296 lines
10 KiB
Diff
296 lines
10 KiB
Diff
|
# ./pullrev.sh 1876934
|
||
|
http://svn.apache.org/viewvc?view=revision&revision=1876934
|
||
|
|
||
|
only in patch2:
|
||
|
--- httpd-2.4.48/modules/ssl/ssl_engine_init.c.r1876934
|
||
|
+++ httpd-2.4.48/modules/ssl/ssl_engine_init.c
|
||
|
@@ -879,6 +879,23 @@
|
||
|
#endif
|
||
|
}
|
||
|
|
||
|
+static APR_INLINE
|
||
|
+int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
|
||
|
+ const char *file,
|
||
|
+ const char *path)
|
||
|
+{
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ if (!SSL_CTX_load_verify_locations(ctx, file, path))
|
||
|
+ return 0;
|
||
|
+#else
|
||
|
+ if (file && !SSL_CTX_load_verify_file(ctx, file))
|
||
|
+ return 0;
|
||
|
+ if (path && !SSL_CTX_load_verify_dir(ctx, path))
|
||
|
+ return 0;
|
||
|
+#endif
|
||
|
+ return 1;
|
||
|
+}
|
||
|
+
|
||
|
static apr_status_t ssl_init_ctx_verify(server_rec *s,
|
||
|
apr_pool_t *p,
|
||
|
apr_pool_t *ptemp,
|
||
|
@@ -919,10 +936,8 @@
|
||
|
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
|
||
|
"Configuring client authentication");
|
||
|
|
||
|
- if (!SSL_CTX_load_verify_locations(ctx,
|
||
|
- mctx->auth.ca_cert_file,
|
||
|
- mctx->auth.ca_cert_path))
|
||
|
- {
|
||
|
+ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
|
||
|
+ mctx->auth.ca_cert_path)) {
|
||
|
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
|
||
|
"Unable to configure verify locations "
|
||
|
"for client authentication");
|
||
|
@@ -1007,6 +1022,23 @@
|
||
|
return APR_SUCCESS;
|
||
|
}
|
||
|
|
||
|
+static APR_INLINE
|
||
|
+int modssl_X509_STORE_load_locations(X509_STORE *store,
|
||
|
+ const char *file,
|
||
|
+ const char *path)
|
||
|
+{
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ if (!X509_STORE_load_locations(store, file, path))
|
||
|
+ return 0;
|
||
|
+#else
|
||
|
+ if (file && !X509_STORE_load_file(store, file))
|
||
|
+ return 0;
|
||
|
+ if (path && !X509_STORE_load_path(store, path))
|
||
|
+ return 0;
|
||
|
+#endif
|
||
|
+ return 1;
|
||
|
+}
|
||
|
+
|
||
|
static apr_status_t ssl_init_ctx_crl(server_rec *s,
|
||
|
apr_pool_t *p,
|
||
|
apr_pool_t *ptemp,
|
||
|
@@ -1045,7 +1077,7 @@
|
||
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
|
||
|
"Configuring certificate revocation facility");
|
||
|
|
||
|
- if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
|
||
|
+ if (!store || modssl_X509_STORE_load_locations(store, mctx->crl_file,
|
||
|
mctx->crl_path)) {
|
||
|
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
|
||
|
"Host %s: unable to configure X.509 CRL storage "
|
||
|
@@ -1285,7 +1317,7 @@
|
||
|
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
|
||
|
int i;
|
||
|
X509 *cert;
|
||
|
- DH *dhparams;
|
||
|
+ DH *dh;
|
||
|
#ifdef HAVE_ECC
|
||
|
EC_GROUP *ecparams = NULL;
|
||
|
int nid;
|
||
|
@@ -1470,12 +1502,12 @@
|
||
|
*/
|
||
|
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
|
||
|
if (certfile && !modssl_is_engine_id(certfile)
|
||
|
- && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
|
||
|
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
|
||
|
+ && (dh = ssl_dh_GetParamFromFile(certfile))) {
|
||
|
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
|
||
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
|
||
|
