-*- coding: utf-8 -*-
Changes with Apache 2.3.15
+ *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
+
*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
AC_DEFUN(APACHE_CHECK_OPENSSL,[
AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [
dnl initialise the variables we use
- ac_cv_openssl=yes
+ ac_cv_openssl=no
ap_openssl_found=""
ap_openssl_base=""
ap_openssl_libs=""
fi
fi
- AC_MSG_CHECKING([for OpenSSL version])
+ AC_MSG_CHECKING([for OpenSSL version >= 0.9.7])
AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
#if !defined(OPENSSL_VERSION_NUMBER)
#error "Missing OpenSSL version"
#endif
-#if (OPENSSL_VERSION_NUMBER < 0x009060af) \
- || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f))
-#error "Insecure openssl version " OPENSSL_VERSION_TEXT
+#if OPENSSL_VERSION_NUMBER < 0x0090700f
+#error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT
#endif],
- [AC_MSG_RESULT(OK)],
- [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
- AC_MSG_RESULT([not encouraging])
- AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
- [ Ensure the latest security patches have been applied!])
- ])
+ [AC_MSG_RESULT(OK)
+ ac_cv_openssl=yes],
+ [AC_MSG_RESULT(FAILED)])
if test "x$ac_cv_openssl" = "xyes"; then
ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"
AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
if test "x$liberrors" != "x"; then
- ac_cv_openssl=no
AC_MSG_WARN([OpenSSL libraries are unusable])
fi
+ else
+ AC_MSG_WARN([OpenSSL version is too old])
fi
dnl restore
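Review bot: Removing `ac_cv_openssl=no` from the `liberrors` branch means a build whose headers pass the 0.9.7 test but whose `SSLeay_version`/`SSL_CTX_new` fail to link now only prints "OpenSSL libraries are unusable" while `ac_cv_openssl` stays `yes`, so mod_ssl detection still succeeds on an unlinkable toolkit. Unless that reset has been moved somewhere outside this hunk, keep it ahead of the warning: `ac_cv_openssl=no` before `AC_MSG_WARN([OpenSSL libraries are unusable])`. The new version test itself reads correctly: `0x0090700f` is the 0.9.7 release number and, with the default now `no`, only a successful compile flips the cache variable to `yes`. The `APACHE_CHECK_OPENSSL` macro continues outside the hunk.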
dnl See the License for the specific language governing permissions and
dnl limitations under the License.
-AC_DEFUN([CHECK_OCSP], [
-AC_CHECK_HEADERS(openssl/ocsp.h,
- [AC_DEFINE([HAVE_OCSP], 1, [Define if OCSP is supported by OpenSSL])]
-)
-])
-
dnl # start of module specific part
APACHE_MODPATH_INIT(ssl)
APACHE_CHECK_OPENSSL
if test "$ac_cv_openssl" = "yes" ; then
APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
- CHECK_OCSP
if test "x$enable_ssl" = "xshared"; then
# The only symbol which needs to be exported is the module
# structure, so ask libtool to hide everything else:
/*
* Try to kill the internals of the SSL library.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
/* Corresponds to OPENSSL_load_builtin_modules():
* XXX: borrowed from apps.h, but why not CONF_modules_free()
* which also invokes CONF_modules_finish()?
*/
CONF_modules_unload(1);
-#endif
/* Corresponds to SSL_library_init: */
EVP_cleanup();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif
OpenSSL_add_all_algorithms();
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
OPENSSL_load_builtin_modules();
-#endif
/*
* Let us cleanup the ssl library when the module is unloaded
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
}
else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
-#ifdef HAVE_SSL_RAND_EGD
seed->nSrc = SSL_RSSRC_EGD;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
-#else
- return "egd not supported with this SSL toolkit";
-#endif
}
else if (strcEQ(arg2, "builtin")) {
seed->nSrc = SSL_RSSRC_BUILTIN;
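Review bot: Dropping the `HAVE_SSL_RAND_EGD` guard makes `egd:` accepted unconditionally at configuration time, which assumes every OpenSSL at or above the new 0.9.7 floor exports `RAND_egd()`. That holds for the releases this patch targets, but a toolkit built without EGD support would then surface as a link error in the seeding code rather than the previous clear directive error; adding `RAND_egd` to the `AC_CHECK_FUNCS` list in configure and keeping a `#ifdef HAVE_RAND_EGD` guard around this branch would preserve the diagnostic. The enclosing `SSLRandomSeed` directive handler starts before the hunk.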
sc->server->ocsp_enabled = flag ? TRUE : FALSE;
-#ifndef HAVE_OCSP
+#ifdef OPENSSL_NO_OCSP
if (flag) {
- return "OCSP support not detected in SSL library; cannot enable "
+ return "OCSP support disabled in SSL library; cannot enable "
"OCSP validation";
}
#endif
if ((bio = BIO_new_file(file, "r")) == NULL)
return NULL;
-#if SSL_LIBRARY_VERSION < 0x00904000
- dh = PEM_read_bio_DHparams(bio, NULL, NULL);
-#else
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-#endif
BIO_free(bio);
return (dh);
}
errnum = X509_STORE_CTX_get_error(ctx);
}
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
/* If there was an optional verification error, it's not
* possible to perform OCSP validation since the issuer may be
* missing/untrusted. Fail in that case. */
}
/* Dump debugginfo trace to the log file. */
-static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
+static void log_tracing_state(const SSL *ssl, conn_rec *c,
server_rec *s, int where, int rc)
{
/*
* client-initiated renegotiations, and for dumping everything to the
* log.
*/
-void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+void ssl_callback_Info(const SSL *ssl, int where, int rc)
{
conn_rec *c;
server_rec *s;
#include "ssl_private.h"
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
#include "apr_base64.h"
/* Return the responder URI specified in the given certificate, or
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
ssl_util_ppclose(s, p, fp);
}
-#ifdef HAVE_SSL_RAND_EGD
else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
/*
* seed in contents provided by the external
continue;
nDone += n;
}
-#endif
else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
struct {
time_t t;
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
-
-/* hack for non-configure platforms (NetWare, Win32) */
-#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
-#define HAVE_OCSP
-#endif
-#ifdef HAVE_OCSP
#include <openssl/x509_vfy.h>
#include <openssl/ocsp.h>
-#endif
/* Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
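Review bot: The `<openssl/ocsp.h>` include is now unconditional while every OCSP use elsewhere in this patch is guarded by `#ifndef OPENSSL_NO_OCSP`; for consistency, and to make it explicit that the feature macro comes from `opensslconf.h` via the `evp.h` include above, wrap it: `#ifndef OPENSSL_NO_OCSP` / `#include <openssl/ocsp.h>` / `#endif`. The removed NetWare/Win32 `HAVE_OCSP` hack is correctly replaced by the toolkit's own macro, so no configure-time probe is needed here. `<openssl/x509_vfy.h>` can stay outside the guard, since `X509_STORE_CTX_get_error()` is used independently of OCSP in the verify callback hunk.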
#endif
/* ...shifting sands of OpenSSL... */
-#if (OPENSSL_VERSION_NUMBER < 0x00907000)
-# define MODSSL_INFO_CB_ARG_TYPE SSL*
-#else
-# define MODSSL_INFO_CB_ARG_TYPE const SSL*
-#endif
-
#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
#define MODSSL_D2I_SSL_SESSION_CONST const
#else
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
-void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
+void ssl_callback_Info(const SSL *, int, int);
#ifndef OPENSSL_NO_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
* allocating from 'p': */
void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
/* Perform OCSP validation of the current cert in the given context.
* Returns non-zero on success or zero on failure. On failure, the
* context error code is set. */
#include "ssl_private.h"
-#ifdef HAVE_OCSP
+#ifndef OPENSSL_NO_OCSP
#include "apr_buckets.h"
#include "apr_uri.h"
return rc;
}
-#if SSL_LIBRARY_VERSION <= 0x00904100
-static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
-{
- return ((EVP_PKEY *)ASN1_d2i_bio(
- (char *(*)())EVP_PKEY_new,
- (char *(*)())d2i_PrivateKey,
- (bio), (unsigned char **)(key)));
-}
-#endif
-
EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
{
EVP_PKEY *rc;
/* check whether cert contains extended key usage with a SGC tag */
BOOL SSL_X509_isSGC(X509 *cert)
{
-#ifdef HAVE_SSL_X509V3_EXT_d2i
int ext_nid;
EXTENDED_KEY_USAGE *sk;
BOOL is_sgc;
EXTENDED_KEY_USAGE_free(sk);
}
return is_sgc;
-#else
- return FALSE;
-#endif
}
/* retrieve basic constraints ingredients */
BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
{
-#ifdef HAVE_SSL_X509V3_EXT_d2i
BASIC_CONSTRAINTS *bc;
BIGNUM *bn = NULL;
char *cp;
}
BASIC_CONSTRAINTS_free(bc);
return TRUE;
-#else
- return FALSE;
-#endif
}
/* convert a NAME_ENTRY to UTF8 string */