You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2021/12/11 12:57:53 UTC
svn commit: r1895808 - in /httpd/httpd/branches/2.4.x: ./ modules/http2/ modules/ssl/
Author: ylavic
Date: Sat Dec 11 12:57:53 2021
New Revision: 1895808
URL: http://svn.apache.org/viewvc?rev=1895808&view=rev
Log:
Revert r1895807 [skip ci].
Modified:
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/http2/h2_session.c
httpd/httpd/branches/2.4.x/modules/http2/h2_version.h
httpd/httpd/branches/2.4.x/modules/http2/h2_workers.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sat Dec 11 12:57:53 2021
@@ -145,28 +145,7 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Updates to support OpenSSL 3.x
- trunk patch: https://svn.apache.org/r1519264
- https://svn.apache.org/r1737657
- https://svn.apache.org/r1876934
- https://svn.apache.org/r1876936
- https://svn.apache.org/r1876938
- https://svn.apache.org/r1890067
- https://svn.apache.org/r1890076
- https://svn.apache.org/r1891138
- https://svn.apache.org/r1893876
- https://svn.apache.org/r1893964
- https://svn.apache.org/r1894716
- https://svn.apache.org/r1895774
- backport PR: https://github.com/apache/httpd/pull/258
- 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/258.patch
- or https://people.apache.org/~jorton/mod_ssl-openssl3.patch
- +1: jorton, minfrin, ylavic
- *) mod_http2: fixes PR65731 and https://github.com/icing/mod_h2/issues/212
- trunk patch: na, fixed on 2.4.x source base
- backport PR: https://github.com/apache/httpd/pull/281
- +1: icing, minfrin, ylavic
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
@@ -217,6 +196,29 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
w.r.t. num_buckets > 1 and ease merging of r1895553, with r1895550 for
correctness of active_daemons used in r1895553 and r1895630.
+ *) mod_http2: fixes PR65731 and https://github.com/icing/mod_h2/issues/212
+ trunk patch: na, fixed on 2.4.x source base
+ backport PR: https://github.com/apache/httpd/pull/281
+ +1: icing, minfrin
+
+ *) mod_ssl: Updates to support OpenSSL 3.x
+ trunk patch: https://svn.apache.org/r1519264
+ https://svn.apache.org/r1737657
+ https://svn.apache.org/r1876934
+ https://svn.apache.org/r1876936
+ https://svn.apache.org/r1876938
+ https://svn.apache.org/r1890067
+ https://svn.apache.org/r1890076
+ https://svn.apache.org/r1891138
+ https://svn.apache.org/r1893876
+ https://svn.apache.org/r1893964
+ https://svn.apache.org/r1894716
+ https://svn.apache.org/r1895774
+ backport PR: https://github.com/apache/httpd/pull/258
+ 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/258.patch
+ or https://people.apache.org/~jorton/mod_ssl-openssl3.patch
+ +1: jorton, minfrin
+
PATCHES/ISSUES THAT ARE BEING WORKED
[ New entries should be added at the START of the list ]
Modified: httpd/httpd/branches/2.4.x/modules/http2/h2_session.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_session.c?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/http2/h2_session.c (original)
+++ httpd/httpd/branches/2.4.x/modules/http2/h2_session.c Sat Dec 11 12:57:53 2021
@@ -275,7 +275,7 @@ static int on_begin_headers_cb(nghttp2_s
const nghttp2_frame *frame, void *userp)
{
h2_session *session = (h2_session *)userp;
- h2_stream *s = NULL;
+ h2_stream *s;
/* We may see HEADERs at the start of a stream or after all DATA
* streams to carry trailers. */
@@ -284,7 +284,7 @@ static int on_begin_headers_cb(nghttp2_s
if (s) {
/* nop */
}
- else if (session->local.accepting) {
+ else {
s = h2_session_open_stream(userp, frame->hd.stream_id, 0);
}
return s? 0 : NGHTTP2_ERR_START_STREAM_NOT_ALLOWED;
@@ -2115,16 +2115,7 @@ apr_status_t h2_session_process(h2_sessi
now = apr_time_now();
session->have_read = session->have_written = 0;
- /* PR65731: we may get a new connection to process while the
- * MPM already is stopping. For example due to having reached
- * MaxRequestsPerChild limit.
