4 0 0 200 0 20 8 0.0000 4 90 465 11745 4770 ->method\001
4 0 0 200 0 20 8 0.0000 4 120 1665 9945 6480 X509_STORE_CTX_get_app_data()\001
4 0 0 200 0 20 8 0.0000 4 120 1215 10980 6705 SSL_CTX_get_cert_store()\001
-4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 SSL_get_app_data2()\001
+4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 modssl_get_app_data2()\001
4 0 0 100 0 18 20 0.0000 4 270 1290 10710 7605 OpenSSL\001
4 0 0 100 0 18 12 0.0000 4 180 720 10710 7785 [Crypto]\001
4 0 0 100 0 18 20 0.0000 4 270 1290 10935 3645 OpenSSL\001
gs 1 -1 sc (SSL_CTX_get_cert_store\(\)) col0 sh gr
/Helvetica-Narrow-iso ff 120.00 scf sf
8280 5130 m
-gs 1 -1 sc (SSL_get_app_data2\(\)) col0 sh gr
+gs 1 -1 sc (modssl_get_app_data2\(\)) col0 sh gr
/Helvetica-Bold-iso ff 180.00 scf sf
3645 1620 m
gs 1 -1 sc (SSLDirConfig) col0 sh gr
}
SSL_set_app_data(ssl, c);
- SSL_set_app_data2(ssl, NULL); /* will be request_rec */
+ modssl_set_app_data2(ssl, NULL); /* will be request_rec */
sslconn->ssl = ssl;
seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
#else
return apr_pstrcat(cmd->pool, "Invalid SSLRandomSeed entropy source `",
- arg2, "': This version of " SSL_LIBRARY_NAME
+ arg2, "': This version of " MODSSL_LIBRARY_NAME
" does not support the Entropy Gathering Daemon "
"(EGD).", NULL);
#endif
apr_status_t rv;
apr_array_header_t *pphrases;
- if (SSLeay() < SSL_LIBRARY_VERSION) {
+ if (SSLeay() < MODSSL_LIBRARY_VERSION) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
"Init: this version of mod_ssl was compiled against "
"a newer library (%s, version currently loaded is %s)"
" - may result in undefined or erroneous behavior",
- SSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
+ MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
}
/* We initialize mc->pid per-process in the child init,
#endif
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01883)
- "Init: Initialized %s library", SSL_LIBRARY_NAME);
+ "Init: Initialized %s library", MODSSL_LIBRARY_NAME);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_add_version_components(p, base_server);
- SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
+ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
init_dh_params();
return APR_SUCCESS;
}
+/*
+ * Read a file that optionally contains the server certificate in PEM
+ * format, possibly followed by a sequence of CA certificates that
+ * should be sent to the peer in the SSL Certificate message.
+ */
+static int use_certificate_chain(
+ SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
+{
+ BIO *bio;
+ X509 *x509;
+ unsigned long err;
+ int n;
+
+ if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+ return -1;
+ if (BIO_read_filename(bio, file) <= 0) {
+ BIO_free(bio);
+ return -1;
+ }
+ /* optionally skip a leading server certificate */
+ if (skipfirst) {
+ if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+ BIO_free(bio);
+ return -1;
+ }
+ X509_free(x509);
+ }
+ /* free a perhaps already configured extra chain */
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+ if (ctx->extra_certs != NULL) {
+ sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
+ }
+#endif
+ /* create new extra chain by loading the certs */
+ n = 0;
+ while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
+ X509_free(x509);
+ BIO_free(bio);
+ return -1;
+ }
+ n++;
+ }
+ /* Make sure that only the error is just an EOF */
+ if ((err = ERR_peek_error()) > 0) {
+ if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
+ && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+ BIO_free(bio);
+ return -1;
+ }
+ while (ERR_get_error() > 0) ;
+ }
+ BIO_free(bio);
+ return n;
+}
+
static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
}
}
- n = SSL_CTX_use_certificate_chain(mctx->ssl_ctx,
- (char *)chain,
- skip_first, NULL);
+ n = use_certificate_chain(mctx->ssl_ctx, (char *)chain, skip_first, NULL);
if (n < 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
"Failed to configure CA certificate chain!");
* Some information about the certificate(s)
*/
- if (SSL_X509_getBC(cert, &is_ca, &pathlen)) {
+ if (modssl_X509_getBC(cert, &is_ca, &pathlen)) {
if (is_ca) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01906)
"%s server certificate is a CA certificate "
}
}
- if (SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
- TRUE, s) == FALSE) {
+ if (modssl_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
