View | Details | Raw Unified | Return to bug 60061
Collapse All | Expand All

(-)file_not_specified_in_diff (-165 / +199 lines)
Line  Link Here
0
-- apache2-2.4.23.orig/modules/ssl/mod_ssl.c
0
++ apache2-2.4.23/modules/ssl/mod_ssl.c
Lines 312-318 static apr_status_t ssl_cleanup_pre_conf Link Here
312
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
312
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
313
    ENGINE_cleanup();
313
    ENGINE_cleanup();
314
#endif
314
#endif
315
#if OPENSSL_VERSION_NUMBER < 0x1010000L
315
    ERR_remove_state(0);
316
    ERR_remove_state(0);
317
#endif
316
318
317
    /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
319
    /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
318
     * actually loaded the error strings once per process due to static
320
     * actually loaded the error strings once per process due to static
Lines 342-348 static int ssl_hook_pre_config(apr_pool_ Link Here
342
    /* We must register the library in full, to ensure our configuration
344
    /* We must register the library in full, to ensure our configuration
343
     * code can successfully test the SSL environment.
345
     * code can successfully test the SSL environment.
344
     */
346
     */
347
#if OPENSSL_VERSION_NUMBER < 0x1010000L
345
    CRYPTO_malloc_init();
348
    CRYPTO_malloc_init();
349
#endif
346
    ERR_load_crypto_strings();
350
    ERR_load_crypto_strings();
347
    SSL_load_error_strings();
351
    SSL_load_error_strings();
348
    SSL_library_init();
352
    SSL_library_init();
Lines 378-383 static int ssl_hook_pre_config(apr_pool_ Link Here
378
                      APR_LOCK_DEFAULT, 0);
382
                      APR_LOCK_DEFAULT, 0);
379
#endif
383
#endif
380
384
385
    ssl_engine_io_init();
386
381
    return OK;
387
    return OK;
382
}
388
}
383
389
384
-- apache2-2.4.23.orig/modules/ssl/ssl_engine_init.c
390
++ apache2-2.4.23/modules/ssl/ssl_engine_init.c
Lines 53-66 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, Link Here
53
 */
53
 */
54
static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
54
static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
55
{
55
{
56
    DH *dh = DH_new();
56
    DH *dh;
57
    BIGNUM *p, *g;
57
58
59
    p = prime(NULL);
60
    BN_dec2bn(&g, gen);
61
    if (!p || !g) {
62
        return NULL;
63
    }
64
    dh = DH_new();
58
    if (!dh) {
65
    if (!dh) {
59
        return NULL;
66
        return NULL;
60
    }
67
    }
61
    dh->p = prime(NULL);
68
    if (!DH_set0_pqg(dh, p, NULL, g)) {
62
    BN_dec2bn(&dh->g, gen);
63
    if (!dh->p || !dh->g) {
64
        DH_free(dh);
69
        DH_free(dh);
65
        return NULL;
70
        return NULL;
66
    }
71
    }
Lines 480-485 static apr_status_t ssl_init_ctx_protoco Link Here
480
    MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
485
    MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
481
    char *cp;
486
    char *cp;
482
    int protocol = mctx->protocol;
487
    int protocol = mctx->protocol;
488
    int ssl_version = 0;
483
    SSLSrvConfigRec *sc = mySrvConfig(s);
489
    SSLSrvConfigRec *sc = mySrvConfig(s);
484
490
485
    /*
491
    /*
Lines 506-542 static apr_status_t ssl_init_ctx_protoco Link Here
506
    ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
512
    ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
507
                 "Creating new SSL context (protocols: %s)", cp);
513
                 "Creating new SSL context (protocols: %s)", cp);
508
514
515
    method = mctx->pkp ?
516
        SSLv23_client_method() : /* proxy */
517
        SSLv23_server_method();  /* server */
518
    ctx = SSL_CTX_new(method);
519
520
#if OPENSSL_VERSION_NUMBER >= 0x1010000L
509
#ifndef OPENSSL_NO_SSL3
521
#ifndef OPENSSL_NO_SSL3
510
    if (protocol == SSL_PROTOCOL_SSLV3) {
522
    if (protocol == SSL_PROTOCOL_SSLV3)
511
        method = mctx->pkp ?
523
        ssl_version = SSL3_VERSION;
512
            SSLv3_client_method() : /* proxy */
513
            SSLv3_server_method();  /* server */
514
    }
515
    else
524
    else
516
#endif
525
#endif
517
    if (protocol == SSL_PROTOCOL_TLSV1) {
526
    if (protocol == SSL_PROTOCOL_TLSV1)
518
        method = mctx->pkp ?
527
        ssl_version = TLS1_VERSION;
519
            TLSv1_client_method() : /* proxy */
528
    else if (protocol == SSL_PROTOCOL_TLSV1_1)
520
            TLSv1_server_method();  /* server */
529
        ssl_version = TLS1_1_VERSION;
521
    }
530
    else if (protocol == SSL_PROTOCOL_TLSV1_2)
522
#ifdef HAVE_TLSV1_X
531
        ssl_version = TLS1_2_VERSION;
523
    else if (protocol == SSL_PROTOCOL_TLSV1_1) {
532
    SSL_CTX_set_min_proto_version(ctx, ssl_version);
524
        method = mctx->pkp ?
533
    SSL_CTX_set_max_proto_version(ctx, ssl_version);
525
            TLSv1_1_client_method() : /* proxy */
534
#else
526
            TLSv1_1_server_method();  /* server */
535
    if (protocol == SSL_PROTOCOL_SSLV3)
527
    }
536
        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
528
    else if (protocol == SSL_PROTOCOL_TLSV1_2) {
537
    else if (protocol == SSL_PROTOCOL_TLSV1)
529
        method = mctx->pkp ?
