Author: dj
Date: Fri May 19 00:38:45 2017
New Revision: 3561

Log:
Add httpd-2.4.25-openssl-1.1.0-1.patch.

Added:
   trunk/httpd/httpd-2.4.25-openssl-1.1.0-1.patch

Added: trunk/httpd/httpd-2.4.25-openssl-1.1.0-1.patch
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ trunk/httpd/httpd-2.4.25-openssl-1.1.0-1.patch      Fri May 19 00:38:45 
2017        (r3561)
@@ -0,0 +1,1318 @@
+Submitted by:            DJ Lucas (dj_AT_linuxfromscratch_DOT_org)
+Date:                    2017-05-19
+Initial Package Version: 2.4.25
+Upstream Status:         Committed
+Origin:                  
https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/
+                         
https://git.archlinux.org/svntogit/packages.git/plain/trunk/httpd-2.4.23-openssl11.patch?h=packages/apache
+Description:             Adds support for OpenSSL 1.1
+
+Diff to 
https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat/
+as of upstream r1769589.
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index dd0e2ea..907fbe8 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -579,7 +579,7 @@ AC_DEFUN([APACHE_CHECK_OPENSSL],[
+       dnl Run library and function checks
+       liberrors=""
+       AC_CHECK_HEADERS([openssl/engine.h])
+-      AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
++      AC_CHECK_FUNCS([SSL_CTX_new], [], [liberrors="yes"])
+       AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
+       if test "x$liberrors" != "x"; then
+         AC_MSG_WARN([OpenSSL libraries are unusable])
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 9e63a7d..adc90d1 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -312,7 +312,13 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+     ENGINE_cleanup();
+ #endif
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
++    ERR_remove_thread_state(NULL);
++#else
+     ERR_remove_state(0);
++#endif
++#endif
+ 
+     /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings 
only
+      * actually loaded the error strings once per process due to static
+@@ -342,7 +348,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+     /* We must register the library in full, to ensure our configuration
+      * code can successfully test the SSL environment.
+      */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     CRYPTO_malloc_init();
++#else
++    OPENSSL_malloc_init();
++#endif
+     ERR_load_crypto_strings();
+     SSL_load_error_strings();
+     SSL_library_init();
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index cb3efa2..ba79ef3 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -47,21 +47,50 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, 
init_server,
+ #define KEYTYPES "RSA or DSA"
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++/* OpenSSL Pre-1.1.0 compatibility */
++/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
++static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++    /* q is optional */
++    if (p == NULL || g == NULL)
++        return 0;
++    BN_free(dh->p);
++    BN_free(dh->q);
++    BN_free(dh->g);
++    dh->p = p;
++    dh->q = q;
++    dh->g = g;
++
++    if (q != NULL) {
++        dh->length = BN_num_bits(q);
++    }
++
++    return 1;
++}
++#endif
++
+ /*
+- * Grab well-defined DH parameters from OpenSSL, see the get_rfc*
++ * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
+  * functions in <openssl/bn.h> for all available primes.
+  */
+-static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
++static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *))
+ {
+     DH *dh = DH_new();
++    BIGNUM *p, *g;
+ 
+     if (!dh) {
+         return NULL;
+     }
+-    dh->p = prime(NULL);
+-    BN_dec2bn(&dh->g, gen);
+-    if (!dh->p || !dh->g) {
++    p = prime(NULL);
++    g = BN_new();
++    if (g != NULL) {
++        BN_set_word(g, 2);
++    }
++    if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
+         DH_free(dh);
++        BN_free(p);
++        BN_free(g);
+         return NULL;
+     }
+     return dh;
+@@ -73,12 +102,12 @@ static struct dhparam {
+     DH *dh;                           /* ...this, used for keys.... */
+     const unsigned int min;           /* ...of length >= this. */
+ } dhparams[] = {
+-    { get_rfc3526_prime_8192, NULL, 6145 },
+-    { get_rfc3526_prime_6144, NULL, 4097 },
+-    { get_rfc3526_prime_4096, NULL, 3073 },
+-    { get_rfc3526_prime_3072, NULL, 2049 },
+-    { get_rfc3526_prime_2048, NULL, 1025 },
+-    { get_rfc2409_prime_1024, NULL, 0 }
++    { BN_get_rfc3526_prime_8192, NULL, 6145 },
++    { BN_get_rfc3526_prime_6144, NULL, 4097 },
++    { BN_get_rfc3526_prime_4096, NULL, 3073 },
++    { BN_get_rfc3526_prime_3072, NULL, 2049 },
++    { BN_get_rfc3526_prime_2048, NULL, 1025 },
++    { BN_get_rfc2409_prime_1024, NULL, 0 }
+ };
+ 
+ static void init_dh_params(void)
+@@ -86,7 +115,7 @@ static void init_dh_params(void)
+     unsigned n;
+ 
+     for (n = 0; n < sizeof(dhparams)/sizeof(dhparams[0]); n++)
+-        dhparams[n].dh = make_dh_params(dhparams[n].prime, "2");
++        dhparams[n].dh = make_dh_params(dhparams[n].prime);
+ }
+ 
+ static void free_dh_params(void)
+@@ -153,7 +182,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t 
*plog,
+                      "Init: this version of mod_ssl was compiled against "
+                      "a newer library (%s, version currently loaded is %s)"
+                      " - may result in undefined or erroneous behavior",
+-                     MODSSL_LIBRARY_TEXT, SSLeay_version(SSLEAY_VERSION));
++                     MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT);
+     }
+ 
+     /* We initialize mc->pid per-process in the child init,
+@@ -228,9 +257,11 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t 
*plog,
+ #endif
+     }
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #if APR_HAS_THREADS
+     ssl_util_thread_setup(p);
+ #endif
++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+     /*
+      * SSL external crypto device ("engine") support
+@@ -351,6 +382,9 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t 
*plog,
+     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request 
time */
+ 
+     init_dh_params();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    init_bio_methods();
++#endif
+ 
+     return OK;
+ }
+@@ -481,6 +515,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     char *cp;
+     int protocol = mctx->protocol;
+     SSLSrvConfigRec *sc = mySrvConfig(s);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    int prot;
++#endif
+ 
+     /*
+      *  Create the new per-server SSL context
+@@ -506,6 +543,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+                  "Creating new SSL context (protocols: %s)", cp);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #ifndef OPENSSL_NO_SSL3
+     if (protocol == SSL_PROTOCOL_SSLV3) {
+         method = mctx->pkp ?