+ TRUE, s) == FALSE) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909)
"%s server certificate does NOT include an ID "
"which matches the server name", key_id);
}
#endif
+static BOOL load_x509_info(apr_pool_t *ptemp,
+ STACK_OF(X509_INFO) *sk,
+ const char *filename)
+{
+ BIO *in;
+
+ if (!(in = BIO_new(BIO_s_file()))) {
+ return FALSE;
+ }
+
+ if (BIO_read_filename(in, filename) <= 0) {
+ BIO_free(in);
+ return FALSE;
+ }
+
+ ERR_clear_error();
+
+ PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+
+ BIO_free(in);
+
+ return TRUE;
+}
+
static apr_status_t ssl_init_proxy_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
sk = sk_X509_INFO_new_null();
if (pkp->cert_file) {
- SSL_X509_INFO_load_file(ptemp, sk, pkp->cert_file);
+ load_x509_info(ptemp, sk, pkp->cert_file);
}
if (pkp->cert_path) {
- SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
+ apr_dir_t *dir;
+ apr_finfo_t dirent;
+ apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
+
+ if (apr_dir_open(&dir, pkp->cert_path, ptemp) == APR_SUCCESS) {
+ while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
+ const char *fullname;
+
+ if (dirent.filetype == APR_DIR) {
+ continue; /* don't try to load directories */
+ }
+
+ fullname = apr_pstrcat(ptemp,
+ pkp->cert_path, "/", dirent.name,
+ NULL);
+ load_x509_info(ptemp, sk, fullname);
+ }
+
+ apr_dir_close(dir);
+ }
}
if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
"CA certificate: %s",
- SSL_X509_NAME_to_string(ptemp, name, 0));
+ modssl_X509_NAME_to_string(ptemp, name, 0));
/*
* note that SSL_load_client_CA_file() checks for duplicates,
}
SSL_set_shutdown(ssl, shutdown_type);
- SSL_smart_shutdown(ssl);
+ modssl_smart_shutdown(ssl);
/* and finally log the fact that we've closed the connection */
if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), loglevel)) {
hostname_note) {
apr_table_unset(c->notes, "proxy-request-hostname");
if (!cert
- || SSL_X509_match_name(c->pool, cert, hostname_note,
- TRUE, server) == FALSE) {
+ || modssl_X509_match_name(c->pool, cert, hostname_note,
+ TRUE, server) == FALSE) {
proxy_ssl_check_peer_ok = FALSE;
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
"SSL Proxy: Peer certificate does not match "
if (rc >= 0) {
ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
"%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s",
- SSL_LIBRARY_NAME,
+ MODSSL_LIBRARY_NAME,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
bio, argp,
else {
ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s,
"%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: %pp]",
- SSL_LIBRARY_NAME, argi,
+ MODSSL_LIBRARY_NAME, argi,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
bio, argp);
}
}
}
#endif
- SSL_set_app_data2(ssl, r);
+ modssl_set_app_data2(ssl, r);
/*
* Log information about incoming HTTPS requests
SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
- request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
+ request_rec *r = (request_rec *)modssl_get_app_data2(ssl);
server_rec *s = r ? r->server : mySrvFromConn(conn);
SSLSrvConfigRec *sc = mySrvConfig(s);
const char *result,
long timeout)
{
- char buf[SSL_SESSION_ID_STRING_LEN];
+ char buf[MODSSL_SESSION_ID_STRING_LEN];
char timeout_str[56] = {'\0'};
if (!APLOGdebug(s)) {
"Inter-Process Session Cache: "
"request=%s status=%s id=%s %s(session %s)",
request, status,
- SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
+ modssl_SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
timeout_str, result);
}
*/
if (where & SSL_CB_HANDSHAKE_START) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
- "%s: Handshake: start", SSL_LIBRARY_NAME);
+ "%s: Handshake: start", MODSSL_LIBRARY_NAME);
}
else if (where & SSL_CB_HANDSHAKE_DONE) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
- "%s: Handshake: done", SSL_LIBRARY_NAME);
+ "%s: Handshake: done", MODSSL_LIBRARY_NAME);
}
else if (where & SSL_CB_LOOP) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Loop: %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_READ) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Read: %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_WRITE) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Write: %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (where & SSL_CB_ALERT) {
char *str = (where & SSL_CB_READ) ? "read" : "write";