538
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
530
            TLSv1_2_client_method() : /* proxy */
539
    else if (protocol == SSL_PROTOCOL_TLSV1_1)
531
            TLSv1_2_server_method();  /* server */
540
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
532
    }
541
    else if (protocol == SSL_PROTOCOL_TLSV1_2)
542
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
533
#endif
543
#endif
534
    else { /* For multiple protocols, we need a flexible method */
535
        method = mctx->pkp ?
536
            SSLv23_client_method() : /* proxy */
537
            SSLv23_server_method();  /* server */
538
    }
539
    ctx = SSL_CTX_new(method);
540
544
541
    mctx->ssl_ctx = ctx;
545
    mctx->ssl_ctx = ctx;
542
546
Lines 858-864 static int use_certificate_chain( Link Here
858
    unsigned long err;
862
    unsigned long err;
859
    int n;
863
    int n;
860
864
861
    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
865
    if ((bio = BIO_new(BIO_s_file())) == NULL)
862
        return -1;
866
        return -1;
863
    if (BIO_read_filename(bio, file) <= 0) {
867
    if (BIO_read_filename(bio, file) <= 0) {
864
        BIO_free(bio);
868
        BIO_free(bio);
Lines 1200-1206 static apr_status_t ssl_init_server_cert Link Here
1200
        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
1204
        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
1201
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
1205
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
1202
                     "Custom DH parameters (%d bits) for %s loaded from %s",
1206
                     "Custom DH parameters (%d bits) for %s loaded from %s",
1203
                     BN_num_bits(dhparams->p), vhost_id, certfile);
1207
                     DH_bits(dhparams), vhost_id, certfile);
1204
        DH_free(dhparams);
1208
        DH_free(dhparams);
1205
    }
1209
    }
1206
1210
1207
-- apache2-2.4.23.orig/modules/ssl/ssl_engine_io.c
1211
++ apache2-2.4.23/modules/ssl/ssl_engine_io.c
Lines 149-155 static int bio_filter_out_pass(bio_filte Link Here
149
 * success, -1 on failure. */
149
 * success, -1 on failure. */
150
static int bio_filter_out_flush(BIO *bio)
150
static int bio_filter_out_flush(BIO *bio)
151
{
151
{
152
    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
152
    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
153
    apr_bucket *e;
153
    apr_bucket *e;
154
154
155
    AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
155
    AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb));
Lines 162-171 static int bio_filter_out_flush(BIO *bio Link Here
162
162
163
static int bio_filter_create(BIO *bio)
163
static int bio_filter_create(BIO *bio)
164
{
164
{
165
    bio->shutdown = 1;
165
    BIO_set_shutdown(bio, 1);
166
    bio->init = 1;
166
    BIO_set_init(bio, 1);
167
    bio->num = -1;
167
    BIO_set_data(bio, NULL);
168
    bio->ptr = NULL;
169
168
170
    return 1;
169
    return 1;
171
}
170
}
Lines 190-196 static int bio_filter_out_read(BIO *bio, Link Here
190
189
191
static int bio_filter_out_write(BIO *bio, const char *in, int inl)
190
static int bio_filter_out_write(BIO *bio, const char *in, int inl)
192
{
191
{
193
    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
192
    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
194
    apr_bucket *e;
193
    apr_bucket *e;
195
    int need_flush;
194
    int need_flush;
196
195
Lines 241-247 static int bio_filter_out_write(BIO *bio Link Here
241
static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
240
static long bio_filter_out_ctrl(BIO *bio, int cmd, long num, void *ptr)
242
{
241
{
243
    long ret = 1;
242
    long ret = 1;
244
    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
243
    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
245
244
246
    switch (cmd) {
245
    switch (cmd) {
247
    case BIO_CTRL_RESET:
246
    case BIO_CTRL_RESET:
Lines 257-266 static long bio_filter_out_ctrl(BIO *bio Link Here
257
        ret = 0;
256
        ret = 0;
258
        break;
257
        break;
259
    case BIO_CTRL_GET_CLOSE:
258
    case BIO_CTRL_GET_CLOSE:
260
        ret = (long)bio->shutdown;
259
        ret = (long)BIO_get_shutdown(bio);
261
        break;
260
        break;
262
      case BIO_CTRL_SET_CLOSE:
261
      case BIO_CTRL_SET_CLOSE:
263
        bio->shutdown = (int)num;
262
        BIO_set_shutdown(bio, (int)num);
264
        break;
263
        break;
265
      case BIO_CTRL_FLUSH:
264
      case BIO_CTRL_FLUSH:
266
        ret = bio_filter_out_flush(bio);
265
        ret = bio_filter_out_flush(bio);
Lines 294-311 static int bio_filter_out_puts(BIO *bio, Link Here
294
    return -1;
293
    return -1;
295
}
294
}
296
295
297
static BIO_METHOD bio_filter_out_method = {
296
static BIO_METHOD *bio_filter_out_method;
298
    BIO_TYPE_MEM,
297
299
    "APR output filter",
298
static int create_bio_filter_out_method(void)
300
    bio_filter_out_write,
299
{
301
    bio_filter_out_read,     /* read is never called */
300
    bio_filter_out_method = BIO_meth_new(BIO_TYPE_MEM, "APR output filter");
302
    bio_filter_out_puts,     /* puts is never called */
301
    if (bio_filter_out_method == NULL)
303
    bio_filter_out_gets,     /* gets is never called */
302
        return 0;
304
    bio_filter_out_ctrl,
303
    BIO_meth_set_write(bio_filter_out_method, bio_filter_out_write);
305
    bio_filter_create,
304
    BIO_meth_set_read(bio_filter_out_method, bio_filter_out_read); /* read is never called */
306
    bio_filter_destroy,
305
    BIO_meth_set_puts(bio_filter_out_method, bio_filter_out_puts); /* puts is never called */
307
    NULL
306
    BIO_meth_set_gets(bio_filter_out_method, bio_filter_out_gets); /* gets is never called */
308
};
307
    BIO_meth_set_ctrl(bio_filter_out_method, bio_filter_out_ctrl);
308
    BIO_meth_set_create(bio_filter_out_method, bio_filter_create);
309
    BIO_meth_set_destroy(bio_filter_out_method, bio_filter_destroy);
310
    return 1;
311
}
309
312
310
typedef struct {
313
typedef struct {
311
    int length;
314
    int length;
Lines 456-462 static apr_status_t brigade_consume(apr_ Link Here
456
static int bio_filter_in_read(BIO *bio, char *in, int inlen)
459
static int bio_filter_in_read(BIO *bio, char *in, int inlen)
457
{
460
{
458
    apr_size_t inl = inlen;
461
    apr_size_t inl = inlen;
459
    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)(bio->ptr);
462
    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
460
    apr_read_type_e block = inctx->block;
463
    apr_read_type_e block = inctx->block;
461
464
462
    inctx->rc = APR_SUCCESS;
465
    inctx->rc = APR_SUCCESS;
Lines 537-555 static int bio_filter_in_read(BIO *bio, Link Here
537
}
540
}
538
541
539
542
540
static BIO_METHOD bio_filter_in_method = {
543
