Diff to https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/ as of upstream r1769589. diff -uap httpd-2.4.23/acinclude.m4.openssl11 httpd-2.4.23/acinclude.m4 --- httpd-2.4.23/acinclude.m4.openssl11 +++ httpd-2.4.23/acinclude.m4 @@ -586,7 +586,7 @@ dnl Run library and function checks liberrors="" AC_CHECK_HEADERS([openssl/engine.h]) - AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) + AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"]) AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd]) if test "x$liberrors" != "x"; then AC_MSG_WARN([OpenSSL libraries are unusable]) diff -uap httpd-2.4.23/modules/ssl/mod_ssl.c.openssl11 httpd-2.4.23/modules/ssl/mod_ssl.c --- httpd-2.4.23/modules/ssl/mod_ssl.c.openssl11 +++ httpd-2.4.23/modules/ssl/mod_ssl.c @@ -312,7 +312,13 @@ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_cleanup(); #endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x1000000fL + ERR_remove_thread_state(NULL); +#else ERR_remove_state(0); +#endif +#endif /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only * actually loaded the error strings once per process due to static @@ -342,7 +348,11 @@ /* We must register the library in full, to ensure our configuration * code can successfully test the SSL environment. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_malloc_init(); +#else + OPENSSL_malloc_init(); +#endif ERR_load_crypto_strings(); SSL_load_error_strings(); SSL_library_init(); diff -uap httpd-2.4.23/modules/ssl/ssl_engine_init.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_init.c --- httpd-2.4.23/modules/ssl/ssl_engine_init.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_engine_init.c @@ -47,21 +47,50 @@ #define KEYTYPES "RSA or DSA" #endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L +/* OpenSSL Pre-1.1.0 compatibility */ +/* Taken from OpenSSL 1.1.0 snapshot 20160410 */ +static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + /* q is optional */ + if (p == NULL || g == NULL) + return 0; + BN_free(dh->p); + BN_free(dh->q); + BN_free(dh->g); + dh->p = p; + dh->q = q; + dh->g = g; + + if (q != NULL) { + dh->length = BN_num_bits(q); + } + + return 1; +} +#endif + /* - * Grab well-defined DH parameters from OpenSSL, see the get_rfc* + * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* * functions in for all available primes. */ -static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen) +static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *)) { DH *dh = DH_new(); + BIGNUM *p, *g; if (!dh) { return NULL; } - dh->p = prime(NULL); - BN_dec2bn(&dh->g, gen); - if (!dh->p || !dh->g) { + p = prime(NULL); + g = BN_new(); + if (g != NULL) { + BN_set_word(g, 2); + } + if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) { DH_free(dh); + BN_free(p); + BN_free(g); return NULL; } return dh; @@ -73,12 +102,12 @@ DH *dh; /* ...this, used for keys.... */ const unsigned int min; /* ...of length >= this. */ } dhparams[] = { - { get_rfc3526_prime_8192, NULL, 6145 }, - { get_rfc3526_prime_6144, NULL, 4097 }, - { get_rfc3526_prime_4096, NULL, 3073 }, - { get_rfc3526_prime_3072, NULL, 2049 }, - { get_rfc3526_prime_2048, NULL, 1025 }, - { get_rfc2409_prime_1024, NULL, 0 } + { BN_get_rfc3526_prime_8192, NULL, 6145 }, + { BN_get_rfc3526_prime_6144, NULL, 4097 }, + { BN_get_rfc3526_prime_4096, NULL, 3073 }, + { BN_get_rfc3526_prime_3072, NULL, 2049 }, + { BN_get_rfc3526_prime_2048, NULL, 1025 }, + { BN_get_rfc2409_prime_1024, NULL, 0 } }; static void init_dh_params(void) @@ -86,7 +115,7 @@ unsigned n; for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++) - dhparams[n].dh = make_dh_params(dhparams[n].prime, "2"); + dhparams[n].dh = make_dh_params(dhparams[n].prime); } static void free_dh_params(void) @@ -153,7 +182,7 @@ "Init: this version of mod_ssl was compiled against " "a newer library (%s, version currently loaded is %s)" " - may result in undefined or erroneous behavior", - MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION)); + MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT); } /* We initialize mc->pid per-process in the child init, @@ -228,9 +257,11 @@ #endif } +#if OPENSSL_VERSION_NUMBER < 0x10100000L #if APR_HAS_THREADS ssl_util_thread_setup(p); #endif +#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ /* * SSL external crypto device ("engine") support @@ -351,6 +382,9 @@ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ init_dh_params(); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + init_bio_methods(); +#endif return OK; } @@ -481,6 +515,9 @@ char *cp; int protocol = mctx->protocol; SSLSrvConfigRec *sc = mySrvConfig(s); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + int prot; +#endif /* * Create the new