Posted to cvs@httpd.apache.org by wr...@apache.org on 2003/05/16 20:12:19 UTC

cvs commit: httpd-2.0/modules/ssl mod_ssl.h ssl_engine_init.c ssl_engine_kernel.c ssl_engine_pphrase.c ssl_toolkit_compat.h ssl_util.c ssl_util_ssl.c ssl_util_ssl.h

wrowe       2003/05/16 11:12:19

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES
               modules/ssl Tag: APACHE_2_0_BRANCH mod_ssl.h
                        ssl_engine_init.c ssl_engine_kernel.c
                        ssl_engine_pphrase.c ssl_toolkit_compat.h
                        ssl_util.c ssl_util_ssl.c ssl_util_ssl.h
  Log:
    Backport the RSA SSL-C compatibility changes.  More work remains because
    not all of the headers required for the 'openssl way' of doing things
    are in the headers from the binary distribution.  While the source distro
    doesn't suffer as many problems, we should find ways to individually
    cripple those features for the binary distro that most users will have
    installed.
  
    Mucho thanks to Trawick for his efforts in keeping the patch in sync.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.988.2.100 +6 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.99
  retrieving revision 1.988.2.100
  diff -u -r1.988.2.99 -r1.988.2.100
  --- CHANGES	15 May 2003 20:28:16 -0000	1.988.2.99
  +++ CHANGES	16 May 2003 18:12:17 -0000	1.988.2.100
  @@ -1,5 +1,11 @@
   Changes with Apache 2.0.46
   
  +  *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
  +     for SSLC and OpenSSL toolkit compatibility.  Still work remains to
  +     be done to cripple features based on the limitations of RSA's binary 
  +     distribution of their SSL-C toolkit.
  +     [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
  +
     *) Linux 2.4+: If Apache is started as root and you code 
        CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
        [Greg Ames]
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.122.2.5 +19 -6     httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.122.2.4
  retrieving revision 1.122.2.5
  diff -u -r1.122.2.4 -r1.122.2.5
  --- mod_ssl.h	17 Apr 2003 13:35:32 -0000	1.122.2.4
  +++ mod_ssl.h	16 May 2003 18:12:18 -0000	1.122.2.5
  @@ -109,7 +109,19 @@
   
   #define MOD_SSL_VERSION AP_SERVER_BASEREVISION
   
  -/* OpenSSL headers */
  +#ifdef HAVE_SSLC
  +  
  +#include <bio.h>
  +#include <ssl.h>
  +#include <err.h>
  +#include <x509.h>
  +#include <pem.h>
  +#include <evp.h>
  +#include <objects.h>
  +#include <sslc.h>
  +
  +#else /* !HAVE_SSLC (implicit HAVE_OPENSSL) */
  +
   #include <ssl.h>
   #include <err.h>
   #include <x509.h>
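Review bot: Header selection here keys on the build flag `HAVE_SSLC`, while every code path touched by this commit keys on the toolkit-provided `SSLC_VERSION_NUMBER`; that only holds together because ssl_toolkit_compat.h now `#error`s when neither version macro is present, and the coupling deserves a comment on the `#ifdef HAVE_SSLC` line, e.g. `/* HAVE_SSLC comes from configure; sslc.h is expected to define SSLC_VERSION_NUMBER, which the rest of mod_ssl tests */`. The line directly after `#ifdef HAVE_SSLC` is whitespace-only and should be a blank line.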
  @@ -120,14 +132,15 @@
   #ifdef SSL_EXPERIMENTAL_ENGINE
   #include <engine.h>
   #endif
  -
  -#include "ssl_toolkit_compat.h"
  -
   #ifdef HAVE_SSL_X509V3_H
   #include <x509v3.h>
   #endif
   
  +#endif /* !HAVE_SSLC (implicit HAVE_OPENSSL) */
  +
  +
   /* mod_ssl headers */
  +#include "ssl_toolkit_compat.h"
   #include "ssl_expr.h"
   #include "ssl_util_ssl.h"
   #include "ssl_util_table.h"
  @@ -601,11 +614,11 @@
   DH          *ssl_callback_TmpDH(SSL *, int, int);
   int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
   int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
  -int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
  +int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
   int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
   SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
   void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
  -void         ssl_callback_LogTracingState(SSL *, int, int);
  +void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
   
   /*  Session Cache Support  */
   void         ssl_scache_init(server_rec *, apr_pool_t *);
  
  
  
  1.106.2.5 +12 -4     httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.106.2.4
  retrieving revision 1.106.2.5
  diff -u -r1.106.2.4 -r1.106.2.5
  --- ssl_engine_init.c	6 Mar 2003 08:44:01 -0000	1.106.2.4
  +++ ssl_engine_init.c	16 May 2003 18:12:18 -0000	1.106.2.5
  @@ -554,8 +554,8 @@
                        "Configuring client authentication");
   
           if (!SSL_CTX_load_verify_locations(ctx,
  -                                           mctx->auth.ca_cert_file,
  -                                           mctx->auth.ca_cert_path))
  +                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
  +                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
           {
               ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                       "Unable to configure verify locations "
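Review bot: `MODSSL_PCHAR_CAST` in front of `mctx->auth.ca_cert_file` and `mctx->auth.ca_cert_path` expands to `(char *)` on the SSL-C side (ssl_toolkit_compat.h hunk `@@ -135,6 +146,11 @@`), so both arguments silently lose their const qualification and the compiler can no longer tell whether the toolkit writes through them. That is only safe if SSL-C's prototypes are merely missing `const` and the callee never modifies the string, which I cannot confirm from here; the same cast is applied to `suite` in the next hunk, to `file` in ssl_init_PushCAList, to `filename` at BIO_read_filename in ssl_util_ssl.c, and to `cert` in ssl_engine_kernel.c. A one-line comment at the macro's SSL-C definition, `/* SSL-C prototypes take char *; this drops const at call sites, so callees must not write through it */`, would record the assumption where each call site can find it.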
  @@ -612,7 +612,7 @@
                    "Configuring permitted SSL ciphers [%s]", 
                    suite);
   
  -    if (!SSL_CTX_set_cipher_list(ctx, suite)) {
  +    if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
           ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                   "Unable to configure permitted SSL ciphers");
           ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
  @@ -1072,10 +1072,17 @@
       }
   }
   
  +#ifdef SSLC_VERSION_NUMBER
  +static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
  +{
  +    return(X509_NAME_cmp((void*)*a, (void*)*b));
  +}
  +#else
   static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
   {
       return(X509_NAME_cmp(*a, *b));
   }
  +#endif
   
   static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
                                   server_rec *s, const char *file)
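Review bot: The two `ssl_init_FindCAList_X509NameCmp` definitions differ only in the parameter type, and this commit elsewhere expresses exactly that kind of difference as a `MODSSL_*_ARG_TYPE` macro in ssl_toolkit_compat.h rather than duplicating the function. A single definition such as `static int ssl_init_FindCAList_X509NameCmp(MODSSL_X509_NAME_CMP_ARG_TYPE **a, MODSSL_X509_NAME_CMP_ARG_TYPE **b)` with the macro defined as `char` for SSL-C and `X509_NAME` for OpenSSL would keep the comparator in one place; the `(void*)` casts in the SSL-C body would presumably still be needed, since I cannot see SSL-C's X509_NAME_cmp prototype from here. Whichever form stays, a comment noting that the comparator's parameter type must match what `sk_X509_NAME_set_cmp_func` expects would explain why the type is toolkit-dependent at all.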
  @@ -1083,7 +1090,8 @@
       int n;
       STACK_OF(X509_NAME) *sk;
   
  -    sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
  +    sk = (STACK_OF(X509_NAME) *)
  +             SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
   
       if (!sk) {
           return;
  
  
  
  1.82.2.6  +3 -3      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.82.2.5
  retrieving revision 1.82.2.6
  diff -u -r1.82.2.5 -r1.82.2.6
  --- ssl_engine_kernel.c	5 Apr 2003 19:04:43 -0000	1.82.2.5
  +++ ssl_engine_kernel.c	16 May 2003 18:12:18 -0000	1.82.2.6
  @@ -629,7 +629,7 @@
                    * we put it back here for the purpose of quick_renegotiation.
                    */
                   cert_stack = sk_new_null();
  -                sk_X509_push(cert_stack, cert);
  +                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
               }
   
               if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
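Review bot: The `MODSSL_PCHAR_CAST cert` on the `sk_X509_push` line applies a `(char *)` string cast to an `X509 *` at the call site, whereas the compat header already handles the same problem for `sk_X509_NAME_push` by casting inside the macro (`#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)`). Changing the SSL-C definition of `sk_X509_push` in ssl_toolkit_compat.h to `#define sk_X509_push(st, data) sk_push(st, (void *)data)` would let this line stay `sk_X509_push(cert_stack, cert);` and keep the string-cast macro from being applied to a certificate pointer. Separately, the `!cert_stack` check two lines below runs only after the push, so if `sk_new_null()` fails the push sees a NULL stack; the toolkit presumably tolerates that, but checking before pushing would not depend on it.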
  @@ -1526,7 +1526,7 @@
       *pkey = info->x_pkey->dec_pkey; \
       EVP_PKEY_reference_inc(*pkey)
   
  -int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 
  +int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey) 
   {
       conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
       server_rec *s = c->base_server;
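Review bot: `ssl_callback_proxy_cert` now takes `MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509`, which is `void **` on SSL-C and `X509 **` on OpenSSL, and nothing at the definition says why. A comment above the signature, `/* x509 is void ** under SSL-C, whose client-cert callback is untyped; see MODSSL_CLIENT_CERT_CB_ARG_TYPE in ssl_toolkit_compat.h */`, would spare the next reader a trip through the compat header. The function body continues past the hunk, so I cannot see whether the store into `*x509` needs a matching cast on the SSL-C side.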
  @@ -1740,7 +1740,7 @@
    * SSL handshake and does SSL record layer stuff. We use it to
    * trace OpenSSL's processing in out SSL logfile.
    */
  -void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
  +void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
   {
       conn_rec *c;
       server_rec *s;
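Review bot: With OpenSSL 0.9.7 and later `MODSSL_INFO_CB_ARG_TYPE` is `const SSL *`, so `ssl` now arrives const-qualified in `ssl_callback_LogTracingState`, and the body (which continues past this hunk) must not hand it to any API that takes a plain `SSL *` without an explicit cast. Judging by the `conn_rec *c;` and `server_rec *s;` declarations, an app-data lookup on `ssl` is the likely spot, but I cannot confirm from here. If a cast is needed, it deserves a comment such as `/* const dropped: the app-data accessor predates the const info-callback signature */` so it is not mistaken for a hack.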
  
  
  
  1.42.2.2  +10 -5     httpd-2.0/modules/ssl/ssl_engine_pphrase.c
  
  Index: ssl_engine_pphrase.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
  retrieving revision 1.42.2.1
  retrieving revision 1.42.2.2
  diff -u -r1.42.2.1 -r1.42.2.2
  --- ssl_engine_pphrase.c	3 Feb 2003 17:31:53 -0000	1.42.2.1
  +++ ssl_engine_pphrase.c	16 May 2003 18:12:18 -0000	1.42.2.2
  @@ -142,7 +142,11 @@
    */
   static server_rec *ssl_pphrase_server_rec = NULL;
   
  +#ifdef SSLC_VERSION_NUMBER
  +int ssl_pphrase_Handle_CB(char *, int, int);
  +#else
   int ssl_pphrase_Handle_CB(char *, int, int, void *);
  +#endif
   
   static char *pphrase_array_get(apr_array_header_t *arr, int idx)
   {
  @@ -635,8 +639,14 @@
       return 0;
   }
   
  +#ifdef SSLC_VERSION_NUMBER
  +int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
  +{
  +    void *srv = ssl_pphrase_server_rec;
  +#else
   int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
   {
  +#endif
       SSLModConfigRec *mc;
       server_rec *s;
       apr_pool_t *p;
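Review bot: The SSL-C branch of `ssl_pphrase_Handle_CB` now recovers `srv` from the file-static `ssl_pphrase_server_rec` with no explanation, while the old `/* make up for sslc flaw */` comment is deleted in the next hunk along with the code it described. A comment on the `void *srv = ssl_pphrase_server_rec;` line, `/* SSL-C's passphrase callback carries no user-data argument, so the server_rec is passed through this file-static instead */`, keeps the reason visible. That static also means the SSL-C path depends on the caller having set `ssl_pphrase_server_rec` before the PEM read and on no two threads doing so concurrently; the setter is outside this hunk, so I cannot confirm either holds.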
  @@ -651,11 +661,6 @@
       BOOL *pbPassPhraseDialogOnce;
       char *cpp;
       int len = -1;
  -
  -#ifndef OPENSSL_VERSION_NUMBER
  -    /* make up for sslc flaw */
  -    srv = ssl_pphrase_server_rec;
  -#endif
   
       mc = myModConfig((server_rec *)srv);
   
  
  
  
  1.27.2.2  +40 -14    httpd-2.0/modules/ssl/ssl_toolkit_compat.h
  
  Index: ssl_toolkit_compat.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_toolkit_compat.h,v
  retrieving revision 1.27.2.1
  retrieving revision 1.27.2.2
  diff -u -r1.27.2.1 -r1.27.2.2
  --- ssl_toolkit_compat.h	3 Feb 2003 17:31:54 -0000	1.27.2.1
  +++ ssl_toolkit_compat.h	16 May 2003 18:12:19 -0000	1.27.2.2
  @@ -94,9 +94,18 @@
   
   #define MODSSL_BIO_CB_ARG_TYPE const char
   #define MODSSL_CRYPTO_CB_ARG_TYPE const char
  +#if (OPENSSL_VERSION_NUMBER < 0x00907000)
  +#define MODSSL_INFO_CB_ARG_TYPE SSL*
  +#else
  +#define MODSSL_INFO_CB_ARG_TYPE const SSL*
  +#endif
  +#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
  +#define MODSSL_PCHAR_CAST
   
   #define modssl_X509_verify_cert X509_verify_cert
   
  +typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
  +
   #if (OPENSSL_VERSION_NUMBER < 0x00904000)
   #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
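Review bot: The new `modssl_read_bio_cb_fn` typedef is defined with a trailing `void*` here and without one in the SSL-C section of the same header, and neither site says that the two shapes are intentionally different. A comment on this typedef, `/* PEM password callback: OpenSSL passes a user-data pointer, SSL-C does not (see the SSL-C section below) */`, would tell readers of `SSL_read_PrivateKey` why its `void *s` cannot reach the callback on every toolkit. The empty `#define MODSSL_PCHAR_CAST` likewise reads better with `/* OpenSSL prototypes are const-correct; no cast needed */` beside it.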
   #else
  @@ -119,9 +128,11 @@
   
   #define HAVE_SSL_RAND_EGD /* since 9.5.1 */
   
  +#ifdef HAVE_SSL_X509V3_H
   #define HAVE_SSL_X509V3_EXT_d2i
  +#endif
   
  -#else /* RSA sslc */
  +#elif defined (SSLC_VERSION_NUMBER) /* RSA */
   
   /* sslc does not support this function, OpenSSL has since 9.5.1 */
   #define RAND_status() 1
  @@ -135,6 +146,11 @@
   
   #define MODSSL_BIO_CB_ARG_TYPE char
   #define MODSSL_CRYPTO_CB_ARG_TYPE char
  +#define MODSSL_INFO_CB_ARG_TYPE SSL*
  +#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
  +#define MODSSL_PCHAR_CAST (char *)
  +
  +typedef int (modssl_read_bio_cb_fn)(char*,int,int);
   
   #define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
   
  @@ -160,7 +176,7 @@
   #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
   #endif
   
  -#if SSLC_VERSION < 0x2000
  +#if SSLC_VERSION_NUMBER < 0x2000
   
   #define X509_STORE_CTX_set_depth(st, d)    
   #define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
  @@ -173,37 +189,47 @@
   
   #define NO_SSL_X509V3_H
   
  -#endif
  +#else /* SSLC_VERSION_NUMBER >= 0x2000 */
  +
  +#define CRYPTO_malloc_init R_malloc_init
  +
  +#define EVP_cleanup() 
  +
  +#endif /* SSLC_VERSION_NUMBER >= 0x2000 */
  +
  +typedef void (*modssl_popfree_fn)(char *data);
   
  -/* BEGIN GENERATED SECTION */
  -#define sk_SSL_CIPHER_free sk_free
   #define sk_SSL_CIPHER_dup sk_dup
  -#define sk_SSL_CIPHER_num sk_num
   #define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
  +#define sk_SSL_CIPHER_free sk_free
  +#define sk_SSL_CIPHER_num sk_num
   #define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
   #define sk_X509_num sk_num
   #define sk_X509_push sk_push
  +#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
   #define sk_X509_value (X509 *)sk_value
  -#define sk_X509_INFO_value (X509_INFO *)sk_value
   #define sk_X509_INFO_free sk_free
  -#define sk_X509_INFO_pop_free sk_pop_free 
  +#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
   #define sk_X509_INFO_num sk_num
   #define sk_X509_INFO_new_null sk_new_null
  +#define sk_X509_INFO_value (X509_INFO *)sk_value
  +#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
  +#define sk_X509_NAME_free sk_free
  +#define sk_X509_NAME_new sk_new
   #define sk_X509_NAME_num sk_num
   #define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
   #define sk_X509_NAME_value (X509_NAME *)sk_value
  -#define sk_X509_NAME_free sk_free
  -#define sk_X509_NAME_new sk_new
  -#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
   #define sk_X509_NAME_ENTRY_num sk_num
   #define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
   #define sk_X509_NAME_set_cmp_func sk_set_cmp_func
   #define sk_X509_REVOKED_num sk_num
   #define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
  -#define sk_X509_pop_free sk_pop_free
  -/* END GENERATED SECTION */
   
  -#endif /* OPENSSL_VERSION_NUMBER */
  +#else /* ! OPENSSL_VERSION_NUMBER && ! SSLC_VERSION_NUMBER */
  +
  +#error "Unrecognized SSL Toolkit!"
  +
  +#endif /* ! OPENSSL_VERSION_NUMBER && ! SSLC_VERSION_NUMBER */
   
   #ifndef modssl_set_verify
   #define modssl_set_verify(ssl, verify, cb) \
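Review bot: The new `sk_X509_pop_free` and `sk_X509_INFO_pop_free` macros name their second parameter `free`, which reads as the C library function inside the expansion `(modssl_popfree_fn)(free)` and will break if `free` is ever a macro in a toolkit or platform header; `#define sk_X509_pop_free(st, fn) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(fn))` (and the same for the X509_INFO variant) says the same thing without the shadowing. The cast converts a destructor such as `X509_free` to `void (*)(char *)` before SSL-C's `sk_pop_free` calls it; that is the usual pattern for these untyped stacks but is still a call through an incompatible function-pointer type, so a one-line comment at the `modssl_popfree_fn` typedef noting that SSL-C's stack is `char *`-based and the cast is deliberate would be worthwhile. The `#error "Unrecognized SSL Toolkit!"` fallback is a good addition: a misconfigured build now fails at compile time instead of producing a half-defined compat layer.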
  
  
  
  1.35.2.2  +18 -0     httpd-2.0/modules/ssl/ssl_util.c
  
  Index: ssl_util.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util.c,v
  retrieving revision 1.35.2.1
  retrieving revision 1.35.2.2
  diff -u -r1.35.2.1 -r1.35.2.2
  --- ssl_util.c	3 Feb 2003 17:31:54 -0000	1.35.2.1
  +++ ssl_util.c	16 May 2003 18:12:19 -0000	1.35.2.2
  @@ -402,8 +402,18 @@
   static apr_thread_mutex_t **lock_cs;
   static int                  lock_num_locks;
   
  +#ifdef SSLC_VERSION_NUMBER
  +#if SSLC_VERSION_NUMBER >= 0x2000
  +static int ssl_util_thr_lock(int mode, int type,
  +                              const char *file, int line)
  +#else
  +static void ssl_util_thr_lock(int mode, int type,
  +                              const char *file, int line)
  +#endif
  +#else
   static void ssl_util_thr_lock(int mode, int type,
                                 const char *file, int line)
  +#endif
   {
       if (type < lock_num_locks) {
           if (mode & CRYPTO_LOCK) {
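Review bot: The return type of `ssl_util_thr_lock` is now chosen by a three-way `#ifdef`/`#if` ladder that repeats the full signature three times, while the rest of this commit expresses exactly this kind of toolkit difference as a `MODSSL_*_TYPE` macro in ssl_toolkit_compat.h. Defining, say, `MODSSL_THR_LOCK_RET_TYPE` there as `int` for SSL-C 0x2000 and later and `void` otherwise would reduce this to a single `static MODSSL_THR_LOCK_RET_TYPE ssl_util_thr_lock(int mode, int type, const char *file, int line)`. The function's body continues past this hunk; its `return` statements are in the next one.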
  @@ -412,6 +422,14 @@
           else {
               apr_thread_mutex_unlock(lock_cs[type]);
           }
  +#ifdef SSLC_VERSION_NUMBER
  +#if SSLC_VERSION_NUMBER >= 0x2000
  +        return 1;
  +    }
  +    else {
  +        return -1;
  +#endif
  +#endif
       }
   }
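Review bot: In the `int`-returning SSL-C variant, `ssl_util_thr_lock` returns 1 unconditionally after the lock or unlock call, even though the `apr_thread_mutex_lock`/`apr_thread_mutex_unlock` status is right there and discarded; if SSL-C treats a non-positive return as "lock not taken" (I cannot confirm its contract from here), a failed lock is reported as success and the toolkit proceeds unprotected. Capturing the status, e.g. `apr_status_t rv = (mode & CRYPTO_LOCK) ? apr_thread_mutex_lock(lock_cs[type]) : apr_thread_mutex_unlock(lock_cs[type]);` and returning `rv == APR_SUCCESS ? 1 : -1` in the int variant, would make the report honest while leaving the `void` variants unchanged. The `return -1;` for an out-of-range `type` also deserves a comment naming it as SSL-C's failure value, if that is what it is.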
   
  
  
  
  1.23.2.3  +4 -4      httpd-2.0/modules/ssl/ssl_util_ssl.c
  
  Index: ssl_util_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util_ssl.c,v
  retrieving revision 1.23.2.2
  retrieving revision 1.23.2.3
  diff -u -r1.23.2.2 -r1.23.2.3
  --- ssl_util_ssl.c	3 Feb 2003 17:31:54 -0000	1.23.2.2
  +++ ssl_util_ssl.c	16 May 2003 18:12:19 -0000	1.23.2.3
  @@ -107,7 +107,7 @@
   **  _________________________________________________________________
   */
   
  -X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
  +X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
   {
       X509 *rc;
       BIO *bioS;
  @@ -158,7 +158,7 @@
   }
   #endif
   
  -EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
  +EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
   {
       EVP_PKEY *rc;
       BIO *bioS;
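Review bot: `SSL_read_PrivateKey` keeps its `void *s` parameter, but under SSL-C `modssl_read_bio_cb_fn` has no user-data argument (the SSL-C typedef in ssl_toolkit_compat.h is `int (char*,int,int)`), so `s` presumably cannot be forwarded to `cb` on that toolkit and the callback falls back to the `ssl_pphrase_server_rec` static instead; the body is outside the hunk, so I cannot see how `s` is actually consumed. A comment on the parameter, `/* s: user data handed to cb on OpenSSL; SSL-C's callback has no such argument, see ssl_pphrase_Handle_CB */`, would keep callers from relying on it being delivered everywhere.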
  @@ -430,7 +430,7 @@
           return FALSE;
       }
   
  -    if (BIO_read_filename(in, filename) <= 0) {
  +    if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
           BIO_free(in);
           return FALSE;
       }
  @@ -493,7 +493,7 @@
    * should be sent to the peer in the SSL Certificate message.
    */
   int SSL_CTX_use_certificate_chain(
  -    SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
  +    SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
   {
       BIO *bio;
       X509 *x509;
  
  
  
  1.17.2.2  +3 -3      httpd-2.0/modules/ssl/ssl_util_ssl.h
  
  Index: ssl_util_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util_ssl.h,v
  retrieving revision 1.17.2.1
  retrieving revision 1.17.2.2
  diff -u -r1.17.2.1 -r1.17.2.2
  --- ssl_util_ssl.h	3 Feb 2003 17:31:54 -0000	1.17.2.1
  +++ ssl_util_ssl.h	16 May 2003 18:12:19 -0000	1.17.2.2
  @@ -90,8 +90,8 @@
   void        SSL_init_app_data2_idx(void);
   void       *SSL_get_app_data2(SSL *);
   void        SSL_set_app_data2(SSL *, void *);
  -X509       *SSL_read_X509(char *, X509 **, int (*)(char*,int,int,void*));
  -EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, int (*)(char*,int,int,void*), void *);
  +X509       *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
  +EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
   int         SSL_smart_shutdown(SSL *ssl);
   X509_STORE *SSL_X509_STORE_create(char *, char *);
   int         SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
  @@ -101,7 +101,7 @@
   BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
   BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
   BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
  -int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)(char*,int,int,void*));
  +int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
   char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
   
   /* util functions for OpenSSL+sslc compat */