static BIO_METHOD *bio_filter_in_method;
541
    BIO_TYPE_MEM,
542
    "APR input filter",
543
    NULL,                       /* write is never called */
544
    bio_filter_in_read,
545
    NULL,                       /* puts is never called */
546
    NULL,                       /* gets is never called */
547
    NULL,                       /* ctrl is never called */
548
    bio_filter_create,
549
    bio_filter_destroy,
550
    NULL
551
};
552
544
545
static int create_bio_filter_in_method(void)
546
{
547
    bio_filter_in_method = BIO_meth_new(BIO_TYPE_MEM, "APR input filter");
548
    if (bio_filter_in_method == NULL)
549
        return 0;
550
    BIO_meth_set_read(bio_filter_in_method, bio_filter_in_read);
551
    BIO_meth_set_create(bio_filter_in_method, bio_filter_create);
552
    BIO_meth_set_destroy(bio_filter_in_method, bio_filter_destroy);
553
    return 1;
554
}
553
555
554
static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
556
static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
555
                                      char *buf,
557
                                      char *buf,
Lines 779-785 static apr_status_t ssl_filter_write(ap_ Link Here
779
        return APR_EGENERAL;
781
        return APR_EGENERAL;
780
    }
782
    }
781
783
782
    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
784
    outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
783
    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
785
    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
784
786
785
    if (res < 0) {
787
    if (res < 0) {
Lines 1252-1260 static apr_status_t ssl_io_filter_handsh Link Here
1252
1254
1253
    if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
1255
    if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
1254
        bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
1256
        bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
1255
                                     (filter_ctx->pbioRead->ptr);
1257
                                     BIO_get_data(filter_ctx->pbioRead);
1256
        bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
1258
        bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)
1257
                                       (filter_ctx->pbioWrite->ptr);
1259
                                       BIO_get_data(filter_ctx->pbioWrite);
1258
        apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
1260
        apr_status_t rc = inctx->rc ? inctx->rc : outctx->rc ;
1259
        ssl_err = SSL_get_error(filter_ctx->pssl, n);
1261
        ssl_err = SSL_get_error(filter_ctx->pssl, n);
1260
1262
Lines 1667-1674 static apr_status_t ssl_io_filter_output Link Here
1667
        return ap_pass_brigade(f->next, bb);
1669
        return ap_pass_brigade(f->next, bb);
1668
    }
1670
    }
1669
1671
1670
    inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
1672
    inctx = (bio_filter_in_ctx_t *)BIO_get_data(filter_ctx->pbioRead);
1671
    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
1673
    outctx = (bio_filter_out_ctx_t *)BIO_get_data(filter_ctx->pbioWrite);
1672
1674
1673
    /* When we are the writer, we must initialize the inctx
1675
    /* When we are the writer, we must initialize the inctx
1674
     * mode so that we block for any required ssl input, because
1676
     * mode so that we block for any required ssl input, because
Lines 1949-1956 static void ssl_io_input_add_filter(ssl_ Link Here
1949
1951
1950
    filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
1952
    filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
1951
1953
1952
    filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
1954
    filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
1953
    filter_ctx->pbioRead->ptr = (void *)inctx;
1955
    BIO_set_data(filter_ctx->pbioRead, inctx);
1954
1956
1955
    inctx->ssl = ssl;
1957
    inctx->ssl = ssl;
1956
    inctx->bio_out = filter_ctx->pbioWrite;
1958
    inctx->bio_out = filter_ctx->pbioWrite;
Lines 1980-1987 void ssl_io_filter_init(conn_rec *c, req Link Here
1980
    filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
1982
    filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
1981
                                                       filter_ctx, r, c);
1983
                                                       filter_ctx, r, c);
1982
1984
1983
    filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
1985
    filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
1984
    filter_ctx->pbioWrite->ptr  = (void *)bio_filter_out_ctx_new(filter_ctx, c);
1986
    BIO_set_data(filter_ctx->pbioWrite, bio_filter_out_ctx_new(filter_ctx, c));
1985
1987
1986
    /* write is non blocking for the benefit of async mpm */
1988
    /* write is non blocking for the benefit of async mpm */
1987
    if (c->cs) {
1989
    if (c->cs) {
Lines 2130-2132 long ssl_io_data_cb(BIO *bio, int cmd, Link Here
2130
    }
2132
    }
2131
    return rc;
2133
    return rc;
2132
}
2134
}
2133
-- apache2-2.4.23.orig/modules/ssl/ssl_engine_kernel.c
2135
2136
int ssl_engine_io_init(void)
2137
{
2138
    if (!create_bio_filter_out_method())
2139
        return 0;
2140
    if (!create_bio_filter_in_method())
2141
        return 0;
2142
    return 1;
2143
}
2144
2145
++ apache2-2.4.23/modules/ssl/ssl_engine_kernel.c
Lines 80-86 static apr_status_t upgrade_connection(r Link Here
80
    SSL_set_accept_state(ssl);
80
    SSL_set_accept_state(ssl);
81
    SSL_do_handshake(ssl);
81
    SSL_do_handshake(ssl);
82
82
83
    if (SSL_get_state(ssl) != SSL_ST_OK) {
83
    if (SSL_get_state(ssl) != TLS_ST_OK) {
84
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
84
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
85
                      "TLS upgrade handshake failed");
85
                      "TLS upgrade handshake failed");
86
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
86
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
Lines 432-438 int ssl_hook_Access(request_rec *r) Link Here
432
    X509 *cert;
432
    X509 *cert;
433
    X509 *peercert;
433
    X509 *peercert;
434
    X509_STORE *cert_store = NULL;
434
    X509_STORE *cert_store = NULL;
435
    X509_STORE_CTX cert_store_ctx;
435
    X509_STORE_CTX *cert_store_ctx;
436
    STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
436
    STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
437
    const SSL_CIPHER *cipher = NULL;
437
    const SSL_CIPHER *cipher = NULL;
438
    int depth, verify_old, verify, n, is_slave = 0;
438
    int depth, verify_old, verify, n, is_slave = 0;
Lines 456-462 int ssl_hook_Access(request_rec *r) Link Here
456
         * forbidden in the latter case, let ap_die() handle
456
         * forbidden in the latter case, let ap_die() handle
457
         * this recursive (same) error.
