Merge r1803392, r1803396, r1803398 from trunk:
authorYann Ylavic <ylavic@apache.org>
Fri, 8 Sep 2017 12:20:16 +0000 (12:20 +0000)
committerYann Ylavic <ylavic@apache.org>
Fri, 8 Sep 2017 12:20:16 +0000 (12:20 +0000)
mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP
is defined.  PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl, ab: compatibility with LibreSSL.  PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

Follow up to r1803396: CHANGES entry.

Reviewed by: ylavic, jim, covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1807734 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/ssl_engine_vars.c
modules/ssl/ssl_private.h
modules/ssl/ssl_util.c
modules/ssl/ssl_util_ssl.h
support/ab.c

diff --git a/CHANGES b/CHANGES
index 1570904225ae461b5b3aeb017ca2f6edc56cb7da..1988d2cca3cefe7b02132832ae896cc3a1989c6f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.28
 
+  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
+     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+      Yann Ylavic]
+
   *) core/log: Support use of optional "tag" in syslog entries.
      PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
 
index 131ec7e4ae03aeb291d96247b6439d616ca9c1d0..a23f2f574d0b125c626f33bd1b284a161b632789 100644 (file)
@@ -338,11 +338,13 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
     ENGINE_cleanup();
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#ifndef OPENSSL_NO_COMP
     SSL_COMP_free_compression_methods();
+#endif
 #endif
 
     /* Usually needed per thread, but this parent process is single-threaded */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
     ERR_remove_thread_state(NULL);
 #else
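Review bot: The new `#ifndef OPENSSL_NO_COMP` guard around SSL_COMP_free_compression_methods() gives no reason for its existence, and the call now sits under three preprocessor levels. Folding the two conditions into one and recording the motive reads better: `#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP) /* not declared when compression is compiled out (PR 61206) */`. The `#if MODSSL_USE_OPENSSL_PRE_1_1_API` block opened at the end of this hunk closes outside it.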
@@ -383,15 +385,15 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
     /* Some OpenSSL internals are allocated per-thread, make sure they
      * are associated to the/our same thread-id until cleaned up.
      */
-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
     ssl_util_thread_id_setup(pconf);
 #endif
 
     /* We must register the library in full, to ensure our configuration
      * code can successfully test the SSL environment.
      */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    CRYPTO_malloc_init();
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+    (void)CRYPTO_malloc_init();
 #else
     OPENSSL_malloc_init();
 #endif
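Review bot: The `(void)` cast added in front of CRYPTO_malloc_init() is unexplained, so a reader cannot tell whether a meaningful result is being thrown away. Presumably it silences an unused-value warning on a library where the macro expands to a bare constant instead of a call (LibreSSL), but that belongs in a comment, e.g. `(void)CRYPTO_malloc_init(); /* may expand to a constant, not a call, on some libraries */`. On OpenSSL 1.0.x the macro appears to expand to a CRYPTO_set_mem_functions() call that can return 0; if that failure matters here it would be better logged than discarded — verify against the library headers.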
index 3e11d560cdcb50e7312857d41829772f92b481e8..e5dee0fc41232778ff95a43719206d328e113353 100644 (file)
@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
 #define KEYTYPES "RSA or DSA"
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /* OpenSSL Pre-1.1.0 compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
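Review bot: Switching this block to MODSSL_USE_OPENSSL_PRE_1_1_API makes the static DH_set0_pqg() compatibility shim (and the rest of the block, which runs past the hunk) unconditional for every LibreSSL release, because ssl_private.h in this commit hard-wires the macro to 1 whenever LIBRESSL_VERSION_NUMBER is defined. Should a LibreSSL version ship its own DH_set0_pqg() with external linkage, this file would then define a conflicting static function of the same name; bounding the shim with a LibreSSL version, as the header already does for the proto-version macros, would confine it to releases that lack the API, e.g. `#if MODSSL_USE_OPENSSL_PRE_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < <first-version-providing-DH_set0_pqg>)`. The same unbounded `defined(LIBRESSL_VERSION_NUMBER)` gating applies to the X509_STORE_CTX_get0_store macro hunk in ssl_private.h.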
@@ -257,7 +257,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
 #endif
     }
 
-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
     ssl_util_thread_setup(p);
 #endif
 
@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
 
     init_dh_params();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
     init_bio_methods();
 #endif
 
@@ -1301,7 +1301,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
      * or configure NIST P-256 (required to enable ECDHE for earlier versions)
      * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
      */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     else {
 #if defined(SSL_CTX_set_ecdh_auto)
         SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *data)
 
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
     free_bio_methods();
 #endif
     free_dh_params();
index d1f44e95105b2f18b3f56a7c963343bc2f6e6555..d5ebac9bcbd10487b3337f4102cec08184c21d0d 100644 (file)
@@ -164,7 +164,7 @@ static int bio_filter_create(BIO *bio)
 {
     BIO_set_shutdown(bio, 1);
     BIO_set_init(bio, 1);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     /* No setter method for OpenSSL 1.1.0 available,
      * but I can't find any functional use of the
      * "num" field there either.
@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
     return -1;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
         
 static BIO_METHOD bio_filter_out_method = {
     BIO_TYPE_MEM,
@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
 
     filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
 #else
     filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl)
     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
                                                        filter_ctx, r, c);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
 #else
     filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
index e8484ed4d3d4c3bc9c907c2f4183d4b86fa6c8ce..e402c2fe231be209493ba549b3cf7e9d6ce912c4 100644 (file)
@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_rec *c,
  * so we need to increment here to prevent them from
  * being freed.
  */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define modssl_set_cert_info(info, cert, pkey) \
     *cert = info->x509; \
     CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
index 04b08790f48fb4b2f017bd026ac43674fcbe8800..8ce40efac99fb1f077d91a6091ac68549bbdf837 100644 (file)
@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
         resdup = FALSE;
     }
     else if (strcEQ(var, "A_SIG")) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
 #else
         const ASN1_OBJECT *paobj;
index 3e9602ca5206c80dff37a0df12d0246945709120..0ab60a0dfb74ada4056b68da299f57582ce3104a 100644 (file)
 #define MODSSL_SSL_METHOD_CONST
 #endif
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#if LIBRESSL_VERSION_NUMBER < 0x2060000f
+#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
+#define SSL_CTX_set_min_proto_version(ctx, version) \
+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+#endif
+/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
+ * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
+ * we have to work around this...
+ */
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
 #if defined(OPENSSL_FIPS)
 #define HAVE_FIPS
 #endif
 #endif
 
 /* session id constness */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define IDCONST
 #else
 #define IDCONST const
 
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
 #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
 #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
@@ -219,7 +238,7 @@ void init_bio_methods(void);
 void free_bio_methods(void);
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
 #define X509_STORE_CTX_get0_store(x) (x->ctx)
 #endif
 
@@ -933,10 +952,8 @@ void         ssl_util_ppclose(server_rec *, apr_pool_t *, apr_file_t *);
 char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
                                  const char * const *);
 BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
-#if APR_HAS_THREADS
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
 void         ssl_util_thread_setup(apr_pool_t *);
-#endif
 void         ssl_util_thread_id_setup(apr_pool_t *);
 #endif
 int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);
index 9e4e719f4bc9928a3651b3bee25ef06f0793d731..afc64a3ac48844513a5fcf1a396ab550e36487d7 100644 (file)
@@ -246,8 +246,8 @@ void ssl_asn1_table_unset(apr_hash_t *table,
     apr_hash_set(table, key, klen, NULL);
 }
 
-#if APR_HAS_THREADS
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
+
 /*
  * To ensure thread-safetyness in OpenSSL - work in progress
  */
@@ -467,5 +467,5 @@ void ssl_util_thread_id_setup(apr_pool_t *p)
     apr_pool_cleanup_register(p, NULL, ssl_util_thr_id_cleanup,
                                        apr_pool_cleanup_null);
 }
-#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-#endif /* #if APR_HAS_THREADS */
+
+#endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */
index 4f18f916b4ffd9e75d0058b1c96595f8be5180d6..04b138d2aea5d62e28ec67b1c87b18c1be5c577a 100644 (file)
@@ -41,7 +41,7 @@
 #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
 #define MODSSL_LIBRARY_NAME    "OpenSSL"
 #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
 #else
 #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
index daba92e83d40af3f913d35608aa1e603afaf1ced..0d0cf1125fcd8af44ff314f9b0e469f02f2325d7 100644 (file)
@@ -197,6 +197,14 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
 #define HAVE_TLSEXT
 #endif
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
+#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
+#define SSL_CTX_set_min_proto_version(ctx, version) \
+   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+#endif
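Review bot: SSL_CTX_set_min_proto_version() / SSL_CTX_set_max_proto_version() are defined here for LibreSSL < 2.6.0 as raw SSL_CTX_ctrl() calls with control codes 123 and 124; if that library does not recognise those codes, SSL_CTX_ctrl() returns 0 instead of failing visibly, so a requested protocol floor or ceiling may silently not be applied. Call sites should check the macro's return value and report a zero result, and a comment such as `/* best-effort: SSL_CTX_ctrl() returns 0 when the library does not implement these controls */` would warn the next reader. This block also duplicates the one added to modules/ssl/ssl_private.h in the same commit; one shared definition would keep the two from drifting apart.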
 #endif
 
 #include <math.h>