summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CHANGES7
-rw-r--r--acinclude.m43
-rw-r--r--modules/ssl/mod_ssl.h25
-rw-r--r--modules/ssl/ssl_engine_init.c10
-rw-r--r--modules/ssl/ssl_engine_kernel.c65
-rw-r--r--modules/ssl/ssl_engine_vars.c36
-rw-r--r--modules/ssl/ssl_util.c2
-rw-r--r--modules/ssl/ssl_util_ssl.c36
8 files changed, 132 insertions, 52 deletions
diff --git a/CHANGES b/CHANGES
index 98c3269115..4a9a79e079 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
Changes with Apache 2.0.31-dev
+ *) mod_ssl adjustments to help with using toolkits other than OpenSSL:
+ Use SSL functions/macros instead of directly dereferencing SSL
+ structures wherever possible.
+ Add type-casts for the cases where functions return a generic pointer.
+ Add $SSL/include to configure search path.
+ [Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>]
+
*) Moved several pointers out of the shared Scoreboard so it is
more portable, and will present the vhost name across server
generation restarts. [William Rowe]
diff --git a/acinclude.m4 b/acinclude.m4
index bda7b56b91..dc47ddc01b 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -451,6 +451,9 @@ if test "x$ap_ssltk_base" = "x"; then
if test -f "$p/openssl/ssl.h"; then
ap_ssltk_incdir="$p"
break
+ elif test -f "$p/ssl.h"; then
+ ap_ssltk_incdir="$p"
+ break
fi
done
if test "x$ap_ssltk_incdir" = "x"; then
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index b5e9832541..19dc1e549d 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -345,6 +345,31 @@ typedef enum {
#ifndef X509_V_ERR_CERT_UNTRUSTED
#define X509_V_ERR_CERT_UNTRUSTED 27
+
+#endif
+
+#ifdef OPENSSL_VERSION_NUMBER
+
+#define EVP_PKEY_key_type(k) (EVP_PKEY_type(k->type))
+
+#define X509_NAME_get_entries(xs) (xs->entries)
+#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
+
+#define X509_get_signature_algorithm(xs) (xs->cert_info->signature->algorithm)
+#define X509_get_key_algorithm(xs) (xs->cert_info->key->algor->algorithm)
+
+#define X509_NAME_ENTRY_get_data_ptr(xs) (xs->value->data)
+#define X509_NAME_ENTRY_get_data_len(xs) (xs->value->length)
+
+#define SSL_CTX_get_extra_certs(ctx) (ctx->extra_certs)
+#define SSL_CTX_set_extra_certs(ctx,value) {ctx->extra_certs = value;}
+
+#define SSL_CIPHER_get_name(s) (s->name)
+#define SSL_CIPHER_get_valid(s) (s->valid)
+
+#define SSL_SESSION_get_session_id(s) (s->session_id)
+#define SSL_SESSION_get_session_id_length(s) (s->session_id_length)
+
#endif
#define ssl_verify_error_is_optional(errnum) \
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 26fb44db57..7d4e4e197d 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -604,7 +604,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
"CA certificates for client authentication", cpVHostID);
ssl_die();
}
- SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);
+ SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
}
/*
@@ -628,7 +628,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
* should take place. This cannot work.