457
         * this recursive (same) error.
458
         */
458
         */
459
        if (SSL_get_state(ssl) != SSL_ST_OK) {
459
        if (SSL_get_state(ssl) != TLS_ST_OK) {
460
            return HTTP_FORBIDDEN;
460
            return HTTP_FORBIDDEN;
461
        }
461
        }
462
        ctx = SSL_get_SSL_CTX(ssl);
462
        ctx = SSL_get_SSL_CTX(ssl);
Lines 622-628 int ssl_hook_Access(request_rec *r) Link Here
622
                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
622
                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
623
                     n++)
623
                     n++)
624
                {
624
                {
625
                    SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
625
                    const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
626
626
627
                    if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
627
                    if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
628
                        renegotiate = TRUE;
628
                        renegotiate = TRUE;
Lines 633-639 int ssl_hook_Access(request_rec *r) Link Here
633
                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
633
                     !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
634
                     n++)
634
                     n++)
635
                {
635
                {
636
                    SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
636
                    const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
637
637
638
                    if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
638
                    if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
639
                        renegotiate = TRUE;
639
                        renegotiate = TRUE;
Lines 914-938 int ssl_hook_Access(request_rec *r) Link Here
914
                cert = sk_X509_value(cert_stack, 0);
914
                cert = sk_X509_value(cert_stack, 0);
915
            }
915
            }
916
916
917
            X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
917
            cert_store_ctx = X509_STORE_CTX_new();
918
            X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack);
918
            depth = SSL_get_verify_depth(ssl);
919
            depth = SSL_get_verify_depth(ssl);
919
920
920
            if (depth >= 0) {
921
            if (depth >= 0) {
921
                X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
922
                X509_STORE_CTX_set_depth(cert_store_ctx, depth);
922
            }
923
            }
923
924
924
            X509_STORE_CTX_set_ex_data(&cert_store_ctx,
925
            X509_STORE_CTX_set_ex_data(cert_store_ctx,
925
                                       SSL_get_ex_data_X509_STORE_CTX_idx(),
926
                                       SSL_get_ex_data_X509_STORE_CTX_idx(),
926
                                       (char *)ssl);
927
                                       (char *)ssl);
927
928
928
            if (!X509_verify_cert(&cert_store_ctx)) {
929
            if (!X509_verify_cert(cert_store_ctx)) {
929
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
930
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
930
                              "Re-negotiation verification step failed");
931
                              "Re-negotiation verification step failed");
931
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
932
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
932
            }
933
            }
933
934
934
            SSL_set_verify_result(ssl, cert_store_ctx.error);
935
            SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx));
935
            X509_STORE_CTX_cleanup(&cert_store_ctx);
936
            X509_STORE_CTX_free(cert_store_ctx);
936
937
937
            if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
938
            if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
938
                /* we created this ourselves, so free it */
939
                /* we created this ourselves, so free it */
Lines 983-989 int ssl_hook_Access(request_rec *r) Link Here
983
            SSL_renegotiate(ssl);
984
            SSL_renegotiate(ssl);
984
            SSL_do_handshake(ssl);
985
            SSL_do_handshake(ssl);
985
986
986
            if (SSL_get_state(ssl) != SSL_ST_OK) {
987
            if (SSL_get_state(ssl) != TLS_ST_OK) {
987
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
988
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
988
                              "Re-negotiation request failed");
989
                              "Re-negotiation request failed");
989
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
990
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
Lines 995-1014 int ssl_hook_Access(request_rec *r) Link Here
995
            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
996
            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
996
                          "Awaiting re-negotiation handshake");
997
                          "Awaiting re-negotiation handshake");
997
998
998
            /* XXX: Should replace setting state with SSL_renegotiate(ssl);
999
            /* XXX: Why is this done twice? */
999
             * However, this causes failures in perl-framework currently,
1000
            SSL_renegotiate(ssl);
1000
             * perhaps pre-test if we have already negotiated?