- * Since this is supposed to handle things gracefully, we need to:
- * a) fully initialize the session before GOAWAYing
- * b) give the client the chance to submit at least one request
- */
- if (session->state != H2_SESSION_ST_INIT /* no longer intializing */
- && session->local.accepted_max > 0 /* have gotten at least one stream */
- && session->local.accepting /* have not already locally shut down */
+ if (session->local.accepting
&& !ap_mpm_query(AP_MPMQ_MPM_STATE, &mpm_state)) {
if (mpm_state == AP_MPMQ_STOPPING) {
dispatch_event(session, H2_SESSION_EV_MPM_STOPPING, 0, NULL);
Modified: httpd/httpd/branches/2.4.x/modules/http2/h2_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_version.h?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/http2/h2_version.h (original)
+++ httpd/httpd/branches/2.4.x/modules/http2/h2_version.h Sat Dec 11 12:57:53 2021
@@ -27,7 +27,7 @@
* @macro
* Version number of the http2 module as c string
*/
-#define MOD_HTTP2_VERSION "1.15.26"
+#define MOD_HTTP2_VERSION "1.15.24"
/**
* @macro
@@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_HTTP2_VERSION_NUM 0x010f1a
+#define MOD_HTTP2_VERSION_NUM 0x010f18
#endif /* mod_h2_h2_version_h */
Modified: httpd/httpd/branches/2.4.x/modules/http2/h2_workers.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_workers.c?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/http2/h2_workers.c (original)
+++ httpd/httpd/branches/2.4.x/modules/http2/h2_workers.c Sat Dec 11 12:57:53 2021
@@ -479,6 +479,8 @@ apr_status_t h2_workers_unregister(h2_wo
void h2_workers_graceful_shutdown(h2_workers *workers)
{
workers->shutdown = 1;
+ workers->min_workers = 1;
workers->max_idle_duration = apr_time_from_sec(1);
+ h2_fifo_term(workers->mplxs);
wake_non_essential_workers(workers);
}
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Sat Dec 11 12:57:53 2021
@@ -91,6 +91,7 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p
return 1;
}
+#endif
/*
* Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
@@ -170,7 +171,6 @@ DH *modssl_get_dh_params(unsigned keylen
return NULL; /* impossible to reach. */
}
-#endif
static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
server_rec *s)
@@ -440,9 +440,8 @@ apr_status_t ssl_init_Module(apr_pool_t
modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
init_dh_params();
-#else
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
init_bio_methods();
#endif
@@ -863,11 +862,7 @@ static void ssl_init_ctx_callbacks(serve
{
SSL_CTX *ctx = mctx->ssl_ctx;
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
- /* Note that for OpenSSL>=1.1, auto selection is enabled via
- * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
-#endif
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
@@ -876,23 +871,6 @@ static void ssl_init_ctx_callbacks(serve
#endif
}
-static APR_INLINE
-int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
- const char *file,
- const char *path)
-{
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- if (!SSL_CTX_load_verify_locations(ctx, file, path))
- return 0;
-#else
- if (file && !SSL_CTX_load_verify_file(ctx, file))
- return 0;
- if (path && !SSL_CTX_load_verify_dir(ctx, path))
- return 0;
-#endif
- return 1;
-}
-
static apr_status_t ssl_init_ctx_verify(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -933,8 +911,10 @@ static apr_status_t ssl_init_ctx_verify(
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"Configuring client authentication");
- if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
- mctx->auth.ca_cert_path)) {
+ if (!SSL_CTX_load_verify_locations(ctx,
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path))
+ {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
"Unable to configure verify locations "
"for client authentication");
@@ -1019,23 +999,6 @@ static apr_status_t ssl_init_ctx_cipher_
return APR_SUCCESS;
}
-static APR_INLINE
-int modssl_X509_STORE_load_locations(X509_STORE *store,
- const char *file,
- const char *path)
-{
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- if (!X509_STORE_load_locations(store, file, path))
- return 0;
-#else
- if (file && !X509_STORE_load_file(store, file))
- return 0;
- if (path && !X509_STORE_load_path(store, path))
- return 0;
-#endif
- return 1;
-}
-
static apr_status_t ssl_init_ctx_crl(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -1074,8 +1037,8 @@ static apr_status_t ssl_init_ctx_crl(ser
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
"Configuring certificate revocation facility");
- if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
- mctx->crl_path)) {
+ if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
+ mctx->crl_path)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
"Host %s: unable to configure X.509 CRL storage "
"for certificate revocation", mctx->sc->vhost_id);
@@ -1304,31 +1267,6 @@ static int ssl_no_passwd_prompt_cb(char
return 0;
}
-static APR_INLINE int modssl_DH_bits(DH *dh)
-{
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- return DH_bits(dh);
-#else
- return BN_num_bits(DH_get0_p(dh));
-#endif
-}
-
-/* SSL_CTX_use_PrivateKey_file() can fail either because the private
