Diff to https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/
as of upstream r1769589.
diff -uap httpd-2.4.23/acinclude.m4.openssl11 httpd-2.4.23/acinclude.m4
--- httpd-2.4.23/acinclude.m4.openssl11
+++ httpd-2.4.23/acinclude.m4
@@ -586,7 +586,7 @@
dnl Run library and function checks
liberrors=""
AC_CHECK_HEADERS([openssl/engine.h])
- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
if test "x$liberrors" != "x"; then
AC_MSG_WARN([OpenSSL libraries are unusable])
diff -uap httpd-2.4.23/modules/ssl/mod_ssl.c.openssl11 httpd-2.4.23/modules/ssl/mod_ssl.c
--- httpd-2.4.23/modules/ssl/mod_ssl.c.openssl11
+++ httpd-2.4.23/modules/ssl/mod_ssl.c
@@ -312,7 +312,13 @@
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+ ERR_remove_thread_state(NULL);
+#else
ERR_remove_state(0);
+#endif
+#endif
/* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
* actually loaded the error strings once per process due to static
@@ -342,7 +348,11 @@
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_malloc_init();
+#else
+ OPENSSL_malloc_init();
+#endif
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
diff -uap httpd-2.4.23/modules/ssl/ssl_engine_init.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_init.c
--- httpd-2.4.23/modules/ssl/ssl_engine_init.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_engine_init.c
@@ -47,21 +47,50 @@
#define KEYTYPES "RSA or DSA"
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+/* OpenSSL Pre-1.1.0 compatibility */
+/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
+static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* q is optional */
+ if (p == NULL || g == NULL)
+ return 0;
+ BN_free(dh->p);
+ BN_free(dh->q);
+ BN_free(dh->g);
+ dh->p = p;
+ dh->q = q;
+ dh->g = g;
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
+
/*
- * Grab well-defined DH parameters from OpenSSL, see the get_rfc*
+ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
* functions in <openssl/bn.h> for all available primes.
*/
-static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
+static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *))
{
DH *dh = DH_new();
+ BIGNUM *p, *g;
if (!dh) {
return NULL;
}
- dh->p = prime(NULL);
- BN_dec2bn(&dh->g, gen);
- if (!dh->p || !dh->g) {
+ p = prime(NULL);
+ g = BN_new();
+ if (g != NULL) {
+ BN_set_word(g, 2);
+ }
+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
DH_free(dh);
+ BN_free(p);
+ BN_free(g);
return NULL;
}
return dh;
@@ -73,12 +102,12 @@
DH *dh; /* ...this, used for keys.... */
const unsigned int min; /* ...of length >= this. */
} dhparams[] = {
- { get_rfc3526_prime_8192, NULL, 6145 },
- { get_rfc3526_prime_6144, NULL, 4097 },
- { get_rfc3526_prime_4096, NULL, 3073 },
- { get_rfc3526_prime_3072, NULL, 2049 },
- { get_rfc3526_prime_2048, NULL, 1025 },
- { get_rfc2409_prime_1024, NULL, 0 }
+ { BN_get_rfc3526_prime_8192, NULL, 6145 },
+ { BN_get_rfc3526_prime_6144, NULL, 4097 },
+ { BN_get_rfc3526_prime_4096, NULL, 3073 },
+ { BN_get_rfc3526_prime_3072, NULL, 2049 },
+ { BN_get_rfc3526_prime_2048, NULL, 1025 },
+ { BN_get_rfc2409_prime_1024, NULL, 0 }
};
static void init_dh_params(void)
@@ -86,7 +115,7 @@
unsigned n;
for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
- dhparams[n].dh = make_dh_params(dhparams[n].prime, "2");
+ dhparams[n].dh = make_dh_params(dhparams[n].prime);
}
static void free_dh_params(void)
@@ -153,7 +182,7 @@
"Init: this version of mod_ssl was compiled against "
"a newer library (%s, version currently loaded is %s)"
" - may result in undefined or erroneous behavior",
- MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
+ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
}
/* We initialize mc->pid per-process in the child init,
@@ -228,9 +257,11 @@
#endif
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if APR_HAS_THREADS
ssl_util_thread_setup(p);
#endif
+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
/*
* SSL external crypto device ("engine") support
@@ -351,6 +382,9 @@
modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
init_dh_params();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ init_bio_methods();
+#endif
return OK;
}
@@ -481,6 +515,9 @@
char *cp;
int protocol = mctx->protocol;
SSLSrvConfigRec *sc = mySrvConfig(s);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int prot;
+#endif
/*
* Create the new per-server SSL context
@@ -506,6 +543,7 @@
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_SSL3
if (protocol == SSL_PROTOCOL_SSLV3) {
method = mctx->pkp ?
