-*- coding: utf-8 -*-
Changes with Apache 2.3.15
+ *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
+
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]
# End Source File
# Begin Source File
-SOURCE=.\ssl_toolkit_compat.h
-# End Source File
-# Begin Source File
-
SOURCE=.\ssl_util_ssl.h
# End Source File
# Begin Source File
static DH *get_dh512(void)
{
- return modssl_dh_configure(dh512_p, sizeof(dh512_p),
- dh512_g, sizeof(dh512_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
}
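Review bot: The DH_new/BN_bin2bn/DH_free sequence is now written out in full in every generated getter — here, in get_dh1024 below, and in the Perl substitution template that regenerates this section — so any later change (for instance if `dh->p`/`dh->g` stop being directly assignable and an accessor has to be used) must be made in three places that can silently drift. Keeping a file-local `static DH *modssl_dh_configure(unsigned char *p, int plen, unsigned char *g, int glen)` above the `----END GENERATED SECTION----` marker, with the body that this hunk inlines, would let the template emit a one-line `return modssl_dh_configure(dh$2_p, sizeof(dh$2_p), dh$2_g, sizeof(dh$2_g));` as before. Separately, a short comment on when the 512-bit group is selected over the 1024-bit one would help readers, since a group of that size is well below current key-exchange guidance; the selection logic is not visible in this hunk.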
static unsigned char dh1024_p[] = {
static DH *get_dh1024(void)
{
- return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
- dh1024_g, sizeof(dh1024_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
}
/* ----END GENERATED SECTION---------- */
close(FP);
$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
{
- return modssl_dh_configure(dh$2_p, sizeof(dh$2_p),
- dh$2_g, sizeof(dh$2_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
+ dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
}
|sg;
"Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx,
- MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
- MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path))
{
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to configure verify locations "
"Configuring permitted SSL ciphers [%s]",
suite);
- if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
+ if (!SSL_CTX_set_cipher_list(ctx, suite)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to configure permitted SSL ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
STACK_OF(X509_NAME) *sk;
sk = (STACK_OF(X509_NAME) *)
- SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
+ SSL_load_client_CA_file(file);
if (!sk) {
return;
#define DUMP_WIDTH 16
static void ssl_io_data_dump(server_rec *srvr,
- MODSSL_BIO_CB_ARG_TYPE *s,
+ const char *s,
long len)
{
char buf[256];
}
long ssl_io_data_cb(BIO *bio, int cmd,
- MODSSL_BIO_CB_ARG_TYPE *argp,
+ const char *argp,
int argi, long argl, long rc)
{
SSL *ssl;
/* configure new state */
if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
- !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
- dc->szCipherSuite :
- sc->server->auth.cipher_suite)) {
+ !SSL_set_cipher_list(ssl, dc->szCipherSuite ?
+ dc->szCipherSuite :
+ sc->server->auth.cipher_suite)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
verify |= SSL_VERIFY_PEER;
}
- modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
+ SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether we've to force a renegotiation */
"'require' and VirtualHost-specific CA certificate "
"list is only available to clients with TLS server "
"name indication (SNI) support");
- modssl_set_verify(ssl, verify_old, NULL);
+ SSL_set_verify(ssl, verify_old, NULL);
return HTTP_FORBIDDEN;
} else
/* let it pass, possibly with an "incorrect" peer cert,
* we put it back here for the purpose of quick_renegotiation.
*/
cert_stack = sk_X509_new_null();
- sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
+ sk_X509_push(cert_stack, cert);
}
if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)ssl);
- if (!modssl_X509_verify_cert(&cert_store_ctx)) {
+ if (!X509_verify_cert(&cert_store_ctx)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Re-negotiation verification step failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Awaiting re-negotiation handshake");
- /* XXX: Should replace SSL_set_state with SSL_renegotiate(ssl);
+ /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
- SSL_set_state(ssl, SSL_ST_ACCEPT);
+ ssl->state = SSL_ST_ACCEPT;
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
char *cp = X509_NAME_oneline(name, NULL, 0);
sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
}
clientdn = (char *)sslconn->client_dn;
X509_REVOKED *revoked =
sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
- ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
+ ASN1_INTEGER *sn = revoked->serialNumber;
if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
if (APLOGdebug(s)) {
"Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s",
serial, serial, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
}
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
*/
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
- X509_reference_inc(*cert); \
+ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
*pkey = info->x_pkey->dec_pkey; \
- EVP_PKEY_reference_inc(*pkey)
+ CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
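Review bot: `modssl_set_cert_info` is still four statements joined by `;` with no `do { … } while (0)` wrapper, so a braceless `if (cond) modssl_set_cert_info(info, cert, pkey);` would guard only `*cert = info->x509;` and unconditionally bump both reference counts; whether any caller invokes it unbraced is not visible here. Changing the first line to `#define modssl_set_cert_info(info, cert, pkey) do { \` and ending the macro with `} while (0)` after the `CRYPTO_LOCK_X509_PKEY` line removes that hazard. The two `CRYPTO_add(…, +1, …)` calls hand a reference on the certificate and key to the caller of ssl_callback_proxy_cert; if the comment that ends just above the hunk does not already say who releases them, one line stating that would be worthwhile.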
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
- id = SSL_SESSION_get_session_id(session);
- idlen = SSL_SESSION_get_session_id_length(session);
+ id = session->session_id;
+ idlen = session->session_id_length;
rc = ssl_scache_store(s, id, idlen,
- apr_time_from_sec(modssl_session_get_time(session)
+ apr_time_from_sec(SSL_SESSION_get_time(session)
+ timeout),
session, conn->pool);
/*
* Remove the SSL_SESSION from the inter-process cache
*/
- id = SSL_SESSION_get_session_id(session);
- idlen = SSL_SESSION_get_session_id_length(session);
+ id = session->session_id;
+ idlen = session->session_id_length;
/* TODO: Do we need a temp pool here, or are we always shutting down? */
ssl_scache_remove(s, id, idlen, sc->mc->pPool);
serial ? serial : "-unknown-");
if (sname) {
- modssl_free(sname);
+ OPENSSL_free(sname);
}
if (iname) {
- modssl_free(iname);
+ OPENSSL_free(iname);
}
if (serial) {
- modssl_free(serial);
+ OPENSSL_free(serial);
}
if (bn) {
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
result = apr_pstrdup(p, SSL_SESSION_id2sz(
- SSL_SESSION_get_session_id(pSession),
- SSL_SESSION_get_session_id_length(pSession),
+ pSession->session_id,
+ pSession->session_id_length,
buf, sizeof(buf)));
}
}
if (legacy_format) {
char *cp = X509_NAME_oneline(xsname, NULL, 0);
result = apr_pstrdup(p, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
}
else {
BIO* bio;
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsname));
+ xsname->entries);
j++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsname), j);
+ xsname->entries, j);
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
- STACK_OF(X509_NAME_ENTRY) *ents = X509_NAME_get_entries(xn);
+ STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
#include "ap_socache.h"
#include "mod_auth.h"
+/* The #ifdef macros are only defined AFTER including the above
+ * therefore we cannot include these system files at the top :-(
+ */
#ifdef APR_HAVE_STDLIB_H
#include <stdlib.h>
#endif
+#if APR_HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#if APR_HAVE_UNISTD_H
+#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+#endif
#ifndef FALSE
#define FALSE 0
#define BOOL unsigned int
#endif
-/* mod_ssl headers */
-#include "ssl_toolkit_compat.h"
#include "ap_expr.h"
-#include "ssl_util_ssl.h"
-/* The #ifdef macros are only defined AFTER including the above
- * therefore we cannot include these system files at the top :-(
+/* OpenSSL headers */
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+/* hack for non-configure platforms (NetWare, Win32) */
+#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
+#define HAVE_OCSP
+#endif
+#ifdef HAVE_OCSP
+#include <openssl/x509_vfy.h>
+#include <openssl/ocsp.h>
+#endif
+
+/* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
*/
-#if APR_HAVE_SYS_TIME_H
-#include <sys/time.h>
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#include <openssl/engine.h>
#endif
-#if APR_HAVE_UNISTD_H
-#include <unistd.h> /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+
+/* ...shifting sands of OpenSSL... */
+#if (OPENSSL_VERSION_NUMBER < 0x00907000)
+# define MODSSL_INFO_CB_ARG_TYPE SSL*
+#else
+# define MODSSL_INFO_CB_ARG_TYPE const SSL*
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
+#define MODSSL_D2I_SSL_SESSION_CONST const
+#else
+#define MODSSL_D2I_SSL_SESSION_CONST
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#define HAVE_GENERATE_EX
+#define MODSSL_D2I_ASN1_type_bytes_CONST const
+#define MODSSL_D2I_PrivateKey_CONST const
+#define MODSSL_D2I_X509_CONST const
+#else
+#define MODSSL_D2I_ASN1_type_bytes_CONST
+#define MODSSL_D2I_PrivateKey_CONST
+#define MODSSL_D2I_X509_CONST
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_OCSP_STAPLING
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define sk_OPENSSL_STRING_pop sk_pop
+#endif
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+#define MODSSL_SSL_CIPHER_CONST const
+#define MODSSL_SSL_METHOD_CONST const
+#else
+#define MODSSL_SSL_CIPHER_CONST
+#define MODSSL_SSL_METHOD_CONST
+/* ECC support came along in OpenSSL 1.0.0 */
+#define OPENSSL_NO_EC
+#endif
+
+#ifndef PEM_F_DEF_CALLBACK
+#ifdef PEM_F_PEM_DEF_CALLBACK
+/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
+#endif
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#define OPENSSL_NO_TLSEXT
+#endif
+#endif
+
+#ifndef sk_STRING_pop
+#define sk_STRING_pop sk_pop
+#endif
+
+/* mod_ssl headers */
+#include "ssl_util_ssl.h"
+
APLOG_USE_MODULE(ssl);
/*
* Provide reasonable default for some defines
*/
-#ifndef FALSE
-#define FALSE (0)
-#endif
-#ifndef TRUE
-#define TRUE (!FALSE)
-#endif
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
/**
* Provide reasonable defines for some types
*/
-#ifndef BOOL
-#define BOOL unsigned int
-#endif
#ifndef UCHAR
#define UCHAR unsigned char
#endif
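Review bot: The two OCSP guards are now inconsistent: the "hack for non-configure platforms" defines `HAVE_OCSP` from `OPENSSL_VERSION_NUMBER` alone, so `<openssl/x509_vfy.h>` and `<openssl/ocsp.h>` are included even for an OpenSSL built with no-ocsp, whereas `HAVE_OCSP_STAPLING` does test `!defined(OPENSSL_NO_OCSP)`. Adding the same test to the hack, `#if !defined(HAVE_OCSP) && !defined(OPENSSL_NO_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)`, keeps both conditions in step. The thresholds for `MODSSL_SSL_CIPHER_CONST` and `MODSSL_SSL_METHOD_CONST` also move to `0x10000000`, where the deleted header used `0x0090707f` and `0x00909000`; since the CHANGES entry describes this commit as a removal of the compat layer, a one-line comment recording why the const boundary moved would save the next reader a search through OpenSSL's history.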
#endif
int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
/** I/O */
void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
void ssl_io_filter_register(apr_pool_t *);
-long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
+long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
+++ /dev/null
-/* Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SSL_TOOLKIT_COMPAT_H
-#define SSL_TOOLKIT_COMPAT_H
-
-/**
- * @file ssl_toolkit_compat.h
- * @brief this header file provides a compatiblity layer
- *
- * @defgroup MOD_SSL_TOOLKIT Toolkit
- * @ingroup MOD_SSL
- * @{
- */
-
-/** OpenSSL headers */
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/crypto.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/x509v3.h>
-
-/* hack for non-configure platforms (NetWare, Win32) */
-#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
-#define HAVE_OCSP
-#endif
-#ifdef HAVE_OCSP
-#include <openssl/x509_vfy.h>
-#include <openssl/ocsp.h>
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
-#define HAVE_GENERATE_EX
-#endif
-
-/* ECC support came along in OpenSSL 1.0.0 */
-#if (OPENSSL_VERSION_NUMBER < 0x10000000)
-#define OPENSSL_NO_EC
-#endif
-
-/** Avoid tripping over an engine build installed globally and detected
- * when the user points at an explicit non-engine flavor of OpenSSL
- */
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-#include <openssl/engine.h>
-#endif
-
-/**
- * rsa sslc uses incomplete types for most structures
- * so we macroize for OpenSSL those which cannot be dereferenced
- * using the same sames as the sslc functions
- */
-
-#define EVP_PKEY_key_type(k) (EVP_PKEY_type(k->type))
-
-#define X509_NAME_get_entries(xs) (xs->entries)
-#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
-
-#define X509_get_signature_algorithm(xs) (xs->cert_info->signature->algorithm)
-#define X509_get_key_algorithm(xs) (xs->cert_info->key->algor->algorithm)
-
-#define X509_NAME_ENTRY_get_data_ptr(xs) (xs->value->data)
-#define X509_NAME_ENTRY_get_data_len(xs) (xs->value->length)
-
-#define SSL_CTX_get_extra_certs(ctx) (ctx->extra_certs)
-#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;}
-
-#define SSL_CIPHER_get_name(s) (s->name)
-#define SSL_CIPHER_get_valid(s) (s->valid)
-
-#define SSL_SESSION_get_session_id(s) (s->session_id)
-#define SSL_SESSION_get_session_id_length(s) (s->session_id_length)
-
-/**
- * Support for retrieving/overriding states
- */
-#ifndef SSL_get_state
-#define SSL_get_state(ssl) SSL_state(ssl)
-#endif
-
-#define SSL_set_state(ssl,val) (ssl)->state = val
-
-#define MODSSL_BIO_CB_ARG_TYPE const char
-#define MODSSL_CRYPTO_CB_ARG_TYPE const char
-#if (OPENSSL_VERSION_NUMBER < 0x00907000)
-# define MODSSL_INFO_CB_ARG_TYPE SSL*
-#else
-# define MODSSL_INFO_CB_ARG_TYPE const SSL*
-#endif
-#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
-#define MODSSL_PCHAR_CAST
-
-/** ...shifting sands of openssl... */
-#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
-# define MODSSL_D2I_SSL_SESSION_CONST const
-# define MODSSL_SSL_CIPHER_CONST const
-#else
-# define MODSSL_D2I_SSL_SESSION_CONST
-# define MODSSL_SSL_CIPHER_CONST
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
-# define MODSSL_D2I_ASN1_type_bytes_CONST const
-# define MODSSL_D2I_PrivateKey_CONST const
-# define MODSSL_D2I_X509_CONST const
-#else
-# define MODSSL_D2I_ASN1_type_bytes_CONST
-# define MODSSL_D2I_PrivateKey_CONST
-# define MODSSL_D2I_X509_CONST
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x00909000)
-# define MODSSL_SSL_METHOD_CONST const
-#else
-# define MODSSL_SSL_METHOD_CONST
-#endif
-
-#define modssl_X509_verify_cert X509_verify_cert
-
-typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
-
-#if (OPENSSL_VERSION_NUMBER < 0x00904000)
-#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
-#else
-#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb, arg)
-#endif
-
-#define modssl_PEM_X509_INFO_read_bio PEM_X509_INFO_read_bio
-
-#define modssl_PEM_read_bio_PrivateKey PEM_read_bio_PrivateKey
-
-#define modssl_set_cipher_list SSL_set_cipher_list
-
-#define modssl_free OPENSSL_free
-
-#define EVP_PKEY_reference_inc(pkey) \
- CRYPTO_add(&((pkey)->references), +1, CRYPTO_LOCK_X509_PKEY)
-
-#define X509_reference_inc(cert) \
- CRYPTO_add(&((cert)->references), +1, CRYPTO_LOCK_X509)
-
-#define HAVE_SSL_RAND_EGD /* since 9.5.1 */
-
-#define HAVE_SSL_X509V3_EXT_d2i
-
-#if OPENSSL_VERSION_NUMBER >= 0x00908080 && defined(HAVE_OCSP) \
- && !defined(OPENSSL_NO_TLSEXT)
-#define HAVE_OCSP_STAPLING
-#if (OPENSSL_VERSION_NUMBER < 0x10000000)
-#define sk_OPENSSL_STRING_pop sk_pop
-#endif
-#endif
-
-#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
-#define HAVE_FIPS
-#endif
-
-#ifndef PEM_F_DEF_CALLBACK
-#ifdef PEM_F_PEM_DEF_CALLBACK
-/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
-#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
-#endif
-#endif
-
-#ifndef modssl_set_verify
-#define modssl_set_verify(ssl, verify, cb) \
- SSL_set_verify(ssl, verify, cb)
-#endif
-
-#ifndef SSL_SESS_CACHE_NO_INTERNAL
-#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-#endif
-
-#ifndef OPENSSL_NO_TLSEXT
-#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
-#define OPENSSL_NO_TLSEXT
-#endif
-#endif
-
-#ifndef sk_STRING_pop
-#define sk_STRING_pop sk_pop
-#endif
-
-#endif /* SSL_TOOLKIT_COMPAT_H */
-
-/** @} */
if (pCert != NULL)
pFreeKey = pKey = X509_get_pubkey(pCert);
if (pKey != NULL) {
- switch (EVP_PKEY_key_type(pKey)) {
+ switch (EVP_PKEY_type(pKey->type)) {
case EVP_PKEY_RSA:
t = SSL_ALGO_RSA;
break;
** _________________________________________________________________
*/
-X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
+X509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
{
X509 *rc;
BIO *bioS;
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
- rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
+ rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
BIO_free(bioS);
if (rc == NULL) {
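Review bot: The rewritten signature keeps `char* filename` although its only visible use, `BIO_new_file(filename, "r")`, takes a `const char *`; since the prototype in ssl_util_ssl.h is being rewritten by this commit anyway, `X509 *SSL_read_X509(const char *filename, X509 **x509, pem_password_cb *cb)` would let callers pass string literals and const configuration values without casts. The same applies to `SSL_read_PrivateKey` and to `SSL_CTX_use_certificate_chain`'s `char *file` in the later hunks. SSL_read_X509's body continues past the end of this hunk.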
}
#endif
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
{
EVP_PKEY *rc;
BIO *bioS;
/* 1. try PEM (= DER+Base64+headers) */
if ((bioS=BIO_new_file(filename, "r")) == NULL)
return NULL;
- rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
+ rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
BIO_free(bioS);
if (rc == NULL) {
memcpy(cp, SSL_CIPHER_get_name(c), l);
cp += l;
*cp++ = '/';
- *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
+ *cp++ = (c->valid == 1 ? '1' : '0');
*cp++ = ':';
}
*(cp-1) = NUL;
xsn = X509_get_subject_name(xs);
for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsn)); i++) {
+ xsn->entries); i++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsn), i);
+ xsn->entries, i);
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (nid == NID_commonName) {
*cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
return FALSE;
}
- if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
+ if (BIO_read_filename(in, filename) <= 0) {
BIO_free(in);
return FALSE;
}
ERR_clear_error();
- modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+ PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
BIO_free(in);
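Review bot: The result of `PEM_X509_INFO_read_bio(in, sk, NULL, NULL)` is still discarded, so a CA/CRL file that fails to parse part-way through is treated exactly like a good one; the error queue is cleared right before the call and nothing within the hunk inspects it afterwards. This function already returns `FALSE` when `BIO_read_filename` fails, so handling a NULL return (which the PEM reader uses to report an error) the same way is the consistent choice: `if (PEM_X509_INFO_read_bio(in, sk, NULL, NULL) == NULL) {` followed by `BIO_free(in); return FALSE; }`. The enclosing function starts before and continues after this hunk, so whether a caller checks the error queue instead is not visible here.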
* should be sent to the peer in the SSL Certificate message.
*/
int SSL_CTX_use_certificate_chain(
- SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
+ SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
{
BIO *bio;
X509 *x509;
}
/* optionally skip a leading server certificate */
if (skipfirst) {
- if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+ if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
BIO_free(bio);
return -1;
}
X509_free(x509);
}
/* free a perhaps already configured extra chain */
- extra_certs=SSL_CTX_get_extra_certs(ctx);
+ extra_certs = ctx->extra_certs;
if (extra_certs != NULL) {
sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
- SSL_CTX_set_extra_certs(ctx,NULL);
+ ctx->extra_certs = NULL;
}
/* create new extra chain by loading the certs */
n = 0;
- while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
X509_free(x509);
BIO_free(bio);
*cp = NUL;
return str;
}
-int modssl_session_get_time(SSL_SESSION *session)
-{
- return SSL_SESSION_get_time(session);
-}
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
- unsigned char *g, int glen)
-{
- DH *dh;
-
- if (!(dh = DH_new())) {
- return NULL;
- }
-
- dh->p = BN_bin2bn(p, plen, NULL);
- dh->g = BN_bin2bn(g, glen, NULL);
- if (!(dh->p && dh->g)) {
- DH_free(dh);
- return NULL;
- }
-
- return dh;
-}
void SSL_init_app_data2_idx(void);
void *SSL_get_app_data2(SSL *);
void SSL_set_app_data2(SSL *, void *);
-X509 *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
-EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
+X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
+EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
int SSL_smart_shutdown(SSL *ssl);
X509_STORE *SSL_X509_STORE_create(char *, char *);
int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
+int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
-int modssl_session_get_time(SSL_SESSION *session);
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
- unsigned char *g, int glen);
-
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */