On 22.12.2011 17:53, Dr Stephen Henson wrote:
> I've added a few new controls and one new function which should resolve this,
> see last few commits.
> 
> I deleted a couple of functions duplicating functionality too.
> 
> Let me know if you need further details or it needs fixing.

Thanks for the very prompt reaction. With the attached changes to ssl.h,
it works fine for me. If you agree with these, my plan would be to commit
the attached patch to trunk/2.4.x. Comments welcome.

Kaspar
Index: ssl.h
===================================================================
RCS file: /openssl-cvs/openssl/ssl/ssl.h,v
retrieving revision 1.221.2.24.2.23
diff -u -r1.221.2.24.2.23 ssl.h
--- ssl.h       22 Dec 2011 16:01:23 -0000      1.221.2.24.2.23
+++ ssl.h       23 Dec 2011 07:02:56 -0000
@@ -1625,10 +1625,10 @@
 
 #define SSL_CTX_add_extra_chain_cert(ctx,x509) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
-#define SSL_CTX_get_extra_chain_cert(ctx,px509) \
-       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERT,0,px509)
-#define SSL_CTX_clear_extra_chain_cert(ctx) \
-       SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERT,0,NULL)
+#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_clear_extra_chain_certs(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
 
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
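Review bot: The renamed macros at lines 29-32 expand to `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` and `SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS`, but the definitions of those ctrl codes are not part of this hunk; unless they are renamed from the singular form in the same change, both macros expand to undeclared identifiers and every caller in the mod_ssl hunks below fails to compile. It would help to either include the ctrl-code rename in this diff or state in the mail that the plural `SSL_CTRL_*` names are expected from Stephen's side. This is inferred from the hunk alone; the ctrl definitions live elsewhere in ssl.h.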
Index: modules/ssl/ssl_util_stapling.c
===================================================================
--- modules/ssl/ssl_util_stapling.c     (revision 1222593)
+++ modules/ssl/ssl_util_stapling.c     (working copy)
@@ -81,9 +81,16 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mct
     int i;
     X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
     X509_STORE_CTX inctx;
+    STACK_OF(X509) *extra_certs = NULL;
 
-    for (i = 0; i < sk_X509_num(mctx->ssl_ctx->extra_certs); i++) {
-        issuer = sk_X509_value(mctx->ssl_ctx->extra_certs, i);
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+    extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+    for (i = 0; i < sk_X509_num(extra_certs); i++) {
+        issuer = sk_X509_value(extra_certs, i);
         if (X509_check_issued(issuer, x) == X509_V_OK) {
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
             return issuer;
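Review bot: The pointer that `SSL_CTX_get_extra_chain_certs()` stores into `extra_certs` at line 49 is, as far as the ctrl can be read from here, the context's own chain rather than a copy, and nothing in the function says so; the same retrieval appears in ssl_engine_init.c (ssl_init_ctx_pkcs7_cert_chain) and ssl_util_ssl.c (SSL_CTX_use_certificate_chain), where the `#else` arm frees the very same variable, so a reader can easily assume the NO_SSL_INTERN pointer must be freed too. A one-line comment above the `#ifdef`, `/* extra_certs aliases the ctx's own chain in both variants: borrowed, never freed here */`, would pin the ownership down at all three sites. The ctrl's return value is also dropped, which matches the other callers but means a failing ctrl presumably leaves `extra_certs` NULL and the issuer lookup quietly comes up empty. stapling_get_issuer starts before this hunk and its remainder is outside it.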
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h   (revision 1222593)
+++ modules/ssl/ssl_private.h   (working copy)
@@ -82,6 +82,11 @@
 #include "ap_expr.h"
 
 /* OpenSSL headers */
+#include <openssl/opensslv.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
+/* must be defined before including ssl.h */
+#define OPENSSL_NO_SSL_INTERN
+#endif
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
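Review bot: The comment at line 69 says when the macro must be defined but not what it does, and since this define changes how every OpenSSL header included after it is parsed, a reader deciding where to add an OpenSSL include elsewhere in mod_ssl needs the why. Suggest `/* Must be defined before including ssl.h: it hides the SSL, SSL_CTX and SSL_SESSION struct layouts so that only the accessor API is used (see the OPENSSL_NO_SSL_INTERN branches in the .c files). */`. It follows that any translation unit pulling in an OpenSSL header before ssl_private.h would compile against the non-opaque layout; if the intent is that ssl_private.h is always the first OpenSSL include, that is worth a sentence in the same comment.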
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c       (revision 1222593)
+++ modules/ssl/ssl_engine_init.c       (working copy)
@@ -780,8 +780,15 @@ static void ssl_init_ctx_pkcs7_cert_chain(server_r
 {
     STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
     int n;
+    STACK_OF(X509) *extra_certs = NULL;
 
-    if (!mctx->ssl_ctx->extra_certs)
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
+    extra_certs = mctx->ssl_ctx->extra_certs;
+#endif
+
+    if (!extra_certs)
         for (n = 1; n < sk_X509_num(certs); ++n)
              SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, 
n));
 }
Index: modules/ssl/ssl_util_ssl.c
===================================================================
--- modules/ssl/ssl_util_ssl.c  (revision 1222593)
+++ modules/ssl/ssl_util_ssl.c  (working copy)
@@ -184,47 +184,6 @@ int SSL_smart_shutdown(SSL *ssl)
 
 /*  _________________________________________________________________
 **
-**  Cipher Suite Spec String Creation
-**  _________________________________________________________________
-*/
-
-char *SSL_make_ciphersuite(apr_pool_t *p, SSL *ssl)
-{
-    STACK_OF(SSL_CIPHER) *sk;
-    SSL_CIPHER *c;
-    int i;
-    int l;
-    char *cpCipherSuite;
-    char *cp;
-
-    if (ssl == NULL)
-        return "";
-    if ((sk = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl)) == NULL)
-        return "";
-    l = 0;
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        l += strlen(SSL_CIPHER_get_name(c))+2+1;
-    }
-    if (l == 0)
-        return "";
-    cpCipherSuite = (char *)apr_palloc(p, l+1);
-    cp = cpCipherSuite;
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        l = strlen(SSL_CIPHER_get_name(c));
-        memcpy(cp, SSL_CIPHER_get_name(c), l);
-        cp += l;
-        *cp++ = '/';
-        *cp++ = (c->valid == 1 ? '1' : '0');
-        *cp++ = ':';
-    }
-    *(cp-1) = NUL;
-    return cpCipherSuite;
-}
-
-/*  _________________________________________________________________
-**
 **  Certificate Checks
 **  _________________________________________________________________
 */
@@ -464,7 +423,7 @@ int SSL_CTX_use_certificate_chain(
     X509 *x509;
     unsigned long err;
     int n;
-    STACK_OF(X509) *extra_certs;
+    STACK_OF(X509) *extra_certs = NULL;
 
     if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
         return -1;
@@ -481,10 +440,18 @@ int SSL_CTX_use_certificate_chain(
         X509_free(x509);
     }
     /* free a perhaps already configured extra chain */
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_get_extra_chain_certs(ctx, &extra_certs);
+#else
     extra_certs = ctx->extra_certs;
+#endif
     if (extra_certs != NULL) {
+#ifdef OPENSSL_NO_SSL_INTERN
+        SSL_CTX_clear_extra_chain_certs(ctx);
+#else
         sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
         ctx->extra_certs = NULL;
+#endif
     }
     /* create new extra chain by loading the certs */
     n = 0;
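Review bot: The chain reset at lines 162-174 is split by two separate `#ifdef OPENSSL_NO_SSL_INTERN` blocks inside one logical step, so each library variant has to be reassembled from four interleaved fragments, and the `extra_certs != NULL` test in the middle applies to both. One conditional around the whole "fetch, then free" step keeps each variant readable as a unit with identical behaviour. SSL_CTX_use_certificate_chain starts before this hunk and continues after it.
```c
    /* free a perhaps already configured extra chain */
#ifdef OPENSSL_NO_SSL_INTERN
    SSL_CTX_get_extra_chain_certs(ctx, &extra_certs);
    if (extra_certs != NULL) {
        SSL_CTX_clear_extra_chain_certs(ctx);
    }
#else
    extra_certs = ctx->extra_certs;
    if (extra_certs != NULL) {
        sk_X509_pop_free((STACK_OF(X509) *)extra_certs, X509_free);
        ctx->extra_certs = NULL;
    }
#endif
    /* … unchanged: create new extra chain by loading the certs … */
```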
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c       (revision 1222593)
+++ modules/ssl/ssl_engine_vars.c       (working copy)
@@ -335,10 +335,18 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con
         char buf[SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
         if (pSession) {
-            result = apr_pstrdup(p, SSL_SESSION_id2sz(
-                                     pSession->session_id,
-                                     pSession->session_id_length,
-                                     buf, sizeof(buf)));
+            unsigned char *id;
+            unsigned int idlen;
+
+#ifdef OPENSSL_NO_SSL_INTERN
+            id = (unsigned char *)SSL_SESSION_get_id(pSession, &idlen);
+#else
+            id = pSession->session_id;
+            idlen = pSession->session_id_length;
+#endif
+
+            result = apr_pstrdup(p, SSL_SESSION_id2sz(id, idlen,
+                                                      buf, sizeof(buf)));
         }
     }
     else if(ssl != NULL && strcEQ(var, "SESSION_RESUMED")) {
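Review bot: The `(unsigned char *)` cast at line 193 strips the const from the pointer `SSL_SESSION_get_id()` returns, and the same cast is repeated in ssl_engine_kernel.c in ssl_callback_NewSessionCacheEntry and ssl_callback_DelSessionCacheEntry. If the consumers (`SSL_SESSION_id2sz` here, `ssl_scache_store`/`ssl_scache_remove` there) take or can be changed to take a `const unsigned char *`, declaring `const unsigned char *id;` and dropping the casts lets the compiler keep the session id read-only instead of hiding that through a cast; I cannot see those prototypes from here. In the two kernel.c hunks `id` and `idlen` are declared outside the hunk, so it is also worth confirming `idlen` is `unsigned int` there, since that is the type `SSL_SESSION_get_id()` writes through its second argument.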
@@ -955,11 +963,15 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, co
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
 {
     char *result = "NULL";
-#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000) && !defined(OPENSSL_NO_COMP)
     SSL_SESSION *pSession = SSL_get_session(ssl);
 
     if (pSession) {
+#ifdef OPENSSL_NO_SSL_INTERN
+        switch (SSL_SESSION_get_compress_id(pSession)) {
+#else
         switch (pSession->compress_meth) {
+#endif
         case 0:
             /* default "NULL" already set */
             break;
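Review bot: Lines 213-217 put the opening `switch (...) {` inside both preprocessor arms while its closing brace sits outside either, so brace matching depends on the preprocessor and editors and reviewers see an unbalanced statement in each arm. Reading the compression id into a local first and switching once keeps the statement intact and leaves a single line per library variant; the local's type should match `compress_meth`, which I take to be `unsigned int` like the return of `SSL_SESSION_get_compress_id()` but cannot confirm from the hunk. ssl_var_lookup_ssl_compress_meth ends after this hunk.
```c
    if (pSession) {
        unsigned int compress_id;

#ifdef OPENSSL_NO_SSL_INTERN
        compress_id = SSL_SESSION_get_compress_id(pSession);
#else
        compress_id = pSession->compress_meth;
#endif
        switch (compress_id) {
        /* … unchanged: case labels … */
```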
Index: modules/ssl/ssl_util_ssl.h
===================================================================
--- modules/ssl/ssl_util_ssl.h  (revision 1222593)
+++ modules/ssl/ssl_util_ssl.h  (working copy)
@@ -63,7 +63,6 @@ void        SSL_set_app_data2(SSL *, void *);
 X509       *SSL_read_X509(char *, X509 **, pem_password_cb *);
 EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void 
*);
 int         SSL_smart_shutdown(SSL *ssl);
-char       *SSL_make_ciphersuite(apr_pool_t *, SSL *);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY 
*xsne);
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c     (revision 1222593)
+++ modules/ssl/ssl_engine_kernel.c     (working copy)
@@ -799,11 +799,15 @@ int ssl_hook_Access(request_rec *r)
             ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
                           "Awaiting re-negotiation handshake");
 
-            /* XXX: Should replace setting ssl->state with 
SSL_renegotiate(ssl);
+            /* XXX: Should replace setting state with SSL_renegotiate(ssl);
              * However, this causes failures in perl-framework currently,
              * perhaps pre-test if we have already negotiated?
              */
+#ifdef OPENSSL_NO_SSL_INTERN
+            SSL_set_state(ssl, SSL_ST_ACCEPT);
+#else
             ssl->state = SSL_ST_ACCEPT;
+#endif
             SSL_do_handshake(ssl);
 
             sslconn->reneg_state = RENEG_REJECT;
@@ -1728,8 +1732,12 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SS
      * Store the SSL_SESSION in the inter-process cache with the
      * same expire time, so it expires automatically there, too.
      */
+#ifdef OPENSSL_NO_SSL_INTERN
+    id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
     id = session->session_id;
     idlen = session->session_id_length;
+#endif
 
     rc = ssl_scache_store(s, id, idlen,
                           apr_time_from_sec(SSL_SESSION_get_time(session)
@@ -1809,8 +1817,12 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ct
     /*
      * Remove the SSL_SESSION from the inter-process cache
      */
+#ifdef OPENSSL_NO_SSL_INTERN
+    id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
+#else
     id = session->session_id;
     idlen = session->session_id_length;
+#endif
 
     /* TODO: Do we need a temp pool here, or are we always shutting down? */
     ssl_scache_remove(s, id, idlen, sc->mc->pPool);
@@ -2026,13 +2038,14 @@ static int ssl_find_vhost(void *servername, conn_r
     sslcon = myConnConfig(c);
     if (found && (ssl = sslcon->ssl) &&
         (sc = mySrvConfig(s))) {
+        SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
         SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
         /*
          * SSL_set_SSL_CTX() only deals with the server cert,
          * so we need to duplicate a few additional settings
          * from the ctx by hand
          */
-        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+        SSL_set_options(ssl, SSL_CTX_get_options(ctx));
         if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
             (SSL_num_renegotiations(ssl) == 0)) {
            /*
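Review bot: `ctx` at line 287 is read with `SSL_get_SSL_CTX(ssl)` before `SSL_set_SSL_CTX()` installs the vhost's context on line 288, so it holds the previous (default) context, whereas the replaced `ssl->ctx` at line 294 was read after the switch and referred to the newly selected vhost's context. The effect is that the SNI-selected vhost gets the default vhost's options and, in the second ssl_find_vhost hunk (lines 305-306), its verify mode and verify callback, i.e. the wrong client-certificate policy is applied to that connection. Replace lines 287-288 with `SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);`, since as far as I know that call returns the context now installed, or set `ctx = sc->server->ssl_ctx` directly. ssl_find_vhost starts before this hunk.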
@@ -2042,8 +2055,8 @@ static int ssl_find_vhost(void *servername, conn_r
             * Otherwise, we would possibly reset a per-directory
             * configuration which was put into effect by ssl_hook_Access.
             */
-            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                           SSL_CTX_get_verify_callback(ssl->ctx));
+            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+                           SSL_CTX_get_verify_callback(ctx));
         }
 
         /*
