From: Kaspar Brand Date: Sun, 29 Sep 2013 10:12:47 +0000 (+0000) Subject: Increase minimum required OpenSSL version to 0.9.8a (in preparation X-Git-Tag: 2.5.0-alpha~4995 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=725978c55498b78a86fcbc884169fd71cf10b522;p=apache Increase minimum required OpenSSL version to 0.9.8a (in preparation for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y functions added in that release): - remove obsolete #defines / macros - in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not - for ECC and SRP support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly For the discussion prior to taking this step, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527294 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8b37fbda47..357ccb322a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand] + *) mod_lua: Let the Inter-VM get/set functions work with a global shared memory pool instead of a per-process pool. [Daniel Gruno] diff --git a/acinclude.m4 b/acinclude.m4 index ee273ef099..056bbd5e8b 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -570,12 +570,12 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[ fi fi - AC_MSG_CHECKING([for OpenSSL version >= 0.9.7]) + AC_MSG_CHECKING([for OpenSSL version >= 0.9.8a]) AC_TRY_COMPILE([#include ],[ #if !defined(OPENSSL_VERSION_NUMBER) #error "Missing OpenSSL version" #endif -#if OPENSSL_VERSION_NUMBER < 0x0090700f +#if OPENSSL_VERSION_NUMBER < 0x0090801f #error "Unsupported OpenSSL version " OPENSSL_VERSION_TEXT #endif], [AC_MSG_RESULT(OK) diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 881c443311..d699d2ecab 100644 
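Review bot: The new minimum version literal `0x0090801f` is now hard-coded both in this AC_TRY_COMPILE test and in the `#error` check in modules/ssl/ssl_private.h (hunk @@ -105), with nothing tying the two together, so the next bump can easily update one and miss the other. A one-line comment above the check, `# keep in sync with the OPENSSL_VERSION_NUMBER check in modules/ssl/ssl_private.h`, and the mirror-image comment in the header make the coupling visible at both sites. The AC_MSG_CHECKING text and the literal agree (0.9.8a), which is what the header comment should point at as well.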
--- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -153,7 +153,7 @@ static const command_rec ssl_config_cmds[] = { SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, "Strict SNI virtual host checking") -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP SSL_CMD_SRV(SRPVerifierFile, TAKE1, "SRP verifier file " "('/path/to/file' - created by srptool)") diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 9734106e99..d0742cb43f 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -148,7 +148,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) mctx->stapling_force_url = NULL; #endif -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP mctx->srp_vfile = NULL; mctx->srp_unknown_user_seed = NULL; mctx->srp_vbase = NULL; @@ -209,7 +209,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET; sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET; -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT sc->strict_sni_vhost_check = SSL_ENABLED_UNSET; #endif #ifdef HAVE_FIPS @@ -283,7 +283,7 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base, cfgMerge(stapling_force_url, NULL); #endif -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP cfgMergeString(srp_vfile); cfgMergeString(srp_unknown_user_seed); #endif @@ -344,7 +344,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET); cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET); -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET); #endif #ifdef HAVE_FIPS 
@@ -1664,7 +1664,7 @@ const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag) const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag) { -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT SSLSrvConfigRec *sc = mySrvConfig(cmd->server); sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; @@ -1834,7 +1834,7 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, return NULL; } #endif -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg) @@ -1858,7 +1858,7 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, return NULL; } -#endif /* OPENSSL_NO_SRP */ +#endif /* HAVE_SRP */ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) { diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 0ba6375f36..9a47bc02fe 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -35,7 +35,7 @@ ** _________________________________________________________________ */ -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC #define KEYTYPES "RSA, DSA or ECC" #else #define KEYTYPES "RSA or DSA" @@ -303,7 +303,7 @@ static void ssl_init_server_check(server_rec *s, */ if (mctx->pks->certs[SSL_AIDX_RSA] || mctx->pks->certs[SSL_AIDX_DSA] -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC || mctx->pks->certs[SSL_AIDX_ECC] #endif ) @@ -315,7 +315,7 @@ static void ssl_init_server_check(server_rec *s, } } -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT static void ssl_init_ctx_tls_extensions(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -349,7 +349,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s, } #endif -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP /* * TLS-SRP support */ 
@@ -482,7 +482,7 @@ static void ssl_init_ctx_protocol(server_rec *s, #ifdef SSL_OP_NO_COMPRESSION /* OpenSSL >= 1.0 only */ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); -#elif OPENSSL_VERSION_NUMBER >= 0x00908000L +#else sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); #endif } @@ -500,7 +500,7 @@ static void ssl_init_ctx_protocol(server_rec *s, * Configure additional context ingredients */ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); #endif @@ -836,7 +836,7 @@ static void ssl_init_ctx(server_rec *s, if (mctx->pks) { /* XXX: proxy support? */ ssl_init_ctx_cert_chain(s, p, ptemp, mctx); -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); #endif } @@ -849,7 +849,7 @@ static int ssl_server_import_cert(server_rec *s, { SSLModConfigRec *mc = myModConfig(s); ssl_asn1_t *asn1; - MODSSL_D2I_X509_CONST unsigned char *ptr; + const unsigned char *ptr; const char *type = ssl_asn1_keystr(idx); X509 *cert; @@ -896,12 +896,12 @@ static int ssl_server_import_key(server_rec *s, { SSLModConfigRec *mc = myModConfig(s); ssl_asn1_t *asn1; - MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; + const unsigned char *ptr; const char *type = ssl_asn1_keystr(idx); int pkey_type; EVP_PKEY *pkey; -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC if (idx == SSL_AIDX_ECC) pkey_type = EVP_PKEY_EC; else 
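Review bot: The bare `#else` that replaces the `OPENSSL_VERSION_NUMBER >= 0x00908000L` test in ssl_init_ctx_protocol now silently encodes the new 0.9.8a floor: the branch is only correct because every supported OpenSSL that lacks SSL_OP_NO_COMPRESSION is a 0.9.8 release where SSL_COMP_get_compression_methods() exists. Since the header comment added in this commit asks maintainers to reason by feature rather than version, the assumption should be stated where it is relied on, e.g. `#else /* OpenSSL 0.9.8: no SSL_OP_NO_COMPRESSION, so empty the compression-method stack instead */`. Emptying that stack is what keeps TLS compression disabled (the behaviour the CRIME attack exploits), so the fallback branch deserves to remain as visible as the 1.0 one. The enclosing function starts before this hunk and continues after it.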
@@ -1005,30 +1005,30 @@ static void ssl_init_server_certs(server_rec *s, modssl_ctx_t *mctx) { const char *rsa_id, *dsa_id; -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC const char *ecc_id; #endif const char *vhost_id = mctx->sc->vhost_id; int i; int have_rsa, have_dsa; -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC int have_ecc; #endif rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); #endif have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); #endif if (!(have_rsa || have_dsa -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC || have_ecc #endif )) { @@ -1044,12 +1044,12 @@ static void ssl_init_server_certs(server_rec *s, have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); #endif if (!(have_rsa || have_dsa -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC || have_ecc #endif )) { @@ -1058,7 +1058,7 @@ static void ssl_init_server_certs(server_rec *s, ssl_die(s); } -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC /* Enable ECDHE by configuring a default curve */ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); @@ -1370,7 +1370,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) klen = strlen(key); if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { -#ifdef OPENSSL_NO_TLSEXT +#ifndef HAVE_TLSEXT int level = APLOG_WARNING; const char *problem = "conflict"; #else 
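Review bot: The ECDHE setup under the new `#ifdef HAVE_ECC` at the end of ssl_init_server_certs (hunk @@ -1058) passes the EC_KEY returned by EC_KEY_new_by_curve_name() straight into SSL_CTX_set_tmp_ecdh() and never releases it; SSL_CTX_set_tmp_ecdh() copies the key rather than taking ownership, so one EC_KEY is leaked per context initialisation, and a NULL return from EC_KEY_new_by_curve_name() is not checked either. Replace the call with `EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);` followed by `if (ecdh) { SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, ecdh); EC_KEY_free(ecdh); }`. The defect predates this commit, but the guard rewrite touches exactly these lines, so it is the natural moment to fix it. The enclosing function starts before the hunk.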
@@ -1394,7 +1394,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) } if (conflict) { -#ifdef OPENSSL_NO_TLSEXT +#ifndef HAVE_TLSEXT ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) "Init: You should not use name-based " "virtual hosts in conjunction with SSL!!"); @@ -1543,7 +1543,7 @@ static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx) { MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx); -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP if (mctx->srp_vbase != NULL) { SRP_VBASE_free(mctx->srp_vbase); mctx->srp_vbase = NULL; diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 58560d85d5..4c4382da91 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -1113,7 +1113,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) server = sslconn->server; if (sslconn->is_proxy) { -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT apr_ipsubnet_t *ip; #endif const char *hostname_note = apr_table_get(c->notes, @@ -1121,7 +1121,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) BOOL proxy_ssl_check_peer_ok = TRUE; sc = mySrvConfig(server); -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT /* * Enable SNI for backend requests. Make sure we don't do it for * pure SSLv3 connections, and also prevent IP addresses diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 12d73d5924..36f3c7046b 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -33,7 +33,7 @@ #include "util_md5.h" static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); #endif 
@@ -120,7 +120,7 @@ int ssl_hook_ReadReq(request_rec *r) SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLConnRec *sslconn; const char *upgrade; -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT const char *servername; #endif SSL *ssl; @@ -163,7 +163,7 @@ int ssl_hook_ReadReq(request_rec *r) if (!ssl) { return DECLINED; } -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { char *host, *scope_id; apr_port_t port; @@ -330,7 +330,7 @@ int ssl_hook_Access(request_rec *r) return DECLINED; } -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP /* * Support for per-directory reconfigured SSL connection parameters * @@ -1114,7 +1114,7 @@ static const char *ssl_hook_Fixup_vars[] = { "SSL_SERVER_A_SIG", "SSL_SESSION_ID", "SSL_SESSION_RESUMED", -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP "SSL_SRP_USER", "SSL_SRP_USERINFO", #endif @@ -1128,7 +1128,7 @@ int ssl_hook_Fixup(request_rec *r) SSLDirConfigRec *dc = myDirConfig(r); apr_table_t *env = r->subprocess_env; char *var, *val = ""; -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT const char *servername; #endif STACK_OF(X509) *peer_certs; @@ -1157,7 +1157,7 @@ int ssl_hook_Fixup(request_rec *r) /* the always present HTTPS (=HTTP over SSL) flag! */ apr_table_setn(env, "HTTPS", "on"); -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT /* add content of SNI TLS extension (if supplied with ClientHello) */ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { apr_table_set(env, "SSL_TLS_SNI", servername); @@ -1851,7 +1851,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) } } -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT /* * This callback function is executed when OpenSSL encounters an extended * client hello with a server name indication extension ("SNI", cf. RFC 4366). 
@@ -2002,7 +2002,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) return 0; } -#endif /* OPENSSL_NO_TLSEXT */ +#endif /* HAVE_TLSEXT */ #ifdef HAVE_TLS_SESSION_TICKETS /* @@ -2165,7 +2165,7 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, #endif /* HAVE_TLS_NPN */ -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) { @@ -2189,4 +2189,4 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) return SSL_ERROR_NONE; } -#endif /* OPENSSL_NO_SRP */ +#endif /* HAVE_SRP */ diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index 23ccaf4a2d..ca8e130fb9 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -708,7 +708,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01966) "Init: Failed to create pass phrase pipe '%s'", sc->server->pphrase_dialog_path); - PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); + PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf, 0, (unsigned int)bufsize); return (-1); } @@ -718,7 +718,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) } else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ #ifdef WIN32 - PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); + PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf, 0, (unsigned int)bufsize); return (-1); #else @@ -769,7 +769,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) i = EVP_read_pw_string(buf, bufsize, "", FALSE); } if (i != 0) { - PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); + PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf, 0, (unsigned int)bufsize); return (-1); } 
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 536e6b1f73..922bf7c11f 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -382,7 +382,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { result = ssl_var_lookup_ssl_compress_meth(ssl); } -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { result = apr_pstrdup(p, SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)); @@ -395,7 +395,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, #endif result = apr_pstrdup(p, flag ? "true" : "false"); } -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP else if (ssl != NULL && strcEQ(var, "SRP_USER")) { if ((result = SSL_get_srp_username(ssl)) != NULL) { result = apr_pstrdup(p, result); @@ -879,7 +879,7 @@ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p) * success and writes the string to the given bio. */ static int dump_extn_value(BIO *bio, ASN1_OCTET_STRING *str) { - MODSSL_D2I_ASN1_type_bytes_CONST unsigned char *pp = str->data; + const unsigned char *pp = str->data; ASN1_STRING *ret = ASN1_STRING_new(); int rv = 0; @@ -975,7 +975,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) { char *result = "NULL"; -#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP) +#ifndef OPENSSL_NO_COMP SSL_SESSION *pSession = SSL_get_session(ssl); if (pSession) { diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 0e9fd70aba..6e47ef6342 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h 
@@ -105,74 +105,59 @@ #include #endif -#if (OPENSSL_VERSION_NUMBER < 0x0090700f) -#error mod_ssl requires OpenSSL 0.9.7 or later +#if (OPENSSL_VERSION_NUMBER < 0x0090801f) +#error mod_ssl requires OpenSSL 0.9.8a or later #endif -/* ...shifting sands of OpenSSL... */ -#if (OPENSSL_VERSION_NUMBER >= 0x0090707f) -#define MODSSL_D2I_SSL_SESSION_CONST const -#else -#define MODSSL_D2I_SSL_SESSION_CONST -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x00908000) -#define HAVE_GENERATE_EX -#define MODSSL_D2I_ASN1_type_bytes_CONST const -#define MODSSL_D2I_PrivateKey_CONST const -#define MODSSL_D2I_X509_CONST const +/** + * ...shifting sands of OpenSSL... + * Note: when adding support for new OpenSSL features, avoid explicit + * version number checks whenever possible, and use "feature-based" + * detection instead (check for definitions of constants or functions) + */ +#if (OPENSSL_VERSION_NUMBER >= 0x10000000) +#define MODSSL_SSL_CIPHER_CONST const +#define MODSSL_SSL_METHOD_CONST const #else -#define MODSSL_D2I_ASN1_type_bytes_CONST -#define MODSSL_D2I_PrivateKey_CONST -#define MODSSL_D2I_X509_CONST -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \ - && !defined(OPENSSL_NO_TLSEXT) -#define HAVE_OCSP_STAPLING -#if (OPENSSL_VERSION_NUMBER < 0x10000000) -#define sk_OPENSSL_STRING_pop sk_pop -#endif +#define MODSSL_SSL_CIPHER_CONST +#define MODSSL_SSL_METHOD_CONST #endif -#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS) +#if defined(OPENSSL_FIPS) #define HAVE_FIPS #endif -#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ - && !defined(OPENSSL_NO_TLSEXT) -#define HAVE_TLS_NPN +#if defined(SSL_OP_NO_TLSv1_2) +#define HAVE_TLSV1_X #endif -#ifdef SSL_CONF_FLAG_FILE +#if defined(SSL_CONF_FLAG_FILE) #define HAVE_SSL_CONF_CMD #endif -#if (OPENSSL_VERSION_NUMBER >= 0x10000000) -#define MODSSL_SSL_CIPHER_CONST const -#define MODSSL_SSL_METHOD_CONST const -#else -#define MODSSL_SSL_CIPHER_CONST -#define 
MODSSL_SSL_METHOD_CONST -/* ECC support came along in OpenSSL 1.0.0 */ -#define OPENSSL_NO_EC -#endif +/** + * The following features all depend on TLS extension support. + * Within this block, check again for features (not version numbers). + */ +#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) -#ifndef PEM_F_DEF_CALLBACK -#ifdef PEM_F_PEM_DEF_CALLBACK -/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ -#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK -#endif +#define HAVE_TLSEXT + +/* ECC: make sure we have at least 1.0.0 */ +#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed) +#define HAVE_ECC #endif -#ifndef OPENSSL_NO_TLSEXT -#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME -#define OPENSSL_NO_TLSEXT +/* OCSP stapling */ +#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) +#define HAVE_OCSP_STAPLING +#ifndef sk_OPENSSL_STRING_pop +#define sk_OPENSSL_STRING_pop sk_pop #endif #endif -#ifndef OPENSSL_NO_TLSEXT -#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB +/* TLS session tickets */ +#if defined(SSL_CTX_set_tlsext_ticket_key_cb) #define HAVE_TLS_SESSION_TICKETS #define TLSEXT_TICKET_KEY_LEN 48 #ifndef tlsext_tick_md @@ -183,26 +168,20 @@ #endif #endif #endif -#endif - -#ifdef SSL_OP_NO_TLSv1_2 -#define HAVE_TLSV1_X -#endif -#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ - && OPENSSL_VERSION_NUMBER < 0x00908000L -#define OPENSSL_NO_COMP +/* Next Protocol Negotiation */ +#if !defined(OPENSSL_NO_NEXTPROTONEG) && defined(OPENSSL_NPN_NEGOTIATED) +#define HAVE_TLS_NPN #endif -/* SRP support came in OpenSSL 1.0.1 */ -#ifndef OPENSSL_NO_SRP -#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB +/* Secure Remote Password */ +#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB) +#define HAVE_SRP #include -#else -#define OPENSSL_NO_SRP -#endif #endif +#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ + /* mod_ssl headers */ #include "ssl_util_ssl.h" 
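Review bot: HAVE_ECC is now defined only inside the `!defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)` block, so a build without TLS extension support loses ECC certificates, SSL_AIDX_ECC and the ECDHE setup in ssl_engine_init.c entirely, yet the comment on the check only says `ECC: make sure we have at least 1.0.0`. The test is for TLSEXT_ECPOINTFORMAT_uncompressed rather than a version, so the comment should state what is actually relied on: `/* ECC: needs the point-format/curve TLS extensions (RFC 4492); TLSEXT_ECPOINTFORMAT_uncompressed doubles as the 1.0.0 marker */`. Directly under the new note telling maintainers to avoid explicit version checks, the MODSSL_SSL_CIPHER_CONST/MODSSL_SSL_METHOD_CONST block still tests `OPENSSL_VERSION_NUMBER >= 0x10000000`; a one-line comment that constness of those pointers has no macro to detect, making this the deliberate exception, would stop the two from reading as contradictory. The same `0x0090801f` floor is also enforced in acinclude.m4, which the `#error` line could mention.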
@@ -296,7 +275,7 @@ typedef int ssl_algo_t; #define SSL_ALGO_UNKNOWN (0) #define SSL_ALGO_RSA (1<<0) #define SSL_ALGO_DSA (1<<1) -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC #define SSL_ALGO_ECC (1<<2) #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) #else @@ -305,7 +284,7 @@ typedef int ssl_algo_t; #define SSL_AIDX_RSA (0) #define SSL_AIDX_DSA (1) -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC #define SSL_AIDX_ECC (2) #define SSL_AIDX_MAX (3) #else @@ -661,7 +640,7 @@ typedef struct { const char *stapling_force_url; #endif -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP char *srp_vfile; char *srp_unknown_user_seed; SRP_VBASE *srp_vbase; @@ -695,7 +674,7 @@ struct SSLSrvConfigRec { ssl_enabled_t proxy_ssl_check_peer_expire; ssl_enabled_t proxy_ssl_check_peer_cn; ssl_enabled_t proxy_ssl_check_peer_name; -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT ssl_enabled_t strict_sni_vhost_check; #endif #ifdef HAVE_FIPS @@ -801,7 +780,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); #endif @@ -840,7 +819,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); void ssl_callback_Info(const SSL *, int, int); -#ifndef OPENSSL_NO_TLSEXT +#ifdef HAVE_TLSEXT int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); #endif #ifdef HAVE_TLS_SESSION_TICKETS 
@@ -875,7 +854,7 @@ void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, mods void ssl_stapling_ex_init(void); int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); #endif -#ifndef OPENSSL_NO_SRP +#ifdef HAVE_SRP int ssl_callback_SRPServerParams(SSL *, int *, void *); #endif diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c index d32f8e1dd6..bfed6e7c1c 100644 --- a/modules/ssl/ssl_scache.c +++ b/modules/ssl/ssl_scache.c @@ -148,7 +148,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, SSLModConfigRec *mc = myModConfig(s); unsigned char dest[SSL_SESSION_MAX_DER]; unsigned int destlen = SSL_SESSION_MAX_DER; - MODSSL_D2I_SSL_SESSION_CONST unsigned char *ptr; + const unsigned char *ptr; apr_status_t rv; if (mc->sesscache->flags & AP_SOCACHE_FLAG_NOTMPSAFE) { diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c index c102789adc..df98f5e854 100644 --- a/modules/ssl/ssl_util.c +++ b/modules/ssl/ssl_util.c @@ -151,7 +151,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey) case EVP_PKEY_DSA: t = SSL_ALGO_DSA; break; -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC case EVP_PKEY_EC: t = SSL_ALGO_ECC; break; @@ -177,7 +177,7 @@ char *ssl_util_algotypestr(ssl_algo_t t) case SSL_ALGO_DSA: cp = "DSA"; break; -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC case SSL_ALGO_ECC: cp = "ECC"; break; @@ -253,7 +253,7 @@ void ssl_asn1_table_unset(apr_hash_t *table, apr_hash_set(table, key, klen, NULL); } -#ifndef OPENSSL_NO_EC +#ifdef HAVE_ECC static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"}; #else static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
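Review bot: `ssl_asn1_key_types` in the last hunk gains its "ECC" entry under `#ifdef HAVE_ECC` and, judging from the `ssl_asn1_keystr(idx)` calls in ssl_engine_init.c, is presumably indexed by the SSL_AIDX_* values, so its length has to track SSL_AIDX_MAX in ssl_private.h, which is switched to the same HAVE_ECC guard in this commit. Nothing at the definition records that invariant; a comment such as `/* indexed by SSL_AIDX_*; keep in step with SSL_AIDX_MAX in ssl_private.h */` above the `#ifdef HAVE_ECC` would make the coupling explicit for the next person who adds a key type.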