At 04:12 PM 4/5/2003, William A. Rowe, Jr. wrote:
>As I look over Jeff's patch (to change another callback prototype for
>OpenSSL 0.9.7) I also have the following patch that should allow us 
>to build clean on SSL-C.  Already committed to 2.1-dev, this attached
>patch to 2.0-dev is heavily annotated with respect to what versions
>from 2.1-dev I'm moving.

For those interested, here is the attached patch that includes my
patches to Jeff's patches to fix OpenSSL 0.9.7/AIX sorts of problems.
The original patch further broke SSLC compat - the revised patch
restores SSLC with the fix for 0.9.7.

In other words, this patch should be comprehensive and apply clean
to APACHE_2_0_BRANCH today.

Bill
#
# Introduce a number of SSLC hints to mod_ssl, including the following
# type overrides;
#
#   MODSSL_CLIENT_CERT_CB_ARG_TYPE
#   MODSSL_PCHAR_CAST      (for a host of non-void/const sslc values)
#   modssl_read_bio_cb_fn  (for several callbacks with same prototypes)
#
# Declare callback functions appropriately.
#
# Note that for this Apache 2.0-dev patch, onus is on the user to
# set up HAVE_SSLC - we continue to assume HAVE_OPENSSL in picking
# up the includes (to minimize breakage for the Open Source users.)
#
# Simple reorganization to pick up SSL-C headers when HAVE_SSLC
# is defined, and adopt MODSSL_CLIENT_CERT_CB_ARG_TYPE for the
# callback declaration.
#
# Corresponds to httpd-2.1-dev bits of ssl_toolkit_compat.h rev 1.30
# that remain part of mod_ssl.h in the httpd-2.0-dev branch.
#
# Includes mod_ssl.h rev 1.129, 1.130, 1.131 changes by trawick/wrowe
# that clean up compiler warnings emitted with OpenSSL 0.9.7 and on some
# platforms that miss strcasecmp() and strncasecmp() declarations.
#
#
Index: modules/ssl/mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.122.2.3
diff -u -r1.122.2.3 mod_ssl.h
--- modules/ssl/mod_ssl.h       30 Mar 2003 23:17:22 -0000      1.122.2.3
+++ modules/ssl/mod_ssl.h       5 Apr 2003 22:55:21 -0000
@@ -95,6 +95,8 @@
 #include "mpm.h"
 #include "apr.h"
 #include "apr_strings.h"
+#define APR_WANT_STRFUNC
+#include "apr_want.h"
 #include "apr_tables.h"
 #include "apr_lib.h"
 #include "apr_fnmatch.h"
@@ -107,7 +109,19 @@
 
 #define MOD_SSL_VERSION AP_SERVER_BASEREVISION
 
-/* OpenSSL headers */
+#ifdef HAVE_SSLC
+  
+#include <bio.h>
+#include <ssl.h>
+#include <err.h>
+#include <x509.h>
+#include <pem.h>
+#include <evp.h>
+#include <objects.h>
+#include <sslc.h>
+
+#else /* !HAVE_SSLC (implicit HAVE_OPENSSL) */
+
 #include <ssl.h>
 #include <err.h>
 #include <x509.h>
@@ -118,14 +132,15 @@
 #ifdef SSL_EXPERIMENTAL_ENGINE
 #include <engine.h>
 #endif
-
-#include "ssl_toolkit_compat.h"
-
 #ifdef HAVE_SSL_X509V3_H
 #include <x509v3.h>
 #endif
 
+#endif /* !HAVE_SSLC (implicit HAVE_OPENSSL) */
+
+
 /* mod_ssl headers */
+#include "ssl_toolkit_compat.h"
 #include "ssl_expr.h"
 #include "ssl_util_ssl.h"
 #include "ssl_util_table.h"
@@ -599,11 +614,11 @@
 DH          *ssl_callback_TmpDH(SSL *, int, int);
 int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, 
EVP_PKEY **pkey);
 int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
-void         ssl_callback_LogTracingState(SSL *, int, int);
+void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE SSL *, int, int);
 
 /*  Session Cache Support  */
 void         ssl_scache_init(server_rec *, apr_pool_t *);
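Review bot: The new prototype for `ssl_callback_LogTracingState` will not compile once `MODSSL_INFO_CB_ARG_TYPE` expands, because the macro already carries the pointer type (`const SSL*` / `SSL*` in the ssl_toolkit_compat.h hunks) and the declaration writes `MODSSL_INFO_CB_ARG_TYPE SSL *`, which becomes `const SSL* SSL *`. The definition in ssl_engine_kernel.c uses `MODSSL_INFO_CB_ARG_TYPE ssl` and is correct, so the declaration should match it: `void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);`. Because the macro embeds a `*`, it must never be followed by a further type or declarator in any prototype.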
#
# Pick up recasts and callback arg overrides for SSL-C
#
# Corresponds to httpd-2.1-dev rev 1.112
#
Index: modules/ssl/ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.106.2.4
diff -u -r1.106.2.4 ssl_engine_init.c
--- modules/ssl/ssl_engine_init.c       6 Mar 2003 08:44:01 -0000       1.106.2.4
+++ modules/ssl/ssl_engine_init.c       5 Apr 2003 22:55:21 -0000
@@ -554,8 +554,8 @@
                      "Configuring client authentication");
 
         if (!SSL_CTX_load_verify_locations(ctx,
-                                           mctx->auth.ca_cert_file,
-                                           mctx->auth.ca_cert_path))
+                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
+                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
         {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Unable to configure verify locations "
@@ -612,7 +612,7 @@
                  "Configuring permitted SSL ciphers [%s]", 
                  suite);
 
-    if (!SSL_CTX_set_cipher_list(ctx, suite)) {
+    if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Unable to configure permitted SSL ciphers");
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
@@ -1072,10 +1072,17 @@
     }
 }
 
+#ifdef SSLC_VERSION_NUMBER
+static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
+{
+    return(X509_NAME_cmp((void*)*a, (void*)*b));
+}
+#else
 static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
 {
     return(X509_NAME_cmp(*a, *b));
 }
+#endif
 
 static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
                                 server_rec *s, const char *file)
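Review bot: The SSL-C variant of `ssl_init_FindCAList_X509NameCmp` has no comment saying why it takes `char **` and casts through `void*`, so the next reader will be tempted to "fix" it back to `X509_NAME **`. A one-line note above the `#ifdef SSLC_VERSION_NUMBER` would pin the intent, e.g. `/* SSL-C's sk_set_cmp_func presumably expects int (*)(char **, char **); cast back to X509_NAME for X509_NAME_cmp */`. Writing the cast as `(X509_NAME *)` instead of `(void*)` would also document the target type without changing behaviour.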
@@ -1083,7 +1090,8 @@
     int n;
     STACK_OF(X509_NAME) *sk;
 
-    sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
+    sk = (STACK_OF(X509_NAME) *)
+             SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
 
     if (!sk) {
         return;
#
# Pick up recasts and callback arg overrides for SSL-C
#
# Corresponds to httpd-2.1-dev rev 1.87, 1.88 and 1.92
#
#     (1.89, 1.90 and 1.91 already applied to revert and/or fix
#      bits of the bogus commit 1.79)
#
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.82.2.5
diff -u -r1.82.2.5 ssl_engine_kernel.c
--- modules/ssl/ssl_engine_kernel.c     5 Apr 2003 19:04:43 -0000       1.82.2.5
+++ modules/ssl/ssl_engine_kernel.c     5 Apr 2003 22:55:22 -0000
@@ -629,7 +629,7 @@
                  * we put it back here for the purpose of quick_renegotiation.
                  */
                 cert_stack = sk_new_null();
-                sk_X509_push(cert_stack, cert);
+                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
             }
 
             if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
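Review bot: `sk_new_null()` two lines above is pushed onto before its result is checked; the `!cert_stack` test only runs after `sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert)`. OpenSSL's sk_push tolerates a NULL stack and returns 0, so this is benign there, but whether SSL-C's `sk_push` does the same is not visible here. Moving the allocation check ahead of the push, `cert_stack = sk_new_null(); if (cert_stack) { sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert); }`, keeps the later emptiness check meaningful on both toolkits. The enclosing function starts and ends outside this hunk.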
@@ -1526,7 +1526,7 @@
     *pkey = info->x_pkey->dec_pkey; \
     EVP_PKEY_reference_inc(*pkey)
 
-int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 
+int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY 
**pkey) 
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
     server_rec *s = c->base_server;
@@ -1740,7 +1740,7 @@
  * SSL handshake and does SSL record layer stuff. We use it to
  * trace OpenSSL's processing in out SSL logfile.
  */
-void ssl_callback_LogTracingState(SSL *ssl, int where, int rc)
+void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
 {
     conn_rec *c;
     server_rec *s;
#
# Pick up callback arg overrides for SSL-C
#
# Corresponds to httpd-2.1-dev rev 1.44
#
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
retrieving revision 1.42.2.1
diff -u -r1.42.2.1 ssl_engine_pphrase.c
--- modules/ssl/ssl_engine_pphrase.c    3 Feb 2003 17:31:53 -0000       1.42.2.1
+++ modules/ssl/ssl_engine_pphrase.c    5 Apr 2003 22:55:23 -0000
@@ -142,7 +142,11 @@
  */
 static server_rec *ssl_pphrase_server_rec = NULL;
 
+#ifdef SSLC_VERSION_NUMBER
+int ssl_pphrase_Handle_CB(char *, int, int);
+#else
 int ssl_pphrase_Handle_CB(char *, int, int, void *);
+#endif
 
 static char *pphrase_array_get(apr_array_header_t *arr, int idx)
 {
@@ -635,8 +639,14 @@
     return 0;
 }
 
+#ifdef SSLC_VERSION_NUMBER
+int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
+{
+    void *srv = ssl_pphrase_server_rec;
+#else
 int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
 {
+#endif
     SSLModConfigRec *mc;
     server_rec *s;
     apr_pool_t *p;
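Review bot: The SSL-C arm of `ssl_pphrase_Handle_CB` now reads `ssl_pphrase_server_rec` without the explanation the removed `/* make up for sslc flaw */` block carried, so the file-static hand-off looks like an oversight. Suggest a comment above the `void *srv = ssl_pphrase_server_rec;` line: `/* SSL-C's pass-phrase callback has no user-data argument, so the server_rec is handed over through the file-static ssl_pphrase_server_rec */`. The static is initialised to NULL in the earlier hunk and `myModConfig((server_rec *)srv)` below dereferences it, so an assertion that it was set before the callback fires would be a cheap guard. The function body continues past this hunk.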
@@ -651,11 +661,6 @@
     BOOL *pbPassPhraseDialogOnce;
     char *cpp;
     int len = -1;
-
-#ifndef OPENSSL_VERSION_NUMBER
-    /* make up for sslc flaw */
-    srv = ssl_pphrase_server_rec;
-#endif
 
     mc = myModConfig((server_rec *)srv);
 
#
# Add new cast, callback arg overrides and other misc fixes for SSL-C.
#
# Here we add the #error "Unrecognized SSL Toolkit!" based on our
# included OPENSSL_VERSION_NUMBER or SSLC_VERSION_NUMBER defines.
#
# Includes httpd-2.1-dev rev 1.30 and 1.31, sans the #include changes
# which belong to mod_ssl.h in the httpd-2.0-dev branch.
#
Index: modules/ssl/ssl_toolkit_compat.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_toolkit_compat.h,v
retrieving revision 1.27.2.1
diff -u -r1.27.2.1 ssl_toolkit_compat.h
--- modules/ssl/ssl_toolkit_compat.h    3 Feb 2003 17:31:54 -0000       1.27.2.1
+++ modules/ssl/ssl_toolkit_compat.h    5 Apr 2003 22:55:23 -0000
@@ -94,9 +94,14 @@
 
 #define MODSSL_BIO_CB_ARG_TYPE const char
 #define MODSSL_CRYPTO_CB_ARG_TYPE const char
+#define MODSSL_INFO_CB_ARG_TYPE const SSL*
+#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
+#define MODSSL_PCHAR_CAST
 
 #define modssl_X509_verify_cert X509_verify_cert
 
+typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
+
 #if (OPENSSL_VERSION_NUMBER < 0x00904000)
 #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
 #else
@@ -119,9 +124,11 @@
 
 #define HAVE_SSL_RAND_EGD /* since 9.5.1 */
 
+#ifdef HAVE_SSL_X509V3_H
 #define HAVE_SSL_X509V3_EXT_d2i
+#endif
 
-#else /* RSA sslc */
+#elif defined (SSLC_VERSION_NUMBER) /* RSA */
 
 /* sslc does not support this function, OpenSSL has since 9.5.1 */
 #define RAND_status() 1
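Review bot: The `#elif defined (SSLC_VERSION_NUMBER)` now explicitly routes SSL-C builds onto a branch whose first directive stubs `RAND_status()` to a constant 1, so any "is the PRNG seeded" check mod_ssl performs — presumably tied to the SSLRandomSeed handling elsewhere — passes unconditionally on SSL-C. That stub is inherited rather than new, but since this hunk is what selects it, a warning next to it would help: `/* SSL-C offers no seeding query; RAND_status() is assumed true, so seeding must be guaranteed by configuration rather than verified at runtime */`.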
@@ -135,6 +142,11 @@
 
 #define MODSSL_BIO_CB_ARG_TYPE char
 #define MODSSL_CRYPTO_CB_ARG_TYPE char
+#define MODSSL_INFO_CB_ARG_TYPE SSL*
+#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
+#define MODSSL_PCHAR_CAST (char *)
+
+typedef int (modssl_read_bio_cb_fn)(char*,int,int);
 
 #define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
 
@@ -160,7 +172,7 @@
 #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
 #endif
 
-#if SSLC_VERSION < 0x2000
+#if SSLC_VERSION_NUMBER < 0x2000
 
 #define X509_STORE_CTX_set_depth(st, d)    
 #define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
@@ -173,37 +185,47 @@
 
 #define NO_SSL_X509V3_H
 
-#endif
+#else /* SSLC_VERSION_NUMBER >= 0x2000 */
+
+#define CRYPTO_malloc_init R_malloc_init
+
+#define EVP_cleanup() 
+
+#endif /* SSLC_VERSION_NUMBER >= 0x2000 */
+
+typedef void (*modssl_popfree_fn)(char *data);
 
-/* BEGIN GENERATED SECTION */
-#define sk_SSL_CIPHER_free sk_free
 #define sk_SSL_CIPHER_dup sk_dup
-#define sk_SSL_CIPHER_num sk_num
 #define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
+#define sk_SSL_CIPHER_free sk_free
+#define sk_SSL_CIPHER_num sk_num
 #define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
 #define sk_X509_num sk_num
 #define sk_X509_push sk_push
+#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), 
(modssl_popfree_fn)(free))
 #define sk_X509_value (X509 *)sk_value
-#define sk_X509_INFO_value (X509_INFO *)sk_value
 #define sk_X509_INFO_free sk_free
-#define sk_X509_INFO_pop_free sk_pop_free 
+#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), 
(modssl_popfree_fn)(free))
 #define sk_X509_INFO_num sk_num
 #define sk_X509_INFO_new_null sk_new_null
+#define sk_X509_INFO_value (X509_INFO *)sk_value
+#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
+#define sk_X509_NAME_free sk_free
+#define sk_X509_NAME_new sk_new
 #define sk_X509_NAME_num sk_num
 #define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
 #define sk_X509_NAME_value (X509_NAME *)sk_value
-#define sk_X509_NAME_free sk_free
-#define sk_X509_NAME_new sk_new
-#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
 #define sk_X509_NAME_ENTRY_num sk_num
 #define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
 #define sk_X509_NAME_set_cmp_func sk_set_cmp_func
 #define sk_X509_REVOKED_num sk_num
 #define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
-#define sk_X509_pop_free sk_pop_free
-/* END GENERATED SECTION */
 
-#endif /* OPENSSL_VERSION_NUMBER */
+#else /* ! OPENSSL_VERSION_NUMBER && ! SSLC_VERSION_NUMBER */
+
+#error "Unrecognized SSL Toolkit!"
+
+#endif /* ! OPENSSL_VERSION_NUMBER && ! SSLC_VERSION_NUMBER */
 
 #ifndef modssl_set_verify
 #define modssl_set_verify(ssl, verify, cb) \
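Review bot: The new `sk_X509_pop_free` and `sk_X509_INFO_pop_free` macros name their second parameter `free`, which shadows the libc function name inside the replacement list and reads as if `free()` itself were being cast; a neutral name avoids the double take: `#define sk_X509_pop_free(st, fn) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(fn))` and the same for the X509_INFO variant. The `(modssl_popfree_fn)` cast also means whatever destructor callers pass is invoked through a pointer of a different function type, which C leaves undefined even if it works on the platforms SSL-C targets; a comment saying so next to the `modssl_popfree_fn` typedef would warn the next maintainer. The added `#error "Unrecognized SSL Toolkit!"` correctly makes a missing toolkit header a hard failure instead of a silent fall-through.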
#
# Fixup callback return args for SSL-C
#
# Corresponds to httpd-2.1-dev 1.38 and 1.39
#
Index: modules/ssl/ssl_util.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util.c,v
retrieving revision 1.35.2.1
diff -u -r1.35.2.1 ssl_util.c
--- modules/ssl/ssl_util.c      3 Feb 2003 17:31:54 -0000       1.35.2.1
+++ modules/ssl/ssl_util.c      5 Apr 2003 22:55:23 -0000
@@ -402,8 +402,18 @@
 static apr_thread_mutex_t **lock_cs;
 static int                  lock_num_locks;
 
+#ifdef SSLC_VERSION_NUMBER
+#if SSLC_VERSION_NUMBER >= 0x2000
+static int ssl_util_thr_lock(int mode, int type,
+                              const char *file, int line)
+#else
+static void ssl_util_thr_lock(int mode, int type,
+                              const char *file, int line)
+#endif
+#else
 static void ssl_util_thr_lock(int mode, int type,
                               const char *file, int line)
+#endif
 {
     if (type < lock_num_locks) {
         if (mode & CRYPTO_LOCK) {
@@ -412,6 +422,14 @@
         else {
             apr_thread_mutex_unlock(lock_cs[type]);
         }
+#ifdef SSLC_VERSION_NUMBER
+#if SSLC_VERSION_NUMBER >= 0x2000
+        return 1;
+    }
+    else {
+        return -1;
+#endif
+#endif
     }
 }
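Review bot: The `return 1; } else { return -1;` fragment inside `#ifdef SSLC_VERSION_NUMBER` / `#if SSLC_VERSION_NUMBER >= 0x2000` closes the `if` and opens an `else` from within a preprocessor block, so the brace structure of `ssl_util_thr_lock` differs per toolkit and cannot be checked by eye. Computing a status in one place and only returning it where the toolkit wants one keeps a single brace structure for all three variants; the signature selection in the preceding hunk stays as it is. Note too that the `apr_thread_mutex_lock`/`unlock` results are ignored on every path, so the `1` reported to SSL-C does not actually mean the lock was taken — inherited, but worth a comment.
```c
{
    int rc = -1;

    if (type < lock_num_locks) {
        if (mode & CRYPTO_LOCK) {
            apr_thread_mutex_lock(lock_cs[type]);
        }
        else {
            apr_thread_mutex_unlock(lock_cs[type]);
        }
        rc = 1;
    }
#if defined(SSLC_VERSION_NUMBER) && SSLC_VERSION_NUMBER >= 0x2000
    return rc;
#else
    (void)rc; /* void-returning variants: status is unused */
#endif
}
```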
 
#
# Fixup callback args and add cast overrides for SSL-C
#
# Corresponds to httpd-2.1-dev rev 1.26
#
Index: modules/ssl/ssl_util_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util_ssl.c,v
retrieving revision 1.23.2.2
diff -u -r1.23.2.2 ssl_util_ssl.c
--- modules/ssl/ssl_util_ssl.c  3 Feb 2003 17:31:54 -0000       1.23.2.2
+++ modules/ssl/ssl_util_ssl.c  5 Apr 2003 22:55:23 -0000
@@ -107,7 +107,7 @@
 **  _________________________________________________________________
 */
 
-X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
+X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
 {
     X509 *rc;
     BIO *bioS;
@@ -158,7 +158,7 @@
 }
 #endif
 
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int 
(*cb)(char*,int,int,void*), void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn 
*cb, void *s)
 {
     EVP_PKEY *rc;
     BIO *bioS;
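Review bot: `SSL_read_PrivateKey` keeps its trailing `void *s` parameter while `modssl_read_bio_cb_fn` has no user-data slot under SSL-C (`int (char*,int,int)` in ssl_toolkit_compat.h), so on that toolkit `s` presumably can no longer reach the callback the way it does with OpenSSL's four-argument form. A comment on the parameter stating where `s` goes on each toolkit — or that it is ignored under SSL-C — would make the asymmetry deliberate. The function body continues outside the hunk, so whether `s` is still consumed there cannot be confirmed from here.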
@@ -430,7 +430,7 @@
         return FALSE;
     }
 
-    if (BIO_read_filename(in, filename) <= 0) {
+    if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
         BIO_free(in);
         return FALSE;
     }
@@ -493,7 +493,7 @@
  * should be sent to the peer in the SSL Certificate message.
  */
 int SSL_CTX_use_certificate_chain(
-    SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
+    SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
 {
     BIO *bio;
     X509 *x509;
#
# Fixup callback args for SSL-C
#
# Corresponds to httpd-2.1-dev rev 1.19
#
Index: modules/ssl/ssl_util_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_util_ssl.h,v
retrieving revision 1.17.2.1
diff -u -r1.17.2.1 ssl_util_ssl.h
--- modules/ssl/ssl_util_ssl.h  3 Feb 2003 17:31:54 -0000       1.17.2.1
+++ modules/ssl/ssl_util_ssl.h  5 Apr 2003 22:55:23 -0000
@@ -90,8 +90,8 @@
 void        SSL_init_app_data2_idx(void);
 void       *SSL_get_app_data2(SSL *);
 void        SSL_set_app_data2(SSL *, void *);
-X509       *SSL_read_X509(char *, X509 **, int (*)(char*,int,int,void*));
-EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, int (*)(char*,int,int,void*), 
void *);
+X509       *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
+EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
 int         SSL_smart_shutdown(SSL *ssl);
 X509_STORE *SSL_X509_STORE_create(char *, char *);
 int         SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
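Review bot: The new prototypes in ssl_util_ssl.h reference `modssl_read_bio_cb_fn` without including ssl_toolkit_compat.h, so the header only parses when mod_ssl.h has already pulled ssl_toolkit_compat.h in ahead of it (the include order set up in the mod_ssl.h hunk). Unless an include already exists above this hunk, a self-contained `#include "ssl_toolkit_compat.h"` near the top of ssl_util_ssl.h, or at least a comment such as `/* requires ssl_toolkit_compat.h for modssl_read_bio_cb_fn */`, removes the silent ordering dependency for any translation unit that includes this header directly.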
@@ -101,7 +101,7 @@
 BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char 
*);
 BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char 
*);
-int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int 
(*)(char*,int,int,void*));
+int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, 
modssl_read_bio_cb_fn *);
 char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
 
 /* util functions for OpenSSL+sslc compat */

