
svn commit: r1222920 - in /httpd/httpd/branches/2.4.x: ./ modules/ssl/

Author: kbrand
Date: Sat Dec 24 06:35:20 2011
New Revision: 1222920

URL: http://svn.apache.org/viewvc?rev=1222920&view=rev
Log:
merge r1222917 from trunk:

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Dec 24 06:35:20 2011
@@ -1,3 +1,3 @@
 /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
 /httpd/httpd/branches/wombat-integration:723609-723841
-/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202236,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1206850,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210080,1210124,1210130,1210219,1210221,1210252,1210284,1210378,1210725,1210892,1210951,1210954,1211528,1211663,1211680,1212883,1213338,1213567,1214003,1214005,1214015,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221292,1222335,1222370,1222473,1222915
+/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202236,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1206850,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210080,1210124,1210130,1210219,1210221,1210252,1210284,1210378,1210725,1210892,1210951,1210954,1211528,1211663,1211680,1212883,1213338,1213567,1214003,1214005,1214015,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221292,1222335,1222370,1222473,1222915,1222917

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sat Dec 24 06:35:20 2011
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.0
 
+  *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
+     or later, to improve binary compatibility with future OpenSSL releases.
+     [Kaspar Brand]
+
   *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
      but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
      behave identically in both cases. PR52342. [Graham Leggett]

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Sat Dec 24 06:35:20 2011
@@ -780,8 +780,15 @@ static void ssl_init_ctx_pkcs7_cert_chai
 {
     STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
     int n;
+    STACK_OF(X509) *extra_certs = NULL;
 
-    if (!mctx->ssl_ctx->extra_certs)
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+    extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+    if (!extra_certs)
         for (n = 1; n < sk_X509_num(certs); ++n)
              SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
 }
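Review bot: The return value of `SSL_CTX_get_extra_chain_certs()` on L74 is discarded, and the same call is added at L332 in ssl_util_stapling.c; as far as I can tell the 1.0.1 ctrl behind that macro always succeeds, but a one-line comment saying so would stop a future reader from treating a NULL `extra_certs` as an error rather than as "no chain configured yet". The new `if (!extra_certs)` on L79 guards an unbraced `for` whose body is itself unbraced; bracing both would make the intent unambiguous, and a why-comment such as `/* leave an extra chain that is already configured on this ctx untouched */` above the `if` would document the guard. The signature of ssl_init_ctx_pkcs7_cert_chain is outside the hunk.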

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Sat Dec 24 06:35:20 2011
@@ -799,11 +799,15 @@ int ssl_hook_Access(request_rec *r)
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
                           "Awaiting re-negotiation handshake");
 
-            /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
+            /* XXX: Should replace setting state with SSL_renegotiate(ssl);
              * However, this causes failures in perl-framework currently,
              * perhaps pre-test if we have already negotiated?
              */
+#ifdef OPENSSL_NO_SSL_INTERN
+            SSL_set_state(ssl, SSL_ST_ACCEPT);
+#else
             ssl->state = SSL_ST_ACCEPT;
+#endif
             SSL_do_handshake(ssl);
 
             sslconn->reneg_state = RENEG_REJECT;
@@ -1728,8 +1732,12 @@ int ssl_callback_NewSessionCacheEntry(SS
      * Store the SSL_SESSION in the inter-process cache with the
      * same expire time, so it expires automatically there, too.
      */
+#ifdef OPENSSL_NO_SSL_INTERN
+    id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
     id = session->session_id;
     idlen = session->session_id_length;
+#endif
 
     rc = ssl_scache_store(s, id, idlen,
                           apr_time_from_sec(SSL_SESSION_get_time(session)
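Review bot: The cast `(unsigned char *)SSL_SESSION_get_id(session, &idlen)` on L111 strips the `const` that SSL_SESSION_get_id() returns, so the compiler can no longer catch a write through `id` into the session's own id buffer; the same cast is added at L124 in ssl_callback_DelSessionCacheEntry and at L177 in ssl_engine_vars.c. If ssl_scache_store(), ssl_scache_remove() and SSL_SESSION_id2sz() accept a `const unsigned char *` (their prototypes are not in this diff), declaring `id` as `const unsigned char *id;` and dropping the cast is the cleaner form; in ssl_engine_vars.c the declaration is part of the hunk (L173), in the two kernel.c callbacks it lies outside it. The enclosing function ssl_callback_NewSessionCacheEntry starts and ends outside the hunk.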
@@ -1809,8 +1817,12 @@ void ssl_callback_DelSessionCacheEntry(S
     /*
      * Remove the SSL_SESSION from the inter-process cache
      */
+#ifdef OPENSSL_NO_SSL_INTERN
+    id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
     id = session->session_id;
     idlen = session->session_id_length;
+#endif
 
     /* TODO: Do we need a temp pool here, or are we always shutting down? */
     ssl_scache_remove(s, id, idlen, sc->mc->pPool);
@@ -2024,13 +2036,14 @@ static int ssl_find_vhost(void *serverna
     sslcon = myConnConfig(c);
     if (found && (ssl = sslcon->ssl) &&
         (sc = mySrvConfig(s))) {
+        SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
         SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
         /*
          * SSL_set_SSL_CTX() only deals with the server cert,
          * so we need to duplicate a few additional settings
          * from the ctx by hand
          */
-        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+        SSL_set_options(ssl, SSL_CTX_get_options(ctx));
         if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
             (SSL_num_renegotiations(ssl) == 0)) {
            /*
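Review bot: `ctx` on L136 is read with SSL_get_SSL_CTX() before SSL_set_SSL_CTX() on L137 replaces the context, so it refers to the context the connection had before the SNI switch, whereas the removed `ssl->ctx` reads on L143 and L152-L153 happened after the switch and referred to the selected vhost's context. With the new code the options, verify mode and verify callback copied on L144 and L154-L155 come from the wrong vhost, which matters for client-certificate verification on SNI vhosts. SSL_set_SSL_CTX() returns the context it just installed, so collapsing the two lines to `SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);` fixes both hunks without a declaration-after-statement. ssl_find_vhost starts and ends outside the hunk.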
@@ -2040,8 +2053,8 @@ static int ssl_find_vhost(void *serverna
             * Otherwise, we would possibly reset a per-directory
             * configuration which was put into effect by ssl_hook_Access.
             */
-            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                           SSL_CTX_get_verify_callback(ssl->ctx));
+            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+                           SSL_CTX_get_verify_callback(ctx));
         }
 
         /*

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c Sat Dec 24 06:35:20 2011
@@ -335,10 +335,18 @@ static char *ssl_var_lookup_ssl(apr_pool
         char buf[SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
         if (pSession) {
-            result = apr_pstrdup(p, SSL_SESSION_id2sz(
-                                     pSession->session_id,
-                                     pSession->session_id_length,
-                                     buf, sizeof(buf)));
+            unsigned char *id;
+            unsigned int idlen;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+            id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
+#else
+            id = pSession->session_id;
+            idlen = pSession->session_id_length;
+#endif
+
+            result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
+                                                      buf, sizeof(buf)));
         }
     }
     else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
@@ -955,11 +963,15 @@ apr_array_header_t *ssl_ext_list(apr_poo
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
 {
     char *result = "NULL";
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
     SSL_SESSION *pSession = SSL_get_session(ssl);
 
     if (pSession) {
+#ifdef OPENSSL_NO_SSL_INTERN
+        switch (SSL_SESSION_get_compress_id(pSession)) {
+#else
         switch (pSession->compress_meth) {
+#endif
         case 0:
             /* default "NULL" already set */
             break;
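Review bot: Splitting the `switch (...) {` line across `#ifdef OPENSSL_NO_SSL_INTERN` / `#else` on L197-L201 leaves the opening brace inside a preprocessor conditional, which is easy to unbalance on the next edit; reading the compression id into a local first keeps the `switch` a single unconditional statement. The hunk ends before the remaining case labels and the function's closing brace.
```c
    if (pSession) {
        unsigned int comp_id;
#ifdef OPENSSL_NO_SSL_INTERN
        comp_id = SSL_SESSION_get_compress_id(pSession);
#else
        comp_id = pSession->compress_meth;
#endif
        switch (comp_id) {
        /* … unchanged: case labels … */
```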

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Sat Dec 24 06:35:20 2011
@@ -82,6 +82,11 @@
 #include "ap_expr.h"
 
 /* OpenSSL headers */
+#include <openssl/opensslv.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+/* must be defined before including ssl.h */
+#define OPENSSL_NO_SSL_INTERN
+#endif
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
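Review bot: The comment on L217 states the ordering rule but not its purpose; per the commit log the macro makes ssl.h omit the internals of SSL, SSL_CTX and SSL_SESSION so that mod_ssl only uses the accessor API and stays binary compatible across OpenSSL releases, and saying so here would explain the `#ifdef OPENSSL_NO_SSL_INTERN` wrappers in the other files, e.g. `/* hide the SSL/SSL_CTX/SSL_SESSION internals so only the 1.0.1+ accessor API is used; must precede the first include of ssl.h */`. Note that the define is only effective if none of the headers included above this point (outside the hunk) has already pulled in ssl.h, which is worth confirming.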

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c Sat Dec 24 06:35:20 2011
@@ -184,47 +184,6 @@ int SSL_smart_shutdown(SSL *ssl)
 
 /*  _________________________________________________________________
 **
-**  Cipher Suite Spec String Creation
-**  _________________________________________________________________
-*/
-
-char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
-{
-    STACK_OF(SSL_CIPHER) *sk;
-    SSL_CIPHER *c;
-    int i;
-    int l;
-    char *cpCipherSuite;
-    char *cp;
-
-    if (ssl == NULL)
-        return "";
-    if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
-        return "";
-    l = 0;
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        l += strlen(SSL_CIPHER_get_name(c))+2+1;
-    }
-    if (l == 0)
-        return "";
-    cpCipherSuite = (char *)apr_palloc(p, l+1);
-    cp = cpCipherSuite;
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        l = strlen(SSL_CIPHER_get_name(c));
-        memcpy(cp, SSL_CIPHER_get_name(c), l);
-        cp += l;
-        *cp++ = '/';
-        *cp++ = (c->valid == 1 ? '1' : '0');
-        *cp++ = ':';
-    }
-    *(cp-1) = NUL;
-    return cpCipherSuite;
-}
-
-/*  _________________________________________________________________
-**
 **  Certificate Checks
 **  _________________________________________________________________
 */
@@ -464,7 +423,6 @@ int SSL_CTX_use_certificate_chain(
     X509 *x509;
     unsigned long err;
     int n;
-    STACK_OF(X509) *extra_certs;
 
     if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
         return -1;
@@ -481,11 +439,14 @@ int SSL_CTX_use_certificate_chain(
         X509_free(x509);
     }
     /* free a perhaps already configured extra chain */
-    extra_certs = ctx->extra_certs;
-    if (extra_certs != NULL) {
-        sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+    if (ctx->extra_certs != NULL) {
+        sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
         ctx->extra_certs = NULL;
     }
+#endif
     /* create new extra chain by loading the certs */
     n = 0;
     while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.h Sat Dec 24 06:35:20 2011
@@ -63,7 +63,6 @@ void        SSL_set_app_data2(SSL *, voi
 X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);
 EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
 int         SSL_smart_shutdown(SSL *ssl);
-char       *SSL_make_ciphersuite(apr_pool_t *, SSL *);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c?rev=1222920&r1=1222919&r2=1222920&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c Sat Dec 24 06:35:20 2011
@@ -81,9 +81,16 @@ static X509 *stapling_get_issuer(modssl_
     int i;
     X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
     X509_STORE_CTX inctx;
+    STACK_OF(X509) *extra_certs = NULL;
 
-    for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
-        issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+    extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+    for (i = 0; i < sk_X509_num(extra_certs); i++) {
+        issuer = sk_X509_value(extra_certs, i);
         if (X509_check_issued(issuer, x) == X509_V_OK) {
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
             return issuer;