per-server SSL context @@ -506,6 +543,7 @@ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "Creating new SSL context (protocols: %s)", cp); +#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifndef OPENSSL_NO_SSL3 if (protocol == SSL_PROTOCOL_SSLV3) { method = mctx->pkp ? @@ -536,12 +574,18 @@ SSLv23_client_method() : /* proxy */ SSLv23_server_method(); /* server */ } +#else + method = mctx->pkp ? + TLS_client_method() : /* proxy */ + TLS_server_method(); /* server */ +#endif ctx = SSL_CTX_new(method); mctx->ssl_ctx = ctx; SSL_CTX_set_options(ctx, SSL_OP_ALL); +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* always disable SSLv2, as per RFC 6176 */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); @@ -565,6 +609,43 @@ } #endif +#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + /* We first determine the maximum protocol version we should provide */ + if (protocol & SSL_PROTOCOL_TLSV1_2) { + prot = TLS1_2_VERSION; + } else if (protocol & SSL_PROTOCOL_TLSV1_1) { + prot = TLS1_1_VERSION; + } else if (protocol & SSL_PROTOCOL_TLSV1) { + prot = TLS1_VERSION; +#ifndef OPENSSL_NO_SSL3 + } else if (protocol & SSL_PROTOCOL_SSLV3) { + prot = SSL3_VERSION; +#endif + } else { + SSL_CTX_free(ctx); + mctx->ssl_ctx = NULL; + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) + "No SSL protocols available [hint: SSLProtocol]"); + return ssl_die(s); + } + SSL_CTX_set_max_proto_version(ctx, prot); + + /* Next we scan for the minimal protocol version we should provide, + * but we do not allow holes between max and min */ + if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) { + prot = TLS1_1_VERSION; + } + if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { + prot = TLS1_VERSION; + } +#ifndef OPENSSL_NO_SSL3 + if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) { + prot = SSL3_VERSION; + } +#endif + SSL_CTX_set_min_proto_version(ctx, prot); +#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE if (sc->cipher_server_pref == TRUE) { SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); @@ -858,7 +939,7 @@ unsigned long err; int n; - if ((bio = BIO_new(BIO_s_file_internal())) == NULL) + if ((bio = BIO_new(BIO_s_file())) == NULL) return -1; if (BIO_read_filename(bio, file) <= 0) { BIO_free(bio); @@ -1200,7 +1281,7 @@ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) "Custom DH parameters (%d bits) for %s loaded from %s", - BN_num_bits(dhparams->p), vhost_id, certfile); + DH_bits(dhparams), vhost_id, certfile); DH_free(dhparams); } @@ -1721,7 +1802,7 @@ "an OpenSSL version with support for TLS extensions " "(RFC 6066 - Server Name Indication / SNI), " "but the currently used library version (%s) is " - "lacking this feature", SSLeay_version(SSLEAY_VERSION)); + "lacking this feature", MODSSL_LIBRARY_DYNTEXT); } #endif @@ -1917,6 +1998,9 @@ ssl_init_ctx_cleanup(sc->server); } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + free_bio_methods(); +#endif free_dh_params(); return APR_SUCCESS; diff -uap httpd-2.4.23/modules/ssl/ssl_engine_io.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_io.c --- httpd-2.4.23/modules/ssl/ssl_engine_io.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_engine_io.c @@ -149,7 +149,7 @@ * success, -1 on failure. */ static int bio_filter_out_flush(BIO *bio) { - bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); apr_bucket *e; AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb)); @@ -162,10 +162,16 @@ static int bio_filter_create(BIO *bio) { - bio->shutdown = 1; - bio->init = 1; + BIO_set_shutdown(bio, 1); + BIO_set_init(bio, 1); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* No setter method for OpenSSL 1.1.0 available, + * but I can't find any functional use of the + * "num" field there either. + */ bio->num = -1; - bio->ptr = NULL; +#endif + BIO_set_data(bio, NULL); return 1; } @@ -190,7 +196,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) { - bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); apr_bucket *e; int need_flush; @@ -241,7 +247,7 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr) { long ret = 1; - bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); switch (cmd) { case BIO_CTRL_RESET: @@ -257,10 +263,10 @@ ret = 0; break; case BIO_CTRL_GET_CLOSE: - ret = (long)bio->shutdown; + ret = (long)BIO_get_shutdown(bio); break; case BIO_CTRL_SET_CLOSE: - bio->shutdown = (int)num; + BIO_set_shutdown(bio, (int)num); break; case BIO_CTRL_FLUSH: ret = bio_filter_out_flush(bio); @@ -294,19 +300,6 @@ return -1; } -static BIO_METHOD bio_filter_out_method = { - BIO_TYPE_MEM, - "APR output filter", - bio_filter_out_write, - bio_filter_out_read, /* read is never called */ - bio_filter_out_puts, /* puts is never called */ - bio_filter_out_gets, /* gets is never called */ - bio_filter_out_ctrl, - bio_filter_create, - bio_filter_destroy, - NULL -}; - typedef struct { int length; char *value; @@ -456,7 +449,7 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) { apr_size_t inl = inlen; - bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr); + bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); apr_read_type_e block = inctx->block; inctx->rc = APR_SUCCESS; @@ -536,20 +529,86 @@ return -1; } +static int bio_filter_in_write(BIO *bio, const char *in, int inl) +{ + return -1; +} + +static int bio_filter_in_puts(BIO *bio, const char *str) +{ + return -1; +} + +static int bio_filter_in_gets(BIO *bio, char *buf, int size) +{ + return -1; +} + +static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) +{ + return -1; +} + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +static BIO_METHOD bio_filter_out_method = { + BIO_TYPE_MEM, + "APR output filter", + bio_filter_out_write, + bio_filter_out_read, /* read is never called */ + bio_filter_out_puts, /* puts is never called */ + bio_filter_out_gets, /* gets is never called */ + bio_filter_out_ctrl, + bio_filter_create, + bio_filter_destroy, + NULL +}; static BIO_METHOD bio_filter_in_method = { BIO_TYPE_MEM, "APR input filter", - NULL, /* write is never called */ + bio_filter_in_write, /* write is never called */ bio_filter_in_read, - NULL, /* puts is never called */ - NULL, /* gets is never called */ - NULL, /* ctrl is never called */ + bio_filter_in_puts, /* puts is never called */ + bio_filter_in_gets, /* gets is never called */ + bio_filter_in_ctrl, /* ctrl is never called */ bio_filter_create, bio_filter_destroy, NULL }; +#else + +static BIO_METHOD *bio_filter_out_method = NULL; +static BIO_METHOD *bio_filter_in_method = NULL; + +void init_bio_methods(void) +{ + bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter"); + BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write); + BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read is never called */ + BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts is never called */ + BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets is never called */ + BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl); + BIO_meth_set_create(bio_filter_out_method, &bio_filter_create); + BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy); + + bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter"); + BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write is never called */ + BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read); + BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts); /* puts is never called */ + BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets); /* gets is never called */ + BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl); /* ctrl is never called */ + BIO_meth_set_create(bio_filter_in_method, &bio_filter_create); + BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy); +} + +void free_bio_methods(void) +{ + BIO_meth_free(bio_filter_out_method); + BIO_meth_free(bio_filter_in_method); +} +#endif static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, char *buf, @@ -779,7 +838,7 @@ return APR_EGENERAL; } - outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; + outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len); if (res < 0) { @@ -1252,9 +1311,9 @@ if ((n = SSL_accept(filter_ctx->pssl)) <= 0) { bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *) - (filter_ctx->pbioRead->ptr); + BIO_get_data(filter_ctx->pbioRead); bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *) - (filter_ctx->pbioWrite->ptr); + BIO_get_data(filter_ctx->pbioWrite); apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ; ssl_err = SSL_get_error(filter_ctx->pssl, n); @@ -1667,8 +1726,8 @@ return ap_pass_brigade(f->next, bb); } - inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr; - outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr; + inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead); + outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite); /* When we are the writer, we must initialize the inctx * mode so that we block for any required ssl input, because @@ -1949,8 +2008,12 @@ filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); +#if OPENSSL_VERSION_NUMBER < 0x10100000L filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); - filter_ctx->pbioRead->ptr = (void *)inctx; +#else + filter_ctx->pbioRead = BIO_new(bio_filter_in_method); +#endif + BIO_set_data(filter_ctx->pbioRead, (void *)inctx); inctx->ssl = ssl; inctx->bio_out = filter_ctx->pbioWrite; @@ -1980,8 +2043,12 @@ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, filter_ctx, r, c); +#if OPENSSL_VERSION_NUMBER < 0x10100000L filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); - filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c); +#else + filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); +#endif + BIO_set_data(filter_ctx->pbioWrite, (void *)bio_filter_out_ctx_new(filter_ctx, c)); /* write is non blocking for the benefit of async mpm */ if (c->cs) { diff -uap httpd-2.4.23/modules/ssl/ssl_engine_kernel.