@@ -536,12 +574,18 @@
SSLv23_client_method() : /* proxy */
SSLv23_server_method(); /* server */
}
+#else
+ method = mctx->pkp ?
+ TLS_client_method() : /* proxy */
+ TLS_server_method(); /* server */
+#endif
ctx = SSL_CTX_new(method);
mctx->ssl_ctx = ctx;
SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
@@ -565,6 +609,43 @@
}
#endif
+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ /* We first determine the maximum protocol version we should provide */
+ if (protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ } else if (protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+#ifndef OPENSSL_NO_SSL3
+ } else if (protocol & SSL_PROTOCOL_SSLV3) {
+ prot = SSL3_VERSION;
+#endif
+ } else {
+ SSL_CTX_free(ctx);
+ mctx->ssl_ctx = NULL;
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
+ "No SSL protocols available [hint: SSLProtocol]");
+ return ssl_die(s);
+ }
+ SSL_CTX_set_max_proto_version(ctx, prot);
+
+ /* Next we scan for the minimal protocol version we should provide,
+ * but we do not allow holes between max and min */
+ if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
+ prot = TLS1_1_VERSION;
+ }
+ if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+ prot = TLS1_VERSION;
+ }
+#ifndef OPENSSL_NO_SSL3
+ if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
+ prot = SSL3_VERSION;
+ }
+#endif
+ SSL_CTX_set_min_proto_version(ctx, prot);
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
if (sc->cipher_server_pref == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
@@ -858,7 +939,7 @@
unsigned long err;
int n;
- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+ if ((bio = BIO_new(BIO_s_file())) == NULL)
return -1;
if (BIO_read_filename(bio, file) <= 0) {
BIO_free(bio);
@@ -1200,7 +1281,7 @@
SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s",
- BN_num_bits(dhparams->p), vhost_id, certfile);
+ DH_bits(dhparams), vhost_id, certfile);
DH_free(dhparams);
}
@@ -1721,7 +1802,7 @@
"an OpenSSL version with support for TLS extensions "
"(RFC 6066 - Server Name Indication / SNI), "
"but the currently used library version (%s) is "
- "lacking this feature", SSLeay_version(SSLEAY_VERSION));
+ "lacking this feature", MODSSL_LIBRARY_DYNTEXT);
}
#endif
@@ -1917,6 +1998,9 @@
ssl_init_ctx_cleanup(sc->server);
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ free_bio_methods();
+#endif
free_dh_params();
return APR_SUCCESS;
diff -uap httpd-2.4.23/modules/ssl/ssl_engine_io.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_io.c
--- httpd-2.4.23/modules/ssl/ssl_engine_io.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_engine_io.c
@@ -149,7 +149,7 @@
* success, -1 on failure. */
static int bio_filter_out_flush(BIO *bio)
{
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
apr_bucket *e;
AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
@@ -162,10 +162,16 @@
static int bio_filter_create(BIO *bio)
{
- bio->shutdown = 1;
- bio->init = 1;
+ BIO_set_shutdown(bio, 1);
+ BIO_set_init(bio, 1);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* No setter method for OpenSSL 1.1.0 available,
+ * but I can't find any functional use of the
+ * "num" field there either.