+@@ -536,12 +574,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+             SSLv23_client_method() : /* proxy */
+             SSLv23_server_method();  /* server */
+     }
++#else
++    method = mctx->pkp ?
++        TLS_client_method() : /* proxy */
++        TLS_server_method();  /* server */
++#endif
+     ctx = SSL_CTX_new(method);
+ 
+     mctx->ssl_ctx = ctx;
+ 
+     SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     /* always disable SSLv2, as per RFC 6176 */
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ 
+@@ -565,6 +609,43 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     }
+ #endif
+ 
++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
++    /* We first determine the maximum protocol version we should provide */
++    if (protocol & SSL_PROTOCOL_TLSV1_2) {
++        prot = TLS1_2_VERSION;
++    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
++        prot = TLS1_1_VERSION;
++    } else if (protocol & SSL_PROTOCOL_TLSV1) {
++        prot = TLS1_VERSION;
++#ifndef OPENSSL_NO_SSL3
++    } else if (protocol & SSL_PROTOCOL_SSLV3) {
++        prot = SSL3_VERSION;
++#endif
++    } else {
++        SSL_CTX_free(ctx);
++        mctx->ssl_ctx = NULL;
++        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
++                "No SSL protocols available [hint: SSLProtocol]");
++        return ssl_die(s);
++    }
++    SSL_CTX_set_max_proto_version(ctx, prot);
++
++    /* Next we scan for the minimal protocol version we should provide,
++     * but we do not allow holes between max and min */
++    if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
++        prot = TLS1_1_VERSION;
++    }
++    if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
++        prot = TLS1_VERSION;
++    }
++#ifndef OPENSSL_NO_SSL3
++    if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
++        prot = SSL3_VERSION;
++    }
++#endif
++    SSL_CTX_set_min_proto_version(ctx, prot);
++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+     if (sc->cipher_server_pref == TRUE) {
+         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+@@ -858,7 +939,7 @@ static int use_certificate_chain(
+     unsigned long err;
+     int n;
+ 
+-    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
++    if ((bio = BIO_new(BIO_s_file())) == NULL)
+         return -1;
+     if (BIO_read_filename(bio, file) <= 0) {
+         BIO_free(bio);
+@@ -1200,7 +1281,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
+         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+                      "Custom DH parameters (%d bits) for %s loaded from %s",
+-                     BN_num_bits(dhparams->p), vhost_id, certfile);
++                     DH_bits(dhparams), vhost_id, certfile);
+         DH_free(dhparams);
+     }
+ 
+@@ -1721,7 +1802,7 @@ apr_status_t ssl_init_CheckServers(server_rec 
*base_server, apr_pool_t *p)
+                      "an OpenSSL version with support for TLS extensions "
+                      "(RFC 6066 - Server Name Indication / SNI), "
+                      "but the currently used library version (%s) is "
+-                     "lacking this feature", SSLeay_version(SSLEAY_VERSION));
++                     "lacking this feature", MODSSL_LIBRARY_DYNTEXT);
+     }
+ #endif
+ 
+@@ -1917,6 +1998,9 @@ apr_status_t ssl_init_ModuleKill(void *data)
+         ssl_init_ctx_cleanup(sc->server);
+     }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    free_bio_methods();
++#endif
+     free_dh_params();
+ 
+     return APR_SUCCESS;
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 82953ad..b463e1a 100644
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -149,7 +149,7 @@ static int bio_filter_out_pass(bio_filter_out_ctx_t 
*outctx)
+  * success, -1 on failure. */
+ static int bio_filter_out_flush(BIO *bio)
+ {
+-    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
+     apr_bucket *e;
+ 
+     AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
+@@ -162,10 +162,16 @@ static int bio_filter_out_flush(BIO *bio)
+ 
+ static int bio_filter_create(BIO *bio)
+ {
+-    bio->shutdown = 1;
+-    bio->init = 1;
++    BIO_set_shutdown(bio, 1);
++    BIO_set_init(bio, 1);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++    /* No setter method for OpenSSL 1.1.0 available,
++     * but I can't find any functional use of the
++     * "num" field there either.