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_kernel.c --- httpd-2.4.23/modules/ssl/ssl_engine_kernel.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_engine_kernel.c @@ -80,7 +80,7 @@ SSL_set_accept_state(ssl); SSL_do_handshake(ssl); - if (SSL_get_state(ssl) != SSL_ST_OK) { + if (!SSL_is_init_finished(ssl)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) "TLS upgrade handshake failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); @@ -114,6 +114,7 @@ return result; } +#ifdef HAVE_TLSEXT static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) { int i; @@ -215,6 +216,7 @@ return 1; } +#endif /* * Post Read Request Handler @@ -432,7 +434,7 @@ X509 *cert; X509 *peercert; X509_STORE *cert_store = NULL; - X509_STORE_CTX cert_store_ctx; + X509_STORE_CTX *cert_store_ctx; STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; const SSL_CIPHER *cipher = NULL; int depth, verify_old, verify, n, is_slave = 0; @@ -456,7 +458,7 @@ * forbidden in the latter case, let ap_die() handle * this recursive (same) error. */ - if (SSL_get_state(ssl) != SSL_ST_OK) { + if (!SSL_is_init_finished(ssl)) { return HTTP_FORBIDDEN; } ctx = SSL_get_SSL_CTX(ssl); @@ -622,7 +624,7 @@ !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list)); n++) { - SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); + const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n); if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) { renegotiate = TRUE; @@ -633,7 +635,7 @@ !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old)); n++) { - SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); + const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n); if (sk_SSL_CIPHER_find(cipher_list, value) < 0) { renegotiate = TRUE; @@ -914,25 +916,27 @@ cert = sk_X509_value(cert_stack, 0); } - X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); + cert_store_ctx = X509_STORE_CTX_new(); + X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); depth = SSL_get_verify_depth(ssl); if (depth >= 0) { - X509_STORE_CTX_set_depth(&cert_store_ctx, depth); + X509_STORE_CTX_set_depth(cert_store_ctx, depth); } - X509_STORE_CTX_set_ex_data(&cert_store_ctx, + X509_STORE_CTX_set_ex_data(cert_store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl); - if (!X509_verify_cert(&cert_store_ctx)) { + if (!X509_verify_cert(cert_store_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) "Re-negotiation verification step failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); } - SSL_set_verify_result(ssl, cert_store_ctx.error); - X509_STORE_CTX_cleanup(&cert_store_ctx); + SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); + X509_STORE_CTX_cleanup(cert_store_ctx); + X509_STORE_CTX_free(cert_store_ctx); if (cert_stack != SSL_get_peer_cert_chain(ssl)) { /* we created this ourselves, so free it */ @@ -940,6 +944,7 @@ } } else { + char peekbuf[1]; const char *reneg_support; request_rec *id = r->main ? r->main : r; @@ -983,7 +988,7 @@ SSL_renegotiate(ssl); SSL_do_handshake(ssl); - if (SSL_get_state(ssl) != SSL_ST_OK) { + if (!SSL_is_init_finished(ssl)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225) "Re-negotiation request failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); @@ -999,16 +1004,15 @@ * However, this causes failures in perl-framework currently, * perhaps pre-test if we have already negotiated? */ -#ifdef OPENSSL_NO_SSL_INTERN - SSL_set_state(ssl, SSL_ST_ACCEPT); -#else - ssl->state = SSL_ST_ACCEPT; -#endif - SSL_do_handshake(ssl); + /* Need to trigger renegotiation handshake by reading. + * Peeking 0 bytes actually works. + * See: http://marc.info/?t=145493359200002&r=1&w=2 + */ + SSL_peek(ssl, peekbuf, 0); sslconn->reneg_state = RENEG_REJECT; - if (SSL_get_state(ssl) != SSL_ST_OK) { + if (!SSL_is_init_finished(ssl)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) "Re-negotiation handshake failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); @@ -1513,7 +1517,11 @@ SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); #endif pkey = SSL_get_privatekey(ssl); +#if OPENSSL_VERSION_NUMBER < 0x10100000L type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; +#else + type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; +#endif /* * OpenSSL will call us with either keylen == 512 or keylen == 1024 @@ -1725,11 +1733,19 @@ * so we need to increment here to prevent them from * being freed. