Introduce a number of SSLC hints to mod_ssl, including the following

type overrides;

    MODSSL_CLIENT_CERT_CB_ARG_TYPE
    MODSSL_PCHAR_CAST      (for a host of non-void/const sslc values)
    modssl_read_bio_cb_fn  (for several callbacks with same prototypes)

  Declare callback functions appropriately.

  And protect us from indetermineant toolkits with
  #error "Unrecognized SSL Toolkit!"


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99183 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/mod_ssl.h

@@ -584,7 +584,7 @@ RSA         *ssl_callback_TmpRSA(SSL *, int, int);
 DH          *ssl_callback_TmpDH(SSL *, int, int);
 int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
 int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);

modules/ssl/ssl_engine_init.c

@@ -556,8 +556,8 @@ static void ssl_init_ctx_verify(server_rec *s,
                      "Configuring client authentication");
 
         if (!SSL_CTX_load_verify_locations(ctx,
-                                           mctx->auth.ca_cert_file,
+                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
-                                           mctx->auth.ca_cert_path))
+                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
         {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Unable to configure verify locations "
@@ -614,7 +614,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
                  "Configuring permitted SSL ciphers [%s]", 
                  suite);
 
-    if (!SSL_CTX_set_cipher_list(ctx, suite)) {
+    if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Unable to configure permitted SSL ciphers");
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
@@ -1077,10 +1077,17 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
     }
 }
 
+#ifdef SSLC_VERSION_NUMBER
+static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
+{
+    return(X509_NAME_cmp((void*)*a, (void*)*b));
+}
+#else
 static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
 {
     return(X509_NAME_cmp(*a, *b));
 }
+#endif
 
 static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
                                 server_rec *s, const char *file)
@@ -1088,7 +1095,8 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
     int n;
     STACK_OF(X509_NAME) *sk;
 
-    sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
+    sk = (STACK_OF(X509_NAME) *)
+             SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
 
     if (!sk) {
         return;

modules/ssl/ssl_engine_kernel.c

@@ -638,7 +638,7 @@ int ssl_hook_Access(request_rec *r)
                  * we put it back here for the purpose of quick_renegotiation.
                  */
                 cert_stack = sk_new_null();
-                sk_X509_push(cert_stack, cert);
+                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
             }
 
             if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
@@ -1531,7 +1531,7 @@ static void modssl_proxy_info_log(server_rec *s,
     *pkey = info->x_pkey->dec_pkey; \
     EVP_PKEY_reference_inc(*pkey)
 
-int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 
+int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey) 
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
     server_rec *s = c->base_server;

modules/ssl/ssl_engine_pphrase.c

@@ -142,7 +142,11 @@ static apr_file_t *readtty = NULL;
  */
 static server_rec *ssl_pphrase_server_rec = NULL;
 
+#ifdef SSLC_VERSION_NUMBER
+int ssl_pphrase_Handle_CB(char *, int, int);
+#else
 int ssl_pphrase_Handle_CB(char *, int, int, void *);
+#endif
 
 static char *pphrase_array_get(apr_array_header_t *arr, int idx)
 {
@@ -635,8 +639,14 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
     return 0;
 }
 
+#ifdef SSLC_VERSION_NUMBER
+int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
+{
+    void *srv = ssl_pphrase_server_rec;
+#else
 int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
 {
+#endif
     SSLModConfigRec *mc;
     server_rec *s;
     apr_pool_t *p;
@@ -652,11 +662,6 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
     char *cpp;
     int len = -1;
 
-#ifndef OPENSSL_VERSION_NUMBER
-    /* make up for sslc flaw */
-    srv = ssl_pphrase_server_rec;
-#endif
-
     mc = myModConfig((server_rec *)srv);
 
     /*

modules/ssl/ssl_toolkit_compat.h

@@ -107,9 +107,13 @@
 
 #define MODSSL_BIO_CB_ARG_TYPE const char
 #define MODSSL_CRYPTO_CB_ARG_TYPE const char
+#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
+#define MODSSL_PCHAR_CAST
 
 #define modssl_X509_verify_cert X509_verify_cert
 
+typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
+
 #if (OPENSSL_VERSION_NUMBER < 0x00904000)
 #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
 #else
@@ -134,14 +138,17 @@
 
 #define HAVE_SSL_X509V3_EXT_d2i
 
-#else /* HAVE_SSLC */
+#elif defined(HAVE_SSLC)
 
+#include <bio.h>
+#include <ssl.h>
+#include <err.h>
+#include <x509.h>
+#include <pem.h>
+#include <evp.h>
+#include <objects.h>
 #include <sslc.h>
 
-#if SSLC_VERSION > 0x1FFF
-#include <x509v3.h>
-#endif
-
 /* sslc does not support this function, OpenSSL has since 9.5.1 */
 #define RAND_status() 1
 
@@ -154,6 +161,10 @@
 
 #define MODSSL_BIO_CB_ARG_TYPE char
 #define MODSSL_CRYPTO_CB_ARG_TYPE char
+#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
+#define MODSSL_PCHAR_CAST (char *)
+
+typedef int (modssl_read_bio_cb_fn)(char*,int,int);
 
 #define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
 
@@ -179,7 +190,7 @@
 #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
 #endif
 