++     */
+     bio->num = -1;
+-    bio->ptr = NULL;
++#endif
++    BIO_set_data(bio, NULL);
+ 
+     return 1;
+ }
+@@ -190,7 +196,7 @@ static int bio_filter_out_read(BIO *bio, char *out, int 
outl)
+ 
+ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ {
+-    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
+     apr_bucket *e;
+     int need_flush;
+ 
+@@ -241,7 +247,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, 
int inl)
+ static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
+ {
+     long ret = 1;
+-    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
++    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
+ 
+     switch (cmd) {
+     case BIO_CTRL_RESET:
+@@ -257,10 +263,10 @@ static long bio_filter_out_ctrl(BIO *bio, int cmd, long 
num, void *ptr)
+         ret = 0;
+         break;
+     case BIO_CTRL_GET_CLOSE:
+-        ret = (long)bio->shutdown;
++        ret = (long)BIO_get_shutdown(bio);
+         break;
+       case BIO_CTRL_SET_CLOSE:
+-        bio->shutdown = (int)num;
++        BIO_set_shutdown(bio, (int)num);
+         break;
+       case BIO_CTRL_FLUSH:
+         ret = bio_filter_out_flush(bio);
+@@ -294,19 +300,6 @@ static int bio_filter_out_puts(BIO *bio, const char *str)
+     return -1;
+ }
+ 
+-static BIO_METHOD bio_filter_out_method = {
+-    BIO_TYPE_MEM,
+-    "APR output filter",
+-    bio_filter_out_write,
+-    bio_filter_out_read,     /* read is never called */
+-    bio_filter_out_puts,     /* puts is never called */
+-    bio_filter_out_gets,     /* gets is never called */
+-    bio_filter_out_ctrl,
+-    bio_filter_create,
+-    bio_filter_destroy,
+-    NULL
+-};
+-
+ typedef struct {
+     int length;
+     char *value;
+@@ -456,7 +449,7 @@ static apr_status_t brigade_consume(apr_bucket_brigade *bb,
+ static int bio_filter_in_read(BIO *bio, char *in, int inlen)
+ {
+     apr_size_t inl = inlen;
+-    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
++    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
+     apr_read_type_e block = inctx->block;
+ 
+     inctx->rc = APR_SUCCESS;
+@@ -536,20 +529,86 @@ static int bio_filter_in_read(BIO *bio, char *in, int 
inlen)
+     return -1;
+ }
+ 
++static int bio_filter_in_write(BIO *bio, const char *in, int inl)
++{
++    return -1;
++}
++
++static int bio_filter_in_puts(BIO *bio, const char *str)
++{
++    return -1;
++}
++
++static int bio_filter_in_gets(BIO *bio, char *buf, int size)
++{
++    return -1;
++}
++
++static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
++{
++    return -1;
++}
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++        
++static BIO_METHOD bio_filter_out_method = {
++    BIO_TYPE_MEM,
++    "APR output filter",
++    bio_filter_out_write,
++    bio_filter_out_read,     /* read is never called */
++    bio_filter_out_puts,     /* puts is never called */
++    bio_filter_out_gets,     /* gets is never called */
++    bio_filter_out_ctrl,
++    bio_filter_create,
++    bio_filter_destroy,
++    NULL
++};
+ 
+ static BIO_METHOD bio_filter_in_method = {
+     BIO_TYPE_MEM,
+     "APR input filter",
+-    NULL,                       /* write is never called */
++    bio_filter_in_write,        /* write is never called */
+     bio_filter_in_read,
+-    NULL,                       /* puts is never called */
+-    NULL,                       /* gets is never called */
+-    NULL,                       /* ctrl is never called */
++    bio_filter_in_puts,         /* puts is never called */
++    bio_filter_in_gets,         /* gets is never called */
++    bio_filter_in_ctrl,         /* ctrl is never called */
+     bio_filter_create,
+     bio_filter_destroy,
+     NULL
+ };
+ 
++#else
++
++static BIO_METHOD *bio_filter_out_method = NULL;
++static BIO_METHOD *bio_filter_in_method = NULL;
++
++void init_bio_methods(void)
++{
++    bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter");
++    BIO_meth_set_write(bio_filter_out_method, &bio_filter_out_write);
++    BIO_meth_set_read(bio_filter_out_method, &bio_filter_out_read); /* read 
is never called */
++    BIO_meth_set_puts(bio_filter_out_method, &bio_filter_out_puts); /* puts 
is never called */
++    BIO_meth_set_gets(bio_filter_out_method, &bio_filter_out_gets); /* gets 
is never called */
++    BIO_meth_set_ctrl(bio_filter_out_method, &bio_filter_out_ctrl);
++    BIO_meth_set_create(bio_filter_out_method, &bio_filter_create);
++    BIO_meth_set_destroy(bio_filter_out_method, &bio_filter_destroy);
++
++    bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter");
++    BIO_meth_set_write(bio_filter_in_method, &bio_filter_in_write); /* write 
is never called */
++    BIO_meth_set_read(bio_filter_in_method, &bio_filter_in_read);
++    BIO_meth_set_puts(bio_filter_in_method, &bio_filter_in_puts);   /* puts 
is never called */
++    BIO_meth_set_gets(bio_filter_in_method, &bio_filter_in_gets);   /* gets 
is never called */
++    BIO_meth_set_ctrl(bio_filter_in_method, &bio_filter_in_ctrl);   /* ctrl 
is never called */
++    BIO_meth_set_create(bio_filter_in_method, &bio_filter_create);
++    BIO_meth_set_destroy(bio_filter_in_method, &bio_filter_destroy);
++}
++
++void free_bio_methods(void)
++{
++    BIO_meth_free(bio_filter_out_method);
++    BIO_meth_free(bio_filter_in_method);
++}
++#endif
+ 
+ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
+                                       char *buf,
+@@ -789,7 +848,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
+      */
+     ERR_clear_error();
+ 
+-    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
++    outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
+     res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
+ 
+     if (res < 0) {
+@@ -1267,9 +1326,9 @@ static apr_status_t 
ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
+ 
+     if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
+         bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
+-                                     (filter_ctx->pbioRead->ptr);
++                                     BIO_get_data(filter_ctx->pbioRead);
+         bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
+-                                       (filter_ctx->pbioWrite->ptr);
++                                       BIO_get_data(filter_ctx->pbioWrite);
+         apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
+         ssl_err = SSL_get_error(filter_ctx->pssl, n);
+ 
+@@ -1682,8 +1741,8 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
+         return ap_pass_brigade(f->next, bb);
+     }
+ 
+-    inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
+-    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
++    inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead);
++    outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
+ 
+     /* When we are the writer, we must initialize the inctx
+      * mode so that we block for any required ssl input, because
+@@ -1964,8 +2023,12 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t 
*filter_ctx, conn_rec *c,
+ 
+     filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, 
c);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
+-    filter_ctx->pbioRead->ptr = (void *)inctx;
++#else
++    filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
++#endif
++    BIO_set_data(filter_ctx->pbioRead, (void *)inctx);
+ 
+     inctx->ssl = ssl;
+     inctx->bio_out = filter_ctx->pbioWrite;
+@@ -1995,8 +2058,12 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, 
SSL *ssl)
+     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
+                                                        filter_ctx, r, c);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
+-    filter_ctx->pbioWrite->ptr  = (void *)bio_filter_out_ctx_new(filter_ctx, 
c);
++#else
++    filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
++#endif
++    BIO_set_data(filter_ctx->pbioWrite, (void 
*)bio_filter_out_ctx_new(filter_ctx, c));
+ 
+     /* write is non blocking for the benefit of async mpm */
+     if (c->cs) {
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index d4459a2..da2776f 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -80,7 +80,7 @@ static apr_status_t upgrade_connection(request_rec *r)
+     SSL_set_accept_state(ssl);
+     SSL_do_handshake(ssl);
+ 
+-    if (SSL_get_state(ssl) != SSL_ST_OK) {
++    if (!SSL_is_init_finished(ssl)) {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
+                       "TLS upgrade handshake failed");
+         ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+@@ -114,6 +114,7 @@ static int has_buffered_data(request_rec *r)
+     return result;
+ }
+ 
++#ifdef HAVE_TLSEXT
+ static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t 
*s2)
+ {
+     int i;
+@@ -215,6 +216,7 @@ static int ssl_server_compatible(server_rec *s1, 
server_rec *s2)
+     
+     return 1;
+ }
++#endif
+ 
+ /*
+  *  Post Read Request Handler
+@@ -432,7 +434,7 @@ int ssl_hook_Access(request_rec *r)
+     X509 *cert;
+     X509 *peercert;
+     X509_STORE *cert_store = NULL;
+-    X509_STORE_CTX cert_store_ctx;
++    X509_STORE_CTX *cert_store_ctx;
+     STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
+     const SSL_CIPHER *cipher = NULL;
+     int depth, verify_old, verify, n, is_slave = 0;
+@@ -456,7 +458,7 @@ int ssl_hook_Access(request_rec *r)
+          * forbidden in the latter case, let ap_die() handle
+          * this recursive (same) error.
+          */
+-        if (SSL_get_state(ssl) != SSL_ST_OK) {
++        if (!SSL_is_init_finished(ssl)) {
+             return HTTP_FORBIDDEN;
+         }
+         ctx = SSL_get_SSL_CTX(ssl);
+@@ -622,7 +624,7 @@ int ssl_hook_Access(request_rec *r)
+                      !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
+                      n++)
+                 {
+-                    SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
++                    const SSL_CIPHER *value = 
sk_SSL_CIPHER_value(cipher_list, n);
+ 
+                     if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
+                         renegotiate = TRUE;
+@@ -633,7 +635,7 @@ int ssl_hook_Access(request_rec *r)
+                      !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
+                      n++)
+                 {
+-                    SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, 
n);
++                    const SSL_CIPHER *value = 
sk_SSL_CIPHER_value(cipher_list_old, n);
+ 
+                     if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
+                         renegotiate = TRUE;
+@@ -914,25 +916,27 @@ int ssl_hook_Access(request_rec *r)
+                 cert = sk_X509_value(cert_stack, 0);
+             }
+ 
+-            X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, 
cert_stack);
++            cert_store_ctx = X509_STORE_CTX_new();
++            X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
+             depth = SSL_get_verify_depth(ssl);
+ 
+             if (depth >= 0) {
+-                X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
++                X509_STORE_CTX_set_depth(cert_store_ctx, depth);
+             }
+ 
+-            X509_STORE_CTX_set_ex_data(&cert_store_ctx,
++            X509_STORE_CTX_set_ex_data(cert_store_ctx,
+                                        SSL_get_ex_data_X509_STORE_CTX_idx(),
+                                        (char *)ssl);
+ 
+-            if (!X509_verify_cert(&cert_store_ctx)) {
++            if (!X509_verify_cert(cert_store_ctx)) {
+                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
+                               "Re-negotiation verification step failed");
+                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+             }
+ 
+-            SSL_set_verify_result(ssl, cert_store_ctx.error);
+-            X509_STORE_CTX_cleanup(&cert_store_ctx);
++            SSL_set_verify_result(ssl, 
X509_STORE_CTX_get_error(cert_store_ctx));
++            X509_STORE_CTX_cleanup(cert_store_ctx);
++            X509_STORE_CTX_free(cert_store_ctx);
+ 
+             if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
+                 /* we created this ourselves, so free it */
+@@ -940,6 +944,7 @@ int ssl_hook_Access(request_rec *r)
+             }
+         }
+         else {
++            char peekbuf[1];
+             const char *reneg_support;
+             request_rec *id = r->main ? r->main : r;
+ 
+@@ -983,7 +988,7 @@ int ssl_hook_Access(request_rec *r)
+             SSL_renegotiate(ssl);
+             SSL_do_handshake(ssl);
+ 
+-            if (SSL_get_state(ssl) != SSL_ST_OK) {
++            if (!SSL_is_init_finished(ssl)) {
+                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
+                               "Re-negotiation request failed");
+                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+@@ -999,16 +1004,15 @@ int ssl_hook_Access(request_rec *r)
+              * However, this causes failures in perl-framework currently,
+              * perhaps pre-test if we have already negotiated?
+              */
+-#ifdef OPENSSL_NO_SSL_INTERN
+-            SSL_set_state(ssl, SSL_ST_ACCEPT);
+-#else
+-            ssl->state = SSL_ST_ACCEPT;
+-#endif
+-            SSL_do_handshake(ssl);
++            /* Need to trigger renegotiation handshake by reading.
++             * Peeking 0 bytes actually works.
