-*- coding: utf-8 -*-
Changes with Apache 2.4.0
+ *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
+ or later, to improve binary compatibility with future OpenSSL releases.
+ [Kaspar Brand]
+
*) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
behave identically in both cases. PR52342. [Graham Leggett]
{
STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
int n;
+ STACK_OF(X509) *extra_certs = NULL;
- if (!mctx->ssl_ctx->extra_certs)
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ if (!extra_certs)
for (n = 1; n < sk_X509_num(certs); ++n)
SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
}
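Review bot: The new `if (!extra_certs)` guards an unbraced `for` whose own body (the `SSL_CTX_add_extra_chain_cert(...)` call) is unbraced too, two nesting levels that a later edit could break without any compiler complaint; both the `if` and the `for` should get braces. The status returned by `SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs)` in the `OPENSSL_NO_SSL_INTERN` branch is discarded, so a failing ctrl leaves `extra_certs` NULL and the PKCS#7 chain is (re)installed; that is presumably the intended default, but a comment like `/* extra_certs stays NULL when no chain is configured (or the ctrl fails): install the PKCS#7 chain */` would make the fallback explicit. The enclosing function starts before this hunk.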
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
"Awaiting re-negotiation handshake");
- /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
+ /* XXX: Should replace setting state with SSL_renegotiate(ssl);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_set_state(ssl, SSL_ST_ACCEPT);
+#else
ssl->state = SSL_ST_ACCEPT;
+#endif
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
id = session->session_id;
idlen = session->session_id_length;
+#endif
rc = ssl_scache_store(s, id, idlen,
apr_time_from_sec(SSL_SESSION_get_time(session)
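Review bot: `SSL_SESSION_get_id()` returns `const unsigned char *`, and the cast in `id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);` strips the qualifier only so that `id` fits the non-const parameter of `ssl_scache_store()`; the same cast is repeated in the remove path below and in the SESSION_ID lookup hunk further down. Declaring `id` as `const unsigned char *` works for both preprocessor branches (the `#else` branch assigns an array, which decays to a const-compatible pointer) and would let `ssl_scache_store()`/`ssl_scache_remove()` take a `const unsigned char *id` as well, since a cache key is never written through. The declarations of `id` and `idlen` are outside the hunk; if `idlen` is not already `unsigned int` there, `&idlen` is an incompatible pointer argument for `SSL_SESSION_get_id()`, which is worth verifying in the enclosing callback.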
/*
* Remove the SSL_SESSION from the inter-process cache
*/
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
id = session->session_id;
idlen = session->session_id_length;
+#endif
/* TODO: Do we need a temp pool here, or are we always shutting down? */
ssl_scache_remove(s, id, idlen, sc->mc->pPool);
sslcon = myConnConfig(c);
if (found && (ssl = sslcon->ssl) &&
(sc = mySrvConfig(s))) {
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
/*
* SSL_set_SSL_CTX() only deals with the server cert,
* so we need to duplicate a few additional settings
* from the ctx by hand
*/
- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
/*
* Otherwise, we would possibly reset a per-directory
* configuration which was put into effect by ssl_hook_Access.
*/
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+ SSL_CTX_get_verify_callback(ctx));
}
/*
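Review bot: `ctx` is captured by `SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);` before `SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);` runs, so it is the context of the vhost the connection started on, whereas the removed `ssl->ctx` reads were evaluated after the switch and referred to the newly selected vhost. The values copied at `SSL_set_options(ssl, SSL_CTX_get_options(ctx))` and `SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), SSL_CTX_get_verify_callback(ctx))` therefore come from the previous SSL_CTX, so the SNI-selected vhost's protocol options and client-verification settings would not be applied to this connection; this is a behaviour change of the commit, not a pure accessor swap. `SSL_set_SSL_CTX()` returns the context now attached to the SSL, so the two lines can be collapsed to `SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);`, or the `SSL_get_SSL_CTX(ssl)` call moved after the set. The enclosing function begins before this hunk.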
char buf[SSL_SESSION_ID_STRING_LEN];
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
- result = apr_pstrdup(p, SSL_SESSION_id2sz(
- pSession->session_id,
- pSession->session_id_length,
- buf, sizeof(buf)));
+ unsigned char *id;
+ unsigned int idlen;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
+#else
+ id = pSession->session_id;
+ idlen = pSession->session_id_length;
+#endif
+
+ result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
+ buf, sizeof(buf)));
}
}
else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
{
char *result = "NULL";
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
+#ifdef OPENSSL_NO_SSL_INTERN
+ switch (SSL_SESSION_get_compress_id(pSession)) {
+#else
switch (pSession->compress_meth) {
+#endif
case 0:
/* default "NULL" already set */
break;
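Review bot: The `#ifdef OPENSSL_NO_SSL_INTERN` around `switch (SSL_SESSION_get_compress_id(pSession)) {` versus `switch (pSession->compress_meth) {` puts the opening brace of the switch inside each preprocessor branch while the closing brace (outside this hunk) is shared, which defeats brace matching in editors and makes the statement easy to break when a case is edited. Reading the compression id into a local first keeps the preprocessor out of the statement, as below. The added `!defined(OPENSSL_NO_COMP)` guard on the outer `#if` is correct: without compression support the function simply returns the literal "NULL" result. The rest of the switch and the end of the function lie outside the hunk.
```c
    if (pSession) {
        unsigned int meth;
#ifdef OPENSSL_NO_SSL_INTERN
        meth = SSL_SESSION_get_compress_id(pSession);
#else
        meth = pSession->compress_meth;
#endif
        switch (meth) {
        /* … unchanged: case labels … */
```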
#include "ap_expr.h"
/* OpenSSL headers */
+#include <openssl/opensslv.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+/* must be defined before including ssl.h */
+#define OPENSSL_NO_SSL_INTERN
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
return rc;
}
-/* _________________________________________________________________
-**
-** Cipher Suite Spec String Creation
-** _________________________________________________________________
-*/
-
-char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
-{
- STACK_OF(SSL_CIPHER) *sk;
- SSL_CIPHER *c;
- int i;
- int l;
- char *cpCipherSuite;
- char *cp;
-
- if (ssl == NULL)
- return "";
- if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
- return "";
- l = 0;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- l += strlen(SSL_CIPHER_get_name(c))+2+1;
- }
- if (l == 0)
- return "";
- cpCipherSuite = (char *)apr_palloc(p, l+1);
- cp = cpCipherSuite;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- l = strlen(SSL_CIPHER_get_name(c));
- memcpy(cp, SSL_CIPHER_get_name(c), l);
- cp += l;
- *cp++ = '/';
- *cp++ = (c->valid == 1 ? '1' : '0');
- *cp++ = ':';
- }
- *(cp-1) = NUL;
- return cpCipherSuite;
-}
-
/* _________________________________________________________________
**
** Certificate Checks
X509 *x509;
unsigned long err;
int n;
- STACK_OF(X509) *extra_certs;
if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
return -1;
X509_free(x509);
}
/* free a perhaps already configured extra chain */
- extra_certs = ctx->extra_certs;
- if (extra_certs != NULL) {
- sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+ if (ctx->extra_certs != NULL) {
+ sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
}
+#endif
/* create new extra chain by loading the certs */
n = 0;
while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
int SSL_smart_shutdown(SSL *ssl);
-char *SSL_make_ciphersuite(apr_pool_t *, SSL *);
BOOL SSL_X509_isSGC(X509 *);
BOOL SSL_X509_getBC(X509 *, int *, int *);
char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
X509_STORE_CTX inctx;
+ STACK_OF(X509) *extra_certs = NULL;
- for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
- issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
return issuer;
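Review bot: The loop at `for (i = 0; i < sk_X509_num(extra_certs); i++)` silently relies on `sk_X509_num()` returning -1 for a NULL stack, which is the case when no extra chain is configured and, in the `OPENSSL_NO_SSL_INTERN` branch, when `SSL_CTX_get_extra_chain_certs()` fails, since its status is discarded; the PKCS#7 hunk near the top of the diff has the same unchecked call but makes the NULL case explicit with `if (!extra_certs)`. A comment on the line before the loop, `/* extra_certs may be NULL: sk_X509_num(NULL) is -1, so no issuer is found here */`, would record the intent. The enclosing lookup function begins before this hunk and continues after it.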