Commit 2c87b742 authored by Yann Ylavic's avatar Yann Ylavic

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
parent c15ddc61
+4 −4
@@ -354,7 +354,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
#endif

    /* Usually needed per thread, but this parent process is single-threaded */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
    ERR_remove_thread_state(NULL);
#else
@@ -398,15 +398,15 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
    /* Some OpenSSL internals are allocated per-thread, make sure they
     * are associated to the/our same thread-id until cleaned up.
     */
#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
    ssl_util_thread_id_setup(pconf);
#endif

    /* We must register the library in full, to ensure our configuration
     * code can successfully test the SSL environment.
     */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    CRYPTO_malloc_init();
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    (void)CRYPTO_malloc_init();
#else
    OPENSSL_malloc_init();
#endif
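Review bot: `#if MODSSL_USE_OPENSSL_PRE_1_1_API` on the new guard lines (before `ERR_remove_thread_state`, `ssl_util_thread_id_setup` and `CRYPTO_malloc_init`) silently evaluates to 0 in any translation unit where the macro is not defined, whereas the old `OPENSSL_VERSION_NUMBER` test always had its name supplied by the OpenSSL headers. On a 1.0.x build that would skip the thread-id setup and select the 1.1-only `OPENSSL_malloc_init()` call, which at best fails at link time and at worst leaves OpenSSL's per-thread state unsynchronised in a threaded MPM. The macro's definition is not in this diff (presumably in mod_ssl's shared private header), so a check next to the first use, such as `#ifndef MODSSL_USE_OPENSSL_PRE_1_1_API` / `#error "MODSSL_USE_OPENSSL_PRE_1_1_API must be defined before use"` / `#endif`, or building with `-Wundef`, would catch a missing include early. The same applies to every `MODSSL_USE_OPENSSL_PRE_1_1_API` guard in the other files of this commit.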
+2 −2
@@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct_fields_t *sctf,
        return APR_EINVAL;
    }

#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
    ctx = EVP_MD_CTX_create();
#else
    ctx = EVP_MD_CTX_new();
@@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct_fields_t *sctf,
    ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
                                    sctf->signed_data_len));
    rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
    EVP_MD_CTX_destroy(ctx);
#else
    EVP_MD_CTX_free(ctx);
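Review bot: The new guards `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` (before `EVP_MD_CTX_create()` and before `EVP_MD_CTX_destroy(ctx)`) spell out by hand the condition the rest of the commit expresses as `MODSSL_USE_OPENSSL_PRE_1_1_API`, presumably because this module does not see mod_ssl's private header. The commit message calls the macro's definition provisional ("for now"), so these two copies can drift from it without anyone noticing; a comment such as `/* keep in sync with MODSSL_USE_OPENSSL_PRE_1_1_API in mod_ssl */` on both guards, or a single file-local `#define` that both hunks use, would make the coupling visible. verify_signature's body starts before and continues past these hunks.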
+5 −5
@@ -50,7 +50,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
#define KEYTYPES "RSA or DSA"
#endif

#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
/* OpenSSL Pre-1.1.0 compatibility */
/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
@@ -253,7 +253,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
#endif
    }

#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
    ssl_util_thread_setup(p);
#endif

@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */

    init_dh_params();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#if !MODSSL_USE_OPENSSL_PRE_1_1_API
    init_bio_methods();
#endif

@@ -1324,7 +1324,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
     * or configure NIST P-256 (required to enable ECDHE for earlier versions)
     * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
     */
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    else {
#if defined(SSL_CTX_set_ecdh_auto)
        SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
@@ -2079,7 +2079,7 @@ apr_status_t ssl_init_ModuleKill(void *data)

    }

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#if !MODSSL_USE_OPENSSL_PRE_1_1_API
    free_bio_methods();
#endif
    free_dh_params();
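Review bot: Gating the local `static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)` (and the rest of the "OpenSSL Pre-1.1.0 compatibility" block that follows it outside the hunk) on `MODSSL_USE_OPENSSL_PRE_1_1_API` now compiles these definitions for LibreSSL as well, which only works as long as LibreSSL neither declares these functions itself nor makes `DH`, `BIO_METHOD` or `X509` opaque; the `static BIO_METHOD bio_filter_out_method = {` initializer and the `CRYPTO_add(&(*cert)->references, ...)` macro in the other files of this commit rest on the same assumption. A LibreSSL release that adds its own `DH_set0_pqg` would then fail with a conflicting declaration rather than degrade gracefully. A comment on the `#if`, such as `/* Also taken for LibreSSL, which reports OPENSSL_VERSION_NUMBER 2.0 but lacks the 1.1 accessor API; revisit if it gains DH_set0_pqg & co. */`, would record why LibreSSL lands in the pre-1.1 branch, and a check on `LIBRESSL_VERSION_NUMBER` once such a release exists would be the eventual fix. The function body and the compatibility block continue past the hunk.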
+4 −4
@@ -165,7 +165,7 @@ static int bio_filter_create(BIO *bio)
{
    BIO_set_shutdown(bio, 1);
    BIO_set_init(bio, 1);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    /* No setter method for OpenSSL 1.1.0 available,
     * but I can't find any functional use of the
     * "num" field there either.
@@ -578,7 +578,7 @@ static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
    return -1;
}

#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
        
static BIO_METHOD bio_filter_out_method = {
    BIO_TYPE_MEM,
@@ -2080,7 +2080,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,

    filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
#else
    filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
@@ -2115,7 +2115,7 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl)
    filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
                                                       filter_ctx, r, c);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
#else
    filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
+1 −1
@@ -1745,7 +1745,7 @@ static void modssl_proxy_info_log(conn_rec *c,
 * so we need to increment here to prevent them from
 * being freed.
 */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#if MODSSL_USE_OPENSSL_PRE_1_1_API
#define modssl_set_cert_info(info, cert, pkey) \
    *cert = info->x509; \
    CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \