#endif
/* Usually needed per thread, but this parent process is single-threaded */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
ERR_remove_thread_state(NULL);
#else
/* Some OpenSSL internals are allocated per-thread, make sure they
* are associated to the/our same thread-id until cleaned up.
*/
-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
ssl_util_thread_id_setup(pconf);
#endif
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_malloc_init();
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ (void)CRYPTO_malloc_init();
#else
OPENSSL_malloc_init();
#endif
return APR_EINVAL;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
ctx = EVP_MD_CTX_create();
#else
ctx = EVP_MD_CTX_new();
ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
sctf->signed_data_len));
rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_destroy(ctx);
#else
EVP_MD_CTX_free(ctx);
#define KEYTYPES "RSA or DSA"
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
/* OpenSSL Pre-1.1.0 compatibility */
/* Taken from OpenSSL 1.1.0 snapshot 20160410 */
static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
#endif
}
-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
ssl_util_thread_setup(p);
#endif
modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
init_dh_params();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
init_bio_methods();
#endif
* or configure NIST P-256 (required to enable ECDHE for earlier versions)
* ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
*/
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
else {
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
free_bio_methods();
#endif
free_dh_params();
{
BIO_set_shutdown(bio, 1);
BIO_set_init(bio, 1);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
/* No setter method for OpenSSL 1.1.0 available,
* but I can't find any functional use of the
* "num" field there either.
return -1;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
static BIO_METHOD bio_filter_out_method = {
BIO_TYPE_MEM,
filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
#else
filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
filter_ctx, r, c);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
#else
filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
* so we need to increment here to prevent them from
* being freed.
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
else if (x != NULL) {
const EVP_MD *md;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
#else
md = EVP_get_digestbynid(X509_get_signature_nid(x));
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
#else
const ASN1_OBJECT *paobj;
#define MODSSL_SSL_METHOD_CONST
#endif
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#if LIBRESSL_VERSION_NUMBER < 0x2060000f
+#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
+#define SSL_CTX_set_min_proto_version(ctx, version) \
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+#endif
+/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
+ * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
+ * we have to work around this...
+ */
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+#else
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
#if defined(OPENSSL_FIPS)
#define HAVE_FIPS
#endif
#endif
/* session id constness */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
#define IDCONST
#else
#define IDCONST const
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
#define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
#define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
#define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
void free_bio_methods(void);
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
#define X509_STORE_CTX_get0_store(x) (x->ctx)
#endif
char *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
const char * const *);
BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
-#if APR_HAS_THREADS
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
void ssl_util_thread_setup(apr_pool_t *);
-#endif
void ssl_util_thread_id_setup(apr_pool_t *);
#endif
int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
apr_hash_set(table, key, klen, NULL);
}
-#if APR_HAS_THREADS
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
+
/*
* To ensure thread-safetyness in OpenSSL - work in progress
*/
apr_pool_cleanup_null);
}
-#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
-#endif /* #if APR_HAS_THREADS */
+#endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */
#define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
#define MODSSL_LIBRARY_NAME "OpenSSL"
#define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
#define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
#else
#define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
#define HAVE_TLSEXT
#endif
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
+#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
+#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
+#define SSL_CTX_set_min_proto_version(ctx, version) \
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+#endif
#endif
#include <math.h>
projects / thirdparty / apache / httpd.git / commitdiff
