From 6eaa5d8a6d13a43ad2f2dd9a08d4435624cdb36d Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Thu, 3 Apr 2003 04:54:20 +0000
Subject: [PATCH] Introduce a number of SSLC hints to mod_ssl, including the following type overrides; MODSSL_CLIENT_CERT_CB_ARG_TYPE MODSSL_PCHAR_CAST (for a host of non-void/const sslc values) modssl_read_bio_cb_fn (for several callbacks with same prototypes) Declare callback functions appropriately. And protect us from indetermineant toolkits with #error "Unrecognized SSL Toolkit!"
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@99183 13f79535-47bb-0310-9956-ffa450edef68
---
 mod_ssl.h | 2 +-
 ssl_engine_init.c | 16 +++++++++----
 ssl_engine_kernel.c | 4 ++--
 ssl_engine_pphrase.c | 15 ++++++++----
 ssl_toolkit_compat.h | 57 ++++++++++++++++++++++++++++++--------------
 ssl_util.c | 18 ++++++++++++++
 ssl_util_ssl.c | 8 +++----
 ssl_util_ssl.h | 6 ++---
 8 files changed, 89 insertions(+), 37 deletions(-)
diff --git a/mod_ssl.h b/mod_ssl.h
index 7c5e944bb68..c9132033269 100644
--- a/mod_ssl.h
+++ b/mod_ssl.h
@@ -584,7 +584,7 @@ RSA *ssl_callback_TmpRSA(SSL *, int, int);
 DH *ssl_callback_TmpDH(SSL *, int, int);
 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
-int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
diff --git a/ssl_engine_init.c b/ssl_engine_init.c
index b1e7dfdda9a..ff229cdb31a 100644
--- a/ssl_engine_init.c
+++ b/ssl_engine_init.c
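Review bot: The new prototype expands to `void **x509` under sslc (the sslc branch of ssl_toolkit_compat.h defines MODSSL_CLIENT_CERT_CB_ARG_TYPE as `void`), so both callers and the definition in ssl_engine_kernel.c lose the X509 type, and nothing at the declaration says why. A one-line comment would carry the contract: `/* x509 is X509 ** under OpenSSL; the sslc build defines MODSSL_CLIENT_CERT_CB_ARG_TYPE as void */`. This also assumes ssl_toolkit_compat.h is included before this point in mod_ssl.h, which the hunk does not show.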
@@ -556,8 +556,8 @@ static void ssl_init_ctx_verify(server_rec *s,
 "Configuring client authentication");
 if (!SSL_CTX_load_verify_locations(ctx,
- mctx->auth.ca_cert_file,
- mctx->auth.ca_cert_path))
+ MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
+ MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
 {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
 "Unable to configure verify locations "
@@ -614,7 +614,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
 "Configuring permitted SSL ciphers [%s]", suite);
- if (!SSL_CTX_set_cipher_list(ctx, suite)) {
+ if (!SSL_CTX_set_cipher_list(ctx, MODSSL_PCHAR_CAST suite)) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
 "Unable to configure permitted SSL ciphers");
 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
@@ -1077,10 +1077,17 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
 }
 }
+#ifdef SSLC_VERSION_NUMBER
+static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
+{
+ return(X509_NAME_cmp((void*)*a, (void*)*b));
+}
+#else
 static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
 {
 return(X509_NAME_cmp(*a, *b));
 }
+#endif
 static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
 server_rec *s, const char *file)
@@ -1088,7 +1095,8 @@ static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
 int n;
 STACK_OF(X509_NAME) *sk;
- sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
+ sk = (STACK_OF(X509_NAME) *)
+ SSL_load_client_CA_file(MODSSL_PCHAR_CAST file);
 if (!sk) {
 return;
diff --git a/ssl_engine_kernel.c b/ssl_engine_kernel.c
index 6a5ecbf9f41..c4cb37880e5 100644
--- a/ssl_engine_kernel.c
+++ b/ssl_engine_kernel.c
@@ -638,7 +638,7 @@ int ssl_hook_Access(request_rec *r)
 * we put it back here for the purpose of quick_renegotiation.
 */
 cert_stack = sk_new_null();
- sk_X509_push(cert_stack, cert);
+ sk_X509_push(cert_stack, MODSSL_PCHAR_CAST cert);
 }
 if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
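Review bot: `MODSSL_PCHAR_CAST mctx->auth.ca_cert_file` discards the `const` of the configured path whenever the macro expands to `(char *)` (its sslc definition in ssl_toolkit_compat.h), which is only sound if the sslc SSL_CTX_load_verify_locations treats the argument as read-only; the hunk cannot show that, so it should be stated where the cast is defined. The same cast-away-const is applied to `suite` in the -614 hunk, to `file` in the -1088 hunk and to `filename` in ssl_util_ssl.c's BIO_read_filename hunk, so one comment on the macro definition covers all of them: `/* sslc prototypes take char *; callees are assumed not to write through the pointer */`. ssl_init_ctx_verify starts before and ends after this hunk.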
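Review bot: The sslc variant of ssl_init_FindCAList_X509NameCmp takes `char **` and casts each element to `void *` before X509_NAME_cmp, presumably because sslc's `sk_set_cmp_func` (which `sk_X509_NAME_set_cmp_func` aliases in ssl_toolkit_compat.h) expects a `char **` comparator, but the hunk leaves that reason unstated. A short comment above the `#ifdef SSLC_VERSION_NUMBER` branch keeps the two definitions from drifting: `/* sslc stacks hold char *; the comparator must match sk_set_cmp_func's signature */`. The registration site is outside this hunk, so the exact signature sslc requires is inferred rather than shown.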
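Review bot: `MODSSL_PCHAR_CAST cert` applies a cast named for string arguments to an `X509 *`; it compiles only because the sslc `sk_X509_push` is a bare `sk_push` alias, and the intent is obscured at the call site. ssl_toolkit_compat.h already solves this for names with `#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)`; giving `sk_X509_push` the same form, `#define sk_X509_push(st, data) sk_push(st, (void *)data)`, in the -190 hunk of that header would let this line stay `sk_X509_push(cert_stack, cert);` for both toolkits. ssl_hook_Access starts before and ends after this hunk.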
@@ -1531,7 +1531,7 @@ static void modssl_proxy_info_log(server_rec *s,
 *pkey = info->x_pkey->dec_pkey; \
 EVP_PKEY_reference_inc(*pkey)
-int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
+int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
 {
 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
 server_rec *s = c->base_server;
diff --git a/ssl_engine_pphrase.c b/ssl_engine_pphrase.c
index 2c815a2078e..f83a9899b9d 100644
--- a/ssl_engine_pphrase.c
+++ b/ssl_engine_pphrase.c
@@ -142,7 +142,11 @@ static apr_file_t *readtty = NULL;
 */
 static server_rec *ssl_pphrase_server_rec = NULL;
+#ifdef SSLC_VERSION_NUMBER
+int ssl_pphrase_Handle_CB(char *, int, int);
+#else
 int ssl_pphrase_Handle_CB(char *, int, int, void *);
+#endif
 static char *pphrase_array_get(apr_array_header_t *arr, int idx)
 {
@@ -635,8 +639,14 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
 return 0;
 }
+#ifdef SSLC_VERSION_NUMBER
+int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
+{
+ void *srv = ssl_pphrase_server_rec;
+#else
 int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
 {
+#endif
 SSLModConfigRec *mc;
 server_rec *s;
 apr_pool_t *p;
@@ -652,11 +662,6 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
 char *cpp;
 int len = -1;
-#ifndef OPENSSL_VERSION_NUMBER
- /* make up for sslc flaw */
- srv = ssl_pphrase_server_rec;
-#endif
-
 mc = myModConfig((server_rec *)srv);
 /*
diff --git a/ssl_toolkit_compat.h b/ssl_toolkit_compat.h
index f2519005dec..b37441a2c8b 100644
--- a/ssl_toolkit_compat.h
+++ b/ssl_toolkit_compat.h
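Review bot: With sslc the definition becomes `void **x509`, so whatever the body stores through `*x509` (outside this hunk) is no longer checked against X509 by the compiler, while the pkey half keeps its type via the macro visible in the context lines. A comment at the definition records the contract, since the prototype in mod_ssl.h carries none: `/* x509 is void ** under sslc (MODSSL_CLIENT_CERT_CB_ARG_TYPE); the compiler cannot check what the body stores through it */`. ssl_callback_proxy_cert's body continues past the hunk.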
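Review bot: Splitting the signature and opening brace of ssl_pphrase_Handle_CB across `#ifdef SSLC_VERSION_NUMBER` / `#else` / `#endif`, with each branch's `{` closed by a `}` far outside the hunk, is hard to read and easy to unbalance the next time either branch is edited. An sslc-only three-argument wrapper that forwards to a static four-argument implementation, passing `ssl_pphrase_server_rec` as the last argument, keeps one body and one brace pair; the -142 prototype hunk would then declare only the wrapper for sslc. The sslc path also still depends on `ssl_pphrase_server_rec` having been set before the toolkit invokes the callback — `myModConfig((server_rec *)srv)` in the -652 hunk receives it with no NULL check — but the removed `#ifndef OPENSSL_VERSION_NUMBER` block had the same dependency, so that is pre-existing rather than introduced here. The function body continues beyond the hunk.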
@@ -107,9 +107,13 @@ #define MODSSL_BIO_CB_ARG_TYPE const char
 #define MODSSL_CRYPTO_CB_ARG_TYPE const char
+#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509
+#define MODSSL_PCHAR_CAST
 #define modssl_X509_verify_cert X509_verify_cert
+typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
+
 #if (OPENSSL_VERSION_NUMBER < 0x00904000)
 #define modssl_PEM_read_bio_X509(b, x, cb, arg) PEM_read_bio_X509(b, x, cb)
 #else
@@ -134,14 +138,17 @@ #define HAVE_SSL_X509V3_EXT_d2i
-#else /* HAVE_SSLC */
+#elif defined(HAVE_SSLC)
+#include
+#include
+#include
+#include
+#include
+#include
+#include
 #include
-#if SSLC_VERSION > 0x1FFF
-#include
-#endif
-
 /* sslc does not support this function, OpenSSL has since 9.5.1 */
 #define RAND_status() 1
@@ -154,6 +161,10 @@ #define MODSSL_BIO_CB_ARG_TYPE char
 #define MODSSL_CRYPTO_CB_ARG_TYPE char
+#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
+#define MODSSL_PCHAR_CAST (char *)
+
+typedef int (modssl_read_bio_cb_fn)(char*,int,int);
 #define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
@@ -179,7 +190,7 @@ #define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
 #endif
-#if SSLC_VERSION < 0x2000
+#if SSLC_VERSION_NUMBER < 0x2000
 #define X509_STORE_CTX_set_depth(st, d)
 #define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
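Review bot: The two new macros and the typedef are introduced without a comment saying what they abstract, and their meaning is only recoverable by reading the sslc branch of this header. Above `#define MODSSL_CLIENT_CERT_CB_ARG_TYPE X509` I would add `/* Type of the certificate out-parameter of the client-cert callback: X509 here, void under sslc */`, above `#define MODSSL_PCHAR_CAST` add `/* Cast for const char * arguments whose sslc prototypes take char *; empty for OpenSSL */`, and above the typedef `/* Password callback type for the PEM/BIO readers; the sslc variant has no user-data argument */`. The sslc definitions in the -154 hunk deserve the mirror-image comments, in particular that `(char *)` discards const and relies on the callee not writing through the pointer.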
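Review bot: After `#elif defined(HAVE_SSLC)` the rest of this branch tests `SSLC_VERSION_NUMBER` with `#if` (the -179 hunk here and both ssl_util.c hunks), but nothing checks that one of the now-unconditional includes actually defines it; an undefined macro evaluates as 0 in `#if`, so a missing or renamed definition would silently select the `< 0x2000` legacy branch and the void-returning lock callback. The include names were lost in this rendering, so I cannot see which header provides it; a guard right after the includes makes the dependency explicit: `#ifndef SSLC_VERSION_NUMBER` / `#error "SSLC_VERSION_NUMBER is not defined by the sslc headers"` / `#endif`. The removed code gated a header on `SSLC_VERSION > 0x1FFF`, a different macro name, which is exactly the kind of stale spelling such a guard would catch.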
@@ -190,37 +201,47 @@ #define modssl_set_verify(ssl, verify, cb) \
 SSL_set_verify(ssl, verify)
-#endif
+#else /* SSLC_VERSION_NUMBER >= 0x2000 */
+
+#define CRYPTO_malloc_init R_malloc_init
+
+#define EVP_cleanup()
+
+#endif /* SSLC_VERSION_NUMBER >= 0x2000 */
+
+typedef void (*modssl_popfree_fn)(char *data);
-/* BEGIN GENERATED SECTION */
-#define sk_SSL_CIPHER_free sk_free
 #define sk_SSL_CIPHER_dup sk_dup
-#define sk_SSL_CIPHER_num sk_num
 #define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
+#define sk_SSL_CIPHER_free sk_free
+#define sk_SSL_CIPHER_num sk_num
 #define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
 #define sk_X509_num sk_num
 #define sk_X509_push sk_push
+#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
 #define sk_X509_value (X509 *)sk_value
-#define sk_X509_INFO_value (X509_INFO *)sk_value
 #define sk_X509_INFO_free sk_free
-#define sk_X509_INFO_pop_free sk_pop_free
+#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
 #define sk_X509_INFO_num sk_num
 #define sk_X509_INFO_new_null sk_new_null
+#define sk_X509_INFO_value (X509_INFO *)sk_value
+#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
+#define sk_X509_NAME_free sk_free
+#define sk_X509_NAME_new sk_new
 #define sk_X509_NAME_num sk_num
 #define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
 #define sk_X509_NAME_value (X509_NAME *)sk_value
-#define sk_X509_NAME_free sk_free
-#define sk_X509_NAME_new sk_new
-#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
 #define sk_X509_NAME_ENTRY_num sk_num
 #define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
 #define sk_X509_NAME_set_cmp_func sk_set_cmp_func
 #define sk_X509_REVOKED_num sk_num
 #define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
-#define sk_X509_pop_free sk_pop_free
-/* END GENERATED SECTION */
-#endif /* OPENSSL_VERSION_NUMBER */
+#else /* ! HAVE_OPENSSL && ! HAVE_SSLC */
+
+#error "Unrecognized SSL Toolkit!"
+
+#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */
 #ifndef modssl_set_verify
 #define modssl_set_verify(ssl, verify, cb) \
diff --git a/ssl_util.c b/ssl_util.c
index bbcb291f3ff..e1dbb2db462 100644
--- a/ssl_util.c
+++ b/ssl_util.c
@@ -402,8 +402,18 @@ const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
 static apr_thread_mutex_t **lock_cs;
 static int lock_num_locks;
+#ifdef SSLC_VERSION_NUMBER
+#if SSLC_VERSION_NUMBER >= 0x2000
+static int ssl_util_thr_lock(int mode, int type,
+ const char *file, int line)
+#else
+static void ssl_util_thr_lock(int mode, int type,
+ const char *file, int line)
+#endif
+#else
 static void ssl_util_thr_lock(int mode, int type,
 const char *file, int line)
+#endif
 {
 if (type < lock_num_locks) {
 if (mode & CRYPTO_LOCK) {
@@ -412,6 +422,14 @@ static void ssl_util_thr_lock(int mode, int type,
 else {
 apr_thread_mutex_unlock(lock_cs[type]);
 }
+#ifdef HAVE_SSLC
+#if SSLC_VERSION_NUMBER > 0x2000
+ return 1;
+ }
+ else {
+ return -1;
+#endif
+#endif
 }
 }
diff --git a/ssl_util_ssl.c b/ssl_util_ssl.c
index a269bddd829..faaebc4fdaa 100644
--- a/ssl_util_ssl.c
+++ b/ssl_util_ssl.c
@@ -107,7 +107,7 @@ void SSL_set_app_data2(SSL *ssl, void *arg)
 ** _________________________________________________________________
 */
-X509 *SSL_read_X509(char* filename, X509 **x509, int (*cb)(char*,int,int,void*))
+X509 *SSL_read_X509(char* filename, X509 **x509, modssl_read_bio_cb_fn *cb)
 {
 X509 *rc;
 BIO *bioS;
@@ -158,7 +158,7 @@ static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
 }
 #endif
-EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, int (*cb)(char*,int,int,void*), void *s)
+EVP_PKEY *SSL_read_PrivateKey(char* filename, EVP_PKEY **key, modssl_read_bio_cb_fn *cb, void *s)
 {
 EVP_PKEY *rc;
 BIO *bioS;
@@ -430,7 +430,7 @@ BOOL SSL_X509_INFO_load_file(apr_pool_t *ptemp,
 return FALSE;
 }
- if (BIO_read_filename(in, filename) <= 0) {
+ if (BIO_read_filename(in, MODSSL_PCHAR_CAST filename) <= 0) {
 BIO_free(in);
 return FALSE;
 }
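Review bot: `(modssl_popfree_fn)(free)` in the new `sk_X509_pop_free` and `sk_X509_INFO_pop_free` macros converts whatever destructor the caller passes to `void (*)(char *)`, so a wrong free function now compiles without any diagnostic; that is presumably what sslc's `sk_pop_free` requires, but it should be said. `#define EVP_cleanup()` in the `>= 0x2000` branch likewise turns the call into nothing with no explanation. I would add `/* sslc's sk_pop_free takes a char * destructor; this cast silences the mismatch, it does not check it */` above the typedef and `/* sslc >= 0x2000: EVP_cleanup deliberately a no-op -- confirm against the sslc headers */` above the empty define. Dropping the BEGIN/END GENERATED SECTION markers also means this list is now maintained by hand, which the header should state. The hunk's closing `#endif` is on the following page line.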
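Review bot: The return type of ssl_util_thr_lock is chosen with `#if SSLC_VERSION_NUMBER >= 0x2000`, but the `return 1;` / `return -1;` statements in the -412 hunk are added under `#if SSLC_VERSION_NUMBER > 0x2000`, so at exactly 0x2000 the function is declared `int` and falls off the end without returning a value, which is undefined behaviour as soon as the toolkit uses the result. The two sites also differ in their outer guard (`#ifdef SSLC_VERSION_NUMBER` here, `#ifdef HAVE_SSLC` there); both should use the same spelling and the same test, `#if SSLC_VERSION_NUMBER >= 0x2000`, matching the `>= 0x2000` convention of ssl_toolkit_compat.h. Separately, the new `else { return -1; }` is now the only error path, but `type < lock_num_locks` does not reject a negative `type`, so a bad index would still reach `lock_cs[type]`; `if (type >= 0 && type < lock_num_locks) {` closes that.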
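Review bot: Under sslc `modssl_read_bio_cb_fn` has no `void *` parameter (the sslc typedef in ssl_toolkit_compat.h is `(char*,int,int)`), so the trailing `void *s` of SSL_read_PrivateKey cannot be handed to `cb` in that build, and whatever the body does with it (outside the hunk) is toolkit-dependent; the sslc password callback in ssl_engine_pphrase.c instead reads `ssl_pphrase_server_rec` itself. That asymmetry is invisible at this signature; a comment such as `/* s: presumably the user-data argument for cb with OpenSSL; sslc callbacks take no user data, see modssl_read_bio_cb_fn */` would document it, and the same applies to the declarations in ssl_util_ssl.h. The function body continues beyond the hunk.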
@@ -493,7 +493,7 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *ptemp,
 * should be sent to the peer in the SSL Certificate message.
 */
 int SSL_CTX_use_certificate_chain(
- SSL_CTX *ctx, char *file, int skipfirst, int (*cb)(char*,int,int,void*))
+ SSL_CTX *ctx, char *file, int skipfirst, modssl_read_bio_cb_fn *cb)
 {
 BIO *bio;
 X509 *x509;
diff --git a/ssl_util_ssl.h b/ssl_util_ssl.h
index 54b2e4ef0d3..50e46a73ab8 100644
--- a/ssl_util_ssl.h
+++ b/ssl_util_ssl.h
@@ -90,8 +90,8 @@ void SSL_init_app_data2_idx(void);
 void *SSL_get_app_data2(SSL *);
 void SSL_set_app_data2(SSL *, void *);
-X509 *SSL_read_X509(char *, X509 **, int (*)(char*,int,int,void*));
-EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, int (*)(char*,int,int,void*), void *);
+X509 *SSL_read_X509(char *, X509 **, modssl_read_bio_cb_fn *);
+EVP_PKEY *SSL_read_PrivateKey(char *, EVP_PKEY **, modssl_read_bio_cb_fn *, void *);
 int SSL_smart_shutdown(SSL *ssl);
 X509_STORE *SSL_X509_STORE_create(char *, char *);
 int SSL_X509_STORE_lookup(X509_STORE *, int, X509_NAME *, X509_OBJECT *);
@@ -101,7 +101,7 @@ BOOL SSL_X509_getBC(X509 *, int *, int *);
 BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
 BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
-int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)(char*,int,int,void*));
+int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
 char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
 /* util functions for OpenSSL+sslc compat */
-- 
2.47.2