You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2016/02/14 23:40:08 UTC
svn commit: r1730422 - in /httpd/httpd/trunk: ./ modules/ssl/
Author: rjung
Date: Sun Feb 14 22:40:07 2016
New Revision: 1730422
URL: http://svn.apache.org/viewvc?rev=1730422&view=rev
Log:
Support OpenSSL 1.1.0.
- use common code for OpenSSL pre-1.1.0 and
1.1.0 where possible.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Feb 14 22:40:07 2016
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
*) hostname: Test and log useragent_host per-request across various modules,
including the scoreboard, expression and rewrite engines, setenvif,
authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c Sun Feb 14 22:40:07 2016
@@ -1937,10 +1937,6 @@ static int ocsp_resp_cb(SSL *ssl, void *
int i, len;
OCSP_RESPONSE *rsp;
OCSP_BASICRESP *br;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OCSP_RESPDATA *rd;
- STACK_OF(X509_EXTENSION) *exts;
-#endif
OCSP_SINGLERESP *single;
len = SSL_get_tlsext_status_ocsp_resp(ssl, &p); /* UNDOC */
@@ -1965,25 +1961,13 @@ static int ocsp_resp_cb(SSL *ssl, void *
return 0;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- rd = br->tbsResponseData;
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { /* UNDOC */
-#else
for (i = 0; i < OCSP_resp_count(br); i++) {
-#endif
const unsigned char *p;
X509_EXTENSION *ext;
int idx;
ASN1_OCTET_STRING *oct1, *oct2;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- single = sk_OCSP_SINGLERESP_value(rd->responses, i); /* UNDOC */
-#else
single = OCSP_resp_get0(br, i);
-#endif
if (!single) {
continue;
}
@@ -1998,13 +1982,7 @@ static int ocsp_resp_cb(SSL *ssl, void *
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"index of NID_ct_cert_scts: %d", idx);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- exts = single->singleExtensions;
-
- ext = sk_X509_EXTENSION_value(exts, idx); /* UNDOC */
-#else
ext = OCSP_SINGLERESP_get_ext(single, idx);
-#endif
oct1 = X509_EXTENSION_get_data(ext); /* UNDOC */
p = oct1->data;
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Feb 14 22:40:07 2016
@@ -876,11 +876,7 @@ static int use_certificate_chain(
unsigned long err;
int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-#else
if ((bio = BIO_new(BIO_s_file())) == NULL)
-#endif
return -1;
if (BIO_read_filename(bio, file) <= 0) {
BIO_free(bio);
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sun Feb 14 22:40:07 2016
@@ -80,11 +80,7 @@ static apr_status_t upgrade_connection(r
SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -460,11 +456,7 @@ int ssl_hook_Access(request_rec *r)
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
return HTTP_FORBIDDEN;
}
ctx = SSL_get_SSL_CTX(ssl);
@@ -948,7 +940,6 @@ int ssl_hook_Access(request_rec *r)
}
else {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- int rc;
char peekbuf[1];
#endif
const char *reneg_support;
@@ -994,11 +985,7 @@ int ssl_hook_Access(request_rec *r)
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
"Re-negotiation request failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -1033,27 +1020,13 @@ int ssl_hook_Access(request_rec *r)
* It is expected to work without changes with the forthcoming 1.1.0pre3.
* See: http://marc.info/?t=145493359200002&r=1&w=2
*/
- rc = SSL_peek(ssl, peekbuf, 0);
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
- "Renegotiation peek result=%d, "
- "reneg_state=%d, "
- "in_init=%d, init_finished=%d, "
- "state=%s, sslconn->ssl=%s, peer_certs=%s",
- rc, sslconn->reneg_state,
- SSL_in_init(ssl), SSL_is_init_finished(ssl),
- SSL_state_string_long(ssl),
- sslconn->ssl != NULL ? "yes" : "no",
- SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
+ SSL_peek(ssl, peekbuf, 0);
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
sslconn->reneg_state = RENEG_REJECT;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
"Re-negotiation handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Sun Feb 14 22:40:07 2016
@@ -262,15 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *c
"No cert available to check with OCSP");
return 1;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-#else
- /* No need to check cert->valid, because modssl_verify_ocsp() only
- * is called if OpenSSL already successfully verified the certificate
- * (parameter "ok" in ssl_callback_SSLVerify() must be true).
- */
else if (X509_check_issued(cert,cert) == X509_V_OK) {
-#endif
/* don't do OCSP checking for valid self-issued certs */
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"Skipping OCSP check for valid self-issued cert");
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sun Feb 14 22:40:07 2016
@@ -683,16 +683,8 @@ static char *ssl_var_lookup_ssl_cert_dn(
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries);
- j++) {
- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries, j);
-#else
for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
xsne = X509_NAME_get_entry(xsname, j);
-#endif
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
@@ -994,9 +986,6 @@ static char *ssl_var_lookup_ssl_version(
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
-#endif
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
@@ -1006,16 +995,9 @@ static void extract_dn(apr_table_t *t, a
count = apr_hash_make(p);
/* For each RDN... */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
- const char *tag;
-
- xsne = sk_X509_NAME_ENTRY_value(ents, i);
-#else
for (i = 0; i < X509_NAME_entry_count(xn); i++) {
const char *tag;
xsne = X509_NAME_get_entry(xn, i);
-#endif
/* Retrieve the nid, and check whether this is one of the nids
* which are to be extracted. */
@@ -1189,11 +1171,7 @@ apr_array_header_t *ssl_ext_list(apr_poo
for (j = 0; j < count; j++) {
X509_EXTENSION *ext = X509_get_ext(xs, j);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (OBJ_cmp(ext->object, oid) == 0) {
-#else
if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
-#endif
BIO *bio = BIO_new(BIO_s_mem());
/* We want to obtain a string representation of the extensions
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Feb 14 22:40:07 2016
@@ -151,6 +151,7 @@
/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
+/* All exist but are no longer macros since OpenSSL 1.1.0 */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* backward compatibility with OpenSSL < 1.0 */
#ifndef sk_OPENSSL_STRING_num
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1730422&r1=1730421&r2=1730422&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Sun Feb 14 22:40:07 2016
@@ -402,13 +402,9 @@ static int stapling_check_response(serve
if (bio) {
int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
-#else
ASN1_INTEGER *pserial;
OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
-#endif
((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
snum[n] = '\0';
BIO_free(bio);