+ */
bio->num = -1;
- bio->ptr = NULL;
+#endif
+ BIO_set_data(bio, NULL);
return 1;
}
@@ -190,7 +196,7 @@
static int bio_filter_out_write(BIO *bio, const char *in, int inl)
{
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
apr_bucket *e;
int need_flush;
@@ -241,7 +247,7 @@
static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
{
long ret = 1;
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
switch (cmd) {
case BIO_CTRL_RESET:
@@ -257,10 +263,10 @@
ret = 0;
break;
case BIO_CTRL_GET_CLOSE:
- ret = (long)bio->shutdown;
+ ret = (long)BIO_get_shutdown(bio);
break;
case BIO_CTRL_SET_CLOSE:
- bio->shutdown = (int)num;
+ BIO_set_shutdown(bio, (int)num);
break;
case BIO_CTRL_FLUSH:
ret = bio_filter_out_flush(bio);
@@ -294,19 +300,6 @@
return -1;
}
-static BIO_METHOD bio_filter_out_method = {
- BIO_TYPE_MEM,
- "APR output filter",
- bio_filter_out_write,
- bio_filter_out_read, /* read is never called */
- bio_filter_out_puts, /* puts is never called */
- bio_filter_out_gets, /* gets is never called */
- bio_filter_out_ctrl,
- bio_filter_create,
- bio_filter_destroy,
- NULL
-};
-
typedef struct {
int length;
char *value;
@@ -456,7 +449,7 @@
static int bio_filter_in_read(BIO *bio, char *in, int inlen)
{
apr_size_t inl = inlen;
- bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
apr_read_type_e block = inctx->block;
inctx->rc = APR_SUCCESS;
@@ -536,20 +529,86 @@
return -1;
}
+static int bio_filter_in_write(BIO *bio, const char *in, int inl)
+{
+ return -1;
+}
+
+static int bio_filter_in_puts(BIO *bio, const char *str)
+{
+ return -1;
+}
+
+static int bio_filter_in_gets(BIO *bio, char *buf, int size)
+{
+ return -1;
+}
+
+static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
+{
+ return -1;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+static BIO_METHOD bio_filter_out_method = {
+ BIO_TYPE_MEM,
+ "APR output filter",
+ bio_filter_out_write,
+ bio_filter_out_read, /* read is never called */
+ bio_filter_out_puts, /* puts is never called */
+ bio_filter_out_gets, /* gets is never called */
+ bio_filter_out_ctrl,
+ bio_filter_create,
+ bio_filter_destroy,
+ NULL
+};
static BIO_METHOD bio_filter_in_method = {
BIO_TYPE_MEM,
"APR input filter",
- NULL, /* write is never called */
+ bio_filter_in_write, /* write is never called */
bio_filter_in_read,
- NULL, /* puts is never called */
- NULL, /* gets is never called */
- NULL, /* ctrl is never called */
+ bio_filter_in_puts, /* puts is never called */
+ bio_filter_in_gets, /* gets is never called */
+ bio_filter_in_ctrl, /* ctrl is never called */
bio_filter_create,
bio_filter_destroy,
NULL
};
+#else
+
+static BIO_METHOD *bio_filter_out_method = NULL;
+static BIO_METHOD *bio_filter_in_method = NULL;
+
+void init_bio_methods(void)
+{
+ bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter");
+ BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write);
+ BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */
+ BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */
+ BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */
+ BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl);
+ BIO_meth_set_create(bio_filter_out_method, &bio_filter_create);
+ BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy);
+
+ bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter");
+ BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */
+ BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read);
+ BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */
+ BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */
+ BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */
+ BIO_meth_set_create(bio_filter_in_method, &bio_filter_create);
+ BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy);
+}
+
+void free_bio_methods(void)
+{
+ BIO_meth_free(bio_filter_out_method);
+ BIO_meth_free(bio_filter_in_method);
+}
+#endif
static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
char *buf,
@@ -779,7 +838,7 @@
return APR_EGENERAL;
}
- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
+ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
if (res < 0) {
@@ -1252,9 +1311,9 @@
if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
- (filter_ctx->pbioRead->ptr);
+ BIO_get_data(filter_ctx->pbioRead);
bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
- (filter_ctx->pbioWrite->ptr);
+ BIO_get_data(filter_ctx->pbioWrite);
apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
ssl_err = SSL_get_error(filter_ctx->pssl, n);
@@ -1667,8 +1726,8 @@
return ap_pass_brigade(f->next, bb);
}
- inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
- outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
+ inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead);
+ outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
/* When we are the writer, we must initialize the inctx
* mode so that we block for any required ssl input, because
@@ -1949,8 +2008,12 @@
filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
- filter_ctx->pbioRead->ptr = (void *)inctx;
+#else
+ filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
+#endif
+ BIO_set_data(filter_ctx->pbioRead, (void *)inctx);
inctx->ssl = ssl;
inctx->bio_out = filter_ctx->pbioWrite;
@@ -1980,8 +2043,12 @@
filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
filter_ctx, r, c);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
- filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c);
+#else
+ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
+#endif
+ BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c));
/* write is non blocking for the benefit of async mpm */
if (c->cs) {
diff -uap httpd-2.4.23/modules/ssl/ssl_engine_kernel.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_kernel.c
--- httpd-2.4.23/modules/ssl/ssl_engine_kernel.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_engine_kernel.c
@@ -80,7 +80,7 @@
SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);
- if (SSL_get_state(ssl) != SSL_ST_OK) {
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -114,6 +114,7 @@
return result;
}
+#ifdef HAVE_TLSEXT
static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
{
int i;
@@ -215,6 +216,7 @@
return 1;
}
+#endif
/*
* Post Read Request Handler
@@ -432,7 +434,7 @@
X509 *cert;
X509 *peercert;
X509_STORE *cert_store = NULL;
- X509_STORE_CTX cert_store_ctx;
+ X509_STORE_CTX *cert_store_ctx;
STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
const SSL_CIPHER *cipher = NULL;
int depth, verify_old, verify, n, is_slave = 0;
@@ -456,7 +458,7 @@
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
- if (SSL_get_state(ssl) != SSL_ST_OK) {
+ if (!SSL_is_init_finished(ssl)) {
return HTTP_FORBIDDEN;
}
ctx = SSL_get_SSL_CTX(ssl);
@@ -622,7 +624,7 @@
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
n++)
{
- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
renegotiate = TRUE;
@@ -633,7 +635,7 @@
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
n++)
{
- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
renegotiate = TRUE;
@@ -914,25 +916,27 @@
cert = sk_X509_value(cert_stack, 0);
}
- X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
+ cert_store_ctx = X509_STORE_CTX_new();
+ X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
depth = SSL_get_verify_depth(ssl);
if (depth >= 0) {
- X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
+ X509_STORE_CTX_set_depth(cert_store_ctx, depth);
}
- X509_STORE_CTX_set_ex_data(&cert_store_ctx,
+ X509_STORE_CTX_set_ex_data(cert_store_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx(),
(char *)ssl);
- if (!X509_verify_cert(&cert_store_ctx)) {
+ if (!X509_verify_cert(cert_store_ctx)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
"Re-negotiation verification step failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
}
- SSL_set_verify_result(ssl, cert_store_ctx.error);
- X509_STORE_CTX_cleanup(&cert_store_ctx);
+ SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx));
+ X509_STORE_CTX_cleanup(cert_store_ctx);
+ X509_STORE_CTX_free(cert_store_ctx);
if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
/* we created this ourselves, so free it */
@@ -940,6 +944,7 @@
}
}
else {
+ char peekbuf[1];
const char *reneg_support;
request_rec *id = r->main ? r->main : r;
@@ -983,7 +988,7 @@
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
- if (SSL_get_state(ssl) != SSL_ST_OK) {
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
"Re-negotiation request failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -999,16 +1004,15 @@
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
-#ifdef OPENSSL_NO_SSL_INTERN
- SSL_set_state(ssl, SSL_ST_ACCEPT);
-#else
- ssl->state = SSL_ST_ACCEPT;
-#endif
- SSL_do_handshake(ssl);
+ /* Need to trigger renegotiation handshake by reading.
+ * Peeking 0 bytes actually works.