- * key was encrypted, or due to a mismatch between an already-loaded
- * cert and the key - a common misconfiguration - from calling
- * X509_check_private_key(). This macro is passed the last error code
- * off the OpenSSL stack and evaluates to true only for the first
- * case. With OpenSSL < 3 the second case is identifiable by the
- * function code, but function codes are not used from 3.0. */
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
-#else
-#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \
- || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
- && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
- && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
-#endif
-
static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -1339,7 +1277,7 @@ static apr_status_t ssl_init_server_cert
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
int i;
X509 *cert;
- DH *dh;
+ DH *dhparams;
#ifdef HAVE_ECC
EC_GROUP *ecparams = NULL;
int nid;
@@ -1434,7 +1372,8 @@ static apr_status_t ssl_init_server_cert
}
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1)
- && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
+ && (ERR_GET_FUNC(ERR_peek_last_error())
+ != X509_F_X509_CHECK_PRIVATE_KEY)) {
ssl_asn1_t *asn1;
const unsigned char *ptr;
@@ -1523,22 +1462,13 @@ static apr_status_t ssl_init_server_cert
*/
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
if (certfile && !modssl_is_engine_id(certfile)
- && (dh = ssl_dh_GetParamFromFile(certfile))) {
- /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
- * for OpenSSL 3.0+. */
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+ && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s",
- modssl_DH_bits(dh), vhost_id, certfile);
- DH_free(dh);
+ DH_bits(dhparams), vhost_id, certfile);
+ DH_free(dhparams);
}
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
- else {
- /* If no parameter is manually configured, enable auto
- * selection. */
- SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
- }
-#endif
#ifdef HAVE_ECC
/*
@@ -1588,7 +1518,6 @@ static apr_status_t ssl_init_ticket_key(
char buf[TLSEXT_TICKET_KEY_LEN];
char *path;
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
- int res;
if (!ticket_key->file_path) {
return APR_SUCCESS;
@@ -1616,22 +1545,11 @@ static apr_status_t ssl_init_ticket_key(
}
memcpy(ticket_key->key_name, buf, 16);
- memcpy(ticket_key->aes_key, buf + 32, 16);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
memcpy(ticket_key->hmac_secret, buf + 16, 16);
- res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
- ssl_callback_SessionTicket);
-#else
- ticket_key->mac_params[0] =
- OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
- ticket_key->mac_params[1] =
- OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
- ticket_key->mac_params[2] =
- OSSL_PARAM_construct_end();
- res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
- ssl_callback_SessionTicket);
-#endif
- if (!res) {
+ memcpy(ticket_key->aes_key, buf + 32, 16);
+
+ if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
+ ssl_callback_SessionTicket)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
"Unable to initialize TLS session ticket key callback "
"(incompatible OpenSSL version?)");
@@ -1762,7 +1680,7 @@ static apr_status_t ssl_init_proxy_certs
return ssl_die(s);
}
- modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
+ X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
for (n = 0; n < ncerts; n++) {
int i;
@@ -2359,11 +2277,10 @@ apr_status_t ssl_init_ModuleKill(void *d
}
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
- free_dh_params();
-#else
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
free_bio_methods();
#endif
+ free_dh_params();
return APR_SUCCESS;
}
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c Sat Dec 11 12:57:53 2021
@@ -194,10 +194,6 @@ static int bio_filter_destroy(BIO *bio)
static int bio_filter_out_read(BIO *bio, char *out, int outl)
{
/* this is never called */
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
- "BUG: %s() should not be called", "bio_filter_out_read");
- AP_DEBUG_ASSERT(0);
return -1;
}
@@ -297,20 +293,12 @@ static long bio_filter_out_ctrl(BIO *bio
static int bio_filter_out_gets(BIO *bio, char *buf, int size)
{
/* this is never called */
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
- "BUG: %s() should not be called", "bio_filter_out_gets");
- AP_DEBUG_ASSERT(0);
return -1;
}
static int bio_filter_out_puts(BIO *bio, const char *str)
{
/* this is never called */
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
- "BUG: %s() should not be called", "bio_filter_out_puts");
- AP_DEBUG_ASSERT(0);
return -1;
}
@@ -545,46 +533,22 @@ static int bio_filter_in_read(BIO *bio,
static int bio_filter_in_write(BIO *bio, const char *in, int inl)
{
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: %s() should not be called", "bio_filter_in_write");
- AP_DEBUG_ASSERT(0);
return -1;
}
static int bio_filter_in_puts(BIO *bio, const char *str)
{
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: %s() should not be called", "bio_filter_in_puts");
- AP_DEBUG_ASSERT(0);
return -1;
}
static int bio_filter_in_gets(BIO *bio, char *buf, int size)