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
- skCAList = SSL_CTX_get_client_CA_list(ctx);
+ skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(skCAList) == 0)
ssl_log(s, SSL_LOG_WARN,
"Init: Ops, you want to request client authentication, "
@@ -785,7 +785,7 @@ void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p, SSLSrvConfigRec *sc)
&& sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
if ( pKey != NULL
- && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA
+ && EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA
&& EVP_PKEY_missing_parameters(pKey))
EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
}
@@ -924,7 +924,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const ch
* Process CA certificate bundle file
*/
if (cpCAfile != NULL) {
- sk = SSL_load_client_CA_file(cpCAfile);
+ sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cpCAfile);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE,
"CA certificate: %s",
@@ -941,7 +941,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, apr_pool_t *pp, const ch
apr_dir_open(&dir, cpCApath, p);
while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) {
cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
- sk = SSL_load_client_CA_file(cp);
+ sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cp);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE,
"CA certificate: %s",
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 6d8091e659..5226fa3523 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -489,7 +489,7 @@ int ssl_hook_Access(request_rec *r)
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
pCipher = SSL_get_current_cipher(ssl);
else {
- skCipherOld = SSL_get_ciphers(ssl);
+ skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (skCipherOld != NULL)
skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
}
@@ -502,7 +502,7 @@ int ssl_hook_Access(request_rec *r)
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
- skCipher = SSL_get_ciphers(ssl);
+ skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
/* optimized way */
if ((pCipher == NULL && skCipher != NULL) ||
@@ -741,19 +741,23 @@ int ssl_hook_Access(request_rec *r)
* here because it resets too much of the connection. So we set the
* state explicitly and continue the handshake manually.
*/
- ssl_log(r->server, SSL_LOG_INFO, "Requesting connection re-negotiation");
+ ssl_log(r->server, SSL_LOG_INFO,
+ "Requesting connection re-negotiation");
if (renegotiate_quick) {
/* perform just a manual re-verification of the peer */
ssl_log(r->server, SSL_LOG_TRACE,
- "Performing quick renegotiation: just re-verifying the peer");
+ "Performing quick renegotiation: "
+ "just re-verifying the peer");
certstore = SSL_CTX_get_cert_store(ctx);
if (certstore == NULL) {
- ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage");
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "Cannot find certificate storage");
return HTTP_FORBIDDEN;
}
- certstack = SSL_get_peer_cert_chain(ssl);
+ certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
if (certstack == NULL || sk_X509_num(certstack) == 0) {
- ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
cert = sk_X509_value(certstack, 0);
@@ -772,9 +776,11 @@ int ssl_hook_Access(request_rec *r)
else {
/* do a full renegotiation */
ssl_log(r->server, SSL_LOG_TRACE,
- "Performing full renegotiation: complete handshake protocol");
+ "Performing full renegotiation: "
+ "complete handshake protocol");
if (r->main != NULL)
- SSL_set_session_id_context(ssl, (unsigned char *)&(r->main), sizeof(r->main));
+ SSL_set_session_id_context(ssl, (unsigned char *)&(r->main),
+ sizeof(r->main));
else
SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r));
/* will need to push to / pull from filters to renegotiate */
@@ -783,11 +789,13 @@ int ssl_hook_Access(request_rec *r)
SSL_do_handshake(ssl);
if (SSL_get_state(ssl) != SSL_ST_OK) {
- ssl_log(r->server, SSL_LOG_ERROR, "Re-negotiation request failed");
+ ssl_log(r->server, SSL_LOG_ERROR,
+ "Re-negotiation request failed");
ssl_bio_hooks_unset(ssl);
return HTTP_FORBIDDEN;
}
- ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake");
+ ssl_log(r->server, SSL_LOG_INFO,
+ "Awaiting re-negotiation handshake");
SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl);