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Alert: %s:%s:%s",
- SSL_LIBRARY_NAME, str,
+ MODSSL_LIBRARY_NAME, str,
SSL_alert_type_string_long(rc),
SSL_alert_desc_string_long(rc));
}
if (rc == 0) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Exit: failed in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
else if (rc < 0) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
"%s: Exit: error in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
}
int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2;
BIO_puts(bio, " [subject: ");
- name = SSL_X509_NAME_to_string(p, X509_get_subject_name(cert),
- maxdnlen);
+ name = modssl_X509_NAME_to_string(p, X509_get_subject_name(cert),
+ maxdnlen);
if (!strIsEmpty(name)) {
BIO_puts(bio, name);
} else {
}
BIO_puts(bio, " / issuer: ");
- name = SSL_X509_NAME_to_string(p, X509_get_issuer_name(cert),
- maxdnlen);
+ name = modssl_X509_NAME_to_string(p, X509_get_issuer_name(cert),
+ maxdnlen);
if (!strIsEmpty(name)) {
BIO_puts(bio, name);
} else {
* is not empty. */
ERR_clear_error();
- bReadable = ((pPrivateKey = SSL_read_PrivateKey(ppcb_arg.pkey_file,
+ bReadable = ((pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file,
NULL, ssl_pphrase_Handle_CB, &ppcb_arg)) != NULL ?
TRUE : FALSE);
}
static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
-static char var_library_interface[] = SSL_LIBRARY_TEXT;
+static char var_library_interface[] = MODSSL_LIBRARY_TEXT;
static char *var_library = NULL;
static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx,
APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
/* Perform once-per-process library version determination: */
- var_library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT);
+ var_library = apr_pstrdup(p, MODSSL_LIBRARY_DYNTEXT);
if ((cp = strchr(var_library, ' ')) != NULL) {
*cp = '/';
result = (char *)SSL_get_version(ssl);
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
- char buf[SSL_SESSION_ID_STRING_LEN];
+ char buf[MODSSL_SESSION_ID_STRING_LEN];
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
unsigned char *id;
idlen = pSession->session_id_length;
#endif
- result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
- buf, sizeof(buf)));
+ result = apr_pstrdup(p, modssl_SSL_SESSION_id2sz(id, idlen,
+ buf, sizeof(buf)));
}
}
else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
- result = SSL_X509_NAME_ENTRY_to_string(p, xsne);
+ result = modssl_X509_NAME_ENTRY_to_string(p, xsne);
break;
}
}
if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
return NULL;
- if (SSL_X509_getSAN(p, xs, type, atoi(var), &entries))
+ if (modssl_X509_getSAN(p, xs, type, atoi(var), &entries))
/* return the first entry from this 1-element array */
return APR_ARRAY_IDX(entries, 0, char *);
else
char *decimal = BN_bn2dec(bn);
result = apr_pstrcat(p, "{ serialNumber ", decimal,
", issuer rdnSequence:\"",
- SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
+ modssl_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
OPENSSL_free(decimal);
BN_free(bn);
}
apr_hash_set(count, &nid, sizeof nid, dup);
key = apr_pstrcat(p, pfx, tag, NULL);
}
- value = SSL_X509_NAME_ENTRY_to_string(p, xsne);
+ value = modssl_X509_NAME_ENTRY_to_string(p, xsne);
apr_table_setn(t, key, value);
}
}
/* subjectAltName entries of the server certificate */
xs = SSL_get_certificate(ssl);
if (xs) {
- if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
}
- if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
}
/* no need to free xs (refcount does not increase) */
/* subjectAltName entries of the client certificate */
xs = SSL_get_peer_certificate(ssl);
if (xs) {
- if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
}
- if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
}
X509_free(xs);
apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
- unsigned char encoded[SSL_SESSION_MAX_DER], *ptr;
+ unsigned char encoded[MODSSL_SESSION_MAX_DER], *ptr;
unsigned int len;
apr_status_t rv;
apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
- unsigned char dest[SSL_SESSION_MAX_DER];
- unsigned int destlen = SSL_SESSION_MAX_DER;
+ unsigned char dest[MODSSL_SESSION_MAX_DER];
+ unsigned int destlen = MODSSL_SESSION_MAX_DER;
const unsigned char *ptr;
apr_status_t rv;
* also note that OpenSSL increments at static variable when
* SSL_get_ex_new_index() is called, so we _must_ do this at startup.