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define modssl_set_cert_info(info, cert, pkey) \ *cert = info->x509; \ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ *pkey = info->x_pkey->dec_pkey; \ CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY) +#else +#define modssl_set_cert_info(info, cert, pkey) \ + *cert = info->x509; \ + X509_up_ref(*cert); \ + *pkey = info->x_pkey->dec_pkey; \ + EVP_PKEY_up_ref(*pkey); +#endif int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) { @@ -1823,7 +1839,7 @@ static void ssl_session_log(server_rec *s, const char *request, - unsigned char *id, + IDCONST unsigned char *id, unsigned int idlen, const char *status, const char *result, @@ -1863,7 +1879,7 @@ SSLSrvConfigRec *sc = mySrvConfig(s); long timeout = sc->session_cache_timeout; BOOL rc; - unsigned char *id; + IDCONST unsigned char *id; unsigned int idlen; /* @@ -1907,7 +1923,7 @@ * of our other Apache pre-forked server processes. */ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl, - unsigned char *id, + IDCONST unsigned char *id, int idlen, int *do_copy) { /* Get Apache context back through OpenSSL context */ @@ -1946,7 +1962,7 @@ { server_rec *s; SSLSrvConfigRec *sc; - unsigned char *id; + IDCONST unsigned char *id; unsigned int idlen; /* @@ -2067,15 +2083,12 @@ /* If the reneg state is to reject renegotiations, check the SSL * state machine and move to ABORT if a Client Hello is being * read. */ - if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { - int state = SSL_get_state((SSL *)ssl); - - if (state == SSL3_ST_SR_CLNT_HELLO_A - || state == SSL23_ST_SR_CLNT_HELLO_A) { + if (!scr->is_proxy && + (where & SSL_CB_HANDSHAKE_START) && + scr->reneg_state == RENEG_REJECT) { scr->reneg_state = RENEG_ABORT; ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042) "rejecting client initiated renegotiation"); - } } /* If the first handshake is complete, change state to reject any * subsequent client-initiated renegotiation. */ @@ -2279,7 +2292,7 @@ } memcpy(keyname, ticket_key->key_name, 16); - RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); + RAND_bytes(iv, EVP_MAX_IV_LENGTH); EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ticket_key->aes_key, iv); HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); @@ -2416,17 +2429,27 @@ SRP_user_pwd *u; if (username == NULL +#if OPENSSL_VERSION_NUMBER < 0x10100000L || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { +#else + || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) { +#endif *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; return SSL3_AL_FATAL; } if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SRP_user_pwd_free(u); +#endif *ad = SSL_AD_INTERNAL_ERROR; return SSL3_AL_FATAL; } /* reset all other options */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SRP_user_pwd_free(u); +#endif SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); return SSL_ERROR_NONE; } diff -uap httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c --- httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_engine_ocsp.c @@ -109,7 +109,7 @@ { OCSP_REQUEST *req = OCSP_REQUEST_new(); - *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); + *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx)); if (!*certid || !OCSP_request_add0_id(req, *certid)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) "could not retrieve certificate id"); @@ -184,7 +184,7 @@ if (rc == V_OCSP_CERTSTATUS_GOOD) { /* TODO: allow flags configuration. */ - if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { + if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) "failed to verify the OCSP response"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); @@ -262,7 +262,7 @@ "No cert available to check with OCSP"); return 1; } - else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { + else if (X509_check_issued(cert,cert) == X509_V_OK) { /* don't do OCSP checking for valid self-issued certs */ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "Skipping OCSP check for valid self-issued cert"); diff -uap httpd-2.4.23/modules/ssl/ssl_engine_vars.c.openssl11 httpd-2.4.23/modules/ssl/ssl_engine_vars.c --- httpd-2.4.23/modules/ssl/ssl_engine_vars.