Posted to cvs@httpd.apache.org by sf...@apache.org on 2011/12/29 09:59:44 UTC
svn commit: r1225477 - in /httpd/httpd/branches/2.4.x: ./
modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c
Author: sf
Date: Thu Dec 29 08:59:44 2011
New Revision: 1225477
URL: http://svn.apache.org/viewvc?rev=1225477&view=rev
Log:
Merge r1225476:
Don't use #ifdef inside macro calls
The behavior is undefined according to C99 6.10.3.11 and it breaks with
xlc on AIX
PR: 52394
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 29 08:59:44 2011
@@ -1,3 +1,3 @@
/httpd/httpd/branches/revert-ap-ldap:1150158-1150173
/httpd/httpd/branches/wombat-integration:723609-723841
-/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202236,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1206850,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210080,1210124,1210130,1210219,1210221,1210252,1210284,1210378,1210725,1210892,1210951,1210954,1211528,1211663,1211680,1212883,1213338,1213567,1214003,1214005,1214015,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1223048,1225060,1225197-1225198,1225380
+/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202236,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1206850,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210080,1210124,1210130,1210219,1210221,1210252,1210284,1210378,1210725,1210892,1210951,1210954,1211528,1211663,1211680,1212883,1213338,1213567,1214003,1214005,1214015,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1223048,1225060,1225197-1225198,1225380,1225476
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1225477&r1=1225476&r2=1225477&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Thu Dec 29 08:59:44 2011
@@ -35,6 +35,11 @@
** _________________________________________________________________
*/
+#ifndef OPENSSL_NO_EC
+#define KEYTYPES "RSA, DSA or ECC"
+#else
+#define KEYTYPES "RSA or DSA"
+#endif
static void ssl_add_version_components(apr_pool_t *p,
server_rec *s)
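Review bot: `KEYTYPES` is introduced without a comment and under a short, unprefixed name, so a reader who meets it inside the string concatenations in `ssl_init_server_certs` (the two hunks that follow) has to scroll back to learn it is a build-dependent string literal. A one-line comment above the `#ifndef` would cover it, for example `/* Key types this build can load; concatenated into the "no certificate / private key found" log messages */`. A name carrying the module's prefix would also make clear that the macro is local to mod_ssl and lower the chance of a clash with an included header; both call sites would need the same rename.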
@@ -1135,11 +1140,7 @@ static void ssl_init_server_certs(server
#endif
)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910)
-#ifndef OPENSSL_NO_EC
- "Oops, no RSA, DSA or ECC server certificate found "
-#else
- "Oops, no RSA or DSA server certificate found "
-#endif
+ "Oops, no " KEYTYPES " server certificate found "
"for '%s:%d'?!", s->server_hostname, s->port);
ssl_die();
}
@@ -1160,11 +1161,7 @@ static void ssl_init_server_certs(server
#endif
)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01911)
-#ifndef OPENSSL_NO_EC
- "Oops, no RSA, DSA or ECC server private key found?!");
-#else
- "Oops, no RSA or DSA server private key found?!");
-#endif
+ "Oops, no " KEYTYPES " server private key found?!");
ssl_die();
}
}
@@ -1460,21 +1457,17 @@ void ssl_init_CheckServers(server_rec *b
klen = strlen(key);
if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
- ap_log_error(APLOG_MARK,
-#ifdef OPENSSL_NO_TLSEXT
- APLOG_WARNING,
-#else
- APLOG_DEBUG,
-#endif
- 0,
- base_server,
#ifdef OPENSSL_NO_TLSEXT
- "Init: SSL server IP/port conflict: "
+ int level = APLOG_WARNING;
+ const char *problem = "conflict";
#else
- "Init: SSL server IP/port overlap: "
+ int level = APLOG_DEBUG;
+ const char *problem = "overlap";
#endif
+ ap_log_error(APLOG_MARK, level, 0, base_server,
+ "Init: SSL server IP/port %s: "
"%s (%s:%d) vs. %s (%s:%d)",
- ssl_util_vhostid(p, s),
+ problem, ssl_util_vhostid(p, s),
(s->defn_name ? s->defn_name : "unknown"),
s->defn_line_number,
ssl_util_vhostid(p, ps),
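Review bot: The rewritten `ap_log_error` call for the IP/port conflict/overlap message has no `APLOGNO(...)` tag, while the other calls this commit touches in the file (01910, 01911, 01917 and the new 02292) all carry one. Now that both build variants share a single format string, a tag could be attached to it, e.g. `ap_log_error(APLOG_MARK, level, 0, base_server, APLOGNO(<newly allocated id>)`, with the number taken from the project's allocation rather than reused. When `OPENSSL_NO_TLSEXT` is defined this line is the WARNING that two SSL virtual hosts share an address, so a stable id makes it easier to match in log monitoring. The call's remaining arguments and the enclosing loop of `ssl_init_CheckServers` continue outside the hunk.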
@@ -1488,11 +1481,12 @@ void ssl_init_CheckServers(server_rec *b
}
if (conflict) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
#ifdef OPENSSL_NO_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
"Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!");
#else
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(02292)
"Init: Name-based SSL virtual hosts only "
"work for clients with TLS server name indication "
"support (RFC 4366)");
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1225477&r1=1225476&r2=1225477&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Thu Dec 29 08:59:44 2011
@@ -745,6 +745,7 @@ int ssl_hook_Access(request_rec *r)
}
}
else {
+ const char *reneg_support;
request_rec *id = r->main ? r->main : r;
/* Additional mitigation for CVE-2009-3555: At this point,
@@ -764,17 +765,17 @@ int ssl_hook_Access(request_rec *r)
r->connection->keepalive = AP_CONN_CLOSE;
}
+#if defined(SSL_get_secure_renegotiation_support)
+ reneg_support = SSL_get_secure_renegotiation_support(ssl) ?
+ "client does" : "client does not";
+#else
+ reneg_support = "server does not";
+#endif
/* Perform a full renegotiation. */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02260)
"Performing full renegotiation: complete handshake "
"protocol (%s support secure renegotiation)",
-#if defined(SSL_get_secure_renegotiation_support)
- SSL_get_secure_renegotiation_support(ssl) ?
- "client does" : "client does not"
-#else
- "server does not"
-#endif
- );
+ reneg_support);
SSL_set_session_id_context(ssl,
(unsigned char *)&id,
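Review bot: The `#if defined(SSL_get_secure_renegotiation_support)` test only detects the feature while the OpenSSL headers provide that name as a macro. If a build's headers declared it as a function instead, the `#else` branch would be compiled and the debug line would report "server does not" regardless of what the library supports. Because this message sits beside the CVE-2009-3555 mitigation and is what an operator reads when judging renegotiation safety, the assumption deserves a comment on the `#if`, for example `/* relies on OpenSSL defining this as a macro; if undefined, assume no secure renegotiation support */`. `reneg_support` is assigned in both preprocessor branches before the `ap_log_rerror` call, so it is not read uninitialised. The enclosing `else` block of `ssl_hook_Access` opens in the previous hunk and ends outside this one.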