-#if SSLC_VERSION < 0x2000
+#if SSLC_VERSION_NUMBER < 0x2000
 
 #define X509_STORE_CTX_set_depth(st, d)    
 #define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
@@ -190,37 +201,47 @@
 #define modssl_set_verify(ssl, verify, cb) \
     SSL_set_verify(ssl, verify)
 
-#endif
+#else /* SSLC_VERSION_NUMBER >= 0x2000 */
+
+#define CRYPTO_malloc_init R_malloc_init
+
+#define EVP_cleanup() 
+
+#endif /* SSLC_VERSION_NUMBER >= 0x2000 */
+
+typedef void (*modssl_popfree_fn)(char *data);
 
-/* BEGIN GENERATED SECTION */
-#define sk_SSL_CIPHER_free sk_free
 #define sk_SSL_CIPHER_dup sk_dup
-#define sk_SSL_CIPHER_num sk_num
 #define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
+#define sk_SSL_CIPHER_free sk_free
+#define sk_SSL_CIPHER_num sk_num
 #define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
 #define sk_X509_num sk_num
 #define sk_X509_push sk_push
+#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
 #define sk_X509_value (X509 *)sk_value
-#define sk_X509_INFO_value (X509_INFO *)sk_value
 #define sk_X509_INFO_free sk_free
-#define sk_X509_INFO_pop_free sk_pop_free 
+#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
 #define sk_X509_INFO_num sk_num
 #define sk_X509_INFO_new_null sk_new_null
+#define sk_X509_INFO_value (X509_INFO *)sk_value
+#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
+#define sk_X509_NAME_free sk_free
+#define sk_X509_NAME_new sk_new
 #define sk_X509_NAME_num sk_num
 #define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
 #define sk_X509_NAME_value (X509_NAME *)sk_value
-#define sk_X509_NAME_free sk_free
-#define sk_X509_NAME_new sk_new
-#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
 #define sk_X509_NAME_ENTRY_num sk_num
 #define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
 #define sk_X509_NAME_set_cmp_func sk_set_cmp_func
 #define sk_X509_REVOKED_num sk_num
 #define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
-#define sk_X509_pop_free sk_pop_free
-/* END GENERATED SECTION */
 
-#endif /* OPENSSL_VERSION_NUMBER */
+#else /* ! HAVE_OPENSSL && ! HAVE_SSLC */
+
+#error "Unrecognized SSL Toolkit!"
+
+#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */
 
 #ifndef modssl_set_verify
 #define modssl_set_verify(ssl, verify, cb) \

modules/ssl/ssl_util.c

@@ -402,8 +402,18 @@ const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
 static apr_thread_mutex_t **lock_cs;
 static int                  lock_num_locks;
 
+#ifdef SSLC_VERSION_NUMBER
+#if SSLC_VERSION_NUMBER >= 0x2000
+static int ssl_util_thr_lock(int mode, int type,
+                              const char *file, int line)
+#else
 static void ssl_util_thr_lock(int mode, int type,
                               const char *file, int line)
+#endif
+#else
+static void ssl_util_thr_lock(int mode, int type,
+                              const char *file, int line)
+#endif
 {
     if (type < lock_num_locks) {
         if (mode & CRYPTO_LOCK) {
@@ -412,6 +422,14 @@ static void ssl_util_thr_lock(int mode, int type,
         else {
             apr_thread_mutex_unlock(lock_cs[type]);
         }
+#ifdef HAVE_SSLC
+#if SSLC_VERSION_NUMBER > 0x2000
+        return 1;
+    }
+    else {
+        return -1;
+#endif
+#endif
     }
 }
 

modules/ssl/ssl_util_ssl.c

@@ -107,7 +107,7 @@ void SSL_set_app_data2(SSL *ssl, void *arg)
 **  _________________________________________________________________
 */
 
-X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
+X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
 {
     X509 *rc;
     BIO *bioS;
@@ -158,7 +158,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
 }
 #endif
 
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
 {
     EVP_PKEY *rc;
     BIO *bioS;
@@ -430,7 +430,7 @@ BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
         return FALSE;
     }
 
-    if (BIO_read_filename(in, filename) <= 0) {
+    if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
         BIO_free(in);
         return FALSE;
     }
@@ -493,7 +493,7 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
  * should be sent to the peer in the SSL Certificate message.
  */
 int SSL_CTX_use_certificate_chain(
-    SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
+    SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
 {
     BIO *bio;
     X509 *x509;

modules/ssl/ssl_util_ssl.h

@@ -90,8 +90,8 @@
 void        SSL_init_app_data2_idx(void);
 void       *SSL_get_app_data2(SSL *);
 void        SSL_set_app_data2(SSL *, void *);
-X509       *SSL_read_X509(char *, X509 **, int (*)(char*,int,int,void*));
+X509       *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
-EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, int (*)(char*,int,int,void*), void *);
+EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
 int         SSL_smart_shutdown(SSL *ssl);
 X509_STORE *SSL_X509_STORE_create(char *, char *);
 int         SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
@@ -101,7 +101,7 @@ BOOL        SSL_X509_getBC(X509 *, int *, int *);
 BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)(char*,int,int,void*));
+int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
 char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
 
 /* util functions for OpenSSL+sslc compat */