1001
            /* XXX: Return value ignored, uses SSL_get_state instead? */
1001
             */
1002
#ifdef OPENSSL_NO_SSL_INTERN
1003
            SSL_set_state(ssl, SSL_ST_ACCEPT);
1004
#else
1005
            ssl->state = SSL_ST_ACCEPT;
1006
#endif
1007
            SSL_do_handshake(ssl);
1002
            SSL_do_handshake(ssl);
1008
1003
1009
            sslconn->reneg_state = RENEG_REJECT;
1004
            sslconn->reneg_state = RENEG_REJECT;
1010
1005
1011
            if (SSL_get_state(ssl) != SSL_ST_OK) {
1006
            if (SSL_get_state(ssl) != TLS_ST_OK) {
1012
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
1007
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
1013
                              "Re-negotiation handshake failed");
1008
                              "Re-negotiation handshake failed");
1014
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
1009
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
Lines 1513-1519 DH *ssl_callback_TmpDH(SSL *ssl, int exp Link Here
1513
    SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
1508
    SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
1514
#endif
1509
#endif
1515
    pkey = SSL_get_privatekey(ssl);
1510
    pkey = SSL_get_privatekey(ssl);
1516
    type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
1511
    type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
1517
1512
1518
    /*
1513
    /*
1519
     * OpenSSL will call us with either keylen == 512 or keylen == 1024
1514
     * OpenSSL will call us with either keylen == 512 or keylen == 1024
Lines 1727-1735 static void modssl_proxy_info_log(conn_r Link Here
1727
 */
1722
 */
1728
#define modssl_set_cert_info(info, cert, pkey) \
1723
#define modssl_set_cert_info(info, cert, pkey) \
1729
    *cert = info->x509; \
1724
    *cert = info->x509; \
1730
    CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
1725
    X509_up_ref(*cert); \
1731
    *pkey = info->x_pkey->dec_pkey; \
1726
    *pkey = info->x_pkey->dec_pkey; \
1732
    CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
1727
    EVP_PKEY_up_ref(*pkey)
1733
1728
1734
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
1729
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
1735
{
1730
{
Lines 1823-1829 int ssl_callback_proxy_cert(SSL *ssl, X5 Link Here
1823
1818
1824
static void ssl_session_log(server_rec *s,
1819
static void ssl_session_log(server_rec *s,
1825
                            const char *request,
1820
                            const char *request,
1826
                            unsigned char *id,
1821
                            const unsigned char *id,
1827
                            unsigned int idlen,
1822
                            unsigned int idlen,
1828
                            const char *status,
1823
                            const char *status,
1829
                            const char *result,
1824
                            const char *result,
Lines 1907-1913 int ssl_callback_NewSessionCacheEntry(SS Link Here
1907
 *  of our other Apache pre-forked server processes.
1902
 *  of our other Apache pre-forked server processes.
1908
 */
1903
 */
1909
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
1904
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
1910
                                               unsigned char *id,
1905
                                               const unsigned char *id,
1911
                                               int idlen, int *do_copy)
1906
                                               int idlen, int *do_copy)
1912
{
1907
{
1913
    /* Get Apache context back through OpenSSL context */
1908
    /* Get Apache context back through OpenSSL context */
Lines 2070-2077 void ssl_callback_Info(const SSL *ssl, i Link Here
2070
    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
2065
    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
2071
        int state = SSL_get_state((SSL *)ssl);
2066
        int state = SSL_get_state((SSL *)ssl);
2072
2067
2073
        if (state == SSL3_ST_SR_CLNT_HELLO_A
2068
        if (state == TLS_ST_SR_CLNT_HELLO) {
2074
            || state == SSL23_ST_SR_CLNT_HELLO_A) {
2075
            scr->reneg_state = RENEG_ABORT;
2069
            scr->reneg_state = RENEG_ABORT;
2076
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
2070
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
2077
                          "rejecting client initiated renegotiation");
2071
                          "rejecting client initiated renegotiation");
Lines 2279-2285 int ssl_callback_SessionTicket(SSL *ssl, Link Here
2279
        }
2273
        }
2280
2274
2281
        memcpy(keyname, ticket_key->key_name, 16);
2275
        memcpy(keyname, ticket_key->key_name, 16);
2282
        RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
2276
        /* XXX: Return value not checked. */
2277
        RAND_bytes(iv, EVP_MAX_IV_LENGTH);
2283
        EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
2278
        EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
2284
                           ticket_key->aes_key, iv);
2279
                           ticket_key->aes_key, iv);
2285
        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
2280
        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
Lines 2416-2433 int ssl_callback_SRPServerParams(SSL *ss Link Here
2416
    SRP_user_pwd *u;
2411
    SRP_user_pwd *u;
2417
2412
2418
    if (username == NULL
2413
    if (username == NULL
2419
        || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
2414
        || (u = SRP_VBASE_get1_by_user(mctx->srp_vbase, username)) == NULL) {
2420
        *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
2415
        *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
2421
        return SSL3_AL_FATAL;
2416
        return SSL3_AL_FATAL;
2422
    }
2417
    }
2423
2418
2424
    if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
2419
    if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
2420
        SRP_user_pwd_free(u);
2425
        *ad = SSL_AD_INTERNAL_ERROR;
2421
        *ad = SSL_AD_INTERNAL_ERROR;
2426
        return SSL3_AL_FATAL;
2422
        return SSL3_AL_FATAL;
2427
    }
2423
    }
2428
2424
2429
    /* reset all other options */
2425
    /* reset all other options */
2430
    SSL_set_verify(ssl, SSL_VERIFY_NONE,  ssl_callback_SSLVerify);
2426
    SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
2427
    SRP_user_pwd_free(u);
2431
    return SSL_ERROR_NONE;
2428
    return SSL_ERROR_NONE;
2432
}
2429
}
2433
2430
2434
-- apache2-2.4.23.orig/modules/ssl/ssl_engine_ocsp.c
