Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

Ruediger Pluem


On 07/30/2017 01:05 AM, [hidden email] wrote:

> Author: ylavic
> Date: Sat Jul 29 23:05:02 2017
> New Revision: 1803396
>
> URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
> Log:
> mod_ssl, ab: compatibility with LibreSSL.  PR 61184.
>
> LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
> all of the latest OpenSSL 1.1 API.
>
> Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
> anything but OpenSSL >= 1.1 (for now).
>
> Proposed by: Bernard Spil <brnrd freebsd.org>
> Reviewed by: ylavic
>
>
> Modified:
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
>     httpd/httpd/trunk/modules/ssl/ssl_util.c
>     httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
>     httpd/httpd/trunk/support/ab.c
>

> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct
>          return APR_EINVAL;
>      }
>  
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

>      ctx = EVP_MD_CTX_create();
>  #else
>      ctx = EVP_MD_CTX_new();
> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct
>      ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
>                                      sctf->signed_data_len));
>      rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

Why not using MODSSL_USE_OPENSSL_PRE_1_1_API here?

>      EVP_MD_CTX_destroy(ctx);
>  #else
>      EVP_MD_CTX_free(ctx);
>

Regards

Rüdiger

Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

William A Rowe Jr
IMO that's garbage, please revert. I don't believe that any ASF project,
which has very firm rules about appropriating code bases, should be
tolerating namespace abuse and mark infringement against other
projects.

If they want us to test a symbol in a LIBRESSL space, that's fine, but
OPENSSL namespace was not theirs to begin with.



On Sat, Jul 29, 2017 at 6:05 PM,  <[hidden email]> wrote:

> Author: ylavic
> Date: Sat Jul 29 23:05:02 2017
> New Revision: 1803396
>
> URL: http://svn.apache.org/viewvc?rev=1803396&view=rev
> Log:
> mod_ssl, ab: compatibility with LibreSSL.  PR 61184.
>
> LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
> all of the latest OpenSSL 1.1 API.
>
> Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
> anything but OpenSSL >= 1.1 (for now).
>
> Proposed by: Bernard Spil <brnrd freebsd.org>
> Reviewed by: ylavic
>
>
> Modified:
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h
>     httpd/httpd/trunk/modules/ssl/ssl_util.c
>     httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
>     httpd/httpd/trunk/support/ab.c
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Jul 29 23:05:02 2017
> @@ -354,7 +354,7 @@ static apr_status_t ssl_cleanup_pre_conf
>  #endif
>
>      /* Usually needed per thread, but this parent process is single-threaded */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
>      ERR_remove_thread_state(NULL);
>  #else
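Review bot: the inner "#if OPENSSL_VERSION_NUMBER >= 0x1000000fL" test in this hunk is still a raw version-number check, so on LibreSSL (which reports 2.0) it selects the ERR_remove_thread_state(NULL) branch rather than the #else fallback. That is presumably the intended branch, but since the outer guard was just switched to MODSSL_USE_OPENSSL_PRE_1_1_API precisely because the raw number cannot be trusted for LibreSSL, a one-line comment saying the inner test is deliberately left on OPENSSL_VERSION_NUMBER would stop the next reader from "fixing" it.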
> @@ -398,15 +398,15 @@ static int ssl_hook_pre_config(apr_pool_
>      /* Some OpenSSL internals are allocated per-thread, make sure they
>       * are associated to the/our same thread-id until cleaned up.
>       */
> -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
>      ssl_util_thread_id_setup(pconf);
>  #endif
>
>      /* We must register the library in full, to ensure our configuration
>       * code can successfully test the SSL environment.
>       */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -    CRYPTO_malloc_init();
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
> +    (void)CRYPTO_malloc_init();
>  #else
>      OPENSSL_malloc_init();
>  #endif
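Review bot: the added (void) cast on CRYPTO_malloc_init() is the one change in this hunk that the log message does not explain. If it is there to silence an unused-value warning on a build where CRYPTO_malloc_init() expands to a constant, a short comment beside it, or a sentence in the log, would record that; as it stands it reads as an unrelated drive-by in a compatibility commit.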
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_ct_sct.c Sat Jul 29 23:05:02 2017
> @@ -32,7 +32,7 @@ static apr_status_t verify_signature(sct
>          return APR_EINVAL;
>      }
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>      ctx = EVP_MD_CTX_create();
>  #else
>      ctx = EVP_MD_CTX_new();
> @@ -41,7 +41,7 @@ static apr_status_t verify_signature(sct
>      ap_assert(1 == EVP_VerifyUpdate(ctx, sctf->signed_data,
>                                      sctf->signed_data_len));
>      rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>      EVP_MD_CTX_destroy(ctx);
>  #else
>      EVP_MD_CTX_free(ctx);
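Review bot: both hunks in ssl_ct_sct.c spell out "OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)" instead of using the MODSSL_USE_OPENSSL_PRE_1_1_API macro that this same commit introduces in ssl_private.h, so the tree now carries two definitions of "pre-1.1 API" that can drift apart the next time the cut-off moves. If ssl_ct_sct.c cannot include ssl_private.h, put the macro in a header both files can see, or at least say so in a comment here; if it can, use the macro for the EVP_MD_CTX_create()/EVP_MD_CTX_new() and EVP_MD_CTX_destroy()/EVP_MD_CTX_free() selections.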
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Jul 29 23:05:02 2017
> @@ -50,7 +50,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
>  #define KEYTYPES "RSA or DSA"
>  #endif
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  /* OpenSSL Pre-1.1.0 compatibility */
>  /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
>  static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
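Review bot: the local DH_set0_pqg() compatibility shim (and whatever else lives under this #if block) is now compiled for every LibreSSL version, because MODSSL_USE_OPENSSL_PRE_1_1_API is unconditionally (1) whenever LIBRESSL_VERSION_NUMBER is defined. The moment a LibreSSL release ships its own DH_set0_pqg(), this becomes a duplicate definition at build time. Bound it with a LIBRESSL_VERSION_NUMBER check, as the ssl_private.h hunk already does for SSL_CTX_set_min_proto_version ("LIBRESSL_VERSION_NUMBER < 0x2060000f"), or state in the log that the cut-off will have to be revisited.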
> @@ -253,7 +253,7 @@ apr_status_t ssl_init_Module(apr_pool_t
>  #endif
>      }
>
> -#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
>      ssl_util_thread_setup(p);
>  #endif
>
> @@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t
>      modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
>
>      init_dh_params();
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> +#if !MODSSL_USE_OPENSSL_PRE_1_1_API
>      init_bio_methods();
>  #endif
>
> @@ -1324,7 +1324,7 @@ static apr_status_t ssl_init_server_cert
>       * or configure NIST P-256 (required to enable ECDHE for earlier versions)
>       * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
>       */
> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      else {
>  #if defined(SSL_CTX_set_ecdh_auto)
>          SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
> @@ -2079,7 +2079,7 @@ apr_status_t ssl_init_ModuleKill(void *d
>
>      }
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> +#if !MODSSL_USE_OPENSSL_PRE_1_1_API
>      free_bio_methods();
>  #endif
>      free_dh_params();
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sat Jul 29 23:05:02 2017
> @@ -165,7 +165,7 @@ static int bio_filter_create(BIO *bio)
>  {
>      BIO_set_shutdown(bio, 1);
>      BIO_set_init(bio, 1);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      /* No setter method for OpenSSL 1.1.0 available,
>       * but I can't find any functional use of the
>       * "num" field there either.
> @@ -578,7 +578,7 @@ static long bio_filter_in_ctrl(BIO *bio,
>      return -1;
>  }
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>
>  static BIO_METHOD bio_filter_out_method = {
>      BIO_TYPE_MEM,
> @@ -2080,7 +2080,7 @@ static void ssl_io_input_add_filter(ssl_
>
>      filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
>  #else
>      filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
> @@ -2115,7 +2115,7 @@ void ssl_io_filter_init(conn_rec *c, req
>      filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
>                                                         filter_ctx, r, c);
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>      filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
>  #else
>      filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Jul 29 23:05:02 2017
> @@ -1745,7 +1745,7 @@ static void modssl_proxy_info_log(conn_r
>   * so we need to increment here to prevent them from
>   * being freed.
>   */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define modssl_set_cert_info(info, cert, pkey) \
>      *cert = info->x509; \
>      CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Jul 29 23:05:02 2017
> @@ -114,7 +114,7 @@ static apr_status_t ssl_get_tls_cb(apr_p
>      else if (x != NULL) {
>          const EVP_MD *md;
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>          md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
>  #else
>          md = EVP_get_digestbynid(X509_get_signature_nid(x));
> @@ -603,7 +603,7 @@ static char *ssl_var_lookup_ssl_cert(apr
>          resdup = FALSE;
>      }
>      else if (strcEQ(var, "A_SIG")) {
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>          nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
>  #else
>          const ASN1_OBJECT *paobj;
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Jul 29 23:05:02 2017
> @@ -123,6 +123,25 @@
>  #define MODSSL_SSL_METHOD_CONST
>  #endif
>
> +#if defined(LIBRESSL_VERSION_NUMBER)
> +/* Missing from LibreSSL */
> +#if LIBRESSL_VERSION_NUMBER < 0x2060000f
> +#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
> +#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
> +#define SSL_CTX_set_min_proto_version(ctx, version) \
> +        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
> +#define SSL_CTX_set_max_proto_version(ctx, version) \
> +        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
> +#endif
> +/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
> + * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
> + * we have to work around this...
> + */
> +#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
> +#else
> +#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
> +#endif
> +
>  #if defined(OPENSSL_FIPS)
>  #define HAVE_FIPS
>  #endif
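Review bot: the SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() replacements for LibreSSL < 2.6 expand to "SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)" with hard-coded ctrl numbers 123 and 124, and the comment "Missing from LibreSSL" only says the macros are missing, not that the library's SSL_CTX_ctrl() handles those codes. If an older LibreSSL does not implement ctrl 123/124, SSL_CTX_ctrl() returns 0 and the protocol floor or ceiling set through these macros is silently not applied; that is a TLS-downgrade exposure, not a build error. Either make sure every caller checks the return value of these macros and fails configuration on 0, or restrict the LibreSSL range to versions known to honour the ctrl and say which in the comment. Separately, "MODSSL_USE_OPENSSL_PRE_1_1_API (1)" for all LibreSSL matches the "(for now)" in the log; a LIBRESSL_VERSION_NUMBER upper bound here would be the single place to relax it later.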
> @@ -136,7 +155,7 @@
>  #endif
>
>  /* session id constness */
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define IDCONST
>  #else
>  #define IDCONST const
> @@ -199,7 +218,7 @@
>
>  #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
>  #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
>  #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
> @@ -219,7 +238,7 @@ void init_bio_methods(void);
>  void free_bio_methods(void);
>  #endif
>
> -#if OPENSSL_VERSION_NUMBER < 0x10002000L
> +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
>  #define X509_STORE_CTX_get0_store(x) (x->ctx)
>  #endif
>
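Review bot: X509_STORE_CTX_get0_store(x) is now defined as "(x->ctx)" for every LibreSSL version with no version bound, unlike the SSL_CTX_set_*_proto_version block above, which is cut off at 0x2060000f. This reaches into the struct, so it depends on X509_STORE_CTX staying non-opaque in LibreSSL, and it will silently shadow a real X509_STORE_CTX_get0_store() if LibreSSL adds one. A LIBRESSL_VERSION_NUMBER bound, or a comment explaining why none is needed, belongs here.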
> @@ -931,10 +950,8 @@ void         ssl_util_ppclose(server_rec
>  char        *ssl_util_readfilter(server_rec *, apr_pool_t *, const char *,
>                                   const char * const *);
>  BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
> -#if APR_HAS_THREADS
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
>  void         ssl_util_thread_setup(apr_pool_t *);
> -#endif
>  void         ssl_util_thread_id_setup(apr_pool_t *);
>  #endif
>  int          ssl_init_ssl_connection(conn_rec *c, request_rec *r);
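Review bot: collapsing the two nested guards also narrows the declaration of ssl_util_thread_id_setup(): before this hunk it was declared whenever APR_HAS_THREADS, now only when MODSSL_USE_OPENSSL_PRE_1_1_API is also true. That matches the caller in the mod_ssl.c hunk ("#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API" before ssl_util_thread_id_setup(pconf)) and the ssl_util.c hunk, whose two removed #endif comments show both functions already sat under both guards, so it is a no-op in practice, but it is a change the log does not mention and deserves a sentence there.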
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util.c Sat Jul 29 23:05:02 2017
> @@ -246,8 +246,8 @@ void ssl_asn1_table_unset(apr_hash_t *ta
>      apr_hash_set(table, key, klen, NULL);
>  }
>
> -#if APR_HAS_THREADS
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
> +
>  /*
>   * To ensure thread-safetyness in OpenSSL - work in progress
>   */
> @@ -510,5 +510,4 @@ void ssl_util_thread_setup(apr_pool_t *p
>                                         apr_pool_cleanup_null);
>  }
>
> -#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
> -#endif /* #if APR_HAS_THREADS */
> +#endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sat Jul 29 23:05:02 2017
> @@ -41,7 +41,7 @@
>  #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
>  #define MODSSL_LIBRARY_NAME    "OpenSSL"
>  #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#if MODSSL_USE_OPENSSL_PRE_1_1_API
>  #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
>  #else
>  #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
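Review bot: MODSSL_LIBRARY_NAME stays "OpenSSL" and MODSSL_LIBRARY_VERSION stays OPENSSL_VERSION_NUMBER for a LibreSSL build, so anything that reports the compiled-against library will still call it OpenSSL 2.0. Now that the code knows when LIBRESSL_VERSION_NUMBER is defined, consider setting MODSSL_LIBRARY_NAME to "LibreSSL" and MODSSL_LIBRARY_VERSION to LIBRESSL_VERSION_NUMBER under that condition, so operators reading the error log and the Server header can tell which library's advisories apply to them.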
>
> Modified: httpd/httpd/trunk/support/ab.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/ab.c?rev=1803396&r1=1803395&r2=1803396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/support/ab.c (original)
> +++ httpd/httpd/trunk/support/ab.c Sat Jul 29 23:05:02 2017
> @@ -197,6 +197,14 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
>  #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
>  #define HAVE_TLSEXT
>  #endif
> +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
> +#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
> +#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
> +#define SSL_CTX_set_min_proto_version(ctx, version) \
> +   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
> +#define SSL_CTX_set_max_proto_version(ctx, version) \
> +   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
> +#endif
>  #endif
>
>  #include <math.h>
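Review bot: this block is a copy (differing only in indentation) of the SSL_CTRL_SET_MIN_PROTO_VERSION/SSL_CTRL_SET_MAX_PROTO_VERSION shim added to ssl_private.h, and carries the same caveat: it only helps if LibreSSL < 2.6's SSL_CTX_ctrl() actually handles ctrl 123/124, otherwise ab's protocol bounds are silently ignored. ab is a standalone tool and cannot include ssl_private.h, so duplication is understandable, but the two copies should be kept byte-identical or factored into one small compatibility header that both can include, so a future fix to one does not miss the other.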
>
>