++             * See: http://marc.info/?t=145493359200002&r=1&w=2
++             */
++            SSL_peek(ssl, peekbuf, 0);
+ 
+             sslconn->reneg_state = RENEG_REJECT;
+ 
+-            if (SSL_get_state(ssl) != SSL_ST_OK) {
++            if (!SSL_is_init_finished(ssl)) {
+                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
+                               "Re-negotiation handshake failed");
+                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+@@ -1513,7 +1517,11 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
+     SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
+ #endif
+     pkey = SSL_get_privatekey(ssl);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
++#else
++    type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
++#endif
+ 
+     /*
+      * OpenSSL will call us with either keylen == 512 or keylen == 1024
+@@ -1725,11 +1733,19 @@ static void modssl_proxy_info_log(conn_rec *c,
+  * so we need to increment here to prevent them from
+  * being freed.
+  */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define modssl_set_cert_info(info, cert, pkey) \
+     *cert = info->x509; \
+     CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
+     *pkey = info->x_pkey->dec_pkey; \
+     CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
++#else
++#define modssl_set_cert_info(info, cert, pkey) \
++    *cert = info->x509; \
++    X509_up_ref(*cert); \
++    *pkey = info->x_pkey->dec_pkey; \
++    EVP_PKEY_up_ref(*pkey);
++#endif
+ 
+ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
+ {
+@@ -1823,7 +1839,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, 
EVP_PKEY **pkey)
+ 
+ static void ssl_session_log(server_rec *s,
+                             const char *request,
+-                            unsigned char *id,
++                            IDCONST unsigned char *id,
+                             unsigned int idlen,
+                             const char *status,
+                             const char *result,
+@@ -1863,7 +1879,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, 
SSL_SESSION *session)
+     SSLSrvConfigRec *sc = mySrvConfig(s);
+     long timeout        = sc->session_cache_timeout;
+     BOOL rc;
+-    unsigned char *id;
++    IDCONST unsigned char *id;
+     unsigned int idlen;
+ 
+     /*
+@@ -1907,7 +1923,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, 
SSL_SESSION *session)
+  *  of our other Apache pre-forked server processes.
+  */
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
+-                                               unsigned char *id,
++                                               IDCONST unsigned char *id,
+                                                int idlen, int *do_copy)
+ {
+     /* Get Apache context back through OpenSSL context */
+@@ -1946,7 +1962,7 @@ void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
+ {
+     server_rec *s;
+     SSLSrvConfigRec *sc;
+-    unsigned char *id;
++    IDCONST unsigned char *id;
+     unsigned int idlen;
+ 
+     /*
+@@ -2067,15 +2083,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int 
rc)
+     /* If the reneg state is to reject renegotiations, check the SSL
+      * state machine and move to ABORT if a Client Hello is being
+      * read. */
+-    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
+-        int state = SSL_get_state((SSL *)ssl);
+-
+-        if (state == SSL3_ST_SR_CLNT_HELLO_A
+-            || state == SSL23_ST_SR_CLNT_HELLO_A) {
++    if (!scr->is_proxy &&
++        (where & SSL_CB_HANDSHAKE_START) &&
++        scr->reneg_state == RENEG_REJECT) {
+             scr->reneg_state = RENEG_ABORT;
+             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
+                           "rejecting client initiated renegotiation");
+-        }
+     }
+     /* If the first handshake is complete, change state to reject any
+      * subsequent client-initiated renegotiation. */
+@@ -2279,7 +2292,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
+         }
+ 
+         memcpy(keyname, ticket_key->key_name, 16);
+-        RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
++        RAND_bytes(iv, EVP_MAX_IV_LENGTH);
+         EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
+                            ticket_key->aes_key, iv);
+         HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), 
NULL);
+@@ -2416,17 +2429,27 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, 
void *arg)
+     SRP_user_pwd *u;
+ 
+     if (username == NULL
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+         || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
++#else
++        || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) {
++#endif
+         *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
+         return SSL3_AL_FATAL;
+     }
+ 
+     if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++        SRP_user_pwd_free(u);
++#endif
+         *ad = SSL_AD_INTERNAL_ERROR;
+         return SSL3_AL_FATAL;
+     }
+ 
+     /* reset all other options */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    SRP_user_pwd_free(u);
++#endif
+     SSL_set_verify(ssl, SSL_VERIFY_NONE,  ssl_callback_SSLVerify);
+     return SSL_ERROR_NONE;
+ }
+diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
+index f295651..282a2a2 100644
+--- a/modules/ssl/ssl_engine_ocsp.c
++++ b/modules/ssl/ssl_engine_ocsp.c
+@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, 
X509 *cert,
+ {
+     OCSP_REQUEST *req = OCSP_REQUEST_new();
+ 
+-    *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
++    *certid = OCSP_cert_to_id(NULL, cert, 
X509_STORE_CTX_get0_current_issuer(ctx));
+     if (!*certid || !OCSP_request_add0_id(req, *certid)) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
+                      "could not retrieve certificate id");
+@@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX 
*ctx, conn_rec *c,
+ 
+     if (rc == V_OCSP_CERTSTATUS_GOOD) {
+         /* TODO: allow flags configuration. */
+-        if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
++        if (OCSP_basic_verify(basicResponse, NULL, 
X509_STORE_CTX_get0_store(ctx), 0) != 1) {
+             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
+                         "failed to verify the OCSP response");
+             ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+@@ -262,7 +262,7 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, 
SSLSrvConfigRec *sc,
+                       "No cert available to check with OCSP");
+         return 1;
+     }
+-    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
++    else if (X509_check_issued(cert,cert) == X509_V_OK) {
+         /* don't do OCSP checking for valid self-issued certs */