"Custom DH parameters (%d bits) for %s loaded from %s",
|
||
|
- DH_bits(dhparams), vhost_id, certfile);
|
||
|
- DH_free(dhparams);
|
||
|
+ BN_num_bits(DH_get0_p(dh)), vhost_id, certfile);
|
||
|
+ DH_free(dh);
|
||
|
}
|
||
|
|
||
|
#ifdef HAVE_ECC
|
||
|
@@ -1526,6 +1558,7 @@
|
||
|
char buf[TLSEXT_TICKET_KEY_LEN];
|
||
|
char *path;
|
||
|
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
|
||
|
+ int res;
|
||
|
|
||
|
if (!ticket_key->file_path) {
|
||
|
return APR_SUCCESS;
|
||
|
@@ -1553,11 +1586,22 @@
|
||
|
}
|
||
|
|
||
|
memcpy(ticket_key->key_name, buf, 16);
|
||
|
- memcpy(ticket_key->hmac_secret, buf + 16, 16);
|
||
|
memcpy(ticket_key->aes_key, buf + 32, 16);
|
||
|
-
|
||
|
- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
|
||
|
- ssl_callback_SessionTicket)) {
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ memcpy(ticket_key->hmac_secret, buf + 16, 16);
|
||
|
+ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
|
||
|
+ ssl_callback_SessionTicket);
|
||
|
+#else
|
||
|
+ ticket_key->mac_params[0] =
|
||
|
+ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
|
||
|
+ ticket_key->mac_params[1] =
|
||
|
+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
|
||
|
+ ticket_key->mac_params[2] =
|
||
|
+ OSSL_PARAM_construct_end();
|
||
|
+ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
|
||
|
+ ssl_callback_SessionTicket);
|
||
|
+#endif
|
||
|
+ if (!res) {
|
||
|
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
|
||
|
"Unable to initialize TLS session ticket key callback "
|
||
|
"(incompatible OpenSSL version?)");
|
||
|
@@ -1688,7 +1732,7 @@
|
||
|
return ssl_die(s);
|
||
|
}
|
||
|
|
||
|
- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
|
||
|
+ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
|
||
|
|
||
|
for (n = 0; n < ncerts; n++) {
|
||
|
int i;
|
||
|
--- httpd-2.4.48/modules/ssl/ssl_engine_io.c.r1876934
|
||
|
+++ httpd-2.4.48/modules/ssl/ssl_engine_io.c
|
||
|
@@ -548,7 +548,20 @@
|
||
|
|
||
|
static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
|
||
|
{
|
||
|
- return -1;
|
||
|
+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
|
||
|
+ switch (cmd) {
|
||
|
+#ifdef BIO_CTRL_EOF
|
||
|
+ case BIO_CTRL_EOF:
|
||
|
+ return inctx->rc == APR_EOF;
|
||
|
+#endif
|
||
|
+ default:
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
|
||
|
+ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
|
||
|
+ cmd);
|
||
|
+ AP_DEBUG_ASSERT(0);
|
||
|
+ return 0;
|
||
|
}
|
||
|
|
||
|
#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
||
|
@@ -573,7 +586,7 @@
|
||
|
bio_filter_in_read,
|
||
|
bio_filter_in_puts, /* puts is never called */
|
||
|
bio_filter_in_gets, /* gets is never called */
|
||
|
- bio_filter_in_ctrl, /* ctrl is never called */
|
||
|
+ bio_filter_in_ctrl, /* ctrl is called for EOF check */
|
||
|
bio_filter_create,
|
||
|
bio_filter_destroy,
|
||
|
NULL
|
||
|
--- httpd-2.4.48/modules/ssl/ssl_engine_kernel.c.r1876934
|
||
|
+++ httpd-2.4.48/modules/ssl/ssl_engine_kernel.c
|
||
|
@@ -2614,7 +2614,11 @@
|
||
|
unsigned char *keyname,
|
||
|
unsigned char *iv,
|
||
|
EVP_CIPHER_CTX *cipher_ctx,
|
||
|
- HMAC_CTX *hctx,
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ HMAC_CTX *hmac_ctx,
|
||
|
+#else
|
||
|
+ EVP_MAC_CTX *mac_ctx,
|
||
|
+#endif
|
||
|
int mode)
|
||
|
{
