Loading modules/ssl/ssl_engine_kernel.c +9 −7 Original line number Diff line number Diff line Loading @@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r) X509 *cert; X509 *peercert; X509_STORE *cert_store = NULL; X509_STORE_CTX cert_store_ctx; X509_STORE_CTX *cert_store_ctx; STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; const SSL_CIPHER *cipher = NULL; int depth, verify_old, verify, n, is_slave = 0; Loading Loading @@ -914,25 +914,27 @@ int ssl_hook_Access(request_rec *r) cert = sk_X509_value(cert_stack, 0); } X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); cert_store_ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); depth = SSL_get_verify_depth(ssl); if (depth >= 0) { X509_STORE_CTX_set_depth(&cert_store_ctx, depth); X509_STORE_CTX_set_depth(cert_store_ctx, depth); } X509_STORE_CTX_set_ex_data(&cert_store_ctx, X509_STORE_CTX_set_ex_data(cert_store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl); if (!X509_verify_cert(&cert_store_ctx)) { if (!X509_verify_cert(cert_store_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) "Re-negotiation verification step failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); } SSL_set_verify_result(ssl, cert_store_ctx.error); X509_STORE_CTX_cleanup(&cert_store_ctx); SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); X509_STORE_CTX_cleanup(cert_store_ctx); X509_STORE_CTX_free(cert_store_ctx); if (cert_stack != SSL_get_peer_cert_chain(ssl)) { /* we created this ourselves, so free it */ Loading modules/ssl/ssl_engine_ocsp.c +2 −2 Original line number Diff line number Diff line Loading 
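Review bot: The pointer returned by `cert_store_ctx = X509_STORE_CTX_new();` in the second hunk is handed to X509_STORE_CTX_init without a NULL check, so an allocation failure during the renegotiation verification step becomes a NULL dereference rather than a refused request, and the return value of X509_STORE_CTX_init is still ignored, so a context that failed to initialise is passed on to X509_verify_cert. Fail closed on both with a single guard, `if (!cert_store_ctx || !X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack)) {`, whose body logs the failure like the existing X509_verify_cert branch, frees the context if it was allocated, and returns the same error status the surrounding verification failures use (that status is outside the hunk, so I cannot name it). The same unchecked X509_STORE_CTX_new appears in ssl_util_stapling.c. ssl_hook_Access starts and ends outside the hunk.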
@@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert, { OCSP_REQUEST *req = OCSP_REQUEST_new(); *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx)); if (!*certid || !OCSP_request_add0_id(req, *certid)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) "could not retrieve certificate id"); Loading Loading @@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, if (rc == V_OCSP_CERTSTATUS_GOOD) { /* TODO: allow flags configuration. */ if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) "failed to verify the OCSP response"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); Loading modules/ssl/ssl_private.h +10 −0 Original line number Diff line number Diff line Loading @@ -219,6 +219,16 @@ void init_bio_methods(void); void free_bio_methods(void); #endif #if OPENSSL_VERSION_NUMBER < 0x10002000L #define X509_STORE_CTX_get0_store(x) (x->ctx) #endif #if OPENSSL_VERSION_NUMBER < 0x10000000L #ifndef X509_STORE_CTX_get0_current_issuer #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) #endif #endif /* mod_ssl headers */ #include "ssl_util_ssl.h" Loading modules/ssl/ssl_util_stapling.c +6 −5 Original line number Diff line number Diff line Loading @@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) X509 *issuer = NULL; int i; X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); X509_STORE_CTX inctx; X509_STORE_CTX *inctx; STACK_OF(X509) *extra_certs = NULL; #ifdef OPENSSL_NO_SSL_INTERN Loading 
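Review bot: The two compatibility macros added to ssl_private.h leave their argument unparenthesised, `(x->ctx)` and `(x->current_issuer)`, so anything other than a plain identifier (a cast, a dereference) would expand wrongly; write them as `#define X509_STORE_CTX_get0_store(x) ((x)->ctx)` and `#define X509_STORE_CTX_get0_current_issuer(x) ((x)->current_issuer)`. Their only consumers are the two hunks in ssl_engine_ocsp.c, which both pass a bare `ctx`, so nothing breaks today. A short comment above the block stating that these shims exist only for OpenSSL builds older than the accessor functions, and reach into X509_STORE_CTX fields that later releases make opaque, would stop the next reader from widening or dropping the version guards.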
@@ -100,13 +100,14 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) } } if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) inctx = X509_STORE_CTX_new(); if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) return 0; if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) issuer = NULL; X509_STORE_CTX_cleanup(&inctx); X509_STORE_CTX_cleanup(inctx); X509_STORE_CTX_free(inctx); return issuer; } int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, Loading Loading
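Review bot: On the init-failure path in the second hunk, `if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) return 0;` now leaks the context that `inctx = X509_STORE_CTX_new();` allocated on the line above, and a NULL result from X509_STORE_CTX_new reaches X509_STORE_CTX_init unchecked. Check the allocation, free the context before the early return, and return NULL rather than 0 since stapling_get_issuer returns a pointer. The same unchecked X509_STORE_CTX_new is in ssl_engine_kernel.c. stapling_get_issuer starts before this hunk.
```c
inctx = X509_STORE_CTX_new();
if (!inctx)
    return NULL;
if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) {
    X509_STORE_CTX_free(inctx);
    return NULL;
}
/* … unchanged: X509_STORE_CTX_get1_issuer, cleanup, free, return issuer … */
```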
modules/ssl/ssl_engine_kernel.c +9 −7 Original line number Diff line number Diff line Loading @@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r) X509 *cert; X509 *peercert; X509_STORE *cert_store = NULL; X509_STORE_CTX cert_store_ctx; X509_STORE_CTX *cert_store_ctx; STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; const SSL_CIPHER *cipher = NULL; int depth, verify_old, verify, n, is_slave = 0; Loading Loading @@ -914,25 +914,27 @@ int ssl_hook_Access(request_rec *r) cert = sk_X509_value(cert_stack, 0); } X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); cert_store_ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(cert_store_ctx, cert_store, cert, cert_stack); depth = SSL_get_verify_depth(ssl); if (depth >= 0) { X509_STORE_CTX_set_depth(&cert_store_ctx, depth); X509_STORE_CTX_set_depth(cert_store_ctx, depth); } X509_STORE_CTX_set_ex_data(&cert_store_ctx, X509_STORE_CTX_set_ex_data(cert_store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl); if (!X509_verify_cert(&cert_store_ctx)) { if (!X509_verify_cert(cert_store_ctx)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224) "Re-negotiation verification step failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); } SSL_set_verify_result(ssl, cert_store_ctx.error); X509_STORE_CTX_cleanup(&cert_store_ctx); SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(cert_store_ctx)); X509_STORE_CTX_cleanup(cert_store_ctx); X509_STORE_CTX_free(cert_store_ctx); if (cert_stack != SSL_get_peer_cert_chain(ssl)) { /* we created this ourselves, so free it */ Loading
modules/ssl/ssl_engine_ocsp.c +2 −2 Original line number Diff line number Diff line Loading @@ -109,7 +109,7 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert, { OCSP_REQUEST *req = OCSP_REQUEST_new(); *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer); *certid = OCSP_cert_to_id(NULL, cert, X509_STORE_CTX_get0_current_issuer(ctx)); if (!*certid || !OCSP_request_add0_id(req, *certid)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921) "could not retrieve certificate id"); Loading Loading @@ -184,7 +184,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, if (rc == V_OCSP_CERTSTATUS_GOOD) { /* TODO: allow flags configuration. */ if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) { if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925) "failed to verify the OCSP response"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); Loading
modules/ssl/ssl_private.h +10 −0 Original line number Diff line number Diff line Loading @@ -219,6 +219,16 @@ void init_bio_methods(void); void free_bio_methods(void); #endif #if OPENSSL_VERSION_NUMBER < 0x10002000L #define X509_STORE_CTX_get0_store(x) (x->ctx) #endif #if OPENSSL_VERSION_NUMBER < 0x10000000L #ifndef X509_STORE_CTX_get0_current_issuer #define X509_STORE_CTX_get0_current_issuer(x) (x->current_issuer) #endif #endif /* mod_ssl headers */ #include "ssl_util_ssl.h" Loading
modules/ssl/ssl_util_stapling.c +6 −5 Original line number Diff line number Diff line Loading @@ -79,7 +79,7 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) X509 *issuer = NULL; int i; X509_STORE *st = SSL_CTX_get_cert_store(mctx->ssl_ctx); X509_STORE_CTX inctx; X509_STORE_CTX *inctx; STACK_OF(X509) *extra_certs = NULL; #ifdef OPENSSL_NO_SSL_INTERN Loading @@ -100,13 +100,14 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) } } if (!X509_STORE_CTX_init(&inctx, st, NULL, NULL)) inctx = X509_STORE_CTX_new(); if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) return 0; if (X509_STORE_CTX_get1_issuer(&issuer, &inctx, x) <= 0) if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) issuer = NULL; X509_STORE_CTX_cleanup(&inctx); X509_STORE_CTX_cleanup(inctx); X509_STORE_CTX_free(inctx); return issuer; } int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, Loading