Posted to cvs@httpd.apache.org by kb...@apache.org on 2011/08/07 12:34:32 UTC
svn commit: r1154687 - in /httpd/httpd/trunk: ./ modules/ssl/
Author: kbrand
Date: Sun Aug 7 10:34:31 2011
New Revision: 1154687
URL: http://svn.apache.org/viewvc?rev=1154687&view=rev
Log:
Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.
Replace the macros with the OpenSSL calls or values they expanded to
where feasible, and keep in ssl_private.h only those definitions
which depend on specific OpenSSL versions.
Removed:
httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/mod_ssl.dsp
httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util.c
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Aug 7 10:34:31 2011
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.3.15
+ *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
+
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.dsp
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.dsp?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.dsp (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.dsp Sun Aug 7 10:34:31 2011
@@ -184,10 +184,6 @@ SOURCE=.\ssl_private.h
# End Source File
# Begin Source File
-SOURCE=.\ssl_toolkit_compat.h
-# End Source File
-# Begin Source File
-
SOURCE=.\ssl_util_ssl.h
# End Source File
# Begin Source File
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_dh.c Sun Aug 7 10:34:31 2011
@@ -69,8 +69,20 @@ static unsigned char dh512_g[] = {
static DH *get_dh512(void)
{
- return modssl_dh_configure(dh512_p, sizeof(dh512_p),
- dh512_g, sizeof(dh512_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
}
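Review bot: The DH_new()/BN_bin2bn() sequence inlined into get_dh512() is now duplicated verbatim in get_dh1024() and in the Perl template further down that regenerates these functions, so any later change (a sanity check on the loaded parameters, or an adjustment if the `dh->p`/`dh->g` members ever stop being directly writable) has to be made in three places. A file-local `static` helper with the signature of the deleted modssl_dh_configure() keeps the generated functions one-liners without the cross-file dependency this commit removes. The direct field writes are fine for the OpenSSL versions ssl_private.h currently targets, as far as I can tell, but a one-line comment saying so would help the next person who touches this.
```c
/* Builds a DH object from raw big-endian p and g; shared by the generated get_dhNNNN(). */
static DH *modssl_dh_configure(const unsigned char *p, int plen,
                               const unsigned char *g, int glen)
{
    DH *dh = DH_new();

    if (!dh) {
        return NULL;
    }
    dh->p = BN_bin2bn(p, plen, NULL);
    dh->g = BN_bin2bn(g, glen, NULL);
    if (!(dh->p && dh->g)) {
        DH_free(dh);
        return NULL;
    }
    return dh;
}

static DH *get_dh512(void)
{
    return modssl_dh_configure(dh512_p, sizeof(dh512_p),
                               dh512_g, sizeof(dh512_g));
}
```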
static unsigned char dh1024_p[] = {
@@ -92,8 +104,20 @@ static unsigned char dh1024_g[] = {
static DH *get_dh1024(void)
{
- return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
- dh1024_g, sizeof(dh1024_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
}
/* ----END GENERATED SECTION---------- */
@@ -187,8 +211,20 @@ $dhsource .= $_ while (<FP>);
close(FP);
$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
{
- return modssl_dh_configure(dh$2_p, sizeof(dh$2_p),
- dh$2_g, sizeof(dh$2_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
+ dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
}
|sg;
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Aug 7 10:34:31 2011
@@ -642,8 +642,8 @@ static void ssl_init_ctx_verify(server_r
"Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx,
- MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
- MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path))
{
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to configure verify locations "
@@ -705,7 +705,7 @@ static void ssl_init_ctx_cipher_suite(se
"Configuring permitted SSL ciphers [%s]",
suite);
- if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
+ if (!SSL_CTX_set_cipher_list(ctx, suite)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to configure permitted SSL ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
@@ -1278,7 +1278,7 @@ static void ssl_init_PushCAList(STACK_OF
STACK_OF(X509_NAME) *sk;
sk = (STACK_OF(X509_NAME) *)
- SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
+ SSL_load_client_CA_file(file);
if (!sk) {
return;
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sun Aug 7 10:34:31 2011
@@ -1872,7 +1872,7 @@ void ssl_io_filter_register(apr_pool_t *
#define DUMP_WIDTH 16
static void ssl_io_data_dump(server_rec *srvr,
- MODSSL_BIO_CB_ARG_TYPE *s,
+ const char *s,
long len)
{
char buf[256];
@@ -1937,7 +1937,7 @@ static void ssl_io_data_dump(server_rec
}
long ssl_io_data_cb(BIO *bio, int cmd,
- MODSSL_BIO_CB_ARG_TYPE *argp,
+ const char *argp,
int argi, long argl, long rc)
{
SSL *ssl;
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sun Aug 7 10:34:31 2011
@@ -407,9 +407,9 @@ int ssl_hook_Access(request_rec *r)
/* configure new state */
if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
- !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
- dc->szCipherSuite :
- sc->server->auth.cipher_suite)) {
+ !SSL_set_cipher_list(ssl, dc->szCipherSuite ?
+ dc->szCipherSuite :
+ sc->server->auth.cipher_suite)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
@@ -546,7 +546,7 @@ int ssl_hook_Access(request_rec *r)
verify |= SSL_VERIFY_PEER;
}
- modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
+ SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
@@ -606,7 +606,7 @@ int ssl_hook_Access(request_rec *r)
"'require' and VirtualHost-specific CA certificate "
"list is only available to clients with TLS server "
"name indication (SNI) support");
- modssl_set_verify(ssl, verify_old, NULL);
+ SSL_set_verify(ssl, verify_old, NULL);
return HTTP_FORBIDDEN;
} else
/* let it pass, possibly with an "incorrect" peer cert,
@@ -695,7 +695,7 @@ int ssl_hook_Access(request_rec *r)
* we put it back here for the purpose of quick_renegotiation.
*/
cert_stack = sk_X509_new_null();
- sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
+ sk_X509_push(cert_stack, cert);
}
if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
@@ -729,7 +729,7 @@ int ssl_hook_Access(request_rec *r)
SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)ssl);
- if (!modssl_X509_verify_cert(&cert_store_ctx)) {
+ if (!X509_verify_cert(&cert_store_ctx)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Re-negotiation verification step failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -798,11 +798,11 @@ int ssl_hook_Access(request_rec *r)
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Awaiting re-negotiation handshake");
- /* XXX: Should replace SSL_set_state with SSL_renegotiate(ssl);
+ /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
- SSL_set_state(ssl, SSL_ST_ACCEPT);
+ ssl->state = SSL_ST_ACCEPT;
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
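Review bot: `ssl->state = SSL_ST_ACCEPT;` now pokes an internal field of the SSL object to force the handshake state machine back into accept, and the reworded XXX comment still defers the documented `SSL_renegotiate(ssl)` route; since this is the path that re-runs client verification under stricter per-directory settings, the line deserves an explicit `/* NOTE: direct write to OpenSSL's SSL struct; re-check on every OpenSSL upgrade */` so nobody mistakes it for a supported API. The result of `SSL_do_handshake(ssl)` on the next line is also not inspected, so a renegotiation that fails to start is only caught by whatever follows the reneg_state bookkeeping. The remainder of ssl_hook_Access() is outside the hunk, so I cannot see whether a later check covers that case.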
@@ -1021,7 +1021,7 @@ int ssl_hook_UserCheck(request_rec *r)
X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
char *cp = X509_NAME_oneline(name, NULL, 0);
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
}
clientdn = (char *)sslconn->client_dn;
@@ -1731,7 +1731,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X
X509_REVOKED *revoked =
sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
- ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
+ ASN1_INTEGER *sn = revoked->serialNumber;
if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
if (APLOGdebug(s)) {
@@ -1742,7 +1742,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X
"Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s",
serial, serial, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
}
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
@@ -1789,11 +1789,11 @@ static void modssl_proxy_info_log(server
*/
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
- X509_reference_inc(*cert); \
+ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
*pkey = info->x_pkey->dec_pkey; \
- EVP_PKEY_reference_inc(*pkey)
+ CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
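Review bot: The reference-count increment on the EVP_PKEY uses `CRYPTO_LOCK_X509_PKEY`, whereas OpenSSL's own `EVP_PKEY_free()` decrements `references` under `CRYPTO_LOCK_EVP_PKEY`; with a threaded MPM the increment and the decrement are then serialized by different locks, so a concurrent free can race the increment and leave the count off by one, i.e. a leak or a premature free of the proxy client key. Unless that lock ID was chosen deliberately (it looks copied from the old compat macro, so it may simply be historical), the line should read `CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_EVP_PKEY)`. The macro also expands to several statements without a `do { } while (0)` wrapper, which is only safe while every use site is a plain statement.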
@@ -1911,11 +1911,11 @@ int ssl_callback_NewSessionCacheEntry(SS
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
- id = SSL_SESSION_get_session_id(session);
- idlen = SSL_SESSION_get_session_id_length(session);
+ id = session->session_id;
+ idlen = session->session_id_length;
rc = ssl_scache_store(s, id, idlen,
- apr_time_from_sec(modssl_session_get_time(session)
+ apr_time_from_sec(SSL_SESSION_get_time(session)
+ timeout),
session, conn->pool);
@@ -1992,8 +1992,8 @@ void ssl_callback_DelSessionCacheEntry(S
/*
* Remove the SSL_SESSION from the inter-process cache
*/
- id = SSL_SESSION_get_session_id(session);
- idlen = SSL_SESSION_get_session_id_length(session);
+ id = session->session_id;
+ idlen = session->session_id_length;
/* TODO: Do we need a temp pool here, or are we always shutting down? */
ssl_scache_remove(s, id, idlen, sc->mc->pPool);
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Sun Aug 7 10:34:31 2011
@@ -139,15 +139,15 @@ void ssl_log_cxerror(const char *file, i
serial ? serial : "-unknown-");
if (sname) {
- modssl_free(sname);
+ OPENSSL_free(sname);
}
if (iname) {
- modssl_free(iname);
+ OPENSSL_free(iname);
}
if (serial) {
- modssl_free(serial);
+ OPENSSL_free(serial);
}
if (bn) {
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sun Aug 7 10:34:31 2011
@@ -336,8 +336,8 @@ static char *ssl_var_lookup_ssl(apr_pool
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
result = apr_pstrdup(p, SSL_SESSION_id2sz(
- SSL_SESSION_get_session_id(pSession),
- SSL_SESSION_get_session_id_length(pSession),
+ pSession->session_id,
+ pSession->session_id_length,
buf, sizeof(buf)));
}
}
@@ -404,7 +404,7 @@ static char *ssl_var_lookup_ssl_cert_dn_
if (legacy_format) {
char *cp = X509_NAME_oneline(xsname, NULL, 0);
result = apr_pstrdup(p, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
}
else {
BIO* bio;
@@ -471,13 +471,13 @@ static char *ssl_var_lookup_ssl_cert(apr
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
@@ -540,10 +540,10 @@ static char *ssl_var_lookup_ssl_cert_dn(
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsname));
+ xsname->entries);
j++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsname), j);
+ xsname->entries, j);
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
@@ -764,7 +764,7 @@ static char *ssl_var_lookup_ssl_version(
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
- STACK_OF(X509_NAME_ENTRY) *ents = X509_NAME_get_entries(xn);
+ STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Aug 7 10:34:31 2011
@@ -54,9 +54,18 @@
#include "ap_socache.h"
#include "mod_auth.h"
+/* The #ifdef macros are only defined AFTER including the above
+ * therefore we cannot include these system files at the top :-(
+ */
#ifdef APR_HAVE_STDLIB_H
#include <stdlib.h>
#endif
+#if APR_HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#if APR_HAVE_UNISTD_H
+#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+#endif
#ifndef FALSE
#define FALSE 0
@@ -70,32 +79,105 @@
#define BOOL unsigned int
#endif
-/* mod_ssl headers */
-#include "ssl_toolkit_compat.h"
#include "ap_expr.h"
-#include "ssl_util_ssl.h"
-/* The #ifdef macros are only defined AFTER including the above
- * therefore we cannot include these system files at the top :-(
+/* OpenSSL headers */
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+/* hack for non-configure platforms (NetWare, Win32) */
+#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
+#define HAVE_OCSP
+#endif
+#ifdef HAVE_OCSP
+#include <openssl/x509_vfy.h>
+#include <openssl/ocsp.h>
+#endif
+
+/* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
*/
-#if APR_HAVE_SYS_TIME_H
-#include <sys/time.h>
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#include <openssl/engine.h>
#endif
-#if APR_HAVE_UNISTD_H
-#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+
+/* ...shifting sands of OpenSSL... */
+#if (OPENSSL_VERSION_NUMBER < 0x00907000)
+# define MODSSL_INFO_CB_ARG_TYPE SSL*
+#else
+# define MODSSL_INFO_CB_ARG_TYPE const SSL*
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
+#define MODSSL_D2I_SSL_SESSION_CONST const
+#else
+#define MODSSL_D2I_SSL_SESSION_CONST
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#define HAVE_GENERATE_EX
+#define MODSSL_D2I_ASN1_type_bytes_CONST const
+#define MODSSL_D2I_PrivateKey_CONST const
+#define MODSSL_D2I_X509_CONST const
+#else
+#define MODSSL_D2I_ASN1_type_bytes_CONST
+#define MODSSL_D2I_PrivateKey_CONST
+#define MODSSL_D2I_X509_CONST
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_OCSP_STAPLING
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define sk_OPENSSL_STRING_pop sk_pop
+#endif
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+#define MODSSL_SSL_CIPHER_CONST const
+#define MODSSL_SSL_METHOD_CONST const
+#else
+#define MODSSL_SSL_CIPHER_CONST
+#define MODSSL_SSL_METHOD_CONST
+/* ECC support came along in OpenSSL 1.0.0 */
+#define OPENSSL_NO_EC
+#endif
+
+#ifndef PEM_F_DEF_CALLBACK
+#ifdef PEM_F_PEM_DEF_CALLBACK
+/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
+#endif
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#define OPENSSL_NO_TLSEXT
+#endif
+#endif
+
+#ifndef sk_STRING_pop
+#define sk_STRING_pop sk_pop
+#endif
+
+/* mod_ssl headers */
+#include "ssl_util_ssl.h"
+
APLOG_USE_MODULE(ssl);
/*
* Provide reasonable default for some defines
*/
-#ifndef FALSE
-#define FALSE (0)
-#endif
-#ifndef TRUE
-#define TRUE (!FALSE)
-#endif
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
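Review bot: `HAVE_OCSP_STAPLING` is derived purely from `OPENSSL_VERSION_NUMBER` and the `OPENSSL_NO_OCSP`/`OPENSSL_NO_TLSEXT` macros, independently of `HAVE_OCSP`, which is what gates the `<openssl/ocsp.h>` include a few lines above; on a configure-driven build where HAVE_OCSP ends up undefined while the version test still passes, the stapling code would be compiled without the OCSP declarations. Making the dependency explicit, `#if defined(HAVE_OCSP) && OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_TLSEXT)`, avoids that. Separately, now that everything assumes OpenSSL, a single `#if OPENSSL_VERSION_NUMBER < 0x00907000 ... #error` stating the supported floor would document the minimum version and let the remaining pre-0.9.7 branches (MODSSL_INFO_CB_ARG_TYPE, HAVE_OCSP hack) be dropped, if that floor is indeed intended.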
@@ -116,9 +198,6 @@ APLOG_USE_MODULE(ssl);
/**
* Provide reasonable defines for some types
*/
-#ifndef BOOL
-#define BOOL unsigned int
-#endif
#ifndef UCHAR
#define UCHAR unsigned char
#endif
@@ -674,7 +753,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *,
#endif
int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
@@ -717,7 +796,7 @@ int ssl_stapling_init_cert(serv
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);
-long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
+long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
Modified: httpd/httpd/trunk/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util.c Sun Aug 7 10:34:31 2011
@@ -143,7 +143,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
if (pCert != NULL)
pFreeKey = pKey = X509_get_pubkey(pCert);
if (pKey != NULL) {
- switch (EVP_PKEY_key_type(pKey)) {
+ switch (EVP_PKEY_type(pKey->type)) {
case EVP_PKEY_RSA:
t = SSL_ALGO_RSA;
break;
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sun Aug 7 10:34:31 2011
@@ -74,7 +74,7 @@ void SSL_set_app_data2(SSL *ssl, void *a
** _________________________________________________________________
*/
-X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
+X509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
{
X509 *rc;
BIO *bioS;
@@ -83,7 +83,7 @@ X509 *SSL_read_X509(char* filename, X509
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
- rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
+ rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
BIO_free(bioS);
if (rc == NULL) {
@@ -125,7 +125,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO
}
#endif
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
{
EVP_PKEY *rc;
BIO *bioS;
@@ -134,7 +134,7 @@ EVP_PKEY *SSL_read_PrivateKey(char* file
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
- rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
+ rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
BIO_free(bioS);
if (rc == NULL) {
@@ -275,7 +275,7 @@ char *SSL_make_ciphersuite(apr_pool_t *p
memcpy(cp, SSL_CIPHER_get_name(c), l);
cp += l;
*cp++ = '/';
- *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
+ *cp++ = (c->valid == 1 ? '1' : '0');
*cp++ = ':';
}
*(cp-1) = NUL;
@@ -373,9 +373,9 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509
xsn = X509_get_subject_name(xs);
for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsn)); i++) {
+ xsn->entries); i++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsn), i);
+ xsn->entries, i);
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (nid == NID_commonName) {
*cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
@@ -401,14 +401,14 @@ BOOL SSL_X509_INFO_load_file(apr_pool_t
return FALSE;
}
- if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
+ if (BIO_read_filename(in, filename) <= 0) {
BIO_free(in);
return FALSE;
}
ERR_clear_error();
- modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+ PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
BIO_free(in);
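Review bot: The return value of `PEM_X509_INFO_read_bio(in, sk, NULL, NULL)` is discarded, so a CA file that is truncated or corrupt partway through leaves `sk` partially populated while the caller is told it loaded fine — for trust material that means silently trusting fewer certificates than configured, with no log line. OpenSSL reports the normal end-of-file as success and returns NULL only on a real parse error, and on that error path it may already have freed the X509_INFO entries pushed so far, so continuing to use `sk` after a NULL return is unsafe as far as I can tell; this should become `if (!PEM_X509_INFO_read_bio(in, sk, NULL, NULL)) { BIO_free(in); return FALSE; }`. The function's final return statement lies outside the hunk.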
@@ -464,7 +464,7 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
* should be sent to the peer in the SSL Certificate message.
*/
int SSL_CTX_use_certificate_chain(
- SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
+ SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
{
BIO *bio;
X509 *x509;
@@ -480,21 +480,21 @@ int SSL_CTX_use_certificate_chain(
}
/* optionally skip a leading server certificate */
if (skipfirst) {
- if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+ if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
BIO_free(bio);
return -1;
}
X509_free(x509);
}
/* free a perhaps already configured extra chain */
- extra_certs=SSL_CTX_get_extra_certs(ctx);
+ extra_certs = ctx->extra_certs;
if (extra_certs != NULL) {
sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
- SSL_CTX_set_extra_certs(ctx,NULL);
+ ctx->extra_certs = NULL;
}
/* create new extra chain by loading the certs */
n = 0;
- while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
X509_free(x509);
BIO_free(bio);
@@ -535,26 +535,3 @@ char *SSL_SESSION_id2sz(unsigned char *i
*cp = NUL;
return str;
}
-int modssl_session_get_time(SSL_SESSION *session)
-{
- return SSL_SESSION_get_time(session);
-}
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
- unsigned char *g, int glen)
-{
- DH *dh;
-
- if (!(dh = DH_new())) {
- return NULL;
- }
-
- dh->p = BN_bin2bn(p, plen, NULL);
- dh->g = BN_bin2bn(g, glen, NULL);
- if (!(dh->p && dh->g)) {
- DH_free(dh);
- return NULL;
- }
-
- return dh;
-}
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1154687&r1=1154686&r2=1154687&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sun Aug 7 10:34:31 2011
@@ -60,8 +60,8 @@
void SSL_init_app_data2_idx(void);
void *SSL_get_app_data2(SSL *);
void SSL_set_app_data2(SSL *, void *);
-X509 *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
-EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
+X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
+EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
int SSL_smart_shutdown(SSL *ssl);
X509_STORE *SSL_X509_STORE_create(char *, char *);
int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
@@ -72,14 +72,9 @@ char *SSL_X509_NAME_ENTRY_to_strin
BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
+int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
-int modssl_session_get_time(SSL_SESSION *session);
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
- unsigned char *g, int glen);
-
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */