From 7bd59fd67a7ef3eb7aba69e34cab6b714fddbec5 Mon Sep 17 00:00:00 2001 From: Kaspar Brand Date: Sun, 7 Aug 2011 10:34:31 +0000 Subject: [PATCH] Remove the ssl_toolkit_compat layer, which is no longer needed after support for non-OpenSSL toolkits has been dropped. Replace macros by their value proper where feasible, and keep those definitions in ssl_private.h which depend on specific OpenSSL versions. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 2 + modules/ssl/mod_ssl.dsp | 4 - modules/ssl/ssl_engine_dh.c | 48 +++++++- modules/ssl/ssl_engine_init.c | 8 +- modules/ssl/ssl_engine_io.c | 4 +- modules/ssl/ssl_engine_kernel.c | 40 +++--- modules/ssl/ssl_engine_log.c | 6 +- modules/ssl/ssl_engine_vars.c | 16 +-- modules/ssl/ssl_private.h | 119 +++++++++++++++--- modules/ssl/ssl_toolkit_compat.h | 202 ------------------------------- modules/ssl/ssl_util.c | 2 +- modules/ssl/ssl_util_ssl.c | 51 +++----- modules/ssl/ssl_util_ssl.h | 11 +- 13 files changed, 198 insertions(+), 315 deletions(-) delete mode 100644 modules/ssl/ssl_toolkit_compat.h
diff --git a/CHANGES b/CHANGES
index 3082b0fb12..4703b9e93f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15
+ *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
+
 *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. [Kaspar Brand]
diff --git a/modules/ssl/mod_ssl.dsp b/modules/ssl/mod_ssl.dsp
index 6d738fe2e3..fc86a7b6e8 100644
--- a/modules/ssl/mod_ssl.dsp
+++ b/modules/ssl/mod_ssl.dsp
@@ -184,10 +184,6 @@ SOURCE=.\ssl_private.h
 # End Source File
 # Begin Source File
-SOURCE=.\ssl_toolkit_compat.h
-# End Source File
-# Begin Source File
-
 SOURCE=.\ssl_util_ssl.h
 # End Source File
 # Begin Source File
diff --git a/modules/ssl/ssl_engine_dh.c b/modules/ssl/ssl_engine_dh.c
index 0239924b37..935b0c7307 100644
--- a/modules/ssl/ssl_engine_dh.c
+++ b/modules/ssl/ssl_engine_dh.c
@@ -69,8 +69,20 @@ static unsigned char dh512_g[] = {
 static DH *get_dh512(void)
 {
- return modssl_dh_configure(dh512_p, sizeof(dh512_p),
- dh512_g, sizeof(dh512_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
 }
 static unsigned char dh1024_p[] = {
@@ -92,8 +104,20 @@ static unsigned char dh1024_g[] = {
 static DH *get_dh1024(void)
 {
- return modssl_dh_configure(dh1024_p, sizeof(dh1024_p),
- dh1024_g, sizeof(dh1024_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
 }
 /* ----END GENERATED SECTION---------- */
@@ -187,8 +211,20 @@ $dhsource .= $_ while ();
 close(FP);
 $dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
 {
- return modssl_dh_configure(dh$2_p, sizeof(dh$2_p),
- dh$2_g, sizeof(dh$2_g));
+ DH *dh;
+
+ if (!(dh = DH_new())) {
+ return NULL;
+ }
+
+ dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
+ dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
+ if (!(dh->p && dh->g)) {
+ DH_free(dh);
+ return NULL;
+ }
+
+ return dh;
 }
 |sg;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index f0fb8629f7..f9ae36b32e 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -642,8 +642,8 @@ static void ssl_init_ctx_verify(server_rec *s,
 "Configuring client authentication");
 if (!SSL_CTX_load_verify_locations(ctx,
- MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
- MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
+ mctx->auth.ca_cert_file,
+ mctx->auth.ca_cert_path))
 {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "Unable to configure verify locations "
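Review bot: The DH_new()/BN_bin2bn()/DH_free() sequence that the commit deletes from modssl_dh_configure() is now copied verbatim into get_dh512(), get_dh1024() and the `$dhsource =~ s|...|` template of the third hunk, so a later change to that sequence has to be made in three places and the generator re-run. A file-local `static DH *modssl_dh_configure(unsigned char *p, int plen, unsigned char *g, int glen)` kept in ssl_engine_dh.c, with the generated functions staying one-line calls as before, achieves the commit's goal of dropping ssl_toolkit_compat.h without the duplication. The Perl template would then emit that one-line wrapper instead of the full body.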
@@ -705,7 +705,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
 "Configuring permitted SSL ciphers [%s]", suite);
- if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
+ if (!SSL_CTX_set_cipher_list(ctx, suite)) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "Unable to configure permitted SSL ciphers");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
@@ -1278,7 +1278,7 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
 STACK_OF(X509_NAME) *sk;
 sk = (STACK_OF(X509_NAME) *)
- SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
+ SSL_load_client_CA_file(file);
 if (!sk) {
 return;
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 2b32706ed1..a0fd808896 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1872,7 +1872,7 @@ void ssl_io_filter_register(apr_pool_t *p)
 #define DUMP_WIDTH 16
 static void ssl_io_data_dump(server_rec *srvr,
- MODSSL_BIO_CB_ARG_TYPE *s,
+ const char *s,
 long len)
 {
 char buf[256];
@@ -1937,7 +1937,7 @@ static void ssl_io_data_dump(server_rec *srvr,
 }
 long ssl_io_data_cb(BIO *bio, int cmd,
- MODSSL_BIO_CB_ARG_TYPE *argp,
+ const char *argp,
 int argi, long argl, long rc)
 {
 SSL *ssl;
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index eaed7ae86f..6bc7219869 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -407,9 +407,9 @@ int ssl_hook_Access(request_rec *r)
 /* configure new state */
 if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
- !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
- dc->szCipherSuite :
- sc->server->auth.cipher_suite)) {
+ !SSL_set_cipher_list(ssl, dc->szCipherSuite ?
+ dc->szCipherSuite :
+ sc->server->auth.cipher_suite)) {
 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "Unable to reconfigure (per-directory) " "permitted SSL ciphers");
@@ -546,7 +546,7 @@ int ssl_hook_Access(request_rec *r)
 verify |= SSL_VERIFY_PEER;
 }
- modssl_set_verify(ssl, verify, ssl_callback_SSLVerify);
+ SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
 SSL_set_verify_result(ssl, X509_V_OK);
 /* determine whether we've to force a renegotiation */
@@ -606,7 +606,7 @@ int ssl_hook_Access(request_rec *r)
 "'require' and VirtualHost-specific CA certificate " "list is only available to clients with TLS server " "name indication (SNI) support");
- modssl_set_verify(ssl, verify_old, NULL);
+ SSL_set_verify(ssl, verify_old, NULL);
 return HTTP_FORBIDDEN;
 }
 else /* let it pass, possibly with an "incorrect" peer cert,
@@ -695,7 +695,7 @@ int ssl_hook_Access(request_rec *r)
 * we put it back here for the purpose of quick_renegotiation.
 */
 cert_stack = sk_X509_new_null();
- sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
+ sk_X509_push(cert_stack, cert);
 }
 if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
@@ -729,7 +729,7 @@ int ssl_hook_Access(request_rec *r)
 SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl);
- if (!modssl_X509_verify_cert(&cert_store_ctx)) {
+ if (!X509_verify_cert(&cert_store_ctx)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Re-negotiation verification step failed");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -798,11 +798,11 @@ int ssl_hook_Access(request_rec *r)
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Awaiting re-negotiation handshake");
- /* XXX: Should replace SSL_set_state with SSL_renegotiate(ssl);
+ /* XXX: Should replace setting ssl->state with SSL_renegotiate(ssl);
 * However, this causes failures in perl-framework currently,
 * perhaps pre-test if we have already negotiated? */
- SSL_set_state(ssl, SSL_ST_ACCEPT);
+ ssl->state = SSL_ST_ACCEPT;
 SSL_do_handshake(ssl);
 sslconn->reneg_state = RENEG_REJECT;
@@ -1021,7 +1021,7 @@ int ssl_hook_UserCheck(request_rec *r)
 X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
 char *cp = X509_NAME_oneline(name, NULL, 0);
 sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
 }
 clientdn = (char *)sslconn->client_dn;
@@ -1731,7 +1731,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 X509_REVOKED *revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
- ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
+ ASN1_INTEGER *sn = revoked->serialNumber;
 if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
 if (APLOGdebug(s)) {
@@ -1742,7 +1742,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 "Certificate with serial %ld (0x%lX) " "revoked per CRL from issuer %s", serial, serial, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
 }
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
@@ -1789,11 +1789,11 @@ static void modssl_proxy_info_log(server_rec *s,
 */
 #define modssl_set_cert_info(info, cert, pkey) \
 *cert = info->x509; \
- X509_reference_inc(*cert); \
+ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
 *pkey = info->x_pkey->dec_pkey; \
- EVP_PKEY_reference_inc(*pkey)
+ CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 {
 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
 server_rec *s = mySrvFromConn(c);
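Review bot: modssl_set_cert_info remains a bare run of four statements after its two CRYPTO_add lines are rewritten, with `info`, `cert` and `pkey` used unparenthesised, so it is only safe as the body of a braced statement and with simple arguments; its call sites are outside this hunk, so whether they satisfy that today cannot be checked here. Since half of the macro is being rewritten anyway, wrapping it in `do { ... } while (0)` and parenthesising the parameters removes the hazard without changing the expansion at a well-formed call, and the reference-count bumps that hand ownership of the X509 and EVP_PKEY to the caller stay exactly as they are. ssl_callback_proxy_cert continues beyond the end of the hunk.
```c
#define modssl_set_cert_info(info, cert, pkey) \
    do { \
        *(cert) = (info)->x509; \
        CRYPTO_add(&(*(cert))->references, +1, CRYPTO_LOCK_X509); \
        *(pkey) = (info)->x_pkey->dec_pkey; \
        CRYPTO_add(&(*(pkey))->references, +1, CRYPTO_LOCK_X509_PKEY); \
    } while (0)
/* … unchanged: ssl_callback_proxy_cert … */
```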
@@ -1911,11 +1911,11 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
 * Store the SSL_SESSION in the inter-process cache with the
 * same expire time, so it expires automatically there, too.
 */
- id = SSL_SESSION_get_session_id(session);
- idlen = SSL_SESSION_get_session_id_length(session);
+ id = session->session_id;
+ idlen = session->session_id_length;
 rc = ssl_scache_store(s, id, idlen,
- apr_time_from_sec(modssl_session_get_time(session)
+ apr_time_from_sec(SSL_SESSION_get_time(session)
 + timeout),
 session, conn->pool);
@@ -1992,8 +1992,8 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
 /*
 * Remove the SSL_SESSION from the inter-process cache
 */
- id = SSL_SESSION_get_session_id(session);
- idlen = SSL_SESSION_get_session_id_length(session);
+ id = session->session_id;
+ idlen = session->session_id_length;
 /* TODO: Do we need a temp pool here, or are we always shutting down? */
 ssl_scache_remove(s, id, idlen, sc->mc->pPool);
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index 24ea839d56..055020105a 100644
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -139,15 +139,15 @@ void ssl_log_cxerror(const char *file, int line, int level,
 serial ? serial : "-unknown-");
 if (sname) {
- modssl_free(sname);
+ OPENSSL_free(sname);
 }
 if (iname) {
- modssl_free(iname);
+ OPENSSL_free(iname);
 }
 if (serial) {
- modssl_free(serial);
+ OPENSSL_free(serial);
 }
 if (bn) {
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index bdaa2fdb40..e95405c6c8 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -336,8 +336,8 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
 SSL_SESSION *pSession = SSL_get_session(ssl);
 if (pSession) {
 result = apr_pstrdup(p, SSL_SESSION_id2sz(
- SSL_SESSION_get_session_id(pSession),
- SSL_SESSION_get_session_id_length(pSession),
+ pSession->session_id,
+ pSession->session_id_length,
 buf, sizeof(buf)));
 }
 }
@@ -404,7 +404,7 @@ static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
 if (legacy_format) {
 char *cp = X509_NAME_oneline(xsname, NULL, 0);
 result = apr_pstrdup(p, cp);
- modssl_free(cp);
+ OPENSSL_free(cp);
 }
 else {
 BIO* bio;
@@ -471,13 +471,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
 resdup = FALSE;
 }
 else if (strcEQ(var, "A_SIG")) {
- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
 result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
 resdup = FALSE;
 }
 else if (strcEQ(var, "A_KEY")) {
- nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
 result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
 resdup = FALSE;
@@ -540,10 +540,10 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
 if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen) && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
 for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsname));
+ xsname->entries);
 j++) {
 xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsname), j);
+ xsname->entries, j);
 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
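Review bot: In the A_SIG and A_KEY branches the `(ASN1_OBJECT *)` casts are kept around `xs->cert_info->signature->algorithm` and `xs->cert_info->key->algor->algorithm`, but both fields are already `ASN1_OBJECT *` in OpenSSL's X509_ALGOR, so after the SSL-C compatibility is gone the casts only serve to hide a future type mismatch from the compiler; `nid = OBJ_obj2nid(xs->cert_info->signature->algorithm);` is the plain form. The `(STACK_OF(X509_NAME_ENTRY) *)` casts on `xsname->entries` in the 540 hunk, on `xn->entries` in extract_dn and on `xsn->entries` in SSL_X509_getCN in ssl_util_ssl.c look similarly redundant, but that should be confirmed against the oldest OpenSSL the header still guards for (0.9.7) before dropping them. The enclosing functions of these hunks begin and end outside the hunks.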
@@ -764,7 +764,7 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
 static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
 X509_NAME *xn, apr_pool_t *p)
 {
- STACK_OF(X509_NAME_ENTRY) *ents = X509_NAME_get_entries(xn);
+ STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
 X509_NAME_ENTRY *xsne;
 apr_hash_t *count;
 int i, nid;
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 98c8eb94f1..e237ea4c1b 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -54,9 +54,18 @@
 #include "ap_socache.h"
 #include "mod_auth.h"
+/* The #ifdef macros are only defined AFTER including the above
+ * therefore we cannot include these system files at the top :-(
+ */
 #ifdef APR_HAVE_STDLIB_H
 #include
 #endif
+#if APR_HAVE_SYS_TIME_H
+#include
+#endif
+#if APR_HAVE_UNISTD_H
+#include /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+#endif
 #ifndef FALSE
 #define FALSE 0
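Review bot: The comment added at the top of the ssl_private.h hunk speaks of "#ifdef macros", but the checks it introduces are `#if APR_HAVE_SYS_TIME_H` and `#if APR_HAVE_UNISTD_H`, which is the correct form if apr.h defines the APR_HAVE_* macros as 0 or 1 as it does on autoconf platforms; the pre-existing `#ifdef APR_HAVE_STDLIB_H` between them is then always true once apr.h has been included. Changing that line to `#if APR_HAVE_STDLIB_H` and wording the comment as `/* The APR_HAVE_* macros are only defined AFTER including the above ... */` makes the three tests consistent with each other.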
@@ -70,32 +79,105 @@
 #define BOOL unsigned int
 #endif
-/* mod_ssl headers */
-#include "ssl_toolkit_compat.h"
 #include "ap_expr.h"
-#include "ssl_util_ssl.h"
-/* The #ifdef macros are only defined AFTER including the above
- * therefore we cannot include these system files at the top :-(
+/* OpenSSL headers */
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* hack for non-configure platforms (NetWare, Win32) */
+#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)
+#define HAVE_OCSP
+#endif
+#ifdef HAVE_OCSP
+#include
+#include
+#endif
+
+/* Avoid tripping over an engine build installed globally and detected
+ * when the user points at an explicit non-engine flavor of OpenSSL
 */
-#if APR_HAVE_SYS_TIME_H
-#include
+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
+#include
 #endif
-#if APR_HAVE_UNISTD_H
-#include /* needed for STDIN_FILENO et.al., at least on FreeBSD */
+
+/* ...shifting sands of OpenSSL... */
+#if (OPENSSL_VERSION_NUMBER < 0x00907000)
+# define MODSSL_INFO_CB_ARG_TYPE SSL*
+#else
+# define MODSSL_INFO_CB_ARG_TYPE const SSL*
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x0090707f)
+#define MODSSL_D2I_SSL_SESSION_CONST const
+#else
+#define MODSSL_D2I_SSL_SESSION_CONST
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#define HAVE_GENERATE_EX
+#define MODSSL_D2I_ASN1_type_bytes_CONST const
+#define MODSSL_D2I_PrivateKey_CONST const
+#define MODSSL_D2I_X509_CONST const
+#else
+#define MODSSL_D2I_ASN1_type_bytes_CONST
+#define MODSSL_D2I_PrivateKey_CONST
+#define MODSSL_D2I_X509_CONST
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_OCSP_STAPLING
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define sk_OPENSSL_STRING_pop sk_pop
+#endif
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS)
+#define HAVE_FIPS
 #endif
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+#define MODSSL_SSL_CIPHER_CONST const
+#define MODSSL_SSL_METHOD_CONST const
+#else
+#define MODSSL_SSL_CIPHER_CONST
+#define MODSSL_SSL_METHOD_CONST
+/* ECC support came along in OpenSSL 1.0.0 */
+#define OPENSSL_NO_EC
+#endif
+
+#ifndef PEM_F_DEF_CALLBACK
+#ifdef PEM_F_PEM_DEF_CALLBACK
+/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
+#endif
+#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#define OPENSSL_NO_TLSEXT
+#endif
+#endif
+
+#ifndef sk_STRING_pop
+#define sk_STRING_pop sk_pop
+#endif
+
+/* mod_ssl headers */
+#include "ssl_util_ssl.h"
+
 APLOG_USE_MODULE(ssl);
 /*
 * Provide reasonable default for some defines
 */
-#ifndef FALSE
-#define FALSE (0)
-#endif
-#ifndef TRUE
-#define TRUE (!FALSE)
-#endif
 #ifndef PFALSE
 #define PFALSE ((void *)FALSE)
 #endif
@@ -116,9 +198,6 @@ APLOG_USE_MODULE(ssl);
 /**
 * Provide reasonable defines for some types
 */
-#ifndef BOOL
-#define BOOL unsigned int
-#endif
 #ifndef UCHAR
 #define UCHAR unsigned char
 #endif
@@ -674,7 +753,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
 #endif
 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
+int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
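Review bot: The HAVE_OCSP_STAPLING guard changes meaning while being moved: the deleted header tested `defined(HAVE_OCSP)`, the copy in this hunk tests `!defined(OPENSSL_NO_OCSP)`, and MODSSL_SSL_CIPHER_CONST / MODSSL_SSL_METHOD_CONST now switch at 0x10000000 instead of 0x0090707f / 0x00909000, yet neither the commit message nor a comment marks these as deliberate (the CIPHER one alters what 0.9.8 builds see, the METHOD one is harmless since 0.9.9 never shipped). If the OCSP change is intended, the HAVE_OCSP hack earlier in the hunk still defines HAVE_OCSP and pulls in the OCSP headers without looking at OPENSSL_NO_OCSP, so a library built with no-ocsp would get the includes but not stapling; `#if !defined(HAVE_OCSP) && !defined(OPENSSL_NO_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000)` would make the two agree. A one-line comment on each version threshold naming the OpenSSL release that changed the prototype would also make the next move of this block safer.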
@@ -717,7 +796,7 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
 /** I/O */
 void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
 void ssl_io_filter_register(apr_pool_t *);
-long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
+long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
 /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
 * to allow an SSL renegotiation to take place. */
diff --git a/modules/ssl/ssl_toolkit_compat.h b/modules/ssl/ssl_toolkit_compat.h
deleted file mode 100644
index 69cfc25c03..0000000000
--- a/modules/ssl/ssl_toolkit_compat.h
+++ /dev/null
@@ -1,202 +0,0 @@ -/* Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef SSL_TOOLKIT_COMPAT_H -#define SSL_TOOLKIT_COMPAT_H - -/** - * @file ssl_toolkit_compat.h - * @brief this header file provides a compatiblity layer - * - * @defgroup MOD_SSL_TOOLKIT Toolkit - * @ingroup MOD_SSL - * @{ - */ - -/** OpenSSL headers */ -#include -#include -#include -#include -#include -#include -#include -#include - -/* hack for non-configure platforms (NetWare, Win32) */ -#if !defined(HAVE_OCSP) && (OPENSSL_VERSION_NUMBER >= 0x00907000) -#define HAVE_OCSP -#endif -#ifdef HAVE_OCSP -#include -#include -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x00908000) -#define HAVE_GENERATE_EX -#endif - -/* ECC support came along in OpenSSL 1.0.0 */ -#if (OPENSSL_VERSION_NUMBER < 0x10000000) -#define OPENSSL_NO_EC -#endif - -/** Avoid tripping over an engine build installed globally and detected - * when the user points at an explicit non-engine flavor of OpenSSL - */ -#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) -#include -#endif - -/** - * rsa sslc uses incomplete types for most structures - * so we macroize for OpenSSL those which cannot be dereferenced - * using the same sames as the sslc functions - */ - -#define 
EVP_PKEY_key_type(k) (EVP_PKEY_type(k->type)) - -#define X509_NAME_get_entries(xs) (xs->entries) -#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber) - -#define X509_get_signature_algorithm(xs) (xs->cert_info->signature->algorithm) -#define X509_get_key_algorithm(xs) (xs->cert_info->key->algor->algorithm) - -#define X509_NAME_ENTRY_get_data_ptr(xs) (xs->value->data) -#define X509_NAME_ENTRY_get_data_len(xs) (xs->value->length) - -#define SSL_CTX_get_extra_certs(ctx) (ctx->extra_certs) -#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;} - -#define SSL_CIPHER_get_name(s) (s->name) -#define SSL_CIPHER_get_valid(s) (s->valid) - -#define SSL_SESSION_get_session_id(s) (s->session_id) -#define SSL_SESSION_get_session_id_length(s) (s->session_id_length) - -/** - * Support for retrieving/overriding states - */ -#ifndef SSL_get_state -#define SSL_get_state(ssl) SSL_state(ssl) -#endif - -#define SSL_set_state(ssl,val) (ssl)->state = val - -#define MODSSL_BIO_CB_ARG_TYPE const char -#define MODSSL_CRYPTO_CB_ARG_TYPE const char -#if (OPENSSL_VERSION_NUMBER < 0x00907000) -# define MODSSL_INFO_CB_ARG_TYPE SSL* -#else -# define MODSSL_INFO_CB_ARG_TYPE const SSL* -#endif -#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509 -#define MODSSL_PCHAR_CAST - -/** ...shifting sands of openssl... 
*/ -#if (OPENSSL_VERSION_NUMBER >= 0x0090707f) -# define MODSSL_D2I_SSL_SESSION_CONST const -# define MODSSL_SSL_CIPHER_CONST const -#else -# define MODSSL_D2I_SSL_SESSION_CONST -# define MODSSL_SSL_CIPHER_CONST -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x00908000) -# define MODSSL_D2I_ASN1_type_bytes_CONST const -# define MODSSL_D2I_PrivateKey_CONST const -# define MODSSL_D2I_X509_CONST const -#else -# define MODSSL_D2I_ASN1_type_bytes_CONST -# define MODSSL_D2I_PrivateKey_CONST -# define MODSSL_D2I_X509_CONST -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x00909000) -# define MODSSL_SSL_METHOD_CONST const -#else -# define MODSSL_SSL_METHOD_CONST -#endif - -#define modssl_X509_verify_cert X509_verify_cert - -typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*); - -#if (OPENSSL_VERSION_NUMBER < 0x00904000) -#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb) -#else -#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb, arg) -#endif - -#define modssl_PEM_X509_INFO_read_bio PEM_X509_INFO_read_bio - -#define modssl_PEM_read_bio_PrivateKey PEM_read_bio_PrivateKey - -#define modssl_set_cipher_list SSL_set_cipher_list - -#define modssl_free OPENSSL_free - -#define EVP_PKEY_reference_inc(pkey) \ - CRYPTO_add(&((pkey)->references), +1, CRYPTO_LOCK_X509_PKEY) - -#define X509_reference_inc(cert) \ - CRYPTO_add(&((cert)->references), +1, CRYPTO_LOCK_X509) - -#define HAVE_SSL_RAND_EGD /* since 9.5.1 */ - -#define HAVE_SSL_X509V3_EXT_d2i - -#if OPENSSL_VERSION_NUMBER >= 0x00908080 && defined(HAVE_OCSP) \ - && !defined(OPENSSL_NO_TLSEXT) -#define HAVE_OCSP_STAPLING -#if (OPENSSL_VERSION_NUMBER < 0x10000000) -#define sk_OPENSSL_STRING_pop sk_pop -#endif -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x009080a0) && defined(OPENSSL_FIPS) -#define HAVE_FIPS -#endif - -#ifndef PEM_F_DEF_CALLBACK -#ifdef PEM_F_PEM_DEF_CALLBACK -/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ -#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK -#endif 
-#endif
-
-#ifndef modssl_set_verify
-#define modssl_set_verify(ssl, verify, cb) \
- SSL_set_verify(ssl, verify, cb)
-#endif
-
-#ifndef SSL_SESS_CACHE_NO_INTERNAL
-#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-#endif
-
-#ifndef OPENSSL_NO_TLSEXT
-#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
-#define OPENSSL_NO_TLSEXT
-#endif
-#endif
-
-#ifndef sk_STRING_pop
-#define sk_STRING_pop sk_pop
-#endif
-
-#endif /* SSL_TOOLKIT_COMPAT_H */
-
-/** @} */
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index 0360964c82..6057a6f491 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -143,7 +143,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
 if (pCert != NULL)
 pFreeKey = pKey = X509_get_pubkey(pCert);
 if (pKey != NULL) {
- switch (EVP_PKEY_key_type(pKey)) {
+ switch (EVP_PKEY_type(pKey->type)) {
 case EVP_PKEY_RSA:
 t = SSL_ALGO_RSA;
 break;
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
index 4373c4fff2..305ffc9c77 100644
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -74,7 +74,7 @@ void SSL_set_app_data2(SSL *ssl, void *arg)
 ** _________________________________________________________________
 */
-X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
+X509 *SSL_read_X509(char* filename, X509 **x509, pem_password_cb *cb)
 {
 X509 *rc;
 BIO *bioS;
@@ -83,7 +83,7 @@ X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
 /* 1. try PEM (= DER+Base64+headers) */
 if ((bioS=BIO_new_file(filename, "r")) == NULL)
 return NULL;
- rc = modssl_PEM_read_bio_X509 (bioS, x509, cb, NULL);
+ rc = PEM_read_bio_X509 (bioS, x509, cb, NULL);
 BIO_free(bioS);
 if (rc == NULL) {
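Review bot: While the prototype of SSL_read_X509 is being rewritten for `pem_password_cb *`, `char* filename` stays non-const even though its only visible use is `BIO_new_file(filename, "r")`, which takes `const char *`; the same holds for SSL_read_PrivateKey in the next hunk and for the matching declarations in ssl_util_ssl.h. `X509 *SSL_read_X509(const char *filename, X509 **x509, pem_password_cb *cb)` would let callers pass configuration strings without a cast and state that the function does not write through the path, provided no use of `filename` outside the hunk needs a mutable pointer. SSL_read_X509 continues past the end of the hunk.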
@@ -125,7 +125,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
 }
 #endif
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, pem_password_cb *cb, void *s)
 {
 EVP_PKEY *rc;
 BIO *bioS;
@@ -134,7 +134,7 @@ EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb
 /* 1. try PEM (= DER+Base64+headers) */
 if ((bioS=BIO_new_file(filename, "r")) == NULL)
 return NULL;
- rc = modssl_PEM_read_bio_PrivateKey(bioS, key, cb, s);
+ rc = PEM_read_bio_PrivateKey(bioS, key, cb, s);
 BIO_free(bioS);
 if (rc == NULL) {
@@ -275,7 +275,7 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
 memcpy(cp, SSL_CIPHER_get_name(c), l);
 cp += l;
 *cp++ = '/';
- *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
+ *cp++ = (c->valid == 1 ? '1' : '0');
 *cp++ = ':';
 }
 *(cp-1) = NUL;
@@ -373,9 +373,9 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
 xsn = X509_get_subject_name(xs);
 for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsn)); i++) {
+ xsn->entries); i++) {
 xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- X509_NAME_get_entries(xsn), i);
+ xsn->entries, i);
 nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
 if (nid == NID_commonName) {
 *cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
@@ -401,14 +401,14 @@ BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
 return FALSE;
 }
- if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
+ if (BIO_read_filename(in, filename) <= 0) {
 BIO_free(in);
 return FALSE;
 }
 ERR_clear_error();
- modssl_PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+ PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
 BIO_free(in);
@@ -464,7 +464,7 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
 * should be sent to the peer in the SSL Certificate message.
 */
 int SSL_CTX_use_certificate_chain(
- SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
+ SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
 {
 BIO *bio;
 X509 *x509;
@@ -480,21 +480,21 @@ int SSL_CTX_use_certificate_chain(
 }
 /* optionally skip a leading server certificate */
 if (skipfirst) {
- if ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+ if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
 BIO_free(bio);
 return -1;
 }
 X509_free(x509);
 }
 /* free a perhaps already configured extra chain */
- extra_certs=SSL_CTX_get_extra_certs(ctx);
+ extra_certs = ctx->extra_certs;
 if (extra_certs != NULL) {
 sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
- SSL_CTX_set_extra_certs(ctx,NULL);
+ ctx->extra_certs = NULL;
 }
 /* create new extra chain by loading the certs */
 n = 0;
- while ((x509 = modssl_PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
 if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
 X509_free(x509);
 BIO_free(bio);
@@ -535,26 +535,3 @@ char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
 *cp = NUL;
 return str;
 }
-int modssl_session_get_time(SSL_SESSION *session)
-{
- return SSL_SESSION_get_time(session);
-}
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
- unsigned char *g, int glen)
-{
- DH *dh;
-
- if (!(dh = DH_new())) {
- return NULL;
- }
-
- dh->p = BN_bin2bn(p, plen, NULL);
- dh->g = BN_bin2bn(g, glen, NULL);
- if (!(dh->p && dh->g)) {
- DH_free(dh);
- return NULL;
- }
-
- return dh;
-}
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
index c56b5a0435..1b553e2278 100644
--- a/modules/ssl/ssl_util_ssl.h
+++ b/modules/ssl/ssl_util_ssl.h
@@ -60,8 +60,8 @@ void SSL_init_app_data2_idx(void);
 void *SSL_get_app_data2(SSL *);
 void SSL_set_app_data2(SSL *, void *);
-X509 *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
-EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
+X509 *SSL_read_X509(char *, X509 **, pem_password_cb *);
+EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
 int SSL_smart_shutdown(SSL *ssl);
 X509_STORE *SSL_X509_STORE_create(char *, char *);
 int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
@@ -72,14 +72,9 @@ char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
 BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
 BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
+int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
 char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
-int modssl_session_get_time(SSL_SESSION *session);
-
-DH *modssl_dh_configure(unsigned char *p, int plen,
- unsigned char *g, int glen);
-
 #endif /* __SSL_UTIL_SSL_H__ */
 /** @} */
-- 
2.40.0