Posted to cvs@httpd.apache.org by yl...@apache.org on 2017/07/29 23:05:03 UTC

svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Author: ylavic
Date: Sat Jul 29 23:05:02 2017
New Revision: 1803396

URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
Log:
mod_ssl, ab: compatibility with LibreSSL.  PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic


Modified:
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util.c
    httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
    httpd/httpd/trunk/support/ab.c

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Jul 29 23:05:02 2017
@@ -354,7 +354,7 @@ static apr_status_t ssl_cleanup_pre_conf
 #endif
 
     /* Usually needed per thread, but this parent process is single-threaded */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
     ERR_remove_thread_state(NULL);
 #else
@@ -398,15 +398,15 @@ static int ssl_hook_pre_config(apr_pool_
     /* Some OpenSSL internals are allocated per-thread, make sure they
      * are associated to the/our same thread-id until cleaned up.
      */
-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
     ssl_util_thread_id_setup(pconf);
 #endif
 
     /* We must register the library in full, to ensure our configuration
      * code can successfully test the SSL environment.
      */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    CRYPTO_malloc_init();
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+    (void)CRYPTO_malloc_init();
 #else
     OPENSSL_malloc_init();
 #endif
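Review bot: The `(void)` cast now placed in front of `CRYPTO_malloc_init()` carries no comment saying why it is there, and the next person tidying these two branches will be tempted to drop it. Presumably some library headers expand the macro to a bare value expression (a constant or a non-void call) so the statement otherwise trips unused-value warnings; a one-line `/* (void): some libraries expand this to a value expression, silence unused-value warnings */` would pin that down. ssl_hook_pre_config continues outside the hunk.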

Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
@@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct
         return APR_EINVAL;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     ctx = EVP_MD_CTX_create();
 #else
     ctx = EVP_MD_CTX_new();
@@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct
     ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
                                     sctf->signed_data_len));
     rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     EVP_MD_CTX_destroy(ctx);
 #else
     EVP_MD_CTX_free(ctx);

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Jul 29 23:05:02 2017
@@ -50,7 +50,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
 #define KEYTYPES "RSA or DSA"
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /* OpenSSL Pre-1.1.0 compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
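Review bot: The pre-1.1 compatibility shims that start here (`DH_set0_pqg` and whatever follows it past the hunk) are now compiled for every LibreSSL release, because the ssl_private.h hunk defines `MODSSL_USE_OPENSSL_PRE_1_1_API` as `(1)` whenever `LIBRESSL_VERSION_NUMBER` is set, with no upper bound. If a later LibreSSL starts shipping these accessors itself, these static definitions will presumably collide with the library's declarations at compile time, which is a better outcome than silently diverging but still a surprise for packagers. A version ceiling on the LibreSSL branch of the macro, or a per-function `#ifndef` guard, would make that boundary explicit. Both the `#if` block and the DH_set0_pqg body end outside the hunk.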
@@ -253,7 +253,7 @@ apr_status_t ssl_init_Module(apr_pool_t
 #endif
     }
 
-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
     ssl_util_thread_setup(p);
 #endif
 
@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t
     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
 
     init_dh_params();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
     init_bio_methods();
 #endif
 
@@ -1324,7 +1324,7 @@ static apr_status_t ssl_init_server_cert
      * or configure NIST P-256 (required to enable ECDHE for earlier versions)
      * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
      */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     else {
 #if defined(SSL_CTX_set_ecdh_auto)
         SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
@@ -2079,7 +2079,7 @@ apr_status_t ssl_init_ModuleKill(void *d
 
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
     free_bio_methods();
 #endif
     free_dh_params();

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sat Jul 29 23:05:02 2017
@@ -165,7 +165,7 @@ static int bio_filter_create(BIO *bio)
 {
     BIO_set_shutdown(bio, 1);
     BIO_set_init(bio, 1);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     /* No setter method for OpenSSL 1.1.0 available,
      * but I can't find any functional use of the
      * "num" field there either.
@@ -578,7 +578,7 @@ static long bio_filter_in_ctrl(BIO *bio,
     return -1;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
         
 static BIO_METHOD bio_filter_out_method = {
     BIO_TYPE_MEM,
@@ -2080,7 +2080,7 @@ static void ssl_io_input_add_filter(ssl_
 
     filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
 #else
     filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
@@ -2115,7 +2115,7 @@ void ssl_io_filter_init(conn_rec *c, req
     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
                                                        filter_ctx, r, c);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
 #else
     filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Jul 29 23:05:02 2017
@@ -1745,7 +1745,7 @@ static void modssl_proxy_info_log(conn_r
  * so we need to increment here to prevent them from
  * being freed.
  */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define modssl_set_cert_info(info, cert, pkey) \
     *cert = info->x509; \
     CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Jul 29 23:05:02 2017
@@ -114,7 +114,7 @@ static apr_status_t ssl_get_tls_cb(apr_p
     else if (x != NULL) {
         const EVP_MD *md;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
         md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
 #else
         md = EVP_get_digestbynid(X509_get_signature_nid(x));
@@ -603,7 +603,7 @@ static char *ssl_var_lookup_ssl_cert(apr
         resdup = FALSE;
     }
     else if (strcEQ(var, "A_SIG")) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
 #else
         const ASN1_OBJECT *paobj;

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Jul 29 23:05:02 2017
@@ -123,6 +123,25 @@
 #define MODSSL_SSL_METHOD_CONST
 #endif
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#if LIBRESSL_VERSION_NUMBER < 0x2060000f
+#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
+#define SSL_CTX_set_min_proto_version(ctx, version) \
+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+#endif
+/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
+ * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
+ * we have to work around this...
+ */
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
 #if defined(OPENSSL_FIPS)
 #define HAVE_FIPS
 #endif
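Review bot: The fallback `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` macros for LibreSSL < 2.6 route through `SSL_CTX_ctrl` with hard-coded command numbers 123/124, and if a given library build does not implement those commands the call presumably just returns 0, so the protocol floor or ceiling requested via SSLProtocol is silently not applied. Whether the callers check the return value is not visible in this diff; they should log or fail hard when a requested bound is rejected rather than continue with the library's own defaults, since that is a downgrade of the configured policy. A comment on the shim such as `/* SSL_CTX_ctrl() returns 0 for an unsupported command: callers must check the result */` would state the contract. The identical shim is repeated verbatim (with different indentation) in the support/ab.c hunk; a shared header would keep the two copies from drifting apart.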
@@ -136,7 +155,7 @@
 #endif
 
 /* session id constness */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define IDCONST
 #else
 #define IDCONST const
@@ -199,7 +218,7 @@
 
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
 #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
 #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
@@ -219,7 +238,7 @@ void init_bio_methods(void);
 void free_bio_methods(void);
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
 #define X509_STORE_CTX_get0_store(x) (x->ctx)
 #endif
 
@@ -931,10 +950,8 @@ void         ssl_util_ppclose(server_rec
 char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
                                  const char * const *);
 BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
-#if APR_HAS_THREADS
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
 void         ssl_util_thread_setup(apr_pool_t *);
-#endif
 void         ssl_util_thread_id_setup(apr_pool_t *);
 #endif
 int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);

Modified: httpd/httpd/trunk/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util.c Sat Jul 29 23:05:02 2017
@@ -246,8 +246,8 @@ void ssl_asn1_table_unset(apr_hash_t *ta
     apr_hash_set(table, key, klen, NULL);
 }
 
-#if APR_HAS_THREADS
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
+
 /*
  * To ensure thread-safetyness in OpenSSL - work in progress
  */
@@ -510,5 +510,4 @@ void ssl_util_thread_setup(apr_pool_t *p
                                        apr_pool_cleanup_null);
 }
 
-#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-#endif /* #if APR_HAS_THREADS */
+#endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sat Jul 29 23:05:02 2017
@@ -41,7 +41,7 @@
 #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
 #define MODSSL_LIBRARY_NAME    "OpenSSL"
 #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
 #else
 #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
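Review bot: A LibreSSL build still expands `MODSSL_LIBRARY_NAME` to `"OpenSSL"` two lines above the changed condition, so wherever that name is used (log lines and, likely, the advertised version component) the library is misidentified, which matters for anyone inventorying what TLS stack is actually deployed. Since `LIBRESSL_VERSION_NUMBER` is now tested in ssl_private.h, the same `#if defined(LIBRESSL_VERSION_NUMBER)` test could select `#define MODSSL_LIBRARY_NAME "LibreSSL"` here, falling back to the existing `"OpenSSL"` definition otherwise. Whether `MODSSL_LIBRARY_TEXT`/`MODSSL_LIBRARY_DYNTEXT` already report a LibreSSL-specific string cannot be confirmed from this diff, so the static name is the one to check.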

Modified: httpd/httpd/trunk/support/ab.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/ab.c?rev=1803396&r1=1803395&r2=1803396&view=diff
==============================================================================
--- httpd/httpd/trunk/support/ab.c (original)
+++ httpd/httpd/trunk/support/ab.c Sat Jul 29 23:05:02 2017
@@ -197,6 +197,14 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
 #define HAVE_TLSEXT
 #endif
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
+#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
+#define SSL_CTX_set_min_proto_version(ctx, version) \
+   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+#endif
 #endif
 
 #include <math.h>



Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Aug 3, 2017 at 9:34 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> IMO that's garbage, please revert. I don't believe that any ASF project,
> which has very firm rules about appropriating code bases, should be
> tolerating namespace abuse and mark infringement against other
> projects.

Not really a technical argument...
LibreSSL is a fork, for some reasons (which we don't have to and won't
discuss/dispute here) some people decided that OpenSSL (as is/was)
didn't suit their needs and forked it (which, AFAICT, isn't forbidden
by the OpenSSL license), and for the same or other reasons (whatever),
some people decided to use and package it in distros.
Thus both projects share code and namespace...

>
> If they want us to test a symbol in a LIBRESSL space, that's fine, but
> OPENSSL namespace was not theirs to begin with.

They define LIBRESSL_VERSION, but alas (for us) also OPENSSL_VERSION=2
(I agree that they probably have to change that some day...).

Anyway, if we want to support LibreSSL we could check LIBRESSL_VERSION
all over the place and have distinct code in mod_ssl for both libs, or
do something like this quite simple patch and thanks to most
code/namespace reuse have it work with few changes.

Do you propose that we don't support LibreSSL for ethical reasons?


Regards,
Yann.

Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
IMO that's garbage, please revert. I don't believe that any ASF project,
which has very firm rules about appropriating code bases, should be
tolerating namespace abuse and mark infringement against other
projects.

If they want us to test a symbol in a LIBRESSL space, that's fine, but
OPENSSL namespace was not theirs to begin with.



On Sat, Jul 29, 2017 at 6:05 PM,  <yl...@apache.org> wrote:
> Author: ylavic
> Date: Sat Jul 29 23:05:02 2017
> New Revision: 1803396
>
> URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
> Log:
> mod_ssl, ab: compatibility with LibreSSL.  PR 61184.
>
> LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
> all of the latest OpenSSL 1.1 API.
>
> Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
> anything but OpenSSL >= 1.1 (for now).
>
> Proposed by: Bernard Spil <brnrd freebsd.org>
> Reviewed by: ylavic
>
>
> Modified:
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
>     httpd/httpd/trunk/modules/ssl/ssl_util.c
>     httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
>     httpd/httpd/trunk/support/ab.c
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Jul 29 23:05:02 2017
> @@ -354,7 +354,7 @@ static apr_status_t ssl_cleanup_pre_conf
>  #endif
>
>      /* Usually needed per thread, but this parent process is single-threaded */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
>      ERR_remove_thread_state(NULL);
>  #else
> @@ -398,15 +398,15 @@ static int ssl_hook_pre_config(apr_pool_
>      /* Some OpenSSL internals are allocated per-thread, make sure they
>       * are associated to the/our same thread-id until cleaned up.
>       */
> -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
>      ssl_util_thread_id_setup(pconf);
>  #endif
>
>      /* We must register the library in full, to ensure our configuration
>       * code can successfully test the SSL environment.
>       */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -    CRYPTO_malloc_init();
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
> +    (void)CRYPTO_malloc_init();
>  #else
>      OPENSSL_malloc_init();
>  #endif
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct
>          return APR_EINVAL;
>      }
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>      ctx = EVP_MD_CTX_create();
>  #else
>      ctx = EVP_MD_CTX_new();
> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct
>      ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
>                                      sctf->signed_data_len));
>      rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>      EVP_MD_CTX_destroy(ctx);
>  #else
>      EVP_MD_CTX_free(ctx);
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Jul 29 23:05:02 2017
> @@ -50,7 +50,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
>  #define KEYTYPES "RSA or DSA"
>  #endif
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  /* OpenSSL Pre-1.1.0 compatibility */
>  /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
>  static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
> @@ -253,7 +253,7 @@ apr_status_t ssl_init_Module(apr_pool_t
>  #endif
>      }
>
> -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
>      ssl_util_thread_setup(p);
>  #endif
>
> @@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t
>      modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
>
>      init_dh_params();
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> +#if !MODSSL_USE_OPENSSL_PRE_1_1_API
>      init_bio_methods();
>  #endif
>
> @@ -1324,7 +1324,7 @@ static apr_status_t ssl_init_server_cert
>       * or configure NIST P-256 (required to enable ECDHE for earlier versions)
>       * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
>       */
> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      else {
>  #if defined(SSL_CTX_set_ecdh_auto)
>          SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
> @@ -2079,7 +2079,7 @@ apr_status_t ssl_init_ModuleKill(void *d
>
>      }
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> +#if !MODSSL_USE_OPENSSL_PRE_1_1_API
>      free_bio_methods();
>  #endif
>      free_dh_params();
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sat Jul 29 23:05:02 2017
> @@ -165,7 +165,7 @@ static int bio_filter_create(BIO *bio)
>  {
>      BIO_set_shutdown(bio, 1);
>      BIO_set_init(bio, 1);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      /* No setter method for OpenSSL 1.1.0 available,
>       * but I can't find any functional use of the
>       * "num" field there either.
> @@ -578,7 +578,7 @@ static long bio_filter_in_ctrl(BIO *bio,
>      return -1;
>  }
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>
>  static BIO_METHOD bio_filter_out_method = {
>      BIO_TYPE_MEM,
> @@ -2080,7 +2080,7 @@ static void ssl_io_input_add_filter(ssl_
>
>      filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
>  #else
>      filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
> @@ -2115,7 +2115,7 @@ void ssl_io_filter_init(conn_rec *c, req
>      filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
>                                                         filter_ctx, r, c);
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
>  #else
>      filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Jul 29 23:05:02 2017
> @@ -1745,7 +1745,7 @@ static void modssl_proxy_info_log(conn_r
>   * so we need to increment here to prevent them from
>   * being freed.
>   */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define modssl_set_cert_info(info, cert, pkey) \
>      *cert = info->x509; \
>      CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Jul 29 23:05:02 2017
> @@ -114,7 +114,7 @@ static apr_status_t ssl_get_tls_cb(apr_p
>      else if (x != NULL) {
>          const EVP_MD *md;
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>          md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
>  #else
>          md = EVP_get_digestbynid(X509_get_signature_nid(x));
> @@ -603,7 +603,7 @@ static char *ssl_var_lookup_ssl_cert(apr
>          resdup = FALSE;
>      }
>      else if (strcEQ(var, "A_SIG")) {
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>          nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
>  #else
>          const ASN1_OBJECT *paobj;
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Jul 29 23:05:02 2017
> @@ -123,6 +123,25 @@
>  #define MODSSL_SSL_METHOD_CONST
>  #endif
>
> +#if defined(LIBRESSL_VERSION_NUMBER)
> +/* Missing from LibreSSL */
> +#if LIBRESSL_VERSION_NUMBER < 0x2060000f
> +#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
> +#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
> +#define SSL_CTX_set_min_proto_version(ctx, version) \
> +        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
> +#define SSL_CTX_set_max_proto_version(ctx, version) \
> +        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
> +#endif
> +/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
> + * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
> + * we have to work around this...
> + */
> +#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
> +#else
> +#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
> +#endif
> +
>  #if defined(OPENSSL_FIPS)
>  #define HAVE_FIPS
>  #endif
> @@ -136,7 +155,7 @@
>  #endif
>
>  /* session id constness */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define IDCONST
>  #else
>  #define IDCONST const
> @@ -199,7 +218,7 @@
>
>  #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
>  #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
>  #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
> @@ -219,7 +238,7 @@ void init_bio_methods(void);
>  void free_bio_methods(void);
>  #endif
>
> -#if OPENSSL_VERSION_NUMBER < 0x10002000L
> +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
>  #define X509_STORE_CTX_get0_store(x) (x->ctx)
>  #endif
>
> @@ -931,10 +950,8 @@ void         ssl_util_ppclose(server_rec
>  char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
>                                   const char * const *);
>  BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
> -#if APR_HAS_THREADS
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
>  void         ssl_util_thread_setup(apr_pool_t *);
> -#endif
>  void         ssl_util_thread_id_setup(apr_pool_t *);
>  #endif
>  int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util.c Sat Jul 29 23:05:02 2017
> @@ -246,8 +246,8 @@ void ssl_asn1_table_unset(apr_hash_t *ta
>      apr_hash_set(table, key, klen, NULL);
>  }
>
> -#if APR_HAS_THREADS
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
> +
>  /*
>   * To ensure thread-safetyness in OpenSSL - work in progress
>   */
> @@ -510,5 +510,4 @@ void ssl_util_thread_setup(apr_pool_t *p
>                                         apr_pool_cleanup_null);
>  }
>
> -#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> -#endif /* #if APR_HAS_THREADS */
> +#endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sat Jul 29 23:05:02 2017
> @@ -41,7 +41,7 @@
>  #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
>  #define MODSSL_LIBRARY_NAME    "OpenSSL"
>  #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
>  #else
>  #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
>
> Modified: httpd/httpd/trunk/support/ab.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/ab.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/support/ab.c (original)
> +++ httpd/httpd/trunk/support/ab.c Sat Jul 29 23:05:02 2017
> @@ -197,6 +197,14 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
>  #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
>  #define HAVE_TLSEXT
>  #endif
> +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
> +#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
> +#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
> +#define SSL_CTX_set_min_proto_version(ctx, version) \
> +   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
> +#define SSL_CTX_set_max_proto_version(ctx, version) \
> +   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
> +#endif
>  #endif
>
>  #include <math.h>
>
>

Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Aug 3, 2017 at 9:25 AM, Ruediger Pluem <rp...@apache.org> wrote:
>
> On 07/30/2017 01:05 AM, ylavic@apache.org wrote:
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
>> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct
>>          return APR_EINVAL;
>>      }
>>
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>
> Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?
>
>>      ctx = EVP_MD_CTX_create();
>>  #else
>>      ctx = EVP_MD_CTX_new();
>> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct
>>      ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
>>                                      sctf->signed_data_len));
>>      rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>
> Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

#including "ssl_private.h" in "ssl_ct_sct.c" doesn't work; the former
defines MODSSL_USE_OPENSSL_PRE_1_1 but also APLOG_USE_MODULE(ssl), the
latter has AP_DECLARE_MODULE(ssl_ct).

There are surely ways to address this, but I don't know how for now...


Regards,
Yann.

Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Posted by Ruediger Pluem <rp...@apache.org>.

On 07/30/2017 01:05 AM, ylavic@apache.org wrote:
> Author: ylavic
> Date: Sat Jul 29 23:05:02 2017
> New Revision: 1803396
> 
> URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
> Log:
> mod_ssl, ab: compatibility with LibreSSL.  PR 61184.
> 
> LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
> all of the latest OpenSSL 1.1 API.
> 
> Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
> anything but OpenSSL >= 1.1 (for now).
> 
> Proposed by: Bernard Spil <brnrd freebsd.org>
> Reviewed by: ylavic
> 
> 
> Modified:
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
>     httpd/httpd/trunk/modules/ssl/ssl_util.c
>     httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
>     httpd/httpd/trunk/support/ab.c
> 

> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct
>          return APR_EINVAL;
>      }
>  
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

>      ctx = EVP_MD_CTX_create();
>  #else
>      ctx = EVP_MD_CTX_new();
> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct
>      ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
>                                      sctf->signed_data_len));
>      rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

>      EVP_MD_CTX_destroy(ctx);
>  #else
>      EVP_MD_CTX_free(ctx);
> 

Regards

Rüdiger