+         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+                       "Skipping OCSP check for valid self-issued cert");
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index 036cb36..42c22b0 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -380,7 +380,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec 
*sslconn,
+         char buf[MODSSL_SESSION_ID_STRING_LEN];
+         SSL_SESSION *pSession = SSL_get_session(ssl);
+         if (pSession) {
+-            unsigned char *id;
++            IDCONST unsigned char *id;
+             unsigned int idlen;
+ 
+ #ifdef OPENSSL_NO_SSL_INTERN
+@@ -545,13 +545,25 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, 
request_rec *r, X509 *xs,
+         resdup = FALSE;
+     }
+     else if (strcEQ(var, "A_SIG")) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+         nid = OBJ_obj2nid((ASN1_OBJECT 
*)(xs->cert_info->signature->algorithm));
++#else
++        ASN1_OBJECT *paobj;
++        X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs));
++        nid = OBJ_obj2nid(paobj);
++#endif
+         result = apr_pstrdup(p,
+                              (nid == NID_undef) ? "UNKNOWN" : 
OBJ_nid2ln(nid));
+         resdup = FALSE;
+     }
+     else if (strcEQ(var, "A_KEY")) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+         nid = OBJ_obj2nid((ASN1_OBJECT 
*)(xs->cert_info->key->algor->algorithm));
++#else
++        ASN1_OBJECT *paobj;
++        X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, 
X509_get_X509_PUBKEY(xs));
++        nid = OBJ_obj2nid(paobj);
++#endif
+         result = apr_pstrdup(p,
+                              (nid == NID_undef) ? "UNKNOWN" : 
OBJ_nid2ln(nid));
+         resdup = FALSE;
+@@ -613,11 +625,8 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, 
X509_NAME *xsname, char *
+     for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
+         if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
+             && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
+-            for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) 
*)
+-                                                   xsname->entries);
+-                 j++) {
+-                xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
+-                                                xsname->entries, j);
++            for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
++                xsne = X509_NAME_get_entry(xsname, j);
+ 
+                 n =OBJ_obj2nid((ASN1_OBJECT 
*)X509_NAME_ENTRY_get_object(xsne));
+ 
+@@ -919,7 +928,6 @@ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, 
char *var)
+ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
+                        X509_NAME *xn, apr_pool_t *p)
+ {
+-    STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
+     X509_NAME_ENTRY *xsne;
+     apr_hash_t *count;
+     int i, nid;
+@@ -929,10 +937,9 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, 
const char *pfx,
+     count = apr_hash_make(p);
+ 
+     /* For each RDN... */
+-    for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
++    for (i = 0; i < X509_NAME_entry_count(xn); i++) {
+          const char *tag;
+-
+-         xsne = sk_X509_NAME_ENTRY_value(ents, i);
++         xsne = X509_NAME_get_entry(xn, i);
+ 
+          /* Retrieve the nid, and check whether this is one of the nids
+           * which are to be extracted. */
+@@ -1106,7 +1113,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec 
*c, int peer,
+     for (j = 0; j < count; j++) {
+         X509_EXTENSION *ext = X509_get_ext(xs, j);
+ 
+-        if (OBJ_cmp(ext->object, oid) == 0) {
++        if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
+             BIO *bio = BIO_new(BIO_s_mem());
+ 
+             /* We want to obtain a string representation of the extensions
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 7813e41..08de3a1 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -135,6 +135,13 @@
+ #define HAVE_SSL_CONF_CMD
+ #endif
+ 
++/* session id constness */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define IDCONST
++#else
++#define IDCONST const
++#endif
++
+ /**
+   * The following features all depend on TLS extension support.
+   * Within this block, check again for features (not version numbers).
+@@ -151,6 +158,8 @@
+ /* OCSP stapling */
+ #if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
+ #define HAVE_OCSP_STAPLING
++/* All exist but are no longer macros since OpenSSL 1.1.0 */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* backward compatibility with OpenSSL < 1.0 */
+ #ifndef sk_OPENSSL_STRING_num
+ #define sk_OPENSSL_STRING_num sk_num
+@@ -161,7 +170,8 @@
+ #ifndef sk_OPENSSL_STRING_pop
+ #define sk_OPENSSL_STRING_pop sk_pop
+ #endif
+-#endif
++#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#endif /* if !defined(OPENSSL_NO_OCSP) && 
defined(SSL_CTX_set_tlsext_status_cb) */
+ 
+ /* TLS session tickets */
+ #if defined(SSL_CTX_set_tlsext_ticket_key_cb)
+@@ -189,6 +199,36 @@
+ 
+ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
++#define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
++#define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
++#define BN_get_rfc3526_prime_2048  get_rfc3526_prime_2048
++#define BN_get_rfc3526_prime_3072  get_rfc3526_prime_3072
++#define BN_get_rfc3526_prime_4096  get_rfc3526_prime_4096
++#define BN_get_rfc3526_prime_6144  get_rfc3526_prime_6144
++#define BN_get_rfc3526_prime_8192  get_rfc3526_prime_8192
++#define BIO_set_init(x,v)          (x->init=v)
++#define BIO_get_data(x)            (x->ptr)
++#define BIO_set_data(x,v)          (x->ptr=v)
++#define BIO_get_shutdown(x)        (x->shutdown)
++#define BIO_set_shutdown(x,v)      (x->shutdown=v)
++#define DH_bits(x)                 (BN_num_bits(x->p))
++#else
++void init_bio_methods(void);
++void free_bio_methods(void);
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#define X509_STORE_CTX_get0_store(x) (x->ctx)
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10000000L
++#ifndef X509_STORE_CTX_get0_current_issuer
++#define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer)
++#endif
++#endif
++
+ /* mod_ssl headers */
+ #include "ssl_util_ssl.h"
+ 
+@@ -454,12 +494,12 @@ typedef struct {
+      * partial fix for CVE-2009-3555. */
+     enum {
+         RENEG_INIT = 0, /* Before initial handshake */
+-        RENEG_REJECT, /* After initial handshake; any client-initiated
+-                       * renegotiation should be rejected */
+-        RENEG_ALLOW, /* A server-initiated renegotiation is taking
+-                      * place (as dictated by configuration) */
+-        RENEG_ABORT /* Renegotiation initiated by client, abort the
+-                     * connection */
++        RENEG_REJECT,   /* After initial handshake; any client-initiated