+ * See: http://marc.info/?t=145493359200002&r=1&w=2
+ */
+ SSL_peek(ssl, peekbuf, 0);
sslconn->reneg_state = RENEG_REJECT;
- if (SSL_get_state(ssl) != SSL_ST_OK) {
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
"Re-negotiation handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
@@ -1513,7 +1517,11 @@
SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
#endif
pkey = SSL_get_privatekey(ssl);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+#else
+ type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
+#endif
/*
* OpenSSL will call us with either keylen == 512 or keylen == 1024
@@ -1725,11 +1733,19 @@
* so we need to increment here to prevent them from
* being freed.
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
*pkey = info->x_pkey->dec_pkey; \
CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
+#else
+#define modssl_set_cert_info(info, cert, pkey) \
+ *cert = info->x509; \
+ X509_up_ref(*cert); \
+ *pkey = info->x_pkey->dec_pkey; \
+ EVP_PKEY_up_ref(*pkey);
+#endif
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
@@ -1823,7 +1839,7 @@
static void ssl_session_log(server_rec *s,
const char *request,
- unsigned char *id,
+ IDCONST unsigned char *id,
unsigned int idlen,
const char *status,
const char *result,
@@ -1863,7 +1879,7 @@
SSLSrvConfigRec *sc = mySrvConfig(s);
long timeout = sc->session_cache_timeout;
BOOL rc;
- unsigned char *id;
+ IDCONST unsigned char *id;
unsigned int idlen;
/*
@@ -1907,7 +1923,7 @@
* of our other Apache pre-forked server processes.
*/
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
- unsigned char *id,
+ IDCONST unsigned char *id,
int idlen, int *do_copy)
{
/* Get Apache context back through OpenSSL context */
@@ -1946,7 +1962,7 @@
{
server_rec *s;
SSLSrvConfigRec *sc;
- unsigned char *id;
+ IDCONST unsigned char *id;
unsigned int idlen;
/*
@@ -2067,15 +2083,12 @@
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
- if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
- int state = SSL_get_state((SSL *)ssl);
-
- if (state == SSL3_ST_SR_CLNT_HELLO_A
- || state == SSL23_ST_SR_CLNT_HELLO_A) {
+ if (!scr->is_proxy &&
+ (where & SSL_CB_HANDSHAKE_START) &&
+ scr->reneg_state == RENEG_REJECT) {
scr->reneg_state = RENEG_ABORT;
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation");
- }
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initiated renegotiation. */
@@ -2279,7 +2292,7 @@
}
memcpy(keyname, ticket_key->key_name, 16);
- RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
+ RAND_bytes(iv, EVP_MAX_IV_LENGTH);
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
@@ -2416,17 +2429,27 @@
SRP_user_pwd *u;
if (username == NULL
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|| (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+#else
+ || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) {
+#endif
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
return SSL3_AL_FATAL;
}
if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SRP_user_pwd_free(u);
+#endif
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
/* reset all other options */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SRP_user_pwd_free(u);
+#endif
SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
return SSL_ERROR_NONE;
}
diff -uap httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c
--- httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c
@@ -109,7 +109,7 @@
{
OCSP_REQUEST *req = OCSP_REQUEST_new();
- *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
+ *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx));
if (!*certid || !OCSP_request_add0_id(req, *certid)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
"could not retrieve certificate id");
@@ -184,7 +184,7 @@
if (rc == V_OCSP_CERTSTATUS_GOOD) {
/* TODO: allow flags configuration. */
- if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
+ if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
"failed to verify the OCSP response");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
@@ -262,7 +262,7 @@
"No cert available to check with OCSP");
return 1;
}
- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ else if (X509_check_issued(cert,cert) == X509_V_OK) {
/* don't do OCSP checking for valid self-issued certs */
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"Skipping OCSP check for valid self-issued cert");
diff -uap httpd-2.4.23/modules/ssl/ssl_engine_vars.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_vars.c
--- httpd-2.4.23/modules/ssl/ssl_engine_vars.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_engine_vars.c
@@ -380,7 +380,7 @@
char buf[MODSSL_SESSION_ID_STRING_LEN];
SSL_SESSION *pSession = SSL_get_session(ssl);
