SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
+#else
+ if (SSL_get_state(ssl) != TLS_ST_OK) {
+#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
+#else
+ if (SSL_get_state(ssl) != TLS_ST_OK) {
+#endif
return HTTP_FORBIDDEN;
}
ctx = SSL_get_SSL_CTX(ssl);
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
n++)
{
- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
renegotiate = TRUE;
!renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
n++)
{
- SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
+ const SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
renegotiate = TRUE;
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
+#else
+ if (SSL_get_state(ssl) != TLS_ST_OK) {
+#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
"Re-negotiation request failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
+ /* XXX: OpenSSL 1.1.0: SSL_set_state() no longer available.
+ * Would SSL_renegotiate(ssl) work? */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef OPENSSL_NO_SSL_INTERN
SSL_set_state(ssl, SSL_ST_ACCEPT);
#else
ssl->state = SSL_ST_ACCEPT;
+#endif
#endif
SSL_do_handshake(ssl);
sslconn->reneg_state = RENEG_REJECT;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (SSL_get_state(ssl) != SSL_ST_OK) {
+#else
+ if (SSL_get_state(ssl) != TLS_ST_OK) {
+#endif
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
"Re-negotiation handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
* so we need to increment here to prevent them from
* being freed.
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
*pkey = info->x_pkey->dec_pkey; \
CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
+#else
+#define modssl_set_cert_info(info, cert, pkey) \
+ *cert = info->x509; \
+ X509_up_ref(*cert); \
+ *pkey = info->x_pkey->dec_pkey; \
+ EVP_PKEY_up_ref(*pkey);
+#endif
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
* state machine and move to ABORT if a Client Hello is being
* read. */
if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
+ /* XXX: OpenSSL 1.1.0: Which state machine states to use instead of
+ * SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A ? */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int state = SSL_get_state((SSL *)ssl);
if (state == SSL3_ST_SR_CLNT_HELLO_A
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
"rejecting client initiated renegotiation");
}
+#endif
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initiated renegotiation. */
}
memcpy(keyname, ticket_key->key_name, 16);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
+#else
+ RAND_bytes(iv, EVP_MAX_IV_LENGTH);
+#endif
EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
ticket_key->aes_key, iv);
HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
resdup = FALSE;
}
else if (strcEQ(var, "A_SIG")) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
+#else
+ ASN1_OBJECT *paobj;
+ X509_ALGOR_get0(&paobj, NULL, NULL, X509_get0_tbs_sigalg(xs));
+ nid = OBJ_obj2nid(paobj);
+#endif
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
}
else if (strcEQ(var, "A_KEY")) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->key->algor->algorithm));
+#else
+ ASN1_OBJECT *paobj;
+ X509_PUBKEY_get0_param(&paobj, NULL, 0, NULL, X509_get_X509_PUBKEY(xs));
+ nid = OBJ_obj2nid(paobj);
+#endif
result = apr_pstrdup(p,
(nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(nid));
resdup = FALSE;
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
xsname->entries);
j++) {
xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries, j);
+#else
+ for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
+ xsne = X509_NAME_get_entry(xsname, j);
+#endif
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
+#endif
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
count = apr_hash_make(p);
/* For each RDN... */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
const char *tag;
xsne = sk_X509_NAME_ENTRY_value(ents, i);
+#else
+ for (i = 0; i < X509_NAME_entry_count(xn); i++) {
+ const char *tag;
+ xsne = X509_NAME_get_entry(xn, i);
+#endif
/* Retrieve the nid, and check whether this is one of the nids
* which are to be extracted. */
for (j = 0; j < count; j++) {
X509_EXTENSION *ext = X509_get_ext(xs, j);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (OBJ_cmp(ext->object, oid) == 0) {
+#else
+ if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
+#endif
BIO *bio = BIO_new(BIO_s_mem());
/* We want to obtain a string representation of the extensions
for (i = 0; i < sk_X509_num(extra_certs); i++) {
issuer = sk_X509_value(extra_certs, i);
if (X509_check_issued(issuer, x) == X509_V_OK) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+#else
+ X509_up_ref(issuer);
+#endif
return issuer;
}
}
apr_pool_cleanup_null);
if (aia) {
/* allocate uri from the pconf pool */
+ /* XXX: OpenSSL 1.1.0: Compiler warning: passing argument 1 of 'sk_value'
+ * from incompatible pointer type expected 'const struct _STACK *'
+ * but argument is of type 'struct stack_st_OPENSSL_STRING *'
+ */
cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
X509_email_free(aia);
}
if (bio) {
int n;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
+#else
+ ASN1_INTEGER *pserial;
+ OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
+ if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
+#endif
((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
snum[n] = '\0';
BIO_free(bio);
projects / thirdparty / apache / httpd.git / commitdiff