*/
-static int SSL_app_data2_idx = -1;
+static int app_data2_idx = -1;
-void SSL_init_app_data2_idx(void)
+void modssl_init_app_data2_idx(void)
{
int i;
- if (SSL_app_data2_idx > -1) {
+ if (app_data2_idx > -1) {
return;
}
/* we _do_ need to call this twice */
- for (i=0; i<=1; i++) {
- SSL_app_data2_idx =
+ for (i = 0; i <= 1; i++) {
+ app_data2_idx =
SSL_get_ex_new_index(0,
"Second Application Data for SSL",
NULL, NULL, NULL);
}
}
-void *SSL_get_app_data2(SSL *ssl)
+void *modssl_get_app_data2(SSL *ssl)
{
- return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
+ return (void *)SSL_get_ex_data(ssl, app_data2_idx);
}
-void SSL_set_app_data2(SSL *ssl, void *arg)
+void modssl_set_app_data2(SSL *ssl, void *arg)
{
- SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
+ SSL_set_ex_data(ssl, app_data2_idx, (char *)arg);
return;
}
** _________________________________________________________________
*/
-EVP_PKEY *SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
+EVP_PKEY *modssl_read_privatekey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
{
EVP_PKEY *rc;
BIO *bioS;
** _________________________________________________________________
*/
-int SSL_smart_shutdown(SSL *ssl)
+int modssl_smart_shutdown(SSL *ssl)
{
int i;
int rc;
*/
/* retrieve basic constraints ingredients */
-BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
+BOOL modssl_X509_getBC(X509 *cert, int *ca, int *pathlen)
{
BASIC_CONSTRAINTS *bc;
BIGNUM *bn = NULL;
}
/* convert an ASN.1 string to a UTF-8 string (escaping control characters) */
-char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
+static char *asn1_string_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
{
char *result = NULL;
BIO *bio;
}
/* convert a NAME_ENTRY to UTF8 string */
-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
{
- char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
+ char *result = asn1_string_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
ap_xlate_proto_from_ascii(result, len);
return result;
}
* convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
* to maxlen characters (specify a maxlen of 0 for no length limit)
*/
-char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
+char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
{
char *result = NULL;
BIO *bio;
* GEN_EMAIL (rfc822Name)
* GEN_DNS (dNSName)
*/
-BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
- apr_array_header_t **entries)
+BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
+ apr_array_header_t **entries)
{
STACK_OF(GENERAL_NAME) *names;
switch (type) {
case GEN_EMAIL:
case GEN_DNS:
- utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5);
+ utf8str = asn1_string_to_utf8(p, name->d.ia5);
if (utf8str) {
APR_ARRAY_PUSH(*entries, const char *) = utf8str;
}
}
/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
-BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
+static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
{
X509_NAME *subj;
int i = -1;
/* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
if (!x509 ||
- (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
+ (modssl_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
*ids = NULL;
return FALSE;
}
subj = X509_get_subject_name(x509);
while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
APR_ARRAY_PUSH(*ids, const char *) =
- SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
+ modssl_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
}
return apr_is_empty_array(*ids) ? FALSE : TRUE;
* DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching.
* If server_rec is non-NULL, some (debug/trace) logging is enabled.
*/
-BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
- BOOL allow_wildcard, server_rec *s)
+BOOL modssl_X509_match_name(apr_pool_t *p, X509 *x509, const char *name,
+ BOOL allow_wildcard, server_rec *s)
{
BOOL matched = FALSE;
apr_array_header_t *ids;
* is found).
*/
- if (SSL_X509_getIDs(p, x509, &ids)) {
+ if (getIDs(p, x509, &ids)) {
const char *cp;
int i;
char **id = (char **)ids->elts;
if (s) {
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
- "[%s] SSL_X509_match_name: expecting name '%s', "
+ "[%s] modssl_X509_match_name: expecting name '%s', "
"%smatched by ID '%s'",
(mySrvConfig(s))->vhost_id, name,
matched == TRUE ? "" : "NOT ", id[i]);
return matched;
}
-/* _________________________________________________________________
-**
-** Low-Level CA Certificate Loading
-** _________________________________________________________________
-*/
-
-BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
- STACK_OF(X509_INFO) *sk,
- const char *filename)
-{
- BIO *in;
-
- if (!(in = BIO_new(BIO_s_file()))) {
- return FALSE;
- }
-
- if (BIO_read_filename(in, filename) <= 0) {
- BIO_free(in);
- return FALSE;
- }
-
- ERR_clear_error();
-
- PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
-
- BIO_free(in);
-
- return TRUE;
-}
-
-BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
- STACK_OF(X509_INFO) *sk,
- const char *pathname)
-{
- /* XXX: this dir read code is exactly the same as that in
- * ssl_engine_init.c, only the call to handle the fullname is different,
- * should fold the duplication.
