From d7639a5ad052a8c44b0735e6782c546bfb9db290 Mon Sep 17 00:00:00 2001
From: Rainer Jung
Date: Sun, 14 Feb 2016 22:40:07 +0000
Subject: [PATCH] Support OpenSSL 1.1.0.
- use common code for OpenSSL pre-1.1.0 and 1.1.0 where possible.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730422 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 2 ++
 modules/ssl/mod_ssl_ct.c | 22 --------------------
 modules/ssl/ssl_engine_init.c | 4 ----
 modules/ssl/ssl_engine_kernel.c | 37 +++++----------------------------
 modules/ssl/ssl_engine_ocsp.c | 8 -------
 modules/ssl/ssl_engine_vars.c | 22 --------------------
 modules/ssl/ssl_private.h | 1 +
 modules/ssl/ssl_util_stapling.c | 4 ----
 8 files changed, 8 insertions(+), 92 deletions(-)
diff --git a/CHANGES b/CHANGES
index a5ba845e8a..5e84e2a04e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
  *) hostname: Test and log useragent_host per-request across various modules, including the scoreboard, expression and rewrite engines, setenvif, authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
diff --git a/modules/ssl/mod_ssl_ct.c b/modules/ssl/mod_ssl_ct.c
index 0b3de1852b..a5167469e6 100644
--- a/modules/ssl/mod_ssl_ct.c
+++ b/modules/ssl/mod_ssl_ct.c
@@ -1937,10 +1937,6 @@ static int ocsp_resp_cb(SSL *ssl, void *arg)
 int i, len;
 OCSP_RESPONSE *rsp;
 OCSP_BASICRESP *br;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OCSP_RESPDATA *rd;
- STACK_OF(X509_EXTENSION) *exts;
-#endif
 OCSP_SINGLERESP *single;
 len = SSL_get_tlsext_status_ocsp_resp(ssl, &p); /* UNDOC */
@@ -1965,25 +1961,13 @@ static int ocsp_resp_cb(SSL *ssl, void *arg)
 return 0;
 }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- rd = br->tbsResponseData;
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { /* UNDOC */
-#else
 for (i = 0; i < OCSP_resp_count(br); i++) {
-#endif
 const unsigned char *p;
 X509_EXTENSION *ext;
 int idx;
 ASN1_OCTET_STRING *oct1, *oct2;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- single = sk_OCSP_SINGLERESP_value(rd->responses, i); /* UNDOC */
-#else
 single = OCSP_resp_get0(br, i);
-#endif
 if (!single) {
 continue;
 }
@@ -1998,13 +1982,7 @@ static int ocsp_resp_cb(SSL *ssl, void *arg)
 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
 "index of NID_ct_cert_scts: %d", idx);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- exts = single->singleExtensions;
-
- ext = sk_X509_EXTENSION_value(exts, idx); /* UNDOC */
-#else
 ext = OCSP_SINGLERESP_get_ext(single, idx);
-#endif
 oct1 = X509_EXTENSION_get_data(ext); /* UNDOC */
 p = oct1->data;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 5690fd7eff..e8a9487d50 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -876,11 +876,7 @@ static int use_certificate_chain(
 unsigned long err;
 int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-#else
 if ((bio = BIO_new(BIO_s_file())) == NULL)
-#endif
 return -1;
 if (BIO_read_filename(bio, file) <= 0) {
 BIO_free(bio);
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 21db85f671..f61f3a33d8 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
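Review bot: `ext = OCSP_SINGLERESP_get_ext(single, idx);` is followed by `oct1 = X509_EXTENSION_get_data(ext);` and `p = oct1->data;` with no NULL check on `ext` or `oct1`; OCSP_SINGLERESP_get_ext() returns NULL for an index the response does not hold, so this is only safe if the lookup that produced `idx` (outside this hunk) already rejected a negative result, which is worth confirming or guarding with `if (!ext || !(oct1 = X509_EXTENSION_get_data(ext))) { continue; }`. Since the commit's aim is one code path for both OpenSSL generations using accessor functions, `p = ASN1_STRING_data(oct1);` would also keep the remaining line in that style instead of reaching into the ASN1_OCTET_STRING struct. ocsp_resp_cb() begins and ends outside this hunk.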
@@ -80,11 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r)
 SSL_set_accept_state(ssl);
 SSL_do_handshake(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
 "TLS upgrade handshake failed");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -460,11 +456,7 @@ int ssl_hook_Access(request_rec *r)
 * forbidden in the latter case, let ap_die() handle
 * this recursive (same) error.
 */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
 return HTTP_FORBIDDEN;
 }
 ctx = SSL_get_SSL_CTX(ssl);
@@ -948,7 +940,6 @@ int ssl_hook_Access(request_rec *r)
 }
 else {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- int rc;
 char peekbuf[1];
 #endif
 const char *reneg_support;
@@ -994,11 +985,7 @@ int ssl_hook_Access(request_rec *r)
 SSL_renegotiate(ssl);
 SSL_do_handshake(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
 "Re-negotiation request failed");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
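Review bot: the new `if (!SSL_is_init_finished(ssl)) {` in upgrade_connection() carries no comment on why it is the portable replacement for the two version-specific SSL_get_state() compares, and the same substitution is repeated without one in the @@ -460, @@ -994 and @@ -1033 hunks of ssl_hook_Access(). In the 1.0.x headers SSL_is_init_finished() is the macro `(SSL_state(a) == SSL_ST_OK)` while 1.1.0 provides it as a function, so a one-line note at the first occurrence such as `/* SSL_is_init_finished(): macro over SSL_state() before 1.1.0, a real function from 1.1.0 on, so no version switch is needed */` would save the next reader from re-deriving that. The return value of `SSL_do_handshake(ssl);` on the preceding context line is still discarded, so a handshake that reported an error is only detected indirectly through the state check; that predates this commit, and whether `if (SSL_do_handshake(ssl) <= 0 || !SSL_is_init_finished(ssl))` is safe depends on the BIO here being blocking, which this hunk does not show. upgrade_connection() starts and ends outside the hunk.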
@@ -1033,27 +1020,13 @@ int ssl_hook_Access(request_rec *r)
 * It is expected to work without changes with the forthcoming 1.1.0pre3.
 * See: http://marc.info/?t=145493359200002&r=1&w=2
 */
- rc = SSL_peek(ssl, peekbuf, 0);
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
- "Renegotiation peek result=%d, "
- "reneg_state=%d, "
- "in_init=%d, init_finished=%d, "
- "state=%s, sslconn->ssl=%s, peer_certs=%s",
- rc, sslconn->reneg_state,
- SSL_in_init(ssl), SSL_is_init_finished(ssl),
- SSL_state_string_long(ssl),
- sslconn->ssl != NULL ? "yes" : "no",
- SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
+ SSL_peek(ssl, peekbuf, 0);
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
 sslconn->reneg_state = RENEG_REJECT;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
 "Re-negotiation handshake failed");
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index 6bdd2cdce1..ddaebb3e8d 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -262,15 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
 "No cert available to check with OCSP");
 return 1;
 }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-#else
- /* No need to check cert->valid, because modssl_verify_ocsp() only
- * is called if OpenSSL already successfully verified the certificate
- * (parameter "ok" in ssl_callback_SSLVerify() must be true).
- */
 else if (X509_check_issued(cert,cert) == X509_V_OK) {
-#endif
 /* don't do OCSP checking for valid self-issued certs */
 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
 "Skipping OCSP check for valid self-issued cert");
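Review bot: the context line `#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */` that closes the new `SSL_peek(ssl, peekbuf, 0);` contradicts the block it ends: per the @@ -948 hunk `peekbuf` is declared under `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, and the comment above the peek describes a 1.1.0 workaround, so the trailing comment should read `#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */` (the opening #if is outside this hunk, so confirm against it). The peek's return value is now discarded along with the removed trace log, which is acceptable because the `SSL_is_init_finished()` test below is what decides, but a short note such as `/* return value irrelevant: the 0-byte peek only drives the handshake, checked below */` would make that deliberate rather than look like an ignored error. ssl_hook_Access() continues outside the hunk.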
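Review bot: the removed `#else` branch took with it the three-line comment explaining why `cert->valid` need not be checked before `X509_check_issued(cert,cert)` — that modssl_verify_ocsp() is only reached after OpenSSL has verified the certificate — and the now-unconditional `else if (X509_check_issued(cert,cert) == X509_V_OK) {` keeps no trace of that reasoning, even though it also drops the explicit `cert->valid` test that pre-1.1.0 builds used to make. Restoring that comment verbatim above the `else if` keeps the justification for the weaker check next to the code it justifies. modssl_verify_ocsp() begins and ends outside the hunk.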
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 9a9cfded68..0992e8caa3 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -683,16 +683,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
 for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
 if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen) &&
 strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries);
- j++) {
- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries, j);
-#else
 for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
 xsne = X509_NAME_get_entry(xsname, j);
-#endif
 n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
@@ -994,9 +986,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)
 static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
 X509_NAME *xn, apr_pool_t *p)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
-#endif
 X509_NAME_ENTRY *xsne;
 apr_hash_t *count;
 int i, nid;
@@ -1006,16 +995,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
 count = apr_hash_make(p);
 /* For each RDN... */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
- const char *tag;
-
- xsne = sk_X509_NAME_ENTRY_value(ents, i);
-#else
 for (i = 0; i < X509_NAME_entry_count(xn); i++) {
 const char *tag;
 xsne = X509_NAME_get_entry(xn, i);
-#endif
 /* Retrieve the nid, and check whether this is one of the nids
 * which are to be extracted. */
@@ -1189,11 +1171,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
 for (j = 0; j < count; j++) {
 X509_EXTENSION *ext = X509_get_ext(xs, j);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (OBJ_cmp(ext->object, oid) == 0) {
-#else
 if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
-#endif
 BIO *bio = BIO_new(BIO_s_mem());
 /* We want to obtain a string representation of the extensions
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 6734096cc4..7ba9903b98 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -151,6 +151,7 @@
 /* OCSP stapling */
 #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
 #define HAVE_OCSP_STAPLING
+/* All exist but are no longer macros since OpenSSL 1.1.0 */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 /* backward compatibility with OpenSSL < 1.0 */
 #ifndef sk_OPENSSL_STRING_num
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 57a753c16f..63be9b2ced 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -402,13 +402,9 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
 if (bio) {
 int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
-#else
 ASN1_INTEGER *pserial;
 OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
 if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
-#endif
 ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
 snum[n] = '\0';
 BIO_free(bio);
-- 
2.49.0
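Review bot: the added comment `/* All exist but are no longer macros since OpenSSL 1.1.0 */` does not say what "all" refers to, and it sits directly above a `#if OPENSSL_VERSION_NUMBER < 0x10100000L` whose own comment talks about compatibility with OpenSSL < 1.0, so a reader cannot tell which names it covers or why the guard is needed. A wording that names its subject, e.g. `/* The sk_OPENSSL_STRING_* names probed with #ifndef below are macros before 1.1.0; from 1.1.0 on they still exist but are functions, so the probes must be skipped there */`, would make the intent self-contained; only `sk_OPENSSL_STRING_num` is visible in this hunk, so adjust the list to whatever the block actually probes.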
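Review bot: `OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);` discards its return value and `pserial` is declared without an initialiser, so if the call fails (it returns 0 when given a NULL id and then stores nothing) the next line hands an indeterminate pointer to i2a_ASN1_INTEGER(). Initialise it and fold the result into the existing condition: `ASN1_INTEGER *pserial = NULL;` / `if (OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid) &&` / `    (i2a_ASN1_INTEGER(bio, pserial) != -1) &&`, which keeps the BIO_read() clause that follows untouched. stapling_check_response() begins and ends outside the hunk.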