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_engine_vars.c @@ -380,7 +380,7 @@ char buf[MODSSL_SESSION_ID_STRING_LEN]; SSL_SESSION *pSession = SSL_get_session(ssl); if (pSession) { - unsigned char *id; + IDCONST unsigned char *id; unsigned int idlen; #ifdef OPENSSL_NO_SSL_INTERN @@ -545,13 +545,25 @@ resdup = FALSE; } else if (strcEQ(var, "A_SIG")) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); +#else + ASN1_OBJECT *paobj; + X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs)); + nid = OBJ_obj2nid(paobj); +#endif result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); resdup = FALSE; } else if (strcEQ(var, "A_KEY")) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm)); +#else + ASN1_OBJECT *paobj; + X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs)); + nid = OBJ_obj2nid(paobj); +#endif result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid)); resdup = FALSE; @@ -613,11 +625,8 @@ for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) { if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen) && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) { - for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *) - xsname->entries); - j++) { - xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *) - xsname->entries, j); + for (j = 0; j < X509_NAME_entry_count(xsname); j++) { + xsne = X509_NAME_get_entry(xsname, j); n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne)); @@ -919,7 +928,6 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx, X509_NAME *xn, apr_pool_t *p) { - STACK_OF(X509_NAME_ENTRY) *ents = xn->entries; X509_NAME_ENTRY *xsne; apr_hash_t *count; int i, nid; @@ -929,10 +937,9 @@ count = apr_hash_make(p); /* For each RDN... */ - for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) { + for (i = 0; i < X509_NAME_entry_count(xn); i++) { const char *tag; - - xsne = sk_X509_NAME_ENTRY_value(ents, i); + xsne = X509_NAME_get_entry(xn, i); /* Retrieve the nid, and check whether this is one of the nids * which are to be extracted. */ @@ -1106,7 +1113,7 @@ for (j = 0; j < count; j++) { X509_EXTENSION *ext = X509_get_ext(xs, j); - if (OBJ_cmp(ext->object, oid) == 0) { + if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) { BIO *bio = BIO_new(BIO_s_mem()); /* We want to obtain a string representation of the extensions diff -uap httpd-2.4.23/modules/ssl/ssl_private.h.openssl11 httpd-2.4.23/modules/ssl/ssl_private.h --- httpd-2.4.23/modules/ssl/ssl_private.h.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_private.h @@ -135,6 +135,13 @@ #define HAVE_SSL_CONF_CMD #endif +/* session id constness */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define IDCONST +#else +#define IDCONST const +#endif + /** * The following features all depend on TLS extension support. * Within this block, check again for features (not version numbers). @@ -151,6 +158,8 @@ /* OCSP stapling */ #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) #define HAVE_OCSP_STAPLING +/* All exist but are no longer macros since OpenSSL 1.1.0 */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* backward compatibility with OpenSSL < 1.0 */ #ifndef sk_OPENSSL_STRING_num #define sk_OPENSSL_STRING_num sk_num @@ -161,7 +170,8 @@ #ifndef sk_OPENSSL_STRING_pop #define sk_OPENSSL_STRING_pop sk_pop #endif -#endif +#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */ /* TLS session tickets */ #if defined(SSL_CTX_set_tlsext_ticket_key_cb) @@ -189,6 +199,36 @@ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 +#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 +#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 +#define BN_get_rfc3526_prime_2048 get_rfc3526_prime_2048 +#define BN_get_rfc3526_prime_3072 get_rfc3526_prime_3072 +#define BN_get_rfc3526_prime_4096 get_rfc3526_prime_4096 +#define BN_get_rfc3526_prime_6144 get_rfc3526_prime_6144 +#define BN_get_rfc3526_prime_8192 get_rfc3526_prime_8192 +#define BIO_set_init(x,v) (x->init=v) +#define BIO_get_data(x) (x->ptr) +#define BIO_set_data(x,v) (x->ptr=v) +#define BIO_get_shutdown(x) (x->shutdown) +#define BIO_set_shutdown(x,v) (x->shutdown=v) +#define DH_bits(x) (BN_num_bits(x->p)) +#else +void init_bio_methods(void); +void free_bio_methods(void); +#endif + +#if OPENSSL_VERSION_NUMBER < 0x10002000L +#define X509_STORE_CTX_get0_store(x) (x->ctx) +#endif + +#if OPENSSL_VERSION_NUMBER < 0x10000000L +#ifndef X509_STORE_CTX_get0_current_issuer +#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) +#endif +#endif + /* mod_ssl headers */ #include "ssl_util_ssl.h" @@ -454,12 +494,12 @@ * partial fix for CVE-2009-3555. */ enum { RENEG_INIT = 0, /* Before initial handshake */ - RENEG_REJECT, /* After initial handshake; any client-initiated - * renegotiation should be rejected */ - RENEG_ALLOW, /* A server-initiated renegotiation is taking - * place (as dictated by configuration) */ - RENEG_ABORT /* Renegotiation initiated by client, abort the - * connection */ + RENEG_REJECT, /* After initial handshake; any client-initiated + * renegotiation should be rejected */ + RENEG_ALLOW, /* A server-initiated renegotiation is taking + * place (as dictated by configuration) */ + RENEG_ABORT /* Renegotiation initiated by client, abort the + * connection */ } reneg_state; server_rec *server; @@ -810,7 +850,7 @@ int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); -SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); +SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char *, int, int *); void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); void ssl_callback_Info(const SSL *, int, int); #ifdef HAVE_TLSEXT @@ -831,10 +871,10 @@ apr_status_t ssl_scache_init(server_rec *, apr_pool_t *); void ssl_scache_status_register(apr_pool_t *p); void ssl_scache_kill(server_rec *); -BOOL ssl_scache_store(server_rec *, UCHAR *, int, +BOOL ssl_scache_store(server_rec *, IDCONST UCHAR *, int, apr_time_t, SSL_SESSION *, apr_pool_t *); -SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *); -void ssl_scache_remove(server_rec *, UCHAR *, int, +SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, apr_pool_t *); +void ssl_scache_remove(server_rec *, IDCONST UCHAR *, int, apr_pool_t *); /** Proxy Support */ @@ -882,7 +922,9 @@ char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *, const char * const *); BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); +#if OPENSSL_VERSION_NUMBER < 0x10100000L void ssl_util_thread_setup(apr_pool_t *); +#endif int ssl_init_ssl_connection(conn_rec *c, request_rec *r); BOOL ssl_util_vhost_matches(const char *servername, server_rec *s); diff -uap httpd-2.4.23/modules/ssl/ssl_scache.c.openssl11 httpd-2.4.23/modules/ssl/ssl_scache.c --- httpd-2.4.23/modules/ssl/ssl_scache.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_scache.c @@ -110,7 +110,7 @@ } -BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen, +BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen, apr_time_t expiry, SSL_SESSION *sess, apr_pool_t *p) { @@ -144,7 +144,7 @@ return rv == APR_SUCCESS ? TRUE : FALSE; } -SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen, +SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen, apr_pool_t *p) { SSLModConfigRec *mc = myModConfig(s); @@ -173,7 +173,7 @@ return d2i_SSL_SESSION(NULL, &ptr, destlen); } -void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen, +void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen, apr_pool_t *p) { SSLModConfigRec *mc = myModConfig(s); diff -uap httpd-2.4.23/modules/ssl/ssl_util.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util.c --- httpd-2.4.23/modules/ssl/ssl_util.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_util.c @@ -247,6 +247,7 @@ } #if APR_HAS_THREADS +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* * To ensure thread-safetyness in OpenSSL - work in progress */ @@ -362,6 +363,28 @@ apr_pool_destroy(l->pool); } +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + +static void ssl_util_thr_id(CRYPTO_THREADID *id) +{ + /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread + * id is a structure twice that big. Use the TCB pointer instead as a + * unique unsigned long. + */ +#ifdef __MVS__ + struct PSA { + char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */ + unsigned long PSATOLD; + } *psaptr = 0; /* PSA is at address 0 */ + + CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD); +#else + CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current()); +#endif +} + +#else + static unsigned long ssl_util_thr_id(void) { /* OpenSSL needs this to return an unsigned long. On OS/390, the pthread @@ -380,10 +403,16 @@ #endif } +#endif + static apr_status_t ssl_util_thread_cleanup(void *data) { CRYPTO_set_locking_callback(NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + CRYPTO_THREADID_set_callback(NULL); +#else CRYPTO_set_id_callback(NULL); +#endif CRYPTO_set_dynlock_create_callback(NULL); CRYPTO_set_dynlock_lock_callback(NULL); @@ -407,7 +436,11 @@ apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p); } +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + CRYPTO_THREADID_set_callback(ssl_util_thr_id); +#else CRYPTO_set_id_callback(ssl_util_thr_id); +#endif CRYPTO_set_locking_callback(ssl_util_thr_lock); @@ -422,4 +455,5 @@ apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup, apr_pool_cleanup_null); } -#endif +#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* #if APR_HAS_THREADS */ diff -uap httpd-2.4.23/modules/ssl/ssl_util_ssl.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util_ssl.c --- httpd-2.4.23/modules/ssl/ssl_util_ssl.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_util_ssl.c @@ -488,7 +488,7 @@ ** _________________________________________________________________ */ -char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen, +char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen, char *str, int strsize) { if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH) diff -uap httpd-2.4.23/modules/ssl/ssl_util_ssl.h.openssl11 httpd-2.4.23/modules/ssl/ssl_util_ssl.h --- httpd-2.4.23/modules/ssl/ssl_util_ssl.h.