2431
++ apache2-2.4.23/modules/ssl/ssl_engine_ocsp.c
Lines 109-115 static OCSP_REQUEST *create_request(X509 Link Here
109
{
109
{
110
    OCSP_REQUEST *req = OCSP_REQUEST_new();
110
    OCSP_REQUEST *req = OCSP_REQUEST_new();
111
111
112
    *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
112
    *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx));
113
    if (!*certid || !OCSP_request_add0_id(req, *certid)) {
113
    if (!*certid || !OCSP_request_add0_id(req, *certid)) {
114
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
114
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
115
                     "could not retrieve certificate id");
115
                     "could not retrieve certificate id");
Lines 184-190 static int verify_ocsp_status(X509 *cert Link Here
184
184
185
    if (rc == V_OCSP_CERTSTATUS_GOOD) {
185
    if (rc == V_OCSP_CERTSTATUS_GOOD) {
186
        /* TODO: allow flags configuration. */
186
        /* TODO: allow flags configuration. */
187
        if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
187
        if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
188
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
188
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
189
                        "failed to verify the OCSP response");
189
                        "failed to verify the OCSP response");
190
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
190
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
Lines 262-268 int modssl_verify_ocsp(X509_STORE_CTX *c Link Here
262
                      "No cert available to check with OCSP");
262
                      "No cert available to check with OCSP");
263
        return 1;
263
        return 1;
264
    }
264
    }
265
    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
265
    else if (X509_check_issued(cert, cert) == X509_V_OK) {
266
        /* don't do OCSP checking for valid self-issued certs */
266
        /* don't do OCSP checking for valid self-issued certs */
267
        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
267
        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
268
                      "Skipping OCSP check for valid self-issued cert");
268
                      "Skipping OCSP check for valid self-issued cert");
269
-- apache2-2.4.23.orig/modules/ssl/ssl_engine_vars.c
269
++ apache2-2.4.23/modules/ssl/ssl_engine_vars.c
Lines 529-541 static char *ssl_var_lookup_ssl_cert(apr Link Here
529
        resdup = FALSE;
529
        resdup = FALSE;
530
    }
530
    }
531
    else if (strcEQ(var, "A_SIG")) {
531
    else if (strcEQ(var, "A_SIG")) {
532
        nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
532
        nid = OBJ_obj2nid(X509_get0_tbs_sigalg(xs)->algorithm);
533
        result = apr_pstrdup(p,
533
        result = apr_pstrdup(p,
534
                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
534
                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
535
        resdup = FALSE;
535
        resdup = FALSE;
536
    }
536
    }
537
    else if (strcEQ(var, "A_KEY")) {
537
    else if (strcEQ(var, "A_KEY")) {
538
        nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
538
        X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(xs);
539
	X509_ALGOR *algor;
540
	X509_PUBKEY_get0_param(NULL, NULL, NULL, &algor, pubkey);
541
        nid = OBJ_obj2nid(algor->algorithm);
539
        result = apr_pstrdup(p,
542
        result = apr_pstrdup(p,
540
                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
543
                             (nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
541
        resdup = FALSE;
544
        resdup = FALSE;
Lines 597-609 static char *ssl_var_lookup_ssl_cert_dn( Link Here
597
    for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
600
    for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
598
        if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
601
        if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
599
            && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
602
            && strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
600
            for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
603
            for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
601
                                                   xsname->entries);
604
                xsne = X509_NAME_get_entry(xsname, j);
602
                 j++) {
603
                xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
604
                                                xsname->entries, j);
605
605
606
                n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
606
                n = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne));
607
607
608
                if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
608
                if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
609
                    result = modssl_X509_NAME_ENTRY_to_string(p, xsne);
609
                    result = modssl_X509_NAME_ENTRY_to_string(p, xsne);
Lines 903-909 static char *ssl_var_lookup_ssl_version( Link Here
903
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
903
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
904
                       X509_NAME *xn, apr_pool_t *p)
904
                       X509_NAME *xn, apr_pool_t *p)
905
{
905
{
906
    STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
907
    X509_NAME_ENTRY *xsne;
906
    X509_NAME_ENTRY *xsne;
908
    apr_hash_t *count;
907
    apr_hash_t *count;
909
    int i, nid;
908
    int i, nid;
Lines 913-926 static void extract_dn(apr_table_t *t, a Link Here
913
    count = apr_hash_make(p);
912
    count = apr_hash_make(p);
914
913
915
    /* For each RDN... */
914
    /* For each RDN... */
916
    for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
915
    for (i = 0; i < X509_NAME_entry_count(xn); i++) {
917
         const char *tag;
916
         const char *tag;
918
917
919
         xsne = sk_X509_NAME_ENTRY_value(ents, i);
918
         xsne = X509_NAME_get_entry(xn, i);
920
919
921
         /* Retrieve the nid, and check whether this is one of the nids
920
         /* Retrieve the nid, and check whether this is one of the nids
922
          * which are to be extracted. */
921
          * which are to be extracted. */
923
         nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
922
         nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne));
924
923
925
         tag = apr_hash_get(nids, &nid, sizeof nid);
924
