From: Kaspar Brand Date: Wed, 30 Sep 2015 11:31:43 +0000 (+0000) Subject: merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151, X-Git-Tag: 2.4.17~59 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b0dc766b75f07e25a0d5fcd79ee9da46ee5048b4;p=apache merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151, r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832, r1677834, r1677835 from trunk mod_ssl namespacing Proposed by: kbrand Reviewed by: ylavic, jorton mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo. For related discussion, see the dev@ thread starting at: http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2, and SSL_set_app_data2 from SSL_* to modssl_*. Update references in README.dsov.* files. Rename static variable SSL_app_data2_idx to just app_data2_idx since the symbol is internal to ssl_util_ssl.c. mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside ssl_util_ssl.c (no callers outside this file). The new static function name chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_ nor ASN1_ are safe prefixes to use without potential future overlap. mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to modssl_X509_NAME_ENTRY_to_string. mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the file ssl_util_ssl.c (no outside callers). Rename to just getIDs(). mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller ssl_init_proxy_certs() in ssl_engine_init.c. No functional change. Review by: kbrand mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c and make it a static function called load_x509_info(). mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c and make it a static function called use_certificate_chain(). mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz(). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/README.dsov.fig b/modules/ssl/README.dsov.fig index d8d03db247..77cd2ca277 100644 --- a/modules/ssl/README.dsov.fig +++ b/modules/ssl/README.dsov.fig @@ -339,7 +339,7 @@ Single 4 0 0 200 0 20 8 0.0000 4 90 465 11745 4770 ->method\001 4 0 0 200 0 20 8 0.0000 4 120 1665 9945 6480 X509_STORE_CTX_get_app_data()\001 4 0 0 200 0 20 8 0.0000 4 120 1215 10980 6705 SSL_CTX_get_cert_store()\001 -4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 SSL_get_app_data2()\001 +4 0 0 200 0 20 8 0.0000 4 120 1020 8280 5130 modssl_get_app_data2()\001 4 0 0 100 0 18 20 0.0000 4 270 1290 10710 7605 OpenSSL\001 4 0 0 100 0 18 12 0.0000 4 180 720 10710 7785 [Crypto]\001 4 0 0 100 0 18 20 0.0000 4 270 1290 10935 3645 OpenSSL\001 diff --git a/modules/ssl/README.dsov.ps b/modules/ssl/README.dsov.ps index def19dbecf..bcbf268713 100644 --- a/modules/ssl/README.dsov.ps +++ b/modules/ssl/README.dsov.ps @@ -1002,7 +1002,7 @@ gs 1 -1 sc (X509_STORE_CTX_get_app_data\(\)) col0 sh gr gs 1 -1 sc (SSL_CTX_get_cert_store\(\)) col0 sh gr /Helvetica-Narrow-iso ff 120.00 scf sf 8280 5130 m -gs 1 -1 sc (SSL_get_app_data2\(\)) col0 sh gr +gs 1 -1 sc (modssl_get_app_data2\(\)) col0 sh gr /Helvetica-Bold-iso ff 180.00 scf sf 3645 1620 m gs 1 -1 sc (SSLDirConfig) col0 sh gr diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 7e1c431dc6..7d9b8a550c 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -480,7 +480,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) } SSL_set_app_data(ssl, c); - SSL_set_app_data2(ssl, NULL); /* will be request_rec */ + modssl_set_app_data2(ssl, NULL); /* will be request_rec */ sslconn->ssl = ssl; diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 8e8e761850..2ff312e870 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -612,7 +612,7 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd, seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4); #else return apr_pstrcat(cmd->pool, "Invalid SSLRandomSeed entropy source `", - arg2, "': This version of " SSL_LIBRARY_NAME + arg2, "': This version of " MODSSL_LIBRARY_NAME " does not support the Entropy Gathering Daemon " "(EGD).", NULL); #endif diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 72b458e875..70bdeffcd8 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -142,12 +142,12 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, apr_status_t rv; apr_array_header_t *pphrases; - if (SSLeay() < SSL_LIBRARY_VERSION) { + if (SSLeay() < MODSSL_LIBRARY_VERSION) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) "Init: this version of mod_ssl was compiled against " "a newer library (%s, version currently loaded is %s)" " - may result in undefined or erroneous behavior", - SSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION)); + MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION)); } /* We