Oops.. Pl. disregard the patch. [sorry].. The patch is incomplete.. I'll be sending another one later (if anybody is interested).
Thanks -Madhu -----Original Message----- From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 09, 2002 5:14 PM To: '[EMAIL PROTECTED]' Subject: [PATCH] cleaning up mod_ssl Hi, I was trying to get mod_ssl work with other SSL toolkits, and I thought the following changes might be helpful for everybody.. I've tested the following patch with OpenSSL also and it seems to be fine.. The highlight of the changes include : 1. Make use of any SSL function/macros whereever possible, and avoid referring to the data-structure elements if possible 2. INCLUDE type-casting in some cases, as most of the functions return a generic pointer.. 3. The SSL include files need not be in $SSL/include/openssl - we should be able to pick up from $SSL/include also. It'd be great if somebody could pl. review the changes and commit if you feel appropriate. -Madhu
Index: acinclude.m4
===================================================================
RCS file: /home/cvspublic/httpd-2.0/acinclude.m4,v
retrieving revision 1.108
diff -u -r1.108 acinclude.m4
--- acinclude.m4 6 Jan 2002 23:39:50 -0000 1.108
+++ acinclude.m4 10 Jan 2002 01:05:46 -0000
@@ -451,6 +451,9 @@
 if test -f "$p/openssl/ssl.h"; then
 ap_ssltk_incdir="$p"
 break
+ elif test -f "$p/ssl.h"; then
+ ap_ssltk_incdir="$p"
+ break
 fi
 done
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.22
diff -u -r1.22 ssl_engine_init.c
--- ssl_engine_init.c 9 Jan 2002 22:21:34 -0000 1.22
+++ ssl_engine_init.c 10 Jan 2002 01:00:21 -0000
@@ -604,7 +604,7 @@
 "CA certificates for client authentication", cpVHostID);
 ssl_die();
 }
- SSL_CTX_set_client_CA_list(sc->pSSLCtx, skCAList);
+ SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)skCAList);
 }
 /*
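Review bot: The new `elif test -f "$p/ssl.h"` branch records a directory in `ap_ssltk_incdir` that has no `openssl/` subdirectory, yet nothing else in the patch changes how the module's sources include the toolkit headers; if they include `<openssl/ssl.h>` (the path the first test probes for), a tree matched only by the second test still will not compile, so the probe result needs to be carried into the build (a flag such as `ap_ssltk_flat_incdir=yes` that selects the include path or a compatibility header). The looser test also means any directory on the search list containing some `ssl.h` is accepted as the toolkit, so a stale or unrelated header can win over the intended one; checking a second toolkit-specific header alongside `ssl.h` would narrow that. A one-line comment on the branch would help the next reader: `# some toolkits install ssl.h directly in $p instead of under openssl/`.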
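Review bot: The `(STACK *)` cast on the `SSL_CTX_set_client_CA_list` call discards the element type that `STACK_OF(X509_NAME)` carries, which is the only thing the compiler can use to catch the wrong stack being passed; the `(STACK_OF(...) *)` casts on return values at @@ -628, @@ -924 and @@ -941 of this file and at @@ -489, @@ -502, @@ -751 and @@ -1124 of ssl_engine_kernel.c have the same effect in the other direction. On an OpenSSL build the casts are no-ops today, but they also silence any future prototype change at those call sites. If the aim is a toolkit whose prototypes use a bare `STACK`, one compatibility header providing correctly typed wrappers or macros for these calls would keep the call sites cast-free and keep the type check where it exists. At minimum each cast deserves a comment naming why it is there, e.g. `/* cast for toolkits whose prototype takes a bare STACK */`.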
@@ -628,7 +628,7 @@
 * should take place. This cannot work.
 */
 if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
- skCAList = SSL_CTX_get_client_CA_list(ctx);
+ skCAList = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
 if (sk_X509_NAME_num(skCAList) == 0)
 ssl_log(s, SSL_LOG_WARN,
 "Init: Ops, you want to request client authentication, "
@@ -785,7 +785,7 @@
 && sc->pPrivateKey[SSL_AIDX_DSA] != NULL) {
 pKey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
 if ( pKey != NULL
- && EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA
+ && EVP_PKEY_key_type(pKey) == EVP_PKEY_DSA
 && EVP_PKEY_missing_parameters(pKey))
 EVP_PKEY_copy_parameters(pKey, sc->pPrivateKey[SSL_AIDX_DSA]);
 }
@@ -924,7 +924,7 @@
 * Process CA certificate bundle file
 */
 if (cpCAfile != NULL) {
- sk = SSL_load_client_CA_file(cpCAfile);
+ sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cpCAfile);
 for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
 ssl_log(s, SSL_LOG_TRACE,
 "CA certificate: %s",
@@ -941,7 +941,7 @@
 apr_dir_open(&dir, cpCApath, p);
 while ((apr_dir_read(&direntry, APR_FINFO_DIRENT, dir)) != APR_SUCCESS) {
 cp = apr_pstrcat(p, cpCApath, "/", direntry.name, NULL);
- sk = SSL_load_client_CA_file(cp);
+ sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(cp);
 for(n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
 ssl_log(s, SSL_LOG_TRACE,
 "CA certificate: %s",
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.37
diff -u -r1.37 ssl_engine_kernel.c
--- ssl_engine_kernel.c 29 Nov 2001 07:30:30 -0000 1.37
+++ ssl_engine_kernel.c 10 Jan 2002 01:00:21 -0000
@@ -489,7 +489,7 @@
 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE)
 pCipher = SSL_get_current_cipher(ssl);
 else {
- skCipherOld = SSL_get_ciphers(ssl);
+ skCipherOld = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
 if (skCipherOld != NULL)
 skCipherOld = sk_SSL_CIPHER_dup(skCipherOld);
 }
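Review bot: `EVP_PKEY_key_type(pKey)` in the @@ -785 hunk is not a name I can find in OpenSSL's `<openssl/evp.h>`; as far as I know OpenSSL exposes `EVP_PKEY_type(int)`, which is what the removed line used with `pKey->type`. The same question applies to `X509_REVOKED_get_serialNumber` (@@ -1485 of ssl_engine_kernel.c) and `SSL_SESSION_get_session_id` / `SSL_SESSION_get_session_id_length` (@@ -1545 and @@ -1639 there). If these accessors come from a compatibility layer for the other toolkit, that layer is not in this patch, so an OpenSSL build would see implicit declarations of them, and the message itself says the patch is incomplete; that may be the missing piece. The description should state which toolkit or header defines these names, and the first use could carry a comment such as `/* accessor supplied by the toolkit compatibility header, not by OpenSSL */` so the dependency is visible at the call site.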
@@ -502,7 +502,7 @@
 return HTTP_FORBIDDEN;
 }
 /* determine whether a renegotiation has to be forced */
- skCipher = SSL_get_ciphers(ssl);
+ skCipher = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
 /* optimized way */
 if ((pCipher == NULL && skCipher != NULL) ||
@@ -751,7 +751,7 @@
 ssl_log(r->server, SSL_LOG_ERROR, "Cannot find certificate storage");
 return HTTP_FORBIDDEN;
 }
- certstack = SSL_get_peer_cert_chain(ssl);
+ certstack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
 if (certstack == NULL || sk_X509_num(certstack) == 0) {
 ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
 return HTTP_FORBIDDEN;
@@ -788,7 +788,7 @@
 return HTTP_FORBIDDEN;
 }
 ssl_log(r->server, SSL_LOG_INFO, "Awaiting re-negotiation handshake");
- SSL_set_state(ssl, SSL_ST_ACCEPT);
+ SSL_set_accept_state(ssl);
 SSL_do_handshake(ssl);
 ssl_bio_hooks_unset(ssl);
@@ -1124,7 +1124,7 @@
 apr_table_set(e, "SSL_SERVER_CERT", val);
 val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
 apr_table_set(e, "SSL_CLIENT_CERT", val);
- if ((sk = SSL_get_peer_cert_chain(ssl)) != NULL) {
+ if ((sk = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl)) != NULL) {
 for (i = 0; i < sk_X509_num(sk); i++) {
 var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
 val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
@@ -1485,11 +1485,14 @@
 #else
 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
 #endif
- if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0) {
+ if (ASN1_INTEGER_cmp(X509_REVOKED_get_serialNumber(revoked),
+ X509_get_serialNumber(xs)) == 0) {
+
 if (sc->nLogLevel >= SSL_LOG_INFO) {
 char *cp = X509_NAME_oneline(issuer, NULL, 0);
- long serial = ASN1_INTEGER_get(revoked->serialNumber);
+ long serial = ASN1_INTEGER_get(
+ X509_REVOKED_get_serialNumber(revoked));
 ssl_log(s, SSL_LOG_INFO,
 "Certificate with serial %ld (0x%lX) "
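Review bot: Replacing `SSL_set_state(ssl, SSL_ST_ACCEPT)` with `SSL_set_accept_state(ssl)` at @@ -788 is not a one-for-one substitution on a connection that is already up: if I read OpenSSL's `SSL_set_accept_state` correctly, it also moves the state to `SSL_ST_ACCEPT|SSL_ST_BEFORE`, clears the shutdown flag and discards the current cipher context, whereas the removed call only put the state machine into the accept state so the following `SSL_do_handshake` renegotiates inside the existing protected session. This is the per-directory forced renegotiation path (the hunk reads `dc->nOptions`), i.e. the handshake whose outcome decides whether the request is allowed, so a renegotiation that is sent unprotected or fails at this point changes the access-control result and needs an explicit test against an OpenSSL build before the substitution is accepted. If the other toolkit lacks `SSL_set_state`, keeping the OpenSSL call and routing the alternative through the compatibility layer, e.g. `#ifdef HAVE_SSL_SET_STATE` (constructed name), would avoid changing OpenSSL behaviour. The enclosing function continues outside the hunk.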
@@ -1520,6 +1523,9 @@
 SSLSrvConfigRec *sc;
 long t;
 BOOL rc;
+ unsigned char *session_id;
+ unsigned int session_id_length;
+
 /*
 * Get Apache context back through OpenSSL context
@@ -1539,8 +1545,12 @@
 * Store the SSL_SESSION in the inter-process cache with the
 * same expire time, so it expires automatically there, too.
 */
+ session_id = SSL_SESSION_get_session_id(pNew);
+ session_id_length = SSL_SESSION_get_session_id_length(pNew);
+
 t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
- rc = ssl_scache_store(s, pNew->session_id, pNew->session_id_length, t, pNew);
+ rc = ssl_scache_store(s, session_id, session_id_length, t, pNew);
+
 /*
 * Log this cache operation
@@ -1548,7 +1558,7 @@
 ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
 "request=SET status=%s id=%s timeout=%ds (session caching)",
 rc == TRUE ? "OK" : "BAD",
- SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
+ SSL_SESSION_id2sz(session_id, session_id_length),
 t-time(NULL));
 /*
@@ -1615,6 +1625,9 @@
 SSL_CTX *ctx, SSL_SESSION *pSession)
 {
 server_rec *s;
+ unsigned char *session_id;
+ unsigned int session_id_length;
+
 /*
 * Get Apache context back through OpenSSL context
@@ -1626,15 +1639,18 @@
 /*
 * Remove the SSL_SESSION from the inter-process cache
 */
- ssl_scache_remove(s, pSession->session_id, pSession->session_id_length);
+ session_id = SSL_SESSION_get_session_id(pSession);
+ session_id_length = SSL_SESSION_get_session_id_length(pSession);
+
+ ssl_scache_remove(s, session_id, session_id_length);
+
 /*
 * Log this cache operation
 */
 ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
 "request=REM status=OK id=%s (session dead)",
- SSL_SESSION_id2sz(pSession->session_id,
- pSession->session_id_length));
+ SSL_SESSION_id2sz(session_id, session_id_length));
 return;
 }
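Review bot: The locals added at @@ -1523 and @@ -1625 are declared `unsigned char *session_id`, which is only clean if `SSL_SESSION_get_session_id` returns a non-const pointer; if the accessor returns `const unsigned char *`, as a getter normally would, the assignments at @@ -1545 and @@ -1639 drop the qualifier and the compiler will warn. Declaring them `const unsigned char *session_id;` is the safer default, provided `ssl_scache_store`, `ssl_scache_remove` and `SSL_SESSION_id2sz` accept a const pointer; their prototypes are outside the hunks, so that needs checking. The pointer presumably still refers to storage inside `pNew`/`pSession`, as the removed field accesses did, and a short comment on the declaration, `/* points into the SSL_SESSION; valid only while the session is */`, would record that lifetime now that it is no longer visible from the expression.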