++                         * renegotiation should be rejected */
++        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
++                         * place (as dictated by configuration) */
++        RENEG_ABORT     /* Renegotiation initiated by client, abort the
++                         * connection */
+     } reneg_state;
+ 
+     server_rec *server;
+@@ -810,7 +850,7 @@ int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
+ int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
+ int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+ int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+-SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, 
int *);
++SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, IDCONST unsigned char 
*, int, int *);
+ void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+ void         ssl_callback_Info(const SSL *, int, int);
+ #ifdef HAVE_TLSEXT
+@@ -831,10 +871,10 @@ int ssl_callback_alpn_select(SSL *ssl, const unsigned 
char **out,
+ apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
+ void         ssl_scache_status_register(apr_pool_t *p);
+ void         ssl_scache_kill(server_rec *);
+-BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
++BOOL         ssl_scache_store(server_rec *, IDCONST UCHAR *, int,
+                               apr_time_t, SSL_SESSION *, apr_pool_t *);
+-SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
+-void         ssl_scache_remove(server_rec *, UCHAR *, int,
++SSL_SESSION *ssl_scache_retrieve(server_rec *, IDCONST UCHAR *, int, 
apr_pool_t *);
++void         ssl_scache_remove(server_rec *, IDCONST UCHAR *, int,
+                                apr_pool_t *);
+ 
+ /** Proxy Support */
+@@ -882,7 +922,9 @@ void         ssl_util_ppclose(server_rec *, apr_pool_t *, 
apr_file_t *);
+ char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
+                                  const char * const *);
+ BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ void         ssl_util_thread_setup(apr_pool_t *);
++#endif
+ int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);
+ 
+ BOOL         ssl_util_vhost_matches(const char *servername, server_rec *s);
+diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c
+index 70d1877..7b4a203 100644
+--- a/modules/ssl/ssl_scache.c
++++ b/modules/ssl/ssl_scache.c
+@@ -110,7 +110,7 @@ void ssl_scache_kill(server_rec *s)
+ 
+ }
+ 
+-BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
++BOOL ssl_scache_store(server_rec *s, IDCONST UCHAR *id, int idlen,
+                       apr_time_t expiry, SSL_SESSION *sess,
+                       apr_pool_t *p)
+ {
+@@ -144,7 +144,7 @@ BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,
+     return rv == APR_SUCCESS ? TRUE : FALSE;
+ }
+ 
+-SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
++SSL_SESSION *ssl_scache_retrieve(server_rec *s, IDCONST UCHAR *id, int idlen,
+                                  apr_pool_t *p)
+ {
+     SSLModConfigRec *mc = myModConfig(s);
+@@ -173,7 +173,7 @@ SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, 
int idlen,
+     return d2i_SSL_SESSION(NULL, &ptr, destlen);
+ }
+ 
+-void ssl_scache_remove(server_rec *s, UCHAR *id, int idlen,
++void ssl_scache_remove(server_rec *s, IDCONST UCHAR *id, int idlen,
+                        apr_pool_t *p)
+ {
+     SSLModConfigRec *mc = myModConfig(s);
+diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
+index ddde3c7..052d23e 100644
+--- a/modules/ssl/ssl_util.c
++++ b/modules/ssl/ssl_util.c
+@@ -247,6 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *table,
+ }
+ 
+ #if APR_HAS_THREADS
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /*
+  * To ensure thread-safetyness in OpenSSL - work in progress
+  */
+@@ -362,6 +363,28 @@ static void ssl_dyn_destroy_function(struct 
CRYPTO_dynlock_value *l,
+     apr_pool_destroy(l->pool);
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++
++static void ssl_util_thr_id(CRYPTO_THREADID *id)
++{
++    /* OpenSSL needs this to return an unsigned long.  On OS/390, the pthread
++     * id is a structure twice that big.  Use the TCB pointer instead as a
++     * unique unsigned long.
++     */
++#ifdef __MVS__
++    struct PSA {
++        char unmapped[540]; /* PSATOLD is at offset 540 in the PSA */
++        unsigned long PSATOLD;
++    } *psaptr = 0; /* PSA is at address 0 */
++
++    CRYPTO_THREADID_set_numeric(id, psaptr->PSATOLD);
++#else
++    CRYPTO_THREADID_set_numeric(id, (unsigned long) apr_os_thread_current());
++#endif
++}
++
++#else
++
+ static unsigned long ssl_util_thr_id(void)
+ {
+     /* OpenSSL needs this to return an unsigned long.  On OS/390, the pthread
+@@ -380,10 +403,16 @@ static unsigned long ssl_util_thr_id(void)
+ #endif
+ }
+ 
++#endif
++
+ static apr_status_t ssl_util_thread_cleanup(void *data)
+ {
+     CRYPTO_set_locking_callback(NULL);
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++    CRYPTO_THREADID_set_callback(NULL);
++#else
+     CRYPTO_set_id_callback(NULL);
++#endif
+ 
+     CRYPTO_set_dynlock_create_callback(NULL);
+     CRYPTO_set_dynlock_lock_callback(NULL);
+@@ -407,7 +436,11 @@ void ssl_util_thread_setup(apr_pool_t *p)
+         apr_thread_mutex_create(&(lock_cs[i]), APR_THREAD_MUTEX_DEFAULT, p);
+     }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++    CRYPTO_THREADID_set_callback(ssl_util_thr_id);
++#else
+     CRYPTO_set_id_callback(ssl_util_thr_id);
++#endif
+ 
+     CRYPTO_set_locking_callback(ssl_util_thr_lock);
+ 
+@@ -422,4 +455,5 @@ void ssl_util_thread_setup(apr_pool_t *p)
+     apr_pool_cleanup_register(p, NULL, ssl_util_thread_cleanup,
+                                        apr_pool_cleanup_null);
+ }
+-#endif
++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
++#endif /* #if APR_HAS_THREADS */
+diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
+index a7607c7..9807592 100644
+--- a/modules/ssl/ssl_util_ssl.c
++++ b/modules/ssl/ssl_util_ssl.c
+@@ -488,7 +488,7 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
+ **  _________________________________________________________________
+ */
+ 
+-char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen,
++char *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *id, int idlen,
+                                char *str, int strsize)
+ {
+     if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
+diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
+index 5f74831..4f18f91 100644
+--- a/modules/ssl/ssl_util_ssl.h
++++ b/modules/ssl/ssl_util_ssl.h
+@@ -41,7 +41,11 @@
+ #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+ #define MODSSL_LIBRARY_NAME    "OpenSSL"
+ #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
++#else
++#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
++#endif
+ 
+ /**
+  *  Maximum length of a DER encoded session.