initialize mc->pid per-process in the child init, @@ -236,7 +236,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, #endif ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01883) - "Init: Initialized %s library", SSL_LIBRARY_NAME); + "Init: Initialized %s library", MODSSL_LIBRARY_NAME); /* * Seed the Pseudo Random Number Generator (PRNG) @@ -327,7 +327,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, */ ssl_add_version_components(p, base_server); - SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */ + modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ init_dh_params(); @@ -811,6 +811,65 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s, return APR_SUCCESS; } +/* + * Read a file that optionally contains the server certificate in PEM + * format, possibly followed by a sequence of CA certificates that + * should be sent to the peer in the SSL Certificate message. + */ +static int use_certificate_chain( + SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb) +{ + BIO *bio; + X509 *x509; + unsigned long err; + int n; + + if ((bio = BIO_new(BIO_s_file_internal())) == NULL) + return -1; + if (BIO_read_filename(bio, file) <= 0) { + BIO_free(bio); + return -1; + } + /* optionally skip a leading server certificate */ + if (skipfirst) { + if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) { + BIO_free(bio); + return -1; + } + X509_free(x509); + } + /* free a perhaps already configured extra chain */ +#ifdef OPENSSL_NO_SSL_INTERN + SSL_CTX_clear_extra_chain_certs(ctx); +#else + if (ctx->extra_certs != NULL) { + sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free); + ctx->extra_certs = NULL; + } +#endif + /* create new extra chain by loading the certs */ + n = 0; + while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) { + if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) { + X509_free(x509); + BIO_free(bio); + return -1; + } + n++; + } + /* Make sure that only the error is just an EOF */ + if ((err = ERR_peek_error()) > 0) { + if (!( ERR_GET_LIB(err) == ERR_LIB_PEM + && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) { + BIO_free(bio); + return -1; + } + while (ERR_get_error() > 0) ; + } + BIO_free(bio); + return n; +} + static apr_status_t ssl_init_ctx_cert_chain(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -846,9 +905,7 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s, } } - n = SSL_CTX_use_certificate_chain(mctx->ssl_ctx, - (char *)chain, - skip_first, NULL); + n = use_certificate_chain(mctx->ssl_ctx, (char *)chain, skip_first, NULL); if (n < 0) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903) "Failed to configure CA certificate chain!"); @@ -921,7 +978,7 @@ static void ssl_check_public_cert(server_rec *s, * Some information about the certificate(s) */ - if (SSL_X509_getBC(cert, &is_ca, &pathlen)) { + if (modssl_X509_getBC(cert, &is_ca, &pathlen)) { if (is_ca) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01906) "%s server certificate is a CA certificate " @@ -936,8 +993,8 @@ static void ssl_check_public_cert(server_rec *s, } } - if (SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname, - TRUE, s) == FALSE) { + if (modssl_X509_match_name(ptemp, cert, (const char *)s->server_hostname, + TRUE, s) == FALSE) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909) "%s server certificate does NOT include an ID " "which matches the server name", key_id); @@ -1202,6 +1259,30 @@ static apr_status_t ssl_init_ticket_key(server_rec *s, } #endif +static BOOL load_x509_info(apr_pool_t *ptemp, + STACK_OF(X509_INFO) *sk, + const char *filename) +{ + BIO *in; + + if (!(in = BIO_new(BIO_s_file()))) { + return FALSE; + } + + if (BIO_read_filename(in, filename) <= 0) { + BIO_free(in); + return FALSE; + } + + ERR_clear_error(); + + PEM_X509_INFO_read_bio(in, sk, NULL, NULL); + + BIO_free(in); + + return TRUE; +} + static apr_status_t ssl_init_proxy_certs(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -1224,11 +1305,30 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, sk = sk_X509_INFO_new_null(); if (pkp->cert_file) { - SSL_X509_INFO_load_file(ptemp, sk, pkp->cert_file); + load_x509_info(ptemp, sk, pkp->cert_file); } if (pkp->cert_path) { - SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path); + apr_dir_t *dir; + apr_finfo_t dirent; + apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; + + if (apr_dir_open(&dir, pkp->cert_path, ptemp) == APR_SUCCESS) { + while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) { + const char *fullname; + + if (dirent.filetype == APR_DIR) { + continue; /* don't try to load