         tag = apr_hash_get(nids, &nid, sizeof nid);
926
         if (tag) {
925
         if (tag) {
Lines 1090-1096 apr_array_header_t *ssl_ext_list(apr_poo Link Here
1090
    for (j = 0; j < count; j++) {
1089
    for (j = 0; j < count; j++) {
1091
        X509_EXTENSION *ext = X509_get_ext(xs, j);
1090
        X509_EXTENSION *ext = X509_get_ext(xs, j);
1092
1091
1093
        if (OBJ_cmp(ext->object, oid) == 0) {
1092
        if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
1094
            BIO *bio = BIO_new(BIO_s_mem());
1093
            BIO *bio = BIO_new(BIO_s_mem());
1095
1094
1096
            /* We want to obtain a string representation of the extensions
1095
            /* We want to obtain a string representation of the extensions
1097
-- apache2-2.4.23.orig/modules/ssl/ssl_private.h
1096
++ apache2-2.4.23/modules/ssl/ssl_private.h
Lines 810-816 int ssl_callback_SSLVerify(int, Link Here
810
int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
810
int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
811
int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
811
int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
812
int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
812
int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
813
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
813
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, const unsigned char *, int, int *);
814
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
814
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
815
void         ssl_callback_Info(const SSL *, int, int);
815
void         ssl_callback_Info(const SSL *, int, int);
816
#ifdef HAVE_TLSEXT
816
#ifdef HAVE_TLSEXT
Lines 833-839 void ssl_scache_status_register( Link Here
833
void         ssl_scache_kill(server_rec *);
833
void         ssl_scache_kill(server_rec *);
834
BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
834
BOOL         ssl_scache_store(server_rec *, UCHAR *, int,
835
                              apr_time_t, SSL_SESSION *, apr_pool_t *);
835
                              apr_time_t, SSL_SESSION *, apr_pool_t *);
836
SSL_SESSION *ssl_scache_retrieve(server_rec *, UCHAR *, int, apr_pool_t *);
836
SSL_SESSION *ssl_scache_retrieve(server_rec *, const UCHAR *, int, apr_pool_t *);
837
void         ssl_scache_remove(server_rec *, UCHAR *, int,
837
void         ssl_scache_remove(server_rec *, UCHAR *, int,
838
                               apr_pool_t *);
838
                               apr_pool_t *);
839
839
Lines 866-871 int ssl_callback_SRPServerParam Link Here
866
void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
866
void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
867
void         ssl_io_filter_register(apr_pool_t *);
867
void         ssl_io_filter_register(apr_pool_t *);
868
long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);
868
long         ssl_io_data_cb(BIO *, int, const char *, int, long, long);
869
int          ssl_engine_io_init(void);
869
870
870
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
871
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
871
 * to allow an SSL renegotiation to take place. */
872
 * to allow an SSL renegotiation to take place. */
872
-- apache2-2.4.23.orig/modules/ssl/ssl_scache.c
873
++ apache2-2.4.23/modules/ssl/ssl_scache.c
Lines 144-150 BOOL ssl_scache_store(server_rec *s, UCH Link Here
144
    return rv == APR_SUCCESS ? TRUE : FALSE;
144
    return rv == APR_SUCCESS ? TRUE : FALSE;
145
}
145
}
146
146
147
SSL_SESSION *ssl_scache_retrieve(server_rec *s, UCHAR *id, int idlen,
147
SSL_SESSION *ssl_scache_retrieve(server_rec *s, const UCHAR *id, int idlen,
148
                                 apr_pool_t *p)
148
                                 apr_pool_t *p)
149
{
149
{
150
    SSLModConfigRec *mc = myModConfig(s);
150
    SSLModConfigRec *mc = myModConfig(s);
151
-- apache2-2.4.23.orig/modules/ssl/ssl_util_ssl.c
151
++ apache2-2.4.23/modules/ssl/ssl_util_ssl.c
Lines 488-494 EC_GROUP *ssl_ec_GetParamFromFile(const Link Here
488
**  _________________________________________________________________
488
**  _________________________________________________________________
489
*/
489
*/
490
490
491
char *modssl_SSL_SESSION_id2sz(unsigned char *id, int idlen,
491
char *modssl_SSL_SESSION_id2sz(const unsigned char *id, int idlen,
492
                               char *str, int strsize)
492
                               char *str, int strsize)
493
{
493
{
494
    if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
494
    if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
495
-- apache2-2.4.23.orig/modules/ssl/ssl_util_ssl.h
495
++ apache2-2.4.23/modules/ssl/ssl_util_ssl.h
Lines 67-73 char *modssl_X509_NAME_ENTRY_to_st Link Here
67
char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
67
char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
68
BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
68
BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
69
BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
69
BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
70
char       *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
70
char       *modssl_SSL_SESSION_id2sz(const unsigned char *, int, char *, int);
71
71
72
#endif /* __SSL_UTIL_SSL_H__ */
72
#endif /* __SSL_UTIL_SSL_H__ */
73
/** @} */
73
/** @} */
74
-- apache2-2.4.23.orig/modules/ssl/ssl_util_stapling.c
74
++ apache2-2.4.23/modules/ssl/ssl_util_stapling.c
Lines 79-85 static X509 *stapling_get_issuer(modssl_ Link Here
79
    X509 *issuer = NULL;
79
    X509 *issuer = NULL;
80
    int i;
80
    int i;
81
    X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
81
    X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx);
82
    X509_STORE_CTX inctx;
82
    X509_STORE_CTX *inctx;
83
    STACK_OF(X509) *extra_certs = NULL;
83
    STACK_OF(X509) *extra_certs = NULL;
84
84
85
#ifdef OPENSSL_NO_SSL_INTERN
85
#ifdef OPENSSL_NO_SSL_INTERN
Lines 91-106 static X509 *stapling_get_issuer(modssl_ Link Here
91
    for (i = 0; i < sk_X509_num(extra_certs); i++) {
91
    for (i = 0; i < sk_X509_num(extra_certs); i++) {
92
        issuer = sk_X509_value(extra_certs, i);
92
        issuer = sk_X509_value(extra_certs, i);
93
        if (X509_check_issued(issuer, x) == X509_V_OK) {
93
        if (X509_check_issued(issuer, x) == X509_V_OK) {
94
            CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
94
            X509_up_ref(issuer);
95
            return issuer;
95
            return issuer;
96
        }
96
        }
97
    }
97
    }
98
98
99
    if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL))