+@@ -67,7 +71,7 @@ char       *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, 
X509_NAME_ENTRY *xsn
+ char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+ BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, 
apr_array_header_t **);
+ BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, 
server_rec *);
+-char       *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
++char       *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, 
int);
+ 
+ #endif /* __SSL_UTIL_SSL_H__ */
+ /** @} */
+diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
+index 413e40f..718a291 100644
+--- a/modules/ssl/ssl_util_stapling.c
++++ b/modules/ssl/ssl_util_stapling.c
+@@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
+     X509 *issuer = NULL;
+     int i;
+     X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
+-    X509_STORE_CTX inctx;
++    X509_STORE_CTX *inctx;
+     STACK_OF(X509) *extra_certs = NULL;
+ 
+ #ifdef OPENSSL_NO_SSL_INTERN
+@@ -91,18 +91,23 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 
*x)
+     for (i = 0; i < sk_X509_num(extra_certs); i++) {
+         issuer = sk_X509_value(extra_certs, i);
+         if (X509_check_issued(issuer, x) == X509_V_OK) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
++#else
++            X509_up_ref(issuer);
++#endif
+             return issuer;
+         }
+     }
+ 
+-    if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
++    inctx = X509_STORE_CTX_new();
++    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
+         return 0;
+-    if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
++    if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
+         issuer = NULL;
+-    X509_STORE_CTX_cleanup(&inctx);
++    X509_STORE_CTX_cleanup(inctx);
++    X509_STORE_CTX_free(inctx);
+     return issuer;
+-
+ }
+ 
+ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
+@@ -398,7 +403,9 @@ static int stapling_check_response(server_rec *s, 
modssl_ctx_t *mctx,
+ 
+             if (bio) {
+                 int n;
+-                if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
++                ASN1_INTEGER *pserial;
++                OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
++                if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
+                     ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
+                     snum[n] = '\0';
+                 BIO_free(bio);
+diff --git a/support/ab.c b/support/ab.c
+index 072d2e6..3d61b2d 100644
+--- a/support/ab.c
++++ b/support/ab.c
+@@ -2165,6 +2165,14 @@ int main(int argc, const char * const argv[])
+     apr_getopt_t *opt;
+     const char *opt_arg;
+     char c;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    int max_prot = TLS1_2_VERSION;
++#ifndef OPENSSL_NO_SSL3
++    int min_prot = SSL3_VERSION;
++#else
++    int min_prot = TLS1_VERSION;
++#endif
++#endif /* #if OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ #ifdef USE_SSL
+     AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
+ #endif
+@@ -2391,6 +2399,7 @@ int main(int argc, const char * const argv[])
+                 method_str[CUSTOM_METHOD] = strdup(opt_arg);
+                 break;
+             case 'f':
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+                 if (strncasecmp(opt_arg, "ALL", 3) == 0) {
+                     meth = SSLv23_client_method();
+ #ifndef OPENSSL_NO_SSL2
+@@ -2416,6 +2425,31 @@ int main(int argc, const char * const argv[])
+                 } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
+                     meth = TLSv1_client_method();
+                 }
++#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
++                meth = TLS_client_method();
++                if (strncasecmp(opt_arg, "ALL", 3) == 0) {
++                    max_prot = TLS1_2_VERSION;
++#ifndef OPENSSL_NO_SSL3
++                    min_prot = SSL3_VERSION;
++#else
++                    min_prot = TLS1_VERSION;
++#endif
++#ifndef OPENSSL_NO_SSL3
++                } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
++                    max_prot = SSL3_VERSION;
++                    min_prot = SSL3_VERSION;
++#endif
++                } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
++                    max_prot = TLS1_1_VERSION;
++                    min_prot = TLS1_1_VERSION;
++                } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
++                    max_prot = TLS1_2_VERSION;
++                    min_prot = TLS1_2_VERSION;
++                } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
++                    max_prot = TLS1_VERSION;
++                    min_prot = TLS1_VERSION;
++                }
++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+                 break;
+ #ifdef HAVE_TLSEXT
+             case 'I':
+@@ -2465,7 +2499,11 @@ int main(int argc, const char * const argv[])
+ #ifdef RSAREF
+     R_malloc_init();
+ #else
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     CRYPTO_malloc_init();
++#else
++    OPENSSL_malloc_init();
++#endif
+ #endif
+     SSL_load_error_strings();
+     SSL_library_init();
+@@ -2478,6 +2516,10 @@ int main(int argc, const char * const argv[])
+         exit(1);
+     }
+     SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++    SSL_CTX_set_max_proto_version(ssl_ctx, max_prot);
++    SSL_CTX_set_min_proto_version(ssl_ctx, min_prot);
++#endif
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+     /* Keep memory usage as low as possible */
+     SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
-- 
http://lists.linuxfromscratch.org/listinfo/patches
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to