Hi,
I was trying to get mod_ssl to work with other SSL toolkits, and I
thought the following changes might be helpful for everybody. I've tested
the following patch with OpenSSL as well and it seems to be fine. The
highlights of the changes include:
1. Make use of SSL functions/macros wherever possible, and avoid
referring to data-structure members directly where possible
2. Include type-casts in some cases, as most of the functions return a
generic pointer.
3. The SSL include files need not be in $SSL/include/openssl - we should be
able to pick up from $SSL/include also.
It'd be great if somebody could please review the changes and commit them if
you feel it's appropriate.
-Madhu
Index: acinclude.m4
===================================================================
RCS file: /home/cvspublic/httpd-2.0/acinclude.m4,v
retrieving revision 1.108
diff -u -r1.108 acinclude.m4
--- acinclude.m4 6 Jan 2002 23:39:50 -0000 1.108
+++ acinclude.m4 10 Jan 2002 01:05:46 -0000
@@ -451,6 +451,9 @@
if test -f "$p/openssl/ssl.h"; then
ap_ssltk_incdir="$p"
break
+ elif test -f "$p/ssl.h"; then
+ ap_ssltk_incdir="$p"
+ break
fi
done
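Review bot: The new `elif test -f "$p/ssl.h"` branch accepts any directory that happens to contain a file named ssl.h, so a generic include directory holding an unrelated ssl.h would be taken as the toolkit's include dir and the search would stop there. Checking for a second toolkit-specific header next to it, or for an identifying macro inside it, would make the fallback less ambiguous; at minimum a comment such as `# fallback: toolkit headers installed directly under $p rather than $p/openssl` would record why the second layout is accepted. The source files' `#include` lines are not part of this patch, so I can't tell whether they still name the `openssl/` prefix when this branch is the one that matches.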
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.22
diff -u -r1.22 ssl_engine_init.c
--- ssl_engine_init.c 9 Jan 2002 22:21:34 -0000 1.22
+++ ssl_engine_init.c 10 Jan 2002 01:00:21 -0000
@@ -604,7 +604,7 @@
"CA certificates for client authentication",
cpVHostID);
ssl_die();
}
- SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);
+ SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
}
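Review bot: The cast at `SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList)` goes in the opposite direction from every other cast in this patch: the hunks at @@ -628, @@ -924 and @@ -941 here and @@ -489, @@ -502, @@ -751 and @@ -1124 in ssl_engine_kernel.c convert a generic return value to the specific `STACK_OF(T) *`, whereas this one converts an already typed stack to the generic `STACK *`. With OpenSSL the prototype takes `STACK_OF(X509_NAME) *`, so this cast turns a type-correct call into a pointer-type mismatch, and the casts in the other hunks would likewise silence a genuine return-type mismatch that the STACK_OF scheme exists to catch. If the other toolkit's prototypes differ, I'd put the difference behind one macro per call in a compatibility header rather than a bare cast at each call site, and keep the uncast `SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);` for the OpenSSL build. The enclosing function starts and ends outside the hunk.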
/*
@@ -628,7 +628,7 @@
* should take place. This cannot work.
*/
if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
- skCAList = SSL_CTX_get_client_CA_list(ctx);
+ skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(skCAList) == 0)
ssl_log(s, SSL_LOG_WARN,
"Init: Ops, you want to request client authentication,
"
@@ -785,7 +785,7 @@
&& sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
if ( pKey != NULL
- && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA
+ && EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA
&& EVP_PKEY_missing_parameters(pKey))
EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
}
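Review bot: `EVP_PKEY_key_type(pKey)` on the new line is not an OpenSSL API as far as I can tell (OpenSSL exposes `EVP_PKEY_type(int)`), and the definition the OpenSSL build would need is not in this patch, so it presumably lives in a compatibility header not shown here. Whatever provides it must keep the normalisation the old expression did: `pKey->type` can hold one of the DSA sub-NIDs (EVP_PKEY_DSA1..DSA4 in OpenSSL's evp.h) and `EVP_PKEY_type()` maps them all to `EVP_PKEY_DSA`; an accessor that returns the raw type would make this comparison fail for such keys and silently skip the `EVP_PKEY_copy_parameters` call that fills in missing DSA parameters. For OpenSSL the shim should therefore be `#define EVP_PKEY_key_type(k) EVP_PKEY_type((k)->type)`. The enclosing function starts and ends outside the hunk.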
@@ -924,7 +924,7 @@
* Process CA certificate bundle file
*/
if (cpCAfile != NULL) {
- sk = SSL_load_client_CA_file(cpCAfile);
+ sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cpCAfile);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE,
"CA certificate: %s",
@@ -941,7 +941,7 @@
apr_dir_open(&dir, cpCApath, p);
while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) !=
APR_SUCCESS) {
cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
- sk = SSL_load_client_CA_file(cp);
+ sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cp);
for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
ssl_log(s, SSL_LOG_TRACE,
"CA certificate: %s",
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.37
diff -u -r1.37 ssl_engine_kernel.c
--- ssl_engine_kernel.c 29 Nov 2001 07:30:30 -0000 1.37
+++ ssl_engine_kernel.c 10 Jan 2002 01:00:21 -0000
@@ -489,7 +489,7 @@
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
pCipher = SSL_get_current_cipher(ssl);
else {
- skCipherOld = SSL_get_ciphers(ssl);
+ skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (skCipherOld != NULL)
skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
}
@@ -502,7 +502,7 @@
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
- skCipher = SSL_get_ciphers(ssl);
+ skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
/* optimized way */
if ((pCipher == NULL && skCipher != NULL) ||
@@ -751,7 +751,7 @@
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate
storage");
return HTTP_FORBIDDEN;
}
- certstack = SSL_get_peer_cert_chain(ssl);
+ certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
if (certstack == NULL || sk_X509_num(certstack) == 0) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer
certificate chain");
return HTTP_FORBIDDEN;
@@ -788,7 +788,7 @@
return HTTP_FORBIDDEN;
}
ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation
handshake");
- SSL_set_state(ssl, SSL_ST_ACCEPT);
+ SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);
ssl_bio_hooks_unset(ssl);
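Review bot: `SSL_set_accept_state(ssl)` is not a drop-in replacement for `SSL_set_state(ssl, SSL_ST_ACCEPT)` on a connection that is already established, which is the situation here since the code is forcing a renegotiation before the following `SSL_do_handshake(ssl)`. In OpenSSL, SSL_set_accept_state() prepares a fresh connection: as far as I recall it also resets the shutdown flag and the handshake function and clears the current cipher contexts, so a renegotiation started this way would no longer run under the keys the peer is using, whereas SSL_set_state() only moves the state machine. I'd keep `SSL_set_state(ssl, SSL_ST_ACCEPT);` for the OpenSSL build and give the other toolkit its own definition in the compatibility layer, with a comment noting that a renegotiation must leave the record layer untouched. The enclosing function starts and ends outside the hunk.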
@@ -1124,7 +1124,7 @@
apr_table_set(e, "SSL_SERVER_CERT", val);
val = ssl_var_lookup(r->pool, r->server, r->connection, r,
"SSL_CLIENT_CERT");
apr_table_set(e, "SSL_CLIENT_CERT", val);
- if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
+ if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL)
{
for (i = 0; i < sk_X509_num(sk); i++) {
var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
val = ssl_var_lookup(r->pool, r->server, r->connection, r,
var);
@@ -1485,11 +1485,14 @@
#else
revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
#endif
- if (ASN1_INTEGER_cmp(revoked->serialNumber,
X509_get_serialNumber(xs)) == 0) {
+ if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked),
+ X509_get_serialNumber(xs)) == 0) {
+
if (sc->nLogLevel >= SSL_LOG_INFO) {
char *cp = X509_NAME_oneline(issuer, NULL, 0);
- long serial = ASN1_INTEGER_get(revoked->serialNumber);
+ long serial = ASN1_INTEGER_get(
+
X509_REVOKED_get_serialNumber(revoked));
ssl_log(s, SSL_LOG_INFO,
"Certificate with serial %ld (0x%lX) "
@@ -1520,6 +1523,9 @@
SSLSrvConfigRec *sc;
long t;
BOOL rc;
+ unsigned char *session_id;
+ unsigned int session_id_length;
+
/*
* Get Apache context back through OpenSSL context
@@ -1539,8 +1545,12 @@
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
+ session_id = SSL_SESSION_get_session_id(pNew);
+ session_id_length = SSL_SESSION_get_session_id_length(pNew);
+
t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
- rc = ssl_scache_store(s, pNew->session_id, pNew->session_id_length, t,
pNew);
+ rc = ssl_scache_store(s, session_id, session_id_length, t, pNew);
+
/*
* Log this cache operation
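Review bot: `SSL_SESSION_get_session_id(pNew)` and `SSL_SESSION_get_session_id_length(pNew)` on the new lines are not OpenSSL functions as far as I can tell, and this patch adds no definitions for them, so the OpenSSL build relies on a compatibility header not shown here; the same holds for the uses in @@ -1548 and @@ -1626 and for `X509_REVOKED_get_serialNumber` in @@ -1485. If they are macros over the public struct, `#define SSL_SESSION_get_session_id(s) ((s)->session_id)` and `#define SSL_SESSION_get_session_id_length(s) ((s)->session_id_length)` are all OpenSSL needs, and the new declarations `unsigned char *session_id; unsigned int session_id_length;` then match the field types. Note that `session_id` is then a pointer into `pNew` rather than a copy, so it is only valid while the session object is; that is fine here because `ssl_scache_store` is called immediately, but a short comment on the assignment would make the lifetime explicit.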
@@ -1548,7 +1558,7 @@
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=SET status=%s id=%s timeout=%ds (session caching)",
rc == TRUE ? "OK" : "BAD",
- SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
+ SSL_SESSION_id2sz(session_id, session_id_length),
t-time(NULL));
/*
@@ -1615,6 +1625,9 @@
SSL_CTX *ctx, SSL_SESSION *pSession)
{
server_rec *s;
+ unsigned char *session_id;
+ unsigned int session_id_length;
+
/*
* Get Apache context back through OpenSSL context
@@ -1626,15 +1639,18 @@
/*
* Remove the SSL_SESSION from the inter-process cache
*/
- ssl_scache_remove(s, pSession->session_id,
pSession->session_id_length);
+ session_id = SSL_SESSION_get_session_id(pSession);
+ session_id_length = SSL_SESSION_get_session_id_length(pSession);
+
+ ssl_scache_remove(s, session_id, session_id_length);
+
/*
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
"request=REM status=OK id=%s (session dead)",
- SSL_SESSION_id2sz(pSession->session_id,
- pSession->session_id_length));
+ SSL_SESSION_id2sz(session_id, session_id_length));
return;
}