Support OpenSSL 1.1.0.

- use common code for OpenSSL pre-1.1.0 and
  1.1.0 where possible.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730422 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+ 
   *) hostname: Test and log useragent_host per-request across various modules,
      including the scoreboard, expression and rewrite engines, setenvif,
      authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.

modules/ssl/mod_ssl_ct.c

@@ -1937,10 +1937,6 @@ static int ocsp_resp_cb(SSL *ssl, void *arg)
     int i, len;
     OCSP_RESPONSE *rsp;
     OCSP_BASICRESP *br;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    OCSP_RESPDATA *rd;
-    STACK_OF(X509_EXTENSION) *exts;
-#endif
     OCSP_SINGLERESP *single;
 
     len = SSL_get_tlsext_status_ocsp_resp(ssl, &p); /* UNDOC */
@@ -1965,25 +1961,13 @@ static int ocsp_resp_cb(SSL *ssl, void *arg)
         return 0;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    rd = br->tbsResponseData;
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { /* UNDOC */
-#else
     for (i = 0; i < OCSP_resp_count(br); i++) {
-#endif
         const unsigned char *p;
         X509_EXTENSION *ext;
         int idx;
         ASN1_OCTET_STRING *oct1, *oct2;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-        single = sk_OCSP_SINGLERESP_value(rd->responses, i); /* UNDOC */
-#else
         single = OCSP_resp_get0(br, i);
-#endif
         if (!single) {
             continue;
         }
@@ -1998,13 +1982,7 @@ static int ocsp_resp_cb(SSL *ssl, void *arg)
         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                       "index of NID_ct_cert_scts: %d", idx);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-        exts = single->singleExtensions;
-
-        ext = sk_X509_EXTENSION_value(exts, idx); /* UNDOC */
-#else
         ext = OCSP_SINGLERESP_get_ext(single, idx);
-#endif
         oct1 = X509_EXTENSION_get_data(ext); /* UNDOC */
 
         p = oct1->data;

modules/ssl/ssl_engine_init.c

@@ -876,11 +876,7 @@ static int use_certificate_chain(
     unsigned long err;
     int n;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-#else
     if ((bio = BIO_new(BIO_s_file())) == NULL)
-#endif
         return -1;
     if (BIO_read_filename(bio, file) <= 0) {
         BIO_free(bio);

modules/ssl/ssl_engine_kernel.c

@@ -80,11 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r)
     SSL_set_accept_state(ssl);
     SSL_do_handshake(ssl);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
-    if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+    if (!SSL_is_init_finished(ssl)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
                       "TLS upgrade handshake failed");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -460,11 +456,7 @@ int ssl_hook_Access(request_rec *r)
          * forbidden in the latter case, let ap_die() handle
          * this recursive (same) error.
          */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-        if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
-        if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+        if (!SSL_is_init_finished(ssl)) {
             return HTTP_FORBIDDEN;
         }
         ctx = SSL_get_SSL_CTX(ssl);
@@ -948,7 +940,6 @@ int ssl_hook_Access(request_rec *r)
         }
         else {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-            int rc;
             char peekbuf[1];
 #endif
             const char *reneg_support;
@@ -994,11 +985,7 @@ int ssl_hook_Access(request_rec *r)
             SSL_renegotiate(ssl);
             SSL_do_handshake(ssl);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-            if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
-            if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+            if (!SSL_is_init_finished(ssl)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
                               "Re-negotiation request failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -1033,27 +1020,13 @@ int ssl_hook_Access(request_rec *r)
              * It is expected to work without changes with the forthcoming 1.1.0pre3.
              * See: http://marc.info/?t=145493359200002&r=1&w=2
              */
-            rc = SSL_peek(ssl, peekbuf, 0);
-            ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
-                          "Renegotiation peek result=%d, "
-                          "reneg_state=%d, "
-                          "in_init=%d, init_finished=%d, "
-                          "state=%s, sslconn->ssl=%s, peer_certs=%s",
-                          rc, sslconn->reneg_state,
-                          SSL_in_init(ssl), SSL_is_init_finished(ssl),
-                          SSL_state_string_long(ssl),
-                          sslconn->ssl != NULL ? "yes" : "no",
-                          SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
+            SSL_peek(ssl, peekbuf, 0);
 
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
 
             sslconn->reneg_state = RENEG_REJECT;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-            if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
-            if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+            if (!SSL_is_init_finished(ssl)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
                               "Re-negotiation handshake failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

modules/ssl/ssl_engine_ocsp.c

@@ -262,15 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
                       "No cert available to check with OCSP");
         return 1;
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-#else
-    /* No need to check cert->valid, because modssl_verify_ocsp() only
-     * is called if OpenSSL already successfully verified the certificate
-     * (parameter "ok" in ssl_callback_SSLVerify() must be true).
-     */
     else if (X509_check_issued(cert,cert) == X509_V_OK) {
-#endif
         /* don't do OCSP checking for valid self-issued certs */
         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                       "Skipping OCSP check for valid self-issued cert");

modules/ssl/ssl_engine_vars.c

@@ -683,16 +683,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
     for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
         if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
             && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-            for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
-                                                   xsname->entries);
-                 j++) {
-                xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
-                                                xsname->entries, j);
-#else
             for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
                 xsne = X509_NAME_get_entry(xsname, j);
-#endif
 
                 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
 
@@ -994,9 +986,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
 static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
                        X509_NAME *xn, apr_pool_t *p)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
-#endif
     X509_NAME_ENTRY *xsne;
     apr_hash_t *count;
     int i, nid;
@@ -1006,16 +995,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
     count = apr_hash_make(p);
 
     /* For each RDN... */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
-         const char *tag;
-
-         xsne = sk_X509_NAME_ENTRY_value(ents, i);
-#else
     for (i = 0; i < X509_NAME_entry_count(xn); i++) {
          const char *tag;
          xsne = X509_NAME_get_entry(xn, i);
-#endif
 
          /* Retrieve the nid, and check whether this is one of the nids
           * which are to be extracted. */
@@ -1189,11 +1171,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
     for (j = 0; j < count; j++) {
         X509_EXTENSION *ext = X509_get_ext(xs, j);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-        if (OBJ_cmp(ext->object, oid) == 0) {
-#else
         if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
-#endif
             BIO *bio = BIO_new(BIO_s_mem());
 
             /* We want to obtain a string representation of the extensions

modules/ssl/ssl_private.h

@@ -151,6 +151,7 @@
 /* OCSP stapling */
 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
 #define HAVE_OCSP_STAPLING
+/* All exist but are no longer macros since OpenSSL 1.1.0 */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 /* backward compatibility with OpenSSL < 1.0 */
 #ifndef sk_OPENSSL_STRING_num

modules/ssl/ssl_util_stapling.c

@@ -402,13 +402,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
 
             if (bio) {
                 int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-                if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
-#else
                 ASN1_INTEGER *pserial;
                 OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
                 if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
-#endif
                     ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
                     snum[n] = '\0';
                 BIO_free(bio);