From: Kaspar Brand Date: Sat, 24 Dec 2011 06:35:20 +0000 (+0000) Subject: merge r1222917 from trunk: X-Git-Tag: 2.4.0~44 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ea32bc39c2b7db5991df9c549ef3bd8e5d7c40b3;p=apache merge r1222917 from trunk: Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, so that mod_ssl retains binary compatibility with future versions when internal structures are changed. Use API functions where available, and fall back to direct access for OpenSSL up to 1.0.0, where needed. Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was never used by any released version of mod_ssl. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222920 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index eb50f19b78..a3195c6897 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*- Changes with Apache 2.4.0
+ *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
+ or later, to improve binary compatibility with future OpenSSL releases.
+ [Kaspar Brand]
+
 *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass, but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime behave identically in both cases. PR52342. [Graham Leggett]
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index dc4269d8ef..39b083be08 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -780,8 +780,15 @@ static void ssl_init_ctx_pkcs7_cert_chain(server_rec *s, modssl_ctx_t *mctx)
 {
 STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
 int n;
+ STACK_OF(X509) *extra_certs = NULL;
- if (!mctx->ssl_ctx->extra_certs)
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ if (!extra_certs)
 for (n = 1; n < sk_X509_num(certs); ++n)
 SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
 }
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 9092440df5..45ba428050 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -799,11 +799,15 @@ int ssl_hook_Access(request_rec *r)
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
 "Awaiting re-negotiation handshake");
- /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
+ /* XXX: Should replace setting state with SSL_renegotiate(ssl);
 * However, this causes failures in perl-framework currently,
 * perhaps pre-test if we have already negotiated?
 */
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_set_state(ssl, SSL_ST_ACCEPT);
+#else
 ssl->state = SSL_ST_ACCEPT;
+#endif
 SSL_do_handshake(ssl);
 sslconn->reneg_state = RENEG_REJECT;
@@ -1728,8 +1732,12 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
 * Store the SSL_SESSION in the inter-process cache with the
 * same expire time, so it expires automatically there, too.
 */
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
 id = session->session_id;
 idlen = session->session_id_length;
+#endif
 rc = ssl_scache_store(s, id, idlen,
 apr_time_from_sec(SSL_SESSION_get_time(session)
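Review bot: `extra_certs` holds a pointer borrowed from the SSL_CTX rather than a copy, and neither branch of the new `#ifdef` says so; a one-line comment above it, `/* borrowed from ctx: owned by OpenSSL, do not free */`, would keep a later cleanup pass from freeing it. The same accessor block is duplicated verbatim in stapling_get_issuer (ssl_util_stapling.c hunk at -81), so a small static helper in ssl_util_ssl.c returning the chain for a given SSL_CTX would keep the two call sites in step if the accessor's contract ever changes. The rewritten `if (!extra_certs)` still carries an unbraced `for` as its body; braces on the `if` would make the two-level nesting explicit. Note that in later OpenSSL releases this ctrl falls back to the current certificate's chain when no extra chain has been set, which the raw field never does, so the empty-chain test is worth re-checking against the OpenSSL version actually targeted.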
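Review bot: The cast in `id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);` strips the `const` from the accessor's return value, presumably to match a non-const id parameter on `ssl_scache_store()`, whose prototype is not in the hunk; making the scache store/remove functions take `const unsigned char *` would let the cast go and keep the compiler's read-only guarantee on the session id. The same three-way id/idlen extraction is repeated in ssl_callback_DelSessionCacheEntry (hunk at -1809) and ssl_var_lookup_ssl (ssl_engine_vars.c hunk at -335), so a small inline helper such as `modssl_session_get_id(SSL_SESSION *sess, unsigned int *len)` wrapping the `#ifdef` would remove two copies. `idlen` is declared outside the hunk; confirm it is `unsigned int`, since that is the type `SSL_SESSION_get_id()` writes through its pointer argument. The body of ssl_callback_NewSessionCacheEntry continues past the end of the hunk.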
@@ -1809,8 +1817,12 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
 /*
 * Remove the SSL_SESSION from the inter-process cache
 */
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
 id = session->session_id;
 idlen = session->session_id_length;
+#endif
 /* TODO: Do we need a temp pool here, or are we always shutting down? */
 ssl_scache_remove(s, id, idlen, sc->mc->pPool);
@@ -2024,13 +2036,14 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 sslcon = myConnConfig(c);
 if (found && (ssl = sslcon->ssl) && (sc = mySrvConfig(s))) {
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
 SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
 /*
 * SSL_set_SSL_CTX() only deals with the server cert,
 * so we need to duplicate a few additional settings
 * from the ctx by hand
 */
- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
 if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || (SSL_num_renegotiations(ssl) == 0)) {
 /*
@@ -2040,8 +2053,8 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
 * Otherwise, we would possibly reset a per-directory
 * configuration which was put into effect by ssl_hook_Access.
 */
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+ SSL_CTX_get_verify_callback(ctx));
 }
 /*
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 3815cd4323..febc176efa 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
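Review bot: `SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);` is evaluated one line before `SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);`, so `ctx` still names the context the connection had before the SNI switch, whereas the removed `ssl->ctx` was read after the switch and named the selected vhost's context. As written, `SSL_set_options()` in this hunk and `SSL_set_verify()` in the -2040 hunk copy options, verify mode and verify callback from the previous vhost, so a name-based vhost that, for example, requires client certificates would keep the default vhost's verification settings for the rest of the connection. `SSL_set_SSL_CTX()` returns the context it installed, so the fix is to drop the separate lookup and replace the two lines with `SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);`; calling `SSL_get_SSL_CTX(ssl)` after the set is equivalent. Both hunks are in the middle of ssl_find_vhost, which continues outside them.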
@@ -335,10 +335,18 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
 char buf[SSL_SESSION_ID_STRING_LEN];
 SSL_SESSION *pSession = SSL_get_session(ssl);
 if (pSession) {
- result = apr_pstrdup(p, SSL_SESSION_id2sz(
- pSession->session_id,
- pSession->session_id_length,
- buf, sizeof(buf)));
+ unsigned char *id;
+ unsigned int idlen;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+ id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
+#else
+ id = pSession->session_id;
+ idlen = pSession->session_id_length;
+#endif
+
+ result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
+ buf, sizeof(buf)));
 }
 }
 else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
@@ -955,11 +963,15 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
 {
 char *result = "NULL";
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
 SSL_SESSION *pSession = SSL_get_session(ssl);
 if (pSession) {
+#ifdef OPENSSL_NO_SSL_INTERN
+ switch (SSL_SESSION_get_compress_id(pSession)) {
+#else
 switch (pSession->compress_meth) {
+#endif
 case 0: /* default "NULL" already set */
 break;
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 0ed6e254b0..31b9c8956f 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -82,6 +82,11 @@
 #include "ap_expr.h"
 /* OpenSSL headers */
+#include
+#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+/* must be defined before including ssl.h */
+#define OPENSSL_NO_SSL_INTERN
+#endif
 #include
 #include
 #include
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
index 5022d0da38..d5b89ef2a7 100644
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
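Review bot: The `switch` head in ssl_var_lookup_ssl_compress_meth is now split across preprocessor branches, which makes the case list below harder to read than it needs to be; assigning the value first, `unsigned int compress_id;` set under the `#ifdef`, and then a single `switch (compress_id) {` mirrors the id/idlen pattern this commit uses elsewhere and keeps the `#ifdef` out of the control statement. The function continues past the end of the hunk.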
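Review bot: The new `#define OPENSSL_NO_SSL_INTERN` in ssl_private.h only takes effect if no OpenSSL header has been included earlier in the translation unit; any mod_ssl source that pulls in an OpenSSL header ahead of ssl_private.h would silently compile against the internal struct layouts and defeat the binary-compatibility goal, with no diagnostic. A guard next to the define, `#ifdef HEADER_SSL_H` / `#error "ssl.h included before OPENSSL_NO_SSL_INTERN was set"` / `#endif`, would turn that include-order mistake into a build failure. The header names on the `#include` lines are not visible in this rendering, so which OpenSSL header is relied on to supply `OPENSSL_VERSION_NUMBER` before the `#if` cannot be confirmed from the hunk.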
@@ -182,47 +182,6 @@ int SSL_smart_shutdown(SSL *ssl)
 return rc;
 }
-/* _________________________________________________________________
-**
-** Cipher Suite Spec String Creation
-** _________________________________________________________________
-*/
-
-char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
-{
- STACK_OF(SSL_CIPHER) *sk;
- SSL_CIPHER *c;
- int i;
- int l;
- char *cpCipherSuite;
- char *cp;
-
- if (ssl == NULL)
- return "";
- if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
- return "";
- l = 0;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- l += strlen(SSL_CIPHER_get_name(c))+2+1;
- }
- if (l == 0)
- return "";
- cpCipherSuite = (char *)apr_palloc(p, l+1);
- cp = cpCipherSuite;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- l = strlen(SSL_CIPHER_get_name(c));
- memcpy(cp, SSL_CIPHER_get_name(c), l);
- cp += l;
- *cp++ = '/';
- *cp++ = (c->valid == 1 ? '1' : '0');
- *cp++ = ':';
- }
- *(cp-1) = NUL;
- return cpCipherSuite;
-}
-
 /* _________________________________________________________________
 **
 ** Certificate Checks
@@ -464,7 +423,6 @@ int SSL_CTX_use_certificate_chain(
 X509 *x509;
 unsigned long err;
 int n;
- STACK_OF(X509) *extra_certs;
 if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
 return -1;
@@ -481,11 +439,14 @@ int SSL_CTX_use_certificate_chain(
 X509_free(x509);
 }
 /* free a perhaps already configured extra chain */
- extra_certs = ctx->extra_certs;
- if (extra_certs != NULL) {
- sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+ if (ctx->extra_certs != NULL) {
+ sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
 ctx->extra_certs = NULL;
 }
+#endif
 /* create new extra chain by loading the certs */
 n = 0;
 while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
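Review bot: In the -481 hunk the rewritten `#else` line keeps the cast in `sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);` although the field appears to already have that type on the OpenSSL versions this branch still compiles against, so the cast can likely be dropped; a redundant cast also hides any future type mismatch the compiler would otherwise report, so confirm the field's type before removing it. A short comment on the `#ifdef` stating that both branches free the previous chain and leave the context without one, e.g. `/* both branches drop any existing extra chain; SSL_CTX_clear_extra_chain_certs() frees and clears it */`, would make the intended equivalence explicit for the next reader. SSL_CTX_use_certificate_chain continues on both sides of the hunk.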
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
index db2a2e30fe..6eaa137436 100644
--- a/modules/ssl/ssl_util_ssl.h
+++ b/modules/ssl/ssl_util_ssl.h
@@ -63,7 +63,6 @@ void SSL_set_app_data2(SSL *, void *);
 X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
 EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
 int SSL_smart_shutdown(SSL *ssl);
-char *SSL_make_ciphersuite(apr_pool_t *, SSL *);
 BOOL SSL_X509_isSGC(X509 *);
 BOOL SSL_X509_getBC(X509 *, int *, int *);
 char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 941fb2851d..3ff08dcc67 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -81,9 +81,16 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
 int i;
 X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
 X509_STORE_CTX inctx;
+ STACK_OF(X509) *extra_certs = NULL;
- for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
- issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+#ifdef OPENSSL_NO_SSL_INTERN
+ SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+ extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ issuer = sk_X509_value(extra_certs, i);
 if (X509_check_issued(issuer, x) == X509_V_OK) {
 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
 return issuer;
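Review bot: The loop body in stapling_get_issuer still reaches into the certificate object with `CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);`, so the function is only half decoupled from library internals: `OPENSSL_NO_SSL_INTERN` hides libssl's structures, not libcrypto's, and this field access would need the same treatment if X509 is ever made opaque. A comment on the new declaration, `/* borrowed from ctx, never freed here; sk_X509_num(NULL) is -1, so an absent chain skips the loop */`, would record both the ownership of `extra_certs` and why the NULL case needs no explicit guard. The function is cut off at the end of the hunk.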