if (pSession) {
- unsigned char *id;
+ IDCONST unsigned char *id;
unsigned int idlen;
#ifdef OPENSSL_NO_SSL_INTERN
@@ -545,13 +545,25 @@
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
+#else
+ ASN1_OBJECT *paobj;
+ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs));
+ nid = OBJ_obj2nid(paobj);
+#endif
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
+#else
+ ASN1_OBJECT *paobj;
+ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs));
+ nid = OBJ_obj2nid(paobj);
+#endif
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
@@ -613,11 +625,8 @@
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries);
- j++) {
- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries, j);
+ for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
+ xsne = X509_NAME_get_entry(xsname, j);
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
@@ -919,7 +928,6 @@
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
@@ -929,10 +937,9 @@
count = apr_hash_make(p);
/* For each RDN... */
- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
+ for (i = 0; i < X509_NAME_entry_count(xn); i++) {
const char *tag;
-
- xsne = sk_X509_NAME_ENTRY_value(ents, i);
+ xsne = X509_NAME_get_entry(xn, i);
/* Retrieve the nid, and check whether this is one of the nids
* which are to be extracted. */
@@ -1106,7 +1113,7 @@
for (j = 0; j < count; j++) {
X509_EXTENSION *ext = X509_get_ext(xs, j);
- if (OBJ_cmp(ext->object, oid) == 0) {
+ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
BIO *bio = BIO_new(BIO_s_mem());
/* We want to obtain a string representation of the extensions
diff -uap httpd-2.4.23/modules/ssl/ssl_private.h.openssl11 httpd-2.4.23/modules/ssl/ssl_private.h
--- httpd-2.4.23/modules/ssl/ssl_private.h.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_private.h
@@ -135,6 +135,13 @@
#define HAVE_SSL_CONF_CMD
#endif
+/* session id constness */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define IDCONST
+#else
+#define IDCONST const
+#endif
+
/**
* The following features all depend on TLS extension support.
* Within this block, check again for features (not version numbers).
@@ -151,6 +158,8 @@
/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
+/* All exist but are no longer macros since OpenSSL 1.1.0 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* backward compatibility with OpenSSL < 1.0 */
#ifndef sk_OPENSSL_STRING_num
#define sk_OPENSSL_STRING_num sk_num
@@ -161,7 +170,8 @@
#ifndef sk_OPENSSL_STRING_pop
#define sk_OPENSSL_STRING_pop sk_pop
#endif
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
/* TLS session tickets */
#if defined(SSL_CTX_set_tlsext_ticket_key_cb)
@@ -189,6 +199,36 @@
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
+#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
+#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
+#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048
+#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072
+#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096
+#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144
+#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192
+#define BIO_set_init(x,v) (x->init=v)
+#define BIO_get_data(x) (x->ptr)
+#define BIO_set_data(x,v) (x->ptr=v)
+#define BIO_get_shutdown(x) (x->shutdown)
+#define BIO_set_shutdown(x,v) (x->shutdown=v)
+#define DH_bits(x) (BN_num_bits(x->p))
+#else
+void init_bio_methods(void);
+void free_bio_methods(void);
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#define X509_STORE_CTX_get0_store(x) (x->ctx)
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#ifndef X509_STORE_CTX_get0_current_issuer
+#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
+#endif
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -454,12 +494,12 @@
* partial fix for CVE-2009-3555. */
enum {
RENEG_INIT = 0, /* Before initial handshake */
- RENEG_REJECT, /* After initial handshake; any client-initiated
- * renegotiation should be rejected */
- RENEG_ALLOW, /* A server-initiated renegotiation is taking
- * place (as dictated by configuration) */
- RENEG_ABORT /* Renegotiation initiated by client, abort the
- * connection */
+ RENEG_REJECT, /* After initial handshake; any client-initiated
+ * renegotiation should be rejected */
+ RENEG_ALLOW, /* A server-initiated renegotiation is taking
+ * place (as dictated by configuration) */
+ RENEG_ABORT /* Renegotiation initiated by client, abort the
+ * connection */
} reneg_state;
server_rec *server;
@@ -810,7 +850,7 @@
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
-SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
+SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
void ssl_callback_Info(const SSL *, int, int);