@@ -795,7 +803,8 @@ int ssl_hook_Access(request_rec *r)
if (SSL_get_state(ssl) != SSL_ST_OK) {
ssl_log(r->server, SSL_LOG_ERROR,
- "Re-negotiation handshake failed: Not accepted by client!?");
+ "Re-negotiation handshake failed: "
+ "Not accepted by client!?");
return HTTP_FORBIDDEN;
}
}
@@ -1124,7 +1133,7 @@ int ssl_hook_Fixup(request_rec *r)
apr_table_set(e, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
apr_table_set(e, "SSL_CLIENT_CERT", val);
- if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
+ if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL) {
for (i = 0; i < sk_X509_num(sk); i++) {
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
@@ -1485,11 +1494,14 @@ int ssl_callback_SSLVerify_CRL(
#else
revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
#endif
- if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0) {
+ if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked),
+ X509_get_serialNumber(xs)) == 0) {
+
if (sc->nLogLevel >= SSL_LOG_INFO) {
char *cp = X509_NAME_oneline(issuer, NULL, 0);
- long serial = ASN1_INTEGER_get(revoked->serialNumber);
+ long serial = ASN1_INTEGER_get(
+ X509_REVOKED_get_serialNumber(revoked));
ssl_log(s, SSL_LOG_INFO,
"Certificate with serial %ld (0x%lX) "
@@ -1520,6 +1532,9 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
SSLSrvConfigRec *sc;
long t;
BOOL rc;
+ unsigned char *session_id;
+ unsigned int session_id_length;
+
/*
* Get Apache context back through OpenSSL context
@@ -1539,8 +1554,12 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
+ session_id = SSL_SESSION_get_session_id(pNew);
+ session_id_length = SSL_SESSION_get_session_id_length(pNew);
+
t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
- rc = ssl_scache_store(s, pNew->session_id, pNew->session_id_length, t, pNew);
+ rc = ssl_scache_store(s, session_id, session_id_length, t, pNew);
+
/*
* Log this cache operation
@@ -1548,7 +1567,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=SET status=%s id=%s timeout=%ds (session caching)",
rc == TRUE ? "OK" : "BAD",
- SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
+ SSL_SESSION_id2sz(session_id, session_id_length),
t-time(NULL));
/*
@@ -1615,6 +1634,9 @@ void ssl_callback_DelSessionCacheEntry(
SSL_CTX *ctx, SSL_SESSION *pSession)
{
server_rec *s;
+ unsigned char *session_id;
+ unsigned int session_id_length;
+
/*
* Get Apache context back through OpenSSL context
@@ -1626,15 +1648,18 @@ void ssl_callback_DelSessionCacheEntry(
/*
* Remove the SSL_SESSION from the inter-process cache
*/
- ssl_scache_remove(s, pSession->session_id, pSession->session_id_length);
+ session_id = SSL_SESSION_get_session_id(pSession);
+ session_id_length = SSL_SESSION_get_session_id_length(pSession);
+
+ ssl_scache_remove(s, session_id, session_id_length);
+
/*
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=REM status=OK id=%s (session dead)",
- SSL_SESSION_id2sz(pSession->session_id,
- pSession->session_id_length));
+ SSL_SESSION_id2sz(session_id, session_id_length));
return;
}
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 6e2e190166..3c5934f554 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -283,8 +283,9 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
SSL_SESSION *pSession = SSL_get_session(ssl);
- result = apr_pstrdup(p, SSL_SESSION_id2sz(pSession->session_id,
- pSession->session_id_length));
+ result = apr_pstrdup(p, SSL_SESSION_id2sz(
+ SSL_SESSION_get_session_id(pSession),
+ SSL_SESSION_get_session_id_length(pSession)));
}
else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) {
result = ssl_var_lookup_ssl_cipher(p, c, var+6);
@@ -356,13 +357,15 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var)
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
- nid = OBJ_obj2nid(xs->cert_info->signature->algorithm);
- result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_signature_algorithm(xs));
+ result = apr_pstrdup(p,
+ (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
- nid = OBJ_obj2nid(xs->cert_info->key->algor->algorithm);
- result = apr_pstrdup(p, (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
+ nid = OBJ_obj2nid((ASN1_OBJECT *)X509_get_key_algorithm(xs));
+ result = apr_pstrdup(p,
+ (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "CERT")) {