99
    inctx = X509_STORE_CTX_new();
100
    if (!X509_STORE_CTX_init(inctx, st, NULL, NULL))
100
        return 0;
101
        return 0;
101
    if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0)
102
    if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0)
102
        issuer = NULL;
103
        issuer = NULL;
103
    X509_STORE_CTX_cleanup(&inctx);
104
    X509_STORE_CTX_free(inctx);
104
    return issuer;
105
    return issuer;
105
106
106
}
107
}
Lines 398-404 static int stapling_check_response(serve Link Here
398
399
399
            if (bio) {
400
            if (bio) {
400
                int n;
401
                int n;
401
                if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
402
                ASN1_INTEGER *serial;
403
		OCSP_id_get0_info(NULL, NULL, NULL, &serial, cinf->cid);
404
                if ((i2a_ASN1_INTEGER(bio, serial) != -1) &&
402
                    ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
405
                    ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
403
                    snum[n] = '\0';
406
                    snum[n] = '\0';
404
                BIO_free(bio);
407
                BIO_free(bio);
405
-- apache2-2.4.23.orig/support/ab.c
408
++ apache2-2.4.23/support/ab.c
Lines 1991-2002 static void usage(const char *progname) Link Here
1991
    fprintf(stderr, "    -h              Display usage information (this message)\n");
1991
    fprintf(stderr, "    -h              Display usage information (this message)\n");
1992
#ifdef USE_SSL
1992
#ifdef USE_SSL
1993
1993
1994
#ifndef OPENSSL_NO_SSL2
1995
#define SSL2_HELP_MSG "SSL2, "
1996
#else
1997
#define SSL2_HELP_MSG ""
1998
#endif
1999
2000
#ifndef OPENSSL_NO_SSL3
1994
#ifndef OPENSSL_NO_SSL3
2001
#define SSL3_HELP_MSG "SSL3, "
1995
#define SSL3_HELP_MSG "SSL3, "
2002
#else
1996
#else
Lines 2011-2017 static void usage(const char *progname) Link Here
2011
2005
2012
    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
2006
    fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
2013
    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");
2007
    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol\n");
2014
    fprintf(stderr, "                    (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
2008
    fprintf(stderr, "                    (" SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
2015
#endif
2009
#endif
2016
    exit(EINVAL);
2010
    exit(EINVAL);
2017
}
2011
}
Lines 2135-2140 int main(int argc, const char * const ar Link Here
2135
    char c;
2129
    char c;
2136
#ifdef USE_SSL
2130
#ifdef USE_SSL
2137
    AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
2131
    AB_SSL_METHOD_CONST SSL_METHOD *meth = SSLv23_client_method();
2132
    int ssl_version = 0;
2138
#endif
2133
#endif
2139
2134
2140
    /* table defaults  */
2135
    /* table defaults  */
Lines 2351-2373 int main(int argc, const char * const ar Link Here
2351
                break;
2346
                break;
2352
            case 'f':
2347
            case 'f':
2353
                if (strncasecmp(opt_arg, "ALL", 3) == 0) {
2348
                if (strncasecmp(opt_arg, "ALL", 3) == 0) {
2354
                    meth = SSLv23_client_method();
2349
                    ssl_version = 0;
2355
#ifndef OPENSSL_NO_SSL2
2356
                } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
2357
                    meth = SSLv2_client_method();
2358
#endif
2359
#ifndef OPENSSL_NO_SSL3
2350
#ifndef OPENSSL_NO_SSL3
2360
                } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
2351
                } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
2361
                    meth = SSLv3_client_method();
2352
                    ssl_version = SSL3_VERSION;
2362
#endif
2353
#endif
2363
#ifdef HAVE_TLSV1_X
2364
                } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
2354
                } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
2365
                    meth = TLSv1_1_client_method();
2355
                    ssl_version = TLS1_1_VERSION;
2366
                } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
2356
                } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
2367
                    meth = TLSv1_2_client_method();
2357
                    ssl_version = TLS1_2_VERSION;
2368
#endif
2369
                } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
2358
                } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
2370
                    meth = TLSv1_client_method();
2359
                    ssl_version = TLS1_VERSION;
2371
                }
2360
                }
2372
                break;
2361
                break;
2373
#endif
2362
#endif
Lines 2413-2420 int main(int argc, const char * const ar Link Here
2413
#ifdef RSAREF
2402
#ifdef RSAREF
2414
    R_malloc_init();
2403
    R_malloc_init();
2415
#else
2404
#else
2405
#if OPENSSL_VERSION_NUMBER < 0x1010000L
2416
    CRYPTO_malloc_init();
2406
    CRYPTO_malloc_init();
2417
#endif
2407
#endif
2408
#endif
2418
    SSL_load_error_strings();
2409
    SSL_load_error_strings();
2419
    SSL_library_init();
2410
    SSL_library_init();
2420
    bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
2411
    bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
Lines 2425-2430 int main(int argc, const char * const ar Link Here
2425
        ERR_print_errors(bio_err);
2416
        ERR_print_errors(bio_err);
2426
        exit(1);
2417
        exit(1);
2427
    }
2418
    }
2419
#if OPENSSL_VERSION_NUMBER >= 0x1010000L
2420
    SSL_CTX_set_min_proto_version(ssl_ctx, ssl_version);
2421
    SSL_CTX_set_max_proto_version(ssl_ctx, ssl_version);
2422
#else
2423
    switch (ssl_version) {
2424
#ifndef OPENSSL_NO_SSL3
2425
        case SSL3_VERSION:
2426
	    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
2427
            break;
2428
#endif
2429
        case TLS1_VERSION:
2430
	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
2431
            break;
2432
        case TLS1_1_VERSION:
2433
	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
2434
            break;
2435
        case TLS1_1_VERSION:
2436
	    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
2437
            break;
2438
    }
2439
#endif
2428
    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
2440
    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
2429
#ifdef SSL_MODE_RELEASE_BUFFERS
2441
#ifdef SSL_MODE_RELEASE_BUFFERS
2430
    /* Keep memory usage as low as possible */
2442
    /* Keep memory usage as low as possible */

Return to bug 60061