From 275b140280959ba9dc0b85a3eef6a095036dd627 Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Fri, 15 Jun 2018 14:35:31 +0000
Subject: [PATCH] mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master). So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7 compatibility-exceptions are handled explicitely but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the former used to be a no-op but depends is LIBRESSL_INTERNAL in latest versions, while the latter has never been (and will never be) defined. So don't call any with LibreSSL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833598 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/md/md_crypt.c         |  3 ++-
 modules/ssl/mod_ssl.c         |  5 ++++-
 modules/ssl/ssl_engine_init.c | 14 ++++++--------
 modules/ssl/ssl_private.h     |  5 ++---
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
index fac6239cab..7e3e2e27e1 100644
--- a/modules/md/md_crypt.c
+++ b/modules/md/md_crypt.c
@@ -471,7 +471,8 @@ apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec)
     }
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API || (defined(LIBRESSL_VERSION_NUMBER) && \
+    LIBRESSL_VERSION_NUMBER < 0x2070000f)
 
 #ifndef NID_tlsfeature
 #define NID_tlsfeature 1020
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 496eb19cf1..8f34ffdacd 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
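Review bot: The rewritten `#if` in md_crypt.c keys on MODSSL_USE_OPENSSL_PRE_1_1_API, but nothing in this hunk shows that macro being visible in modules/md; it is defined in modules/ssl/ssl_private.h (last file of this patch), and an undefined identifier in `#if` evaluates to 0, which would silently drop this compatibility block on OpenSSL < 1.1.0 builds. Please confirm md_crypt.c includes a header that defines it, or keep the OPENSSL_VERSION_NUMBER test in this file. Separately, the `||` form makes the LibreSSL clause redundant under the new definition (LibreSSL < 2.8 already counts as pre-1.1), so LibreSSL 2.7 now enters this block although the removed condition excluded it; ssl_engine_init.c spells the same 2.7 exception as `#if MODSSL_USE_OPENSSL_PRE_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000f)`, which preserves the exclusion and would be the consistent form here. The guarded block continues past the hunk.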
@@ -442,10 +442,13 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 
     /* We must register the library in full, to ensure our configuration
      * code can successfully test the SSL environment. */
-#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
+/* Both undefined (or no-op) with LibreSSL */
+#if !defined(LIBRESSL_VERSION_NUMBER)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     CRYPTO_malloc_init();
 #else
     OPENSSL_malloc_init();
+#endif
 #endif
     ERR_load_crypto_strings();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index e63d42c350..c8a3365e0c 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -51,7 +51,8 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
 #define KEYTYPES "RSA or DSA"
 #endif
 
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || \
+    LIBRESSL_VERSION_NUMBER < 0x2070000f)
 /* OpenSSL Pre-1.1.0 compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
@@ -543,8 +544,7 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
 /*
  * Enable/disable SSLProtocol. If the mod_ssl enables protocol
  * which is disabled by default by OpenSSL, show a warning.
@@ -582,8 +582,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     char *cp;
     int protocol = mctx->protocol;
     SSLSrvConfigRec *sc = mySrvConfig(s);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
     int prot;
 #endif
 
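Review bot: The two bare `#endif`s that close the new nested `#if !defined(LIBRESSL_VERSION_NUMBER)` / `#if MODSSL_USE_OPENSSL_PRE_1_1_API` pair in ssl_hook_pre_config are easy to misread, since one of them already existed for a different condition; tagging them `#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */` and `#endif /* !defined(LIBRESSL_VERSION_NUMBER) */` would match the annotation this same patch adds in ssl_engine_init.c. The added comment could also name what "both" refers to, e.g. `/* CRYPTO_malloc_init() and OPENSSL_malloc_init() are undefined (or a no-op) with LibreSSL */`, so it reads correctly once the two calls sit several lines below it. ssl_hook_pre_config continues outside the hunk.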
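Review bot: The `LIBRESSL_VERSION_NUMBER < 0x2070000f` carve-out added to the `#if` above the DH_set0_pqg compatibility shim is not explained by the `/* OpenSSL Pre-1.1.0 compatibility */` comment that follows it; the commit message calls LibreSSL 2.7 a deliberate exception, presumably because 2.7 already provides the accessors defined in this block, and a one-line comment such as `/* LibreSSL >= 2.7 already ships these accessors, so skip the shim there */` would save the next reader a trip to the log. The guarded block continues past the hunk.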
@@ -663,8 +662,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
 
     SSL_CTX_set_options(ctx, SSL_OP_ALL);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 
@@ -685,7 +683,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
     ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1_3,
                                 protocol & SSL_PROTOCOL_TLSV1_3, "TLSv1.3");
 #endif
-#endif
+#endif /* MODSSL_USE_OPENSSL_PRE_1_1_API */
 #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
     /* We first determine the maximum protocol version we should provide */
 
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index e1c871da4f..1f629a46e3 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -132,13 +132,12 @@
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
 #define SSL_CTX_set_max_proto_version(ctx, version) \
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
  * include most changes from OpenSSL >= 1.1 (new functions, macros,
  * deprecations, ...), so we have to work around this...
  */
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2080000f)
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
 #endif
-- 
2.50.1
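Review bot: In the hunk at -685 the context line `#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */` still names a raw version test, while the `#endif` right above it is now annotated with MODSSL_USE_OPENSSL_PRE_1_1_API and the other version guards in ssl_init_ctx_protocol (hunks at -582 and -663) were rewritten to that macro. The `#if` this `#else` pairs with lies outside the hunk, so I can't confirm it from here, but if it was also converted the comment should follow, e.g. `#else /* !MODSSL_USE_OPENSSL_PRE_1_1_API */`, otherwise the two annotations a few lines apart contradict each other. The function body continues outside the hunk.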
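Review bot: In ssl_private.h the comment retained above the new definition still says LibreSSL before 2.7 lacks the OpenSSL >= 1.1 changes, but the macro it now introduces is `(LIBRESSL_VERSION_NUMBER < 0x2080000f)`, i.e. the 2.8 boundary the commit message gives, so a reader comparing the two will not know which number is authoritative. Suggest changing the first comment line to `/* LibreSSL before 2.8 declares OPENSSL_VERSION_NUMBER == 2.0 but does not` so the prose and the macro agree, and noting that 2.7 is special-cased in md_crypt.c and ssl_engine_init.c rather than here. The `#if` matched by the new `#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */` is above line 132 and not visible in this hunk.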