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_util_ssl.h @@ -41,7 +41,11 @@ #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER #define MODSSL_LIBRARY_NAME "OpenSSL" #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) +#else +#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) +#endif /** * Maximum length of a DER encoded session. @@ -67,7 +71,7 @@ char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int); BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **); BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *); -char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int); +char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int); #endif /* __SSL_UTIL_SSL_H__ */ /** @} */ diff -uap httpd-2.4.23/modules/ssl/ssl_util_stapling.c.openssl11 httpd-2.4.23/modules/ssl/ssl_util_stapling.c --- httpd-2.4.23/modules/ssl/ssl_util_stapling.c.openssl11 +++ httpd-2.4.23/modules/ssl/ssl_util_stapling.c @@ -79,7 +79,7 @@ X509 *issuer = NULL; int i; X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); - X509_STORE_CTX inctx; + X509_STORE_CTX *inctx; STACK_OF(X509) *extra_certs = NULL; #ifdef OPENSSL_NO_SSL_INTERN @@ -91,18 +91,23 @@ for (i = 0; i < sk_X509_num(extra_certs); i++) { issuer = sk_X509_value(extra_certs, i); if (X509_check_issued(issuer, x) == X509_V_OK) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +#else + X509_up_ref(issuer); +#endif return issuer; } } - if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) + inctx = X509_STORE_CTX_new(); + if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) return 0; - if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) + if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) issuer = NULL; - X509_STORE_CTX_cleanup(&inctx); + X509_STORE_CTX_cleanup(inctx); + X509_STORE_CTX_free(inctx); return issuer; - } int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, @@ -398,7 +403,9 @@ if (bio) { int n; - if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) && + ASN1_INTEGER *pserial; + OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid); + if ((i2a_ASN1_INTEGER(bio, pserial) != -1) && ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0)) snum[n] = '\0'; BIO_free(bio); diff -uap httpd-2.4.23/support/ab.c.openssl11 httpd-2.4.23/support/ab.c --- httpd-2.4.23/support/ab.c.openssl11 +++ httpd-2.4.23/support/ab.c @@ -2133,6 +2133,14 @@ apr_getopt_t *opt; const char *opt_arg; char c; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + int max_prot = TLS1_2_VERSION; +#ifndef OPENSSL_NO_SSL3 + int min_prot = SSL3_VERSION; +#else + int min_prot = TLS1_VERSION; +#endif +#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */ #ifdef USE_SSL AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method(); #endif @@ -2350,6 +2358,7 @@ method_str[CUSTOM_METHOD] = strdup(opt_arg); break; case 'f': +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (strncasecmp(opt_arg, "ALL", 3) == 0) { meth = SSLv23_client_method(); #ifndef OPENSSL_NO_SSL2 @@ -2369,6 +2378,31 @@ } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { meth = TLSv1_client_method(); } +#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + meth = TLS_client_method(); + if (strncasecmp(opt_arg, "ALL", 3) == 0) { + max_prot = TLS1_2_VERSION; +#ifndef OPENSSL_NO_SSL3 + min_prot = SSL3_VERSION; +#else + min_prot = TLS1_VERSION; +#endif +#ifndef OPENSSL_NO_SSL3 + } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) { + max_prot = SSL3_VERSION; + min_prot = SSL3_VERSION; +#endif + } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) { + max_prot = TLS1_1_VERSION; + min_prot = TLS1_1_VERSION; + } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) { + max_prot = TLS1_2_VERSION; + min_prot = TLS1_2_VERSION; + } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) { + max_prot = TLS1_VERSION; + min_prot = TLS1_VERSION; + } +#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ break; #endif } @@ -2413,7 +2447,11 @@ #ifdef RSAREF R_malloc_init(); #else +#if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_malloc_init(); +#else + OPENSSL_malloc_init(); +#endif #endif SSL_load_error_strings(); SSL_library_init(); @@ -2426,6 +2464,10 @@ exit(1); } SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_CTX_set_max_proto_version(ssl_ctx, max_prot); + SSL_CTX_set_min_proto_version(ssl_ctx, min_prot); +#endif #ifdef SSL_MODE_RELEASE_BUFFERS /* Keep memory usage as low as possible */ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);