|
||
|
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
||
|
@@ -2641,7 +2645,13 @@
|
||
|
}
|
||
|
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
|
||
|
ticket_key->aes_key, iv);
|
||
|
- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
|
||
|
+
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
|
||
|
+ tlsext_tick_md(), NULL);
|
||
|
+#else
|
||
|
+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
|
||
|
+#endif
|
||
|
|
||
|
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
|
||
|
"TLS session ticket key for %s successfully set, "
|
||
|
@@ -2662,7 +2672,13 @@
|
||
|
|
||
|
EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
|
||
|
ticket_key->aes_key, iv);
|
||
|
- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
|
||
|
+
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
|
||
|
+ tlsext_tick_md(), NULL);
|
||
|
+#else
|
||
|
+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
|
||
|
+#endif
|
||
|
|
||
|
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
|
||
|
"TLS session ticket key for %s successfully set, "
|
||
|
--- httpd-2.4.48/modules/ssl/ssl_engine_log.c.r1876934
|
||
|
+++ httpd-2.4.48/modules/ssl/ssl_engine_log.c
|
||
|
@@ -78,6 +78,16 @@
|
||
|
return APR_EGENERAL;
|
||
|
}
|
||
|
|
||
|
+static APR_INLINE
|
||
|
+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
|
||
|
+{
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ return ERR_peek_error_line_data(NULL, NULL, data, flags);
|
||
|
+#else
|
||
|
+ return ERR_peek_error_data(data, flags);
|
||
|
+#endif
|
||
|
+}
|
||
|
+
|
||
|
/*
|
||
|
* Prints the SSL library error information.
|
||
|
*/
|
||
|
@@ -87,7 +97,7 @@
|
||
|
const char *data;
|
||
|
int flags;
|
||
|
|
||
|
- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
|
||
|
+ while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
|
||
|
const char *annotation;
|
||
|
char err[256];
|
||
|
|
||
|
--- httpd-2.4.48/modules/ssl/ssl_private.h.r1876934
|
||
|
+++ httpd-2.4.48/modules/ssl/ssl_private.h
|
||
|
@@ -89,6 +89,9 @@
|
||
|
/* must be defined before including ssl.h */
|
||
|
#define OPENSSL_NO_SSL_INTERN
|
||
|
#endif
|
||
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
|
||
|
+#include <openssl/core_names.h>
|
||
|
+#endif
|
||
|
#include <openssl/ssl.h>
|
||
|
#include <openssl/err.h>
|
||
|
#include <openssl/x509.h>
|
||
|
@@ -674,7 +677,11 @@
|
||
|
typedef struct {
|
||
|
const char *file_path;
|
||
|
unsigned char key_name[16];
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
unsigned char hmac_secret[16];
|
||
|
+#else
|
||
|
+ OSSL_PARAM mac_params[3];
|
||
|
+#endif
|
||
|
unsigned char aes_key[16];
|
||
|
} modssl_ticket_key_t;
|
||
|
#endif
|
||
|
@@ -938,8 +945,16 @@
|
||
|
int ssl_callback_ClientHello(SSL *, int *, void *);
|
||
|
#endif
|
||
|
#ifdef HAVE_TLS_SESSION_TICKETS
|
||
|
-int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
|
||
|
- EVP_CIPHER_CTX *, HMAC_CTX *, int);
|
||
|
+int ssl_callback_SessionTicket(SSL *ssl,
|
||
|
+ unsigned char *keyname,
|
||
|
+ unsigned char *iv,
|
||
|
+ EVP_CIPHER_CTX *cipher_ctx,
|
||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||
|
+ HMAC_CTX *hmac_ctx,
|
||
|
+#else
|
||
|
+ EVP_MAC_CTX *mac_ctx,
|
||
|
+#endif
|
||
|
+ int mode);
|
||
|
#endif
|
||
|
|
||
|
#ifdef HAVE_TLS_ALPN
|