Commit 6b2f95a4 authored by William A. Rowe Jr's avatar William A. Rowe Jr

  Introduce a number of SSLC hints to mod_ssl, including the following
  type overrides;

    MODSSL_CLIENT_CERT_CB_ARG_TYPE
    MODSSL_PCHAR_CAST      (for a host of non-void/const sslc values)
    modssl_read_bio_cb_fn  (for several callbacks with same prototypes)

  Declare callback functions appropriately.

  And protect us from indeterminate toolkits with
  #error "Unrecognized SSL Toolkit!"


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99183 13f79535-47bb-0310-9956-ffa450edef68
parent 38684807
+1 −1
@@ -584,7 +584,7 @@ RSA *ssl_callback_TmpRSA(SSL *, int, int);
DH          *ssl_callback_TmpDH(SSL *, int, int);
int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int          ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
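Review bot: The new `ssl_callback_proxy_cert` prototype names its parameters (`ssl`, `x509`, `pkey`) while every neighbouring declaration in this header omits them, and it now runs well past 80 columns; wrapping it after the first argument and matching the unnamed style of the other lines would keep the block uniform. `MODSSL_CLIENT_CERT_CB_ARG_TYPE` resolves to a different type per toolkit (the compat-header hunk in this commit defines it as `X509` under OpenSSL and `void` under SSLC), so a one-line comment such as `/* X509 ** under OpenSSL, void ** under SSLC; see the toolkit compat header */` would tell a reader why this one callback does not simply take `X509 **`. The declaration must also stay in step with the definition changed in the `ssl_hook_Access` file of this commit.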
+12 −4
@@ -556,8 +556,8 @@ static void ssl_init_ctx_verify(server_rec *s,
                     "Configuring client authentication");

        if (!SSL_CTX_load_verify_locations(ctx,
                                           mctx->auth.ca_cert_file,
                                           mctx->auth.ca_cert_path))
                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
                         MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
        {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                    "Unable to configure verify locations "
@@ -614,7 +614,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
                 "Configuring permitted SSL ciphers [%s]", 
                 suite);

    if (!SSL_CTX_set_cipher_list(ctx, suite)) {
    if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                "Unable to configure permitted SSL ciphers");
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
@@ -1077,10 +1077,17 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
    }
}

#ifdef SSLC_VERSION_NUMBER
static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
{
    return(X509_NAME_cmp((void*)*a, (void*)*b));
}
#else
static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
{
    return(X509_NAME_cmp(*a, *b));
}
#endif

static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
                                server_rec *s, const char *file)
@@ -1088,7 +1095,8 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
    int n;
    STACK_OF(X509_NAME) *sk;

    sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
    sk = (STACK_OF(X509_NAME) *)
             SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);

    if (!sk) {
        return;
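Review bot: `MODSSL_PCHAR_CAST` on the two `SSL_CTX_load_verify_locations` arguments and on `SSL_load_client_CA_file(MODSSL_PCHAR_CAST file)` discards the `const` on configuration strings (`file` is declared `const char *` in the `ssl_init_PushCAList` signature shown above); that is only safe if the SSLC entry points never write through the pointer, which nothing in these hunks shows, so a comment at the first use — or at the macro definition — such as `/* SSLC takes non-const char *; the callee is assumed not to modify it */` would record the assumption, and `-Wcast-qual` would otherwise flag every site. The SSLC variant of `ssl_init_FindCAList_X509NameCmp` takes `char **` and funnels both arguments through `void *`, which silently accepts any pointer type the stack code passes; a one-line comment stating why the SSLC comparator must be typed `char **` (presumably its `sk_set_cmp_func` signature) would explain why one function has two bodies. `ssl_init_PushCAList` continues outside the hunk.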
+2 −2
@@ -638,7 +638,7 @@ int ssl_hook_Access(request_rec *r)
                 * we put it back here for the purpose of quick_renegotiation.
                 */
                cert_stack = sk_new_null();
                sk_X509_push(cert_stack, cert);
                sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
            }

            if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
@@ -1531,7 +1531,7 @@ static void modssl_proxy_info_log(server_rec *s,
    *pkey = info->x_pkey->dec_pkey; \
    EVP_PKEY_reference_inc(*pkey)

int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey) 
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey) 
{
    conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
    server_rec *s = c->base_server;
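Review bot: The new definition line of `ssl_callback_proxy_cert` carries trailing whitespace and exceeds 80 columns; wrapping it as `int ssl_callback_proxy_cert(SSL *ssl,` / `                            MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509,` / `                            EVP_PKEY **pkey)` fixes both and keeps it readable next to the header declaration it must match. Under SSLC `x509` becomes `void **`, so any store through it in the body loses the `X509 *` type check; a short comment at the parameter saying the SSLC client-cert callback is typed `void **` there would explain the unusual signature. In `ssl_hook_Access`, `sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert)` passes an `X509 *` through a cast whose name suggests strings; a comment `/* SSLC sk_push takes char *, see the sk_X509_push define */` would keep the next reader from "fixing" it. Both function bodies continue outside their hunks.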
+10 −5
@@ -142,7 +142,11 @@ static apr_file_t *readtty = NULL;
 */
static server_rec *ssl_pphrase_server_rec = NULL;

#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *, int, int);
#else
int ssl_pphrase_Handle_CB(char *, int, int, void *);
#endif

static char *pphrase_array_get(apr_array_header_t *arr, int idx)
{
@@ -635,8 +639,14 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
    return 0;
}

#ifdef SSLC_VERSION_NUMBER
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
{
    void *srv = ssl_pphrase_server_rec;
#else
int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
{
#endif
    SSLModConfigRec *mc;
    server_rec *s;
    apr_pool_t *p;
@@ -652,11 +662,6 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
    char *cpp;
    int len = -1;

#ifndef OPENSSL_VERSION_NUMBER
    /* make up for sslc flaw */
    srv = ssl_pphrase_server_rec;
#endif

    mc = myModConfig((server_rec *)srv);

    /*
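Review bot: Under SSLC the callback has no user-data argument, so the new `void *srv = ssl_pphrase_server_rec;` line makes `ssl_pphrase_Handle_CB` depend on a file-static global that is initialised to `NULL` (`static server_rec *ssl_pphrase_server_rec = NULL;` above) and is then passed straight to `myModConfig((server_rec *)srv)`; nothing in the hunk guards that, so either an explicit `if (!srv)` check before the lookup (returning whatever value the rest of the function uses for a failed prompt, which the hunk does not show) or a comment at the global stating it must be assigned before any toolkit call that can prompt would make the contract visible. Splitting the definition's header and opening brace across `#ifdef SSLC_VERSION_NUMBER` / `#else` compiles, but it is easy to break when editing and duplicates the prototype's `#ifdef` above; a single signature macro used by both the prototype and the definition would keep the two sites from drifting. The body of `ssl_pphrase_Handle_CB` continues outside the hunk.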
+39 −18
@@ -107,9 +107,13 @@

#define MODSSL_BIO_CB_ARG_TYPE const char
#define MODSSL_CRYPTO_CB_ARG_TYPE const char
#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
#define MODSSL_PCHAR_CAST

#define modssl_X509_verify_cert X509_verify_cert

typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);

#if (OPENSSL_VERSION_NUMBER < 0x00904000)
#define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
#else
@@ -134,14 +138,17 @@

#define HAVE_SSL_X509V3_EXT_d2i

#else /* HAVE_SSLC */
#elif defined(HAVE_SSLC)

#include <bio.h>
#include <ssl.h>
#include <err.h>
#include <x509.h>
#include <pem.h>
#include <evp.h>
#include <objects.h>
#include <sslc.h>

#if SSLC_VERSION > 0x1FFF
#include <x509v3.h>
#endif

/* sslc does not support this function, OpenSSL has since 9.5.1 */
#define RAND_status() 1

@@ -154,6 +161,10 @@

#define MODSSL_BIO_CB_ARG_TYPE char
#define MODSSL_CRYPTO_CB_ARG_TYPE char
#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
#define MODSSL_PCHAR_CAST (char *)

typedef int (modssl_read_bio_cb_fn)(char*,int,int);

#define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)

@@ -179,7 +190,7 @@
#define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
#endif

#if SSLC_VERSION < 0x2000
#if SSLC_VERSION_NUMBER < 0x2000

#define X509_STORE_CTX_set_depth(st, d)    
#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
@@ -190,37 +201,47 @@
#define modssl_set_verify(ssl, verify, cb) \
    SSL_set_verify(ssl, verify)

#endif
#else /* SSLC_VERSION_NUMBER >= 0x2000 */

#define CRYPTO_malloc_init R_malloc_init

#define EVP_cleanup() 

#endif /* SSLC_VERSION_NUMBER >= 0x2000 */

typedef void (*modssl_popfree_fn)(char *data);

/* BEGIN GENERATED SECTION */
#define sk_SSL_CIPHER_free sk_free
#define sk_SSL_CIPHER_dup sk_dup
#define sk_SSL_CIPHER_num sk_num
#define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
#define sk_SSL_CIPHER_free sk_free
#define sk_SSL_CIPHER_num sk_num
#define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
#define sk_X509_num sk_num
#define sk_X509_push sk_push
#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
#define sk_X509_value (X509 *)sk_value
#define sk_X509_INFO_value (X509_INFO *)sk_value
#define sk_X509_INFO_free sk_free
#define sk_X509_INFO_pop_free sk_pop_free 
#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
#define sk_X509_INFO_num sk_num
#define sk_X509_INFO_new_null sk_new_null
#define sk_X509_INFO_value (X509_INFO *)sk_value
#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
#define sk_X509_NAME_free sk_free
#define sk_X509_NAME_new sk_new
#define sk_X509_NAME_num sk_num
#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
#define sk_X509_NAME_value (X509_NAME *)sk_value
#define sk_X509_NAME_free sk_free
#define sk_X509_NAME_new sk_new
#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
#define sk_X509_NAME_ENTRY_num sk_num
#define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
#define sk_X509_NAME_set_cmp_func sk_set_cmp_func
#define sk_X509_REVOKED_num sk_num
#define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
#define sk_X509_pop_free sk_pop_free
/* END GENERATED SECTION */

#endif /* OPENSSL_VERSION_NUMBER */
#else /* ! HAVE_OPENSSL && ! HAVE_SSLC */

#error "Unrecognized SSL Toolkit!"

#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */

#ifndef modssl_set_verify
#define modssl_set_verify(ssl, verify, cb) \