine whether a renegotiation has to be forced */
skCipher = SSL_get_ciphers(ssl); skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
/* optimized way */ /* optimized way */
if ((pCipher == NULL && skCipher != NULL) || if ((pCipher == NULL && skCipher != NULL) ||
@ -741,19 +741,23 @@ int ssl_hook_Access(request_rec *r)
* here because it resets too much of the connection. So we set the * here because it resets too much of the connection. So we set the
* state explicitly and continue the handshake manually. * state explicitly and continue the handshake manually.
*/ */
ssl_log(r->server, SSL_LOG_INFO, "Requesting connection re-negotiation"); ssl_log(r->server, SSL_LOG_INFO,
"Requesting connection re-negotiation");
if (renegotiate_quick) { if (renegotiate_quick) {
/* perform just a manual re-verification of the peer */ /* perform just a manual re-verification of the peer */
ssl_log(r->server, SSL_LOG_TRACE, ssl_log(r->server, SSL_LOG_TRACE,
"Performing quick renegotiation: just re-verifying the peer"); "Performing quick renegotiation: "
"just re-verifying the peer");
certstore = SSL_CTX_get_cert_store(ctx); certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) { if (certstore == NULL) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage"); ssl_log(r->server, SSL_LOG_ERROR,
"Cannot find certificate storage");
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;
} }
certstack = SSL_get_peer_cert_chain(ssl); certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
if (certstack == NULL || sk_X509_num(certstack) == 0) { if (certstack == NULL || sk_X509_num(certstack) == 0) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain"); ssl_log(r->server, SSL_LOG_ERROR,
"Cannot find peer certificate chain");
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;
} }
cert = sk_X509_value(certstack, 0); cert = sk_X509_value(certstack, 0);
@ -772,9 +776,11 @@ int ssl_hook_Access(request_rec *r)
else { else {
/* do a full renegotiation */ /* do a full renegotiation */
ssl_log(r->server, SSL_LOG_TRACE, ssl_log(r->server, SSL_LOG_TRACE,
"Performing full renegotiation: complete handshake protocol"); "Performing full renegotiation: "
"complete handshake protocol");
if (r->main != NULL) if (r->main != NULL)
SSL_set_session_id_context(ssl, (unsigned char *)&(r->main), sizeof(r->main)); SSL_set_session_id_context(ssl, (unsigned char *)&(r->main),
sizeof(r->main));
else else
SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r)); SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r));
/* will need to push to / pull from filters to renegotiate */ /* will need to push to / pull from filters to renegotiate */
@ -783,11 +789,13 @@ int ssl_hook_Access(request_rec *r)
SSL_do_handshake(ssl); SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) { if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed"); ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation request failed");
ssl_bio_hooks_unset(ssl); ssl_bio_hooks_unset(ssl);
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;
} }
ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake"); ssl_log(r->server, SSL_LOG_INFO,
"Awaiting re-negotiation handshake");
SSL_set_state(ssl, SSL_ST_ACCEPT); SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl); SSL_do_handshake(ssl);
@ -795,7 +803,8 @@ int ssl_hook_Access(request_rec *r)
if (SSL_get_state(ssl) != SSL_ST_OK) { if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR, ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation handshake failed: Not accepted by client!?"); "Re-negotiation handshake failed: "
"Not accepted by client!?");
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;
} }
} }
@ -1124,7 +1133,7 @@ int ssl_hook_Fixup(request_rec *r)
apr_table_set(e, "SSL_SERVER_CERT", val); apr_table_set(e, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT"); val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
apr_table_set(e, "SSL_CLIENT_CERT", val); apr_table_set(e, "SSL_CLIENT_CERT", val);
if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) { if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL) {
for (i = 0; i < sk_X509_num(sk); i++) { for (i = 0; i < sk_X509_num(sk); i++) {
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i); var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var); val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
@ -1485,11 +1494,14 @@ int ssl_callback_SSLVerify_CRL(
#else #else
revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
#endif #endif
if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0) { if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked),
X509_get_serialNumber(xs)) == 0) {
if (sc->nLogLevel >= SSL_LOG_INFO) { if (sc->nLogLevel >= SSL_LOG_INFO) {
char *cp = X509_NAME_oneline(issuer, NULL, 0); char *cp = X509_NAME_oneline(issuer, NULL, 0);
long serial = ASN1_INTEGER_get(revoked->serialNumber); long serial = ASN1_INTEGER_get(
X509_REVOKED_get_serialNumber(revoked));
ssl_log(s, SSL_LOG_INFO, ssl_log(s, SSL_LOG_INFO,
"Certificate with serial %ld (0x%lX) " "Certificate with serial %ld (0x%lX) "
@ -1520,6 +1532,9 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
SSLSrvConfigRec *sc; SSLSrvConfigRec *sc;
long t; long t;
BOOL rc; BOOL rc;
unsigned char *session_id;
unsigned int session_id_length;
/* /*
* Get Apache context back through OpenSSL context * Get Apache context back through OpenSSL context
@ -1539,8 +1554,12 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
* Store the SSL_SESSION in the inter-process cache with the * Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too. * same expire time, so it expires automatically there, too.
*/ */
session_id = SSL_SESSION_get_session_id(pNew);
session_id_length = SSL_SESSION_get_session_id_length(pNew);
t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout); t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
rc = ssl_scache_store(s, pNew->session_id, pNew->session_id_length, t, pNew); rc = ssl_scache_store(s, session_id, session_id_length, t, pNew);
/* /*
* Log this cache operation * Log this cache operation
@ -1548,7 +1567,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: " ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=SET status=%s id=%s timeout=%ds (session caching)", "request=SET status=%s id=%s timeout=%ds (session caching)",
rc == TRUE ? "OK" : "BAD", rc == TRUE ? "OK" : "BAD",
SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length), SSL_SESSION_id2sz(session_id, session_id_length),
t-time(NULL)); t-time(NULL));
/* /*
@ -1615,6 +1634,9 @@ void ssl_callback_DelSessionCacheEntry(
SSL_CTX *ctx, SSL_SESSION *pSession) SSL_CTX *ctx, SSL_SESSION *pSession)
{ {
server_rec *s; server_rec *s;
unsigned char *session_id;
unsigned int session_id_length;
/* /*
* Get Apache context back through OpenSSL context * Get Apache context back through OpenSSL context
@ -1626,15 +1648,18 @@ void ssl_callback_DelSessionCacheEntry(
/* /*
* Remove the SSL_SESSION from the inter-process cache * Remove the SSL_SESSION from the inter-process cache
*/ */
ssl_scache_remove(s, pSession->session_id, pSession->session_id_length); session_id = SSL_SESSION_get_session_id(pSession);
session_id_length = SSL_SESSION_get_session_id_length(pSession);
ssl_scache_remove(s, session_id, session_id_length);
/* /*
* Log this cache operation * Log this cache operation
*/ */
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: " ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=REM status=OK id=%s (session dead)", "request=REM status=OK id=%s (session dead)",
SSL_SESSION_id2sz(pSession->session_id, SSL_SESSION_id2sz(session_id, session_id_length));
pSession->session_id_length));
return; return;
} }
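Review bot: In the `-1485` hunk of ssl_callback_SSLVerify_CRL the new code calls `X509_REVOKED_get_serialNumber(revoked)` twice, once for the `ASN1_INTEGER_cmp` and again inside the log branch, while the session-cache hunks in the same file hoist the accessor result into a local; assigning it once (`rev_serial = X509_REVOKED_get_serialNumber(revoked);` with `ASN1_INTEGER *rev_serial` declared alongside the function's other locals) keeps the style consistent and leaves a single place to add a NULL check should a toolkit's accessor be able to return one. That function begins and ends outside the hunk. In ssl_callback_NewSessionCacheEntry and ssl_callback_DelSessionCacheEntry the new `session_id` locals point into storage belonging to the SSL_SESSION (the macro expands to `s->session_id`), so a one-line comment such as `/* points into pNew; valid only as long as the session is */` would record that ownership next to the cache-store call.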


@ -283,8 +283,9 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
} }
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
SSL_SESSION *pSession = SSL_get_session(ssl); SSL_SESSION *pSession = SSL_get_session(ssl);
result = apr_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id, result = apr_pstrdup(p, SSL_SESSION_id2sz(
pSession->session_id_length)); SSL_SESSION_get_session_id(pSession),
SSL_SESSION_get_session_id_length(pSession)));
} }
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) { else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
result = ssl_var_lookup_ssl_cipher(p, c, var+6); result = ssl_var_lookup_ssl_cipher(p, c, var+6);
@ -356,13 +357,15 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var)
resdup = FALSE; resdup = FALSE;
} }
else if (strcEQ(var, "A_SIG")) { else if (strcEQ(var, "A_SIG")) {
nid = OBJ_obj2nid(xs->cert_info->signature->algorithm); nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE; resdup = FALSE;
} }
else if (strcEQ(var, "A_KEY")) { else if (strcEQ(var, "A_KEY")) {
nid = OBJ_obj2nid(xs->cert_info->key->algor->algorithm); nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE; resdup = FALSE;
} }
else if (strcEQ(var, "CERT")) { else if (strcEQ(var, "CERT")) {
@ -400,21 +403,30 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
char *result; char *result;
X509_NAME_ENTRY *xsne; X509_NAME_ENTRY *xsne;
int i, j, n; int i, j, n;
char *data_ptr;
int data_len;
result = NULL; result = NULL;
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) { for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQ(var, ssl_var_lookup_ssl_cert_dn_rec[i].name)) { if (strEQ(var, ssl_var_lookup_ssl_cert_dn_rec[i].name)) {
for (j = 0; j < sk_X509_NAME_ENTRY_num(xsname->entries); j++) { for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
xsne = sk_X509_NAME_ENTRY_value(xsname->entries, j); X509_NAME_get_entries(xsname));
n = OBJ_obj2nid(xsne->object); j++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
X509_NAME_get_entries(xsname), j);
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
data_len = X509_NAME_ENTRY_get_data_len(xsne);
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid) { if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid) {
result = apr_palloc(p, xsne->value->length+1); result = apr_palloc(p, data_len+1);
apr_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1); apr_cpystrn(result, (char *)data_ptr, data_len+1);
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC
ascii2ebcdic(result, result, xsne->value->length); ascii2ebcdic(result, result, xsne->value->length);
#endif /* CHARSET_EBCDIC */ #endif /* CHARSET_EBCDIC */
result[xsne->value->length] = NUL; result[data_len] = NUL;
break; break;
} }
} }
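Review bot: The EBCDIC branch at `ascii2ebcdic(result, result, xsne->value->length);` still dereferences the X509_NAME_ENTRY directly although the surrounding lines were moved to `data_len`, so an EBCDIC build against a non-OpenSSL toolkit keeps exactly the dependency this commit is removing; it should read `ascii2ebcdic(result, result, data_len);`. The new `data_ptr` local is a `char *` receiving what `X509_NAME_ENTRY_get_data_ptr` yields from `xs->value->data`, which is an `unsigned char *` in OpenSSL, so either declare it `unsigned char *` (the `(char *)` cast at the `apr_cpystrn` call already exists) or keep the cast at the assignment; the same pattern appears in `SSL_X509_getCN` in ssl_util_ssl.c. Since `apr_cpystrn` stops at the first NUL while `data_len` is the full ASN.1 length, an entry containing an embedded NUL yields only its prefix and the bytes of `result` between that NUL and `result[data_len]` are never written; a comment noting that the value is exposed as a C string and is truncated at a NUL would make the limitation visible. `n =OBJ_obj2nid(` wants a space after the `=`. ssl_var_lookup_ssl_cert_dn begins before the hunk and ends after it.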


@ -221,7 +221,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
if (pCert != NULL) if (pCert != NULL)
pKey = X509_get_pubkey(pCert); pKey = X509_get_pubkey(pCert);
if (pKey != NULL) { if (pKey != NULL) {
switch (EVP_PKEY_type(pKey->type)) { switch (EVP_PKEY_key_type(pKey)) {
case EVP_PKEY_RSA: case EVP_PKEY_RSA:
t = SSL_ALGO_RSA; t = SSL_ALGO_RSA;
break; break;


@ -284,12 +284,12 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
if (ssl == NULL) if (ssl == NULL)
return ""; return "";
if ((sk = SSL_get_ciphers(ssl)) == NULL) if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
return ""; return "";
l = 0; l = 0;
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i); c = sk_SSL_CIPHER_value(sk, i);
l += strlen(c->name)+2+1; l += strlen(SSL_CIPHER_get_name(c))+2+1;
} }
if (l == 0) if (l == 0)
return ""; return "";
@ -297,11 +297,11 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
cp = cpCipherSuite; cp = cpCipherSuite;
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i); c = sk_SSL_CIPHER_value(sk, i);
l = strlen(c->name); l = strlen(SSL_CIPHER_get_name(c));
memcpy(cp, c->name, l); memcpy(cp, SSL_CIPHER_get_name(c), l);
cp += l; cp += l;
*cp++ = '/'; *cp++ = '/';
*cp++ = (c->valid == 1 ? '1' : '0'); *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
*cp++ = ':'; *cp++ = ':';
} }
*(cp-1) = NUL; *(cp-1) = NUL;
@ -378,15 +378,21 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
X509_NAME *xsn; X509_NAME *xsn;
X509_NAME_ENTRY *xsne; X509_NAME_ENTRY *xsne;
int i, nid; int i, nid;
char *data_ptr;
int data_len;
xsn = X509_get_subject_name(xs); xsn = X509_get_subject_name(xs);
for (i = 0; i < sk_X509_NAME_ENTRY_num(xsn->entries); i++) { for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
xsne = sk_X509_NAME_ENTRY_value(xsn->entries, i); X509_NAME_get_entries(xsn)); i++) {
nid = OBJ_obj2nid(xsne->object); xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
X509_NAME_get_entries(xsn), i);
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (nid == NID_commonName) { if (nid == NID_commonName) {
*cppCN = apr_palloc(p, xsne->value->length+1); data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
apr_cpystrn(*cppCN, (char *)xsne->value->data, xsne->value->length+1); data_len = X509_NAME_ENTRY_get_data_len(xsne);
(*cppCN)[xsne->value->length] = NUL; *cppCN = apr_palloc(p, data_len+1);
apr_cpystrn(*cppCN, (char *)data_ptr, data_len+1);
(*cppCN)[data_len] = NUL;
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC
ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN)); ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
#endif #endif
@ -470,6 +476,7 @@ int SSL_CTX_use_certificate_chain(
X509 *x509; X509 *x509;
unsigned long err; unsigned long err;
int n; int n;
STACK *extra_certs;
if ((bio = BIO_new(BIO_s_file_internal())) == NULL) if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
return -1; return -1;
@ -490,9 +497,10 @@ int SSL_CTX_use_certificate_chain(
X509_free(x509); X509_free(x509);
} }
/* free a perhaps already configured extra chain */ /* free a perhaps already configured extra chain */
if (ctx->extra_certs != NULL) { extra_certs=SSL_CTX_get_extra_certs(ctx);
sk_X509_pop_free(ctx->extra_certs, X509_free); if (extra_certs != NULL) {
ctx->extra_certs = NULL; sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
SSL_CTX_set_extra_certs(ctx,NULL);
} }
/* create new extra chain by loading the certs */ /* create new extra chain by loading the certs */
n = 0; n = 0;
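Review bot: In SSL_CTX_use_certificate_chain the new local is declared as the generic `STACK *extra_certs;` and then cast back with `(STACK_OF(X509) *)extra_certs` for `sk_X509_pop_free`, so the compiler never checks that what `SSL_CTX_get_extra_certs(ctx)` returns is a certificate stack; declaring it `STACK_OF(X509) *extra_certs;` removes the cast and keeps the check. `extra_certs=SSL_CTX_get_extra_certs(ctx);` and `SSL_CTX_set_extra_certs(ctx,NULL);` also depart from the file's spacing around `=` and after commas. That function begins before the hunk and continues after it. In SSL_make_ciphersuite the second loop calls `SSL_CIPHER_get_name(c)` twice per cipher, once for `strlen` and once for `memcpy`; storing it once (`cipher_name = SSL_CIPHER_get_name(c);` with `const char *cipher_name` among the function's other locals) reads more easily and guarantees both calls see the same string.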