#ifdef HAVE_TLSEXT
@@ -831,10 +871,10 @@
apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
void ssl_scache_status_register(apr_pool_t *p);
void ssl_scache_kill(server_rec *);
-BOOL ssl_scache_store(server_rec *, UCHAR *, int,
+BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int,
apr_time_t, SSL_SESSION *, apr_pool_t *);
-SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
-void ssl_scache_remove(server_rec *, UCHAR *, int,
+SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *);
+void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int,
apr_pool_t *);
/** Proxy Support */
@@ -882,7 +922,9 @@
char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
const char * const *);
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
void ssl_util_thread_setup(apr_pool_t *);
+#endif
int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
diff -uap httpd-2.4.23/modules/ssl/ssl_scache.c.openssl11 httpd-2.4.23/modules/ssl/ssl_scache.c
--- httpd-2.4.23/modules/ssl/ssl_scache.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_scache.c
@@ -110,7 +110,7 @@
}
-BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
+BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen,
apr_time_t expiry, SSL_SESSION *sess,
apr_pool_t *p)
{
@@ -144,7 +144,7 @@
return rv == APR_SUCCESS ? TRUE : FALSE;
}
-SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
+SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen,
apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
@@ -173,7 +173,7 @@
return d2i_SSL_SESSION(NULL, &ptr, destlen);
}
-void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen,
+void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen,
apr_pool_t *p)
{
SSLModConfigRec *mc = myModConfig(s);
diff -uap httpd-2.4.23/modules/ssl/ssl_util.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util.c
--- httpd-2.4.23/modules/ssl/ssl_util.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_util.c
@@ -247,6 +247,7 @@
}
#if APR_HAS_THREADS
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/*
* To ensure thread-safetyness in OpenSSL - work in progress
*/
@@ -362,6 +363,28 @@
apr_pool_destroy(l->pool);
}
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+
+static void ssl_util_thr_id(CRYPTO_THREADID *id)
+{
+ /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
+ * id is a structure twice that big. Use the TCB pointer instead as a
+ * unique unsigned long.
+ */
+#ifdef __MVS__
+ struct PSA {
+ char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */
+ unsigned long PSATOLD;
+ } *psaptr = 0; /* PSA is at address 0 */
+
+ CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD);
+#else
+ CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current());
+#endif
+}
+
+#else
+
static unsigned long ssl_util_thr_id(void)
{
/* OpenSSL needs this to return an unsigned long. On OS/390, the pthread
@@ -380,10 +403,16 @@
#endif
}
+#endif
+
static apr_status_t ssl_util_thread_cleanup(void *data)
{
CRYPTO_set_locking_callback(NULL);
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ CRYPTO_THREADID_set_callback(NULL);
+#else
CRYPTO_set_id_callback(NULL);
+#endif
CRYPTO_set_dynlock_create_callback(NULL);
CRYPTO_set_dynlock_lock_callback(NULL);
@@ -407,7 +436,11 @@
apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
}
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ CRYPTO_THREADID_set_callback(ssl_util_thr_id);
+#else
CRYPTO_set_id_callback(ssl_util_thr_id);
+#endif
CRYPTO_set_locking_callback(ssl_util_thr_lock);
@@ -422,4 +455,5 @@
apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup,
apr_pool_cleanup_null);
}
-#endif
+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* #if APR_HAS_THREADS */
diff -uap httpd-2.4.23/modules/ssl/ssl_util_ssl.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util_ssl.c
--- httpd-2.4.23/modules/ssl/ssl_util_ssl.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_util_ssl.c
@@ -488,7 +488,7 @@
** _________________________________________________________________
*/
-char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen,
+char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen,
char *str, int strsize)
{
if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
diff -uap httpd-2.4.23/modules/ssl/ssl_util_ssl.h.openssl11 httpd-2.4.23/modules/ssl/ssl_util_ssl.h
--- httpd-2.4.23/modules/ssl/ssl_util_ssl.h.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_util_ssl.h
@@ -41,7 +41,11 @@
#define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define MODSSL_LIBRARY_NAME "OpenSSL"
#define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+#else
+#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
+#endif
/**
* Maximum length of a DER encoded session.