{
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: %s() should not be called", "bio_filter_in_gets");
- AP_DEBUG_ASSERT(0);
return -1;
}
static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
{
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
- switch (cmd) {
-#ifdef BIO_CTRL_EOF
- case BIO_CTRL_EOF:
- return inctx->rc == APR_EOF;
-#endif
- default:
- break;
- }
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
- "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
- cmd);
- return 0;
+ return -1;
}
#if MODSSL_USE_OPENSSL_PRE_1_1_API
@@ -609,7 +573,7 @@ static BIO_METHOD bio_filter_in_method =
bio_filter_in_read,
bio_filter_in_puts, /* puts is never called */
bio_filter_in_gets, /* gets is never called */
- bio_filter_in_ctrl, /* ctrl is called for EOF check */
+ bio_filter_in_ctrl, /* ctrl is never called */
bio_filter_create,
bio_filter_destroy,
NULL
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Sat Dec 11 12:57:53 2021
@@ -1685,7 +1685,6 @@ const authz_provider ssl_authz_provider_
** _________________________________________________________________
*/
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
/*
* Hand out standard DH parameters, based on the authentication strength
*/
@@ -1731,7 +1730,6 @@ DH *ssl_callback_TmpDH(SSL *ssl, int exp
return modssl_get_dh_params(keylen);
}
-#endif
/*
* This OpenSSL callback function is called when OpenSSL
@@ -2616,11 +2614,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
unsigned char *keyname,
unsigned char *iv,
EVP_CIPHER_CTX *cipher_ctx,
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- HMAC_CTX *hmac_ctx,
-#else
- EVP_MAC_CTX *mac_ctx,
-#endif
+ HMAC_CTX *hctx,
int mode)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
@@ -2646,13 +2640,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
}
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
- tlsext_tick_md(), NULL);
-#else
- EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
-#endif
+ HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
"TLS session ticket key for %s successfully set, "
@@ -2673,13 +2661,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
- tlsext_tick_md(), NULL);
-#else
- EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
-#endif
+ HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
"TLS session ticket key for %s successfully set, "
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c Sat Dec 11 12:57:53 2021
@@ -78,16 +78,6 @@ apr_status_t ssl_die(server_rec *s)
return APR_EGENERAL;
}
-static APR_INLINE
-unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
-{
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- return ERR_peek_error_line_data(NULL, NULL, data, flags);
-#else
- return ERR_peek_error_data(data, flags);
-#endif
-}
-
/*
* Prints the SSL library error information.
*/
@@ -97,7 +87,7 @@ void ssl_log_ssl_error(const char *file,
const char *data;
int flags;
- while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
+ while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
const char *annotation;
char err[256];
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1895808&r1=1895807&r2=1895808&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Sat Dec 11 12:57:53 2021
@@ -89,9 +89,6 @@
/* must be defined before including ssl.h */
#define OPENSSL_NO_SSL_INTERN
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x30000000
-#include <openssl/core_names.h>
-#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
@@ -137,12 +134,13 @@
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
#define SSL_CTX_set_max_proto_version(ctx, version) \
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
* include most changes from OpenSSL >= 1.1 (new functions, macros,
* deprecations, ...), so we have to work around this...
*/
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
#else /* defined(LIBRESSL_VERSION_NUMBER) */
#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
#endif
@@ -683,11 +681,7 @@ typedef struct {
typedef struct {
const char *file_path;
unsigned char key_name[16];
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
unsigned char hmac_secret[16];
-#else
- OSSL_PARAM mac_params[3];
-#endif
unsigned char aes_key[16];
} modssl_ticket_key_t;
#endif
@@ -951,16 +945,8 @@ int ssl_callback_ServerNameIndi
int ssl_callback_ClientHello(SSL *, int *, void *);
#endif
#ifdef HAVE_TLS_SESSION_TICKETS
-int ssl_callback_SessionTicket(SSL *ssl,
- unsigned char *keyname,
- unsigned char *iv,
- EVP_CIPHER_CTX *cipher_ctx,
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- HMAC_CTX *hmac_ctx,
-#else
- EVP_MAC_CTX *mac_ctx,
-#endif
- int mode);
+int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif
#ifdef HAVE_TLS_ALPN
@@ -1138,12 +1124,10 @@ void ssl_init_ocsp_certificates(server_r
#endif
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
/* Retrieve DH parameters for given key length. Return value should
* be treated as unmutable, since it is stored in process-global
* memory. */
DH *modssl_get_dh_params(unsigned keylen);
-#endif
/* Returns non-zero if the request was made over SSL/TLS. If sslconn
* is non-NULL and the request is using SSL/TLS, sets *sslconn to the