@@ -400,21 +403,30 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
char *result;
X509_NAME_ENTRY *xsne;
int i, j, n;
+ char *data_ptr;
+ int data_len;
result = NULL;
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQ(var, ssl_var_lookup_ssl_cert_dn_rec[i].name)) {
- for (j = 0; j < sk_X509_NAME_ENTRY_num(xsname->entries); j++) {
- xsne = sk_X509_NAME_ENTRY_value(xsname->entries, j);
- n = OBJ_obj2nid(xsne->object);
+ for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
+ X509_NAME_get_entries(xsname));
+ j++) {
+ xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
+ X509_NAME_get_entries(xsname), j);
+
+ n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
+ data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
+ data_len = X509_NAME_ENTRY_get_data_len(xsne);
+
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid) {
- result = apr_palloc(p, xsne->value->length+1);
- apr_cpystrn(result, (char *)xsne->value->data, xsne->value->length+1);
+ result = apr_palloc(p, data_len+1);
+ apr_cpystrn(result, (char *)data_ptr, data_len+1);
#ifdef CHARSET_EBCDIC
ascii2ebcdic(result, result, xsne->value->length);
#endif /* CHARSET_EBCDIC */
- result[xsne->value->length] = NUL;
+ result[data_len] = NUL;
break;
}
}
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index 2dd65083cf..f4ca8ac656 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -221,7 +221,7 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
if (pCert != NULL)
pKey = X509_get_pubkey(pCert);
if (pKey != NULL) {
- switch (EVP_PKEY_type(pKey->type)) {
+ switch (EVP_PKEY_key_type(pKey)) {
case EVP_PKEY_RSA:
t = SSL_ALGO_RSA;
break;
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
index cc5d6cf04b..b68ed6685e 100644
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -284,12 +284,12 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
if (ssl == NULL)
return "";
- if ((sk = SSL_get_ciphers(ssl)) == NULL)
+ if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
return "";
l = 0;
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i);
- l += strlen(c->name)+2+1;
+ l += strlen(SSL_CIPHER_get_name(c))+2+1;
}
if (l == 0)
return "";
@@ -297,11 +297,11 @@ char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
cp = cpCipherSuite;
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i);
- l = strlen(c->name);
- memcpy(cp, c->name, l);
+ l = strlen(SSL_CIPHER_get_name(c));
+ memcpy(cp, SSL_CIPHER_get_name(c), l);
cp += l;
*cp++ = '/';
- *cp++ = (c->valid == 1 ? '1' : '0');
+ *cp++ = (SSL_CIPHER_get_valid(c) == 1 ? '1' : '0');
*cp++ = ':';
}
*(cp-1) = NUL;
@@ -378,15 +378,21 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
X509_NAME *xsn;
X509_NAME_ENTRY *xsne;
int i, nid;
+ char *data_ptr;
+ int data_len;
xsn = X509_get_subject_name(xs);
- for (i = 0; i < sk_X509_NAME_ENTRY_num(xsn->entries); i++) {
- xsne = sk_X509_NAME_ENTRY_value(xsn->entries, i);
- nid = OBJ_obj2nid(xsne->object);
+ for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
+ X509_NAME_get_entries(xsn)); i++) {
+ xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
+ X509_NAME_get_entries(xsn), i);
+ nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (nid == NID_commonName) {
- *cppCN = apr_palloc(p, xsne->value->length+1);
- apr_cpystrn(*cppCN, (char *)xsne->value->data, xsne->value->length+1);
- (*cppCN)[xsne->value->length] = NUL;
+ data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
+ data_len = X509_NAME_ENTRY_get_data_len(xsne);
+ *cppCN = apr_palloc(p, data_len+1);
+ apr_cpystrn(*cppCN, (char *)data_ptr, data_len+1);
+ (*cppCN)[data_len] = NUL;
#ifdef CHARSET_EBCDIC
ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
#endif
@@ -470,6 +476,7 @@ int SSL_CTX_use_certificate_chain(
X509 *x509;
unsigned long err;
int n;
+ STACK *extra_certs;
if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
return -1;
@@ -490,9 +497,10 @@ int SSL_CTX_use_certificate_chain(
X509_free(x509);
}
/* free a perhaps already configured extra chain */
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
+ extra_certs=SSL_CTX_get_extra_certs(ctx);
+ if (extra_certs != NULL) {
+ sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
+ SSL_CTX_set_extra_certs(ctx,NULL);
}
/* create new extra chain by loading the certs */
n = 0;