directories */ + } + + fullname = apr_pstrcat(ptemp, + pkp->cert_path, "/", dirent.name, + NULL); + load_x509_info(ptemp, sk, fullname); + } + + apr_dir_close(dir); + } } if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { @@ -1616,7 +1716,7 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209) "CA certificate: %s", - SSL_X509_NAME_to_string(ptemp, name, 0)); + modssl_X509_NAME_to_string(ptemp, name, 0)); /* * note that SSL_load_client_CA_file() checks for duplicates, diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 1df43e7163..b2f97e9762 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -996,7 +996,7 @@ static void ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx, } SSL_set_shutdown(ssl, shutdown_type); - SSL_smart_shutdown(ssl); + modssl_smart_shutdown(ssl); /* and finally log the fact that we've closed the connection */ if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), loglevel)) { @@ -1124,8 +1124,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) hostname_note) { apr_table_unset(c->notes, "proxy-request-hostname"); if (!cert - || SSL_X509_match_name(c->pool, cert, hostname_note, - TRUE, server) == FALSE) { + || modssl_X509_match_name(c->pool, cert, hostname_note, + TRUE, server) == FALSE) { proxy_ssl_check_peer_ok = FALSE; ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411) "SSL Proxy: Peer certificate does not match " @@ -2085,7 +2085,7 @@ long ssl_io_data_cb(BIO *bio, int cmd, if (rc >= 0) { ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s, "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s", - SSL_LIBRARY_NAME, + MODSSL_LIBRARY_NAME, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"), bio, argp, @@ -2096,7 +2096,7 @@ long ssl_io_data_cb(BIO *bio, int cmd, else { ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s, "%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: %pp]", - SSL_LIBRARY_NAME, argi, + MODSSL_LIBRARY_NAME, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), bio, argp); } diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index caaa19778d..cd07b1bcb2 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -229,7 +229,7 @@ int ssl_hook_ReadReq(request_rec *r) } } #endif - SSL_set_app_data2(ssl, r); + modssl_set_app_data2(ssl, r); /* * Log information about incoming HTTPS requests @@ -1378,7 +1378,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); - request_rec *r = (request_rec *)SSL_get_app_data2(ssl); + request_rec *r = (request_rec *)modssl_get_app_data2(ssl); server_rec *s = r ? r->server : mySrvFromConn(conn); SSLSrvConfigRec *sc = mySrvConfig(s); @@ -1647,7 +1647,7 @@ static void ssl_session_log(server_rec *s, const char *result, long timeout) { - char buf[SSL_SESSION_ID_STRING_LEN]; + char buf[MODSSL_SESSION_ID_STRING_LEN]; char timeout_str[56] = {'\0'}; if (!APLOGdebug(s)) { @@ -1663,7 +1663,7 @@ static void ssl_session_log(server_rec *s, "Inter-Process Session Cache: " "request=%s status=%s id=%s %s(session %s)", request, status, - SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)), + modssl_SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)), timeout_str, result); } @@ -1804,32 +1804,32 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c, */ if (where & SSL_CB_HANDSHAKE_START) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, - "%s: Handshake: start", SSL_LIBRARY_NAME); + "%s: Handshake: start", MODSSL_LIBRARY_NAME); } else if (where & SSL_CB_HANDSHAKE_DONE) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, - "%s: Handshake: done", SSL_LIBRARY_NAME); + "%s: Handshake: done", MODSSL_LIBRARY_NAME); } else if (where & SSL_CB_LOOP) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "%s: Loop: %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl)); } else if (where & SSL_CB_READ) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "%s: Read: %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl)); } else if (where & SSL_CB_WRITE) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "%s: Write: %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl)); } else if (where & SSL_CB_ALERT) { char *str = (where & SSL_CB_READ) ? "read" : "write"; ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "%s: Alert: %s:%s:%s", - SSL_LIBRARY_NAME, str, + MODSSL_LIBRARY_NAME, str, SSL_alert_type_string_long(rc), SSL_alert_desc_string_long(rc)); } @@ -1837,12 +1837,12 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c, if (rc == 0) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "%s: Exit: failed in %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl)); } else if (rc < 0) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "%s: Exit: error in %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + MODSSL_LIBRARY_NAME, SSL_state_string_long(ssl)); } } diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 2c87638fa4..d2f9ed0aaa 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c @@ -141,8 +141,8 @@ static void ssl_log_cert_error(const char *file, int line, int level, int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2; BIO_puts(bio, " [subject: "); - name = SSL_X509_NAME_to_string(p, X509_get_subject_name(cert), - maxdnlen); + name = modssl_X509_NAME_to_string(p, X509_get_subject_name(cert), + maxdnlen); if (!strIsEmpty(name)) { BIO_puts(bio, name); } else { @@ -150,8 +150,8 @@ static void ssl_log_cert_error(const char *file, int line, int level, } BIO_puts(bio, " / issuer: "); - name = SSL_X509_NAME_to_string(p, X509_get_issuer_name(cert), - maxdnlen); + name = modssl_X509_NAME_to_string(p, X509_get_issuer_name(cert), + maxdnlen); if (!strIsEmpty(name)) { BIO_puts(bio, name); } else { diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index e158a4765a..4099864fe5 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -222,7 +222,7 @@ apr_status_t ssl_load_encrypted_pkey(server_rec *s, apr_pool_t *p, int idx, * is not empty. */ ERR_clear_error(); - bReadable = ((pPrivateKey = SSL_read_PrivateKey(ppcb_arg.pkey_file, + bReadable = ((pPrivateKey = modssl_read_privatekey(ppcb_arg.pkey_file, NULL, ssl_pphrase_Handle_CB, &ppcb_arg)) != NULL ? TRUE : FALSE); diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 413f7fe141..4fce7fc85d 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -62,7 +62,7 @@ static int ssl_is_https(conn_rec *c) } static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION; -static char var_library_interface[] = SSL_LIBRARY_TEXT; +static char var_library_interface[] = MODSSL_LIBRARY_TEXT; static char *var_library = NULL; static apr_array_header_t *expr_peer_ext_list_fn(ap_expr_eval_ctx_t *ctx, @@ -115,7 +115,7 @@ void ssl_var_register(apr_pool_t *p) APR_REGISTER_OPTIONAL_FN(ssl_ext_list); /* Perform once-per-process library version determination: */ - var_library = apr_pstrdup(p, SSL_LIBRARY_DYNTEXT); + var_library = apr_pstrdup(p, MODSSL_LIBRARY_DYNTEXT); if ((cp = strchr(var_library, ' ')) != NULL) { *cp = '/'; @@ -336,7 +336,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, result = (char *)SSL_get_version(ssl); } else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { - char buf[SSL_SESSION_ID_STRING_LEN]; + char buf[MODSSL_SESSION_ID_STRING_LEN]; SSL_SESSION *pSession = SSL_get_session(ssl); if (pSession) { unsigned char *id; @@ -349,8 +349,8 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, idlen = pSession->session_id_length; #endif - result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen, - buf, sizeof(buf))); + result = apr_pstrdup(p, modssl_SSL_SESSION_id2sz(id, idlen, + buf, sizeof(buf))); } } else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) { @@ -581,7 +581,7 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char * n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) { - result = SSL_X509_NAME_ENTRY_to_string(p, xsne); + result = modssl_X509_NAME_ENTRY_to_string(p, xsne); break; } } @@ -612,7 +612,7 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var) if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var))) return NULL; - if (SSL_X509_getSAN(p, xs, type, atoi(var), &entries)) + if (modssl_X509_getSAN(p, xs, type, atoi(var), &entries)) /* return the first entry from this 1-element array */ return APR_ARRAY_IDX(entries, 0, char *); else @@ -737,7 +737,7 @@ static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) char *decimal = BN_bn2dec(bn); result = apr_pstrcat(p, "{ serialNumber ", decimal, ", issuer rdnSequence:\"", - SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL); + modssl_X509_NAME_to_string(p, issuer, 0), "\" }", NULL); OPENSSL_free(decimal); BN_free(bn); } @@ -902,7 +902,7 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, apr_hash_set(count, &nid, sizeof nid, dup); key = apr_pstrcat(p, pfx, tag, NULL); } - value = SSL_X509_NAME_ENTRY_to_string(p, xsne); + value = modssl_X509_NAME_ENTRY_to_string(p, xsne); apr_table_setn(t, key, value); } } @@ -962,10 +962,10 @@ void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p) /* subjectAltName entries of the server certificate */ xs = SSL_get_certificate(ssl); if (xs) { - if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) { + if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) { extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p); } - if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) { + if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) { extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p); } /* no need to free xs (refcount does not increase) */ @@ -974,10 +974,10 @@ void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p) /* subjectAltName entries of the client certificate */ xs = SSL_get_peer_certificate(ssl); if (xs) { - if (SSL_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) { + if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) { extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p); } - if (SSL_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) { + if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) { extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p); } X509_free(xs); diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c index 2d365b2215..70d18772e0 100644 --- a/modules/ssl/ssl_scache.c +++ b/modules/ssl/ssl_scache.c @@ -115,7 +115,7 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, apr_pool_t *p) { SSLModConfigRec *mc = myModConfig(s); - unsigned char encoded[SSL_SESSION_MAX_DER], *ptr; + unsigned char encoded[MODSSL_SESSION_MAX_DER], *ptr; unsigned int len; apr_status_t rv; @@ -148,8 +148,8 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, apr_pool_t *p) { SSLModConfigRec *mc = myModConfig(s); - unsigned char dest[SSL_SESSION_MAX_DER]; - unsigned int destlen = SSL_SESSION_MAX_DER; + unsigned char dest[MODSSL_SESSION_MAX_DER]; + unsigned int destlen = MODSSL_SESSION_MAX_DER; const unsigned char *ptr; apr_status_t rv; diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index a1fca36202..1acda0d772 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -38,33 +38,33 @@ * also note that OpenSSL increments at static variable when * SSL_get_ex_new_index() is called, so we _must_ do this at startup. */ -static int SSL_app_data2_idx = -1; +static int app_data2_idx = -1; -void SSL_init_app_data2_idx(void) +void modssl_init_app_data2_idx(void) { int i; - if (SSL_app_data2_idx > -1) { + if (app_data2_idx > -1) { return; } /* we _do_ need to call this twice */ - for (i=0; i<=1; i++) { - SSL_app_data2_idx = + for (i = 0; i <= 1; i++) { + app_data2_idx = SSL_get_ex_new_index(0, "Second Application Data for SSL", NULL, NULL, NULL); } } -void *SSL_get_app_data2(SSL *ssl) +void *modssl_get_app_data2(SSL *ssl) { - return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx); + return (void *)SSL_get_ex_data(ssl, app_data2_idx); } -void SSL_set_app_data2(SSL *ssl, void *arg) +void modssl_set_app_data2(SSL *ssl, void *arg) { - SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg); + SSL_set_ex_data(ssl, app_data2_idx, (char *)arg); return; } @@ -74,7 +74,7 @@ void SSL_set_app_data2(SSL *ssl, void *arg) ** _________________________________________________________________ */ -EVP_PKEY *SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s) +EVP_PKEY *modssl_read_privatekey(const char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s) { EVP_PKEY *rc; BIO *bioS; @@ -121,7 +121,7 @@ EVP_PKEY *SSL_read_PrivateKey(const char* filename, EVP_PKEY **key, pem_password ** _________________________________________________________________ */ -int SSL_smart_shutdown(SSL *ssl) +int modssl_smart_shutdown(SSL *ssl) { int i; int rc; @@ -161,7 +161,7 @@ int SSL_smart_shutdown(SSL *ssl) */ /* retrieve basic constraints ingredients */ -BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen) +BOOL modssl_X509_getBC(X509 *cert, int *ca, int *pathlen) { BASIC_CONSTRAINTS *bc; BIGNUM *bn = NULL; @@ -191,7 +191,7 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen) } /* convert an ASN.1 string to a UTF-8 string (escaping control characters) */ -char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str) +static char *asn1_string_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str) { char *result = NULL; BIO *bio; @@ -213,9 +213,9 @@ char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str) } /* convert a NAME_ENTRY to UTF8 string */ -char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne) +char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne) { - char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne)); + char *result = asn1_string_to_utf8(p, X509_NAME_ENTRY_get_data(xsne)); ap_xlate_proto_from_ascii(result, len); return result; } @@ -224,7 +224,7 @@ char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne) * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated * to maxlen characters (specify a maxlen of 0 for no length limit) */ -char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) +char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) { char *result = NULL; BIO *bio; @@ -259,8 +259,8 @@ char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen) * GEN_EMAIL (rfc822Name) * GEN_DNS (dNSName) */ -BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx, - apr_array_header_t **entries) +BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx, + apr_array_header_t **entries) { STACK_OF(GENERAL_NAME) *names; @@ -282,7 +282,7 @@ BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx, switch (type) { case GEN_EMAIL: case GEN_DNS: - utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5); + utf8str = asn1_string_to_utf8(p, name->d.ia5); if (utf8str) { APR_ARRAY_PUSH(*entries, const char *) = utf8str; } @@ -313,14 +313,14 @@ BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx, } /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */ -BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) +static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) { X509_NAME *subj; int i = -1; /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */ if (!x509 || - (SSL_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) { + (modssl_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) { *ids = NULL; return FALSE; } @@ -329,7 +329,7 @@ BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) subj = X509_get_subject_name(x509); while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) { APR_ARRAY_PUSH(*ids, const char *) = - SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i)); + modssl_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i)); } return apr_is_empty_array(*ids) ? FALSE : TRUE; @@ -340,8 +340,8 @@ BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) * DNS-IDs and CN-IDs (RFC 6125), optionally with basic wildcard matching. * If server_rec is non-NULL, some (debug/trace) logging is enabled. */ -BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, - BOOL allow_wildcard, server_rec *s) +BOOL modssl_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, + BOOL allow_wildcard, server_rec *s) { BOOL matched = FALSE; apr_array_header_t *ids; @@ -356,7 +356,7 @@ BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, * is found). */ - if (SSL_X509_getIDs(p, x509, &ids)) { + if (getIDs(p, x509, &ids)) { const char *cp; int i; char **id = (char **)ids->elts; @@ -387,7 +387,7 @@ BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, if (s) { ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, - "[%s] SSL_X509_match_name: expecting name '%s', " + "[%s] modssl_X509_match_name: expecting name '%s', " "%smatched by ID '%s'", (mySrvConfig(s))->vhost_id, name, matched == TRUE ? "" : "NOT ", id[i]); @@ -411,73 +411,6 @@ BOOL SSL_X509_match_name(apr_pool_t *p, X509 *x509, const char *name, return matched; } -/* _________________________________________________________________ -** -** Low-Level CA Certificate Loading -** _________________________________________________________________ -*/ - -BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp, - STACK_OF(X509_INFO) *sk, - const char *filename) -{ - BIO *in; - - if (!(in = BIO_new(BIO_s_file()))) { - return FALSE; - } - - if (BIO_read_filename(in, filename) <= 0) { - BIO_free(in); - return FALSE; - } - - ERR_clear_error(); - - PEM_X509_INFO_read_bio(in, sk, NULL, NULL); - - BIO_free(in); - - return TRUE; -} - -BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp, - STACK_OF(X509_INFO) *sk, - const char *pathname) -{ - /* XXX: this dir read code is exactly the same as that in - * ssl_engine_init.c, only the call to handle the fullname is different, - * should fold the duplication. - */ - apr_dir_t *dir; - apr_finfo_t dirent; - apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME; - const char *fullname; - BOOL ok = FALSE; - - if (apr_dir_open(&dir, pathname, ptemp) != APR_SUCCESS) { - return FALSE; - } - - while ((apr_dir_read(&dirent, finfo_flags, dir)) == APR_SUCCESS) { - if (dirent.filetype == APR_DIR) { - continue; /* don't try to load directories */ - } - - fullname = apr_pstrcat(ptemp, - pathname, "/", dirent.name, - NULL); - - if (SSL_X509_INFO_load_file(ptemp, sk, fullname)) { - ok = TRUE; - } - } - - apr_dir_close(dir); - - return ok; -} - /* _________________________________________________________________ ** ** Custom (EC)DH parameter support @@ -510,79 +443,14 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file) } #endif -/* _________________________________________________________________ -** -** Extra Server Certificate Chain Support -** _________________________________________________________________ -*/ - -/* - * Read a file that optionally contains the server certificate in PEM - * format, possibly followed by a sequence of CA certificates that - * should be sent to the peer in the SSL Certificate message. - */ -int SSL_CTX_use_certificate_chain( - SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb) -{ - BIO *bio; - X509 *x509; - unsigned long err; - int n; - - if ((bio = BIO_new(BIO_s_file_internal())) == NULL) - return -1; - if (BIO_read_filename(bio, file) <= 0) { - BIO_free(bio); - return -1; - } - /* optionally skip a leading server certificate */ - if (skipfirst) { - if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) { - BIO_free(bio); - return -1; - } - X509_free(x509); - } - /* free a perhaps already configured extra chain */ -#ifdef OPENSSL_NO_SSL_INTERN - SSL_CTX_clear_extra_chain_certs(ctx); -#else - if (ctx->extra_certs != NULL) { - sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - } -#endif - /* create new extra chain by loading the certs */ - n = 0; - while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) { - if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) { - X509_free(x509); - BIO_free(bio); - return -1; - } - n++; - } - /* Make sure that only the error is just an EOF */ - if ((err = ERR_peek_error()) > 0) { - if (!( ERR_GET_LIB(err) == ERR_LIB_PEM - && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) { - BIO_free(bio); - return -1; - } - while (ERR_get_error() > 0) ; - } - BIO_free(bio); - return n; -} - /* _________________________________________________________________ ** ** Session Stuff ** _________________________________________________________________ */ -char *SSL_SESSION_id2sz(unsigned char *id, int idlen, - char *str, int strsize) +char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen, + char *str, int strsize) { if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH) idlen = SSL_MAX_SSL_SESSION_ID_LENGTH; diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h index 8944702d28..c7c4a916a0 100644 --- a/modules/ssl/ssl_util_ssl.h +++ b/modules/ssl/ssl_util_ssl.h @@ -38,41 +38,36 @@ * SSL library version number */ -#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER -#define SSL_LIBRARY_NAME "OpenSSL" -#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT -#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) +#define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER +#define MODSSL_LIBRARY_NAME "OpenSSL" +#define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT +#define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) /** * Maximum length of a DER encoded session. * FIXME: There is no define in OpenSSL, but OpenSSL uses 1024*10, * so this value should be ok. Although we have no warm feeling. */ -#define SSL_SESSION_MAX_DER 1024*10 +#define MODSSL_SESSION_MAX_DER 1024*10 -/** max length for SSL_SESSION_id2sz */ -#define SSL_SESSION_ID_STRING_LEN \ +/** max length for modssl_SSL_SESSION_id2sz */ +#define MODSSL_SESSION_ID_STRING_LEN \ ((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2) /** * Additional Functions */ -void SSL_init_app_data2_idx(void); -void *SSL_get_app_data2(SSL *); -void SSL_set_app_data2(SSL *, void *); -EVP_PKEY *SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *); -int SSL_smart_shutdown(SSL *ssl); -BOOL SSL_X509_getBC(X509 *, int *, int *); -char *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *); -char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne); -char *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); -BOOL SSL_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **); -BOOL SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **); -BOOL SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); -BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *); -BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *); -int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *); -char *SSL_SESSION_id2sz(unsigned char *, int, char *, int); +void modssl_init_app_data2_idx(void); +void *modssl_get_app_data2(SSL *); +void modssl_set_app_data2(SSL *, void *); +EVP_PKEY *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *); +int modssl_smart_shutdown(SSL *ssl); +BOOL modssl_X509_getBC(X509 *, int *, int *); +char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne); +char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); +BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **); +BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); +char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int); #endif /* __SSL_UTIL_SSL_H__ */ /** @} */