www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

Support for OpenSSL 1.1.0:

Browse Source 
- X509_STORE_CTX is now opaque.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1740653 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Rainer Jung
2016-04-23 13:17:52 +00:00
parent 6ba30d2c2b
commit e387d3e9c7
4 changed files with 27 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
modules/ssl/ssl_engine_kernel.c
View File

@@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r)
X509 *cert; X509 *cert;
X509 *peercert; X509 *peercert;
X509_STORE *cert_store = NULL; X509_STORE *cert_store = NULL;
X509_STORE_CTX cert_store_ctx; X509_STORE_CTX *cert_store_ctx;
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
const SSL_CIPHER *cipher = NULL; const SSL_CIPHER *cipher = NULL;
int depth, verify_old, verify, n, is_slave = 0; int depth, verify_old, verify, n, is_slave = 0;
@@ -913,25 +913,27 @@ int ssl_hook_Access(request_rec *r)
cert = sk_X509_value(cert_stack, 0); cert = sk_X509_value(cert_stack, 0);
} }
X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); cert_store_ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
depth = SSL_get_verify_depth(ssl); depth = SSL_get_verify_depth(ssl);
if (depth >= 0) { if (depth >= 0) {
X509_STORE_CTX_set_depth(&cert_store_ctx, depth); X509_STORE_CTX_set_depth(cert_store_ctx, depth);
} }
X509_STORE_CTX_set_ex_data(&cert_store_ctx, X509_STORE_CTX_set_ex_data(cert_store_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx(), SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)ssl); (char *)ssl);
if (!X509_verify_cert(&cert_store_ctx)) { if (!X509_verify_cert(cert_store_ctx)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
"Re-negotiation verification step failed"); "Re-negotiation verification step failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
} }
SSL_set_verify_result(ssl, cert_store_ctx.error); SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx));
X509_STORE_CTX_cleanup(&cert_store_ctx); X509_STORE_CTX_cleanup(cert_store_ctx);
X509_STORE_CTX_free(cert_store_ctx);
if (cert_stack != SSL_get_peer_cert_chain(ssl)) { if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
/* we created this ourselves, so free it */ /* we created this ourselves, so free it */

4
modules/ssl/ssl_engine_ocsp.c
View File

@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
{ {
OCSP_REQUEST *req = OCSP_REQUEST_new(); OCSP_REQUEST *req = OCSP_REQUEST_new();
*certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx));
if (!*certid || !OCSP_request_add0_id(req, *certid)) { if (!*certid || !OCSP_request_add0_id(req, *certid)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
"could not retrieve certificate id"); "could not retrieve certificate id");
@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
if (rc == V_OCSP_CERTSTATUS_GOOD) { if (rc == V_OCSP_CERTSTATUS_GOOD) {
/* TODO: allow flags configuration. */ /* TODO: allow flags configuration. */
if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
"failed to verify the OCSP response"); "failed to verify the OCSP response");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);

10
modules/ssl/ssl_private.h
View File

@@ -219,6 +219,16 @@ void init_bio_methods(void);
void free_bio_methods(void); void free_bio_methods(void);
#endif #endif
#if OPENSSL_VERSION_NUMBER < 0x10002000L
#define X509_STORE_CTX_get0_store(x) (x->ctx)
#endif
#if OPENSSL_VERSION_NUMBER < 0x10000000L
#ifndef X509_STORE_CTX_get0_current_issuer
#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
#endif
#endif
/* mod_ssl headers */ /* mod_ssl headers */
#include "ssl_util_ssl.h" #include "ssl_util_ssl.h"

11
modules/ssl/ssl_util_stapling.c
View File

@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
X509 *issuer = NULL; X509 *issuer = NULL;
int i; int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
X509_STORE_CTX inctx; X509_STORE_CTX *inctx;
STACK_OF(X509) *extra_certs = NULL; STACK_OF(X509) *extra_certs = NULL;
#ifdef OPENSSL_NO_SSL_INTERN #ifdef OPENSSL_NO_SSL_INTERN
@@ -100,13 +100,14 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
} }
} }
if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) inctx = X509_STORE_CTX_new();
if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
return 0; return 0;
if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
issuer = NULL; issuer = NULL;
X509_STORE_CTX_cleanup(&inctx); X509_STORE_CTX_cleanup(inctx);
X509_STORE_CTX_free(inctx);
return issuer; return issuer;
} }
int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,