@@ -67,7 +71,7 @@
char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
-char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
+char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */
diff -uap httpd-2.4.23/modules/ssl/ssl_util_stapling.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util_stapling.c
--- httpd-2.4.23/modules/ssl/ssl_util_stapling.c.openssl11
+++ httpd-2.4.23/modules/ssl/ssl_util_stapling.c
@@ -79,7 +79,7 @@
X509 *issuer = NULL;
int i;
X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
- X509_STORE_CTX inctx;
+ X509_STORE_CTX *inctx;
STACK_OF(X509) *extra_certs = NULL;
#ifdef OPENSSL_NO_SSL_INTERN
@@ -91,18 +91,23 @@
for (i = 0; i < sk_X509_num(extra_certs); i++) {
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+#else
+ X509_up_ref(issuer);
+#endif
return issuer;
}
}
- if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
+ inctx = X509_STORE_CTX_new();
+ if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
return 0;
- if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
+ if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
issuer = NULL;
- X509_STORE_CTX_cleanup(&inctx);
+ X509_STORE_CTX_cleanup(inctx);
+ X509_STORE_CTX_free(inctx);
return issuer;
-
}
int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
@@ -398,7 +403,9 @@
if (bio) {
int n;
- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
+ ASN1_INTEGER *pserial;
+ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
+ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
snum[n] = '\0';
BIO_free(bio);
diff -uap httpd-2.4.23/support/ab.c.openssl11 httpd-2.4.23/support/ab.c
--- httpd-2.4.23/support/ab.c.openssl11
+++ httpd-2.4.23/support/ab.c
@@ -2133,6 +2133,14 @@
apr_getopt_t *opt;
const char *opt_arg;
char c;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int max_prot = TLS1_2_VERSION;
+#ifndef OPENSSL_NO_SSL3
+ int min_prot = SSL3_VERSION;
+#else
+ int min_prot = TLS1_VERSION;
+#endif
+#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */
#ifdef USE_SSL
AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
#endif
@@ -2350,6 +2358,7 @@
method_str[CUSTOM_METHOD] = strdup(opt_arg);
break;
case 'f':
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (strncasecmp(opt_arg, "ALL", 3) == 0) {
meth = SSLv23_client_method();
#ifndef OPENSSL_NO_SSL2
@@ -2369,6 +2378,31 @@
} else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
meth = TLSv1_client_method();
}
+#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ meth = TLS_client_method();
+ if (strncasecmp(opt_arg, "ALL", 3) == 0) {
+ max_prot = TLS1_2_VERSION;
+#ifndef OPENSSL_NO_SSL3
+ min_prot = SSL3_VERSION;
+#else
+ min_prot = TLS1_VERSION;
+#endif
+#ifndef OPENSSL_NO_SSL3
+ } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
+ max_prot = SSL3_VERSION;
+ min_prot = SSL3_VERSION;
+#endif
+ } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
+ max_prot = TLS1_1_VERSION;
+ min_prot = TLS1_1_VERSION;
+ } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
+ max_prot = TLS1_2_VERSION;
+ min_prot = TLS1_2_VERSION;
+ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
+ max_prot = TLS1_VERSION;
+ min_prot = TLS1_VERSION;
+ }
+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
break;
#endif
}
@@ -2413,7 +2447,11 @@
#ifdef RSAREF
R_malloc_init();
#else
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_malloc_init();
+#else
+ OPENSSL_malloc_init();
+#endif
#endif
SSL_load_error_strings();
SSL_library_init();
@@ -2426,6 +2464,10 @@
exit(1);
}
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot);
+ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot);
+#endif
#ifdef SSL_MODE_RELEASE_BUFFERS
/* Keep memory usage as low as possible */
SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);