- */
- apr_dir_t *dir;
- apr_finfo_t dirent;
- apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
- const char *fullname;
- BOOL ok = FALSE;
-
- if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) {
- return FALSE;
- }
-
- while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) {
- if (dirent.filetype == APR_DIR) {
- continue; /* don't try to load directories */
- }
-
- fullname = apr_pstrcat(ptemp,
- pathname, "/", dirent.name,
- NULL);
-
- if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) {
- ok = TRUE;
- }
- }
-
- apr_dir_close(dir);
-
- return ok;
-}
-
/* _________________________________________________________________
**
** Custom (EC)DH parameter support
}
#endif
-/* _________________________________________________________________
-**
-** Extra Server Certificate Chain Support
-** _________________________________________________________________
-*/
-
-/*
- * Read a file that optionally contains the server certificate in PEM
- * format, possibly followed by a sequence of CA certificates that
- * should be sent to the peer in the SSL Certificate message.
- */
-int SSL_CTX_use_certificate_chain(
- SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
-{
- BIO *bio;
- X509 *x509;
- unsigned long err;
- int n;
-
- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
- return -1;
- if (BIO_read_filename(bio, file) <= 0) {
- BIO_free(bio);
- return -1;
- }
- /* optionally skip a leading server certificate */
- if (skipfirst) {
- if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
- BIO_free(bio);
- return -1;
- }
- X509_free(x509);
- }
- /* free a perhaps already configured extra chain */
-#ifdef OPENSSL_NO_SSL_INTERN
- SSL_CTX_clear_extra_chain_certs(ctx);
-#else
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
-#endif
- /* create new extra chain by loading the certs */
- n = 0;
- while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
- if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
- X509_free(x509);
- BIO_free(bio);
- return -1;
- }
- n++;
- }
- /* Make sure that only the error is just an EOF */
- if ((err = ERR_peek_error()) > 0) {
- if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
- && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
- BIO_free(bio);
- return -1;
- }
- while (ERR_get_error() > 0) ;
- }
- BIO_free(bio);
- return n;
-}
-
/* _________________________________________________________________
**
** Session Stuff
** _________________________________________________________________
*/
-char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
- char *str, int strsize)
+char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen,
+ char *str, int strsize)
{
if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
* SSL library version number
*/
-#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
-#define SSL_LIBRARY_NAME "OpenSSL"
-#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
-#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+#define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+#define MODSSL_LIBRARY_NAME "OpenSSL"
+#define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+#define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
/**
* Maximum length of a DER encoded session.
* FIXME: There is no define in OpenSSL, but OpenSSL uses 1024*10,
* so this value should be ok. Although we have no warm feeling.
*/
-#define SSL_SESSION_MAX_DER 1024*10
+#define MODSSL_SESSION_MAX_DER 1024*10
-/** max length for SSL_SESSION_id2sz */
-#define SSL_SESSION_ID_STRING_LEN \
+/** max length for modssl_SSL_SESSION_id2sz */
+#define MODSSL_SESSION_ID_STRING_LEN \
((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)
/**
* Additional Functions
*/
-void SSL_init_app_data2_idx(void);
-void *SSL_get_app_data2(SSL *);
-void SSL_set_app_data2(SSL *, void *);
-EVP_PKEY *SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *);
-int SSL_smart_shutdown(SSL *ssl);
-BOOL SSL_X509_getBC(X509 *, int *, int *);
-char *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
-char *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
-BOOL SSL_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
-BOOL SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
-BOOL SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
-BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
-char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
+void modssl_init_app_data2_idx(void);
+void *modssl_get_app_data2(SSL *);
+void modssl_set_app_data2(SSL *, void *);
+EVP_PKEY *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *);
+int modssl_smart_shutdown(SSL *ssl);
+BOOL modssl_X509_getBC(X509 *, int *, int *);
+char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
+char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
+BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
+char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */
projects / apache / commitdiff